Locksmithing Blog

Well, yet again, we see spam coming in on a weekly basis, asking us to “Clcik here, and verify your online bank details” and other humorously low grade spoof attempts. A lot of this is for banks, as well as the usual PayPal and eBay stuff.

Today, we got a phonecall, purporting to be from the bank. So how do you tell? Your bank phones you, asks you to go through the security questions, and since they ask them, and they haven’t given you anything beyond “it’s a personal banking matter” you have no idea if it really is the bank. So, try asking them anything at all, and they say “Sorry, until you have gone through the security questions, we can’t tell you that.” We tried to get a reference number off them, so we could call them back, and were told “Not until you have been through security”!

Imagine our lack of suprise when the number they gave us to call didn’t tally with anything on Google search, and when called, it simply said “Thank-you for calling Card Services” and giving us another phone number to call!

So, was this a cunning scammer? No, amazingly enough, it wasn’t. It was actually the bank calling to confirm our contact telephone number. Which surely they did, when they were passed to the person they requested by name?

Not all companies are this stupidly insecure through too much security. Two days ago, I challenged a caller in the same way. His inspired response was to say “The last two digits of xyz added together are nn” which is a hash function which is non-reversible, and gives away nothing unless you hold the shared key and the secret numbers. Since this was correct, the odds of a correct guess was pretty small. Not tiny, but about 1 in 12. (Should I do the maths? 19 possible answers from 0 to 18, and the most likely ones being at best 9 in 91, and the worst being 1 in 91) For the purposes of the call, that was enough.

The best example of this one-way hash is the credit card companies. They sat for a long time, trying to find ways to avoid data protection issues, whilst still ensuring that the high levels of card fraud were reduced. They came up with a few different ideas, to solve different parts of the issue. To prevent electronically skimmed cards from being used without the card being present, they started using the “security number” on the back of the card, which isn’t recorded in the strip or the chip. As far as I know this is simply a reference for the card print run, but it does the job. Guessing it right would be 1 in 1000.

That wasn’t enough, though, since a stolen card being used via internet or phone would still work. So they decided they wanted address details. Uh oh! That’s an issue! Despite the merchant having the address, and the card company having it too, there was room for an attack by a corrupt merchant, or a cracker, who could simply try many, many card details until getting the address, or trying many addresses until getting the card number, or whatever.

The solution they came up with was to use only a part of the postcode and address. The number parts. This keeps it compatible with existing card terminals (as they already have numbers!) and, it is a one way hash. From the letters, you could determine where someone lived, and that would be bad. From the number part, however, you still have a good set of odds against a guess, and it is totally non-reversible. The entry 35, 2 cannot find a person, as they could be in any one of hundreds of major postcode areas, and hundreds of thousands of streets. Problem solved.

Large and small companies need to think a little about these issues. It is all well and good telling us to never respond to unexpected emails asking for details, but unexpected phone calls are surely just as big a worry today, as VoiP allows international calls for pennies, and voice recognition software can carry out basic phone conversations. It wouldn’t take much for a system to be built to specifically target this area, to socially engineer important data from targets by phone, without a human presence. This needs to be looked at now, not later.

With the rather amusing title How Jews celebrate christmas, LadyADA announced to the world her latest creation. It is a simple and cheap automatic radio frequency jammer.

For not very much money, this pocket sized device will knock out cellphone calls and GPS within a 10 to 30 metre radius of itself. This has some important conotations, from avoiding parking tickets and police pursuit, to the disabling of wireless video cameras and alarm systems.

Unlike like most systems, you see, this one automatically tunes to jam anything in range within milliseconds. So it doesn’t have to use a high power transmitter broadcasting all the time across a whole range of the radio spectrum, and it can work unattended. Ideal for stopping un-democratic “voting computers” that offer no proof that you pressed a button, let alone that your vote was actually counted any place. Also ideal for jamming wireless video cameras in public places, or, less civic-mindedly, private places.

Note that a wireless burglar alarm would simply sound forever, as this would keep track of the frequency hops it carried out to try to avoid the interference, and wipe it out, triggering a tamper alarm. Of course, with nothing visible, it would be silenced by law after the neighbours complained, leaving the clever criminal free to enter.

A more positive use would be a way to track down bugs in a security sweep. If the PLL locked to anything, it’s a transmitter, and those formerly listening in wouldn’t know to cut and run, or even turn off the transmitter, as it would be effectively jammed until it was located. Covert cameras could then be used to ensure that when the bug was retrieved, those monitoring would be caught in the act.

Like all technology, this has both a light and dark side.

My Technorati Profile

This will list me on Technorati, so the world can read it, or at least find it, more easily.