Schneier on Security
A blog covering security and security technology.
September 11, 2007
Lousy Electronic Stamp Security in Germany
More and more, we're seeing electronic postage stamps: stamps you can print directly onto envelopes from your printer. This story from Germany illustrates some of the problems when security collides with convenience.
Posted on September 11, 2007 at 7:23 AM
• 19 Comments
IIRC, stamps.com and other US electronic postage vendors have a strong incentive to get it right. The USPS charges *them* for each stamp of theirs the system processes. If their security isn't good enough to go back to the customer who bought the stamp, it's not the postal service's problem. Once again, economics does its job.
( Windows machines autonomously debiting post office accounts and managing stamps == Script kiddies using postal service free )
The system Paypal uses (not sure if this is via stamps.com or what) allows reprinting until the printout is acceptable.
It has a 2D barcode on it, which I'm sure links back to the original transaction. Its unique number gets registered as "used" once it enters the postal stream. If it gets "used" twice, they know who did it and you'll be talking to postal inspectors.
If the security *is* good enough to go back to the customer who bought the stamp, that means you lose anonymity by using the electronic stamp instead of a regular one. That's not a good thing.
The only way to avoid tracking back to the purchaser would be to simply reject inbound mail that has a duplicate stamp on it. It's the equivalent of using a counterfeit stamp.
Rejected mail goes back to the return address (there goes your anonymity; your name and address are printed right on it).
If there's no return address, I'm assuming they go to dead letters, and will probably be opened. There goes your anonymity.
Both those cases are equivalent between normal and (fictitious untrackable) eStamps.
Counterfeiting a stamp is a felony. I'm assuming that photocopying an eStamp is the same. If you use a counterfeit stamp, I'm sure the postal inspectors are going to try to find you.
OT: not sure if this has any broader security lessons, but a fascinating story nonetheless (http://www.washingtoncitypaper.com/display.php?id=2497).
@Matthew Skata, Regarding Anonymity
Good point about being able to trace back. In grad school I studied some anonymous digital cash schemes. There are cryptographic properties that can be employed to hide the identity of the user _unless_ the "cash" is double-spent.
This is the same situation you're citing for stamp transactions. Theoretically, the same anonymous-unless-fraudulent technique could be encoded into the printed stamps.
Reference: Applied Cryptography, Section 6.4, Digital Cash
I'm thinking that anonymity on electronic stamps is probably not totally good. It opens up everyone to attack; I could photocopy a bunch of anonymous estamps, put them on a bunch of mail with your return address on it, and drop them in the post office near your house, and you get to talk with the postal inspectors and maybe the secret service. Again, this is no different than using fake normal stamps.
It's a lot harder for me to build a convincing trail back to you with traceable eStamps. To do a good job, I'd have to park near your house and steal your wireless (to get your IP) or work from a public access terminal or wireless hotspot (hopefully one that you are known to use), and know your credit card info.
I haven't read the stamps.com policy. I'm assuming there's limited anonymity; they probably keep records but like an ISP, they will disclose those records only with a warrant. I could easily be wrong; there could be provisions in their contract with the USPS that they have to disclose records on request.
I'd rather keep the anonymity we currently have, and also keep the current vulnerability to forgery, than lose anonymity and gain a forgery protection we don't currently have. I also think that this would be a *very* good application for the kind of blind-signature ecash systems Nyhm mentions.
Let's leave it that there is an Idiot (with a big I) in Germany... and the English are good shopkeepers, as one famed German noted once.
The joke is that there are even easier ways to get things mailed for free, so why even bother...
"It opens up everyone to attack; I could photocopy a bunch of anonymous estamps,"
Why so complicated to attack someone? Write a terror-bomb-copyright-piracy-whatever threatening letter, put my return address on it and drop it in the post office near my house, and I will get more talks with more services than I ever wanted to have...
Yes, it will be obvious for any intelligent person that it is a fake, no sane person would write his own address on it. But once they read the word "TERROR" in it, their brains will malfunction on the instant.
There are two failures to consider -
One is a false-positive, where a non-paying customer gets to send a letter. This costs a few pennies a time.
The other is a false-negative, where a paying customer gets his letters rejected. This costs potentially all future business from that customer.
If I were designing this system, I'd want it to fail in the direction of the former situation, not the latter. The problem described in the German system actually sounds like it might fail in both directions - a customer with printing problems can't send, and an attacker can print to PostScript or PDF, and may be able to keep reusing one stamp.
Actually, the story doesn't illustrate security colliding with convenience -- it cannot, since the "security" system doesn't make the stamp more secure in the first place.
However, it demonstrates yet again that, whatever the security problem, somebody will invent a solution that improves matters not at all, helps absolutely no one, and inconveniences everybody.
If a stamp is duplicated and returned to the sender, can you write the destination address in the sender space and hope it gets delivered?
It probably allows for spam-like mailings, in which you put the address of the recipients in the sender space and send them for free. Unless the contents identify you, the worst that can happen is that the post office throws them away (or you can use this method to get a third party in trouble by sending something that identifies them).
And if the post office just disposes of the extra letters, if you are a legit user how can you be sure your letter has been delivered?
@aracne: "if you are a legit user how can you be sure your letter has been delivered?"
In general, you can't, even without the problems mentioned here. Letters are more like IP/UDP datagrams with which a "best effort" is undertaken to deliver them. As a plus, in another "best effort" the sender is notified if the delivery fails (and the failure is detected).
Still, no guarantees.
At least in Germany, however, you have the option to choose (= pay for) various levels of certified delivery.
I think "registered mail" is the correct english term.
@Paeniteo: "Letters are more like IP/UDP datagrams with which a 'best effort' is undertaken to deliver them"
Yes, but if the Post Office starts to throw letters to the trash, the problem is compounded.
You know, I usually use such firms as DHL and send registered letters. It's quite good and there are no problems with security.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.