Schneier on Security
A blog covering security and security technology.
May 20, 2013
Security Risks of Too Much Security
All of the anti-counterfeiting features of the new Canadian $100 bill are resulting in people not bothering to verify them.
The fanfare about the security features on the bills may be part of the problem, said RCMP Sgt. Duncan Pound.
"Because the polymer series' notes are so secure ... there's almost an overconfidence among retailers and the public in terms of when you sort of see the strip, the polymer looking materials, everybody says 'oh, this one's going to be good because you know it's impossible to counterfeit,'" he said.
"So people don't actually check it."
Posted on May 20, 2013 at 6:34 AM
There's no such thing as "too much security". These are the risks of "too much trust in security", which is an effect of the security theatre created around new very expensive (and ultimately flawed) security systems.
The more expensive a scheme is, the more its proponents will boast about how impressively secure it is, and people will lower their guard. This is identical (but opposite) to when the government says no one is secure, turning people into paranoid robots, identifying little girls as security threats.
The main problem, though, is that both behaviours are analogous and being heavily encouraged by the media / government, since they can't increase the real security, they lie on both sides.
I wonder how long that's going to last, and how explosive will be the outcome...
I wonder whether it's even possible nowadays to design security features that are both hard to counterfeit AND quick to check without mechanical aids in a casual transaction.
The technological means available to determined counterfeiters get steadily better, whereas the eyeballs most cashiers need to use are stuck on version 1.0.
I've never had anyone check an Australian polymer note in the two decades or so they've been around.
I'm still bemused when I'm in the US and people bring out those pens - just because it is such an unusual experience.
Apparently it's been done with the Australian notes http://www.dailytelegraph.com.au/... but it's still so rare that rigorously checking notes like is done in the US with a "less secure" currency would probably cost more money than would be lost due to problematic banknotes.
This made me laugh. If it is impossible to counterfeit, there is no need for people to check it. Isn't that the point of the security? If people still need to check it, it is unclear what purpose all the extra security serves. There's no number given on how much the previous version was checked, but I will bet it is effectively the same as before.
@Jeff - "impossible to counterfeit" implies "convincingly". It's not that you can't copy these notes; it's that the security features are (supposedly, in practice) impossible to reproduce accurately. But if nobody ever checks them, then this doesn't matter, because inaccurate reproductions will not be caught.
In other words, yours is *precisely* the mistake the article's talking about.
@Orin, I live in the US and I'm also bemused when people bring out those pens - if only because I know they don't work for anything but the sloppiest counterfeits, the ones so amateurish that they are unlikely to fool an experienced cashier anyway.
The worst offenders are at a store near me where the policy seems to be "if the note is a 'new' note with a large portrait, use the pen, even if it's only a $5." But if I handed them five ones for the same transaction, they'd accept them without blinking.
Missing from the article:
effort needed to spot the fakes. Most of the things look rather hard to spot, see the "guard duty problem": 99% of the fake (except for the ridge details) looks exactly like the real thing. Even if they are looking they aren't seeing the right things.
The second part is the "Walmart checkout clerk" problem. A Walmart checkout clerk can be made to swipe $20 and up bills with a marker. Presumably, the fakes will jump out at them. A Walmart checkout clerk can be told to look at the money, but all they are doing is resting while gazing at some color.
A scarier system: public key encrypted serial numbers. Money could be scanned by the UPS scanner (presumably modified for the special watermarked scan) and enforced by the POS (cash register) system (thus avoiding the "Walmart checkout issues"). While this really doesn't help the companies much (just duping real serial numbers would work) it would spot counterfeit money as it appeared. It would also prevent anonymous spending far better than closing down bitcoin wallets ever did.
I suspect that regardless of the tracking issues, scanning the money with the UPS barcode scanner is the key. It never gets bored no matter how much money it looks at, and the cash register knows how many bills it should have looked at.
For some reason, I'm reminded of the Somebody Else's Problem field (as mentioned by Douglas Adams in one of the Hitchhiker's Guide to the Galaxy sequels).
The new security features on the new Canadian $100 bill lead people to trust that Someone Else has taken care of the problem of whether the bill that is offered is a counterfeit bill.
@Renato: There sure is. Anytime the cost of security outweighs the benefit, that's too much security.
Imagine if your wallet was encased in a huge cement block, or locked in a vault with a 100 year timed lock. Lots of security, but I'd think we'd agree it would qualify as "too much".
Note: this post has nothing to do with the gold standard and I do not see the need for another exciting off-topic shouting match about that subject, so I'll be removing comments about it.
"56 polymer counterfeit notes across Canada, out of about 500-million polymer notes in circulation."
So the stores are correct in not wasting employee time checking notes with a 1 in 10 million risk of being fake.
Especially if the security is now so good that only an expert can make the fake - and so presumably only an expert can tell the difference.
I find it amusing that we worry so much about the anti-counterfeiting measures in a $100 bill (Canadian or U.S.).
Yes, there are more counterfeit bills because more people have more technology available. And, yes, $100s are probably targeted more because it's the biggest bang-for-buck a counterfeiter can get. But if the scrutiny of the $100s got too high, wouldn't you just counterfeit $50s instead? And isn't the risk still far smaller than it was in the 1960s when we had $500 and $1000 notes still in circulation?
"Yes, there are more counterfeit bills because more people have more technology available. And, yes, $100s are probably targeted more because it's the biggest bang-for-buck a counterfeiter can get. But if the scrutiny of the $100s got too high, wouldn't you just counterfeit $50s instead?"
Here in the US, crooks target $10, $20, $50, and $100 mainly. The easiest method to fake these bills right now is to bleach a $5, then print the new bill on it. This makes the resulting bill pass the marker test and feel like the right material. However, it will fail the visual watermark test. Yet, people trust markers and the feel of a bill so much they rarely do that. Hence, this is the most popular method right now.
So, why 100's? Well, let's ignore whether we're using the aforementioned method or one that passes watermark. Most counterfeiters buy expensive equipment and do expensive experiments until they can produce believable bills. Then, each bill costs a bit of money. They also tend to print a bunch at once. So, the simple reason to favor $100's is they get more profit out of it. Plus, there's still plenty of demand for them on the streets.
@ Henning Makholm
"I wonder whether it's even possible nowadays to design security features that are both hard to counterfeit AND quick to check without mechanical aids in a casual transaction."
With the US bills, they've pretty much done that. Most of the features on it are ignored during verification by experienced people. The most important are the feel of the bill, the marker test, and the watermark. It takes about 1 second for a quick person to check all of that, three to four for slower people. Counterfeiters almost never get these all right and it usually doesn't impact small businesses much when they do as it's caught higher up in the banking chain.
I'd say the Scientific Games' scratchoff lottery tickets are another good example. They have plenty of security built in and I haven't heard of a big (or small) cheat for their products. Yet, verification is done by scanning a barcode. Very simple.
Completely useless begging the question logic...
"If consumers are still not sure whether the bill is legitimate, they can compare the note with a genuine."
And just HOW do they determine the other one to compare with is genuine? If they can do that then they don't need to compare, just do it to the bill in question!
I haven't kept up with the marker tests. Do they still fail on legit bills that have spent too much time out and about?
Does that mean the US bills' anti-counterfeiting measures are security theater, because the recipient only need trust in God?
I am astounded at the suggestion that people should compare a $100 bill to a genuine one to see if it is the same. That's a requirement for every store and every clerk who uses a cash register to hold on to a $100 bill. Who can afford that? And is it good for Canada to take so much money out of circulation?
- tobias d. robison
As a non-American I would have guessed that the optical variable ink, along with the raised printing, would have been the easiest ways to check, and the hardest to fake.
In Australia running your fingers over the transparent windows, and again the raised printing, are usually dead giveaways. Until recently, most of the fakes have been poor photocopies with a transparent window sticky-taped in. These are usually passed in dimly lit night clubs at 3 am.
According to orin's Daily Telegraph link above, Australia has only 8 counterfeit notes per 1 million in circulation.
Sounds like it's not a big issue so much as a "this thing has occurred" but I wonder if a factor isn't the novelty of the new money. I haven't even seen one of the new bills yet (I don't handle cash much so not highly meaningful) so I don't have a great idea of what the real thing looks like so have nothing to compare a fake to.
This reminds me of the way that an article having plenty of references to back its claims can make it feel more trustworthy - even in cases when the reader never bothers to check any of the references, which could be completely made-up.
Counterfeit 100 RMB bills are a huge problem in China, and I once found a counterfeit bill and I was amazed at how clever the counterfeiters were.
You have an embedded metal strip that is supposed to deter counterfeiting, but what they did was to use an inkjet printer to print one side with a grey strip, and the other side they used the printer to print some foil. The net result is that it looks like a foil strip, until you look closely.
One reason I knew it was counterfeit was that it just felt wrong. The paper had the wrong texture and there weren't raised indentations in the ink. Once I felt the bill, and something was off, then I looked at it closely and the more I looked at it, the worse it looked.
Something else was that it turned out that I was better at spotting counterfeit bills than a lot of my friends for an interesting reason. In the US, it is extremely rare for someone to hand you a $100 bill so if you get one, you are going to check for it closely. In China, 100 RMB notes are worth about $15 US, so they are quite common, so people don't have the time to check. If you go to an electronics store in China with a wad of cash, this is normal. If you go to a store in the US, and you try to pay with 5 $100 bills (or with cash at all), people are going to get very suspicious.
The answer, as always, is to overcomplicate things with needless technology.
There should be a google app on every ipad that can authenticate any bill in the world.
Simply take an image of the bill, click the "is it a ringer?" button and wait.
The image will be uploaded to a google server and checked.
As a bonus, you'll get back a list of the last ten places that serial number was seen.
Fun for all the family, and foolproof until MITM attacks are devised.
In my mind, security is also about context. Years ago, the 100$ bill was paper and by today's account, easy to counterfeit.
If such an article had run in 1986 when the bill's technology was last changed (I think), it would have been a small newspaper article, with some folks wondering if the next bill they came across was real or not. But nothing would have come out of it in the long run. More attempts would be made, as communication in the world was different, investigation was different and the Bank of Canada was modest about its security.
But in this case, the context is way different, and I think the piece of polymer is the expression of it, but not the limit of the context; we have a handful of individuals getting all the media attention, some may actually be traced back, making this a very risky operation. I expect there won't be another attempt at faking $100 bills for a while, because electronic news lingers.
I would not be surprised to learn we've put together a team to rapidly catch these guys. Yet again, too much security? One option would be to just reimburse a few merchants and folks, and concentrate on the really bad guys. Another is to make a media campaign, make sure the public notices policemen's hard work to make sure those pesky smart*** are caught.
And that is context.
I think a good analogy for "too much security" would be vehicles. Seat belts, air bags, etc., significantly reduce the chances that a driver will be killed in an accident. What is not measurable is how many more accidents happen because that sense of security causes drivers to be more careless and easily distracted.
I wonder how safe the roads would be if we stripped all cars of driver side seatbelts and air bags (allow passengers to keep theirs), and instead mounted a spike on the steering wheel aimed at the driver's chest. I bet we'd have the safest roads in the world without speed limits and anti-texting laws.
Now, my last paragraph is in jest. I seriously do not advocate that. But it does illustrate with an extreme example how security introduces incentives/disincentives that can make people less safe.
Onearmedspartan, you can save news links for Friday or you can post them on last Friday's squid post.
"As a non-American I would have guessed that the optical variable ink, along with the raised printing, would have been the easiest ways to check, and the hardest to fake."
It might be true. Yet, what I usually see over here is people check the strip, watermark, marker color or UV light pattern. Maybe one of the reasons why they don't look at the ink pattern is we have several different types of each bill in circulation. In many cases, one looks like a copy of another one. I think it confuses people as to what the appearance should look like so they just use the methods that are easy to remember.
If I find myself in possession of a counterfeit note I have two options:
1) surrender the note to the appropriate authority, and lose the value of the note.
2) try and knowingly offload the "worthless" counterfeit off to the next link in the chain, expecting that no one is really checking. Best case I don't lose anything, worst case I can affect a shocked expression and loop back to 1) or 2).
It's pretty obvious which option most people are going to take most of the time when not under duress. There is simply no value, to me, of voluntarily surrendering a counterfeit note.
Oh, wait - there is a third option:
3) proclaim loudly "hey, cool! I've got a counterfeit note", then frame that sucker and hang it on the wall.
@JonS. ask me about the shoddy ink-jet $20 on my wall.
also, ask me about the genuine, Series 1950, $20 which someone thought was counterfeit and happily traded for a modern example.
@Jake: Ha :D
I meant to add: I personally don't really care whether there's counterfeit notes washing around in the pool of money. My only concern is that someone will accept notes which I tender.
To put that another way, all these uber wonderful security features on modern notes probably have value to someone, but that someone isn't me, and I bet it isn't you either. They're intellectually interesting, but practically meaningless.
The social dynamics of passing counterfeit notes is interesting. If you possess a bill, it is simply not in your interest to check closely if the bill is counterfeit. The person that you are passing the bill to is the person that has an incentive to check the bill.
It's also interesting what happens *after* you find that someone is trying to hand you a counterfeit bill. If you are a bank, you will seize the bill and call the police, because you are legally required to do so. If you are anyone else, the odds are that you will just refuse to accept the bad note, which keeps the bad note in circulation.
This makes it in the interest of the government to make counterfeiting relatively rare. If it is common to come across a counterfeit note, then people won't and really can't call the police each time they get one.
One other clever security protocol I've seen in China. Whenever someone has a cash deposit, then record the serial numbers of the bills that you give them, and when they return the cash deposit, they give you exactly the bills that you gave them.
One reason counterfeiting is common in China is that the highest note is the 100 RMB note which isn't worth that much. It's much rarer in HK, because there are 1000 and 500 HKD notes and the profit margins in counterfeiting those are higher. Most merchants will refuse to accept 1000 HKD notes, which makes this a "counterfeit honeypot".
Basically you create a large note that the counterfeiters focus on, so that the notes that people use for day to day transactions are less profitable to counterfeit.
If I find myself in possession of a counterfeit note I have two options
Actually there is a third that I've used on occasions.
In the UK there were at one point a lot of counterfeit coins, and you would often get given one in change, and because you usually don't have time to check you find it later in your pocket...
So how to get rid of it? Well, you rely on large retail corporations' dislike for adverse publicity...
Most large corporates employ the cheapest labour they can to operate the checkouts, and whilst those operating the tills might check the money they get given by a customer they don't check the money they give back to a customer in change.
Which is a security hole you can exploit quite easily if you can do a little sleight of hand.
You go into one of these places at a busy time and buy an item and pay for it so that you will be given change that will contain the same currency item that you have as a dud.
The cashier gives you your change and in the pretence of checking it you give the cashier back the dud and say "What do you call this you've given me?". If they don't change it then and there you start making a lot of noise and demand to see the manager immediately and if the cashier pauses you pull out your mobile and say "Fine I'll call the police".
Most store managers realise in the blink of an eye that the cheap option is to give you another item of currency because the cost of not doing so is way way higher than not doing so.
As others have noted it's a question of incentives when it comes to counterfeit currency and if you can find a security hole and an appropriate incentive then you win, they lose but only the smaller of the two options. Also the chances are they don't lose because the manager will in all probability just put it back in a till at a later time so some other customer gets it in their change.
Similar situation in Europe with new 5 Euro notes being put in circulation these weeks.
I keep thinking that this would be a good time to try and pay with one of the "new 200 Euro" notes. Everybody knows that there are new-looking notes around, but few will know that the new 200 note has not been introduced yet, and (therefore) nobody knows what they look like or how to check that it's fake.
On the example of vehicles, I vaguely recall hearing about studies of the effectiveness of anti-lock brakes after they were introduced.
IIRC they were found to be safer (less incidents and less bodily harm) but on average, drivers compensated for those safety increases by driving more dangerously, so the net gain was close to zero.
I don't have a handy source for this though, take it with a giant pinch of salt.
Years ago, you may recall, I wrote a comment on bad security in the Harry Potter universe.
In the sixth book, the school is essentially locked down. Anything and anyone going in to the school is checked to make sure it's safe. At one point, Ron Weasley drinks some mead that turns out to be poisoned, and only Harry's quick thinking saves his life.
The mead was trusted because it had made it in through the perimeter. However, it turned out the person who had brought it in had brought it through a loophole in the security.
Similarly, the anti-counterfeiting features of Canadian notes are supposed to establish an impenetrable perimeter through which no bogus notes are supposed to be able to pass. So, when one does, because of a hole in the perimeter or some other security failure, no one will bother to submit it to any further checks.
IIRC they were found to be safer (less incidents and less bodily harm) but on average, drivers compensated for those safety increases by driving more dangerously, so the net gain was close to zero.
The studies call this effect "risk homeostasis".
I am reminded of the universal tendency here in the United Kingdom for people to never even as much as glance at the signature on a debit or credit card any more, due to the pervasive assumption that if someone has the PIN to a Chip and PIN card, they must be the owner of the card, even if the actual owner is blonde, petite and female and the person presenting the card is male, 20 stone and bald.
@Renato: When security gets in the way, it's too much. See also TSA, although that falls under Security Theatre rather than actual security.
The real threat is complacency. Why did 9/11 happen? Security personnel became complacent. The rules were in place which should have caught the attackers. Rules weren't followed because of complacency.
Complacency is also a major problem in the IT field of users, admins, and executives. Users don't think much about security because it doesn't affect them. Admins (myself included) get complacent because policies and systems are working at the present time, and executives become complacent for the same reasons the users do -- security issues aren't a daily problem to them.
A bank official told me that the little pens vendors have been selling to detect counterfeit currency for years don't work except on really bad counterfeits someone might make on a consumer grade photocopy machine. Yet, I've seen these used everywhere.
In my entire life I have only been given one obvious counterfeit bill and that was a very poor copy of a $10.00 which I refused to take. The cashier put it back in the cash register and gave it to the next customer, who took it without complaining.