Entries Tagged "authentication"

Page 27 of 27

Canadian Airport Security Loses Uniforms

From CBC News:

1,127 uniform items belonging to Canadian airport screeners were lost or stolen in a nine-month period.

I’m not sure if this is an interesting story or not. We know that a uniform isn’t necessarily a reliable authentication tool, yet we use them anyway.

Losing 1,127 uniforms is bad, because they can be used to impersonate officials. But even if the 1,127 uniforms are found, they can be faked. Can you tell the difference between a legitimate uniform and a decent fake? I can’t.

The real story is the informal nature of most of our real-world authentication systems, and how they can be exploited.

I wrote about this in Beyond Fear (page 199):

Many authentication systems are even more informal. When someone knocks on your door wearing an electric company uniform, you assume she’s there to read the meter. Similarly with deliverymen, service workers, and parking lot attendants. When I return my rental car, I don’t think twice about giving the keys to someone wearing the correct color uniform. And how often do people inspect a police officer’s badge? The potential for intimidation makes this security system even less effective.

Uniforms are easy to fake. In the wee hours of the morning on 18 March 1990, two men entered the Isabella Stuart Gardner Museum in Boston disguised as policemen. They duped the guards, tied them up, and proceeded to steal a dozen paintings by Rembrandt, Vermeer, Manet, and Degas, valued at $300 million. (Thirteen years later, the crime is still unsolved and the art is still missing.) During the Battle of the Bulge in World War II, groups of German commandos operated behind American lines. Dressed as American troops, they tried to deliver false orders to units in an effort to disrupt American plans. Hannibal used the same trick—to greater success—dressing up soldiers who were fluent in Latin in the uniforms of Roman officials and using them to open city gates.

Spies actually take advantage of this authentication problem when recruiting agents. They sometimes recruit a spy by pretending to be working for some third country. For example, a Russian agent working in the U.S. might not be able to convince an American to spy for Russia, but he can pretend to be working for France and might be able to convince the person to spy for that country. This is called “false flag recruitment.” How’s the recruit going to authenticate the nationality of the person he’s spying for?

There’s some fascinating psychology involved in this story. We all authenticate using visual cues, and official uniforms are a big part of that. (When a policeman, or an employee from the local electric company, comes to your door and asks to come in, how to you authenticate him? His uniform and his badge or ID.)

Posted on December 29, 2004 at 8:37 AMView Comments

Phishing by Cell Phone

From an alert reader:

I don’t know whether to tell you, or RISKS, or the cops, but I just received an automated call on my cellphone that asked for the last four digits of my Social Security number. The script went:

Hello! This is not a solicitation! We have an important message for J-O-H-N DOE (my first name was spelled out, but the last name was pronounced). If this is J-O-H-N Doe, Press 1 now!

(after pressing 1:)

For your security, please enter the last four digits of your Social Security Number!

I have no idea who it was, because I’ll be—damned—if I’d give out ANY digits of my SSN to an unidentified party. My cell’s display is broken so I’m not sure whether there was any caller ID information on it, but I also know that can be forged. What company expects its customers to give up critical data like that during an unidentified, unsolicited call?

Sadly, there probably are well-meaning people writing automatic telephone scripts that ask this sort of question. But this could very well be a phishing scheme: someone trying to trick the listener into divulging personal information.

In general, my advice is to not divulge this sort of information when you are called. There’s simply no way to verify who the caller is. Far safer is for you to make the call.

For example, I regularly receive calls from the anti-fraud division of my credit card company checking up on particular charges. I always hang up on them and call them back, using the phone number on the back of my card. That gives me more confidence that I’m speaking to a legitimate representative of my credit card company.

Posted on December 7, 2004 at 1:58 PMView Comments

Hacking Faxes

Prisoner is freed from jail based on a forged fax:

In West Memphis District Court yesterday, Tristian Wilson was set to appear on the docket for a bond hearing on the charges. When he did not appear, Judge William “Pal” Rainey inquired about his release and found that a jail staff member released Wilson by the authority of a fax sent to the jail late Saturday night.

According to Assistant Chief Mike Allen, a fax was sent to the jail which stated “Upon decision between Judge Rainey and the West Memphis Police Department CID Division Tristian Wilson is to be released immediately on this date of October 30, 2004 with a waiver of all fines, bonds and settlements per Judge Rainey and Detective McDugle.”

Jail Administrator Mickey Thornton said that these faxes are part of a normal routine for the jail when it comes to releasing prisoners, however, this fax was different.

Faxes are fascinating. They’re treated like original documents, but lack any of the authentication mechanisms that we’ve developed for original documents: letterheads, watermarks, signatures. Most of the time there’s no problem, but sometimes you can exploit people’s innate trust in faxes to good effect.

Posted on November 8, 2004 at 7:12 AMView Comments

1 25 26 27

Sidebar photo of Bruce Schneier by Joe MacInnis.