Entries Tagged "theft"

Page 18 of 21

Expensive Cameras in Checked Luggage

This is a blog post about the problems of being forced to check expensive camera equipment on airplanes:

Well, having lived in Kashmir for 12+ years I am well accustomed to this type of security. We haven’t been able to have hand carries since 1990. We also cannot have batteries in any of our equipment checked or otherwise. At least we have been able to carry our laptops on and recently been able to actually use them (with the batteries). But, if things keep moving in this direction, and I’m sure it will, we need to start thinking now about checking our cameras and computers and how to do it safely.
This is a very unpleasant idea. Two years ago I ordered a Canon 20D and had it “hand carried” over to meet me in England by a friend. My friend put it in their checked bag. The bag never showed up. She did not have insurance and all I got $100 from British Airways for the camera and $500 from American Express (buyers protection) that was it. So now it looks as if we are going to have to check our cameras and our computers involuntarily. OK here are a few thoughts.

Pretty basic stuff, and we all know about the risks of putting expensive stuff in your checked luggage.

The interesting part is one of the blog comments, about halfway down. Another photographer wonders if the TSA rules for firearms could be extended to camera equipment:

Why not just have the TSA adopt the same check in rules for photographic and video equipment as they do for firearms?

All firearms must be in checked baggage, no carry on.

All firearms must be transported in a locked, hard sided case using a non-TSA approved lock. This is to prevent anyone from opening the case after its been screened.

After bringing the equipment to the airline counter and declaring and showing the contents to the airline representative, you take it over to the TSA screening area where it it checked by a screener, relocked in front of you, your key or keys returned to you (if it’s not a combination lock) and put directly on the conveyor belt for loading onto the plane.

No markings, stickers or labels identifying what’s inside are put on the outside of the case or, if packed inside something else, the bag.

Might this solve the problem? I’ve never lost a firearm when flying.

Then someone has the brilliant suggestion of putting a firearm in your camera-equipment case:

A “weapons” is defined as a rifle, shotgun, pistol, airgun, and STARTER PISTOL. Yes, starter pistols – those little guns that fire blanks at track and swim meets – are considered weapons…and do NOT have to be registered in any state in the United States.

I have a starter pistol for all my cases. All I have to do upon check-in is tell the airline ticket agent that I have a weapon to declare…I’m given a little card to sign, the card is put in the case, the case is given to a TSA official who takes my key and locks the case, and gives my key back to me.

That’s the procedure. The case is extra-tracked…TSA does not want to lose a weapons case. This reduces the chance of the case being lost to virtually zero.

It’s a great way to travel with camera gear…I’ve been doing this since Dec 2001 and have had no problems whatsoever.

I have to admit that I am impressed with this solution.

Posted on September 22, 2006 at 12:17 PMView Comments

Screaming Cell Phones

Cell phone security:

Does it pay to scream if your cell phone is stolen? Synchronica, a mobile device management company, thinks so. If you use the company’s Mobile Manager service and your handset is stolen, the company, once contacted, will remotely lockdown your phone, erase all its data and trigger it to emit a blood-curdling scream to scare the bejesus out of the thief.

The general category of this sort of security countermeasure is “benefit denial.” It’s like those dye tags on expensive clothing; if you shoplift the clothing and try to remove the tag, dye spills all over the clothes and makes them unwearable. The effectiveness of this kind of thing relies on the thief knowing that the security measure is there, or is reasonably likely to be there. It’s an effective shoplifting deterrent; my guess is that it will be less effective against cell phone thieves.

Remotely erasing data on stolen cell phones is a good idea regardless, though. And since cell phones are far more often lost than stolen, how about the phone calmly announcing that it is lost and it would like to be returned to its owner?

Posted on September 21, 2006 at 12:12 PMView Comments

Burglars Foil Alarm Systems

Clever trick:

Their scheme: Cut a closed store’s phone lines. Hang back while cops respond to the alarm. After officers fail to spot anything wrong and drive away, break into the store and spend as much time as they need to make off with a weekend’s worth of cash.

And one I wrote about in Beyond Fear (page 56):

Attackers commonly force active failures specifically to cause a larger system to fail. Burglars cut an alarm wire at a warehouse and then retreat a safe distance. The police arrive and find nothing, decide that it’s an active failure, and tell the warehouse owner to deal with it in the morning. Then, after the police leave, the burglars reappear and steal everything.

Posted on September 13, 2006 at 11:10 AMView Comments

Technological Arbitrage

This is interesting. Seems that a group of Sri Lankan credit card thieves collected the data off a bunch of UK chip-protected credit cards.

All new credit cards in the UK come embedded come with RFID chips that contain different pieces of user information, in order to access the account and withdraw cash the ATMs has to verify both the magnetic strip and the RFID tag. Without this double verification the ATM will confiscate the card, and possibly even notify the police.

They’re not RFID chips, they’re normal smart card chips that require physical contact—but that’s not the point.

They couldn’t clone the chips, so they took the information off the magnetic stripe and made non-chip cards. These cards wouldn’t work in the UK, of course, so the criminals flew down to India where the ATMs only verify the magnetic stripe.

Backwards compatibility is often incompatible with security. This is a good example, and demonstrates how criminals can make use of “technological arbitrage” to leverage compatibility.

EDITED TO ADD (8/9): Facts corrected above.

Posted on August 9, 2006 at 6:32 AMView Comments

iPod Thefts

What happens if you distribute 50 million small,valuable, and easily sellable objects into the hands of men, women, and children all over the world, and tell them to walk around the streets with them? Why, people steal them, of course.

“Rise in crime blamed on iPods”, yells the front page of London’s Metro. “Muggers targeting iPod users”, says ITV. This is the reaction to the government’s revelation that robberies across the UK have risen by 8 per cent in the last year, from 90,747 to 98,204. The Home Secretary, John Reid, attributes this to the irresistible lure of “young people carrying expensive goods, such as mobile phones and MP3 players”. A separate British Crime Survey, however, suggests robbery has risen by 22 per cent, to 311,000.

This shouldn’t come as a surprise, just as it wasn’t a surprise in the 1990s when there was a wave of high-priced sneaker thefts. Or that there is also a wave of laptop thefts.

What to do about it? Basically, there’s not much you can do except be careful. Muggings have long been a low-risk crime, so it makes sense that we’re seeing an increase in them as the value of what people are carrying on their person goes up. And people carrying portable music players have an unmistakable indicator: those ubiquitous ear buds.

The economics of this crime are such that it will continue until one of three things happens. One, portable music players become much less valuable. Two, the costs of the crime become much higher. Three, society deals with its underclass and gives them a better career option than iPod thief.

And on a related topic, here’s a great essay by Cory Doctorow on how Apple’s iTunes copy protection screws the music industry.

EDITED TO ADD (8/5): Eric Rescorla comments.

Posted on July 31, 2006 at 7:05 AMView Comments

Getting a Personal Unlock Code for Your O2 Cell Phone

O2 is a UK cell phone network. The company gives you the option of setting up a PIN on your phone. The idea is that if someone steals your phone, they can’t make calls. If they type the PIN incorrectly three times, the phone is blocked. To deal with the problems of phone owners mistyping their PIN—or forgetting it—they can contact O2 and get a Personal Unlock Code (PUK). Presumably, the operator goes through some authentication steps to ensure that the person calling is actually the legitimate owner of the phone.

So far, so good.

But O2 has decided to automate the PUK process. Now anyone on the Internet can visit this website, type in a valid mobile telephone number, and get a valid PUK to reset the PIN—without any authentication whatsoever.

Oops.

EDITED TO ADD (7/4): A representitive from O2 sent me the following:

“Yes, it does seem there is a security risk by O2 supplying such a service, but in fact we believe this risk is very small. The risk is when a customer’s phone is lost or stolen. There are two scenarios in that event:

“Scenario 1 – The phone is powered off. A PIN number would be required at next power on. Although the PUK code will indeed allow you to reset the PIN, you need to know the telephone number of the SIM in order to get it – there is no way to determine the telephone number from the SIM or handset itself. Should the telephone number be known the risk is then same as scenario 2.

“Scenario 2 – The phone remains powered on: Here, the thief can use the phone in any case without having to acquire PUK.

“In both scenarios we have taken the view that the principle security measure is for the customer to report the loss/theft as quickly as possible, so that we can remotely disable both the SIM and also the handset (so that it cannot be used with any other SIM).”

Posted on July 3, 2006 at 2:26 PM

Employee Theft at Australian Mint

You’d think a national mint would have better security against insiders.

But Justice Connolly also criticised security at the mint, saying he was amazed a theft on this scale could happen.

The court heard Grzeskowiac, 48, of the southern Canberra suburb of Monash, simply scooped coins from the production line into his pockets before transferring them to his boots or lunchbox in a toilet cubicle.

Over a 10-month period he walked out with an average of $600 a day.

Justice Connolly expressed astonishment that the mint’s security procedures were so lax.

“I find it hard to believe that 150 coins could be concealed in each boot and a person could still walk through the security system,” he said.

Justice Connolly also said he was amazed the mint could give no indication of just how many coins had actually gone missing.

“I would like to think those working at the other mint factory printing $100 notes might be subject to a better system of security,” he said.

Posted on June 27, 2006 at 7:45 AMView Comments

$1M VoIP Scam

Lots of details.

The basic service that Pena provided is not uncommon. Telecommunications brokers often buy long-distance minutes from carriers—especially VoIP carriers—and then re-sell those minutes directly to customers. They make money by marking up the services they buy from carriers.

Pena sold minutes to customers, but rather than buy the minutes, he instead decided to hack into the Internet phone company networks, and route calls over those networks surreptitiously, say prosecutors. So he had to pay virtually no costs for providing phone service.

Posted on June 13, 2006 at 2:15 PMView Comments

Aligning Interest with Capability

Have you ever been to a retail store and seen this sign on the register: “Your purchase free if you don’t get a receipt”? You almost certainly didn’t see it in an expensive or high-end store. You saw it in a convenience store, or a fast-food restaurant. Or maybe a liquor store. That sign is a security device, and a clever one at that. And it illustrates a very important rule about security: it works best when you align interests with capability.

If you’re a store owner, one of your security worries is employee theft. Your employees handle cash all day, and dishonest ones will pocket some of it for themselves. The history of the cash register is mostly a history of preventing this kind of theft. Early cash registers were just boxes with a bell attached. The bell rang when an employee opened the box, alerting the store owner—who was presumably elsewhere in the store—that an employee was handling money.

The register tape was an important development in security against employee theft. Every transaction is recorded in write-only media, in such a way that it’s impossible to insert or delete transactions. It’s an audit trail. Using that audit trail, the store owner can count the cash in the drawer, and compare the amount with what the register. Any discrepancies can be docked from the employee’s paycheck.

If you’re a dishonest employee, you have to keep transactions off the register. If someone hands you money for an item and walks out, you can pocket that money without anyone being the wiser. And, in fact, that’s how employees steal cash in retail stores.

What can the store owner do? He can stand there and watch the employee, of course. But that’s not very efficient; the whole point of having employees is so that the store owner can do other things. The customer is standing there anyway, but the customer doesn’t care one way or another about a receipt.

So here’s what the employer does: he hires the customer. By putting up a sign saying “Your purchase free if you don’t get a receipt,” the employer is getting the customer to guard the employee. The customer makes sure the employee gives him a receipt, and employee theft is reduced accordingly.

There is a general rule in security to align interest with capability. The customer has the capability of watching the employee; the sign gives him the interest.

In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at work:

“When ATM cardholders in the US complained about phantom withdrawals from their accounts, the courts generally held that the banks had to prove fraud. Hence, the banks’ agenda was to improve security and keep fraud low, because they paid the costs of any fraud. In the UK, the reverse was true: The courts generally sided with the banks and assumed that any attempts to repudiate withdrawals were cardholder fraud, and the cardholder had to prove otherwise. This caused the banks to have the opposite agenda; they didn’t care about improving security, because they were content to blame the problems on the customers and send them to jail for complaining. The result was that in the US, the banks improved ATM security to forestall additional losses—most of the fraud actually was not the cardholder’s fault—while in the UK, the banks did nothing.”

The banks had the capability to improve security. In the US, they also had the interest. But in the UK, only the customer had the interest. It wasn’t until the UK courts reversed themselves and aligned interest with capability that ATM security improved.

Computer security is no different. For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don’t have much interest. Features, schedule, and profitability are far more important. Software liabilities will change that. They’ll align interest with capability, and they’ll improve software security.

One last story… In Italy, tax fraud used to be a national hobby. (It may still be; I don’t know.) The government was tired of retail stores not reporting sales and paying taxes, so they passed a law regulating the customers. Any customer having just purchased an item and stopped within a certain distance of a retail store, has to produce a receipt or they would be fined. Just as in the “Your purchase free if you don’t get a receipt” story, the law turned the customers into tax inspectors. They demanded receipts from merchants, which in turn forced the merchants to create a paper audit trail for the purchase and pay the required tax.

This was a great idea, but it didn’t work very well. Customers, especially tourists, didn’t like to be stopped by police. People started demanding that the police prove they just purchased the item. Threatening people with fines if they didn’t guard merchants wasn’t as effective an enticement as offering people a reward if they didn’t get a receipt.

Interest must be aligned with capability, but you need to be careful how you generate interest.

This essay originally appeared on Wired.com.

Posted on June 1, 2006 at 6:27 AMView Comments

1 16 17 18 19 20 21

Sidebar photo of Bruce Schneier by Joe MacInnis.