Entries Tagged "UK"


Shell Suspends Chip & Pin in the UK

According to the BBC:

Petrol giant Shell has suspended chip-and-pin payments in 600 UK petrol stations after more than £1m was siphoned out of customers’ accounts.

This is just sad:

“These Pin pads are supposed to be tamper resistant, they are supposed to shut down, so that has obviously failed,” said Apacs spokeswoman Sandra Quinn.

She said Apacs was confident the problem was specific to Shell and not a systemic issue.

A Shell spokeswoman said: “Shell’s chip-and-pin solution is fully accredited and complies with all relevant industry standards.”

That spokesperson simply can’t conceive of the fact that those “relevant industry standards” were written by those trying to sell the technology, and might possibly not be enough to ensure security.

And this is just after APACS (that’s the Association of Payment Clearing Services, by the way) reported that chip-and-pin technology reduced fraud by 13%.

Good commentary here. See also this article. Here’s a chip-and-pin FAQ from February.

EDITED TO ADD (5/8): Arrests have been made. And details emerge:

The scam works by criminals implanting devices into chip and pin machines which can copy a bank card’s magnetic strip and record a person’s pin number.

The device cannot copy the chip, which means any fake card can only be used in machines where chip and pin is not implemented – often abroad.

This is a common attack, one that I talk about in Beyond Fear: falling back to a less secure system. The attackers made use of the fact that there is a less secure system that is running parallel to the chip-and-pin system. Clever.
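The pattern described above, a chip card's stripe being used where the chip is never consulted, is something an issuer can look for at authorisation time. The following is an added example written for this page; it is not code from the original post, from Shell, or from any card network or issuer, and the field names, the card profiles and the sample authorisations are all constructed for the demonstration. It keys on the one fact the attack depends on: a chip-issued card arriving through the parallel, weaker stripe channel.

```python
"""Issuer-side rule for the "fallback to the less secure system" pattern.
Added example; the record layout and all sample data below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class CardProfile:
    pan_token: str          # tokenised card number (constructed value)
    chip_issued: bool       # the issuer knows whether this card carries a chip
    home_country: str


@dataclass(frozen=True)
class AuthRequest:
    pan_token: str
    entry_mode: str         # "chip" or "magstripe" (any stripe read, fallback included)
    terminal_chip_capable: bool
    terminal_country: str
    amount_pence: int


def assess_fallback(card: CardProfile, req: AuthRequest) -> tuple[str, str]:
    """Classify one authorisation as APPROVE, REVIEW or DECLINE, with a reason.

    The weak spot is not the chip but the stripe channel running beside it,
    so the rule only fires for a chip-issued card arriving through that channel."""
    if req.entry_mode == "chip":
        return "APPROVE", "chip read: card authenticated by the chip"
    if not card.chip_issued:
        return "APPROVE", "stripe-only card: no stronger channel to fall back from"
    # From here on, a chip-issued card was presented as a stripe read.
    if req.terminal_chip_capable:
        # A cloned stripe carries no chip, so at a chip terminal it can only
        # show up as a stripe read; a genuine chip failure looks the same,
        # which is why the policy declines instead of quietly approving.
        return "DECLINE", "chip card presented as stripe at a chip-capable terminal"
    if req.terminal_country != card.home_country:
        return "REVIEW", "chip card presented as stripe abroad at a stripe-only terminal"
    return "REVIEW", "chip card presented as stripe at a stripe-only terminal"


def run_batch(cards, requests):
    """Apply the rule to a batch; returns {pan_token: [(decision, reason), ...]}."""
    profiles = {c.pan_token: c for c in cards}
    out = {}
    for req in requests:
        out.setdefault(req.pan_token, []).append(
            assess_fallback(profiles[req.pan_token], req))
    return out


# Constructed sample data.
SAMPLE_CARDS = [
    CardProfile("tok-chip-1", chip_issued=True, home_country="GB"),
    CardProfile("tok-stripe-1", chip_issued=False, home_country="GB"),
]
SAMPLE_REQUESTS = [
    AuthRequest("tok-chip-1", "chip", True, "GB", 4500),         # ordinary forecourt purchase
    AuthRequest("tok-chip-1", "magstripe", True, "GB", 4500),    # stripe read at a chip terminal
    AuthRequest("tok-chip-1", "magstripe", False, "US", 20000),  # stripe read abroad
    AuthRequest("tok-stripe-1", "magstripe", True, "GB", 1200),  # legitimate stripe-only card
]

if __name__ == "__main__":
    for tok, decisions in run_batch(SAMPLE_CARDS, SAMPLE_REQUESTS).items():
        for decision, reason in decisions:
            print(f"{tok}: {decision} ({reason})")
```

The REVIEW outcome is where the real trade-off lives: declining every stripe transaction abroad would strand legitimate cardholders at terminals that genuinely cannot read chips, so that case goes to a risk queue rather than a hard decline.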

Posted on May 8, 2006 at 12:41 PM

Cubicle Farms are a Terrorism Risk

The British security service MI5 is warning business leaders that their offices are probably badly designed against terrorist bombs. The common modern office consists of large rooms without internal walls, which puts employees at greater risk in the event of terrorist bombs.

From The Scotsman:

The trend towards open-plan offices without internal walls could put employees at increased risk in the event of a terrorist bomb, MI5 has warned business leaders. The advice comes as the Security Service steps up its advice to companies on how to prepare for an attack. MI5 has produced a 40-page leaflet, “Protecting Against Terrorism”, which will be distributed to large businesses and public-sector bodies across Britain. Among the guidance in the pamphlet is that bosses should consider the security implications of getting rid of internal walls.

Open-plan offices are increasingly popular as businesses seek to improve communication and cooperation between employees. But MI5 points out that there are potential risks, too. “If you are converting your building to open-plan accommodation, remember that the removal of internal walls reduces protection against blast and fragments,” the leaflet says.

All businesses should make contingency plans for keeping staff safe in the event of a bomb attack, the Security Service advises. Instead of automatically evacuating staff, companies are recommended to gather workers in a designated “protected space” until the location of the bomb can be confirmed. “Since glass and other fragments may kill or maim at a considerable distance from the centre of a large explosion, moving staff into protected spaces is often safer than evacuating them on to the streets,” the leaflet cautions. Interior rooms with reinforced concrete or masonry walls often make suitable protected spaces, as they tend to remain intact in the event of an explosion outside the building, employers are told. But open-plan offices often lack such places, and can have other effects on emergency planning: “If corridors no longer exist then you may also lose your evacuation routes, assembly or protected spaces, while the new layout will probably affect your bomb threat contingency procedures.” Companies converting to open-plan are told to ensure that there is no significant reduction in staff protection, “for instance by improving glazing protection.”

Posted on March 31, 2006 at 5:14 AM

London Rejects Subway Scanners

Rare outbreak of security common sense in London:

London Underground is likely to reject the use of passenger scanners designed to detect weapons or explosives as they are “not practical”, a security chief for the capital’s transport authority said on 14 March 2006.

[…]

“Basically, what we know is that it’s not practical,” he told Government Computing News. “People use the tube for speed and are concerned with journey time. It would just be too time consuming. Secondly, there’s just not enough space to put this kind of equipment in.”

“Finally there’s also the risk that you actually create another target with people queuing up and congregating at the screening points.”

Posted on March 23, 2006 at 1:39 PM

Class Break of Citibank ATM Cards

There seems to be some massive class break against Citibank ATM cards in Canada, the UK, and Russia. I don’t know any details, but the story is interesting. More info here.

EDITED TO ADD (3/6): More info here, here, here, and here.

EDITED TO ADD (3/7): Another news article.

From Jake Appelbaum: “The one unanswered question in all of this seems to be: Why is the new card going to have any issues in any of the affected countries? No one from Citibank was able to provide me with a promise my new card wouldn’t be locked yet again. Pretty amazing. I guess when I get my new card, I’ll find out.”

EDITED TO ADD (3/8): Some more news.

Posted on March 6, 2006 at 2:44 PM

Kent Robbery

Something like 50 million pounds was stolen from a banknote storage depot in the UK. BBC has a good chronology of the theft.

The Times writes:

Large-scale cash robbery was once a technical challenge: drilling through walls, short-circuiting alarms, gagging guards and stationing the get-away car. Today, the weak points in the banks’ defences are not grilles and vaults, but human beings. Stealing money is now partly a matter of psychology. The success of the Tonbridge robbers depended on terrifying Mr Dixon into opening the doors. They had studied their victim. They knew the route he took home, and how he would respond when his wife and child were in mortal danger. It did not take gelignite to blow open the vaults; it took fear, in the hostage technique known as “tiger kidnapping”, so called because of the predatory stalking that precedes it. Tiger kidnapping is the point where old-fashioned crime meets modern terrorism.

Posted on February 27, 2006 at 12:26 PM

Identity Theft in the UK

Recently there was some serious tax credit fraud in the UK. Basically, there is a tax-credit system that allows taxpayers to get a refund for some of their taxes if they meet certain criteria. Politically, this was a major objective of the Labour Party. So the Inland Revenue (the UK version of the IRS) made it as easy as possible to apply for this refund. One of the ways taxpayers could apply was via a Web portal.

Unfortunately, the only details necessary when applying were the applicant’s National Insurance number (the UK version of the Social Security number) and mother’s maiden name. The refund was then paid directly into any bank account specified on the application form. Anyone who knows anything about security can guess what happened. Estimates are that fifteen million pounds has been stolen by criminal syndicates.

The press has been treating this as an issue of identity theft, talking about how criminals went Dumpster diving to get National Insurance numbers and so forth. I have seen very little about how the authentication scheme failed. The system tried—using semi-secret information like NI number and mother’s maiden name—to authenticate the person. Instead, the system should have tried to authenticate the transaction. Even a simple verification step—does the name on the account match the name of the person who should receive the refund—would have gone a long way to preventing this type of fraud.
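What authenticating the transaction rather than the person looks like in practice, as an added example for this page (not the Inland Revenue's code or anything from the original post): the refund is held unless the name on the payee account matches the applicant. The example goes one step beyond the post's single check with an assumed second rule, flagging one bank account that receives refunds for many different applicants, since that is the footprint a syndicate routing claims to its own accounts would leave. The record layout, the account-holder lookup (standing in for a query to the receiving bank) and every sample record are constructed for the demonstration.

```python
"""Transaction-level checks for a pay-refund-to-bank-account workflow.
Added example; the record layout, the holder lookup and all sample data are constructed."""

from collections import defaultdict
import re
import unicodedata

# Assumed policy threshold: more distinct applicants than this paying into one
# account is treated as a syndicate indicator (a joint account allows two).
MAX_APPLICANTS_PER_ACCOUNT = 2


def normalise_name(name: str) -> frozenset[str]:
    """Reduce a personal name to lower-case ASCII tokens so that
    "O'BRIEN, MARY" and "Mary O'Brien" compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z\s,]", "", ascii_name.lower())  # drops ' and - inside names
    return frozenset(cleaned.replace(",", " ").split())


def name_matches(applicant: str, account_holder: str) -> bool:
    """Match when at least a given name and a surname coincide, or the names are identical."""
    a, b = normalise_name(applicant), normalise_name(account_holder)
    return len(a & b) >= 2 or (bool(a) and a == b)


def screen_applications(applications, account_holder_of):
    """Return {application_id: (decision, reasons)}, decision being PAY or HOLD.

    applications: dicts with id, applicant_name, sort_code, account_no.
    account_holder_of: {(sort_code, account_no): holder name}, the assumed lookup."""
    applicants_by_account = defaultdict(set)
    for app in applications:
        applicants_by_account[(app["sort_code"], app["account_no"])].add(
            normalise_name(app["applicant_name"]))

    results = {}
    for app in applications:
        key = (app["sort_code"], app["account_no"])
        reasons = []
        holder = account_holder_of.get(key)
        if holder is None:
            reasons.append("payee account holder could not be verified")
        elif not name_matches(app["applicant_name"], holder):
            reasons.append("payee account holder does not match applicant")
        distinct = len(applicants_by_account[key])
        if distinct > MAX_APPLICANTS_PER_ACCOUNT:
            reasons.append(f"account receives refunds for {distinct} different applicants")
        results[app["id"]] = ("HOLD" if reasons else "PAY", tuple(reasons))
    return results


# Constructed sample data: one genuine claim, one routed to a stranger's account,
# and three different claimants all paid into a single unverifiable account.
SAMPLE_APPLICATIONS = [
    {"id": "A1", "applicant_name": "Mary O'Brien", "sort_code": "20-00-00", "account_no": "11111111"},
    {"id": "A2", "applicant_name": "John Smith",   "sort_code": "20-00-00", "account_no": "22222222"},
    {"id": "A3", "applicant_name": "Alice Brown",  "sort_code": "30-00-00", "account_no": "33333333"},
    {"id": "A4", "applicant_name": "Bob Green",    "sort_code": "30-00-00", "account_no": "33333333"},
    {"id": "A5", "applicant_name": "Carol White",  "sort_code": "30-00-00", "account_no": "33333333"},
]
SAMPLE_ACCOUNT_HOLDERS = {
    ("20-00-00", "11111111"): "O'BRIEN, MARY",
    ("20-00-00", "22222222"): "D PATEL",
}

if __name__ == "__main__":
    screened = screen_applications(SAMPLE_APPLICATIONS, SAMPLE_ACCOUNT_HOLDERS)
    for app_id, (decision, reasons) in screened.items():
        print(app_id, decision, "; ".join(reasons))
```

Neither check needs any secret from the applicant: both are facts about where the money is going, which is exactly why a criminal who has collected NI numbers and maiden names from a bin cannot satisfy them.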

Posted on February 8, 2006 at 3:42 PM

Wireless Dead Drop

Dead drops have gone high tech:

Russia’s Federal Security Service (FSB) has opened an investigation into a spying device discovered in Moscow, the service said Monday.

The FSB said it had confiscated a fake rock containing electronic equipment used for espionage on January 23, and had uncovered a ring of four British spies who worked under diplomatic cover, funding human rights organizations operating in Russia.

BBC had this to say:

The old idea of the dead-drop (‘letterboxes’ the British tend to call them) – by the oak tree next to the lamppost in such-and-such a park etc – has given way to hand-held computers and short-range transmitters.

Just transmit your info at the rock and your ‘friends’ will download it next day. No need for codes and wireless sets at midnight anymore.

Transferring information to and from spies has always been risky. It’s interesting to see modern technology help with this problem.

Phil Karn wrote to me in e-mail:

My first reaction: what a clever idea! It’s about time spycraft went hi-tech. I’d like to know if special hardware was used, or if it was good old 802.11. Special forms of spread-spectrum modulation and oddball frequencies could make the RF hard to detect, but then your spies run the risk of being caught with highly specialized hardware. 802.11 is almost universal, so it’s inherently less suspicious. Randomize your MAC address, change the SSID frequently and encrypt at multiple layers. Store sensitive files encrypted, without headers, in the free area of a laptop’s hard drive so they’re not likely to be found in forensic analysis. Keep all keys physically separate from encrypted data.

Even better, hide your wireless dead drop in plain sight by making it an open, public access point with an Internet connection so the sight of random people loitering with open laptops won’t be at all unusual.

To keep the counterespionage people from wiretapping the hotspot’s ISP and performing traffic analysis, hang a PC off the access point and use it as a local drop box so the communications in question never go to the ISP.

I am reminded of a dead drop technique used by, I think, the 9/11 terrorists. They used Hotmail (or some other anonymous e-mail service) accounts, but instead of e-mailing messages to each other, one would save a message as “draft” and the recipient would retrieve it from the same account later. I thought that was pretty clever, actually.

Posted on January 31, 2006 at 7:17 AM

New Zealand Espionage History

This is fascinating:

Among the personal papers bequeathed to the nation by former Prime Minister David Lange is a numbered copy of a top secret report from the organisation that runs the ‘spy domes’ at Waihopai and Tangimoana. It provides an unprecedented insight into how espionage was conducted 20 years ago.

[…]

Much of the GCSB’s work involved translating and analysing communications intercepted by other agencies, “most of the raw traffic used … (coming) from GCHQ/NSA sources”, the British and US signals intelligence agencies.

Its report says “reporting on items of intelligence derived from South Pacific telex messages on satellite communications links was accelerated during the year.

“A total of 171 reports were published, covering the Solomons, Fiji, Tonga and international organisations operating in the Pacific. The raw traffic for this reporting was provided by NSA (the US National Security Agency).”

The GCSB also produced 238 intelligence reports on Japanese diplomatic cables, using “raw traffic from GCHQ/NSA sources”. This was down from the previous year: “The Japanese government implementation of a new high grade cypher system seriously reduced the bureau’s output.” For French government communications, the GCSB “relied heavily on (British) GCHQ acquisition and forwarding of French Pacific satellite intercept”.

The report lists the Tangimoana station’s targets in 1985-86 as “French South Pacific civil, naval and military; French Antarctic civil; Vietnamese diplomatic; North Korean diplomatic; Egyptian diplomatic; Soviet merchant and scientific research shipping; Soviet Antarctic civil; Soviet fisheries; Argentine naval; Non-Soviet Antarctic civil; East German diplomatic; Japanese diplomatic; Philippine diplomatic; South African Armed Forces; Laotian diplomatic (and) UN diplomatic.”

The station intercepted 165,174 messages from these targets, “an increase of approximately 37,000 on the 84/85 figure. Reporting on the Soviet target increased by 20% on the previous year”.

Posted on January 25, 2006 at 12:58 PM

ID Cards and ID Fraud

Unforeseen security effects of weak ID cards:

It can even be argued that the introduction of the photocard licence has encouraged ID fraud. It has been relatively easy for fraudsters to obtain a licence, but because it looks and feels like ‘photo ID’, it is far more readily accepted as proof of identity than the paper licence is, and can therefore be used directly as an ID document or to support the establishment of stronger fraudulent ID, particularly in countries familiar with ID cards in this format, but perhaps unfamiliar with the relative strengths of British ID documents.

During the Commons ID card debates this kind of process was described by Tory MP Patrick Mercer, drawing on his experience as a soldier in Northern Ireland, where photo driving licences were first introduced as an anti-terror measure. This “quasi-identity card… I think—had a converse effect to that which the Government sought… anybody who had such a card or driving licence on their person had a pass, which, if shown to police or soldiers, gave them free passage. So, it had precisely the opposite effect to that which was intended.”

Effectively – as security experts frequently point out – apparently stronger ID can have a negative effect in that it means that the people responsible for checking it become more likely to accept it as conclusive, and less likely to consider the individual bearing it in any detail. A similar effect has been observed following the introduction of chip and PIN credit cards, where ownership of the card and knowledge of the PIN is now almost always viewed as conclusive.

Posted on December 30, 2005 at 1:51 PM

Vehicle Tracking in the UK

Universal automobile surveillance is coming:

Britain is to become the first country in the world where the movements of all vehicles on the roads are recorded. A new national surveillance system will hold the records for at least two years.

Using a network of cameras that can automatically read every passing number plate, the plan is to build a huge database of vehicle movements so that the police and security services can analyse any journey a driver has made over several years.

The network will incorporate thousands of existing CCTV cameras which are being converted to read number plates automatically night and day to provide 24/7 coverage of all motorways and main roads, as well as towns, cities, ports and petrol-station forecourts.

By next March a central database installed alongside the Police National Computer in Hendon, north London, will store the details of 35 million number-plate “reads” per day. These will include time, date and precise location, with camera sites monitored by global positioning satellites.

As The Independent opines, this is only the beginning:

The new national surveillance network for tracking car journeys, which has taken more than 25 years to develop, is only the beginning of plans to monitor the movements of all British citizens. The Home Office Scientific Development Branch in Hertfordshire is already working on ways of automatically recognising human faces by computer, which many people would see as truly introducing the prospect of Orwellian street surveillance, where our every move is recorded and stored by machines.

Although the problems of facial recognition by computer are far more formidable than for car number plates, experts believe it is only a matter of time before machines can reliably pull a face out of a crowd of moving people.

If the police and security services can show that a national surveillance operation based on recording car movements can protect the public against criminals and terrorists, there will be a strong political will to do the same with street cameras designed to monitor the flow of human traffic.

I’ve already written about the security risks of what I call “wholesale surveillance.” Once this information is collected, it will be misused, lost, and stolen. It will be filled with errors. The problems and insecurities that come from living in a surveillance society more than outweigh any crimefighting (and terrorist-fighting) advantages.

Posted on December 22, 2005 at 2:41 PM
