
Sunday, July 15, 2007

Are passwords and codes, available in too many places, enabling crime?

Wired News (Kevin Poulsen) reported another instance where an ATM was easily reprogrammed to think it was dispensing $1 bills instead of $20s.

The same thing happened in Virginia Beach last September.

Wired News reports:

Police in Derry, Pennsylvania are baffled by a June ATM robbery in which an unidentified man wearing flip flops and shorts strolled into Mastrorocco's Market and reprogrammed the cash machine to think it was dispensing dollar bills when it was actually spewing twenties.

In this instance, the factory code not removed from the ATM was "123456" and programming manuals are available on-line.

Wired story, here.

Of course, the ATM company in the article accepts no liability. Somewhere in their technical manual, they warned the buyer to remove the code.

Unfortunately, this doesn't only apply to ATM machines, and it's not the first time I've seen a factory code as simple as "123456."

Hackers love to target people who forget to change default codes. The reason is that it is easy, and a surprising number of businesses fail to change them.

In the technology-driven society of today, default codes are put into cell phones, point-of-sale equipment, alarm systems, and even safes. The list of devices using codes or passwords could go on and on.

I even found instructions on how to hack a soda machine, using their default code on Google. As a matter of fact, besides technical manuals posting their default codes online, hackers seem more than happy to share this kind of information and post it (online), also.

In many of the data breaches we read about too frequently, default codes or weak passwords might have enabled hackers to breach a system containing financial information. Visa listed this as one of the top three vulnerabilities in point-of-sale systems in a November CISP bulletin.

If you are interested you can read Visa's CISP bulletin regarding this, here.

The bulletin is focused on merchant systems, and not banking ones. Does that mean there are no vulnerabilities in banking systems?

Of course, most of the information from banks is stolen via phishing -- where a person is tricked into giving up their information (passwords highly desirable) by social engineering methods, or more and more frequently -- (at least according to the last APWG report) by downloading malware (crimeware). When malware is downloaded, no more human interface is needed, and the information is stolen (normally with keylogging software).

Maybe, we are making it too easy to hack systems? Whether we call it a code, or a password, both of these are used to open something. Essentially, they are a key, which opens up the lock of whatever you are trying to keep locked (secure). Is the problem that we've created too many different keys?

At least with keys, you have to go to a little more trouble to duplicate them. It's hard to post them online, and a little more difficult to write them down, or even memorize them.

My best advice to the less technical people out there -- dealing with layers of passwords, or default codes -- is to read the technical manuals carefully. It might also be a good idea to consult with the salesperson selling you the device on how to make it 100 percent secure.

Of course, it also might be a good idea, to see what is being posted online and not to hand out your keys to the wrong person.

I recently did a post on Dariusz Grabowski, a Polish immigrant, who describes himself as the "eBay king of stolen cars." As part of his plea bargain agreement, he disclosed information on how he was stealing a lot of cars and made the statement:

"You go online, you find anything you need," Grabowski told the investigators in the videotaped interview. "You can go on eBay at this point and purchase any of the equipment you need. Of course, I might pick this up easier than other people."

Maybe if some of the people selling the devices protected the keys a little better, the information wouldn't be so easily picked up?

R. Lee Ermey, who played Senior Drill Instructor Gunnery Sergeant Hartman in Full Metal Jacket, might have said it best in a scene from the now classic movie.


Courtesy of YouTube and Warner Home Video

Sunday, March 04, 2007

It pays to be observant when paying with your credit card

Dishonest employees at your local restaurant, or store might be making a little spending money selling your card information. Leaving your card unattended (even for a couple of seconds) can make you a victim.

An interesting video on YouTube (posted by kamranakhtar) shows why.

YouTube video, here.

This video was first shown on the TechEBlog, as far as I can tell.

Wednesday, October 25, 2006

Are RFID Credit Cards Safe?

The RFID ConsortiUm for Security and Privacy (CUSP) has issued a study about vulnerabilities in first-generation RFID-enabled credit cards.

In their blog, Ari Juels writes:

Consumers in the United States today carry some twenty million or so credit cards and debit cards equipped with RFID (Radio-Frequency IDentification) chips. RFID chips communicate transaction data over short distances via radio. They eliminate the need to swipe cards or hand them to merchants. Consumers can instead make payments simply by waving their cards—or even just their wallets—near point-of-sale terminals.

While appealing to both consumers and merchants, the convenience of RFID credit cards has a flip side. What a legitimate merchant terminal can read, a malicious scanning device can also read without a consumer’s consent or knowledge. RFID credit cards therefore call for particularly careful security design.

Blog post, here.

In a "nutshell," the study warns that current RFID credit cards are vulnerable to having the identities of the cardholder scanned from afar and the information could also be used in credit/debit card skimming.

They also state that this can be accomplished without great technical difficulty and that "slightly stronger data protections and cryptography would largely prevent the problems they discovered."

The study admits that "card skimming" is already a big problem, therefore these cards are unlikely to change anything that isn't already going on.

My question is when will we start developing technology that will protect the consumer instead of developing technology that will "probably" add to the problem?

There is an interesting demonstration posted by RFID-CUSP on YouTube about this, here.

Here is a previous post, I did on RFID:

RFID, A Necessary Evil; or an Invasion of Privacy?

Friday, October 28, 2005

RFID, A Necessary Evil; or an Invasion of Privacy?

With the State Department's (United States) announcement of adding RFID (Radio Frequency ID) chips to passports, the controversies surrounding this technology are again making headlines. Please note that other countries, especially in the European Union are also implementing RFID technology for identification purposes.

The Pakistan Passport Authority is already using RFID tags in its passports. This might be an interesting place to study its effectiveness because Pakistan seems to continue to be a sanctuary for terrorists and is known to be an origin and transshipment point for a lot of drug smuggling.

In recent years, RFID has been the "buzz word" in the security industry; however, there are those that challenge its long-term effectiveness. There are also those who fear that it will be abused, violating our rights to privacy, and even others from the religious community, who fear RFID is the mark of the beast mentioned in the Book of Revelation (Revelation 13:16).

The definition of RFID in Wikipedia is "an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders. An RFID tag is a small object that can be attached to or incorporated into a product, animal, or person. RFID tags contain antennas to enable them to receive and respond to radio-frequency queries from an RFID transceiver. Passive tags require no internal power source, whereas active tags require a power source."

The proverbial question is: is RFID a necessary means of protecting ourselves, or in the end will the technology be abused to violate privacy, as spyware and adware have already done?

This technology has been around for a while. Currently, Wal-Mart and the United States Department of Defense are using this technology to manage their supply chains, as well as to prevent pilferage and theft. With decreasing costs, we can expect to see a lot more of this technology deployed by both the private and public sectors in the near term.

Besides being used for identification, RFID tags are being used as quick pay devices for fuel and tolls, theft tracking devices, to track animals and there have even been some implanted in humans.

One of the security concerns already raised is that if the ability to read the tags is too universal, they could pose a risk to personal location privacy, especially in corporate/military environments. Another concern being raised by privacy groups is RFID devices embedded in products (and not removed at purchase) that could be tracked from great distances. Because of this, they could be used for so-called "marketing" purposes, which invade personal privacy.

There are also concerns that these "tags" could be cloned.

If these tags could be cloned, they could be used in producing false identification, which is alarming considering the technology is being used for high security applications like "proximity cards used to access secure facilities, or vehicle immobilizer anti-theft systems which use an RFID tag embedded in the vehicle key. It is also a problem when RFID is used for payment systems, such as contactless credit cards (Blink, ExpressPay), the ExxonMobil Speedpass, and even in RFID enhanced casino chips."

"With wireless technology, RFID tags can be scanned from afar. Because of this, there is even more potential for abuse than the reencoding of magnetic stripe technology. There are defenses built into these tags, which fall into two categories. There are those use "cryptographic protocols. A typical example of the "RF-based" defense relies on the fact that passive RFID tags can only be activated by a reader in close proximity, due to the limited transmission range of the magnetic field used to power the tag. RFID manufacturers and customers occasionally cite this limitation as a security feature which (intentionally or otherwise) has the effect of limiting scanning range. However, while this approach may be successful against direct tag scanning, it does not necessarily prevent "eavesdropping" attacks, in which an attacker overhears a tag's response to a nearby, authorized reader. Under ideal conditions, these attacks have proven successful against some RFID tags at a range of more than sixty feet."

"A second class of defense uses cryptography to prevent tag cloning. Some tags use a form of "rolling code" scheme, wherein the tag identifier information changes after each scan, thus reducing the usefulness of observed responses. More sophisticated devices engage in challenge-response protocols where the tag interacts with the reader. In these protocols, secret tag information is never sent over the insecure communication channel between tag and reader. Rather, the reader issues a challenge to the tag, which responds with a result computed using a cryptographic circuit keyed with some secret value. Such protocols may be based on symmetric or public key cryptography. Cryptographically-enabled tags typically have dramatically higher cost and power requirements than simpler equivalents, and as a result, deployment of these tags is much more limited. This cost/power limitation has led some manufacturers to implement cryptographic tags using substantially weakened, or proprietary encryption schemes, which do not necessarily resist sophisticated attack."
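The difference between a fixed identifier and the challenge-response scheme described above, as an added example that is not part of the original post or the quoted text. HMAC-SHA256, the tag identifier and all names are assumptions chosen for illustration, not what any particular tag uses.

```python
import hashlib
import hmac
import secrets

TAG_ID = b"TAG-0001"  # constructed sample identifier


class StaticTag:
    """Answers every query with the same identifier (no cryptography)."""

    def respond(self, challenge: bytes) -> bytes:
        return TAG_ID  # the challenge is ignored


class ChallengeResponseTag:
    """Holds a secret key and only ever sends a MAC over the reader's challenge."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, TAG_ID + challenge, hashlib.sha256).digest()


def reader_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Reader recomputes the MAC for the challenge it issued and compares."""
    expected = hmac.new(key, TAG_ID + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def replay_outcomes() -> dict:
    key = secrets.token_bytes(32)  # shared at enrolment, never transmitted
    static_tag, cr_tag = StaticTag(), ChallengeResponseTag(key)

    # Session 1: a legitimate read whose radio traffic is overheard.
    first = secrets.token_bytes(16)
    heard_static = static_tag.respond(first)
    heard_cr = cr_tag.respond(first)

    # Session 2: the reader issues a fresh challenge; the recorded answers
    # are presented again instead of a live tag's answer.
    fresh = secrets.token_bytes(16)
    return {
        "static_replay_accepted": hmac.compare_digest(heard_static, TAG_ID),
        "cr_replay_accepted": reader_verify(key, fresh, heard_cr),
        "cr_live_tag_accepted": reader_verify(key, fresh, cr_tag.respond(fresh)),
    }


if __name__ == "__main__":
    print(replay_outcomes())
```

The recorded fixed identifier is still valid in the second session, while the recorded MAC fails because it was computed over a challenge the reader no longer accepts.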

Last, but not least, there are "social" factors to be considered. Even with the best technology available, we have seen many technologies "hacked" that are supposed to protect us today. In the past couple of years, we have also seen massive data intrusions, many of which were accomplished by simple theft and/or insider collusion.

In fact, a lot of the organized gangs committing fraud today have access to a lot of displaced "highly educated" computer scientists, who already assist them in hacking technology at every turn for their criminal purposes. This is especially true of the area formerly known as the Soviet Union, where a lot of these gangs are based.

One of the reasons we are considering this technology is certainly the 9-11 attacks. We can implement the best technology available; however, unless it is worldwide, the "bad and the ugly" will be able to obtain identification based on other identification. In fact, several of the 9-11 attackers did just this in Virginia. In other words, it probably wouldn't have made any difference if RFID technology was in place in the 9-11 disaster.

Technology is merely a tool. Even though it continues to amaze me at how quickly it advances, it doesn't replace the human mind. While RFID technology is a tool to use for our protection, we must continue to examine whether or not it has potential for abuse.