18-Dec-86 11:36:35-PST,5906;000000000001
Mail-From: NEUMANN created at 18-Dec-86 11:34:07
Date: Thu 18 Dec 86 11:34:06-PST
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS DIGEST 4.32
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest, Thursday, 17 December 1986  Volume 4 : Issue 32

   FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  EXTRA! British Telecom payphone Phonecard broken?

The RISKS Forum is moderated.  Contributions should be relevant, sound, in
good taste, objective, coherent, concise, nonrepetitious.  Diversity is
welcome.  (Contributions to RISKS@CSL.SRI.COM, Requests to
RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.  MAXj:
Summary Contents Vol 1: RISKS-1.46; Vol 2: RISKS-2.57; Vol 3: RISKS-3.92.)

----------------------------------------------------------------------

Date: Thu 18 Dec 86 11:25:17-PST
From: Peter G. Neumann
Subject: EXTRA! British Telecom pay phone Phonecard broken?
To: RISKS@CSL.SRI.COM

Britain is currently just at the tip of an iceberg regarding an apparent
vulnerability in its debit cards for British Telecom pay phones.  The debit
cards can be purchased from all sorts of shops, and come in a range of
denominations such as 5, 10, 40, or 100 calling units.  The system has been
in use for a year or two, and card pay phones are both widely accessible and
very popular.  (If you've ever tried to use coins in a London call box, you
know that it is quite an experience.)  My best guess is that it has a
holographic stripe, and that a destructive write is used effectively to burn
out a part of the hologram corresponding to each message unit -- making it
difficult to ADD units to the card.

Unfortunately, a relatively simple doctoring of the card has been discovered
that threatens the whole scheme, and makes a card indefinitely reusable [at
least until the system is either modified or withdrawn].  An article appeared
as the front-page lead story in The Sunday Post (West Scotland?), 14 December
1986, with the banner headline "DIAL WORLD WIDE FOR NOTHING -- TELECOM HIT BY
'PHONE FRAUD'".  The article notes that the trick was discovered by a British
soldier "fed up with paying a fortune to call his Scottish girlfriend".  The
word is now spreading around British troops, and can be expected to be widely
known in a very short time.  (The newspaper states that they know how it is
done, and have proved that it works.  It cites a variety of calls that they
were able to make without any debit to their card.)

The consequences of the propagation of this trick are awesome to contemplate.
The system was presumably billed as "foolproof".  But "foolproof" is not good
enough against intelligence -- although it should be pointed out that the
card is not a smart-card in the usual sense.  There is no user identification
number required, and no use of encryption.  The AT&T credit card number seems
somewhat safer, as it is quickly revocable on an individual basis.  On the
other hand, the convenience of the BT phone card is certainly appealing.

A challenge is presented to RISKS as to how to handle this situation.  My
philosophy is generally to treat the existence of such cases relatively
openly, in the hopes that those who need to be protected will become wiser
fast enough to act accordingly.  If the vulnerability is about to be
replicated elsewhere, then knowledge of it may stave off disasters in
about-to-emerge applications of the technology.  Thus it seems germane at
least to call your attention to the problem at this time.  On the other hand,
there is a more sensitive question about whether RISKS should divulge
specific details of the vulnerability.  (Indeed, several possible approaches
immediately come to mind, although I do not know the technique that was
allegedly demonstrated.)  Intelligent discussion on this topic is welcomed
here.  Furthermore, if hard knowledge of the penetration method is already
appearing in the British press, then it would seem to be suitable for
inclusion here.  I hope some of our British correspondents will keep us
informed.

We have previously had some discussions in RISKS on whether to address
operating system and network flaws, where it is vital that vulnerabilities be
quickly known to system personnel -- the flaws may already be widely known
elsewhere.  It might be tempting to think that the holocard situation is
small peanuts -- it is only dealing with 10P at a crack.  But that can add up
in a hurry when people discover they have unlimited free dialing.  It might
alternatively be tempting to think that this situation is more sensitive than
computer system security flaws, e.g., because MONEY is involved -- namely
defrauding British Telecom.  But many computer systems control very large
sums of money, and are vulnerable to much greater frauds than pay phone
ripoffs.

At any rate, stay tuned, and let's see what happens.  It is certainly of
concern to RISKS to point out that most such schemes have vulnerabilities
that transcend the set of assumptions made by the designers.  This appears
to be a case in point.  There are also risks in smart-cards (widely used in
France), although the frauds are not quite so easy to perpetrate.

[Thanks to Donn Parker for having brought back with him a copy of the Sunday
Post whose presence all over a newspaper kiosk caught his eye as he was
leaving for his flight back from London on Sunday.  It is pure coincidence, I
guess, that he travels the world hunting down and consulting on computer
related crime!]

------------------------------

End of RISKS-FORUM Digest
************************
-------