FNB ATMs Allow Cell Phone Withdrawal

A bank in South Africa recently announced the “breaking news” that a PIN to withdraw cash from an ATM can be sent via SMS to cell phones. Bank cards are not needed in the transaction.

First National Bank (FNB) today announced its latest innovation – a Cash Withdrawal solution using Cellphone Banking. A first in South Africa, Cash Withdrawal will allow FNB Cellphone Banking customers to withdraw cash directly from their FNB transactional account at an FNB ATM without the use of any bank cards.

The bank card is something you have and the PIN you registered with the bank is something you know. Here are some thoughts on how a cell phone compares.

The cell phone is also something you have, but it is better than a card because you probably constantly know its whereabouts. FNB says their customers come into the bank for cash because they have forgotten their wallet at home. Apparently they always have their phone. Imagine a customer walking up to a teller and saying “My name is X and my account is Y but I have forgotten my wallet”; at which point the teller would pick up the phone and dial for X. If the customer’s pocket starts ringing, the teller would continue the transaction. The disadvantage is that phones tend to be fragile and have spotty service. I suspect service will not be an issue at the ATM location because many ATMs are now being deployed with cellular capability instead of POTS (plain old telephone service).

A PIN sent to the phone is something you know. It is better than the card PIN because it can be pushed (to something you have) by the bank and therefore is easily updated. The disadvantage is that phones can end up in multi-user environments yet lack even the most basic multi-user protections. That is probably why the FNB PIN is only valid for 30 seconds. Even if someone were to find an SMS with a PIN on a phone it would very quickly have become invalid. It also is why you might be able to specify that the PIN only be sent by voice (Interactive Voice Response – IVR). I wonder if the bank also revokes used PINs so they are never valid again.

Another disadvantage is that, although you no longer have to register a PIN with the bank, you now have to register a phone number with it. If the bank does not properly secure the process for registering a number, or you do not keep your registered numbers up to date, an attacker can have the bank send them the PIN instead and withdraw cash from your account. Phones are easy to clone and tap, so an attacker could wait at another ATM for a PIN to be sent. The bulletin also mentions logging in to Cellphone Banking from the phone to request a PIN for cash withdrawal. That raises the question of communication security between the phone and the Cellphone Banking interface, as well as protection against account-recovery fraud and social engineering. The login requirement and PIN request may introduce several new threats, including remote or hidden attacks, that the bank card did not face.
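To make the controls discussed in the last two paragraphs concrete (a PIN bound to the registered phone number, a 30-second validity window, revocation after a single use, and a cap on guesses), here is an added illustration in Python. It is not FNB's code and assumes nothing about their system beyond the 30-second window the post mentions; the class, its methods and the sample account and phone number are hypothetical.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 30      # the 30-second validity window FNB describes
MAX_ATTEMPTS = 3          # guesses allowed before the PIN is discarded (assumption)


class WithdrawalPinService:
    """Issues and redeems one-time ATM withdrawal PINs bound to an account's
    registered phone number. Hypothetical illustration, not FNB's system."""

    def __init__(self, registered_phones, clock=time.time):
        self._phones = dict(registered_phones)   # account id -> registered phone
        self._clock = clock                       # injectable so tests can advance time
        self._pending = {}                        # account id -> live PIN record

    def issue(self, account):
        """Create a fresh PIN and return (phone, pin) so the caller can deliver it
        by SMS or IVR to the registered number only. Replaces any earlier PIN."""
        phone = self._phones.get(account)
        if phone is None:
            raise LookupError("account has no registered phone number")
        pin = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG
        self._pending[account] = {
            "pin": pin,
            "expires": self._clock() + PIN_TTL_SECONDS,
            "attempts": 0,
        }
        return phone, pin

    def redeem(self, account, pin):
        """Accept the PIN at most once, only while unexpired and within the
        attempt budget. Every failure path leaves no reusable PIN behind."""
        rec = self._pending.get(account)
        if rec is None:
            return False                          # nothing issued, or already revoked
        if self._clock() > rec["expires"]:
            del self._pending[account]            # expired: revoke
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]            # too many guesses: revoke
            return False
        ok = hmac.compare_digest(rec["pin"], str(pin))   # constant-time compare
        if ok:
            del self._pending[account]            # single use: revoke on success
        return ok
```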

Some might get comfort to know that the concept for ATM withdrawals with a cell phone is not new.

In 2001, NCR announced its Freedom concept, demonstrating the use of a mobile phone or personal digital assistant to obtain cash from a futuristic egg-shaped ATM. With the Freedom concept, mobile devices would replace the magnetic-stripe cards in a consumer’s pocket.

This system differs from many of the original ideas because the phone does not communicate directly with the ATM but instead replaces the bank card as a factor for authentication. It sounds like a good idea, and less revolutionary than a direct connection, but it also introduces many new risks.

GE Hacks Tax Law – Pays Nothing

The NYT reports that GE has hired insiders from the IRS and Congress to tell it how to circumvent tax laws in America.

Its extraordinary success is based on an aggressive strategy that mixes fierce lobbying for tax breaks and innovative accounting that enables it to concentrate its profits offshore. G.E.’s giant tax department, led by a bow-tied former Treasury official named John Samuels, is often referred to as the world’s best tax law firm. Indeed, the company’s slogan “Imagination at Work” fits this department well. The team includes former officials not just from the Treasury, but also from the I.R.S. and virtually all the tax-writing committees in Congress.

This seems like a fun example of an insider attack being leveraged from the outside. Insiders leave an organization and then find they can make a handy profit explaining how to get around all the controls they know or even designed.

EPA Withholds Nuclear Data on CA

Note: San Diego now has a line again like the other cities, although flatter, and the warning at the top of Greg’s lab page has been edited to say “Update: Apologies for the delay. Current data has been restored.”

Greg’s lab provides real-time “California radiation monitoring map”. I just noticed an update with a warning at the top of the main page:

Update: Data for some locations is currently being withheld by the EPA for review. Fresh data for the locations in question will begin to appear once the data is re-cleared for public release.

Access to raw data for some locations is currently unavailable to those who want to monitor time-critical radiation information. San Jose monitoring stops on March 24th. Here is a graph for San Diego, which stops on March 23rd.

San Diego Radiation

The page has two notes, one of which gives the following prediction:

Please be aware that, while there is evidence that traces of fallout from the damaged Fukushima Daiichi nuclear plant in Japan are arriving on U.S. shores, the contribution of these substances at the levels detected to your daily radiation dose is practically nil. The Department of Energy and the EPA continue to monitor the situation carefully, and there is no expectation that harmful amounts of fallout will reach the United States.

That being said, the line only runs for a few days and then stops on the same day that Japan’s nuclear catastrophe was put in a different light by European scientists monitoring data in California.

Austrian scientists have released what appears to be the first clear, independent data concerning radiation levels in the immediate aftermath of the Fukushima radiation leak.

By releasing data from two monitoring stations of the Comprehensive Test Ban Treaty Organization (CTBTO) from Japan and California, researchers from the Central Institute for Meteorology and Geodynamics in Vienna have calculated backwards to estimate the true levels of radiation from Fukushima.

[…]

…Gerhard Wotawa, the lead Austrian researcher, noted that because of the high volume of particles released only during the first four days of the leak, he speculated that further data would reveal an even higher total amount.

“The releases of the volatile radionucleotides, like iodine and cesium, are very likely in the same order of magnitude as happened during the Chernobyl accident,” he told Deutsche Welle, adding that CTBTO member states, like Austria, only received data 72 hours after it was gathered via e-mail and private websites.

Other scientists disagree with this prediction but not definitively. They all say there is a need to review more data. Meanwhile, Japan is reporting more serious leaks detected.

Earlier, officials from the plant’s operator said there was possible damage at reactor number three at the complex, meaning more radioactive contamination may have leaked into the environment.

“It is possible that the pressure vessel containing the fuel rods in the reactor is damaged,” a spokesman from Tokyo Electric Power Co (TEPCO) told the AFP news agency.

So why has the EPA withheld data after the scientists announce a need for more transparency? Are they trying to tune out noise or hide a weak signal to avoid more speculation about the direction it might be headed? Some are starting to use the graphs as a reason to be concerned. Maybe the EPA has found the graphs are too low and should show an increase — a warning? I have a feeling it’s not the latter.

I have to say this reminds me of a 2009 story about how the EPA handled data on arsenic, lead, mercury and boron pollution from coal power.

People who live near sites used to store ash or sludge from coal-fired power plants have a one in 50 chance of developing cancer, according to a just released government report kept from the public for seven years by the Bush Administration.

The data on harm was released after the 2008 Tennessee coal ash spill ignited greater public concern. Will the public demand real-time radiation monitoring be restored, or at least that the EPA better explain the reasons for withholding data?

Updated to add: Humorous view of data analysis from the Daily Show


Turmeric Detects Explosives

The BBC calls it a use for curry powder, but scientists really are working with turmeric. They have found a way to make thin films of it on transparent plates to look for the presence of explosives.

The idea would be to use an inexpensive light source – the team uses LEDs – shone on to the thin films, detecting the light they then put off. In the presence of explosives, the light would dim.

By using an array of sensors, each sensitive to slightly different colours of light, a range of different materials could be detected, and, crucially, reduce the risk of false alarms.

In tests, the films can currently detect explosive levels down to 80 parts per billion, but Mr Kumar said that for high-sensitivity applications like mine detection, they needed to increase the sensitivity further, by adjusting the chemical groups attached to curcumin.

This could be more accurate than the rats trained for mine detection. How will a plate of turmeric be made operational and sent into the field?

Curcumin

I am reminded of the Red Dwarf episode when a Vindaloo Beast rampages the ship. What if scientists go too far and make a curry detection monster that gets out of control – a mind of its own? “Of course, Lager, the only thing that can kill a vindaloo.”