Security

PIN scare story

Leave a comment

Unfortunately this Red Tape article was written without any mention whatsoever to the chip and PIN requirement for cards outside the US.

Could a hacker steal enough information from a store you’ve shopped at to print up fake debit cards in your name and withdraw cash from your checking account at an ATM? Even if you’ve never told a soul your PIN code?

In fact, said the Justice Department last week, it’s already happened, possibly to millions of people.

Let’s face it, antiquated American payment cards have been a technology embarrassment for years, just like the primitive mono-tone one-size-fits all bills.

The systems outside the US not only are more modern in terms of security controls, but also more consumer-oriented, and even less invasive (better privacy).

Consumers in America deserve(d) better. The real story is why they have not been offered a choice.

Banking regulators and Congress have coddled the industry, which has worked its will over the past two decades with an army of lobbyists and more than $200 million in campaign contributions spread around Washington.

There is a slim chance that America could get wise and regulate financial security more carefully:

A critical test for reform came last month in the House Financial Services Committee, where Republican members tried to amend a “Credit Cardholders Bill of Rights” into oblivion or replace it with a meaningless statement commending the Fed’s proposals. Instead, two Republicans, Reps. Christopher Shays of Connecticut and Walter Jones of North Carolina, joined 37 Democrats, led by Rep. Carolyn Maloney of New York, to hand the banking lobby a rare defeat.

I think it should not be called a banking lobby defeat, when in fact some in banking support regulation. Perhaps I am naive to think that the banking lobby does not fairly represent all of the broad interests of banks in America, but I see the reform movement as a genuinely positive step towards bringing some balance back to the industry.

Security

Wells hints at more PIN breaches

Leave a comment

A Wells Fargo notice, as published by the New Hampshire Attorney General, points to “suspicious transactions” from unauthorized use of access codes. They claim they do not know how the codes were compromised:

We are writing to inform you that a third party data provider has notified us that a Wells Fargo access code was used to gain unauthorized access to your personal information. This data may have included your name, address, date of birth, Social Security number, driver’s license number, and credit account information. We do not know how this breach occurred, but we have notified the appropriate law enforcement authorities and a thorough investigation is underway.

This seems at face value to be similar to the Citibank-7/11 incident where large numbers of PIN codes were somehow stolen. PCI has primarily been focused on merchants, and is just now shifting to payment applications, but the attackers seem way ahead of the curve and going directly after the banks themselves.

History, Security

Woodlock Gags Speech, Again

3 Comments

America has a sad “gag rule” history few Americans know.

…the U.S. House of Representatives instituted the “gag rule,” the first instance of what would become a traditional practice forbidding the House from considering anti-slavery petitions. Representative James Hammond of South Carolina first proposed the gag rule in December 1835.

It lasted years, and was used by abusive men specifically to silence the speech of anyone perceived to have empathy for the oppressed (e.g. de oppresso liber).

Members of Congress publicly ridiculed [human rights petition] efforts. Senator Thomas Hart Benton responded to the tide of petitions by saying, “I would recommend to these ladies, not to douse their bonnets, and tuck up their coats, for such a race, but to sit down on the way side, and wait for the coming of the conquerors.”

“The conquerors” ended up losing their Civil War over denying rights to “such a race”.

Fast-forward to today and a story from The Register explains the difference between a Judge in Holland and one in America, when faced with the same situation:

NXP Semiconductor, maker of the cryptographically challenged Mifare card, has also taken legal action to silence researchers who poked holes in fare collection systems used in the Netherlands. A Dutch judge rejected the request.

Opsahl said the EFF planned to appeal the decision, even though a ruling will not be issued in time to save the canceled talk. He said the judge reached a very, very wrong conclusion when using the Computer Fraud and Abuse Act as grounds for canceling the talk.

“The statute on its face appears to be discussing sending code, programs or similar types of information to a computer,” Opsahl said. “It does not appear to contemplate somebody who’s giving a talk to humans.

A Dutch judge rejected the request. That could have been the end of the story, but America’s secret society of “gag rule” men still occupy the highest government seats.

Opsahl is referring to US District Judge Douglas P. Woodlock, who has ordered a gag for three students of MIT who were going to present the Mifare card story yesterday, but in context of the Boston transit system.

Some may remember that Woodlock is the same judge that told antiwar activists that they were “stuck under the tracks”. He ruled against their right to speech because of what he called an “irretrievably sad” post-9/11 world that requires internment camps as security precautions to gag speech.

Woodlock said he had initially assumed that activists were exaggerating when they likened the protest zone near Canal Street to an internment camp. But he said that after touring the area for 90 minutes Wednesday, he concluded that comparison was “an understatement.”

[…]

“One cannot conceive of other elements [that could be] put in place to create a space that’s more of an affront to the idea of free expression than the designated demonstration zone,” Woodlock said.

Nonetheless, Woodlock said that unruly demonstrators at other political events have made the precautions necessary to foil protesters who might hurl objects at delegates arriving on buses

The logic is tortured to the point where Woodlock seems to favor a dark authoritarian world as a form of “safety”.

In another example, Woodlock ruled against the free speech rights for three newspapers. These papers argued that speech rights were violated when an Architectural Commission in Boston banned “street furniture” including news racks. Unfortunately for the papers, Woodlock was a student of architectural history and favored the aesthetics and safety of the street more than any individual right:

“While the guideline forces plaintiffs to use distribution means in the district which they find economically unappealing or that they would otherwise not use,” Woodlock said, “this does not change the fact that alternatives to newsracks in the district are available to plaintiffs.”

The conditions might be economically unappealing, also known as financially prohibitive, but the judge said he was unsympathetic because he saw no evidence of expense/damage from the alternatives. Again, logic tortured to the point where you are told to think of possibilities still available to you once your speech is restricted. Maybe a paper can survive without a forum for speech, maybe not, but at least the streets are clean.

Reasons for “an affront to the idea of free expression” seem to be stacking up under Woodlock. Has he ever ruled in favor of free speech? Does he even believe in it? Anyone surprised that this man was nominated to his position by Ronald Reagan, or was a college friend of George W. Bush?

Douglas Woodlock was appointed to the district court in 1986 by President Ronald Reagan. He possessed an interesting pedigree: a couple of high school years at Phillips Academy Andover, a distinguished undergraduate career at Yale, capped by being chosen for the secret society known as Skull and Bones by fifteen club members (including George W. Bush) from the class ahead.

Woodlock’s distance from Bush should not be underestimated. Bush has been a long-time critic of free speech. He is still listed as the #1 Muzzle in The Thomas Jefferson Center for the Protection of Free Expression. Bush threatened legal action against individuals who tried to expose or discuss his flaws on the Internet:

In a May 21 press conference, Bush himself stated “[t]here ought to be limits to freedom.

[…]

On April 14, 2000, the FEC dismissed the Bush complaint stating, “this matter is less significant relative to other matters pending before the Commission.”

Americans should be ashamed of Woodlock’s decision on this matter.

The gag action on the Boston transit research is an embarrassment to the nation. Consider how the same situation played out in Holland:

The case went to court in Holland and now the court in Arnhem has overturned the injunction citing local freedom of expression laws.

In its ruling, the court said: “Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.”

In a statement, Radboud University hailed the ruling and said: “…in a democratic society it is of great importance that the results of scientific research can be published”.

Oh, wow. That is really, REALLY well said.

Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings

These people are clearly intelligent and capable, and this ruling happened PRIOR to Woodlock’s gag order.

This means Woodlock must have decided to silence three students presenting the information to their peers despite the fact that already it is in the public domain. America’s “skull and bones” tin-pot dictatorship crew are indefatigable.

Who wants to bet the American judge will say something about how “unfortunate” or “sad” it is that his “hands are tied” or he is “forced” by post-9/11 events to censor and restrict the scientific community into an internment camp for their own “safety”?

Security

Decrypting PIN numbers

Leave a comment

The TJX case just keeps giving and giving. A recent indictment of a man named Gonzales, which has the rather revealing filename of N:\SHeymann\Case Files\TJX\Indictment and Informations\Final Versions\Gonzalez Indictment Final.wpd, shows that PIN numbers were being decrypted in large batches:

e. Downloaded from the corporate networks processing and/or storing payment card transactions the track 2 data for tens of millions of credit and debit cards and PIN blocks associated with millions of debit cards;

f. Obtained technical assistance from criminal associates in decrypting encrypted PIN numbers

This is major news. How did they decrypt PINs?

I have seen few report on the implications of this for bank security, but frankly it changes everything. If an attacker can steal your PIN number even when it is encrypted and stored within a bank, then your financial data is under an even bigger threat than ever before.