Posted by Jonathan on Nov 2, 2009 in Security
For the past several years, merchants have “masked” most of the numbers in a credit card account on receipts. You’ll see something like “VISA XXXXXXXXXXXX6723”. The idea is that this hides almost all of your credit card number — enough to thwart thieves — but (probably) allows you to figure out which of your many credit cards you used.
I shred my credit card receipts, but I toyed with the idea of stopping because everyone masks the credit card number these days. As I thought about it, I realized that thieves can make a pretty good guess at the first 12 digits, because most of those digits identify your bank, and there are only so many of those. In other words, the receipt still solves the hardest part of a thief’s job. Better to shred it.
This problem could be solved, though. Most people only have one card (or at least, one card of each type) from a particular institution, so you could get the benefit of knowing which card you used AND masking most of your number if merchants would mask the end of the credit card number, rather than the beginning.
Which is exactly what they are starting to do. Unfortunately, some of them still mask the beginning. So you could end up with two receipts like this in your trash can:
VISA 2345 6789 1xxx xxxx
VISA XXXX XXXX XXXX 6723
Which narrows the uncertainty to 1,000 numbers. Who knows, maybe somebody will have the bright idea to mask the beginning and the end, leaving the middle numbers exposed.
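The arithmetic behind the two-receipt case, as an added example (not from the original post): it overlays masked numbers from different receipts and counts how many candidates remain, both naively and after applying the Luhn check digit that payment card numbers carry. The function names are made up for this illustration; the sample receipts are the post's own.

```python
from itertools import product

MASK = "X"

def merge_masks(*receipts):
    """Overlay masked card numbers digit by digit (x/X = masked)."""
    views = ["".join(r.split()).upper() for r in receipts]
    if len({len(v) for v in views}) != 1:
        raise ValueError("masked numbers differ in length")
    merged = []
    for column in zip(*views):
        shown = {c for c in column if c != MASK}
        if len(shown) > 1:
            raise ValueError("receipts disagree, so not the same card")
        merged.append(shown.pop() if shown else MASK)
    return "".join(merged)

def luhn_ok(number):
    """Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def residual_space(*receipts, brute_limit=4):
    """Return (merged, hidden_digits, naive_count, luhn_valid_count)."""
    merged = merge_masks(*receipts)
    hidden = merged.count(MASK)
    naive = 10 ** hidden
    if hidden > brute_limit:
        # Any one hidden digit can fix the checksum: 1 in 10 fillings pass.
        return merged, hidden, naive, naive // 10
    template = merged.replace(MASK, "{}")
    valid = sum(luhn_ok(template.format(*fill))
                for fill in product("0123456789", repeat=hidden))
    return merged, hidden, naive, valid

if __name__ == "__main__":
    # The two receipts shown in the post.
    print(residual_space("2345 6789 1xxx xxxx", "XXXX XXXX XXXX 6723"))
```

Run against the formats your own point-of-sale systems print: a masking policy is only as strong as the union of digits that every receipt format reveals for the same card.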
The only way to standardize this — and make masking even halfway useful — is legislation. It would be helpful if those legislatures who mandated masking also specified how that masking should be done, preferably leaving only a few numbers at the beginning unmasked.
On the other hand, really good credit card thieves don’t dive into dumpsters for receipts. They steal millions of numbers from merchants’ computer systems.
Posted by Jonathan on Aug 28, 2009 in iPhone
CNET says the 15-year-old encryption technology used to secure voice communications on GSM cellular networks (like AT&T’s) will be cracked wide open in a few months. Skype, which encrypts voice communications using a variety of standards-based technologies, avoids this problem, at least for Skype-to-Skype calls.
Posted by Jonathan on Jul 31, 2009 in iPhone
[Edited August 5 to add] There were some important details that the San Francisco Chronicle left out or got wrong. The attack actually seems to be much worse than the original story suggested. First, the “invisible” messages, which the story described as “text” or “SMS” messages, seem to be control messages. As CNET makes clearer, control messages are not necessarily seen by the user, which makes this attack far easier to pull off. The Chronicle’s story said you could delete any one of the 512 incoming messages to foil the attack. Obviously that is not possible if the user can’t see the messages. So the Chronicle blew it, presenting a jumble of true and incorrect information, and I will know better than to rely on it in the future.
Perhaps the most shocking thing about the exploit is that ordinary Joes who have nothing to do with the phone company or Apple can send control messages to cell phones and, according to the CNET story, any iPhone can be reprogrammed to do so.
A huge buzz preceded the presentation by Charlie Miller and Collin Mulliner at the famous “Black Hat” cybersecurity conference in Las Vegas. The pair claim to have discovered a way to take over a smartphone, such as an iPhone or Windows Mobile phone, using nothing more than SMS. According to the San Francisco Chronicle, “A pair of security experts have found a vulnerability in the iPhone that allows a hacker to take control of an iPhone through a text-message attack.”
Even scarier, the attack uses “a series of mostly invisible SMS . . . bursts,” the Chronicle said.
Here are the real facts:
- Yes, in theory, a hacker could take over your smartphone. Could be an iPhone, as the Chronicle’s lead paragraph and headline said. Could be a Windows Mobile phone.
- There is no such thing as a “mostly invisible” SMS message. You would receive a normal-seeming SMS message that should show up on your phone just like any other.
- You would know you are being hacked because you will receive SMS messages that contain empty square characters (I guess this is what the Chronicle means by “mostly invisible”; by that standard, the letter o is mostly invisible). If at that point you delete the messages or turn off your phone or go into Airplane mode, the attack will not succeed.
- The attack requires 512 SMS messages, presumably delivered rapid-fire. That makes an attack against a single victim fairly noticeable and possibly expensive. An attack against more than a small number of smartphone users would be cost-prohibitive. Even “unlimited” SMS plans have their limits.
- The attacker needs the phone numbers of enough smartphones to make this worth his while. Sending the attack to landlines or regular cellphones would merely run up his costs and raise his profile. This effectively limits the attack to “whales.”
- The 512 SMS messages must all survive until all of them have been received by the victim. If the victim deletes even one of these messages, the exploit fails.
- Cell phone companies actually care about SMS spam and have countermeasures in place. Leaky, lousy countermeasures, to be sure, but they would be foolish to allow their networks to be taken over by zombie phones. Surely they could filter out all “mostly invisible” messages.
It is disturbing that this attack is possible, even given these constraints. You just don’t think of SMS as a security hole. Thank goodness Apple has already patched against this exploit. But get a grip, people.