I
read with much amusement the article “Thieves Clone Debit
Cards”, published Thursday March 11, 2010, The Thursday Star which
reports a supposedly new phenomenon of Debit Card cloning.
This
reminded me of a similar report earlier this year on Wednesday January 6th 2010,
when the Bank of Nova Scotia announced on radio that persons were soliciting
the Card numbers and PIN (Personal Identification Numbers) of customers Debit
and Credit Card accounts via a phishing scam i.e. fake website requesting
personal information.
While
this technique is nothing new, it is not the first time either, as Cable and
Wireless (now LIME) used to put out advisories warning persons against giving
out account information if they had received email of the type similar to what
was described in the advisory.
I
use the word “new” rather loosely, as over the years I have heard so many
countless stories about Credit Card theft, cloning and skimming that it has
become rather boring, especially as I have worked in the Telecoms Sector for
such a long stretch and I am thus used to the fact that Cards with magnetic
strips can be easily copied to any other Card with a magnetic strip.
The
procedure is so simple for copying Credit Cards that is somewhat obvious: just
copy the Card using a generic Card Reader, which you can purchase online, store
the contents onto a computer and use the same Card Reader to copy back the
contents onto a new Card with a magnetic strip, a process called cloning. This
new Card does not have to be blank, a point to note, as it can be any Card,
including the Digicel Card Top-Up facility and the software to do it come with
the Card Reader. But what of Debit Card Theft?
Debit
Card theft is not a new phenomenon either and has been around since the early
2000 in other countries, such as in Great Britain, where Debit Card theft is on
the rise and usually associated with organized crime, which is most likely the
case here. However despite the phenomenon now in Jamaica using pin hole cameras
mounted in brackets inside of the ATM (Automated Teller Machines) and devices,
called Card Skimmers, placed over the Card slot to read the information on the
Debit Card in order to copy the Card, these are not in anyway new.
The
defeat for this type of fraud is also very simple: don’t use ATM with anything
protruding from the Card Reader slot and always shield your pin when entering
it to transact business. What however is new is how easily the information can
be recovered. One of the relatively new methods is the use of wireless cameras.
In the past, the pin hole cameras used to made from old camera parts that were
stripped down and powered by a 9 VDC battery and stored the information
digitally for retrieval later by the Debit Card thieves, along with the Skimmer
device that was placed on top of the Card Slot.
However
this has proven risky as the chances of getting caught in a police sting
operation have increased and now a new generation of more sophisticated Credit
Card thieves have begun to use wireless means of retrieving the data. In this
new method, the Credit Card thief has a camera that transmits on a NTSC
standard television channel, which has a range of 100 feet. As such, the Credit
Card thieves can sit comfortably some distance away, possibly in a car and
using a laptop, record all the transmissions from the wireless camera. But it
is the Skimmer that has really gotten sophisticated.
With
a bit of electronic wizardry, the Skimmer is now designed to send a
transmission to a receiver owned by the Debit Card thief! This is done by using
a mini radio transmitter which is gutted and connected to the Skimmers
electronic circuit board. The Skimmer, like the Card Reader, records the Debit
Card information as a series of tones or frequencies, as the information stored
on the Debit Card, believe it or not, is not encrypted. Thus, once the victim,
who is called a mark, inserts their Debit Card and then pulls it out, the
Skimmer then transmits these tones via a RF frequency to a receiver that
records the tones.
Later
the images from the wireless pinhole camera and the information transmitted by
the wireless Skimmer are paired together and used to place the Skimmer’s
information on the new Card with a magnetic strip, which is essentially is
cloning. Thus, by making the Skimmer and the pinhole camera wireless, the Debit
Card thief ensures anonymity, making it difficult to trace anything back to the
Debit Card thief.
As
time goes by, with the prevalence of data services on Telecoms Provider’s
Networks, the Debit Card thieves may become even more sophisticated and begin
using 2G data services such as GPRS (Global Packet Radio System) and EDGE
(Enhanced Data Rates for GSM Evolution) to transmit the skimmed Debit Card
information and 3G or 4G data services to separately transmit the images from
the mini camera. Already, I have seen mobile phone circuits reconnected just to
do this, but this method too easily traces back to the Debit Card thief, so its
prevalence may be short lived.
It
seems Telecoms Providers may possibly be the Debit Card thief’s best friend in
another way that most police may not have possibly foreseen but is so new that
it has a new name: GSM snooping. This new method is now made possible thanks to
the work of a German security expert Karsten Nohl indicated at a Hackers convention
press conference in German that he had decrypted the A5/1 codebook, which uses
a 64-bit encryption key, as stated in the article “Q&A:
Researchers Karsten Nohl on Mobile eavesdropping”, published January 1,
2010 4:00 AM PST author Elinor Mills, InSecurity
Complex – CNET.
For
the layperson, this means that conversations on Telecoms Providers networks
that still use the A5/1 codebook are not only interceptable but decodable. It
is thus being hoped that local Telecoms companies have upgraded to the more
secure A5/3 codebook, which Dr. Karsten Kohl, who holds a PhD in computer
engineering from the University of Virginia, has yet to decrypt…….at least for
now.
What
Dr. Karsten Kohl research means is that for the first time, the almost 80
billion users in the world on the older GSM networks that have not yet gone 3G,
which uses the stronger (and supposedly more secure A5/3 codebook), can have
their conversations intercepted and reliably deciphered using off-the-shelf,
easily available computer hardware. What is even worse, this information is now
circulating on the Internet, as Dr. Karsten Kohl did this project with
assistance from volunteers and developers from the Open Source community.
In
practical terms, this means that not only is the knowledge of the process of
how the codebook operates and is produced widely known, mobile conversations on
older GSM networks still using A5/1 codebooks can now be easily decrypted.
Decryption was possible years ago with the right gear, but this equipment was
specialized and required security clearance and registration and was very
expensive.
Thus
with this breakthrough, thanks to the Open Source Community, GSM mobile
conversations can no longer be considered private and confidential, as now
embassies and politicians will soon realize that persons with laptops with the
right gear can intercept their conversations as far as a kilometer away.
Thus
the recent Bank of Nova Scotia advisory and now this recent article in the
Thursday Star must now appear to be alarmist news, as most wireless POS (Point
Of Sale) at Gas Stations and Convenience Stores island wide are on GSM
networks, using the GPRS (Global Packet Radio System) and EDGE (Enhanced Data
Rates for GSM Evolution) to transmit data for each transaction involving Debit
and Credit Cards accounts.
Thus,
the layperson, armed with this information, is left to wonder where the real
concern of the Bank of Nova Scotia should be focused: not the few hundred
people, whose number admittedly are increasing, who do transactions online and
often receive notifications via email and may mistake them as real when in fact
they are part of a phishing scam, but the increasing thousands of people who
are now using wireless POS (Point Of Sale) at Gas Stations and Convenience
Stores island wide whose transactions are now interceptable and reliably
decodable with equipment that is already easily available in Jamaica.
Eventually
as Dr. Karsten Nohl and his Open Source team progress with their work, they
will soon decrypt the formidable 128 bit A5/3 codebook, which is currently not
in use on most GSM networks, inclusive of CLARO, Digicel and LIME and
AT&T, which has so far resisting change to this new encryption schema
due to it prohibitive costs as stated in the article “Cell
phone codebook exposes security gaps”, published January 28, 2010 by Sami
Lais, The Washington Technology, The
Washington Post. Thus it seems a solution is required for both the usage of
ATM Debit and Credit Cards as well as Wireless POS device usage.
So
what is the solution? Already, it has been reported that RFID (Radio Frequency
Identification) touted as the next secure means of transmitting you pin wirelessly
between the Card and the ATM machine was showing promise, but even these
systems have been compromised due to poor encryption schemas.
Perhaps
by 2015, with improvements in the power systems and the electronics of these
RFID tags, Debit Cards can be made safer by coercing people to do most of their
financial transactions without cash, doing away with the idea of money having
to be withdrawn from the banks forever, possibly even the Debit Card itself,
making everyone instead to posses a Credit Card with a RDID tag.
Even
cheaper would be an implantable RFID device in your wrist, eliminating the need
to carry a Card altogether. In this future Cashless Society, which is very much
possible as there have been calls by the BOJ (Bank of Jamaica) Governor for the
immediate passing of a Credit Reporting Bill as stated in the article “Credit
rating bureau needed quickly - Wynter”, published Friday January 22 2010,
The Daily
Observer, by Alicia Roache, The
Jamaica Observer to create a Credit Bureau which would result in the
construction of a CBD (Credit Bureau Database).
This
would be possibly using Digicel’s DataCenter as well as the recent passing of a
Cyber Crime Bill, as stated in the article “Move to
Tackle CyberCrime - Hacker got Golding”, published
Sunday February 14, 2010 by Philip Hamilton, The Jamaica Gleaner. Increased
Taxation and Financial Transaction Security by the introduction of a Cashless
Society via these two Acts of law would allow the Government of Jamaica to
literally modernize Jamaica overnight as we push towards 2030.
No comments:
Post a Comment