The RISKS Digest
Volume 11 Issue 11

Friday, 15th February 1991

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Re: Enterprising Vending Machines
Jeff Johnson
o Re: Electronic Cash
Joseph R. Beckenbach [2]
M P Evans
o Re: Cashless Banking and Privacy
Jake Livni
o Re: Cashless gas pumps
Jeff Helgesen
Dick Smith
Lars-Henrik Eriksson
K. M. Sandberg
Sean Malloy
Peter da Silva
o Re: Electronic telephone directory
Ralph Moonen
o Info on RISKS (comp.risks)

Re: Enterprising Vending Machines (Risks 11.03)

Jeff Johnson <>
Mon, 11 Feb 91 15:26:14 PST
Just had my own run-in with a postal vending machine.  Was expecting trouble
because of what I'd read in RISKS, but got bitten anyway.  If not interested in
the details, skip to Summary.

Entered a post office to buy some new stamps.  Long line waiting.  Vending
machines (3) all flashing the "Use exact change" light.  Line backed up into
narrow hallway containing both vending machines and post boxes.  Hallway very
crowded; people angry because they must wait in line or because they can't get
through the crowd to their post box.  Several people standing in front of the
vending machines, trying to figure out how to coerce stamps from them, adding
to the crowd.  Purchase-pooling deals being suggested, mentally tested ("Let's
see, if I buy two books of stamps and you get 1 book of post-card stamps..."),
and tried.

One machine offered ten 29-cent stamps for $2.90, but wanted exact change.  I
had 3 ones and a twenty.  I decided to put in $3, get ten stamps, and forget
about the extra dime.  Put in first dollar: amount-display showed $1.00.  Tried
to put second bill in, but machine rejected it repeatedly.  Ditto other bill.
Pressed "change return" to get first dollar back.  Machine made four "ka-chunk"
noises, but no money actually appeared.  The amount-display now read $0.00, but
I didn't notice this at the time.  I put in the other 2 bills (this time the
machine accepted them); now the display said $2.00.  Hadn't notice that it had
gone to zero, so wondered where my other dollar had gone.  Figured that it must
have timed me out as reported in RISKS.  Had no more one-dollar bills, so was
stuck.  Pressed "change return" in frustration: eight "ka-chunks" but no money.
Noticed amount decreasing $.25 for each "ka-chunk" this time, so figured out
what happened to first dollar.

Asked to see station manager.  Told him what happened.  He didn't understand.
Invited him out into lobby to put bills into machine.  He did.  Told him to
press "change return".  He didn't want to: didn't want to lose his money.  I
said, "You've already lost your money since there's no way to get it back; you
might as well press 'change return' so you can see what happens."  He did,
heard the "ka-chunks", then said: "This machine is out of order; I need to put
a sign on it".  I said, "It's out of order, but not because it's
malfunctioning; this is what it is designed to do when out of change."  He
didn't think so.

I also tried to explain to him that new stamp price *means* that vending
machines must be refilled with change much more often.  By now he was beginning
to feel some of the stress and exasperation that filled the hallway.  He said,
"The guy who services these machines isn't here today," gave me my money back,
and put an "Out of Service" sign on the machine.  This ended the interaction,
because now several other people who had been having trouble with the machines
pounced upon him.

Summary: The new stamp-price ($.29) has side-effects that clearly were not
anticipated by the Postal Service.  The new price was calculated to increase
revenue to cover operating costs, but some of its ramifications weren't
anticipated.  One is that the vending machines will be dispensing much more
change and therefore must be re-filled more frequently if they are to serve
their purpose.  The change-making apparatus also will require more frequent
repair.  This increased servicing of machines will consume some of the expected
revenue gain.  Second, increased demand for change from the machines has
increased user-exposure to various design flaws in the change-making
functionality of the machines.  The Postal Service should either keep the
machines full of change or change the stamp-price to $.30.  Simply fixing the
machines to behave "correctly" when out of money won't solve the real problem:
long lines in post offices.

Jeff Johnson, HP Labs

Fri, 8 Feb 91 10:26:55 PST
In comp.risks you (Brian Yamauchi <>) write:

>I'm in favor of replacing the various pieces of paper and bits of metal we
>currently use for money with a more convenient electronic system, but I think
>this should and will be done via the free market rather than as mandated by the
>central government.

    Agreed.  This is what the growing trend for payroll electronic
automatic deposit, and Social Security "direct deposit", are all about.
Agreed, that for payments over $20 a credit card is handy.  But I'd rather
have the option, thanks, to handle my finances more flexibly.
    My big disagreement with you comes with the transfer scenario --
if that's the only method of transfer.  Checks of many sorts handle the large
transfers, as do wire transfers, and cash handles the small stuff.

    Want to absolutely ruin a cashless society?  Turn off the power to
the clearinghouses.  I wonder how commerce fared during the New York black-out
of several years ago, when no one had power.  Shopkeepers which didn't have to
depend on credit-card sales didn't see the same dip in sales for the month that
the others would, I'd wager....

>I'm not extremely enthusiastic about giving the government too much
>information.  It is true that they could abuse this.  On the other hand, the
>real solution is to enact pro-freedom measures legislatively to limit the
>government's power.  If either (1) the government ceases to become democratic,
>or (2) the majority wants to allow government oppression, then there's not a
>lot you can do — short of armed rebellion — the tanks can always roll through
>the streets.

    If the government ceases to be democratic, or the majority wants
government oppressions, then those will be fought by citizens who do not want
to see the US Constitution circumvented.  The Constitution came out of the
efforts of citizens trying to weld together thirteen States in a failing
Confederation after a bloody armed rebellion.  The tanks can roll through the
streets, but unless there's valid authority behind it, it's unconstitutional.
The bystanders might be just as dead, but the following reactions would bring
the balance back.

>Electronic cash would have both positive and negative effects on crime.  On the
>positive side, violent crimes would drop substantially — no longer would you
>have to worry about being knifed for your wallet in a dark alley.  On the
>negative side, the potential for computer crime would be increased.  At least
>in theory, this could create the potential for truly huge sums of money to be
>stolen, not by stealing large chunks, but by stealing minute amounts from large
>numbers.  For example, stealing 1 cent from every transaction made in the U.S.
>would probably result in a take in the $million/day range.

    Depends on the method of 'cashlessness'.  If the cards are truly
personal, stealing them would be a better method of tying him up than beating
himn into hospital.  If not personal, then anyone wishing more money would
simply mug for the cards, just as they currently mug for coins and paper
and cards.  (I thought most muggings were non-violent.)
    Several cases have already meandered though RISKS' attention about
computer money-skimming schemes at banks, including the 'take the round-off
balance account and assign it to me' scam.  And the 1-cent per transaction
fraud would be noticed somewhere, since it's simply a variation of how banks
get paid for their services.

>Still, given a choice, I would rather have some hacker breaking into
>my checking account than some mugger slitting my throat...

    I'd rather have the mugger.  Most of them don't go for the strong, the
active, or those who look like they know what they're doing.  The others tend
to be caught not long after.  With hackers, no one could be the wiser, it's not
clear what laws are applicable and to what extent, and the damage potential is
orders of magnitude higher.
                                    Joseph Beckenbach

Re: Electronic cash completely replacing cash

Joseph R. Beckenbach <>
Fri, 8 Feb 91 10:40:39 PST
In RISKS-11.06 Richard A. O'Keefe writes regarding David Witt in RISKS-10.81:

>Eh?  These machines are going to be *at least* as expensive as VCRs, and we're
>talking about distributing > 500 million of them (ALL homes and businesses,
>remember, and businesses will need as many of these gadgets as they have cash
>registers).  Then think about maintenance.

    Let's see, that's running $150.00 x 200 x 10^6 as a low estimate.
$30 G-bucks.   That's over 1% of the current deficit.  GACK!

<>    The Federal Reserve would be better able to follow the economy, helping
<> to stabilize the financial markets.

    It ain't broke, don't fix it.  At least, that part ain't broke.

>Here we have someone who does not believe in the Free Market, and has
>a wonderful child-like faith that because there is an outfit whose task
>is to manage the economy that it is able to do it.  I have a bridge for him.

    See below....

>The thing that is really evil about the suggestion is that it is a
>technological fix to a social problem; the basic attitude is that
>human "misbehaviour" is best cured by making people behave like good
>little cogs.  "Forget trying to build a humane society so that fewer
>people *want* to buy drugs, let's build electronic cages so they're
>found out."  How do we educate people like this?

    I think it's as simple as saying "Eastern Bloc during the Cold War".
Reasonable minds can, and _should_, take it from there.
                                                Joseph Beckenbach

RE: cashless society, a post-mortem

Mon, 11 Feb 91 09:35:36 EST
Two points militate more strongly against this scheme than any others I can
think of:

1.   The "barter" economy is already well-entrenched in the underground
     economy. This proposal would immeasurably swell the ranks of those
     trading by this method,

2.   The "hand print and retina pattern" scanners would, I am rather
     certain, run afoul of the recently-enacted ADA (Americans with
     Disabilities Act) as illegally discriminatory. There are, boys
     and girls, people in the good ol' US of A with neither hands
     nor eyes who are nevertheless productive citizens.

Re: Electronic cash (post dated cheques)

M P Evans <>
Mon, 11 Feb 91 19:17:11 GMT
With referance to Frank Wales article (RISKS-11.06) Post dated cheques (at
least in Britain) have no validity.  If someone were to write me a cheque with
next month's (or next year's) date on it I could immediately present it at my
bank, and they would accept it without question.  This has happened with a
cheque I wrote, which I was able to have returned to me, which clearly shows
that the date it was paid it (by to bank's stamp) was before the date which I
wrote on the cheque.  The only thing which can stop such a cheque being
processed is the staff at the bank, they do not check the date.  The only
information known to the automatic processing system is the cheque number, sort
code (bank), account number and the value of the cheque.  The first 3 are
preprinted on the cheque, the latter typed in at the bank.

Mark Evans, Univ. of Aston in Birmingham, Aston Triangle, Brimingham, England.

Cashless Banking and Privacy

Mon, 11 Feb 91 21:23:35 EST
[Internally-From: Jake Livni <JAKE@DBCLUA>]

Daniel B Dobkin <> describes the ultimate government
surveillance tool:

>Unfortunately, Smith doesn't attribute the source of this story; does
>anyone out there have any clues?  Enquiring minds want to know.....

Try the Nova show called "Computers, Spies and Secret Lives" which first
aired on PBS on Sept. 27, 1981.  Excerpts from the transcripts for
that show follow:

    Several years ago, I was a member of a workshop of computer people [and]
    law enforcement people who were gathered together and asked to pretend
    that we were consultants to the Russian Secret Police...given the task
    of designing for them a system which would keep track of all the Soviet
    citizens, plus all the foreigners who happened to be within the boundaries
    of the USSR.  After considerable study, the workshop concluded that the
    best system to build for the KGB, the secret police, was an electronic
    funds transfer system, for the reason that electronic funds transfer
    systems not only know what you're buying, but where you are in real time
    at the time you're making your financial transaction.

    Some privacy experts acknowledge these threats and consider them beyond
    existing computer capacities.

    [This is followed by a bank vice-president who says that ATM usage produces
    too much information to sort through with then-current computers, except
    in a serial manner.]

Jake Livni                                     

Cashless gas pumps; alternative to credit card use

Jeff Helgesen <>
Fri, 8 Feb 91 14:29:15 -0600
The risks inherent in automated charging to credit cards are easily avoided by
use of a system like the one(s) used by phone companies in many European
countries; that is, the user purchases a card of a particular denomination via
a vending machine [or human vendor, if the stories regarding post office
machines put you off]. This card has an mag strip encoded with a value which
can be read and written to by the automated pump. The card remains in the
machine and decrements the value available until the transaction is completed
(either the user stops the pump, or the value of the card is dropped to $0, and
the pump shuts off automatically), whereby it is ejected. Used-up cards may
then be discarded; cards with value remaining may be kept until the next time
the user needs petrol.

Benefits versus credit card system include:

    o  Difficult system to defraud; only risk to petrol vendor
       is that a wily consumer will figure out the encoding scheme.

    o  Validation of identity is no longer required. Too bad if you
       lose your card, though I'd rather lose one of these than my AmEx.

    o  Handling costs are reduced, presumably reducing the pump price
       of gas.

    o  Big brother is not watching.

Jeff Helgesen         

Re: A risky gas pump (Grumbine, RISKS-11.03)

Dick Smith <dick@smith.UUCP>
9 Feb 91 06:11:20 GMT
I worked on such a system at a previous employer, and think that the
concerns expressed are overdone.

Here are my thoughts on the worries expressed about this auto-approving gas

  Is card mine:  Well, it's probably checked as well as the typical
    human attendent checks it... I am surprised when someone looks at
    the back of mine to verify my signature.  I try to remember to thank
    them for doing it!

  Receipt disagrees:  Complain to the attendent immediately... (in the
    US, there WILL be an attendent, if only to shut the pumps off if
    there is a fire) just as you would if the receipt that you got
    inside was wrong.  It's a requirement that the amount pumped stay
    displayed on the pump until the next person uses it, so you'll
    have something to compare against if you hurry.

  It remembers my card number:  Again, I don't know why this is any more
    likely than the human attendent copying down your number and reusing
    it.  Certainly not on purpose, anyway.  When I worked in this
    industry, I recall that the credit card network had its own
    validation organization which served as an independent check for
    credit equipment vendors.  I remember their testing as being
    fairly comprehensive, followed by a month long beta test at
    a single site with the paper logs checked.  We felt pretty good
    when we got through with it.

  The receipt printer doesn't work:  Well, the cutter kept jamming in
    ours... you'll have to go inside in that case, and get the guy to
    write one by hand.  He can copy the info off the paper tape log.

Actually, I worried more when I used a gas pump of a kind that wouldn't
be allowed in the U.S. (because of that fire law).  I was in Holland
last fall, and had occasion to buy gas on the AutoRoute late one night.
The station I pulled into has no attendent, just a bill reader for (I
think) 20 & 50 guilder bills.  What I worried about was what I was going to
do if I put in too much money, since there was no change return at all.
I managed to buy 2/3 of a tank for my rental car, though, with no

Dick Smith, R.H.E Smith Corp ...ast!smith!dick

Re: risky gas pumps (Clark, RISKS-11.05)

Lars-Henrik Eriksson <>
Sat, 9 Feb 91 15:34:40 GMT
I've been buying gas from automatic gas pumps (both manned and unmanned) in
Sweden for several years. I have not yet had a single case of incorrect
charging or any other problem that is worse than not getting gas out of the

However, at about 20% of all occations I use these machines, I do
*not* get a reciept. Usually because the machines are out of paper.

Lars-Henrik Eriksson                Internet:
Swedish Institute of Computer Science       Phone (intn'l): +46 8 752 15 09
Box 1263                    Telefon (nat'l): 08 - 752 15 09

Re: A risky gas pump

K. M. Sandberg <>
11 Feb 91 18:08:23 GMT
(Re: Lehman, RISKS-11.05)

>     None.  But my other credit card purchases are not usually validated
>either.  I think the fair credit acts protect you somewhat.

The difference is that with regular credit card transactions you have to sign
the slip, with ATM transactions you have to enter a pin code, either of which
indicates that you are the owner of the card or in the case of the signature,
you can show it is not your signature, with the readers there is no such
protection, but one question I have is what happens if you dispute a charge.
Since they have no proof of who charged it, except an electronic card number.

Normally a lot of the disputes can be resolved by looking at the signed charge
slip, in this case there is none, nor was there any pin code entered as an
electronic psuedo-signature, so is there really an agreement?

(Re Margolin, RISKS-11.03)

>From: barmar@think.UUCP (Barry Margolin)
>Subject: Re: A risky gas pump (from RISKS DIGEST 11.03)
>Your tone suggests that this is a new risk. ...

This is a new risk, allowing the use of a credit card with no trace back on who
used the card, no signature to forge, no pin code to break, nothing.  There is
no license plate recorded or anything else. You could take a valid charge and
say that it was not valid, how do they prove it was?  They take a charge that
is invalid, how do you prove it was not? Normally you can request the charge
slip and so it can be shown that it was not your signature, but in this case
anyone who has access to the card can use it. If someone borrowed your card,
you at least stand a chance of detecting who it was based on the signature.

As far as the phone credit calls, there is a record of the phone numbers and
where the call was placed from, along with a history which can be checked to
see if you ever called that number before, so it is quite different.

With mail order house they are supposed to have your signature on file and if
they don't you can dispute the charge, but in any case they have a record of
where the stuff was sent, and a way to track the person because of that.

I used such gas pumps, but I also write down all the information in a book to
watch the gas mileage, so if there was a problem I could show that the gas was
not put into one of my cars, unless I forged other entries. Personally I think
the gas stations are taking a large risk unless they have something to track
the cards better than it appears (ie. some information to ensure that the card
number really belongs to the person, like the name. ATM cards have this
information).  Also if the card is lost or stolen it is generally the case that
the person could not keep reusing the car because a person might notice and
might also recognize them. In this case the card holder is not seen. Maybe
there is a check to make sure that the card is not used too many times, I don't
know. What I do know is that if your card is lost and returned, you better be
very careful in knowing what you had charged to make sure that a charge was not
made before it was returned.

Re: Burned by a gas pump (was Re: A risky gas pump, RISKS-11.05)

Sean Malloy <>
Mon, 11 Feb 1991 13:12:21 PST
>  How about if my number is not cleared from the pump's memory and I get
>    billed for the entire day's gas from that pump?

Your number can be cleared from the pump's memory and still try to
take you, as long as the programmers for the billing software don't
pay attention to wierd-case transactions.

Some months ago, I received a bank statement showing that I'd been billed twice
for the same transaction at an ARCO PayPoint gas station using my ATM card. The
circumstances were that I was returning home _late_ at night, and had stopped
to fill my tank. Between the time I'd opened the transaction and shut off the
pump after filling my tank, the time had rolled across midnight to the next
day. The billing software ARCO was using billed me for each end of the
transaction, since there was a transaction start record for an amount of $9.56
on day X, and a transaction end record for an amount of $9.56 on day Z+1.

The reason I noticed the error was that there were two transactions listed on
consecutive days with the same transaction number and amount. When I called the
customer service number for my bank and talked to the representative, they said
that they'd take the duplicate charge off my account and inform ARCO of the
problem; I got the notification of the credit to my account about a week later.
Since then, when I've had to fill my tank close to midnight, I always wait for
the date to change if there's a chance that it would roll over while I was
pumping gas.

 Sean Malloy, Navy Personnel Research & Development Center, San Diego,
   CA 92152-6800                         

Risky gas pumps

Peter da Silva <>
Fri, 8 Feb 1991 14:01:30 GMT
These pumps appeared a couple of years ago here in Houston, then most
of them promptly vanished. Why? Simple... people buying gas this way
didn't tend to make impulse purchases of the overpriced soft drinks,
candy, motor oil, and other things they pile up around the regular
payment window and revenue actually went down.

The risks aren't just one-way.


Fri, 08 Feb 91 08:31:26 EST
Guy Sherr writes:

>Gasoline is a volatile high explosive.

Wrong. Gasoline is incapable of true "detonation", as required by the
definition of a "high" explosive.

Re: Electronic telephone directory

Fri, 8 Feb 91 09:18 MET
MFMISTAL@HMARL5.BITNET (Jan Talmon) writes:

->In the Netherlands, printed telephone directories provide telephone numbers
->by using the name as an index. Currently, there is also an electronic
->version of those directories available by means of a VIDITEL service.
->Here it is also possible to ask for a telephone number by providing the
->street name, the house number and the city. This involves an inherent risk.
->When one observes that there are apparently no people in a house, one can
->ask for the phone number, dial that number and when no one replies....
->it may be safe for burglars to go in.

So what's the big deal here? The Dutch PTT has a directory assistance number
(dial 008) that gives exactly the same service, but cheaper. And it's a
voice number, so it's probably faster too. The computer number is only good
when wanting to look up a lot of numbers, as directory assistance only gives
you two informations per call. Another thing that the computer service does,
but the voice number not, is give you the name & address, when you supply
only the telephone number. I don't consider this a COMPUTER risk as:
1) the service was available all along, only voice.
2) Unlisted number are not in the computer
3) Burglars don't tend to pre-select their victim, but rather go out to
   a 'nice' neighbourhood, and find a suitable house there and then.
4) Burglars don't tend to have computers & modems unless they stole it from
   a previous victim :-)

->It seems also to be an invasion of one's privacy, since one need not to
->know a name in order to place haressing/obscene phone calls.

No. I definetely disagree with this statement. One NEVER needs to know a name
in order to find the telephone number. If this was an invasion of ones
privacy, then get your name-tag off your frontdoor too! Furthermore, if you
don't want _any_ unsollicited phonecalls, just change your number to an
unlisted one. This costs nothing if you do it at the initial request for
a telephone line, and it costs F35.00 ($20.00) if you want it changed to
an unlisted number later. (BTW: I live in The Netherlands too, and have an
unlisted number)

--Ralph Moonen

Please report problems with the web pages to the maintainer