The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 54

Monday 14 February 1994


o Info on RISKS (comp.risks)
o Voice-mail phreaking
Mich Kabay
o Electronic Food Stamps
Mich Kabay
o Another ATM "front end" fraud - this time caught
Jonathan Haruni
o [Lighter Side] Risks of computer-literate babies
Robert J Woodhead
o New Novel/Thought experiment...
Peter Wayner
o Recent Articles of Interest
Bob Frankston
o Re: Celebrity Risks — Bill Gates
John Bush
o Card Fraud and Computer Evidence
Ross Anderson

Voice-mail phreaking

"Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
14 Feb 94 03:20:52 EST
  Hacker attempts to chase cupid away
  SAN FRANCISCO (UPI, 10 Feb 1994) — Two bachelors who rented a billboard to
  find the perfect mate said Thursday they had fallen victim to a computer
  hacker who sabotaged their voice mail message and made it X-rated.  Steeg
  Anderson said the original recording that informed callers how they may get
  hold of the men was changed to a "perverted" sexually suggestive message.
  He said the tampering occurred sometime Wednesday."  [United Press newswire
  via Executive News Service (GO ENS) on CompuServe]

The article states that Pacific Bell has been investigating other voice-mail
tampering recently as well.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

Electronic Food Stamps

"Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
14 Feb 94 03:21:03 EST
  Welfare Cards (By Michael Holmes, Associated Press Writer)
    AUSTIN, Texas (AP, 10 Feb 1994) — Texas plans to begin providing welfare
  benefits electronically this year with bank-style cards that take the place
  of paper coupons.  The new system is designed to reduce administrative
  expenses, fraud and theft.  [From the Associated Press newswire via
  Executive News Service (GO ENS) on CompuServe]

The author continues with the following key points:

o "Electronic benefits transfer" will begin in two counties in autumn 1994
  and should be statewide by 1996.

o The Lone Star Card will function like a debit card, allowing holders to
  purchase food only in cooperating grocery stores.

o Cardholders will use a 4-digit PIN.

o Officials hope the cards will reduce fraud by eliminating all cash from
  food-stamp transactions (sometimes stores returned change).

It will be interesting to watch this program to see how security aspects are

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

Another ATM "front end" fraud - this time caught

Jonathan Haruni <>
14 Feb 1994 10:23:30 GMT
An Article in London's Evening Standard of February 11 says that "in one of
the most ingenious and innovative high-tech crimes of recent years", culprits
planted a fake ATM card reader at a London branch of the Midland bank.  In a
variation on the theme, the reader was not planted over top of the ATM, but
was installed to emulate the door opening devices which most banks use.  Users
were asked to swipe their cards through the device, and then type in their
PINs, to gain admission to the ATM hall.

A suspicious customer informed the bank.  Some customers had used the device
unsuspectingly, but no money was stolen.

I see the following developments:

  - As we know, thieves are well able to reproduce magnetic swipe cards.
    They no longer need to steal peoples' cards to gain access to their
    accounts.  Any scheme which gives the card number and PIN will do.
    If this plan really qualified as "ingenious" it would have transmitted
    the data by radio directly to the thieves' card making machine, and
    the resulting cards would have been used without delay.

  - The article was on the front page of a popular newspaper.  Although
    it did contain some excess verbiage (such as the quote above) it
    also contained all the salient technical details, it described the
    extent of success and the outcome of the scheme.  There is a quote
    from a bank spokesman and a quote from the police.

I've never seen such a complete description of a RISK-worthy story in such a
prominent position.  Is this a sign that the non-technical public are becoming
more aware of the risks of technology, or at least more interested in it ?

Jonathan Haruni

[Lighter Side] Risks of computer-literate babies

Robert J Woodhead <>
Tue, 15 Feb 1994 09:07:29 +0900
My wife and I are blessed with an extremely literate 14-month-old
boy.  James is extremely enamoured of technology in general, with
special attention being given to remote controls and our family
Powerbook laptop.

As you might expect, we suffered through the usual baby-instigated
data processing disasters (leave the Mac unattended for a moment
and he'll go and click the mouse or hit keys in such a way as to
maximize the damage), but we have since adjusted to these dangers.

Yesterday, however, he got us but good.  In a display of hitherto
unsuspected manual dexterity, he managed to introduce into the
floppy disc drive a used popsicle stick, a fact not discovered
until some time later when an attempt was made to insert a floppy
into the drive.

15 minutes and a spirited display of vocabulary on the part of this
author later, the errant splinter was removed with the help of
a bent paperclip.  In a tribute to modern floppy disc design, the
drive has apparently survived the introduction of wood pulp and
traces of raspberry juice.

The risks are of course obvious.  As our children become more and
more computer literate at an earlier age, we need to develop a new
BABYSPEC specification (similar to MILSPEC but tougher), which
should include (but not be limited to)

* Diskette drive flaps that only flap for real diskettes.
* Hardened keyboards capable of withstanding two-fisted infant
  impacts (our "f" key will never be quite the same, though we
  did manage to get it working again with a paperclip).
* Smudge-resistant screens.
* Washable.
* And, of course, a baby-proof paperclip storage area.

Robert J. Woodhead, Biar Games / AnimEigo, Incs. |

New Novel/Thought experiment...

Peter Wayner <>
12 Feb 1994 18:46:50 -0500
If you're interested in a thought experiment about how to abuse the
Intelligence system and products like Clipper, then read Joe Finder's new
novel, _Extraordinary Powers_ (Ballentine).  It's a great spy
novel/technothriller that kept me up long past my bedtime. Saying anymore
would spoil the story.  (I should say that he is a friend...)  Peter

Recent Articles of Interest

Mon, 14 Feb 1994 00:26 -0400
I won't attempt to do more than a very brief comment on each one. As I've
noted in the past, some of us (would like to) assume that simply placing a
reference (link) should sufficient. In the world of the Web it's actually
starting to happen.

Discover Magazine (March 1994) has an article entitled "Counting on
Dyscalculia" (which I've called innumeracy). It discusses various problems
familiar to Risks readers such as the fact that a false positive rate on a
rare disease produces results which are not very good indicators of whether
you have the disease. It mentions the impact on public policy such as banning
substances at levels that are a fraction of what we ingest anyway.

A recent issue of Science News (which I put aside to mention here and have
yet to find again) summarizes research on the difference between logical
reasoning and human reasoning. In many cases humans reason correctly. These
are the cases that make sense to the person doing the reasoning. Otherwise
they can be very far off. It covers some of the open issues such as how much
people use correlation and coincidence because of its evolution advantages in
the absence of complex reasoning. Again, not a surprising article for Risks
readers. It does jibe with my observation phrase like "Couldn't care less"
and "could care less" mean the same thing because the sentence is analyzed
against one's own semantic biases as opposed to logical analysis.

The Feb. 13th Sunday New York Times had two articles. One is by Peter Lewis
based on the CERT alert. It has a sidebar illustrating how a Kerberos
challenge/response key system works. Lawrence Fisher has an article on the
changes in Telecommuting since the San Francisco earthquake. It says that
security is a serious concern and has some discussion on approaches.

Re: Celebrity Risks — Bill Gates

John Bush <>
Mon, 14 Feb 1994 18:48:48 -0500 (EST)
In RISKS-15.53, Jack B. Rochester writes:

> The Jan. 10, 1994 issue of The New Yorker has a long, juicy article entitled
> "E-Mail From Bill,"

And NOW, from the 21 Feb 1994 issue of BusinessWeek:


A personality profile in _The New Yorker_ magazine's Jan. 10 issue revealed
Bill Gates's electronic-mail address — and his electronic in box hasn't been
the same since.  "I've got 5,000 messages stacked up," says Gates, CEO of the
Redmond (Wash.) giant, Microsoft.  That's up from no more than 10 e-mail
messages daily before from the outside (although he may receive as many as 250
per day internally).

Until the article ran, the software billionaire was never too busy to read --
and often respond to — messages sent from around the world via the Internet
data highway.  Gates chats with outsiders on items that include technology and
business opportunities.  In his email -ure of the Information Superhighway and
his analysis of F. Scott Fitzgerald's _The Great Gatsby_.  [This article has
been taken verbatim from the magazine.  I assume that last sentence is a

Now, though, he has been forced to use a software program that sifts through
the deluge to identify items from important people such as Intel CEO Andrew
Grove.  But what about the thousands of notes from who-knows-who that continue
to stream in and sit in computer memory, ungraced by Bill's attention?  Gates
has never had anyone else read his electronic mail for him, "but I'm seriously
considering it now."

..End of article.

If I remember correctly, that address is ""...


Mon, 14 Feb 1994 13:15:28 GMT
A case has just concluded in England which may be significant for computer and
cryptographic evidence in general, and for electronic banking in particular.
It also give some interesting insights into the quality assurance and fraud
investigation practices of one of Britain's largest financial institutions.

I will be talking about this case to the BCS Computer Law Special Interest
Group on Thursday 17th February at 6pm. The meeting will be held at the
offices of Bristows Cooke Carpmael, which can be found at 10 Lincoln's Inn
Fields. To get there, take the tube to Holborn, exit southwards and turn
second left into Remnant Street.

For the sake of those who cannot make it, there follows a report of the
case from the notes I made during the hearing.

            *       *       *

1. Background.

On February 8th, 10th and 11th, I attended the trial at Mildenhall
Magistrates' Court, Suffolk, England, of a man who was charged with attempting
to obtain money by deception after he complained that he had not made six of
the automatic teller machine transactions which appeared on his statement.

The essence of the case was that John Munden, a police constable, had
complained to the manager of the Halifax Building Society in Newmarket about
these transactions, which appeared in September 1992. He had also stated that
his card had been in his possession at all times. Since the society was
satisified about the security of its computer systems, it was alleged to
follow that Munden must have made these transactions, or suffered them to be
made; and thus that his complaint was dishonest.

This trial had resumed after being adjourned in late 1993. According to the
clerk, evidence was given for the Crown at the initial hearing by Mr Beresford
of the Halifax Building Society that the society was satisfied that its
systems were secure, and so the transaction must have been made with the card
and PIN issued to the customer. Beresford had no expert knowledge of computer
systems, and had not done the investigation himself, but had left it to a
member of his department. He said that fraudulent transactions were rarely if
ever made from lobby ATMs because of the visible cameras. The Newmarket branch
manager, Mr Morgan, testified that one of the transactions at issue had indeed
been made from a machine inside the branch. He also said that in his opinion
the defendant had been convinced that he had not made the transaction; and
that he would not be aware of all the possible malfunctions of the ATM.

The defence had objected that the evidence about the reliability of the
computer systems was inadmissible as Beresford was not an expert. The court
allowed the prosecution an adjournment to go and look for some evidence; and
at the last minute, on the 20th January, I was instructed by Mr Munden's
solicitor to act as an expert witness for the defence.

2. The Prosecution Case.

On 8th February, Beresford's evidence resumed. He admitted that the Halifax
had some 150-200 `unresolved' transactions over the previous 3-4 years, and
that it would be possible for a villain to observe someone's PIN at the ATM
and then make up a card to use on the account. He confirmed that the person
who investigated the incident had no technical qualifications, had acted under
his authority rather than under his direct supervision, and had involved the
police without consulting him.

Evidence was next given by Mr Dawson, the Halifax's technical support manager.
He had originally written the bank's online system in 1971, and was now
responsible for its development and maintenance. The ATM system had been
written in 1978 for IBM 3600 series machines, and altered in 1981 when the
Diebold machines currently in use were purchased. All software was written
internally, and in the case of the mainframe element, this had accreted to
the nucleus originally written in 1971. Amendments to the online system are
made at the rate of 2-3 per week.

The PIN encryption scheme used was nonstandard. The PIN was encrypted twice
at the ATM and then once more in the branch minicomputer which controls it.
At the mainframe, the outer two of these encryptions were stripped off and
the now singly encrypted PIN was encrypted once more with another key; the
16 digit result was compared with a value stored on the main file record and
on the online enquiry file.

When asked whether system programmers could get access to the mainframe
encryption software, he categorically denied that this was possible as the
software could only be called by an authorised program.

When asked whether someone with access to the branch minicomputer could view
the encrypted PIN, he denied that this was possible as there were no routines
to view this particular record (even although the mini received this field and
had PCs attached to it). When asked what operating system the mini used, he
said that it was called either TOS or TOSS and that he thought it had been
written in Sweden. He could give no more information.

He had never heard of ITSEC.

He had not investigated any of the other 150-200 `unresolved transactions'
because he had not been asked to. The last investigation he had done was of
another transaction which had led to a court case, three years previously; he
had no idea what proportion of transactions went wrong, was not privy to
out-of-balance reports from branches, and was not familiar with branch rules
on ATM operations. He never visited the branch at Newmarket, where the
disputed transactions took place, but merely looked at the mainframe records
to see whether any fault records or error codes. He found none and took this
information at face value.

The fault recording system does not show repairs. The cryptographic keys in
the ATM are not zeroed when the machine is opened for servicing. The
maintenance is done by a third party. The branch only loads initial keys into
the ATM if keys are lost.

The Halifax has no computer security function as such, just the internal
auditors and the technical staff; it does not use the term `quality assurance'.

When asked by the bench what information was required to construct a card,
Dawson initially said the institution identifier, the account number, the
expiry date, a service code, an ISO check digit, a proprietary check digit,
and a card version number. He concluded from this that a card forger would
have to have access to an original card. However it turned out that the ATM
system only checks the institution identifier, the account number and the card
version number. He maintained doggedly that a forger would still have to guess
the version number, or determine it by trial and error, and claimed there was
no record of an incorrect version number card being used.

However, Munden's card was version 2, and it transpired later that version 1,
though created, was not issued to him; and that an enquiry had been made from
a branch terminal two weeks before the disputed transactions (the person
making this enquiry could not be identified). When asked whether private
investigators could get hold of customer account details, as had been widely
reported in the press, he just shrugged.

He claimed that the system had been given a clean bill of health by the
internal and external auditors.

The branch manager was recalled and examined on balancing procedures. He
described the process, and how as a matter of policy the balancing records
were kept for two years. However the balancing records for the two machines
in question could not be produced.

There was then police evidence to the effect that Munden kept respectable
records of his domestic accounts, which included references to the undisputed
withdrawals from ATMs, and that although he had once bounced a cheque he was
no more in financial difficulty than anybody else. The investigating officer
had only had evidence from the branch manager, not from Beresford or Dawson.
The investigating officer also reported that Munden had served in the police
force for nineteen years and that he had on occasion been commended by the
Chief Constable.

3. The Defence.

That concluded the prosecution case, and the defence case opened with Munden
giving evidence. He denied making the transactions but could not produce an
alibi other than his wife for the times at which the alleged withdrawals had
taken place.

The only unusual matter to emerge from Munden's testimony was that when he
went in to the branch to complain, the manager had asked him how his holiday
in Ireland went. Munden was dumbfounded and the branch manager said that the
transaction code for one of the ATM withdrawals corresponded to their branch
in Omagh. This was not apparent from the records eventually produced in court.

The next witness was his wife, Mrs Munden. Her evidence produced a serious
upset: it turned out that she had had a county court judgment against her, in
a dispute about paying for furniture which she claimed had been defective,
some two weeks before the disputed withdrawals took place. Her husband had not
known about this judgement until it emerged in court.

I gave expert evidence to the effect that the Halifax's quality procedures, as
described by Dawson, fell far short of what might be expected; that testing of
software should be done by an independent team, rather than by the programmers
and analysts who created it; and that Dawson could not be considered competent
to pronounce on the security of the online system, and he had designed it and
was responsible for it.

At a more detailed level, I informed the court that both national and
international ATM network standards require that PIN encryption be conducted in
secure hardware, rather than software; that the reason for this was that it
was indeed possible for system programmers to extract encryption keys from
software, and that I understood this to have been the modus operandi of a
sustained fraud against the customers of a London clearing bank in 1985-6;
that I had been involved in other ATM cases, in which some two dozen
different types of attack had emerged and which involved over 2000 complaints
in the UK; and that the Halifax, uniquely among financial institutions, was a
defendant in civil test cases in both England and Scotland.

I continued that ATM cameras are used by a number of other UK institutions,
including the Alliance and Leicester Building Society, to resolve such cases;
that in other countries which I have investigated the practice would be not to
prosecute without an ATM photograph, or some other direct evidence such as a
numbered banknote being found on the accused; that card forgery techniques
were well known in the prison system, thanks to a document written by a man
who had been jailed at Winchester some two years previously for card offences;
that I had personally carried out the experiment of manufacturing a card from
an observed PIN and discarded ticket, albeit with the account holder's consent
and on an account with Barclays rather than the Halifax; that the PIN pad at
the Halifax's Diebold ATM in Cambridge was so sited as to be easily visible
from across the road; and that in any case the investigative procedures
followed in the case left very much to be desired.

In cross examination, the prosecutor tried to score the usual petty points: he
attacked my impartiality on the grounds that I am assisting the Organised
Crime Squad at Scotland Yard to investigate criminal wrongdoing in financial
institutions (the reply from our lawyer was of course that helping the
prosecution as well as the defence was hardly evidence of partiality); he
claimed that the PIN pad at the ATM in Newmarket was differently sited to that
in Cambridge, to which I had no answer as I had not had the time to go there;
and he asserted that the Alliance and Leicester did not use ATM cameras.  On
this point I was able to shoot him down as I had advised that institution's
supplier. He finally tried to draw from me an alternative theory of the
disputed transactions - staff fraud, or a villain whom Munden had booked in
the past getting his own back by means of a forged card, or a pure technical
glitch? I was unable to do this as there had been neither the time nor the
opportunity to demand technical disclosure from the Halifax, as had been the
case in two previous criminal cases I had helped defend (both of which we
incidentally won).

Dawson was recalled by the prosecution. He explained that only two of the
three tests carried out on new software were done by the analysis and
programmers who had written it, and that the third or `mass test' was done by
an independent team. He said that software failures could not cause false
transactions to appear, since the online system was written in assembler, with
the result that errors caused an abend.

He claimed that they did indeed possess a hardware security module, which was
bought in 1987 when they joined VISA, and which they used for interchange
transactions with VISA and Link although not for all transactions with their
own customers; and he finally repeated his categorical denial that any system
programmer could get at the encryption software. When asked by what mechanism
this was enforced, he said that they used a program called ACF2.

In his closing speech, the defendant's lawyer pointed out the lack of any
apparent motive, and went on to point out the lack of evidence: the balancing
records were not produced; the person responsible for attending to those ATM
malfunctions which the branch could not cope with was not identified; the
Halifax employee who had carried out the investigation was not called; the
handwriting on the ATM audit rolls, which was the only way to tie them to a
particular machine, could not be identified; the cameras were not working;
statements were not taken from branch staff; the disk in the ATM had not been
produced; and the internal and external audit reports were not produced.

He mentioned my expert opinion, and reiterated my point that when a designer
of a system says that he can't find anything wrong, what has he shown? He also
recalled that in the High Court action in which the Halifax is the defendant,
they had not relied on the alleged infallibility; and pointed out that if ATM
systems worked properly, then people wouldn't need to go to keep going to law
about them.

4. The Verdict and Its Consequences.

I have been aware for years that the legal system's signal-to-noise ratio is
less than 10dB; however, in view of the above, you can understand that it was
with some considerable surprise that I learned late on Friday that the court
had convicted Munden. My own reaction to the case has been to withdraw my
money from the Halifax and close my account there. Quite apart from their
ramshackle systems, the idea that complaining about a computer error could
land me in prison is beyond my tolerance limit.

No doubt it will take some time for the broader lessons to sink in. What is
the point, for example, of buying hardware encryption devices if people can
get away with claiming that system programmers can never get at an authorised
library? Why invest in elaborate digital signature schemes if they simply
repair the banks' defence that the system cannot be wrong? Is there not a case
for giving more consideration to the legal and political consequences of
computer security designs?

5. Action.

In the meantime, the police investigations branch have to consider whether John
Munden will lose his job, and with it his house and his pension. In this
regard, it might just possibly be helpful if anyone who feels that Dawson's
evidence was untruthful on the point that software can be protected from system
programmers on an IBM compatible mainframe, or that his evidence was otherwise
unsatisfactory, could write expressing their opinion to the Chief Constable,
Cambridgeshire Constabulary, Hinchingbrooke Park, Huntingdon, England PE18 8NP.

Ross Anderson

Please report problems with the web pages to the maintainer