The RISKS Digest
Volume 4 Issue 32

Thursday, 18th December 1986

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


o EXTRA! British Telecom payphone Phonecard broken?
o Info on RISKS (comp.risks)

EXTRA! British Telecom pay phone Phonecard broken?

Peter G. Neumann <Neumann@CSL.SRI.COM>
Thu 18 Dec 86 11:25:17-PST
Britain is currently just at the tip of an iceberg regarding an apparent
vulnerability in its debit cards for British Telecom pay phones.  The debit
cards can be purchased from all sorts of shops, and come in a range of
denominations such as 5, 10, 40, or 100 calling units.  The system has been
in use for a year or two, and card pay phones are both widely accessible and
very popular.  (If you've ever tried to use coins in a London call box, you
know that it is quite an experience.)

My best guess is that it has a holographic stripe, and that a destructive
write is used effectively to burn out a part of the hologram corresponding
to each message unit — making it difficult to ADD units to the card.

Unfortunately, a relatively simple doctoring of the card has been discovered
that threatens the whole scheme, and makes a card indefinitely reusable [at
least until the system is either modified or withdrawn].

An article appeared as the front-page lead story in The Sunday Post (West
Scotland?), 14 December 1986, with the banner headline "DIAL WORLD WIDE FOR
NOTHING — TELECOM HIT BY 'PHONE FRAUD'".  The article notes that the trick
was discovered by a British soldier "fed up with paying a fortune to call
his Scottish girlfriend".  The word is now spreading around British troops,
and can be expected to be widely known in a very short time.  (The newspaper
states that they know how it is done, and have proved that it works.  It
cites a variety of calls that they were able to make without any debit to
their card.)  The consequences of the propagation of this trick are awesome
to contemplate.

The system was presumably billed as "foolproof".  But "foolproof" is not
good enough against intelligence — although it should be pointed out that
the card is not a smart-card in the usual sense.  There is no user
identification number required, and no use of encryption.  The AT&T credit
card number seems somewhat safer, as it is quickly revocable on an
individual basis.  On the other hand, the convenience of the BT phone card
is certainly appealing.

A challenge is presented to RISKS as to how to handle this situation.  My
philosophy is generally to treat the existence of such cases relatively
openly, in the hopes that those who need to be protected will become wiser
fast enough to act accordingly.  If the vulnerability is about to be
replicated elsewhere, then knowledge of it may stave off disasters in
about-to-emerge applications of the technology.  Thus it seems germane at
least to call your attention to the problem at this time.

On the other hand, there is a more sensitive question about whether RISKS
should divulge specific details of the vulnerability.  (Indeed, several
possible approaches immediately come to mind, although I do not know the
technique that was allegedly demonstrated.)  Intelligent discussion on this
topic is welcomed here.  Furthermore, if hard knowledge of the penetration
method is already appearing in the British press, then it would seem to be
suitable for inclusion here.  I hope some of our British correspondents will
keep us informed.

We have previously had some discussions in RISKS on whether to address
operating system and network flaws, where it is vital that vulnerabilities
be quickly known to system personnel — the flaws may already be widely
known elsewhere.  It might be tempting to think that the holocard situation
is small peanuts — it is only dealing with 10P at a crack.  But that can
add up in a hurry when people discover they have unlimited free dialing.  It
might alternatively be tempting to think that this situation is more
sensitive than computer system security flaws, e.g., because MONEY is
involved — namely defrauding British Telecom.  But many computer systems
control very large sums of money, and are vulnerable to much greater frauds
than pay phone ripoffs.  At any rate, stay tuned, and let's see what happens.

It is certainly of concern to RISKS to point out that most such schemes have
vulnerabilities that transcend the set of assumptions made by the designers.
This appears to be a case in point.

There are also risks in smart-cards (widely used in France), although the
frauds are not quite so easy to perpetrate.

   [Thanks to Donn Parker for having brought back with him a copy of the
   Sunday Post whose presence all over a newspaper kiosk caught his eye as
   he was leaving for his flight back from London on Sunday.  It is pure
   coincidence, I guess, that he travels the world hunting down and 
   consulting on computer related crime!]

Please report problems with the web pages to the maintainer