The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 7 Issue 37

Friday 19 August 1988

Contents

o Virus insurance
Rodney Hoffman
o Blind faith in overly electronic locks
Leonard N. Foner
o Fewer Charges Now Require a Signature
Kian-Tat Lim
o Re: Danger of Sensitive Car Electronics
Hugh Davies
o Info on RISKS (comp.risks)

Virus insurance

Rodney Hoffman <Hoffman.es@Xerox.COM>
17 Aug 88 15:39:55 PDT (Wednesday)

A front-page article by James Daly in the August 15 `ComputerWorld' surveys
availability of insurance against computer viruses.  Excerpts:

  ... A recent survey of insurers providing computer security policies
  revealed an industry with not only a dearth of knowledge about viruses
  but an inability to determine whether policyholders are now or will
  ever be covered.  And at least one underwriter has also begun to 
  specifically reject virus protection....

  Even where virus protection is not specifically excluded, an enormous
  gray area exists.  "We're looking into it, but we're not sure it would
  be covered anyway," said [one insurer].  Others put it more bluntly.  
  "I don't think you'll see coverage ever offered," said [a computer 
  security lawyer]....

  At a recent American Bankers Association conference, a speaker from 
  Lloyds of London said the number of outstanding computer crime-related
  claims would devastate the industry if they were all brought to fruition.
  And the virus outbreak has made a bad situation even worse....

  Additionally, it has always been difficult to put a dollar value on 
  information, and some assert that if everyone hit by a virus made a claim,
  the courts would be tied up for eons just figuring out how much the data
  was worth.

  ... The deductible on many [computer security] policies ... often begins 
  at around $10,000, but may skyrocket to $3 million at large banks....

  One underlying problem, most underwriters admit, is that they cannot
  keep pace with changes in the technology.... The Surety Association of
  America, a quilt of nearly 600 insurance underwriters, has formed a 
  committee to begin reworking some of its policies, and computer viruses
  "will certainly be on the agenda," said [the assoc. V.P.].... 

  "We're doing like everyone else: trying to understand the technical 
  aspects of the virus," said [one insurance company senior V.P.]. "Maybe
  then we will be able to relate it to some coverage."


Blind faith in overly electronic locks

Leonard N. Foner <foner@wheaties.ai.mit.edu>
Thu, 18 Aug 88 00:03:05 EDT

I work at a rapidly-growing company in Cambridge (currently about 160 people)
that just recently expanded to the third floor of our current building.

Prior to the expansion, we had a keypad on the first-floor door that would be
used to open the door from the outside.  To open the door from the inside, you
turned a mechanical latch that overrode the electric one (probably a
spring-coupled system like many other standard electric latches).  The second
floor was locked with a completely nonelectronic lock, and is the main entrance
for visitors and other such people.

Well.  Shortly after we expanded to the third floor, the main door to the space
acquired a locking device which was essentially a metal plate bolted to the top
of one door in a double door.  (The other door just uses the up-and-down slides
that lock it in place in the floor and ceiling unless you've got the first door
open---you've probably seen the type).  When the door with the metal plate is
closed, it contacts a very strong electromagnet mounted at the top of the frame
that holds the door shut with a theoretical strength of about a metric ton.

This magnet is controlled by a motion sensor mounted on the inside of the
space, on the wall to one side of the door.  The motion sensor presumably is
wired to the central alarm system (i.e., not in series with the actual
electromagnet).

Stop and think a moment about the implications of this.  Think you've got them
all?

It gets better.  It turns out that when the system was installed, *no one was
told* that there was a motion sensor on the inside.  The door automatically
locked at 6pm.  Immediately thereafter, somebody tried to get out on his way to
the airport, stopped a moment just inside the door to check something on his
person, and tried to open the door.

Surprise.

With the magnet on, turning the (unlocked) knob does nothing, because the door
is physically held closed.  Further, we had someone on the outside
(coincidentally) who was trying to get in.  What *they* didn't know (again,
because the alarm company didn't tell anyone else what they were doing) was
that they had to hit the # key on the keypad after entering the combination.
So the keypad was essentially inoperable, too.

It turned out that it took about fifteen minutes for us to open the door, from
either direction.  No one on the inside was moving enough for the motion sensor
to notice them (they were pushing on the door, to no avail, or typing on an
alarm control panel which seemed dead and was, in fact, not connected to
anything).  Eventually, someone happened to step back and scratch their head or
something, at the same time someone was pulling on the outside of the door, and
it magically and mysteriously opened with no effort at all.

No one knew why the door had unlocked, so the person who was now late for the
airport departed, while we opened the adjoining door so we could close the
magnetically locked one to figure out what was going on without risking being
locked in.

It took us another fifteen minutes to finally notice the correlation between
movement and the magnet.  (Since the magnet turning off is not audible, unlike
a latch retracting, we had to park one person leaning on the door to guarantee
that we'd know when it opened.  And the motion sensor, since it looks sideways
across the door, and very high off the ground, is not very sensitive to short
or medium people walking *toward* the door.)  Another few minutes of work
yielded the procedure for the keypad, and we were all set---or were we?

I had had bad misgivings about the magnet from the moment I had seen workmen
installing it, and it turns out that they have been borne out.  Consider, for
example, that there is no switch, not anywhere, that is directly in series with
the magnet's power supply.  Any failure of the motion sensor, its wiring to the
alarm, or the alarm itself could jam the magnet on, with no remedy except
unscrewing the (obviously nonmagnetic and probably aluminum) casing of the
magnet and cutting the leads.  Given that the case has about ten phillips-head
screws, I wouldn't like to try this in a fire---especially when you consider
how long it generally takes to find a phillips-head screwdriver and a pair of
diagonals...

Incidentally, the alarm and the magnet are battery-backed.  Even a fire that
killed the 120V power would not unlock the door, and if it burned through or
shorted, as appropriate, the correct wires, you can guess the outcome.

So once I realized how insanely they had designed the system (what's
wrong with an ordinary latch?), I went to our chief administrative
officer, who's also in charge of things like alarms, and asked her to
put a manual override on the magnet.  I drew a schematic to indicate
that the switch should be in series with the magnet itself, not
connected to the alarm's logic.  It only took *three days* to convince
her of the necessity for the change...

I also asked how the fire marshal could possibly approve such a dangerous fire
exit.  She gave the incomprehensible answer that the alarm people *were*
firemen.  Since I'm not aware that the fire department routinely double-dips by
working as alarm installers in their off hours, I let it drop there.  I'll
probably ask the fire marshal to come take a look if things don't improve.

So the alarm people, who were initially rather startled that we didn't trust
their alarm to work perfectly in all cases, even in the event of a fire, said
that asking for a switch wasn't totally a new concept, and installed one (no
doubt anything they can charge us a bundle for makes good sense to them).  This
switch is the sort that is labelled "Pull in case of fire" and generally makes
it look like it's a bad thing to pull the switch casually (it looks pretty
non-resettable).  This makes me hesitant to test it.  However, the fact that
the switch is on the wall under the motion sensor, rather than between the
magnet and the alarm (which is in a room on the *opposite side* of the door
from the motion sensor) makes me believe that the switch is simply in series
(or parallel, if it's normally-open) with the motion sensor.  This removes one
point of failure (the motion sensor), but still leaves all of its wiring and
the central alarm's logic circuits, which have already (in two weeks of
operation) demonstrated themselves to be unreliable.  (No one could get in on
Saturday.  The alarm company insisted that the logic had gotten wedged because
someone had entered their combination "too quickly" on the keypad outside.  I
don't know whether to believe them---and assume that the engineer who designed
the alarm is incompetent---or disbelieve them---and assume that the maintenance
guys are incompetent.  Neither is very reassuring in the face of this
non-overrideable lock.)

So we're left with a system that is difficult to test (sometime late at night I
will almost certainly disassemble the various pieces to see where the wires go,
and thus where the switch is in the circuit), unfriendly (the motion sensor is
not very sensitive, requiring people to often walk back and forth, jump up and
down, or wave things to get out), insecure (sticking a piece of paper on a coat
hanger between the gap in the two doors and waving it vigorously enough should
open them, if it's a sufficiently large piece of paper), and dangerous
(multiple points of failure all leading to being locked in).

Whatever became of good, old-fashioned mechanical locks?

To top it off, the second floor just got an electronically controlled latch
(not an electromagnet, but again with no obvious mechanical override), and it,
too, is attached to a motion sensor...
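
An added example, not part of the original post: a small fault enumeration over the three wirings the post discusses (as installed, pull switch wired with the motion sensor, pull switch in series with the magnet). The component names and the assumption that every fault leaves the magnet energised are illustrative; magnet power is treated as always present because the post says it is battery-backed.

```python
from itertools import combinations

# Components named in the post. A "fault" means the part has failed in the
# state that keeps the magnet energised (assumed stuck-locked failure mode).
PARTS = ("motion_sensor", "sensor_wiring", "alarm_logic", "pull_switch")

def chain_ok(faults):
    """A release request reaches the magnet supply via wiring and alarm logic."""
    return "sensor_wiring" not in faults and "alarm_logic" not in faults

def as_installed(faults):
    # Only the motion sensor can ask the alarm to drop the magnet.
    return "motion_sensor" not in faults and chain_ok(faults)

def switch_at_sensor(faults):
    # Pull switch wired with the sensor: it can stand in for a dead sensor,
    # but its signal still travels through the same wiring and alarm logic.
    request = "motion_sensor" not in faults or "pull_switch" not in faults
    return request and chain_ok(faults)

def switch_at_magnet(faults):
    # Pull switch in series with the magnet itself: opens the circuit directly,
    # independent of the sensor, its wiring and the alarm logic.
    return "pull_switch" not in faults or as_installed(faults)

def minimal_trap_sets(can_exit):
    """Smallest fault combinations that lock occupants in even when they
    both trigger the motion sensor and pull the switch."""
    found = []
    for size in range(1, len(PARTS) + 1):
        for combo in combinations(PARTS, size):
            faults = frozenset(combo)
            if can_exit(faults):
                continue
            if not any(prev <= faults for prev in found):
                found.append(faults)
    return found

def single_points(can_exit):
    """Parts whose failure alone is enough to trap people inside."""
    return sorted(next(iter(s)) for s in minimal_trap_sets(can_exit) if len(s) == 1)

if __name__ == "__main__":
    for name, design in [("as installed", as_installed),
                         ("switch at sensor", switch_at_sensor),
                         ("switch at magnet", switch_at_magnet)]:
        sets = [sorted(s) for s in minimal_trap_sets(design)]
        print(f"{name}: single points {single_points(design)}, trap sets {sets}")
```
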


Fewer Charges Now Require a Signature (L.A. Times)

Kian-Tat Lim <lim@csvax.caltech.edu>
Fri, 19 Aug 88 00:29:09 PDT

Fewer Charges Now Require a Signature
By Albert B. Crenshaw, the Washington Post
Los Angeles Times, August 18, 1988, page IV-3

WASHINGTON - A hotel in Richmond, Va., discovers some telephone charges after a
guest has checked out.  No problem.  An employee telephones the guest and tells
him the hotel will simply put the charges on his credit card.
  A restaurant in Washington demands a credit card number when taking
reservations.  If the guests fail to show, a $15 charge is placed on the credit
card.
  A busy professional spots an appealing item in a catalogue, dials an 800
number and says, "Ship it and put it on my credit card."
  These transactions, like millions of others in today's charge-it world, have
one thing in common.  A charge was recorded on a credit card but no signed
document changed hands.

Signatures Not Required

  The signature, in fact, is rapidly becoming obsolete in credit card
transactions.
  Having a customer sign a slip when he or she buys something is already "less
significant than it was" in the past, said Dan Brigham of Visa International.
Credit cards today are evolving into "a national payment system," said Spencer
Nilson, publisher of the Nilson Report, a California-based newsletter that
tracks the credit card industry.
  "It allows you to do things you cannot do with cash," such as make
long-distance transactions, Nilson said.  "That is what people pay interest
for, what they pay fees for," and as the system becomes increasingly electronic
"the trend is for more transactions to be without signatures," he added.
  "Nothing in the law specifically requires a signature" in a credit card
transaction, said Elgie Holstein of Bankcard Holders of America, a
Virginia-based consumer group.
  "The issue is positive identification of the card member," said Philip Riese
of American Express.  This can be done several ways -- by comparing the
signature on the card to the one on the charge slip, by using a personal
identification number similar to those for automated teller machines, and by
"what is known generically as 'signature on file,' " Riese said.
  In the third case, which arises mostly in telephone transactions, the burden
is on the merchant to ascertain the cardholder's identity, though American
Express helps by providing an address-verification system that matches the
cardholder's address against the one to which merchandise is to be sent.
  In some cases signatures are being dropped for in-person transactions,
especially where signing a slip may be viewed as an impediment to a speedy
sale.
  For example, Visa and Arby's, the roast beef chain, are experimenting with
putting fast food on plastic.  In an effort to keep the fast food fast, they
require no signature for purchases under $25.
  The clerk merely "swipes" the customer's Visa card through a magnetic stripe
reader, which checks a "hot sheet" to see if the card is OK.  If it is, then
the customer is on his way.
  The experiment promises to put fast food where mail order and other forms of
remote marketing have been for years.  The appeal to these marketers is
obvious.  Customers enjoy the convenience and merchants find they are able to
capture more impulse business -- sales that would be lost if the buyer had to
write out a check and mail it in.
  While acknowledging the convenience, however, many customers feel just a bit
nervous at this "loosey goosey" system, as Holstein termed it, of telephone and
other signatureless transactions.
  But lawyers and others who follow the industry agree that it is the merchant
and the card issuer that bear the bulk of the risk.
  Under the Truth in Lending Act, consumers are generally protected from losses
of more than $50 due to unauthorized use of their credit card.  And in
practice, said Holstein, the customer's chance of successfully disputing a
charge "is in fact enhanced when they don't have your signature."
  The law specifically states that if a card issuer seeks to collect a disputed
charge, "the burden of proof is upon the card issuer to show that the use (of
the card) was authorized" by the cardholder, he added.
  Visa's Brigham said that, if a cardholder swears in an affidavit that he did
not authorize a disputed transaction, "that's generally the end of it."
  This does not mean, however, that there is no risk for the cardholder.
  Nilson noted that fraud by "telemarketing" is increasing rapidly and that
these thieves prey particularly on those who are not aware of their rights or
who may for some reason be unwilling to assert them.
  Many of these scams are aimed at merchants by crooks who collect card
numbers, run up a lot of charges and quickly skip before the cardholders begin
to complain.
  But others are aimed at the cardholders themselves.
  Nilson said purchasers of pornography offer a fertile field for such scams.
Some thieves even make deals with pornography sellers to buy the right to
collect their credit card accounts.  They then run up phony charges with the
numbers.
  Often, he said, cardholders pay up for fear that any dispute would reveal
what they had been involved with.
  In other cases, cardholders may find the issuer willing to go to court with
even marginal cases if the amount involved is large enough.
  In addition to being a payment system, credit cards are on their way to
becoming a national identity card system, as anyone who has tried to check in
to a hotel recently can attest.
  Businesses that use credit cards as identification are "trying to confirm who
you are, that you're not a phony," Nilson said.  They regard the credit card
"as sort of a monitor.  If you don't have one it doesn't mean you're rejected
but it triggers something else," such as requirement for further
identification.  


Re: Danger of Sensitive Car Electronics

<"hugh_davies.WGC1RX"@Xerox.COM>
19 Aug 88 06:52:54 PDT (Friday)

1) In the UK, there is an area where two large motorways (freeways) converge
(the M1 and M6) near Rugby. This area also contains 2 large radio transmitting
stations - the BBC transmitter at Daventry and the Home Office transmitter at
Rugby (which transmits the MSF time standard, among other things). This area is
renowned for the failure rate of electronic engine management systems, which
upon the cars involved being towed from the area prove to be perfectly
functional. As a result, local car dealers have named the area 'the Black
Triangle'.

2) The radio literature is full of instances of interference with car control
systems by radio transmitters mounted in the vehicle. My last car would quite
happily sound its 'seat belt warning' upon every transmission on certain
frequencies. I have also set off at least one shop (store) burglar alarm whilst
transmitting when outside the shop.

The phenomenon of EMC problems (Electromagnetic Compatibility) is well known in
the radio, computer and communications industries. There is a large short-fall
in the numbers of EMC engineers available in the industry, and in the case of
the UK, there are no egress regulations anyway, which leads to a total lack of
interest among manufacturers of electronic equipment. The fact that poor egress
specifications also lead to poor ingress specifications also seems not to
bother the manufacturers of cars, computers, radios, TVs, VCRs, etc. The EEC,
through the CEPT, is about to enact an ingress specification, but it is to a
very low standard, mainly aimed at preventing interference by CB. The FCC
standard appears to be much better, and, by European standards, reasonably well
enforced.

Many digital electronics engineers are poorly trained in analogue electronics,
and may not realise the magnitude of the problem. It is quite possible for the
amounts of RF induced by proximity to radio transmitters to reach the Volt
level, at significant currents. There are well documented problems with systems
adjacent to multi-megawatt radio transmitters, such as those experienced in the
national stadium in Jeddah.  Most microcomputers are poorly, if at all, screened
in this respect - they are usually housed in plastic enclosures. Whilst the car
is probably one of the most hostile environments known to engineers, it is
quite possible for it to become more hostile yet in the presence of large
amounts of RF.

Hugh Davies.
