On Mon, 13 Dec 1999, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, Steve Reid writes:
> > A real-world example of the fact that cryptography is only part of the
> > equation, and "tamper-proof" devices are not necessarily so.
> >
> > Article: http://www.globeandmail.ca/gam/National/19991210/UDEBIN.html
> > Mirror: http://www.efc.ca/pages/media/globe.10dec99.html
>
> I personally would like a clearer explanation of just what happened, and what
> the "tamper-proof" devices were.
>
> As I read the article, the attack involved subversion of the swipe card
> readers. The modified versions apparently recorded both the mag stripe
> information and the user's PIN. Are the readers supposed to be
> tamper-resistant? Is the account information on the face of the card, as is
> true for credit cards? If so, a simple visual recorder -- already used by
It is not know whether these tampered terminals worked, if they were ever
used, or if any working terminals are in use.
Based on my reading of various news reports, the "tamper-proof" part of
the devices is a `EPROM' chip that is erased when exposed to light. This
is not unlike the commonly available EPROMs which are erased when exposed
to bright UV light. Now I'm sure criminals can work a screwdriver in the
dark and apply a patch of black tape to cover the window of the EPROM
which sound like a possible method to bypass such tamper-proof measures.
One of the largest security measures used seems to be that Interac (the
debit network company, www.interac.org) tried to control access of
Interact terminals to legimate companies. Of course this is impossible
since these machines are used in nearly ever retail store, including
corner stores, in Canada. In 1998, $1.6 billion ($CAD) of transactions
were made using debit cards.
Other related news articles:
Debit scams raise alarm (December 11, 1999)
http://www.efc.ca/pages/media/toronto.11dec99.html
Banks do little while fraud pumps thousands from accounts (October 18,
1997) (Yes, 1997)
http://www.efc.ca/pages/media/convergence.18oct97.html
Debit Card Danger? Card Danger? (December 11, 1999)
http://www.canada.com/saskatchewan/regina/stories/19991211/991211reginatopstory.html
Debit-card system secure, say police and banks (December 10, 1999)
http://www.canada.com/news/cp/stories/19991210/1555038.html
Interac Association and the Canadian Bankers Association Assert Confidence
in the Security of the Canadian Debit Card System (December 10, 1999)
http://www.interac.org/news/releases/dec10-99.html
