On Fri, Mar 14, 2003 at 05:36:28PM +0100, Thomas Shaddack wrote:
| Couple months ago, our local Telecom decided to switch over from
| easy-to-emulate EPROM-based "dumb smartcards" (described at
| http://www.phrack.com/show.php?p=48&a=10 ) to Eurochip ones. Today seemed
| a good day to learn more about them, so I sniffed around a bit (eg,
| http://gsho.thur.de/phonecard/advanced_e.htm ) and stumbled over some data
| that could have unpleasant implications.
|
|
| In Europe, chip cards for paying in payphones are common. However, the
| cards have serial numbers, usually assigned sequentially during the
| manufacture.
|
| It is possible to keep track of the serial numbers vs shipments. The
| phones may record (or even online-report (eg, for "fraud prevention")) the
| serial numbers of the cards used. Then it could be possible to list all
| calls done from the same card, possibly indirectly identify the person who
| made that call from a public payphone by matching their calling patterns.
| It could be also possible to identify where and approximately when the
| card was bought, putting more constraints to its owner's possible identity.
|
| I can't assess the real proportions of this threat, but it is another
| thing to be aware of.
Its possible, but expensive; this was done in the Tim MViegh trial;
they linked all his calls, and then traced it to him.
With computers, this gets easier and cheaper. Social network analysis
is an obvious outgrowth of the traffic analysis NSA has been doing for
60 years.
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
