December 13, 2002

The tragically long hand of the Italian government

Bad ideas are brewing in Italy. It is a difficult time for the country, torn between civil unrest due to large swathes of redundancies, a prime minister bent on gaining more and more power by whatever means, the selling of national art treasures and a deep uncertainty about the future.

Amongst the worsening news coming out of Italy on pretty much any subject you care to mention comes a small snippet of Internet news. The Italian registration authority, the people who define the rules to manage the .it domain, is being taken over by a semi-governmental organisation. The plan is very simple: take control of the current democratic process and turn it into yet another way in which to exert power, the same power which is slipping from their hands.

A petition (in Italian) to support the struggle against this demented plan has been set up. Please sign if you can.

Posted by arrigo at 03:12 PM

December 11, 2002

Plastic security

Sometimes I am amazed at how different countries can be in their perception of what is acceptable to minimise risk. Let us take credit cards, a subject which is sadly in my mind due to recent events.

Very simply, different countries have different standards and they all boil down to a single issue: perception of risk. If a particular bank or inter-bank body believes that the risk is of a certain entity then the corresponding budget will be increased or decreased depending on the required level (e.g. VISA's 5% limit on fraud). But how do you measure the perceived risk? Or more to the point, how do you assign a budget to it? Very simple: you base it on how much it costs in hard, solid cash.

If all you can come up with is some sort of wishy-washy number then you are never going to gain the attention of the management, and rightly so. Why should they assign a budget to a completely unsubstantiated exercise which might well skyrocket out of control? The hard facts are very simple drivers in the plastic card world.

Let us assume that to decrease the level of fraud you will equip all the VISA transaction terminals in the UK with chip readers (for those reading from across the pond: in the USA most of your cards don't yet have a chip on them, you only have the magnetic strip. The chip looks identical to a mobile phone SIM. Ah, but you don't really have GSM either... never mind). This will cost a certain amount, say GBP m. Pilot installs have shown that the introduction of chip readers reduces the amount of fraud by, say, x% overall. Furthermore sending off new cards to customers (ie. accelerating the normal rate of change for cards) costs GBP n. Finally let us say that the current level of fraud is GBP f. We are now set to pose the question.

The answer to "should I install chip readers?" is simply the answer to the question: m + n < (1-x)f? If that is not the case then no, you shouldn't install them and should simply pay up the cost of fraud.

Given the premises it becomes interesting to read about the newest advances in credit card technology in the UK. For example BarclayCard is now moving to what they call "chip & PIN" where the chip on the card is used to validate the transaction and you have to type in your PIN number to authorise it.

Is that a step in the dark for a credit card company in the UK? Of course not, it has been this way in Switzerland for ages. Did you ever read the small print on your credit card contract? Ever notice that it says that it is your responsibility to ensure that the credit card is never out of your sight? Have you recently stalked your waiter at a restaurant to guard your card? No, I didn't think you had. So, technically you are in breach of your credit card agreement! Where does it come from? It comes from the old days of the "clack-clack" machines which were brought to your table. But then restaurants had their electronic terminals and they couldn't carry them to the table nor indeed ask the customer to go and swipe in front of their eyes. That is when they clone the credit card (other means are straight guessing and then validating the number, shoulder surfing, etc.).

In Switzerland (and in Italy for that matter, where it started with ATM cards) you are brought a terminal or, if at a supermarket checkout, the terminal is facing you already. You swipe your card, type your PIN and authorise the transaction. This works quite well: it would have defeated at least two of my clones since they were taken from the printed receipt copy which held my complete card details (in the UK supermarkets didn't obscure some of the digits on the receipt, unlike other countries. Apparently they now do). Because they are Swiss they go one step beyond: you can now have your photo on the back of the credit card, beneath the signature strip. This is an interesting twist. Of course if you can print cloned cards you can add a photo to it but it raises the bar on the cost of technology. There again, to understand the mentality just think about the fact that Swiss online banking uses one-time-pads for authentication.

So why doesn't the whole world move to "chip & PIN"? Go back to the formula. In the UK you can probably do a good job on reducing fraud by moving all of Greater London to "chip & PIN" and migrating the rest of the country more slowly. But what about a place like the USA? The economies of scale are such that a roll-out of these proportions is not trivial and you should also remember that they were "first movers" with credit cards. This means that they have legacy systems in place. In Switzerland, with a total population of barely a large American city, it is comparably trivial to roll out such high-tech systems.

The moral of the story is that in the UK Barclaycard is experiencing fraud above the magical trigger number to go and upgrade the systems.

Posted by arrigo at 11:49 AM

December 09, 2002

Honestly, why do I bother?

I am working hard on entering the Guinness Book of Records for the largest number of credit card cloning incidents in a year. So, pretty trip to the US and one of four locations (Hotel in Cupertino, Fry's, Thai restaurant on De Anza, fishy place on El Camino) politely makes an illegal copy of my card. On Saturday they decide to make a small purchase in the neighbourhood for $2000 which fortunately hits the card limit (ie. they don't get to continue).

Small detail: I am not only physically back in Europe but, according to timestamps, have made an authorised (ie. VISA was called for authorisation) transaction about 50 minutes before the small purchase in the US. Interestingly both swipes (US and EU) are recorded with "card holder present" and required telephone authorisation.

Quick step back: last time they cloned my VISA the exact same thing happened but the other chap was comfortably in a hotel in Spain's Costa del Sol. I was paid back and credit restored but of course in the meantime I had a small debate on the fact that surely they could correlate purchases on my VISA card and notice the fact that I must have broken a number of laws of physics for the double purchase feat. No such luck, I was told that this was "impossible" to do.

So, almost one year on, I really refuse to digest this. I have a UK credit card, the purchase took place in California: this isn't exactly a case of a Yemeni credit card used in Paraguay, is it? Apparently it is: there is no connection between systems in the USA and UK. The card was authorised but not really in "real time" on my account. The transactions had not been processed so there was a pretty "grey haven" in which to work. Eventually the transactions trickle down to the UK from the USA and they do the reconciliation.

But wait a minute: if they are reconciled on the account does an alarm ring since now finally all the data is in the same place? No, it doesn't. Splendid. They just wait for you to query the bill and give them a piece of your mind.

You see, I am prepared to digest the "can't be done, problem intractable" for real-time transactions. Why am I so strangely reasonable? Well, if they added 30 seconds per transaction people would complain so either the verification takes place within about 10 seconds or that's just too long. But conversely I am not prepared to digest even remotely the lack of post-mortem batch analysis which could be done once the data is at my bank. There they have both the time and computing power to check that the data is "reasonable".

It is a basic validation problem: order the transactions temporally, normalise timestamps to UTC, add a "distance metric" to cardholder present transactions and then compare. If the distance metric is greater than the time difference between the transactions you raise a Schrödinger exception and someone or something checks it. At the very least your statement is flagged as "suspicious".

Note that I have been extremely careful in qualifying the transaction as "cardholder present". I am not that stupid, I know about mail order and Internet transactions. But those do not carry the flag "cardholder present" in the transaction record.
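The batch check described above, sketched as an added example that is not part of the original post or any bank's actual system: timestamps are normalised to UTC, only "cardholder present" records are compared, and the "distance metric" is taken to be the minimum travel time between the two terminals. The record layout, the coordinates and the 900 km/h speed ceiling are assumptions, and the sample transactions are constructed.

```python
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumption: airliner cruise speed, airport time ignored

# Constructed sample statement, deliberately out of order:
# (id, local ISO-8601 time with UTC offset, lat, lon, cardholder_present)
SAMPLE = [
    ("t3", "2002-12-07T13:00:00-08:00", 37.35, -121.95, True),  # California swipe
    ("t1", "2002-12-06T18:30:00-08:00", 37.32, -122.03, True),  # California swipe
    ("t4", "2002-12-07T21:30:00+00:00", None, None, False),     # mail order
    ("t2", "2002-12-07T20:10:00+00:00", 51.51, -0.13, True),    # London swipe
]


def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_pairs(records, max_speed_kmh=MAX_SPEED_KMH):
    """Return (earlier_id, later_id) for consecutive cardholder-present
    transactions that lie further apart than the card could have travelled."""
    present = sorted(
        ((datetime.fromisoformat(ts).astimezone(timezone.utc), tid, (lat, lon))
         for tid, ts, lat, lon, cp in records if cp),  # skip mail order / Internet
        key=lambda r: r[0],
    )
    flagged = []
    for (t_a, id_a, loc_a), (t_b, id_b, loc_b) in zip(present, present[1:]):
        min_travel = timedelta(hours=km_between(loc_a, loc_b) / max_speed_kmh)
        if min_travel > t_b - t_a:  # the "Schrödinger exception"
            flagged.append((id_a, id_b))
    return flagged


if __name__ == "__main__":
    print(impossible_pairs(SAMPLE))
```

Here the London swipe and the California swipe 50 minutes later are flagged, while the earlier California-to-London pair, separated by more than 17 hours, is not.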

Now I'll go back in my corner and sulk over the pointlessness of it all. All you need to think about is that if fraud is under 5% of all transactions VISA won't do anything about it as it would cost them more than just paying up. On top you add the lack of consumer pressure: want to give up your VISA? Try MasterCard? Oh, they are run by the exact same bunch of companies, surprise! I guess American Express is the last remaining one but can they really be any better?

Posted by arrigo at 03:38 PM

December 05, 2002

From the Dept. of Bugfull software

Well, we all write perfect code and test it adequately. Despite this incredible amount of effort and testing sometimes bugs do slip into the code. Sometimes the programmer should be taken out and shot.

The last released version of my random packet generator had a few horrendous bugs which I really should have never allowed. They were all linked to forgetting to initialise variables, surprise, surprise.

So, I fixed those and then added a few "features". The new code has been "enhanced" with IP checksumming, valid IP hlen enforcement and IP version number forcing. This makes it just a little easier to get through TCP/IP stacks.

Posted by arrigo at 02:14 AM

December 04, 2002

Oh, I'm sorry (not really)

Someone in ISS must have had his feathers ruffled by the BIND incident in mid-November. Guess what? They have now changed their disclosure policy to what the rest of the world had agreed was A Good Thing(tm) a few years ago.

If you read the PR blurb you will notice that nowhere can you find mention of an apology with respect to their behaviour with the BIND vulnerability disclosure nor is the previous policy mentioned. Did they actually have one? Or was it "who cares as long as we get the PR"? They go on and on about "responsibility" and how marvellous their new guidelines are.

Let us continue to propagate the "security people are all egocentric selfish showoffs who are unable to admit their mistakes", it really really helps with the credibility of the industry as a whole.

Posted by arrigo at 06:18 PM

What about IR security?

As I was not sufficiently thrilled with shipping myself across the length of Europe I decided that a trip to the USA "West Coast" was in order. A gruelling eleven hours of "economy" (intended as "the airline spends the least possible on your comfort") later I land in Los Angeles. A bit of business today and then a commuter flight up to San Jose in the afternoon.

Guess what? Orange County to Silicon Valley? Bound to be people with laptops even in "coach" (fascinating, their marketing staff clearly worked out that "economy" was ambiguous, with "coach" there can be no mistake: wave goodbye to legroom). Indeed there were and what a marvellous time to see if my friendly IR port had anything useful to say.

A bit of tinkering later and a quick sweep of the neighbour on my row indicates that the gentleman is running Windows with an open IR port. Within 10s we have a connection and not surprisingly the services are all wide open. The poor victim's company will not be named but let it suffice to say that they don't like Windows at all and sell a competitor to Office. A business plan and a bid later the plane has to land and they politely ask us to switch off our electronic devices.

The question I'd like to ask is: how many people actually use IR? Fine, so a few hands of worthy Europeans with GSM phones go up. How many people in the USA use IR? What for? Oh yes, now you have GSM too... You don't really sync your Palm or iPAQ with it so why is it enabled by default on 100% of the laptops I've had the pleasure of scanning out of sheer boredom on airplanes and/or airport lounges?

Funnily enough my laptop (a Compaq Armada M300) has a design "feature" which helps avoid people scanning your IR port: you can't get to it unless you turn the battery down by 90 degrees. As a matter of fact you can't get to the USB or the monitor port either which is rather less of a smart idea.

Folks, please turn off your IR port or at least put a little bit of duct tape over it...

Posted by arrigo at 04:42 AM