copyright notice
accesses since July 5, 2005

Mutual Authentication, Plastic, and Phishing

Hal Berghel

As this issue goes to press, one of the biggest news events of the summer is the discovery that CardSystems Solutions, a credit card transaction processing company, has let credit card information of 40 million customers leak out of the server farm in its Tucson office. According to the June 29 Winston-Salem Journal, at least 200,000 MasterCard and Visa credit cards are known to have been stolen. At this writing attorneys general of 44 states have requested that CardSystems Solutions inform every affected cardholder in their state of the potential risk of identity theft.

According to Master Card spokesperson Sharon Gamsin, the stolen data includes credit card numbers and three-digit security codes found on the back of the card that are used for verification. CardSystems Solutions CEO, John Perry, indicated that the company should not have retained any archival customer information that was stolen. As a transaction processing service, CardSystems had apparently agreed to delete the consumer data on completion of the transaction. So much for the purge utility. When is the last time that you conducted a security audit on your merge-purge software?

According to Softpedia.Com, the litigation against CardSystems Solutions has already begun. A lawsuit was filed in the San Francisco Superior Court alleging that CardSystems Solutions (1) retained customer data without authorization, and (2) failed to adequately secure the customer data that it was authorized to retain. This litigation will likely go on for years as finger-pointing, excuses, insurance settlements inevitably transition to courtroom controversy. The collective pain of 40 million credit cardholders will be offset by millions of dollars in attorney's contingency fees.

On the bright side, according to Ms. Gamsin the customer names, addresses and social security numbers of the customers were not compromised, and that only 13.9 million of the 40 million credit card customers are estimated to be at risk.

THE EVIL OF PLASTIC

At bottom, the CardSystems Solutions problem is a result of our fetish for plastic. If no one used plastic for credit, there wouldn't be any need for companies like CardSystems Solutions in the first place.

Plastic credit cards, plastic debit cards, plastic ID cards, plastic membership cards, even plastic player's cards, are ubiquitous. It takes a sturdy, self-reliant, debt-free zealot and martial artist to be able to be plastic-averse these days. Our world is so complicated that many of us can't get through a day without using some sort of plastic. The cash-and-carry days that our grandparents knew are as foreign to us now as buggy whips and pillbox hats.

The fundamental problem with the use of plastic credit is that the mainstream transaction-processor technologies do not support mutual authentication. When you present your credit card to the merchant, the evidence that the merchant uses to authenticate you is basically the same medium as the credit card - plastic. The driver's license or ID card are as easy to forge as the credit card, so someone who is determined to cheat the merchant can do so pretty much with one-stop shopping. The criminal uses a "master plastician" to forge both. Encoding the magnetic stripe uses off-the-shelf hardware that's actually simpler to use than the graphics software used to simulate the laser hologram over the photo on the ID. It's getting to the point where someone in every college dorm can add 3 years to your age and change your state of residence, armed with only a hand-me-down computer, a digital camera, some inexpensive graphics software, and a laminator - which, incidentally, may be the most expensive piece of gear. (I just bought one and it's mighty spiffy).

Restated, the problem is that the bank can't really be sure what's happening on our side of the wire. This didn't escape the attention of the criminal element among us. That's why some criminals are willing to face 20 years in the slammer to get a hold of a few million credit cards numbers. With this information a "master plastician" can have a field day. In fact, the more cerebral criminals can even use this information to leverage other identity information useful in identity theft.

PHISHING AROUND

The credit card thief relies on a vulnerability of plastic transaction processing - the lack of reliable authentication. However, credit card fraud capitalizes on only one direction of the deficient authentication: the credit card company or financial institution can't authenticate the user.

It's ironic that the digital networks recently gave rise to the defective authentication in the other direction. The technique is known as Phishing. Think of phishing as the same sort of crime with the roles reversed.

When a Phisher asks us to confirm confidential information in spoofed email from a bank, he/she does so with the full understanding that we can't readily authenticate the source of the email. Typically a Phish scam results from an email that's "dressed" to look so authentic that the request (e.g., for our bank account and PIN) seems innocuous. Unbeknownst to the unwary, the data we provide goes to the Phisherman, who then may relay the data to the actual bank site so that the bank logs show the transaction. Just as with credit card fraud, the complete solution is mutual authentication. What makes this most interesting is that the logic of credit card fraud and Phishing is the same. The difference is the direction of the attack vector.

VARIATIONS ON THE THEME

There are many slips twixt our cup and lip in the mutual authentication realm. For example, in our lab we experiment with a form of social engineering akin to the magician's sleight-of-hand. A few years back it became fashionable among credit card thieves to imprint credit and debit card information on hotel room keys, players cards, phone cards - anything that had a magnetic stripe. The reason was that in some states there was a presumption of guilt if anyone were found with more than two credit cards in someone else's name. This presumption of guilt makes the savvy criminal reluctant to carry a fist full of their booty on their person. So, they transfer the magnetic information to some other form of card. Cops are still busting people with bedspreads covered with hotel room keys, and purses full of phone cards. Our challenge was to develop technology that could detect an anomalous card without actually reading it.

In one of life's great ironies, the lack of mutual authentication is at the root of many of our greatest security vulnerabilities from WiFi to DNS cache poisoning.