Security Watch

Relay Attack Requires Way Too Much Work

Criminals will look for easier ways to steal your ID and money than this particular attack scenario. Plus: logic bomber gets slammed; data breach law covers medical records.

Steven J. Murdoch, a researcher with the University of Cambridge's security group, published a paper describing how an "easy" and "cheap" relay attack can be established against EMV smart card transactions, including those using Chip and PIN technology. All a criminal needs is:

  1. Control of a terminal being used by unsuspecting users
  2. A counterfeit card with a wire attached and inserted into a legitimate terminal
  3. The timing of Mission Impossible I, II, or III

So here's how it works: A user inserts a legitimate card into the criminally controlled terminal at the same time as the criminal inserts the counterfeit card into a legitimate terminal at some other merchant location. Remember that the counterfeit card has some wire attached to it -- but hey, the legitimate merchant never notices this.

Next, the legitimate purchaser enters a PIN into the criminally controlled terminal. The PIN is relayed to a wireless headset worn by the criminal at the legitimate merchant's terminal. The criminal enters that PIN into the legitimate terminal and -- voila -- the unsuspecting victim has authorized the purchase at the legitimate merchant's premises.

Given how easy this is, it's no wonder it's happening all the time -- not! How long do these boffins think their criminally controlled terminal would last before being spotted by a victim? In the researcher's example, the victim attempts to purchase a $20 meal but instead purchases a $2,000 ring. The victim would likely notice this mistake the minute they attempted to pay for the cab ride home from the restaurant.

Logic Bomber Gets 30 Months
Facing up to 10 years in federal prison for the logic bomb that sysadmin Yung-Hsun Lin planted on Medco Health Solutions servers while he was employed there, Lin received a 30-month sentence, believed to be the longest sentence handed down for such a crime. Lin was also fined $81,000. (Read the sordid details here.)

Lin pled guilty in September 2007 to planting the logic bomb in 2003, when the company was undergoing a restructuring of its Unix server group. The story goes that Lin feared being let go, so he planted it. He remained employed, but left the code in place. Before the logic bomb went off, it was discovered by another sysadmin.

The systems that could have been affected were designed to check drug interactions for customers. Had the logic bomb gone off, it is possible that a customer might have received incorrect prescriptions that could have produced an adverse outcome or even death. N.J. prosecutors emphasized this fact, to show how cybercrime can do financial and physical damage.

Lin was expected to surrender to federal authorities by February 25.

ComScore Ethics Come into Question Again
At InformationWeek is an article starting yet another discussion of ComScore's methods. This time, ComScore's ethics and the quality of the data it gathers are under scrutiny.

ComScore needs to be more forthcoming about its practices, so that independent verification can be had regarding both its software components and the numbers it markets. Companies that rely on ComScore's figures are already in a position of power, where they can decide whether ComScore's data is worth what they are paying. The public, however, does not get the same luxury with respect to the software. There are continual disclosures of how ComScore's tools get installed without so much as a by-your-leave, and, no doubt, ComScore's products are on thousands of people's systems whose owners have absolutely no idea what information is crossing the wire.

Medical Records Now Covered by CA Data Breach Law
Back in January, California legislators extended the state's data breach notification law to cover medical and health insurance records. Assembly Bill AB 1298 builds on Senate Bill SB 1386, which already states that companies in California, or that do business with California companies, must notify users whose financial data -- encrypted or unencrypted -- is compromised or breached in any way. (SC Magazine has the story here.)

While there are many reasons that the bill is a good one, there are other reasons that seem a stretch in our estimation. However, there is no doubt that protecting sensitive, personally identifiable information is a good thing for everyone. Data at rest is easily protected with encryption, and even relatively simple encryption is sufficient to prevent abuse. In our experience, encryption failures do not represent any tangible amount of crime. Instead, it is the lack of any form of encryption that results in loss.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
