STE WILLIAMS

Better ATM skimming through thermal imaging

Security researchers have found that thermal cameras can be combined with computer algorithms to automate the process of stealing payment card data processed by automatic teller machines.

At the Usenix Security Symposium in San Francisco last week, the researchers said the technique has advantages over more common ATM skimming methods that use traditional cameras to capture the PINs people enter during transactions. That’s because customers often obscure a camera’s view with their bodies, either inadvertently or on purpose. What’s more, it can take a considerable amount of time for crooks to view the captured footage and log the code entered during each session.

Thermal cameras can vastly improve the process because the heat trace they pick up keeps the code recoverable for some time after each PIN is entered. Their output can also be fed to an algorithm that automates translating it into the secret code.

The findings expand on 2005 research from Michal Zalewski, who is now a member of Google’s security team. The Usenix presenters tested the technique laid out by Zalewski on 21 subjects who used 27 randomly selected PINs and found the rate of success varied depending on variables including the types of keypads and the subjects’ body temperature.

“In summary, while we document that post-hoc thermal imaging attacks are feasible and automatable, we also find that the window of vulnerability is far more modest than some feared and that there are simple counter-measures (i.e., deploying keypads with high thermal conductivity) that can shrink this vulnerability further still,” the researchers wrote.

A PDF of their paper, which is titled Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks, is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/thermal_imaging_atm_fraud/

Hackers breach website for SF transit agency police

Hackers breached the website belonging to a police union and posted sensitive personal information for more than 100 officers who work for a San Francisco regional transit authority.

The breach of bartpoa.com was the second time in less than a week that websites affiliated with Bay Area Rapid Transit have been targeted by hackers. Over the weekend, people claiming to be members of the Anonymous hacking collective said they were protesting BART by publishing personal information for more than 2,000 passengers who had nothing to do with the agency’s management.

People claiming to be members of Anonymous took credit for the attack that exposed passenger data. It was less clear what role the group had in Wednesday’s breach.

“The leak today of BART officer data could be the work sanctioned by those who truly support anonymous, or agent provocateurs,” a tweet from AnonyOps said. “Stay skeptical.”

A later dispatch on the microblogging site said: “People who are against anonymous know they can do things under the name ‘anonymous’ and never be questioned. This is anonymous, defined.”

A posting on Pastebin.com listed the names, home and email addresses and site passwords of 102 BART police officers. At time of writing, bartpoa.com was inaccessible.

It’s unclear exactly how the hackers compromised the police officer data.

The hackers in the earlier attack claimed to have accessed the passenger information by exploiting a rudimentary security flaw in MyBart.org, which is owned by BART. BART officials have declined to say whether the site was ever reviewed by outside security auditors.

The attacks follow a controversial move to disable cellular service in at least four San Francisco BART stations last week. BART management took that action to disrupt a planned demonstration that protesters were organizing online. BART officials said its decision to turn off the nodes that connected carriers to underground antennas was legal and necessary to prevent unsafe conditions in confined spaces. Critics have compared the move to those taken by former Egyptian President Hosni Mubarak to quash protests against his rule.

The BART demonstrations were protesting the fatal shooting by BART police in July of a homeless man who allegedly brandished a knife as he lunged at officers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/new_bart_hack_attack/

Android app logs keystrokes using phone movements

Computer scientists have developed an Android app that logs keystrokes using a smartphone’s sensors to measure the locations a user taps on the touch screen.

TouchLogger, as their demo app is dubbed, allowed its creators at the University of California at Davis to demonstrate a vulnerability in smartphones and tablets that has largely gone unnoticed: While most of these devices lack physical keyboards that have long been known to leak user input, they nonetheless remain susceptible to monitoring through similar side-channel attacks.

Whereas eavesdroppers measure sound and electromagnetic emanation to capture input from traditional keyboards, they can monitor the motion of the device to achieve much the same result from a touch screen.

“Our insight is that motion sensors, such as accelerometers and gyroscopes, may be used to infer keystrokes,” the researchers wrote in a paper (PDF here) presented last week at the HotSec’11 workshop in San Francisco. “When the user types on the soft keyboard on her smartphone (especially when she holds her phone by hand rather than placing it on a fixed surface), the phone vibrates. We discover that keystroke vibration on touch screens are highly correlated to the keys being typed.”

Screenshot: user interface of the Android data-collection app

Applications like TouchLogger could be significant because they bypass protections built into both Android and Apple’s competing iOS that prevent a program from reading keystrokes unless it is active and has focus on the screen. The demo app was designed to work on an HTC Evo 4G smartphone, where it correctly inferred more than 70 percent of the input typed into the device’s number-only soft keyboard. It worked by using the phone’s accelerometer to gauge the motion of the device each time a soft key was pressed.

With minor refinements, the researchers believe they can expand the effectiveness of TouchLogger, as well as the devices it will work on.

“The tablet has a larger screen, so hopefully we can get a higher accuracy rate on a qwerty keyboard,” said Liang Cai, a graduate student in UC Davis’s computer science department who collaborated with his advisor Hao Chen. “We didn’t really try it on a large scale of devices.”

Besides targeting devices with larger touch screens, the researchers said TouchLogger could also be improved by tapping other sensors built into the targeted device. Prime candidates include gyroscopes to measure the rate of rotation and a camera to further detect motion. The scientists noted that the W3C recently published a specification for web applications to access accelerometer and gyroscope sensors using JavaScript. They are in the process of extending their work into a full research project.

For now, they hope to get the word out that the motion detected by a smart device’s own sensors could expose highly valuable information, including passwords, social security numbers and credit card numbers.

“We hope to raise the awareness of motion as a significant side channel that may leak confidential data,” they wrote. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/android_key_logger/

Dog fight game bitten with pro-PETA virus

Scotland Yard Four cleared – on phone

Erstwhile Met Police commissioner Sir Paul Stephenson and his one-time colleagues – John Yates, Andy Hayman and Peter Clarke – have all been cleared of misconduct during an inquiry by the cop watchdog into the phone-hacking scandal at News International.

The Independent Police Complaints Commission concluded that Stephenson, who resigned last month, had not committed any offence.

He walked from his job in July while insisting that his “integrity” was intact. Stephenson said at the time that he was stepping down due to the “excessive distraction” his presence at the helm was causing to the effective running of Britain’s largest police force.

“I… considered whether the public interest requires any other matter to be investigated by the IPCC, including Sir Paul’s acceptance of hospitality from a family friend at Champneys Medical, unconnected to his professional life, while he was on sick leave,” said IPCC deputy chair Deborah Glass in a statement issued this lunchtime.

The health spa was promoted by PR firm Outside Organisation, whose managing director was Neil Wallis – the former deputy editor of the News of the World.

Wallis was arrested on 14 July by Met police investigating alleged phone-hacking at the now-defunct Sunday tabloid.

“The public will make its own judgments about whether any senior public official should accept hospitality to this extent from anyone – or indeed about a policy which regards hospitality as acceptable merely because it is disclosed,” said Glass.

“But whether or not the acceptance of hospitality amounts to recordable conduct, I do not consider that it is necessary to investigate it further. Sir Paul Stephenson has given a public account of his actions and of course, has resigned.”

Scotland Yard’s assistant commissioner John Yates also quit his job at the Met last month, as revelations in the phone-tapping saga at News International, which is owned by Rupert Murdoch’s News Corp, continued to unravel.

Glass said today that given Yates had been questioned in six separate parliamentary grillings over his involvement in phone hacking, the IPCC could not see what any further probe would achieve.

“We would agree that he made a poor decision in 2009,” she said.

Last month, Yates told MPs that he regretted not re-opening the Met’s original investigation into phone-hacking claims in 2009.

“I felt the evidence had been followed,” he said at the time.

Yates, who stood down from his position on 18 July, spent one day in 2009 looking at the initial investigation into phone-hacking, but concluded that there was nothing worth pursuing further.

“He himself has acknowledged that, given what is now known, he made a poor decision for which he has now taken responsibility. Had no new investigation into phone hacking begun this may well have been a recommendation, but the current investigation which started in January 2011 makes this unnecessary,” said Glass.

She said she had also found no reason to carry out any further investigation into the conduct of Peter Clarke, who led the original phone-hacking investigation at the Met, which at the time was handling around 70 live operations relating to terrorist plots.

Glass noted that the Met’s ex-deputy commissioner Andy Hayman’s conduct had not been referred to the IPCC by the Metropolitan Police Authority.

“[H]is social contacts with News International and subsequent employment by the Times [which is owned by News International] have been criticised,” she said.

“While there are serious issues that need to be scrutinised about the extent of contact between senior police officers and the media – and particularly around hospitality – in the absence of any actual evidence of impropriety these are, in my view, for the inquiry to explore,” said Glass.

An independent inquiry has been launched by the police watchdog into claims that Yates had secured a job at the Met for the daughter of Neil Wallis.

The former Murdoch man’s Chamy Media company’s contract with Scotland Yard – offering up PR services to England’s largest police force between October 2009 and September 2010 – is also being investigated by the IPCC, said Glass.

The Commission is separately probing alleged police corruption linked to the phone-hacking scandal, which the Met is investigating as part of Operation Weeting.

“Should any further evidence emerge, through our investigations or from the Leveson Inquiry, of any impropriety by an officer, retired or otherwise of any rank, I would expect it to be recorded by the appropriate authority and referred to the IPCC,” Glass added.

“On this basis I will keep all of these decisions under review as the inquiry progresses.”

Yates said in a statement via the Met that he was “pleased” that the IPCC was no longer investigating him in relation to any involvement in the phone-tapping issues that had been flagged by the MPA.

“I am disappointed with the IPCC’s decision to investigate my peripheral involvement in the recruitment process of Neil Wallis’s daughter,” said Yates.

“I strongly deny any wrongdoing and I am completely confident that I will be exonerated.

“I have been entirely open about this matter and I will cooperate fully with the investigation which I hope will be conducted swiftly,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/ipcc_clears_met_cops_over_phone_hacking_misconduct_claims/

German tap-to-pay telco allies don’t need no stinkin’ banks

The German arms of Telefonica and Vodafone, along with Deutsche Telekom, have signed an agreement to take their virtual mpass payment platform physical, without the help of the banks.

The letter of intent, signed by all three companies, states that the mpass system will be set up as a jointly-owned-but-independent company handling payments made by customers of any of the network operators, and without having to pass on a cut to the existing payment processors.

That is in contrast to the rest of the world where mobile operators have been busy conceding the mobile-payments business to the existing providers (Visa, Mastercard and their ilk).

In the USA, ISIS was set up to provide a similar mechanism but has since scaled back its plans in order to welcome in the existing players, while the UK operators have been busy creating a standardised advertising platform so that they can make money from NFC without having to worry about slicing the mobile-payment cake too thinly.

But German operators reckon they can do it, even if it means distributing new point-of-sale equipment to shops and, as NFC Times points out, delaying previously-scheduled launches of independent offerings:

“[Q]ueues at the supermarket will soon be a thing of the past,” says Deutsche Telekom’s ebullient Director of Marketing, espousing the benefits of pay-by-tap.

Mpass already operates in Germany, allowing payments authorised by SMS, and was even available (briefly) in the UK a decade or so ago, but despite its longevity it hasn’t proved very popular. Getting new terminals into every shop in the country will increase the visibility of the brand, but it is the cost of doing just that which has put off operators in so many other countries. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/german_nfc_mpass/

Oz cybercrime laws in need of repair

An Australian Senate committee has recommended that law enforcement authorities should only hand information to agencies from other countries if those countries have privacy protection that matches our own.

That’s one of the key recommendations made by the bipartisan committee looking into proposed cybercrime legislation, which tabled its report on August 18.

The committee has also recommended that the Cybercrime Amendment Bill 2011 should apply more detailed conditions to any telecommunications data that is disclosed to foreign countries, covering how that data might be retained and stored, and prohibiting any “secondary use” by the foreign country.

According to Australian Greens senator Scott Ludlam, the original Cybercrime Amendment Bill went beyond the European convention on which it was based, and the committee’s recommendations should help address what he called “overreach”.

The committee has also recommended that the Australia Federal Police provide ministerial reports on how often it discloses intercepts to foreign countries, which countries receive that data, how many disclosures are made, and how often that information gets disclosed even further.

The committee’s full report can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/cybercrime_amendment_needs_amendments/

Microsoft, McDonald’s absolved of tracking cookie abuse

A judge has gutted a lawsuit that accused companies including Microsoft, McDonald’s, and advertising network Interclick of fraud for the use of code that tracked the browsing history of website visitors, even when they took pains to keep that information private.

Wednesday’s dismissal of claims under the federal Computer Fraud and Abuse Act and under breach-of-contract and interference-with-contract statutes came in a case that challenged Interclick’s use of Adobe Flash cookies to track people over extended periods as they surfed from site to site. New York City consumer Sonal Bose alleged that the use of that technology, and of JavaScript that detected which websites she visited, was deceptive and invaded her privacy because it allowed tracking cookies to be resurrected even after she deleted them.

US District Judge Deborah A. Batts of the Southern District of New York dismissed most of the claims brought by Bose under a rationale that’s becoming common in privacy-invasion lawsuits: there was no injury that could be quantified in the monetary amounts the statutes require. She said the plaintiff failed to prove that the secret tracking created actual damages of $5,000 or more, as the CFAA requires.

“Only economic damages or loss can be used to meet the $5,000.00 threshold,” Batts wrote in the 28-page decision. “The limit based on economic damages under the CFAA ‘precludes damages for death, personal injury, mental distress, and the like,’” she added, quoting from a 2004 decision from the Ninth Circuit US Court of Appeals.

She went on to say: “Advertising on the internet is no different from advertising on television or in newspapers. Even if Bose took steps to prevent the data collection, her injury is still insufficient to meet the statutory threshold.”

The judge also dismissed claims for breach of implied contract and tortious interference with contract. Several claims brought under New York state laws were dismissed against the website operators that relied on Interclick, which in addition to Microsoft and McDonald’s, included the CBS network and a US subsidiary of Mazda. She allowed claims brought under New York State law and under a trespass statute to remain against Interclick.

The ruling is the latest to dash a lawsuit alleging invasion of privacy because the plaintiff couldn’t meet the required showing of monetary damages. Facebook, prescription processor Express Scripts, and job application processor Vangent have been absolved for alleged failures to safeguard sensitive information on similar grounds. The Technology Marketing Law blog has legal analysis here.

According to the lawsuit gutted Wednesday, Interclick used Flash cookies to back up the more traditional browser-based cookies it used to track which websites individual users visited. Until recently, Flash cookies – also known as LSOs, or locally stored objects – were significantly harder to delete. This allowed website operators in many cases to recreate deleted browser cookies, a practice known as “cookie respawning” that was first revealed in 2009.
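How a privacy auditor can detect respawning, as an added example (not code from the article, the court or the companies involved): compare the HTTP cookie jar of one browser profile on first visit, a second fresh profile on first visit, and the first profile again after its HTTP cookies were deleted and the site revisited. A value that differs between the two fresh profiles is a per-user identifier; if it comes back unchanged after deletion, it was restored from storage the deletion did not touch. All domains and values below are constructed.

```python
"""Detect cookie respawning from three cookie-jar snapshots.

Added example with constructed data.  Snapshots:
  a_first       -- profile A after its first visit
  b_first       -- fresh profile B after its first visit
  a_after_clear -- profile A after deleting all HTTP cookies (but not
                   Flash LSOs) and revisiting the same pages
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    value: str


def _index(jar):
    """Map (domain, name) -> value for a list of cookies."""
    return {(c.domain, c.name): c.value for c in jar}


def find_respawned(a_first, b_first, a_after_clear):
    """Return sorted (domain, name) pairs whose per-user value survived deletion."""
    a1, b1, a2 = _index(a_first), _index(b_first), _index(a_after_clear)
    respawned = []
    for key, v_a1 in a1.items():
        # A value identical across two fresh profiles (e.g. lang=en) is a
        # constant, not a tracking identifier; it cannot indicate respawning.
        if b1.get(key) == v_a1:
            continue
        # A per-profile identifier that reappears unchanged after the HTTP
        # cookies were wiped must have been rebuilt from uncleared storage.
        if a2.get(key) == v_a1:
            respawned.append(key)
    return sorted(respawned)


# Constructed sample snapshots (hypothetical domains and values).
A_FIRST = [
    Cookie("ads.example", "uid", "7f3c9a1e"),
    Cookie("ads.example", "lang", "en"),
    Cookie("news.example", "session", "s-111"),
]
B_FIRST = [
    Cookie("ads.example", "uid", "b0e26d44"),   # different user id: an identifier
    Cookie("ads.example", "lang", "en"),        # same value: a constant
    Cookie("news.example", "session", "s-222"),
]
A_AFTER_CLEAR = [
    Cookie("ads.example", "uid", "7f3c9a1e"),   # identical to before deletion
    Cookie("ads.example", "lang", "en"),
    Cookie("news.example", "session", "s-333"),  # honest site: fresh session id
]

if __name__ == "__main__":
    for domain, name in find_respawned(A_FIRST, B_FIRST, A_AFTER_CLEAR):
        print(f"respawned identifier: {name} on {domain}")
```

In a real audit the three jars come from automated browser sessions; the same comparison also catches identifiers rebuilt from other storage the user did not clear, since the logic only looks at what survives the deletion.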

The lawsuit also accuses Interclick of exploiting a decade-old vulnerability in virtually every web browser that leaks which websites end users have visited recently. Interclick’s use of history-sniffing code was first documented in December by researchers from the University of California at San Diego. Most browser makers have patched the vulnerability in the past year or so.

Websites and ad networks continue to use LSOs and at least one was recently accused of enhancing its cookie-respawning technique. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/cookie_respawning_suit_dismissal/

UK man faces five charges for repeated Facebook hacks

A 25-year-old UK man has been charged with five counts of illegal hacking for repeatedly penetrating the security defenses of Facebook.

Glenn Steven Mangham of York was accused of engaging in a hacking spree against Facebook earlier this year. From April 27 to May 9, he allegedly targeted at least three different services used by the social network. According to The Telegraph, the services included a Facebook “puzzle server,” a “mailman” server and a restricted part of a “Facebook Phabricator server.”

Mangham appeared briefly in Westminster magistrates’ court on Wednesday and was released on bail. Judge Nicholas Evans ordered the defendant not to use the internet and to surrender his iPhone and any other devices capable of accessing the net while the case is pending.

Details of the alleged security breach were sketchy. The Telegraph said Mangham “repeatedly hacked into a Facebook ‘puzzle server’ using software he had downloaded.” The report went on to say Mangham “allegedly knew that doing so could disrupt its operation.” The mailman server he allegedly targeted may have been used to run internal and external email distribution lists.

Mangham is accused of having “a special software script to hack into the Phabricator server.” The Facebook Phabricator is a collection of open-source applications for the site.

Users’ personal data wasn’t compromised in the hacks, a Facebook spokesman said. Mangham is scheduled to reappear in court next month for a committal hearing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/facebook_hacking_suspect/

Free Ride: Disney, Fela Kuti and Google’s war on copyright

Interview Wars over creators’ rights are pretty old – much older than copyright law. In one of the first “copyfights”, in 561AD, about 3,000 people died, writes Robert Levine in his new book Free Ride. St Colmcille and St Finnian clashed over the right to make copies of the Bible, with the King castigating Colmcille for his “fancy new ideas about people’s property”.

Levine’s book is a story of the digital copyright wars …

“I tried to write in an analytical way about something people get very emotional about. I don’t really believe the entertainment industry is good and the technology industry is bad; I just don’t see it as a morality issue. Businesses are in business to make money,” Levine says.

The book details the calamitous decisions made by the music business, particularly in its suing of end users for infringement. “In a few years,” he writes, “the major labels managed to destroy the cultural cachet they had spent decades building.”

The book also follows in detail Google’s “war on copyright” and the academics and activists who benefit from it. It comprehensively demolishes the arguments put by Lawrence Lessig, who helped create the cyberlaw industry. This is a book with masses of solid, meticulously researched detail.

I caught up with Levine in Berlin.

Q: What do you see as the culture industries’ biggest mistakes? You focus a lot on music …

Levine: The music industry made a lot of mistakes. They could have launched an iTunes store. And suing individuals was a mistake. I don’t think there’s anything wrong with companies suing companies: Napster, or Grokster for example. But suing people created publicity so bad that it made it very hard to get a legislative solution. It was a complete disaster.

But you have to remember that there’s a lot of things that aren’t legally or financially practical for an incumbent to do. You have a game theory-type problem: the establishment player has a lot to lose and has to play by the rules. A startup doesn’t have to.

People say they should have worked with Napster. But the labels would have been trading quarters for dimes, and they didn’t even know those dimes would be worth 10 cents. It assumes Napster would have worked out as a business.

I also think labels should have cut CD prices faster. But did you know Universal Music cut CD prices 25 per cent in 2002, and sold 13 per cent more CDs? You lose money that way; we’ve seen that again and again. We’ve seen iTunes raise the price of the best-selling songs from 99 cents to £1.20 and make more money. People aren’t price-sensitive as much as they’re convenience-sensitive. They want it when they want it.

The record companies should have done something like Hulu. I gather there were antitrust issues. Hulu does a good job, and it also helps TV companies control things a little bit. Hulu also makes money. The labels together could have done something pretty well.

Q: And DRM?

Levine: A lot of people say DRM was a huge problem. But when EMI eliminated it, it didn’t create a huge boost in sales. People hate DRM in that it won’t let them do what they want, but very few people are against it on principle. I haven’t seen any evidence that people care. Sales don’t respond to DRM policy.

People want something easy to use and iTunes is easy to use. Convenience is what iTunes delivers.

It’s all about markets

Q: Your argument is really to get money flowing to the creators online.

Levine: We’ve had a market for IP for at least 300 years. I think it works pretty well. If you compare the cultural output of countries with a market for IP and those without, it’s clear that a market gives you better IP on an economic level, and possibly on a cultural level too.

If you look at West Germany, they produced Herzog, Fassbinder, Can, Neu! and Krautrock. In East Germany they produced, well, maybe some good TV shows, but not ones they could export.

Or if you look at Nigeria and Brazil, they’re countries that in the 1960s and 1970s had great pop music that changed the world. In Brazil, you had Tropicalia, Gilberto Gil and Os Mutantes; people still buy those records today. In Nigeria, you had Fela Kuti, who is still as iconic as he ever was. This generated money sent back to Brazil and Nigeria. Now people are still making the music but not a lot of money is going back. And those countries could use the money. The culture business is one that generates jobs that are pretty good, and doesn’t create a lot of pollution, compared to BP.

If the culture business disappears, then culture is not going to disappear. I use the example of The Beatles without George Martin: they would have continued to be great songwriters, and we’d have the songs, but they wouldn’t have made great albums.

You can’t have an economy without a market. You can’t have a market without property rights, and you can’t have property rights without a means of enforcing those rights. Copyright has some aspects of property, and one of these is you can’t sell something if somebody else is giving it away.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/robert_levine_freeride_interview/