Here are RFID Debit Cards, whether you wanted them or not.

By davidjsh at 3:01 pm on January 27, 2008 | 7 Comments

In the world of banking, attention has turned to the prospect of using RFID technology for contactless transactions via bank cards. While this in and of itself is a security concern, John Leyden brought to light in his article (http://www.theregister.co.uk/2008/01/27/paywave/) that some banks have started phasing in these cards without the consent of their customers.

In the UK, some banks such as Halifax are trying a system backed by Visa known as PayWave. Under PayWave, customers can make transactions under £10 without the need for a PIN or having to sign anything. In the article, we find that Pete is one of the customers upon whom this technology has been pushed without their consent. After destroying the new PayWave card (which he did not request) out of security concerns, Pete found that Halifax had also cancelled his old card. The replacement card Halifax ended up sending him was also a PayWave card. Though Pete was eventually able to obtain a non-PayWave card by complaining enough, it alarms me that banks would presume that convenience outweighs security for every customer. What prevents a “vendor” from rigging up a reader located in a backpack that would allow them to roam the streets charging a small transaction to every passing card? Few people would notice such a minuscule charge on their statements, and the “vendor” could potentially obtain a large sum of money over time. In my opinion, companies that are entrusted with our money should be much more responsible when it comes to security. Or at least they should ask their customers first.
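The scenario above (many sub-£10, no-PIN taps from distinct cards in a short burst) is the kind of pattern an issuer's fraud monitoring can look for. The following is an added example, not code from the post or from Visa or Halifax; the transaction feed, the merchant names and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NO_PIN_LIMIT_GBP = 10.00  # the sub-£10 no-PIN ceiling described in the post

# Constructed sample feed (not real data): (merchant, card_token, amount_gbp, cvm, timestamp)
SAMPLE_TX = [
    ("COFFEE-01", "c1", 2.40, "none", "2008-01-27T09:01:00"),
    ("COFFEE-01", "c2", 3.10, "none", "2008-01-27T09:03:00"),
    ("COFFEE-01", "c3", 14.90, "pin", "2008-01-27T09:07:00"),
    ("COFFEE-01", "c1", 2.40, "none", "2008-01-27T12:30:00"),
    ("BACKPACK-X", "c10", 9.99, "none", "2008-01-27T17:00:05"),
    ("BACKPACK-X", "c11", 9.99, "none", "2008-01-27T17:00:09"),
    ("BACKPACK-X", "c12", 9.99, "none", "2008-01-27T17:00:14"),
    ("BACKPACK-X", "c13", 9.99, "none", "2008-01-27T17:00:20"),
    ("BACKPACK-X", "c14", 9.99, "none", "2008-01-27T17:00:27"),
    ("BACKPACK-X", "c15", 9.99, "none", "2008-01-27T17:00:33"),
]

def parse(tx):
    merchant, card, amount, cvm, ts = tx
    return merchant, card, float(amount), cvm, datetime.fromisoformat(ts)

def flag_merchants(txs, window=timedelta(minutes=5), min_cards=5,
                   max_mean_gap=timedelta(seconds=30)):
    """Flag merchants that, inside any `window`, take at least `min_cards` no-PIN,
    sub-limit taps from distinct cards at a fast average cadence.
    Returns {merchant: number_of_distinct_cards_in_the_burst}."""
    by_merchant = defaultdict(list)
    for merchant, card, amount, cvm, ts in map(parse, txs):
        if cvm == "none" and amount < NO_PIN_LIMIT_GBP:   # only the no-PIN path matters here
            by_merchant[merchant].append((ts, card))
    flagged = {}
    for merchant, taps in by_merchant.items():
        taps.sort()
        for i in range(len(taps)):          # slide a window starting at each tap
            j, cards = i, set()
            while j < len(taps) and taps[j][0] - taps[i][0] <= window:
                cards.add(taps[j][1])
                j += 1
            n = j - i
            if len(cards) >= min_cards:
                mean_gap = (taps[j - 1][0] - taps[i][0]) / (n - 1) if n > 1 else timedelta(0)
                if mean_gap <= max_mean_gap:
                    flagged[merchant] = len(cards)
                    break                   # one burst is enough to flag this merchant
    return flagged
```

A normal cafe (COFFEE-01) never accumulates enough distinct no-PIN taps in one window, while the constructed BACKPACK-X merchant is flagged on its six-card burst.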

Filed under: Current Events | 7 Comments »

Logic Bomb Fails to Cripple Medco’s Systems

By kurifodo at 2:09 pm on | 2 Comments

In a recent article on Computerworld, it was reported that a former system administrator of Medco planted a logic bomb which was intended to cripple the company’s network. Medco deals with prescribing drugs and various other health services. Due to the nature of this attack, the well-being of Medco’s customers was put at risk. Fortunately, the logic bomb did not succeed: it is reported that the first wave of the attack failed due to buggy code, and subsequent waves were detected and prevented before they could trigger. The former system administrator will now serve 30 months and has to pay $81,200 in damages.

It is mentioned that upcoming layoffs could have triggered the system administrator (Lin) to commit this offense. Medco had just been restructured, and layoffs had taken place, but Lin did not lose his job. However, there were more layoffs to come, so perhaps in anticipation, Lin planted the logic bomb. It is difficult to say if there could have been anything done to prevent this offense. Since Lin was a system administrator, it is difficult to stop or deter a person of this position if they are willing to commit such a serious offense. I think the best a company could do is respond to actions taken by employees by checking their work, but enforcing a system like this would be too pricey and time consuming to be plausible.

As mentioned before, the impact of this event, if it were successful, could have been very serious. People’s lives could have been lost due to lack of prescription drugs, and others could have been damaged for life potentially. One very difficult question to answer is, what should we do with people like Lin? What kind of punishment is suitable for the crime? Even though it was not successful, the intent to harm was always present. After Lin completes his sentence, should he be trusted to work with a company’s computer systems? Who knows if Lin will have learned his lesson, or if he will be even more upset and “out to get the world.” I would think it is safe to say that a company will never hire Lin to work on their computer systems with this kind of event on his record.

Filed under: Current Events, Ethics, Policy | 2 Comments »

Pillaged MySpace Photos Show Up in BitTorrent Download

By felixctc at 2:51 am on | 5 Comments

More than half of the million images that are private photos of MySpace users were stolen and uploaded onto BitTorrent. This is a huge privacy breach for MySpace users. The hacker, “DMaul”, said that he learned of the security hole from WIRED and used that method of attack. This security hole surfaced last fall, and because of it, various adversaries such as possible pedophiles, voyeurs, and advertisers were able to steal these photos. DMaul ended up seeding these photos and advertised them as “pictures taken exclusively from private profiles”. It turns out that his attack cycles through the accounts by MySpace Friend ID numbers, and thus did not target any specific group of people. Although the attack did not target any specific group, this is a significant breach that affected users who are under 16, because their accounts are automatically set to private and their adversaries are more dangerous. Even though the attack resulted in the leak of a huge number of pictures, it seems that MySpace didn’t follow up on the issue properly.
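Because the attack simply walked through Friend ID numbers in order, the traffic it generated is distinguishable in server logs from ordinary browsing. The following is an added example, not code from the post or from MySpace; the log format, client addresses and ID values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real MySpace logs): a profile id appears in the query string.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2008:02:51:00 +0000] "GET /profile?friendid=1000001 HTTP/1.1" 200 5123
10.0.0.5 - - [27/Jan/2008:02:51:01 +0000] "GET /profile?friendid=2004 HTTP/1.1" 200 4410
203.0.113.7 - - [27/Jan/2008:02:51:01 +0000] "GET /profile?friendid=1000002 HTTP/1.1" 200 5077
203.0.113.7 - - [27/Jan/2008:02:51:02 +0000] "GET /profile?friendid=1000003 HTTP/1.1" 403 212
10.0.0.5 - - [27/Jan/2008:02:51:03 +0000] "GET /profile?friendid=1500300 HTTP/1.1" 200 6011
203.0.113.7 - - [27/Jan/2008:02:51:03 +0000] "GET /profile?friendid=1000004 HTTP/1.1" 200 4982
10.0.0.5 - - [27/Jan/2008:02:51:04 +0000] "GET /home HTTP/1.1" 200 3300
203.0.113.7 - - [27/Jan/2008:02:51:04 +0000] "GET /profile?friendid=1000005 HTTP/1.1" 200 5140
203.0.113.7 - - [27/Jan/2008:02:51:05 +0000] "GET /profile?friendid=1000006 HTTP/1.1" 200 5201
10.0.0.5 - - [27/Jan/2008:02:51:06 +0000] "GET /profile?friendid=999 HTTP/1.1" 200 4100
"""

# client address, then the numeric friendid from a GET /profile request
LINE_RE = re.compile(r'^(\S+) .*"GET /profile\?friendid=(\d+) ')

def detect_enumeration(log_text, min_requests=5, max_gap=2):
    """Per client, collect the profile ids it requested and flag clients whose ids form a
    near-sequential run: at least `min_requests` distinct ids with every gap in [1, max_gap].
    Returns {client: (first_id, last_id, count)}."""
    ids = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for client, seen in ids.items():
        run = sorted(set(seen))
        if len(run) < min_requests:
            continue
        gaps = [b - a for a, b in zip(run, run[1:])]
        if all(1 <= g <= max_gap for g in gaps):   # random browsing produces large gaps
            flagged[client] = (run[0], run[-1], len(run))
    return flagged
```

The scattered requests from 10.0.0.5 are ignored, while 203.0.113.7 is flagged for its consecutive run of six ids; the same check can be extended to a rate limit per client once a run is detected.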


Filed under: Availability, Current Events, Privacy | 5 Comments »