Creativity and security

Anne & Lynn Wheeler lynn at garlic.com
Sat Apr 8 10:31:45 EDT 2006 

Anne & Lynn Wheeler wrote:
> the trivial case from nearly 10 years ago was the waiter in nyc
> restaurant (something sticks in my mind it was the Brazilian restaurant
> just off times sq) that had pda and small magstripe reader pined to the
> inside of their jacket. At some opportunity, they would causally pass
> the card down the inside of their lapel (doesn't even really have to
> disappear anyplace). This was before wireless and 801.11 ... so the
> magstripe images would accumulate in the pda until the waiter took a
> break ... and then they would be uploaded to a PC and then to the
> internet (hong kong was used as example) ... counterfeit cards would be
> on the street (opposite side of the world), still within a few hours at
> most.

supposedly new?

iPod used to store data in identity theft
http://news.com.com/2061-10789_3-6059128.html

from above ..

April 7, 2006 4:55 PM PDT

A 35-year-old identity theft suspect may have taken Apple Computer's 
mandate, "Think Different," a little too far.

... snip ... above article references:

Beware the 'pod slurping' employee
http://news.com.com/Beware+the+pod+slurping+employee/2100-1029_3-6039926.html?tag=nl

... from above

Published: February 15, 2006, 10:29 AM PST

A U.S. security expert who devised an application that can fill an iPod 
with business-critical data in a matter of minutes is urging companies 
to address the very real threat of data theft.

... snip

and some conjecture about a possible MITM-attack ... using counterfeit 
card in conjunction with PDA wireless internet connection to a 
lost/stolen valid card at some remote location.
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin
http://www.garlic.com/~lynn/aadsm22.htm#29 Mecccano Trojans coming to a 
desktop near you

This is scenario where a card may be authenticated separately from its 
actual operation. The hypothetical MITM-attack is against a terminal's 
willingness to agree with the business rules in a valid card used for 
offline transactions. Since the attack is against the offline 
transaction business rules in a valid card, it may not even be necessary 
to obtain a lost/stolen valid card ... it may just be just necessary to 
obtain any valid card (say thru valid application using false 
information) ... the MITM counterfeit card uses any valid card for the 
authentication exchange ... and then proceeds with the rest of the 
transaction using its own business rules.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list