(In)security through obfuscation
20/04/2008
Any security expert worth his salt will tell you that trying to achieve security by hiding things from people is doomed to failure. This week, I had a worrying reminder of how imperfect the security around banking can be.
I have been scanning in credit card receipts from a journey I made recently to a well-developed, technically advanced, Western country. Indeed, I was able to pay for absolutely everything on my plastic, hence the forest-sized collection of receipts.
Ironically, the trip started with a bump because my bank refused to authorise a withdrawal from a cash machine, necessitating a (long) phone call to their customer service department to get the mandatory foreign roaming block lifted. Apparently I have to do it every time I leave the country.
But it’s the credit card receipts which were most interesting. I’m not going to reproduce them here, because the security risks are extreme.
Once upon a time, all the digits of a credit card and its expiry date were visible on the receipt, which made it a fraudster's paradise. Simply by stealing a receipt, particularly one with a signature on, you could relatively easily make fraudulent transactions until the genuine cardholder noticed and called stop.
So, in the UK at least, the digits are now obscured. Only the last 4 digits remain visible, along with the expiry date, thus leaving somewhere around 50,000,000 permutations to guess my card details. (Assuming that there is a smaller subset of card issuer codes than the 9999 allocated, and that some cards will indeed share the same expiry date as mine). I find the last 4 digits invaluable to work out which card I’ve put something on, so I consider the risks acceptable for the benefit I gain, and obviously UK banks do too. I’ve never seen a UK credit card receipt show anything other than last 4 digits and expiry date. (Let me know if you have seen different – excepting the old manually swiped receipts!).
Flicking through my foreign receipts, I noticed that the obfuscated digits varied from receipt to receipt. One of them showed the last 4 digits. One blanked out 4 digits in the middle (starting at position 10) and another blanked out 4 digits (starting at position 12). So my three receipts looked like this:
XXXXXXXXXXXXDDDD
DDDDDDDDXXXXDDDD
DDDDDDDDDDXXXXDD
The observant of you will now have noticed that, by holding those three receipts, only TWO digits of my card remain unknown. That’s 100 guesses. And to add interest to the matter, credit cards use a CRC-style validation, so you wouldn’t need to crank this through much of a Visual Basic programme to find the unique number that matched that particular validation code.
I’m amazed that this obfuscation isn’t standardised to prevent this kind of risk occurring. I think that the second and third examples are hideously insecure anyway, giving away the type and issuer of the card (first four digits) allowing an attack on a wider number of vectors. Why does anyone need to see so many digits of a card number?
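Added example, not part of the original post: a short Python audit of how much a set of receipt masking formats leaks once the receipts are combined, compared with every merchant using the same last-4 format. The function names are illustrative and the card number is a public test number used as constructed input; the check digit is computed with the Luhn algorithm, which leaves 10 of the 100 combinations valid.

```python
from itertools import product

def luhn_valid(pan):
    """Luhn check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def hidden_positions(masks):
    """0-based positions that are masked ('X') on every receipt format."""
    length = len(masks[0])
    if any(len(m) != length for m in masks):
        raise ValueError("all masks must have the same length")
    return [i for i in range(length) if all(m[i] == "X" for m in masks)]

def residual_candidates(pan, masks):
    """Return (combinations of hidden digits, how many of those pass Luhn)."""
    hidden = hidden_positions(masks)
    n = len(hidden)
    if n > 6:
        # Too many to enumerate. Each digit's Luhn contribution is a
        # bijection on 0-9, so exactly one in ten combinations is valid.
        return 10 ** n, 10 ** (n - 1)
    digits = list(pan)
    valid = 0
    for combo in product("0123456789", repeat=n):
        for pos, d in zip(hidden, combo):
            digits[pos] = d
        valid += luhn_valid("".join(digits))
    return 10 ** n, valid

# The three receipt formats from the post.
RECEIPT_MASKS = ["XXXXXXXXXXXXDDDD", "DDDDDDDDXXXXDDDD", "DDDDDDDDDDXXXXDD"]
# What the same three receipts would look like under one standard format.
UNIFORM_MASKS = ["XXXXXXXXXXXXDDDD"] * 3
TEST_PAN = "4111111111111111"  # constructed input: public test number

if __name__ == "__main__":
    for name, masks in (("mixed", RECEIPT_MASKS), ("uniform", UNIFORM_MASKS)):
        raw, checked = residual_candidates(TEST_PAN, masks)
        print(name, "hidden:", hidden_positions(masks),
              "combinations:", raw, "Luhn-valid:", checked)
```

With a single standard format, collecting more receipts reveals nothing new; with mixed formats, the hidden set shrinks to the intersection of the masked ranges.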
In none of the above cases was I asked for a PIN number, nor was the CVV of the card checked. Just a simple scribble on the paper copy of the receipt. It’s incredible.
There doesn’t seem to be much I can do to reduce this risk, other than keeping a very tight grip on my own receipts (which I do as a matter of course), and checking my credit card online every couple of days. But if those three merchants ever get together with my (and other people’s) receipts, they could have a heck of a party.