[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Crypto not being used where needed



Mike Ingle writes :
> 
> At CES someone was showing a cellular credit card machine. It had an
> antenna and a regular card reader, and was battery powered, so it could
> be used anywhere. The machine was designed to be used in taxicabs,
> at swapmeets, and wherever there were no phone lines available.
> 
> I asked the rep about its security - does it use encryption? No, it does
> not use encryption. It sends your credit card number and expiration date
> over the cellular link in clear. Most credit card machines use low-speed
> modems which are trivial to intercept. This one is probably no exception.
> Here is a case where DES is badly needed and not being used. If this
> machine becomes popular, thieves will be trailing taxicabs with scanners
> and tape recorders.
> 

Although I sincerely agree that the data should be encrypted, is it really
that easy to intercept cellular phone calls? I thought you had to go to 
considerably more effort than programming a scanner to pick up these 
transmissions - I don't know much about cellular phones, but I thought they
hopped frequencies and so forth such that it was a real pain to listen in.

The reason I ask is that I have a buddy who works for local law enforcement.
His group is about to roll out a network of laptops in their cars, linked
by modem to the AS/400 that serves as their gateway to NCIC. We've talked
about how easy it is to intercept/spoof transmissions in the clear on a 
single channel, but we both figured it would be considerably more difficult
to intercept cellular calls. Given the level of understanding of the fuzz,
they'll probably slap a Hayes modem on their Barney Fife Cop Car Radios
anyway, and I'll gleefully try to trap their transmissions.... just as an
exercise, of course, to educate them as to the error of their ways...

Seriously, folks, this issue is a valid one. If [insert favorite bogeyman
here] can dial a scanner and pick up credit card numbers, vehicle and
driver's license data, and criminal histories, our privacy is due for
another beating. The way I got my friend's attention was to ask whether the
police department is liable for revealing private information - in other
words, if Charles Manson grabs my license data off the cops' data net, can
I sue the cops? 

-- 
........................................................................
Philippe D. Nave, Jr.   | The person who does not use message encryption
[email protected]   | will soon be at the mercy of those who DO...
Denver, Colorado USA    | PGP public key: by arrangement.