Recently I had an interesting conversation, if you can call it that, on Twitter (hey, kids – follow me @mendacities, kthxbai) about how very few things have security designed in or sometimes even included, at least at the beginning. Essentially, there’s a kind of obvious trend for new technology to be exploitable in all kinds of interesting and sometimes alarming ways. Often you want to smack someone and ask what they were thinking.
My view is that visionaries – inventors, designers, the people who come up with new stuff – are, at heart, optimists. They think the best of people, and the idea that their products can be misused and abused and exploited never enters their minds – or if it does, it gets discounted immediately, because they’re, well, optimists.
I think that security-related fields – law enforcement, cyber-security, and so on – attract a lot of deeply bitter cynics who have no romantic ideas about human nature, and understand that there is almost nothing people will not exploit, just because they can.
I mean, consider phone phreaking. Leave aside the blue boxes and the red boxes and the beige boxes and the spotted mauve polkadot boxes with white racing stripes; in the mid 1990s, you could make free local calls on a lot of cellphones by shorting the mouthpiece element, I think it was, to the earth ground of the chassis, with a straightened paperclip. The fix, if I recall correctly, was installation of a $0.01 diode. Why hadn’t it been there to begin with? Nobody on the technical side of things was cynical enough to think anyone would ever discover it…
Anyway, here’s a first-hand story of one of the most bone-headed moves ever made by a large American retailer…
For a while in the 1990s, I worked retail for a large chain store. When I began there, the company already offered gift cards. They were plastic cards with a label attached to them, which contained the card’s alphanumeric number, and a bar code to scan. I used to have a couple old cards from this era, but I can’t find ‘em anymore; I’m pretty sure the “number” was actually a hash of some sort.
Now, as far as I’m aware, the cards were never “hacked”, but someone realized that a gift card – which is basically cash, for all intents and purposes, something of a fiat currency – that could pretty much be made or at least cloned with a laser printer was a Bad Idea(TM), so in about August or September of a certain year, the old scannable gift cards were replaced with swipable magnetic-stripe cards in a credit-card form factor.
I’ve still got a couple of these, and to be honest I’ve never gotten hold of a stripe reader to see how the data on the card was encoded, so I don’t know how cloneable they were, from that perspective. But that really doesn’t, and didn’t, matter, because whoever came up with the idea did something incredibly fucking stupid.
The cards were issued in batches, 250 to a box. If you had one card, you could extrapolate the number of all 249 other cards in the box, because they incremented by twelve. I assume there were checksums involved, but the important take-away is that the numbers were FANTASTICALLY non-random.
Within a couple of weeks of their being first issued, I noticed that we were starting to get a lot of phone calls from people wanting to check the balance on their cards. It was easy enough to do; we had a function on the registers to do that. What was weird was that a lot of the “cards” people wanted checked over the phone had zero balance; normally we’d toss an “empty” gift card, so people shouldn’t have had cards with zero balances.
It took me a month or two – into the beginning of the holiday season – to figure out what was going on. By that point it was way too late, though. You could check gift card balances on the newly-redesigned company website, and redeem those cards on the website, as well…
I pointed out the problem with this to the manager of the store. He didn’t get it. I told one of the assistant managers. He was skeptical, until I took a box of gift cards, a sheet of graph paper, and a pencil, and showed him how it worked. We grabbed one card, he worked out a dozen numbers either way, incrementing or decrementing by twelve, and then we compared them to cards on each side of the original card in the box. He, bless his heart, understood the implications of this perfectly well, and raised a stink up the corporate ladder.
Three days after my little demonstration – the only time I ever saw that company move fast – a new policy came through: you could no longer redeem gift cards on the website, or over the phone, effective immediately. You had to do it in-store, with the physical card.
This was the late 1990s, remember; the economy was somewhat healthy, and $100 gift cards were pretty popular during the holidays. If someone hadn’t caught on to the problem, folks could have gone to, say, five different stores, and “spent” $500 on gift cards – one $100 card per store. (The $50 and $100 cards were pre-printed with their values, and thus came in their own boxes, in batches of 250.) That $500 investment – a temporary investment, always redeemable for goods – plus an Excel spreadsheet could potentially net you (249 * 5) 1,225 other valid card numbers, almost all of which would have been intended as Christmas gifts, and thus be pretty much guaranteed to have full value – and not be otherwise redeemed – until after Christmas. $122,500 in basically free money, albeit money you had to redeem for stuff the company sold – stuff that was fairly easily salable on the secondary market, like eBay or wherever. Where you would ship all that crap was another matter, but for professional criminals, hardly a problem.
Assume you got $0.25 on the dollar, reselling the stuff wherever, discounted to move fast, your temporary $500 investment would net you $30,000. Not too shabby, really.
And unlike dollar bills, you didn’t need all kinds of complicated technical equipment to counterfeit that “money”. All you needed were very rudimentary math skills.
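The weakness above is that one card number reveals its whole box. The following is an added example, not code from the original post or from the retailer's system, showing the two schemes side by side from a defender's angle: a stride-based issuer like the one described (the constant stride of 12 is taken from the post; the 16-digit format and Luhn check digit are my assumptions), a hardened issuer that draws every card number from a CSPRNG, and an audit function that a reviewer could run over a box of issued cards to flag a predictable batch before it ships.

```python
import secrets
from collections import Counter

# Constructed assumptions for this example (not from the post): 16-digit card
# numbers where the last digit is a Luhn check digit. The check digit exists
# to catch mistyped numbers at the register; it adds no secrecy.
CARD_DIGITS = 16
PAYLOAD_DIGITS = CARD_DIGITS - 1


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk from the right; double every second digit starting with the rightmost.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the number's last digit is the correct Luhn check digit."""
    return (
        number.isdigit()
        and len(number) == CARD_DIGITS
        and luhn_check_digit(number[:-1]) == number[-1]
    )


def issue_sequential_batch(first: int, count: int = 250, stride: int = 12) -> list[str]:
    """The weak scheme from the post: a box of cards whose numbers differ by a fixed
    stride. Knowing one card (and the stride) yields every other card in the box."""
    cards = []
    for i in range(count):
        payload = f"{first + i * stride:0{PAYLOAD_DIGITS}d}"
        cards.append(payload + luhn_check_digit(payload))
    return cards


def issue_random_batch(count: int = 250) -> list[str]:
    """Hardened scheme: every payload comes from the OS CSPRNG (secrets), so no
    card number says anything about its neighbours. Duplicates are rejected."""
    cards: set[str] = set()
    while len(cards) < count:
        payload = "".join(str(secrets.randbelow(10)) for _ in range(PAYLOAD_DIGITS))
        cards.add(payload + luhn_check_digit(payload))
    return sorted(cards)


def stride_predictability(batch: list[str]) -> float:
    """Audit check: sort the payloads numerically and look at the gaps between
    neighbours. Returns the fraction of gaps equal to the most common gap.
    1.0 means a single fixed stride (one card reveals the box); a CSPRNG batch
    scores close to 0 because its gaps are all different."""
    nums = sorted(int(card[:-1]) for card in batch)
    if len(nums) < 3:
        return 0.0
    gaps = [b - a for a, b in zip(nums, nums[1:])]
    _, most_common_count = Counter(gaps).most_common(1)[0]
    return most_common_count / len(gaps)


def batch_is_predictable(batch: list[str], threshold: float = 0.5) -> bool:
    """Policy wrapper for the audit: flag the batch if half or more of the gaps repeat."""
    return stride_predictability(batch) >= threshold


if __name__ == "__main__":
    weak = issue_sequential_batch(first=100_000_000_000_000)
    strong = issue_random_batch()
    print("sequential box predictability:", stride_predictability(weak))
    print("random box predictability:    ", stride_predictability(strong))
    print("flag sequential box:", batch_is_predictable(weak))
    print("flag random box:    ", batch_is_predictable(strong))
```

The audit function is the part worth keeping: it would have flagged the box described in the post the moment the first batch was generated, with no graph paper required. Unpredictable numbers alone do not close the story, though. The balance-check line and the website acted as an oracle that confirmed which guesses were live, so a hardened design also pairs the card number with a separate PIN that is only revealed when the card is scratched or activated, and rate-limits balance lookups per source.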
There were still a lot of stores, and employees, who didn’t get the message, and from late December on for six months or so, customers would periodically show up with $100 and, more rarely, $50 gift cards with zero remaining balance on them. They’d insist they’d never spent a penny on the card, and that it must have been our error, and we’d call the company-wide hotline for gift-card issues, and they’d inevitably concede that, yes, there really was a “mistake”, add the missing balance to the card, and tell us to apologize profusely to the customer, blah blah blah.
Those cards were replaced about eighteen months later by branded cards backed by a certain major credit-card company, who obviously had slightly more of a clue than whoever had developed the in-house product.
Eighteen months – it happened again the next holiday season, predictably enough – of patient bullshit explanations about the “technical issues” that supposedly prevented you from using gift cards on the website, and the arbitrary policy that you couldn’t place orders over the phone, sorry. Eighteen months of customers with zero-balance cards – a lot of stores and employees still accepted them for phone orders, despite an endless series of memos about this, and I suspect people were probably cloning/reprogramming physical cards by that point, too – which were inevitably resolved with phone calls and insincere apologies about “mistakes”.
There were no technical issues with the cards, or the backend. Transactions weren’t lost. Computers didn’t screw up. That’s what people were told, or assumed. That’s what people believed, because it was easy to accept.
The only mistake, the only error, was a company trying to save some money by reinventing the wheel, in-house, and being gullible idiots too short-sighted to realize the monster they’d created. They were optimists, and I shudder to think how much money that optimism cost the company over the span of two or so years.
Anything that can be exploited for gain, monetary or otherwise, will be.