Thursday, February 14, 2008

Why Fake Security is Worse than No Security

Most devs have heard the adage that fake security is worse than no security. By fake security, I mean those things that don't actually increase security but appear to. Asking for your mother's maiden name. The sign that says "Beware of Dog" when there isn't a dog. All the stuff we go through at the airport these days that isn't actually going to stop a terrorist (and if my bottle of water is so dangerous, why do they toss it in a big trash can and keep it in the airport?).

The usual response when I tell people this is, essentially, "don't bother me." How can fake security hurt? It can't possibly be worse than no security. There are three primary reasons:

  1. It gives users a false sense of security, causing them not to be alert to real potential security threats.
  2. Time spent on fake security diverts resources from real security.
  3. It can provide an avenue for a real security threat to emerge.
Here's a great example of #3:

My credit union, which I am otherwise quite happy with, had some fake security. The ATM is inside their lobby, which means there that both outer doors and inner doors. The inner doors are locked when the credit union is not open, but so were the inner doors. Notice I'm using the past tense here (more on that soon). To get into the lobby, you had to scan your card through a card reader. This supposedly ensured that only people with ATM cards could get in -- which limits it to, oh, almost everybody in the country.

But, it's worse than that. The reader was fake. It didn't actually read the card -- it sensed the presence of a magnetic stripe. So, any ATM card, credit card, supermarket card, etc., would work. The fake reader actually provided no security. Yet, it provided a sense of security.

I knew the reader was fake and I knew that it might be a security hole, so I always used a different card from my ATM card to open the door. On multiple occasions, I mentioned to people in the bank that the fake security was a joke, but, of course, I got the expected response.

Guess what? Here's what the credit union wrote:

At First Tech, the security of your accounts is a top priority. Recently, we learned that a card skimming device was illegally attached to the ... Branch ATM located at ..., sometime between December 8, 2007, and January 19, 2008.

"Skimming" occurs when fraudsters attach card reading devices to machines, such as ATMs, that can scan card information. Then, the fraudsters use cameras to capture PIN numbers. Using the skimmed information and captured PIN numbers, fraudsters produce a duplicate card to make purchases and withdrawals.
Reading between the lines, it looks like somebody replaced the outdoor reader with a skimmer. I think this is the case because:
  • The credit union has told me that I used the ATM while the skimmer was there and I think I would have noticed a skimmer attached to the ATM. And the door reader is the logical place to put it.
  • The skimmer was there for a long period of time, more than a month. I wouldn't be surprised if they didn't find it until after they started getting a lot of complaints from members.
  • I was not a victim, meaning that the fraudsters either failed to get my ATM card info or my PIN, or both. Had it been on the ATM, they would have gotten my card info and had a decent chance at my PIN.
  • And, last but not least, the fake security of the outdoor reader has unceremoniously vanished.
Did the fake security aid the security breach? The bank isn't saying, but it certainly seems likely to me. And, even if it didn't happen here, I hope this makes it clear how it could happen. The same thing can happen in software or in the airport.

By the way, the credit union recently posted some advice here.


Post a Comment