jump to navigation

A Culture of Poor Cryptography November 16, 2013

Posted by louloizides in Security.

I’m taking a trip to over Thanksgiving. So just before reading “Why Cryptosystems Fail” by Anderson [1] I moved some money into a rarely used online checking account to have a backup while traveling. Truthfully, I’ve never trusted any bank completely with my savings. I spread it between multiple banks as a result. But it was very unnerving having just logged into my bank and then reading about how much complacency banks have had when implementing poor, broken cryptographic systems.

Anderson lives in Europe and describes many European banks in his article. But Europe learned it’s lesson the hard way. ATM fraud in Europe has been far more common than ATM fraud in the US, and as a result banks have improved ATM security through the use of smart cards [2]. Many of the ATMs I’ll find in my trip (I’m traveling to Europe) won’t even accept my outdated magnetic strip card. On a smart card the chip on the card can contain more advanced measures to protect against cloning and cryptography attacks than a magnetic stripe can.

Smart card technology has been around for decades now [3], so why hasn’t the US caught onto this? Until the amount of ATM fraud in the US is high enough, very few banks will be willing to replace their ATMs and improve their systems – it makes more sense to just take the economic hit. This exposes a fundamental problem. In a capitalist society like the US we’d assume that this could potentially change if consumers decide they want their money in more secure financial institutions, providing a motivation for businesses to improve. But in the case of broken cryptographic systems almost all consumers have no idea of the risk. And they won’t understand the risk until something actually happens.

In contrast, I work for an FDA regulated medical imaging device company. And while the FDA regulation can be a pain to deal with, I’d rather go to a hospital knowing that a doctor won’t schedule me for unnecessary surgery because the image showed a false artifact. But I understand this risk and the need for regulation – most people don’t. So in these cases someone who does understand the risk needs to step in and set rules. I have to wonder if cryptographic systems such as ones in banking, therefore, need to be subject to similar regulations. At the least can we subject financial institutions for a fine if their systems are broken so that an economic motivation exists to improve them?

I would love to write a blog post suggesting things like having experts come in and audit a system, or hiring white hat hackers to try and break it. But unless either an economic or regulatory motivation exists to change the broken cultural mentality of implementing bad systems I don’t see why any of those other suggestions would ever be followed.


On a side note, Anderson’s personal homepage [http://www.cl.cam.ac.uk/~rja14/] contains links to most of his papers. Some of them are extremely interesting, particularly his paper on stealing smart phone pin numbers. And he’s now finding significant vulnerabilities with smart chips as well.

1. Anderson, Ross, “Why Cryptosystems Fail“, Nov 1994, Communications of the ACM, http://www.cl.cam.ac.uk/~rja14/Papers/wcf.pdf, Retrieved on 16 Nov 2013

2. Emspak, Jesse, “Why Your Credit Card Won’t Work In Europe”, Apr 2012, http://news.discovery.com/tech/gear-and-gadgets/smart-card-europe-120406.htm, Retrieved on 16 Nov 2013

3. “Smart Card Tutorial Part 1”, Sept 1992, http://www.smartcard.co.uk/tutorials/sct-itsc.pdf, Retrieved on 16 Nov 2013



No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: