|Elliott Sound Products||Is Your Security at Risk|
Copyright © 2001 - Rod Elliott (ESP)
Page Updated January 2015
Your security - and that of your credit card - is important, but do you realise how easily either can be compromised? Cordless phones and thermal transfer plain paper fax machines may be responsible for more card fraud that we ever thought. In fact, they are downright dangerous. They are not the only grave security risks either. Wireless LANs (Local Area Networks) are now commonplace, even in SOHO (Small Office, Home Office) environments. They are very convenient, and don't require any cabling. Some of the older routers also have virtually no worthwhile security or are left with the default password, and anyone with a suitable receiver may be able to pick up every character sent from one machine to another.
It is difficult to know which of these is the worst - the potential for exploitation is just as high with all of these modern conveniences unless they are set up properly. This is not a trivial matter, but the instruction books and magazine advertisements for these devices are very good at telling you the features and how to use them, but are woefully lax in advising you of security issues.
This is not meant to scare you, although it probably should.
Not only is the ESP fax 'machine' in a secure location (it is accessed only by me), but I use an electronic fax machine that doesn't use any media.
Credit card authorisations are performed using a bank EFTPOS terminal via a fixed (wired) phone line. No card details are kept on any computer.
It is worth noting that the only worthwhile reference I found on the topic of analogue cordless phones was at the US site www.privacyrights.org - there is some good info there for US readers, but it's not much use for the rest of us (other than to verify what I have to say here). If you are still using an old analogue cordless phone I recommend that you replace it. If you aren't sure if your phone is analogue or not, if it has an extendable whip antenna then it's definitely analogue, but some may use a different arrangement. When all else fails, read the instruction manual which should tell you.
I have found no reference at all to security issues with the developer roll used by thermal transfer plain paper facsimile (fax) machines, but phone line scramblers for fax use are readily available in the US. Use of any security device is completely pointless if the developer roll is just tossed in the dustbin when it is depleted!
I have never seen a reference to this topic - anywhere! A full
year decade after I published this, and still nothing! What happens when you fax an order through to your supplier, complete with credit card details and whatever else? Perhaps your doctor uses a plain paper fax for medical records, so what of these? Chances are, they are using a plain paper fax machine. If it is a laser fax, then there is nothing to worry about, but the popular and relatively inexpensive thermal transfer plain paper machines use a developer roll.
What happens to the old rolls? The developer roll (thermal transfer roll) just happens to have every detail that was printed, and it shows in negative where the thermal head transferred the toner from the film to the paper. The rendition is perfect, and if they are simply tossed into the bin (the most likely probability), then any unscrupulous person with access to the company rubbish has access to your card details, medical records, bank details, etc.
Naturally, the problem is not limited to credit cards or medical records - almost everyone uses faxes. Although the use of fax machines has dwindled, they are still popular and some material is only accepted in fax format by some (relatively few now) organisations. Government departments, schools, hotels, solicitors (lawyers), the list is endless - and every one of them has some of your personal details or credit card information. By rights, the instruction books for these machines should advise the owner that if sensitive information is received by the fax machine, then the thermal 'ink' developer roll should be shredded before disposal. Needless to say they offer no such advice.
My old fax machine's instructions had a note about the developer roll - it tells you that the ink will not rub off on your hands, so it is safe to handle it. That's it!
We know that credit card fraud, identity theft and all sorts of other ill defined crimes are being committed every day - how do people get hold of our details so they can perpetrate their dastardly deeds? Well, this is one way, and as the owner of such a machine I was horrified when I changed out the first developer roll.
Being an inquisitive type (always ), I wanted to see if the machine was smart enough to 'scrunch' everything up on the developer to make maximum use of it. As it turns out, it isn't smart enough, or the manufacturers are smart enough to realise that the developer rolls are a cash cow!
What I saw on the roll was a perfect reversed (negative) image of every fax I'd received and every copy I made. All lettering was perfectly legible - credit card numbers, names, addresses, the lot. All of this, and not a single, solitary warning anywhere in the manual or on the Net about the security hazard of the roll. Scared me, I can tell you!
What You Can Do
Before you send a fax with potentially sensitive information, check with the recipient if they use a thermal plain paper machine, and ask if they shred the developer rolls. We know exactly what the answer will be in most cases - either ...
"I think that sir may be paranoid. There is nothing to worry about." or (more likely) ...
"How the %$&# should I know what sort of fax it is. Are you some sort of nut-case or something?"
"Sir" has every right to be paranoid, and this is not to be taken lightly - you are not being a nut-case simply by being concerned about what happens to your personal information.
Note that as stated above, laser and inkjet fax machines (or even the old but still used thermal paper faxes) do not have this problem - they don't use a developer roll, so the details are confined to the page that is printed.
If the person cannot (or will not) tell you what sort of machine it is, and what they do with the rolls, then ask them to get you the information, or you will take your custom elsewhere. You have every right to know.
In just the same way, the carbon paper on the credit card voucher (in the 'old' mechanical imprinting machines) has a negative imprint of your card - always, always make sure that it is torn up into small pieces in front of you. Otherwise, anyone can get hold of it, and they then have your card details. They are rarely used any more, but they still exist as a backup if the on-line system goes down.
Remember - just because you are paranoid, it doesn't mean 'they' are not out to get you.
The cordless telephone is now in a huge number of households and businesses. How many movies have you seen where the baddie arranges a hit, deal, or whatever else - and uses a cordless phone? I have seen quite a few such movies, and even the old analogue mobile (cell) phones are/were not secured in any form at all. The proof of that was Prince Charles' infamous mobile phone conversation with Camilla Parker-Bowles - that was picked up using a scanner, and in no time at all was all over the radio and newspapers.
"But!" the legislators and lawyers will cry "to use this information is illegal, and is in violation of the 'Listening Devices for Complete Morons act [of Parliament/ Congress/ etc.] of 1902' - everyone knows that." Big deal. Since when has any criminal been afraid of some antiquated law that prohibits them from using something that no-one can prove they have obtained anyway? (BTW, the answer to that little quiz is "never", but you knew that already.)
The common analogue cordless phone is not encrypted, and uses one of perhaps 10 open frequencies that any scanner can pick up. In many cases, you don't even need a scanner. Take your phone around the block, and the chances are that you will be able to get dialtone from someone else's phone line, or listen to their conversation. At this point, it may not even be illegal in many cases. It may only become an illegal act if you make a call from someone else's phone, thus defrauding them of the call and the cost thereof, or if you use the information you obtain by listening to their call. But who can prove it? What if it happens to you?
Some time ago, I was chatting to a fellow at my local pub (watering hole). He has a scanner, and told me that he has heard countless banking transactions and credit card payments made on cordless phones - account numbers, PINs, the lot. If he were of a criminal bent, all he'd need is a recorder to record the transaction details. With the aid of a DTMF (Dual Tone Multi Frequency) decoder, it would then be possible (easy, more like it) to convert the tones recorded from the phone into numbers. This is not science fiction, it is extremely easy to do - the decoder ICs are available from many chip makers, and are dead simple to use by anyone who knows electronics.
What about if you suspect criminal activity in a neighbouring house? You call the police using your cordless phone (since you can stay by the window and advise them of what you see). What if the activity were completely kosher, but someone else (with a scanner) heard it, and went and told everyone else in your street. Your neighbour would be quite rightly pissed off, and your name would be mud.
Worse still! What if you were 100% right, and the activities you saw were indeed criminal? What if the person with the scanner happened to be one of 'them'? Now you are in serious danger. Admittedly, these are extreme cases, but are nonetheless quite plausible and may have already happened - in fact, both scenarios probably have happened!
Few of us are going to find ourselves in either of those situations, but there are obviously a great many people using cordless phones for banking, paying bills using their credit cards, discussing possibly sensitive details about their job, or arranging the odd 'discrete' meeting.
So, how many times have you done any of those things? Who was listening? If it's a scanner, you will never know if you are being heard or not, since there is only a one-way communication (scanners are receivers only - they don't have a transmitter). Forget that bollocks you see on TV where the line makes clicking noises if there is a bug of some kind - they don't make noise! What sensible criminal (ok, I know that's an oxymoron ) would make a silent listening device that wasn't actually silent?
What You Can Do
Use a DECT (Digitally Enhanced Cordless Telephony) phone - these are encrypted, as are the new 'spread spectrum' handsets. Either of these will give you much greater security than the standard analogue cordless telephone.
Even if you have a secure cordless phone, to be safe, use a wired phone for all banking or credit card transactions.
If you call someone to give or receive highly sensitive information, ask if they are using a cordless phone. If so, ask them to use a wired phone instead. Explain the reason, and if they refuse to listen to you (the potential for similar conversations as for the fax issue is quite high), do not continue with the conversation. You have a right to privacy, and if others put that in jeopardy, you are not obligated to continue.
There can be no doubt that the wireless LAN (Wi-Fi) is a wonderful thing for many people. You can move about with a notebook computer or tablet just like you can wander around while chatting on a cordless phone (not quite the same thing, but you get the idea). There are no wires to run, and it all seems so easy ... until someone is able to attach to your LAN, or just 'listen' to the LAN traffic.
Most of the earlier generation of wireless LANs were extremely susceptible to eavesdropping, and some of the later offerings are not much better if improperly configured. The level of security with any wireless system is nowhere near as high as a wired LAN. An optical LAN is virtually impenetrable, but is much more than most people need or can afford. The latest encryption systems are only as good as the password you use, so if you keep the default or make up a simple password it's easily broken by anyone who wants to do so.
There is not so much to say on this topic, as it has been covered fairly extensively in many computer magazines, and even the popular press has made its comments. It would have been remiss of me not to have mentioned this potential security hazard though, and it is worth mentioning that if someone really thinks that you have something they can steal, they will go to all sorts of measures to do so. Even better if you have no idea, since you will keep feeding them information.
The world's military establishments have used encryption for a long time, and there are big stakes indeed in cracking a code (the Enigma machine used by Germany in the WW2 is a perfect example). Enormous expense and time is spent on trying to break any code that is created - even the encryption used in SSL (Secure Socket Layer) TCP/IP transactions over the internet has been cracked - it's not easy, but it can be (and has been) done.
What You Can Do
Fairly obviously, don't use an unsecured wireless LAN for sensitive information. If you absolutely have to do so, then make sure that the material you transmit (or receive) uses a level of security that is appropriate to the sensitivity of your data. Most free Wi-Fi access points are not encrypted so be careful.
All modern Wi-Fi systems have the option for good security, but it's up to the user to ensure that it's set up properly, doesn't use any default passwords, and that the password used is secure.
For reasons that remain entirely obscure to me, nearly all IT departments seem to think that making you change your password every 5 minutes enhances security. It does not! People get frustrated, and either write it down somewhere (where they - or anyone else - will be able to find it), or end up using simple passwords (swearwords are quite common for a lot of people). These will be cracked with only a half-hearted attempt by the cat.
A relatively simple first attempt at cracking a password will 'throw' a dictionary at it. Start from Aabec (Australian tree bark) or Aardvark (burrowing animal) and continue through to Zyzomma (it's a dragon fly). They (the baddies) might even add the digits 0 to 9 at the end on subsequent passes. Any normal word will offer no resistance at all.
A good password does not appear in a dictionary, and is not the name of your dog, cat, mother, girl/boy friend, or anything else that people might be able to work out. Changing a password of "password" to "passw0rd" is no better - it is still painfully obvious. Besides, any password cracking program worth its salt will know of the standard digit substitutions used. A good password does not appear in a dictionary, and is easily remembered.
Weird 'invented' words, bizarre word combinations, or even changing a single letter can help make a good password. Consider "happiness" as a password - lousy isn't it? It's in the dictionary and will be found easily. How about "happenis"? (A tad risqué perhaps, but you will remember it! And it's not a real word.) As a password, the latter is much better. If included in a random or pseudo random phrase (see below) it becomes very hard to break.
As an example of a good password, one I introduced at work (and no, I am not going to tell you what it was) was used for over 5 years on customer machines. It was never compromised in all that time, and no-one who needed it ever forgot it once I explained how it was derived. It would appear in no dictionary, so was effectively random. That's a fairly good password, but with modern computer algorithms it would still be cracked fairly easily.
Completely random passwords would seem to offer the best security, but this is not really the case. No-one ever remembers them, so they will be written down somewhere, and they are hard to type, which makes it easier for someone 'spying' to catch what you type in.
The best solution is a 'pass phrase' using random words in random order. For example, have a look at XKCD's 'correct horse battery staple' cartoon as this provides a good example as well as showing just how easy it can be to crack traditional passwords. A pass phrase should be easy to remember but not anything that you'd expect someone to say in the course of a conversation - unless you have some very strange friends of course .
I shouldn't need to say anything about viruses, after all, everyone knows not to open any attachment without checking it first. Sadly, if this were the case, viruses would cease to be, but virus writers are getting very sneaky, with many looking perfectly harmless.
The Windows operating system doesn't help either - by default, filename extensions are hidden in later versions, so the user does not get to see the .com, .exe, .pif, .scr (etc.) at the end of the filename. One can 'unhide' extensions easily enough, but most users never do so. The filename extension is a sure way to tell that 'picture.jpg' is really 'picture.jpg.exe' - naturally it will be a virus!
The frightening thing about some of the newer worm viruses is that they open a path into your computer, and as you type your user name and password into your internet banking site, the criminals who wrote the virus may be able to capture this information (plus anything else that may be useful to the criminal elements). The 'Sobig' worm from 2003 is now old hat, but it had this ability, and variations of it caused mayhem at the time. There are many new and 'exciting' worms, Trojan horses and other viruses available now, and no-one is 'safe' so you must remain ever-vigilant. It is now commonly believed that Sobig was not the work of a computer geek, but was very carefully written by a criminal gang, with the sole intention of using the worm to 'open' as many PCs as possible for intrusion. If you have had the Sobig or similar worm on your machine, consider changing bank account PINs and other sensitive material you may have stored on your hard disk.
Also, it is important to bear in mind that Microsoft never sends spam e-mails with attached 'patches' for your operating system, and nor does any other s/w provider. The ability to obtain patches, updates and the like is either built into the program or is available from the manufacturer's website. (MS will also never pay you to read and forward e-mails!)
What You Can Do
Never open any attachment without first scanning it for viruses, using the latest virus signature file for your virus scanner. If you do not have anti-virus software installed, then get a copy now!!! Consider the cost of someone being able to acquire your bank details vs. the cost of the software - it really is a no-brainer.
If you have a broadband connection, use a firewall! To remain on-line without one is asking for trouble. I have one in my router, and an earlier one on my PC almost daily gave pop-up messages telling me that "someone on [ip.address] wants to ping your machine", or "send a UDP datagram" or whatever. These are probes from hackers and/or criminals looking for vulnerable machines on the internet. If your machine is open to the outside world (and most are), then you are at serious risk. Separate routers with a firewall will simply ignore any external probe if they are set up properly.
In fact, I strongly recommend using a firewall even for the 7 people still using a dial-up connection. Yes, a firewall may be a nuisance, must be configured (so you have to learn how to do that), and may even cost you money (although there are many freeware versions available). Compare that to the potential loss (monetary, identity theft, etc.) if someone were to gain free access to your computer and all your files. If you are not scared by this, you either have nothing at all on your PC, or believe in the theory that "it will never happen to me".
Yes it will - eventually, or maybe it just did!
If you have a PayPal or E-Bay account, you may already have seen an e-mail requesting that you complete a form to "verify" your account. Do not fill in the form ever! No reputable organisation will ever ask for you bank account number and PIN - it is simply not done. Any request for this information should be viewed with the utmost suspicion, as it is almost certainly a scam.
To make it look authentic, many such e-mails have links to the 'real' site included, but the form data will be sent somewhere completely different. If you are unsure, e-mail the site's help desk and ask them - forward the entire e-mail you were sent, and have them verify its authenticity. 99% of the time, you will be told it's a scam, and not to provide the details requested.
In some cases, you may be taken to a website that looks 'exactly' the same as the real thing. A recent PayPal scam did just that - the only difference between the fake PayPal site and the real one was in the URL in the browser's URL window, and the lack of the 'https://' in the address.
What You Can Do
Always be suspicious of any e-mail that tells you that you must 'verify' your account details. Be doubly suspicious of any request that seems unreasonable, asks too many questions of a personal or financial nature, or that just seems 'wrong' somehow. If there is the slightest suspicion on your part, you are probably right!
Anything that seems too good to be true is! The Nigerian money scam and its derivatives have netted the criminals involved millions of dollars, and this will continue as long as people see a 'golden opportunity' and leap into it without so much as a web search.
Always, always do a search on anything that seems odd. Most times, you will find that some helpful individual somewhere (or many of them) has already investigated it, and you can find out what 'they' are up to.
We are not really secure, but there is no reason to make it easy for anyone to get hold of our personal details. Take sensible precautions. As well as the points mentioned above, beware of the following security holes ...
Paranoia - maybe. Sensible - absolutely!
Remember that just as locks are made to keep honest people out, encryption and other precautions are the same. If someone really wants your data, they will get it. Much of the time, sensitive information is leaked by someone with a big mouth, or is acquired by happenstance. There is however, a growing trend for people to obtain information by stealth or deception, and it is up to all of us to make it as hard as we possibly can for others to obtain our details - 'accidentally' or otherwise.
For those who visit my pages regularly, this may be seen as somewhat 'off topic' for a hi-fi audio site, but I thought that this information was too important not to share. Should anyone have other information, or feels that I have left out some detail, please send me an e-mail with your query or comments.
|Copyright Notice. This article, including but not limited to all text and diagrams, is the intellectual property of Rod Elliott, and is Copyright © 2002. Reproduction or re-publication by any means whatsoever, whether electronic, mechanical or electro-mechanical, is strictly prohibited under International Copyright laws. The author (Rod Elliott) grants the reader the right to use this information for personal use only, and further allows that one (1) copy may be made for reference. Commercial use is prohibited without express written authorisation from Rod Elliott.|