2006-06-14 21:54

Paper security

I’m glad to find that ideas keep coming for blog posts, even if that means my ongoing projects and list of possible future posts are languishing. It’s surprising, also, how much having a social life can interfere with one’s regular blogging patterns. Fortunately I have come to my senses and stopped spending time with interesting people, so I have an opportunity to place more of my supposed wisdom on the Web for posterity. Don’t think I’m so self-absorbed that I’d use this post to chat about what I did on my weekend, though. My intention is to talk about something that may be useful to people, especially people who are paranoid about becoming victims of fraud (and possibly also useful for people attempting to carry out fraud, albeit with a high chance of detection).

The two dangers

Many people, perhaps out of convenience or a misguided belief that paper is always more reliable than electronic data, do not question the security of familiar, paper-based security systems. This unwarranted trust can be exploited by attackers through direct means such as forgery, or through more subtle means, such as copying a familiar, secure, paper-based system and adding an insecure but largely unsuspicious step.

As an example of the first, less sophisticated type, imagine a person walking into the reception of a busy firm, dressed in the uniform of a courier service, and presenting a sheet of paper to the receptionist asking them to sign for the pick-up of the package that is waiting there. It would be a trivial matter to produce such a piece of paper and a uniform, copying from photographs of originals if necessary, and so these visible symbols of authenticity, which are such powerful unconscious triggers, give a false sense of security to those relying on them. I leave it up to the interested reader to work out the specifics of observing when a package is put in reception for collection, and how the attacker would determine the source address for it.
The type I would like to talk about most, however, is the second type, where an attacker copies an existing, trusted process, which is not itself susceptible to alteration, but uses the victim’s good faith in that process to make them carry out an additional insecure step. I have a very specific example of this, because it is a type of attack I realised was theoretically taking place in a security system which I have recently been expected to follow. After investigating thoroughly, I had sufficient evidence that the security system was indeed genuine, but unfortunately the unusual step that was added still represents a threat, since people’s familiarity with it makes them more likely to follow a slightly altered version in a spoofed copy of the security system, which could disclose private information to an attacker.

Example in the wild

Imagine you were to get a letter in the post, claiming to be from your bank, without knowing this was false. It may be difficult for an attacker to do this secretly and cheaply in bulk, but perhaps one would consider the possibility of a one-off attack by a highly motivated adversary to be significant. Assume the attacker knows your name and address (from various public records, or from having met you personally), and which bank you use (after following you home from there, or recognising the logo on the shredded remains of a bank statement in your rubbish, for instance). Now imagine that the letter contains a card that looks like the one issued by your bank, again with your name on the front. Would you know if the card was genuine? We are told how easy it is for criminals to make cloned cards, but in this case they needn’t even have put any data on the magnetic strip, nor given it the features that only a cashier would know to check. At this point, the setup is purely fanciful. The system largely does not need to be resistant against a spoof card at this stage.
Without control over where you use your card, the system is secure, and no less secure for there being a fake card. A bigger threat is that someone may have swapped a real letter and card for a fake letter and card, to stop the victim realising their card had been taken, but the attack I am describing does not rely on intercepting the real card. The problem comes when a step is added to this simple “card handover” process, not least because people are so familiar with, and trusting of, the existing conventional process. Imagine the new step is to send off a piece of paper, to a pre-printed address, on which you are asked to provide a copy of your signature and your account number. Clearly these are two new pieces of information, not included in the letter, since ostensibly the request for this information is for you to provide something only the account holder would have. The question is whether you trust this new step.

Analysis of attack

This was the question I was faced with recently, and being unnerved by this request for extra information, I investigated. (Actually, my first step was to wait an amount of time I will not specify for a real card, if this was not it, to turn up, and/or for any scam to be detected and shut down.) When thinking about it, my conclusion was that a resourceful attacker could carry out all the steps listed above, so this was potentially an attack. I must point out, though, that the attack could fail at the first hurdle if, when the target took out their old card to be destroyed, they noticed that the periods of validity on the two cards overlapped significantly. Is this something that most people would notice, and what is the probability that the letter arrived near the end of the first card’s validity period?
If we assume a 24 month validity period for a card, and that a 2 month overlap wouldn’t be seen as suspicious (and that everyone is checking for, and basing their decision on, this overlap), then random chance would mean the attack would not be detected at this stage in only about 1 in 10 cases. I of course did check, and found nothing suspicious about the dates.

One seemingly more definitive way, though, of determining whether the extra step was legitimate was to check the address that the letter was asking me to send my details to. A Google search of the postcode came up with just one site, in Russia, although fortunately the text was not used as a postcode on that site but as a part number or some such thing. Assuming the attacker expects the intended victim to give at least a cursory glance over the destination address, you would expect them to make it look as related to the bank as possible. The prevalence of numbered “PO (Post Office) boxes” used by large companies lessens the burden of proof for an attacker, since they can use a similarly anonymous and forgettable address. It wouldn’t even be hard to get a PO box in the same city, should people have an instinct about where their bank is headquartered. That just leaves the limited assurance from the first line of the address. Could an attacker really register a PO box under the name of a bank? The worryingly possible alternative is that an attacker could just give something like “New Card Processing” or “Security Activation” as the first line of the address, without arousing much suspicion from the company registering the PO box.

The last question is what they would achieve. With all the trouble they would have to go to in order to find out the name of your bank, create a fake card and a fake PO box, and ideally find out, or hope to guess, your previous card’s expiration date, what information would be disclosed to them?
The signature and account number of someone at a known address and with a known bank. I’m not sure what you could achieve at someone’s bank with a faked document and signature, but I imagine that at least somewhere this would be sufficient to get past a security system and provide more information to an attacker. Could the attack work? I would say yes. Is the attack worth the effort and the risk, compared to other attacks? I would hope not.

Conclusion

Although the immediate analysis is that the attack is unlikely or impractical, that is not on its own a reason not to be suspicious of this extra step if you are ever asked to perform it. As suggested above, the more people become accustomed to this step, the more likely criminals are to attempt to use it in a spoof version of the card handover system. Thinking slightly more widely about the problem, I’d recommend that banks explain the potential dangers in this step, remind their customers to be vigilant at all times, and provide some sort of trail of trust linking the address to which card activation details are sent back to the bank itself. For individuals, I would recommend always questioning new steps, and not giving any unwarranted trust to paper-based systems. To some extent the discussion above is just an exercise in looking for potential attacks on a system and then challenging that by finding mitigating factors. If I have added to people’s, or even my own, appreciation of the security perspective of an everyday paper-based system, then I’ve done something good.