wmartin@ALMSA-1.ARPA (Will Martin -- AMXAL-RI) (12/19/86)
Here's a segment of a posting that just appeared in the RISKS Digest that should be of interest to the Telecom readership:

Date: Thu 18 Dec 86 11:25:17-PST
From: Peter G. Neumann <Neumann@CSL.SRI.COM>
Subject: EXTRA! British Telecom pay phone Phonecard broken?
To: RISKS@CSL.SRI.COM

Britain is currently just at the tip of an iceberg regarding an apparent vulnerability in its debit cards for British Telecom pay phones. The debit cards can be purchased from all sorts of shops, and come in a range of denominations such as 5, 10, 40, or 100 calling units. The system has been in use for a year or two, and card pay phones are both widely accessible and very popular. (If you've ever tried to use coins in a London call box, you know that it is quite an experience.)

My best guess is that it has a holographic stripe, and that a destructive write is used effectively to burn out a part of the hologram corresponding to each message unit -- making it difficult to ADD units to the card. Unfortunately, a relatively simple doctoring of the card has been discovered that threatens the whole scheme, and makes a card indefinitely reusable [at least until the system is either modified or withdrawn].

An article appeared as the front-page lead story in The Sunday Post (West Scotland?), 14 December 1986, with the banner headline "DIAL WORLD WIDE FOR NOTHING -- TELECOM HIT BY 'PHONE FRAUD'". The article notes that the trick was discovered by a British soldier "fed up with paying a fortune to call his Scottish girlfriend". The word is now spreading around British troops, and can be expected to be widely known in a very short time. (The newspaper states that they know how it is done, and have proved that it works. It cites a variety of calls that they were able to make without any debit to their card.)

The consequences of the propagation of this trick are awesome to contemplate. The system was presumably billed as "foolproof". But "foolproof" is not good enough against intelligence -- although it should be pointed out that the card is not a smart-card in the usual sense. There is no user identification number required, and no use of encryption. The AT&T credit card number seems somewhat safer, as it is quickly revocable on an individual basis. On the other hand, the convenience of the BT phone card is certainly appealing.

[Following portion was "RISKS"-specific, so has been deleted - WM]