risks@CSL.SRI.COM (RISKS Forum) (02/07/91)
RISKS-LIST: RISKS-FORUM Digest  Wednesday 6 February 1991  Volume 11 : Issue 03

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Tube Tragedy (Pete Mellor)
  New Zealand Computer Error Holds Up Funds (Gligor Tashkovich)
  "Inquiry into cash machine fraud" (Stella Page)
  Quick n' easy access to Fidelity account info (Carol Springs)
  Re: Enterprising Vending Machines (Mark Jackson)
  Risks of no escape paths (Geoff Kuenning)
  A risky gas pump (Bob Grumbine)
  Electronic traffic signs endanger motorists... (Rich Snider)
  Re: Predicting system reliability (Richard P. Taylor)
  The new California licenses (Chris Hibbert)
  Phone Voting -- Really a Problem? (Michael Barnett, Dave Smith)
  Re: Electronic cash completely replacing cash (Barry Wright)

 The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
 taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
 CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line.
 Others ignored!  REQUESTS to RISKS-Request@CSL.SRI.COM.
 FTP VOL i ISSUE j:  ftp CRVAX.sri.com<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>  (where i=1 to 11, j is always TWO digits.
 Vol i summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye" logs out.
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues of
 ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 5 Feb 91 21:43:18 PST
From: Pete Mellor <pm@cs.city.ac.uk>
Subject: Tube Tragedy

The Sun, Tuesday, February 5th, 1991, p. 6:

  A tube passenger was dragged to his death after getting his arm trapped in
  a train's automatic doors.

  Four pals inside the carriage watched as the victim was pulled along the
  platform and smashed against the tunnel wall at London's Kings Cross.  He was
  then sucked under the moving train.  But the friends have not come forward,
  and the man - believed to be Italian - has not been identified.

*********************

I was puzzled that this was not reported in the Guardian, or on the evening TV
news, so I rang London Underground's PR department for confirmation.

It happened on Sunday night, on the Northern Line.  Apparently the man, being
separated from his friends as the doors closed, had opened them by operating
the butterfly clasp on top of the carriage.  (Presumably this is intended for
staff use only, to open doors in exceptional circumstances.)  The doors then
closed faster than he expected, so trapping him before he could get on.  (The
fact that the butterfly clasp had been operated, presumably meant that no
warning signal was sent.)

According to the PR department, neither the guard (still employed on older
parts of the underground) nor the driver were to blame.  LU PR are surprised,
however, that the man was able to reach and operate the clasp.

It looks like a case of "No system is foolproof.  It all depends on the size of
the fool!", but there may be some design implications here.  Surely, for
instance, a warning should be given if a door is open for *any* reason?

In the meantime, London Underground is making 1000 staff redundant to cut
costs.  According to one union leader, this will lead to unmanned stations at
night, and take the underground closer to being a "passenger-hostile system".

Peter Mellor, Centre for Software Reliability, City University, Northampton
Sq., London EC1V 0HB   +44(0)71-253-4399 Ext. 4162/3/1
p.mellor@uk.ac.city (JANET)

------------------------------

Date: Wed, 6 Feb 91 11:40 EST
From: <TASHKOVI@CRNLGSM.BITNET>
Subject: New Zealand Computer Error Holds Up Funds

From the New Zealand Herald, January 15th, 1991, p. 4.
NZPA -- Wellington

A computer processing error at Databank has thrown many savings account
balances out of kilter.  Misalignment of account number suffixes prevented
Databank's computers from identifying some recipient accounts.  The computer
posted payments to a safe holding file until the problem could be resolved,
Databank said yesterday.

Although current accounts (those with 00 suffixes) were not affected, accounts
with other suffixes (such as 02, 03) may not have received payments made on
Friday.  This problem would show up on automatic teller machine and Eftpos
inquiries into savings and special accounts.  All banks in New Zealand were
affected but the problem was expected to be resolved by start of business
today, Databank said.

------------------------------

Date: Mon, 4 Feb 91 11:33:31 GMT
From: Stella Page <sp@cs.city.ac.uk>
Subject: "Inquiry into cash machine fraud"

Extracts from Finance and Economics article, The Guardian, 1 February 1991:

  A bank engineer is being interviewed by police investigating unauthorised
  withdrawals from cash machines.  It is alleged that money was withdrawn from
  customers' accounts through information gained during the servicing of
  machines operated by Clydesdale Bank. ...

  Since the first cash machines appeared ... all banks have denied that
  "phantom withdrawals" are possible, despite the fact that public complaints
  alleging such withdrawals make up the biggest single item in the banking
  Ombudsman's caseload.  In only one of many hundreds of complaints has the
  Ombudsman found in the customer's favour ...

  Last year, 482 complaints about cash machine withdrawals were lodged ...
  None were resolved in the customer's favour.  The only time the Ombudsman did
  find for the customer, in 1988, it was on a legal technicality.  The first
  Ombudsman ... said his office accepted the banking industry line that
  withdrawals could only be made by a person using a card and a number.

  The banks have never accepted that cash-machine withdrawals could be made as
  a result of computer error or internal security breaches.

  Clydesdale said: "Unauthorised transactions were revealed as a result of our
  investigative procedures and the police advised.  Only a very small number of
  accounts has been affected and the bank has written to them."

Stella Page, Centre for Software Reliability, The City University, Northampton
Square, London EC1V 0HB, United Kingdom.

------------------------------

Date: Tue, 5 Feb 91 13:37:38 EDT
From: Carol Springs <carols@drilex.dri.mgh.com>
Subject: Quick n' easy access to Fidelity account info

Robert Powell reports in the Boston Herald, February 5, 1991, that from
January 8 to February 4 callers were able to access info on any Fidelity
Investments shareholder's account for which blocking had not been specifically
requested -- solely via the investor's SSN.  The access is still available for
most Fidelity accounts.  From the article:

  The program, introduced Jan. 8 and called Fidelity Telepeople Collection,
  lets folks dial an 800 telephone number.  After being prompted by a
  computer, callers key in their or any customer's Social Security number to
  learn holdings of stocks, options, and mutual funds.

  People who knew the Social Security numbers of Fidelity's bigwigs like
  Chairman Edward C. Johnson or Peter Lynch could easily learn whether Johnson
  put his money where his firm is, or just how many shares of the Magellan Fund
  Lynch owned.  The Social Security numbers of most executive officers of
  investment advisory firms are on file with the Securities and Exchange
  Commission.

  Fidelity, in reaction to a story in yesterday's Wall Street Journal, blocked
  the public's access to Fidelity executives' accounts.

The article goes on to add that individual shareholders can request that
telephone access to their accounts be blocked, according to Tracey Gordon at
Fidelity.
Marketing manager Judith McMichael adds that ...Fidelity changed the access
code to the telephone service from a customer's account number to his or her
Social Security number because of overwhelming customer support during the
company's research.  And Fidelity has only received three complaints to date,
she said.

Eric Kobren, the president of Mutual Fund Investors Association, is requesting
that his subscribers call Fidelity to ask them to require a PIN tag for the
service.

Carol Springs   carols@drilex.dri.mgh.com

------------------------------

Date: Tue, 5 Feb 1991 12:55:01 PST
From: mjackson.wbst147@xerox.com
Sender: Mark_Jackson.wbst147@xerox.com
Subject: Re: Enterprising Vending Machines (Allan Meers, Risks 11.01)

In Risks 11.02, PGN writes:

> Here is another example of ordinary mortals having to gain sophistication
> in the vagaries of automated systems in order to maintain their cool.

Who are you calling a mere mortal?-)

Despite having read Allan Meers' posting (Risks 11.01) *I* got burned this
morning, and not by an older machine, either.

Around 11 AM I entered the lobby of the (brand-new) post office in Webster NY.
Approximately 35 people were waiting in line, so I turned to the (brand-new)
stamp vending machine.  Several of the selections were flashing "SOLD OUT" but
(great!) rolls of "F" stamps were still available for $29.00.

There was a puzzled couple ahead of me; they'd fed a dollar into the machine
thinking they could buy *one* F stamp, and were now trying to figure out what
to do (no purchase, no change; cheapest non-sold-out option was 10 23 cent
stamps for $2.30).  I offered to feed the machine a $10 and a $20 bill, buy the
$29.00 roll, and split the $2 change.  (There was a big sign posted next to the
machine warning about no change without purchase, noting that change up to $5
would be given in coins.)

No problem. . .until I got my stamps.  Displayed credit dropped from $31.00 to
$2.00.  Pressed the CHANGE button. . .display changed to flashing "OUT OF
COINS - NO CHANGE AVAILABLE"!  Gotcha!  There was *no* warning of this state
until change was requested.

Getting a refund required pushing to the front of the line, flagging down a
clerk, then filling out a long postal refund form IN DUPLICATE. . .and, for
all I know, waiting for a government check to arrive from Washington.  We
decided to feed the machine some more change and take our change in 23 cent
stamps, so the other guy put in 35 cents (no nickel). . .and THEN we noticed
that the machine had quietly eaten the $2 credit.  At this point we gave up;
final score me -$1, them -$1.35, USPS +$2.35.

It seems the programmers did anticipate this problem (credit stuck in the
machine with no means of recovery).  From the Postal System's point of view,
this is a problem because IT DISABLES THE MACHINE.  So, apparently, the
solution is to clear unused credit after 60 seconds of inactivity, thereby
"resetting the trap."

Mark <MJackson.Wbst147@Xerox.COM>

"This U.S. stamp, along with 25 [cents] of additional U.S. postage, is
equivalent to the 'F' stamp rate" - Official Algorithm of the US Postal Service

------------------------------

Date: Fri, 1 Feb 91 16:01:42 -0800
From: Geoff Kuenning <geoff@prodnet.la.locus.com>
Subject: Risks of no escape paths

I just got a phone message from one of my credit card companies, asking for a
return call.  However, when I called their 800 number, I got a computerized
answering system.  The second prompt was "please enter your 16-digit account
number now."  Happens I have two cards from that company; which had they
called about?

Hang up, try again -- this time I figure I'll pretend to have a dial telephone
and talk to a human.  Wrong.  The hardware is actually smart enough to detect
dialing on a dial phone, and my fancy PBX won't let me masquerade by flashing
the hook.  Okay, I'll wait for a timeout.  Wrong.  After the timeout it insists
on a number.  Okay, how about an obviously incorrect number?
After 16 5's, it pauses and then complains that the account number is
incorrect, returning me to the original prompt.

In frustration, I begin composing this message.  While typing, I notice that
there is a "flash" button on my PBX phone.  Maybe that'll let me pretend to be
a dial phone.  Nope.  But my PBX is screwy enough that this attempt put the
line on hold without my noticing.  60 seconds later I notice the flashing light
and pick up, just in time to get a voice saying "Hello?"  I say "hello," and
the person at the other end asks for my account number.  But now I've got a
human, and when I tell him my problem, he is smart enough to handle me without
insisting on the account number.

Surprise!  I have more than two cards with that company, because they just
bought out another of my cards!  So now which card do they care about?

The only good thing (other than a chuckle) about this whole thing is that the
phone answering system is still on trial, so if I can remember to call on
Monday, I can talk to a responsible person and perhaps (especially by
mentioning RISKS) affect their go/no go decision.

If I didn't love them so much, I'd hate computers...

Geoff Kuenning   geoff@la.locus.com   geoff@ITcorp.com

------------------------------

Date: Saturday, 2 Feb 1991 14:14:32 EST
From: <RMG3@PSUVM.PSU.EDU>
Subject: A risky gas pump

I guess risks readers haven't stopped for gas on the Ohio turnpike lately.
A new service is being offered on the Ohio turnpike by Sohio (a division of
BP Oil).  I'll quote their flyer:

  " New from SOHIO and the Ohio Turnpike ... [Their ellipses]
    Now, RAPID PUMP lets you charge your gas quickly and conveniently right at
    the pump.  If you need a receipt, RAPID PUMP will give you one.  No need to
    walk to the cashier.  Just charge your gas at RAPID PUMP, and drive away. "

On another flyer the operation is explained:

  " 1  Just insert and remove your card ...
       RAPID PUMP automatically checks for authorization.  If you would like
       to cancel at any time before pumping fuel, use the CANCEL button.  You
       may also press the HELP button at any time for assistance
    2  Need a Receipt?
       Watch the display screen and select either the YES or the NO button
    3  Then select your fuel ...
       [text irrelevant to risks]
    4  Stop when you want ...
       When you reach the dollars and gallons you want, slide the lever down,
       replace the nozzle and your gas cap.  If you did not request a receipt,
       your transaction is complete and you may drive away.
    5  If you requested a receipt ...
       RAPID PUMP automatically prints your receipt for you.  Take it and
       drive away! "

Having read risks for a while (or rather, having read the archive recently),
I did not try this 'convenience' out.  Just in the time I was pumping gas I
came up with several _risky_ questions about the process:

  What verification is there that the card that is authorized is really mine?
  What happens if the receipt disagrees with the amount pumped?
  How about if my number is not cleared from the pump's memory and I get
    billed for the entire day's gas from that pump?
  How do I get that receipt if the machine is out of paper?  Will it _always_
    know that it can't print _before_ I pump the gas?

There are quite a few that risks readers could come up with.  This situation
does start to merge into the 'Americard' type of risks as well.  Perhaps this
gas pump is a harbinger of the 'Americard'.  I hope not.

Bob Grumbine

------------------------------

Date: Tue, 5 Feb 91 16:19:31 EST
From: rsnider@xrtll (nexus.yorku.ca?)
Subject: Electronic traffic signs endanger motorists...

Recently in Toronto the Ministry of Transportation has introduced a system to
regulate/inform motorists while driving on a large section of highway that
crosses almost centrally through the city (also known as the 401).  This
highway has approx 16-20 lanes of traffic which has the daily weekday tendency
to come to a full and complete stop during morning and afternoon rush hours.
The system they have given us consists of electronic signs much like typical
Stadium Scoreboards on which they will display messages about traffic
conditions ahead, behind, or wherever that they collect from a set of TV
cameras and wire loop sensors that are installed along the highway.

On a smaller highway that runs through the city they installed a single
smaller version of the big signs now installed, and for the last year or so
they have been conducting tests with it (I assume).  Now usually this smaller
sign has contained a simple message saying what the next exit is, but a few
times it has displayed messages about weekend highway closures.  This has
resulted in the best chaos I have seen next to the typical rush hour stuff.
There is a serious danger here of people crashing into others who are either
reading the message, or trying to avoid someone else who is.

This is ONE sign.  I figure there are about 30 of the big ones now going to be
used.  I can only imagine what we are going to see happen when they start
displaying things like "LEFT LANE BLOCKED, USE COLLECTORS AHEAD" and 700
motorists first slow down to read this and then try and pull over to the two
rightmost lanes in order to exit off that section of the highway.  I suppose
they could use some of the other signs available to tell of the impending
disaster in the collector lanes.

ISOTECH Computer Industries, Toronto, Canada
....Rich (rsnider@xrtll)   Ls not 1s   ....uunet!itcyyz!xrtll!rsnider

------------------------------

Date: Wed, 6 Feb 91 11:37:45 EST
From: Richard.P.Taylor@nve.crl.aecl.ca <taylorrp@nve.crl.aecl.ca>
Subject: Re: Predicting system reliability

I would like to expand on the issues raised by Martyn Thomas concerning
reliability requirements, expectations and predictions.

Mr. Thomas points out that it is unsound to predict the reliability of one
system from knowledge of the reliability of another, "similar" system.  In my
opinion, this is the major problem with using reliability growth models to
predict the reliability of a system.  Whenever changes are made to fix errors
discovered by testing, the result is a new system.  The new system will
certainly be similar to the old system, but because the changes may have
introduced or uncovered new faults, we cannot predict that the reliability of
the new system will have any fixed relationship to the reliability of the old
system.

It seems clear to many investigators of software reliability that the only way
to gain confidence that a given level of reliability has been achieved is to
have a period of failure-free operation longer than the required period.
Therefore we must change some of our reliability requirements and definitions
in order to make reliability testing practical.  I believe that someone has
already pointed out in a previous RISKS debate concerning the A320, that there
are great differences in the control requirements and safety requirements
between takeoff, level flight, and landing.  It is much more feasible to test
a system over a large number of simulated takeoffs and landings than it is to
test for an extremely long operating time.  Similarly, as Mr. Thomas points
out, for on demand systems.

My own concern is with nuclear reactor shutdown systems.  While these systems
are "on-demand" (they are only required to "act" to shut down the reactor when
some kind of process anomaly is detected), they are in continuous operation in
a monitoring role.  In order to make reliability testing feasible, it is
necessary to design the system in such a way that each individual test need
not include the months of steady-state operation which generally precedes a
shutdown demand.  We must also be careful to define our reliability
requirements to separate the shutdown function from the less critical
monitoring and reporting functions.

The Canadian Atomic Energy Control Board is currently working on ways to
define, test and review software safety system reliability.  I would also
welcome further discussion of these issues in RISKS.

Richard P. Taylor, Atomic Energy Control Board (AECB), P.O. Box 1046,
Station B, 270 Albert St., Ottawa, Canada, K1P 5S9   (613) 995-3782

------------------------------

Date: Tue, 5 Feb 91 11:02:13 PST
From: hibbert@xanadu.UUCP (Chris Hibbert)
Subject: the new California licenses

California did indeed introduce a new format of Driver's License.  I've been
following the issue for a while as part of CPSR's Palo Alto working group on
Computers and Civil Liberties.  Here are some of the details:

There will be a magnetic stripe on the back with three tracks encoded on it.
The middle track will be encoded in the same format as your credit cards, and
will therefore be readable with ordinary commercial readers.  This track will
only contain 40 bytes of information, and will only contain the name, driver's
license number, and expiration date.  The other two tracks will be in a format
that is incompatible with current commercial readers, and will contain the
rest of the information that is printed on the front: birth date, eye color,
hair color, height, weight etc.

The picture on the front will be an ordinary photo (I'm not sure whether it'll
be color or B&W), with a hologram of the state and DMV seals to make
counterfeiting harder.  There will apparently be a different version for
people under the legal drinking age: the picture will be on the right instead
of the left.  (This tidbit from the Mercury News.  I hadn't noticed it
before.)

The DMV says that the first and third stripes will be encoded at a higher
density and "corrosivity."  Apparently corrosivity is resistance to changing
the pattern of magnetization.  (I welcome corrections or expansions on this
point.)
I'm not sure whether "Orsteds" are measures of density or corrosivity, but
they say that the standard specifies 30 Orsteds, and that's what the middle
stripe will use, while the other two stripes will be encoded at 3600 Orsteds.
The difference in density is for incompatibility with current commercial
readers, though I'm not convinced that new readers won't be made available
soon to the California business community.  The difference in magnetization
is intended to make the cards harder to erase or rewrite.  I don't know
whether it'll do any good, or whether there will be penalties for carrying an
erased card around.  I fully intend to see if I can erase my card first thing
when I get one.

The primary purpose of the new cards, according to the DMV, is to make it
easier for police officers to fill out tickets correctly and quickly.  There
will be readers for the new cards in all state police cars, though I don't
know what the schedule for installation is.  They'll probably wait until a
significant proportion of the citizenry have the new licenses.

A secondary purpose is to save money and time when issuing renewal licenses.
The DMV (actually, the contractor who won the bid) will keep digitized records
of the picture and other data on the card, and when renewal time comes around,
they'll be able to just pop a brand-new card in the mail.  This will get rid
of the certificates of renewal and address update cards that Californians now
carry around with their licenses until they get a new card.

Another purpose (as evidenced by the fact that the stripes are partially
compatible with commercial readers) is making the information more easily
available to merchants.  Since the information is accessible, merchants will
find a way to use it.  The most likely way is to keep track of customers and
their habits.  More efficient access to the bad-check data bases is a laudable
goal, but its cost will be that more information will be stored about
everybody who's willing to let their licenses be scanned in the name of
efficiency.

I've tried to explain this point to members of the state legislature, but
without success.  The fact that I didn't find out about the plan until after
the DMV had gotten some approval and had requested and started processing bids
didn't help my case.  In a response to a letter of mine, Assemblywoman Delaine
Eastin (Chairwoman of the committee on Governmental Efficiency and Consumer
Protection; now there's a pair of incompatible goals for one committee to work
on!) wrote:

  "I share your concern that the stripes, if used improperly or if expanded
  beyond the current plan, could constitute an invasion of privacy.  A society
  where people carry around magnetically coded `ID' cards for use by police
  and store-keepers would not be one most of us want to live in.
  Nevertheless, the DMV plan, limited in its scope, seems like a relatively
  benign way to save time and money for everyone."

The new licenses constitute exactly the "magnetically coded `ID' cards for use
by police and store-keepers" that she said we wouldn't find acceptable.
Merchants will start asking customers for their licenses, and most customers
will comply unthinkingly.  Those who see the deeper privacy issues and don't
want their identity recorded along with their buying habits in yet another
computer system will have to contend with clerks who just do what the boss
tells them to.  They won't be allowed to ignore those behind them in line who
can only tell that someone is interrupting the routine and making them wait
longer.  I'm afraid that we've lost a little more of our privacy, and it's
going to be very hard to get it back.

Chris

------------------------------

Date: Tue, 5 Feb 91 13:03:29 CST
From: mbarnett@cs.utexas.edu (Michael Barnett)
Subject: Phone Voting -- Really a Problem?
I must agree with Mike Beede in RISKS-11.01 that phone voting is basically a
solution in search of a problem.  I understand that we are all in
technological fields, but surely there must be times that we can see the
answer to a problem does not lie in technology.

What is the problem that phone voting is trying to solve?  It appears to me
that the main problem with elections in this country is the low turnout.  I
find it hard to believe that it is the difficulty of physically going to vote
that accounts for that.  Why not try the solution many countries have --
either make election day a holiday, or conduct it on Sundays when most of the
population is not working?  (Of course, I'm tempted to say that having a real
choice on the ballot may be the best cure.)

Michael Barnett

------------------------------

Date: 6 Feb 91 08:40:10 GMT
From: daemon@celit.UUCP
Subject: Re: Voting by Phone (Ravitz, RISKS-11.01)
Reply-To: dave@com.UUCP (Dave Smith)

eravitz@isis.cs.du.edu (Evan Ravitz) writes:

> (in regards to voting via phone)
> Paranoia is justified, but apply it to how we vote now, as well.  Don't you
> think that a government that can photograph your license plate from outer
> space can install a tiny video camera that watches how you vote in a booth?

Sure the government could install a video camera in every voting booth.
Could they keep it secret?  I don't think so.  However, accessing a database
and cracking a cryptographic code is something that could be done by a small
group of people working in secret.  That's the risk inherent.  I doubt that
the government proper will ever conduct a project like spying on the voters
but a small group, a la Ollie North and Friends, could very easily do it
given a relatively small amount of resources.

David L. Smith, FPS Computing, San Diego   ucsd!celit!dave or dave@fps.com

------------------------------

Date: Tue, 5 Feb 91 13:16:53 EST
From: ronin@ronin.sbi.com (Barry Wright)
Subject: Re: Electronic cash completely replacing cash

> Think about it.  Drug deals, muggings, corruption, businesses
> concealing their income - they all require cash and secrecy.  A monetary
> system based solely on electronic currency would leave a trail that would
> cripple such enterprises.

Fat chance.  When was the last time you "hacked" a supposedly secure system,
just to prove you could?

I remember when BART (Bay Area Rapid Transit) was just starting, with its
supposedly secure, tamper-proof, "electronic tokens" (cards that registered
the amount in the commuter's "account" and allowed a ticket purchase if there
was enough remaining -- somewhat similar to the electronic cash scenario).
A Berkeley councilman, suspecting the BART cards weren't quite as secure as
claimed, offered a cash reward (only $100, as I remember) to 50 UC Berkeley
students, if they could find a way to steal from the proposed system.

He got fifty different successful hacks.
             ^^^^^^^^^

Electronic cash would only breed electronic thieves.  A better breed, perhaps,
but thieves nonetheless...  :^)

B. Wright   ronin@ronin.sbi.com

   [By the way, there is still an enormous collection of pending messages on
   mastercards and on americards.  If I have the patience to prune it a little,
   you'll get to see it.  Otherwise, it may just drop through the crack.  It
   required much more moderation on the part of your moderator than usual...
   PGN]

------------------------------

End of RISKS-FORUM Digest 11.03
************************
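Richard P. Taylor's contribution above makes three arguments about demonstrating reliability: confidence in a target requires failure-free testing at least as long as the target, demand-based testing is far more tractable than testing for an extremely long operating time, and a system changed to fix a fault is a new system whose evidence must be collected afresh. The calculation below is an added worked example, not part of the digest or of any contributor's post. It assumes the simplest statistical models (independent demands for the on-demand case, a constant failure rate for continuous operation), and the target figures and test record are constructed for illustration rather than taken from any real shutdown system.

```python
import math


def demands_for_pfd(pfd_target, confidence):
    """Consecutive failure-free demands needed before one can claim, at the
    given confidence, that the probability of failure on demand (pfd) is at
    most pfd_target.  Assumes independent demands (a Bernoulli model), so
    P(N failure-free demands | pfd) = (1 - pfd) ** N; the claim is accepted
    once that probability, evaluated at pfd_target, falls to 1 - confidence."""
    if not 0 < pfd_target < 1 or not 0 < confidence < 1:
        raise ValueError("pfd_target and confidence must lie in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - pfd_target))


def hours_for_rate(rate_target, confidence):
    """Failure-free operating hours needed to claim, at the given confidence,
    that the failure rate is at most rate_target failures per hour.  Assumes a
    constant failure rate, so P(no failure in T hours | rate) = exp(-rate * T)."""
    if rate_target <= 0 or not 0 < confidence < 1:
        raise ValueError("rate_target must be positive, confidence in (0, 1)")
    return -math.log(1 - confidence) / rate_target


def demonstrated_pfd_bound(outcomes, confidence):
    """Best pfd bound a test record supports at the given confidence.

    outcomes is a sequence of True (demand handled correctly) and False (a
    failure, assumed to be followed by a fix).  Only demands after the last
    fix count: the fixed system is a new system, so earlier failure-free
    demands say nothing about it.  Returns None when no failure-free demands
    have been run since the last fix."""
    record = list(outcomes)
    if False in record:
        last_fix = len(record) - 1 - record[::-1].index(False)
        n = len(record) - 1 - last_fix
    else:
        n = len(record)
    if n == 0:
        return None
    # Solve (1 - pfd) ** n = 1 - confidence for pfd.
    return 1 - (1 - confidence) ** (1 / n)


if __name__ == "__main__":
    # Constructed target: a shutdown function allowed to fail on no more than
    # 1 demand in 10,000, to be shown at 99% confidence.
    print("failure-free demands needed:", demands_for_pfd(1e-4, 0.99))
    # The same figure stated as a rate of 1e-4 failures per operating hour
    # would instead need this many failure-free hours of steady running.
    hours = hours_for_rate(1e-4, 0.99)
    print("failure-free hours needed: %.0f (about %.1f years)"
          % (hours, hours / 8766))
    # Constructed test record: 10 good demands, one failure (and a fix), then
    # 22 good demands on the fixed system.  Only the last 22 count.
    record = [True] * 10 + [False] + [True] * 22
    print("pfd bound at 90%% confidence: %.4f"
          % demonstrated_pfd_bound(record, 0.9))
```

The two "needed" figures come out almost equal (about 46,000 demands versus about 46,000 hours), which is the point of Taylor's argument: 46,000 simulated demands can be run in a test rig, whereas 46,000 hours is more than five years of continuous failure-free operation, and that clock restarts whenever a fault is fixed, as the last function shows by discarding every demand before the most recent failure.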