Subject: RISKS DIGEST 11.11
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Friday 15 February 1991  Volume 11 : Issue 11

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Re: Enterprising Vending Machines (Jeff Johnson)
  Re: Electronic Cash (Joseph R. Beckenbach [2], 34AEJ7D, M P Evans)
  Re: Cashless Banking and Privacy (Jake Livni)
  Re: Cashless gas pumps (Jeff Helgesen, Dick Smith, Lars-Henrik Eriksson, K. M. Sandberg, Sean Malloy, Peter da Silva, 34AEJ7D)
  Re: Electronic telephone directory (Ralph Moonen)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored!
REQUESTS to RISKS-Request@CSL.SRI.COM.
FTP VOL i ISSUE j: ftp CRVAX.sri.com, login anonymous, AnyNonNullPW, CD RISKS:, GET RISKS-i.j (where i=1 to 11, j is always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Mon, 11 Feb 91 15:26:14 PST
From: Jeff Johnson
Subject: Re: Enterprising Vending Machines (Risks 11.03)

Just had my own run-in with a postal vending machine. Was expecting trouble because of what I'd read in RISKS, but got bitten anyway. If not interested in the details, skip to Summary.

Entered a post office to buy some new stamps. Long line waiting. Vending machines (3) all flashing the "Use exact change" light. Line backed up into narrow hallway containing both vending machines and post boxes.
Hallway very crowded; people angry because they must wait in line or because they can't get through the crowd to their post box. Several people standing in front of the vending machines, trying to figure out how to coerce stamps from them, adding to the crowd. Purchase-pooling deals being suggested, mentally tested ("Let's see, if I buy two books of stamps and you get 1 book of post-card stamps..."), and tried.

One machine offered ten 29-cent stamps for $2.90, but wanted exact change. I had 3 ones and a twenty. I decided to put in $3, get ten stamps, and forget about the extra dime. Put in first dollar: amount-display showed $1.00. Tried to put second bill in, but machine rejected it repeatedly. Ditto other bill. Pressed "change return" to get first dollar back. Machine made four "ka-chunk" noises, but no money actually appeared. The amount-display now read $0.00, but I didn't notice this at the time. I put in the other 2 bills (this time the machine accepted them); now the display said $2.00. Hadn't noticed that it had gone to zero, so wondered where my other dollar had gone. Figured that it must have timed me out as reported in RISKS. Had no more one-dollar bills, so was stuck. Pressed "change return" in frustration: eight "ka-chunks" but no money. Noticed amount decreasing $.25 for each "ka-chunk" this time, so figured out what happened to first dollar.

Asked to see station manager. Told him what happened. He didn't understand. Invited him out into lobby to put bills into machine. He did. Told him to press "change return". He didn't want to: didn't want to lose his money. I said, "You've already lost your money since there's no way to get it back; you might as well press 'change return' so you can see what happens." He did, heard the "ka-chunks", then said: "This machine is out of order; I need to put a sign on it". I said, "It's out of order, but not because it's malfunctioning; this is what it is designed to do when out of change." He didn't think so.
I also tried to explain to him that new stamp price *means* that vending machines must be refilled with change much more often. By now he was beginning to feel some of the stress and exasperation that filled the hallway. He said, "The guy who services these machines isn't here today," gave me my money back, and put an "Out of Service" sign on the machine. This ended the interaction, because now several other people who had been having trouble with the machines pounced upon him.

Summary: The new stamp-price ($.29) has side-effects that clearly were not anticipated by the Postal Service. The new price was calculated to increase revenue to cover operating costs, but some of its ramifications weren't anticipated. One is that the vending machines will be dispensing much more change and therefore must be re-filled more frequently if they are to serve their purpose. The change-making apparatus also will require more frequent repair. This increased servicing of machines will consume some of the expected revenue gain. Second, increased demand for change from the machines has increased user-exposure to various design flaws in the change-making functionality of the machines.

The Postal Service should either keep the machines full of change or change the stamp-price to $.30. Simply fixing the machines to behave "correctly" when out of money won't solve the real problem: long lines in post offices.

Jeff Johnson, HP Labs

------------------------------

Date: Fri, 8 Feb 91 10:26:55 PST
From: jerbil@cobalt.cco.caltech.edu
Re: Electronic Cash

In comp.risks you (Brian Yamauchi ) write:

>I'm in favor of replacing the various pieces of paper and bits of metal we
>currently use for money with a more convenient electronic system, but I think
>this should and will be done via the free market rather than as mandated by the
>central government.

Agreed. This is what the growing trend for payroll electronic automatic deposit, and Social Security "direct deposit", are all about.
Agreed, that for payments over $20 a credit card is handy. But I'd rather have the option, thanks, to handle my finances more flexibly.

My big disagreement with you comes with the transfer scenario -- if that's the only method of transfer. Checks of many sorts handle the large transfers, as do wire transfers, and cash handles the small stuff. Want to absolutely ruin a cashless society? Turn off the power to the clearinghouses. I wonder how commerce fared during the New York black-out of several years ago, when no one had power. Shopkeepers which didn't have to depend on credit-card sales didn't see the same dip in sales for the month that the others would, I'd wager....

>I'm not extremely enthusiastic about giving the government too much
>information. It is true that they could abuse this. On the other hand, the
>real solution is to enact pro-freedom measures legislatively to limit the
>government's power. If either (1) the government ceases to become democratic,
>or (2) the majority wants to allow government oppression, then there's not a
>lot you can do -- short of armed rebellion -- the tanks can always roll through
>the streets.

If the government ceases to be democratic, or the majority wants government oppressions, then those will be fought by citizens who do not want to see the US Constitution circumvented. The Constitution came out of the efforts of citizens trying to weld together thirteen States in a failing Confederation after a bloody armed rebellion. The tanks can roll through the streets, but unless there's valid authority behind it, it's unconstitutional. The bystanders might be just as dead, but the following reactions would bring the balance back.

>Electronic cash would have both positive and negative effects on crime. On the
>positive side, violent crimes would drop substantially -- no longer would you
>have to worry about being knifed for your wallet in a dark alley. On the
>negative side, the potential for computer crime would be increased.
>At least in theory, this could create the potential for truly huge sums of money to be
>stolen, not by stealing large chunks, but by stealing minute amounts from large
>numbers. For example, stealing 1 cent from every transaction made in the U.S.
>would probably result in a take in the $million/day range.

Depends on the method of 'cashlessness'. If the cards are truly personal, stealing them would be a better method of tying him up than beating him into hospital. If not personal, then anyone wishing more money would simply mug for the cards, just as they currently mug for coins and paper and cards. (I thought most muggings were non-violent.)

Several cases have already meandered through RISKS' attention about computer money-skimming schemes at banks, including the 'take the round-off balance account and assign it to me' scam. And the 1-cent per transaction fraud would be noticed somewhere, since it's simply a variation of how banks get paid for their services.

>Still, given a choice, I would rather have some hacker breaking into
>my checking account than some mugger slitting my throat...

I'd rather have the mugger. Most of them don't go for the strong, the active, or those who look like they know what they're doing. The others tend to be caught not long after. With hackers, no one could be the wiser, it's not clear what laws are applicable and to what extent, and the damage potential is orders of magnitude higher.

Joseph Beckenbach

------------------------------

Date: Fri, 8 Feb 91 10:40:39 PST
From: jerbil@cobalt.cco.caltech.edu (Joseph R. Beckenbach)
Subject: Re: Electronic cash completely replacing cash

In RISKS-11.06 Richard A. O'Keefe writes regarding David Witt in RISKS-10.81:

>Eh? These machines are going to be *at least* as expensive as VCRs, and we're
>talking about distributing > 500 million of them (ALL homes and businesses,
>remember, and businesses will need as many of these gadgets as they have cash
>registers). Then think about maintenance.
Let's see, that's running $150.00 x 200 x 10^6 as a low estimate. $30 G-bucks. That's over 1% of the current deficit. GACK!

>> The Federal Reserve would be better able to follow the economy, helping
>> to stabilize the financial markets.

It ain't broke, don't fix it. At least, that part ain't broke.

>Here we have someone who does not believe in the Free Market, and has
>a wonderful child-like faith that because there is an outfit whose task
>is to manage the economy that it is able to do it.

I have a bridge for him. See below....

>The thing that is really evil about the suggestion is that it is a
>technological fix to a social problem; the basic attitude is that
>human "misbehaviour" is best cured by making people behave like good
>little cogs. "Forget trying to build a humane society so that fewer
>people *want* to buy drugs, let's build electronic cages so they're
>found out." How do we educate people like this?

I think it's as simple as saying "Eastern Bloc during the Cold War". Reasonable minds can, and _should_, take it from there.

Joseph Beckenbach

------------------------------

Date: Mon, 11 Feb 91 09:35:36 EST
From: 34AEJ7D@CMUVM.BITNET
Subject: RE: cashless society, a post-mortem

Two points militate more strongly against this scheme than any others I can think of:

1. The "barter" economy is already well-entrenched in the underground economy. This proposal would immeasurably swell the ranks of those trading by this method,

2. The "hand print and retina pattern" scanners would, I am rather certain, run afoul of the recently-enacted ADA (Americans with Disabilities Act) as illegally discriminatory. There are, boys and girls, people in the good ol' US of A with neither hands nor eyes who are nevertheless productive citizens.

------------------------------

Date: Mon, 11 Feb 91 19:17:11 GMT
From: M P Evans
Subject: Re: Electronic cash (post dated cheques)

With reference to Frank Wales' article (RISKS-11.06)

Post dated cheques (at least in Britain) have no validity. If someone were to write me a cheque with next month's (or next year's) date on it I could immediately present it at my bank, and they would accept it without question.

This has happened with a cheque I wrote, which I was able to have returned to me, which clearly shows that the date it was paid in (by the bank's stamp) was before the date which I wrote on the cheque.

The only thing which can stop such a cheque being processed is the staff at the bank, they do not check the date. The only information known to the automatic processing system is the cheque number, sort code (bank), account number and the value of the cheque. The first 3 are preprinted on the cheque, the latter typed in at the bank.

Mark Evans, Univ. of Aston in Birmingham, Aston Triangle, Birmingham, England.

------------------------------

Date: Mon, 11 Feb 91 21:23:35 EST
From: jake@mars.bony.com
Subject: Cashless Banking and Privacy

[Internally-From: Jake Livni ]

Daniel B Dobkin describes the ultimate government surveillance tool:

>Unfortunately, Smith doesn't attribute the source of this story; does
>anyone out there have any clues? Enquiring minds want to know.....

Try the Nova show called "Computers, Spies and Secret Lives" which first aired on PBS on Sept. 27, 1981. Excerpts from the transcripts for that show follow:

PAUL ARMER
Several years ago, I was a member of a workshop of computer people [and] law enforcement people who were gathered together and asked to pretend that we were consultants to the Russian Secret Police...given the task of designing for them a system which would keep track of all the Soviet citizens, plus all the foreigners who happened to be within the boundaries of the USSR.
After considerable study, the workshop concluded that the best system to build for the KGB, the secret police, was an electronic funds transfer system, for the reason that electronic funds transfer systems not only know what you're buying, but where you are in real time at the time you're making your financial transaction.

NARRATOR
Some privacy experts acknowledge these threats and consider them beyond existing computer capacities.

[This is followed by a bank vice-president who says that ATM usage produces too much information to sort through with then-current computers, except in a serial manner.]

Jake Livni jake@bony1.bony.com

------------------------------

Date: Fri, 8 Feb 91 14:29:15 -0600
From: Jeff Helgesen
Subject: Cashless gas pumps; alternative to credit card use

The risks inherent in automated charging to credit cards are easily avoided by use of a system like the one(s) used by phone companies in many European countries; that is, the user purchases a card of a particular denomination via a vending machine [or human vendor, if the stories regarding post office machines put you off]. This card has a mag strip encoded with a value which can be read and written to by the automated pump. The card remains in the machine and decrements the value available until the transaction is completed (either the user stops the pump, or the value of the card is dropped to $0, and the pump shuts off automatically), whereby it is ejected. Used-up cards may then be discarded; cards with value remaining may be kept until the next time the user needs petrol.

Benefits versus credit card system include:

  o Difficult system to defraud; only risk to petrol vendor is that a wily consumer will figure out the encoding scheme.
  o Validation of identity is no longer required. Too bad if you lose your card, though I'd rather lose one of these than my AmEx.
  o Handling costs are reduced, presumably reducing the pump price of gas.
  o Big brother is not watching.

Jeff Helgesen jmh@morgana.pubserv.com

------------------------------

Date: 9 Feb 91 06:11:20 GMT
From: dick@smith.UUCP (Dick Smith)
Subject: Re: A risky gas pump (Grumbine, RISKS-11.03)

I worked on such a system at a previous employer, and think that the concerns expressed are overdone. Here are my thoughts on the worries expressed about this auto-approving gas pump:

Is card mine: Well, it's probably checked as well as the typical human attendant checks it... I am surprised when someone looks at the back of mine to verify my signature. I try to remember to thank them for doing it!

Receipt disagrees: Complain to the attendant immediately... (in the US, there WILL be an attendant, if only to shut the pumps off if there is a fire) just as you would if the receipt that you got inside was wrong. It's a requirement that the amount pumped stay displayed on the pump until the next person uses it, so you'll have something to compare against if you hurry.

It remembers my card number: Again, I don't know why this is any more likely than the human attendant copying down your number and reusing it. Certainly not on purpose, anyway. When I worked in this industry, I recall that the credit card network had its own validation organization which served as an independent check for credit equipment vendors. I remember their testing as being fairly comprehensive, followed by a month long beta test at a single site with the paper logs checked. We felt pretty good when we got through with it.

The receipt printer doesn't work: Well, the cutter kept jamming in ours... you'll have to go inside in that case, and get the guy to write one by hand. He can copy the info off the paper tape log.

Actually, I worried more when I used a gas pump of a kind that wouldn't be allowed in the U.S. (because of that fire law). I was in Holland last fall, and had occasion to buy gas on the AutoRoute late one night.
The station I pulled into has no attendant, just a bill reader for (I think) 20 & 50 guilder bills. What I worried about was what I was going to do if I put in too much money, since there was no change return at all. I managed to buy 2/3 of a tank for my rental car, though, with no trouble.

Dick Smith, R.H.E Smith Corp ...ast!smith!dick dick%smith@ast.dsd.northrop.com

------------------------------

Date: Sat, 9 Feb 91 15:34:40 GMT
From: lhe@sics.se (Lars-Henrik Eriksson)
Subject: Re: risky gas pumps (Clark, RISKS-11.05)

I've been buying gas from automatic gas pumps (both manned and unmanned) in Sweden for several years. I have not yet had a single case of incorrect charging or any other problem that is worse than not getting gas out of the machine.

However, at about 20% of all occasions I use these machines, I do *not* get a receipt. Usually because the machines are out of paper.

Lars-Henrik Eriksson                   Internet: lhe@sics.se
Swedish Institute of Computer Science  Phone (intn'l): +46 8 752 15 09
Box 1263                               Telefon (nat'l): 08 - 752 15 09
S-164 28 KISTA, SWEDEN

------------------------------

Date: 11 Feb 91 18:08:23 GMT
From: sandberg@ipla01.hac.com (K. M. Sandberg)
Subject: Re: A risky gas pump
Sender: news@hacgate.UUCP

(Re: Lehman, RISKS-11.05)
> None. But my other credit card purchases are not usually validated
>either. I think the fair credit acts protect you somewhat.

The difference is that with regular credit card transactions you have to sign the slip, with ATM transactions you have to enter a pin code, either of which indicates that you are the owner of the card or in the case of the signature, you can show it is not your signature, with the readers there is no such protection, but one question I have is what happens if you dispute a charge. Since they have no proof of who charged it, except an electronic card number.
Normally a lot of the disputes can be resolved by looking at the signed charge slip, in this case there is none, nor was there any pin code entered as an electronic pseudo-signature, so is there really an agreement?

(Re Margolin, RISKS-11.03)
>From: barmar@think.UUCP (Barry Margolin)
>Subject: Re: A risky gas pump (from RISKS DIGEST 11.03)
>
>Your tone suggests that this is a new risk. ...

This is a new risk, allowing the use of a credit card with no trace back on who used the card, no signature to forge, no pin code to break, nothing. There is no license plate recorded or anything else. You could take a valid charge and say that it was not valid, how do they prove it was? They take a charge that is invalid, how do you prove it was not? Normally you can request the charge slip and so it can be shown that it was not your signature, but in this case anyone who has access to the card can use it. If someone borrowed your card, you at least stand a chance of detecting who it was based on the signature.

As far as the phone credit calls, there is a record of the phone numbers and where the call was placed from, along with a history which can be checked to see if you ever called that number before, so it is quite different. With mail order house they are supposed to have your signature on file and if they don't you can dispute the charge, but in any case they have a record of where the stuff was sent, and a way to track the person because of that.

I used such gas pumps, but I also write down all the information in a book to watch the gas mileage, so if there was a problem I could show that the gas was not put into one of my cars, unless I forged other entries. Personally I think the gas stations are taking a large risk unless they have something to track the cards better than it appears (ie. some information to ensure that the card number really belongs to the person, like the name. ATM cards have this information).
Also if the card is lost or stolen it is generally the case that the person could not keep reusing the card because a person might notice and might also recognize them. In this case the card holder is not seen. Maybe there is a check to make sure that the card is not used too many times, I don't know. What I do know is that if your card is lost and returned, you better be very careful in knowing what you had charged to make sure that a charge was not made before it was returned.

Kemasa.

------------------------------

Date: Mon, 11 Feb 1991 13:12:21 PST
From: malloy@nprdc.navy.mil (Sean Malloy)
Subject: Re: Burned by a gas pump (was Re: A risky gas pump, RISKS-11.05)

> How about if my number is not cleared from the pump's memory and I get
> billed for the entire day's gas from that pump?

Your number can be cleared from the pump's memory and still try to take you, as long as the programmers for the billing software don't pay attention to weird-case transactions.

Some months ago, I received a bank statement showing that I'd been billed twice for the same transaction at an ARCO PayPoint gas station using my ATM card. The circumstances were that I was returning home _late_ at night, and had stopped to fill my tank. Between the time I'd opened the transaction and shut off the pump after filling my tank, the time had rolled across midnight to the next day. The billing software ARCO was using billed me for each end of the transaction, since there was a transaction start record for an amount of $9.56 on day X, and a transaction end record for an amount of $9.56 on day Z+1.

The reason I noticed the error was that there were two transactions listed on consecutive days with the same transaction number and amount. When I called the customer service number for my bank and talked to the representative, they said that they'd take the duplicate charge off my account and inform ARCO of the problem; I got the notification of the credit to my account about a week later.
Since then, when I've had to fill my tank close to midnight, I always wait for the date to change if there's a chance that it would roll over while I was pumping gas.

Sean Malloy, Navy Personnel Research & Development Center, San Diego, CA 92152-6800
malloy@nprdc.navy.mil

------------------------------

Date: Fri, 8 Feb 1991 14:01:30 GMT
From: peter@taronga.hackercorp.com (Peter da Silva)
Subject: Risky gas pumps

These pumps appeared a couple of years ago here in Houston, then most of them promptly vanished. Why? Simple... people buying gas this way didn't tend to make impulse purchases of the overpriced soft drinks, candy, motor oil, and other things they pile up around the regular payment window and revenue actually went down.

The risks aren't just one-way.

(peter@taronga.uucp.ferranti.com)

------------------------------

Date: Fri, 08 Feb 91 08:31:26 EST
From: 34AEJ7D@CMUVM.BITNET
Subject: gasoline

Guy Sherr writes:
>Gasoline is a volatile high explosive.

Wrong. Gasoline is incapable of true "detonation", as required by the definition of a "high" explosive.

------------------------------

Date: Fri, 8 Feb 91 09:18 MET
From: rmoonen@hvlpa.att.com
Subject: Re: Electronic telephone directory

MFMISTAL@HMARL5.BITNET (Jan Talmon) writes:

->In the Netherlands, printed telephone directories provide telephone numbers
->by using the name as an index. Currently, there is also an electronic
->version of those directories available by means of a VIDITEL service.
->Here it is also possible to ask for a telephone number by providing the
->street name, the house number and the city. This involves an inherent risk.
->When one observes that there are apparently no people in a house, one can
->ask for the phone number, dial that number and when no one replies....
->it may be safe for burglars to go in.

So what's the big deal here? The Dutch PTT has a directory assistance number (dial 008) that gives exactly the same service, but cheaper.
And it's a voice number, so it's probably faster too. The computer number is only good when wanting to look up a lot of numbers, as directory assistance only gives you two informations per call. Another thing that the computer service does, but the voice number not, is give you the name & address, when you supply only the telephone number. I don't consider this a COMPUTER risk as:

1) the service was available all along, only voice.
2) Unlisted numbers are not in the computer
3) Burglars don't tend to pre-select their victim, but rather go out to a 'nice' neighbourhood, and find a suitable house there and then.
4) Burglars don't tend to have computers & modems unless they stole it from a previous victim :-)

->It seems also to be an invasion of one's privacy, since one need not to
->know a name in order to place harassing/obscene phone calls.

No. I definitely disagree with this statement. One NEVER needs to know a name in order to find the telephone number. If this was an invasion of ones privacy, then get your name-tag off your frontdoor too! Furthermore, if you don't want _any_ unsolicited phonecalls, just change your number to an unlisted one. This costs nothing if you do it at the initial request for a telephone line, and it costs F35.00 ($20.00) if you want it changed to an unlisted number later. (BTW: I live in The Netherlands too, and have an unlisted number)

--Ralph Moonen --rmoonen@hvlpa.att.com

------------------------------

End of RISKS-FORUM Digest 11.11
************************
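
The double charge Sean Malloy reports in this issue (a transaction start record on one day, an end record on the next, each billed) can be reproduced and avoided as sketched below. This is an added example, not ARCO's billing code and not part of the digest; the record layout, function names and sample log are constructed assumptions.

```python
"""Added illustration: a pump sale whose start and end records straddle midnight.
Record layout, names and the sample log are assumptions, not any vendor's format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed pump log: (txn_id, card, kind, amount_cents, timestamp)
LOG = [
    ("T1001", "card-A", "START", 1250, datetime(1991, 2, 9, 18, 2)),
    ("T1001", "card-A", "END",   1250, datetime(1991, 2, 9, 18, 6)),
    ("T1002", "card-B", "START",  956, datetime(1991, 2, 9, 23, 57)),
    ("T1002", "card-B", "END",    956, datetime(1991, 2, 10, 0, 3)),
    ("T1003", "card-C", "START",  700, datetime(1991, 2, 10, 9, 0)),  # never closed
]


def naive_daily_billing(log):
    """Flawed: each calendar day's batch bills every transaction id seen that day."""
    batches = defaultdict(dict)
    for txn, card, _kind, cents, ts in log:
        # START and END collapse into one charge only if they share a date.
        batches[ts.date()][txn] = (card, cents)
    return [(day, txn, card, cents)
            for day in sorted(batches)
            for txn, (card, cents) in batches[day].items()]


def paired_billing(log):
    """Bill once per transaction id, on its END record, whatever the date.

    Returns (charges, unmatched): unmatched lists STARTs never closed and
    ENDs that are duplicates or have no matching START, for manual review.
    """
    open_txns, billed, charges, orphans = {}, set(), [], []
    for txn, card, kind, cents, ts in sorted(log, key=lambda r: r[4]):
        if kind == "START":
            open_txns[txn] = card
        elif txn in billed or open_txns.pop(txn, None) != card:
            orphans.append(txn)
        else:
            billed.add(txn)
            charges.append((ts.date(), txn, card, cents))
    return charges, sorted(open_txns) + orphans


def suspect_duplicates(charges, window=timedelta(days=1)):
    """Statement-side check: same transaction id, card and amount posted
    again within `window` (how the double charge was spotted by the customer)."""
    last_seen, hits = {}, []
    for day, txn, card, cents in sorted(charges):
        key = (txn, card, cents)
        if key in last_seen and day - last_seen[key] <= window:
            hits.append((txn, last_seen[key], day))
        last_seen[key] = day
    return hits


if __name__ == "__main__":
    naive = naive_daily_billing(LOG)
    print("naive charges:   ", naive)
    print("flagged:         ", suspect_duplicates(naive))
    charges, unmatched = paired_billing(LOG)
    print("paired charges:  ", charges)
    print("needs review:    ", unmatched)
```
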