“The petition, set up by Dan Frydman of web firm Inigo, currently has just 44 signatures.”

Since when is a petition with 44 signatures worthy of front page BBC News? Does someone in their web team have an undisclosed anti-IE6 agenda, or has the Beeb started doing marketing work on the side?

Since the BBC story was posted, the petition has gained approximately 1300 signatures.

Update: 11 hours later and the petition has 4400 signatures.

I called them immediately and we went through the usual security shenanigens (inside leg measurement, favourite adverb, etc) and the card was activated.

A couple of minutes after my activation call I received a phonecall from a lady who claimed to be from the same credit card company, saying that she had to confirm who she was talking to before she could tell me something very important about my credit card.

She asked me all the security questions, and this time I refused to answer.

I explained to her that she could have been anyone, so I asked her to prove her identity by telling me something that only the two of us could know, something from my account or something about my previous phonecall. She said she couldn’t because of the data protection act. So I took her name and extension number, and called her back on the standard company number.

Telephone security in this credit card company is fundamentally flawed. Their policy of calling customers without a means of self authentication whilst asking customers to provide personal information as an authentication token results in an overall reduction in the security of their cardholders.

The recent spate of phishing has led to many banks and credit providers issuing warnings about not giving out your personal details online, yet this is an example of a company that’s normalising the process of giving away your credentials to an unauthenticated party through their own actions.

Recent articles by the Guardian, the BBC, the Register and Bruce Schneier have highlighted some insight provided by Dr. Emily Finch‘s interviews with credit card criminals:

“One of the things that is very clear is that it is a difficult matter for a fraudster to get hold of somebody’s card and then find out the PIN. So the focus has been changed to finding the PIN first, which is very, very easy if you are prepared to break social convention and look when people type the number in at the point of sale … and then attempt to steal the card at a later date.”

To combat such social miscreants, the Chip and PIN machine that’s installed in my local store (pictured) features a small finger shield that can partially obscure the view of a ne’er-do-well who has to be looking at just the right moment to be able to spot the PIN.

The effectiveness of this shield is largely compromised, however, because the checkout camera stays squarely focused on the customer, and their PIN, even when everybody else does avert their gaze: so anybody that has access to the shop’s security recordings doesn’t need furtive glances, they can take their time and study every delicate finger movement as the PIN is entered.

If this is not happening already, it will, I guarantee it.

Today the resolution on most ageing surveillance cameras is unlikely to be high enough to enable a frame-by-frame zoomed analysis of how a shoppers fingers move as they type their PIN, but, that’s changing, because of the rapidly decreasing cost of low and mid-range digital imaging equipment. The future of digital surveilance is crisp focused pictures, that can get a very good closeup of any keypad.

Next time you use your chip and PIN card, take a look around and see if you’re being recorded. Ask the shopkeeper about who has access to the security tapes.

I asked at my local store (purely out of interest) and was met with an open mouthed “Uh?”.

If you’d like to take the investigation further in the UK, then the Data Protection Act (DPA) provides for a useful means of gathering material that can illustrate the problem. The DPA grants the subject of any CCTV recording access to “the information held about them, a description of why that information is being processed, and details of anyone who may see a copy of the data, to whom it may be transferred, and the logic involved in any automated decisions taken on the basis of that data.” So for the cost of a stamp, and a maximum fee of £10, it’s possible to get a copy of the recording, and see for yourself whether your PIN is decipherable.

When I receive comment spam which doesn’t obviously link to a gambling, pornographic or pharmaceutical site then I usually do a little investigation to see what’s on the site, who owns it, why they’re spamming me, etc.

In the last 24 hours I’ve been hit by comment spam promoting MyNiceMailAt.com.

1. I tried to look at mynicemailat.com, and it didn’t exist; so
2. I tried to find the domain ownership records, and they didn’t exist either.

MyNiceMailAt.com was an unregistered domain, being promoted by a spammer.

1. I like to do my bit for hindering spammers; so
2. I bought the domain, before the spammer could; so
3. the entire spam run has been a waste of the spammer’s time and resources.

Useful Info

• If you’d like to learn more about comment spam, I highly recommend Ann Elisabeth’s SpamHuntress blog.
• This is not the first time such action has been taken by a spam recipient, last year jagk.com was similarly snapped up, and now has a regularly updated spam blacklist that you can add to your .htaccess file (if you don’t run your blog server, tell your administrator about it).

In computing, it’s a simlar process, the low level computer code that makes up a program can be turned into higher level code that humans find more palatable. The result, is a set of “blueprints” that allow an experienced software engineer to go beyond an understanding of what a program does; they know how the program does it .

Legally, this has been a grey area for some time. Although there are commercial & contractural technicalities that make reverse enginering code “a little bit illegal”, there are some important benefits.

To understand the benefits it’s first necessary to accept that there are some people in the world who are inherently naughty, and who will therefore reverse engineer code, and exploit any weakness they find – because they can, and because they don’t care about the consequences. Typically, an exploitable weakness will be something very simple that enables an attacker to gain control of a machine.

There are an opposing group of noble, unsung-superhero-type-good-guys who also reverse engineer stuff, but they don’t do bad things with it. Instead they analyse the vulnerabilities of many different pieces of software, and improve the process of software engineering by talking about the problems they see – because they can, and becasue they do care about the consequences.

Today, a French court has convicted a security researcher (one of the people in the second group) and dished out a €5000 suspended fine for the crime of reverse engineering an anti-virus product which he proved was open to exploitation.

So – all French superheroes are now open to large fines if they publish their findings. This means that they won’t publish. This will do nothing to stop the naughty people from reverse engineering software and exploiting the weaknesses, but it will stop the software manufacturers from improving their code, because the flaws won’t be found, not in France anyway.

Zoot alors.

Bad-guys, 1, Good Guys, nil.