(Total Telecom, 26 February 1998).
(TechWeb, 11 February 1998)
Earlier this week, the German weekly
newsmagazine Focus reported that scam
artists from the Netherlands had flooded
Germany with millions of illegally
recharged telephone debit cards. The cards,
designed for Deutsche Telekom payphones,
use a simple EEPROM chip, developed by
Siemens Corp., that deducts value from the
card as minutes are used up.
Ordinarily, once the credit balance reaches
zero, the cards are thrown away or given to
collectors. But the Dutch pirates found a
way to bypass the simple security and
recharge the cards without leaving any
physical evidence of tampering.
The pirates bought up thousands of spent
cards in bulk from collectors, recharged
them, and resold them cheaply to tobacco
shops and other retail outlets across
Germany.
The magazine said that the German association of tobacconist wholesalers
assesses the losses at DM60 million, or
US$34 million. With revenues last
year of close to US$38 billion, Deutsche
Telekom AG is Europe's largest telco and
the third largest carrier worldwide.
But according to Mueller-Maguhn and other
card experts, the Dutch piracy operation is
only the latest, albeit the most widespread,
scam against Deutsche Telekom, which has
encountered security problems with its cards
since they were introduced in the 1980s. It
is not known if the pirates are in custody or
still at large.
"Anyone who observed, with a logic
analyzer, the data traffic between a card and
a public phone could fully understand the
protocol and implement it on a simple
microcontroller plus very little auxiliary
logic," said Kuhn.
Kuhn and Mueller-Maguhn said the flawed
card was replaced in March 1995 with the
current model, which contains another
Siemens chip, the SLE4433 commonly
known as the Eurochip. Though the
Eurochip does contain some simple
cryptography, the pirates soon heard about
a bug hidden in the hardware that could
allow the stored values to be reset.
"The Eurochip has a bug in the chipmask,
allowing a cracker to reload almost all the
bits using a normally unused counter," said
Mueller-Maguhn.
Kuhn said that he examined the flawed
Eurochip under a microscope about six
months ago, and saw what he described as
a typical lowest-cost cryptoalgorithm.
"Siemens has devoted considerable
resources to the development of
leading-edge chip card technology, as well
as to cutting chip development cycle time in
an ongoing effort to identify possible
security issues in next-generation
technology," the statement said.
Mueller-Maguhn and other sources made it
clear that the Dutch pirates were not
technically adept crackers or hackers.
Rather, he said, they were con men who
likely bought the know-how, or hired the
person who discovered the bug, and then
bought spent phone cards from collectors to
reload them in the Netherlands.
"Codebreaking is not an adequate
description for this kind of attack, as it relies
on simple electrical engineering errors in the
chip layout and not on cryptoanalysis," said
Kuhn.
In the meantime, there is little Deutsche
Telekom can do to stop the scam, because
cracked cards are indistinguishable from the
real thing, and the costs of tracking the
pirate cards are prohibitive. Siemens and
Deutsche Telekom are reportedly working
on a new version of the Eurochip, called
Eurochip2.
"Deutsche Telekom doesn't seem to learn
about this in the chip-card business," he
said. "They used security by obscurity in
the first technique, then changed to security
by obscurity in the second technique and
now will likely do it the third time,"
Mueller-Maguhn said.