The reading notes record thoughts from things I read. This blog records my thoughts and summaries after reading. My website:

The unprotectable IT security loophole

There are many whiz kids among us.  Octopus is money, and money is the resource most protected by everybody, especially the banks.  IT data flow securely in networks and are stored in everybody's and every company's vault.  But nothing is absolutely safe.  The cat-and-mouse game of IT security is a forever battle, escalated every day.  The most recent horror story is the breach of Octopus security reported below.

Money is a constant target for counterfeiting.  Counterfeit money is an ancient crime found in many generations.  Now we have a new generation of electronic money.  We suppose that it will have the same level of protection, if not higher.  Transactions of electronic money leave detailed records.  These make them doubly safe.  So it is really a surprise that we now have fake Octopus.

The trick was quite complicated.  The hackers did not hack the Octopus computer; they hacked the Octopus cards.  The reading and writing of data on Octopus cards is proprietary technology, requiring a specially designed device.  The hackers made one.  They were also clever enough to take advantage of the time gap between transactions on the card and the transmission of the data to the Octopus computer.  It took the Octopus company quite some time to realize that the accounts did not tally, and much longer to figure out that someone had tampered with the cards.
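The "accounts did not tally" check is the defender's side of this story: because readers upload their records some time after the card was used, the central system can only catch a rewritten card when it replays each card's chain of transactions and finds a balance it cannot explain. The following is an added example, not code from the original post and not based on any knowledge of the Octopus system's internals; the record layout, the terminal ids, the list of authorised add-value terminals and all sample transactions are constructed for illustration.

```python
"""Reconcile stored-value card records against a central ledger (illustrative).

Each reader uploads its records later; the central system replays every
card's records in the card's own sequence order and flags any card whose
reported balance cannot be explained by the records it has on file.
All data below are constructed, not real Octopus records.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    card_id: str
    seq: int            # the card's own transaction counter
    kind: str           # "deduct" or "topup"
    amount: int         # cents
    balance_after: int  # balance the card reported after this transaction
    terminal: str       # id of the reader that produced the record


# Terminals authorised to add value (constructed list, an assumption).
ADD_VALUE_TERMINALS = {"AVM-01", "AVM-02"}


def reconcile(records, opening_balances):
    """Replay each card's records and return {card_id: [anomaly, ...]}
    for cards whose chain of balances does not tally."""
    by_card = defaultdict(list)
    for r in records:
        by_card[r.card_id].append(r)

    anomalies = defaultdict(list)
    for card, recs in by_card.items():
        recs.sort(key=lambda r: r.seq)
        expected_balance = opening_balances.get(card, 0)
        expected_seq = 1
        for r in recs:
            # A missing counter value means a record has not been uploaded
            # yet, or never will be (e.g. a write made by an unauthorised device).
            if r.seq != expected_seq:
                anomalies[card].append(f"seq gap: expected {expected_seq}, got {r.seq}")
            # Value may only be added by terminals the ledger trusts.
            if r.kind == "topup" and r.terminal not in ADD_VALUE_TERMINALS:
                anomalies[card].append(
                    f"seq {r.seq}: top-up at non-add-value terminal {r.terminal}")
            # The balance the card reports must follow from the previous balance.
            delta = r.amount if r.kind == "topup" else -r.amount
            if r.balance_after != expected_balance + delta:
                anomalies[card].append(
                    f"seq {r.seq}: balance {r.balance_after} != expected {expected_balance + delta}")
            # Continue from what the card claims, so one jump is reported once.
            expected_balance = r.balance_after
            expected_seq = r.seq + 1
    return dict(anomalies)


def flagged_cards(records, opening_balances):
    """Sorted ids of the cards that produced at least one anomaly."""
    return sorted(reconcile(records, opening_balances))


# Constructed sample: card-A is honest, card-B was rewritten off-line.
SAMPLE_OPENING = {"card-A": 5000, "card-B": 500}
SAMPLE_RECORDS = [
    Record("card-A", 1, "deduct", 1200, 3800, "BUS-17"),
    Record("card-A", 2, "topup", 10000, 13800, "AVM-01"),
    Record("card-A", 3, "deduct", 300, 13500, "MTR-03"),
    Record("card-B", 1, "deduct", 300, 200, "BUS-17"),
    # card-B's stored value was altered between seq 1 and 2 with no
    # add-value record, so the next reported balance cannot be explained.
    Record("card-B", 2, "deduct", 1200, 18800, "MTR-03"),
    Record("card-B", 3, "topup", 5000, 23800, "BUS-17"),
]

if __name__ == "__main__":
    for card, issues in reconcile(SAMPLE_RECORDS, SAMPLE_OPENING).items():
        print(card)
        for issue in issues:
            print("  ", issue)
```

Note the caveat the post's "time gap" implies: until a reader's batch has been uploaded, an honest card can look exactly like a tampered one (a sequence gap and an unexplained balance), so in practice a card is only acted on once the anomaly persists after every reader it touched has reported. That lag is the window the scheme lived in, and it is why the discrepancy took time to notice.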

How could they do that?  There is a reasonable explanation: the insiders did it.  The daily job of these guys was the maintenance of Octopus readers.  No wonder they knew the tricks and the loopholes.  Notwithstanding the most sophisticated IT security measures, you cannot keep the locked secrets from the key holder.

There is an unprotectable IT security loophole, which is from within.  Many IT security breach incidents were the result of an insider job.  A dissatisfied staff member is a possible danger.  Even a satisfied staff member can be a potential danger, because there is no way to know when the relationship could turn sour.  So, when it comes down to maintaining staff loyalty, love them every day no matter what.

The most unprotectable IT security loophole is yourself.  You can guard yourself against anyone else, but you cannot guard yourself against yourself.  It is human nature that keeping secrets gives you some satisfaction, and there is always an impulse to share that satisfaction with others, to the point of boasting how clever one was, with some supposedly harmless demonstration.  Many secrets were leaked to unfamiliar persons such as bartenders or one-night partners.  I read about the ways hackers worked.  Not all the tricks were sophisticated.  They said that the most useful trick was social engineering: they could guess the common passwords, and could tempt the innocent into telling their secrets with seemingly harmless emails.

Despite the best-designed systems and guidelines, eventually someone will break the rules.  It may not be the fault of the systems.  A person with ill intent is always the culprit.  Just look at the Bowtie case.  Even with the water-tight Anti-corruption Ordinance, Civil Service Regulations and Administrative Order, nothing can stop the ultimate key holder from opening Pandora's Box himself.

Five arrested for Octopus scam

The police have arrested five people and seized a homemade device for adding value to Octopus cards. Officers said the case is the first of its kind.  The scam came to light after the Octopus company detected unusual activities involving a series of value-added transactions and contacted the police. A man was detained along with his girlfriend, sister and parents.