Wednesday, October 8, 2008

A security idea...

While reading about the latest ATM card skimmers (which apparently send your card details via SMS to the thieves), I got an idea.

Traditionally, the integrity of a physical object is certified by a sticker that acts as a seal... you see the sticker, it's not broken, so you assume the device hasn't been tampered with. But of course with modern color laser printers you can easily forge such a sticker, and the resulting arms race with holograms, watermarks etc. will make the stickers prohibitively expensive with little real security gain, because the check depends on the customer knowing what a genuine sticker looks like (ever examined all the security marks on a bank note? Do you even KNOW all of them by heart?).

So my idea is a little different... with 2-dimensional barcodes (QR codes and suchlike) you can put digital information onto a sticker, and a small handheld device like a mobile phone can read that information and show it to the customer. Now... what if you took some form of identification (ATM location, serial number, things a customer can easily check against the machine in front of them), digitally signed that information with the bank's private key, and put the data plus the signature onto the sticker?

By doing this, you give the customer something they can verify themselves (the aforementioned ATM location, serial number, whatever), and a means to verify that the sticker wasn't made up by someone else: the signature only checks out with the bank's public key, which the phone software carries, so a forger cannot produce a valid sticker for data of their own choosing. The stickers can be made individually for every sealed object; all you need is a common label printer, a laptop and some software.

The remaining problem to solve is which identification marks to use so that people can confirm that this sticker really certifies THIS object, since a signed sticker can still be photocopied and moved. One possibility is embossing the serial number into all critical parts, for example right above the card slot. A card skimmer glued on top would then hide the serial number, and the sticker plus the embossed serial would at least create an obstacle for the criminals: they'd have to emboss the matching serial into each of their skimmer faceplates, making each one single-use for that one machine, and they still couldn't alter the sticker to name any other serial, so the genuine sticker stays tied to the ATM it was issued for rather than to the fake faceplate.
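To make the scheme concrete, here is an added example (my code, not part of the original post) of both halves: the issuer side that signs the identification data and produces the text to put into the QR code, and the phone side that verifies the signature and then compares the signed serial against the one the customer reads off the machine. It uses Ed25519 from Go's standard library; the field names, the "SEAL1:" label prefix, the demo key seed and the sample ATM data are all assumptions for this example. The QR encoding and scanning itself needs a library and is left out; the label string is what would be encoded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SealInfo is the identification a customer can check against the machine
// itself: operator, branch location and the serial number embossed next to
// the card slot. Field names are assumptions for this example.
type SealInfo struct {
	Operator string `json:"operator"`
	Location string `json:"location"`
	Serial   string `json:"serial"`
	Issued   string `json:"issued"`
}

// labelPrefix lets the phone app recognise a seal label among other QR codes.
const labelPrefix = "SEAL1:"

// DemoKeys derives a fixed Ed25519 key pair from a constant seed so the demo is
// reproducible. A real issuer would generate the key once, keep the private
// half on the label-printing laptop only, and ship the public half in the app.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("demo seed, not for production"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// MakeLabel signs the seal info and returns the text to feed into a QR encoder:
// prefix, base64url(payload), ".", base64url(signature).
func MakeLabel(priv ed25519.PrivateKey, info SealInfo) (string, error) {
	payload, err := json.Marshal(info)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	enc := base64.RawURLEncoding // no '=' padding and no '.', so the separator is unambiguous
	return labelPrefix + enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// VerifyLabel is what the phone does after scanning: it checks the signature
// against the issuer's public key and only then returns the signed fields.
func VerifyLabel(pub ed25519.PublicKey, label string) (SealInfo, error) {
	var info SealInfo
	if !strings.HasPrefix(label, labelPrefix) {
		return info, errors.New("not a seal label")
	}
	parts := strings.SplitN(strings.TrimPrefix(label, labelPrefix), ".", 2)
	if len(parts) != 2 {
		return info, errors.New("malformed label")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return info, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return info, err
	}
	if !ed25519.Verify(pub, payload, sig) {
		return info, errors.New("signature does not verify: sticker forged or altered")
	}
	if err := json.Unmarshal(payload, &info); err != nil {
		return info, err
	}
	return info, nil
}

// CheckSeal is the full customer-side check. A valid signature alone is not
// enough, because a genuine sticker can be photocopied or moved; the signed
// serial must also match the serial embossed on the faceplate in front of the
// customer.
func CheckSeal(pub ed25519.PublicKey, label, observedSerial string) (SealInfo, error) {
	info, err := VerifyLabel(pub, label)
	if err != nil {
		return info, err
	}
	if info.Serial != observedSerial {
		return info, fmt.Errorf("genuine seal, but issued for serial %q, not %q", info.Serial, observedSerial)
	}
	return info, nil
}

// RewriteSerial simulates a forger who edits the serial inside a genuine label
// but has no private key to re-sign it; the result must fail verification.
func RewriteSerial(label, newSerial string) string {
	parts := strings.SplitN(strings.TrimPrefix(label, labelPrefix), ".", 2)
	if len(parts) != 2 {
		return label
	}
	payload, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var info SealInfo
	_ = json.Unmarshal(payload, &info)
	info.Serial = newSerial
	forged, _ := json.Marshal(info)
	return labelPrefix + base64.RawURLEncoding.EncodeToString(forged) + "." + parts[1]
}

func main() {
	pub, priv := DemoKeys()
	// Constructed sample data for the demo.
	info := SealInfo{Operator: "Example Bank", Location: "Main St branch, lobby", Serial: "ATM-0042", Issued: "2008-10-08"}
	label, _ := MakeLabel(priv, info)
	fmt.Println("label for QR code:", label)
	for _, tc := range []struct{ name, label, serial string }{
		{"genuine sticker on its own machine", label, "ATM-0042"},
		{"genuine sticker moved to another machine", label, "ATM-0099"},
		{"sticker with edited serial", RewriteSerial(label, "ATM-0099"), "ATM-0099"},
	} {
		if _, err := CheckSeal(pub, tc.label, tc.serial); err != nil {
			fmt.Printf("%-42s FAIL: %v\n", tc.name, err)
		} else {
			fmt.Printf("%-42s ok\n", tc.name)
		}
	}
}
```

The split between VerifyLabel and CheckSeal is the point of the post in code: the signature proves the bank issued the data, and only the comparison with the embossed serial proves it was issued for this machine. An app that stops after the signature check would happily accept a photocopied sticker on a skimmer.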

