While reading about the latest ATM card skimmers (which apparently send your card details via SMS to the thieves), I got an idea.
Traditionally, security of physical objects is certified by a sticker which acts as a seal... you see the sticker, it's not broken, you know the device hasn't been tampered with. But of course with modern color laser printers, you can easily forge such a sticker, and the resulting arms race with watermarks etc. will make the stickers prohibitively expensive, with no real security gain (ever examined all security marks on a bank note? Do you even KNOW all of them by heart?).
So my idea is a little different... by using 2-dimensional barcodes (QR-codes and suchlike) you can put digital information onto a sticker, and a small handheld device like a mobile phone can be used to make that information visible. Now... what if you'd take some form of identification (ATM location, serial number, stuff that a customer can easily verify), digitally sign that information, and put that onto a sticker?
By doing this, you give the customer something he can verify himself (aforementioned ATM location, serial number, whatever), and a means to verify that the sticker wasn't forged (since it has a digital signature). The stickers could be easily made individually for every sealed object, all you need is a common label printer, a laptop and some software.
The only problem still to solve would be what identification marks to use that people could use to verify that this sticker really certifies THIS object - one possibility would be embossing serial numbers on all critical parts, for example right above the slot for the ATM card. This would effectively prevent a card skimmer being glued on top, as this would hide the serial number, and the sticker and embossed serial number would at least create an obstacle to the criminals - they'd have to emboss the serial to each of their card skimmers, making them effectively single-use, AND they'd still not be able to forge the security sticker (which would therefore not be attached to the ATM AND the fake faceplate).
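A sketch of the signed sticker and the customer-side check, added here as an example and not code from this post. It assumes Ed25519 as the signature scheme (the post names none), and the serial, location and key seed are constructed. The last check covers the open problem above: a genuine sticker copied onto another device still verifies, so the signed serial must match the embossed one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// MakeSticker returns the barcode text: base64url(serial "\n" location) "." base64url(signature).
func MakeSticker(priv ed25519.PrivateKey, serial, location string) string {
	payload := []byte(serial + "\n" + location)
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload))
}

// CheckSticker verifies the issuer's signature, then ties the sticker to the
// device by comparing the signed serial with the serial embossed on it.
func CheckSticker(pub ed25519.PublicKey, sticker, embossedSerial string) (string, error) {
	p, s, _ := strings.Cut(sticker, ".")
	payload, err1 := b64.DecodeString(p)
	sig, err2 := b64.DecodeString(s)
	if err1 != nil || err2 != nil {
		return "", errors.New("malformed sticker")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return "", errors.New("forged or altered sticker")
	}
	serial, location, _ := strings.Cut(string(payload), "\n")
	if serial != embossedSerial {
		return "", errors.New("genuine sticker, but not for this device")
	}
	return location, nil
}

// demoKeys derives a key pair from a constructed seed byte (demo only; a real
// issuer key is random and never leaves the label-printing station).
func demoKeys(b byte) (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, 32))
	return priv, priv.Public().(ed25519.PublicKey)
}

func main() {
	priv, pub := demoKeys(0x42)
	s := MakeSticker(priv, "ATM-000123", "Example Bank, Main St 1") // constructed values
	fmt.Println(CheckSticker(pub, s, "ATM-000123"))                 // location, no error
	fmt.Println(CheckSticker(pub, s, "ATM-000999"))                 // rejected: wrong device
}
```

The phone only needs the issuer's public key, so the verifier app holds nothing worth stealing.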