Mike Ingle writes:
At CES someone was showing a cellular credit card machine. It had an antenna and a regular card reader, and was battery powered, so it could be used anywhere. The machine was designed to be used in taxicabs, at swapmeets, and wherever there were no phone lines available.
I asked the rep about its security - does it use encryption? No, it does not use encryption. It sends your credit card number and expiration date over the cellular link in clear. Most credit card machines use low-speed modems which are trivial to intercept. This one is probably no exception. Here is a case where DES is badly needed and not being used. If this machine becomes popular, thieves will be trailing taxicabs with scanners and tape recorders.
Although I sincerely agree that the data should be encrypted, is it really that easy to intercept cellular phone calls? I thought you had to go to considerably more effort than programming a scanner to pick up these transmissions - I don't know much about cellular phones, but I thought they hopped frequencies and so forth such that it was a real pain to listen in.
The reason I ask is that I have a buddy who works for local law enforcement. His group is about to roll out a network of laptops in their cars, linked by modem to the AS/400 that serves as their gateway to NCIC. We've talked about how easy it is to intercept/spoof transmissions in the clear on a single channel, but we both figured it would be considerably more difficult to intercept cellular calls. Given the level of understanding of the fuzz, they'll probably slap a Hayes modem on their Barney Fife Cop Car Radios anyway, and I'll gleefully try to trap their transmissions.... just as an exercise, of course, to educate them as to the error of their ways...
Seriously, folks, this issue is a valid one. If [insert favorite bogeyman here] can dial a scanner and pick up credit card numbers, vehicle and driver's license data, and criminal histories, our privacy is due for another beating. The way I got my friend's attention was to ask whether the police department is liable for revealing private information - in other words, if Charles Manson grabs my license data off the cops' data net, can I sue the cops?
--
........................................................................
Philippe D. Nave, Jr.   | The person who does not use message encryption
pdn@dwroll.dw.att.com   | will soon be at the mercy of those who DO...
Denver, Colorado USA    | PGP public key: by arrangement.