Monthly Archives: May 2010

Dutch GGD claims survey to be anonymous, but it’s not

Posted on by
Reply

The Dutch healthcare organisation (GGD) is an organisation funded by the Dutch government that is concerned with the health of people in the Netherlands. They want to know about the health of people in the province of Gelderland, so they decided to start a survey.
I agree, statistics, like from the Dutch statistics bureau need to come from somewhere, and in this case it is important they get it from a very diverse an relatively large population.

How it works
So how does the GGD do that? Well, they first they send you a letter with login data. You can login on their website (not using SSL!) using a predefined code and you are ready to fill in the survey. And to be certain you didn’t forget, they send you the survey on paper, so people with no access or know how of the Internet can complete the survey as well.

Sensitive information
The questions they ask you are about your birth year, marital status, education, health, alcohol use, smoking, drug use, eating habits, social environment, violence at home and your work. A lot of sensitive information, some of which you probably don’t even voluntarily tell to your doctor, unless absolutely necessary.

Anonymity
Of course, you don’t have to be afraid that the data you fill in is connected to you as a person, because they offer you to conduct the survey anonymously. So, the GGD offers you a way to keep your privacy. They intent to do this by allowing you to rip off the first paper of the survey before sending it to them. Well ok, I ripp off the first page and my privacy is guaranteed. But then I started wondering what all the the bar codes and identification numbers are doing on each of the pages? (take a look at the first survey page snapshot below)

Anonymous or not anonymous, that’s the question
The thing that really scares me about this survey is the fact that they lie to the participants. This is not an anonymous survey, at least not to my definition of “anonymous”.
They GGD even mistakenly proofs to you that their survey is not really anonymous. How? Because they recently sent me a letter asking why I didn’t fill in the survey. Err wait, I could have submitted it to them anonymously (remember), so how could they possibly know I didn’t sent it to them or filled it in online already..? That’s the point. If it was really anonymous, they shouldn’t have known whether I sent them the survey!

My opinion
I think the GGD screwed up. Not because their survey was bad, nor is their intention to conduct this survey, but solely because they claim that it is anonymous, which it is certainly not! If they ever want to gain my trust again, or even receive sensitive information about myself, they should define what they mean by “anonymous” and provide a proper and clear privacy policy. Lying is not a good basis for gaining consumer trust.

References (the letters)

Vodafone voicemail uses caller ID for authentication

Posted on by
2

This article is about a security risk that I found while using Skype and Vodafone voicemail. In this article I will dive into a specific situation concerning the security of one’s Vodafone voicemail (Netherlands) in combination with Skype‘s ability to spoof the caller ID. Besides that I look at the main concern: trusting a caller ID for authentication purposes.

Vodafone voicemail and Skype

The problem is simple. Vodafone NL offers their customers a voicemail service. If you call the voicemail service from your own mobile phone, you get direct access to the voicemail inbox without needing any form of authorization. It seems the mobile’s caller ID is used for authentication.
Skype, on the other hand, has a ‘feature’ that allows you to assign your own mobile number as a caller ID for Skype-Out calls. This means you can spoof your caller ID, if you authorize it with Skype, for which you only need to respond to an SMS sent to the device once.

So, if I could trick a victim into lending me his/her mobile for only 5 minutes, I could abuse that moment to register the mobile number with a Skype account. This would allow me to access the victim’s Vodafone voicemail, because Skype allows you to spoof the number, and Vodafone authenticates you to a voicemail box based on the caller ID. So, I only need my Skype account to access the victim’s voicemail. An even simpler method could be by using a service provider that allows me to spoof a mobile number, like SpoofCard claims to do. You would then only require the victims mobile phone number. Scary!

Other services at risk?

So Vodafone voicemail (NL) is vulnerable for this “hack”. But what about other service providers that rely on the caller ID?

For example the ‘ABN AMRO Saldo voor de iPhone‘ [iTunes], a banking applications for the dutch ABN Amro bank that allows you to see your bank account’ balance (requires a 4-digit PIN).
Or what about the ‘Rabo Bankieren‘ [iTunes] used for banking with the dutch Rabobank that only requires a 5-digit PIN to see your bank account’ balance?
By circumventing the caller ID as being part of the authorization of these applications, the only security layer left is a 4 -or 5-digit PIN code, which IMHO is not enough any more.

Of course, the same principle applies to SMS text messages, like described in the article Twitter and Jott Vulnerable to SMS and Caller ID Spoofing by dhanjani.com, but for the sake of simplicity I will not go into that right now.

Questions and conclusion

So what do you think?

  • Do you think this is a security risk or not?
  • Is the caller ID something that is easy to fake?
  • Why is Skype allowed to spoof the caller ID? Is this something anyone can do on any phone network?
  • Should service providers be allowed to trust the caller ID for authentication purposes?
  • Have you seen service providers using the caller ID for authentication purposes?

In my opinion trusting the called id for authentication purposes imposes a security risk. Developers should be aware that trusting a caller ID should not be an authentication method solely by itself, but always as an addition to another. In my opinion, service providers should not use the caller ID alone for authentication!

And remember, if Paris Hilton can hack into a voicemail, anyone can! ;-)

Update 24-03-2011: I merely used the examples of the ABN Amro and the Rabo Bankieren application as an example to think deeper about security and privacy concerning the use of these (very handy!) financial applications, but its clear that they do not rely (and probably also not even send) the caller ID to the bank’ server, so a probable risk with using the caller ID as authentication for these applications is irrelevant.