Risky Thinking
On Risk Management, Business Continuity, and Security
23 April, 2017

Crime and Technology

Why doesn't the technology of crime match what we see in the Hollywood movies? Some advanced criminal technology exists, but it's all a question of economics...

The Sunday Times just published a report on a trio of gamblers who managed to win £1.3 million on the roulette tables at the Ritz Casino in London using a ‘laser scanner’ linked to a computer. By determining the speed of the ball and the wheel, and the point on the wheel at which the ball was released, they could apparently increase their odds of winning a 36-1 bet from 37-1 (European casinos are content with a single zero) to 6-1. Police concluded that no law had been broken, and the trio were eventually allowed to keep their winnings.

This isn't, of course, the first time this has been done. In the book The Eudaemonic Pie by Thomas Bass a similar scheme is described. Toe-operated computers were used to beat the casino in Las Vegas. Partly as a result of this effort, Nevada passed a law in 1985 making it illegal to use such devices to “project the outcome of a game”, “keep track of cards played” and so forth. (Presumably no such law exists in England: hence the entrepreneurs were allowed to keep their winnings.)

Neither of the two cases described above was illegal. Both teams made use of new technology to augment human judgement. (I've no reason to believe that if I was really good at estimating the speed of the ball relative to the wheel and noting the position when it was released, I couldn't theoretically — and I must add, quite legally — do the same thing in my head.) The assumption behind roulette is that none of the players is that good at estimating positions, times, and velocities. Only if this assumption holds true is it a game of chance with a built-in advantage for the house.

Another recent use of high technology in crime: in 2004 in Ottawa, Canada, police arrested a group who had been copying bank debit cards and stealing personal identification numbers (PINs). Their method exploited all the latest technology. A card reader was skilfully designed to fit temporarily over the card entry slot on an ATM (Automated Teller Machine), looking like part of the original. A wireless video camera was secreted in a leaflet holder glued to the front of the machine. Once the devices had been fitted on a drive-through ATM, the team could observe and record card details and PINs remotely.

There are interesting parallels between these cases. In both cases, research and development was necessary to develop new devices. In the casino capers, computers and input/output devices were developed that could be concealed from casino staff. In the card cloning crime, a neat card-reader had to be developed that could be fitted to the front of an ATM machine, would record card details, and would look like part of the bank machine. And in both cases, extensive use was made of off-the-shelf technology which had only recently become widely available at a low cost.

What has this to do with risk? These cases set me thinking about how easy it is to either over-estimate or under-estimate the ability of criminals to develop their own technology. The risk management question is this: is what we are doing valuable enough to be worth criminals the time and effort to develop technical solutions?

Hollywood, in its glamorous caper movies, gives us the impression that criminals have access to a plethora of ingenious high-tech criminal devices. Such is rarely the case. No criminal is going to spend $1,000,000 developing a portable device which can use radar to look through walls and see exactly where the guards are. It's considerably cheaper to just threaten or bribe a guard to tell you. There are no research and development costs, no technical risks, and the methods are tried and tested.¹

When criminals do use technology in innovative ways, the innovation is generally in discovering an alternative use rather than inventing the technology from scratch. This makes sense. The R&D costs are lower.

Compare the Hollywood view instead with the ongoing “war” between pay TV services and those who would sell the means to illegally access their services. Pay TV services are generally authorized by a “smart card” which plugs into the receiver and contains a mixture of a decryption algorithm and a key. Each (authorized) smart card has a unique key which is addressable and updateable by coded signals sent as part of the TV signal.

In the early days of pay TV, cost (rather than security) was a priority. At the time, the tools required to reverse engineer and clone cards were expensive, making it easy to overlook or disregard risks from this source. But licensing restrictions meant that smart cards for some channels were only legally available in certain markets, resulting in the development of a black market in smart cards. The money that could be made from producing and selling smart cards, especially those which would enable reception of all channels at a reasonable cost, became evident, and the high-tech “pirates” came into the picture. Fortunately, because of the cost emphasis, initial smart cards were fairly easy to reverse engineer. This made it feasible for pirates to launch their enterprises at reasonable cost.

It's more difficult now, but the pirates now have the capital, know their market, know the technology, and can afford to spend considerable time and money reverse-engineering designs and developing their own cards. In one case a dummy company was set up to get the chips used on the smart card professionally reverse-engineered by another legitimate company. The techniques used to make smart cards more tamper resistant continue to improve, but the cost of the equipment necessary to reverse engineer and clone a device is also decreasing.²

Given that the pay-TV services must make available equipment to their subscribers, there is no practical way to completely prevent reverse engineering, and a perfect technical solution is therefore unlikely. Ideally you need a smart card that is both very cheap to make and modify (so you can afford to issue it frequently), and sufficiently tamper resistant that it won't be reverse-engineered between issues.

The nearer you come to achieving this, the easier it is to attack the economics of piracy. Frequent unpredictable changes force frequent reverse-engineering, increasing the pirate's costs. The value of a pirate card becomes uncertain, since a purchaser will never be sure how long it will be before the technology changes and the card suddenly stops working. Even if the pirate offers free updates (yes, apparently it does happen), there will be an uncertain wait period (perhaps during the Superbowl, the World Cup, or the World Series) while the pirate has to reverse engineer and clone the new card. Since pirate cards are less attractive, their price drops, and eventually the pirates abandon this business for a more lucrative one.

Economics generally wins, even in crime.

Postscript: 25th January 2005

The Register is reporting a new device being used by shoplifters which disables (jams?) anti-theft systems and can be worn in a large waist belt. Apparently anti-theft systems which hop frequencies are immune to the device. The war continues?

¹ Watch out in future, however. See-through-walls technology is being developed for governments for use in search and rescue and counter-terrorism. If the technology becomes reliable and easy to obtain, then the cost-benefit equation will change.

² For further reading on the war between smart cards and pirates, and the technology for reverse engineering smart cards, I can recommend Security Engineering by Ross Anderson.

Michael Z. Bell
May, 2005


Note. Where trademarks are mentioned, they belong to their respective owners.

© Albion Research Ltd. 2017