Singing like a bird

20150521-system failure imageIT IS one thing to possess the ability to interfere with the avionic systems onboard an aircraft. It is quite another to announce to the world the intention of practicing such capabilities. But it takes a galactic level of stupidity, hubris or, perhaps, courage to tweet that you are going to do it when you are in seat 3A of United Airlines flight 1607, about to depart from Denver to Chicago. That is exactly what Chris Roberts, a security researcher with One World Labs, did last month:

Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ?  Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? 🙂

The tweet in question (above) suggests Mr Roberts intended to interfere with the Engine Indication Crew Alerting System (EICAS), which informs crew when something goes amiss with a plane’s engine. Or perhaps he wanted to deploy the passenger oxygen masks. Unsurprisingly, he is now helping the FBI with their enquiries. His actions have animated the debate about so-called “cyberjacking”—the ability to take control of aircraft remotely, or at least interfere with aircraft systems for malicious gain. How seriously should such claims be taken?

Mr Roberts maintains his intention was to raise awareness of security vulnerabilities. The FBI says Mr Roberts had identified a weakness with the in-flight entertainment (IFE) systems on Boeing 737-800, 737-900, 757-200 and Airbus A-320 aircraft. It is thought he accessed the systems by plugging a laptop into one of the electronic boxes usually found under the seats either side of the aisle. Once connected, Mr Roberts claims to have accessed other systems on the aircraft. He admits to having issued a “CLB”, or climb command, to the thrust management computer on a previous flight, resulting in a “lateral or sideways movement of the plane”.

Industry experts are sceptical of such claims but admit it is theoretically possible. As the data bus for the IFE is not also used for communications or flight systems, at best Mr Roberts may have seen interference between the two systems, says David Stupples, professor of electronics and radio systems at City University in London. Data packets travelling on copper wires (common in older aircraft) may allow some messages to be seen, but probably only the meta-data, such as the origin and destination of the message, rather than the content itself, which is encrypted. The fibre optic architecture of modern aircraft will not suffer similarly. And anyway, to change an aircraft’s direction Mr Roberts would have had to persuade it that he was the satellite navigation system. That entails spoofing the signals from up to 16 satellites at a time; a tall order suggests Mr Stupples.

There is no room for complacency, however. Last month, the United States Government Accountability Office (GAO) raised concerns over plans to replace the current radar-based air-traffic control with one based on satellite navigation and automation. In a report, it warned that with increased reliance on the internet “unauthorised individuals might access and compromise aircraft avionics systems” and that cyber-based threats present “significant security control weaknesses”.

The industry is acting. Airbus, for example, is working with Cranfield University in Britain to mitigate the risk. One idea is to have a preset “safe state” for each stage of flight, which the aircraft will adopt in the event of system anomalies being discovered. (In the recent Germanwings tragedy, such a system might have decided that descending over mountainous terrain with no immediate airfield available was so odd as to be countermanded.) Another solution is for all flight safety systems to be triplicated and operated on a “voting” system, meaning any malicious software would need to affect at least two systems.

All of which points to how difficult the concept of cyberjacking is. Industry experts and the GAO report suggest the threat of a disgruntled employee infecting the aircraft systems prior to flight (say, during routine maintenance) is more likely. The possibility of hackers taking control of aircraft, while real, should not be overblown. But for one man it has already been costly. Twelve days after his initial tweet, Mr Roberts followed it with one reading:

United have cancelled ALL my trips…and my daughters…and no refund on the Air Miles..goodbye 100,000 Miles so it seems…

This post was commissioned by The Economist

Hitting home

20150515-Card fraud imageAFTER falling in love with European coffeehouses on his wanderjahr in Germany in1971, Brian Olson started importing espresso machines to America. Today his three Café Intermezzo outlets in Atlanta employ 150 people and take in $7m a year. But in 2013, after fake credit cards were used in one of his restaurants, his card payment processor started withholding 20% of his revenue in escrow, “holding my business hostage” he laments. He is now an enthusiastic advocate of payment card security, hoping others avoid the “capricious and arbitrary” treatment he experienced. Changes to America’s payment card environment are imminent, but industry experts warn that without an holistic approach to data security fraudsters will continue to cause misery.

2014 was the worst year on record for data breaches and payment card security in America lags much of the rest of the world. A major improvement will occur later this year with the introduction of EMV; the technology introduced by Europay, MasterCard and Visa to the European payment card ecosystem 20 years ago and known outside America as chip and PIN (personal identification number). To authenticate legitimate card users and protect sensitive card details, EMV uses an embedded smart chip instead of the magnetic strip on the back of the cards, which can easily be cloned.

On October 1st the major credit card brands (MasterCard, Visa, American Express and Discover) are shifting the liability for fraud or data breach to the least secure part of the sales infrastructure. The move, designed to encourage take-up of safer point of sale apparatus that can handle EMV payments, is welcome news. But there are 12 million merchants in America cautions Jeremy King, International Director of the Payment Card Industry Security Standards Council (PCISSC), a cross-industry standards-setting organisation. Not all will be ready by October.

A second issue is that EMV allows for different Cardholder Verification Methods (CVM), some of which are stronger than others. PINs checked online with banks (using the debit rails) are the most robust. But one CVM accepts just a signature; a method open to abuse. (Purchases can also be made with no verification at all, for low-value transactions.) What is more, a transaction using a signature CVM uses the credit rails controlled by the major banks, with an attendant higher interchange fee. Mallory Duncan, Senior Vice President at the National Retail Federation (NRF), says that the interchange fee bonus and a reluctance to spend money investing in chip and PIN infrastructure means it is in banks’ interests to promote chip and signature as a CVM. This is despite wide acceptance across the industry that chip and PIN is more secure and retailers’ dismay that they are expected to invest in chip and PIN-reading equipment that may never be used. “Fraud flows to the weakest point,” Mr Duncan warns, “and that’s the signature.”

But unlike Europe 20 years ago, America today is an online marketplace. Measures to protect card details transmitted over the internet, (such as when an online CVM is used), or held within a retailer’s network (helpful in facilitating future sales and providing other services), are not included in the liability shift. Mr King warns that EMV is not a silver bullet and highlights the need for multi-channel protections.

Despite high profile attacks like those on Target and Home Depot, around 90% of data breaches hit SMEs, says Charles Hoff, former General Counsel of the Georgia Restaurant Association and now CEO of PCI University, an online platform providing data security education. Credit card companies expect banks and card processors to comply with data security standards set out by the PCISSC. They, in turn, expect merchants to do likewise, bearing the risk of failure to do so. The rules, expressed in the Standard Merchant Contract, state that following a data breach, merchants may have to employ forensic auditors to examine their network and pay fines, charge backs and card re-issuance penalties in the event of non-compliance. This “cash-flow crunch” can be terminal for SMEs and “within six months of a breach,” says Mr Hoff, “around 60% go out of business.”

Part of the problem is that most small business owners and merchants have the misconception that they are too small to be the target of hackers, says Mr Hoff.  As a result, they often feel that they can take their chances and not worry about initiating proper security measures. But after Café Intermezzo was attacked it cost $45,000 to beef up security at each restaurant and a yearly fee of around $30,000 for bank insurance, consultants services and technology maintenance to indemnify against future violations. Many small merchants ask if the exposure is worth the investment. And it is worse for big retailers. Target is spending $100m to change equipment and issue its own chip-based cards following the breach of 40m accounts in 2013.

For a robust and multi-layered approach to payment card security, five things are required. First, chip and PIN should be accepted as the industry standard (with banks absorbing the costs of their infrastructure investment, rather than pass these onto consumers and merchants). Second, as the Primary Account Number (PAN) on a smart card is still transmitted in clear, it is vulnerable. Point-to-Point Encryption (P2PE) along the transmission routes of a transaction should be implemented so that any data intercepted within the merchants point of sale apparatus or on the way to the card processor is better protected.

The third must-do is to remove the PAN from any online transaction as soon as possible. The card payment processor should swap the PAN for a token, so as to lessen the threat from any subsequent breach of the encrypted transmission routes or retailer’s systems’. Neither this process (known as tokenisation) nor P2PE will impact normal business processes and both should be a basic part of standard card processing packages offered by merchant’s banks and card processors.

The fourth element is to educate merchants and consumers and increase awareness of the threat across the whole industry (the NRF are calling for a Data Breach Notification law). Mr Hoff accepts that there is no easy or inexpensive solution and that every participant in the payment card security environment could make a case for someone else paying for P2PE and tokenisation. “It is tricky, but it’s a cost everybody needs to bear.”

Finally, greater industry self-regulation is required to provide a more responsive counter to innovative security threats and avoid the need for legislation. (Congress is always “a dollar too short and a day too late” says Tom Litchford, Vice President of Retail Technology at the NRF.) Initiatives such as Visa’s Technology Innovation and Secure Acceptance Incentive programmes encourage small merchants to employ the most secure and PCI-validated systems, says Ruston Miles, Chief Innovation Officer of Bluefin Payment Systems, the first company to offer PCI-validated P2PE to merchants in America. He hopes MasterCard will follow suit to produce an industry-wide “safe-harbour programme”.

In Café Intermezzo, Mr Olson says PCI-compliance is a crucial issue but he knows many restaurateurs who are unaware of the threat, the potential costs to business or of the EMV shift. “It takes a major negative experience to motivate us to do what we should have been doing in the first place,” he says.

Walking on water

20150503-Christo imageIN 1983 Christo surrounded 11 islands in Biscayne Bay, off Miami, with 600,000 square metres (6.5m square feet) of luminous pink fabric. The installation, called “Surrounded Islands”, was completely removed after two weeks. On one morning of its brief existence an elderly woman entered the project’s main office. She was livid. “It looks like you’ve emptied a bottle of Pepto-Bismol into the bay!” she raged. That afternoon an elderly man walked in and asked who was responsible for the project. After the morning’s experience Christo was nervous, but still introduced himself. “It’s fantastic,” the man said. “It looks like you’ve emptied a bottle of Pepto-Bismol into the bay!”

Christo, born Christo Javacheff in Bulgaria, delights in the story. He marvels at art’s ability to provoke such emotion and at how perceptions can differ so markedly. He hopes his latest project, “The Floating Piers”, which is planned for a 16-day stint next summer, on Lake Iseo in northern Italy, will stir similar passions.

“The Floating Piers” will be a series of golden walkways connecting Sulzano on the mainland to the islands of Monte Isola and San Paolo. Christo says his intention is to create a beautiful, temporary work of art. Temporariness is important to him, he says, for containing an aesthetic quality he calls the “presence of the missing”.

The project will be Christo’s first big work for ten years, and the first since the death of his wife and collaborator, Jeanne-Claude in 2009. Built of 200,000 specially designed polyethylene cubes normally used in the yachting industry for pontoons, the 16 metre-wide piers will float on the lake. Fastened to the lake floor every 50m, with anchors up to 90m deep and some weighing 7 tons, it is an ambitious vision. Sloping, unfenced sides will allow boats to ride up onto the piers so promenaders can alight. The cubes will be covered with 70,000 square metres of fabric: three kilometres of yellow road will move on the water; another 1.5km will flow through the tight pedestrian streets in Sulzano and Peschiera Maraglio. The contrast of the gentle fluidity on the water and the sturdy presence of the land will be sexy, says the artist.

The project is expected to cost $10m, which Christo will fund through the sales of sketches of the plans, scale models and past works. He does not balk at the cost. “These projects are our children,” he says. “Do you have a budget for your children?” He refuses commissions and sponsorship so as to remain in control.

A Harvard Business School report from 2006, looking at the way Christo and Jeanne-Claude fund their work, cited “illiquidity, uncertain valuations and faddishness” as reasons banks often avoid lending for arts. For “The Gates” (2005), which went up in New York’s Central Park, Bank Leu, then a subsidiary of Credit Suisse, provided Christo with a credit facility of $10m, and held $60m-worth of his works as collateral. In return, Christo paid an annual fee of $10,000, 1% of the unused credit, and 1% plus LIBOR (the rate banks charge for lending to other banks) of the credit used. Such a business model is rarely seen in the art world, but its unconventionality was in keeping with the work. And it certainly delivered: the estimated 4m visitors who saw “The Gates” brought in around $250m for New York City. It is a lesson not lost on the Italian government.

It took only a year to get permission for “The Floating Piers”; some of Christo’s projects have needed decades. “Wrapped Reichstag” (1995), which covered the German parliament building in silver fabric for two weeks, took 24 years to come to fruition. It was only made possible when the-then Chancellor, Helmut Kohl, horrified at the concept, put the decision to a vote in the Reichstag. He lost.

Operating at a scale that will inevitably draw opposition from some aggrieved party, political or otherwise, is one thing. To do it repeatedly, viewing the conflict and frustration as part of the art, invites the suggestion that Christo actually enjoys the confrontation. He denies it. But when asked about Jeanne-Claude, he says she was “a ferocious critic, and I miss this all the time.”

This article was commissioned by The Economist