1997-11-10 - No Subject

Header Data

From: Mix <mixmaster@remail.obscura.com>
To: cypherpunks@cyberpass.net
Message Hash: 4d1c686ce344d5896b2a0a6dc8ffd0e28661406f3020f089c1eb20763d043227
Message ID: <199711100352.TAA23129@sirius.infonex.com>
Reply To: N/A
UTC Datetime: 1997-11-10 05:57:33 UTC
Raw Date: Mon, 10 Nov 1997 13:57:33 +0800

Raw message

From: Mix <mixmaster@remail.obscura.com>
Date: Mon, 10 Nov 1997 13:57:33 +0800
To: cypherpunks@cyberpass.net
Subject: No Subject
Message-ID: <199711100352.TAA23129@sirius.infonex.com>
MIME-Version: 1.0
Content-Type: text/plain



Monday, November 10, 1997 - 04:25:17 MET

The following is from http://www.mobil.com/speedpass/

Note that I've only quoted the parts I think are relevent
to a security discussion...

---begin quote---

How does Mobil Speedpass work?

Speedpass uses an electronic system located in the pump to 
"talk" with a miniature radio-like device (a transponder). Together, 
these electronic devices provide "instant" access to gasoline 
by automatically charging fuel purchases to the credit card you've 
selected. The technology is similar to the state-of-the-art 
technology successfully used by many tollways.

What happens if my Speedpass is lost, stolen or damaged?

Treat it just like a credit card. Immediately notify our Service Center at 
1-800-459-2266. Tell us your name or Speedpass number. And we'll cancel your 
old Speedpass and send you a new one right away. You should write down your 
Speedpass number (8 digits on tag) and keep it in a safe place.

Is there a pin code with my Mobil Speedpass?

No.

Can other people intercept the transmission of my credit card number?

No. The Speedpass system operates on a dedicated transponder 
identification code. Your credit card code remains outside the Speedpass 
signal system, maintaining the confidentiality of that information and 
protecting your account from unauthorized use.

---end quote---

I see several options, none seem too secure:

1) "dedicated transponder identification code" (dtic from now on) is
    sent in the clear. Anyone who can listen and re-transmit
    can get free gas.
2) Speedpass and the gas pump negotiate DH key exchange
    and use DES/RC5/IDEA/Whatever. Anyone who can
    impersonate a gas pump can gain access to dtics and
    get free gas.
2) Gas pumps have an RSA keypair, and all of the speedpasses
    know the public key. The dtic is encrypted to the 
    gas pump's key along with some random data. Anyone
    who can compromise the gas pump's private key
    (including service station operators/employees?)
    can imitate a gas pump and get dtics, with which to
    get free gas.

The third option seems pretty secure at first, until you
realize that it's like putting all of your eggs in one basket
and giving thousands of people physical access to the basket.

Anybody know how they are actualy doing it? Is there
some more secure way I haven't thought of?

-Some anonymous guy with no 'nym






Thread