
The authors describe the introduction of prepayment electricity meters to South Africa and the various security and reliability problems that were encountered. The security problems that caused actual losses all resulted.
The authors describe a number of ways in which smartcards and other security processors have been, or could be, attacked. These range from using power transients to induce revealing errors through techniques for physical penetration of card packaging and analysis using chip testing tools. They report a protocol attack on the Dallas DS5002 series processors which use encrypted external memory. The attack searches through the range of encrypted instructions until an output instruction is recognised by its effects; this is then used to tabulate the encryption function. Techniques used by professional TV pirates are also described, and the authors conclude that chip-sized security processors are probably impossible to make completely tamper proof.
The authors describe the introduction of cryptography to protect prepayment utility meters from token fraud. Instructions to the meter are encrypted under a meter-unique key and conveyed using a token, which may be a magnetic token or a number which the customer enters in the meter. Various robustness problems were encountered when transferring this technology to Africa, and the security problems all involved blunders in design, implementation and operation, rather than high-tech attacks, thus confirming the first author's analysis of fraud from ATMs. Other lessons learned included the advisability of using multiple evaluators and field trials, and the difficulty of managing trust relations in multivendor systems.
The author discusses recent experience in the UK and elsewhere of legal disputes involving cryptographic evidence. One of the most powerful tactics in such cases is to challenge security claims by pushing for disclosure of the other side's security mechanisms; this has been granted by a number of courts, leading to the collapse of prosecution cases. Computer security mechanisms whose purpose is to provide evidence must therefore be designed to withstand scrutiny from hostile experts. Further problems are caused by the fact that many security systems are really intended to shift blame rather than to stop attacks, and this fact itself is concealed; and by system designers' lack of understanding of how the legal system actually works.
A number of case histories of ATM fraud are discussed: the overall pattern is that most real losses are due to processing errors, or to thefts by staff or from the post, while assorted blunders in system design and operation account for almost all the rest. The conventional threat model, of a capable motivated attacker, was wrong; attacks were essentially opportunistic. Another lesson is that explicitness is fundamental to robust security. One must be explicit not just about threats, but about how these are tied to mechanisms and how the system will be operated; it is the failure to do this which causes the typical loophole.
Computerised burglar alarms are a good example of systems where the main concern is to prevent denial of service, rather than to assure confidentiality or integrity. This means detecting attacks on the network, whether by message manipulation, network flooding or simply cutting the wire. The best defences are end-to-end; if the alarm were polled by a local concentrator, then this would bring the network itself within the security envelope. An ideal system should also have anonymous communications, so that it is hard to attack the service of just one target customer.
Denial of service attacks have received relatively little attention in the literature, yet burglar alarms provide a good example of a system to which they are the main threat: the central server must never think that the alarm is sending an "all's well" signal when this is not the case. End-to-end protection is best, and messages in the network should be anonymous as far as possible; this keeps the network itself outside the trust envelope.