Check forgery protection using public-key cryptography

April 11, 2011 8:31 pm

Mom forwarded an email that was attempting to scam her in response to a Craigslist ad she placed for some furniture.

While I was thinking about this I realized we have the ability to essentially stop check forgery, specifically cashier’s checks and money orders, but the principle would also apply to personal checks if we could develop a trusted lookup source for public keys.

Public-key cryptography allows you to publish a public key that can be used to either verify that you digitally signed something with your private key or to encrypt something which can only be decrypted with your private key.

The application would be as follows.

First, the banks put together a trusted database of public keys. This part is essential: it must be possible to look up a public key for any bank, and the source where you do the lookup must itself be trusted. A central database is mainly a convenience; each bank could simply publish its public key on its own site, but a more integrated solution is more likely to be used. This is not an insurmountable hurdle.

Second, when a bank creates a cashier’s check, it uses the data on the check (name, amount, date, etc.) and its private key to produce a digitally signed copy (or digitally signed hash) of the data, which could be printed directly on the check as a QR code (or a set of QR codes, depending on size). [QR codes are those square barcodes.]

Third, when someone attempts to cash the check the cashing bank scans the QR code(s) and verifies that the data matches what’s printed on the check and also looks up the public key of the issuing bank and verifies that the signature is legitimate. In fact the actual printed data would be unnecessary at this point if it was encoded in the QR code, but I imagine we’d want to leave it on for the sake of the humans handling the check.

That’s it. If implemented correctly and securely it would guarantee the authenticity of cashier’s checks. The same system could be used for money orders as well. The other great thing about it is that individuals could verify a check the same way. They could scan the QR codes themselves with their fancy phones and then look up the bank’s public key (either from a trusted central repository or from the individual bank) and verify the authenticity of the check without any risk.

The biggest hurdles would really be getting a trusted repository set up and having banks securely store their private keys. There are easy extensions making this process even more feasible. You can use a master key to create sub-keys which could be used by individual branches. That would limit the risk if any individual branch’s private key were compromised. With a central repository a compromised bank would revoke the published public key and flag it as compromised. Any outstanding checks would need to be brought back to the issuing bank to be reissued using a new key. A hassle, but it should be a world-shattering occurrence for a private key to be compromised.
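The issue, verify and revoke steps described above, as an added example that is not part of the original post. It assumes Ed25519 signatures from Go's standard library; the `Check` fields, the `Registry` map standing in for the trusted key database, the `EXAMPLE-BANK` ID and the payload layout (base64 of signature followed by JSON) are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type Check struct { // data printed on the check face (field names are assumptions)
	Issuer, Payee, Date, Serial string
	AmountCents                 int64
}

type Registry map[string]ed25519.PublicKey // hypothetical key database; nil = revoked

// NewBank generates a key pair, publishes the public half, returns the private.
func NewBank(reg Registry, id string) (priv ed25519.PrivateKey) {
	reg[id], priv, _ = ed25519.GenerateKey(nil) // nil selects crypto/rand
	return priv
}

// Issue signs the check data and returns the text to print as a QR code.
func Issue(priv ed25519.PrivateKey, c Check) string {
	data, _ := json.Marshal(c) // fixed struct field order: deterministic bytes
	return base64.StdEncoding.EncodeToString(append(ed25519.Sign(priv, data), data...))
}

// Verify checks scanned QR text against the registry and the printed fields.
func Verify(reg Registry, qr string, printed Check) error {
	raw, err := base64.StdEncoding.DecodeString(qr)
	if err != nil || len(raw) <= ed25519.SignatureSize {
		return fmt.Errorf("malformed QR payload")
	}
	sig, data := raw[:ed25519.SignatureSize], raw[ed25519.SignatureSize:]
	pub := reg[printed.Issuer] // key comes from the registry, never the check
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, data, sig) {
		return fmt.Errorf("unknown or revoked issuer, or bad signature")
	}
	if want, _ := json.Marshal(printed); string(want) != string(data) {
		return fmt.Errorf("printed data differs from signed data")
	}
	return nil
}

func main() {
	reg := Registry{}
	c := Check{"EXAMPLE-BANK", "Jane Doe", "2011-04-11", "000123", 150000}
	fmt.Println(Verify(reg, Issue(NewBank(reg, c.Issuer), c), c)) // <nil>
}
```

Setting a registry entry to `nil` models the revocation case: every check signed under that key then fails verification and has to go back to the issuing bank.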

This system is totally possible with today’s technology. It would just be a matter of setting it up and getting banks to participate. Maybe I should go talk to some venture capitalists…

T-Mobile: Problem solved in under 5 minutes

April 9, 2011 1:49 pm

Jess and I don’t have a texting plan for our phones. Therefore, we are particularly annoyed with spam text messages because they cost us $.20 each in order to be annoyed. We don’t get them very often, but Jess just got one and I decided I wanted to stop them. To be clear, these aren’t just wrong-number texts, these are unsolicited-advertisement texts (“News alerts for your area! Text ‘Yes’ now to sign up!”). We’re OK with humans texting us occasionally but I don’t want to be paying to get ads sent to me.

So, I called T-Mobile’s customer service. I had to work my way through a voice-prompt menu but it was fairly short and at the end I was actually connected to a person and not put on hold. I told the CSR my problem and he offered two options: turn off texting completely or block 3rd-party texts. 3rd-party texts are advertising services, bulk-messaging services, etc., basically the kind of things you never want to get texts from anyway. So I said that a 3rd-party block sounded great. He said sure, activated a 3rd-party block for both of us and asked if there was anything else he could do. I asked another unrelated question about my account and when I hung up I checked the call time: 5:18. Subtracting out the time spent on the unrelated issue it took less than 5 minutes of my time to get the issue resolved.

Bravo T-Mobile.

No charge, he never tried to sell me something (“While the computer’s pulling up your account information let me tell you about our new….” — that annoys me), and he was polite and competent.

Compare this customer service experience with the previous one from AT&T. That difference is why I will be very sad if the T-Mobile buyout by AT&T goes through.

AT&T, How do I loathe thee? Let me count the ways

April 4, 2011 4:42 pm

Some of you may remember my post from March of last year: Wait. You mean… I… I won?. Turns out I didn’t win.

The story then was about calling AT&T to complain about a price increase on my Internet service. By the end of the call I had changed my service agreement to include a phone line and reduce my monthly bill by $5. It didn’t make any sense as to how they could add a phone line to my service and reduce my price, but I went with it. To ensure my situation was what I expected, to quote my previous post:

So, she gives me the exact price quote. To be absolutely clear on the matter, I ask directly, “Is this an introductory offer?” – “No.” “Is there an activation fee?” – “No.” “Will I have the same DSL speeds I have now, 6.0 Mbps down, 768 Kbps up?” – “Yes.”

It seemed good. I mean, those were the exact words I used and got as answers.

Turns out that Samantha, the CSR of March 2010, straight up lied to me when she answered 2 of those questions. Guess which ones!

I apparently didn’t blog it at the time, but that first bill I got with the new service had (can you guess?) a $41.45 activation fee! Way back when, I called and complained and eventually got them to reverse the charge. So that was lie number one from Samantha.

This month we got our bill and I discovered it was $15 higher than it should have been. So I call up to find out what’s going on and the CSR, Michelle, tells me that my introductory offer has ended and my price has increased to the regular price. Well, wasn’t I surprised since I was explicitly told this was not an introductory price. She, of course, was very sorry, but there was nothing she could do, but she would happily provide me a new introductory offer if I upgraded to a U-verse package. I told her I wasn’t interested in that and wanted to know what options I had for adjusting my service.

She transferred me to sales and after 10 minutes on hold Dave picks up. I tell Dave why I’m not happy and that I’m looking for options to adjust my service and reduce the price. He tells me there’s not really anything he can do. (Now, I’m signed up with the fastest DSL speed they offer, which is a crappy 6mbs down and 768kbs up, so I know that to reduce my monthly bill he could suggest I drop to a lower service tier.) He says there’s not anything he can do, but lets me know about the U-Verse service AT&T is bringing to my neighborhood. He never suggests that I could reduce my bill by lowering service tiers. (I’m not really interested in doing this as the service is marginal at times for Netflix as it is, but it is a possibility.)

So I assert that I’m still very unhappy that I was lied to by the CSR in 2010 and really want to find a solution. He offers a special discount of $10 a month for the next 12 months, so my bill would only be increasing by $5 per month. He tries to sell me on how this is such a great deal. I’m not impressed considering that in Provo I had a 15mbs up/down fiber-optic connection for $39.99 a month for 2 years without a contract and without a single price increase and without any installation fee.

Now, last year before we added the phone line we had just a bare DSL line (known as a dry loop). We were paying ~$40 per month before they tried to raise our price. So I asked Dave what the current options were for a dry loop. He told me they no longer offered dry loops in my area because they were phasing out their DSL service for the new U-verse service which he’d be happy to tell me more about.

I verify with him that he’s telling me that bare DSL service is no longer available for me. He says this is the case. So I ask him why AT&T is still advertising dry loop service on their website? And why, when I click on that, it says to call to set up service? He doesn’t have an answer.

So then I ask what’s going to happen to my current service if they phase out DSL? He says they’re grandfathering in existing DSL lines and will still allow you to get DSL if you also get a phone line (for now I suppose). This is rather preposterous to me.

So I ask him, if I were to move in the next few months would I still be able to get my current DSL service at the new location? He says probably not. I’d have to sign up for U-Verse.

Clearly, all signs point to U-verse. Figuring I may as well find out what he had to say on the matter, I asked about it. He tells me that the Internet-only U-verse package to match my current speeds has a ~$140 installation fee, a ~$75 equipment fee, and monthly prices starting at $45. Yah, that sounds like a great deal AT&T, I can’t imagine why I wouldn’t want to switch.

This is also disregarding the fact that I find it unlikely the apartment complex is going to want AT&T running around drilling holes and running fiber-optic connections all over the place. So it’s likely not going to happen here for a while even if I did want it.

So at this point I’m just cranky. They’re jacking up my rate (for the third time in the less than 2 years we’ve lived here) and pushing their overpriced fiber-optic service. But I’ve apparently managed to stay on the phone long enough to unlock another customer appeasement. Now Dave is willing to give me a $40 credit on this month’s bill along with the $10 per month discount (for 12 months). So over the next 12 months I’d only end up paying an extra $20 for my service instead of $180, so I guess we’re getting somewhere-ish.

Of course, since the last CSR I worked with blatantly lied to me I don’t have much reason to trust what he’s saying anyway.

So at this point in the call I pull up Comcast’s website because it is the only other Internet service provider in Livermore. Everything I’ve heard about them in Livermore lives up fully to their having won the award for Worst Company in America 2010. Sadly, their prices are all just as high (surprise!) so even contemplating switching would only, in effect, be cutting off my nose to spite my face.

Out of options and needing to get back to work I agree to the $40 credit and the $10/month discount. But I’m still not happy.