
How Apple could have avoided fraud in iTunes with our Secure Code Generator

By now everybody has heard about the Chinese hackers who cracked the codes used for iTunes Store vouchers. Using key generators they have created millions of voucher codes, and they are now selling $200 vouchers online for as little as $2.60.

This follows a report on the blog of the Chinese music industry consultancy Outdustry.

It occurred to us that this is one of the main reasons many different companies approach us for advice.

Our secure code generator software is used by many large companies throughout the world, such as British American Tobacco. It has been used in a wide range of applications such as database marketing, phone card PIN generation and scratch card games. It allows you to minimise the liability and exposure your company faces from the problems associated with secure code generation and, most importantly, to reduce your costs.

Generating secure codes creates a wealth of problems that many companies don’t realise; it is a complex conundrum.

In most cases developers, knowing that time is constrained, decide that the standard pseudo-random generator included in a standard library is the way to go.

This may work for Monte Carlo simulations, but when money is involved it is not the correct way to solve the problem.

A straightforward solution is to use a strong pseudo-random generator or… a real random source. This is convenient, but it is then necessary to store every number generated and check each new one against that store to see whether it duplicates a previously generated number.

The most desirable solution is to have a function f(<index>) and to change the index so that it generates non-repeating pseudo-random numbers. It would be even more desirable to customise the function with a secret key <key> so that you can change the function easily.

For business campaigns it would be better to add some configuration so that you can customise the alphabet and the length of the codes used. With this solution you only need to remember the key and the highest index issued to check whether a code was indeed generated by you.

Remember that the chance of guessing a correct code depends on the number of codes generated, the length of the code and the alphabet used by the code.

Function f must not be just any function; it must also satisfy some strong security properties.
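As an added illustration of the keyed f(<index>) design described above (example code, not the Secure Code Generator library’s own), the Python below builds f as a keyed permutation of the whole code space: an HMAC-SHA256 Feistel network over a constructed 32-symbol alphabet with 8-symbol codes. Because f is a bijection the codes can never repeat, and a code is verified by inverting it and checking that the recovered index is below the highest index issued, so only the key and that index need to be kept; the alphabet, length and round count are assumptions for the demo.

```python
import hashlib
import hmac

# Constructed parameters: 32-symbol alphabet (no 0/O/1/I confusion), 8-symbol codes.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
LENGTH = 8
BASE = len(ALPHABET)
# The code space holds BASE**LENGTH values; split it as A*B for the two Feistel halves.
A = BASE ** (LENGTH // 2)
B = BASE ** (LENGTH - LENGTH // 2)
ROUNDS = 6  # keyed rounds; assumed adequate for a demo, not a tuned parameter


def _round_fn(key: bytes, rnd: int, half: int) -> int:
    # Keyed pseudorandom function of (round number, one half); halves must fit 16 bytes.
    msg = rnd.to_bytes(1, "big") + half.to_bytes(16, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _permute(key: bytes, x: int, inverse: bool = False) -> int:
    # Keyed bijection on [0, A*B): each round adds a keyed function of one half to the
    # other half modulo its size, so it is undone by subtracting in reverse round order.
    left, right = divmod(x, B)  # left in [0, A), right in [0, B)
    sign = -1 if inverse else 1
    for rnd in (reversed(range(ROUNDS)) if inverse else range(ROUNDS)):
        if rnd % 2 == 0:
            left = (left + sign * _round_fn(key, rnd, right)) % A
        else:
            right = (right + sign * _round_fn(key, rnd, left)) % B
    return left * B + right


def code_from_index(key: bytes, index: int) -> str:
    # f(index): the code for sequence number `index`; distinct indexes give distinct codes.
    if not 0 <= index < A * B:
        raise ValueError("index outside the code space")
    value, symbols = _permute(key, index), []
    for _ in range(LENGTH):
        value, digit = divmod(value, BASE)
        symbols.append(ALPHABET[digit])
    return "".join(reversed(symbols))


def verify_code(key: bytes, code: str, issued: int) -> bool:
    # Valid only if well-formed and its recovered index is below the count issued so far.
    if len(code) != LENGTH or any(c not in ALPHABET for c in code):
        return False
    value = 0
    for c in code:
        value = value * BASE + ALPHABET.index(c)
    return _permute(key, value, inverse=True) < issued
```

With this construction the guessing probability for an attacker is exactly the issued count divided by BASE**LENGTH, which is the dependency on count, length and alphabet stated above.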

This is exactly what we deliver with our secure code generator software: a very simple library for generating custom codes in the most popular programming languages and on different operating systems.

It’s time for Apple and other companies to take coupon, code and PIN generation seriously; otherwise I suspect we shall see similar stories of people hacking vouchers in the future.

You can use Secure Code Generator in many applications…

  • M-Coupons for consumer focused marketing campaigns.
  • E-Coupons for product discounts.
  • Event tickets with verifiable security.
  • Authentication codes for service/prepaid cards.
  • Special business offerings.
  • PIN & TAN (Transaction Authentication Number) generation.
  • Obfuscation of internal codes.
  • Mobile phone 1D & 2D barcode campaigns.
  • E-banking token authentication.
  • Firmware for devices like Digipass®.

Secure Code Generator is also indispensable for scratchcard games (e.g. a scratch-off, scratch ticket, scratcher, scratchie, scratch-it, scratch game, scratch-and-win or instant game).

Secure Code Generator also provides these essential features:

  • Non-predictable and non-deducible codes.
  • Codes with variable lengths.
  • Numeric & Alphanumeric code generation.
  • Codes can be verified in real time without requiring the massive storage of generated data.
  • Secure Code Generator can be integrated with almost all programming languages (e.g. C/C++, .NET, Java, PHP, Python, Ruby & Perl).

More information about our secure code generator is available at:


The truth about Google Chrome using Spy Studio

Everyone has a lot of questions about Chrome.  Some people say that it is spyware because each and every character you enter is sent to Google.  Hundreds of comments like this can be found on the web, like this one that says “Chrome spends nearly as much time phoning home to Google as it does talking to other Web servers.”  On the other hand, you can also find on the web the opposite opinion that claims “If you do not wish this data to be sent to your search provider, you have a number of options: Use incognito mode, turn off search suggestions permanently or change your search provider.”

Who is correct?  What kind of information is really traveling between Chrome and Google?  What data about you is being sent to the web?  Is it true that Google’s browser sends details about everything you do?  Is it an unsafe browser?  What happens behind Incognito mode?

The first thing we want to know is “What information does Chrome send about visited sites to Google?” Many different opinions can be found on the web, and some are really alarming. One person says that toolbarqueries.google.com collects everything the browser sends to it. This is indeed true, and you can see in metrics_service.cc [chromium.org] what information about visited websites is being sent. However, this only happens if you selected it in Chrome’s ‘Under the Hood’ options (Options -> “Help make Google Chrome better by automatically sending usage statistics and crash reports to Google”). This option is not selected by default; you have to specifically select it during the Chrome installation. Using SpyStudio you can be 100% certain about this by checking and un-checking the option and watching all the ‘send’ function calls. So, does Google Chrome send information about every website you visit to toolbarqueries.google.com? The answer is no, it does so only if you ask it to. This doesn’t mean that other information, like the data sent to google-analytics, is no longer being sent.

However, it is interesting to notice that this behavior is exactly the same under Incognito mode. This means that if the option to send usage statistics is checked, it doesn’t matter which mode Chrome is running in: the statistics are sent anyway. We know that the only differences between normal and Incognito modes are the logging of websites visited, files downloaded, download histories and cookies. So this feature is local to the machine, and nobody has said that statistics are not sent under this mode. Although I think many of us implicitly assume that we are anonymous while running Chrome under Incognito mode. So we had better keep the limitations of this feature in mind! Again, this only applies when the option to send statistics is selected.

The other feature we want to inspect is the suggestion made by the address bar: “When you type URLs or queries in the address bar, the letters you type are sent to Google so the Suggest feature can automatically recommend terms or URLs you may be looking for.” This is highly controversial, so we want to know what this feature does under Incognito mode (in which the suggest feature seems to be automatically disabled). Again we can use SpyStudio to make sure. You can see that Chrome does not send any information to Google about your keystrokes when using Incognito mode. You can also watch calls to the GetAddrInfoW function, which provides protocol-independent translation from a Unicode host name to an address.
When you are not running in Incognito mode, you can turn this off by right-clicking on the address bar and selecting “Edit search engines…”, then unchecking the check box at the bottom labeled “Use a suggestion service to help complete searches and URLs typed in the address bar”.

We can now safely stop all the paranoia about Chrome.  We can see the information that Google Chrome sends to Google using SpyStudio and we know that this depends on the options you choose.  So Chrome is not spyware that sends everything you do to Google.   I also believe it is important to understand what features the Incognito mode provides and not assume things about it.

Watch Google Chrome

See for yourself the information that Google Chrome sends to Google.  Use Nektra’s SpyStudio to monitor Chrome’s behavior.  It is very easy:

  1. Download SpyStudio from Nektra’s website free of charge and install it.
  2. Replace the database ‘deviare.fdb’ with a new version. You will find ‘deviare.fdb’ under the path where you installed SpyStudio: SpyStudio\bin
  3. Download the script chromewatcher and then add the path where you saved it to SpyStudio’s Python path: Edit -> Preferences -> Python
  4. Run SpyStudio and import the module chromeWatcher by typing “import chromeWatcher” in the Python console. Then start monitoring by calling its Begin() function, typing “chromeWatcher.Begin()”.
  5. Now watch SpyStudio while using Google Chrome to find out what information is sent by Chrome.

What does the ChromeWatcher script do?

The ChromeWatcher module was specially made to capture calls to the Winsock functions ‘send’ and ‘WSASend’. To know where the information is going, a record of socket connections must be kept, so it is necessary to hook the ‘connect’ and ‘select’ functions too. The idea behind ChromeWatcher is to hook the ‘send’ and ‘WSASend’ calls that are made to Google and show them to you.
To understand this script better, see the SpyStudio documentation in SpyStudio\doc.
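As an added example (not the ChromeWatcher script itself), this Python sketch shows the bookkeeping the paragraph above describes: GetAddrInfoW results and connect() calls are folded into a socket-to-host map so that each hooked send/WSASend call can be charged to its destination host, with closesocket() dropping the handle so a reused handle number is not charged to the old host. The event tuple shape, the Google host-suffix filter, the run_trace helper and the trace itself are constructed assumptions; SpyStudio’s hook callback format is not shown on the page.

```python
from collections import defaultdict

# Assumed filter for "calls made to Google"; the real script's rule is not on the page.
GOOGLE_SUFFIXES = (".google.com", ".googleapis.com")

class SendTracker:
    # Maps GetAddrInfoW results (ip -> host) and connect() calls (socket -> host) so that
    # later send/WSASend calls can be charged to a destination host.
    def __init__(self):
        self.ip_to_host, self.sock_to_host = {}, {}
        self.bytes_to_host = defaultdict(int)
        self.unattributed = 0  # bytes sent on sockets whose connect() was never seen

    def on_call(self, func, *args):
        if func == "GetAddrInfoW":  # (host, [ips])
            self.ip_to_host.update({ip: args[0] for ip in args[1]})
        elif func == "connect":  # (socket, ip): fall back to the raw IP if never resolved
            self.sock_to_host[args[0]] = self.ip_to_host.get(args[1], args[1])
        elif func in ("send", "WSASend"):  # (socket, byte count)
            host = self.sock_to_host.get(args[0])
            if host is None:
                self.unattributed += args[1]
            else:
                self.bytes_to_host[host] += args[1]
        elif func == "closesocket":  # forget the handle so reuse is not mis-charged
            self.sock_to_host.pop(args[0], None)

    def google_traffic(self):
        return {h: n for h, n in self.bytes_to_host.items() if h.endswith(GOOGLE_SUFFIXES)}

# Constructed trace (not SpyStudio output): (function, args...) in call order.
TRACE = [
    ("GetAddrInfoW", "toolbarqueries.google.com", ["203.0.113.10"]),
    ("GetAddrInfoW", "example.org", ["198.51.100.7"]),
    ("connect", 0x1A4, "203.0.113.10"),
    ("connect", 0x1B0, "198.51.100.7"),
    ("send", 0x1A4, 512),
    ("WSASend", 0x1B0, 300),
    ("closesocket", 0x1A4),
    ("connect", 0x1A4, "198.51.100.7"),  # handle number reused for another host
    ("send", 0x1A4, 100),
    ("send", 0x2FF, 40),  # socket never seen connecting
]

def run_trace(trace=TRACE) -> SendTracker:
    tracker = SendTracker()
    for func, *args in trace:
        tracker.on_call(func, *args)
    return tracker
```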