The Stamp of Incompetence
Electronic stamps clearly have much to offer in terms of convenience and are being adopted in an increasing number of countries. However, a recent advisory from Alexander Klink of the German security service provider Cynops sheds some light on interesting implementation details of Stampit, the electronic stamp service of Germany's Deutsche Post. It reveals a text-book example of how not to implement digital rights management. We understand that the system has very recently been changed to mitigate the denial-of-service attack described by Klink, but the basic architecture remains much the same as described in the advisory.
A user registers with Stampit and can then buy a kind of virtual stamp in the form of smart PDFs. When the stamp is printed from the user's computer, the PDF contacts the Post Office server to check whether it is still valid. It does this without the user registering - it is just the stamp itself "phoning home". In this transaction the unique identifier of the stamp is cancelled on the server, so that no further printings of that stamp can be made.
A pity, then, if the paper jams or the printer turns out to be out of toner. heise Security has heard from readers so frustrated with this problem that they have ended up creating special printer definitions on their systems that print the stamp to a normal PDF, so that it can then be printed again - and again. They do this not because they want to cheat the Post Office, but because problems arise so often when printing that they want the security of being able to try again.
This is the key point: it is quite proper that the German Post Office should seek to prevent multiple use of its stamps, but that is not the effect of this system - it provides merely the illusion of protection. It is relatively easy to produce multiple copies of any individual stamp, by the "normal PDF" method or even by photocopying, but it is the use of the stamp that matters. Since the stamp carries unique information and is read when it passes into the post office system, that is the moment to prevent abuse.
Thankfully, the UK SmartStamp system seems to be better thought out. When the equivalent "phone home" process takes place, it does so under the control of the system's own software, installed on your PC after registration. According to their technical support line, the software then logs on with the user's account and debits that account, but at that moment the stamp's unique ID is not cancelled - this only happens when the letter or package is checked in at the post office. There may well be problems with this system, but the UK system is designed to prevent you from using a stamp more than once, whilst the German system is perversely aimed at preventing you from even trying to print it more than once - and in the process it can cause users entirely unnecessary problems.
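To make the difference between the two architectures concrete, here is a small model of the server-side stamp lifecycle, added as an example; it is not code from heise Security, Deutsche Post or the UK SmartStamp operator. The `StampServer` class, the `Design` switch and the stamp id `S-1` are constructed for illustration, and the German check-in step is modelled with no duplicate check, as the article describes.

```python
from dataclasses import dataclass, field
from enum import Enum


class Design(Enum):
    CANCEL_ON_PRINT = 1    # Stampit, as described in the advisory
    CANCEL_ON_CHECKIN = 2  # SmartStamp, as described by its support line


@dataclass
class StampServer:
    """Toy model of the stamp lifecycle (constructed for this example)."""
    design: Design
    issued: set = field(default_factory=set)     # stamp ids sold to users
    cancelled: set = field(default_factory=set)  # ids that may no longer be used

    def buy(self, stamp_id: str) -> None:
        self.issued.add(stamp_id)

    def print_stamp(self, stamp_id: str) -> bool:
        """The PDF 'phones home'. Returns True if printing is permitted."""
        if stamp_id not in self.issued or stamp_id in self.cancelled:
            return False
        if self.design is Design.CANCEL_ON_PRINT:
            self.cancelled.add(stamp_id)  # one print, ever: a paper jam loses the stamp
        return True

    def check_in(self, stamp_id: str) -> bool:
        """The printed stamp is read as it enters the postal system. True if accepted."""
        if stamp_id not in self.issued:
            return False
        if self.design is Design.CANCEL_ON_CHECKIN:
            if stamp_id in self.cancelled:
                return False              # a second copy of the same id is refused
            self.cancelled.add(stamp_id)
            return True
        # CANCEL_ON_PRINT: the id was already spent at print time and the article
        # describes no duplicate check here, so every copy of the stamp passes.
        return True


def scenario(design: Design) -> dict:
    """Run the two situations the article discusses against one design."""
    srv = StampServer(design)
    srv.buy("S-1")
    return {
        "first_print": srv.print_stamp("S-1"),
        "reprint_after_jam": srv.print_stamp("S-1"),   # same id, printed again
        "original_accepted": srv.check_in("S-1"),
        "photocopy_accepted": srv.check_in("S-1"),     # same id, presented twice
    }
```

Running `scenario` for both designs shows the article's point: cancelling on print blocks the legitimate reprint but lets the photocopy through, while cancelling on check-in does the reverse.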
Asked by heise Security, Deutsche Post has admitted that it is aware that this is an ineffective system for copy protection. It has been implemented to create some kind of barrier – however feeble – so as to provide a legal basis for the pursuit of fraud, analogous, it would seem, to the anti-circumvention provisions of the US DMCA. Quite obviously this was part of the requirements specification – and customer satisfaction was not.