Oh Shit ….

Those were my words when someone pointed me to the new and improved
website of multipick in Germany. Previously they offered a set of 10
or 12 bumpkeys. We tested these keys in our consumer reports test in
2006, and found they were of very poor quality.

However, multipick now seems to have invested seriously in their
bumpkey division.

You can now order individual keys online, and to make things
convenient they included the images of the profiles of the keyways.

Life for criminals have never been easier … Just examine the lock
you want to open (or make a picture), compare with the profile
sketches on their website and order the correct key online.

We have not tested any of multipick’s keys yet, but looking at how serious
they invested in their website I fear for the worst….

Dutch RTL just visited me to shoot some video for a TV item about this
new site and the consequences it has for security in general. It will be
aired on RTL4 around 18:15 today in a program called ‘editie NL‘.

(Video available now, WMV 10 Mb)

12 Responses to “Oh Shit ….”

  1. pw says:

    Barry, are you doing a ‘U’ turn on your thoughts then?

    It seems only yesterday that you was showing the world how to bump locks and get as many people involved now it sounds like you dont want it as widespread.

    It was afterall, in some part, your doing that its become so popular, i assumed you would be happy about this development on the multipick site rather than be dissapointed unless ive misunderstood your posting log entry.
    Show innocent people how to break locks and there will always be the unwashed element that want to use the info to steal, you must know this when you do your talks and demos for the internet and hacking communities amoungst the others?

    I dont see it as a big issue as Multipick are usually over priced and when the keys are so easy to make why buy them only to then wait for delivery.

    As a locksmith i have recently been out to 2 break-in’s that involved bumping and in one case the person was caught and told the police that he learnt the technique off an internet site and made his own key.

    But as long as the lock companies turn a blind eye nothings going to change.

  2. pe says:

    Hi Barry,

    I’m really confused about your position on bump keys in light of your most recent blog entry.

    Firstly, you have been very active in demonstrating the bumping “exploit”. I learnt about it from you as I imagine many others have also. You have made or participated in videos that demonstrate the technique and the tools required.

    Secondly, Multipick isn’t the only online store selling bump keys or promoting their purchase. There are equivalent sites in the UK and the US. There are also forums attached to some of these online stores that provide post-sales support for their bump keys.

    Thirdly, bump keys can be readily made (as you are well aware). For this reason selling ready-made bump keys will most likely only make a marginal upward difference in their uptake by criminals (that is my conjecture).

    Fourthly, the Multipick bump keys (like all Multipick items) are overpriced for anyone other than the professional locksmith (who for some reason can’t make his/her own set) or the professional criminal that makes capital investment in his “craft” (how many of these would there be?).

    Can you please clarify your position?

    Best regards
    pe

  3. Barry says:

    pw: good point.

    However, I feel my documents and demonstrations are there to educate
    the people, and help them make the right choices when it comes to
    physical security. It is not my meaning in life to educate criminals.

    And keep in mind my research was done after it was aired prime time on
    German television. Criminals learn fast and do not mind borders. If I
    would not have written the articles and put the video’s online the
    criminals would have had more time to exploit the vulnerability worldwide. Only
    by exposing it, and telling as many people about it as you can, a problem like
    this can gets solved.

    The bump key story so far has proven most lock companies do not want
    to improve their locks unless the there is pressure from the public.

    And their attempts to downplay the bump key threat has only motivated
    me to do more thorough research and publish about it. I still think
    the ‘what the hack’ video is the best information available on
    bumping. It covers it all. And still the industry tries to downplay by
    saying ‘burglaries with bumpkeys do not happen often, there is no need
    for you to change your locks’.

    The first time I saw the new multipick website I honestly said ‘Oh
    Shit’ because it dramatically lowers the amount of effort a criminal
    has to put into planning a successful burglary. Not to mention the
    fact the multipick people even got ahold of Kurt Shulke and are now
    selling the original tomahawk hammers too. All these ingredients were
    not really easy accessible to the public until now.

    And I see it as my responsibility to warn people a crime wave could be
    coming. Nothing more and nothing less…..

  4. pw says:

    Please dont think i meant that you teach crinimals or intend your work to do so, i didnt mean that.

    I see your points but dont think a criminal is going to order from an online locksmith store somthing that he can file up on his kitchen table, the fact multipick are now selling them isnt the start of the war its just one of the battles.

    Some may say that having the info on how to make the keys and do the technique free for all to see online is much worse than a supplier selling them pre made.

    I agree the more professional or thoughtful thief would probably know about bumping but im sure its nothing new to that group of people, the pro may look at useing the technique but the opertunist will still use brute force,

    As you say it really is a case of the consumer’s demanding change before the lock makers think about altering designs and unfortunatley in order for that to happen the market needs to want or need change which will only happen with break-ins useing the technique becoming common place which of course isnt the case right now, as far as we know.

  5. pe says:

    Nevertheless, bumping still requires some practice to perfect. It is much easier than picking but it isn’t an instant or no-skill method. I can’t imagine a junkie burglar (who are responsible for many residential B&Es) buying his set of bump keys, practice cylinder and “Tomahawk” from Multipick and sitting down to practice. Do we have any reports of residential burglars using commercial bump keys and tools?

    What would motivate a switch of methods? Why would an opportunist burglar go to the trouble of learning bumping?

    Table 9.6: Method of Entry to Building

    Burglary Burglary Burglary
    (Aggravated) (Residential) (Other) Total Percentage
    Force / Broke Door 178 6835 5738 12751 26.8
    Force / Broke Window 190 9838 5066 15094 31.7
    Cut Hole 5 177 502 684 1.4
    Cut / Broke Lock 17 835 1073 1925 4.0
    Cut / Remove Flywire 57 1619 210 1886 4.0
    Remove Louvre / Window 9 495 275 779 1.6
    Remove Roof Tile / Iron 0 167 327 494 1.0
    Unscrew Hinges 0 38 42 80 0.2
    Unlocked / Open Window 108 1792 313 2213 4.6
    Unlocked / Open Door 454 3680 1185 5319 11.2
    Key Used 12 341 237 590 1.2
    Lock Manipulated 18 473 394 885 1.9
    Tape Used 0 5 11 16 0.0
    Invited In 14 39 64 117 0.2
    No Sign Forced Entry 149 2643 1334 4126 8.7
    Other 25 250 378 653 1.4
    TOTAL 1236 29227 17149 47612 100.0

    Table 9.7: Type of Tools Used to Enter Building
    Burglary Burglary Burglary
    (Aggravated) (Residential) (Other) Total Percentage
    Bolt / Tin Cutters 1 365 965 1331 9.1
    Glass Cutters 1 34 21 56 0.4
    Stillsons / Multi-Grips 1 68 27 96 0.7
    Oxy / Explosives 0 2 33 35 0.2
    Brick / Rock / Missile 11 591 1223 1825 12.5
    Coat Hanger / Nylon Tape 0 12 14 26 0.2
    Key Used 8 158 138 304 2.1
    Jemmy / Lever / Screwdriver 133 6539 3994 10666 73.3
    Vehicle 0 31 105 136 0.9
    Ladder 3 40 34 77 0.5
    TOTAL 158 7840 6554 14552 100.0

    (Source: Victoria Police Crime Statistics 2004/05)

    PS:- Will there be a manufacturing run of the TOOOL/HOPE pick set this year? Will it be available to TOOOL and Barry Wels fans around the world?

  6. Z5 says:

    Is dumb to think that all criminals are junkies who would not take advantage of this information, are you trying to say that people like professional car thieves don’t take the time to learn how to steal a car, they just break the window with a stone and drive away?

    What about the kidnappers from third world countries, if they have the money to buy assault weapons, safe houses, buy fake police uniforms etc i’m sure they can buy these keys to make things easier, what is more dangerous? to surround a car with ak-47’s in the street to kidnap a person or to sneak into a house in the middle of the night and catch all the family off guard, the same goes for thieves.

    Of course Barry would suggest those third worlders to buy a 200 dollar lock, specially since that’s what the mayority of that people earn in a month.

    PS, i know that bump keys don’t work in cars, i’m just trying to show that not all criminals are dumb or lazy.

  7. TOWCH says:

    Well, replacement locks don’t need to be $200. Cheap china disc locks are bump proof and can be had for much less. I don’t know if they make knockoff disc lock door hardware yet, but you can secure a door with a padlock.

    Security is a luxury. You get as much as you choose to pay for. Some people can’t afford to choose very much. People who can’t, have my deepest sympathies, but their interests in this situation are less significant than their interests in other situations where their interests are ignored. No decision decision leaves everyone a winner.

    It figures that these arguments that advocate the interests of the disadvantaged, tend to be inspired surrounding the decisions that have monetary intersts involved.

    Bumping is beyond damage control. There isn’t an internet savy criminal that doesn’t know about it. It’s not in our hands anymore. Criminal knowledge starts with insiders and goes word of mouth from there. Locksmiths need to stock CHEAP bump proof locks in addition to the more expensive brands and offer them to the people who they can’t sell the medeco to, and their own conscience can decide who to stress the cheaper models to in the first place.

    I’m not really concerned about multipick because their prices are notoriously outrageous. They won’t be the first stop of junkies. I can’t really imagine them being the first stop of ANY criminal for that matter. Ebay has such a lower profile.

    With the hype around bumbkeys being as it is, potential profits are very persuasive so I think we might as well fully expect responsiblity and caution are going to get thrown to the wind till this dies down. The focus is MUCH better placed on the locksmiths who don’t offer cheap bump proof locks, both as an example of poor business practices, and as an example of the locksmithing community failing at it’s supposed purpose. Providing real security to the public. False security is supposed to be the domain of home improvement stores.

  8. Barry says:

    pe: what can I say …

    I said it many times before: I think the bump-key exploit is serious
    risk. The training required is minimal compared to the damage you can
    do with it. And people eager to learn can master it in half a day…

    I think it is a good thing the technique gets some attention once in a
    while to keep the public aware and the lock industry motivated to fix
    the problem.

    And to keep pressure on insurance companies to pay when use of a bump
    key is suspected. We forced the Dutch organization of insurance
    companies to publicly say they will pay when people fall victim to
    bumpkeys (or when there is a suspicion a bumpkey is used). And that is
    my motivation to bring out the information.

    Personally I do not care if burglars use the technique or not (on a
    wide scale). The fact it is so easy to open locks without leaving a
    trace (*), using the most simple tools, is something that needs
    fixing. Or at least give people a fair chance to make their own
    decision. In the consumer report of 2006 we tested many locks, the
    cheapest bump proof lock was a DOM rn-2 of only 22 euro. So upgrading
    your security does not have to be expensive at all. And we also did
    mention in the report that the most used ‘real world’ technique here
    is ‘pulling out’ or ‘breaking out’ the lock. It is not that bumping is
    the end of the world, but in some occasions it is just a little too
    convenient (like in recently constructed neighborhoods where all
    houses have the same keyway).

    The problem I have with your statistics is that it does not even
    mentions a bump key. Let alone the fact people might cause damage
    themselves to get the insurance to pay when their house is emptied and
    there are no traces of burglary.

    And the Toool picksets are currently sold out. I am still in doubt if
    it is worth the investment to have new sets made….

    And one more thing (PE, PW and the others): Thanks for your comments.
    It is nice to see people are paying attention and keeping an eye on
    what is going on and expressing their opinion about it.

  9. André Matuschek says:

    As I just see, they stopped selling bumpkeys.

    The site says:

    Dear customers!

    Internet forums inciting media to lead their reports to the criminal possibilities of bump key utilisation and to instruct these dubious circles with sound and images, how to commit criminal offence, we see ourselves, as a serious company, under the obligation to withdraw our bumpkeys from sales to the large public. Authorities and other authorised companies may contact our hotline for any information about bumpkeys.

    Thank you for your comprehension,

    Your Multipick-Service Team

    André

  10. Machiel van Wegen says:

    I think your an ass and Hypocrite.
    Supposedly “warning” people for bumpkeys just to get his ass on Television and get his 2 minutes of fame.

    Let me ask you this:
    What kind of person will take lockpicking-courses or is eager to learn
    about locks anyway?
    For the mechanical part of it? There are so many other types of
    fine mechanical hobbies that do not invlove locks.

    Thats why I think you’re a hypocrite who just want shis 2 muinutes of
    fame on telvision.

  11. Barry says:

    Machiel: Interesting phrased opinion. I have said it before and will
    do so again: I just think it is a good thing to keep the industry on
    their toes. Having the Dutch insurance companies acknowledged on
    public television they will pay victims of bumping, even when there
    are no clear signs of burglary is something I think is a good thing
    too.

    And believe it or not, but most locksport enthusiasts I know are just
    curious people who are fascinated by mechanical locks, and solving the
    mechanical puzzle. Maybe you should visit one of our meetings and find
    out for yourself “what kind of people” we are? I dare to say visiting us
    would change your mind. And, who knows, you might even enjoy it and get
    caught by the lockpick virus too …

    And it is a pity you do not know how many press inquiries from we
    turn down. I guess we only accept one out of five invitations orso.
    If it was my goal in life to be on television you would see me much
    more often. Fortunately for you it is not, so you can relax.

    Thanks for your comments and maybe see you on one of the toool
    meetings? The first drink would be on me ….

    Love, peace and happiness,

    Barry

  12. chris says:

    It seems that Mr Wells is happy to spread information when it suits him and happier to restric it when…it suits him. Nice
    Flippant use of ‘junkies’ is annoying. I was in the criminal world for years and no-one uses locksmith tools for entry, there’s really no need. You lot are so obsessed with pickinglocks you forget other, easier and more reliable ways of getting onto a property. In the UK, you wouldn;t want to get caught ‘going prepared’ which you would if you were carrying locksmith tools (inc bump keys) as opposed to a screwdriver, a peice of card and some BACKGROUND work on ‘the job’
    I think you flatter yourselves to think theives use bump-keys, they’re not even interested.

Leave a Reply