Technical Blog

25 May, 2011

Having 16 characters of fun with magnetic cards

During stratHACK we had the opportunity to explore potential attacks against magnetic stripe cards. At the end of the day we discovered what nearly everyone else has concluded: the attack surface isn't big, but there's still some fun to be had.
 
For our testing we acquired some 48 magnetic stripes and a reader. We had a few hotel cards from other countries, bus tickets from interstate, and loyalty club and membership cards.
 
Background
Magnetic cards have 3 tracks. The first track allows the full range of ASCII characters; however, there is only enough storage for 64 characters. The second track, which is the most used, only allows 16 character types (numbers 0-9 and : ; < = > ?). Track three is limited to numbers (0-9) and tends to be used for identification purposes on financial transaction cards.
 
The data stored on these tracks typically has a format specific to its industry (e.g., airline tickets and credit cards); however, every implementation seems to approach things somewhat uniquely, and there were many deviations from the standards to accommodate custom designs.
 
A few of the limitations we encountered were:
 
  • The characters: the most common magnetic stripes use track two, which of course is limited to 16 distinct characters.
  • The size: cards typically have a limit on the amount of information you can write to them.
  • The physical readers: along with not being able to modify some cards, we could not perform any penetration tests on live implementations as we did not have permission. (If anyone would like to volunteer a live implementation for testing, we would love to have a look.)
 
Findings
All cards we tested are STATIC: all variables are controlled in a backend, and card readers are not responsible for modifying the information. There are no dynamic variables (such as $$$ values) to manipulate on the cards. But that didn't stop us from having fun.
 
Perhaps the most interesting item we found was on track 1 of a customer loyalty card:
 
DEAR VALUED CUSTOMER
 
It’s nice to know that a customer is valued, even if they never get to know it themselves. 
 
There were two issues with editing this value and finding out what it really does. Firstly, we do not have permission, and testing on a live implementation could get us in a bit of trouble. Secondly, the store no longer uses the magnetic stripe; they have since moved to barcodes on the back of their cards, so it would be impossible to determine any implications of malformed data. Airlines are another example where magnetic stripes are no longer being used for boarding passes (and yet the data remains…).
 
Time and time again we saw track two as the only track used with information such as the following:
 
61003124506878
2211112579478
1062735782
0031735
1300025421
3090565=
32142
 
The reduced set of numbers on the cards got us thinking: "is it possible to reverse engineer the numerical sequence and start enumerating cards?" By far our best target was a collection of RSL and other club membership cards, which allowed us to perform a comparative analysis on the numbers (I'd still like more than one hotel card per city in the future; once again, if anyone would like to volunteer, please get in contact with us). Here's what we found:
 
3400010264
1205097329
2200026961
0010041518
 
Then we came across 2 cards from the same club:
 
7791060546
7791004741
 
Look closely: with the first 5 numbers used as a "site code", it could be derived that the last 5 were a membership ID (such as the one printed on the card). This leaves us with 100000 potential cards to attack… maybe? Lunch that day at the RSL was all about the recon. Around the table, we started to come up with some ideas:
 
  • Could a card, cloned multiple times, be placed in multiple poker machines to rack up loyalty points? 
  • By enumerating cards sequentially, could we win a heap of the front door prizes or win nanna's free birthday drink?
  • Could we get heaps of meat raffle tickets when a valid card gets you two free tickets?
  • Could we redeem anyone’s points for drinks?
But really, who’s going to hack an RSL, surely university students, pensioners and gamblers aren’t THAT desperate for free alcohol and raw meat?
 
At the end of the day, a card, whether it is magnetic, barcoded or RFID enabled, is something you have, and it exists as one factor of (often basic) authentication. The vast majority of these other card implementations rely on a second factor such as a PIN or signature to counter the simplest attacks.
 
Where a second authentication factor cannot be implemented, simple protection mechanisms are available to counter such easily enumerable information. Additional numbers (similar to the CVC on a credit card), names on track 1, obfuscating the member numbers, or using card numbers that are unrelated to the individual membership numbers all make the values on the stripe harder to guess.
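To make that mitigation concrete, here is an added example (not code from the stratHACK team or the original post) of how a backend could issue and verify track-2 data carrying a CVC-like check value, so that a neighbouring member number does not validate without its own check value. The 5-digit site code plus 5-digit member ID layout, the 16-symbol track-2 alphabet and the "=" separator follow the post; the key, card number and 4-digit check-value length are assumptions.

```python
import hmac
import hashlib

# The 16 symbols track 2 can hold (digits plus the six specials).
TRACK2_ALPHABET = set("0123456789:;<=>?")

# Placeholder backend secret (assumption): in a real deployment this lives
# only in the backend and is never written to the card.
BACKEND_KEY = b"example-only-backend-key"

def split_member_number(number):
    """Split a 10-digit club number into the 5-digit site code and 5-digit member ID."""
    if len(number) != 10 or not number.isdigit():
        raise ValueError("expected a 10-digit club number")
    return number[:5], number[5:]

def check_value(site, member, digits=4):
    """Derive a CVC-like check value bound to this card with a keyed MAC.
    The MAC output is reduced to decimal digits so it fits the track-2 alphabet."""
    mac = hmac.new(BACKEND_KEY, (site + member).encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)

def issue_track2(number):
    """Build the track-2 field the issuer would encode: number, '=' separator, check value."""
    site, member = split_member_number(number)
    return site + member + "=" + check_value(site, member)

def verify_track2(track):
    """Backend verification: alphabet, layout, then a constant-time check-value comparison."""
    if not track or any(ch not in TRACK2_ALPHABET for ch in track):
        return False
    number, sep, presented = track.partition("=")
    if sep != "=" or len(presented) != 4 or not presented.isdigit():
        return False
    try:
        site, member = split_member_number(number)
    except ValueError:
        return False
    return hmac.compare_digest(presented, check_value(site, member))

if __name__ == "__main__":
    issued = issue_track2("7791060546")  # constructed sample number from the post
    # A bare, sequentially incremented member number carries no valid check value.
    print(issued, verify_track2(issued), verify_track2("7791060547"))
```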