Revisited
by Adrian Pastor
adrian.pastor@corsaire.com
About me
Principal Security Consultant @ Corsaire.com
Independent Security Researcher @ GNUCITIZEN.org
AKA pagvac
Google hacking Linksys IP cameras for last project
I love what I do like most of you!
Particularly interested in:
Web hacking
Embedded devices
Credit card security
Old school technologies such as magstripes
Freaky stuff in general
Meeting people with similar interests
02/06/2009
Disclaimer
My views do not necessarily represent those of my employer
I'm not here to persuade you or sell you anything, but rather to share
ideas and experiments
Agenda
What the heck does this presentation cover?
Magstripes intro
Why focus on gift cards?
Attacks
Countermeasures
Magstripes Intro
Brief overview of magnetic stripes technology
Most gift cards use the same standard formats used on credit cards
Track #2: BCD
Track #1: ALPHA
Start sentinel: ;
Gift card number: 5045075645502551155 (written on back of card)
Field separator: =
Expiry date: 1612 (seemed constant across different instances of same
type of gift card)
Service code: 110 (also seemed constant)
Discretionary data: 93621576 (varies for each card number)
End sentinel: ?
LRC: 0 (error checking byte)
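Added example (not from the original slides): a Track 2 decoder that splits a swiped string into the fields listed above and checks the LRC, using the standard Track 2 character set (ASCII 0x30-0x3F, four data bits per character). Function and constant names are assumptions for illustration; the track string is reassembled from the field values on this slide, and the parser also accepts a number-only track with no field separator.

```python
# Added example: Track 2 field parsing and LRC verification.
# Each Track 2 character carries 4 data bits (plus a parity bit on the stripe).
# Character set: '0'-'9', ':', ';', '<', '=', '>', '?'  (ASCII 0x30-0x3F).

def nibble(ch: str) -> int:
    """Return the 4 data bits of one Track 2 character."""
    value = ord(ch) - 0x30
    if not 0 <= value <= 0xF:
        raise ValueError(f"not a Track 2 character: {ch!r}")
    return value

def lrc(track: str) -> int:
    """XOR of the data bits of every character, both sentinels included."""
    result = 0
    for ch in track:
        result ^= nibble(ch)
    return result

def parse_track2(track: str, read_lrc: int) -> dict:
    """Split a decoded Track 2 string into fields and check its LRC."""
    if not (track.startswith(";") and track.endswith("?")):
        raise ValueError("missing start or end sentinel")
    number, sep, rest = track[1:-1].partition("=")
    if not number.isdigit() or (rest and not rest.isdigit()):
        raise ValueError("unexpected character in track body")
    fields = {"number": number, "lrc_ok": lrc(track) == read_lrc}
    if sep:
        # Credit-card style layout: 4-digit expiry, 3-digit service code,
        # then discretionary data.
        if len(rest) < 7:
            raise ValueError("track too short for expiry and service code")
        fields.update(expiry=rest[:4], service_code=rest[4:7],
                      discretionary=rest[7:])
    return fields

# Reassembled from the fields listed on the slide above.
CARD_WITH_FIELDS = ";5045075645502551155=161211093621576?"
# Constructed: the same track with the last digit of the number misread.
CORRUPTED = ";5045075645502551156=161211093621576?"

if __name__ == "__main__":
    print(parse_track2(CARD_WITH_FIELDS, 0))        # lrc_ok is True
    print(parse_track2(CORRUPTED, 0)["lrc_ok"])     # False: read error detected
```

The LRC only detects read errors; it is computed from the other characters on the stripe, so it is not evidence that the data is authentic.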
Stored-value cards
A stored-value card is just a card associated with a balance, which
allows the cardholder to purchase a good. The card is usually
purchased with a preset balance, which may or may not be updated
via top-ups.
Anyone who makes purchases with a merchant gift card, places
phone calls with a prepaid telephone card, or buys goods or services
with a prepaid debit card is using a stored value card.
http://www.ny.frb.org/regional/stored_value_cards.html
Low-tech(ish) attacks
Often the simplest attacks are the best ones
Traditional cloning
AKA skimming
Most obvious attack
Since most gift cards are read with the same equipment used to
swipe CC cards, they can be read using standard equipment
A raw magnetic stripe reader is not required (track data in gift cards is
usually ISO-compliant)
Requirement: attacker must be able to swipe magnetic stripes
Not very sexy really, but it works!
Start sentinel: ;
Gift card number: 60362817971974876725
End sentinel: ?
LRC: 7 (error checking byte)
Possible challenges
Balance checking site uses CAPTCHAs. This makes it harder to
enumerate active gift card #s, but many CAPTCHA implementations
have been broken in the past
Balance checking site asks for PIN when checking balance
Gift card #s are not immediately sequential, so it takes too many
requests to find a valid #, e.g. 1,000,000 HTTP requests
Target gift card implementation includes a magic number in track data
which cannot be predicted, e.g. in the discretionary data field
Countermeasures
Q&A
No, I don't expect you to have listened to everything I've talked about!
Thank You
To the audience for attending
To the EUSecWest crew for inviting me
To Corsaire for sponsoring this presentation
To Major Malfunction for the inspiration to start researching magstripes 3
years ago
To everyone who helped me prepare for my presentation