
Stored Value Gift Cards: Magstripes Revisited
by Adrian Pastor
adrian.pastor@corsaire.com

About me
 Principal Security Consultant @ Corsaire.com
 Independent Security Researcher @ GNUCITIZEN.org
AKA pagvac
Google hacking Linksys IP cameras for my last project
 I love what I do, like most of you!
 Particularly interested in:
Web hacking
Embedded devices
Credit card security
Old school technologies such as magstripes
Freaky stuff in general
Meeting people with similar interests

02/06/2009

Copyright Corsaire Ltd 2006

Disclaimer
 My views do not necessarily represent those of my employer
 I'm not here to persuade you or sell you anything, but rather to share
ideas and experiments


Agenda
What the heck does this presentation cover?

Agenda
 Magstripes intro
 Why focus on gift cards?
 Attacks
 Countermeasures


Magstripes Intro
Brief overview of magnetic stripes technology

The story of Forrest Parry's wife and her iron


 IBM engineer
 Thought of gluing short pieces of magnetic tape to back of plastic card
 It was actually his wife Dorothea who figured out how to accomplish
this using a clothes iron
 What would we do without our wives!
 That was back in the 60s!

CC content from http://www.flickr.com/photos/chanwj91/3375021768/



Properties of magstripe cards (pt 1)


 Ferromagnetic particles
Ferrum: metal in Latin
http://www.usna.edu/InfoTech/papers/MAGSTRIPE%20Readers3.doc

 Usually up to 3 tracks, but track #3 rarely used


 Most credit cards use track #1 and #2
Track #2 usually read by default


Properties of magstripe cards (pt 2)


 Gift cards seem to vary. Some have data on track #1 and #2, while
others only on track #2
 Coercivity
HiCo: harder to erase
LowCo: easier to erase
 They're rewritable, just like cassette tapes
DoS via high-strength neodymium magnets
 Most gift cards use the same standard formats used on credit cards
Track #2: BCD
Track #1: ALPHA


Standard formats of magstripe cards (pt 1)


 Track #2
BCD (Binary Coded Decimal) encoding
Up to 40 chars in total
Each char: 5 bits. 4 bits of actual data, 1 ODD parity bit (makes the total
number of 1s in each char ODD)
Only digits (plus start/end sentinel and separators)
Track read by default by POS terminals


Standard formats of magstripe cards (pt 2)

 Example of gift card track #2 content:
;5045075645502551155=161211093621576?0
 From left to right:
Start sentinel: ;
Gift card number: 5045075645502551155 (written on back of card)
Field separator: =
Expiry date: 1612 (seemed constant across different instances of same
type of gift card)
Service code: 110 (also seemed constant)
Discretionary data: 93621576 (varies for each card number)
End sentinel: ?
LRC: 0 (error checking byte)

Standard formats of magstripe cards (pt 3)


 Track #1
ALPHA (alphanumeric) encoding
Up to 79 chars in total
Each char: 7 bits. 6 bits of actual data, 1 ODD parity bit (makes the total
number of 1s in each char ODD)
Digits and letters (plus start/end sentinel and separators)


Standard formats of magstripe cards (pt 4)


 We don't care about track #3 as it's not used on gift cards (the same
usually applies to credit/debit cards)


Toys to play with (pt 1)


 Raw VS ISO-compliant readers
Magstripe readers are sometimes referred to as decoders
You can build your own raw reader very cheaply, but if you want writing
capabilities you'll have to spend a significant amount
You need a raw reader that performs decoding at the software layer if
you want to analyze proprietary formats


Toys to play with (pt 2)


 New MAKStripe USB reader/writer: 199.00 EUR
Previous MAKStripe model used a parallel port, which is hardly found on
laptops these days!
Reads and writes 3 tracks
Includes decent MAKStripeExplorer software; runs on Windows
NT4/2K/XP/Vista/Mobile, Linux and Mac OS X
Works on VMware! (previous model didn't)

Picture from http://www.makinterface.de/makstusbe.php3



Applications for magstripes


 So many, despite how old magstripes are!


Applications for magstripes (pt 2)


 Credit cards
 Loyalty program cards
 Public transportation
 Parking passes
 Identity cards / driver licenses
 Hotel key cards
 Gift voucher/cards


Stored-value cards
 A stored-value card is just a card which is associated with a balance
that allows the cardholder to purchase a good. The card is usually
purchased with a preset balance, which may or may not be updated
via top-ups.
 Anyone who makes purchases with a merchant gift card, places
phone calls with a prepaid telephone card, or buys goods or services
with a prepaid debit card is using a stored value card.
http://www.ny.frb.org/regional/stored_value_cards.html


Types of stored-value cards


1. Value/balance physically stored on card: type usually targeted by
hackers
2. Value/balance stored on back-end DB only: usually regarded as
the more secure type


Types of stored-value cards: value stored on card

 Value/balance physically stored on card: typically smart chips, e.g.
FedEx Kinko's cards
http://hackaday.com/2006/03/02/fedex-kinkos-smart-cards-hacked/
 Although sometimes can be magstripe, e.g. Boston Metro CharlieTicket
http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
 Balance is updated once an item/service is purchased, by performing
write operations on the chip or magstripe


Types of stored-value cards: value stored on back-end DB

 Value/balance stored on back-end DB
 Manipulating value on card is not possible, as it's only stored in the back-end
 Typically read using standard POS terminal equipment such as that
used to read credit cards
 Data stored on card includes a unique ID # that identifies the card in
the back-end
 Other data besides ID # might also be stored in track data. Whether
or not this additional data is required for the transaction to be valid
is an important question!
e.g. discretionary data shown in earlier gift card example


Types of stored-value cards: value stored on back-end DB (pt 2)
 Since security does not rely on data on card, vendors have no need to
obfuscate it
 Data is ISO 7811 compliant so that it can be read with standard POS
terminals
 Usually it is thought that they can only be cloned if magstripe is read


Why focus on gift cards?

Why gift cards?


 On the rise
 Most merchants in UK seem to support the initiative
 They're everywhere: supermarkets, coffee shops, restaurants,
cinemas, department stores, etc.
 Form of currency, thus subject to fraud


Why gift cards? (pt 2)


 Most use magstripe technology (easy to read with appropriate
hardware)
 Sometimes gift cards can be taken for free (deactivated, of course),
e.g. several coffee shop and restaurant chains popular in London
Ideal for creating genuine-looking counterfeit cards
Ideal for obtaining large samples for analysis
 But most importantly: it's freaky and I like freaky stuff


Why gift cards? (pt 3)


Why gift cards? (pt 4)


Why gift cards? (pt 5)


Low-tech(ish) attacks
Often the simplest attacks are the best ones

Traditional cloning
 AKA skimming
 Most obvious attack
 Since most gift cards are read with the same equipment used to
swipe CC cards, they can be read using standard equipment
 A raw magnetic stripe reader is not required (track data in gift cards is
usually ISO-compliant)
 Requirement: attacker must be able to swipe magnetic stripes
 Not very sexy really, but it works!


Bridging the world of magstripes and the web
Cloning gift cards without reading track data

Cloning by shoulder surfing card # (pt 1)


1. Attacker makes note of card # at store (usually on back of card)
Remember that gift cards are often available for anyone to inspect
before being purchased!
2. Attacker derives track data from gift card #
 Requirement: attacker must be able to derive track data from card #


Cloning by shoulder surfing card # (pt 2)


 Found several merchants affected by this attack
 Cloning a card without swiping stripes is sexy, BUT the cloned card won't
necessarily be activated and have an interesting balance
 Don't worry, most gift card providers offer online balance checking
facilities


Cloning by shoulder surfing card # (pt 3)


 Example of gift card track #2 content: ;60362817971974876725?7

Start sentinel: ;
Gift card number: 60362817971974876725
End sentinel: ?
LRC: 7 (error checking byte)

 Only track #2 contains data in this case. Track #1 is empty


 So what's wrong with this implementation?


Cloning by shoulder surfing card # (pt 4)


 All track data can be derived from gift card number!
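The track #2 layout from the "Standard formats" slides and the point made here (a track that carries only the card number plus an LRC follows entirely from the digits printed on the card) can both be checked with a short script. This is an added example, not code from the slides or from Corsaire: the two track strings are the ones quoted on the slides, while the function names and the split of the data after the field separator (4-digit expiry, 3-digit service code, the rest discretionary) are my assumptions, following ISO 7811 as the slides describe it. The LRC is the XOR of the 4-bit values of every symbol from the start sentinel through the end sentinel; both quoted tracks check out under that rule.

```python
"""Track 2 (ISO 7811, BCD) helpers: LRC, 5-bit odd-parity encoding, parse and rebuild.

Added example; not code from the slides. The two track strings are the ones quoted
on the slides, everything else (names, field split) is an assumption.
"""

# Track 2 alphabet: 16 symbols, each carried as a 4-bit value 0x0..0xF.
TRACK2_ALPHABET = "0123456789:;<=>?"
START_SENTINEL, FIELD_SEPARATOR, END_SENTINEL = ";", "=", "?"

# Constructed sample data: the two track 2 strings quoted on the slides.
TRACK_WITH_DISCRETIONARY = ";5045075645502551155=161211093621576?0"
TRACK_NUMBER_ONLY = ";60362817971974876725?7"


def lrc(body: str) -> str:
    """Longitudinal redundancy check: XOR of the 4-bit values of every symbol from
    the start sentinel up to and including the end sentinel."""
    acc = 0
    for ch in body:
        acc ^= TRACK2_ALPHABET.index(ch)
    return TRACK2_ALPHABET[acc]


def encode_char(ch: str) -> str:
    """One track 2 symbol as 5 bits: 4 data bits, least significant first as
    recorded on the stripe, then one ODD parity bit (total number of 1s is odd)."""
    value = TRACK2_ALPHABET.index(ch)
    bits = [(value >> i) & 1 for i in range(4)]
    bits.append(1 - sum(bits) % 2)
    return "".join(str(b) for b in bits)


def decode_bits(bitstring: str) -> str:
    """Inverse of encode_char over a whole bit string; a raw reader does this in
    software. Raises on a parity error instead of silently returning garbage."""
    symbols = []
    for offset in range(0, len(bitstring), 5):
        group = bitstring[offset:offset + 5]
        if len(group) != 5 or group.count("1") % 2 == 0:
            raise ValueError(f"parity error in {group!r} at bit {offset}")
        value = sum(int(group[i]) << i for i in range(4))
        symbols.append(TRACK2_ALPHABET[value])
    return "".join(symbols)


def parse_track2(track: str) -> dict:
    """Split a track 2 string into fields and verify the trailing LRC."""
    if not track.startswith(START_SENTINEL) or END_SENTINEL not in track:
        raise ValueError("missing start or end sentinel")
    end = track.index(END_SENTINEL) + 1
    body, lrc_char = track[:end], track[end:]
    if lrc_char != lrc(body):
        raise ValueError(f"LRC mismatch: read {lrc_char!r}, computed {lrc(body)!r}")
    payload = body[1:-1]
    fields = {"card_number": payload, "expiry": "", "service_code": "",
              "discretionary": "", "lrc": lrc_char}
    if FIELD_SEPARATOR in payload:
        number, rest = payload.split(FIELD_SEPARATOR, 1)
        # Assumed split, matching the slide's worked example: YYMM, 3-digit service code, rest.
        fields.update(card_number=number, expiry=rest[:4],
                      service_code=rest[4:7], discretionary=rest[7:])
    return fields


def track2_is_valid(track: str) -> bool:
    """True when sentinels are present and the LRC matches."""
    try:
        parse_track2(track)
        return True
    except ValueError:
        return False


def build_track2(card_number: str, expiry: str = "", service_code: str = "",
                 discretionary: str = "") -> str:
    """Rebuild a track 2 string, LRC included, from its fields. With no field beyond
    the card number, the whole track follows from the digits printed on the card."""
    body = START_SENTINEL + card_number
    if expiry or service_code or discretionary:
        body += FIELD_SEPARATOR + expiry + service_code + discretionary
    body += END_SENTINEL
    return body + lrc(body)


if __name__ == "__main__":
    for track in (TRACK_WITH_DISCRETIONARY, TRACK_NUMBER_ONLY):
        print(track, parse_track2(track))
    # Round trip: the number-only track is fully reconstructible from the printed number.
    print(build_track2("60362817971974876725") == TRACK_NUMBER_ONLY)
    # Bit-level view of the start sentinel, as a raw reader would see it.
    print(encode_char(START_SENTINEL), decode_bits(encode_char(START_SENTINEL)))
```

For a defender the useful reading is the last function: whatever a provider puts after the field separator is the only part of the track the card number does not already determine, so it is the only part that can carry a secret.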


Cloning without reading track data or shoulder surfing (pt 1)
 Is it really possible?
 Depends on each implementation
 Can be hard to test unless you recreate a real merchant setup
 Attacker must be able to:
Enumerate active gift card #s
Ideally also obtain balance, as cloning a gift card with a 0.05 balance is
not that attractive 8-)
Predict track data from a valid gift card #


Cloning without reading track data or shoulder surfing (pt 2)
 Pose as merchant and enrol in gift card program
 Can cost as little as USD $445.00 including gift cards, POS terminal
and remote admin access
 Provides a white box view of the transaction process


Cloning without reading track data or shoulder surfing (pt 3)
1. Enumerate active accounts by brute-forcing gift card #s against the
balance-check site
Many gift card #s follow Luhn's algorithm (mod 10): this cuts the
number of HTTP requests tenfold
2. Parse activated card #s and their respective balances
3. Generate track data for target gift card number
4. Write data on counterfeit card


Cloning without reading track data or shoulder surfing (pt 4)

Generate range of card #s to target and filter numbers following
Luhn's algorithm: we reduce card #s to brute-force by 10


Cloning without reading track data or shoulder surfing (pt 5)

Submit balance check HTTP requests with valid Luhn numbers
Capture activated card #s and respective balance


Cloning without reading track data or shoulder surfing (pt 6)

Derive and write track data!


Cloning without reading track data or shoulder surfing (pt 7)

Possible challenges
Balance checking site uses CAPTCHAs. Makes it harder to
enumerate active gift card #s, but many CAPTCHA implementations
have been broken in the past
Balance checking site asks for PIN when checking balance
Gift card #s are not immediately sequential, thus it takes too many
requests to find a valid #, e.g. 1,000,000 HTTP requests
Target gift card implementation includes a magic number in track data
which cannot be predicted, e.g. in discretionary data field


Cloning without reading track data or shoulder surfing (pt 8)

Spot the difference!


Cloning without reading track data or shoulder surfing (pt 9)

Important question: if a random number is included in track data, is
it being checked by the back-end when performing transactions?
Only by experimenting can we answer that question!
Test, test, test! (legally, of course)


Compromise gift card admin site! (pt 1)


 Admin feature sometimes known as Gift Card Management System
(GCMS)
 Could allow resetting balance of existing gift cards
 Don't clone a gift card, change the balance of a legitimate gift card!
 "The system is very simple yet secure and allows funds to be added
remotely by an authorised administrator to new or existing gift cards."
http://www.employeebenefits.co.uk/cgi-bin/item.cgi?id=8791


Compromise gift card admin site! (pt 2)


 Classic web attacks such as SQLi and password cracking are your
friends


Countermeasures

How to avoid cloning attacks that don't require reading track data
 Issue gift cards with random card #s
 Include non-predictable data in track in addition to gift card #
 Make sure that non-predictable data (magic number) in track is
required by the back-end for a transaction to be considered valid
 Implement CAPTCHA in balance-checking site
 Require PIN when checking balance on-line
 Make sure PIN is random and long enough
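The first three countermeasures, together with the earlier remark that many card numbers follow Luhn's algorithm, can be put into one back-end issuance and authorization routine. This is an added example, not the slides' code and not any provider's scheme: the server-side key, the choice of an HMAC-SHA256 truncated to 8 decimal digits as the discretionary "magic number", the 19-digit card number (18 random digits plus a Luhn check digit), the 6-digit PIN and all function names are my assumptions. The Luhn check is included to make the slides' point concrete: it is public arithmetic, so it only screens typos, and the two card numbers quoted on the slides show it is not even universal (the first passes, the second does not).

```python
"""Issuing and authorizing gift cards so that the printed number alone is not enough.

Added example, not from the slides. Assumptions: a key held only by the back-end,
an 8-digit magic number derived from the card number with HMAC-SHA256 (truncated),
19-digit card numbers (18 random digits + Luhn check digit) and a 6-digit random PIN.
"""
import hashlib
import hmac
import secrets

# Assumption: generated at deployment and stored only on the back-end; never on the card.
SERVER_KEY = secrets.token_bytes(32)
MAGIC_DIGITS = 8


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the mod 10 (Luhn) check."""
    total = 0
    for i, d in enumerate(reversed(partial)):
        n = int(d)
        if i % 2 == 0:  # every second digit from the right once the check digit is appended
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the Luhn check digit of the rest. This catches
    typos; it is public arithmetic and removes only nine in ten guesses."""
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def magic_for(card_number: str, key: bytes) -> str:
    """Unpredictable discretionary data: HMAC of the card number under the server key,
    reduced to MAGIC_DIGITS decimal digits so it fits the numeric track 2 alphabet."""
    mac = hmac.new(key, card_number.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** MAGIC_DIGITS:0{MAGIC_DIGITS}d}"


def issue_pin(length: int = 6) -> str:
    """Random PIN of the requested length, zero-padded, from the OS CSPRNG."""
    return f"{secrets.randbelow(10 ** length):0{length}d}"


def issue_card(key: bytes = SERVER_KEY) -> dict:
    """Random (not sequential) card number with a Luhn digit, plus its magic number and PIN.
    The magic number goes into the track's discretionary field; the PIN goes to the buyer."""
    partial = "".join(str(secrets.randbelow(10)) for _ in range(18))
    number = partial + luhn_check_digit(partial)
    return {"card_number": number, "discretionary": magic_for(number, key), "pin": issue_pin()}


def authorize(card_number: str, discretionary: str, key: bytes = SERVER_KEY) -> bool:
    """Back-end transaction check. The Luhn test is necessary but never sufficient;
    the magic number read from the track must match, compared in constant time."""
    if not luhn_valid(card_number):
        return False
    return hmac.compare_digest(discretionary, magic_for(card_number, key))


def predicted_track_authorizes(card_number: str, key: bytes = SERVER_KEY) -> bool:
    """What a track built from the printed number alone (empty discretionary field,
    like the number-only card on the earlier slide) gets from this back-end."""
    return authorize(card_number, "", key)


if __name__ == "__main__":
    card = issue_card()
    print("issued:", card)
    print("genuine track authorizes:", authorize(card["card_number"], card["discretionary"]))
    print("number-only track authorizes:", predicted_track_authorizes(card["card_number"]))
    # The slides' own card numbers: the first passes Luhn, the second does not.
    print(luhn_valid("5045075645502551155"), luhn_valid("60362817971974876725"))
```

Deriving the magic number from the card number under a server-held key means the back-end stores nothing extra per card and still rejects any track whose discretionary field was guessed or left empty; a random per-card value stored in the database would do equally well, the point is only that the value must be checked on every transaction.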


Protecting gift card merchant admin site


 Restrict access to trusted IP addresses only
 Perform regular pentests


Q&A
 No, I don't expect you to have listened to everything I've talked about!

Picture taken from http://icanhascheezburger.com/



Thank You
 To the audience for attending
 To the EUSecWest crew for inviting me
 To Corsaire for sponsoring this presentation
 To Major Malfunction for the inspiration to start researching magstripes 3
years ago
 To everyone who helped me prepare for my presentation
