Face-slapping security gaff in stored-value cards

The laundry machines at [Hans Viksler's] apartment were converted over from coin operation to stored value cards. We’ve all dealt with these cards before and [Hans] thought it would be fun to do a little sniffing around at how this particular company implements them. We’ve covered how to read these cards and there have been several stories regarding how to bypass the security that they use.

But [Hans] wasn’t interested in stealing value, just in seeing how things work. So he stuck the card in his reader and after looking around a bit he figured out that they use the Atmel AT88SC0404C chip. He downloaded the datasheet and started combing through the features and commands. The cards have a four-wrong-password lockout policy. He calculated that it would take an average of over two million cards to brute force the chip’s stored password. But further study showed that this is a moot point. He fed the default password from the datasheet to his card and it worked.

We know it takes quite a bit of knowledge for the average [Joe] to manipulate these cards at home, but changing the default password is literally the very least the company could have done to protect their system.

Comments

  1. macusr says:

    lol.

  2. Alan says:

    That would be a “Forehead-slapping …”. You get slapped in the face for other transgressions.

  3. VV says:

    If you were in charge of securing these things you would be getting a slap to the face I guess!

  4. Ben Ryves says:

    “Gaffe”, surely? Interesting work, though!

  5. Dan Fruzzetti says:

    I used to teach in a poor SF Bay Area town which always had default passwords in its copiers. 11111. When we were budgeted only 2000 copies per teacher one year, I created several unlimited copier accounts so colleagues and I could make the copies they needed to ensure all students had access to the materials (amazingly, a very real concern among poorer districts even today).

    There were no consequences except slightly better student outcomes.

  6. BenBenson says:

    Cool gaff gaffe!

  7. mjrippe says:

    1, 2, 3 – That’s the sort of combination an idiot would have on their luggage!

  8. octel says:

    @mjrippe
    hey, i’m no idiot!

  9. M4CGYV3R says:

    Double Facepalm: Because sometimes one just isn’t enough…

  10. draeath says:

    @Dan Fruzzetti

    Good for you. The costs for this kind of thing is insignificant compared to many other things they spend on, and the budgeting of copies is a major thorn in the side of teachers.

  11. Dan Fruzzetti says:

    @dreath: that’s exactly the reason i didn’t have a problem doing it — to do the job well, student needs come first.

    that and tenure :P

  12. Zombie Linux says:

    hmmmm, i remember checking out my laundry cards and they had the same chip in them. I gave up because school has been getting in the way, now i have an excuse to tinker again

  13. Tal says:

    I was also a teacher, we did not use the default “11111”, instead we used the principal’s Password of “12345”

    by mid year, the passwords and restrictions were removed.

  14. chris says:

    2 words to describe that “security”: EPIC FAIL

  15. mjrippe says:

    @octel – Sorry man, it’s a quote from Spaceballs!

  16. Anonymous says:

    “1-1-1… uh… *1*!”
    – Soldier, Team Fortress 2 “Meet The Spy”

  17. Nick says:

    They have implemented this system at my dorm, must investigate….

  18. Drone says:

    This guy violated the DMCA. A busload of Trial Lawyers are on the way.

  19. Spork says:

    I wish there was something about actually cracking these guys.

  20. Jimbo says:

    @Drone – What copyright laws is he breaking?

  21. Forklift says:

    Once at a Best Buy, I noticed one of their employee computers unattended. On a whim, I entered “bestbuy” into the screensaver password box. Had a good chuckle when it worked.

    Not on the same scale, but you’d think they’d at least add a number to the end. Go figure.

  22. NP says:

    Datasheets can be scary to some. I bet the responsible “engineer” did not make it to that chapter…

  23. they probably didn’t want to have to re-program the new card every time, this way they just order 10000 printed cards and they are ready to operate on their system.

    still idiotic nevertheless.

  24. zeropointmodule says:

    FAIL! Colossal fail. I mean it couldn’t be any more fail than if every molecule was replaced with fail enriched baryons held together by a fail boson field.

    (assuming the standard model holds, or else it would be made of superfailstrings…)

  25. Tachikoma says:

    Posts like this puts a smile on my face, and made my day a bit less mundane.

  26. Adam says:

    1-2-3-4-5…
    That’s amazing. I’ve got the same combination on my luggage.

  27. ecko says:

    not changing the default password is like asking someone to break your system

  28. localroger says:

    @zeropointmodule — what do you expect, they probably get these things delivered via failgate.

  29. morphoyle says:

    A friend of mine used to have a phone card that would get him free stuff from a certain gas station. He found out by accident, since the phone card looked a lot like his credit card on the face. The dumb bastard got greedy though, and almost got in to a lot of trouble.

  30. CivisSmith says:

    Wow – how does that even happen? Too bad banks don’t issue a default PIN until you change it. I bet the designers of that system would still be using 1111 on their ATM cards!
    Good thing there are folks out there willing to pressure test these type of designs.

  31. dan fruzzetti says:

    uh, seriously folks this is not a big fail. the reality is most people don’t have the hardware or sophistication needed to break a system like this even though the passwords are left as default and the cards are out-of-box vanilla.

    i think the best REAL fail i can think of was those wal-mart gift cards using magnetic strips that contained in plaintext their values encoded on the card with no backend authentication to back them up. man, i know some people printed their own money with that system.

    here in the bay area we have a commuter train system called BART. their magstrip cards were among the earliest used for infrastructure on this side of the country, and even since the beginning they have had good overall security on their system — everything is authenticated on their side; even though your card has its value printed on it, the magstrip says something else.

    even a direct copy of another card doesn’t work in my experience.

  32. cpmike says:

    Being a bank employee, I have come to be familiar with some of the regular ATM default admin passwords. Its crazy, just about every gas station I walk into is using a cheap atm with the default password still used. And that’s through a card-services vendor! Absolutely nuts how people don’t change those things.

  33. Rattigan says:

    Perhaps this security hole is limited to Viksler’s location? The Web laundry cards on my campus all have non-default write7 passwords and have all four security fuses blown. Please don’t ask me how I know this. Anyway, I’m wondering if this “fail” might not be all that widespread.

  34. cde says:

    @Rattigan, considering its a university campus, I bet someone was caught before, and they fixed everything by the time you showed up to test things out.

  35. hans.vix says:

    @Rattigan – That’s interesting. I was wondering if it was isolated. Just curious, what campus are you on?

  36. Rattigan says:

    @hans.vix – UCI campus. (Go Anteaters!) If you want, send me an email: rattigantemp at gmail.

  37. Rupert says:

    Yep. It’s isolated. I have these cards but no can do. The fuse seems to properly blown. Must have been a bad batch.

  38. val says:

    Is the code $60 57 34 ?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 92,325 other followers