Face-slapping security gaffe in stored-value cards

The laundry machines at [Hans Viksler’s] apartment were converted over from coin operation to stored value cards. We’ve all dealt with these cards before and [Hans] thought it would be fun to do a little sniffing around at how this particular company implements them. We’ve covered how to read these cards and there have been several stories regarding how to bypass the security that they use.

But [Hans] wasn’t interested in stealing value, just in seeing how things work. So he stuck the card in his reader and after looking around a bit he figured out that they use the Atmel AT88SC0404C chip. He downloaded the datasheet and started combing through the features and commands. The cards have a four-wrong-password lockout policy. He calculated that it would take an average of over two million cards to brute force the chip’s stored password. But further study showed that this is a moot point. He fed the default password from the datasheet to his card and it worked.

We know it takes quite a bit of knowledge for the average [Joe] to manipulate these cards at home, but changing the default password is literally the very least the company could have done to protect their system.

38 thoughts on “Face-slapping security gaffe in stored-value cards”

  1. I used to teach in a poor SF Bay Area town which always had default passwords in its copiers. 11111. When we were budgeted only 2000 copies per teacher one year, I created several unlimited copier accounts so colleagues and I could make the copies they needed to ensure all students had access to the materials (amazingly, a very real concern among poorer districts even today).

    There were no consequences except slightly better student outcomes.

  2. @Dan Fruzzetti

    Good for you. The costs for this kind of thing are insignificant compared to many other things they spend on, and the budgeting of copies is a major thorn in the side of teachers.

  3. @dreath: that’s exactly the reason i didn’t have a problem doing it — to do the job well, student needs come first.

    that and tenure :P

  4. hmmmm, i remember checking out my laundry cards and they had the same chip in them. I gave up because school has been getting in the way, now i have an excuse to tinker again

  5. I was also a teacher, we did not use the default “11111”, instead we used the principal’s Password of “12345”

    by mid year, the passwords and restrictions were removed.

  6. Once at a Best Buy, I noticed one of their employee computers unattended. On a whim, I entered “bestbuy” into the screensaver password box. Had a good chuckle when it worked.

    Not on the same scale, but you’d think they’d at least add a number to the end. Go figure.

  7. they probably didn’t want to have to re-program the new card every time, this way they just order 10000 printed cards and they are ready to operate on their system.

    still idiotic nevertheless.

  8. FAIL! Colossal fail. I mean it couldn’t be any more fail than if every molecule was replaced with fail enriched baryons held together by a fail boson field.

    (assuming the standard model holds, or else it would be made of superfailstrings…)

  9. A friend of mine used to have a phone card that would get him free stuff from a certain gas station. He found out by accident, since the phone card looked a lot like his credit card on the face. The dumb bastard got greedy though, and almost got into a lot of trouble.

  10. Wow – how does that even happen? Too bad banks don’t issue a default PIN until you change it. I bet the designers of that system would still be using 1111 on their ATM cards!
    Good thing there are folks out there willing to pressure test these types of designs.

  11. uh, seriously folks this is not a big fail. the reality is most people don’t have the hardware or sophistication needed to break a system like this even though the passwords are left as default and the cards are out-of-box vanilla.

    i think the best REAL fail i can think of was those wal-mart gift cards using magnetic strips that contained in plaintext their values encoded on the card with no backend authentication to back them up. man, i know some people printed their own money with that system.

    here in the bay area we have a commuter train system called BART. their magstrip cards were among the earliest used for infrastructure on this side of the country, and even since the beginning they have had good overall security on their system — everything is authenticated on their side; even though your card has its value printed on it, the magstrip says something else.

    even a direct copy of another card doesn’t work in my experience.

  12. Being a bank employee, I have come to be familiar with some of the regular ATM default admin passwords. It’s crazy, just about every gas station I walk into is using a cheap ATM with the default password still used. And that’s through a card-services vendor! Absolutely nuts how people don’t change those things.

  13. Perhaps this security hole is limited to Viksler’s location? The Web laundry cards on my campus all have non-default write7 passwords and have all four security fuses blown. Please don’t ask me how I know this. Anyway, I’m wondering if this “fail” might not be all that widespread.

  14. @Rattigan, considering it’s a university campus, I bet someone was caught before, and they fixed everything by the time you showed up to test things out.
