Hacking Oklahoma State University’s Student ID Cards

[Sam] took an information security class at Oklahoma State University back in 2013. For his final project, he and a team of other students had to find a security vulnerability and then devise a theoretical plan to exploit it. [Sam’s] team decided to focus on the school’s ID cards. OSU’s ID cards are very similar to credit cards. They are the same size and shape, they have data encoded on a magnetic strip, and they have a 16 digit identification number. These cards were used for several different purposes. Examples include photo ID, physical access to some areas on campus, charges to an online account, and more.

[Sam] and his team analyzed over 100 different cards in order to get a good sample. They found that all cards started with same eight digits. This is similar to the issuer identification number found in the first six digits of a credit card number. Th analysis also showed that there were only three combinations used for the next two digits. Those were either 05, 06, or 11. With that in mind, the total possible number of combinations for card numbers was mathematically calculated to be three million.

OSU also had a URL printed on the back of each card. This website had a simple form with a single field. The user can enter in a 16 digit card number and the system would tell the user if that card was valid. The page would also tell you if the card holder was an employee, a student, or if there were any other special flags on the card. We’re not sure why every student would need access to this website, but the fact is that the URL was printed right on the back of the card. The website also had no limit to how many times a query could be made. The only hint that the university was aware of possible security implications was the disclaimer on the site. The disclaimer mentioned that usage of the tool was “logged and tracked”.

The next step was to purchase a magnetic card reader and writer. The team decoded all of the cards and analyzed the data. They found that each card held an expiration date, but the expiration date was identical for every single card.  The team used the reader/writer to copy the data from [Sam’s] card and modify the name. They then wrote the data back onto a new, blank magnetic card. This card had no printing or markings on it. [Sam] took the card and was able to use it to purchase items from a store on campus. He noticed that the register reached back to a server somewhere to verify his real name. It didn’t do any checks against the name written onto the magstripe. Even still, the cashier still accepted a card with no official markings.

The final step was to write a node.js script to scrape the number verification website. With just 15 lines of code, the script will run through all possible combinations of numbers in a random sequence and log the result. The website can handle between three and five requests per second, which means that brute forcing all possible combinations can be completed in roughly two days. These harvested numbers can then be written onto blank cards and potentially used to purchase goods on another student’s account.

[Sam’s] team offers several recommendations to improve the security of this system. One idea is to include a second form of authorization, such as a PIN. The PIN wouldn’t be stored on the card, and therefore can’t be copied in this manner. The primary recommendation was to take down the verification website. So far OSU has responded by taking the website offline, but no other changes have been made.

Posted in Tagged

Just swipe your card and enter the pin… what could go wrong?

We do hope this project makes you shiver.

“Financial risks” is an audiovisual installation that reacts when you swipe your credit card and prints an odd looking receipt if you type in your pin-code. Even though the website contains few technical details (read none) about the build, we chose to feature the project as we find his intent interesting:

‘Financial Risks’ installation is a project designed to present an ironical viewpoint on encoded wallets, as a data input interface invites to overcome fear of impossibility to control spread of confidential information for the sake of curiosity of interaction with an object of art.

The piece consists of 6 bank card readers, a hardware system of sound and video synthesis, a keyboard for pin code entering, a 2-channel sound system and a cash register printer configured to print images. Up to 6 cards simultaneously may be used for playing.

We do hope that nothing is stored in the platform’s memory… but is the installation monitored?

Posted in Tagged

SparkFun gets a Subpoena for all orders; says nah

It’s no secret that we’re fans of open source, and open hardware. And we have to applaud companies like SparkFun who also keep their customers in the loop about what’s going on with the business end of the company. For instance, they were recently contacted by a Sheriff’s office and asked for customer information and are sharing the story. One of their products had been used in a series of credit card skimmers and the officers wanted to get purchase information to track down the bad guys. SparkFun doesn’t just give out customer data and so was subsequently served with a subpoena.

The thing is, the document asks for all customer orders shipped to Georgia during a six month period. This seemed like it covered way too many orders, since the majority of them didn’t include the part in question. But the officials were willing to work with the company and narrowed the request to just the 20 or so orders that had the item in them.

It’s an interesting read, and we agree with SparkFun’s point about white hats and black hats. Often when posting about projects here we wonder about the potential to use the knowledge for no-good. But restricting the availability of knowledge (or hardware in this case) because of a few bad-actors is a concept we oppose. It’s like being a hacking super hero, with great skill comes great responsibility.

Posted in Tagged

Reading credit cards with a tape head

A company called Square is giving out free credit card readers that turn any iPhone or iPad into a Point of Sale terminal. [Steve] got a hold of one of these tiny peripherals and did what any sane person would do: tear it apart and learn how it works. This bit of hardware is a little unimpressive; unsurprising because Square is giving them away. With simplicity comes an ease in understanding, and [Steve] was able to successfully read his own credit card with this tiny and free credit card reader.

[Steve]’s work in decoding credit card data builds off [Count Zero]’s article from the bbs days. Basically, each credit card has two or three tracks. Track three is mostly unused, whereas track one contains the card holder name, account number, cvc code and other ancillary data. Track two only contains the credit card number and expiration date.

The only components in the Square card reader are a head from a tape player and a 1/8″ microphone jack. The magnetic head in the Square card reader is positioned to only read track two. With a small shim, it’s possible to re-align the head to get the data from track one. After recording an audio file of him sliding his card though the Square reader, [Steve] looked at the number of times the waveform flipped from positive to negative. From this, he was able to get the 1s and 0s on the card and converted them to alphanumeric using the 6-bit ANSI/ISO alpha format.

[Steve] isn’t going to share the code he wrote for Android just yet, but it should be relatively easy to replicate his work with the Android tutorial he used. Also, yes, we did just pose the question of how these Square credit card readers work just hours ago. Good job being on the ball, [Steve]. Tips ‘o the hat go out to [Bobby], [Leif], [Derek] and anyone else we might have missed.

EDIT: [Stephen] sent in his teardown minutes after this post went live. Hackaday readers are too fast at this stuff.

Posted in Tagged

Hackaday Links: April 18, 2012

Sandcasting at the beach

[mkb] sent in a video he found of [Max Lamb] sandcasting a stool at a beach in England. The material is pewter, or >90% tin with a little bit copper and antimony thrown in for good measure. While we’re sure there will be a few complaints from environmentalists, it’s still a cool video to see.

Your project needs an OLED display

Here’s a Kickstarter for a tiny 96×16 OLED display. Connect this thing to any I2C bus and you get a 15×2 character display (or a graphic display if that’s your inclination) very easily. Thanks to [Chris] for sending this one in.

Here’s one for a larf

[Ryan Inman] is suing 20 companies because he got mercury poisoning from vacuum tubes. Read that last line again. Most of the companies that sell antique/repro/hard-to-find components like Angela Instruments, Antique Electronic Supply, and even eBay are listed as defendants in the case. This might put at least one company out of business even though they never sold [Ryan] a vacuum tube edit: they did sell him a neon bulb, and courts are generally idiotic when it comes to technological issues. It’s hilarious and sad, so we’ll keep you updated if we get more info.

Nostalgia, the pain from an old wound

The Adafruit blog posted an excellent piece on the Apple ][ game Rocky’s Boots, an educational game from 1982 that teaches kids how to connect logic gates. You can play this game in your browser, but we’d like to hear our stories of ancient video games that teach you engineering concepts like The Incredible Machine or Widget Workshop. Leave a note in the comments if we’re leaving any out.

A question posed to the community

A company is giving away credit card readers that plug into the headphone jack of an iDevice. [J Smith] writes in to ask us if anyone has gotten one of these and opened them up. Like [J Smith] we’re expecting something a repeat of the CueCat where free hardware is opened up to everybody. If you’ve done a teardown of one of these card readers, send it in.

3DS homebrew

[Mike] sent us a link to [neimod]’s Flickr photostream. It looks like we’re on the cusp of tearing open the Nintendo 3DS for homebrew apps. Someone who uses this much hot glue must know what they’re doing, right?

Posted in Tagged

Magnetic card stripe spoofer

This hodge-podge of components is capable of spoofing the magnetic stripe on a credit card. [Sk3tch] built an electromagnet using a ferrous metal shim wrapped in enameled magnet wire. While he was doing the windings [Sk3tch] connected his multimeter to the metal shim and one end of the wire, setting it to test continuity. This way, if he accidentally scraps the enamel coating and grounds the wire on the metal the meter will sound and alarm and he’ll know about the short immediately. An Arduino takes over from here, actuating the coil to simulate the different data sections of a magnetic stripe.

From his schematic we see that the electromagnet is directly connected to two pins of the Arduino. We haven’t looked into the code but is seems there should be either some current limiting, or the use of a transistor to protect the microcontroller pins (we could be wrong about this).

[Sk3tch’s] realization of this spoofer can be made quickly with just a few parts. Card data must be written in the code and flashed to the Arduino. If you want to see what a more feature-rich version would entail take a look at this spoofer that has a keypad for changing data on the go.

[via Lifehacker]

Posted in Tagged

Teensy credit card reader

Here’s a hack that makes business sense. [PT] recalls last year’s HOPE conference when their booth was using a virtual credit card terminal for purchases that required manual entry of card information. This year they’ll have the same virtual terminal but this magnetic stripe reader will fill it out automatically.

A magstripe reader (reading only, no funny business here) from Mouser grabs data from the card. A Teensy microcontroller board, which identifies itself as a USB keyboard, automatically fills out the virtual terminal from the parsed data. The real question, are his customers comfortable sliding their plastic through a hacked reader?

Posted in Tagged