Hackaday editors Elliot Williams and Mike Szczys bubble sort a sample set of amazing hacks from the past week. Who has even used the smart chip from an old credit card as a functional component in their own circuit? This guy. There’s something scientifically devious about the way solder smoke heat-seeks to your nostrils. There’s more than one way to strip 16-bit audio down to five. And those nuclear tests from the 40s, 50s, and 60s? Those are still affecting how science takes measurements of all sorts of things in the world.
Perhaps the simplest radio one can build is the crystal radio. Using a diode as a detector, the design generally uses less than 10 components and no battery, getting its power to run from the radio signal itself. [Billy Cheung] decided to build a crystal radio using a rather unconventional detector – the smart chip in a common credit card.
This is possible because the smart chip on many credit cards contains a diode. It’s then a simple matter of hooking up the right pads on the credit card to the rest of a crystal radio circuit, and you’re all set. Of course, [Billy] goes the whole hog, building the entire radio on a single credit card. Other cards are cut up to create bobbins for winding coils to form a variable inductor, used to tune the radio. Doing this allows for a much cleaner, thinner design, rather than using a variable capacitor which is comparatively hard to find. Turning the dial allows stations to be tuned in, and with a high impedance earbud hooked up, you’re listening to AM radio. Oh, and don’t forget an antenna!
[Billy] breaks down the details for anyone wishing to replicate the feat, going so far as to wind the coils in real time in his Youtube video. Cutting templates and other details are available on Github. While it’s not going to be the most replicated hack, as it requires the destruction of a credit card to achieve, we love the ingenuity. And, if society does collapse, we’ll all have a great source of diodes when the ATMs have all become useless. Video after the break.
RFID payment systems are one of those things that the community seems to be divided on. Some only see the technology as a potential security liability, and will go a far as to disable the RFID chip in their card so that it can’t be read by a would-be attacker. Others think the ease and convenience of paying for goods by tapping their card or smartphone on the register more than makes up for the relatively remote risk of RFID sniffers. Given the time and effort [David Sikes] put into creating this contactless payment ring, we think it’s pretty clear which camp he’s in.
Alright, so the whole ring making part sounds easy enough, but how does one get an RFID chip that’s linked to their account? Easy. Just call the bank and ask them for one. Of course, they won’t just send you out a little RFID chip and antenna to mount in your hacked up project. (If only things were so simple!) But they will send you a new card if you tell them your old one is getting worn out and needs a replacement. All you have to do when it gets there is liberate the electronics without damaging them.
[David] found that an hour or so in an acetone bath was enough to dissolve the plastic and expose the epoxy-encased RFID chip, assuming you scrape the outer layers of the card off first. He notes that you can speed this part of the process up considerably if you know the exact placement and size of the RFID chip; that way you can cut out just the area you’re interested in rather than having to liquefy the whole card.
Once you have your chip, you just need to mount it into a ring. [David] has designed a 3D printable frame (if you’ve got a high-resolution SLA machine, that is) which accepts the chip and a new antenna made from a coil of 38 AWG magnet wire. With the components settled into the printed frame, its off to a silicone mold and the liberal application of epoxy resin to encapsulate the whole thing in a durable shell.
One of many ways that Americans are ridiculed by the rest of the world is that they don’t have chip and PIN on their credit cards yet; US credit card companies have been slow to bring this technology to millions of POS terminals across the country. Making the transition isn’t easy because until the transition is complete, the machines have to accept both magnetic stripes and chip and PIN.
This device can disable chip and PIN, wirelessly, by forcing the downgrade to magstripe. [Samy Kamkar] created the MagSpoof to explore the binary patterns on the magnetic stripe of his AmEx card, and in the process also created a device that works with drivers licenses, hotel room keys, and parking meters.
The electronics for the MagSpoof are incredibly simple. Of course a small microcontroller is necessary for this build, and for the MagSpoof, [Samy] used the ATtiny85 for the ‘larger’ version (still less than an inch square). A smaller, credit card-sized version used an ATtiny10. The rest of the schematic is just an H-bridge and a coil of magnet wire – easy enough for anyone with a soldering iron to put together on some perfboard.
By pulsing the H-bridge and energizing the coil of wire, the MagSpoof emulates the swipe of a credit card – it’s all just magnetic fields reversing direction in a very particular pattern. Since the magnetic pattern on any credit card can be easily read, and [Samy] demonstrates that this is possible with some rust and the naked eye anyway, it’s a simple matter to clone a card by building some electronics.
[Samy] didn’t stop there, though. By turning off the bits that state that the card has a chip onboard, his device can bypass the chip and PIN protection. If you’re very careful with a magnetized needle, you could disable the chip and PIN protection on any credit card. [Samy]’s device doesn’t need that degree of dexterity – he can just flip a bit in the firmware for the MagSpoof. It’s all brilliant work, and although the code for the chip and PIN defeat isn’t included in the repo, the documents that show how that can be done exist.
[Samy]’s implementation is very neat, but it stands on the shoulders of giants. In particular, we’ve covered similar devices before (here and here, for instance) and everything that you’ll need for this hack except for the chip-and-PIN-downgrade attack are covered in [Count Zero]’s classic 1992 “A Day in the Life of a Flux Reversal“.
Thanks [toru] for sending this one in. [Samy]’s video is available below.
Back in the day, true hackers – the kind that would build VCRs out of 555 chips only to end up in the Hackaday comments section in their twilight years – would steal satellite TV feeds with the help of tiny little microcontrollers embedded in a credit card. This was the wild west, when a parallel port was the equivalent of a six-shooter and Jnco jeans were a ten gallon hat.
The backdoors that enabled these satellite pirates have long been closed, but these devices for stealing HBO have now evolved into stealing €600,000 worth of goods using a most unlikely source: chip and pin card terminals. A gang of criminals in Belgium have successfully broken chip and pin, and although the exploit has now been closed, the researchers behind the investigation have published their war story for one of the most interesting hacks in recent memory.
Chip and pin verification for Point of Sale (PoS) transactions are a relatively simple process; during a transaction, the PoS system asks for the user’s PIN and transmits it to the card. The card then simply answers ‘yes’ or ‘no’. In 2010, a vulnerability to this system was discovered, making it a simple matter for anyone to break chip and pin systems. This system used an FPGA with a backpack worth of modified hardware – executing it in a store would raise more than a few eyebrows.
The problem of implementing this system into something that was easily concealable was simply a matter of miniaturization. Thanks to the proliferation of smart cards over the last 20 years, very tiny microcontrollers are available that could manage this man-in-the-middle attack on a chip and pin system. What is a gang of criminals to do? Simply program a smart card with all the smarts required to pull of the hack, of course.
To pull off this exploit, an engineer in the gang of criminals used a FUNcard, a development platform for smart cards loaded up with an Atmel AVR AT90S8515 microcontroller and an EEPROM packaged in a small golden square. By removing the chip from this chipped card and replacing the chip in a stolen credit card, the criminals were able to reproduce the 2010 exploit in the wild, netting them €600,000 in stolen merchandise before they were caught.
How were they caught? The ‘buyer’ of the gang kept shopping at the same place. Rookie mistake, but once security researchers got their hands on this illegal hardware, they were amazed at what they found. Not only did the engineer responsible for this manage to put the code required for the exploit in an off-the-shelf smart card, the gold contact pads from the original credit card were rewired to the new microcontroller in an amazing feat of rework soldering.
Before this exploit was made public, the researchers developed a countermeasure for this attack that was swiftly installed in PoS terminals. They also came up with a few additional countermeasures that can be deployed in the future, just in case. In any event, it’s an amazing bit of reverse engineering, soldering, and craftsmanship that went into this crime spree, and as usual, it only took a massive loss for retailers to do anything about it.
[Sam] took an information security class at Oklahoma State University back in 2013. For his final project, he and a team of other students had to find a security vulnerability and then devise a theoretical plan to exploit it. [Sam’s] team decided to focus on the school’s ID cards. OSU’s ID cards are very similar to credit cards. They are the same size and shape, they have data encoded on a magnetic strip, and they have a 16 digit identification number. These cards were used for several different purposes. Examples include photo ID, physical access to some areas on campus, charges to an online account, and more.
[Sam] and his team analyzed over 100 different cards in order to get a good sample. They found that all cards started with same eight digits. This is similar to the issuer identification number found in the first six digits of a credit card number. Th analysis also showed that there were only three combinations used for the next two digits. Those were either 05, 06, or 11. With that in mind, the total possible number of combinations for card numbers was mathematically calculated to be three million.
OSU also had a URL printed on the back of each card. This website had a simple form with a single field. The user can enter in a 16 digit card number and the system would tell the user if that card was valid. The page would also tell you if the card holder was an employee, a student, or if there were any other special flags on the card. We’re not sure why every student would need access to this website, but the fact is that the URL was printed right on the back of the card. The website also had no limit to how many times a query could be made. The only hint that the university was aware of possible security implications was the disclaimer on the site. The disclaimer mentioned that usage of the tool was “logged and tracked”.
The next step was to purchase a magnetic card reader and writer. The team decoded all of the cards and analyzed the data. They found that each card held an expiration date, but the expiration date was identical for every single card. The team used the reader/writer to copy the data from [Sam’s] card and modify the name. They then wrote the data back onto a new, blank magnetic card. This card had no printing or markings on it. [Sam] took the card and was able to use it to purchase items from a store on campus. He noticed that the register reached back to a server somewhere to verify his real name. It didn’t do any checks against the name written onto the magstripe. Even still, the cashier still accepted a card with no official markings.
The final step was to write a node.js script to scrape the number verification website. With just 15 lines of code, the script will run through all possible combinations of numbers in a random sequence and log the result. The website can handle between three and five requests per second, which means that brute forcing all possible combinations can be completed in roughly two days. These harvested numbers can then be written onto blank cards and potentially used to purchase goods on another student’s account.
[Sam’s] team offers several recommendations to improve the security of this system. One idea is to include a second form of authorization, such as a PIN. The PIN wouldn’t be stored on the card, and therefore can’t be copied in this manner. The primary recommendation was to take down the verification website. So far OSU has responded by taking the website offline, but no other changes have been made.
“Financial risks” is an audiovisual installation that reacts when you swipe your credit card and prints an odd looking receipt if you type in your pin-code. Even though the website contains few technical details (read none) about the build, we chose to feature the project as we find his intent interesting:
‘Financial Risks’ installation is a project designed to present an ironical viewpoint on encoded wallets, as a data input interface invites to overcome fear of impossibility to control spread of confidential information for the sake of curiosity of interaction with an object of art.
The piece consists of 6 bank card readers, a hardware system of sound and video synthesis, a keyboard for pin code entering, a 2-channel sound system and a cash register printer configured to print images. Up to 6 cards simultaneously may be used for playing.
We do hope that nothing is stored in the platform’s memory… but is the installation monitored?