• Nagesh (unregistered)

    Here in Hyderbad, theeving is very common even in University where rich kids are being.

  • Robert Hanson (unregistered)

    [not frist]

  • (cs)

    My university used to have a similar system, however the cards only worked on the dormitory laundry machines and a few vending machines AND the cards had a $10 limit. Anybody with a card reader could modify their balance but it wasn't really worth the effort.

    They eventually got rid of the system and now all the laundry machines are free to use anyway.

  • Robert Hanson (unregistered)

    Its fun to figure out how to rig the system; not so much fun when the system rigs you. Going to jail and being expelled just for free soda seems childish.

    Speaking of being childish, when I was young we had punch cards for school lunches, 10 punches per card. But the ticket taker did not punch tha cards; instead they used a rubber stamp. All I needed to do was tear my card; ask for some tape to fix the card, and -- after the tape was rubber-stamped, just rub off the ink. Another free lunch.

  • (cs)

    I assume the "U2V0ZWMgQXN0cm9ub215" wasn't the ACTUAL string they found, but was a dummy string which the author substituted for the real one.

    But certainly not encoded very well.

  • wheaties (unregistered)

    Pfft, we just went up to the cashiers crying about how the coin change machine kept taking our $20 bills and handing us 4 quarters. That's how we got free video games. Although, in hindsight, that was a very immature thing to do. Thankfully I'm not 12 anymore. These guys should have known better by then.

  • unicorns (unregistered)

    really? my eyes hurt...

  • (cs)
    ...they were ripping strings off the card that looked like this: U2V0ZWMgQXN0cm9ub215. Obviously, it was encrypted in some fashion.
    U28gYmFzZTY0IGNvdW50cyBhcyBlbmNyeXB0aW9uIG5vdz8gIFdoeSBkaWQgbm9ib2R5IHRlbGwg bWU/Cg==
  • Paco (unregistered)

    In Holland, we use a similar system for public transport (trains, busses, etc.). It is also known how to decrypt the 32-bits encryption, and card-readers can be ordered for about $40. The government organizations introducing this chip, still want to keep it...

  • Anon (unregistered)

    sneaky remy has too many secrets

  • (cs)

    "Today, with all the usual pomp and circumstance, pride and prejudice,"

    Really, Remy? Seriously?

  • (cs) in reply to wheaties
    wheaties:
    Thankfully I'm not 12 anymore. These guys should have known better by then.
    Or it means they're freaking geniuses, in college at only 12 years of age.

    And if so, their drinking habits should be concerning.

  • Cap'n Spanky (unregistered) in reply to Quango
    Quango:
    I assume the "U2V0ZWMgQXN0cm9ub215" wasn't the ACTUAL string they found, but was a dummy string which the author substituted for the real one.

    But certainly not encoded very well.

    ******************** couldn't possibly be the string they pulled off the card. It's all asterisks.

  • Someone, somewhere (unregistered)

    My local city bus system uses something just like this, except with MiFare Classic RFID cards instead of contact cards. The balance is just stored on the card. There is no storage encryption. There is no signature, no hash, no protection against storage replay/rewrite attacks. The cards are basically used as plaintext storage devices.

    MiFare Classic has a proprietary encrypted communications (not storage) and authentication system that is in use, but that's been cracked for a very long time now (you can get any key using any one of several different cryptographic flaws in the system). There are some workarounds that can make cracking the system harder, but none of them were in use. It took 30 minutes with a bog-standard RFID reader not specifically designed to perform the attack (it would've taken under a minute using a specialized device).

    The chips do at least have internal support for a "wallet" system where you can format a specific sector in a specific way and use it to store an integer, and you can have one key that can decrement it (used in debit terminals) and a different key that can increment/reset it (used at the credit points). Not that it's secure with the crypto completely broken, but they didn't even try to use this. The balance is just stored as a byte inside a raw format sector.

    For bonus points, I looked at the auth keys to try to work out the algorithm that generates them. You'd expect something secure, like an HMAC of the card serial number, which means you'd have to get ahold of a reader to extract the master key. Instead, after staring at all of three card ID/key pairs (mine, my dad's, and my brother's, keys obtained using the aforementioned crypto exploit), I worked out the algorithm by hand. Behold, the secure key generation algorithm:

    k0 = 0xbb ^ id1
k1 = 0xfc ^ id0
k2 = 0x90
k3 = 0x9f ^ id0 ^ id1 ^ id2 ^ id3
k4 = 0xe1 ^ id1
k5 = 0x55 ^ id0

    The USB reader I used for this cost me all of €10 (a TikiTag).

  • Martin Bishop (unregistered)

    too many secrets

  • Pytry (unregistered)

    I think we all tend to drink too much and fiddle with our cards when we're in front of a computer.

  • (cs) in reply to Zylon

    View Source- there's an explanation, if not a justification for that tortured line.

  • (cs)

    I'm old and I remember when we had these things called "Vending Machines". We had things called "coins" that we would carry around in our pockets. Each "coin" had a nominal value, typically five or ten cents. You would pay for your soda by putting a coin into the slot in the machine. What people would do is make "slugs" which were metal disks the same size and weight as coins. Sometimes these slugs would be accepted as coins by the machine. Another trick we learned was that if you dropped in a real coin and pressed two buttons all at the same time, sometimes two or three cans of soda would come out.

  • (cs) in reply to Paco
    Paco:
    In Holland, [...]
    No, the Netherlands. Holland as an independent state ceased to exist over two centuries ago.
  • Cheap student (unregistered)

    Our university had a similar system for paying for laundry.

    It would read the credit from the card, confirm which washer/dryer you wanted to use, deduct the credit and write it back to the card.

    It didn't take long for us to realise that you could squeeze two cards in the machine, and then by quickly removing the top card, the credit would be written to the card below.

  • Pytry (unregistered) in reply to Someone, somewhere
    Someone:
    ... I worked out the algorithm by hand...this cost me all of €10 (a TikiTag).

    That's what she said.

    (sorry, just can't help myself right now)

  • (cs) in reply to Robert Hanson
    Robert Hanson:
    Its fun to figure out how to rig the system; not so much fun when the system rigs you. Going to jail and being expelled just for free soda seems childish.
    Point is, how would they prove it? Somebody could prove his innocence by providing top-up chits, but you don't have to prove your innocence: the affected party needs to prove your guilt. Now, finding a card reader/writer would be highly incriminating, but for that you'd need to search the dorms.

    Not as easy as it sounds, unless they had a strong suspicion who was behind it (and most likely, they didn't).

  • XXXXX (unregistered)

    Why weren't there any criminal charges?

    Just because something can be stolen or a monetary system can be counterfeited or abused, that doesn't make it legal to do so.

    How hard would it have been to track which cards seemed to have the most suspicious money on them? Then flip those weenies on the guy with the dongle?

  • tom103 (unregistered)

    "U2V0ZWMgQXN0cm9ub215" is base64 for "Setec Astronomy"...

  • Anonymous Cow-Herd (unregistered)

    I guess the president wasn't a history major, and didn't take Not Repeating Yesterday's Fuck-Ups 101 as an optional.

  • (cs)

    We used a similar system at my campus. Printouts, Copiers, and a few vending machines used the system. I never kept more than $5 on my card as one of the primary crimes was mugging students for their card chip value.

  • The Flaming Foobar (unregistered) in reply to tom103
    tom103:
    "U2V0ZWMgQXN0cm9ub215" is base64 for "Setec Astronomy"...

    Tm8gc2hpdCwgU2hlcmxvY2suLi4=

  • (cs) in reply to newfweiler
    newfweiler:
    I'm old and I remember when we had these things called "Vending Machines". We had things called "coins" that we would carry around in our pockets. Each "coin" had a nominal value, typically five or ten cents. You would pay for your soda by putting a coin into the slot in the machine. What people would do is make "slugs" which were metal disks the same size and weight as coins. Sometimes these slugs would be accepted as coins by the machine. Another trick we learned was that if you dropped in a real coin and pressed two buttons all at the same time, sometimes two or three cans of soda would come out.
    When I was a senior in high school, one of my buddies found that if we reset one of the vending machines, it defaulted to $1. We got a round of free sodas and gave a few out to passers by.

    As a crowd started to gather, my buddy delegated to a small group of sophomores who thought that getting free sodas was the most awesome thing ever, were begging to get in there and take over, and weren't experienced enough to have any restraint. As the crowd quickly grew, we ducked out and watched over our shoulders as the vice principal dispersed the crowd and busted the sophomores.

  • Anon (unregistered)

    The reason why there weren't any criminal charges is likely the same reason these cards work at stadium vendors: there was no network tracking transactions off the cards. I'm sure each individual reader (might) track the transactions, but then the college would have had to gather all of the transaction data together, then compile it into lists sorted by student, and that would only give them the source card (since all of the cards would be reported as being the same student with the $100 balance), and not necessarily the perpetrators moving the balances between cards. This gets even more complicated if multiple independent groups found the problem at the same time, or if the exploiters knew better than to use the same card each time. That would have taken a lot of manpower to figure out, and most colleges lack that. Much easier to simply turn off the system.

  • mjk340 (unregistered)

    Penn State had a system like this in place in 2001 when I was a burgeoning computer science student. It was called LionCash, had a $99 dollar storage limit, the card machines worked way too fast to be phoning home, and if you lost a card your money was lost for good, so I knew the balance was stored on the chip itself.

    It was the same chip used on the AT&T SIM cards, pictured here : http://img.ehowcdn.com/article-page-main/ehow/images/a07/ob/3e/another-att-sim-chip-800x800.jpg

    The card readers were a bit pricey for a Raman noodle eating college student at the time so I never went through with trying to hack it.

    A quick google search shows they now have a LionCash+ system in place that boasts "added security" and appears to have data stored on a central server (family can add money from home)

  • (cs) in reply to Quango
    Quango:
    I assume the "U2V0ZWMgQXN0cm9ub215" wasn't the ACTUAL string they found, but was a dummy string which the author substituted for the real one.

    But certainly not encoded very well.

    I think the point is that it doesn't matter how well it was encoded because you could just copy it and it wasn't checked against anything that would enable you to recognize and reject (or punish after the fact) such copies.

  • Tom Woolf (unregistered) in reply to mott555
    mott555:
    My university used to have a similar system, however the cards only worked on the dormitory laundry machines and a few vending machines AND the cards had a $10 limit. Anybody with a card reader could modify their balance but it wasn't really worth the effort.

    They eventually got rid of the system and now all the laundry machines are free to use anyway.

    We had a similar system with our washers and dryers - bent paper clips. Small ones worked for dimes, larger and sturdier clips were needed for quarters.

  • Anono (unregistered) in reply to Anon

    Obviously they'd need to bring in the devices at some point so the vendors could get their money in real money. It wouldn't be hard to then collect all the transactions in a database, but there would likely be a significant delay.

  • (cs)

    Remy Porter, I salute you... Your silent (but deadly) additions are better than most of the copy of this article

  • (cs) in reply to Anon
    Anon:
    The reason why there weren't any criminal charges is likely the same reason these cards work at stadium vendors: there was no network tracking transactions off the cards. I'm sure each individual reader (might) track the transactions, but then the college would have had to gather all of the transaction data together, then compile it into lists sorted by student, and that would only give them the source card (since all of the cards would be reported as being the same student with the $100 balance), and not necessarily the perpetrators moving the balances between cards. This gets even more complicated if multiple independent groups found the problem at the same time, or if the exploiters knew better than to use the same card each time. That would have taken a lot of manpower to figure out, and most colleges lack that. Much easier to simply turn off the system.

    Worse than that. If the encrypted data is just money (which it would seem that it has to be, for it to be so trivially transferred) the transactions are same-as-cash. Impossible to check.

    No doubt they realized that they'd been had when they did the accounting, but the odds of them being able to trace it back to the physical card are slim.

  • (cs)

    Beer googles, eh? I want to start using that search engine.

  • (cs) in reply to Severity One
    Severity One:
    Point is, how would they prove it? Somebody could prove his innocence by providing top-up chits, but you don't have to prove your innocence: the affected party needs to prove your guilt. Now, finding a card reader/writer would be highly incriminating, but for that you'd need to search the dorms.

    Not as easy as it sounds, unless they had a strong suspicion who was behind it (and most likely, they didn't).

    Seriously?

    Find a guy who's bragging about getting free stuff, threaten him with expulsion unless he cooperates, and you'll have your "strong suspiction" quicker than you can write it down. Alternatively, have someone ask around claiming to be a potential customer.

    It's kinda hard to sell something illegal widely without a lot of people knowing from whom to get it. Drug dealers do it via a violent and wasteful multi-tier system and still get caught a lot.

  • Lance (unregistered) in reply to Nagesh
    Nagesh:
    Here in Hyderbad, theeving is very common even in University where rich kids are being.
    Yes, and here in Oklahoma, counterfeiting is a Federal offense.
  • Rumen (unregistered) in reply to XXXXX
    XXXXX:
    Why weren't there any criminal charges?

    Just because something can be stolen or a monetary system can be counterfeited or abused, that doesn't make it legal to do so.

    How hard would it have been to track which cards seemed to have the most suspicious money on them? Then flip those weenies on the guy with the dongle?

    How is it illegal to "counterfeit" a non-official currency? It is like when you have a big festival where you need to buy tickets for beer, and you decide to print those tickets yourself. I always wondered which law you are supposed to be breaking there.

  • (cs) in reply to Severity One
    Severity One:
    Paco:
    In Holland, [...]
    No, the Netherlands. Holland as an independent state ceased to exist over two centuries ago.

    But the region of Holland still exists in the Netherlands. Are you saying he doesn't live there?

  • Anon (unregistered) in reply to boog
    boog:
    wheaties:
    Thankfully I'm not 12 anymore. These guys should have known better by then.
    Or it means they're freaking geniuses, in college at only 12 years of age.

    And if so, their drinking habits should be concerning.

    Their barkeep has dyslexia.

  • WC (unregistered) in reply to Rumen
    Rumen:
    XXXXX:
    Why weren't there any criminal charges?

    Just because something can be stolen or a monetary system can be counterfeited or abused, that doesn't make it legal to do so.

    How hard would it have been to track which cards seemed to have the most suspicious money on them? Then flip those weenies on the guy with the dongle?

    How is it illegal to "counterfeit" a non-official currency? It is like when you have a big festival where you need to buy tickets for beer, and you decide to print those tickets yourself. I always wondered which law you are supposed to be breaking there.

    Fraud.

  • WC (unregistered) in reply to mott555
    mott555:
    My university used to have a similar system, however the cards only worked on the dormitory laundry machines and a few vending machines AND the cards had a $10 limit. Anybody with a card reader could modify their balance but it wasn't really worth the effort.

    They eventually got rid of the system and now all the laundry machines are free to use anyway.

    Actually, that's worse. Because then, it would be a huge pain to refill that $10 legally every week (or day, if I drank a lot of soda) and it would be -so- easy to just keep refilling it from my computer.

  • (cs) in reply to Rumen
    Rumen:
    XXXXX:
    Why weren't there any criminal charges?

    Just because something can be stolen or a monetary system can be counterfeited or abused, that doesn't make it legal to do so.

    How hard would it have been to track which cards seemed to have the most suspicious money on them? Then flip those weenies on the guy with the dongle?

    How is it illegal to "counterfeit" a non-official currency? It is like when you have a big festival where you need to buy tickets for beer, and you decide to print those tickets yourself. I always wondered which law you are supposed to be breaking there.

    Theft or fraud I would think... They'll likely just kick you out and ban you rather than pursue criminal charges. I think charges would come in once you start selling them at a "discounted" price.

    But then again, unless they can prove that it's counterfiet (stamp on the back or special paper, etc.), then it's just another case of a weird guy who buys up a bunch of tickets and sells them at a loss...

  • Marvin the Martian (unregistered) in reply to shadowman
    shadowman:
    Severity One:
    Paco:
    In Holland, [...]
    No, the Netherlands. Holland as an independent state ceased to exist over two centuries ago.

    But the region of Holland still exists in the Netherlands. Are you saying he doesn't live there?

    Indeed... That two-province (North & South) Holland contains Amsterdam, The Hague, and Rotterdam... and indeed that system was introduced there.

  • Ken (unregistered) in reply to Severity One

    assuming they have the legal accounting stuff that records real payments into the system and expenditures from the system you can tell someone is doing something not legit when the expenditures are greater than payments into the system.

  • (cs)

    I was expecting the story to end differently.

    I assumed that the balance stored on the card was less definitive and more temporary. I assumed that the card would "sync" with your real balance when you use a vendor with network access, such as the bookstore, as that's also the only place you're able to add money.

    So, if you tamper with your card, you might be able to purchase something from a vendor with no network access (ballgame, vending machine), but the vendor will eventually process the transaction on the network, affecting your real balance, which by this time may throw you in the negative.

    Then, next time you go to the bookstore, you end up owing a lot of money, or you get a bill at the end of the semester. Either way, no need for cops.

    As long as the card is the ONLY card on the account, and you don't screw with it, it shouldn't let you go negative, but there would still be recourse if you screw with it.

    Hell... based on how the write-up "ended" that may really be what happened.

  • AP2 (unregistered) in reply to Satanicpuppy
    Satanicpuppy:
    Worse than that. If the encrypted data is just money (which it would seem that it has to be, for it to be so trivially transferred) the transactions are same-as-cash. Impossible to check.

    No doubt they realized that they'd been had when they did the accounting, but the odds of them being able to trace it back to the physical card are slim.

    It doesn't have to be, it could be copying everything including the user id. But there's an easy way to check: charge two different cards with the same balance (say, $5) and compare the data. If they're the same, the cards are untraceable.

  • steveo (unregistered) in reply to Cap'n Spanky

    hunter2hunter2hunter

    I see the above string rather than asterisks.

  • Pol (unregistered) in reply to The Flaming Foobar
    The Flaming Foobar:

    Tm8gc2hpdCwgU2hlcmxvY2suLi4=

    Lol!!

Leave a comment on “Wild Card”

Log In or post as a guest

Replying to comment #:

Log Out

« Return to Article