- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Admin
Victor's experiment as stated only proved that he could copy a value from one card to another card. It doesn't prove that the value copied was a balance.
Certainly it COULD have been an encrypted balance, but it could also have been an encrypted student ID number or account number. If so, the machine would have read Patrick's card as Victor's and happily debited Victor's account for the sodas.
This doesn't make it any more secure, of course, it just changes who the victim is. If it's a balance, the victim is the school; if it's an ID, the victim is the student whose card gets duped.
Admin
I think my Uni briefly had a similar system for a while, except rather than being like a credit card, it was more like a 'PhoneCard' (which were popular back then - you get cards that you could stick in public phones to make calls - although originally these were one-use (with holes to represent how much credit was used, I think) eventually these became refillable). The Uni got on board, and everyone's Student Card became a refillable phoneCard, which was accepted in most places on campus, as well as many vending machines and a few stores around the city... I always wondered whether the reason it was dumped so quickly (1-2 years) was that although they had always realised the value of the cards was like cash so people would steal them, they never realised that students would be so tight as to try to work out ways to get bang for their buck - and a card that stored its value seemed a perfect target...
Admin
I think Remy did it because he knew the arguments it will cause about encrypting vs encoding vs hashing... Getting the impression that increasingly little tidbits are added to [s]spark argument[/s] spark debate
Admin
Fraud. You are obtaining goods (beer) by deception
Admin
aHR0cDovL3hrY2QuY29tLzE1My8K
Admin
Our university had a similar stored-value system for photocopying. It very quickly became known that if you cut 2mm out of the mag stripe in the right place your card always read as having $12.50 on it. Unfortunately they only worked in photocopiers and there was a limit to how much photocopying I wanted to do.
Those cards only lasted a year before being replaced.
Admin
Admin
Admin
By Jove, you're right!! I've never heard of anyone guilty as sin getting off because he had a good lawyer.
Have you ever had a look at how many prosecutions are actually successful? Me neither, but I'm sure there are thousands of cases where the police do good investigation, and catch the right man, but the courts never manage to get a prosecution because there was a breakdown in process, or something was done ever so slightly wrong by the coppers, or there is insufficient evidence to conclusively prove what is bleedingly obvious etc....
Just because we are all certain that the dude in the ski mask with the gun and the bag of money is the perp, doesn't meant that the courts won't rule that there is some shadow (and that's all that's needed) of a doubt....
Lawyers suck unless you're a crim.
Admin
obtaining property by false pretenses
Admin
Innocent until proven guilty. We don't believe CK is SM until you prove without a shadow of a doubt that he is.
Admin
Admin
And what good did it do to only keep $5 on your card? Unless the value of your card was emblazoned on your forehead in neon, a mugger didn't know the value of your card until he took it. So, whether you've got $1,000,000 or $1, you still get mugged.
Admin
Yes, but you only lose $5, as opposed to $1,000,000.
A-DUUUUURRRRRRRRR
Edit:
Person A: I only kept $5 in my wallet, because muggings were frequent. Person B: But how would the mugger know you only had $5, genius?!
Admin
FTFY
Admin
We used to use blueboxes, DTMF dialers (I had a watch that dialed DTMF) and payphone bugs to get free calls back in the day (before internet etc).
One of the good ones was you could actually start to dial before the screen picked up the keystrokes. So, for a long time, you could quickly dial '0800' (which is toll free here) before the numbers would start to appear on the pay phone screen. This meant you could dial '0800' and the screen would then display 'toll free number' and give you an open line, but it never actually DIALED the 0800 due to you entering it before the phone line was ready. This meant that you could dial 0800 very quickly, then dial ANY number you wanted and be connected.
Was great for getting the phone numbers of payphones.
Also, there was a flaw with the payphones in that they hold onto your coin until the call is connected, then drop it down to a money box. If the call isn't connected, the coin is dropped to the return slot. We discovered if you put in a 50c piece, then punched the phone right on the logo, you could make the coin 'jump' and about 80% of the time, it would fall down the return slot... letting you put it back in and build up your credit. Usually was good for getting $3-$5 worth of credit from a 50c.
Admin
Hey - Thanks for the tip!!! I never knew that one!
Admin
At our school, they started bolting vending machines to the ground after students worked out that knocking them over could help you knock them over.... Good hip'n'Shoulder usually managed to loosen a coupl' bags of chips, but.
Admin
Don't tell anyone this, but Racer X is secretly Speed's older brother, Rex (crosses slides on screen).
Admin
Except in the UK if they're football tickets, because it's illegal to resell them (afaicr).
Admin
Or an innocent person being wrongly accused.
Admin
In which case they suck harder.
Admin
I work at a security company in R&D and have everyday access to Mifare and 125KHz card reading and encoding technology. This article comes as no surprise to me. The transport card I carry and use every day stores the encrypted value on the card with the default read and write keys, meaning anyone can read and write it. Nothing appears to be stopping a "save and reload" attack except for the fact that I am an honest person.
Admin
Multi-million euro investment, according to the picture.
Maybe that will call for another hundred comments or so :-)
Admin
Are such cards really worth the effort?
Admin
Admin
By that logic one is not allowed to begin a sentence with "In Texas, [...]". Holland still exists as place.
Admin
Oops, this was intended to be in reply to this:
Admin
Correct. This is apparently a special provision in law, which has been extended to cover Olympic/Paralympic tickets. The conditions of most other tickets also prohibit resale above face value, not that most companies bother enforcing it.
If you went and "created" some of this virtual currency, you would be obtaining goods by deception (i.e. telling the vendor that you have credit when you don't).
Admin
Slight correction - football resales are banned by s.166 Criminal Justice and Public Order Act 1994 (same Act as the "repetitive beats" nonsense), *lympic resales are covered by s.31 London Olympic Games and Paralympic Games Act 2006.
[Only because I know what you lot are like.]
Admin
(And no, Great Britain is not the same as the United Kingdom, and then there's the Isle of Man, Jersey, and Guernsey and Alderney, which are part of neither, but still their citizens have a British passport. And that's just the European part of what we shall call 'Britain', for want of a more inclusive phrase. Well, except Gibraltar, which is also in Europe, and a crown colony. They do this on purpose, you know. Confuse the enemy.)
Admin
Admin
[1] The land border is defined by historic county boundaries. The sea border, ... not so much. (PROTIP: it's not straight down the middle.)
Admin
Admin
Admin
In the 80s, the national banks introduced an nation wide ATM system based more or less on the same principle; the ATMs where not all the time connected, and the data where updated nightly; the cards, called 'Bancomat' where purely magnetic at the time.
So, if you duplicated a card, you could take money from each ATM up to your daily limit.
Somebody actually did it, duplicated a few thousands cards and run all the day in the north of Italy. It was caught anyway, because it was the only customer of the card writing equipment that was not a bank.
Maurizio
Admin
SSBkaWRuJ3QgZXZlbiBjbGljayBvbiB0aGUgbGluayBhbmQga25ldyBpdCB3YXMgc29tZSBmYWcgbGlua2luZyB4a2NkLiBJdCdzIG5vdCBjbGV2ZXIuIEl0J3Mgbm90IGZ1bm55LiBKdXN0IHRoZSB3b3JkICJidXR0ZXJmbGllcyIgd2l0aCBhIGxpbmsgdW5kZXIgaXQgYW5kIHRoZSBzaG9ydCwgdXNlbGVzcywgb25lIHNlbnRlbmNlIHBvc3Qgd2FzIGFsbCBJIG5lZWRlZCB0byBrbm93IHRoYXQgeW91IHdlcmUgbGlua2luZyB0aGUgY2FydG9vbiB3aGVyZSB0aGUgcHJvZ3JhbW1lcnMgaXRlcmF0aXZlbHkgb25lLXVwIGVhY2ggb3RoZXIgb24gaG93IHRoZXkgaW5wdXQgYSBwcm9ncmFtLg0KDQpGVUNLIFlPVSBGVUNLIFlPVSBGVUNLIFlPVSBGVUNLIFlPVSBGVUNLIFlPVSBGVUNLIFlPVSBGVUNLIFlPVSBGVUNLIFlPVSBGVUNLIFlPVSBGVUNLIFlPVSBGVUNLIFlPVSBGVUNLIFlPVQ0KDQpJdCB3YXMgZnVubnkgdG8gcmVhZCB3aGVuIGl0IGNhbWUgb3V0LiBJdCdzIGV2ZW4gZnVubnkgd2hlbiBjbGlja2luZyBvbiB0aGUgUmFuZG9tIGJ1dHRvbiBvbiB0aGUgc2l0ZSBhbmQgc2VlaW5nIGl0LiBJdCdzIE5PVCBmdW5ueSB3aGVuIHNvbWVvbmUgbGlua3MgdG8gaXQgZnJvbSBhIG9uZS1zZW50ZW5jZSBwb3N0IGFuZCB0aGlua3MgdGhleSdyZSBzbyBmdWNraW5nIGNsZXZlciB0byBoYXZlIGRpc2NvdmVyZWQgeGtjZC4NCg0KWW91IHByb2JhYmx5IHN0aWxsIHVzZSBsbWd0ZnkgYW5kIHRoaW5rIHlvdSdyZSBzbyBkYW1uIGNsZXZlci4NCg0KSXQgbWVhbnMgaW4gcmVhbCBsaWZlLCB5b3UncmUgYW4gdW5vcmlnaW5hbCBoaXBzdGVyIGRvb2Z1cy4NCg0KDQpHb3QgYW55dGhpbmcgdG8gZG8gd2l0aCBzYW5pdGl6aW5nIGlucHV0cyB0byBhIFNRTCBkYXRhYmFzZSwgZXRjLj8gTGluayB0byBCb2JieSBUYWJsZXMuIEdvdCBhIG5lcmQtcHJvamVjdCBzbG93LWFzcyB0dXJpbmcgbWFjaGluZT8gTGlrZSBhIG1pbmVjcmFmdCBsb2dpYyBjaXJjdWl0IGZyb20gcmVkc3RvbmU/IExpbmsgdG8gdGhlIG9uZSB3aGVyZSBpdCdzIHNvbWUgZ3V5IGFsb25lIGluIHRoZSB3b3JsZCBtYWtpbmcgYSBjb21wdXRlciBvdXQgb2Ygcm9ja3MuIEdvdCBhIHN0b3J5IGFib3V0IHBhc3N3b3JkIHNlY3VyaXR5IG9yIGVuY3J5cHRpb24/IExpbmsgdG8gdGhlIG9uZSB3aGVyZSB0aGV5IGJlYXQgdGhlIHBhc3N3b3JkIG91dCBvZiB0aGUgZ3V5IHdpdGggYSB3cmVuY2guDQoNCkZ1Y2sgb2ZmLiBZb3UncmUgbm90IGNsZXZlci4gDQoNCkZVQ0sgWU9VIEZVQ0sgWU9VIEZVQ0sgWU9VIEZVQ0sgWU9VIEZVQ0sgWU9VIEZVQ0sgWU9VIEZVQ0sgWU9VIEZVQ0sgWU9VIEZVQ0sgWU9VIEZVQ0sgWU9VIEZVQ0sgWU9VIEZVQ0sgWU9V
Admin
if only they used bitcoin
Admin
Credit amount is stored on the card etc. etc. etc.
Admin
The fact that a university would deploy such an obviously flawed system is even more disappointing (and even less shocking) than the fact that a university graduate misspelled "led" as "lead" when typing up this story.
Admin
When I was in college, nobody bothered writing up the encoding because any CS student could recognize the data just by looking at the position of the holes in the card.
Admin
A federal offense that is state-specific? Now that's interesting.
Admin
It would be even more interesting if it weren't a federal offence in Oklahoma.
Admin
Admin
Ponies... PONIES EVERYWHERE.
Admin
aHAH, but what if I tricked it up ;)
eAENxzEOgCAMBdDdU3x3dTKu3MDFwTgi1EjElkCN4fb6trcIdltoGuHkYS2wBcQu16RBGCyvAdaz wgf/bxdfoRQjbjLDsFHpMAv36VHKOCRecJYVmaxH0Lb5AFqtIQM=
Admin
My high school and junior high had a student ID with a barcode - the barcode led to a centrally stored database that kept track of how much you had in your lunch money. When you went through the lane, your barcode was scanned, and your lunch was rung up. The ammount was deducted and the nice lady told you your balance.
Somehow my brother found the lunch software on the school server - connecting from another computer at the school while he was supposed to be using it for class. There was no user credentials or anything from blocking him from using the program - all he had to do was find it on the server.
BUT INSTEAD OF just creating money out of thin air, whenever he credited money to a friends account, he took away money from someone elses. The school didn't loose money, but many people lost a day or two worth of three dollar lunches. No one knew about it because the lunch program wasn't bleeding money mysteriously.
Admin
I don't disagree with the gist of your comment at all. I'm not claiming that 100% of guilty persons are caught, convicted, and penalized, and that no innocent person anywhere has ever been penalized for a crime he didn't commit. Of course not. Like any system designed and run by fallible human beings, the criminal justice system is full of holes.
What I AM saying is that the post I originally replied to carried this to the extreme in saying that this was a crime that you would obviously and inevitably get away with. Even if the system did not keep an audit trail of any kind that would identify the guilty parties, that would make the problem for the police little different from identifying the person who committed a fraud in pre-electronic days. They would have to rely on things like witnesses and circumstantial evidence.
If someone steals cash, last I checked green paper bills did not have an automated method to track the identify of the thief. Nevertheless, the police often manage to solve such crimes. Not always, of course. But it certainly can be done.
Admin
Not to defend lawyers, but ...
Lawyers are also useful if, say, you don't know all the ins and outs of the law. For example, I've gone to a lawyer to have a will drawn up. If I tried to write my own, it might well have some flaw in it: I might use a word or phrase that has a technical meaning to the courts but that I intended in a different way, or I might be trying to do something that does not meet legal requirements, etc. And by the time the problem will my self-written will was apparent, I would presumably be dead and thus not available to explain what I really meant or correct the problems.
I don't think all lawyers are evil and corrupt. It's just that the 90% who are give all the rest a bad name.