Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

The Rising Barcode Security Threat

Posted by ScuttleMonkey on Mon Dec 31, 2007 06:23 PM
from the what's-in-a-number dept.
Security Software
eldavojohn writes "As more and more businesses become dependent on barcodes, people are pointing out common problems involving the security of one- or two-dimensional barcode software. You might scoff at this as a highly unlikely hacking platform but from the article, 'FX tested the access system of an automatically operated DVD hire shop near his home. This actually demanded a biometric check as well, but he simply refused it. There remained a membership card with barcode, membership number and PIN. After studying the significance of the bar sequences and the linear digit combinations underneath, FX managed to obtain DVDs that other clients had already paid for, but had not yet taken away. Automated attacks on systems were also possible, he claimed. But you had to remember not to use your own membership number.' The article also points out that boarding passes work on this basis — with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations."
+ -
story

Related Stories

Submission: The Rising Barcode Security Threat by eldavojohn (898314)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

The Rising Barcode Security Threat 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Nice vacations? (Score:5, Funny)

    by MiniMike (234881) on Monday December 31 2007, @06:26PM (#21870786)
    > The article also points out that boarding passes work on this basis -- with something
    > like GNU Barcode software and a template of printed out tickets, one might be able
    > to take some nice vacations."

    Yeah, in Guantanamo...

    • Re:Nice vacations? (Score:5, Funny)

      by jacquesm (154384) <.j. .at. .ww.com.> on Monday December 31 2007, @06:30PM (#21870816) Homepage
      water boarding passes ?

    • Re:Nice vacations? (Score:5, Interesting)

      by Penguinisto (415985) on Monday December 31 2007, @06:31PM (#21870822) Journal
      There's also the missing component of having the corresponding data in the airline's computer network/system that matches the barcode for that flight, at that time, on that date, at that gate, for that seat, etc etc... it only get more complex if you're dumb enough to try and check baggage as well.

      You'd have to study more than just algorithms to get on a plane - all of the data the barcode represents would have to be in the airline's computer as well, else you won't ever get past the gate.

      Unless there's some sort of secret code that gives free flights (could be, like for stewardesses returning home and such), it just ain't gonna happen that way.

      Of course you could get real lucky, but it would have to be something on the scale of winning enough money via the Lottery to pay for the flight.

      /P

      • Re:Nice vacations? (Score:5, Insightful)

        by JacksBrokenCode (921041) on Monday December 31 2007, @07:50PM (#21871240)

        You'd have to study more than just algorithms to get on a plane - all of the data the barcode represents would have to be in the airline's computer as well, else you won't ever get past the gate.

        Ticket numbers are tied to specific passengers, not just flight & seat info. If you got to the point where you could accurately predict future ticket numbers for other passengers, you'd be able to get past security and likely on the plane... until a legitimate passenger shows up with the same ticket number. Even if you didn't sit in the seat you forged, they'd force everyone to disembark and reauthenticate themselves with photo-ids. Then there's the uncomfortable situation of trying to explain why you forged a boarding pass to circumvent security measures.

      • I don't think that's the mechanism for this attack at all. You'd take the fake barcodes to the e-ticket terminals and pretend to be someone flying that day. Then you just take their tickets. Of course, when they do arrive and make a fuss, you'll get flagged and caught when you try to use the tickets at the gate.

      • Not entirely accurate... (Score:5, Interesting)

        by Anonymous Coward on Monday December 31 2007, @08:56PM (#21871560)
        I've done this for kicks just to see if I could do it, but once I brought one of my fake ID's and fake boarding passes to the airport and got through the "security" (security? BAHAHAHA!) and made it into the terminal. Bought some drinks, ate some food and went home.

        No one was the wiser.

        You see, it's just a billion dollar FARCE and a WASTE OF TAXPAYERS MONEY for the *feeling* of safety when there really isn't any.

        Of course I couldn't get on the plane. I couldn't get on a plane in 2001 without a correct ticket anyways. They had the barcode scanners to "check" you into the plane anyhow. At least, I remember them being available back in 1999 -AND- I wasn't too keene on getting onto a plane where there weren't enough seats where I'd get caught :P

        Anyways, just as I said, this is easy to blow a hole through. There's nothing in the world that makes me more mad than being patted down, scanned or searched before boarding PUBLIC TRANSIT. I'm not a criminal, wtf are government agencies doing there?

        (posted anon and through a couple anon proxies)

      • Passes worthless! I got on a flight without paying (Score:5, Interesting)

        by KWTm (808824) on Monday December 31 2007, @09:21PM (#21871680) Journal

        There's also the missing component of having the corresponding data in the airline's computer network/system that matches the barcode for that flight, at that time, on that date, at that gate ...
        You won't be so sure after you hear what happened to me.

        Once, I got on a flight to Hawaii. The plane was about to push off and, like most of the other passengers, I had settled into my seat. Then some other passenger came and said I was sitting in her seat! We compared boarding passes, and lo and behold, both of our passes were for the same seat! We couldn't figure it out, so we asked the flight attendant for assistance. She couldn't figure it out either, so she had to go back to the boarding gate with our passes to ask the ground crew to figure it out.

        After a while, someone finally realized what happened. I was on the wrong flight! I was on board a direct flight to Hawaii, but I had actually bought a ticket to fly to San Francisco and from there transfer to a flight to Hawaii. I had always thought of it as "my flight to Hawaii" and had completely forgotten that I would have to transfer. The boarding gate was off by one, but the airport always changes boarding gates at the last minute and I figured this was one of the times. And the flight was scheduled 5 minutes before my actual flight, so I figured that the flight was early. I lined up like everyone else with my Internet-printed boarding pass, the computer scanned it, and I got on board just like everyone else. There was no alarm that I was on the wrong flight or anything like that.

        That was with me accidentally getting on the wrong flight. What do you suppose could happen if someone was intentionally trying to pull off a deception? The only redeeming feature is that this happened in 2002, and I hope that airline security has improved somewhat since then. (I can dream, can't I?)
        • Hmm. I boarded a flight on Dec. 24, sitting in seat 27C. As I got on the plane and handed the ticked to the member of cabin crew (having already had this boarding pass scanned at least twice) for her to direct me to my seat, she pointed it to me, and then did a double take.

          "Sorry," she said, "I thought your ticked was for December 27, not row 27."

          Now, either she was tired, or that's something that happens sometimes. Anybody know?

        • Re:Passes worthless! I got on a flight without pay (Score:5, Interesting)

          by jbengt (874751) on Monday December 31 2007, @10:35PM (#21871994)

          "and I hope that airline security has improved somewhat since then. (I can dream, can't I?)"

          Keep dreaming.
          My experience with a current construction project for a major airline at a major airport speaks to a discomfortingly confused security situation.

          The first time I went to the site with the Architect, who had a badge to escort us into the terminal, we were refused entry at 3 different points, always told to go somewhere else that wouldn't let us in. Then we went to an airline official, who said that the badge the architect had would get us in at a security gate that we tried before, so she escorted us there, and we weren't let in. So she did about a half hour of research, and found that we needed to go to the desk where they check in pets in their crates! There they checked the architect's badge and our IDs and issued us each a ticket-like piece of paper that we took to the security gate. There they took that "ticket" from us (and my co-worker's zippo lighter) and let us through. We then had the run of the place, without any ticket or pass.
          We spent over an hour and a half getting in to do 2 hours of work. Then, after suffering through all that security red tape, we at one point got separated from the contractor with the keys, while we were in the non-secure loading dock (accessible from a public roadway). But not to worry, a friendly worker let us back to the secured passenger terminal side.

          The second time I went with my boss, who picked up his own badge that he applied for three weeks earlier. He had been told it was ready to pick up. It took a little over an hour wating in lines and watching safety videos to pick up the badge. But when we tried it (it was a swipe and pin number type), it didn't work. So we went back down to the security badging office, only to find a sign on the door saying that they were closed for lunch and would be back at 1:00pm (even though it wasn't noon yet). I went back to the office, and he stayed the rest of the day to get it straightened out and do about an hour of work.

          The third time I went, construction was well under way, the walls were knocked down, and the only thing bewteen the public parking and the secure air side was some pastic sheeting.

          Did I mention that both the existing layout and the new design include a loading dock that connects the non-secured public roadways with the secure airside through a locked, but un-manned, door? Anyone on the inside (including employees, or sneaky passengers) could open the door, (or man the freight elevator if they had the key), and bring large, explosive things off the truck with a forklift and into the passenger terminal.

    • or like two people in the same airline seat. I flew 18 segments in 2007 and only two of them had empty seats.
    • Yeah, I'm sure the NTSB will have a great laugh when they find out that two people have boarded a plane with the intention of sitting in the same seat. I hear they always find it hilarious when an unauthorized "passenger" slips aboard a plane. They even have a special word for those people: terrorists. Just imagine if you get airborne: the NTSB will radio the plane, the pilot will make a u-turn, the crew will get flustered and stare at you, and the other passengers will "subdue" the shit out of your face, o
  • with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations.

    you terrorist scum!
  • Maybe I'm missing something salient, but all this says is if you change the membership number provided to the system, the system will use that instead of any other. The only difference is that instead of the number being provided via a keyboard, it's provided via a barcode.

    Nothing to see here, move along.

    • Re:This is a fairly obvious vector (Score:5, Insightful)

      by schon (31600) on Monday December 31 2007, @06:50PM (#21870916) Homepage

      Maybe I'm missing something salient, but all this says is if you change the membership number provided to the system, the system will use that instead of any other.
      Yes, you are missing something. And it's significant becaose of this:

      instead of the number being provided via a keyboard, it's provided via a barcode.
      Yes, and the people operating the machines that read these codes trust them.

      Think about this: you go somewhere that uses ID/membership cards with barcodes on it. Salesdrone asks for your card. If you just give them the number verbally and are security-minded, they'll probably ask for ID. However if you provide the card, they won't, because they the card *is* the ID.

      Non-technical people don't understand how barcodes work, so they assume that nobody else does either. So if nobody else understands it, then it can't be forged.
      • It's still lame. They shouldn't trust the input of the barcode, any more than a web developer trusts their input. Perhaps the membership numbers should be more sparse and difficult to guess.
        • Or lusers trust phishing emails. They do because they don't know any better, and they likely don't care either.

        • They shouldn't trust the input of the barcode, any more than a web developer trusts their input.
          Perhaps if you were comparing the people who *designed* the barcode system to web developers you'd have a point, but expecting the same from a minimum-wage clerk who's never had any real security training and doesn't even know how the system works is a bit much.

    • Re:This is a fairly obvious vector (Score:5, Interesting)

      by jimmyswimmy (749153) on Monday December 31 2007, @07:09PM (#21871046)
      I used to work at a semiconductor fab - basically a big chemical factory. Access control, security and timecards were all kept by a barcode system, printed on the back of your badge. I had a lot of fun making bar codes to see which would get me into places I shouldn't have been, like the spaces between the cleanroom walls, or the tunnel under the building, or the chemical storage area (that was a place I didn't ever like being in). Probably seems worse now than it did then.

      Back in elementary school we had a stored-value system for buying lunch, with security based on bar codes on little plastic cards. This was nearly 20 years ago and there was free software available then (on my Commodore 64? Atari? Can't remember) to generate bar codes. I made a couple, based on the ID numbers of friends, and gave them to the lunch lady, telling her that those cards were a bad idea. They never changed anything, though. These days I'd have been kicked out of school for that, though, if not arrested.
  • BART tickets in SF are magnetic, not barcodes, but I've been expecting fakes Any Day Now.

  • Great. (Score:3, Funny)

    by Rgb465 (325668) <gbk@nOspAM.insightbb.com> on Monday December 31 2007, @06:43PM (#21870882) Homepage

    The article also points out that boarding passes work on this basis -- with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations."

    Great, now GNU Barcode will be classified as a terrorist weapon...

  • Must admit I've taken advantage... (Score:4, Funny)

    by russotto (537200) on Monday December 31 2007, @06:54PM (#21870940) Journal
    Darn it, now Acme* is going to read this and put a stop to my fake-discount-card ways. (they'll accept any code with the right length and first three digits... amusingly including other supermarket's cards).

    *That's the grocery store, not Roadrunner's coyote-torturing company.

    • Re: (Score:3, Insightful)

      by bmsleight (710084)

      amusingly including other supermarket's cards
      It good marketing to take other supermarkets discounts. Kind of like making sure Oo.o can read other file formats, it keeps you coming back.

      • All stores that I've seen will allow you to get a "Club Card" or equivalent without giving any personal information.

        But they probably link it up first time you slip up and use a debit/credit card to pay. Using different "cards" prevents that.

        So does using the phone number the last guy used. Or in a pinch, just make one up in a local exchange; the chance of it working likely isn't too bad. Hmm, I just had a thought... what if you give the store's own main number? They probably have a card keyed to that.

  • Nothing special (Score:4, Insightful)

    by markdavis (642305) on Monday December 31 2007, @06:58PM (#21870970)
    There is nothing special or inherently secure about barcodes. They are just a machine readable number. Security has nothing to do with it- those are measures taken outside the barcodes. Anyone can print any type of barcode on just about anything.

  • Barcodes still worthless without insider info... (Score:3, Insightful)

    by shlingus (1046986) on Monday December 31 2007, @07:08PM (#21871036)
    Being able to print 2-dimensional, 3-dimensional, or even n-dimensional barcodes is useless no matter what software you have unless you already possess the inside info of knowing somebody's valid account number, data, etc. If somebody's gotten a hold of enough info to successfully print and use an illicit barcode, your security problem lies NOT with the barcode itself but with the system that allowed this information to get out in the first place.

    The same situation exists with magnetic stripes. If you have valid account data you can write it to a magnetic stripe on a card and go to town with it. It's getting the data that's the hard part.

  • Here we go again (Score:3, Insightful)

    by Flexagon (740643) on Monday December 31 2007, @07:08PM (#21871040)
    Sounds like the brilliant utility companies of the '60s that trusted the billing and payment amounts that they sent to their customers on punched cards, and expected to trust when the cards were returned with "payment".
  • These types of small-scale scams have been happening for years - there's no reason to get into a panic about it now (unless it happens to be a slow-news day ..... New years, hmmm)

    Barcodes are pretty much obsolete so far as people's ID goes so the only organisations who might possibly take a hit are those that haven't updated their systems to "modern" mag-strip technlogy.

    If you wanted to try and scare people over the holidays - and there hasn't been a good scare for a while, so I suppose someone wants to

  • Fraud with copied bar codes (Score:3, Interesting)

    by steveha (103154) on Monday December 31 2007, @07:22PM (#21871120) Homepage
    I remember reading about some guy who was stealing using bar codes. He would go to a store, and put a fake price sticker complete with a fake barcode on some expensive item; then he would take the item to the cash register, where the sales person would scan the bar code, the item would ring up as something less expensive, and he would pay the amount on the cash register. Sell the item at a large profit, then repeat.

    He made up the fake stickers at home. I believe he would buy one of the less-expensive item, and at home he would duplicate its sticker. He didn't even need to generate the bar code, he was just copying the one that was on there.

    Eventually he did the same trick too many times and they caught up with him.

    If anyone remembers details of this story and can post a link to it, please do.

    steveha

    • Re:Fraud with copied bar codes (Score:4, Informative)

      by bjorniac (836863) on Monday December 31 2007, @07:41PM (#21871210)
      Been done a few times, but the one that comes to mind is this:http://www.denverpost.com/news/ci_3270764

      There was also someone who stole a bunch (something like $300k) of legos like this (yeah, geeks crime) and I remember a case involving Mall-wart and iPods...
      • This guy's problem was that he tried purchasing a $150 iPod with a $4.99 headphone barcode and naturally got caught. The better thing to have done(*) is to buy a top-end model of a product with a bottom-end model's sticker price. If you can achieve a > 2x price difference, then you can sell the original item at a hefty discount and make a profit. Was that the $149 iPod Nano or the $399 iPod touch? And if you're caught, you can easily feign ignorance as it's more likely that it was an employee labelin
    • When self-checkout machines first appeared in groceries I thought of this one.

      1) Go to your nearest grocery store that has self checkout machines as well as a weigh station in the produce dept.
      2) Pick up an expensive bottle of wine.
      3) Go to the produce section and put the wine on the scale and enter the code for a cheap item such as potatoes.
      4) Place the printed barcode sticker over the barcode on the wine bottle.
      5) Pay for your items using the self checkout. The machine verifies all purchases by ch

      • Re: (Score:2, Informative)

        by AnarkiNet (976040)
        That doesn't work.
        The cashier's screen shows the SKU/UPC, abbreviated description, and price of each item on all self-checkout lanes attached to that cashier's station (usually 4). Unless the cashier is very green, or distracted by another customer, you will certainly get caught.
        However, scuffing up the barcode on an expensive bottle of wine that looks very similar to a cheap bottle, and buying both by trying to scan the damaged barcode on the expensive bottle, which won't work with the machine, then ty

          • You must not have ever used a self checkout. While there are a number of stations that customers can use for scanning their own goods, they are tied to one station with a cashier standing there for assistance and (most likely) loss prevention. They even have a little register they can use.

            And, for once, someone should take their own advice first. To quote:

            The cashier's screen shows the SKU/UPC, abbreviated description, and price of each item on all self-checkout lanes attached to that cashier's station (

    • I was buying my kid an Xbox wireless controller from Target, the lady was having trouble scanning the UPC so she went looking for other barcodes, scanned the serial number which got a hit in their system as something for $6.99 (she figured out that wasn't right and eventually got the UPC to work).

      I was pretty surprised that the S/N (or at least the left or right part of it) matched a UPC.
    • My old employer had a timecard & access control system that used badges with a barcode. I scanned the back of my card and after some tweaking of the scan settings (the basic scan wasn't sharp enough) I was able to print out a backup badge to keep in my wallet.

      Worked out pretty well, since I was prone to forgetting my badge.

  • In other news... (Score:5, Funny)

    by Anonymous Coward on Monday December 31 2007, @07:23PM (#21871124)
    L33t hackers discovered that with a certain amount of awareness and bravado it is possible to obtain quite tasty sandwiches for free, by hanging around the pickup counter at sub shops and pretending to hold the ticket number that was just called out.

  • Souldn't work against properly designed systems. (Score:5, Informative)

    by BitterOak (537666) on Monday December 31 2007, @08:36PM (#21871474)
    Anyone who has done any work with barcodes knows they are encoding schemes, not encrypting schemes. A barcode is simply a way of representing data (may be alphanumeric or binary), in a way that is easily read by scanning equipment. The commonly used algorithms are well publicized and it is easy to obtain software to read or write them. If security is important, encryption must be applied before the data is encoded in a barcode. I've scanned many barcodes on many things, and if money is involved, such as tickets or postage, I've generally found that they decode to seemingly random binary data, which means that most likely, encryption was applied first.
    • Encryption? Why encrypt when you can just use a unique, unguessable ID and store everything of actual interest on a secured server?

      • Encryption? Why encrypt when you can just use a unique, unguessable ID and store everything of actual interest on a secured server?

        Encryption gives you the ability to verify that not only was the data read correctly, but that it is invalid rather than just being unscannable. So you can still have an unguessable ID (eg: a GUID) that's stored in a database and correlates with the info of actual interest, but also encrypt that. Where this could come in handy is in areas where there's a higher incident of employee fraud or the need for greater security/trackability. Assuming you've dealt with the problem of someone simply walking out o

  • Blockbuster Online's envelopes that you take back to the store had all kinds of account information on them, including what type of account. However, it occurs to me that all it needs to have is an account key. They should be able to scan that and your store membership card (two-key system to avoid spoofing) to return the DVD and give you credit to rent your free movie. I noticed a recent minor change in their store policy, so they may have actually fixed this?

  • Chaos Communication Congress (Score:3, Informative)

    by matelmaster (1040950) on Monday December 31 2007, @08:50PM (#21871532)
    The talk this Heise article is about (which was held at 24c3 on friday [events.ccc.de]) is actually available as a full-length download in various formats on mirrors [events.ccc.de] (look for "2273-en-toying with barcodes") and on bittorent [thepiratebay.org] along with most of the other talks given at this (totally awesome) event. And it's in english, too.
  • http://ftp.uni-kl.de/24C3/matroska/24c3-2273-en-toying_with_barcodes.mkv [uni-kl.de]

    See this website for mirrors, other video formats and the rest of the videos of the 24C3-conference (some of them are really interesting, videos with a 'de' instead of 'en' in the filename are in german). http://events.ccc.de/congress/2007/Conference_Recordings [events.ccc.de]

    Happy new year, gentleman/women :-D
  • The article also points out that boarding passes work on this basis -- with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations."

    What if the rightful owner shows up with the same ticket number? Unless the tracking software is lame, it should note that a given number had already check in. At that point, an investigation would ensue. The perpetrator is probably caught on camera for non-trivial travel and the time stamp of check-in and the

  • Considering how outdated barcodes are... (Score:3, Interesting)

    by ZonkerWilliam (953437) * on Monday December 31 2007, @10:50PM (#21872048) Journal
    I don't see much to be concerned about. "Hacking" them isn't really new, switching UPC stickers has occurred for decades, and as mentioned by another reader, it's considerably small instances. The best place to put security worries is in the bar-codes offshoot, RFID tags.
  • Or at least not more than at the moment. I just had an international Flight with e-checkin. Would have been trivial to print several boarding passes (you print them yourself) with different names. I don't remember whether it had a barcode, but at boarding they just kept the second printout. Admittedly this was from Switzerland to Austria, but still.

    I don't think barcodes are a security risk at all. Reliance on stuff that any modern printer can do is.

  • The real security threat in a barcode... (Score:3, Funny)

    by 6Yankee (597075) on Monday December 31 2007, @11:10PM (#21872132)
    ...is the Trojan zebra camouflaged within.

      • Re:bar codes can be copied (Score:4, Informative)

        by DoomfrogBW (1010579) on Monday December 31 2007, @09:43PM (#21871750)
        That is incorrect. While the barcode can be photocopied, a backend database with terminal-level authentication to verify the barcode would stop most people. Before passing to the server, the terminal takes the barcode and has the algorithm below for generating the checksum. The two are compared and if they match, then it is passed onto the server which provides the ultimate authentication. If the checksum's do not match, then it is invalid. This prevents someone from simply changing a few digits and thinking it will work, which is what the article is talking about. The following method is a popular means by which to combat photocopying. For instance: A barcode number in Code 128C can be given as 000000070314100601 then apply checksum security and add these last two digits to the end of the current number:

        // Generate CRC16 checksum using pos 1,3,5,7,9,11,13,15,17 of barcode

        unsigned short cs;
        cs = crc16((unsigned char*)barcode);
        barcode[18] = (cs / 10) + '0';
        barcode[19] = (cs % 10) + '0';
        barcode[20] = '\0';
        ...

        unsigned short __fastcall TFormMenu::crc16(char* p) {
        char checksum = 0;
        for (int i = 1; i <= 17; i += 2) {
        checksum = checksum + p[i] - '0';
        }

        return checksum;
        }

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.