Security Software

The Rising Barcode Security Threat

eldavojohn writes "As more and more businesses become dependent on barcodes, people are pointing out common problems involving the security of one- or two-dimensional barcode software. You might scoff at this as a highly unlikely hacking platform but from the article, 'FX tested the access system of an automatically operated DVD hire shop near his home. This actually demanded a biometric check as well, but he simply refused it. There remained a membership card with barcode, membership number and PIN. After studying the significance of the bar sequences and the linear digit combinations underneath, FX managed to obtain DVDs that other clients had already paid for, but had not yet taken away. Automated attacks on systems were also possible, he claimed. But you had to remember not to use your own membership number.' The article also points out that boarding passes work on this basis — with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations."
  • by schon ( 31600 ) on Monday December 31, 2007 @07:50PM (#21870916)

    Maybe I'm missing something salient, but all this says is if you change the membership number provided to the system, the system will use that instead of any other.
    Yes, you are missing something. And it's significant because of this:

    instead of the number being provided via a keyboard, it's provided via a barcode.
    Yes, and the people operating the machines that read these codes trust them.

    Think about this: you go somewhere that uses ID/membership cards with barcodes on it. Salesdrone asks for your card. If you just give them the number verbally and are security-minded, they'll probably ask for ID. However if you provide the card, they won't, because the card *is* the ID.

    Non-technical people don't understand how barcodes work, so they assume that nobody else does either. So if nobody else understands it, then it can't be forged.
  • Nothing special (Score:4, Insightful)

    by markdavis ( 642305 ) on Monday December 31, 2007 @07:58PM (#21870970)
    There is nothing special or inherently secure about barcodes. They are just a machine readable number. Security has nothing to do with it- those are measures taken outside the barcodes. Anyone can print any type of barcode on just about anything.
  • by Anonymous Coward on Monday December 31, 2007 @08:00PM (#21871002)
    Pre-y2k the BART ticketing system was extremely hackable and a lot of duped tickets were being made with magstripe writers. BART used y2k as an excuse to upgrade their systems, and the tickets are uniquely identified now so forging them is pretty difficult.
  • by shlingus ( 1046986 ) on Monday December 31, 2007 @08:08PM (#21871036)
    Being able to print 2-dimensional, 3-dimensional, or even n-dimensional barcodes is useless no matter what software you have unless you already possess the inside info of knowing somebody's valid account number, data, etc. If somebody's gotten a hold of enough info to successfully print and use an illicit barcode, your security problem lies NOT with the barcode itself but with the system that allowed this information to get out in the first place.

    The same situation exists with magnetic stripes. If you have valid account data you can write it to a magnetic stripe on a card and go to town with it. It's getting the data that's the hard part.
  • Here we go again (Score:3, Insightful)

    by Flexagon ( 740643 ) on Monday December 31, 2007 @08:08PM (#21871040)
    Sounds like the brilliant utility companies of the '60s that trusted the billing and payment amounts that they sent to their customers on punched cards, and expected to trust when the cards were returned with "payment".
  • by bmsleight ( 710084 ) on Monday December 31, 2007 @08:26PM (#21871132) Homepage

    amusingly including other supermarket's cards
    It's good marketing to take other supermarkets' discounts. Kind of like making sure Oo.o can read other file formats, it keeps you coming back.
  • Re:Nice vacations? (Score:5, Insightful)

    by JacksBrokenCode ( 921041 ) on Monday December 31, 2007 @08:50PM (#21871240)

    You'd have to study more than just algorithms to get on a plane - all of the data the barcode represents would have to be in the airline's computer as well, else you won't ever get past the gate.

    Ticket numbers are tied to specific passengers, not just flight & seat info. If you got to the point where you could accurately predict future ticket numbers for other passengers, you'd be able to get past security and likely on the plane... until a legitimate passenger shows up with the same ticket number. Even if you didn't sit in the seat you forged, they'd force everyone to disembark and reauthenticate themselves with photo-ids. Then there's the uncomfortable situation of trying to explain why you forged a boarding pass to circumvent security measures.

  • Duplicate Tickets (Score:2, Insightful)

    by Tablizer ( 95088 ) on Monday December 31, 2007 @11:15PM (#21871876) Journal
    The article also points out that boarding passes work on this basis -- with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations."

    What if the rightful owner shows up with the same ticket number? Unless the tracking software is lame, it should note that a given number had already checked in. At that point, an investigation would ensue. The perpetrator is probably caught on camera for non-trivial travel and the time stamp of check-in and the camera would identify the crook.
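
The thread's recurring point is that a barcode is only a machine-readable number, so the checks have to live in the system behind the scanner. The sketch below is an added example, not part of any comment or of the article: it contrasts a reader that trusts the scanned number with one that verifies a server-side HMAC tag and records redemptions, as the duplicate-ticket comment suggests. The key, the sample numbers and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: a server-side secret that is never printed on the card or ticket.
SECRET_KEY = b"constructed-demo-key"
KNOWN_IDS = {"1000042", "1000043"}  # constructed sample ticket numbers


def naive_scan(barcode: str) -> bool:
    """Trusts the scanned number as-is: any number the system knows is accepted."""
    return barcode in KNOWN_IDS


def _tag(ticket_id: str) -> str:
    """Truncated HMAC-SHA256 over the id, computed with the server-side key."""
    return hmac.new(SECRET_KEY, ticket_id.encode(), hashlib.sha256).hexdigest()[:16]


def issue(ticket_id: str) -> str:
    """Payload to encode in the barcode: the id plus its tag."""
    return f"{ticket_id}-{_tag(ticket_id)}"


class Gate:
    """Verifies the tag, then refuses an id that was already redeemed."""

    def __init__(self):
        self.redeemed = set()

    def scan(self, payload: str) -> str:
        ticket_id, sep, tag = payload.rpartition("-")
        if not sep or not ticket_id:
            return "reject:malformed"  # bare number, no tag at all
        # Constant-time comparison of the presented tag with the expected one.
        if not hmac.compare_digest(tag.encode(), _tag(ticket_id).encode()):
            return "reject:forged"  # number changed without knowing the key
        if ticket_id in self.redeemed:
            return "reject:duplicate"  # copied barcode or second presentation
        self.redeemed.add(ticket_id)
        return "accept"
```

The tag stops a changed or guessed number from validating; it does nothing against a photocopy of a valid barcode, which is why the redemption record is still needed for single-use tickets.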
         
