The Rising Barcode Security Threat
eldavojohn writes "As more and more businesses become dependent on barcodes, people are pointing out common problems involving the security of one- or two-dimensional barcode software. You might scoff at this as a highly unlikely hacking platform but from the article, 'FX tested the access system of an automatically operated DVD hire shop near his home. This actually demanded a biometric check as well, but he simply refused it. There remained a membership card with barcode, membership number and PIN. After studying the significance of the bar sequences and the linear digit combinations underneath, FX managed to obtain DVDs that other clients had already paid for, but had not yet taken away. Automated attacks on systems were also possible, he claimed. But you had to remember not to use your own membership number.' The article also points out that boarding passes work on this basis — with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations."
Re:This is a fairly obvious vector (Score:5, Insightful)
Think about this: you go somewhere that uses ID/membership cards with barcodes on it. Salesdrone asks for your card. If you just give them the number verbally and are security-minded, they'll probably ask for ID. However, if you provide the card, they won't, because the card *is* the ID.
Non-technical people don't understand how barcodes work, so they assume that nobody else does either. So if nobody else understands it, then it can't be forged.
Nothing special (Score:4, Insightful)
Re:Magnetic, but... (Score:1, Insightful)
Barcodes still worthless without insider info... (Score:3, Insightful)
The same situation exists with magnetic stripes. If you have valid account data you can write it to a magnetic stripe on a card and go to town with it. It's getting the data that's the hard part.
Here we go again (Score:3, Insightful)
Re:Must admit I've taken advantage... (Score:3, Insightful)
Re:Nice vacations? (Score:5, Insightful)
Ticket numbers are tied to specific passengers, not just flight & seat info. If you got to the point where you could accurately predict future ticket numbers for other passengers, you'd be able to get past security and likely on the plane... until a legitimate passenger shows up with the same ticket number. Even if you didn't sit in the seat you forged, they'd force everyone to disembark and reauthenticate themselves with photo-ids. Then there's the uncomfortable situation of trying to explain why you forged a boarding pass to circumvent security measures.
Duplicate Tickets (Score:2, Insightful)
What if the rightful owner shows up with the same ticket number? Unless the tracking software is lame, it should note that a given number had already checked in. At that point, an investigation would ensue. The perpetrator is probably caught on camera for non-trivial travel and the time stamp of check-in and the camera would identify the crook.