The Rising Barcode Security Threat 125
eldavojohn writes "As more and more businesses become dependent on barcodes, people are pointing out common problems involving the security of one- or two-dimensional barcode software. You might scoff at this as a highly unlikely hacking platform but from the article, 'FX tested the access system of an automatically operated DVD hire shop near his home. This actually demanded a biometric check as well, but he simply refused it. There remained a membership card with barcode, membership number and PIN. After studying the significance of the bar sequences and the linear digit combinations underneath, FX managed to obtain DVDs that other clients had already paid for, but had not yet taken away. Automated attacks on systems were also possible, he claimed. But you had to remember not to use your own membership number.' The article also points out that boarding passes work on this basis — with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations."
Re:Nice vacations? (Score:5, Interesting)
You'd have to study more than just algorithms to get on a plane - all of the data the barcode represents would have to be in the airline's computer as well, else you won't ever get past the gate.
Unless there's some sort of secret code that gives free flights (could be, like for stewardesses returning home and such), it just ain't gonna happen that way.
Of course you could get real lucky, but it would have to be something on the scale of winning enough money via the Lottery to pay for the flight.
Re:This is a fairly obvious vector (Score:5, Interesting)
Back in elementary school we had a stored-value system for buying lunch, with security based on bar codes on little plastic cards. This was nearly 20 years ago and there was free software available then (on my Commodore 64? Atari? Can't remember) to generate bar codes. I made a couple, based on the ID numbers of friends, and gave them to the lunch lady, telling her that those cards were a bad idea. They never changed anything, though. These days I'd have been kicked out of school for that, though, if not arrested.
Fraud with copied bar codes (Score:3, Interesting)
He made up the fake stickers at home. I believe he would buy one of the less-expensive item, and at home he would duplicate its sticker. He didn't even need to generate the bar code, he was just copying the one that was on there.
Eventually he did the same trick too many times and they caught up with him.
If anyone remembers details of this story and can post a link to it, please do.
steveha
Easy way to do it with self checkouts (Score:2, Interesting)
1) Go to your nearest grocery store that has self checkout machines as well as a weigh station in the produce dept.
2) Pick up an expensive bottle of wine.
3) Go to the produce section and put the wine on the scale and enter the code for a cheap item such as potatoes.
4) Place the printed barcode sticker over the barcode on the wine bottle.
5) Pay for your items using the self checkout. The machine verifies all purchases by checking the weight in the bagging area - which of course will match perfectly.
As an added bonus for those under 21, you will not be carded for your alcohol purchase. Of course I would never do this, but I can't imagine that I am the first person to think of it.
Not entirely accurate... (Score:5, Interesting)
No one was the wiser.
You see, it's just a billion dollar FARCE and a WASTE OF TAXPAYERS MONEY for the *feeling* of safety when there really isn't any.
Of course I couldn't get on the plane. I couldn't get on a plane in 2001 without a correct ticket anyways. They had the barcode scanners to "check" you into the plane anyhow. At least, I remember them being available back in 1999 -AND- I wasn't too keene on getting onto a plane where there weren't enough seats where I'd get caught
Anyways, just as I said, this is easy to blow a hole through. There's nothing in the world that makes me more mad than being patted down, scanned or searched before boarding PUBLIC TRANSIT. I'm not a criminal, wtf are government agencies doing there?
(posted anon and through a couple anon proxies)
Passes worthless! I got on a flight without paying (Score:5, Interesting)
Once, I got on a flight to Hawaii. The plane was about to push off and, like most of the other passengers, I had settled into my seat. Then some other passenger came and said I was sitting in her seat! We compared boarding passes, and lo and behold, both of our passes were for the same seat! We couldn't figure it out, so we asked the flight attendant for assistance. She couldn't figure it out either, so she had to go back to the boarding gate with our passes to ask the ground crew to figure it out.
After a while, someone finally realized what happened. I was on the wrong flight! I was on board a direct flight to Hawaii, but I had actually bought a ticket to fly to San Francisco and from there transfer to a flight to Hawaii. I had always thought of it as "my flight to Hawaii" and had completely forgotten that I would have to transfer. The boarding gate was off by one, but the airport always changes boarding gates at the last minute and I figured this was one of the times. And the flight was scheduled 5 minutes before my actual flight, so I figured that the flight was early. I lined up like everyone else with my Internet-printed boarding pass, the computer scanned it, and I got on board just like everyone else. There was no alarm that I was on the wrong flight or anything like that.
That was with me accidentally getting on the wrong flight. What do you suppose could happen if someone was intentionally trying to pull off a deception? The only redeeming feature is that this happened in 2002, and I hope that airline security has improved somewhat since then. (I can dream, can't I?)
Re:Passes worthless! I got on a flight without pay (Score:3, Interesting)
"Sorry," she said, "I thought your ticked was for December 27, not row 27."
Now, either she was tired, or that's something that happens sometimes. Anybody know?
Re:Passes worthless! I got on a flight without pay (Score:5, Interesting)
Keep dreaming.
My experience with a current construction project for a major airline at a major airport speaks to a discomfortingly confused security situation.
The first time I went to the site with the Architect, who had a badge to escort us into the terminal, we were refused entry at 3 different points, always told to go somewhere else that wouldn't let us in. Then we went to an airline official, who said that the badge the architect had would get us in at a security gate that we tried before, so she escorted us there, and we weren't let in. So she did about a half hour of research, and found that we needed to go to the desk where they check in pets in their crates! There they checked the architect's badge and our IDs and issued us each a ticket-like piece of paper that we took to the security gate. There they took that "ticket" from us (and my co-worker's zippo lighter) and let us through. We then had the run of the place, without any ticket or pass.
We spent over an hour and a half getting in to do 2 hours of work. Then, after suffering through all that security red tape, we at one point got separated from the contractor with the keys, while we were in the non-secure loading dock (accessible from a public roadway). But not to worry, a friendly worker let us back to the secured passenger terminal side.
The second time I went with my boss, who picked up his own badge that he applied for three weeks earlier. He had been told it was ready to pick up. It took a little over an hour wating in lines and watching safety videos to pick up the badge. But when we tried it (it was a swipe and pin number type), it didn't work. So we went back down to the security badging office, only to find a sign on the door saying that they were closed for lunch and would be back at 1:00pm (even though it wasn't noon yet). I went back to the office, and he stayed the rest of the day to get it straightened out and do about an hour of work.
The third time I went, construction was well under way, the walls were knocked down, and the only thing bewteen the public parking and the secure air side was some pastic sheeting.
Did I mention that both the existing layout and the new design include a loading dock that connects the non-secured public roadways with the secure airside through a locked, but un-manned, door? Anyone on the inside (including employees, or sneaky passengers) could open the door, (or man the freight elevator if they had the key), and bring large, explosive things off the truck with a forklift and into the passenger terminal.
Considering how outdated barcodes are... (Score:3, Interesting)
Re:Nice vacations? (Score:1, Interesting)
But you don't need an actual ticket, a boarding pass will get anyone to those shops and eateries. The TSA people don't usually bother scanning the boarding pass. They glance at it and off you go.
A fake pass with legitimate-looking info (all of which is public information, such as flight number, departure time, gate number, etc) can get you past TSA. I know what I got for a boarding pass last time I flew. I still have the rather crude PDF. Change a couple parts of that, print, done. The real thing looks fake to me so a fake one should work too. On my last flights, the TSA was only interested in the date and whether my name matched. Period.
As for actually getting on the plane, that's a whole other issue. For one thing, they usually will check at the gate. Sometimes. But even if they don't, planes are so full these days, you're not likely to get a seat that somebody else doesn't also want to sit in, and that sort of thing will get attention from the flight crew and that's a problem.
But if all you want to do is eat at the only restaurant that a particular chain has in your state, off you go. Enjoy your meal. I don't see a big problem with it.
OCR + Free 3of9 = Free Stuff? (Score:2, Interesting)
Back when I had a working scanner / OCR setup, I spent a lot of time trying to reverse-engineer the barcodes on coupons. You might be surprised how lenient cashiers are with those things these days... even after a former co-worker of mine printed up (and handed out) about 1,200 self-made "Free 20oz Coke Product" coupons.
With internet-printable coupons more popular than ever, I wonder how long it'll be before we start seeing larger-scale scams involving reverse-engineered "custom coupons"?
Ya, big man (Score:1, Interesting)
As for your claim about safety, do you have any doubt that if you take an airliner to fly someplace that you will get to where you are flying to? I fly both commercial and private aircraft. Being blown out of the sky or crashing at the hands of a hijacker isn't even a consideration I bet for anyone in America reading this. I wouldn't even bet on something happening in a given year, unless you want to lose money. You would be better off betting on Lotto. You may think what they are doing is silly, however it is working. Like it or not. I don't like it either, that is why I own my own airplane. It is always there waiting for me, ready to go.
I will say that you do have guts to pull that off. You may make a good CIA or FBI agent one day. You want a thrill, they have it. They need people with guts.