The Rising Barcode Security Threat

← Back to Stories (view on slashdot.org)

The Rising Barcode Security Threat

Posted by ScuttleMonkey on Monday December 31, 2007 @11:23AM from the what's-in-a-number dept.

eldavojohn writes "As more and more businesses become dependent on barcodes, people are pointing out common problems involving the security of one- or two-dimensional barcode software. You might scoff at this as a highly unlikely hacking platform but from the article, 'FX tested the access system of an automatically operated DVD hire shop near his home. This actually demanded a biometric check as well, but he simply refused it. There remained a membership card with barcode, membership number and PIN. After studying the significance of the bar sequences and the linear digit combinations underneath, FX managed to obtain DVDs that other clients had already paid for, but had not yet taken away. Automated attacks on systems were also possible, he claimed. But you had to remember not to use your own membership number.' The article also points out that boarding passes work on this basis — with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations."

6 of 125 comments (clear)

Min score:

Reason:

Sort:

Re:Fraud with copied bar codes by bjorniac · 2007-12-31 12:41 · Score: 3, Informative

Been done a few times, but the one that comes to mind is this:http://www.denverpost.com/news/ci_3270764

There was also someone who stole a bunch (something like $300k) of legos like this (yeah, geeks crime) and I remember a case involving Mall-wart and iPods...
Souldn't work against properly designed systems. by BitterOak · 2007-12-31 13:36 · Score: 5, Informative

Anyone who has done any work with barcodes knows they are encoding schemes, not encrypting schemes. A barcode is simply a way of representing data (may be alphanumeric or binary), in a way that is easily read by scanning equipment. The commonly used algorithms are well publicized and it is easy to obtain software to read or write them. If security is important, encryption must be applied before the data is encoded in a barcode. I've scanned many barcodes on many things, and if money is involved, such as tickets or postage, I've generally found that they decode to seemingly random binary data, which means that most likely, encryption was applied first.

--
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Chaos Communication Congress by matelmaster · 2007-12-31 13:50 · Score: 3, Informative

The talk this Heise article is about (which was held at 24c3 on friday) is actually available as a full-length download in various formats on mirrors (look for "2273-en-toying with barcodes") and on bittorent along with most of the other talks given at this (totally awesome) event. And it's in english, too.
24C3-Video about the barcode-hacking by TransEurope · 2007-12-31 14:17 · Score: 2, Informative

http://ftp.uni-kl.de/24C3/matroska/24c3-2273-en-toying_with_barcodes.mkv

See this website for mirrors, other video formats and the rest of the videos of the 24C3-conference (some of them are really interesting, videos with a 'de' instead of 'en' in the filename are in german). http://events.ccc.de/congress/2007/Conference_Recordings

Happy new year, gentleman/women :-D
Re:bar codes can be copied by DoomfrogBW · 2007-12-31 14:43 · Score: 4, Informative

That is incorrect. While the barcode can be photocopied, a backend database with terminal-level authentication to verify the barcode would stop most people. Before passing to the server, the terminal takes the barcode and has the algorithm below for generating the checksum. The two are compared and if they match, then it is passed onto the server which provides the ultimate authentication. If the checksum's do not match, then it is invalid. This prevents someone from simply changing a few digits and thinking it will work, which is what the article is talking about. The following method is a popular means by which to combat photocopying. For instance: A barcode number in Code 128C can be given as 000000070314100601 then apply checksum security and add these last two digits to the end of the current number:
// Generate CRC16 checksum using pos 1,3,5,7,9,11,13,15,17 of barcode unsigned short cs; cs = crc16((unsigned char*)barcode); barcode[18] = (cs / 10) + '0'; barcode[19] = (cs % 10) + '0'; barcode[20] = '\0'; ... unsigned short __fastcall TFormMenu::crc16(char* p) { char checksum = 0; for (int i = 1; i <= 17; i += 2) { checksum = checksum + p[i] - '0'; } return checksum; }
Re:Easy way to do it with self checkouts by AnarkiNet · 2007-12-31 15:30 · Score: 2, Informative

That doesn't work.
The cashier's screen shows the SKU/UPC, abbreviated description, and price of each item on all self-checkout lanes attached to that cashier's station (usually 4). Unless the cashier is very green, or distracted by another customer, you will certainly get caught.
However, scuffing up the barcode on an expensive bottle of wine that looks very similar to a cheap bottle, and buying both by trying to scan the damaged barcode on the expensive bottle, which won't work with the machine, then typing in the UPC on the cheap bottle...that one might work, although again a veteran cashier will catch it instantly.