Slashdot Mirror


The Rising Barcode Security Threat

eldavojohn writes "As more and more businesses become dependent on barcodes, people are pointing out common problems involving the security of one- or two-dimensional barcode software. You might scoff at this as a highly unlikely hacking platform but from the article, 'FX tested the access system of an automatically operated DVD hire shop near his home. This actually demanded a biometric check as well, but he simply refused it. There remained a membership card with barcode, membership number and PIN. After studying the significance of the bar sequences and the linear digit combinations underneath, FX managed to obtain DVDs that other clients had already paid for, but had not yet taken away. Automated attacks on systems were also possible, he claimed. But you had to remember not to use your own membership number.' The article also points out that boarding passes work on this basis — with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations."

2 of 125 comments

  1. Shouldn't work against properly designed systems. by BitterOak · Score: 5, Informative

    Anyone who has done any work with barcodes knows they are encoding schemes, not encrypting schemes. A barcode is simply a way of representing data (may be alphanumeric or binary), in a way that is easily read by scanning equipment. The commonly used algorithms are well publicized and it is easy to obtain software to read or write them. If security is important, encryption must be applied before the data is encoded in a barcode. I've scanned many barcodes on many things, and if money is involved, such as tickets or postage, I've generally found that they decode to seemingly random binary data, which means that most likely, encryption was applied first.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  2. Re:bar codes can be copied by DoomfrogBW · Score: 4, Informative
    That is incorrect. While the barcode can be photocopied, a backend database with terminal-level authentication to verify the barcode would stop most people. Before passing to the server, the terminal takes the barcode and has the algorithm below for generating the checksum. The two are compared and if they match, then it is passed on to the server which provides the ultimate authentication. If the checksums do not match, then it is invalid. This prevents someone from simply changing a few digits and thinking it will work, which is what the article is talking about. The following method is a popular means by which to combat photocopying. For instance: a barcode number in Code 128C can be given as 000000070314100601; then apply checksum security and add these last two digits to the end of the current number:

    // "CRC16" is a misnomer here: the function adds the digits at positions
    // 1,3,5,7,9,11,13,15,17 of the 18-digit barcode and the caller appends the
    // sum as two check digits. Nine digits sum to at most 81, so two decimal
    // digits always suffice.
    #include <cstdio>

    // Originally posted as: unsigned short __fastcall TFormMenu::crc16(char* p)
    // (a Borland C++ Builder member function); shown here as a free function.
    unsigned short crc16(const char* p) {
        unsigned short checksum = 0;            // was 'char'; widened to match the return type
        for (int i = 1; i <= 17; i += 2) {
            checksum = checksum + p[i] - '0';
        }
        return checksum;
    }

    int main() {
        char barcode[21] = "000000070314100601"; // 18 digits + 2 check digits + terminating NUL
        unsigned short cs = crc16(barcode);      // no cast needed: the parameter is const char*
        barcode[18] = (cs / 10) + '0';
        barcode[19] = (cs % 10) + '0';
        barcode[20] = '\0';
        std::printf("%s\n", barcode);            // for this input the check digits are 21
        return 0;
    }
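
As an added example (not code from either commenter or from the article), the following Python puts the terminal-side check from the comment above next to the keyed check that the first comment argues for. `digit_sum_check` reproduces the posted `crc16` (sum of the digits at positions 1,3,...,17, appended as two digits); `keyed_tag` is an HMAC-SHA256 over the same 18-digit record, truncated to eight decimal digits so the result still fits a numeric Code 128C string. The record value is the one quoted in the comment; the key, the tag length and the function names are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample values. The 18-digit record is the one quoted in the
# comment; the key is a placeholder, not a real terminal secret.
SAMPLE_RECORD = "000000070314100601"
TERMINAL_KEY = b"placeholder-shared-secret"  # assumption: provisioned to each terminal
TAG_DIGITS = 8  # assumption: keeps the code an even-length, all-numeric string


def _require_record(record: str) -> None:
    if len(record) != 18 or not record.isdigit():
        raise ValueError("record must be exactly 18 decimal digits")


def digit_sum_check(record: str) -> str:
    """The comment's 'crc16': sum of the digits at positions 1,3,...,17
    (0-based), returned as two decimal digits. It covers only half of the
    positions and needs no secret, so it detects scanning errors, not edits."""
    _require_record(record)
    total = sum(int(record[i]) for i in range(1, 18, 2))  # at most 9 * 9 = 81
    return f"{total:02d}"


def with_digit_check(record: str) -> str:
    return record + digit_sum_check(record)


def verify_digit_check(code: str) -> bool:
    """Terminal-side comparison described in the comment."""
    if len(code) != 20 or not code.isdigit():
        return False
    return code[18:] == digit_sum_check(code[:18])


def keyed_tag(record: str, key: bytes) -> str:
    """Keyed alternative (the first comment's point): HMAC-SHA256 over the
    record, reduced to TAG_DIGITS decimal digits. Anyone can recompute the
    digit sum; only a holder of the key can produce this tag."""
    _require_record(record)
    mac = hmac.new(key, record.encode("ascii"), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % (10 ** TAG_DIGITS)
    return f"{value:0{TAG_DIGITS}d}"


def with_keyed_tag(record: str, key: bytes) -> str:
    return record + keyed_tag(record, key)


def verify_keyed_tag(code: str, key: bytes) -> bool:
    """Constant-time comparison; malformed input is rejected, not raised."""
    if len(code) != 18 + TAG_DIGITS or not code.isdigit():
        return False
    expected = keyed_tag(code[:18], key)
    return hmac.compare_digest(expected.encode("ascii"), code[18:].encode("ascii"))


if __name__ == "__main__":
    plain = with_digit_check(SAMPLE_RECORD)
    keyed = with_keyed_tag(SAMPLE_RECORD, TERMINAL_KEY)
    # Position 16 is not covered by the digit sum, so an edit there still
    # verifies; the keyed tag rejects the same edit.
    edited_plain = plain[:16] + "9" + plain[17:]
    edited_keyed = keyed[:16] + "9" + keyed[17:]
    print("digit-sum code:", plain, "edited verifies:", verify_digit_check(edited_plain))
    print("keyed code:    ", keyed, "edited verifies:", verify_keyed_tag(edited_keyed, TERMINAL_KEY))
```

Eight decimal digits give roughly 26 bits of tag, which is a deliberate trade against barcode length; a terminal should also rate-limit failed scans and, as the comment says, still confirm the record against the backend rather than trusting the tag alone.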