Slashdot Mirror


The Rising Barcode Security Threat

eldavojohn writes "As more and more businesses become dependent on barcodes, people are pointing out common problems involving the security of one- or two-dimensional barcode software. You might scoff at this as a highly unlikely hacking platform but from the article, 'FX tested the access system of an automatically operated DVD hire shop near his home. This actually demanded a biometric check as well, but he simply refused it. There remained a membership card with barcode, membership number and PIN. After studying the significance of the bar sequences and the linear digit combinations underneath, FX managed to obtain DVDs that other clients had already paid for, but had not yet taken away. Automated attacks on systems were also possible, he claimed. But you had to remember not to use your own membership number.' The article also points out that boarding passes work on this basis — with something like GNU Barcode software and a template of printed out tickets, one might be able to take some nice vacations."


  1. Re:This is a fairly obvious vector by schon · Score: 5, Insightful

    "Maybe I'm missing something salient, but all this says is if you change the membership number provided to the system, the system will use that instead of any other."

    Yes, you are missing something. And it's significant because of this:

    "instead of the number being provided via a keyboard, it's provided via a barcode."

    Yes, and the people operating the machines that read these codes trust them.

    Think about this: you go somewhere that uses ID/membership cards with barcodes on them. Salesdrone asks for your card. If you just give them the number verbally and are security-minded, they'll probably ask for ID. However, if you provide the card, they won't, because the card *is* the ID.

    Non-technical people don't understand how barcodes work, so they assume that nobody else does either. So if nobody else understands it, then it can't be forged.