Schneier on Security
A blog covering security and security technology.
« The Zotob Worm |
| More on Sony's DRM Rootkit »
November 11, 2005
Ownership of Mag Stripe Readers May be Illegal
Here's an Illinois bill that:
Provides that it is unlawful to possess, use, or allow to be used, any materials, hardware, or software specifically designed or primarily used for the reading of encrypted language from the bar code or magnetic strip of an official Illinois Identification Card, Disabled Person Identification Card, driver's license, or permit.
Full text is here.
Posted on November 11, 2005 at 11:45 AM
• 31 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
What could be on that strip that they don't want you to know about :)
In most cases, there's nothing on the strip that's not on the card. I don't even think there's an encrypted PIN on bank cards anymore.
" used for the reading of encrypted language "
Is it just the act of decryption that would be illegal, or simply the act of reading the cypher-text?
Uh, it seems to me that this doesn't actually prevent the use of any hardware that I know of. Do any of you know of any magstripe readers that are specifically designed to read Illinois driver's license cards, as opposed to just any magnetic strip in general?
So, Illinois doesn't have an 'open records' law? Transparence in all government functions is important.
Putting the magnetic strip reader issue aside, the quote also mentions barcodes specifically.
Does this mean that all the supermarket tills will become illegal if they're able to convert the barcodes into strings?
Barcodes can be "read" (or recorded for later use) by any optical device within sight, and standards generally determine how they are decoded. This is as close to a sign that says "No reading" as I've ever heard of...
Good example of security through obscurity.
I don't think there's anything on the stipe that's not printed on the card. Atleast my bank can't change the pin unless they change the account number, which means the pin is probably not stored on the stripe either. My guess is they use some combination of the account number, name and given pin and hash them using a key that's stored on some central server of the bank to verify the pin.
And besides, anyone can buy a standard mag stripe reader/writer from any good store that sells industrial parts.
I just got a new IL ID card a few months ago, and it doesn't have a Mag strip.
It has a barcode, and it has sort of two dimensional bar code, like USPS labels have. Also on back right and bottom edge, it has a pattern of random dots. I don't know if this conveys any information, or is a type of counterfeit protection
Oh, and it also has an Organ doner form.
Interesting, especially considering the fact that it's possible to create a mag-stripe reader from scratch.
And I've found links in the past for building them using read heads from old cassette players.
So, yeah, they can make it illegal, but enforcement will be a little rough.
Caveat: I am not a lawyer.
I think the legal definition of "reading" would likely involve understanding. Just measuring the magnetic field of the bits in the strip would require a broader term, like "copying". Using the computer definition of "reading" is probably not going to get you far in court. The fraud provision would potentially permit anyplace to scan your card and store the bits as identification. In case of fraud, they could then get the cops to "read" the bits and track you down.
Of course the final law will probably look little like this initial version.
So I wonder what the lawmakers of IL are thinking here. That the can protect information that is printed on a card by forbidding people to have reading devices. Right.
This summer at WhatTheHack there was a great presentation on how to build your mag.stripe reader by using junk material. Just go here: http://wiki.whatthehack.org/index.php/...
I wonder if this means that any device that can make images of a barcode or any device that reads a magnetic field will be banned? ;-)
The stupidity of some people in this world is just wonderful.
Jeez -- I hate to think what they'd do if they caught me with one of my magstripe -writers-.
Ah, it's my own faut for not realizing that self-clocking flux-based encoding methods were actually encryption.
I'm not (yet) a lawyer so this isn't remotely close to legal advice, but this statute doesn't do what the original post implies.
This statute makes it illegal to:
(1) Possess, use, or allow to be used;
(2) any materials, hardware, or software;
(3) specifically designed OR primarily used for
(4) the reading of encrypted language from the bar code or magnetic strip of
(5) an official Illinois Identification Card, Disabled Person Identification Card, driver's license, or permit.
For a conviction to be sustained, each of those elements would have to be proven beyond a reasonable doubt. The device in a supermarket for reading bar codes fails the 3d element as does pretty much any other legitimate use. The mere fact that a device COULD be used to read one of those specific types of documents is not enough to violate the statute, it has to be designed to do so OR used primarily for that purpose. The law is therefore aimed at conduct and not the device as such, despite how it reads.
According to the site, this bill has already passed the legislature, been signed by the Governor, and will be effective 1 Jan 06.
We'll see how it works out...
There's an interesting exception, which is devices intended to reduce fraud:
This subsection (a-1) does not apply if a federal or
State law, rule, or regulation requires that the card holder's
address be recorded in specified transactions or if the
encrypted information is obtained for the detection or possible
prosecution of criminal offenses or fraud. If the address
information is obtained under this subsection (a-1), it may be
used only for the purposes authorized by this subsection (a-1).
As far as I know, this would be the first US law to forbid all secondary uses of data gathered from an ID document.
On a brighter note, would this make it illegal to use DL info in commercial databases?
A better question is, why? Why do they want to prevent people from reading the magnetic stripes or barcodes on drivers' licenses?
One reason I can think of is to prevent misuse by bars, etc. If your license is machine-readable, when they use it to verify your age, they can just as easily swipe it through a reader and collect a database of the details of all their patrons.
I don't think so. It just makes it illegal to automatically capture the information.
Oh, well. So much for my old tape deck(s).
If Orwell was right, and "Ignorance is strength", then this is one of the strongest laws I've seen yet.
Re: bank cards
Any bank issuing VISA check cards and owned by Synovus Financial (about 60 banks in the southeast US) still encodes the PIN on the magstripe. You can have the PIN changed by walking in to any branch and handing over your card. A bank employee swipes the card through a stand-alone encoder, types the new PIN, and swipes the card again. No network communication...and no ID required.
Problem with the law:
Assuming I wanted to read this top secret data, I just go to another state where it is not illegal to read data from an IL card. IL cannot prosecute me if I commited a "crime" in another state...Esp. if the "crime" isn't a "crime" there.
technology will always run faster than the law. this law looks like it's stuck to a ball and chain.
I'm missing the part in the full text that somehow allows the IL SoS to actually create and issue these cards ... I'm sure it's there somewhere; it would be a shame for them to posess the tools illegally.
Looking at the Illinois law's text, Sec. 6-301.2.b-1 (the section covering reading the "encrypted language" of IL state issued DL/ID cards, it is rather broad. (I also hope that they weren't sloppy with the word "encrypted", using to mean solely the encoding data in a standard magstripe or bar code format. But I might be too optimistic. )
New Jersey has recently enacted a law to criminalizes the unlawful use or possession of a scanning device or reencoder. (Bills A2769/S2617 (P.L.2005, c.225) Apparently, it was designed to address "skimming" of credit & debit cards for the commission of fraud.
A version of the text can be found at http://www.njleg.state.nj.us/2004/Bills/S3000/...
I like the NJ approach in that it ties the illegality of use or possession of the magstripe readers/encoders to certain uses and especially to whether or not the person to whom the card was issued granted consent.
The NJ law covers on ly magstripes used on bank, ATM, credit, debit, and similar financial cards. Doesn't address DLs or IDs. Also, as some banks are going towards RFID/"contactless smart card" tokens, this law doesn't address them. (Not covering such token is actually a good thing, keeping the focus upon the magstripe skims and such.)
@JD Abolins, "some banks are going towards RFID/"contactless smart card" tokens"
One could wish - and it's a pretty big wish, I'll admit - that the banks migrating to contactless smart cards are doing it "right": that is, that the card authenticates the reader as well as the reader authenticating the card.
For context, this page looks to be a decent start:
(Off this topic, but related to smartcards in passports, which has come up a couple times before: the cited webpage mentions international standards for smart cards in passports, including a max reading distance of about 4". Furthermore, the question is re-raised regarding what mutual authentication is proposed for use in such passports as an attempt to deter third-party scans of passport data.)
Max reading distance, hah.
Remember, a really good directional antenna will give you a 30db boost. So multiply all maximum distances by 1000. Try over 300 feet, which is more than enough for nefarious purposes. If there's any way to remotely identify US diplomatic passports, criminals could earn some serious cash on the black market--those things are worth a small fortune.
It's no longer a bill. It's now Public Act 094-0239, effective January 1, 2006. What's really depressing is that I can't immediately think of a constitutional challenge. It's certainly not vague, and it's at least a stretch to argue that it interferes with freedom of speech. It seems likewise a stretch to argue that it violates freedom of association. And there is long precedent, such as the laws against burglar tools, for prohibiting the ownership of items that might be used in crimes.
The upside is that, since it seems to effectively prohibit _all_ magstripe and barcode readers (cf. the phrase "specifically designed
for or primarily used in the reading of encrypted language from the bar code or magnetic strip of an official Illinois...Card", which talks about _reading_ rather than _decoding_ the stripe), businesses will have grounds to lobby for repeal or at least an amendment.
ha,to lil to late my government foes. you cant stop me unless you find me.
Don't Illinois have to have a purpose section? I can't imagine any purpose in doing this, or any state interest in forbidding it!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.