Schneier on Security
A blog covering security and security technology.
July 22, 2008
Washington DC Metro Farecard Hack
Thieves took a legitimate paper Farecard with $40 in value, sliced the card's magnetic strip into four lengthwise pieces, and then reattached one piece each to four separate defunct paper Farecards. The thieves then took the doctored Farecards to a Farecard machine and added fare, typically a nickel. By doing so, the doctored Farecard would go into the machine and a legitimate Farecard with the new value, $40.05, would come out.
My guess is that the thieves were caught not through some fancy technology, but because they had to monetize their attack. They sold Farecards on the street at half face value.
Posted on July 22, 2008 at 12:29 PM
Now that's clever. I always wondered about messing with the Farecard magnetic strip using a standard card reader. It wouldn't surprise me if the data integrity protection is weak or non-existent.
This, however, is a low-tech attack that bypasses whatever encryption might exist. Just give the machine enough of a strip with money to read, combined with enough of a strip without money to write to. I wonder what else this sort of thing might work with.
Metro now also puts out hard plastic "SmartTrip" cards for longer-term use. I believe they use RFID; you just wave them near a reader. It wouldn't surprise me if an RFID signal eavesdropping and replay attack would work -- though SmartTrips have a unique serial number and might be easier to track.
Perhaps they left fingerprints on the cards too. Do you get back the same card from the machine after you add fare, or a new one?
Adding fare generates a new ticket.
I wonder if the vulnerability would apply to BART as well.
Sounds like a pretty big design flaw in the system itself. You can NEVER trust your inputs and trusting something that external parties have physical access to is just plain stupid.
Rewriting the card with a new value, cloning it, even making up new ones from scratch (they're obviously not serialized, or only the first of the four strips would have worked in the hack above).
Your guesses about how they were caught are corroborated by the article:
"The theft was detected when a Metro employee who monitors financial transactions noticed a large number of $40 Farecards being purchased at one time, the source said."
Once again, human intelligence, not technology, provides the proper security check.
Any card with a magnetic stripe puts control over inputs in the hands of users, some of them definitely malicious and technically adept.
NYC Metrocards use a magnetic stripe as well, although the cards are a thin, tough plastic (except for single-ride cards, which expire after a few hours anyway). The only stories we hear about them being hacked is the "one last ride" crease--which involves folding the cards in a specific spot to yield a single fare. Apparently the encryption is good enough.
This has been a well known hack on the Bay Area's BART trains as well. Works in exactly the same manner.
@Nicholas and Mojo:
I think BART enforces a limit on the amount of value a ticket can already have when you want to add fare. Now I can't remember where I read that, though, and my google-fu seems to be failing me. It occurs to me that this could be a defense against this attack, by limiting the amount you could steal to just a few dollars at a time.
The articles about this fraud say Metro is lowering the maximum value for a farecard that can be traded in from $40 to $7 for exactly that reason.
In the case of the RFID SmartTrip Cards, the max value is $300, and you can add money to any one with less than that. (As of 2 years ago, anyway.) I wonder if this will become an issue too someday.
>Metro now also puts out hard plastic "SmartTrip" cards for longer-term use. I
>believe they use RFID; you just wave them near a reader. It wouldn't surprise
>me if an RFID signal eavesdropping and replay attack would work -- though
>SmartTrips have a unique serial number and might be easier to track.
It does not matter if the unique serial number is more easily trackable. A successful eavesdropping-replay attack means you as an attacker can change IDs for every transaction (you have a different victim for each transaction). You just need to bring your equipment with you.
This sort of reminds me of the old BT green phone card that had a high-tech hologram on it that was erased by a laser.
Somebody discovered that a thin application of clear nail varnish allowed the card to be used over and over again (if I remember correctly, the laser burnt the nail polish and obscured the hologram, and the sensor thought the hologram had been erased; a simple application of polish remover removed the burnt polish).
@Mike, @Knowler Longcloak
I wonder if this is really an RFID system, which has the problems you describe, or whether it might be smarter.
The Tokyo Metro has a system called Suica and the Tokyo Subway has Pasmo, which are based on proximity cards (range of a few inches). I looked briefly into the technology, and they do a little bit of crypto, which should be robust against bumping-into-people-with-a-card-reader attacks. (wiki: FeliCa)
The NYC Metrocard system is pretty good. Some revision of it was actually designed with the consultation of our blog host himself.
NYC Metrocards don't have encryption per se; they have a unique ID and a read/write section that contains the value of the card. The turnstiles trust the value the card claims to have when letting you through, so that they can let people through quickly and aren't dependent on a remote link. Later, they check in regularly with a central system, and cards that have been found to be lying are invalidated. The central system pushes lists of invalid card IDs back to the turnstiles, which then refuse entry.
The end result is that it's not that hard to fake out a Metrocard turnstile once, but it's impractical to scale the attack like the DC scammers did.
Ah, you're right. Yeah, BART limits old tickets to a low value, which may make the attack still possible but uneconomical.
"BART limits old tickets to a low value"
Hmmm, I guess this depends on your definition of low.
The cost of a round-trip fare on BART can easily exceed $12, so the upgrades allow enough room to make a ticket practical. If you can generate four $20 cards from one, I still see a plausible threat.
@Peter Hentges :
> "The theft was detected when a Metro employee who monitors financial
> transactions noticed a large number of $40 Farecards being purchased at
> one time, the source said."
> Once again, human intelligence, not technology provides the proper
> security check.
Yeah, right. Unless you really believe that an extraordinarily diligent employee sat there manually sifting through the millions of transactions that occur daily, it seems pretty likely that the Metro employee was "monitoring" financial transactions by using some kind of powerful analytical software to look for unusual patterns -- a fiendish, evil activity whose name must not be mentioned on this blog! (But I'll give you a hint: the initials are "DM".)
The basic problem here is that a cheap magnetic card has no computational power, so the message it transmits to the reader cannot be modified by any sort of freshness value provided by the reader. This makes the protocol trivially vulnerable to replay attacks.
There are two common approaches to solve it.
One relies on a central authority which conceptually stores all messages and forbids replayed messages (in practice, it stores card IDs and account balances, and invalidates inconsistent messages). This has two problems itself: it is highly intrusive of the privacy of the system's users; and it suffers all the problems of a networked system (DoS attacks, unavailability, time delays due to congestion, etc.). So the compromise seems to be to limit transactions to small values, and let the central authority occasionally vet past transactions.
The second requires cryptographic communications between the (assumed trustworthy) card and the reader, and puts into play all the theory we have developed about secure transactions. Unfortunately, this means the card must have a computer on board, which is widely regarded as too expensive. Furthermore, even though such a system could in principle respect privacy, there are no guarantees (except with the Digicash protocol!)
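The offline-trust-then-reconcile design described in the NYC Metrocard comment above, and the "central authority that invalidates inconsistent messages" approach in this one, as an added example (not code from the post, its commenters or any transit system). Fare, card IDs and balances are constructed; the central ledger flags any card whose claimed balance exceeds what was genuinely sold minus what was spent, and pushes the resulting deny-list back to the reader:

```python
from collections import defaultdict

FARE = 2  # constructed fare, in dollars


class Reader:
    """Offline turnstile: trusts the balance written on the card, logs each
    ride, and refuses only ids on the deny-list it last received."""

    def __init__(self):
        self.deny_list = set()
        self.log = []  # (card id, balance the card claimed after the ride)

    def tap(self, card):
        if card["id"] in self.deny_list or card["balance"] < FARE:
            return False
        card["balance"] -= FARE  # written back to the stripe, unverified
        self.log.append((card["id"], card["balance"]))
        return True


class Central:
    """Ledger of value genuinely sold per card id; a card that claims more
    than (sold - spent) has been tampered with or cloned."""

    def __init__(self):
        self.sold = defaultdict(int)
        self.spent = defaultdict(int)

    def sell(self, card_id, amount):
        self.sold[card_id] += amount

    def reconcile(self, reader):
        bad = set()
        for card_id, claimed in reader.log:
            self.spent[card_id] += FARE
            if claimed > self.sold[card_id] - self.spent[card_id]:
                bad.add(card_id)
        reader.log.clear()
        reader.deny_list |= bad  # push the invalid-id list back down
        return bad


def simulate():
    central, reader = Central(), Reader()
    central.sell("A100", 10)  # constructed id and value
    genuine = {"id": "A100", "balance": 10}
    clone = {"id": "A100", "balance": 10}    # copied stripe, same id
    forged = {"id": "F999", "balance": 40}   # id never sold by central
    first = [reader.tap(c) for c in (genuine, clone, forged)]  # all pass
    flagged = central.reconcile(reader)
    second = [reader.tap(c) for c in (genuine, clone, forged)]
    return first, sorted(flagged), second
```

Note that the genuine card is invalidated together with its clone, since the reader cannot tell them apart; that is the price of the offline design, and why the commenter says it limits scale rather than preventing a single fraudulent ride.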
I'm a bit disturbed that everybody is a "thief" these days, regardless of whether they actually stole anything or not. These people were cheaters, fraudsters, swindlers, whatever... but they were not thieves. To call them thieves merely insults the reader's intelligence.
I'm a regular D.C. Metro rider. The things that made this vulnerable were a) the fact that these cards are exchangeable for brand new cards in the machine, b) the fact that they are paper and paper is easy to doctor and c) the fact that the strip's thickness has no bearing on the data printed on it. It's a dumb hack that people knew about for a long time and the WMATA is so bureaucratic and slow that they didn't do anything about it until the castle was on fire.
This same organization can't even keep its elevators and escalators working, has regular delays due to track work and electrical problems, and has raised fares and parking fees to the point where the benefit of taking mass transit doesn't even outweigh driving, which is why we still have a huge traffic problem in D.C. The idea that they would actually have ever found these abuses programmatically rather than through accidental humint seems laughable to me. WMATA needs to be beaten with a clue stick, both in security and in normal operational efficiency and customer service.
>>This has been a well known hack on the Bay Area's BART trains as well. Works in exactly the same manner.
BART has moved on to plastic tickets. Same 1970's magstripe technology, but it's at least harder to peel a magstripe off a plastic card than it is to peel it off of paper.
@gotpasswords: the plastic cards don't add any security, as anyone can just buy a card reader/writer from eBay, or build a duplicator from an old cassette recorder.
One word: dumb.
I shouldn't even have to say it on this blog: You never trust user input. Even if it's from a card you made yourself.
What is this "cassette" you speak of? Is it MP3 compatible?
@Alfred: "You never trust user input. Even if it's from a card you made yourself."
I think the real lesson is, never trust that what you are seeing is actually a card you made yourself.
In re peeling strips:
The original BART attack did not involve peeling, but the judicious use of an iron to transfer an image of a ticket to a strip of reel-to-reel tape (pre cassette :-) to be pasted on an old ticket.
The first countermeasure was having platform guards watch for tickets with _brown_ mag-stripes. The counter-counter was to use slightly higher-priced black tape.
I assume the "limit the amount for tickets that are being added to" solution was adopted later.
(Not that I would know anything about the use of this purely hypothetical attack in a parallel timeline :-)
@Mike, @Knowler Longcloak, @jauricchio Is this referring to the Mifare attacks presented at 24C3?
>The [NYC] central system pushes lists of invalid card IDs back..
What's old is new again. This is rather how Usenet "flooding" works, and also STU key acceptance; there was an invalid key list & the phones played "whose is newer?" with each call.
It means you can use the system with off-line readers, with minimal losses. It's my understanding that DC's requires real-time comms, and when they fail, everyone rides for free. [Think buses stopped in bad RF spots for why that's a bad idea; and after a football game where there's a big peak load.]
Perhaps wolfger should look up some definitions in the dictionary: all embezzlers are thieves, but not all thieves are embezzlers. The description of a specific method does not change the basics of the seventh commandment.
I "hacked" DC's new smarttrip card by mistake. The new cards allow you to have a negative balance (up to $5, I think), so you can finish a trip you start. You can't start a subway trip with a negative balance, though.
The bus system, in theory, should be the same. But when you go on a bus with a negative balance, the noise it makes doesn't sound any different from the noise of a normal card with a positive balance. The screen shows that the card has a negative balance and that no money was withdrawn from the card, but the bus driver has no way of knowing that a passenger using a negative balance card has not paid properly (unless he/she happened to be scrutinizing the machine's display--which would be hard from where the driver sits).
I rode 2 buses in a row before noticing my balance was negative. On the third bus, I noticed that no money was withdrawn from my account. On the fourth bus I paid cash. The next time I went on the subway, I added money to my card, but the starting value proved that I had ridden three buses for free.
> The idea that they would actually have ever found these abuses programmatically rather than through accidental humint seems laughable to me.
You may laugh, but I think you are very wrong. Finding these sorts of patterns through "accidental humint"* is rather improbable, as there are millions of transaction records created every day, making it essentially impossible to monitor manually. Finding them by scanning with analytical software is straightforward; many companies now do this sort of thing routinely.
* I presume by "accidental humint" you mean by a person scanning transaction logs without the benefit of any analysis tools, and just happening to find the anomaly; the phrase would really seem to mean that a spy somehow stumbled upon the scammers at work, which seems not so much improbable as fantastically unlikely.
@raimundo: Theft, in the UK at least and as the legal systems are related I will assume in the US, is defined as taking something with the intent to deprive the owner of it permanently. This is why "theft" does not apply to making copies of digital things - as the original is still available to the original owner - and fraud, which is the action of getting something for "free" by deception which when we speak of a service such as transport is not taking a tangible something from the owner. i.e. it can't apply to something that doesn't already exist until the time of the offence - faking money or tickets for example.
None of that makes it right, but calling these free-loaders (and file sharers etc.) thieves just dilutes the clarity of the offences committed by the other.
In NYC at least, it used to be simple for people to enter the subway through the exit gate. The standard charge when they were caught was "theft of service". I don't know if the D.C. laws are the same, but if so "thief" would technically be correct.
If adding fare generates a new card, what happens to the old card. Does the machine return it to the purchaser? Or does the vending machine retain the old card. If the latter, then it could have been someone emptying the machine that found the doctored cards, rather than someone "who monitors financial transactions". Of course refilling the vending machine could be stretched into being called monitoring financial transactions.
You paid $5 for the SmarTrip card, remember? You are essentially not getting any free rides, you are just avoiding the Metro's scam for your money. I regularly bring my account to -$4.20 or so.
I worked with a guy whose father was one of the original old-school engineers on the DC Metro project. He explained that the dollar value is recorded in several places down the magnetic strip in order to allow for accurate reading despite any damaged areas. They apparently knew about this hack back then, but assumed that its discovery and subsequent use would not be widespread.