Schneier on Security
A blog covering security and security technology.
September 27, 2005
Forging Low-Value Paper Certificates
Both Subway and Cold Stone Creamery have discontinued their frequent-purchaser programs because the paper documentation is too easy to forge. (The article says that forged Subway stamps are for sale on eBay.)
It used to be that the difficulty of counterfeiting paper was enough security for these sorts of low-value applications. Now that desktop publishing and printing are common, it's not. Subway is implementing a system based on magnetic stripe cards instead. Anyone care to guess how long before that's hacked?
Posted on September 27, 2005 at 7:43 AM
If the data is stored on the cards, about 1 week. If it's stored on one or more servers, 2 weeks.
Ahh, but by introducing a higher cost-of-entry into the frequent-purchasing-card forging racket, you can eliminate a lot of casual counterfeiting.
Who would go through the effort of forging a Cold Stone Creamery card? Have you ever had one of those? [shrug]
Just yesterday I was thinking how easy it would be to forge automatic teller produced parking validation slips. It doesn't have to be good, because the parking enforcer, IMO, rarely looks at the numbers on the slip, just that it is there on your dash.
How long before it's hacked? Probably not long. But the real question is: does it matter?
Scanners and printers are now a commodity. It has become easy for just about anyone to make a nearly indistinguishable replica of a frequent customer coupon.
Magstripe scanners and coders are not a household commodity. While the protection scheme may be easy to break if you know a tad about cryptography and have the appropriate hardware to create a fake, most people don't have those resources.
It's no longer as easy as posting a PDF file on the web for people to download and print out, which is exactly what Subway and Coldstone want to prevent.
If you look at the economics, it's worth allowing that 1 savvy percent the opportunity to create fake coupons. The other 99% are the ones you're worried about. Subway wants to sell sandwiches. It's not interested in ISO 17799 certification.
If it's an online protocol (so the cards are just an ID token) it actually won't be easy to meaningfully hack.
You'd need to get on the central server or the communication links, and that would be an arms race that the company could keep up with (by standard IDSing), and you could probably catch company insiders who abuse the system, at least enough to act as deterrence.
If the cards hold the value? Two options: No/lousy crypto? 1 day-1 week. Real crypto? Probably not, would require too much data for a mag strip card.
Could they not continue to use paper, but instead of a stamp, use a distinctly-shaped punch? This is how things have been done on (at least some) railroads for decades.
So the counterfeiter's tool of choice goes from a printer to a Dremel?
Precisely, thereby lowering the number of fake tickets.
Well, the obvious solution is to only allow people who go often enough to be recognized by the staff to get a discount. That's the old tried-and-true method of showing some appreciation for your repeat customers.
I never really understood the point of the punch/stamp cards. They have always been insecure and inconvenient compared to just being recognized and given benefits as a local/friend. And if someone wants to go to the trouble of impersonating me in order to get a discount on coffee, I say go for it. I can't wait until two of me show up at the same time...
Having worked at Subway, I'd like to point out that you don't even need to forge anything per se. When they run out of stamps the manager just initials the card (illegibly, usually) with a store number. How much smaller cost-of-entry can you get?
They say the old system started being phased out in January. In my market, the swipe cards appeared much earlier (perhaps we were a test market). My guess is that they haven't detected fraud yet, or it's going to take a good deal longer to catch.
In the end, I'm not sure it matters. I think some people have gotten so caught up in eliminating ALL 'shrinkage' that they're missing the bigger picture: you need customers to frequent your store, and occasionally enjoy buying things from you.
There are still a few shops around this city that, lacking a credit card machine, will issue you store credit on the spot (hoping you'll gladly pay them Tuesday for a hamburger today). If the rate of failure to pay is lower than their margins (plus Visa and Mastercard's cut of the take), they've still made more money off the deal than if you went away empty handed. I think you can safely call that a win-win situation.
I couldn't get to the link above. Don't know if it's exactly the same but this link worked for me:
The story ends:
"And while the new system's upfront costs might be high, it may reap larger rewards for the companies in the long run. As grocery stores have learned, the market research gleaned through establishing databases while handing out discounts can turn swipe cards into a winning formula very quickly."
Ah, but then the grocery stores also learned that they were suddenly sitting on huge databases of poorly-secured sensitive information regulated by the government and/or payment card industry with heavy penalties for a breach.
And the grocery stores may also soon discover that people are starting to associate all the junk mail they get with "swipe cards", and therefore hate the grocers who offer the cards so much that they go out of their way to abuse/cheat the system.
Not to mention that prices are often artificially raised in order to make swipe cards seem like they're giving you a deal. For example I found a small local grocer, who is usually more expensive but friendly, was selling a quart of ice cream for $3. The giant chain-grocer down the street was selling the same exact ice cream for $5, or $3 with a swipe card. In other words, while you might think you are saving $2 by giving up your identity to a giant corporation, you actually may just be fooled into giving it away for free...
"And the grocery stores may also soon discover that people are starting to associate all the junk mail they get with "swipe cards", and therefore hate the grocers who offer the cards so much that they go out of their way to abuse/cheat the system."
I have friends that actively trade their Safeway club cards, to purposely poison the database. At this point, they have no idea what the ID associated with the cards that they use is, and it doesn't matter to them. It gets them the discounts, and they're happy.
I shop at a local store, which does have a "market card", but in addition to the discounts it gives, it spits out coupons based on what we buy and donates 2% to the local schools. So, yeah, we get a circular weekly from them, but it's no big deal (tends to go in the trash). They don't sell the data off to other companies.
(Not that I'd notice after buying a house, and seeing what that does for the amount of spam you get as you hit the county databases...)
"I have friends that actively trade their safeway club cards"
Good point. No need to counterfeit if you can get easy access to a ready supply of cards without giving any identity information. It's free, you do not have to give up anything and you still get the discounts, which is almost the same thing as what Subway and Stone Cold are calling fraud.
As far as I know Safeway's system does not have any controls to prevent a blank/unregistered token or even a token ID from being used. This could be because it takes over a month for their system to register the data from a paper form into their database, and they want to enable the cards on the spot. Trade-offs, eh?
Here's an idea: have a www.bugmenot.com equivalent for loyalty cards! A service such as loyaltycardmenot.com would benefit people on travel (and locals of course) AND throw mud at the database. Win-win. Any webmasters among you?
On the specific case of loyalty cards, simply ask the cashier to use theirs. I try to avoid stores with loyalty card discounts, but every once in a while visiting my preferred grocery store isn't feasible. So when they ask, "Do you have a Copp's Card?" (Copp's is a local chain), I simply ask, "No, would you mind using yours?" I have yet to be turned down. I don't think they actually use their card, they appear to have a card at the register specifically for this purpose. I know I get the discount. I tried this after seeing it suggested online, so I doubt I'm the only one doing so. And by doing so I'm sending a more active message that I disagree with their system.
"No need to counterfeit if you can get easy access to a ready supply of cards without giving any identity information"
Wegmans asked for my driver's license when I went for a card there. I'm ashamed to say that I didn't call them out on it. I felt better about it when they completely mangled my name in the printed card.
Saar, there are other people doing that. http://www.cockeyed.com/pranks/safeway/... and there's some links on the bottom of that page for a Giant Supermarket version.
Never been to a Safeway, but Stop & Shop and Shaws, the two supermarkets in my area that take cards (Market Basket being the third, but that doesn't have a card AFAIK), don't really seem to care.
I just tell the clerk that I forgot my card. At Shaws they type in some code that I assume is a default number, and at Stop & Shop they just hit a button and it puts one in automatically.
Gift certificates and the like are being phased out in favor of gift cards. Each card has a unique identity encoded in either an ISO standard mag stripe or bar-code. Each use of a card results in querying a remote database, just as with a credit card.
(1) Clone a card and fill up on free ice cream. Easy, you just need access to a card with a balance. E.g., inside job: you clone all the cards at the front counter and then start using or selling the clones as customers activate the real ones.
(2) Make up a card that happens to be valid. Quite difficult, since the number space is vast, you don't know which accounts have a balance, and it's easy for the issuer to add a crypto checksum to the mag stripe.
Some gift cards feature scratch-off PINs, but these are typically only required if you use the card over the net or phone.
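The difference between cases (1) and (2) in the comment above, as an added example that is not part of the original thread: a keyed checksum on the stripe rejects made-up numbers, while an exact copy still passes and is only limited by the server-side balance. The key, the 6-digit tag length, the account number and every function and class name here are assumptions made for the sketch.

```python
import hashlib
import hmac

# Assumptions for this sketch: key, tag length and all names are hypothetical.
ISSUER_KEY = b"constructed-demo-key"   # held only by the issuer's servers
TAG_DIGITS = 6                         # check digits appended to the account number

def _tag(account: str) -> str:
    """Truncated HMAC-SHA256 of the account number, as decimal check digits."""
    mac = hmac.new(ISSUER_KEY, account.encode(), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % 10 ** TAG_DIGITS
    return str(value).zfill(TAG_DIGITS)

def issue_card(account: str) -> str:
    """Data written to the stripe: account number followed by its tag."""
    return account + _tag(account)

def checksum_ok(track: str) -> bool:
    """Reject made-up numbers without a database lookup."""
    if not (track.isascii() and track.isdigit()) or len(track) <= TAG_DIGITS:
        return False
    account, tag = track[:-TAG_DIGITS], track[-TAG_DIGITS:]
    return hmac.compare_digest(tag, _tag(account))

class Ledger:
    """Server-side balances: the online query made on each use of a card."""
    def __init__(self):
        self.balances = {}

    def activate(self, track: str, amount: int) -> None:
        self.balances[track[:-TAG_DIGITS]] = amount

    def redeem(self, track: str, amount: int) -> bool:
        if not checksum_ok(track):
            return False                      # case (2): guessed or altered number
        account = track[:-TAG_DIGITS]
        if self.balances.get(account, 0) < amount:
            return False                      # unknown account or balance spent
        self.balances[account] -= amount
        return True

def demo():
    ledger = Ledger()
    card = issue_card("4000123456")           # constructed account number
    ledger.activate(card, 10)
    clone = card                              # case (1): a byte-for-byte copy
    forged = card[:-1] + str((int(card[-1]) + 1) % 10)   # altered check digit
    return (ledger.redeem(forged, 5), ledger.redeem(clone, 10),
            ledger.redeem(card, 10))
```

`demo()` returns `(False, True, False)`: the altered number is refused, the copy is accepted, and the genuine card then finds its balance already spent, which is why the checksum alone does not address case (1).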
Sony's Felica chip has probably been discussed here before; it's a fairly standard smart chip designed for contactless cards that can hold various applications. (It's also got encryption support and all that.) The mobile phone providers here in Japan are now putting them in phones, as well, and you can download and manipulate new applications over the web (all phones here have web browsers).
One interesting benefit they've been advertising is the use of these for loyalty programs. Rather than carry my "Bic Camera" point card with me, having the shop scan it every time I buy something, I can just wave my phone over the reader and Bic Camera can access their application in the Felica chip in the phone.
The easiest attack I see isn't technical, but social (as usual).
Get a card, run a magnet over it to destroy the data. Rough it up a bit so the card looks used.
Then make a big fuss about mistreatment of valued customers when the card fails to validate at the checkout. Do this at rush hour, hold up the queue. Talk loudly. Ask to see the manager. Threaten to call the media.
I have an Albertson's "loyalty" card that doesn't have any personal identification attached to it. I got them to give me the card & forms but said I was going to fill it out later. Never did, and of course the card keeps working. From their perspective, it's pretty much just as useful since they can still track what I buy.
At Safeway I use a friend's phone number, as do a bunch of other people. This leads to the odd surprise when you get discount coupons or buy-10-get-one-free offers at checkout from other people's spending.
Research shows that prices at stores with loyalty cards are higher (*after* the loyalty card discount) than at stores without loyalty cards. Locally here, Tops food and drug (no card) is usually cheaper than Safeway (card required).
Here they actively try to screw you if you don't have a card. Eggs were $0.89 a dozen at Price Chopper for card holders and $2.99 a dozen for non-card-holders. The typical price at a convenience store is about $1.39. (details not exact, but that's the gist of the story)
Just card trading gets other people junk mail - faking the data and card trading seems to be the best strategy - especially if you know where the store manager lives.
If as the above poster mentioned with the Albertsons card, there is no PII attached all is well and good, but.. If you pay with plastic of any kind or a check, yes, your purchases can be tracked to your PII and a history built. This of course can and will enable other data mining as well. Lesson is... PAY CASH... Yes, your purchases will be tracked to your phoney "loyalty" card, but guess what, no PII. For those who don't like cash, when's the last time you heard of anyone having their identity stolen from a $20 bill... Wake up folks, technology is not the solution, it's the damn problem. A 30-year IT veteran.