Magnetic stripes vulnerable to hackers, shows researcher

Researcher Weston Hecker is unveiling a new way hackers could break into hotel rooms, swipe credit card numbers, swindle grocery store rewards points and, in general, wreak havoc on many systems designed to use magnetic stripes as input. 

At this week’s DEF CON hacker conference, Hecker will demonstrate a device that can create the magnetic signatures of magnetic stripes without creating entirely new cards.

ADVERTISEMENT
Hecker, a security researcher at the firm Rapid7, is coordinating with the U.S. Computer Emergency Readiness Team (US-CERT) to alert vendors of the widespread problem across many brands of card readers. 

“For now, there’s not a whole lot consumers can do around this,” said Hecker. “Stay alert, use a hotel safe, maybe even put a chair against the door.”  

The trouble, notes Hecker, is that much of the security for magnetic stripes comes from the time-consuming process to print a new card.  

When you swipe a hotel keycard, it enters the equivalent of a personal identification number into the lock. If an attacker can guess dozens of cards a minute — Hecker’s device can guess 46 — it becomes more feasible to guess all of the different PINs until the door unlocks. 

The hotel key systems Hecker studied do not use particularly complicated pass codes. Usually, they are unencrypted and based on easy to guess information, like check-in and check-out dates, and a sequentially assigned identification number.

If attackers check into hotels and check their room keys for their own identification numbers, it is likely that any other guest’s sequentially assigned number is within a few hundred of theirs.    

There is a similar problem for the point of sale systems that accept credit cards and the systems that accept rewards program cards. The systems are designed to let a user enter commands by scanning cards as if cards were input from a keyboard.  

Hackers could use similar devices to command a system to download malware or reprogram a grocery store checkout to give all the rewards points from unsuspecting customer’s purchases their own accounts. 

“The original assumption when these were put into production — even something like Samsung Pay — they thought is would be unrealistic for a person to walk into the store with hundreds of cards,” said Hecker. 

A similar problem was demonstrated in the past with barcode scanners, which also use the scanning mechanism as a replacement for keyboards. 

Usually, researchers are able to notify manufacturers of security flaws in their products. That is not possible in this case. Coordinating a way to notify all the various manufacturers of products affected by devices like Heckers is no easy task.

“We don’t have a bat phone that gets to all the appropriate vendors,” said Rapid7’s Principle Security Research Manager Tod Beardsley.

But Beardsley is confident US-CERT is the best way to get the word out.

“CERT’s been doing this for 30 years,” he said. “They have a pretty good system of dealing with multi-vendor, multi-stakeholder systems.”