23-05-2012, 01:40 PM
Magnetic Swipe Card System Security
Abstract
This paper provides a comprehensive security analysis of the Lenel magnetic swipe card system
used at the University of Maryland at College Park. We first explore the cards and hardware
components which comprise the system, and then present several plausible points and methods of
attack on the system. We chose several of these attacks and demonstrated them using a $240
commercial card reader/writer and a customized unit powered by a microcontroller, which cost
about $20 in parts. We developed the capability to read cards, write arbitrary data to cards,
simulate card swipes through a reader using a flux reversal pattern generator, and “sniff” data
from up to 16 live swipes using a single microcontroller which can be easily hidden in the
reader's housing. We tested and successfully demonstrated these capabilities on the live Lenel
system under the supervision of the university's Department of Public Safety.
Introduction and Motivation
Magnetic stripe card systems are widely used by many different organizations to provide both
convenience and security. Hotels use them for room access, credit card companies use them for
handling purchases, and college campuses use magnetic cards for both building access and
electronic payments.
We are trusting these systems with hundreds of thousands of dollars' worth of transactions and
equipment. However, it is known among security professionals that magnetic stripe card systems
have many inherent security problems and can be readily circumvented.
The goal of this research paper is to investigate just how easy it is to circumvent such a system,
and based on this, to develop realistic and affordable recommendations for making the system
more secure. We will use the University of Maryland's Lenel system as a case study, and our
recommendations will be specific to this system. However, the general principles behind our
investigation and recommendations will be useful to magnetic card system administrators in any
setting.
Uses of University Identification Cards
Every student, faculty, and staff member at the University of Maryland at College Park (UMD) is
issued a university identification (ID) card. This card has the person's name, photo, signature,
UID number, and issue date printed on the front. The UID is a 9-digit university-assigned number
used for identification in place of an SSN. The card contains a holographic overlaminate with the
UMD logo to discourage counterfeiting. On the back, it contains a magnetic stripe and a 14-digit
bar code.
Points and Methods of Attack
In this section we discuss the possible points and methods of attack in the UMD Lenel system.
This is not meant to be an exhaustive list, but merely to give an idea of some feasible attacks.
Magnetic Stripe Cards
The three basic ways the cards can be attacked are reading, copying, and creation of cards.
Note that all of these attacks also apply to the new UID-based system, with the exception of the
reading attack. This attack becomes a moot point under the new system since the UID number is
also printed on the front of the card, so it would be much easier to simply look at the card and
obtain the UID. Also note that only the reading and copying attacks require the attacker to have
physical access to the card. The creation attack can be carried out without any physical access to
the card.
Under the current system, simply reading someone's card can be considered an attack since it
reveals that person's SSN to the attacker. Knowing someone's name and SSN is the basis for
off-campus identity theft, so this is quite a serious problem. This attack does not require any
specialized knowledge of electronics; all the attacker needs is a commercial magnetic card reader
which attaches to a computer. These devices are available on the Internet for as little as $30 and
are easy to set up and operate.
Another attack is the copying of an existing card. This can also be achieved without any
electronics expertise—commercial card reader/writer combinations are also available on the
Internet for about $240-300. These units allow someone to read in a card and then write out a
copy of that card onto a blank card. As far as the system is concerned, this copy is identical to the
original. The only difference is that the copy will not have the proper credentials printed on the
front of the card, so it will not work for human identification purposes.