[IP] more on Hacked Speedpass, Hotel mag cards

To: Ip Ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] more on Hacked Speedpass, Hotel mag cards
From: David Farber <dave@xxxxxxxxxx>
Date: Thu, 22 Sep 2005 09:29:43 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <20050922132237.73214.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: dave@xxxxxxxxxx

Begin forwarded message:

From: Tom Gray <tom_gray_grc@xxxxxxxxx>
Date: September 22, 2005 9:22:37 AM EDT
To: dave@xxxxxxxxxx
Subject: Re: [IP] more on Hacked Speedpass, Hotel mag cards

For IP, if you wish

One thing that a;ways puzzles me when similar issues
are brought up is that it is easy to perform a creidt
card fraud without any technological assistance.

I found transactions on my credit card bill for a web
porn site. I complained to the credit card company.
They obtained the 'authorization' slip from the porn
company. They claimed that they obtained the card
number from a call and that the name provided was 'A
Guy'. When I mentioned to the credit card company
agent that this was an obvious fraud, she was shocked.

There is a common fraud in which unethical companies
will generate possible credit card numbers that pass
the simple validity checks performed by the banks.
They then attempt to bill these numbers until they
find hits. They then charge small amounts ($25 or so)
to the cards in hope that the charges will not be
noticed. In my case, Charges cen then be made at
intervals. I noted the charges immediately and
complaimed but there had already been another charge
for a porn service.

So I find all this concern about the hacking of RFIDs
and credit card stripes rather puzzling. Why go to the
bother whrn the credit card system is so open for
abuse.

Tom Gray

--- David Farber <dave@xxxxxxxxxx> wrote:



Begin forwarded message:

From: Jim Thompson <jim@xxxxxxxxxxx>
Date: September 21, 2005 7:35:52 PM EDT
To: Dave Farber <dave@xxxxxxxxxx>,
jadams01@xxxxxxxxxxx
Cc: Ip Ip <ip@xxxxxxxxxxxxxx>
Subject: Re: [IP] more on Hacked Speedpass, Hotel
mag cards

So? In this case, we've got an actual, live

individual making

fairly specific claims. Still could be a hoax, but

as the snopes

page points out, one chain did formerly do just

what was claimed.

Are you willing to bet that non-chains motels and

hotels, and

cheaper chains, aren't doing this? Snopes is good

at documenting

urban legends, but I don't regard that as superior

to actually

testing the cards and finding out the truth of the

matter.


The follow-up from Robert Mitchell points

something interesting out:


"What's interesting to me is that while everyone

has an opinion as

to whether its possible that hotels would  -

either knowingly or

unknowingly - store such information on a card

key, only one person

who posted here claims to have tried this at

several hotels

(without success). Given past discussions and all

of the news

stories going back to at least 2003, I am

surprised that no one

else among this tech savvy group has tried this

and reported in."


Hmm...now where could I find a tech-savvy group to

supply data? Any

thoughts?



Dave (and John),

There is a body of GPL code that would allow anyone
to decode the mag-
stripe on these types of cards named "Stripe Snoop"

http://stripesnoop.sourceforge.net/

The site includes instructions on how to build (or
modify) a mag-
stripe card reader:
http://stripesnoop.sourceforge.net/hardware/
hardware.html

A related toolkit allows the casual user to decode
the 1-D and 2-D
barcodes used on most state drivers licenses:
http://turbulence.org/Works/swipe/barcode.html

All that said, the Speedpass cards use a mag stripe,
but rather
RFID.  Its been hacked:  http://rfidanalysis.org/

In my experience, the hotel room keys work as
described.
(Literally the only information is a room number and
a limit on when the
room key is valid.)

However, your security can be compromised in other
ways whilst
staying in a hotel.  On more than one occasion I've
been handed a key
which opens more than one room, and I've been handed
a key for an
already occupied room.  (You can imagine the
surprise of both parties
in that one.)

Also, the TV in your room has been cracked, with
quite possible
negative privacy aspects.
http://www.wired.com/news/privacy/
0,1848,68370,00.html

Jim



-------------------------------------
You are subscribed as tom_gray_grc@xxxxxxxxx
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at:

http://www.interesting-people.org/archives/interesting-people/





__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] James Carroll: Church, state, and Katrina
Next by Date: [IP] European Commission: data retention voice: 1 year and Internet 6 months
Previous by thread: [IP] more on Hacked Speedpass, Hotel mag cards
Next by thread: [IP] more on Hacked Speedpass, Hotel mag cards
Index(es):
- Date
- Thread