Barcode Attacks In Action
Well well, this time I've moved along from the theoretical area into the more practical one.
So, okay, if you didn't know already, I live in Sweden.
In Sweden there is this very huge company called ICA, and they're basically a nationwide supermarket company.
Of course I needed some verification of my barcode-attack theorem, so I simply went out and tried to be creative.
...and guess what? The first target I tried eventually turned out to be ICA.
What is this fuss all about?
In most European countries, there are machines where you can insert an empty bottle/can and get a few coins in exchange.
In Swedish they're simply called "pantmaskiner", and by their nature they seem to be rather secure.
- You enter one or several bottles/cans into the machine. More cans equals more cash.
- When you're done, you can either choose to give the small amount of cash to charity or get a ticket. (I obviously picked the "ticket" option.)
- You then bring the ticket to the cashier, and get a few krones (no euros in Sweden!).
- Afterwards you usually walk away from the store in order to play with your computer.
And guess what! Those tickets got an EAN_13 barcode! The standardized barcode used in all super markets and on all products all across Europe!
Hurray!
...And what could they possibly contain? That's right. The amount of cash the cashier is supposed to give you! (Among some other stuff which will be explained below).
On to the details!
The first thing I did was to scan several random products in the store, and document their prices and various other details,
using the Barcode Scanning application which can be found on Google Android cellphones.
I then moved along and started entering a few cans/bottles into the bottle machine.
It turned out that I had about ~15 cans/bottles.
Because I didn't know what the tickets contained, I simply chose to have a ticket printed every 2-3 bottles in order to see if any value(s) in the barcode(s) changed.
When I was done, I simply put the small pile of tickets into my pocket, closed down and saved all settings/open documents on my phone and went back home to my computer.
Once back home, I scanned through the content of all the tickets.
It turned out that the first 5 digits were the constant 99999, followed by four to five zeros, and then the price in 1/10th krone, followed by a 1-digit checksum.
The value of 9999900000603 tells the cashier that she is supposed to give me 6.0 SEK (the blue value).
The green value of 99999 seems to be a constant; it appeared on all tickets.
The orange 0's are simply a filler; 0000060 is the same as 60, which turns out to be 6.0 SEK.
The red field is the checksum (the only security whatsoever?).
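The check digit is arithmetic anyone can redo, so a code that passes it says nothing about whether the machine actually printed it. As an added example (not part of the original post), this Python sketch parses the ticket layout described above and pays out only against a hypothetical store-side ledger of amounts the machine really issued; `TicketLedger`, `classify` and the sample data are assumptions, not ICA's or Wincor Nixdorf's system.

```python
from collections import Counter

TICKET_PREFIX = "99999"  # constant prefix the post observed on every ticket


def ean13_check_digit(first12: str) -> int:
    """EAN-13 check digit: weights 1,3,1,3,... from the left of 12 digits."""
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(first12))
    return (10 - total % 10) % 10


def classify(code: str):
    """Return ("invalid" | "product" | "ticket", value in 1/10 krona or None)."""
    if len(code) != 13 or not (code.isascii() and code.isdigit()):
        return ("invalid", None)
    if ean13_check_digit(code[:12]) != int(code[12]):
        return ("invalid", None)
    if not code.startswith(TICKET_PREFIX):
        return ("product", None)
    return ("ticket", int(code[5:12]))  # digits 6-12: filler zeros + amount


class TicketLedger:
    """Hypothetical store-side record of the tickets the machine printed."""

    def __init__(self):
        self.outstanding = Counter()  # amount in tenths -> unredeemed count

    def issue(self, tenths: int) -> None:
        self.outstanding[tenths] += 1

    def redeem(self, code: str) -> str:
        kind, tenths = classify(code)
        if kind != "ticket":
            return "reject: not a deposit ticket"
        if self.outstanding[tenths] <= 0:
            # The check digit is fine, but the machine never printed this amount.
            return "reject: no matching issued ticket"
        self.outstanding[tenths] -= 1
        return "pay"


# Constructed sample data: the machine printed a single 6.0 SEK ticket.
ledger = TicketLedger()
ledger.issue(60)
```

Because the layout carries no serial number, the ledger can only match on amount; a per-ticket identifier would be needed to tell two tickets of equal value apart.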
So. Just what if! What if we changed those blue and orange fields into a bigger number?
And made the checksum valid?
Uhm. Well. You would get cash. Right..?
Let's start off with some VB.Net code for making that checksum, shall we? (See it as pseudo code.)

    Module ModMain
        Sub Main()
            Do
                Console.ForegroundColor = ConsoleColor.White
                Console.Write("Barcode: ")
                Console.ForegroundColor = ConsoleColor.Green
                Dim Code As String = Console.ReadLine
                ' &HC = 12: the EAN13 digits without the check digit
                If Code.Length = &HC Then
                    ' Move back to the input line, just past the 12 digits
                    ' (&H15 = 21 = "Barcode: " plus 12 characters)
                    Console.CursorTop -= &H1
                    Console.CursorLeft = &H15
                    Console.ForegroundColor = ConsoleColor.Red
                    Console.WriteLine(CCC13_Checksum(Code))
                Else
                    Console.WriteLine("Error! Enter the 12 first digits of your EAN13 code.")
                End If
            Loop
        End Sub

        ' Walks the 12 digits from right to left with weights 3, 1, 3, 1, ...
        Private Function CCC13_Checksum(ByVal Line As String) As Byte
            Dim Factor As Int32 = &H3
            Dim Sum As Int32 = &H0
            For Index As Integer = (Line.Length - &H1) To &H0 Step -&H1
                Sum = Sum + (CInt(Line.Substring(Index, &H1)) * Factor)
                Factor = &H4 - Factor ' alternate between 3 and 1
            Next
            ' &H3E8 = 1000, &HA = 10: the digit that rounds Sum up to a multiple of 10
            Return CByte((&H3E8 - Sum) Mod &HA)
        End Function
    End Module

By entering the first 12 digits of your home crafted EAN13 code, it will spit out the checksum digit.
Pretty neat huh?
Once you've figured out what your barcode should contain, just go to barcode.ackack.net in order to generate it.
Once generated, it's just for you to print it out.
There is just one slight problem with all this.
The tickets ICA uses are made of a specially crafted and certified paper from the company "Wincor Nixdorf International".
...And sadly, I'm not capable of recreating it, so just handing a barcode over to the cashier would probably end up with you having a bill to pay to the guys in blue uniforms...
But don't worry! You have to think about Social Engineering and Logical Business Flaws!
6-packs of coke and beer tend to be heavier than usual products (2-3kg), and as we all know, people in general want comfort.
So nowadays the cashier doesn't need to lift those 6-packs up any more; he/she just has it slide over one of those barcode readers built into the belt.
What did I say a few lines up?
"[...] Those tickets got an EAN_13 barcode! The standardized barcode used in all super markets and on all products all across Europe!"
Which means, even the 6-pack got those EAN_13 barcodes.
Here comes a rather simple equation for you to solve:
(Computer to generate barcode) + Printer + Paper + Scissors + Tape + (Bottle Machine) + Cashier = X
...If you didn't figure it out - some common sense tells you that X is equal to money.
And what you've all been waiting for...
A Proof of Concept!
- 9999900100006 = 1000.0 SEK
If you would apply that barcode above the previous barcode of a 6-pack (they're always on the bottom side of the product),
go to the cashier and try to pay, you would end up with a couple of beers, and 1000 SEK more in your wallet (~103 Euro / $130).
I do not tell you to go try this out.
If you get caught, you will get caught for the criminal act of fraud. Which as far as I know is illegal.
So let's put this simply:
I do not take any responsibility for whatever action you might take after you've read this article - it's simply a proof of concept.
This technique can of course be reproduced towards other stores and can-machines,
as I've said a couple of times now, these machines and codes exist all over Europe.
I hope I've enlightened you a little bit on how barcodes can be abused.
That's it. Ciao!


Hey, I'm Fredrik. I'm from Sweden, born 1990, and I have a huge interest in information technology and information security. So far, I've been studying for three years at the International IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm one of the Co-Founders of Detectify. I'm working closely together with the Swedish firm Young & Skilled. ...Not to forget, I'm the previous founder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me on twitter @Almroot.