One day in the future, Samy (the creator of this) will stop being the coolest person on the internet, but today isn't that day. Previous projects include:
SkyJack is a drone engineered to autonomously seek out, hack, and wirelessly take over other drones within wifi distance, creating an army of zombie drones under your control.
...and then:
No authentication or encryption is used by the Parrot to secure the connection with the pilot.
It's actually just a wireless network that you connect to and send commands to the Parrot. It makes it really easy to control it from your laptop. There is a library for it that makes it possible to be up and running in under 5 minutes.
Oh wow... shit... it's the same guy for all of these indeed. I think I would've been super proud of myself just for accomplishing even one of these things...
I guess these are the type of guys that would start to approach the definition of a modern polymath maybe?
Not saying he is one necessarily (or that he isn't), but what examples of modern polymaths are there? Considering a lot of the fields to be mastered need enough detail and knowledge that it seems hard to find one.
Yes, he has quite a resume there. However, maybe I'm just older, but my ideal polymath is not just coding/hacking electronics. I personally think it should be those plus knowing more diverse fields and skills such as: applied mathematics, celestial navigation, biohacking, chemistry, milling/lathe work, building machinery from scratch by smelting and casting [1], animatronics, boatbuilding, horology, mechatronics, music, languages etc... I picked these things, because they are things I personally strive to keep learning. They are not everybody's list. I guess today the emphasis is on coding/small electronics because of the world it opens up to you (except those things that are purely mechanical or require other skills).
In any case, my hat is off to him. Impressive!
Do you have any examples of someone that would fit this description?
I think a modern polymath could look a bit different than the ones in the classical sense. To be able to make contributions to the fields you mentioned, I guess you would need more years of study than anyone could dedicate to, just because those fields seem to be very hard, especially considering the degree at which nowadays we would consider someone proficient in any of these.
Well, I'm not sure, I'm actually wondering. For your particular definition, or something close to it, who would you say gets close?
Ben Krasnow is easily one. The amount that guy knows about everything (electrical engineering, mechanical engineering, material science, chemistry and some programming) is staggering. His YouTube channel is great.
Anyone more recent? You see, it seems to be that it was a lot easier to know a lot when there was a lot less to know. Now people tend to specialise in one field and know a lot about that field as opposed to knowing quite a bit about a multitude of fields.
You're right. I guess there are polymaths at this age and time, we just don't know about them. Maybe as you imply, it's impossible nowadays to stand out of the crowd the way Newton, Archimedes, Gauss, Tesla (as another commentator pointed out) did in the past.
Wow, surprised to see Gingery books are still around! They got me started melting down aluminum cans with a coffee can charcoal furnace as a kid. I always wanted to build the lathe but never got around to it.
The number of times I've seen what seems like the Hackers script got borrowed and applied to real life - people being banned from using computers for an arbitrary length of time - is just silly.
It's stunning how bad many card issuing systems are (as noted in the post, AmEx et al). When I was in college all of the administrative buildings, student common areas as well as many of the student housing areas were controlled by magstripe. Meals were also kept track of by card.
I knew from people losing their cards, which continued working some places but not others, that there was a relationship in the issuing. I got a reader, decoded the card (zero-padded student ID, issue number, and XOR checksum).
I found other places to find the student ID number, and could enumerate a few issue numbers. I built this spoofer: http://www.instructables.com/id/Arduino-Magstripe-Emulator/
Then I could get into my friends' apartments (as a POC with their permission of course).
I disclosed and got a thank you (I built a good relationship with my IT dept over the years), but never figured out if they fixed it.
When I was in school our student IDs were our social security numbers and encoded directly on our ID cards. Grades were left in folders outside the department office with our full SSNs on them. You could easily take someone else's grades, encode their SSN onto a card, and spend their money.
I'm pretty sure that, aside from the magstripe security issue, that practice (grades left in public identified by SSNs and/or student ID #s) has been a FERPA violation forever. Or since the 1970s, at least.
The law changed in the early 2000s. About a year after I discovered this they changed the ID numbers on the grades to the last 4 digits and shortly after that they moved away from SSNs.
No, there was no change in FERPA in the early 2000s, except changes in 2000 and 2001 to add additional allowed disclosures (the 2001 changes were part of the USA PATRIOT Act.)
Now, lots of places in the 1970s and 1980s, and some into the 1990s and 2000s, may have been engaging in the practice of posting grades by SSN or student ID #, even though posting by either had long been explicitly prohibited by FERPA regulations.
What did happen in 2001 that may be relevant to awareness of the rule is the publication of a finding in response to a complaint for posting with the last 4 digits of the SSN.
It could have been "good enough". Remember the whole "keeps an honest man honest" bit. Retooling their security system might cost a lot more than some spoofed meals, and we all know doors & tumbler locks are never impervious.
Yeah, until a man gains easy access to 17-year-old girls' housing, then everyone will flip out. I mean, it's one thing to break stuff to get in, or conspicuously pick a lock, it's another to casually slide a card like everyone else and leave no trail other than maybe video surveillance or access logs showing the same card being used at two ends of campus faster than possible (which nobody will check until something bad happens and they go looking at that data.)
I had a similar experience at my university. I found easy unauthenticated sourcing of most of the data needed to clone the card of anybody by name. The issue number was the only thing to guess, but easy to brute-force on something low-stakes like vending machines. The card was used for food, a debit-card-like system, automated door locks to semi-public buildings and on-campus housing.
With the permission and cooperation of the university security, I made a card of a high-level security guy (who could have been targeted using the public/semi-public org chart) and swiped into their datacenter where all the university data is hosted, along with that of some partners with sensitive data. Luckily the innermost parts need an RFID or something which I didn't have access to, but potentially I could have tailgated or social-engineered my way into that. They weren't interested in letting me research whether I could crack the RFID. :(
I was told my demo made a big splash, but IIRC I checked a year or two later and my source for the ID data was still wide open. There's having imperfect locks and then there's leaving all your keys out in public.
It's true, I didn't consider this enough. But I had a way to create a key without ever possessing the original. If it could only be copied from the original, as even a semi-competent implementation of a magstripe would be, there would still be the chance that someone notices a theft of a key, and it's just harder to pull off if you have to find and covertly steal a key.
My point is that being able to trivially hijack arbitrary identities without even knowing the person let alone physically finding them, is not "good enough." It'd be like if you could make arbitrary car keys with just a VIN, and the VIN is displayed prominently, it would be silly to say "Well now, it keeps honest people honest, so it's good enough."
I think the problem with these systems is that "good enough" should be much more "gooder" than it is, due to being a solved problem for most cases.
For example, if you happen to need a unique ID for each card, and you roll your own "random id generator" you might happen to encounter pitfalls that would've been solved by using UUIDs.
Or you try to get some sort of hash value from the card info (to verify validity or whatever) and instead of using a known hashing algorithm you try to roll your own.
And I would guess a long list of etceteras.
So when a system that should be for the most part trivial to implement correctly is full of these holes then people like GP will start poking around and ultimately start finding a lot of issues that would make it actually not "good enough".
I mean sure, keys are just there to keep honest people out, but if you can use a standard key that would foil both honest AND a few opportunistic dishonest people then why are you instead trying to use your own "custom key" that happens to be much easier to defeat? Especially if said standard key is not really that much harder to implement.
> I found a global pattern that allows me to accurately predict American Express card numbers by knowing a full card number, even if already reported lost or stolen.
> This means if I were to obtain your Amex card and you called it in as lost or stolen, the moment you get a new card, I know your new credit card number.
Anyone who has an Amex would notice this immediately. The last digit is the Luhn check digit and the digit before that increments each time a card is issued, starting from 0.
I've just pulled a load of my expired Amex cards. It looks like I got the incrementing digit wrong. On my cards it's the 4th from last that increments. UK Amex FWIW.
Someone I know said they had their card cloned and when the CSR went to reissue there were already attempts to use the new number, so it seems like this may have already been known by fraudsters.
This also happens for me, UK, Bank of Scotland. Actually I find it to be a feature as I have my card number memorized and whenever I need a replacement I only need to remember 5 or maybe 6 new digits (including the three CV2 digits). I wouldn't really call it a vulnerability due to the CV2 being randomized and the fact we have chip and PIN over here.
The chip is being rolled out to keep up with VISA/Mastercard's deployment of chip. Note however that chip transactions are far slower than proximity or magstripe uses, making it completely redundant except for a malfunctioning magstripe reader.
It would have been as much a software update to have implemented PIN and would've brought security to the level of ATM cards.
The generation and provisioning of card numbers is limited by other systems which includes fraud detection, account processing, auditing and other backend systems.
I wouldn't say "most places" -- after a recent trip to Europe (Ireland, England and France), the only place we couldn't use our "signature-only" card was a train ticket vending machine, every business we went to had a magnetic stripe reader and knew they had to use it when the card had no chip. (my wife's no-foreign-transaction-fee card had no chip, so we tried to use that one as much as possible)
In every case where I used a USA chip card (with no PIN), the card reader prompted for a signature, so it was no problem.
Though I really don't understand why USA issuers and merchants went with a chip-only system, seems like it would have been trivial to allow PIN too.
Though even Chip and PIN only fights a small portion of the fraud - every time I've experienced credit card fraud, it's been with internet purchases. Amex used to let me generate a temporary card number for each merchant, I used that all the time, but they dropped the service for some reason.
How is it slower than swiping the magstripe and signing a receipt? Chip and PIN has been standard in the EU for a while now and it is very fast, faster than magstripe swipe and sign but not as fast as contactless.
And Samsung is really in a panic right now since the chip & pin rollout is going to effectively nullify their investment. Initially they can just strip the "require pin" flag from the magstripe, but eventually opt-out won't be supported.
So Samsung is investing massively into Samsung Pay adverts and promotions in order to get people using it, with the hope that once this functionality breaks that people will continue using it via NFC supported terminals.
I believe they give you $50-100 just to use Samsung Pay right now for one example.
Did they ever think chip & pin wouldn't roll out? I took the magstripe emulation as a bridge play, to be the first truly viable mobile payments option in order to take pole position in the coming mobile payments scuffle.
Samsung worked directly with the banks to deploy a tokenization scheme via the magnetic card swipe system so it would be EMV equivalent. It's not sending your actual card number, but a virtual card number provided by the bank that doesn't have the 'chip required' bit.
Yup, however Samsung Pay/LoopPay keep the chip bit meaning you need to bring your cards with you when they require Chip, where MagSpoof can disable the bit, allowing you to leave your cards at home.
Samsung Pay's pitch is that it is (mostly) backwards compatible with existing card readers. When NFC fails, it does fallback to magnetic strip emulation.
I was very surprised to learn there's no check for Chip and Pin requirements beyond what the magstripe requests. I naively assumed if the card had that feature the terminal could force it to be used. What would happen with the other fields he mentions, like whether or not you can withdraw cash with the card?
The problem of tricking the reader will be solved in the US the same way the rest of the world solved the problem. You stop using magnetic stripes.
For the longest time, chip-and-pin readers in most European countries would let you just swipe the magnetic card if you didn't have a chip... this allowed Americans (and whoever else still uses this technology) to be able to shop when they travel.
Unfortunately a disproportionate amount of theft occurs by bypassing the chip-and-pin system. Many European countries and banks finally had enough and said "no more loopholes, chip-and-pin only" and set a date.
Lo and behold this spurred the US banks to finally start releasing chip-and-pin enabled cards, otherwise their clients would find themselves unable to buy things overseas.
The deadlines have come and gone in my country, and today it is literally impossible to buy anything with just a magnetic stripe.
I imagine the US will solve the problem the same way... by no longer allowing magnetic stripes to be used.
I can't claim to spend a ton of time in a huge variety of countries, but in the past year I've been to Iceland, England, Wales, Scotland, Italy, France, and New Zealand, and I can't remember anywhere I had to use the EMV chip in my credit cards except places like parking garages that didn't have the physical facility for a mag stripe swipe. Every retailer terminal could read a magstripe.
More annoyingly, whether I swiped or dipped, a signature was required. Except, again, where there was no way to sign (parking garages). Then, magically, my PIN was "good enough".
I went out of my way to get EMV cards last year due to upcoming trips, because I had only been overseas sporadically over the past decade and assumed that the magstripe was gone. It was not. If anything, merchants seemed more able to deal with them than 10 years ago, where I occasionally had a clerk who couldn't figure out whether to swipe extremely slowly, or quickly enough to set fire to the equipment.
As a UK resident with a UK card it's been a long time since I swiped or signed. I think you must have the "require signature always" bit set on your cards because someone in the issuing chain doesn't trust EMV.
Correct. I HAVE a PIN for purchasing, but the card is set to prefer signature so I end up having to sign unless I'm purchasing somewhere without signature capability (eg, an automated kiosk). And yeah, US resident, US card.
You're correct. From my understanding, most issuers have determined that Chip and Signature is secure enough for the US market provided they support DDA. Both of my EMV cards do not even provide a way to create a PIN for them. It will most likely be this way for a year or two.
I live in Iceland, and it is not possible for me to buy anything with a magnetic stripe.
Here is the campaign that was run by the largest payment processor letting everyone know the old system was going away. It was heavily advertised all over the country.
There usually is an exception for foreign cards because otherwise visiting American tourists can't buy anything. Your local card may not even have a magstripe any more, but until the US upgrades most places will keep their magstripe readers.
Perhaps your card marks the use of EMV as optional.
A European-issued card would deny use of the magstripe on an EMV reader. This could possibly be overridden by the cashier, but most won't have the authority to do this. (The merchant takes responsibility for fraud in this case.)
Not sure where in the UK you were spending/shopping, but I live in the UK and all card readers require chip and PIN and there is no signature required. Whilst the readers have a swipe facility, if your card has a chip you are required to use it. Perhaps because you were using an international card it allowed you to use the swipe facility, although I have no idea why you would choose that as it is significantly slower.
The terminal has no method to determine if the card is Chip and Pin enabled aside from the magstripe.
Sure it could check for the actual chip, but credit card fraudsters aren't creating fake cards that include the chip so that wouldn't help either.
I would argue the way they should implement it is such that the bank itself rejects the transaction if it knows the card is chip enabled and the terminal is as well.
I always assumed that chip/pin being used was at least checked by the credit card company. The machine should be telling them if it supports chip/pin, and the cc company independently knows all the information about your card, so... urrrrgh.
What's also interesting about our chip readers here in the US is that they only do chip + signature for credit cards, so they're not adding anything if someone physically has your card (I've had the ones they auto-reissue, which Chase claims they cannot stop in their system, stolen from my mailbox).
The card company checks whether the card and terminal are EMV capable. But, the whole card system is not built on absolute security but on risk-management and fraud detection, that is somehow balanced with customer convenience. In effects this means that only thing that is absolutely needed for transaction to be authorized is card number, what other data have to be provided and what checks have to pass is function of trustworthiness of various parties involved (mainly of the merchant).
(for example, the EMV standard explicitly handles various failure modes like "PIN-pad is broken", "card holder does not remember PIN" and so on, and allows configurations that accept such transactions)
Agreed. I think for it to truly work it would require support from the terminal in the form of letting the processor know if the terminal does or doesn't support chip & pin.
If the terminal doesn't support it the processor always lets it through. If the terminal does support it the processor only lets it through if using chip and pin. Then again, maybe there won't be non chip and pin terminal much longer so that won't matter.
IIRC from some research I did, a decent card provider will reject a magstripe transaction from a terminal with EMV capability if a card is known to also be EMV capable... At least, it could in theory.
I live in Canada and that's what happens with all of my Visa/debit chip cards. If you attempt to swipe your card and it, as well as the terminal, are chip enabled then it gives you an error and asks you to insert your card into the terminal.
That is triggered by the magstripe though. The point here is you can trick the reader by turning off that feature on the magstripe and the reader doesn't do any additional check on whether EMV should be required.
Based upon my knowledge of EMV liability, the merchant would still be clear from fraudulent charges if they had an EMV reader. If the device tells the reader it can't do chip & pin, then the buyer is the least secure part of the transaction.
Not in all cases, I believe. For instance, to use my debit card in China, where a lot of payments are still done via magstripe, I have to call my bank and ask them to enable magstripe transactions for me in their system. Otherwise, the bank will keep rejecting transaction attempts.
> IIRC from some research I did, a decent card provider will reject a magstripe transaction from a terminal with EMV capability if a card is known to also be EMV capable... At least, it could in theory.
That's how it works for all countries other than the US. In the US EMV capable terminals are not common, so transactions in the US are typically permitted no matter if magstripe or EMV. This is why, starting in October this year, the US is finally making the switch to EMV, and once that roll-out is complete, magstripe transactions could (theoretically) be either disabled or severely limited. For instance you might have to confirm a magstripe transaction with a text message.
They could definitely do this, but I don't think any of them do (or will for quite a while). It's perfectly acceptable for a business to continue sending magstripe transactions if they want. The business just takes the responsibility for chargebacks. This would just look like a transaction where either the reader didn't have the functionality or the merchant decided not to use it.
The business has an interest in using chip & PIN. I forget the details of the contracts they have with the banks, but the chip adds extra protection to the credit card company, and the PIN adds extra protection to the business. Which is why people are annoyed that the credit card companies want to stop at chip & signature.
This would only be an issue for those that don't authorize with the issuer immediately when the card is read. The issuer would know the service code read by the PIN pad and should be able to determine that it is incorrect based on the PAN read by the PIN pad and the fact that the merchant is certified to support EMV. They could choose to decline the authorization at that point. Most payment processors that I'm aware of in the US do this.
There is a sentinel character on the mag stripe which identifies the card as chip and pin. As mentioned in the README of this repo, it can be disabled - for the purposes of backwards compatibility, this is a necessary evil.
Fortunately, it is easy to detect! The terminal will send the magstripe data online when authorizing the transaction, and the backend systems will identify the corruption in magstripe data and identify it as fraud.
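The issuer-side check the two comments above describe (compare the service code in the swiped Track 2 data against what the issuer knows it encoded for that PAN, and decline a chip card that suddenly presents as magstripe-only), as an added example that is not code from MagSpoof or from any commenter. The PANs are standard test numbers, the issuer table is constructed, and the "approve" path only means the track is intact, not that other risk checks passed:

```python
"""Issuer-side downgrade check for ISO/IEC 7813 Track 2 data (added example)."""
import re

# Track 2 layout: ';' start sentinel, PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# First service-code digit per ISO/IEC 7813: 2 and 6 mean an IC (chip) is present.
CHIP_SERVICE_CODES = {"2", "6"}


def luhn_valid(pan: str) -> bool:
    """True if the PAN passes the Luhn check (the last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a Track 2 string into its fields; ValueError if malformed or bad Luhn."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("malformed track 2 data")
    fields = m.groupdict()
    if not luhn_valid(fields["pan"]):
        raise ValueError("PAN fails Luhn check")
    return fields


# Constructed issuer record: PAN -> service code the card was actually encoded with.
ISSUER_CARDS = {
    "4111111111111111": "201",   # chip card, international interchange
    "5555555555554444": "101",   # genuine magstripe-only card
}


def classify_swipe(track: str, terminal_emv_capable: bool) -> str:
    """Issuer decision for a swiped (not dipped) authorization request.

    Returns "approve", "decline-downgrade", "decline-tampered",
    "decline-unknown-card" or "decline-invalid-track".
    """
    try:
        f = parse_track2(track)
    except ValueError:
        return "decline-invalid-track"
    issued_svc = ISSUER_CARDS.get(f["pan"])
    if issued_svc is None:
        return "decline-unknown-card"
    if f["svc"] == issued_svc:
        return "approve"
    # The service code on the track never legitimately changes after issuance.
    # A chip card presenting a non-chip code at an EMV terminal is the
    # "disable chip" downgrade; any other mismatch is plain tampering.
    issued_chip = issued_svc[0] in CHIP_SERVICE_CODES
    presented_chip = f["svc"][0] in CHIP_SERVICE_CODES
    if issued_chip and not presented_chip and terminal_emv_capable:
        return "decline-downgrade"
    return "decline-tampered"


if __name__ == "__main__":
    genuine = ";4111111111111111=25122011234567890?"      # service code 201
    downgraded = ";4111111111111111=25121011234567890?"   # same card, code rewritten to 101
    print(classify_swipe(genuine, True))      # approve
    print(classify_swipe(downgraded, True))   # decline-downgrade
```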
> What's incredible is that the magstripe reader requires no form of wireless receiver, NFC, or RFID
Another way of looking at it is that the magstripe reader is a wireless receiver. It just usually works with signals so weak that they can only be transmitted a minuscule distance.
Hmm, I'm very surprised that magstripe readers don't have sensors that detect physical presence of a card, even to this date. But regardless, the main point for me was how trivially one could downgrade the security by setting the bit about Chip/PIN capability off.
I'm surprised magstripe readers still exist. I don't think I've used one in years. They are often there... but I don't see their purpose. Last non-chip card I've seen was maybe 12 years ago.
You're obviously not in America, then. Out of the 6 cards in my wallet only 2 even have a chip yet (my bank promises my most frequently used card has a chip equivalent in the mail).
The shitty thing is that because of Samsung Pay it's impossible for a merchant to distinguish a cloned magstripe from a legitimate Samsung Pay transaction using MST. I wrote a bit about this a few months ago: http://lucumr.pocoo.org/2015/8/31/the-thing-about-samsung-pa...
Can anyone explain the legality of building and using one of these (for your own cards, obviously)? I know there are similar appliances, but do they need to be accredited?
It mentions "disabling chip and pin", meaning it will convert the sentinel character on the magnetic stripe which tells the terminal that it is a chip card. By disabling the sentinel character and using this on a chip enabled terminal, the financial institute (BASE24) SHOULD decline the transaction because the Track 2 data will be incorrect.
Edit: I meant on an EMV compliant terminal.
Edit: Also, that is considered fraud and you're best not testing it, unless you like the prison environment.
I recall people demonstrating something similar to this with passports at DEF CON some years back from quite the distance. Picking up credit card data and IDs wirelessly is definitely not new. This is why I use a small magnetic / RFID blocking case while traveling.
It should be possible to detect this with a reader firmware upgrade, if the reader reads more than one track on the card. If both read heads are showing similar signals, the signal isn't coming from a normal card.
That depends on whether the terminal has the physical capability to read more than one track of card data. I have an Ingenico Alphira terminal in my junk box and from casual inspection it looks like the magnetic head has two coils, but while there are footprints for two sense amplifiers, only one is populated.
This is too damn cool to pass up - talk about convenience... I would have been willing to pay for such an item!
Yes everyone is going to run around and scream 'security!!' when they realize how ridiculously trivial this process always has been, but it does not change facts - it has always been this easy, but this is a new way to highlight that fact.
The Samy MySpace worm: https://en.wikipedia.org/wiki/Samy_%28computer_worm%29
EverCookies: http://samy.pl/evercookie/
SkyJack: https://en.wikipedia.org/wiki/SkyJack
And so much more... http://samy.pl/ https://en.wikipedia.org/wiki/Samy_Kamkar