Magnetic Swipe Card System Security

Submitted By nikshah0007
Words 11974
Pages 48
A case study of the University of Maryland, College Park

Daniel Ramsbrock dramsbro@umd.edu

Stepan Moskovchenko stevenm86@gmail.com

Christopher Conroy cconroy@gmail.com

Abstract
This paper provides a comprehensive security analysis of the Lenel magnetic swipe card system used at the University of Maryland at College Park. We first explore the cards and hardware components which comprise the system, and then present several plausible points and methods of attack on the system. We chose several of these attacks and demonstrated them using a $240 commercial card reader/writer and a customized unit powered by a microcontroller, which cost about $20 in parts. We developed the capability to read cards, write arbitrary data to cards, simulate card swipes through a reader using a flux reversal pattern generator, and “sniff” data from up to 16 live swipes using a single microcontroller which can be easily hidden in the reader's housing. We tested and successfully demonstrated these capabilities on the live Lenel system under the supervision of the university's Department of Public Safety. Based on our findings, we recommend that the university use neither social security nor university ID numbers on the cards, that it use magnetic card access only in low-security areas, and that it use a more sophisticated and secure system such as proximity smart cards for access to high-security areas. While the analysis and recommendations presented in this paper are aimed at the University of Maryland, building security professionals everywhere can use the material presented here to enhance the security of their own swipe card systems.
