G1234! - Cash in the Aisles: How Gift Cards are Easily Exploited - William Caput

Captions
With that, let's get started, and welcome Sam and Will [inaudible]. Thanks.

All right, good evening everybody. I'm Will, Sam. Today we're gonna be talking about Cash in the Aisles: How Gift Cards Are Easily Exploited. This talk's been accumulating for about two years; we actually started researching this in about 2015, reached out to a lot of vendors that use these gift cards. Some of them have fixed them, some of them haven't. It's pretty trivial how to do this, so if you guys want to follow along, if you have Burp Intruder or Burp Suite, we're gonna walk you through how you do it step by step. I'll show you some examples of companies that don't know what they're doing, some that might have fixed it, and how you can basically steal other people's values off their gift cards, write them to your own gift cards, and go use their money for food.

So without further ado, to start, myself: William Caput. Started in the Marine Corps with cryptography, worked at EY, BWC, go.com, NTT Security. Sam? Yeah, some of the organizations I'm involved with at the moment: DC530, the DEF CON group; NorCon, you can see my shirt here, it's a conference in Northern California, we just had the second year; and Idea Fab Labs in Chico is a makerspace/hackerspace type of thing. Cool.

All right, so what you typically think: unactivated gift cards have no value. You go into a store, you have all those cards sitting out front. You go to a restaurant, a fast-food joint, there's all these gift cards sitting out front on the rack; you just take them, right? They don't have any value on them. But with what we're gonna show you here, you can actually create value for them, or find the patterns on the cards and use those patterns to find cards that were sold prior, or loaded. They're obviously out in the open, so you can take them. They don't have any security measures on them, at least some of them don't; now some of them have CAPTCHAs or whatnot. You can enumerate them, and yeah, so quite a bit of fraud that's possible.

So, kind of what I stated here: we'll find the value of the vulnerable card, we'll determine the valid and invalid card numbers, enumerate the valid card numbers, and then write the data to the card to use in the physical store.

All right, so you see these out at pretty much any store, restaurant, fast-food place you go in. You pick up a stack of them, you flip them over. It's kind of hard to see, but we'll have a clearer slide next. There's two twelve-digit numbers on the back. Those numbers follow a pattern, and if everybody looks at this, can everybody determine the pattern that is on these cards? It's pretty much universal. So you see the last four octets are pseudo-random, and then the eleventh digit, I'm sorry, wait, yeah, twelfth digit goes up by one, increments by one. So those are the ones that are sitting at the restaurant, at the place you're trying to take advantage of. What we can do is determine that the cards that are not there have been sold to somebody. So somebody's come in, picked one up, and said, I'd like to put 50 bucks on this card; they load it, take it home for the kid or whatever, for a gift. That card's been sold. So we just iterate in reverse: the cards that are sitting there we know are 65, 66; well, 64, 63, 62 are gone, right? Most likely sold, somebody bought them.

So how do we determine valid and invalid responses for these cards? This is where Burp Intruder comes into play, and this is another example. So checking a balance on a card: you put a card number in, you can look at the message that it gives back, you tell the difference between a valid and an invalid message. So that's kind of what we're gonna be talking about here. So here's a valid card. You guys are familiar with POST requests; use a proxy tool, use Burp, is what we use here for this particular example. The POST request has the gift card number in it; you send that through for a valid card, the response comes back, you know, "this card doesn't have any money on it," so you know it's a valid card. An invalid card, you just make up a random number for it; it comes back with another, different error: "error with your card balance." So there's a difference in response. If you have a difference in response, you can use Burp to enumerate valid cards based upon that response.

So here's, if you've used Burp before, I'll walk you through it quickly. You intercept your POST request, you send it to Burp Intruder, you put the markers on the last four digits of that card, because we know the last four digits are the ones changing, right? We don't know those four digits; we know the one before it goes up by one, so we're going backwards by one. So you put your marker there, you set your payload set to a number, you're going to do sequential from 0001 to 9999, step of 1, four digits. So this is the random four digits, not the ones that are incrementing. So we know the first twelve, right? So the first twelve, we basically say this is a card number, we're gonna minus one from the card number, we need to find the last four digits of the card, so we can now use Burp Intruder to hammer away at those four digits. So it's gonna make about 10,000 requests, looking for a response. We know the invalid response, "error with gift card balance," so we can put that into the grep match and then sort based upon what it doesn't find. So you can have all but one response saying error; the one that doesn't say error is the one that has the money on it. So you run it through the attack. The free version of Burp does this, so if you guys download it, you can even try this at home on your own card. So you open the valid request, it'll say, okay, this is the gift card number, and we've X'd out the numbers there because I still have money on that card, and the response says there's five dollars on this card. We basically sorted those Burp Intruder responses for the inverse of error, so there's five bucks on that card.

So all right, I'll show you how to make your card. First I'm going to talk about some mag stripe basics for those of you who haven't looked at this kind of thing. With credit cards it's basically the same technology: you have up to three tracks of data. You don't need all three tracks; just write one or two. The format that gift cards usually use is ISO format, and when you're using the tools I'll show you in a bit, you can just read in the raw format if you have something that's not ISO, if it's something else. The tool that came with the reader/writer we have will also do AAMVA and California DMV, although I tried it with my driver's license, and I'm from California, and it didn't work. It was probably an older version. I checked to see if it was Canada, and there's only one province in Canada that uses the term DMV, so I don't think that's it. That cut off the bottom. There's also high and low coercivity; it's the magnetic field strength of the card, and it's measured in oersteds. Your hotel cards, public transportation, that's usually low coercivity, and that's usually a brown stripe instead of a black one, so that's usually for temporary cards. The other settings I had down there, usually you won't need to mess with, unless you have some type of custom format on your card.

So this is the card reader we use: it's an MSR606, you pick it up on Amazon for about $80. Yeah, it comes with a driver for Windows and a demo program on that CD there, and you can also get the driver and demo program online at the first link. There's also a Python library and CLI utility that's cross-platform, and the programmer's manual has some useful information; that's from the Python library's GitHub. All right, so using the Python library, this is just a quick and dirty loop in bash to dump to a file. This is just a really quick solution; it'll ignore Ctrl-C, you just kill it. So yeah, the capital R option will read ISO format, and that'll just keep dumping it to a file, and so there's three lines, one for each track, and then there's a newline after that. So here's the other read/write options; there's a lot more options if you want to change the settings or whatnot. You write ISO format with a capital W and just give three strings; if you give less than that, it'll only write however many tracks you give it. And the same thing for just read and write, that's just in raw format, and clone will just read and then write, in that order.

So you get your card that you want to read and type it. This is the demo program that works in Windows; it comes with it. The Windows one is much easier to use, in my opinion, no offense to Linux people out there. Your three tracks are marked right there, so you swipe your demo card that you get from the restaurant, the tracks are there, you find your valid card number that you found using Burp Intruder, and you just write it into that one space, and then you can use that card when you walk into the store. This card is written with a different number, but it's got the one with money on it, and they'll swipe it and then you'll use their balance. So this is easier to use; you don't learn the command-line options, you just select read and write from the menu on the bottom right, and then you swipe the card, and then you have to hit cancel. And so same thing for loading a blank card: you put the information in there and then you click write and then swipe it.

So the first time we did this, we didn't have the writer, so we just read it, wrote the valid card number on a piece of paper, and took it in, and they honored it. So, you know, one of the things they said was, well, we'll just require the card. I'm like, okay, then we bought the writer. So then we just write the card number to a different card, or the blank ones, take it in. So that safeguard is not really a safeguard.

So other things we can do, and a lot of vendors have done, is implement a CAPTCHA, so when you're going to check the gift card balance, when we're trying to find the valid cards, you'll get hit with that. It'll slow down your ability to find the valid card numbers. And what a lot of them have been doing, because of this research, is now they have that four-digit PIN at the end. So if you have gift cards in your wallet, look: most of them all have like a four-digit PIN that has a piece of tape over it or something where you can't see it. So that's, let's say, a speed bump on the way to safeguarding, especially if you don't implement it correctly, and we'll show you some examples of how they haven't done that. So the vendor from the beginning, when I showed you all those cards, implemented the four-digit PIN; I wonder if you can tell who that is. And then you can look up your gift card balance, and then they have a CAPTCHA, so now they have two safeguards in place; they're pretty secure. So we moved on to, like they said, the lowest-hanging fruit, the easier targets out there. Here's another example of someone doing it correctly: they have a four-digit PIN; they're still incrementing by a single number on the twelfth octet, but they have the CAPTCHA in place or whatnot. Here's another one; these are just more examples. This one has a five-digit random number; each one is incrementing by one again. So you're kind of seeing a pattern here, right? So anytime you go anywhere now, in a restaurant, you're gonna grab a stack of these, you're like, I see a pattern, and you can pretty much do this yourself. These people got really paranoid and they just blocked off everything, so you'll see some of these out there, and you'll be thinking, what does that prevent? Well, we got so lazy that we actually just went in and took pictures of cards and put them back, instead of going through the process of enumerating the valid card numbers. We just took a picture of the cards and put them back on the stack; that way you can just wait until they're sold, you already know the number, and just write it. So they already need something over it.

Yeah, so now they decided to cover it; well, this vendor did, and I'm saying this because not all of them have, and that's why we've kind of waited two years to present this and say, okay, the hell with it, we're gonna go live. Doing it wrong: so this is a local coffee merchant from back in California. You can see that they have a reg code; they have multiple cards under the same octet, so it's not going to be one card per 10,000 tries, it's going to be multiple. You check with an invalid card, you just put a random number in, it says invalid card number. You put a valid card number in, it asks you for the reg code. You see a problem here? So you can just guess those, and then when it says, what's your reg code, you can say, oh, I got a card. Then you could brute-force the reg code, or you could just write the card and go in and see if it has money on it, either or, depending on how much time you want to spend on it. So valid cards ask for a reg code, invalid cards just give an error; we can enumerate valid cards based upon the response. So if you're going to ask for a reg code, don't do it once the card has been told to be valid, because you're kind of defeating the purpose of the registration code. I don't think we had any issues with it; I don't think anybody implemented a timeout or limiting or anything, nothing. So here's the Burp Intruder on that. So you see there's three valid cards per batch, so each time you want to increment the number, you're gonna find three cards that will potentially have money on them for that coffee chain, and then you can just write those out and say one of these might have money on it, and you see what happens. That's the track, using that Windows tool; you can see there's three tracks, or actually two with data, and you just basically rewrite the number there at the beginning. So just highlight it, put in your new number, write it to the card, walk in, see what happens.

We're doing it wrong: this is a prominent movie theater chain. Now you could say, okay, what's the pattern here? How about I tell you that they increment by one. So they just increment individually; I got these at different times in different places; there's a distinct pattern to them. Their balance-checking site: you can put in the number, check balance, and it responds back with the gift card balance. The reason that says "thank you NoScript" is because of how I entered the card number: I had NoScript enabled, and it just gave me that, just returned the AJAX response. And there's no CAPTCHA, no nothing, to this day. So go to your local movie theater chain, I won't tell you which one, get a couple gift cards, see if you can see a pattern, and then go to the movies for free with cards that you purchased. Here's the POST request for it. So another, like I said, using Burp Intruder: you're gonna grab that POST request, you're gonna put your markers in the last four digits, or two digits, or whatever you want to, however big of a sample size you want to go at, because, as I said, they increment by one. You can put in 100 card numbers, so it'll be like three digits, and just go through them, find out which ones have money on them, and you're gonna look for anything, "gift card balance," whatever, and then there's your response again. So as Sam pointed out, it's just a standard JSON response, and this is what Intruder comes back with. So when we go through and we find the ones that say there's a gift card balance, we open it, it's like 40 bucks on it. You can then write that number to the card, and I think I just left it wide open and readable to you on this screenshot here, so yeah, enjoy the $40, whoever gets to it first.

All right, more doing it wrong. You see a problem? Yeah, yeah, that's real. Yeah, so it's a restaurant; they're just incremented by a single digit. So I mean, all you have to do is know how to subtract and write an 84 card, an 83, 82; you just basically go grab a stack of them and then just subtract from them and walk in: I got something on one of these cards, and get some free food. And if you write it to a blank card that doesn't have anything printed on the front, probably they're not gonna accept that, but you already have a few cards, given to you in the restaurant; you can just take them. Like I said, they're sitting out there for you to take; they're thinking you'll load them later or put a sum of money on them. So you just grab a stack, or you can just take a picture, put them back, wait, whatever you want to do, and then write one, write the value to a different card. This is a players club card; it increments by one; I won't tell you what casino, but yeah, if you want someone else's players club points, just subtract. It's a single-track card, so it's just the number on it, so you can write 50, 49, 48, 47, try them; one of them will pop and you'll have somebody's players club points. Certainly a lot of doing it wrong, huh?

This is another movie theater. This one, you have to input the card number and PIN into the request, and the response comes back with "invalid gift card number." So if you put in the application with the supplied PIN, and it is invalid, the server sends an error message to the client as below: not the correct account number. So you get two different errors based upon either the account number or the PIN, and then if you get it correct, it gives you the balance information and QR code associated with the membership number. So another example, a little bit different than the earlier examples, but still doing it wrong.

So let's go to our safeguards again: CAPTCHA, very important; have a hidden four-digit PIN; don't increment cards by a single digit; and cashiers should verify the card number matches the physical card. So that's your final piece here, the physical security of it: if we're writing card numbers to cards that don't match the actual number, that could shut someone down doing this. Or, as this company did, they just took it offline: you can't check your gift card balance anymore, call us. So that was their way of fixing it, just go old-school telephone.

How are we doing on time? 6:19? Oh my goodness, we went too fast. All right, so time for your questions. Well, yeah, a lot of Q&A if you want; we have the mag stripe writer up here, so if you guys want to see how it works, we'll go through that. About us, though: we are founders of the NorCon hacker convention in Chico, California; we just had our second convention; there's a website; we actually pay for speakers to come out, and hotels, so if you guys have anything you want to talk about, or want to attend, hit us up. That's my Twitter, and if you want another walkthrough of this, if you want more detailed slides, you can go to that link and it'll walk you through step by step how to do this. And Sam? Yeah, I just want to give a very quick shout-out to NTT Security for the help to us with this. Yes, mandatory plug for NTT Security. All right, any questions?

Sorry, thank you. A lot of this was how you affect the card; did you try anything like affecting the systems that take the cards? We didn't, because we didn't have access to those. That would require somebody, if I got a job somewhere and worked there, I could probably find a way to find the valid cards. But there seem to be a lot of systems that take cards now, in just places, right, and they're usually... Yeah, so like there's a couple restaurant chains that have kiosks that you can go in and you could swipe your cards. So we try to keep it offline, where we do all the hacking there and then we take the cards in that work, versus trying to exploit at the actual restaurant location. I really don't wanna go to jail, so it kind of keeps it in the safe zone, I guess you could say.

Question: so in your research, did you find that there was a higher rate of companies that were doing it wrong versus doing it right? Well, initially everyone was doing it wrong, and I'm not exaggerating. We've got to the point where I'd say about half of them have remedied the problem, because they use the same card manufacturer, and I think, Sam, you actually did some research on the different companies that make the cards. Yeah, one of the big ones is ValueLink, and you can see when you swipe the card they all have a similar format, the ones that use ValueLink, and it'll usually say in the middle the company name that's using them, and then something like "ValueLink" [inaudible], something like that. And they did pretty good, yeah, so they started to fix them, and there's others that just haven't, or have done it wrong, as we pointed out: trying to create a fix, so it's not working properly. Any more questions?

Yes: what was the response from manufacturers when you actually pointed this out? Was it, like, this isn't a problem, or did they have an "oh" moment? The ones where I was working for specific companies doing a pen test, there was an "oh" moment. They then reported it to the card manufacturer, who then went across the board with all of their companies and tried to fix it. The other ones just really didn't even respond; they didn't really care. So, I could have gone in and used people's money, but I didn't; I kind of just demonstrated that it's possible and provided them the information. I mean, it's kind of standard, though, right? They ignore it until you make it public, and then they pay attention to you.

Hi, so I noticed there's some barcodes on the back of that. So you were taking pictures, just picking them up, taking a picture, and redoing the number. Did you happen to take a look at what the barcodes were, whether they were the exact same number, or worth digging through the code? Because I would see that happening; are some of the differences in the barcodes... The barcodes are just to buy the card. Oh, they're just for the register code. Trying to pull that up; I guess it was further down, like this one. Yeah, so that's the purchase; they're all the same. Yeah, the card number itself is what's gonna have the value, so they're a little separate. Questions? More?

Yes: I see most of your, well, the entirety of your talk focused on stored-value cards, like gift cards for restaurants and movie theaters. Did you try things like stored-value cards for cash money, like Vanilla Visa cards? No, I didn't go after Visa. Visa, you have to purchase those cards in store, so if you purchased them in store, I guess you could buy a stack of them and see if you can find the value of the cards. This is mainly just what's sitting out front that you just take, and as far as I know they're a little bit better about security. Yeah, Visa is a little better with security; you have to have the three-digit PIN, etc., zip code, I assume. With Vanilla, I don't know. But also, you mostly talked about taking the value that was on the cards; did you try changing the value that was stored on the cards? I don't know if that was possible to do. These didn't have stored values on the cards; they just had the card number, and then it would check the server on the back end to get the value of the card. There's a couple places that I didn't include in this talk that write the value to the card itself; you might think of places that have video games, maybe some pizza there. So those actually write values to the card; you can swipe those, change the value on the card itself on the fly. So there's that that you can look into on your own. Any more questions? Who's got the mic?

Right: did you look at rechargeable cards, the type that a car wash or someone that you put value onto the tracks? We have not; I mean, that's something we could definitely look into. All these cards are rechargeable, though, in a sense that you can call and put more money on them, or steal from other people. But we haven't looked at car wash ones; car wash and those places that have video games are what we're kind of going for next, so yeah.

Okay, this is just something I've known for a while and I haven't had any way to actually use this information, but for most of the stored-value cards, like the Vanilla Visa cards, it's typically all tied into one bank account that holds all the money, and when you register one, it'll basically say, if you register a hundred-dollar card, okay, this one card is allowed to take $100 out. And so, I don't know, this just might be an interesting idea for you to further this research, but if you could turn one of those, even a twenty-dollar card, into a hundred-dollar card, or a hundred-dollar card into a five-hundred-dollar card, that might be an interesting vector. I think you should add me on Twitter, seriously. Yeah, I definitely want to look into doing something like that; that sounds like something we'd like to do as follow-up research. Any other questions? Anybody need to go over anything else that we covered, or maybe you missed something? We got plenty of time.

So, yeah, it doesn't seem like there's much sophistication in the cards. I would think that there would be a fair number of people and a fair amount of losses. Is it, what seems to prompt the correction of these issues, the amount of loss, or is it...? Well, I mean, they're mass-produced cards, so they don't put security into the cards; there's not gonna be a chip-and-PIN on something they're giving away at a store. And then loss prevention itself: you ever go shopping at Walmart or whatever, they write off a lot of money a year just on theft. So someone loads a gift card, puts $100 on it, and then they go in and it's empty; is the company gonna get $100 back from them, saying, I'm sorry, I don't know what happened? Are they gonna be screwed? You don't know; I mean, I haven't really looked into that, but I think they could probably have ways of writing it off, or at least addressing it, like there's going to be a certain amount of loss related to these cards per year. Or do they even know? I mean, if you're changing the balance on a card, how's the user gonna prove that he didn't actually spend it? So they may not even know exactly, unless they can tie it to a certain store in a different state, and he lives in a different state, you know, but that would require some back-end detective work and actually giving a damn. That depends on the vendor; as we've talked about, some of them care, some of them want to fix it, some of them are just like, whatever. But some of them are getting corrected, so either they're just becoming aware of general security issues or they're aware of actual losses. Mhmm, may not be losses directly to them, but their customers don't want to do something that's insecure. A lot of these cards, it says you are responsible for this, treat this like cash. So they're saying that's your responsibility, to keep the physical card. But if I'm stealing your physical card virtually and using it somewhere else, who's liable? Because, yeah, you're responsible for the card; I took your card virtually.

So, yes, for the actual mag card writing: when you've gotten the card number, since all of these different types of cards have different values on the tracks and use a different number of tracks, will you need a blank card first in order to figure out what to write on the tracks, so that when you get an actual value you write on the tracks? Um, yeah, you're talking about formatting, how each company formats the data that's on there, right? So as far as the low-level stuff, I think all the ones we've tried are ISO format, so that doesn't really change. They do store it in different ways at the high level, so some of these are just the number, and they'll have a start character that signifies the start of it and an end character; some of them, like the ValueLink, has more information in that one, and some other ones will take part of the card number and move it around to different places. So yeah, generally you want to have one card to see how they store it, and then you can write different numbers in the same format. Yeah, so we actually have one here if you guys want to play with it; I got some cards you can swipe, you can see how it works. If you want to go over any of the screenshots, we've still got about 15 minutes, so come on up, we could demo it, show you how it works. So, thank you.
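The balance-check enumeration the talk performs with Burp Intruder, worked through in Python as an added example that is not from the talk, the speakers, or any vendor. Instead of sending HTTP requests, it simulates the vendor's balance endpoint in memory: a leaky version whose wording differs for unknown and known numbers, the Intruder-style loop that keys on the inverse of the error string, and a hardened version that applies the safeguards listed at the end of the talk (a hidden PIN checked together with the number rather than after the number is confirmed, one generic failure message, and a cap on failed lookups). The card layout (a 12-digit block that counts up by one plus four pseudo-random digits), the prefix value, the balances, the PINs and the response wording are all constructed assumptions for the example; the CAPTCHA is not simulated.

```python
"""Added example: gift-card balance-check enumeration against a simulated back end,
plus a hardened balance service. All card numbers, balances and messages are constructed."""
import hmac
import random
from typing import Callable, Dict, List, Tuple

# Constructed: a card still sitting unsold on the rack. Assumed layout (from the
# talk's description): first 12 digits count up by one per card, last 4 are
# pseudo-random. Only the 12-digit block is used below. Not a real card number.
RACK_CARD = "6006492110450000"
ERROR_MSG = "Error with gift card balance"   # the leaky site's "unknown card" wording (assumed)


def build_ledger(seed: int = 1234) -> Dict[str, float]:
    """Constructed back-end ledger: three sold cards under each of the three
    12-digit blocks just below the rack card (the coffee-chain layout in the talk)."""
    rng = random.Random(seed)
    ledger: Dict[str, float] = {}
    rack_block = int(RACK_CARD[:12])
    for back in (1, 2, 3):
        block = f"{rack_block - back:012d}"
        for suffix in rng.sample(range(10000), 3):       # unique suffixes per block
            ledger[f"{block}{suffix:04d}"] = rng.choice([0.0, 5.0, 25.0, 40.0])
    return ledger


def balance_check_vulnerable(ledger: Dict[str, float], card: str) -> str:
    """The pattern the talk exploits: the response wording differs between an
    unknown number and a valid one, even when the valid card holds no money."""
    if card not in ledger:
        return ERROR_MSG
    balance = ledger[card]
    if balance == 0:
        return "This card has no money on it"
    return f"Your gift card balance is ${balance:.2f}"


def enumerate_block(oracle: Callable[[str], str], block12: str,
                    grep_match: str = ERROR_MSG) -> List[Tuple[str, str]]:
    """Burp Intruder equivalent: payload position on the last four digits,
    numeric payloads 0000-9999 step 1, grep-match on the error string, and
    keep only the responses that do NOT match (the "sort by inverse of error" step)."""
    hits: List[Tuple[str, str]] = []
    for n in range(10000):                                # ~10,000 requests, as in the talk
        card = f"{block12}{n:04d}"
        response = oracle(card)
        if grep_match not in response:
            hits.append((card, response))
    return hits


def sold_cards_below(oracle: Callable[[str], str], rack_card: str,
                     blocks_back: int = 1) -> List[Tuple[str, str]]:
    """Work backwards from an unsold rack card: subtract 1 (2, 3, ...) from its
    12-digit block, since those cards left the rack earlier, i.e. were sold."""
    block = int(rack_card[:12])
    found: List[Tuple[str, str]] = []
    for back in range(1, blocks_back + 1):
        found.extend(enumerate_block(oracle, f"{block - back:012d}"))
    return found


class HardenedBalanceService:
    """One way to apply the talk's safeguards (assumed design): a hidden PIN that is
    verified together with the number, never after the number is confirmed; a single
    generic message for every failure; and a cap on failed lookups per client.
    A CAPTCHA would sit in front of this and is not simulated."""
    GENERIC = "Card number or PIN not recognized"

    def __init__(self, ledger: Dict[str, float], pins: Dict[str, str], max_failures: int = 5):
        self.ledger, self.pins, self.max_failures = ledger, pins, max_failures
        self.failures: Dict[str, int] = {}

    def check(self, client: str, card: str, pin: str) -> str:
        if self.failures.get(client, 0) >= self.max_failures:
            return self.GENERIC                           # locked out; same wording as any failure
        expected = self.pins.get(card)
        # Run the constant-time compare even for unknown cards so the timing does not
        # reveal whether the number exists; existence is folded in afterwards.
        same = hmac.compare_digest(pin, expected if expected is not None else pin)
        if expected is None or not same:
            self.failures[client] = self.failures.get(client, 0) + 1
            return self.GENERIC
        self.failures.pop(client, None)
        return f"Your gift card balance is ${self.ledger.get(card, 0.0):.2f}"


if __name__ == "__main__":
    ledger = build_ledger()
    leaky = lambda c: balance_check_vulnerable(ledger, c)
    for card, resp in sold_cards_below(leaky, RACK_CARD, blocks_back=3):
        print(card, "->", resp)
    svc = HardenedBalanceService(ledger, {c: "1234" for c in ledger})
    hardened = lambda c: svc.check("attacker", c, "0000")
    block_below = f"{int(RACK_CARD[:12]) - 1:012d}"
    print("hits against hardened service:", len(enumerate_block(hardened, block_below, svc.GENERIC)))
```

Against the leaky endpoint the loop returns exactly the sold cards under each block, including the ones with a zero balance, because any non-error wording is a hit. Against the hardened service every probe comes back with the same sentence, so the grep-match sort has nothing to separate, and the attempt counter stops the probing long before the 10,000th request.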
Info
Channel: BSidesLV
Views: 12,660
Keywords: bslv, bslv2017, BSidesLV, BSidesLV2017, G1234!, g1234!, Ground1234!
Id: 5oD5XeoRi8o
Length: 32min 47sec (1967 seconds)
Published: Sun Aug 27 2017