Breaking Bus Tickets – MagStripe Hacks And You

Presented at THOTCON 0x5 (2014), April 25, 2014, 7:30 p.m. (45 minutes).

Magnetic stripes store little data, so often times these are used as references back to a centralized database (as in credit cards). This isn’t always possible or practical, however, so implementations must sometimes store all the data that is needed on magnetic stripe itself. When this is used to store identification data only, this usually isn’t a problem. In those cases, as long as you don’t give the card to the bad guy, he can’t read them. But what about ticketing systems? In ticketing systems (like bus tickets), you are giving all the information to the person who is most interested in subverting that information. Many of these systems use proprietary data formats. However, with some reverse engineering and selective purchasing of tickets, these can be decoded. I will discuss not only how to perform this reverse engineering on the tickets, I will display the format the tickets I analyzed (those for the Minneapolis/St. Paul area transit), but also discuss protections to prevent these, and how those protections can fail.


Presenters:

  • Mike Jackson
    Mike is a security researcher in the Minneapolis/St. Paul area. In his day job, he does security testing. Then he goes home and does more security testing. Sometimes, he even has a personal life. Sometimes.

Similar Presentations: