84

While I was walking in the street, somebody carrying a laptop bag bumped into me, and the next day I found out that my storage unit was burglarized and some important items were stolen.

My storage unit door uses a magnetic-stripe card without a PIN, and I have several important items there. The items don't include money or anything that has intrinsic value itself, but they could be important to some parties.

I do realize my mistake, I shouldn't have trusted a storage unit with important items. I should have stored them in a deposit box in a bank.

To help you guys help me, I'll try to give as much information about the situation as possible:

  • I vividly remember his bag hitting my back pocket in an unnatural way.
  • I immediately checked my wallet after the bump, I made sure my ID, money, and the card were there.
  • The stolen items are of some importance to some people and they would hire PI.
  • I've already informed the police and filed a report.
  • The security cameras in the storage area hallway show a masked person opening the door normally, and there are no signs of forced entry.

My question is: Could that person have cloned my card when he bumped into me? Is it really as easy as touching the person's pocket? Does the process really take that small amount of time (1-2 seconds)?

Update: After investigation it turned out that the card has an RFID tag inside it, but the storage space operators didn't know about it. It was there just in case they wanted to change the locks to support RFID. The magnetic stripe and the RFID tag both contained the same data, so the thief copied the RFID tag and made a new magnetic card with the information.

Yesterday the police caught the thief after catching the person who hired him trying to sell the items to a blackmarket honeypot operated by the police. I identified the thief as the person who bumped into me and he later admitted.

Green Fly
  • 1,957
  • 1
  • 16
  • 21
  • 24
    Are you sure it's a magnetic strip, and not a RFID chip, that activates the lock? – apnorton Jun 10 '13 at 22:52
  • I will go with the answer of @schroeder magnetic tap require to be close enough to touch the device, its practically not possible, until and unless it RFID device.. as the answer is protected I am not able to answer in detail.. – MarmiK Jun 11 '13 at 11:41
  • Green Fly, congrats! Was there any insider element in the story? – Deer Hunter Jun 13 '13 at 16:35
  • @DeerHunter so far we know nothing. we're waiting for the police to continue their investigation. – Green Fly Jun 13 '13 at 16:43
  • 3
    This post seems incredible to me - the alleged thief had very specific information that could only have come from the poster - such as the location and interesting contents of his storage unit - and also technical savvy to capture and clone his card data. But at the same time was caught trying to pawn what he stole? – ddyer Jun 13 '13 at 16:49
  • 9
    @ddyer the thief himself was not selling anything, he just stole the items for some other person who turned out to be an old acquaintance of mine. the thief just gave the items to someone else. when the police asked me to give a list of people who might be interested in the item, I gave them a list that included that person (the person who hired the thief). the police monitored the person and caught him selling the items. when they caught the person, he admitted he hired a thief and then the thief was caught. – Green Fly Jun 13 '13 at 16:57
  • Ahh, OK, an acquaintance = insider. Thanks for the heads-up. – Deer Hunter Jun 13 '13 at 17:04
  • @DeerHunter okay, that's what you meant! i thought you were asking if someone from the storage area employees was involved. – Green Fly Jun 13 '13 at 17:06
  • 2
    What kind of a security concept is this? Allowing entrance just with data off a magnetic stripe without an accompanying secret? Having the same data stored in plain and without cryptographic safeguards available through RFID? A "masked person" entering the hallway without anybody paying attention? – syneticon-dj Jun 26 '13 at 21:16

5 Answers5

46

It sounds unlikely. As @schroeder says - a mag stripe must be physically run through a reader. So if you must "swipe" the card to get access, you must swipe the card to copy it. While a pickpocket can take a card out of your pocket, if the card is still in your possession, it's unlikely that this interaction was part of the theft.

Keep in mind, however, that a single instant in time is not the only case of potential intrusion:

  • any time the card was left unattended for any time is an opportunity
  • any access to a master card is an opportunity - generally a storage unit will have a master key card - they are loaning you this space, if you default on your rent, or the police have a warrant, they will need to access your space.

Whichever card is used as a source, making a copy should leave no evidence on the card.

It maybe possible, from digital logs, to see what card was used for access at the time of the break-in. Was it your card?

Chances are, you and the storage space management need to think through who had access to the cards that control your space.

Addition:

Backing up a step to a bigger picture. In any theft, there's a question of due diligence. Any type of security is tricky, and needs a diligent design and careful implementation. This particular issue involves:

  • electronics - the mag strip key card
  • physical - the access to your door, and the facility at large, as well as video survellience,
  • personnel - anyone who was supposed to be watching the video, the people with access to the master card, and overall personnel management

The easiest hack is generally social engineering and working in the nexus of areas of security, where there are often human communication gaps.

The general solution is to work with the site as best you can to determine who might have had access. Accusing them of a lack of due diligence probably isn't going to get the job of finding your stuff done... but sooner or later, you or the PI may need to go there to figure out if you have a insider threat or a fairly clever outside attacker.

As the comment thread shows, there's numerous options out there that are bigger than the incident you mention that are just as (if not more) likely as someone managing to pick your pocket.

bethlakshmi
  • 11,606
  • 1
  • 27
  • 58
  • 8
    Another factor that makes this unlikely is that he would have had to have been targeted specifically by the thief. If he had said that he was a jeweler and lost a million dollars worth of gems, then it seems a little more likely that someone would stalk him and clone his access card, but why would a thief pick him out specifically to clone his access card to steal items that have no intrinsic value? It's more likely that the thief was previously a customer (or employee) of the storage company and knew how to create a fake card and getting bumped into was just a coincidence. – Johnny Jun 10 '13 at 19:37
  • 3
    I wasn't going to guess on the paranoia factor, sight unseen. You're right - in a high end environment, stalking an individual is more likely. But I don't know the details here. – bethlakshmi Jun 10 '13 at 21:23
  • 1
    Another possibility: someone installed something like an ATM skimmer, capturing the card one of the times OP accessed the storage unit. – derobert Jun 11 '13 at 21:57
  • 1
    With the caveat that an installation into the site means that either (a) the site's protections and survellience are lousy, (b) the threat is an insider, who probably doesn't need to go to such lengths if he can just copy the master key. – bethlakshmi Jun 12 '13 at 14:59
  • thank you very much for your answer. in case you're interested, check the question for an update on the situation – Green Fly Jun 13 '13 at 16:30
39

Mag strips need to be cloned via a mag strip reader, not by close proximity.

RFID can easily be cloned by proximity.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 8
    And yes, quarter of a second to clone RFID with the kit I have seen demonstrated. – Rory Alsop Jun 10 '13 at 17:08
  • 7
    And possible from a distance, with some demos I have seen. – schroeder Jun 10 '13 at 17:16
  • 5
    In the event that your access card does not use RFID, it's possible an attacker could have cloned *something* RFID-based in your pocket. He could use that to impersonate you somehow and either 1) get issued a new key or 2) get access to your key to clone it. – apsillers Jun 10 '13 at 17:27
  • 1
    If you're concerned about having an RFID card surreptitiously duplicated, you can buy ordinary looking wallets that have a wire mesh layer build in to block RF signals. – Dan Is Fiddling By Firelight Jun 10 '13 at 20:15
  • 1
    @DanNeely - Agree RFID-blocking wallets are great. However, you should try testing the RFID wallet out. While I have found some that work; I've also seen one that only somewhat damped the RFID signal. (E.g., I could open my work door with the card in a closed wallet from ~6 inches away; instead of the three feet with it outside of the wallet. My newer (more expensive) RFID wallet won't work with my work ID from any distance when I tested (on one particular scanner). – dr jimbob Jun 10 '13 at 23:58
  • @drjimbob I have tested mine as best I can without access to a high power reader. The badge readers where I work only have a 3 to 5 inch range normally. Inside of the wallet my badge fails to read both at contact distance with only the side of the wallet between the reader and the badge and with the open end touching the reader. – Dan Is Fiddling By Firelight Jun 11 '13 at 01:09
  • My family bought me an expensive blocking wallet. However, I can open the door with the card in my wallet at the same 3-4 inch range as when it's not in the wallet, so my family got scammed. Be careful. – Mooing Duck Jun 11 '13 at 18:50
  • thank you very much for your answer. in case you're interested, check the question for an update on the situation – Green Fly Jun 13 '13 at 16:30
27

Can magnetic stripes be read from a distance?

The magnetic field emanating from the magnetized regions in the epitaxial layer on the tape strip is not a directional light-like radiation that can be focused to form an image.

Magnetic tapes are read by a head that is in direct contact with them. Experience shows that in an audio tape deck, dirt on the head, or foreign particles like dust between the tape and the head will cause noticeable drop in high frequency response, as well as in overall volume. If a tape is crumpled so that it does not maintain smooth contact with the head, the degradation is clearly audible.

The magnetized regions are tiny magnetic dipoles. The field strength around a dipole weakens according to an inverse cube law which is an even faster diminishment than the inverse square law.

Furthermore, with increasing distance from the tape it is also less and less possible to resolve the individual magnetized regions, even if you can detect the magnetic field. Say that two adjacent magnetized regions representing 1 and 0 are spaced 0.5 mm apart, and the detector is 1cm away from the tape. The detector is 20 times farther from the regions than they are from each other, and is basically equally influenced by their magnetic fields; it cannot resolve that there are two regions, let alone their orientations and the values they represent. The tape head resolves the 1's and 0's by proximity. As it passes over one magnetized region, it is much closer to that one than to the adjacent ones.

This is why high frequencies go first when an audio tape head is even slightly separated from the tape, and the sound instantly becomes muddy. High frequencies require the greatest resolution between adjacent magnetized grains.

Kaz
  • 2,303
  • 16
  • 17
  • thank you very much for your answer. in case you're interested, check the question for an update on the situation – Green Fly Jun 13 '13 at 16:28
  • @GreenFly Interesting wrap up. I suspected as much, as did more than one commenter. This is a weakness of RFID tags, unfortunately. To guard against this kind of thing, you need a smarter tag with a small microprocessor on it which generates a different code every time based on sequence (tracked in the host system). My garage door opener implements such a scheme. It is built around an IC from Microchip (the PIC people), similar to [this one](http://ww1.microchip.com/downloads/en/DeviceDoc/40035D.pdf). – Kaz Jun 13 '13 at 18:46
16

In the bumping event you describe, they might have put back your magstrip card having stolen and cloned it earlier.

user26997
  • 185
  • 2
  • 7
    While it was my first thought too while reading the question, I'm afraid we have no evidence to support it based on OP's description of events, and more importantly - it does not answer OP's question: _"Could that person have cloned my card when he bumped into me? Is it really as easy as touching the person's pocket? Does the process really take that small amount of time (1-2 seconds)?"_ Please expand on your answer, or convert it into a comment. Thanks! – TildalWave Jun 10 '13 at 20:09
  • thank you very much for your answer. in case you're interested, check the question for an update on the situation – Green Fly Jun 13 '13 at 16:28
0

It defies the laws of physics to read standard magnetic stripe cards with a resolution of 210 bits per inch bits unless your reader playback head gap is closer to the media than the separation between bits. < 1/210" or 5 thou (which is much less than the thickness of your slacks and wallet.) 5 thou is several thicknesses of paper.

It had to be done another way.

Tony Stewart
  • 25
  • 2
  • 1
    While it's true there are limitations due to the laws of physics, there are two false assumptions here: 1) theoretically, you can detect the variation in magnetic field at a greater distance than the separation between emanating source, because the field is not a cube, meaning you can still read the _wave_ (putting it in lay terms for brevity), and 2) data written would have error detection and correction, basically redundant bits of information that can be used to calculate real data, given the discrepancy is not too big (depends on parity data size). – TildalWave Jun 10 '13 at 21:07
  • thank you very much for your answer. in case you're interested, check the question for an update on the situation – Green Fly Jun 13 '13 at 16:42