3

I recently got a magnetic card reader that plugs into my computer because I was bored. I decided to scan my ID and bank card through it and I was surprised to see my ID number/bank card number show up plainly on the screen. Therefore, can you load a custom value onto a blank card (say, another number or SQL injection string) easily with off-the-shelf equipment? And do these attacks occur frequently?

svbnet
  • The attack you describe is known as [white card fraud](http://abcnews.go.com/Technology/story?id=4773999) and (used to be extremely) commonplace. It is one of the main reasons that EMV was introduced: see [Why are chips safer than magnetic stripes?](http://security.stackexchange.com/q/49234) – eggyal Apr 25 '14 at 19:31

1 Answer

1

The ID and bank card numbers aren't exactly private information. After all, these numbers are simply printed on the physical card, so it makes sense that they can be read out as-is by an electronic card reader. This information is analogous to a user name of an email account, for instance.

Actions that involve using the card's embedded microchip, except the most basic ones, require its holder to successfully authenticate, usually done by entering the card's associated Personal Identification Number (PIN).

The cards contain (at least) one certificate (usually X.509), which can be used to sign a document digitally, e.g. a financial transaction (among other things). The document's receiver can then use the digital signature to validate the signer's identity claim.

The certificate(s) come from a trusted certificate authority (CA) and are also digitally signed by the same CA. In the case of an electronic identity card, this is most commonly the government who issued the card.

So can you easily forge a chipped ID or bank card? The answer is no, because

  1. You'll need more than just the card to use it effectively;
  2. The certificate on the card is very difficult to forge.
Steven Volckaert
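Since stripe data is plain, unauthenticated text, a system that accepts swipes has to treat it like any other untrusted input. The sketch below is an added example, not code from the question or the answer: it validates a swipe against the ISO/IEC 7813 Track 2 layout and the Luhn check, then looks the number up with a parameterized query. The table, function names, 12-digit minimum PAN length and sample swipes are assumptions constructed for illustration.

```python
import re
import sqlite3

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r";([0-9]{12,19})=([0-9]{4})([0-9]{3})([0-9]*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_track2(raw: str):
    """Return (pan, expiry) for a well-formed swipe, or None for anything else."""
    raw = raw.rstrip("\r\n")                # keyboard-wedge readers usually send Enter
    if len(raw) > 40:                       # Track 2 carries at most 40 characters
        return None
    m = TRACK2.fullmatch(raw)
    if m is None or not luhn_ok(m.group(1)):
        return None
    return m.group(1), m.group(2)

def lookup_holder(db, raw: str):
    """Look up a swipe. A match only identifies a card; it authenticates nobody."""
    parsed = parse_track2(raw)
    if parsed is None:
        return None                         # reject before the data reaches the database
    row = db.execute("SELECT holder FROM cards WHERE pan = ?", (parsed[0],)).fetchone()
    return row[0] if row else None

def demo_db():
    """Constructed in-memory table holding one well-known test card number."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (pan TEXT PRIMARY KEY, holder TEXT)")
    db.execute("INSERT INTO cards VALUES (?, ?)",
               ("4111111111111111", "constructed test holder"))
    return db

# Constructed sample swipes
GOOD = ";4111111111111111=25121010000000000?"
BAD_LUHN = ";4111111111111112=2512101?"
INJECTED = ";1' OR '1'='1=2512101?"         # non-digit content in the PAN field

if __name__ == "__main__":
    db = demo_db()
    for swipe in (GOOD, BAD_LUHN, INJECTED):
        print(repr(swipe), "->", lookup_holder(db, swipe))
```

Passing these checks only shows the swipe is well formed; as the answer says of the printed number, it is an identifier like a user name, so authorization still needs the PIN or the chip's signature.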