Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
38Activity
0 of .
Results for:
No results containing your search query
P. 1
thesis

thesis

Ratings: (0)|Views: 1,395|Likes:
Published by Yzabelle04

More info:

Published by: Yzabelle04 on Sep 01, 2009
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

07/09/2013

pdf

text

original

 
Magnetic Swipe Card System Security
A case study of the University of Maryland, College Park Daniel RamsbrockStepan Moskovchenko Christopher Conroydramsbro@umd.edustevenm86@gmail.comcconroy@gmail.com
Abstract
This paper provides a comprehensive security analysis of the Lenel magnetic swipe card systemused at the University of Maryland at College Park. We first explore the cards and hardwarecomponents which comprise the system, and then present several plausible points and methods of attack on the system. We chose several of these attacks and demonstrated them using a $240commercial card reader/writer and a customized unit powered by a microcontroller, which costabout $20 in parts. We developed the capability to read cards, write arbitrary data to cards,simulate card swipes through a reader using a flux reversal pattern generator, and “sniff” datafrom up to 16 live swipes using a single microcontroller which can be easily hidden in thereader's housing. We tested and successfully demonstrated these capabilities on the live Lenelsystem under the supervision of the university's Department of Public Safety. Based on our findings, we recommend that the university use neither social security nor university ID numberson the cards, that it use magnetic card access only in low-security areas, and that it use a moresophisticated and secure system such as proximity smart cards for access to high-security areas.While the analysis and recommendations presented in this paper are aimed at the University of Maryland, building security professionals everywhere can use the material presented here toenhance the security of their own swipe card systems.Magnetic Swipe Card System SecurityPage 1 of 26
 
Table of Contents
Abstract............................................................................................................................................1Acknowledgments............................................................................................................................3Introduction and Motivation............................................................................................................4The University of Maryland's Access System..................................................................................5Uses of University Identification Cards......................................................................................5Information Stored on the Magnetic Stripe.................................................................................5Lenel Hardware...........................................................................................................................6Two Access Systems: Residential and Academic Buildings......................................................8Student Database Connectivity...................................................................................................8Planned Changes in May 2006....................................................................................................9Points and Methods of Attack........................................................................................................10Magnetic Stripe Cards...............................................................................................................10Connection Between Reader and DRI.......................................................................................11Connection Between DRI and ISC............................................................................................11Connection Between ISC and OnGuard Server........................................................................11Chosen Methods of Attack.............................................................................................................12Attacks with a Commercial Card Reader/Writer......................................................................12Attacks with Custom-Built Hardware and Software.................................................................13Technical Details of the Custom-Built Hardware and Software...............................................14Specific Security Implications.......................................................................................................15Broader Privacy Issues...................................................................................................................17Recommendations..........................................................................................................................18Conclusion.....................................................................................................................................21Appendix A: Technical Details of the Custom-Built Hardware and Software..............................22Low-Level Encoding.................................................................................................................22Card Layout...............................................................................................................................22Our Electromagnetic Interface..................................................................................................22Computer Audio Interface.........................................................................................................22Music Player Interface...............................................................................................................23The Flux Reversal Pattern Generator........................................................................................23FRP Generator Internals............................................................................................................23Card Encoder Design................................................................................................................24Skimmer Design........................................................................................................................25Skimmer Data Retrieval............................................................................................................25Infrared Data Retrieval..............................................................................................................25Magnetic Swipe Card System SecurityPage 2 of 26
 
Acknowledgments
First, we would like to thank Dr. Jonathan Katz in the Computer Science Department for beingthe primary advisor on this project. He taught an undergraduate class titled “CMSC414:Computer and Network Security” in the fall of 2004, and Daniel Ramsbrock was one of hisstudents. One of the many topics that semester was magnetic-stripe based systems. When Mr.Ramsbrock approached Dr. Katz regarding undergraduate research, Dr. Katz immediatelysuggested investigating the university's swipe card system. He has been an invaluable resourceduring this project, providing expert advice and guidance on this sensitive project.We would like to thank Dr. Timothy Horiuchi in the Electrical and Computer EngineeringDepartment. He spent many hours in the lab working with Mr. Ramsbrock to develop an earlyversion of the microcontroller software used to read and store swipe card information.We would like to thank Mark McGuigan in the Department of Public Safety. He cooperated withus throughout this project, providing nearly all of the information in this paper relating to theLenel system on campus as well as a sample Mercury Security MR-10 card reader.We would like to thank Dr. James Purtilo for his assistance to Mr. Conroy in his initialinvestigation of the privacy issues of the swipe card system. The Maryland Public InformationAct requests which provided a great deal of valuable information about the system weresubmitted as part of a class assignment for Dr. Purtilo's HONR239R class.Finally, we would like to thank Austin Parker and Nathan Waisbrot for lending us theiMAKStripe R2TAO reader/writer unit for the duration of this project.Magnetic Swipe Card System SecurityPage 3 of 26

Activity (38)

You've already reviewed this. Edit your review.
1 hundred reads
1 thousand reads
Mary Joy Alcodia liked this
alzoriki liked this
Glacer Granados liked this
Robynne Gelera liked this
Princess Bonador liked this

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->