A group of high school kids figured out how to crack how subway cards store money. Essentially, they could add .25 cents to a card, then change that amount to over 300 dollars. A quick summary of the journey started with attempting to identify what data changes on the card when money changes. They had to figure out the math behind how the subway cards hide such changes through checksums. Finally, test by adding money, applying modifiers, run through a lookup table created from trial and error and confirm the new amount.
You can watch the entire talk HERE.
I’ve personally …. “in magic land” went through this experience in college. Back in my day, “some people” would purchase card readers and attempt to get free satellite TV. Similar to what these kids did, “some people” would go online and download code to clone working satellite cards. In magic land, I would read data from cards, attempt to find what changes from a dead card vs working card and started creating my own modifications to unlock my own cards (well in magic land). This way my TV cards worked a lot longer than the online ones that continuously got shut down due to the Internet sharing them. Later in magic land, I found my college ID had two payment systems … one that was a black strip (credit card) and other the same chip as the satellite TV. Using the same strategy of reading the card, adding a dollar, and reading again, I (in magic land) was able to find the money bits (that’s how the DEFCON kids called it). There wasn’t any check sums, salts, etc. to deal with so it was super easy to just make changes and see what was accepted leading to the creation of my own lookup table I could use to convert change to dollars. I even got my card up to 99999999 dollars once I figured out what to change. This (in magic land) led to free vending machines as those accepted the chip vs credit strip.
I bet these DEFCON kids would have accomplished more than I did as they were dealing with harder variables to overcome. It’s a interesting talk to watch via not just what they did, but how they got there. Check it out