Magnetic Card Writing Curiousity

[thebluecoat]

First post after being hooked on hak5 videos, I figured I'd bring this question I've always been wondering about to this place. I wont ask

"how to" because of the nature of the issue.

# I've been thinking for a long time how ownage it would be to utilize a card writer on (member benefits cards) my main example is at a local food spot called "subway". Every time you buy a sub you give them your card and it will load "points" on it based on the dollar denomination you spend at the point of sale. $1 = 1pt. 75pts for a "free" foot long sub (yum)

1) Is it possible to utilize a card writer to modify the amount of points on the card for more free yummage?

2) Would this sort of thing be simple?

===========================================

## Where I am there is also a local bus transit system that gives you (paper based) change cards sort of like NYC metro cards.

1) Would it be possible to carry out the same sort of system above on a card like this for more free transportation?

===========================================

Thank you in advance for your input

[digininja]

For Subway no, the card is only an id, the points are stored in some back end system somewhere and the card just tells the backend which account to credit the points to.

For the bus cards, maybe as they won't likely be talking back to some other system. It isn't magnetic based but check out the work that has been done on cracking the Oyster card in the UK.

[Infiltrator]

Looks like they've done some real thinking before implementing this points system. Obviously they don't want people walk in and out of the store and getting things for free.

I am mean, it would be a loss for them if someone managed to write points to the card.

[digip]

The questions is not about the card holding points, but how their points system works in general. Is the points system exploitable in some manner, say by putting info on the card that could make it a "test" card, say for diagnostic purposes. Its possible they have an account that does the free sandwich thing using a special card.

I'm just talking out loud, but I'm thinking this might be the case because ATM machines at banks use special cards when setting them up for testing, that use a special number and pin. Each bank would have their own for their specific bank. Its not a real bank account tied to the card, but something internally that can be used to dispense money, in our case, paper. We used to have ATMs at work that would be customized and they had fake money, kind of like monopoly money, that would spit out of the machine when used with these special cards (the ATM doesn't care whats loaded in it, it only checks the validity of the card itself by dialing home to the main system), but this was more for testing and setting up custom ATMs that were branded with the banks logos, colors, menus, videos, etc. They made their own housings for the ATM machines in house and used the cards to set them up during testing. It was also something they did I think when testing bank fraud on the ATMs but the point is, they had a special account that could spit out money.

If the Subway points system has something similar, I imagine being able to put this special account on a card to generate free tokens.

Edited February 5, 2011 by digip