Reprogrammable magstripe card chip thingies -- are they real?

[md2000]

Yes, the casette adaptor is essentally the same idea as a programmable “swipe card”. Considering how little current a thin magnetic stripe would generate as it passes a read head, you don’t need a very thick bulky magenet to achieve the same effect. It does not need to move (like the swipe card does) because the changing electrical current changes the magnetic field North-South-North-south with timing similar to a swipe card’s magnetized stripe going by.

there are two types of chips. The “CHIP AND PIN” chip are those little gold contacts you see on your credit card if you live in a technologically advanced country instead of the USA. They’re a pattern about a quarter-inch square near the middle of the card (more to one side). Insert the card in the reader correctly, and the reader fires up the little computer on the card and talks to it.

It goes through a challenge-response conversation using certificate encryption public key technology much the same as you see in HTTPS secure websites. Unlike a magstripe which is simply read, this is a conversation. The chip has to answer correctly, and programming that encryption (or reading the chip to copy it) is a heck of a lot more difficult. You need to type in your PIN number to make the card work correctly. I think there’s even more secure handshaking using the chip certificate, between the card reader and the bank.

For a swipe card, all you have to do is copy the contents verbatim and the swipe reader can’t tell teh difference. Pretty insecure.

The new credit cards now, unfortunately,come with another chip embedded that’s like RFID and does near-field communications (or whatever they call it). These usually carry a logo that looks like the three arcs of a wifi symbol but facing sideways. These credit cards can be read by waving them over the reader.

So they’ve added super secure encryption technology, you need a private PIN number - and then they’ve added the ability to charge stuff by simply reading the card from a (short) distance. Brilliant! At least, as I understand, it also does some form of secure encryption verification handshake so it’s not just a matter of reproducing a wireless signal. Plus, this technology is (supposedly) only for minor transactions under a certain amount. However, I’ve seen it used in movie theatres for admission, so it seems “a small amount” could be $50 or $100?

I can’t see a card simply carrying a serial number, and not some more complex data for a room lock. Otherwise, you just insert your programmable swipe card and try all combinations. If they’ve got a dozen cleaning staf with random numbers, plus hotel security and administration - you may hit a correct number soon unless it’s 6 to 10 digits or more. A clever system would also flag too many tries from a single lock.

(I once wrote a program for a commodore 64- count to a million. With numbers flying by the screen, it took about 3 hours. A calculator tells me to try a million numbers in an hour, you’d need to do 277 tries a second. I bet that’s too fast for most lock readers.)

[The_Lurker_Above]

md2000:

I have no idea how door locks (like hotels) work. Obviously, it’s more complex than a simple “OPEN” code, since it only opens your door (and select oher doors, like the pool or gym). It must be date stamped, since it can expire automatically it seems. I don’t know if all the locks talk every swipe to the central computer, but based on cop shows where they know who entered, which card and what time - probably they do talk all the time. So the answer to the OP is - it depends how fancy and security-conscious the door system is.

The locks at my hotel don’t communicate wireless to a central computer, it would be expensive power-wise and is completely unnecessary. (Almost) all communication from the computer to the lock is via the keys.

Each lock has a clock, the seed for a pseudo-random number generator and just enough memory to recall the last several keys used and the next few pseudo-random numbers. The central computer knows what seed is used for which lock and how to calculate the next number in the sequence.

When a key is made it is encoded with the time the key is made, the time the key is to expire and the next pseudo-random number in the sequence. When you swipe it through the lock the lock knows that you have the current key and won’t open to any older keys.

In the very rare cases when the lock and computer get out of step the manager has to physically go to the lock with a terminal and re-program a lock. This looks almost exactly like the bad-guys in the movie breaking in (with fewer blinking lights and rolling number displays). It can freak out the guests when they see me doing it. If for some reason we or the cops want to know who went into a room when the same machine is used to physically go to the lock to download the last several card swipes.

[md2000]

Interesting, thanks! I’ve learned my new thing for today.

I assume the resultant number code on the card is too complex or too long to be practically cracked by trying every number in turn.

[The_Lurker_Above]

md2000:

I assume the resultant number code on the card is too complex or too long to be practically cracked by trying every number in turn.

Exactly, and like logging into a computer ‘too many’ failed attempts locks the system until a manager comes by to reprogram the lock.

Of course this does nothing to stop someone with an axe from chopping down the door, so there’s a practical cap on how much security improved crypto gives.