Balázs Bucsay, the founder of Mantra Information Security, which deals with IT security, recently talked about a critical error reported in the European Mandatory Redemption System (DRS), which in theory could give malicious actors the opportunity to make significant financial gains. The experts did not commit any specific fraud, they drew the attention of the system operators to the problem in compliance with the ethical rules, and made suggestions on how to make the recycling system based on barcodes more secure.
This summer, the European Parliament and the Council’s SUP (only single-use plastics) directive, which was published in 2019 and aims to facilitate the transition to a circular economy, was put into practice in our country this summer. As a result, many member countries have introduced return systems, in certain member states earlier, and in our country from July 1st, the REpoint system, with which everyone can easily return drink packaging.
The basic principle of the exchange system is simple: customers can place the undamaged bottles in an uncompressed state with a clearly legible barcode in the displayed machines, where they can claim back the exchange fee included in the price of the product, which can be requested in three ways (voucher, transfer, charity), if found in the database barcode readable on the bottle.
Machine recruiting: you may not like it
AI has become irreversibly integrated into the recruitment process.
The most popular solution is the voucher, which can also be exchanged for printed cash, on which, in addition to the information on the returned bottles, you can see the amount and a wider-than-usual bar code bordered by a long row of numbers at the bottom. Like most one-dimensional (1D) barcodes, this string of numbers contains the most important information encoded in a variety of thick and thin strips in a format that is understandable for barcode readers. The number under the barcode is the same as the string of numbers stored in it, which can be easily read by anyone.
Mantra’s experts noticed that a part of the series of numbers shown under the barcode shows the value of the voucher, the change of which could give rise to possible abuse if an additional method is followed by malicious parties. After collecting several samples, the experts identified that the last two key elements of the voucher’s 26-digit code are the amount and the check digit, as well as identifiers such as the store’s unique code or a simplified time stamp.
The check digit is essentially an error-checking code that confirms the validity of the sequence of numbers at the cash registers. Debit or credit cards using the Luhn algorithm (Visa, Mastercard, Amex) are also based on this concept. This algorithm allows the last digit of the card number to be calculated based on the previous ones, allowing systems to detect errors in the case of incorrectly entered digits before attempting to complete a transaction.
Although the vouchers produced by the machine do not use the Luhn algorithm, the solution is very similar, and if a malicious party were able to decipher the error checking code of the vouchers, they could theoretically generate valid codes with unique amounts, even very high ones.
According to Bucsay’s post, they managed to crack the error checking code and then implement it in a Python script. With a program, essentially by entering any code of the voucher (except for the check digit), the correct check digit can be calculated. This means that if someone were to change the amount in the voucher code, they would be able to generate a new valid voucher. Producing barcode strips is not particularly difficult either, and can be done using open source tools or online resources.
Mantra specialists do not plan to make the Python script or the mathematical formula behind it public; the experts, following the ethical rules, did not commit any abuse in practice. The company responsible for the underlying infrastructure has already been contacted, which has acknowledged the existence of the error, and is working on solutions to curb abuse of the system, according to the registration. After examining vouchers not only from Hungary, but also from other EU countries, Mantra came to the conclusion that the problem may be broader.
The vulnerability essentially means that the value of the voucher is encoded directly into the barcode and is not protected by any security mechanism to prevent offline attacks. If someone is able to generate or modify the barcode, in theory they can immediately change the value of the voucher without detection. According to the experts’ suggestion, the ideal solution would be if the coded value were replaced by random identifiers without internal content, these random numbers would be generated by the system during printing and stored securely in a central database.
When presenting the voucher, the store’s system could verify its validity by checking the central database online, guaranteeing that only real vouchers are accepted. However, implementing such a solution would require additional resources and time, but would significantly increase security and prevent unauthorized manipulation of voucher values. The proposed solution could be technically feasible within the existing framework, increasing the safety and reliability of the DRS. It is worth adding that in the current system, fraudsters would have to pay attention to other factors in order to carry out a specific abuse, for example, the vouchers are printed on paper with a special watermark.
Source: www.hwsw.hu
