From what I saw and read, the first card verification mechanism used by the

------------------------------ Date: Tue, 28 May 1996 22:09:28 +0900 (JST) From: Chiaki Ishikawa <ishikawa@personal-media.co.jp> Subject: re: TILT! Counterfeit pachinko cards ... (Wayner, RISKS-18.15) I would like to add some background as someone who has played in pachinko parlors in Japan. (The origin of the game of pachinko is rather vague. Some say it is based on the ball game popular after the WW-II in U.S.A.. Anyway, it is a gambling business.) The card in question acts as a kind of debit card inside the pachinko parlors. It was introduced a few years ago by an former police official, with the expressed intention of keeping the money flow easy to track. (I would say it was a ruse to make a few companies where the ex-police officials can find jobs after retirement from the office. But I digress.) The cards are sold to the pachinko parlors and the customers buy the cards from the parlors, and obtain steel balls to play the game by inserting the card into the slot next to the game machine. Pachinko gambling works as follows. When you win the game, the number of steel balls in your possession increases and the customer can exchange the balls with gifts. (Therein lies a complication. Japanese law prohibits gambling, and so exchanging the steel balls with real money is illegal. *However*, first exchanging the balls with gifts, and then exchanging the gifts with money at a third party outlet [which is quite likely to be operated by the parlor owner] has been allowed by the police.) Speaking of loophole! Some people do bring back the gifts to homes: depending on the places, parlors carry game-boy cartridges, latest bestseller books, snack food such as cookies, instant noodles, umbrella, purse, movie video tape, music CD, to name a few as gifts. But if the customer wants to exchange his/her win indirectly to money at the outlet, then he/she has to ask for special gifts used essentially as money tokens by these establishments. These are often a tiny gold/silver foil embedded in thin plastic slab, etc.. Each parlor/outlet pair uses different stuff. In my hometown, a special brand of silk stocking was used as money token. This whole thing is a farce in view of the anti-gambling law in Japan.) Back to the card: the cards in question are used by two leading card manufacturers. (There are another couple of late-entry companies whose cards are not known to be attacked yet.) The card is based on the design done by NTT Data. NTT is the Japanese equivalent of old Ma Bell in the USA. NTT Data is a company that specializes in computer software integration, communication and such. I believe it designs the telephone card (debit card used for pay-phone in Japan), too. The pachinko card is the size of name card and plastic. The details are not published. To the best of my knowledge, I think there is a magnetic strip that contains the card ID information such as its serial number and the amount of debit money. There were 10,000 yen, 5,000 yen, 3,000 yen, 2,000 yen, and 1,000 yen cards. (I said "were" because 10,000 yen and 5,000 yen cards are no longer available.) Attack method: pachinko game machine was so primitive to defy rational explanation: each time the card was used, a tiny hole was punched to indicate the amount left in the card. As the customer uses the card, the position of the punched hole on card shifts toward the zero position. Once there is a hole on the zero position, the card is no longer usable. The first simple attack as far as I can tell was to fill in the hole in the card with tiny plastic (essentially the chaff produced when the hole is punched was used to fill in the hole). I am not sure if such simple attack was possible, but it seemed possible really at the beginning with crude modification of the magnetic data. Then, of course, the magnetic information on the card was also modified in more sophisticated ways when the card was used. However, the bad people also learned and somebody stole the reader mechanism and figure out the part of the magnetically-coded information: the result was that bad people could buy the pristine 10,000 yen card and then uses up to 2500 yen of the debit amount legally and then "re-fill" the card to 9500 yen worth, thus gaining 2000 yen for free again and again. (Until 3000 yen was used from the 10,000 yen card, the physical hole was not produced on the card, and only the magnetic information was changed. Hence the mere counterfeiting of the magnetic information was necessary to "revive" the card. No physical re-filling of the card was necessary. Physically re-filling the hole is easy to spot visually and was avoided by the bad guys.) [I have to confess that the exact amount involved in the counterfeiting is a little uncertain. But the general idea still holds.] Similar attack was possible with 5,000 yen card. Presumably the gain by attacking 3,000 yen, 2,000 yen and 1,000 yen card was small compared with the risk, the bad guys didn't attack these cards until lately. Now the situation is that of cats and mouse. New counterfeiting methods and counter-measures follow each other in rapid succession. I believe that the cloning of the card was also done. But I don't know the details. Now, the card companies and pachinko parlors stopped issuing 10,000 yen and 5,000 yen cards because the damage was so large. Also, they have installed special readers to verify the validity of the card by incorporating more vigourous checking not available on the readers next to the game machine: it used to be that the cards sold could by used by any pachinko parlors in Japan. Now cards sold elsewhere have to be verified with this machine before used at a local game parlor. Cards sold at the local parlor can be used without such checking. Already, there are reports of counterfeit-card usage: - either the cards are so sophisticated that they can pass the enhanced reader. - Or the bad guys buy the cards locally and then use some of the debit amount and then bring the cards to their factory to re-fill and re-use it at the local store again and again. The card companies have installed countermeasures in selected stores to the cloning of the card by checking the serial number of the card and stopped the operation of the whole game machines in the store if a card with the serial number of the previously used (finished?) card is ever inserted into the game machine. Another simple method of fooling the reader was also reported about a month ago. Essentially, it cuts out a long strip of the 3,000 yen card (now the most expensive card after 10,000 yen and 5,000 yen card are gone) and rotates the strip to invert its direction and then reassembles the card again using cement or something. To my surprise, it was reported to be deemed valid by some readers (!?). Apparently some readers only check for the position of the hole on fixed position and fooled to believe the card is valid if the hole is not in the expected position, etc.. Once not so rigorous readers are distributed, it is very difficult to upgrade all of them in Japan, I guess. The problem is complicated in that the counterfeiting only damages the card company. The parlors report the amount of debit money used in their shops and then compensated for the amount (less the small surcharge by the card company.) This means that every time the counterfeit card is used the card company alone loses money and the local parlor doesn't lose. There have already been reports of the owners of the pachinko parlors involved in the usage of the counterfeit cards. These bad owners allowed the bad guys to use the counterfeit cards in their parlors and pass the used debit amount to the card company and getting compensated. In these cases, the bad guys bring back the money (by simply exchanging the phony debit money into the steel balls, and then without playing (they can play if they wish), exchange the steel balls to the special gifts, and then exchange the gifts with money. [Usually, buying the steel balls and then exchanging them with gifts, and subsequently with money leaves you less money than you started with. The house always wins. In this case, the bad guys started out with counterfeit debit money and ends up with real money, so it is OK for the bad guys.] The parlor also gets the money for the used debit money. So they win, too. Only the card companies lose. Counterfeiting probably has existed since the first money (or equivalent) was ever invented. But, it surprised me that NTT Data approached the whole scheme so naively, especially since there have been reports of telephone card counterfeiting in Japan before. Some of the counterfeiting methods reported seemed so simple, and I have a doubt whether NTT Data was serious enough to deter counterfeiting. At least, I can safely say they have underestimated the ingenuity of the counterfeiters badly and didn't learn from the counterfeiting of telephone cards very well. Ishikawa, Chiaki (family name, given name) Personal Media Corp., Shinagawa, Tokyo, Japan 142 ishikawa@personal-media.co.jp ------------------------------ ------------------------------------------------------------------------- Steven Weller | Technology (n): | | A substitute for adulthood. stevenw@best.com | Popular with middle-aged men.