Vulnerability of China High Speed Rail Tickets

Vulnerability of China High Speed Rail Tickets Through Information Disclosure

The reason why you MUST destroy the China High Speed Rail ticket after usage

This is not really a story about our Android development, though some of us did toy with the idea of writing an app to reverse what we found. Common sense prevailed.

Recently I went on a holiday in China and took the famous China High Speed Rail from one city to another. When I examined my ticket, my passport number was printed on it with only the last two characters replaced by a "*". Incidentally, I found a lost ticket next to my seat, and it belonged to a Chinese resident. I knew it belonged to a resident because of the format of the National Identification number.

[Image: My Ticket (redacted to protect privacy)]

[Image: Ticket Found (redacted to protect privacy)]
The lost ticket carries the National Identity Number (see image) and the name of the person who lost it (both details redacted). When I googled the format of the Chinese National Identity Number, it is as shown:

 RRRRRRYYYYMMDDSSSC

where the first six characters, RRRRRR, represent the place where the ID was issued,
YYYYMMDD represents the birth date of the person as year (YYYY), month (MM) and day (DD), SSS is a sequential code that distinguishes people with identical birth dates and birth places, and C is a check character computed over the first 17 digits. The check character is calculated using ISO 7064:1983, MOD 11-2. A useful or useless point: SSS is an odd number for male and an even number for female citizens.

As you can see from the lost ticket, the replaced digits correspond to the birth month and birth day of the person. Redacting just the birth month and day means an attacker needs at most 365 or 366 guesses (by cryptographic standards the expected number of guesses is actually half that, i.e. 183, but that is too much maths) to recover the real ID. However, with the additional help of the checksum calculation, the guessing space can be shortened further.

Long story short, I created a simple Excel sheet to count the birth dates that produce the correct check character, which is also printed in clear on the ticket. The result is 33 to 34, depending on the check character. The conclusion is that you will be left with 33 to 34 candidate birth dates for the ticket holder, and with them you will have the personal name, National ID, gender, birth place and birth date of the ticket holder. I shiver at the thought of what an attacker could do with this information for impersonation or scams.
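The following is an added example, not the author's Excel sheet and not code from the original post: it implements the ISO 7064 MOD 11-2 check character for the 18-digit ID layout described above and then measures, from a defender's point of view, how large the candidate space remains under a given masking scheme. The region code 000000 and sequence code 000 are constructed placeholders, not a real ID; the masking positions (11 to 14 for MMDD, 18 for the check character) are assumed from the layout shown on the page. The point it makes is that when only MMDD is masked and the check character stays visible, the visible check character splits the 365/366 possible dates roughly eleven ways, whereas masking the check character as well leaves every date of the visible year as a candidate.

```python
import calendar

# ISO 7064 MOD 11-2 as used for the 18-digit Chinese resident ID:
# the weight of digit i (1-based, i = 1..17) is 2**(18-i) mod 11.
WEIGHTS = [(2 ** (18 - i)) % 11 for i in range(1, 18)]
# -> [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
CHECK_CHARS = "10X98765432"  # indexed by (weighted sum mod 11); 'X' stands for 10


def check_digit(first17: str) -> str:
    """Return the ISO 7064 MOD 11-2 check character for the first 17 digits."""
    if len(first17) != 17 or not first17.isdigit():
        raise ValueError("expected 17 decimal digits")
    total = sum(int(d) * w for d, w in zip(first17, WEIGHTS))
    return CHECK_CHARS[total % 11]


def is_valid_id(id18: str) -> bool:
    """True when the 18-character ID carries a correct check character."""
    return len(id18) == 18 and check_digit(id18[:17]) == id18[17].upper()


def candidate_ids(masked: str) -> list:
    """Enumerate the IDs consistent with a ticket that masks MMDD (positions 11-14).

    `masked` is the 18-character string as printed: the four birth-date characters
    replaced by '*' and everything else in clear. If the check character (position 18)
    is also '*', no checksum filtering is possible and every calendar date of the
    visible birth year survives; that is the masking scheme a defender should prefer.
    """
    if len(masked) != 18 or masked[10:14] != "****":
        raise ValueError("expected an 18-character ID with positions 11-14 masked")
    year = int(masked[6:10])
    check_hidden = masked[17] == "*"
    hits = []
    for month in range(1, 13):
        days_in_month = calendar.monthrange(year, month)[1]
        for day in range(1, days_in_month + 1):
            first17 = masked[:10] + f"{month:02d}{day:02d}" + masked[14:17]
            c = check_digit(first17)
            if check_hidden or c == masked[17].upper():
                hits.append(first17 + c)
    return hits


def survivors_by_check(prefix10: str, sss: str) -> dict:
    """For a fixed region+year prefix and sequence code, count how many dates of that
    year map to each possible check character. The counts show how much a visible
    check character narrows the 365/366-date guessing space (roughly an 11-way split)."""
    counts = {c: 0 for c in CHECK_CHARS}
    for cand in candidate_ids(prefix10 + "****" + sss + "*"):
        counts[cand[17]] += 1
    return counts


if __name__ == "__main__":
    # Constructed demo values: region 000000 and sequence 000 are placeholders, not a real ID.
    only_date_masked = "0000002000****0005"   # check character left visible
    date_and_check_masked = "0000002000****000*"
    print(len(candidate_ids(only_date_masked)), "candidates with the check character visible")
    print(len(candidate_ids(date_and_check_masked)), "candidates with the check character masked too")
    print(survivors_by_check("0000002000", "000"))
```

`survivors_by_check` is the masking-adequacy check: if the counts per check character are all close to 366/11, then printing the check character in clear hands the reader a free eleven-fold reduction, and the fix is to mask the check character (or more of the ID) rather than the birth month and day alone.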

Thus, for foreign visitors to China, remember to destroy the ticket (or tear off the portion with your identity) after you exit the gantry. For foreigners, only the last two characters of your identity document number (passport number, work permit, etc.) are masked out, and depending on the encoding scheme of that number it may be even easier to guess than a Chinese ID. For Chinese residents, it is equally important not to throw your ticket into the bins after use. You do not want your identity to be used for impersonation.

What is the possible damage of a stolen identity in China? A Chinese resident in Shenzhen found it cost him USD 12.5 million, after the perpetrator(s) stole and used his identity to borrow money and open credit card accounts.

If you want to know, I returned the lost ticket to the station manager at my stop. Drop an email to fledevstaff@gmail.com if you want a copy of the Excel calculation.

Follow us on all critical Android development and security news here.
