Spotted in 2600: Spoofing Singapore’s National Library

2600: Singapore Library Mischief

In the recent issue of 2600: The Hacker Quarterly (autumn 2006), there’s a writeup by Ghostie about spoofing the Singapore Library’s RFID and barcode checkout scanners. Note that this zine probably isn’t available in Singapore, so I thought it would be educational from a security perspective.

Frankly speaking, this form of tech-related crime has been around for a while. While it’s probably the first time I’ve heard of this in the Singaporean context, barcode swiping has been a popular crime in the States ever since barcode-generating software (e.g. Barcode Magic) reached the hands of consumers. What’s disturbing, though, is that our Singaporean I/C numbers are floating everywhere, whether on the web, on TV or in print (e.g. announcing contest winners). Like the U.S. Social Security number, that should be something that’s made private where possible.

Perhaps the Rambling Librarian could tell us the probability of carrying out this hack… then share what the library would do about it.

One thought on “Spotted in 2600: Spoofing Singapore’s National Library”

  1. Thanks for the alert. As you mentioned, the magazine isn’t available in Singapore but I can roughly make out enough of the text in the scanned picture. From what I do know about the RFID and barcode technology (which is very little, and strictly from an end-user point of view), the hack sounds plausible. I understand that potential security implications have been considered when NLB jointly developed the system but overall, in view of the probability and customer expectations (e.g. not all want to have additional passwords or security codes), the decision was to implement it as what was described in the article. I can’t “share what the library intends to do about it” because I don’t represent the official view of the library. All I can say is that if anyone has any concerns about their library transaction account and/or the current system, do write in to the NLB to seek clarifications.

    Also to add — in the same context of the security issue highlighted in the article, similar security hacks exist for credit cards (which, in my opinion, have a higher likelihood of someone devoting time and expense to hack). The potential security problems with credit cards are well known but haven’t made a dent as far as credit card take-up is concerned. My point being — everything can be hacked, and there will be cases. But somehow everyone accepts that as a fact and there’s an implied willingness to live with some trade-offs. My 2-cents 🙂
