Fly Buys – Where security is an afterthought

By Steve Biddle, posted: 20-Jan-2014 22:04

In late 2012 Fly Buys launched an interactive advertising campaign with advertising company Adshel. Bus stop signs, and for some time a much larger display located at Wellington Airport, offered customers the chance to swipe their Fly Buys card and receive a free gum ball. You can see photos of these, and read more about the campaign, here.

I’d never actually seen one of these in real life, but after seeing comments on Twitter on Friday about one of these not accepting an Air NZ Airpoints card (which it is supposed to do, according to both the display and a Fly Buys rep on Twitter), I thought I’d have a look, with a few other Geekzoners, at one of these machines which is currently running in an Adshel bus stop in Manners St in Wellington.

The machine was broken and wouldn’t give us a gum ball, no matter what card we tried.


The Adshel sign invites me to swipe my Fly Buys card or my Airpoints card and receive a free gum ball. Innocent enough – until you consider the security implications.

A basic Fly Buys card has your 16-digit number printed on it, and the magnetic stripe on the card contains the same number. The number is structured like a payment card number (which is why a card reader accepts it) and ends in a Luhn (mod 10) check digit: the first 6 digits are the BIN range 601435 (unique to Fly Buys), followed by the 9 digits that make up your Fly Buys number, and the last digit is the check digit. The number is also present in a barcode on the back of the card, in EAN-13 format. EAN-13 barcodes normally start with a GS1 country prefix, which you can see on goods manufactured in New Zealand: their barcodes typically start with a number in the 940-949 range. The 264 prefix is not allocated specifically to Fly Buys, but is one they are permitted to use (GS1 reserves 200-299 for numbers that only circulate within a defined region or scheme). After the 264 come the 9 digits of your Fly Buys number, and the last digit, as with all EAN-13 barcodes, is a check digit, calculated with the EAN weighting (1,3,1,3,...) rather than the Luhn algorithm.
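To make the two encodings concrete, here is an added example (not code from the post or from Fly Buys) that builds the 16-digit stripe/printed number and the 13-digit EAN-13 barcode from the same 9-digit account number, using the BIN 601435 and the 264 prefix described above. The Luhn and EAN-13 check-digit routines are the standard algorithms; the 9-digit account number in the example is made up.

```python
"""Fly Buys number formats: mag-stripe PAN vs EAN-13 barcode.

Added example, not code from the original post or from Fly Buys. It takes the
structure described in the post (BIN 601435 + 9-digit account number + Luhn
check digit on the stripe; GS1 prefix 264 + the same 9 digits + EAN-13 check
digit on the barcode) and shows how the two encodings relate. The 9-digit
account number used in __main__ is constructed, not a real account.
"""

FLYBUYS_BIN = "601435"      # first six digits of the card number, per the post
FLYBUYS_GS1_PREFIX = "264"  # prefix Fly Buys uses on its EAN-13 barcode


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn (mod 10) check digit for a string of digits.

    Walking from the right, every second digit (starting with the rightmost
    payload digit, the one that will sit immediately left of the check digit)
    is doubled and, if the result exceeds 9, reduced by 9.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return (number.isdigit() and len(number) >= 2
            and luhn_check_digit(number[:-1]) == number[-1])


def ean13_check_digit(payload: str) -> str:
    """Return the EAN-13 check digit for the first 12 digits.

    EAN-13 is not Luhn: digits are weighted 1,3,1,3,... from the left and the
    check digit brings the weighted sum up to a multiple of 10.
    """
    if not (payload.isdigit() and len(payload) == 12):
        raise ValueError("EAN-13 payload must be 12 digits")
    total = sum(int(ch) * (3 if i % 2 else 1) for i, ch in enumerate(payload))
    return str((10 - total % 10) % 10)


def ean13_valid(code: str) -> bool:
    """True if a 13-digit code carries the correct EAN-13 check digit."""
    return (code.isdigit() and len(code) == 13
            and ean13_check_digit(code[:12]) == code[12])


def _account(account: str) -> str:
    if not (account.isdigit() and len(account) == 9):
        raise ValueError("Fly Buys account portion must be 9 digits")
    return account


def flybuys_pan(account: str) -> str:
    """16-digit number as printed on the card and encoded on the mag stripe."""
    payload = FLYBUYS_BIN + _account(account)
    return payload + luhn_check_digit(payload)


def flybuys_barcode(account: str) -> str:
    """13-digit EAN-13 as encoded in the barcode on the back of the card."""
    payload = FLYBUYS_GS1_PREFIX + _account(account)
    return payload + ean13_check_digit(payload)


def is_flybuys_pan(pan: str) -> bool:
    """Does a swiped 16-digit number look like a Fly Buys card (BIN + Luhn)?"""
    return len(pan) == 16 and pan.startswith(FLYBUYS_BIN) and luhn_valid(pan)


def account_from_pan(pan: str) -> str:
    """Recover the 9-digit account number from the stripe/printed number."""
    if not is_flybuys_pan(pan):
        raise ValueError("not a well-formed Fly Buys card number")
    return pan[len(FLYBUYS_BIN):15]


def account_from_barcode(code: str) -> str:
    """Recover the 9-digit account number from the EAN-13 barcode."""
    if not (code.startswith(FLYBUYS_GS1_PREFIX) and ean13_valid(code)):
        raise ValueError("not a well-formed Fly Buys EAN-13 barcode")
    return code[len(FLYBUYS_GS1_PREFIX):12]


if __name__ == "__main__":
    account = "123456789"                     # constructed, not a real account
    pan, barcode = flybuys_pan(account), flybuys_barcode(account)
    print("stripe/printed:", pan)             # 6014351234567897
    print("barcode (EAN-13):", barcode)       # 2641234567891
    print("same account from both:",
          account_from_pan(pan) == account_from_barcode(barcode))
```

Note that the two check digits differ (7 on the stripe, 1 on the barcode) even though both protect the same 9 digits, because the algorithms and the prefixes differ; `is_flybuys_pan` is the check a kiosk would need before treating a swipe as a loyalty card rather than a payment card.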

If you swipe your Fly Buys card through this mag stripe reader in the hope of getting a free gum ball, the risks are minimal. Even if somebody has maliciously tampered with the mag stripe reader and replaced it with a skimming device to capture card numbers, your Fly Buys number isn’t going to be of any real use to a fraudster. Your Airpoints card, however, is another matter entirely.

Air New Zealand partnered with Fly Buys several years ago, allowing Air New Zealand Airpoints members to accrue Fly Buys points directly to their Airpoints account. Not long after this, Air New Zealand launched a new Airpoints card (the OneSmart card) built on the Rev platform: a prepaid Mastercard Debit card capable of storing multiple foreign currencies, combined with your regular Airpoints card and your Fly Buys card. The card is EMV compliant, with a chip and Mastercard PayPass NFC support, and can also be used at NFC-capable Air New Zealand kiosks and gates to identify the card holder. Because the magnetic stripe on the card carries the Mastercard data, the Fly Buys number has to be scanned from the barcode at retailers; the card can’t be swiped through a mag stripe reader like a regular Fly Buys card.



By now you’re probably starting to realise the security implications of swiping your Airpoints card through a random mag stripe reader attached to a bus stop. Rather than simply giving away your 16-digit Fly Buys number, you’re giving away your 16-digit Mastercard number, its expiry date, your name and your Airpoints number. Anybody who maliciously tampers with the mag stripe reader and replaces it with a skimming device now has access to a constant stream of card numbers from unsuspecting people. Of course, not everybody who swipes their card will have activated their OneSmart card or have money in the account, but the security aspect is exceptionally scary.

With the number of recent cases of ATM tampering where skimming devices have been attached to machines, Air New Zealand and BNZ (who provide the OneSmart Mastercard product) should be terrified that Fly Buys is encouraging their customers to willingly swipe their card, in a public place, through a mag stripe reader that would require absolutely no skill to tamper with and replace with a skimming device. It really does make a mockery of all the security messages that banks try to send their customers about protecting their cards.


EXTRA:

I had to dig out my mag stripe gear to show the data on the Airpoints/OneSmart card. I’ve masked some of my personal data, including my Airpoints number, expiry dates and OneSmart card numbers, with a *.

c10B5314*********376^BIDDLE/STEVEN^****2213106060***14007****16002?3a205314*********376=****22100000310?093100
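To make concrete what the dump above hands over to whoever controls the reader, here is an added example (not code from the post or from any card issuer) that parses the ISO 7813 Track 1 / Track 2 layout the dump follows: the PAN, cardholder name, expiry and three-digit service code sit at fixed positions, and everything after them is issuer-defined discretionary data (on the author's card that is where his masked Airpoints number lives, since every other field is accounted for). The swipe it decodes is constructed: the PAN, name, dates and discretionary data are made up and belong to no real card. Masked digits are accepted, so a redacted dump like the one above parses too.

```python
"""Decode what a mag-stripe reader (or a skimmer in its place) captures.

Added example, not code from the original post. It parses the ISO 7813
Track 1 and Track 2 layout used by payment cards, on a CONSTRUCTED swipe
whose PAN, name, expiry and discretionary data are made up. '*' is accepted
in numeric fields so a redacted dump still parses.
"""
import re

# Track 1, format code B:  %B<PAN>^<SURNAME/GIVEN>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"B(?P<pan>[0-9*]{12,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<expiry>[0-9*]{4})(?P<service_code>[0-9*]{3})(?P<discretionary>[^?]*)\?"
)
# Track 2:  ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r"(?P<pan>[0-9*]{12,19})=(?P<expiry>[0-9*]{4})"
    r"(?P<service_code>[0-9*]{3})(?P<discretionary>[^?]*)\?"
)

# ISO 7813 service code meanings, one lookup table per digit position.
SERVICE_CODE = (
    {"1": "international interchange",
     "2": "international interchange, use chip where feasible",
     "5": "national interchange only",
     "6": "national interchange only, use chip where feasible",
     "7": "no interchange (private/closed loop)",
     "9": "test card"},
    {"0": "normal authorisation",
     "2": "online authorisation by issuer",
     "4": "online authorisation except under bilateral agreement"},
    {"0": "no restrictions, PIN required",
     "1": "no restrictions",
     "2": "goods and services only",
     "3": "ATM only, PIN required",
     "4": "cash only",
     "5": "goods and services only, PIN required",
     "6": "no restrictions, PIN where feasible",
     "7": "goods and services only, PIN where feasible"},
)

# Constructed swipe: Track 1 then Track 2, as a keyboard-wedge reader emits them.
SAMPLE_SWIPE = (
    "%B5314001122334459^DOE/JANE^25122210000000000000?"
    ";5314001122334459=25122210000000000?"
)


def decode_service_code(code: str) -> tuple:
    """Map a 3-digit service code to its three human-readable meanings."""
    return tuple(table.get(d, "unknown/reserved")
                 for table, d in zip(SERVICE_CODE, code))


def mask_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, as a receipt would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:] if len(pan) > 10 else pan


def parse_tracks(raw: str) -> dict:
    """Pull the card fields out of a raw swipe; a missing track is None."""
    result = {}
    for name, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        m = pattern.search(raw)
        result[name] = m.groupdict() if m else None
    t1, t2 = result["track1"], result["track2"]
    # Both tracks carry the same PAN, expiry and service code; a mismatch
    # usually means a mis-read or a doctored dump.
    result["consistent"] = bool(
        t1 and t2 and all(t1[k] == t2[k] for k in ("pan", "expiry", "service_code")))
    return result


def exposure_report(raw: str) -> list:
    """Lines describing what the holder of this swipe now knows."""
    tracks = parse_tracks(raw)
    t = tracks["track1"] or tracks["track2"]
    if t is None:
        return ["no ISO 7813 track data found"]
    lines = [
        "card number: %s (%d digits)" % (mask_pan(t["pan"]), len(t["pan"])),
        "expiry (YYMM): %s" % t["expiry"],
        "service code %s: %s" % (t["service_code"],
                                 "; ".join(decode_service_code(t["service_code"]))),
    ]
    if tracks["track1"]:
        lines.append("cardholder name: %s" % tracks["track1"]["name"])
    lines.append("issuer discretionary data: %s" % t["discretionary"])
    lines.append("tracks consistent: %s" % tracks["consistent"])
    return lines


if __name__ == "__main__":
    for line in exposure_report(SAMPLE_SWIPE):
        print(line)
```

Run against the dump above, the parser reports service code 221: international interchange with chip preferred, online authorisation, no restrictions. That is exactly the profile of an EMV payment card, not a loyalty card, and it is readable by anything that can decode a stripe.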

It was also pointed out to me, by somebody who had tried it in the past thinking that the reference to “Airpoints card” would include their card, that the billboard will not work with a Kiwibank Airpoints card. I wonder what Kiwibank think of their customers swiping their credit cards through a mag stripe reader in a public area, attached to a bus stop, that could so easily be tampered with?



Comment by sonyxperiageek, on 20-Jan-2014 22:30

Now an amateur who is reading this will probably think: "Hmmm maybe I'll give that a try!" :)


Comment by Zeon, on 21-Jan-2014 00:52

As always a good blog Steve. Let's wait to see this one in the media.


Comment by ubernoob, on 23-Jan-2014 20:10

Thanks, interesting info.
I have just got myself an Airpoints card and hadn't realised from their website that it was also a credit card "on the back". Unfortunately there was some problem on the website at the time and I ended up with 6 Airpoints cards, all under my name and address etc. When I contacted Air NZ to let them know, they put me through to Kiwibank, but it wasn't one of their cards. In the end I got the right people and they just told me to cut up the cards I didn't want and just keep one.

Doesn't really instil one with confidence.

