From: stevenw@best.com (Steven Weller)
Date: Sun, 2 Jun 1996 15:40:30 +0800
To: cypherpunks@toad.com
Subject: RISKS: Pachinko card counterfeiting update
Message-ID: <v01540b00add6cfd2c035@[206.86.1.35]>
MIME-Version: 1.0
Content-Type: text/plain


------------------------------

Date: Tue, 28 May 1996 22:09:28 +0900 (JST)
From: Chiaki Ishikawa <ishikawa@personal-media.co.jp>
Subject: re: TILT! Counterfeit pachinko cards ... (Wayner, RISKS-18.15)

I would like to add some background as someone who has played in pachinko
parlors in Japan.  (The origin of the game of pachinko is rather vague.
Some say it is based on the ball game popular after the WW-II in U.S.A..
Anyway, it is a gambling business.)

The card in question acts as a kind of debit card inside the pachinko
parlors.  It was introduced a few years ago by an former police official,
with the expressed intention of keeping the money flow easy to track. (I
would say it was a ruse to make a few companies where the ex-police
officials can find jobs after retirement from the office. But I digress.)

The cards are sold to the pachinko parlors and the customers buy the cards
from the parlors, and obtain steel balls to play the game by inserting the
card into the slot next to the game machine.

Pachinko gambling works as follows.  When you win the game, the number of
steel balls in your possession increases and the customer can exchange the
balls with gifts.  (Therein lies a complication. Japanese law prohibits
gambling, and so exchanging the steel balls with real money is illegal.
*However*, first exchanging the balls with gifts, and then exchanging the
gifts with money at a third party outlet [which is quite likely to be
operated by the parlor owner] has been allowed by the police.) Speaking of
loophole! Some people do bring back the gifts to homes: depending on the
places, parlors carry game-boy cartridges, latest bestseller books, snack
food such as cookies, instant noodles, umbrella, purse, movie video tape,
music CD, to name a few as gifts. But if the customer wants to exchange
his/her win indirectly to money at the outlet, then he/she has to ask for
special gifts used essentially as money tokens by these establishments.
These are often a tiny gold/silver foil embedded in thin plastic slab, etc..
Each parlor/outlet pair uses different stuff. In my hometown, a special
brand of silk stocking was used as money token. This whole thing is a farce
in view of the anti-gambling law in Japan.)

Back to the card: the cards in question are used by two leading card
manufacturers. (There are another couple of late-entry companies whose cards
are not known to be attacked yet.) The card is based on the design done by
NTT Data.  NTT is the Japanese equivalent of old Ma Bell in the USA.  NTT
Data is a company that specializes in computer software integration,
communication and such.  I believe it designs the telephone card (debit card
used for pay-phone in Japan), too.

The pachinko card is the size of name card and plastic.  The details are not
published. To the best of my knowledge, I think there is a magnetic strip
that contains the card ID information such as its serial number and the
amount of debit money.

There were 10,000 yen, 5,000 yen, 3,000 yen, 2,000 yen, and 1,000 yen cards.
(I said "were" because 10,000 yen and 5,000 yen cards are no longer
available.)

Attack method:

>From what I saw and read, the first card verification mechanism used by the
pachinko game machine was so primitive to defy rational explanation: each
time the card was used, a tiny hole was punched to indicate the amount left
in the card. As the customer uses the card, the position of the punched hole
on card shifts toward the zero position. Once there is a hole on the zero
position, the card is no longer usable.

The first simple attack as far as I can tell was to fill in the hole in the
card with tiny plastic (essentially the chaff produced when the hole is
punched was used to fill in the hole).  I am not sure if such simple attack
was possible, but it seemed possible really at the beginning with crude
modification of the magnetic data.

Then, of course, the magnetic information on the card was also modified in
more sophisticated ways when the card was used.

However, the bad people also learned and somebody stole the reader mechanism
and figure out the part of the magnetically-coded information: the result
was that bad people could buy the pristine 10,000 yen card and then uses up
to 2500 yen of the debit amount legally and then "re-fill" the card to 9500
yen worth, thus gaining 2000 yen for free again and again.  (Until 3000 yen
was used from the 10,000 yen card, the physical hole was not produced on the
card, and only the magnetic information was changed. Hence the mere
counterfeiting of the magnetic information was necessary to "revive" the
card. No physical re-filling of the card was necessary. Physically
re-filling the hole is easy to spot visually and was avoided by the bad
guys.)

[I have to confess that the exact amount involved in the counterfeiting
is a little uncertain. But the general idea still holds.]

Similar attack was possible with 5,000 yen card.

Presumably the gain by attacking 3,000 yen, 2,000 yen and 1,000 yen card was
small compared with the risk, the bad guys didn't attack these cards until
lately.

Now the situation is that of cats and mouse.  New counterfeiting
methods and counter-measures follow each other in rapid succession.

I believe that the cloning of the card was also done. But I don't know the
details.

Now, the card companies and pachinko parlors stopped issuing 10,000 yen and
5,000 yen cards because the damage was so large.

Also, they have installed special readers to verify the validity of the card
by incorporating more vigourous checking not available on the readers next
to the game machine: it used to be that the cards sold could by used by any
pachinko parlors in Japan. Now cards sold elsewhere have to be verified with
this machine before used at a local game parlor. Cards sold at the local
parlor can be used without such checking.

Already, there are reports of counterfeit-card usage:

 - either the cards are so sophisticated that they can pass the enhanced
   reader.
 - Or the bad guys buy the cards locally and then use some of the
   debit amount and then bring the cards to their factory to re-fill
   and re-use it at the local store again and again.

The card companies have installed countermeasures in selected stores to the
cloning of the card by checking the serial number of the card and stopped
the operation of the whole game machines in the store if a card with the
serial number of the previously used (finished?) card is ever inserted into
the game machine.

Another simple method of fooling the reader was also reported about a month
ago. Essentially, it cuts out a long strip of the 3,000 yen card (now the
most expensive card after 10,000 yen and 5,000 yen card are gone) and
rotates the strip to invert its direction and then reassembles the card
again using cement or something. To my surprise, it was reported to be
deemed valid by some readers (!?). Apparently some readers only check for
the position of the hole on fixed position and fooled to believe the card is
valid if the hole is not in the expected position, etc.. Once not so
rigorous readers are distributed, it is very difficult to upgrade all of
them in Japan, I guess.

The problem is complicated in that the counterfeiting only damages the card
company. The parlors report the amount of debit money used in their shops
and then compensated for the amount (less the small surcharge by the card
company.)  This means that every time the counterfeit card is used the card
company alone loses money and the local parlor doesn't lose.

There have already been reports of the owners of the pachinko parlors
involved in the usage of the counterfeit cards.  These bad owners allowed
the bad guys to use the counterfeit cards in their parlors and pass the used
debit amount to the card company and getting compensated.

In these cases, the bad guys bring back the money (by simply exchanging the
phony debit money into the steel balls, and then without playing (they can
play if they wish), exchange the steel balls to the special gifts, and then
exchange the gifts with money. [Usually, buying the steel balls and then
exchanging them with gifts, and subsequently with money leaves you less
money than you started with. The house always wins. In this case, the bad
guys started out with counterfeit debit money and ends up with real money,
so it is OK for the bad guys.] The parlor also gets the money for the used
debit money. So they win, too.  Only the card companies lose.

Counterfeiting probably has existed since the first money (or equivalent)
was ever invented.  But, it surprised me that NTT Data approached the whole
scheme so naively, especially since there have been reports of telephone
card counterfeiting in Japan before.  Some of the counterfeiting methods
reported seemed so simple, and I have a doubt whether NTT Data was serious
enough to deter counterfeiting.

At least, I can safely say they have underestimated the ingenuity of the
counterfeiters badly and didn't learn from the counterfeiting of telephone
cards very well.

Ishikawa, Chiaki  (family name, given name)
Personal Media Corp., Shinagawa, Tokyo, Japan 142 ishikawa@personal-media.co.jp


-------------------------------------------------------------------------
Steven Weller                      |  Technology (n):
                                   |
                                   |     A substitute for adulthood.
stevenw@best.com                   |     Popular with middle-aged men.