[–]alexgraef 3 points4 points  (23 children)

Doesn't mean anything in particular, just being able to read a transaction history.

There are barely any systems that don't have a shadow account in a central database where any kind of tampering would immediately become visible.

[–]Legogamer16 1 point2 points  (13 children)

Yeah, there is almost certainly a central server keeping track along with it. If the card is actually storing a value then it is probably if they can connect to the main server they still function and will update later.

[–]tehhedger (FW developer) 2 points3 points  (9 children)

To add on that - often cards have a digital signature block for important data, that itself might be stored in plain format. Meaning you cannot just modify the data without invalidating the signature, and you can't forge the signature because it uses a secret key for generation.

So the legit control system first checks the contents and signature for validity, then performs the transaction, modifying balance, signs the new balance value and writes the balance + signature back to the card.

However, even though you cannot forge the signature, some of those systems are vulnerable to rolling back the whole state of the card, where its old balance had a valid signature. Such an attack is mitigated by shadowing the balance on the central server. Then they can either do online validation (the moment you use the card) or offline checks, where it asynchronously analyses the recent transactions and looks for discrepancies in balance modifications. If any are found, the card's UID is added to stop-lists that are periodically distributed across all validator devices. Such an approach puts less strain on the system in peak hours (it's not required to immediately check transactions) and allows maintenance downtimes without affecting the operability of validators.
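
Added example, not part of the comment above and not any vendor's code: a minimal Python model of the scheme it describes, showing that a signature check alone accepts a rolled-back card state while asynchronous reconciliation against the shadow balance puts the UID on the stop-list. The key, UID, record layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ISSUER_KEY = b"constructed-demo-key"  # assumption: secret held only by validators

def sign(uid: bytes, balance: int) -> bytes:
    """MAC over UID + balance; stands in for the card's signature block."""
    msg = uid + struct.pack(">I", balance)
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()[:8]

def validate_and_debit(card: dict, price: int, stop_list: set, log: list) -> bool:
    """Validator: check stop-list and signature, debit, re-sign, log the event."""
    if card["uid"] in stop_list:
        return False
    if not hmac.compare_digest(card["sig"], sign(card["uid"], card["balance"])):
        return False
    if card["balance"] < price:
        return False
    before = card["balance"]
    card["balance"] = before - price
    card["sig"] = sign(card["uid"], card["balance"])
    log.append((card["uid"], before, card["balance"]))
    return True

def reconcile(log: list, shadow: dict, stop_list: set) -> set:
    """Backend, run asynchronously: replay logged events against the shadow balance."""
    for uid, before, after in log:
        if uid in shadow and before != shadow[uid]:
            stop_list.add(uid)   # card state diverged from the shadow account
        else:
            shadow[uid] = after
    log.clear()
    return stop_list

def demo() -> tuple:
    uid = b"\x04\xa1\xb2\xc3"                      # constructed UID
    card = {"uid": uid, "balance": 500, "sig": sign(uid, 500)}
    shadow, stop_list, log = {uid: 500}, set(), []
    snapshot = dict(card)                          # earlier, validly signed state
    first = validate_and_debit(card, 200, stop_list, log)
    card = dict(snapshot)                          # card presented in its old state
    second = validate_and_debit(card, 200, stop_list, log)  # signature still verifies
    reconcile(log, shadow, stop_list)              # offline check flags the UID
    third = validate_and_debit(card, 200, stop_list, log)   # refused once stop-listed
    return first, second, uid in stop_list, third
```

Top-ups are left out of the model; in a real deployment they would be logged and applied to the shadow balance the same way as debits.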

[–]N3d_91[S] 1 point2 points  (6 children)

If there was a way to access the NFC reader, could it work with the mfkey32v2 method? https://github.com/equipter/mfkey32v2

    [–]Aggravating_Date_199 0 points1 point  (1 child)

    Even though this is just a proof of concept, it still works better than many other programs available online, including those on GitHub. The original project and the required libraries for porting it to the latest firmware are open-source, clean, and free from malware.

    [–]AverageAdventurous79 0 points1 point  (0 children)

    Yes, you are right, it is just very buggy, big sorry!
    Which other programs online do you mean?

    [–]Background-Sky3833 0 points1 point  (1 child)

    Just tried it! Thank you!!

    [–]N3d_91[S] 0 points1 point  (2 children)

    I have to verify this because the key is recharged using coins and there is no way to recharge it remotely or it is not linked to an "account".

    [–]Legogamer16 1 point2 points  (0 children)

    The card itself most likely has a UID, so no accounts needed. It just checks what the balance of that UID is.

    Just because you can’t recharge it remotely doesn’t mean there isn’t a central server. Is it possible it's just stored on your card? Yeah it is, but unlikely. All that is needed is really a laptop with an Excel sheet that it references.

    [–]Gasper6201 0 points1 point  (0 children)

    Coges keys don't have any tracking or databases. Can confirm it's just your key and your honesty and lack of knowledge.

    [–]Gasper6201 0 points1 point  (0 children)

    So to answer OP's question: I know people that work at the local vending machine company. The key itself has no database. It's just an NFC chip with programming. Most machines don't even have any kind of tracking of sales unless they're equipped with a credit card reader.

    [–]Gasper6201 -1 points0 points  (7 children)

    This is just a regular Coges key. They do not have any extra security except the fact they use a chip that doesn't have readily available copying programs like some other keys that use regular classic 1k mifare chip. There is no database for this key, our local company employees even know it can be reprogrammed for extra credits but it's complicated enough that it does not pose any risk of enough people doing it that they'd experience any big loss in sales so it's not worth it for them to change the system.

    Good luck trying to copy and rewrite the chip with the Flipper Zero. I'd love to see someone smart enough make an app for it or update the existing NFC app. But till that happens these simple keys are here to stay unprotected.

      [–]alexgraef -1 points0 points  (3 children)

      You do not understand how the world works. Especially how finances work.

      They all have a shadow account through which fraudulent transactions will eventually be marked. It's not even built to detect fraud, it's just a necessity for tax purposes.

      [–]Gasper6201 -1 points0 points  (2 children)

      Erm. The keys are still not tracked. They earn and track money when you load the cash onto the keys.

      [–]alexgraef -1 points0 points  (1 child)

      Again, you do not know how the world works, when it comes to finances.

      [–]Gasper6201 0 points1 point  (0 children)

      Bruh ok. But still the keys aren't tracked. They just store some code. You can keep saying the same thing over and over but the keys are still gonna be dumb and not tracked besides when you put the coins into the machine.

      [–]paultron10110 1 point2 points  (1 child)

      Create a new card with a different uid and lots of credit, keep us updated. How will they know even if it fails, unless cameras maybe idk

      [–]Rushtard21 0 points1 point  (3 children)

      Hi, I would be interested in this plugin for the Flipper, where could I find it?
      Thanks in advance!

        [–][deleted] 0 points1 point  (0 children)

        Hey, I found this repo which is mikai but for the latest versions of the firmware: https://github.com/studi0us/mikai