TMSM Mythbusters: Magicband Hacking and Activation

TMSM Mythbusters logo

The goal of this blog series is to factually prove or disprove rumors and myths in the Disney-verse. Tonight on TMSM Mythbusters we are tackling some of the more “unique” myths and misconceptions we see frequently in Disney based forums. Tonight we are going to take on a few myths regarding MagicBands and TMSM!

Credit Card Theft From Your MagicBand

One of the great urban myths regarding MagicBands is if you are using your MagicBand for room charge your credit card information could get stolen. The fact of the matter is this just isn’t true,
Before I go into WHY this isn’t true let me explain WHY I know this to be. Now what many of you don’t know is TMSM is one of the few Disney fansites to have a Cyber Security Expert on staff. In fact we may be the only one that does.  But here at TMSM we have Drew, grand high cyber security guru, and being married to him I have the pleasure of tagging along to cyber security conferences like DefCon, Bsides and Schmoocon.  What this means is I can carry on a conversation regarding RFID and the security of MagicBands and have a guys with two masters and a bucket full of certifications in the field to correct me when I mess up.
Now let’s get into WHY this is a myth. Every MagicBand has an ID number printed inside it. This is the number you enter into My Disney Experience when you buy a SE/LE Band to connect the band to your account. The number identifies the MagicBand. The MagicBand itself is a RFID tag, all this means in layman’s terms is that inside your MagicBand is a chip that has no personal data stored, all it does is send and receive RFID signals using short and long range antennas that say this band is number 3401-3312-90XX, aka this is Aut. When that signal is received by a FP+ or park entry turnstile, taps a charge sensor, or even gets scanner by a MemoryMaker CM the systems scanning say HEY look it’s Aut! Aut is allowed to charge to her room, she is on this dining plan, she has this many credits, this ticket type, a FP+ at this time etc.

making-the-band-028Now I hear you saying but if my credit card info isn’t ON my band where IS it? Well because MagicBands don’t have hard drives to store data on them the answer to this is super simple, it is on a secure server. When you told Disney they could store it and that you wanted to use room charge MDE was told you had approval to use room charge. Every time you scan your band and enter your pin the MDE system stores the receipt information. Then at the end of your trip or when you hit your pre-approved limit which ever happens first, MDE tells that separate secure server the amount to charge to your card, and the secure system contacts your credit card account to run the charge.
So yes, while RFID systems CAN be skimmed even if someone was to skim your MagicBand they wouldn’t get any personal information WORTH stealing because your band doesn’t hold data.  Making this Disney Myth Busted!

TMSM Mythbusters Busted

MagicBands Need Activated
Oh wow we have people ask us about “activating” their MagicBand all the time. Once again this is a Disney Myth that people just can’t step away from. To go back to the quick version of our first myth MagicBands are merely an RFID chip that tell Disney systems who you are.
Currently Walt Disney World requires guests to physically check into their hotel before using tickets attached to their account, use room charge etc. This I personally believe is just a part of the MDE swap over. The bands that guests arrive with are rarely touched by Cast Members at check in. In fact I carry a zip lock bag full of MagicBands and bounce between them on trips.
This myth seems to have stemmed from people who have had issues with their MDE account. Instead of properly explaining that perhaps Park Guest Minnie didn’t properly link the 6 people in her family she felt the need to create MDE accounts for even though they were all on her resort reservation or that the system was acting glitchy CMs have allegedly* told guests the issue was their band. Here is the thing. Unless the RFID chip IN the band is bad the issue is not the hardware but the software or more times that not a PEBKAC error. Once a CM resolves the issues with the software, account linking etc everything works right because the permissions are fixed in the software. In the rare instances of the band actually being bad CMs issue guests a new band and link those to the guest’s MDE account.
So knowing this basic technology information, as well as knowing the resorts are actively testing a system that allows guests to bypass resort check in all together as long as they completely fill out their online check-in information and provide a cell phone number so that the resort can text the guest’s room number to them, we can in fact say this Disney myth is busted!
TMSM Mythbusters Busted

MagicBand Image from edn.com

*”CMs have allegedly* told guests the issue was their band.” this is a statement guests have mentioned in forums. I have yet to personally experience this statement being said.

 

Michele
Follow Me

Leave a Reply

The Main Street Mouse