Slashdot Mirror


Unlocking The Power Of the Magstripe

Acidus writes "While researching for an embedded systems project (a magstripe enabled Coke machine), I was shocked by the lack of magstripe information: Programs/code that would run on a modern OS were all but nonexistant, articles that were 6-10 years old, etc. Further research proved hard, because I had become Google's authoritative source. So Stripe Snoop was born, and is now at 1.5. Stripe Snoop is a suite of research tools that captures, modifies, validates, generates, analyzes, and shares magstripe data, with an ever-growing database of card formats. Decoding everything from driver's licenses to banking cards, its features can analyze non-standard cards, such as NYC's Metrocard."

224 comments

  1. Good link checking, well done the mods... by REBloomfield · · Score: 0, Troll

    The requested URL /acidus/coke.html was not found on this server.

    1. Re:Good link checking, well done the mods... by LiquidCoooled · · Score: 5, Informative
      --
      liqbase :: faster than paper
    2. Re:Good link checking, well done the mods... by Anonymous Coward · · Score: 0

      You could have at least linked to a decent pr0n site instead, since obviously the mods don't actually click on the links before posting the article.

    3. Re:Good link checking, well done the mods... by gl4ss · · Score: 0, Offtopic

      proof that editors don't even read the links, much less read the mails sent to them to the 'future' before post goes live?

      why can't they recruit some people, like a 1000 or so from the slashdot readers who are active(write texts that get modded up from being really informative or insightful and who write lots of them) and before any story gets live some ~20-40 of the 1000 checkers would have to mark the story as valid? the checkers could also get a head start and comment _in_ the story itself the obvious understanding mistakes people _always_ have about the stories(would reduce the amount of misinformative posts dramatically if some of the obvious if you would rtfa things were stated in the writeup itself - like in the new "2tb memory card" story, it should be obvious and stated that the format just happens to support up to 2tb and not actually hold that much yet).

      and while technically this isn't the place for such discussion - on slashdot comments on stories are the only things that get actually read by anyone.

      and the karma system is broken because excellent is so easy to gain that anyone gets it even if you're writing total bullshit that's both uninsightful and misinformative.

      --
      world was created 5 seconds before this post as it is.
    4. Re:Good link checking, well done the mods... by nolife · · Score: 0, Offtopic

      proof that editors don't even read the links, much less read the mails sent to them to the 'future' before post goes live?

      Who really cares. If it does not work or a link is dead move along. Same with dupes, yes it happens but does it really matter?

      --
      Bad boys rape our young girls but Violet gives willingly.
    5. Re:Good link checking, well done the mods... by REBloomfield · · Score: 1

      When it's a core part of the submission, yes it does.

  2. Also in 2600 by Noryungi · · Score: 5, Interesting


    There was also an interesting article in this summer's 2600 magazine about magstrips. Some information and code were supplied...

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:Also in 2600 by pacc · · Score: 4, Informative

      Linked from the Stripe Snoop page:

      An article I wrote that is being published in the Summer 2004 issue of 2600 that is all about magstripe interfacing. This provided the basis for Stripe Snoop. Another application is this homebrew coke machine I built.

    2. Re:Also in 2600 by Noryungi · · Score: 1

      I stand corrected [RTFA and all that]... =)

      (Thanks for the information)

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    3. Re:Also in 2600 by shepmaster · · Score: 4, Interesting

      I consider myself lucky, in that I have met Acidus in person, and have actually shared a class with him. It was an embedded programming class, and we each had to do a semester project. As mentioned in the blurb, his project was a Coke dispenser that worked off magstripe technology.

      What was far more interesting was the software backend he developed to run the system. It was very professional, and the software itself incorporated some intriguing concepts, such as what to do when the system was cut off from the real world. I hope Acidus will care to chime in and explain some more of his higher-level ideas.

      One thing that I was impressed with was the security concerns that he evidently thought of. Unlike other programmers I know, security was not an afterthought, but incorporated into the design (this was also evidenced in his Blackboard dissection, previously discussed on Slashdot).

      I hope that Acidus has a chance to go far, he is one of those bright young Computer Scientists with a good future in front of him.

      Cheers!

    4. Re:Also in 2600 by brandonY · · Score: 3, Funny

      He was president of our theatre organization. Do you know how many times we had to swear that we wouldn't let him get near the buzzcard reader in order to get one?

  3. Working link by Zorilla · · Score: 5, Informative

    Here's the real link to the article:

    Linky.

    --

    It would be cool if it didn't suck.
  4. Re:El-Off-Topic-Postino: 'Nonexistant' by Anonymous Coward · · Score: 0

    whatz a sphellchekker vern??

  5. How long before DMCA is used? by gilesjuk · · Score: 5, Insightful

    I can imagine some card company out there will try and put a stop to this, purely to save their own skins for putting out fairly weak systems.

    Could be a useful tool though, I'd love to save car parking charges (place where I park sometimes uses magnetic cards) :)

    1. Re:How long before DMCA is used? by Anonymous Coward · · Score: 3, Insightful

      "Could be a useful tool though, I'd love to save car parking charges (place where I park sometimes uses magnetic cards) :)"

      Smiley noted, but it's comments like this that make people think of "hackers" as criminals. Another example: P2P could be a useful tool though, I'd love to save the cost of a CD.

      RIAA and the MPAA may be a bunch of wankers, but let's not encourage them. Let the same logic apply to smart & mag card manufacturers.

    2. Re:How long before DMCA is used? by t_allardyce · · Score: 5, Insightful

      I think it's happened before - people calling up their bank etc and saying "hey, your card is insecure it stores your pin in plaintext" and the bank says "you shouldn't have a card reader! what do you think you're doing"

      It's the standard bullshit you'll get from clueless people and experience says most cards in your wallet are probably badly designed, so yep, it's probably not worth it to try and help these people by explaining what's wrong and what they can do because they are more likely to try and sue you.

      But I think technically you have a legal right to see what's on the strip - it's your personal data and would fall under the data-protection act?

      --
      This comment does not represent the views or opinions of the user.
    3. Re:How long before DMCA is used? by gilesjuk · · Score: 1

      The difference is, I'm not the one hacking the system. Therefore the person who has hacked the system should be a bit more responsible in putting out the information.

      Anyway, the said car parking charges are extortionate. Typically £5-7 and I'm only there around three hours. I doubt I would "hack" it anyway, would mean leaving a laptop in the car for starters.

    4. Re:How long before DMCA is used? by nz_mincemeat · · Score: 1

      Wouldn't that depend on what is actually written on the card? After all doesn't a magstrip simply serve a generic storage role like a floppy disk?

      IANAL but if the content is encrypted or even just a checksum added, then trying to make sense of it would become a crime.

      And if it's a simple enough scheme and the judge orders the destruction of the circumvention apparatus, it might be lobotomy time ;-)

    5. Re:How long before DMCA is used? by Anonymous Coward · · Score: 5, Interesting
      I can imagine some card company out there will try and put a stop to this

      I used to work for a company that produced access control devices, including card readers. We managed to reverse engineer all of our competitors' card formats (the ones that didn't use the well-documented Wiegand standard) and build support for them into our product to reduce the cost of getting customers to switch. Most competitors just shrugged it off, half of them were doing the same thing anyway, but one company that relied on defence contracts for a lot of its business got its lawyers to write a letter threatening to report us to the NSA for "breaking their triple-DES level encryption scheme". We sent the lawyers back full documentation of their snakeoil and pointed out that they'd lose a lot of Government and defense business if the NSA got wind of the fact that what was being marketed as "triple-DES level encryption" was in fact a 4-bit XOR pattern.

    6. Re:How long before DMCA is used? by hackstraw · · Score: 2, Informative

      Magstrips are terribly insecure. They are a reprogrammable single number on a card. Do you know why at retail stores that they scan your card, and then put in the last 4 digits manually? And wonder why those 4 digits are under a hologram? It's because it's trivial to reprogram one of these with a new number. A magstripe writer new costs like $500 or $600. Trust me, I could get a pretty return on investment with that upfront cost. CC numbers all have some kind of checksumming algorithm with them, and if someone put a random valid number on a card, it still would not match the last 4 numbers. I've heard that phonecards in Europe had to go with smartcards because people were getting fake magstrip cards.

      I'm actually shocked that magstripe reprogramming is not more common. Since CCs are taken everywhere now, and most of them are self swipe, hmm....

    7. Re:How long before DMCA is used? by gd23ka · · Score: 1

      Even though most parking garage systems appear simple and vulnerable they are not. Many parking systems (but probably not all) keep track of whether your car is in the garage or not. A couple of years ago I let a friend park in our garage. We left in the evening and I drove out of the garage with my car. I handed the card to my friend and the system let him leave too. The next day however, when I tried to get into the garage it didn't let me. Instead the garage attendant came over and screamed at me that he had me and my friend on video and if I ever did that again they would take my card and charge me with fraud.

      A better way of hacking the system is to have your friend drive behind you bumper to bumper after you. That way the system registers only one car passing through.

    8. Re:How long before DMCA is used? by Anonymous Coward · · Score: 0

      The difference is, I'm not the one hacking the system. Therefore the person who has hacked the system should be a bit more responsible in putting out the information.

      The difference is, I'm not the one making the gun. Therefore the person who manufactures guns in the first place should be a bit more responsible about the deaths he's causing.

    9. Re:How long before DMCA is used? by Anonymous Coward · · Score: 0

      "The difference is, I'm not the one hacking the system."

      Just Because You Can, Doesn't Mean You Should. Here in the UK you'd still be done for fraud - You would have knowingly used a fake card to obtain a "pay for service" for free.

      If I were you, if you don't like the cost of parking in a particular building, then find another, get a lift, use a bike or take public transport instead.

    10. Re:How long before DMCA is used? by Anonymous Coward · · Score: 0

      Posting Anonymously to protect the guilty...

      I used to work for a company that produced a system of cards with magnetic strips to track clients (it was a rewards points type system).

      Because of this, to test our systems and software upgrades we had a magnetic card reader/writer in the office.

      Of course, the Engineering team leader liked to "test" this machine on his toll road card. The information was insecure, so it was easy for him to continuously update the card and never pay the toll again....

    11. Re:How long before DMCA is used? by byolinux · · Score: 2, Insightful

      Hacking - playful cleverness.
      Cracking - computer crime.

      I think trying to defraud a system would probably fall under the Computer Misuse Act in the UK.

    12. Re:How long before DMCA is used? by -brazil- · · Score: 1

      I'm pretty sure PINs on bank cards were never stored in plaintext on the cards. Even the very earliest systems had them encrypted, but of course they had the retry counter also on the card, making a brute force attack on the tiny keyspace feasible (if tedious).

      --

      The illegal we do immediately. The unconstitutional takes a little longer.
      --Henry Kissinger

    13. Re:How long before DMCA is used? by Anonymous Coward · · Score: 4, Informative
      A magstripe writer new costs like $500 or $600.

      True. Some are even more. I worked at a security company a few years ago testing, among other things, mag-stripe cards/readers/interfaces. We used American Magnetics' (I believe) Model 700's - and that 700 was roughly equivalent to the base-model price. It depended, of course, on whether you bought the models that could read just one stripe, two stripes, or all three stripes on a standard card - the 3-stripers were more, of course, but for some purposes unnecessary. For example, another tester and I duplicated the first two stripes of his ATM card (ignoring the third because either we didn't know what character set it was encoded in, or else we didn't yet have access to a 3-stripe reader/writer, I forget which), and successfully used it in an ATM (just to do a balance inquiry - not to actually withdraw cash - we were too afraid of setting off some kind of alarm). We'd suspected that would work beforehand, since the first two stripes were in ABA (American Bankers' Association) 7-bit (or was it 5-bit? - it's been three years, and I've slept since then) and the third stripe wasn't, so therefore probably not used for banking applications. We were satisfied enough when it succeeded to not experiment further.

      But, with that in mind, it's immediately clear that you could earn back the initial hardware investment in a big hurry if you were of a black-hat kind of mind-set.

      One of the more interesting/cute little facts when you're working with mag-stripe cards is that, to determine where some failures lie, you can use a spray-can of very fine iron or iron-oxide dust (basically, rust) to spray on the stripe and actually SEE the encoded magnetic patterns. If the patterns are sharp, then it's the reader's fault; if the patterns aren't there, then it's the card's fault.

      Here's another project for someone with a bit more in-depth hardware knowledge than I have: figure out what encoding scheme is on the thin little cards used at some arcades where you buy credit on a proprietary card - I tried reading one of those in a 3-stripe reader and got unreadable, inconsistent and totally unuseful results.

    14. Re:How long before DMCA is used? by Smidge204 · · Score: 4, Insightful

      The difference is, I'm not the one hacking the system. Therefore the person who has hacked the system should be a bit more responsible in putting out the information.

      In other words, not release it at all?

      Let's ban chemistry books, then, because the information in there can be used to develop lethal toxins and explosives. Those publishers should be a bit more responsible in putting out the information.

      Don't be an asshat. Information is information. He is not advocating its use for illegal/immoral activities (quite the opposite, actually). If you choose to apply this knowledge to break the law, then you are responsible. Don't blame the publisher of the book if someone uses the information to build a bomb and don't blame the maintainer of the website if you use the information to commit fraud.
      =Smidge=

    15. Re:How long before DMCA is used? by Anonymous Coward · · Score: 0
      This already happened at GA Tech. Some students apparently found out how to defeat the campus wide BuzzCard system. The BuzzCard is used for meal plans, building access, and some spending money via Coke machines, etc.

      More on the Blackboard hack vs. DMCA

      They were basically put under restraining order by a judge not to divulge specifics of how they defeated the system.

    16. Re:How long before DMCA is used? by Anonymous Coward · · Score: 0

      Stooping - asshat post.

      And I'm offended by your abuse of the letter "e", do you even know what it means?

    17. Re:How long before DMCA is used? by Muad+Dweeb · · Score: 2, Funny

      Asshat? I detect a Farker.

    18. Re:How long before DMCA is used? by Anonymous Coward · · Score: 0

      Then the garage attendant wonders why a bus came parking in his garage.

    19. Re:How long before DMCA is used? by LookSharp · · Score: 2, Insightful

      I am not familiar with a time in my time as a banking customer or employee of a banking company when PINs were encoded on a magstrip. All ATM systems I have ever used compare an entered PIN with one on a secure, remote system.

      I agree you should be able to see what's on a strip, but let's not get less knowledgeable people excited here, OK?

    20. Re:How long before DMCA is used? by Telecommando · · Score: 3, Interesting

      Hmmm...
      So do you suppose that all those "high security" cards the government buys are actually low/no security cards?

      I feel safer already.

      --
      Beta sux! Join the Slashcott! http://hardware.slashdot.org/comments.pl?sid=4760465&cid=46173047
    21. Re:How long before DMCA is used? by FLEB · · Score: 1

      (looking at product brochure)

      Yeah, but how'd you break the "invisible quadruple-ROT13 encryption mechanism"?

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
    22. Re:How long before DMCA is used? by fishbowl · · Score: 1

      "They were basically put under restraining order by a judge not to divulge specifics of how they defeated the system."

      Then they broke the first rule of petty crime:

      Don't Get Caught.

      --
      -fb Everything not expressly forbidden is now mandatory.
    23. Re:How long before DMCA is used? by SegFault(CoreDumped) · · Score: 1

      Something like this has happened in the past. Google for the Blackboard system which tried to use legal measures to stop research into the system's insecurities. Quick source of info

    24. Re:How long before DMCA is used? by Anonymous Coward · · Score: 0


      >I think its happened before - people calling up
      >their bank etc and saying "hey, your card is
      >insecure it stores your pin in plaintext" and the
      >bank says "you shouldnt have a card reader! what
      >do you think you're doing"

      You are certainly not going about it the right way.

      Do you really think the contact person at the bank has any possible way to deal with this problem?

      I doubt their response is even as cogent as "you shouldn't do that."

      But the problem is, unless you can show that damage has been done, i.e., in the form of a lawsuit, you really don't have any standing to affect the way the bank does business. Take your money elsewhere, or sue them for damages.

      Calling the customer service number and saying their system is insecure isn't going to accomplish much.

    25. Re:How long before DMCA is used? by budgenator · · Score: 1

      save their own skins for putting out fairly weak systems
      considering that they use track 2, and that track only contains 40 characters, using a 32 character md5sum of two data fields and a secret field would be out of the question.
      If you're bound and determined to commit retail fraud; I'd think you would want more for your prison sentence than free parking though.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    26. Re:How long before DMCA is used? by casuist99 · · Score: 1

      Rather than chemistry books, the magcard software is more analogous to a bomb-making kit or toxin-making kit. It's not an analogy that I would have picked or even necessarily support, but it's a correction of your logic. As another point, the 1's and 0's along with the computer and programming documentation are more similar to the alphabet and chemistry book.

    27. Re:How long before DMCA is used? by ACPosterChild · · Score: 1

      No, No! It's the GUN that kills people, not the person who pulls the trigger!

      It's the video game that made the kid snap! Not bullies, hostile teachers, and a crappy home environment!

      It's the fault of the guy who programmed tcpdump! It's not my fault for using it to sniff passwords instead of troubleshoot legitimate networking problems!

      [/sarcasm]

      Don't you love 12 year-olds trying to find their way through the complex world of BASIC ETHICS?

    28. Re:How long before DMCA is used? by Anonymous Coward · · Score: 0

      I firsthand know how insecure they are, and how easy it is to obtain credit card information and then write it to new cards. I had it happen while vacationing in Spain. When I got back, there were a bunch of charges that occurred after I'd left the country. Turns out that the employees of a restaurant that I went to were creating counterfeit cards from their often foreign patrons.

    29. Re:How long before DMCA is used? by Anonymous Coward · · Score: 0

      I kinda got into the same situation. But I just walked over to the entrance, swiped the card there (so I had "left" and come back "in"). This stopped working after a bit (they probably figured this out, and decided to check the sensor if there's a car actually there). But if you're creative, there are ways around this as well, I suppose. No video cameras at my work, though, so now I just drive around the gate.....
      It's not terribly secure. And it's most definitely not fraud, no matter what some underpaid parking attendant with overblown sense of purpose thinks...

      oh and something I've wanted to do... to "hack" the systems that just give you a paper ticket from a dispenser. Just walk up a short bit before you leave, take a ticket, and walk away. It's not a crime, so all they can do is yell at you....

    30. Re:How long before DMCA is used? by ddent · · Score: 1

      I know someone who is always getting his cards demagnetized. Rather than figure out why, he decided it would be easier to always leave his original card at home and just carry around a copy he made for himself :).

    31. Re:How long before DMCA is used? by Anonymous Coward · · Score: 0

      OK, Let's say I have a kit on how to pick locks and enter into property. You think that should be banned? Cause obviously this is for the use of stealing right?

      Think twice, even bomb-making kits and toxin-making kits have legitimate uses. The above guide would be EXTREMELY useful for a learning locksmith, and may even be a requirement for the job. If you knocked it off the streets, watch the locksmith prices skyrocket and next time you get locked out of your car... well, just remember the keys right?

      Bomb making kits are excellent for chemistry. I've made many small explosives in my life, but never once have I made an explosive with the intent of destroying something. I typically do this type of thing strictly for the learning experience.

      Toxin making kits may not be as useful to your common person, but would be extremely useful to students of microbiology (such as my sister) who have to often inject rats with various different chemicals/toxins for testing purposes in order to come out with the cures for our next generation of diseases.

      Sure I can Use these things to steal, blow down a house, or to poison someone. But I can also use them to help people, learn about chemistry, and to come up with cures for our generation's or next generation's diseases.

      Please, don't be stupid, it's too common in our society.

    32. Re:How long before DMCA is used? by wolrahnaes · · Score: 1

      Since no one has jumped on this yet, the person who figured out Blackboard (the system BuzzCard uses) is the same person who submitted this article and developed the linked software.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    33. Re:How long before DMCA is used? by a2800276 · · Score: 1

      Of course it's a crime: fraud.

    34. Re:How long before DMCA is used? by raju1kabir · · Score: 2, Interesting
      Could be a useful tool though, I'd love to save car parking charges (place where I park sometimes uses magnetic cards) :)

      And I'd like to copy my ATM card's stripe over some old unused card like a library card from a city I don't live in anymore. Ought to add some useful security-through-obscurity to my wallet in case it's stolen. Who's going to stick a library card in an ATM?

      Has anyone done this? What sort of equipment do I need to write to a card?

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  6. Re:El-Off-Topic-Postino: 'Nonexistant' by Anonymous Coward · · Score: 0

    Konqueror is nonexistant on Windows, no Safari on Windows either. Is this a hiddon OS troll?

  7. parking gates by millahtime · · Score: 4, Funny

    When I was in college they had bar code scanners for the parking gates. That was easy enough to duplicate. But, right when I was leaving they switched to mag stripes. Now it's easy for a new generation to figure them out and make working cards.

    1. Re:parking gates by Anonymous Coward · · Score: 0

      Ehm ... but what if they don't record the time you arrived, but rather an id, linked to a central database containing arrival times?

      Then, you can copy to your likings, without being able to actually cheat.

  8. Not Difficult At All by Anonymous Coward · · Score: 5, Interesting

    Hey all...

    I have worked with developing Linux-based solutions with products from MagTek (manufacturer of hundreds of devices like stripe and card/check readers) and I have to point out that you may not find much information on the subject because the programming for such is so simplistic that a manual is not really needed. I am curious if other products from other providers work in a similar fashion.

    MagTek devices will decode the stripes for you. The data contained within is sent to the computer in serialized format, so once the string of characters is received, you simply have to break the data into whatever pieces you need by looking for sentinel characters in ISO-defined positions. A dozen lines of code at most will handle this under most common programming languages.

    When I was approached by my former employer to create a product with Linux and MagTek devices, (in mid-2000) I found absolutely no documentation on the devices whatsoever on the Net other than sales literature. The customer support personnel did send me several pages of specs and such via FedEx Overnight, and when I received them, I saw that most of their then-current product line operated in a similar manner.

    If possible, connect your reader device to some sort of I/O port and watch the data that is sent to the port with a terminal program (serial I/O in this case, similar methods used for parallel and USB-style interfaces...) Perform enough tests, and you should be able to get a more than adequate idea on how to parse the data sent.

    In case you are really curious, go look at the older (now defunct?) Serial I/O HowTo at linux.org (or one of the mirrors). There are more than enough examples within to show you how to handle any type of serial-based interfacing project.

    Hope this helps...

    Brian

    1. Re:Not Difficult At All by wackysootroom · · Score: 4, Informative

      Here's a fine guide on serial port programming from none other than the guys who brought us the cups printing system:
      Serial Programming Guide for POSIX Operating Systems

    2. Re:Not Difficult At All by 1shooter · · Score: 4, Interesting

      I work with this stuff all the time. Mag stripes typically have up to 3 tracks of information encoded. Usually all the data is in tracks one and two and of the many millions of cards the company has encoded and shipped, none have used track three. The hardest part about decoding data is writing the regular expression to parse into 3 lines. Now what you do with the data is a whole nother thing.

      --
      6F 9E A9 1E 96 9F 74 27 ED B8 81 6D 0C 4E 1E 78
      My other Sig is a 229.
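Added example, not code from the thread or from Stripe Snoop: a parser for the string a decoding reader sends, split on the ISO/IEC 7813 sentinels (`%`...`?` for track 1, `;`...`?` for track 2) as the two posts above describe, with the consistency checks a point-of-sale system would apply (Luhn checksum, agreement between tracks, and the last four digits printed on the card). The sample swipes are constructed from public test card numbers; `parse_swipe` and its field names are hypothetical.

```python
import re

# ISO/IEC 7813 layouts as delivered by a reader that decodes the stripe itself.
# Track 1: %<format code><PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(
    r"%(?P<fc>[A-Z])(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)

# Constructed sample data (public test numbers, not real cards).
SAMPLE_SWIPE = ("%B4111111111111111^DOE/JOHN^30121010000000000?"
                ";4111111111111111=30121010000000?")
# Same card body, but track 2 carries a different (still Luhn-valid) number.
REENCODED_SWIPE = ("%B4111111111111111^DOE/JOHN^30121010000000000?"
                   ";4012888888881881=30121010000000?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so logs never hold the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_swipe(raw: str, printed_last4=None) -> dict:
    """Split a raw swipe into tracks and list every inconsistency found."""
    tracks = {}
    for label, rx in (("track1", TRACK1), ("track2", TRACK2)):
        m = rx.search(raw)
        if m:
            tracks[label] = m.groupdict()
    if not tracks:
        return {"pan": None, "name": None, "expiry": None,
                "problems": ["no ISO track found"]}

    problems = []
    if len({t["pan"] for t in tracks.values()}) > 1:
        problems.append("PAN differs between tracks")
    if len({t["exp"] for t in tracks.values()}) > 1:
        problems.append("expiry differs between tracks")
    for label in sorted(tracks):
        if not luhn_ok(tracks[label]["pan"]):
            problems.append(f"{label}: Luhn check failed")

    # Track 2 is the one normally sent for authorization, so prefer it.
    chosen = tracks.get("track2") or tracks["track1"]
    if printed_last4 is not None and chosen["pan"][-4:] != printed_last4:
        problems.append("encoded PAN does not match last four printed on card")

    return {"pan": mask(chosen["pan"]),
            "name": tracks.get("track1", {}).get("name"),
            "expiry": chosen["exp"],
            "problems": problems}


if __name__ == "__main__":
    print(parse_swipe(SAMPLE_SWIPE, printed_last4="1111"))
    print(parse_swipe(REENCODED_SWIPE, printed_last4="1111"))
```

A Luhn-valid number alone proves nothing about the card, which is why the cross-track and printed-digits comparisons are reported separately.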
  9. So wait, how do i hack my metrocard? by StingRayGun · · Score: 5, Funny

    It's not like a federal offense or anything is it?

    1. Re:So wait, how do i hack my metrocard? by Zorilla · · Score: 1

      Great, I can just hear Homer Simpson singing his fake ID song, only like this:

      "It was a very good bus ride. My name was Brian McGee, when I was seventeen."

      --

      It would be cool if it didn't suck.
    2. Re:So wait, how do i hack my metrocard? by hatrisc · · Score: 1

      I believe metrocards get rewritten every time they are read. They have to actually, in order to keep a balance. Once you figure out exactly the scheme, you can add $50 to it, and use it as usual. However, you need a writer, not just a reader. Once you've run out of money, another $50 programmed on will work fine.

      --
      I write code.
    3. Re:So wait, how do i hack my metrocard? by niks42 · · Score: 1

      One hopes that the authorities would encrypt the data in the hope of stopping people from simply adding to their card. It wouldn't stop the problem of people copying a card with 50 bucks on, and then restoring that image - and their 50 bucks - back onto the card. However, I know that a lot of places that use magstripe (and chip) cards for small amounts of money do a periodic check back to the main database; you need to get data back to the database from all places - machines, stores, news stands - where you can legitimately increase the value of a card. If the value of the card magically increases, and there is no corresponding revenue activity, send out to all of the card writers, when the card is seen next to mark it as 'unreadable'. I think the machines out there can maintain a list of card serial numbers that are due for deactivation when they are next seen.

    4. Re:So wait, how do i hack my metrocard? by Anonymous Coward · · Score: 0

      Oh, but it is a federal offense. That sort of hacking is considered a form of counterfeiting. The Secret Service, when it's not guarding POTUS and other VIPs, has the job of investigating these crimes. I know. I worked for them awhile back developing an application to help them track these offenses.

    5. Re:So wait, how do i hack my metrocard? by hatrisc · · Score: 1

      that's possible, but what about buses? is there a wireless/satellite connection to this database? or... does the bus have to plugin the cat5 cable when coming back to the place they park? As far as subway stations and such, I would assume that yes indeed it would work some way. There may also be some sort of checksum that has to match or else the card is invalid. who knows.

      --
      I write code.
    6. Re:So wait, how do i hack my metrocard? by Anonymous Coward · · Score: 0

      The answer to that question is probably indefinite detention in Guantanamo.

    7. Re:So wait, how do i hack my metrocard? by Zebra_X · · Score: 1

      "They have to actually, in order to keep a balance"

      No. The card could have a unique id, which is then linked to an account stored on a very large system. Every time you walk through the turnstile, the account, with the associated ID, is updated.

      To update your card, a cash machine accepts money and places it in your account.

      Oh wait, that's the OTHER global transactional system.

      In the context of subways, the method is also tamper proof, unless of course you lose your card.

    8. Re:So wait, how do i hack my metrocard? by bellevueGeek · · Score: 5, Informative

      Actually it is a federal offense since it would be considered counterfeiting, but what is even more interesting is the security they have in place to stop that.

      Remember when it first came out and the cards were blue? Apparently a bunch of people figured out that you could dupe $50 of value to used ones, and sell them to idiots on the platform. They would swipe it to show the dope there was a value and get cash for it.

      I sat in on a security lecture once where the expert discussed the complexities of preventing unauthorized use in a system that big. Basically every time you swipe it writes back to your card and a log at that turnstile. Every 5 minutes or so that log is uploaded to a regional center and that in turn is uploaded to a central location. They then can detect things like if a card is used in more than one location, or if more than once in n minutes. If one of these potentially illegal conditions exists the system can add your card to a blacklist and push it back out to the turnstiles all in under 11 minutes.

      The cooler thing is that then when you use a modified card that was blacklisted the little color lights on the opposite side flash yellow or red instead of green. Alerting the police who like to stand and watch people try to jump or squeeze by to pick you up.

      I thought it was a brilliant use of a relatively old and low-security technology.

      --

      All ye all ye outs in free!
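The checks described in the comment above (a card seen in more than one location, or reused within n minutes, leading to a blacklist entry), sketched as an added example that is not part of the thread or any transit system's code. The log format, station names, card serials and the 5-minute minimum travel time are constructed assumptions; the 18-minute lockout for unlimited cards is the figure other commenters give.

```python
from datetime import datetime, timedelta

UNLIMITED_LOCKOUT = timedelta(minutes=18)  # figure quoted by other commenters
MIN_TRAVEL = timedelta(minutes=5)          # assumed fastest station-to-station trip

# Constructed swipe log: ISO timestamp, card serial, station, card type
SAMPLE_LOG = """\
2004-09-20T08:00:00,C1001,StationA,stored
2004-09-20T08:00:20,C1001,StationA,stored
2004-09-20T08:01:00,C2002,StationA,unlimited
2004-09-20T08:05:00,C2002,StationA,unlimited
2004-09-20T08:10:00,C3003,StationA,stored
2004-09-20T08:12:00,C3003,StationZ,stored
2004-09-20T09:00:00,C2002,StationB,unlimited
2004-09-20T09:30:00,C3003,StationA,stored
"""


def parse(log_text):
    """Yield (time, card, station, kind) tuples from the uploaded turnstile logs."""
    for line in log_text.strip().splitlines():
        ts, card, station, kind = line.split(",")
        yield datetime.fromisoformat(ts), card, station, kind


def analyze(log_text):
    """Return (alerts, blacklist) after replaying the merged logs in time order."""
    last_ok = {}       # card -> (time, station) of the last accepted swipe
    blacklist = set()  # serials to push back out to the turnstiles
    alerts = []
    for ts, card, station, kind in sorted(parse(log_text)):
        stamp = ts.isoformat()
        if card in blacklist:
            alerts.append((stamp, card, "blacklisted"))
            continue
        prev = last_ok.get(card)
        if prev:
            gap = ts - prev[0]
            # Same serial at two stations faster than anyone could travel:
            # the signature of a duplicated card, so blacklist it.
            if station != prev[1] and gap < MIN_TRAVEL:
                blacklist.add(card)
                alerts.append((stamp, card, "impossible_travel"))
                continue
            # Unlimited cards are refused on quick reuse; stored-value cards
            # may legitimately pay for several riders in a row.
            if kind == "unlimited" and gap < UNLIMITED_LOCKOUT:
                alerts.append((stamp, card, "reuse_lockout"))
                continue
        last_ok[card] = (ts, station)
    return alerts, blacklist


if __name__ == "__main__":
    found, blocked = analyze(SAMPLE_LOG)
    for alert in found:
        print(*alert)
    print("blacklist:", sorted(blocked))
```

The stored-value card C1001 swiped twice in 20 seconds raises nothing, which matches the replies below about passing a group through on one card.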
    9. Re:So wait, how do i hack my metrocard? by hatrisc · · Score: 1

      In the context of subways, the method is also tamper proof, unless of course you lose your card.

      And in the context of buses?

      --
      I write code.
    10. Re:So wait, how do i hack my metrocard? by hatrisc · · Score: 1
      --
      I write code.
    11. Re:So wait, how do i hack my metrocard? by sporty · · Score: 1

      Which part is the federal crime? The study of reproducing it, the reproduction, the public disclosure or the usage? It's so not black and white, that black and white laws seem inappropriate.

      --

      -
      ping -f 255.255.255.255 # if only

    12. Re:So wait, how do i hack my metrocard? by Lawrence_Bird · · Score: 1
      They then can detect things like if a card is used in more than one location, or if more than once in n minutes. If one of these potentially illegal conditions exists the system can add your card to a blacklist and push it back out to the turnstiles all in under 11 minutes.

      So you are saying that letting the person(s) behind me in my group use my card will invalidate it? I've not heard of this happening to anybody.
    13. Re:So wait, how do i hack my metrocard? by rhsanborn · · Score: 1

      I doubt it, but letting the person 40 miles from you use it 2 minutes after you might raise a flag or two.

    14. Re:So wait, how do i hack my metrocard? by Alibi · · Score: 1

      So you are saying that letting the person(s) behind me in my group use my card will invalidate it? I've not heard of this happening to anybody.

      This doesn't happen with the cards that have some amount of money on them, but there are cards that allow unlimited travel for some number of days instead of just storing a balance. These cards aren't supposed to be used twice at the same turnstile within a short amount of time, otherwise a group of people could share one card.

    15. Re:So wait, how do i hack my metrocard? by mikeboone · · Score: 2, Interesting
      They then can detect things like if a card is used in more than one location, or if more than once in n minutes.

      This second one screwed me, a first-time visitor to NYC. We took the stairs down to the subway at a station somewhere near Times Square. I slipped my Metrocard through and entered, only to find out that in this particular station, you could only get to the other side of the tracks by going back up to the street, coming down another set of stairs, and reentering the gates. The card reader promptly informed us that we were reusing our cards too soon. It's not like I was trying to simultaneously use it halfway across the city or something. After an unpleasant conversation with a bitchy and hard-to-understand attendant, we were allowed to enter the correct platform. I think the Metrocards are too picky!

    16. Re:So wait, how do i hack my metrocard? by proj_2501 · · Score: 2, Interesting

      With the unlimited metrocard, the minimum time between swipes is 18 minutes, I think. You'll see a lot of guys who buy a few of those, then they'll swipe you through for a dollar instead of the usual two.

      MTA doesn't like that much.

      2600 tried to do this without charging and they still got in trouble!

    17. Re:So wait, how do i hack my metrocard? by cccpkgb · · Score: 1

      I still don't understand how this works with busses, however. Do they send/receive this information wirelessly somehow?

      Or is it uploaded on a daily basis when they are stationed at the depot?

      Both seem quite unlikely.

    18. Re:So wait, how do i hack my metrocard? by Zebra_X · · Score: 1

      I wasn't saying that the card's information wasn't changed. Simply, that that's not the only way to approach such a system.

    19. Re:So wait, how do i hack my metrocard? by Anonymous Coward · · Score: 0

      The reason behind your not being let in wasn't the "you can't be in two places at once" security feature, it was because when you buy an unlimited ($7 a day, $30 a week, etc) you can't use your card again within 18 minutes, which prevents people from buying an unlimited card and using it for all their friends.

    20. Re:So wait, how do i hack my metrocard? by Anonymous Coward · · Score: 0

      It's wifi when they pass near terminals.

    21. Re:So wait, how do i hack my metrocard? by Anonymous Coward · · Score: 0

      Tamper proof, and slow as hell. Imagine the network traffic for a system like this at rush hour.

    22. Re:So wait, how do i hack my metrocard? by hatrisc · · Score: 1

      Obviously there are multiple ways to create a system like this. However, with the crazy amount of buses that MTA provides and the remote subway locations, it would be nearly impossible to make sure all of these places have access to the network to check balances. The fact is, they would be stupid to do it that way since it could mean crazy revenue losses if a) main database server goes down b) network service goes down, or maybe even ATM service or whatever

      That's also not to say, that there isn't some sort of communication going on at the end of the day. Consider a turnstile issuing randomly generated 'tokens' SecurID style, which get written back. And at the end of the day, all the tokens given out are sent back to some main system for validation. Invalid tokens get sent back, and therefore "flagged" for the next day. Who knows.

      --
      I write code.
    23. Re:So wait, how do i hack my metrocard? by fishbowl · · Score: 2, Informative

      "Actually it is a federal offense since it would be considered counterfeiting"

      I'd expect it to be a forgery offense, against the State of New York (if you're talking about NYC Metrocards), but I hardly think the Federal Government has a case here, unless maybe you traffic in counterfeit metrocards across state lines or something. See, the NYC transportation department isn't a federal agency, and the card isn't a federal reserve note.

      Still a bad idea of course, New York's justice system being just as scary as federal...

      "They would swipe it to show the dope there was a value and get cash for it."

      You didn't mention whether or not it would get you on the train.

      --
      -fb Everything not expressly forbidden is now mandatory.
    24. Re:So wait, how do i hack my metrocard? by orac2 · · Score: 2, Interesting

      Every MetroCard *does* have a unique id, and if you used a credit or debit card to purchase it, the id and card # get stored in the MTA's database together.

      This allows a number of things: if your monthly card gets lost or stolen, you can call the MTA up, give them your credit card number and they'll blacklist the missing card and send you a new one for the remaining days left on your Metrocard.

      It's also been used by the NYPD for verifying alibis, when Metrocards found on suspects can be traced to specific stations at specific times. If you say "At the time, officer, I was commuting to work just like I do every day", and your card shows you actually using a completely different station than you normally use and which happens to be two blocks from the crime, well then Lucy, you got some 'splainin to do...

      And indeed, disabled and elderly Metrocard users can update their cards electronically without having to visit a machine, but it's not generally available, for logistical rather than technological reasons.

      --
      "Just once, I'd like to meet an alien menace that wasn't immune to bullets." -- The Brigadier, Dr. Who
    25. Re:So wait, how do i hack my metrocard? by dangerburger · · Score: 0

      Reminds me of a good article.
      From The New York Times:
      A Disgusting Practice Vanishes With the Token By RANDY KENNEDY
      In five days, when the last New York City subway token slides through the slot of the last booth to sell them, few people will notice and fewer will care. There will be no official ceremony to mark the passing. If there is music in the background, it will not be taps; it will be the bleating song that turnstiles sing to valid MetroCards.
      But off in a corner, hidden in the shadows where things begin to smell bad, at least a few observers will notice and care quite a lot. They belong to a sad and desperate breed of criminal that has been in decline for a long time, one that will soon become as irrelevant as bootleggers and horse thieves.
      Officially, the crime is classified as theft of Transit Authority property. But among transit police officers it is more accurately and less delicately known as token sucking. Unfortunately for everyone involved, it is exactly what it sounds like.
      The criminal carefully jams the token slot with a matchbook or a gum wrapper and waits for a would-be rider to plunk a token down. The token plunker bangs against the locked turnstile and walks away in frustration. Then from the shadows, the token sucker appears like a vampire, quickly sealing his lips over the token slot, inhaling powerfully and producing his prize: a $1.50 token, hard earned and obviously badly needed.
      Even among officers who had seen it all, it was widely considered the most disgusting nonviolent crime ever to visit the subway.
      "It gave you the willies," said Brendan J. McGarry, a veteran transit police officer. "We've had cases every so often, these guys would end up choking and swallowing the tokens. Then what do you do? You've got to wait for the evidence to come out?"
      In truth, most token suckers usually had enough evidence already in their pockets to warrant locking them up; some of the most dedicated were able to extract more than $50 worth of tokens a day. And deterrence, when dealing with someone willing to clamp his mouth to one of the most public surfaces in all of New York City, was next to impossible.
      "These guys were on their last legs," Officer McGarry said. "If they were going to jail, it was just an inconvenience for them." (In an interview with a reporter for The Los Angeles Times in the early 1990's, one token sucker acknowledged the depths of his desperation. "Hard times makes you do it," he explained, adding: "Anyways, I've kissed women that's worse.")
      Eddie Cassar, a retired transit officer, recalled making his first token-sucker arrests in the late 1970's, and by the time he retired in 1982, there was already a dedicated corps of inhalers, mostly teenagers and homeless men, working the station at 42nd Street and Eighth Avenue. By 1989, with the rise of the crack trade, token sucking reached almost unbelievable proportions.
      During a typical summer week, repair crews were sent on 1,779 calls to fix turnstiles in a system that had 2,897 turnstiles in all. More than 60 percent of the calls involved paper stuffed into the token slots. (A related subway crime involved people who disabled the turnstiles and charged riders cut-rate fees to enter through the gates, to which they had stolen keys. These criminals, somewhat higher on the social ladder than token suckers, were known affectionately as trolls.)
      Occasionally, methods other than incarceration were employed to dissuade the suckers. Token booth clerks were known to sprinkle chili powder into the token slots most often jammed. Some officers resorted to spraying a small amount of Mace around the regular slots and keeping an eye out for the usual suspects. The ones with bright red lips were then arrested.
      By the time the MetroCard was introduced in the mid-1990's, token suckers could sense the beginning of the end. But Officer McGarry said that even the introduction of advanced new turnstiles did little more than thin their ranks. By the late 1990's, he said, he was on a firs

      --
      Non-System foot or foot error. remove from mouth and strike any key when ready
    26. Re:So wait, how do i hack my metrocard? by radish · · Score: 1

      Only if it's an unlimited card. The regular stored-value cards are allowed to be used by multiple people.

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    27. Re:So wait, how do i hack my metrocard? by djdavetrouble · · Score: 2, Interesting

      he said:
      I think the Metrocards are too picky!


      You may think so as a tourist, but New York City is the most crime ridden city in the USA. More than that, crime is organized. If there was a way to scam metrocards you could be sure that there would be a racket surrounding it. I remember early rumors of places in Chinatown that would re-up your card for you, but never had them substantiated. Walk around Manhattan... first floor windows are barred up, gates have hardened steel padlocks, anything that may be worth more than a dollar is installed permanently, park benches are bolted to the ground. Why? If it can be stolen here it will. Hell, I have seen guys ripping the aluminum cores out of air conditioners because they fetch 20 bux at a scrap metal yard. This is the city where the mob had red boxes mass produced. My red box worked anywhere in the USA but NYC when I moved here. Can't get your quarter back from a pay phone? Some guy has wedged some shit up in the coin return slot so he can return later for a jackpot. This is a city of opportunity and crime is no exception. I think that tokens were obsoleted because they couldn't stay ahead of the slug manufacturers. I knew a girl that bought bags of fake tokens .... in Chinatown.....

      --
      music lover since 1969
    28. Re:So wait, how do i hack my metrocard? by ZBM-2 · · Score: 1

      Depending on where you live, there might also be a human factor involved. When I lived in the DC area, the Metro cards had the value left on the card stamped next to the mag stripe. Every time you used it, the gate would restamp it. And if you added value at one of the machines, it would spit out a completely new card (they were only paper). So as long as you just interacted with the machines, you'd prolly be ok. But if for some reason you had to show the card to a person (Metro personnel are allowed to ask to see your card at any time, IIRC) then you'd be busted. Several times I had a gate spit back my card with the error message, "please see station attendant".

      --
      ==== Warning:this poster contains subject matter that may be offensive. Flaming discretion is advised.
    29. Re:So wait, how do i hack my metrocard? by Uart · · Score: 1

      You probably bought the unlimited day-pass metrocard, didn't you? I know it's tempting man, but it's a pain in the ass when you screw up like that.

      The lock-out only happens on those cards, because they don't want people to buy an unlimited card, and then sell subway rides to people for 50 cents a pop (they'd just stand there and swipe you in). People were doing that. To stop them, they initiated the lock-out.

      Regular set-dollar-amount cards won't behave in that way. Hell, I know I've made the mistake of entering the wrong platform. It's a pain in the ass, but if you just get a 10 dollar card or something, you can go right through a turnstile on the other side without waiting (or even swipe your friend in ahead of you).

      --

      Opinionated Law Student Strikes Again!
    30. Re:So wait, how do i hack my metrocard? by Uart · · Score: 1

      Sadly, they are never ever offering one dollar rides while I am around...

      $4 round trip for me.

      --

      Opinionated Law Student Strikes Again!
    31. Re:So wait, how do i hack my metrocard? by mikeboone · · Score: 1

      Yeah, it was the unlimited day card. I'll know better next time.

    32. Re:So wait, how do i hack my metrocard? by BK425 · · Score: 1

      What, counterfeiting bus passes or asking for legal advice on /.?

    33. Re:So wait, how do i hack my metrocard? by jaoswald · · Score: 1

      Except, if you make the same mistake with a monetary value card, you're out the $1.50 (or is it up to $2 now?) instead of just 18 minutes of your time.

    34. Re:So wait, how do i hack my metrocard? by extra88 · · Score: 1

      but new york city is the most crime ridden city in the USA

      No it's not. While the topic at hand is petty crimes, NYC is the safest of the big cities (1 million+ pop.) and I'd guess that the rates for non "index" crimes are similar. Here's just one of many URLs found by Google http://www.nycvisit.com/content/index.cfm?pagePkey=1091

    35. Re:So wait, how do i hack my metrocard? by djdavetrouble · · Score: 2, Insightful

      Good stats, but I believe it is bullshit. Those stats are for things like murders, and other reported crimes. As far as unreported unrecorded crimes, who the hell can say, but I know what I have seen. I don't know any other place in the US where you can buy drugs at a bodega. What I am trying to say is crime is institutionalized and organized here, not to mention the staggering number of petty thefts and other crimes that go unreported (flashers, mashers, turnstile jumpers, shoplifters, etc.). NYC has been on a publicity campaign ever since Giuliani 'cleaned up the streets' to show how little crime there is. The title of a book I love comes to mind: How to Lie with Statistics.

      Cheers

      --
      music lover since 1969
    36. Re:So wait, how do i hack my metrocard? by albertoiii · · Score: 1

      Since Washington DC is federal land, it's a federal offence [I'm pretty sure the poster is talking about WMATA metrocards used in Wash DC]

    37. Re:So wait, how do i hack my metrocard? by Jardine · · Score: 1

      other crimes that go unreported (flashers

      Flashing's a crime? Oh crap.

    38. Re:So wait, how do i hack my metrocard? by Uart · · Score: 1

      Yeah, you should really just watch the signs as you enter the subway stop. That's the best way to do it.

      --

      Opinionated Law Student Strikes Again!
  10. hotels by millahtime · · Score: 2, Interesting

    I have always been told to take the mag stripe keys from hotels I stay in and cut them up. I wonder what kind of personal info they actually do store on those cards.

    1. Re:hotels by rampant+poodle · · Score: 5, Interesting

      Normally none. The card will have a unique number, (usually room nr.), and some instructions telling the lock the validity period of the guest key. If you just checked in it will also invalidate all previous guest keys. In some cases the card will also have additional information about your entitlements such as health club, meal plans, etc. Note that the ID number on the card is very likely linked to the hotel's property management system -- which has all of the information you gave when you made your reservation.

    2. Re:hotels by GuyFawkes · · Score: 4, Interesting

      Speaking today at the holiday inn chain of motels in the room cards definitely record the time and date the card is used, eg every time you use it to enter your room, and every wrong room you try it in.

      HTH etc

      (PS, this hotel chain still relies on PC's running windows 95b for all the booking / reservation / billing stuff.)

      --
      http://slashdot.org/~GuyFawkes/journal
    3. Re:hotels by jrumney · · Score: 1

      They don't store anything on the card (the door readers are read-only). It's all in a centralized database, so taking the card away and cutting it up does nothing to protect your privacy.

    4. Re:hotels by Anonymous Coward · · Score: 0

      Speaking today at the holiday inn chain of motels in the room cards definitely record the time and date the card is used

      Commas and grammar are your friends. How did this get modded up, it's not even a coherent thought?

    5. Re:hotels by Giggle+Stick · · Score: 0, Offtopic

      ... i'm typing this one handed while rolling a fag in my left hand.

      OK, now you're just trolling. Yes I am aware of the different meaning that English speakers have for the word fag, than American speakers.

    6. Re:hotels by Anonymous Coward · · Score: 0

      ...that is, until you realize that "GuyFawkes" is more lazy typing: he meant "GuyFawker."

    7. Re:hotels by 4of12 · · Score: 4, Insightful

      PS, this hotel chain still relies on PC's running windows 95b for all the booking / reservation / billing stuff.

      An important and practical lesson that what is good enough to get the job done gets used and used and used. No matter that it smells bad to those of us on the bleeding edge of technology.

      --
      "Provided by the management for your protection."
    8. Re:hotels by Anonymous Coward · · Score: 0

      So exactly how much memory do these cards have? Couldn't I just try it in the wrong lock 50 times to wipe out all the old records? I was under the impression that mag cards had only a few hundred bytes available.

      Or do you mean that the central DB tracks my card and keeps these records. That makes a lot more sense, but doesn't have the same kind of implications as storing this data on the card.

  11. epos by che.kai-jei · · Score: 5, Interesting

    i was going post as AC but i dont want people not taking this seriously. i have had to research this technology deeply for legitimate and non legitimate applications for different clients. the reason there is little info or programs or source code -- as mentioned in an issue of 2600.

    it is because that there is alot of poor win32 closed source software out there costing $1000 upwards!

    all pooorly written in VB and the like by programmers whose pooor coding is more than obvious once a button is pressed or a menu selected.

    ramcwin , rencode 2000 being obvious candidates.

    it seems this is one of those few areas in software applications where even on the vast breadth of the internet a conspiracy of supression of knowledge . non open code. [not that the code is worth anything to learn from] in order to force the sale of ridiclous 1000 dollar licences for extremely poor code. my project i s free open source mag stripe oswftare compatible with as many reders and writesr as possible including portable code and libraries to embed in dumb terminals for people wanting to make thin open source terminal clients for EPOS systems.

    i hate poor elite pricey specialised software.

    for instance in a few months a large electronics chain has moved over to linux for their epos. i will make sure their "custom" software does not violate the gpl. [i just applied for a job !!]

    1. Re:epos by cortana · · Score: 1

      Just remember, their "custom" software cannot violate the GPL unless they distribute it outside of the company.

    2. Re:epos by che.kai-jei · · Score: 0

      well its just that ACs just shoot their mouths off so much, y'know?

    3. Re:epos by che.kai-jei · · Score: 1

      i think they will be . my experience of their it subcontractors and their internal it team would lead me to belive they will hnce applying for a job as till operator. also i failed to mention how great the actual snoops spwftare is .

    4. Re:epos by VirtualWolf · · Score: 1
      it seems this is one of those few areas in software applications where even on the vast breadth of the internet a conspiracy of supression of knowledge . non open code. [not that the code is worth anything to learn from] in order to force the sale of ridiclous 1000 dollar licences for extremely poor code. my project i s free open source mag stripe oswftare compatible with as many reders and writesr as possible including portable code and libraries to embed in dumb terminals for people wanting to make thin open source terminal clients for EPOS systems.

      I hope your coding is better than your spelling.

      :D

    5. Re:epos by Anonymous Coward · · Score: 0

      Was the job application in English?

      If so, best of luck. You'll need it.

    6. Re:epos by dasmegabyte · · Score: 4, Informative

      Okay. Really quick: the reason niche software is expensive and yet poorly written is not because it is considered "elite." It is because there is not a lot of money in the niche. See, if you need to bring in $100k with a program, and you have an audience of 2000 people, you can easily charge $50 for it. But if your audience is only 100 people...you have to charge $1000. In a niche, you really have no way to increase the size of the market, and your market often has little choice but to pay the high cost for what's essentially one step down from custom software.

      And if you're one of the 100 people, that software might save you hours and hours of work, tens of thousands of dollars on custom software, and maybe even save you having to hire somebody. All that for $1000 is a pretty sweet deal, and doesn't seem ridiculous at all. Granted, if you could get the same thing for $50, you'd take it. But on a business scale, $1000 is fucking chump change.

      Furthermore, many niche software companies use the cheapest programmers and cheapest practices to get the job done. This means VB, which is a powerful tool when you want to make a program in less than an hour. Sloppy code is sometimes the fault of bad programmers (what do you expect, offering 35% or less than the going rate) but just as often is the fault of high pressure development. Customers paying $1000 for software are VERY insistent and many times their complaints will almost completely drive development. If Customer A asks for some feature unique to their business flow, you have to put it in, even if it doesn't make any damn sense. Our old software (which I had nothing to do with or it'd be all objects) is 20% functionality and 80% stupid business logic (if company = "company a" then ...).

      Incidentally, with Linux gaining ground in a lot of these market niches, expect to see a lot of really shitty TCL or VB code showing up in closed source Linux packages. It's lack of money that creates stupid software...

      --
      Hey freaks: now you're ju
    7. Re:epos by dasmegabyte · · Score: 1

      Er, I meant to say "TCL or Perl" code, but I thought of a much better example. PHP. PHP is another powerful tool for fast development, and there are some really HORRIBLE PHP packages out there. To the point that when we bought an ASP and discovered it ran PHP, we decided to EOL the product and write a new one. It would take less time than trying to untangle the conditional blocks...

      --
      Hey freaks: now you're ju
  12. Writing the stripe by DrStrangeLug · · Score: 5, Interesting

    Some newer card printers will actually write the magstripe as they print the card. The problem is that they're not too informative as to how you get the magstripe data into the printer to encode.

    Usually this is achieved by a setting within the printer driver which defines which stripe (of the three) to write to and how to get the data out of the printing data. The sequence is usually marked out with start and stop character sequences (on Javelin printers these are usually "${n" and "}$" for start and stop, where n is the track number.)

    This saves people the trouble of printing the cards and then writing them separately.

    1. Re:Writing the stripe by nogginthenog · · Score: 1

      *newer*? I used to work at a place about 10 years ago where we had a machine that churned out personalised (with name & photo) cards and wrote the data too.

      It was a bloody great big clunky thing attached to a DOS based PC.

  13. Storage capacity by Anonymous Coward · · Score: 5, Interesting

    Does anyone know how much data you can store on a typical strip?

    1. Re:Storage capacity by Orne · · Score: 5, Informative
      Here's a summary, but to recap:

      There are three tracks on the magstripe. Each track is .110-inch wide. The ISO/IEC standard 7811, which is used by banks, specifies:

      Track one is 210 bits per inch (bpi), and holds 79 six-bit plus parity bit read-only characters.

      Track two is 75 bpi, and holds 40 four-bit plus parity bit characters.

      Track three is 210 bpi, and holds 107 four-bit plus parity bit characters.
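The track layout in the comment above, worked through as an added example that is not part of the thread or of Stripe Snoop: raw capacity per track, and a track 2 reader that checks the parity bit of each character. The bit order (least significant bit first), odd parity, the `;` and `?` sentinels and the trailing LRC character follow the usual ISO/IEC 7811 track 2 convention and are assumptions not stated in the comment; the bit stream is constructed sample data.

```python
# Track geometry from the comment: (characters, bits per character incl. parity)
TRACKS = {1: (79, 7), 2: (40, 5), 3: (107, 5)}

END = 0xF  # '?' end sentinel (assumed ISO/IEC 7811 track 2 value)

# Constructed sample: leading clock zeros, then ";12=34?" and its LRC, then zeros.
SAMPLE_BITS = "".join([
    "0000000",
    "11010",  # ';' start sentinel (0xB)
    "10000",  # '1'
    "01000",  # '2'
    "10110",  # '=' field separator (0xD)
    "11001",  # '3'
    "00100",  # '4'
    "11111",  # '?' end sentinel (0xF)
    "10110",  # LRC: XOR of all preceding 4-bit values (0xD)
    "00000",
])
# Same stream with one flipped bit in the '3' character, as a worn stripe might read.
DAMAGED_BITS = SAMPLE_BITS[:27] + "0" + SAMPLE_BITS[28:]


def capacity_bits():
    """Raw bits per track, parity bits included."""
    return {track: chars * width for track, (chars, width) in TRACKS.items()}


def _char(group):
    """Split a 5-bit group (4 data bits LSB first, then parity) into (value, parity_ok)."""
    value = sum(int(bit) << i for i, bit in enumerate(group[:4]))
    return value, group.count("1") % 2 == 1  # odd parity over all five bits


def decode_track2(bits):
    """Return (text, errors) for a track 2 bit string of '0'/'1' characters."""
    start = bits.find("11010")  # first start sentinel after the clocking zeros
    if start < 0:
        return "", ["no start sentinel"]
    text, lrc, pos, errors = "", 0, start, []
    while pos + 5 <= len(bits):
        value, ok = _char(bits[pos:pos + 5])
        pos += 5
        if not ok:
            errors.append(f"parity error at character {len(text)}")
        text += chr(0x30 + value)  # track 2 alphabet is '0'..'?'
        lrc ^= value
        if value == END:
            break
    else:
        return text, errors + ["no end sentinel"]
    if pos + 5 > len(bits):
        return text, errors + ["missing LRC"]
    value, ok = _char(bits[pos:pos + 5])
    if not ok or value != lrc:
        errors.append("LRC mismatch")
    return text, errors


if __name__ == "__main__":
    print(capacity_bits())
    print(decode_track2(SAMPLE_BITS))
    print(decode_track2(DAMAGED_BITS))
```

With the comment's figures the three tracks hold 553, 200 and 535 raw bits, about 161 bytes in total before sentinels and check characters are subtracted.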

    2. Re:Storage capacity by Anonymous Coward · · Score: 0

      10 Megs. Enough for a few Doom 3 save games.

  14. Re:El-Off-Topic-Postino: 'Nonexistant' by Anonymous Coward · · Score: 0

    It is "Et al." by the way, as it is an abbreviation of "et alii, aliae, or alia."

    Also, et al. means "and others" or "and elsewhere" in reference to people or places in text, not a further enumeration of similar entities in a list. I believe "etc." would be grammatically correct.

    Turnabout is fair play ;)

  15. Do it the good ole way by Rosco+P.+Coltrane · · Score: 4, Interesting

    When I was at school, in the physics lab, we had a jar of very fine iron powder that was used to demonstrate ferromagnetic liquids properties. We used to pour a little on the backside of a credit card, lightly shake the credit card to spread it around, and we could see the patterns left by the magnetic record on the stripes (which, incidentally, weren't located where the visible black stripes were).

    I imagine you could do the same with any magnetic card and a little fine iron sawdust that you could make yourself with a grinder.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Do it the good ole way by xsbellx · · Score: 4, Interesting

      Buddy, when I started working we used to do this on a daily basis to get data off of damaged magnetic tapes for input to a billing system. There was a product called "Visimag" or something similar. Essentially, it was the same stuff as you used in your physics lab, iron powder suspension in some type of alcohol.

      For those who are old enough to remember such things, the tapes were 100bpi/7 track used on a Univac III. And this was the upgrade from 4 inch wide punched paper tape.

      --
      If VISTA is the answer, you didn't understand the question
    2. Re:Do it the good ole way by dbc · · Score: 2, Interesting

      I recall a product called "Magna-See" or some such. This was in the GCR tape era -- strictly 9 track, nobody was using less dense than 800 BPI in those days, in fact 800 BPI was hard to find, most were doing either 1600 BPI or GCR. I guess I am exposing myself as a youngster.

      OH, BTW -- ssg r00lz! (ssg may have been called sgr back in the Univac III days...)

    3. Re:Do it the good ole way by Animats · · Score: 1
      Oh, yes. We used Visimag when tapes were in strange formats we had trouble reading, and when the drive that wrote them had been misaligned. There was also a hand-held tape viewer, with a particle-filled liquid in suspension between a Mylar bottom and a glass window top. This could be placed against tapes. ("Aha, it's 1000 BPI 10 track phase-modulated, from a Uniservo IIIC").

      I was so glad when tape tracks became self-clocking.

    4. Re:Do it the good ole way by mdielmann · · Score: 1

      I imagine you could do the same with any magnetic card and a little fine iron sawdust that you could make yourself with a grinder.

      You're working too hard. www.sci-toys.com mentions that the easiest way for a person to get iron filings is to drag a magnet through the sand at a beach...what am I talking about? This is /.! Grind away!

      --
      Sure I'm paranoid, but am I paranoid enough?
    5. Re:Do it the good ole way by Christopher+Thomas · · Score: 1

      I imagine you could do the same with any magnetic card and a little fine iron sawdust that you could make yourself with a grinder.

      You're working too hard. www.sci-toys.com mentions that the easiest way for a person to get iron filings is to drag a magnet through the sand at a beach.

      Your particle size has to be finer than the size of the domains you're trying to look at. As another poster noted, standard magstripe cards work with domain sizes of about 5-10 mil, and the tapes mentioned by other posters have even finer domain sizes.

      When I was a kid sifting magnetite out of sand for fun, typical grain size was much larger.

  16. HOKY SHIT! THERE'S LIKE NO MAGSTRIPE INFORMATION! by Chess_the_cat · · Score: 4, Funny
    I was shocked by the lack of magstripe information.

    Maybe you were mildly surprised?

    --
    Support the First Amendment. Read at -1
  17. Re:El-Off-Topic-Postino: 'Nonexistant' by krumms · · Score: 1, Insightful

    Go do something worthwhile and interesting, like the OP did.

    Then you can come back here and bitch about grammar. :)

  18. MSR by Alioth · · Score: 4, Informative

    Having worked on retail apps, working with magstripes is a pretty trivial thing. Most magstripe readers are either RS-232 or keyboard wedge, and it's quite easy to tell where you have to look for the data you're interested in by just looking at what comes up when you swipe the kind of card you are interested in.

    The biggest problem was dealing with keyboard wedge scanners - if your app expects some kind of event, or possibly a dedicated communication channel (like a serial port) you have to muck around with keyboard hooks to make it work.

  19. Security Nightmare by Natestradamus · · Score: 0

    If cardreaders become just another peripheral, Bad Shit will take place. Security through obscurity is, or was, a valid tactic, because who in hell had a cardreader? Hopefully the banks will skip the "attempt to outlaw" phase and implement a fix right quick, because "in the meantime" isn't going to be pretty.

    --
    The only thing necessary for the triumph of evil is for good men to do nothing. --Edmund Burke
    1. Re:Security Nightmare by Anonymous Coward · · Score: 0

      Like this one? $77 + S&H from CDW? (and I'm sure you could go cheaper with a search).

    2. Re:Security Nightmare by t_allardyce · · Score: 2, Interesting

      Anyone has been able to pick up a card reader cheaply for years, most office supply places sell them and that monster-battle toy had one. Or if you can't find one in a skip you could probably make something crude from an old tape-recorder (I guess?). In fact you can pick up an old ATM too! Most people wouldn't have a clue what to do with them, even if you get to the point where you can see the bits/bytes on a computer you still have to have some basic engineering knowledge and instinct to figure out each system or know who to ask. The problem is a quick fix is never quick, most systems will be proprietary code that was written years ago and editing even the slightest thing would require a whole lot of work and money. Hopefully most systems were designed well - it's not like it's hard, just make sure you understand the premise that anything on a strip is like anything written in pencil on the front of the card: it can be seen and changed by anyone.

      --
      This comment does not represent the views or opinions of the user.
  20. Unlocking the *power*? by Anonymous Coward · · Score: 0

    Do not underestimate the power of the magstripe of the force?

  21. Better interface? by no_such_user · · Score: 5, Informative

    This project would open up to many more people if a more simplistic way of interfacing to the card reader was introduced. How 'bout via the soundcard?

    I was poking around the links provided on the site, and found this: The simplest magnetic stripe reader. He wrote software to analyze the audio generated by the card when passed over the read head. This means that any old cassette player has a chance at being used to hack magstripes! Any comments on how accurate this method is, versus the F2F decoder chips?

  22. What is REALLY on your card? by commonchaos · · Score: 5, Interesting

    I just got the idea of setting up a computer running Stripe Snoop in a public place. Put a single board computer inside, a cheap LCD and card reader outside.

    It should be made to look official and be housed in a hard-to-destroy case. It would be bolted down on the sidewalk in the middle of the night, near an ATM or in a shopping center.

    Have a big sign that says "what is REALLY on your magnetic cards?".

    If you are an art student you could pull off doing something like that and get credit for doing installation art. :-)

    1. Re:What is REALLY on your card? by CXI · · Score: 1

      Yes, and then melt into slag anyone stupid enough to swipe their card in the machine. *sigh*

    2. Re:What is REALLY on your card? by plover · · Score: 2, Insightful
      And how can I, the gullible public, tell your beneficial kiosk from Tony Soprano's clone-a-card scheme?

      I can't.

      Of course, I can't tell if Tony Soprano is behind the cash register at the local pizza joint, either. So how do I know who is cloning my Visa card, and who is a legitimate merchant?

      I can't.

      But, I still wouldn't trust this simply for the purpose of viewing my data. And I would hope that the public wouldn't, either.

      --
      John
    3. Re:What is REALLY on your card? by commonchaos · · Score: 1

      I can't say you represent the gullible public, I'd bet at least 5 people in a hundred would be curious cats.

    4. Re:What is REALLY on your card? by zempf · · Score: 5, Informative

      This was done by an art museum in Pittsburgh: see this article at Wired for details.

    5. Re:What is REALLY on your card? by ryanmfw · · Score: 1
      They're called Diebold ATMs and they are *EVERYWHERE*. Can your ATM play Beethoven?

      There were also stories about card skimmers that do exactly what you're talking about, except it doesn't tell you what your card says, it just steals the info. :-)

      --
      Hurricane Ivan: A 17th century prison collapsed. All of the inmates escaped.
  23. From all of us who will be glad to be able... by SatanicPuppy · · Score: 1

    ...to forget how to program in original basic, I thank you.

    Now, get to work on bar codes!

    I'm going to go buy a card writer, and make a million selling counterfeit Kinkos cards. BWHAHAHA!

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:From all of us who will be glad to be able... by Anonymous Coward · · Score: 0

      Here's a 37337 trick from the trade. Go to a 7/11 and buy a pack of gum. Give them a twenty dollar bill. They gives you back alot of cash cos they are stoopid! That's called social engineering. Do it often and you become rich!

    2. Re:From all of us who will be glad to be able... by Master+of+Transhuman · · Score: 1

      Barcodes? I don't understand.

      Barcodes are standardized. There are tons of programs, including freeware, that read and write barcodes. There's even a KDE-based barcode program.

      I know because I just helped implement barcodes on student ID cards at City College of San Francisco.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  24. More detailed tech discussion on BRR episode 56 by StankDawg · · Score: 2, Interesting

    Acidus was recently on episode 56 of Binary Revolution Radio (http://radio.binrev.com/) where we discussed his 2600 article and went into detail about his stripesnoop project. If anyone is interested in learning about the tech behind it or hearing about the thought processes that went into it, they should check it out.

    --
    --- The revolution will be digitized! - http://www.binrev.com/ ---
  25. Passports!!!! by erykjj · · Score: 1

    Passports... Hmm?

  26. Diaspora by Anonymous Coward · · Score: 0

    Argument by analogy is like a bullfinch with seven testicles.

    1. Re:Diaspora by WNight · · Score: 1

      Clumsy on the ground, graceful in flight, and held in great esteem by other bullfinches?

  27. knock, knock by eekygeeky · · Score: 1

    expect a gentle, yet authoritative tapping at the board beneath your lintel in the near future...the Secret Service, the Justice Dept. and the FBI all read /., ya know.

    1. Re:knock, knock by Anonymous Coward · · Score: 0

      That's why I post anonymously, line my room with that anti-EM wallpaper to prevent Tempest snooping, and quad-ROT13 all my posts.

  28. Btw by Anonymous Coward · · Score: 2, Informative

    I just visited Singapore and those guys are like ten years into the future compared to us. Everything, and I mean everything, takes debit or credit cards.

    From soda machines to subway ticket machines, etc.

    It's strange that it's almost only credit cards that's used in the US. The only ones who gain from that is Visa and Mastercard. Debit cards without any fees is the future.

    1. Re:Btw by raju1kabir · · Score: 1
      I just visited Singapore and those guys are like ten years into the future compared to us. Everything, and I mean everything, takes debit or credit cards. From soda machines to subway ticket machines, etc.

      Did you also notice the Coke machines that allow you to pay by mobile phone? There's a number written on the machine, you SMS it, they instantly SMS you back a code, and then you punch the code into the machine and get your drink. The price of the drink goes on your phone bill.

      How about the bill-payment machines in the subway stations? Slide your phone bill, water bill, whatever through the machine, it OCRs them, shows you the total, then you stick in your debit/credit card and it pays the bills for you.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    2. Re:Btw by haffi · · Score: 1

      Well we have debit cards in Iceland as well. Maestro (owned by Mastercard) and Visa Electron (owned by, surprise, Visa). Each purchase triggers a fee to MC/Visa. Debit cards are better than credit cards in that you are spending the money you own, rather than borrowing and paying a month later with interest. But debit cards are definitely not without fees.

    3. Re:Btw by flabbergast · · Score: 2, Interesting

      The parent poster is spot on that debit cards without charges is the future. About a year ago or so either Newsweek/Times/WSJ etc did an article about the fleecing of America when it came to check cards, especially when you consider it against the debit card. What's the big deal?

      The costs involved in the back end. Debit cards don't cost nearly as much as check cards do. Why? Because check cards are locked into the credit card system, that's why. It costs the store significantly more to process a credit card than it does to process your debit transaction ($1 versus $.10). It's a matter of using the Visa/MC credit processing or a regional ATM network (Cirrus, Tyme etc) to process funds. Look at this Kiplinger article about it. So why do we use it?

      Because Visa has made a HUGE push in the US to convince us that the Visa check card rocks! All those commercials with Marion Jones or the rabbits etc where using your Visa check card is better than using checks. Why? Because it's more profitable, until they pissed off Wal-Mart.

      Me? I don't use a debit or check card. I use credit cards so I don't have my checking account drained if someone gets a hold of my check card number.

      As for using a debit card to pay for a coke? Ehhh...the US is still attached to dollar bill so what hope do getting people to change? =D As for the SMS, I don't think SMS is nearly as big as SMS in Europe/the rest of the world because we get locked into $40 a month plans, so we might as well use our minutes.

    4. Re:Btw by AJWM · · Score: 1

      It's strange that it's almost only credit cards that's used in the US. The only ones who gain from that is Visa and Mastercard. Debit cards without any fees is the future.

      First of all, plenty of places in the US take debit cards. Gas pumps, grocery stores, etc.

      Secondly, I'll never carry a debit card, but I carry credit cards. If I lose it or the card is stolen, my liability on a credit card is limited to $50 (and the CC company has waived that the couple of times it happened to me). If somebody else uses my debit card, my liability is my whole bank balance.

      No thanks.

      Besides, I like the couple of weeks of float (time between when I purchase the item and when I have to pay the charge) that a credit card gives me -- and I pay the full balance on time so have no interest charges, and use a no-fee card. (Yes, there are still some of those around, and many companies will waive the annual fee if you call them up and ask them to remove it or you'll switch cards.)

      For soda or light rail (no subway here) ticket machines, I'll use the convenient, pre-printed paper slips called "dollar bills", which most machines accept.

      --
      -- Alastair
    5. Re:Btw by Carnildo · · Score: 1

      Me? I don't use a debit or check card. I use credit cards so I don't have my checking account drained if someone gets a hold of my check card number.

      I use cash.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    6. Re:Btw by flabbergast · · Score: 1

      I need the reward points. Oooo...shiny pretty things. =D

    7. Re:Btw by nojomofo · · Score: 1

      Huh. I've never (and I mean never) paid a cent of interest for a purchase on my credit card. I just pay it off every month. So the credit card company lends me money for a few weeks for free. Don't see why that's worse (for me) than a debit card.

    8. Re:Btw by bitspotter · · Score: 1

      Depending on what you mean by "credit card", I use my debit card all the time. I have accounts with three major American banks, and all come with "check cards", which pull directly from my checking accounts. One is a MC, the others Visa, and they work just like credit cards. I can't get credit, but I can use these cards anywhere that takes "credit cards", and I can get them at almost any major bank that offers consumer checking accounts.

  29. "Researching an embedded systems project..." ? by El+Kevbo · · Score: 3, Funny

    While researching for an embedded systems project (a magstripe enabled Coke machine)

    In other words you wanted to get a Coke the other day and didn't have any spare change, right? :)

  30. color codes on turnstyle information is incorrect by Anonymous Coward · · Score: 1, Informative

    the green/yellow/red indicates the type of card used. student metrocards light up one color when they are used. if a 40 year old man sets off that color, arrest him for improper use of a student's metrocard (possibly stolen or purchased illegally).

    this also indicates MTA employees and senior discounted metrocards.

    if you're blacklisted, it will be similar to when you attempt to use an empty card or an expired unlimited card... "INSUFFICIENT FARE"

  31. Blocked! by W2k · · Score: 4, Interesting

    Couldn't access the site through the computer at work, it was blocked by the Internet filter, something about "Criminal skills". Only application that seemed to have anything to do with the Internet in the taskbar was a Symantec anti-virus/internet shield app. Now why is it a "criminal skill" to know about magcard readers?

    --
    Quality, performance, value; you get only two, and you don't always get to pick.
  32. "Re-magging" by AyeRoxor! · · Score: 1

    This could save me hassle and money, as well as be an interesting hobby :)

    My debit-cards usually only last 6 months. I'm not rough with them. I take it out of my wallet, I swipe it, I put it back. I'm careful to put it between flat cards (with no raised numbers) so the strip doesn't get abused, but still, the stripe wears down. It's a week to 10 days and a nominal fee to get a new card. Imagine making card backups, reapplying some mag material, and re-magging my own card.

    Rock on.

  33. Re:Can you please supply some empty ATMs too.. by Micro$will · · Score: 1

    It's already been done in the NYC area. Some official looking guys would show up and either replace an existing working ATM or add an ATM to a store, but instead of contacting the banking institutions and dispensing cash, they would just record account and PIN data to be (ab)used later.

  34. Re:color codes on turnstyle information is incorre by mr_spatula · · Score: 1

    Because, you know, there are no students that are aged 40 or older.

  35. 2600.... by MortisUmbra · · Score: 1

    Has an article about magstripes in the issue that's on newsstands now....including sample code/diagrams for using readers and writing your own apps....fwiw

    --

    "The saddest words of mice and men, are not those which were, but should have been."
  36. PIN number stored on card? WTF? by Kurt+Gray · · Score: 1

    Call me ignorant but this is the first time I realized that the PIN number is stored directly on the magstripe on the card because I assumed no banking system would be that stupid. I assumed the bank system stored the PIN number and ATM or whatever terminal would simply transmit the PIN as entered. May as well take my money out of the bank and stuff it in coffee cans, it would be just as secure and I wouldn't be charged a service fee.

    1. Re:PIN number stored on card? WTF? by Anonymous Coward · · Score: 1, Informative

      It doesn't store your PIN number, it stores an offset.

      Well this is the standard anyway (It's been several years, so the standard name escapes me)

      It's been a while, but either the offset is added to a number the bank knows to match your PIN, or the offset is added to your PIN to match the number the bank knows. I can't remember which one it is.

      An offset is used so that the number stored on the card stays the same (it's written in the read only portion of the card), but you can change your PIN, by changing the number the bank stores.

      This is pretty old and well known standard, so the bank must be pretty cheap to encode the PIN directly (so that the machine can validate the PIN locally, rather than having to contact a central system). My advice would be to run and not look back from this "bank".

  37. Us? by juuri · · Score: 1

    Have you been to a major US city not in the midwest or south recently?

    There are debit card enabled things everywhere in NYC, Chicago, SF, etc...

    --
    --- I do not moderate.
  38. At last! by Anonymous Coward · · Score: 0

    Here is a way to make a lock for your front door that will solve the "is she 18?" problem

  39. OT: How do they power/commnuicate with the locks? by swb · · Score: 2, Interesting

    I always wondered that. I've examined the doors closely and haven't seen any way for them to power the locks or communicate with them. I presume communication would be necessary to invalidate the access previously granted to lost or compromised cards.

    I've just assumed that the power is delivered via hinges and wires buried in the door (which would mean custom doors or some sophisticated drilling to retrofit). I suppose you could have induction powering and communication of the reader via the door jamb (simplifying installs).

  40. Trust Me! by supersmike · · Score: 1

    I won't use your info for nefarious purposes... really, I won't!

  41. bravo! by Anonymous Coward · · Score: 0

    Cheers! I've been trying to research magstrip info for over 4 years. Most of the stuff that is out there is "commercial" information- anyone ever price the writers? A bit pricy for a hobby application.. Now if someone could just figure out how to add money to the Jillians Players Card...

  42. Its there, and easy to find. by blanks · · Score: 1

    I write software for kiosks, Internet, ad based etc. We deal with coin, bill, credit cards, pay per use cards etc.

    All we ever needed to do was contact the companies that we wanted to support, and they would always supply us with documentation, and even source code.

    All that we needed to say was, we want to support your and we need specifications. Within a few days we always get it...

    The main thing with this type of hardware, is 9 times out of 10 the manufacturer only supplies them to companies that will be supplying their own type of interface to the bill validator, so they always have some type of spec sheet available to developers.

  43. Re:OT: How do they power/commnuicate with the lock by smatthew · · Score: 1

    Actually they just have to change out battery packs occasionally. It's kinda like the little automatic flushers on toilets. No wires - just occasionally the batteries have to be replaced.

    --
    slashdot username - at - email.domain.name
  44. Another DMCA aplication by cbr2702 · · Score: 1

    If the data on the card is at all encrypted, then the DMCA applies and all three of your acts are illegal

    --


    This post written under Gentoo-linux with an SCO IP license.
  45. Asshats by Anonymous Coward · · Score: 0

    Asshat may have been coined by JEFFK of SA originally though.

    (On Topic: Uhmmm, beowulf cluster of linux powered magstripe reading Tenchi Muyo realdolls, attacking Darl McBride!)

    1. Re:Asshats by Anonymous Coward · · Score: 0
  46. Added layer of security by PCM2 · · Score: 1

    Don't worry, most ATM cards double as credit cards these days anyway. There's no PIN number to buy stuff with a credit card -- they make you sign your name. Scanning the PIN number off a card is difficult enough, but can you imagine the astronomical odds that your wallet will get stolen by a thief with the same name as you?

    --
    Breakfast served all day!
    1. Re:Added layer of security by Kurt+Gray · · Score: 1

      It's also a joke that anyone can use your credit card even in person, 90% of all store clerks do not check the signature with a photo ID. Even if they are brazen enough to do this in a big store with surveillance cameras they get away with it because the police are not going to bother reviewing the tape and try to catch the criminal, the cops just tell you to call your credit card company and have the charge dropped. Fraudulent credit card charges can be easily reversed when you report them. ATM withdrawals on the other hand are not so easily reversed. The robber withdraws the cash directly from your account faster than you can speak to a customer rep at the bank and the bank says "well that's too bad for you"

    2. Re:Added layer of security by mi · · Score: 1
      The robber withdraws the cash directly from your account faster than you can speak to a customer rep at the bank and the bank says "well that's too bad for you"

      $500 per day is the limit my bank places on all debit cards...

      --
      In Soviet Washington the swamp drains you.
    3. Re:Added layer of security by fallacy · · Score: 1

      Not sure about the US, but over here in ol' Blighty there's "chip and PIN" - a replacement to signatures: instead of signing for a credit/debit card transaction, the card is put into a terminal with a chip reader and you enter your pin number via a small keypad.

      ChipAndPin

    4. Re:Added layer of security by PCM2 · · Score: 2, Interesting

      Yes, I've been to Europe a few times over the last several years and was interested to see those portable credit card terminals that they bring to your table at restaurants. We have nothing of the like in the U.S. (unless you're talking some really large, fancy place that has developed its own wireless handsets for waitstaff).

      The way it was once explained to me is that it has everything to do with the ... ready for it? ... telephone system.

      In the United States, local telephone calls are essentially free. There are local points-of-presence for all the major credit card validation services, so restaurants can use a standard business phone line to call out to validate an infinite number of credit card transactions at a flat rate for phone service. Because of this, credit card infrastructure in the U.S. has been built up around automatic verification of all credit card transactions. Our credit cards don't come with smart chips or the like, because there's simply no real reason for them. The perception by industry is that it's much easier to just call up and verify your credit directly with the bank than to rely on some "unproven" technology like a smart chip.

      And so, given no smart chips, there are no "advanced" authentication schemes like the ones you mention. There are a couple of cards that have rolled out devices like you describe that you can use at home for Internet transactions, but I've never heard of a place of business that supports them. And so, it's a chicken-and-egg problem ... fancy, smart-chipped credit cards never really take off when the banks try them, because who wants a credit card that you can't count on at most restaurants etc.?

      It's much easier to launch an entire new credit card product (like Discover, which is still not accepted in Europe but was rolled out in the U.S. maybe 10 years ago) than it is to add a smart chip to Visa cards, because the new card can ostensibly use the same magnetic stripe readers with just a firmware upgrade or something.

      The other thing is, I think the cost for the credit card companies to insure themselves against fraud is a lot less than it is to implement new technology. Right now, if somebody steals your credit card in the U.S., walks into a store and purchases something with it, the merchant is going to be the one who comes up liable, nine times out of ten. The merchant will get back neither the merchandise nor the funds from the fraudulent transaction, and the credit card company goes on about its business. So where's the incentive for the credit card industry to reform its security?

      --
      Breakfast served all day!
    5. Re:Added layer of security by PCM2 · · Score: 1

      Only a month's rent? Well, never mind then.

      --
      Breakfast served all day!
  47. Re:OT: How do they power/commnuicate with the lock by Yewbert · · Score: 2, Informative
    I always wondered that. I've examined the doors closely and haven't seen any way for them to power the locks or communicate with them. I presume communication would be necessary to invalidate the access previously granted to lost or compromised cards.

    Actually, many access control card schemes incorporate an "issue code" as part of the data on the card. Once a card with a "later" issue code in a sequence is used, the lock recognizes that "earlier" issue codes are no longer valid. No communication back to a server is needed, although any other offline locks to which a given card has access of course won't be updated until the new card is used in them. The sequence of available numbers for issue codes is simply made large enough to make it impractical/improbable for someone to manage to cycle through the entire series just to cause an older card to become valid again.

    And, on the subject of communications - some locks are fully "online" (and the communications and power cables are very unobtrusive), and others are offline (and communications may be done either manually on a periodic schedule, uploading the data from a reader via a PDA and then to a server, or wirelessly through an RF transmitter). In either case for offline locks, power can be supplied by a 'pack' of several rechargeable or replaceable AA batteries. If the hardware/processor/etc., in the door is optimized enough for power consumption, a single set of 4 AAs can last several months, making the maintenance sufficiently cheap.

    I've just assumed that the power is delivered via hinges and wires buried in the door (which would mean custom doors or some sophisticated drilling to retrofit).

    That retrofitting expense is why some facilities choose the wireless or offline versions.

  48. Re:OT: How do they power/commnuicate with the lock by swb · · Score: 2, Insightful

    Once a card with a "later" issue code in a sequence is used, the lock recognizes that "earlier" issue codes are no longer valid.

    Presumably they don't honor newer issue codes UNLESS the "open" code also matches. If they did honor newer issue codes even if the open code was wrong, I could just DoS room locks when I checked in by swiping my card in everyone's lock..
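Added example, not from either poster or any lock vendor: a model of the offline lock discussed in the two comments above, where a later issue code revokes earlier cards and, as the second comment argues, the issue code only counts once the open code has matched. The class and field names, the 16-bit wrapping issue counter and the sample door codes are assumptions made for illustration.

```python
"""Offline keycard lock with issue-code revocation (added example, hypothetical names)."""
import hmac
from dataclasses import dataclass

ISSUE_SPACE = 1 << 16          # assumption: issue codes are 16-bit and wrap around


@dataclass(frozen=True)
class Card:
    open_code: bytes           # code tying the card to one door (assumed per-door)
    issue: int                 # issue code; the next card cut for the door gets issue + 1


class OfflineLock:
    """A lock with no server link: its only state is the newest issue code it has seen."""

    def __init__(self, open_code: bytes, issue: int = 0):
        self._open_code = open_code
        self.issue = issue % ISSUE_SPACE
        self.audit = []        # (issue, decision) pairs, as a manual upload would collect

    def swipe(self, card: Card) -> str:
        decision = self._decide(card)
        self.audit.append((card.issue, decision))
        return decision

    def _decide(self, card: Card) -> str:
        # The open code is checked before the issue code is even looked at, so a
        # card cut for another door cannot advance this lock and lock out its guest.
        if not hmac.compare_digest(card.open_code, self._open_code):
            return "deny: wrong open code"
        # Distance from the stored issue code, measured around the wrapping counter.
        ahead = (card.issue - self.issue) % ISSUE_SPACE
        if ahead == 0:
            return "open"
        if ahead < ISSUE_SPACE // 2:
            self.issue = card.issue % ISSUE_SPACE      # later card: revoke earlier ones
            return "open: earlier issues revoked"
        return "deny: superseded issue"


def demo():
    """Constructed scenario: one door, a departing guest, a neighbour, a new guest."""
    room_101 = OfflineLock(open_code=b"door-101-code", issue=7)
    old_guest = Card(b"door-101-code", 7)
    new_guest = Card(b"door-101-code", 8)
    neighbour = Card(b"door-102-code", 9)              # newer issue, wrong door
    swipes = (old_guest, neighbour, new_guest, old_guest, new_guest)
    return [room_101.swipe(card) for card in swipes], room_101.issue


if __name__ == "__main__":
    decisions, stored_issue = demo()
    for line in decisions:
        print(line)
    print("stored issue code:", stored_issue)
```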

  49. Offtopic by pen · · Score: 1
    I was at a Starbucks recently, trying to run down my Starbucks Card. Since it's been in my wallet for ages, the magstripe wasn't scanning very well. After a few tries, the person at the register wrapped it in Saran Wrap (I'm not kidding!) and it worked fine. This was repeated once more later in the day.

    She said her manager swears by that method.

    Any idea why this works? Does the plastic wrap just push the card a little closer to the reader?

    (For the non-USians, Saran Wrap is a thin clear plastic wrap, usually used for wrapping food items.)

    1. Re:Offtopic by Anonymous Coward · · Score: 1, Informative

      The card is not making good contact with the reader. The plastic makes the card wider and it makes better contact. The magnetic stripe is still readable through the plastic.

    2. Re:Offtopic by nacturation · · Score: 1

      After a few tries, the person at the register wrapped it in Saran Wrap (I'm not kidding!)

      Are you sure it was Saran Wrap and not, say, Reynolds Wrap, Glad Wrap, or any of the other hundreds of major name- and noname- brands (many private labeled from other brands) available outside of the mighty US of A? :)

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    3. Re:Offtopic by Anonymous Coward · · Score: 0

      Come-on, man! Every red-blooded American knows the rest of the world is still living in the stone ages! ;-P P-p-p-l-l-aaas-t-iii-c w-rrr-aaa-p? What's that? Wrapping food in? Everyone knows you use intestines for that!

  50. Re:color codes on turnstyle information is incorre by Anonymous Coward · · Score: 0

    You are telling me a 40 year old man cannot be a student???

  51. Re:color codes on turnstyle information is incorre by Anonymous Coward · · Score: 0

    Student Metrocards are intended for students still in high school or younger. College students pay full rate.

  52. Re:color codes on turnstyle information is incorre by Anonymous Coward · · Score: 0

    When the poster said "student," I'm sure he was talking about the Metrocards that the city issues to elementary and secondary students; there's no general "student" discount for Metrocards. They're usually valid for a maximum of three trips per day, and they're only valid on days that school is in session. And it's pretty unlikely that a 40-year-old would be in junior high.

  53. beware of clubs/bars swiping your drivers license by davidsyes · · Score: 1

    Hmmm...

    Pretty soon, we'll see a market of "Collision Protection" card swipers. Get into a vehicular incident (there are RARELY any "accidents", hence we need to get rid of that "ego assuaging" term and call it what it is... an incident) and drivers will be compelled by state vehicle code to swipe one another's stripes. But, imagine nefarios staging accidents to swipe targeted victim's information. This could become the newest form of fraud, theft and abuse (or, a tool of extortion, bribery, blackmail, and robbery).

    ==========

    Back around 2000 or 2001 I was listening to NPR, I believe.

    The topic was about identity cards or such, and there was somewhere in the conversation the mention that east coast bars/night clubs would swipe the entrants' driver's license, ostensibly for 2 main reasons:

    1. keep out the underaged
    2. keep out those previously ejected

    However, someone mentioned having mysteriously received "Happy Birthday" and "Thank you for being a repeat customer... Here is a free pass..."

    One club being interviewed (I think it was in New York or Massachusetts) sternly claimed it was not violating privacy information, and that anyway it had a right to identify and screen its customers or those attempting to enter, mainly to avoid underage drinking and other issues. They claimed they were not abusing information.

    That set off bells of wariness and anger in me.

    NO club or bar has any business recording the information on a mag stripe. To my mind, that stripe should only be read by government agencies, such as law enforcement or SSA (Social Security Administration) or Motor Vehicles Depts (after all, they are issuing it) and maybe the vehicle owner's or user's insurer, or by medical emergency units trying to save someone's life.

    But, I had resolved to NEVER patronize a club or entertainment venue that tries to swipe my card. My mind is set that when I show it, I hold it and tilt it for the hologram to reveal itself, and I ask what they are going to do with it or whether it is going to be mag-read.

    It's just too goddam bad, but bars have no reason to see the stripe's contents. They only need to have read-only, not read-record-compile rights. Marketing and advertising are an abuse of the DL, and screening and rejecting is just a smoke screen to justify their acts with minimal rejection by a sheepish crowd that cannot give up clubbing but can give up their privacy information.

    Before 9/11, it was illegal for anyone, and almost any non-person entity to read and record and use this information for non-government reasons. The SSN used to be afforded this level of privacy until companies and colleges began abusing the hell out of it.

    Should I ever patronize a facility that later is the instigator behind mail campaigning me for anything, I will find some section of law to sue them out of existence (not to get rich, but to punish them for information abuse).

    Anyway, at the time, west coast clubs were testing it, but were not reported to have been crazy about it. I guess clubs are just trying to streamline things for the bouncers, but maybe they need better-paid or committed bouncers.

    Come to think of it, many clubs hire/rent cops who stand there in uniform, intimidating would-be troublemakers to leave or behave. Given the presence of uniformed police, THEY should be the ones inspecting and determining the validity of the driver's license when presented. But, usually, the bars will confiscate it and call the police.

    David Syes

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  54. Free Photocopying by gavinjolly · · Score: 1

    At university (College for you Americans) we had photocopy cards. You could use the machines to load money onto them by inserting your card and the $$notes.

    Some bright cookie discovered you could scratch off one part of the mag strip, insert the card in the old reader on a photocopier and then your card has a $40 balance. Free photocopying for 1 year.

    Feel bad about it now as it was theft.

    --

    The weathers here - Wish you were beautiful

  55. Some misinformation here by Old+Wolf · · Score: 2, Interesting

    From the site's FAQ:

    Q: Why is keyboard based reader support so primitive?

    A: Keyboard based readers, while cheap and easy to interface, have several problems. First off, the reader simply decodes each track that is present, from 1 to 3, appending each track to the next. No dividing characters are used, so it is very difficult to determine where the decode for 1 track ends and the next begins. Not being able to reliably separate the track data means we can't analyze it using our card database. For now, Keyboard based readers work best with cards that only have 1 track.

    The keyboard-based reader I have, has dip-switches on it so you can put start and end markers around each track, and select which track you want. Sounds like the guy hasn't done much research on available card readers (or available card writers).

    Also, the mag card format is an ISO standard so it isn't as if there is any mysterious behaviour going on here (apart from the non-standard card he mentioned).

    Finally, in case anyone was under the wrong impression, having a mag card writer doesn't mean you can break anyone's bank account (bank cards don't contain security information). The worst you could do would be to copy someone else's card for a building security system, then rob it and try and blame the other guy (somehow I don't think this would be too successful).

  56. Tons of documentation available by rhall_impossibilitie · · Score: 2, Interesting

    I do a lot of kiosk and interactive exhibit work that utilizes magnetic stripe readers for a variety of purposes, from Fujitsu and NCR ATM machines, to POS systems from Symbol and @POS, to serial readers from MagTech to off the shelf keyboard wedge readers from ID Tech, and I never managed to run across Acidus' site when doing research. His app StripeSnoop looks fairly interesting as a tool.

    I wanted to point out that there is in fact a TON of information out there available from vendors and standards organizations from credit card track formatting, to ISO specs to you name it, they are all online. It's been said before, but you just need to spend a few minutes with google or talking to your hardware or software vendor and you can find what you need, you just need to dig around a bit.

    As an example, I recently spoke on the topic of Kiosks and Interactive exhibits at FlashForward 2004 in NY and along with some other things, I demonstrated an application for capturing track data from a keyboard wedge based card reader, and used the freely available specs from AAMVA (American Association of Motor Vehicle Administrators) http://www.aamva.org and their specs available here to decode drivers license information that conforms to their standard of encoding. I have used this in a couple of recent applications. I'm about to post up a version that decodes the most useful bits of credit card info (name, card number, expiration) that would be useful for integrating into POS systems, kiosks, etc.

    The source files (everything is done in Macromedia Flash Mx 2004 - yes not a lot of Flash fans on slashdot - but this is another example of how to use Flash for REAL applications) and more information can be found here: http://www.impossibilities.com/blog/entry_blog-155.php - everything is released under Creative Commons Attribution-NonCommercial-ShareAlike 2.0 License - so have at it and start experimenting.

    It should be fairly simple to add in support for just about any type of track data you want to work with, at least data types that are compatible with keyboard wedge devices - it's really just string manipulation and all you need to know are the rules for decoding the data. I use ID Tech's Omni Reader - a USB device that supports all three tracks and barcodes (including infrared barcodes) in one simple USB keyboard wedge device. In the example I put together, you'll also find an application for using off the shelf bar code scanners like Symbol's - that also hook up via a keyboard wedge interface - to look up UPC info from the free UPC Internet Database. Enjoy! -Rob
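
The track-separation problem quoted in comment 55 and the "just string manipulation" decoding described in comment 56, as an added example (not code from either poster, from Stripe Snoop, or from the Flash sources linked above). It assumes the wedge reader is configured to emit the ISO/IEC 7811 start and end sentinels and that the card follows the ISO/IEC 7813 financial layout; the function names and the sample swipe are constructed for illustration.

```python
import re

# ISO/IEC 7811 sentinels: track 1 is "%...?", track 2 is ";...?".
TRACK_RE = re.compile(r"%[^?]*\?|;[^?]*\?")
# ISO/IEC 7813 financial layouts: PAN, name, YYMM expiry, 3-digit service code.
T1_RE = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?$")
T2_RE = re.compile(r"^;(\d{1,19})=(\d{2})(\d{2})(\d{3})[^?]*\?$")

# Constructed sample (industry test number, fictitious holder), not a real card.
SAMPLE = "%B4111111111111111^DOE/JANE^30121010000000000?;4111111111111111=30121010000000000?\n"


def split_tracks(raw):
    """Split one wedge keystroke burst into tracks; fail if boundaries are unknowable."""
    raw = raw.strip()
    tracks = TRACK_RE.findall(raw)
    if not tracks or "".join(tracks) != raw:
        raise ValueError("sentinels missing: cannot tell where one track ends")
    return tracks


def luhn_ok(pan):
    """Luhn check-digit test used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def parse_swipe(raw):
    """Return name, masked PAN, expiry and two validation flags for a swipe."""
    fields, pans = {}, []
    for track in split_tracks(raw):
        m1, m2 = T1_RE.match(track), T2_RE.match(track)
        if m1:
            fields["name"] = m1.group(2).strip()
        m = m1 or m2
        if not m:
            raise ValueError("track is not in the financial layout")
        pans.append(m.group(1))
        yy, mm = (m.group(3), m.group(4)) if m1 else (m.group(2), m.group(3))
        fields["expiry"] = f"{mm}/{yy}"
    pan = pans[0]
    # Keep only first six and last four digits so logs never hold a full PAN.
    fields["pan_masked"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    fields["luhn_ok"] = luhn_ok(pan)
    fields["tracks_agree"] = len(set(pans)) == 1  # mismatch suggests an altered stripe
    return fields
```

With the sentinels switched off, the same swipe arrives as one undelimited string and `split_tracks` raises rather than guessing, which is the limitation the quoted FAQ describes.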

  57. Barcode READERS. by SatanicPuppy · · Score: 1

    I've had to program two different types of barcode readers that run on a modified version of original basic. A real nightmare to tie into a unified datacollection model.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  58. For big purchases? by tepples · · Score: 1

    Then how would one buy a new PC or other large appliance with a debit card issued by your bank? A $500 limit isn't "easy as Dell." Or can a customer call ahead and authorize a specific large debit?

    1. Re:For big purchases? by Anonymous Coward · · Score: 0

      My debit card has a £250 limit on cash machines (ATM) but no limit on purchases.

    2. Re:For big purchases? by mi · · Score: 1

      The $500 limit is on cash withdrawals. In case of purchases, they have some heuristic algorithm, which has once prevented me from -- exactly -- buying the second pair of monitors from Dell.

      I had to call the bank and remove the block they placed on my account.

      Unlike with a credit card, of course, I'd still be liable for any unauthorized purchases/withdrawals, that went through. But it is not like banks don't care as other posters here alleged.

      The security of CCs doesn't come free -- it is paid for by the huge rates and, in my case, huge fees for minor "offenses". That's why I prefer the debit card -- no checks to mail at the end of the month.

      --
      In Soviet Washington the swamp drains you.