Slashdot Mirror


Unlocking The Power Of the Magstripe

Acidus writes "While researching for an embedded systems project (a magstripe enabled Coke machine), I was shocked by the lack of magstripe information: programs/code that would run on a modern OS were all but nonexistent, articles that were 6-10 years old, etc. Further research proved hard, because I had become Google's authoritative source. So Stripe Snoop was born, and is now at 1.5. Stripe Snoop is a suite of research tools that captures, modifies, validates, generates, analyzes, and shares magstripe data, with an ever-growing database of card formats. Decoding everything from driver's licenses to banking cards, its features can analyze non-standard cards, such as NYC's Metrocard."

18 of 224 comments

  1. Working link by Zorilla · · Score: 5, Informative

    Here's the real link to the article:

    Linky.

    --

    It would be cool if it didn't suck.
  2. Re:Good link checking, well done the mods... by LiquidCoooled · · Score: 5, Informative
    --
    liqbase :: faster than paper
  3. Re:Also in 2600 by pacc · · Score: 4, Informative

    Linked from the Stripe Snoop page:

    An article I wrote that is being published in the Summer 2004 issue of 2600 that is all about magstripe interfacing. This provided the basis for Stripe Snoop. Another application is this homebrew coke machine I built.

  4. MSR by Alioth · · Score: 4, Informative

    Having worked on retail apps, working with magstripes is a pretty trivial thing. Most magstripe readers are either RS-232 or keyboard wedge, and it's quite easy to tell where you have to look for the data you're interested in by just looking at what comes up when you swipe the kind of card you are interested in.

    The biggest problem was dealing with keyboard wedge scanners - if your app expects some kind of event, or possibly a dedicated communication channel (like a serial port) you have to muck around with keyboard hooks to make it work.

  5. Re:How long before DMCA is used? by hackstraw · · Score: 2, Informative

    Magstripes are terribly insecure. They are a reprogrammable single number on a card. Do you know why at retail stores they scan your card, and then put in the last 4 digits manually? And wonder why those 4 digits are under a hologram? It's because it's trivial to reprogram one of these with a new number. A new magstripe writer costs like $500 or $600. Trust me, I could get a pretty return on investment with that upfront cost. CC numbers all have some kind of checksumming algorithm with them, and if someone put a random valid number on a card, it still would not match the last 4 numbers. I've heard that phonecards in Europe had to go with smartcards because people were getting fake magstripe cards.

    I'm actually shocked that magstripe reprogramming is not more common. Since CCs are taken everywhere now, and most of them are self swipe, hmm....

  6. Re:Not Difficult At All by wackysootroom · · Score: 4, Informative

    Here's a fine guide on serial port programming from none other than the guys who brought us the cups printing system:
    Serial Programming Guide for POSIX Operating Systems

  7. Re:So wait, how do i hack my metrocard? by bellevueGeek · · Score: 5, Informative

    Actually it is a federal offense since it would be considered counterfeiting, but what is even more interesting is the security they have in place to stop that.

    Remember when it first came out and the cards were blue? Apparently a bunch of people figured out that you could dupe $50 of value onto used ones, and sell them to idiots on the platform. They would swipe it to show the dope there was a value and get cash for it.

    I sat in on a security lecture once where the expert discussed the complexities of preventing unauthorized use in a system that big. Basically every time you swipe it writes back to your card and a log at that turnstile. Every 5 minutes or so that log is uploaded to a regional center and that in turn is uploaded to a central location. They then can detect things like if a card is used in more than one location, or if more than once in n minutes. If one of these potentially illegal conditions exists the system can add your card to a blacklist and push it back out to the turnstiles all in under 11 minutes.

    The cooler thing is that then when you use a modified card that was blacklisted the little color lights on the opposite side flash yellow or red instead of green, alerting the police who like to stand and watch people try to jump or squeeze by to pick you up.

    I thought it was a brilliant use of a relatively old and low-security technology.

    --

    All ye all ye outs in free!
  8. Better interface? by no_such_user · · Score: 5, Informative

    This project would open up to many more people if a simpler way of interfacing to the card reader was introduced. How 'bout via the soundcard?

    I was poking around the links provided on the site, and found this: The simplest magnetic stripe reader. He wrote software to analyze the audio generated by the card when passed over the read head. This means that any old cassette player has a chance at being used to hack magstripes! Any comments on how accurate this method is, versus the F2F decoder chips?

  9. Re:Storage capacity by Orne · · Score: 5, Informative
    Here's a summary, but to recap:

    There are three tracks on the magstripe. Each track is .110-inch wide. The ISO/IEC standard 7811, which is used by banks, specifies:

    Track one is 210 bits per inch (bpi), and holds 79 six-bit plus parity bit read-only characters.

    Track two is 75 bpi, and holds 40 four-bit plus parity bit characters.

    Track three is 210 bpi, and holds 107 four-bit plus parity bit characters.

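The bit-level side of what the thread keeps circling around (the F2F audio decoding of comment 8, the track-2 layout of comment 9, the 5-bit ABA encoding of comment 11, and the "checksum but no last-four" point of comment 5) in one runnable pipeline. This is an added example, not Stripe Snoop code and not from any poster: it turns constructed flux-transition intervals into bits, bits into ISO/IEC 7811 track-2 characters with parity and LRC checks, and then runs the Luhn mod-10 check on the PAN. The cell period of 100 time units and the test PAN 4111111111111111 are assumptions for illustration, not real card data.

```python
# Added worked example for this thread (not Stripe Snoop code): the path from
# flux transitions on a track-2 stripe to a checked PAN. Track 2 per ISO/IEC
# 7811: 5-bit characters (4 data bits LSB first + odd parity), start sentinel
# ';', field separator '=', end sentinel '?', then an LRC character. All input
# is constructed; PAN 4111111111111111 is a Luhn-valid test number only.

TRACK2_CHARSET = "0123456789:;<=>?"   # character value 0x0-0xF = ASCII 0x30 + value
START, FS, END = ";", "=", "?"


def encode_char(ch):
    """4 data bits LSB first, then a parity bit making the number of ones odd."""
    v = TRACK2_CHARSET.index(ch)
    bits = [(v >> i) & 1 for i in range(4)]
    return bits + [1 - sum(bits) % 2]


def char_value(group):
    """Inverse of encode_char; raises on a truncated group or a parity error."""
    if len(group) != 5 or sum(group) % 2 != 1:
        raise ValueError("bad or truncated character %r" % (group,))
    return sum(b << i for i, b in enumerate(group[:4]))


def encode_track2(payload, clocking_zeros=10):
    """payload is everything between the sentinels: PAN + '=' + YYMM + SC + DD."""
    text = START + payload + END
    bits, lrc = [0] * clocking_zeros, 0
    for ch in text:
        lrc ^= TRACK2_CHARSET.index(ch)          # LRC covers the sentinels too
        bits += encode_char(ch)
    return bits + encode_char(TRACK2_CHARSET[lrc]) + [0] * clocking_zeros


def bits_to_intervals(bits, cell=100):
    """F2F (Aiken biphase): one flux transition at every bit-cell boundary plus
    one mid-cell for a '1'. Returns the time between successive transitions."""
    out = []
    for b in bits:
        out += [cell // 2, cell // 2] if b else [cell]
    return out


def intervals_to_bits(intervals):
    """Decode F2F with an adaptive cell estimate: the first interval is taken to
    be a full-cell clocking zero, and each decoded cell re-seeds the estimate so
    that swipe speed may drift. Two short intervals must come as a pair."""
    bits, cell, i = [], intervals[0], 0
    while i < len(intervals):
        t = intervals[i]
        if t > 0.75 * cell:                      # long interval: a 0 cell
            bits.append(0); cell = t; i += 1
        else:                                    # short: must pair with another
            if i + 1 == len(intervals) or intervals[i + 1] > 0.75 * cell:
                raise ValueError("F2F framing error at transition %d" % i)
            bits.append(1); cell = t + intervals[i + 1]; i += 2
    return bits


def decode_track2(bits):
    """Locate the start sentinel, read to the end sentinel verifying parity on
    every character and the LRC after it, and return the text between sentinels."""
    start = encode_char(START)
    pos = next((i for i in range(len(bits) - 4) if bits[i:i + 5] == start), None)
    if pos is None:
        raise ValueError("start sentinel not found")
    chars, lrc = [], 0
    while True:
        v = char_value(bits[pos:pos + 5])        # raises if the stripe runs out
        pos, lrc = pos + 5, lrc ^ v
        chars.append(TRACK2_CHARSET[v])
        if chars[-1] == END:
            break
    if char_value(bits[pos:pos + 5]) != lrc:
        raise ValueError("LRC mismatch")
    return "".join(chars[1:-1])


def parse_track2(payload):
    pan, _, rest = payload.partition(FS)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7],
            "discretionary": rest[7:]}


def luhn_ok(pan):
    """Mod-10 check on the PAN: catches transcription errors, not forgery."""
    total = 0
    for i, d in enumerate(reversed(pan)):
        n = int(d) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0


def read_swipe(intervals):
    """What a reader hands the POS application: parsed fields plus Luhn result."""
    fields = parse_track2(decode_track2(intervals_to_bits(intervals)))
    fields["luhn_ok"] = luhn_ok(fields["pan"])
    return fields


if __name__ == "__main__":
    swipe = bits_to_intervals(encode_track2("4111111111111111=25121011234567890"))
    print(read_swipe(swipe))
```

Every check in the pipeline (parity, LRC, Luhn) is an integrity check against read errors, not an authenticity check: a stripe re-encoded with a different Luhn-valid PAN passes all three, which is exactly why the clerk keys in the embossed last four digits.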
  10. Btw by Anonymous Coward · · Score: 2, Informative

    I just visited Singapore and those guys are like ten years into the future compared to us. Everything, and I mean everything, takes debit or credit cards.

    From soda machines to subway ticket machines, etc.

    It's strange that it's almost only credit cards that's used in the US. The only ones who gain from that is Visa and Mastercard. Debit cards without any fees is the future.

  11. Re:How long before DMCA is used? by Anonymous Coward · · Score: 4, Informative
    A magstripe writer new costs like $500 or $600.

    True. Some are even more. I worked at a security company a few years ago testing, among other things, mag-stripe cards/readers/interfaces. We used American Magnetics' (I believe) Model 700's - and that 700 was roughly equivalent to the base-model price. It depended, of course, on whether you bought the models that could read just one stripe, two stripes, or all three stripes on a standard card - the 3-stripers were more, of course, but for some purposes unnecessary. For example, another tester and I duplicated the first two stripes of his ATM card (ignoring the third because either we didn't know what character set it was encoded in, or else we didn't yet have access to a 3-stripe reader/writer, I forget which), and successfully used it in an ATM (just to do a balance inquiry - not to actually withdraw cash - we were too afraid of setting off some kind of alarm). We'd suspected that would work beforehand, since the first two stripes were in ABA (American Bankers' Association) 7-bit (or was it 5-bit? - it's been three years, and I've slept since then) and the third stripe wasn't, so therefore probably not used for banking applications. We were satisfied enough when it succeeded to not experiment further.

    But, with that in mind, it's immediately clear that you could earn back the initial hardware investment in a big hurry if you were of a black-hat kind of mind-set.

    One of the more interesting/cute little facts when you're working with mag-stripe cards is that, to determine where some failures lie, you can use a spray-can of very fine iron or iron-oxide dust (basically, rust) to spray on the stripe and actually SEE the encoded magnetic patterns. If the patterns are sharp, then it's the reader's fault; if the patterns aren't there, then it's the card's fault.

    Here's another project for someone with a bit more in-depth hardware knowledge than I have: figure out what encoding scheme is on the thin little cards used at some arcades where you buy credit on a proprietary card - I tried reading one of those in a 3-stripe reader and got unreadable, inconsistent and totally useless results.

  12. color codes on turnstile information is incorrect by Anonymous Coward · · Score: 1, Informative

    the green/yellow/red indicates the type of card used. student metrocards light up one color when they are used. if a 40 year old man sets off that color, arrest him for improper use of a student's metrocard (possibly stolen or purchased illegally).

    this also indicates MTA employees and senior discounted metrocards.

    if you're blacklisted, it will be similar to when you attempt to use an empty card or an expired unlimited card... "INSUFFICIENT FARE"

  13. Re:epos by dasmegabyte · · Score: 4, Informative

    Okay. Really quick: the reason niche software is expensive and yet poorly written is not because it is considered "elite." It is because there is not a lot of money in the niche. See, if you need to bring in $100k with a program, and you have an audience of 2000 people, you can easily charge $50 for it. But if your audience is only 100 people...you have to charge $1000. In a niche, you really have no way to increase the size of the market, and your market often has little choice but to pay the high cost for what's essentially one step down from custom software.

    And if you're one of the 100 people, that software might save you hours and hours of work, tens of thousands of dollars on custom software, and maybe even save you having to hire somebody. All that for $1000 is a pretty sweet deal, and doesn't seem ridiculous at all. Granted, if you could get the same thing for $50, you'd take it. But on a business scale, $1000 is fucking chump change.

    Furthermore, many niche software companies use the cheapest programmers and cheapest practices to get the job done. This means VB, which is a powerful tool when you want to make a program in less than an hour. Sloppy code is sometimes the fault of bad programmers (what do you expect, offering 35% or less than the going rate) but just as often is the fault of high pressure development. Customers paying $1000 for software are VERY insistent and many times their complaints will almost completely drive development. If Customer A asks for some feature unique to their business flow, you have to put it in, even if it doesn't make any damn sense. Our old software (which I had nothing to do with or it'd be all objects) is 20% functionality and 80% stupid business logic (if company = "company a" then ...).

    Incidentally, with Linux gaining ground in a lot of these market niches, expect to see a lot of really shitty TCL or VB code showing up in closed source Linux packages. It's lack of money that creates stupid software...

    --
    Hey freaks: now you're ju
  14. Re:So wait, how do i hack my metrocard? by fishbowl · · Score: 2, Informative

    "Actually it is a federal offense since it would be considered counterfeiting"

    I'd expect it to be a forgery offense, against the State of New York (if you're talking about NYC Metrocards), but I hardly think the Federal Government has a case here, unless maybe you traffic in counterfeit metrocards across state lines or something. See, the NYC transportation department isn't a federal agency, and the card isn't a federal reserve note.

    Still a bad idea of course, New York's justice system being just as scary as federal...

    "They would swipe it to show the dope there was a value and get cash for it."

    You didn't mention whether or not it would get you on the train.

    --
    -fb Everything not expressly forbidden is now mandatory.
  15. Re:What is REALLY on your card? by zempf · · Score: 5, Informative

    This was done by an art museum in Pittsburgh: see this article at Wired for details.

  16. Re:OT: How do they power/communicate with the lock by Yewbert · · Score: 2, Informative
    I always wondered that. I've examined the doors closely and haven't seen any way for them to power the locks or communicate with them. I presume communication would be necessary to invalidate the access previously granted to lost or compromised cards.

    Actually, many access control card schemes incorporate an "issue code" as part of the data on the card. Once a card with a "later" issue code in a sequence is used, the lock recognizes that "earlier" issue codes are no longer valid. No communication back to a server is needed, although any other offline locks to which a given card has access of course won't be updated until the new card is used in them. The sequence of available numbers for issue codes is simply made large enough to make it impractical/improbable for someone to manage to cycle through the entire series just to cause an older card to become valid again.

    And, on the subject of communications - some locks are fully "online" (and the communications and power cables are very unobtrusive), and others are offline (and communications may be done either manually on a periodic schedule, uploading the data from a reader via a PDA and then to a server, or wirelessly through an RF transmitter). In either case for offline locks, power can be supplied by a 'pack' of several rechargeable or replaceable AA batteries. If the hardware/processor/etc., in the door is optimized enough for power consumption, a single set of 4 AAs can last several months, making the maintenance sufficiently cheap.

    I've just assumed that the power is delivered via hinges and wires buried in the door (which would mean custom doors or some sophisticated drilling to retrofit).

    That retrofitting expense is why some facilities choose the wireless or offline versions.

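The issue-code revocation described in the comment above, as an added example (not from the thread or any lock vendor's firmware). Each card carries a card ID and an issue code; a lock remembers the highest issue code it has seen per card and refuses anything lower, so a lost card stops working at a lock the moment its replacement is presented there, while a lock that has not yet seen the replacement still accepts the old card. The names, the 16-bit code width and the card IDs are assumptions for illustration; this version never wraps the sequence, so an old card can only come back if someone reissues past the 16-bit range.

```python
# Added example (not from the thread): offline "issue code" revocation for an
# access-control lock with no network link. Card IDs, lock names and the
# ISSUE_BITS width are illustrative assumptions.

ISSUE_BITS = 16


class OfflineLock:
    def __init__(self, name, permitted_card_ids):
        self.name = name
        self.permitted = set(permitted_card_ids)
        self.highest_issue = {}          # card_id -> highest issue code seen here

    def present(self, card_id, issue):
        """Return True (unlock) if the card is permitted and not superseded."""
        if card_id not in self.permitted or not 0 <= issue < (1 << ISSUE_BITS):
            return False
        if issue < self.highest_issue.get(card_id, 0):
            return False                 # an earlier issue: this card was replaced
        self.highest_issue[card_id] = issue   # later or equal issue: remember it
        return True


def lost_card_scenario():
    """Holder of card 1001 can open two offline locks; card issue 3 is lost and
    replaced by issue 4, and the replacement is only ever used at the lobby."""
    lobby = OfflineLock("lobby", {1001})
    lab = OfflineLock("lab", {1001})
    lost, replacement = (1001, 3), (1001, 4)
    return {
        "lost_before_replacement": lobby.present(*lost),
        "replacement_at_lobby": lobby.present(*replacement),
        "lost_at_lobby_after": lobby.present(*lost),      # superseded here
        "lost_at_lab_after": lab.present(*lost),          # lab never saw issue 4
        "unknown_card": lab.present(2002, 1),
    }


if __name__ == "__main__":
    for step, opened in lost_card_scenario().items():
        print("%-26s %s" % (step, "opened" if opened else "denied"))
```

The window in which the lost card still opens the lab is the trade-off the comment mentions: it closes only when the replacement card is actually used there, or when the lock is next synchronised by hand or over RF.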
  17. Re:Offtopic by Anonymous Coward · · Score: 1, Informative

    The card is not making good contact with the reader. The plastic makes the card wider and it makes better contact. The magnetic stripe is still readable through the plastic.

  18. Re:PIN number stored on card? WTF? by Anonymous Coward · · Score: 1, Informative

    It doesn't store your PIN number, it stores an offset.

    Well this is the standard anyway (It's been several years, so the standard name escapes me)

    It's been a while, but either the offset is added to a number the bank knows to match your PIN, or the offset is added to your PIN to match the number the bank knows. I can't remember which one it is.

    An offset is used so that the number stored on the card stays the same (it's written in the read only portion of the card), but you can change your PIN, by changing the number the bank stores.

    This is a pretty old and well known standard, so the bank must be pretty cheap to encode the PIN directly (so that the machine can validate the PIN locally, rather than having to contact a central system). My advice would be to run and not look back from this "bank".