Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unlocking The Power Of the Magstripe

Posted by timothy on from the slurp dept.

Acidus writes "While researching for an embedded systems project (a magstripe enabled Coke machine), I was shocked by the lack of magstripe information: Programs/code that would run on a modern OS were all but nonexistant, articles that were 6-10 years old, etc. Further research proved hard, because I had become google's authoritative source. So Stripe Snoop was born, and is now at 1.5 . Stripe Snoop is a suite of research tools that captures, modifies, validates, generates, analyzes, and shares magstripe data, with an ever-growing database of card formats. Decoding everything from driver's licenses to banking cards, its features can analyze non-standard cards, such as NYC's Metrocard."

15 of 224 comments (clear)

  1. Also in 2600 by Noryungi · · Score: 5, Interesting


    There was also an interesting article in this summer 2600 magazine about magstrips. Some information and code were supplied...

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:Also in 2600 by shepmaster · · Score: 4, Interesting

      I consider myself lucky, in that I have met Acidus in person, and have actually shared a class with him. It was an embedded programming class, and we each had to do a semester project. As mentioned in the blurb, his project was a Coke dispenser that worked off magstripe technology.

      What was far more interesting was the software backend he developed to run the system. It was very professional, and the software itself incorporated some intrigueing concepts, such as what to do when the system was cut off from the real world. I hope Acidus will care to chime in and explain some more of his higher-level ideas.

      One thing that I was impressed with was the security concerns that he evidently thought of. Unlike other programmers I know, security was not an afterthought, but incorporated into the design (this was also evidenced in his Blackboard dissection, previously discussed on Slashdot).

      I hope that Acidus has a chance to go far, he is one of those bright young Computer Scientists with a good future in front of him.

      Cheers!

  2. Not Difficult At All by Anonymous Coward · · Score: 5, Interesting

    Hey all...

    I have worked with developing Linux-based solutions with products from MagTek (manufacturer of hundreds of devices like stripe and card/check readers) and I have to point out that you may not find much information on the subject because the programming for such is so simplistic that a manual is not really needed. I am curious if other products from other providers work in a similar fashion.

    MagTek devices will decode the stripes for you. The data contained within is sent to the computer in serialized format, so once the string of characters is received, you simply have to break the data into whatever pieces you need by looking for sentinal characters in ISO-defined positions. A dozen lines of code at most will handle this under most common programming languages.

    When I was approached by my former employer to create a product with Linux and MagTek devices, (in mid-2000) I found absolutely no documentation on the devices whatsoever on the Net other than sales literature. The customer support personel did send me several pages of specs and such via FedEx Overnight, and when I received them, I saw that most of their then-current product line operated in a similar manner.

    If possible, connect your reader device to some sort of I/O port and watch the data that is sent to the port with a terminal program (serial I/O in this case, similar methods used for parallel and USB-style interfaces...) Perform enough tests, and you should be able to get a more than adequate idea on how to parse the data sent.

    In case you are really curious, go look at the older (now defunct?) Serial I/O HowTo at linux.org (or one of the mirrors). There are more than enough examples within to show you how to handle any type of serial-based interfacing project.

    Hope this helps...

    Brian

    1. Re:Not Difficult At All by 1shooter · · Score: 4, Interesting

      I work with this stuff all the time. Mag stripes typically have up to 3 tracks of information encoded. Usually all the data is in tracks one and two and of the many millions of cards the company has encode and shipped, none have used track three. The hardest part about decoding data is writing the regular expression to parse in to 3 lines. Now what you do with the data is whole nother thing.

      --
      6F 9E A9 1E 96 9F 74 27 ED B8 81 6D 0C 4E 1E 78
      My other Sig is a 229.
  3. epos by che.kai-jei · · Score: 5, Interesting

    i was going post as AC but i dont want people not taking this seriously. i have had to research this technology deeply for legitimate and non legitimate applications for different clients. the reason there is little info or programs or source code -- as mentioned in an issue of 2600.

    it is because that there is alot of poor win32 closed source software out there costing $1000 upwards!

    all pooorly written in VB and the like by programmers whose pooor coding is more than obvious once a button is pressed or a menu selected.

    ramcwin , rencode 2000 being obvious candidates.

    it seems this is one of those few areas in software applications where even on the vast breadth of the internet a conspiracy of supression of knowledge . non open code. [not that the code is worth anything to learn from] in order to force the sale of ridiclous 1000 dollar licences for extremely poor code. my project i s free open source mag stripe oswftare compatible with as many reders and writesr as possible including portable code and libraries to embed in dumb terminals for people wanting to make thin open source terminal clients for EPOS systems.

    i hate poor elite pricey specialised software.

    for instance in a few months a large electronics chain has moved over to linux for their epos. i will make sure their "custom" software does not violate the gpl. [i just applied for a job !!]

  4. Writing the stripe by DrStrangeLug · · Score: 5, Interesting

    Some newer card printers will actually write the magstripe as they print the card. The problem is that they're not too informative as to how you get the magstripe data into the printer to encode.

    Usually this is achieved by a setting within the printer driver which defines which stripe (of the three) to write to and how to get the data out of the printing data. The sequence is usually marked out with start and stop character sequences (on Javelin printers these are usually "${n" and "}$" for start and stop, where n is the track number.)

    This saves people the trouble of printing the cards and then writing them seperately.

  5. Storage capacity by Anonymous Coward · · Score: 5, Interesting

    Does anyone know how much data you can store on a typical strip?

  6. Do it the good ole way by Rosco+P.+Coltrane · · Score: 4, Interesting

    When I was at school, in the physics lab, we had a jar of very fine iron powder that was used to demonstrate ferromagnetic liquids properties. We used to pour a little on the backside of a credit card, lightly shake the credit card to spread it around, and we could see the patterns left by the magnetic record on the stripes (which, incidently, weren't located where the visible black stripes were).

    I imagine you could do the same with any magnetic card and a little fine iron sawdust that you could make yourself with a grinder.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Do it the good ole way by xsbellx · · Score: 4, Interesting

      Buddy, when I started working we used to do this on a daily basis to get data off of damaged magenetic tapes for input to a billing system. There was a product called "Visimag" or something similar. Essentially, it was the same sutff as you used in your physics lab, iron powder suspension in some type of alcohol.

      For those who are old enough to remember such things, the tapes were 100bpi/7 track used on a Univac III. And this was the upgrade from 4 inch wide punched paper tape.

      --
      If VISTA is the answer, you didn't understand the question
  7. Re:hotels by rampant+poodle · · Score: 5, Interesting

    Normally none. The card will have a unique number, (usually room nr.), and some instructions telling the lock the validity periiod of the guest key. If you just checked in it will also invalidate all previous guest keys. In some cases the card will also have additional information about your entitlements such as health club, meal plans, etc. Note that the ID number on the card is very likely linked to the hotel's property management system -- which has all of the information you gave when you made your reservation.

  8. Re:hotels by GuyFawkes · · Score: 4, Interesting

    Speaking today at the holiday inn chain of motels in the room cards definitely record the time and date the card is used, eg every time you use it to enter your room, and every wrong room you try it in.

    HTH etc

    (PS, this hotel chain still relies on PC's running windows 95b for all the booking / reservation / billing stuff.)

    --
    http://slashdot.org/~GuyFawkes/journal
  9. Re:How long before DMCA is used? by Anonymous Coward · · Score: 5, Interesting
    I can imagine some card company out there will try and put a stop to this

    I used to work for a company that produced access control devices, including card readers. We managed to reverse engineer all of our competitor's card formats (the one's that didn't use the well-documented Wiegand standard) and build support for them into our product to reduce the cost of getting customers to switch. Most competitor's just shrugged it off, half of them were doing the same thing anyway, but one company that relied on defence contracts for a lot of its business got its lawyers to write a letter threatening to report us to the NSA for "breaking their triple-DES level encryption scheme". We sent the lawyers back full documentation of their snakeoil and pointed out that they'd lose a lot of Government and defense business if the NSA got wind of the fact that what was being marketed as "triple-DES level encryption" was in fact an 4-bit XOR pattern.

  10. What is REALLY on your card? by commonchaos · · Score: 5, Interesting

    I just got the idea of setting up a computer running Strip Snoop in a public place. Put a single board computer inside, a cheap LDC and card reader outside.

    It should be made to look offical and be housed in an hard-to-destroy case. It would be bolted down on the sidewalk in the middle of the night, near an ATM or in a shopping center.

    Have a big sign that says "what is REALLY on your magnetic cards?".

    If you are an art student you could pull off doing something like that and get credit for doing instalation art. :-)

  11. Blocked! by W2k · · Score: 4, Interesting

    Couldn't access the site through the computer at work, it was blocked by the Internet filter, something about "Criminal skills". Only application that seemed to have anything to do with the Internet in the taskbar was a Symantec anti-virus/internet shield app. Now why is it a "criminal skill" to know about magcard readers?

    --
    Quality, performance, value; you get only two, and you don't always get to pick.
  12. Re:How long before DMCA is used? by Telecommando · · Score: 3, Interesting

    Hmmm...
    So do you suppose that all those "high security" cards the government buys are actually low/no security cards?

    I feel safer already.

    --
    Beta sux! Join the Slashcott! http://hardware.slashdot.org/comments.pl?sid=4760465&cid=46173047