Slashdot Mirror


Unlocking The Power Of the Magstripe

Acidus writes "While researching for an embedded systems project (a magstripe enabled Coke machine), I was shocked by the lack of magstripe information: Programs/code that would run on a modern OS were all but nonexistent, articles that were 6-10 years old, etc. Further research proved hard, because I had become Google's authoritative source. So Stripe Snoop was born, and is now at 1.5. Stripe Snoop is a suite of research tools that captures, modifies, validates, generates, analyzes, and shares magstripe data, with an ever-growing database of card formats. Decoding everything from driver's licenses to banking cards, its features can analyze non-standard cards, such as NYC's Metrocard."

17 of 224 comments

  1. Also in 2600 by Noryungi · · Score: 5, Interesting


    There was also an interesting article in this summer's 2600 magazine about magstripes. Some information and code were supplied...

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  2. Working link by Zorilla · · Score: 5, Informative

    Here's the real link to the article:

    Linky.

    --

    It would be cool if it didn't suck.
  3. Re:Good link checking, well done the mods... by LiquidCoooled · · Score: 5, Informative
    --
    liqbase :: faster than paper
  4. How long before DMCA is used? by gilesjuk · · Score: 5, Insightful

    I can imagine some card company out there will try and put a stop to this, purely to save their own skins for putting out fairly weak systems.

    Could be a useful tool though, I'd love to save car parking charges (place where I park sometimes uses magnetic cards) :)

    1. Re:How long before DMCA is used? by t_allardyce · · Score: 5, Insightful

      I think it's happened before - people calling up their bank etc and saying "hey, your card is insecure it stores your pin in plaintext" and the bank says "you shouldn't have a card reader! what do you think you're doing"

      It's the standard bullshit you'll get from clueless people and experience says most cards in your wallet are probably badly designed, so yep, it's probably not worth it to try and help these people by explaining what's wrong and what they can do because they are more likely to try and sue you.

      But I think technically you have a legal right to see what's on the strip - it's your personal data and would fall under the data-protection act?

      --
      This comment does not represent the views or opinions of the user.
    2. Re:How long before DMCA is used? by Anonymous Coward · · Score: 5, Interesting
      I can imagine some card company out there will try and put a stop to this

      I used to work for a company that produced access control devices, including card readers. We managed to reverse engineer all of our competitors' card formats (the ones that didn't use the well-documented Wiegand standard) and build support for them into our product to reduce the cost of getting customers to switch. Most competitors just shrugged it off, half of them were doing the same thing anyway, but one company that relied on defence contracts for a lot of its business got its lawyers to write a letter threatening to report us to the NSA for "breaking their triple-DES level encryption scheme". We sent the lawyers back full documentation of their snakeoil and pointed out that they'd lose a lot of Government and defense business if the NSA got wind of the fact that what was being marketed as "triple-DES level encryption" was in fact a 4-bit XOR pattern.

  5. Not Difficult At All by Anonymous Coward · · Score: 5, Interesting

    Hey all...

    I have worked with developing Linux-based solutions with products from MagTek (manufacturer of hundreds of devices like stripe and card/check readers) and I have to point out that you may not find much information on the subject because the programming for such is so simplistic that a manual is not really needed. I am curious if other products from other providers work in a similar fashion.

    MagTek devices will decode the stripes for you. The data contained within is sent to the computer in serialized format, so once the string of characters is received, you simply have to break the data into whatever pieces you need by looking for sentinel characters in ISO-defined positions. A dozen lines of code at most will handle this under most common programming languages.

    When I was approached by my former employer to create a product with Linux and MagTek devices, (in mid-2000) I found absolutely no documentation on the devices whatsoever on the Net other than sales literature. The customer support personnel did send me several pages of specs and such via FedEx Overnight, and when I received them, I saw that most of their then-current product line operated in a similar manner.

    If possible, connect your reader device to some sort of I/O port and watch the data that is sent to the port with a terminal program (serial I/O in this case, similar methods used for parallel and USB-style interfaces...) Perform enough tests, and you should be able to get a more than adequate idea on how to parse the data sent.

    In case you are really curious, go look at the older (now defunct?) Serial I/O HowTo at linux.org (or one of the mirrors). There are more than enough examples within to show you how to handle any type of serial-based interfacing project.

    Hope this helps...

    Brian
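The sentinel-based split described in the comment above, as an added example that is not part of the original post and is not MagTek's code. It assumes the reader emits the ISO/IEC 7813 financial-card layout (`%` and `;` start sentinels, `?` end sentinel, `^` and `=` field separators); the function names and the sample swipe are constructed for illustration.

```python
import re

# Assumed layout: ISO/IEC 7813 financial cards. Other card types use other fields.
TRACK1 = re.compile(r"%(?P<fc>[A-Z])(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^"
                    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
TRACK2 = re.compile(r";(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")

def mask(pan):
    """Keep the first 6 and last 4 digits so output never holds a full account number."""
    return pan if len(pan) < 11 else pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def parse_swipe(raw):
    """Split one decoded swipe into per-track fields; None marks an unreadable track."""
    tracks = {}
    for key, rx in (("track1", TRACK1), ("track2", TRACK2)):
        m = rx.search(raw)
        tracks[key] = m.groupdict() if m else None
    t1, t2 = tracks["track1"], tracks["track2"]
    # Both tracks repeat the account number and expiry; a disagreement means
    # a misread or a stripe whose tracks were written separately.
    consistent = None
    if t1 and t2:
        consistent = (t1["pan"], t1["exp"]) == (t2["pan"], t2["exp"])
    for t in (t1, t2):
        if t:
            t["pan"] = mask(t["pan"])
            del t["disc"]          # discretionary data is not passed on
    tracks["consistent"] = consistent
    return tracks

# Constructed sample swipe (not a real card), as a reader would send it.
SAMPLE = "%B4000001234567899^DOE/JANE^29121010000000000?;4000001234567899=29121010000?\r"

if __name__ == "__main__":
    print(parse_swipe(SAMPLE))
```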

  6. So wait, how do i hack my metrocard? by StingRayGun · · Score: 5, Funny

    It's not like a federal offense or anything is it?

    1. Re:So wait, how do i hack my metrocard? by bellevueGeek · · Score: 5, Informative

      Actually it is a federal offense since it would be considered counterfeiting, but what is even more interesting is the security that they have in place to stop that.

      Remember when it first came out and the cards were blue? Apparently a bunch of people figured out that you could dupe 50$ of value to used ones, and sell them to idiots on the platform. They would swipe it to show the dope there was a value and get cash for it.

      I sat in on a security lecture once where the expert discussed the complexities of preventing unauthorized use in a system that big. Basically every time you swipe it writes back to your card and a log at that turnstile. Every 5 minutes or so that log is uploaded to a regional center and that in turn is uploaded to a central location. They then can detect things like if a card is used in more than one location, or if more than once in n minutes. If one of these potentially illegal conditions exist the system can add your card to a blacklist and push it back out to the turnstiles all in under 11 minutes.

      The cooler thing is that then when you use a modified card that was blacklisted the little color lights on the opposite side flash yellow or red instead of green. Alerting the police who like to stand and watch people try to jump or squeeze by to pick you up.

      I thought it was a brilliant use of a relatively old and low-security technology.

      --

      All ye all ye outs in free!
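The clone-detection rule described in the comment above (same card at more than one location, or used more than once in n minutes), run over a swipe log. This is an added example, not part of the original post and not the transit system's code; the log format, station names, card serials and both time windows are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed swipe log: timestamp, turnstile location, card serial.
LOG = """\
2004-11-02T08:00:10 station-A 1001
2004-11-02T08:01:30 station-A 1002
2004-11-02T08:03:00 station-B 1001
2004-11-02T08:04:00 station-A 1002
2004-11-02T08:40:00 station-C 1003
2004-11-02T09:30:00 station-D 1003
"""

def parse(log):
    """Yield (time, location, card) for each line of the merged turnstile logs."""
    for line in log.splitlines():
        ts, loc, card = line.split()
        yield datetime.fromisoformat(ts), loc, card

def build_blacklist(log, reuse_window=timedelta(minutes=5),
                    travel_window=timedelta(minutes=10)):
    """Return {card: reason} for swipe patterns one physical card could not produce."""
    last = {}      # card -> (time, location) of its previous swipe
    flagged = {}
    for ts, loc, card in sorted(parse(log)):   # regional uploads arrive out of order
        if card in last and card not in flagged:
            prev_ts, prev_loc = last[card]
            gap = ts - prev_ts
            if loc != prev_loc and gap < travel_window:
                flagged[card] = f"seen at {prev_loc} and {loc} within {gap}"
            elif loc == prev_loc and gap < reuse_window:
                flagged[card] = f"reused at {loc} after {gap}"
        last[card] = (ts, loc)
    return flagged

if __name__ == "__main__":
    for card, reason in build_blacklist(LOG).items():
        print(card, reason)
```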
  7. epos by che.kai-jei · · Score: 5, Interesting

    i was going to post as AC but i don't want people not taking this seriously. i have had to research this technology deeply for legitimate and non legitimate applications for different clients. the reason there is little info or programs or source code -- as mentioned in an issue of 2600.

    it is because there is a lot of poor win32 closed source software out there costing $1000 upwards!

    all poorly written in VB and the like by programmers whose poor coding is more than obvious once a button is pressed or a menu selected.

    ramcwin, rencode 2000 being obvious candidates.

    it seems this is one of those few areas in software applications where even on the vast breadth of the internet a conspiracy of suppression of knowledge. non open code. [not that the code is worth anything to learn from] in order to force the sale of ridiculous 1000 dollar licences for extremely poor code. my project is free open source mag stripe software compatible with as many readers and writers as possible including portable code and libraries to embed in dumb terminals for people wanting to make thin open source terminal clients for EPOS systems.

    i hate poor elite pricey specialised software.

    for instance in a few months a large electronics chain has moved over to linux for their epos. i will make sure their "custom" software does not violate the gpl. [i just applied for a job !!]

  8. Writing the stripe by DrStrangeLug · · Score: 5, Interesting

    Some newer card printers will actually write the magstripe as they print the card. The problem is that they're not too informative as to how you get the magstripe data into the printer to encode.

    Usually this is achieved by a setting within the printer driver which defines which stripe (of the three) to write to and how to get the data out of the printing data. The sequence is usually marked out with start and stop character sequences (on Javelin printers these are usually "${n" and "}$" for start and stop, where n is the track number.)

    This saves people the trouble of printing the cards and then writing them separately.

  9. Storage capacity by Anonymous Coward · · Score: 5, Interesting

    Does anyone know how much data you can store on a typical strip?

    1. Re:Storage capacity by Orne · · Score: 5, Informative
      Here's a summary, but to recap:

      There are three tracks on the magstripe. Each track is .110-inch wide. The ISO/IEC standard 7811, which is used by banks, specifies:

      Track one is 210 bits per inch (bpi), and holds 79 six-bit plus parity bit read-only characters.

      Track two is 75 bpi, and holds 40 four-bit plus parity bit characters.

      Track three is 210 bpi, and holds 107 four-bit plus parity bit characters.
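What "four-bit plus parity bit characters" means at the bit level for track two, as an added example that is not part of the original post. It relies on details the comment does not give and that are stated here from ISO/IEC 7811: data bits are sent least-significant first, parity is odd, `;` and `?` are the start and end sentinels, and a longitudinal redundancy check (LRC) character follows the end sentinel. The sample string is constructed.

```python
START = [1, 1, 0, 1, 0]   # ';' (value 0xB) sent LSB-first, followed by its odd-parity bit

def _char_bits(v):
    """Four data bits, LSB first, plus a parity bit that makes the count of 1s odd."""
    data = [(v >> i) & 1 for i in range(4)]
    return data + [1 - sum(data) % 2]

def encode_track2(text, pad=8):
    """Build the bit list for a track two string (used here to make the sample)."""
    vals = [ord(c) - 0x30 for c in text]
    lrc = 0
    for v in vals:
        lrc ^= v                      # LRC: XOR of every character, sentinels included
    bits = [0] * pad                  # leading clocking zeros
    for v in vals + [lrc]:
        bits += _char_bits(v)
    return bits + [0] * pad

def decode_track2(bits):
    """Decode track two bits; raise ValueError on a parity, LRC or framing error."""
    start = next((i for i in range(len(bits) - 4) if bits[i:i + 5] == START), None)
    if start is None:
        raise ValueError("no start sentinel")
    chars, lrc, done = [], 0, False
    for i in range(start, len(bits) - 4, 5):
        chunk = bits[i:i + 5]
        if sum(chunk) % 2 != 1:
            raise ValueError(f"parity error at character {len(chars)}")
        v = chunk[0] | chunk[1] << 1 | chunk[2] << 2 | chunk[3] << 3
        lrc ^= v
        if done:                      # this character is the LRC itself
            if lrc != 0:
                raise ValueError("LRC mismatch")
            return "".join(chars)
        chars.append(chr(0x30 + v))
        done = v == 0xF               # '?' end sentinel; the LRC comes next
    raise ValueError("no end sentinel or LRC")

SAMPLE = ";1234567890=2912?"          # constructed, not a real card

if __name__ == "__main__":
    print(decode_track2(encode_track2(SAMPLE)))
```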

  10. Re:hotels by rampant+poodle · · Score: 5, Interesting

    Normally none. The card will have a unique number, (usually room nr.), and some instructions telling the lock the validity period of the guest key. If you just checked in it will also invalidate all previous guest keys. In some cases the card will also have additional information about your entitlements such as health club, meal plans, etc. Note that the ID number on the card is very likely linked to the hotel's property management system -- which has all of the information you gave when you made your reservation.

  11. Better interface? by no_such_user · · Score: 5, Informative

    This project would open up to many more people if a more simplistic way of interfacing to the card reader was introduced. How 'bout via the soundcard?

    I was poking around the links provided on the site, and found this: The simplest magnetic stripe reader. He wrote software to analyze the audio generated by the card when passed over the read head. This means that any old cassette player has a chance at being used to hack magstripes! Any comments on how accurate this method is, versus the F2F decoder chips?

  12. What is REALLY on your card? by commonchaos · · Score: 5, Interesting

    I just got the idea of setting up a computer running Stripe Snoop in a public place. Put a single board computer inside, a cheap LCD and card reader outside.

    It should be made to look official and be housed in a hard-to-destroy case. It would be bolted down on the sidewalk in the middle of the night, near an ATM or in a shopping center.

    Have a big sign that says "what is REALLY on your magnetic cards?".

    If you are an art student you could pull off doing something like that and get credit for doing installation art. :-)

    1. Re:What is REALLY on your card? by zempf · · Score: 5, Informative

      This was done by an art museum in Pittsburgh: see this article at Wired for details.