Magnetic Stripe Snooping at Home
pbrinich writes "Have you ever wondered what information is actually stored on all those cards you have in your wallet? Well, it turns out you can find out yourself! An excellent project, Stripe Snoop started by Billy Hoffman, a Georgia Tech computer science student, contains schematics, source code and a wide variety of information about the standards used to store all sorts of information on your magnetic cards."
*puts on tinfoil hat*
ROMANES EUNT DOMUS
Perhaps I'll create a handheld device and carry it with me when I'm on the pull
"So, your name is Claire Smith, you live at
Her: wtf !?!
"Sweet llamas of the Bahamas !"
Now we can look forward to another explosion of credit card and identity theft...
____
~ |rip/\/\aster /\/\onkey
This would be interesting to use for some open source point of sale systems... *Project ideas flying through head*
Linux is like a teepee. It has no windows, no gates, and there's an Apache inside.
Gives new meaning to the Capital One tagline "What's in your wallet?"
One man's Funny is another man's Offtopic.
to find out that your pin is stored in plain text on the magnetic stripe :-|
I'm just shocked at what *isn't* on my cards. For example, every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish. Shouldn't that information be on the card? I mean, the card is *mine* - they know who I am. Surely that should indicate what language I speak...
Go, and never darken my towels again! -- Rufus
Since one of the listed articles talks about common security blunders with cards, it's time to start the over/under pool on how long it takes before this guy gets shut down by some corporation claiming DMCA violations.
I call one week.
Open your wallet. How many cards in there have magstripes on them? Three? Four? Five? Ever wonder what was encoded on them?
I know I did. I had six cards in my wallet with magstripes. One day a friend of mine had a $200 Magstripe reader, so I ran my cards through. Aside from the expected credit card numbers, I was surprised by the amount of personal information encoded on them. In fact, for reasons I still don't know, 2 cards contained my social security number.
One man's Funny is another man's Offtopic.
I think this is a very cool project, but somehow I don't think it'll be out there very long. I'm sure the credit card companies, or some other large corporation will be doing the DMCA smackdown dance soon enough, claiming this software could only be used for criminal purposes and serves no academic purpose.
ce n'est pas un Sig.
Billy Hoffman, aka Acidus, is one of the top up-and-coming security experts; he probably knows more about card systems and ATMs than anyone outside "the industry". I had the privilege of seeing him speak at phreaknic and hope his contributions to the hacking community continue. People like him keep the rest of us free and informed despite the massive corporate, academic, and government powers that would have otherwise. So....Thanks!
------ Take away the right to say fuck and you take away the right to say fuck the government.
Hmm, I wonder whether it is just a coincidence that the first issue of Make had an article explaining how to hook up a cheap mag-stripe reader to your computer and use Stripe Snoop to read it.
I don't think articles such as this one will bring anything new to those who are in the business of credit card stealing. But it should serve as an eye-opener and for raising awareness for the average card user. Being a little more careful with that card should help a lot, I guess. Besides, I let the bank use my money for a reason, right? They should take the risk on themselves...
I'm going to go out on a limb here and say credit card number? Your name perhaps?
It's the battle of the minds, and everyone's unarmed.
I've tried this software. It's awesome. It read every stripe I threw at it - even the brown stripe in my jockeys!!!
If you watch TV news, you know less about the world than if you just drank gin straight from the bottle.
Stripe Snoop was discussed in detail by its author on a show called Binary Revolution Radio awhile back. You can download the ep, #56, at: http://www.binrev.com/radio/archive.html/ -enjoy, it's a really good show!
One of the screenshots shows that there's an encrypted PIN stored on credit cards. How soon before we are able to de-encrypt that? Then all a thief needs is a magstripe reader, this free program, and the decrypter program, to start his business.
Even if it's irreversible, it can't be too hard to brute force number-only PINs.
It said "Paul is dead"
What's that mean?
The average Joe is very careful with his plastics, and won't lose the suspicious waiter from his sights while the latter handles his credit card. The same Joe will thoughtlessly type away his credit card number as a means of "age verification" in some random Paris Hilton pictorial site.
A hacker getting through his poorly set up XP box and stealing his credit card number is more dangerous than a device needing the presence of a physical card. And, of course, there are this kind of occurrences, which are the most worrying of all.
Just
I've actually done this myself, purchased the magnetic reader, some electrical parts, soldered the thing together. Once I had things going, when you swipe say a Visa, it lists the card #, the expiry date, and the issuing bank. I've also tried it with a bank card, and it does list the bank card #, and an 'encrypted pin', which, if I understand correctly, is encrypted with triple DES (that's what I remember, I may be wrong). I also swiped my University student card, but can't yet make out what it has stored. Finally, I swiped an M&M Meat Shops Max Member card and all it has on it is the max member #, nothing more. Also, the person I did this with created some shims to raise the card so as to read the 2nd and 3rd track. It was overall a neat project.
There is another kind of evil which we must fear most, and that is the indifference of good men. -- Boondock Saints
you can use it (like he did) to build your own coke machine....
http://www.yak.net/acidus/magstripe/coke.html
Currently bidding on sig
that a few weeks after ordering the necessary hardware, you'd get sued or arrested.
If someone says he and his monkey have nothing to hide, they almost certainly do.
How easy would it be to edit the data on the strips?
For example, would it be possible for me to take my magnetic bus ticket and easily add another 10 trips to it?
...that should remain secret from you. I hope that the Bush admin locks this terrorist in prison and throws away the key. The reason that mag stripes were chosen as a way of encoding the information on your IDs was to keep you from screwing with it. You'd better believe that people who do this kind of thing are up to no good. What possible reason do you have to not trust the authorities who are responsible for access to this information? Business and the Bush administration only have your best interests at heart and just want to keep the entire world safe. I think the problem with people like this guy is that they are too smart for their own good and ask too many questions. When you have an inquisitive person on your hands, you have a dangerous individual on your hands. A lo[tt] of people are complaining that the state of today's educational institutions is bad. I say they are wrong. There is too much access to information and people who are encouraged to think a little too much. If anything, we need some kind of informational quota system to make certain that people with more natural inquisitiveness are limited more strictly from information than people who are less inquisitive. If this can be done, the world will be a safer place. I can't believe that people would applaud the work of a criminal like this. It's disgusting.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
That allows you to read what's stored on all those floppy and hard drives you have at home. For project details and parts just go to newegg.
At least it's been off the front page a while this time.
The new Make magazine has a heavily-photographed and pretty intelligible partslist / walkthrough of building the actual device, as well. http://make.oreilly.com/
They put a mag strip access lock to the computer lab in college. We were complaining at having to now carry around our student I.D.s to get access to the labs when I found out ALL of my credit cards allowed access to the lab. (Not smart, but hey, this was 1989)
Turns out the Lab assistant that installed the lock thought it'd be cool if any card he pulled out of his wallet would open the door. But the local bank's first 9 digits on the mag strip were the same for ALL cards they issued.
"Draco dormiens nunquam titillandus."
Nothing exciting is in that barcode; just what is on the front of your license, at least in New York State where I tried it. I had written a PDF417 barcode reader a couple years back and we used the back of our licenses as some test data just to see. It is literally just everything from the front side (name, address, height, weight, etc). The interesting stuff will be in the database that this info is the key for!
.plan!! what plan?
According to PayByTouch, the phone number is used as an index to speed fingerprint matching. The PBT computer located at the point of sale device turns the fingerprint data into a hash on the spot prior to sending the request over the network, so the "clear" fingerprint isn't stored or sent anywhere.
I personally thought customers would find "fingerprinting" to be too Big-Brotherish, but many pilot customers preferred the idea of using a fingerprint over carrying a wallet full of credit cards and shopper loyalty cards. But at the time we looked at them, Visa refused to certify them as being as secure as a mag stripe, so the idea died around here.
John
written on what appears to be a napkin...
I generally agree, but one of the common assignments for GUI development classes is to redesign an ATM. You would be amazed at the horrible interfaces that reasonably intelligent people can come up with and they all seem to keep the language selection. I'm thankful it's the only really irritating feature. Plus, the magnetic stripes have a fairly limited character count and getting banks to agree on a standard format would be a nightmare, so any customization would only work at one of your branches.
I'm waiting for the short-range, wireless solution that allows a consistent, custom interface on my phone, which can communicate with any nearby ATM. Choose your language once, make some shortcuts for common transactions, then key in transactions (safely) from your car and pass your phone over the cash slot to dispense. It has the added bonus of never having to touch those funk-nasty keypads.
What if (tm) someone made a card that looked just like a bona-fide card, _only_ that this 'magic' card could 'scoop up' the magnetic -debris (if any; I'm talking way out of line here) that normal cards leave behind in the readers; I'm sure something must be torn off, (cards wear to the render of uselessness, due to 'hard usage',) and among that "something", there's bound to be magnetic information, or? ...
... I mean, if the scooper card had some sort of magnet, or absorbator, whatever ..?
Well let's say this 'scooper card' stores all the random magnetism stuck to the card-reader -slot, and the 'magician' goes home to sort out the coherent bits, -if any-, to use them for fraudulent endeavours.. --Could something along these lines technically happen?
A horse can't be sick, you know, even if he wants to.
I don't think you can read the strips without being more than a couple millimeters away.
However I heard of a scam to read the RFIDs in car key and car opener devices. These can be read a foot or two away (e.g. in elevator or mall). It's been shown that a modest computation can break the car entry security. So do we need foil-lined wallets, pockets, and purses?
On the screenshots page http://stripesnoop.sourceforge.net/screenshots.html there's a screenshot that has the text "Possibly a: "AAMVA Compliant North American Driver's License"
then below that "Issuing Territory: California"
It also says the standard is used in some parts of Canada as well. Where's my tin foil hat?
The proper place for information like language preference is not on the card, but rather in the bank's database that the ATM accesses.
Ideally, when the card is first inserted the ATM will ask for non-secure data from the bank - things like language pref and such. If the card is NOT valid, the bank could send back default data (to prevent using that to ease checking of forged cards).
By separating the prefs from the card, you can update the card without losing the prefs.
(Slashbots: Notice that the word is losing, not loosing!)
www.eFax.com are spammers
We can still sue you for possible DMCA violations and watch you impoverish yourself trying to defend yourself. It is the (not-so-new) common strategy to shut people up.
Whether or not this is an actual DMCA violation does not matter.
There is not nearly enough love in the world, but there is far too much trust.
The first issue of Make had a whole article, with parts list and clear directions, on how to attach a card reader to your computer and use the Stripe Snoop software to read off the information.
Aah, but it IS encrypted - with double-rot-13.
The living have better things to do than to continue hating the dead.
It's a decent system, but it's sloooow compared to the old monochrome monitors. And worse: the biggest problem is the touchscreens break all the time.
Still, the general idea seems right. Keeping the GUID on the card is the right idea.
No.
I used one to snoop my cards and found some interesting information...
Try this link: http://www.posguys.com/category.asp?catID=4
There are three truths: my truth, your truth, and the truth. - Chinese proverb
I did this over six years ago... A lot of the info was on the net then and it is incredibly dull how little info is really stored. Worse, Japanese credit cards have a hidden stripe on the FRONT of the card (just in case you wanted to know). You can get a mag-stripe reader for these pretty easily. Personally, I still think RFID is more interesting...
IANAL, but I've seen actors play them on TV
I'm an undergrad student in the University of Maryland system. I managed to write some simple C and Perl programs a while back for a reader I obtained, and ran quite a few cards through them. I found that our university issued ID cards have our social security numbers stored on them, unencrypted. A friend filed some public information request acts requesting to know if the university stored data such as the time and locations of card swipes, and if that data was attached to the student in any way. After initially denying this, the university eventually admitted that they do store data, and sent the guy a copy of his records, which indicate to the second when and where he swiped his card, in addition to when he went to the gym, how much he bought at the dining halls, etc. So much for privacy. I'm no engineer or programmer, and I was able to do this fairly easily; it can't be that hard to build an intercept and install it within a reader that's attached to a door, and voila - hundreds of SSNs. We're trying to contact some people in the school media and administration and have something done.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
I've seen all of the data on my UK bank cards, and to be honest it's not all that interesting or unexpected. What I'd really like to know is what's stored in the chip.
Philip
Signatures are broken
Feel free to go google DMCA abuse. There's about 100,000 hits, and you might find one or two in there that might lead you to understand WHY it's reasonable to think that a corporation might go after this, using the DMCA as a weapon, because they've done it before.
The FatWallet one is particularly educational. I invite you to go read it. It's even less applicable to the DMCA than card-stripe reading, and it happened anyway.
I know some Europeans have been using chips on cards for some time now & they're rolling it out here in the UK as well now.
http://www.chipandpin.co.uk/
Many shops I go into now don't even swipe the card, just slot it in the reader. Might there be a plan to eliminate using the mag stripe for the sensitive data (or even having one at all) in the longer term?? Obviously the ATM's...etc will need updating first
I've had a couple of dozy shop staff put my card over the antitheft magnet under the counter, there's an immediate benefit.
In Europe it is quite common for the ATMs to automatically work out what language you speak, and automatically present you with an interface in that language.
This works solely by the ATM recognising which bank your card is from. For instance, mine is Barclays, which the ATM knows is a UK bank, so many ATMs in France present me with an English interface by default. I would strongly expect all European ATMs with this ability to present all US cardholders with an English language by default (Spanish-speaking US citizens aren't common tourists).
However this breaks when your country speaks more than one language. I'd expect all ATMs to be very confused about which language a Swiss cardholder prefers; Switzerland has German, French and regional languages as official languages. Belgians probably get a choice of Dutch or French too.
There are also regional variations. For example, when using my Barclays ATM card in Wales [1], I sometimes get the option for the interface in Welsh or English, because Barclays customers in Wales might prefer Welsh over English (for instance, my uncle prefers Welsh for conversing about money and family, but English for talking about science and technology).
So it can be done, but they don't dial back to HQ for your individual preference- the ATMs generally only recognise the default language of your bank. If your bank speaks both Spanish and English, then most ATMs aren't going to know any better.
[1] Wales and England are Kingdoms [2] of the United Kingdom in the same way that California and Texas are States of the United States. The UK isn't just England, any more than the US is just California.
[2] Actually, Wales is a Principality (ruled by a Prince/Princess, not a King/Queen), not a Kingdom, but you get the idea.
Andrew Oakley - www.aoakley.com
mag stripe reader kits have been out for years and years. There have been articles in 2600 in the past decade that covered how to read the mag stripes off of NYC's metrocards for subway systems. At various conferences in the 90s mag stripe kits were given out during presentations and phrack had a few articles dedicated to magstripe readers. Why is this news now, in 2005?
I'll give him 2 days before the DMCA guys come knockin' on his dorm-room door.
-- Game Developers: Stop porting badly-textured games from crappy console systems!
Where I live, the language of preference is stored on the server.
All ATM's in Belgium can work in 4 languages, but I never had to choose a language at an ATM. So I suppose the bank knows I want to be served in Dutch.
When a foreigner uses an ATM in Belgium, he gets to choose a language. (And when I go abroad, I get to choose a language too)
Well, it's not because I like Richard Stallman, that's for sure. I don't believe that all code should be Free Software, and think he is pretty much a coding communist
LOL! I could not have said it better!!!
Q: Why did you release Stripe Snoop under the GPL?
A: Well, it's not because I like Richard Stallman, that's for sure. I don't believe that all code should be Free Software, and think he is pretty much a coding communist. One of the reasons Stripe Snoop was created was the lack of cheap or quality magstripe software, especially that would run on Linux. I have worked very hard on Stripe Snoop, and the last thing I want are the very companies that have expensive, crappy software from using my code and not contributing code themselves. In this regard the GPL provides the protections I want, even if I disagree with most of the creator's politics.
Interesting to see a "security expert" (see earlier post--I can't verify this opinion) who thinks RMS is a code communist.
I noticed a 3 track reader for $59 from Kanecal.net. This looks like a very quick and cheap approach to data extraction. The advantage of making your own is that you need not limit yourself to cards following the ISO specifications for track positions and character encodings.
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
The magnetic stripe standards, of course. The card is a test card I printed while I was building an ID card system for a client. The front lists the track standard and the allowed chars:
Track 1 (IATA data max. 76 chars):
!"#$%&'()*+,-./0123456789:;<=>@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_
Track 2 (ABA data, max 37 chars): 0123456789;;<=>
Track 3 (TTS data, max. 104 chars):
0123456789:;<=>
The allowed chars have been encoded onto the stripe on the back.
FreeSpeech.org
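The track 2 layout named in the comment above, as an added example that is not part of the thread or of Stripe Snoop: a decoder for a raw track 2 bitstream using the ISO/IEC 7811-2 framing (5-bit characters with odd parity, start sentinel `;`, end sentinel `?`, trailing LRC). The function names are made up for this example, and the sample bitstream is constructed from a test-card style character run, not read from a real card.

```python
"""Decode an ISO/IEC 7811-2 track 2 bitstream (5-bit ABA characters)."""

START, END = ";", "?"   # start and end sentinels
MAX_DATA = 37           # data characters allowed, as stated in the comment above


class TrackError(ValueError):
    """Raised when the bitstream is not a well-formed track 2 record."""


def char_to_bits(ch):
    """One character -> 5 bits: 4 data bits LSB first, then an odd-parity bit."""
    value = ord(ch) - 0x30
    if not 0 <= value <= 0xF:
        raise TrackError(f"{ch!r} is not in the track 2 character set")
    data = [(value >> i) & 1 for i in range(4)]
    return data + [1 - sum(data) % 2]


def lrc_bits(chars):
    """LRC character: each data bit makes its column even across the record."""
    data = [sum(char_to_bits(c)[i] for c in chars) % 2 for i in range(4)]
    return data + [1 - sum(data) % 2]


def encode_track2(data, leading_zeros=10):
    """Build a constructed sample bitstream, padded with clocking zeros."""
    if len(data) > MAX_DATA or START in data or END in data:
        raise TrackError("payload too long or contains a sentinel")
    chars = START + data + END
    bits = [0] * leading_zeros
    for c in chars:
        bits += char_to_bits(c)
    return bits + lrc_bits(chars) + [0] * leading_zeros


def decode_track2(bits):
    """Return the data between the sentinels, or raise TrackError."""
    # The start sentinel ';' is 1,1,0,1 plus parity 0, so the first 1 bit
    # after the clocking zeros is the first bit of the record.
    if 1 not in bits:
        raise TrackError("no data: only clocking zeros")
    pos = bits.index(1)
    chars, column = [], [0, 0, 0, 0]
    while True:
        group = bits[pos:pos + 5]
        if len(group) < 5:
            raise TrackError("bitstream ended before the end sentinel")
        if sum(group) % 2 != 1:
            raise TrackError(f"parity error in character {len(chars)}")
        ch = chr(0x30 + sum(b << i for i, b in enumerate(group[:4])))
        if not chars and ch != START:
            raise TrackError("record does not begin with the start sentinel")
        chars.append(ch)
        column = [(c + b) % 2 for c, b in zip(column, group[:4])]
        pos += 5
        if ch == END:
            break
        if len(chars) > MAX_DATA + 1:
            raise TrackError("more data characters than track 2 allows")
    lrc = bits[pos:pos + 5]
    if len(lrc) < 5:
        raise TrackError("bitstream ended before the LRC")
    if sum(lrc) % 2 != 1:
        raise TrackError("parity error in LRC")
    if lrc[:4] != column:
        raise TrackError("LRC mismatch: record is corrupted")
    return "".join(chars[1:-1])


# Constructed sample: the non-sentinel track 2 characters, test-card style.
SAMPLE = "0123456789:<=>"

if __name__ == "__main__":
    stream = encode_track2(SAMPLE)
    print(decode_track2(stream))
    stream[15] ^= 1             # damage the first data character
    try:
        decode_track2(stream)
    except TrackError as err:
        print("rejected:", err)
```

The per-character parity bit catches any single flipped bit; the LRC catches the two-bit flips inside one character that parity alone lets through.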
Admitted, I didn't RFTS, but what's new? Go buy a simple $30 cardreader and plug it into your serial port. Open a terminal program on the port and swipe the card.
Most cards are physically encoded according to the ISO standards and the majority of the card data is formatted according to the financial standards (forget the organization name).
If you can't operate a terminal program, get a reader which works with the keyboard interface and open your favorite editor and start swiping.
Heh...I wrote this article back in 1991: http://www.textfiles.com/hacking/magnet.02 Great to see stuff in this area still popping up. I'll have to check out this software. Been a long time since I played with stripes... -Count Zero
I would like to recall reading the article that Count Zero wrote for Phrack when I was tooling around BBS's in the early '90's. It certainly looks familiar.
Personally, I think that most of the irrational fear of hacking that has invaded the hearts and minds of "normal" people is from that time. Way before the commercialized Internet. I think of this as the Golden Age of hacking. Roughly, from the mid '80's to 1993. Pre-Internet.
IMO, Hacking experienced a renaissance after the goldrush of the Internet while standards such as SSL were being developed, implemented and refined. While I don't think the irrational fear that users have of hacking was justified during the Golden Age of hacking, it is certainly justified now as company after company is hacked and social security numbers and other assorted personal information are released like pigeons at the Olympic games.
Anyway back on point, Count Zero's article brought back memories for me.
"What the hell is an aluminum falcon?"
Step 1: Build your own mag-strip reader that looks like a typical pay-by-cc device.
Step 2: Setup a stand on the streets of NY
Step 3: Sell stuff just to get people to swipe CC and steal info.
Step 4: Profit???
A very simple way is to buy a ps/2 magnetic card reader and open up your favorite text editor. Swipe a card and all the info appears. In my state the driver's license has a strip too with lots of information on it.
hack a day
Chip + Pin is
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
A lemonade stand with a credit card paypoint.
I wonder what the kids do with all that info.
I posted about magnetic developer, and now I can't find that post. I mean come on, you don't even need electronics to read what's on a mag stripe, the density is so low you can do it by eye... Just wipe on some magnetic developer.
FYI, the author probably just received his copy of Make Magazine from O'Reilly. Stripe Snoop is discussed in an article (page 106) about building your own magnetic stripe reader.
I was demoing mag stripe readers attached to PCs 20 years ago (OK, I exaggerate, I think it was actually 19 years ago). It was entertaining getting volunteers to swipe their cards and 'accidentally' reveal their balances. But even then it was embarrassing having French people repeatedly ask me why I was demonstrating such outdated equipment when they'd already been using smart cards for a while.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
How much longer before the beloved DMCA will be expanded to include reading the data from, or deciphering the data on, these cards? All these companies have to do is perform some kind of mild encryption, which they can then claim is some kind of copy protection. They can claim copy protection is necessary to "protect" some kind of innocuous piece of "proprietary" information, and claim that to gain access to it would amount to a violation of trade secrets (or something similar). One more reason NOT to use plastic.
Is that those who disagree vehemently with the politics of RMS can still see the GPL for what it is: the Right Way to license software, if you want to see it live, grow, and prosper.
The cure for cancer is coming: Reovirus
...before the FBI or Secret Service shut down the project.
That, or one of the various companies who depend on magstripe cards, such as the makers of Blackboard university groupware software (which ties in w/ uni students' ID cards), with whom Acidus has already dealt once...
Is Capitalism Good for the Poor?
...at least not here.
Bank of America has rolled out the same ATMs in my area (color, touch-screen NCR models.) Every time you insert a card, it flashes "Retrieving user customizations" or something like that.
Indeed, it keeps track of my preferred Fast Cash amount.
But it still asks me every time whether I would like English or Español. I guess it's hoping I'll learn Spanish someday.
In the "doctor's parking lot" card reader where I did residency, any object slid into the reader would open the gate. I typically used a tongue depressor since it had slightly better "reach" and I didn't have to get my car so close to the machine.
Anyone know what's on gameworks cards?
Slightly off topic, but:
Does it drive anyone else crazy that credit cards do not follow the "something you have and something you know" security measure? Even something as simple as a 4-digit code would be sufficient to provide an exponential amount of physical (and digital, if done properly) security.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Wow, that's a lot of FUD. To upgrade "these cards" to use some mild form of encryption, you have to upgrade every card station, gas pump, vending machine, ID verifier, payphone, ATM Machine, and any other magnetic strip reader in the world to support this new form of encryption. For what, to make it illegal for a few nerds with too much time on their hands from viewing data stored on a card in their own possession? Why? The companies shouldn't be storing anything on the card they don't want the consumer to know about, anyway.
And I'm curious, what are the other reasons NOT to use plastic?
Today I didn't even have to use my AK; I got to say it was a good day -- Icecube
I don't understand what is important about this... There have been hundreds of magstripe readers with software out for years, some of which are free (software, obviously, not hardware). And it's not like he had to decrypt the stuff... they're called standards for a reason: it's usually public knowledge how to get the info off of a card.
every time I ... have to indicate whether I want ... English or Spanish. Shouldn't that information be on the card?
... It seems all the machines provide at least 4 languages, maybe more for some. I guess it's the same across Europe)
You must be in the US, the same country where it seems that your account is only protected by a user name and a password, leading to all these phishing mails I get with some US bank in the From: header.
Maybe it's time for American slashdotters to educate their bank managers or go work for their bank.
(In CH, the language is on the cards, and is used everywhere: ATMs, shops, gas stations,
...but doesn't anyone carry CASH anymore?
The House Between - Original Sci-Fi Series
In Soviet Union, magnetic stripe snoops YOU!
You can run but you can't hide, except, apparently, along the Afghan-Pakistani border.
You can buy a std. reader that outputs the info from a card as clear text thru a std. keyboard port (via a passthru plug)... directly to wherever your cursor is... it is in common use in Denmark for reading social security cards. There is nothing specially secret in this.
This is why banks are switching to chip-cards now... If he had gone into the chip-cards he would have everyone (all banks, police, Interpol and FBI) on his neck...
You may see an example for this kind reader here : PS/2 passthru reader
Pricetag: $49 for 2-track, $59 for 3-track...
If you don't want the info on a magnetic stripe to be readable, run a magnet over it a few times. That's what I did with the stripe on the back of my drivers' license.