Magnetic Stripe Snooping at Home
pbrinich writes "Have you ever wondered what information is actually stored on all those cards you have in your wallet? Well, it turns out you can find out yourself! An excellent project, Stripe Snoop, started by Billy Hoffman, a Georgia Tech computer science student, contains schematics, source code and a wide variety of information about the standards used to store all sorts of information on your magnetic cards."
Open your wallet. How many cards in there have magstripes on them? Three? Four? Five? Ever wonder what was encoded on them?
I know I did. I had six cards in my wallet with magstripes. One day a friend of mine had a $200 Magstripe reader, so I ran my cards through. Aside from the expected credit card numbers, I was surprised by the amount of personal information encoded on them. In fact, for reasons I still don't know, 2 cards contained my social security number.
except it isn't...
Billy Hoffman, aka Acidus, is one of the top up-and-coming security experts; he probably knows more about card systems and ATMs than anyone outside "the industry". I had the privilege of seeing him speak at PhreakNIC and hope his contributions to the hacking community continue. People like him keep the rest of us free and informed despite the massive corporate, academic, and government powers that would have otherwise. So... Thanks!
Your PIN is not stored on the card at all. If you have two cards for one account, go to an ATM with one and switch your PIN, the other will have been switched as well without ever being put in a machine. The PIN is connected to an account, not a particular card.
Stripe Snoop was discussed in detail by its author on a show called Binary Revolution Radio a while back. You can download episode #56 at: http://www.binrev.com/radio/archive.html/ -enjoy, it's a really good show!
I wonder if the information sent to whatever-the-hell-it-is is encrypted...
Yes. Even those standalone, shady-looking ATMs that dial up an 800 number and connect at 1200 baud will have encrypted transmissions.
At least it's been off the front page a while this time.
PINs aren't stored in the stripe. Not plaintext, not encrypted, not at all.
The new Make magazine has a heavily-photographed and pretty intelligible partslist / walkthrough of building the actual device, as well. http://make.oreilly.com/
Nothing exciting is in that barcode; just what is on the front of your license, at least in New York State where I tried it. I had written a PDF417 barcode reader a couple of years back and we used the back of our licenses as some test data just to see. It is literally just everything from the front side (name, address, height, weight, etc.). The interesting stuff will be in the database that this info is the key for!
Last I checked, my PINs are by card. My PIN and my wife's PIN are different, but access the same accounts. At least for my financial institution, the PIN is stored on the card, but in triple DES encryption. When I perform a transaction, the PIN I enter and the encrypted PIN are both sent to my bank, which encrypts the PIN I enter with their key, and compares them. No matchee, no money. When I changed my PIN a few years back, they punched my account data into a terminal, I put in the PIN I wanted, and then swiped the card. When I walked back to the lobby, my card worked with the new PIN, no problem.
According to PayByTouch, the phone number is used as an index to speed fingerprint matching. The PBT computer located at the point of sale device turns the fingerprint data into a hash on the spot prior to sending the request over the network, so the "clear" fingerprint isn't stored or sent anywhere.
I personally thought customers would find "fingerprinting" to be too Big-Brotherish, but many pilot customers preferred the idea of using a fingerprint over carrying a wallet full of credit cards and shopper loyalty cards. But at the time we looked at them, Visa refused to certify them as being as secure as a mag stripe, so the idea died around here.
John
Most of the information about credit cards is contained within various ISO standards. IANAL, but I don't think legal action could be taken against software which implements a public specification. Although this project is nice, there isn't much you can't figure out about CCs by reading the specs. Personally I've found the most interesting information is contained on cards which are not well defined, like student ID cards, video rental cards, etc.
ISO 7810 Physical Characteristics of Credit Card Size Document
ISO 7811-1 Embossing
ISO 7811-2 Magnetic Stripe - Low Coercivity
ISO 7811-3 Location of Embossed Characters
ISO 7811-4 Location of Tracks 1 and 2
ISO 7811-5 Location of Track 3
ISO 7811-6 Magnetic Stripe - High Coercivity
ISO 7813 Financial Transaction Cards
ISO 4909 Track 3 Data Format
Exactly. There's no reason why that should be on the card, and my banks (Bank of America, formerly Fleet, formerly BankBoston, formerly Bay Bank, formerly...) have stored a language preference in the account data as far back as I can recall.
It's a decent system, but it's sloooow compared to the old monochrome monitors. And worse: the biggest problem is the touchscreens break all the time.
Still, the general idea seems right. Keeping the GUID on the card is the right idea.
It can't be "brute forced" or "cracked", any more than you can tell what the OTP-enciphered message "htpn juio gowew" says without the pad. In modern banking systems it's part of a two-factor system, in which you need the algorithm plus ANY TWO of the following in order to figure out the third:
* Real PIN (typically stored in customer's brain, sometimes also on a PostIt stuck inside their desk drawer)
* PIN offset (stored on magstripe of card)
* Stored PIN from database (stored in a secure machine at the bank, probably along with your current balance)
You can imagine that the function used is XOR, but actually there are various methods that could work, and I've never investigated which one is used. However this system lets several moderately clever things happen...
1. You can have two cards (e.g. husband and wife) for the same account with different PINs, yet store only one PIN in the database.
2. ATMs can change the PIN by knowing your old and new PIN, then applying the changed offset to the magstripe.
3. By leaving the PIN unchanged and issuing a card with a different offset the bank can send you a new card, with a new PIN, without instantly disabling your old card and PIN.
4. Knowing the PIN, and having a valid card number are not sufficient to validate yourself to the ATM network. You don't know the offset that goes with that PIN, you'd have to steal (or at least read) the customer's card to get a valid offset.
5. The real PIN is never sent over the network. So if you have an opportunity to eavesdrop on bank network traffic you don't learn the PIN for anyone's card.
This is actually pretty clever stuff. The banks can be many things, but they're not stupid; you don't last long in financial circles if you are.
I used one to snoop my cards and found some interesting information...
Try this link: http://www.posguys.com/category.asp?catID=4
I did this over six years ago... A lot of the info was on the net then and it is incredibly dull how little info is really stored. Worse, Japanese credit cards have a hidden stripe on the FRONT of the card (just in case you wanted to know). You can get a mag-stripe reader for these pretty easily. Personally, I still think RFID is more interesting...
How easy would it be to edit the data on the strips?
It's trivial. You can get a magstripe writer for a couple hundred bucks, max.
For example, would it be possible for me to take my magnetic bus ticket and easily add another 10 trips to it?
Depends on how the bus tickets are set up. If they have a unique identifier on them and the system looks up your balance against a central database, no luck. If the info is stored on the ticket itself, it should be trivial. Although the paper bus and train tickets are not the same as standard CC-style cards.
Interesting trivia on the subject.
Ever wonder why the person swipes your credit card and then enters the last 4 digits that are hologram embossed on the card manually?
Because it's trivial to put any account number on the card.
CC numbers have an internal checksum, so you can't simply make up a number that will match the last 4 digits. The odds of reprogramming your card with an active and valid account that matches the last 4 digits printed on your card are pretty low.
When you key your PIN, the PIN pad accepting it will encrypt the PIN along with other transactional information plus its own serial number using a key injected securely by a representative of the issuing bank.
This blob plus the other data is transmitted to an authorizer, where the account is looked up and a local copy of the blob is created. If it matches the incoming blob, it's a go.
The bank almost certainly did not encode your card in the scenario you described above. Encoding is usually done with a machine-fed stripe writer, and is almost never done by hand-swiping the stripe anymore. (The timing is usually better on machine-fed devices.) What the bank most likely did was to generate a blob similar to the one I described above for transmission to their authorizing computer, which immediately stored it and activated it for use.
Yes, the original intent of mag stripes was to enable offline transactions. However, bad guys quickly figured out how to read stripes and forge PINs, so everyone went to strictly on-line authorizing in the early 1980s.
John
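The "encrypt at the pad, recompute at the authorizer" flow described in the post above, as an added example that is not code from any bank, vendor or from Stripe Snoop. The PIN block construction is ISO 9564-1 format 0 (PIN field XOR PAN field); the keyed step uses HMAC-SHA256 as a stand-in for the pad's 3DES under an injected key, because the point is the flow, not the cipher. Pad serial, key, PAN and PIN values are made up for the example.

```python
"""ISO 9564-1 format 0 PIN block plus pad-side keying and authorizer-side
recomputation.  Added example; the keyed step is an HMAC stand-in for the
pad's 3DES under an injected key (assumption, not a real pad's algorithm).
"""
import hmac
import hashlib
from dataclasses import dataclass


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Format 0: '0' + length + PIN + 'F' fill, XOR '0000' + 12 PAN digits
    to the left of the check digit."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4..12 digits")
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must have at least 13 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


@dataclass(frozen=True)
class PinRequest:
    """What actually leaves the pad: no PIN field, only the keyed blob."""
    pan: str
    txn: str
    pad_serial: str
    blob: bytes


def keyed_blob(key: bytes, pad_serial: str, txn: str, pin_block: bytes) -> bytes:
    # Stand-in for 3DES under the injected key; binds the pad serial and the
    # transaction data so a captured blob cannot be replayed on another sale.
    msg = pad_serial.encode() + b"|" + txn.encode() + b"|" + pin_block
    return hmac.new(key, msg, hashlib.sha256).digest()


class PinPad:
    def __init__(self, serial: str, injected_key: bytes):
        self.serial = serial
        self._key = injected_key     # injected by the bank's rep, never exported

    def enter_pin(self, pin: str, pan: str, txn: str) -> PinRequest:
        block = format0_pin_block(pin, pan)
        return PinRequest(pan, txn, self.serial,
                          keyed_blob(self._key, self.serial, txn, block))


class Authorizer:
    def __init__(self, pad_keys: dict, pins: dict):
        self._pad_keys = pad_keys     # pad serial -> injected key
        self._pins = pins             # PAN -> PIN on file (constructed)

    def verify(self, req: PinRequest) -> bool:
        key = self._pad_keys.get(req.pad_serial)
        pin = self._pins.get(req.pan)
        if key is None or pin is None:
            return False
        local = keyed_blob(key, req.pad_serial, req.txn,
                           format0_pin_block(pin, req.pan))
        return hmac.compare_digest(local, req.blob)


# Constructed setup: one known pad, one account.
PAD_KEY = bytes.fromhex("0123456789abcdef" * 4)
PAN = "4111111111111111"
pad = PinPad(serial="PAD-0001", injected_key=PAD_KEY)
authorizer = Authorizer({"PAD-0001": PAD_KEY}, {PAN: "1234"})


def demo() -> dict:
    txn = "txn=42;amt=2000"
    good = pad.enter_pin("1234", PAN, txn)
    bad = pad.enter_pin("1235", PAN, txn)
    rogue = PinPad("PAD-9999", b"attacker key").enter_pin("1234", PAN, txn)
    replayed = PinRequest(good.pan, "txn=42;amt=9000", good.pad_serial, good.blob)
    return {
        "good": authorizer.verify(good),
        "bad_pin": authorizer.verify(bad),
        "unknown_pad": authorizer.verify(rogue),
        "tampered_txn": authorizer.verify(replayed),
    }


if __name__ == "__main__":
    print(format0_pin_block("1234", PAN).hex())
    print(demo())
```

The request object carries no PIN field at all; an eavesdropper on the link sees the PAN, the transaction data, the pad serial and an opaque blob, and the blob is useless for a different transaction or from a pad whose key the authorizer does not hold.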
wouldn't it be interesting if this were to cause a groundswell of support for the recently proposed RFID credit cards?
First, they're not RFID cards, they're contactless smart cards, which are very different. Different frequency, different range, different capabilities, different protocols, and very different security.
Second, smart card credit cards are a good thing, and you as a credit card user should want them because they'll reduce fraud. Granted, the banks and merchants mostly bear the brunt of the fraud, not the cardholder, but since all of the money ultimately comes from our pockets that's a distinction without a difference.
Finally, your implied notion ("ack") that contactless smart cards are a bad thing for cardholders shows that you don't know anything about them. A fully-implemented EMV card:
The security in these cards is very well thought-out and banks have zero interest in intruding on your privacy, because it would piss you off. If you don't believe they're careful with your privacy, consider the fact that they already know about every purchase you make with any credit card -- how often do you get marketers calling you because they got information from your bank about a recent purchase you made on your credit card?
If you don't care to believe me about how the security is designed, please review it for yourself. Complete EMV specifications are published on the EMV web site at http://www.emvco.com.
I'm a security expert of sorts -- and fairly paranoid by nature -- and the main concerns I have with this technology will arise if the US banks decide not to fully implement the technology.
Card formats are in the original article. No PIN in the stripes. http://stripesnoop.sourceforge.net/devel/layoutst
(CVV/CVC are not your PIN, they are an additional security check. They are also different from CVV2/CVC2, which is printed on the card but not in the stripe.)
There is indeed encryption used - but it's not on the card. When you perform a transaction, *the pin you manually enter* is encrypted (with a public key tied to the merchant or particular signature capture device transaction, depending on technology used) and sent to the processor. This is decrypted and compared to what the processor has on file for you. Nothing related to the PIN on the card itself, it's solely based on what you keyed in.
Where I live, the language of preference is stored on the server.
All ATMs in Belgium can work in 4 languages, but I never had to choose a language at an ATM. So I suppose the bank knows I want to be served in Dutch.
When a foreigner uses an ATM in Belgium, he gets to choose a language. (And when I go abroad, I get to choose a language too)
so everyone went to strictly on-line authorizing in the early 1980s.
Everyone in the US did, anyway. Much of the rest of the world still does off-line transactions with magstripe. That's a big part of the reason why chip cards are being deployed so much more aggressively outside of the US, because they don't want to do on-line authentication (due to higher communications costs), and allowing off-line transactions with magstripe is just asking for high fraud rates.
In France, for example, a few years ago fraud was insanely high. Since they've gone to chip cards skimming fraud has dropped to zero and overall credit card fraud is minuscule.
I noticed a 3 track reader for $59 from Kanecal.net. This looks like a very quick and cheap approach to data extraction. The advantage of making your own is that you need not limit yourself to cards following the ISO specifications for track positions and character encodings.
The magnetic stripe standards, of course. The card is a test card I printed while I was building an ID card system for a client. The front lists the track standard and the allowed chars:
Track 1 (IATA data, max. 76 chars):
!"#$%&'()*+,-./0123456789:;<=>@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_
Track 2 (ABA data, max. 37 chars):
0123456789:;<=>
Track 3 (TTS data, max. 104 chars):
0123456789:;<=>
The allowed chars have been encoded onto the stripe on the back.
The checksum method for credit cards is well known and isn't even close to sha-1 or md4/md5 in terms of security. It isn't that much harder to break than crc32 is for programs that check their crc32 checksum. Of course it would take time unless you just happened to have a large database of active credit card numbers available such as one from Choicepoint.
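A parser for the track layouts discussed in the thread (the ISO 7811/7813 list, the "no PIN in the stripe" layout post, and the test card's character sets), with the "internal checksum" from the last-4-digits posts applied to the PAN. This is an added example, not Stripe Snoop's own code; the track strings are constructed (4111111111111111 is a well-known test PAN, the cardholder name is invented), and the LRC character a reader appends after the end sentinel is omitted.

```python
"""Parse ISO 7813 track 1 and track 2 data and Luhn-check the PAN.

Added example, not Stripe Snoop's own code.  Sample track data below is
constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Character sets from ISO 7811: track 1 uses the 64-character alphanumeric
# set (space through '_'), tracks 2 and 3 the 16-character numeric set.
TRACK1_CHARS = frozenset(chr(c) for c in range(0x20, 0x60))
TRACK2_CHARS = frozenset(chr(c) for c in range(0x30, 0x40))

# Maximum total length: the 76 / 37 data characters quoted in the thread plus
# start sentinel, end sentinel and LRC.
TRACK1_MAX = 79
TRACK2_MAX = 40

# ISO 7813 layouts: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#                   ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check over the whole PAN, check digit included."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` Luhn-valid."""
    for d in "0123456789":
        if luhn_ok(partial + d):
            return d
    raise ValueError("unreachable: exactly one digit satisfies Luhn")


@dataclass
class TrackData:
    track: int
    pan: str
    name: Optional[str]
    expiry: str                 # YYMM
    service_code: str
    discretionary: str
    luhn_valid: bool


def parse_track(raw: str) -> TrackData:
    """Parse one track; raises ValueError on bad framing or character set."""
    if raw.startswith("%"):
        track, charset, limit, rx = 1, TRACK1_CHARS, TRACK1_MAX, TRACK1_RE
    elif raw.startswith(";"):
        track, charset, limit, rx = 2, TRACK2_CHARS, TRACK2_MAX, TRACK2_RE
    else:
        raise ValueError("no start sentinel")
    if len(raw) > limit:
        raise ValueError(f"track {track} exceeds {limit} characters")
    bad = set(raw) - charset
    if bad:
        raise ValueError(f"track {track} contains illegal characters {sorted(bad)}")
    m = rx.match(raw)
    if not m:
        raise ValueError(f"track {track} does not match the ISO 7813 layout")
    g = m.groupdict()
    return TrackData(track=track, pan=g["pan"],
                     name=g.get("name", "").strip() or None,
                     expiry=g["exp"], service_code=g["svc"],
                     discretionary=g["disc"], luhn_valid=luhn_ok(g["pan"]))


def is_well_formed(raw: str) -> bool:
    try:
        parse_track(raw)
        return True
    except ValueError:
        return False


# Constructed sample data.
TRACK1_SAMPLE = "%B4111111111111111^DOE/JOHN^25121011234567890?"
TRACK2_SAMPLE = ";4111111111111111=25121011234567890?"

if __name__ == "__main__":
    for raw in (TRACK1_SAMPLE, TRACK2_SAMPLE):
        print(parse_track(raw))
    # A re-encoded card with a guessed PAN fails Luhn nine times out of ten.
    print(luhn_ok("4111111111111112"))
```

Luhn is an error-detection code, not an authenticator: it rejects a mistyped or randomly edited digit, but anyone who knows the rule can produce a number that passes it, which is exactly the point the post above makes about a large database of live numbers.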
This is purely the software writer's choice. We do write POS software and we wait until the total button is pressed. Makes a lot of sense; you don't want the customer to do any authorisation before he/she is informed how much they are going to pay.
Your PIN is four digits extracted from a hash of your account number and a single secret code. A bank's own ATMs have a tamper-proof cryptographic processor containing the secret code, so they can verify PINs without a round trip to the central server.
So, how can you change your PIN? The magnetic stripe on your card contains the difference between your chosen PIN and the real PIN. When you enter your PIN, the ATM adds in the difference and compares the result to the real PIN.
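The PIN-offset scheme sketched in the two posts above (the "natural PIN from the account number plus a difference on the stripe" post, and the earlier "any two of real PIN, offset, stored PIN" post), as an added example that is not any bank's code. The combination used here is digit-wise mod 10, which is how the IBM 3624 offset method works; the natural PIN is decimalised from an HMAC of the account number under a bank-held key, a stand-in for the 3DES-in-an-HSM step a real implementation uses. Key and account values are made up.

```python
"""PIN offset verification, IBM 3624 style.  Added example; HMAC stands in
for the HSM's 3DES, and the key and account number are constructed.
"""
import hmac
import hashlib

# Classic decimalisation table: hex digit -> decimal digit.
DECIMALISATION = str.maketrans("0123456789ABCDEF", "0123456789012345")
PIN_LEN = 4


def natural_pin(pvk: bytes, account: str) -> str:
    """The bank's 'real' PIN for an account: keyed function of the account
    number, never stored, recomputable by anything holding the key."""
    digest = hmac.new(pvk, account.encode(), hashlib.sha256).hexdigest().upper()
    return digest[:PIN_LEN].translate(DECIMALISATION)


def digitwise(a: str, b: str, sign: int) -> str:
    """a + b (sign=+1) or a - b (sign=-1), digit by digit, mod 10."""
    return "".join(str((int(x) + sign * int(y)) % 10) for x, y in zip(a, b))


def make_offset(pvk: bytes, account: str, chosen_pin: str) -> str:
    """Offset written to the magstripe: chosen PIN minus natural PIN."""
    if not (chosen_pin.isdigit() and len(chosen_pin) == PIN_LEN):
        raise ValueError("PIN must be 4 digits")
    return digitwise(chosen_pin, natural_pin(pvk, account), -1)


def verify_pin(pvk: bytes, account: str, offset: str, entered_pin: str) -> bool:
    """What the ATM's crypto processor does: natural + offset == entered?"""
    if not (offset.isdigit() and len(offset) == PIN_LEN):
        return False
    expected = digitwise(natural_pin(pvk, account), offset, +1)
    return hmac.compare_digest(expected, entered_pin)


def change_pin(pvk: bytes, account: str, old_offset: str,
               old_pin: str, new_pin: str) -> str:
    """ATM PIN change: check the old PIN, then emit a new offset for the
    stripe.  Nothing in the bank's database changes."""
    if not verify_pin(pvk, account, old_offset, old_pin):
        raise PermissionError("old PIN incorrect")
    return make_offset(pvk, account, new_pin)


# Constructed values.
PVK = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90" * 2)
ACCOUNT = "1234567890123456"


def demo() -> dict:
    # Two cards on one account, two different chosen PINs, one secret.
    husband = make_offset(PVK, ACCOUNT, "1234")
    wife = make_offset(PVK, ACCOUNT, "9876")
    # Husband changes his PIN at an ATM: only his stripe's offset changes.
    husband_new = change_pin(PVK, ACCOUNT, husband, "1234", "4321")
    return {
        "husband_ok": verify_pin(PVK, ACCOUNT, husband, "1234"),
        "wife_ok": verify_pin(PVK, ACCOUNT, wife, "9876"),
        "swapped_pins_fail": not verify_pin(PVK, ACCOUNT, husband, "9876"),
        # The old card keeps working until the new offset is written to it.
        "old_card_still_works": verify_pin(PVK, ACCOUNT, husband, "1234"),
        "new_offset_ok": verify_pin(PVK, ACCOUNT, husband_new, "4321"),
        "wife_unaffected": verify_pin(PVK, ACCOUNT, wife, "9876"),
    }


if __name__ == "__main__":
    print(demo())
```

An eavesdropper who reads the stripe learns the offset but not the PIN, and a thief who learns the PIN still needs the offset from the stripe; either one alone is useless without the bank-side key, which is the "any two of three" property the earlier post describes.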