Magnetic Stripe Snooping at Home

pbrinich writes "Have you ever wondered what information is actually stored on all those cards you have in your wallet? Well, it turns out you can find out yourself! An excellent project, Stripe Snoop started by Billy Hoffman, a Georgia Tech computer science student, contains schematics, source code and a wide variety of information about the standards used to store all sorts of information on your magnetic cards."

From the "Why Use It?" portion

[Reignking]

Open your wallet. How many cards in there have magstripes on them? Three? Four? Five? Ever wonder what was encoded on them?

I know I did. I had six cards in my wallet with magstripes. One day a friend of mine had a $200 Magstripe reader, so I ran my cards through. Aside from the expected credit card numbers, I was surprised by the amount of personal information encoded on them. In fact, for reasons I still don't know, 2 cards contained my social security number.

Hoffman

[delirium+of+disorder]

Billy Hoffman, aka Acidus, is one of the top up and comming security experts; he probably knows more about card systems and ATMs then anyone outside "the industry". I had the privilage of seeing him speak and phreaknic and hope his contributions to the hacking community continue. People like him keep the rest of us free and informed dispite the massive corporate, academic, and government powers that would have otherwise. So....Thanks!

More info....

[thoughtcr1mes]

Stripe Snoop was discussed in detail by its author on a show called Binary Revolution Radio awhile back. You can download the ep, #56, at: http://www.binrev.com/radio/archive.html/ -enjoy, it's a really good show!

Re:could be worrying

['nother+poster]

Last I checked, my PINs are by card. My PIN and my wifes PIN are different, but access the same accounts. At least for my financial institution, the pin is stored on the card, but in tripple DES encryption. When I perform a transaction, the pin I enter, and the encrypted PIN are both sent to my bank, which encrypts the PIN I enter with thier key, and compares them. No matchee, no money. When I changed my PIN a few years back, they punched my account data into a terminal, I put in the pin I wanted, and then swipped the card. When I walked back to the loby, my card worked with the new PIN, no problem.

PayByTouch

[plover]

There are companies offering just that. We looked at PayByTouch, a company that offers a "digital wallet" that you can access at participating retailers. As a customer, you go to a kiosk, register your fingerprint, and swipe the cards you want to store in the "wallet". At the point of purchase, you key your phone number and touch the fingerprint reader, and the PIN pad brings up your wallet where you can scroll through your cards and select the one you want for this transaction.

According to PayByTouch, the phone number is used as an index to speed fingerprint matching. The PBT computer located at the point of sale device turns the fingerprint data into a hash on the spot prior to sending the request over the network, so the "clear" fingerprint isn't stored or sent anywhere.

I personally thought customers would find "fingerprinting" to be too Big-Brotherish, but many pilot customers preferred the idea of using a fingerprint over carrying a wallet full of credit cards and shopper loyalty cards. But at the time we looked at them, Visa refused to certify them as being as secure as a mag stripe, so the idea died around here.

Re:DMCA time?

[JavaNPerl]

Most of the information about credit cards is contained within various ISOs. IANAL but, I don't think legal actions could be taken against software which implements a public specification. Although this project is nice, there isn't much you can't figure out about CCs by reading the specs. Personally I've found the most interesting information is contained on cards which are not well defined like student ID cards, video rental cards, etc.

ISO 7810 Physical Characteristics of Credit Card Size Document
ISO 7811-1 Embossing
ISO 7811-2 Magnetic Stripe - Low Coercivity
ISO 7811-3 Location of Embossed Characters
ISO 7811-4 Location of Tracks 1 and 2
ISO 7811-5 Location of Track 3
ISO 7811-6 Magnetic Stripe - High Coercivity
ISO 7813 Financial Transaction Cards
ISO 4909 Track 3 Data Format

my bank *does* do this

[sbma44]

Bank of America has rolled out new color touchscreen ATMs in the DC/Metro area that retrieve user preferences based on the inserted card. You have to set them the first time, of course, but then it'll pull it up automatically. In addition to language choice, it also tracks whether you want receipts (and for which transactions) and some other preferences (how much money you want when you hit "fast cash").

It's a decent system, but it's sloooow compared to the old monochrome monitors. And worse: the biggest problem is the touchscreens break all the time.

Still, the general idea seems right. Keeping the GUID on the card is the right idea.

Re:Encrypted PIN on credit cards?

It can't be "brute forced" or "cracked", any more than you can tell what the OTP enciphered message "htpn juio gowew" says without the pad. In modern banking systems it's part of a two factor system, in which you need the algorithm plus ANY TWO of the following in order to figure out the third

* Real PIN (typically stored in customer's brain, sometimes also on a PostIt stuck inside their desk drawer)

* PIN offset (stored on magstripe of card)

* Stored PIN from database (stored in a secure machine at the bank, probably along with your current balance)

You can imagine that the function used is XOR, but actually there are various methods that could work, and I've never investigated which one is used. However this system lets several moderately clever things happen...

1. You can have two cards (e.g husband and wife) for the same account with different PINs, yet store only one PIN in the database

2. ATMs can change the PIN by knowing your old and new PIN, then applying the changed offset to the magstripe.

3. By leaving the PIN unchanged and issuing a card with a different offset the bank can send you a new card, with a new PIN, without instantly disabling your old card and PIN.

4. Knowing the PIN, and having a valid card number are not sufficient to validate yourself to the ATM network. You don't know the offset that goes with that PIN, you'd have to steal (or at least read) the customer's card to get a valid offset.

5. The real PIN is never sent over the network. So if you have an opportunity to eavesdrop on bank network traffic you don't learn the PIN for anyone's card.

This is actually pretty clever stuff, the banks can be many things, but they're not stupid, you don't last long in financial circles if you are.

Re:Changing the Strip

[hackstraw]

How easy would it be to edit the data on the strips?

Its trivial. You can get a magstripe writer for a couple hundred bucks, max.

For example, would it be possible for me to take my magnetic bus ticket and easily add another 10 trips to it?

Depends on how the bus tickets are set up. If they have a unique identifier on them and it looks up your balance against a central database. No luck. If the info is stored on the ticket itself, it should be trivial. Although the paper bus and train tickets are not the same as standard CC style cards.

Interesting trivia on the subject.

Ever wonder why the person swipes your credit card and then enters the last 4 digits that are hologram embossed on the card manually?

Because its trivial to put any account number on the card.

CC numbers have an internal checksum, so you cant simply make up a number that will match the last 4 digits. The odds of reprogramming your card with an active and valid account that matches your last 4 digits printed on your card are pretty low.

Re:could be worrying

[plover]

Your PIN is never stored on your card, and hasn't been since the early 1980s. Not even in an encrypted format.

When you key your PIN, the PIN pad accepting it will encrypt the PIN along with other transactional information plus its own serial number using a key injected securely by a representative of the issuing bank.

This blob plus the other data is transmitted to an authorizer, where the account is looked up and a local copy of the blob is created. If it matches the incoming blob, it's a go.

The bank almost certainly did not encode your card in the scenario you described above. Encoding is usually done with a machine-fed stripe writer, and is almost never done by hand-swiping the stripe anymore. (The timing is usually better on machine fed devices.) What the bank most likely did was to generate a blob similar to the one I described above for transmission to their authorizing computer, who immediately stored it and activated it for use.

Yes, the original intent of mag stripes was to enable offline transactions. However, bad guys quickly figured out how to read stripes and forge PINs, so everyone went to strictly on-line authorizing in the early 1980s.

Re:Lovely...

[swillden]

wouldn't it be interesting if this were to cause a groundswell of support for the recently proposed RFID credit cards?

First, they're not RFID cards, they're contactless smart cards, which are a very different. Different frequency, different range, different capabilities, different protocols, and very different security.

Second, smart card credit cards are a good thing, and you as a credit card user should want them because they'll reduce fraud. Granted, the banks and merchants mostly bear the brunt of the fraud, not the cardholder, but since all of the money ultimately comes from our pockets that's a distinction without a difference.

Finally, your implied notion ("ack") that contactless smart cards are a bad thing for cardholders shows that you don't know anything about them. A fully-implemented EMV card:

1. Won't divulge any data other than a public key until after your PIN has been presented to it in a secure (mutually-authenticated and encrypted) session.
2. Allows transactions to be conducted off-line, making your checkout quicker for low-value transactions.
3. Can make decisions about whether or not transactions should require a real-time connection back to your bank to verify the account status. This counters the increased fraud opportunity provided by the greater convenience of fast transactions.
4. Provides very strong authentication to the transaction, making it nearly impossible for a thief to perform a "card-present" transaction without actually obtaining your card (and PIN). "Skimming" is the #1 type of credit card fraud, and these cards eliminate it.
5. With card readers built into PCs, offers a mechanism for doing "card present" on-line transactions. This will reduce the card fees paid by on-line merchants, which will (after a delay, probably) reduce your costs as well. Oh, and you can also use an EMV card to make logging into your bank's web site easier and more secure.
6. With an additional calculator-like device (or a PC and reader), offers a mechanism for doing secure over-the-phone transactions as well. Maybe in the future the cards will have a display and PIN pad integrated right into the card, eliminating the need for the extra device.
7. Offers credit card issuers to provide "value added" services on the chip. It's not clear how valuable this is; at present they're talking about things like storing your bookmarks on the card, so that you can carry them with you. It's possible that other, more useful, ideas will arise.

The security in these cards is very well thought-out and banks have zero interest in intruding on your privacy, because it would piss you off. If you don't believe they're careful with your privacy, consider the fact that they already know about every purchase you make with any credit card -- how often do you get marketers calling you because they got information from your bank about a recent purchase you made on your credit card?

If you don't care to believe me about how the security is designed, please review it for yourself. Complete EMV specifications are published on the EMV web site at http://www.emvco.com.

I'm a security expert of sorts -- and fairly paranoid by nature -- and the main concerns I have with this technology will arise if the US banks decide not to fully implement the technology.

1. They may decide that cardholders like signature authorization and don't want PINs. That would mean the card would have to be willing to communicate with anyone and it would become possible for handheld readers to collect card numbers in a crowd. Personally, I would love to use a PIN rather than signing. Signing is slow, and inherently must be done at the end of the process, meaning it can't be parallelized. With chip and PIN, I can insert my card and enter my PIN while the cashier is still scanning my items. As soon as (s)he's done, the transaction can be executed, which takes <2 seconds, including printing th

Re:could be worrying

[swillden]

so everyone went to strictly on-line authorizing in the early 1980s.

Everyone in the US did, anyway. Much of the rest of the world still does off-line transactions with magstripe. That's a big part of the reason why chip cards are being deployed so much more aggressively outside of the US, because they don't want to do on-line authentication (due to higher communications costs), and allowing off-line transactions with magstripe is just asking for high fraud rates.

In France, for example, a few years ago fraud was insanely high. Since they've gone to chip cards skimming fraud has dropped to zero and overall credit card fraud is miniscule.