Slashdot Mirror

← Back to Stories (view on slashdot.org)

Magnetic Stripe Snooping at Home

Posted by ryuzaki0 on from the because-you-can dept.

pbrinich writes "Have you ever wondered what information is actually stored on all those cards you have in your wallet? Well, it turns out you can find out yourself! An excellent project, Stripe Snoop started by Billy Hoffman, a Georgia Tech computer science student, contains schematics, source code and a wide variety of information about the standards used to store all sorts of information on your magnetic cards."

6 of 397 comments (clear)

  1. More info.... by thoughtcr1mes · · Score: 5, Informative

    Stripe Snoop was discussed in detail by its author on a show called Binary Revolution Radio awhile back. You can download the ep, #56, at: http://www.binrev.com/radio/archive.html/ -enjoy, it's a really good show!

  2. Re:could be worrying by 'nother+poster · · Score: 5, Informative

    Last I checked, my PINs are by card. My PIN and my wifes PIN are different, but access the same accounts. At least for my financial institution, the pin is stored on the card, but in tripple DES encryption. When I perform a transaction, the pin I enter, and the encrypted PIN are both sent to my bank, which encrypts the PIN I enter with thier key, and compares them. No matchee, no money. When I changed my PIN a few years back, they punched my account data into a terminal, I put in the pin I wanted, and then swipped the card. When I walked back to the loby, my card worked with the new PIN, no problem.

  3. PayByTouch by plover · · Score: 5, Informative
    There are companies offering just that. We looked at PayByTouch, a company that offers a "digital wallet" that you can access at participating retailers. As a customer, you go to a kiosk, register your fingerprint, and swipe the cards you want to store in the "wallet". At the point of purchase, you key your phone number and touch the fingerprint reader, and the PIN pad brings up your wallet where you can scroll through your cards and select the one you want for this transaction.

    According to PayByTouch, the phone number is used as an index to speed fingerprint matching. The PBT computer located at the point of sale device turns the fingerprint data into a hash on the spot prior to sending the request over the network, so the "clear" fingerprint isn't stored or sent anywhere.

    I personally thought customers would find "fingerprinting" to be too Big-Brotherish, but many pilot customers preferred the idea of using a fingerprint over carrying a wallet full of credit cards and shopper loyalty cards. But at the time we looked at them, Visa refused to certify them as being as secure as a mag stripe, so the idea died around here.

    --
    John
  4. Re:Encrypted PIN on credit cards? by Anonymous Coward · · Score: 5, Informative

    It can't be "brute forced" or "cracked", any more than you can tell what the OTP enciphered message "htpn juio gowew" says without the pad. In modern banking systems it's part of a two factor system, in which you need the algorithm plus ANY TWO of the following in order to figure out the third

    * Real PIN (typically stored in customer's brain, sometimes also on a PostIt stuck inside their desk drawer)

    * PIN offset (stored on magstripe of card)

    * Stored PIN from database (stored in a secure machine at the bank, probably along with your current balance)

    You can imagine that the function used is XOR, but actually there are various methods that could work, and I've never investigated which one is used. However this system lets several moderately clever things happen...

    1. You can have two cards (e.g husband and wife) for the same account with different PINs, yet store only one PIN in the database

    2. ATMs can change the PIN by knowing your old and new PIN, then applying the changed offset to the magstripe.

    3. By leaving the PIN unchanged and issuing a card with a different offset the bank can send you a new card, with a new PIN, without instantly disabling your old card and PIN.

    4. Knowing the PIN, and having a valid card number are not sufficient to validate yourself to the ATM network. You don't know the offset that goes with that PIN, you'd have to steal (or at least read) the customer's card to get a valid offset.

    5. The real PIN is never sent over the network. So if you have an opportunity to eavesdrop on bank network traffic you don't learn the PIN for anyone's card.

    This is actually pretty clever stuff, the banks can be many things, but they're not stupid, you don't last long in financial circles if you are.

  5. Re:could be worrying by plover · · Score: 5, Informative
    Your PIN is never stored on your card, and hasn't been since the early 1980s. Not even in an encrypted format.

    When you key your PIN, the PIN pad accepting it will encrypt the PIN along with other transactional information plus its own serial number using a key injected securely by a representative of the issuing bank.

    This blob plus the other data is transmitted to an authorizer, where the account is looked up and a local copy of the blob is created. If it matches the incoming blob, it's a go.

    The bank almost certainly did not encode your card in the scenario you described above. Encoding is usually done with a machine-fed stripe writer, and is almost never done by hand-swiping the stripe anymore. (The timing is usually better on machine fed devices.) What the bank most likely did was to generate a blob similar to the one I described above for transmission to their authorizing computer, who immediately stored it and activated it for use.

    Yes, the original intent of mag stripes was to enable offline transactions. However, bad guys quickly figured out how to read stripes and forge PINs, so everyone went to strictly on-line authorizing in the early 1980s.

    --
    John
  6. Re:Lovely... by swillden · · Score: 5, Informative

    wouldn't it be interesting if this were to cause a groundswell of support for the recently proposed RFID credit cards?

    First, they're not RFID cards, they're contactless smart cards, which are a very different. Different frequency, different range, different capabilities, different protocols, and very different security.

    Second, smart card credit cards are a good thing, and you as a credit card user should want them because they'll reduce fraud. Granted, the banks and merchants mostly bear the brunt of the fraud, not the cardholder, but since all of the money ultimately comes from our pockets that's a distinction without a difference.

    Finally, your implied notion ("ack") that contactless smart cards are a bad thing for cardholders shows that you don't know anything about them. A fully-implemented EMV card:

    1. Won't divulge any data other than a public key until after your PIN has been presented to it in a secure (mutually-authenticated and encrypted) session.
    2. Allows transactions to be conducted off-line, making your checkout quicker for low-value transactions.
    3. Can make decisions about whether or not transactions should require a real-time connection back to your bank to verify the account status. This counters the increased fraud opportunity provided by the greater convenience of fast transactions.
    4. Provides very strong authentication to the transaction, making it nearly impossible for a thief to perform a "card-present" transaction without actually obtaining your card (and PIN). "Skimming" is the #1 type of credit card fraud, and these cards eliminate it.
    5. With card readers built into PCs, offers a mechanism for doing "card present" on-line transactions. This will reduce the card fees paid by on-line merchants, which will (after a delay, probably) reduce your costs as well. Oh, and you can also use an EMV card to make logging into your bank's web site easier and more secure.
    6. With an additional calculator-like device (or a PC and reader), offers a mechanism for doing secure over-the-phone transactions as well. Maybe in the future the cards will have a display and PIN pad integrated right into the card, eliminating the need for the extra device.
    7. Offers credit card issuers to provide "value added" services on the chip. It's not clear how valuable this is; at present they're talking about things like storing your bookmarks on the card, so that you can carry them with you. It's possible that other, more useful, ideas will arise.

    The security in these cards is very well thought-out and banks have zero interest in intruding on your privacy, because it would piss you off. If you don't believe they're careful with your privacy, consider the fact that they already know about every purchase you make with any credit card -- how often do you get marketers calling you because they got information from your bank about a recent purchase you made on your credit card?

    If you don't care to believe me about how the security is designed, please review it for yourself. Complete EMV specifications are published on the EMV web site at http://www.emvco.com.

    I'm a security expert of sorts -- and fairly paranoid by nature -- and the main concerns I have with this technology will arise if the US banks decide not to fully implement the technology.

    1. They may decide that cardholders like signature authorization and don't want PINs. That would mean the card would have to be willing to communicate with anyone and it would become possible for handheld readers to collect card numbers in a crowd. Personally, I would love to use a PIN rather than signing. Signing is slow, and inherently must be done at the end of the process, meaning it can't be parallelized. With chip and PIN, I can insert my card and enter my PIN while the cashier is still scanning my items. As soon as (s)he's done, the transaction can be executed, which takes <2 seconds, including printing th
    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.