Slashdot Mirror

← Back to Stories (view on slashdot.org)

Magnetic Stripe Snooping at Home

Posted by ryuzaki0 on from the because-you-can dept.

pbrinich writes "Have you ever wondered what information is actually stored on all those cards you have in your wallet? Well, it turns out you can find out yourself! An excellent project, Stripe Snoop started by Billy Hoffman, a Georgia Tech computer science student, contains schematics, source code and a wide variety of information about the standards used to store all sorts of information on your magnetic cards."

23 of 397 comments (clear)

  1. Missing Information by jgbishop · · Score: 4, Insightful

    I'm just shocked at what *isn't* on my cards. For example, every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish. Shouldn't that information be on the card? I mean, the card is *mine* - they know who I am. Surely that should indicate what language I speak...

    --
    Go, and never darken my towels again! -- Rufus
    1. Re:Missing Information by Anonymous Coward · · Score: 2, Insightful

      Actually there is a place for this on the stripe but since many Banks do not issue cards with this information:

      a) Another Bank cannot assume the information is correct
      b) The Bank that does not do this reliably itself has to assume everyone else is just as reliable (at its own ATMs)
      c) The Bank that does do this reliably assumes that no one else does (see b)

      So the result is that only if you are at one of you own Bank's ATM's and they know they do it reliably will you be likely to get the correct language dialog offered by default.

    2. Re:Missing Information by swillden · · Score: 5, Insightful

      I'm just shocked at what *isn't* on my cards. For example, every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish.

      Well, if you were the engineering committee assigned the task of defining the standard data structures to be placed on all ATM cards, thinking about account codes, card verification codes, etc., and realizing that you have limited space to work with without adding more tracks (meaning more expensive readers and perhaps even slightly more expensive cards), would it have occurred to you to put the cardholder's language preference in there?

      I can tell yout that it wouldn't have occurred to me. And these data layouts can't be changed without going through a formal standards process, because they have to work in every ATM in the world (and now at many grocery stores, department stores, etc.).

      So, I'm not surprised at all that that data isn't there. If you want to be surprised by this, you should probably be surprised that the bank didn't choose to store your language preference in their database and then look it up when you swipe your card. That's the sort of feature that a bank can offer to its own customers at its own ATMs without having to get the rest of the world to agree.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Missing Information by should_be_linear · · Score: 2, Insightful

      Well, everything is online AFAIK, so good SW engeneer will tell you that it needs only unique GUID of person to be stored on the card. Everything else ATM can download from the central (distributed) server. Adding new informations/functions only requires update/inovation on ATM side, not changing cads.

      --
      839*929
    4. Re:Missing Information by Grishnakh · · Score: 2, Insightful

      All official business in the US is done in English. I see nothing wrong with assuming US residents know English, and letting them select otherwise later.

    5. Re:Missing Information by Politburo · · Score: 2, Insightful

      I would think that this was done for security. If a malicious person had a person's card and PIN, and wanted to lock someone out of the account, they couldn't do so immediately, and if they did not have access to the person's mail, they would be SOL. I don't think that them sending you a new card means that the PIN is definitely embedded in the stripe. That doesn't seem logical.

  2. Time to start the over/under pool by aendeuryu · · Score: 5, Insightful

    Since one of the listed articles talks about common security blunders with cards, it's time to start the over/under pool on how long it takes before this guy gets shut down by some corporation claiming DMCA violations.

    I call one week.

  3. DMCA time? by newdamage · · Score: 1, Insightful

    I think this is a very cool project, but somehow I don't think it'll be out there very long. I'm sure the credit card companies, or some other large corporation will be doing the DMCA smackdown dance soon enough, claiming this software could only be used for criminal purposes and serves no academic purpose.

    --
    ce n'est pas un Sig.
    1. Re:DMCA time? by Anonymous Coward · · Score: 1, Insightful

      Doubtful. There is no reverse-engineering here, nor are any protections being overcome. That dude built a reader that does the very thing you're supposed to do with a magnetic stripe. How information is stored on these stripes is pretty much standardized and has been public knowledge for ages.

    2. Re:DMCA time? by swillden · · Score: 3, Insightful

      The DMCA's anti-circumventions provisions only apply to (a) copyrighted materials that are (b) "protected" by an anti-copying technology. Account codes and cardholder info are pure data, which is not copyrightable, and there is no anti-copying technology applied here, so there's nothing to circumvent.

      So, no, the DMCA doesn't apply.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Inspired by article in Make? by Anonymous Coward · · Score: 1, Insightful

    Hmm, I wonder whether it is just a coincidence that the first issue of Make had an article explaining how to hoook up a cheap mag-stripe reader to your computer and use Stripe Snoop to read it.

  5. Nothing new to thieves by szlevente · · Score: 5, Insightful

    I don't think articles such as this one will bring anything new to those who are in the business of credit card stealing. But it should serve as an eye-opener and for raising awareness for the average card user. Being a little more careful with that card should help a lot, I guess. Besides, I let the bank use my money for a reason, right? They should take the risk on themselves...

  6. Your worries are misplaced by Laurentiu · · Score: 3, Insightful

    The average Joe is very careful with his plastics, and won't loose the suspicious waiter from his sights while the later handles his credit card. The same Joe will thoughtlessly type away his credit card number as a means of "age verification" in some random Paris Hilton pictorial site.

    A hacker getting through his poorly set up XP box and stealing his credit card number is more dangerous than a device needing the presence of a physical card. And, of course, there are this kind of occurences, which are the most worrying of all.

    --
    Just /. IT
  7. Re:Encrypted PIN on credit cards? by rhombic · · Score: 3, Insightful

    "it can't be too hard to brute force number-only PINs."

    Yeah, especially since all the ATM cards I've ever used use only four digit PINs (securing all of your cash with a 14bit key???)

    I doubt if you'd even have to brute force it. Look in the right places, you can probably find the hashing algorithm (even if they're not using something obvious, which they probably are). Just generate all 10000 hashes and use it as a lookup table for all the cards you can get your hands on. Yikes.

    --
    1984 was supposed to be a warning, not an instruction manual.
  8. The proper place for this information...l by wowbagger · · Score: 3, Insightful

    The proper place for information like language preference is not on the card, but rather in the bank's database that the ATM accesses.

    Ideally, when the card is first inserted the ATM will ask for non-secure data from the bank - things like language pref and such. If the card is NOT valid, the bank could send back default data (to prevent using that to ease checking of forged cards).

    By seperating the prefs from the card, you can update the card without losing the prefs.

    (Slashbots: Notice that the word is losing, not loosing!)

    --
    www.eFax.com are spammers
  9. Truth does not matter by jimbro2k · · Score: 2, Insightful

    We can still sue you for possible DMCA violations and watch you impoverish yourself trying to defend yourself. It is the (not-so-new) common strategy to shut people up.
    Whether or not this is an actual DMCA violation does not matter.

    --
    There is not nearly enough love in the world, but there is far too much trust.
  10. Re:Why do I get the impression by DigitalSorceress · · Score: 3, Insightful
    "Can someone point out why Stripe Snoop is better than my solution?"
    Not just because it's cheaper, but the author of Stripe Snoop is showing people how to build their own from parts (encouraging an interest in Electronics) as well as providing Open Source software that not only reads from the hardware he built, but also will deal with data from your reader, and provides added functionality (as the article compares) sort of like a CDDB that will help you figure out what some of the data means... Software you can take apart and put back together again in your own way to maybe learn something and create something new by building on his work.
    --

    The Digital Sorceress
  11. Wager... by http101 · · Score: 2, Insightful

    I'll give him 2 days before the DMCA guys come knockin' on his dorm-room door.

    --
    -- Game Developers: Stop porting badly-textured games from crappy console systems!
  12. Re:Encrypted PIN on credit cards? by fixer007 · · Score: 2, Insightful

    Not really... As said earlier the 'PIN' on the card is not actually the PIN at all. It is merely an offset which is used along with a DES key and the PAN to calculate the real PIN. Your bank may either store the real PIN on their host system or use this offset calculation method. The PIN is transmitted over the line during a transaction (unless the ATM verifies for you). It is either DES or TDES encrypted, so technically that could be brute-forced.

  13. Re:Waay back when I was a youngun by atomic_toaster · · Score: 2, Insightful

    ...after-hours door-entry things at bank ATMs... Invariably, any such door I've tried will respond to any magnetic card at all. What is the point of these?

    Especially since most people will be polite and hold the door open for someone behind them... It doesn't even keep homeless people from sheltering in the ATM vestibule, because they just have to wait for someone to go in the door and then slip into the vestibule before the door closes. All the swipe-card locks on ATM vestibules do is make it more annoying to get into the building in the winter, when it means that you have to take your gloves off in the freezing cold to get that stupid card out of your wallet. Yeesh.

  14. Re:University IDs by whovian · · Score: 2, Insightful

    the university eventually admitted that they do store data, and sent the guy a copy of his records, which indicate to the second when and where he swiped his card, in addition to when he went to the gym, how much he bought at the dining halls, etc. So much for privacy. ... We're trying to contact some people in the school media and administration and have something done.

    Have you asked whether they will assign you a new non-SSN ID at your request?

    Kudos for taking the noble approach. In this day and age, I would be tempted to dangle this in front of national media and suggest how victim identity theft is, well, a kind of internal terrorism.

    I'm serious about this because it seems everything *else* is being done to protect people from harm from others as well as themselves and to protect corporations/businesses from people. Why does it seem that government stops short here? Is it to allow businesses to sell "protection services" for your private perosnal info?

    --
    To-do List: Receive telemarketing call during a tornado warning. Check.
  15. A testament to the strength of GPL by bshroyer · · Score: 2, Insightful

    Is that those who disagree vehemently with the politics of RMS can still see the GPL for what it is: the Right Way to license software, if you want to see it live, grow, and prosper.

    --
    The cure for cancer is coming: Reovirus
  16. Re:University IDs by dave420 · · Score: 4, Insightful
    What do you mean privacy? Someone could follow you around, quite legally, and make a note of ALL of that information. That's just as legal.

    I'm not being weird here, but if you're in public you don't have a right to privacy. That's why it's called public and not private.

    Fair enough if they were spying in your private residence or something, but seeing when you go into a room is nothing. Especially considering it's their university, so like you in your house, can do anything that doesn't violate a law. As they violated no laws, it's all cool.