Slashdot Mirror

← Back to Stories (view on slashdot.org)

Magnetic Stripe Snooping at Home

Posted by ryuzaki0 on from the because-you-can dept.

pbrinich writes "Have you ever wondered what information is actually stored on all those cards you have in your wallet? Well, it turns out you can find out yourself! An excellent project, Stripe Snoop started by Billy Hoffman, a Georgia Tech computer science student, contains schematics, source code and a wide variety of information about the standards used to store all sorts of information on your magnetic cards."

10 of 397 comments (clear)

  1. Missing Information by jgbishop · · Score: 4, Insightful

    I'm just shocked at what *isn't* on my cards. For example, every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish. Shouldn't that information be on the card? I mean, the card is *mine* - they know who I am. Surely that should indicate what language I speak...

    --
    Go, and never darken my towels again! -- Rufus
    1. Re:Missing Information by swillden · · Score: 5, Insightful

      I'm just shocked at what *isn't* on my cards. For example, every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish.

      Well, if you were the engineering committee assigned the task of defining the standard data structures to be placed on all ATM cards, thinking about account codes, card verification codes, etc., and realizing that you have limited space to work with without adding more tracks (meaning more expensive readers and perhaps even slightly more expensive cards), would it have occurred to you to put the cardholder's language preference in there?

      I can tell yout that it wouldn't have occurred to me. And these data layouts can't be changed without going through a formal standards process, because they have to work in every ATM in the world (and now at many grocery stores, department stores, etc.).

      So, I'm not surprised at all that that data isn't there. If you want to be surprised by this, you should probably be surprised that the bank didn't choose to store your language preference in their database and then look it up when you swipe your card. That's the sort of feature that a bank can offer to its own customers at its own ATMs without having to get the rest of the world to agree.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Time to start the over/under pool by aendeuryu · · Score: 5, Insightful

    Since one of the listed articles talks about common security blunders with cards, it's time to start the over/under pool on how long it takes before this guy gets shut down by some corporation claiming DMCA violations.

    I call one week.

  3. Nothing new to thieves by szlevente · · Score: 5, Insightful

    I don't think articles such as this one will bring anything new to those who are in the business of credit card stealing. But it should serve as an eye-opener and for raising awareness for the average card user. Being a little more careful with that card should help a lot, I guess. Besides, I let the bank use my money for a reason, right? They should take the risk on themselves...

  4. Your worries are misplaced by Laurentiu · · Score: 3, Insightful

    The average Joe is very careful with his plastics, and won't loose the suspicious waiter from his sights while the later handles his credit card. The same Joe will thoughtlessly type away his credit card number as a means of "age verification" in some random Paris Hilton pictorial site.

    A hacker getting through his poorly set up XP box and stealing his credit card number is more dangerous than a device needing the presence of a physical card. And, of course, there are this kind of occurences, which are the most worrying of all.

    --
    Just /. IT
  5. Re:DMCA time? by swillden · · Score: 3, Insightful

    The DMCA's anti-circumventions provisions only apply to (a) copyrighted materials that are (b) "protected" by an anti-copying technology. Account codes and cardholder info are pure data, which is not copyrightable, and there is no anti-copying technology applied here, so there's nothing to circumvent.

    So, no, the DMCA doesn't apply.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. Re:Encrypted PIN on credit cards? by rhombic · · Score: 3, Insightful

    "it can't be too hard to brute force number-only PINs."

    Yeah, especially since all the ATM cards I've ever used use only four digit PINs (securing all of your cash with a 14bit key???)

    I doubt if you'd even have to brute force it. Look in the right places, you can probably find the hashing algorithm (even if they're not using something obvious, which they probably are). Just generate all 10000 hashes and use it as a lookup table for all the cards you can get your hands on. Yikes.

    --
    1984 was supposed to be a warning, not an instruction manual.
  7. The proper place for this information...l by wowbagger · · Score: 3, Insightful

    The proper place for information like language preference is not on the card, but rather in the bank's database that the ATM accesses.

    Ideally, when the card is first inserted the ATM will ask for non-secure data from the bank - things like language pref and such. If the card is NOT valid, the bank could send back default data (to prevent using that to ease checking of forged cards).

    By seperating the prefs from the card, you can update the card without losing the prefs.

    (Slashbots: Notice that the word is losing, not loosing!)

    --
    www.eFax.com are spammers
  8. Re:Why do I get the impression by DigitalSorceress · · Score: 3, Insightful
    "Can someone point out why Stripe Snoop is better than my solution?"
    Not just because it's cheaper, but the author of Stripe Snoop is showing people how to build their own from parts (encouraging an interest in Electronics) as well as providing Open Source software that not only reads from the hardware he built, but also will deal with data from your reader, and provides added functionality (as the article compares) sort of like a CDDB that will help you figure out what some of the data means... Software you can take apart and put back together again in your own way to maybe learn something and create something new by building on his work.
    --

    The Digital Sorceress
  9. Re:University IDs by dave420 · · Score: 4, Insightful
    What do you mean privacy? Someone could follow you around, quite legally, and make a note of ALL of that information. That's just as legal.

    I'm not being weird here, but if you're in public you don't have a right to privacy. That's why it's called public and not private.

    Fair enough if they were spying in your private residence or something, but seeing when you go into a room is nothing. Especially considering it's their university, so like you in your house, can do anything that doesn't violate a law. As they violated no laws, it's all cool.