Magnetic Stripe Snooping at Home
pbrinich writes "Have you ever wondered what information is actually stored on all those cards you have in your wallet? Well, it turns out you can find out yourself! An excellent project, Stripe Snoop started by Billy Hoffman, a Georgia Tech computer science student, contains schematics, source code and a wide variety of information about the standards used to store all sorts of information on your magnetic cards."
This would be interesting to use for some open source point of sale systems... *Project ideas flying through head*
Linux is like a teepee. It has no windows, no gates, and there's an Apache inside.
wouldn't it be interesting if this were to cause a groundswell of support for the recently proposed RFID credit cards? ack...
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
One of the screenshots shows that there's an encrypted PIN stored on credit cards. How soon before we are able to decrypt that? Then all a thief needs is a magstripe reader, this free program, and the decrypter program, to start his business.
Even if it's irreversible, it can't be too hard to brute force number-only PINs.
Yah know - I have wondered that myself so many damned times.
Hell, just put my PIN on there while we're at it. Just put in a fingerprint reader for some biometric authentication.
Now that'd be nice. Just get rid of the card altogether, pay for that purchase with a fingerprint.
Ugh, I better stop, someone is bound to be watching and realize that's a great way to generate a more accurate, more complete, and constantly updated finger print database....
I've actually done this myself: purchased the magnetic reader, some electrical parts, soldered the thing together. Once I had things going, when you swipe say a Visa, it lists the card #, the expiry date, and the issuing bank. I've also tried it with a bank card, and it does list the bank card #, and an 'encrypted PIN', which, if I understand correctly, is encrypted with triple DES (that's what I remember, I may be wrong). I also swiped my University student card, but can't yet make out what it has stored. Finally, I swiped an M&M Meat Shops Max Member card and all it has on it is the max member #, nothing more. Also, the person I did this with created some shims to raise the card so as to read the 2nd and 3rd track. It was overall a neat project.
There is another kind of evil which we must fear most, and that is the indifference of good men. -- Boondock Saints
you can use it (like he did) to build your own coke machine....
http://www.yak.net/acidus/magstripe/coke.html
That's why, when you go to an ATM and put your PIN in, you could put the wrong one in and it isn't going to tell you until you actually make the withdrawal/deposit. It has to connect to whatever-the-hell-it-connects-to and send it the PIN info, account info and the request, and if the PIN is invalid, then it spits out your card and tells you that you messed up.
:O
I wonder if the information sent to whatever-the-hell-it-is is encrypted...
You didn't read the small print:
This card is the property of The Big Bank and will remain so. The Big Bank reserves the right to demand the return of the card at any time.
Old COBOL programmers never die. They just code in C.
How easy would it be to edit the data on the strips?
For example, would it be possible for me to take my magnetic bus ticket and easily add another 10 trips to it?
I bought a magstripe reader that connects to the keyboard port of my laptop and looks like a keyboard. Don't need any special software to read the output because it emulates key presses. I just go into the emacs scratch buffer and swipe the card. The reader even puts end-of-line characters at the end of each track.
Can someone point out why Stripe Snoop is better than my solution?
John.
And these data layouts can't be changed without going through a formal standards process, because they have to work in every ATM in the world (and now at many grocery stores, department stores, etc.).
Well I *am* surprised they don't have an extensible system, e.g. define tag 0xf0 as owner language, ignore tags you don't understand, etc.
BTW, I am a contractor and we use the same types of cards you are talking about. Not in the office I work at, but at other offices we have. In one office I can think of, the doors actually authenticate you _and_ open automatically as you walk towards them. Pretty neat stuff.
It's the battle of the minds, and everyone's unarmed.
The first issue of Make had a whole article, with parts list and clear directions, on how to attach a card reader to your computer and use the Stripe Snoop software to read off the information.
I'm an undergrad student in the University of Maryland system. I managed to write some simple C and Perl programs a while back for a reader I obtained, and ran quite a few cards through them. I found that our university-issued ID cards have our social security numbers stored on them, unencrypted. A friend filed some public information act requests asking whether the university stored data such as the time and locations of card swipes, and whether that data was attached to the student in any way. After initially denying this, the university eventually admitted that they do store data, and sent the guy a copy of his records, which indicate to the second when and where he swiped his card, in addition to when he went to the gym, how much he bought at the dining halls, etc. So much for privacy. I'm no engineer or programmer, and I was able to do this fairly easily; it can't be that hard to build an intercept and install it within a reader that's attached to a door, and voila - hundreds of SSNs. We're trying to contact some people in the school media and administration and have something done.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Feel free to go google DMCA abuse. There's about 100,000 hits, and you might find one or two in there that might lead you to understand WHY it's reasonable to think that a corporation might go after this, using the DMCA as a weapon, because they've done it before.
The FatWallet one is particularly educational. I invite you to go read it. It's even less applicable to the DMCA than card-stripe reading, and it happened anyway.
In Europe it is quite common for the ATMs to automatically work out what language you speak, and automatically present you with an interface in that language.
This works solely by the ATM recognising which bank your card is from. For instance, mine is Barclays, which the ATM knows is a UK bank, so many ATMs in France present me with an English interface by default. I would strongly expect all European ATMs with this ability to present all US cardholders with an English language by default (Spanish-speaking US citizens aren't common tourists).
However this breaks when your country speaks more than one language. I'd expect all ATMs to be very confused about which language a Swiss cardholder prefers; Switzerland has German, French and regional languages as official languages. Belgians probably get a choice of Dutch or French too.
There are also regional variations. For example, when using my Barclays ATM card in Wales [1], I sometimes get the option for the interface in Welsh or English, because Barclays customers in Wales might prefer Welsh over English (for instance, my uncle prefers Welsh for conversing about money and family, but English for talking about science and technology).
So it can be done, but they don't dial back to HQ for your individual preference; the ATMs generally only recognise the default language of your bank. If your bank speaks both Spanish and English, then most ATMs aren't going to know any better.
[1] Wales and England are Kingdoms [2] of the United Kingdom in the same way that California and Texas are States of the United States. The UK isn't just England, any more than the US is just California.
[2] Actually, Wales is a Principality (ruled by a Prince/Princess, not a King/Queen), not a Kingdom, but you get the idea.
Andrew Oakley - www.aoakley.com
This makes me think of the after-hours door-entry things at bank ATMs, where you have to insert a card in order to unlock the door to the vestibule where the ATM is. Invariably, any such door I've tried will respond to any magnetic card at all.
What is the point of these? Obviously not security. I suppose it must be to keep homeless people out, since they are least likely to carry any kind of magnetic card.
-b
myselfmusic
Q: Why did you release Stripe Snoop under the GPL?
A: Well, it's not because I like Richard Stallman, that's for sure. I don't believe that all code should be Free Software, and think he is pretty much a coding communist. One of the reasons Stripe Snoop was created was the lack of cheap or quality magstripe software, especially software that would run on Linux. I have worked very hard on Stripe Snoop, and the last thing I want is for the very companies that have expensive, crappy software to use my code without contributing code themselves. In this regard the GPL provides the protections I want, even if I disagree with most of its creator's politics.
Interesting to see a "security expert" (see earlier post--I can't verify this opinion) who thinks RMS is a code communist.
A very simple way is to buy a PS/2 magnetic card reader and open up your favorite text editor. Swipe a card and all the info appears. In my state the driver's license has a strip too, with lots of information on it.
hack a day
I'm sure things have changed a lot in how the ATM networks work, and such a scheme may be feasible now, but this wouldn't have fit the model they had when first introduced. Throughout the 1970s, my mother, father, and step-father all wrote code for banking terminal systems and some of the first ATMs. From them I learned:
There was one round trip to the bank's central computers after you had entered everything for the transaction. I assume this was for scalability. The ATM would collect your card number, PIN, and transaction request and send it as a single request to the central computer. That's why they wouldn't tell you about a mistyped PIN until you had entered everything else for your transaction. Transactions were stored in a secondary database which was posted to your real account record overnight.
In the good old days, the bank didn't assign a PIN for you, store it in a database (which could be snooped by employees), print it on paper (which could be discovered by anyone), and send it to you in the mail (which could be stolen). Instead, to activate your account, you went to your local branch. A teller would come out to the ATM with you, put his/her card into the machine, enter his/her PIN, then insert your card, and finally turn his/her back while you entered a PIN of your choice. PINs were hashed in the ATM and the bank only ever had the hash, not the original value.
Cute young lady walks up to you.
"Oh hi, you're cute.
Can I get your phone number?
Great, hold my drink while I write it down."
She goes home pulls your print from the cup, makes a false fingertip.
You get cleaned out.
"I'm not high, just stupid" --JY
In the good old days, the bank didn't assign a PIN for you, store it in a database (which could be snooped by employees), print it on paper (which could be discovered by anyone), and send it to you in the mail (which could be stolen).
My bank (Bank of New York) doesn't discuss PINs, ever. If you need a new one, get to a branch. When I set my PIN, it was similar to what you describe, except we did not use the ATM, just a standalone reader and keypad that I assume was hooked into their central system. I figured every bank did it this way, but based on your language, that is apparently not the case.
I'm just shocked at what *isn't* on my cards. For example, every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish. Shouldn't that information be on the card? I mean, the card is *mine* - they know who I am. Surely that should indicate what language I speak...
Working for a bank, this one should be a home run, and a shameless plug... except that I'm not going to name my employer. There are several different reasons why that stuff isn't stored on a card itself. The two biggest are bandwidth and the availability of equipment to re-encode a card with your preferences.
However, that does not mean that the ATM network servers cannot store your preferences. The bank I work for has begun rolling out a "My Preferences" feature on the new Diebold ATMs. It lets you set a language, receipt option (yes/no), fast cash amount, and some other options. When you stick your card in, not only does it authenticate your PIN, but it pulls your preference file from the server. You can make updates any time from the on-screen selections. It's pretty neat; you can cut at least three screens out by setting up those default responses.
It has been interesting to see the marketing stats on how many times customers interface with the ATM before they decide to press the "Set up My Preferences" button. Right now the average is about 3 for those that are going to use the feature.
And just for more information, track 2 has space for only 40 bytes of numeric data (it's a 4-bit character set that has no alpha capacity). It has provisions for a country code, but only for cards in a specific format. The country code is to be used primarily to determine and display exchange rates to the cardholder. Currently, most credit cards issued in the United States use anywhere from 29 to 36 of the 40 available bytes. Many European cards use 33 to all 40. And some cards violate the standards, and exceed the maximums. Customers of these banks get turned away by retailers whose driver software refuses to parse these tracks.
Any remaining space not covered by the required fields falls into a "discretionary data" field. This can be anywhere from 0 to 11 digits. Typically banks place a random nonce into the cards to ensure that the stripe could not be created without the card present.
Technically, a specific bank could choose to issue cards that have an ISO language code embedded in their own discretionary data field, and could program their ATMs to respond to their cards. (They could also choose to have their own 0-9 language code, offering ATM services in one of 10 languages.) But any such system would be proprietary, and would not be respected outside of their own private network. That's why people see "Retrieving preferences" messages: the card is looked up first, and the preferences are transmitted back to the ATM. This method can be implemented by any ATM system, and will work regardless of what the issuing bank does on the mag stripes.
Something else to keep in mind is that mag stripes turn over very slowly. That means you cannot just change the stripe format and expect magic to happen overnight. These cards are issued at great expense once every four years or so. I believe it costs somewhere around $2.50 or $3.00 to create and mail a new card. Multiply that by a million card holders, and that's an expense you want to avoid as much as possible.
Finally, keep in mind that all this is based on 1970s era technology, and was developed with a distinctly American bias. Languages and disabilities were not a part of the landscape of the era.
John
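The track 2 layout John describes above (numeric PAN, separator, expiry, service code, discretionary tail, 40-character ceiling) and the track 1 layout the Visa-swipe poster saw (card number, name, expiry) are both ISO 7813 formats, and the keyboard-wedge readers mentioned earlier in the thread simply type each track out as a line ending in the `?` sentinel. The parser below is an added example written for this page; it is not code from Stripe Snoop or from any poster. It applies the Luhn check digit test to the PAN (bank cards pass it, loyalty and student cards generally do not), reports the track length against the ISO maximum instead of refusing to parse the out-of-spec cards John mentions, and exposes the discretionary field where the issuer's nonce lives. The sample swipe is constructed from the well-known `4111111111111111` test number, not a real card; the `SAMPLE_SWIPE` constant, the `Track` dataclass and the function names are this example's own.

```python
"""Parser for ISO 7813 track 1 and track 2 data as typed out by a keyboard-wedge
magstripe reader: one track per line, start sentinel ('%' or ';') through end
sentinel ('?'). Added example, not code from Stripe Snoop or from any poster.
The sample swipe is constructed from the 4111111111111111 Visa test number."""
from dataclasses import dataclass
from typing import List, Optional

TRACK1_MAX = 79  # max characters on track 1, sentinels included (ISO 7813)
TRACK2_MAX = 40  # max characters on track 2, sentinels included (ISO 7813)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test that every bank PAN passes (loyalty cards need not)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track:
    track: int
    pan: str
    name: Optional[str]      # track 1 only: SURNAME/FIRST
    expiry: str              # YYMM as encoded, or '' if the issuer omitted it
    service_code: str        # three digits, or '' if omitted
    discretionary: str       # issuer-defined tail; the "random nonce" lives here
    luhn_ok: bool
    length: int              # characters on the track, sentinels included
    over_length: bool        # exceeds the ISO maximum (the out-of-spec cards above)


def _strip_sentinels(raw: str, start: str) -> str:
    """Return the bytes between the start sentinel and the '?' end sentinel."""
    s = raw.strip()
    if not s.startswith(start):
        raise ValueError(f"expected start sentinel {start!r}")
    end = s.find("?")
    if end < 0:
        raise ValueError("missing end sentinel '?'")
    return s[1:end]


def _split_date_fields(rest: str):
    """'YYMMSSS<disc>' -> (expiry, service_code, discretionary).
    A lone field separator ('=' on track 2, '^' on track 1) means 'no data'."""
    if rest[:1] in ("=", "^"):
        expiry, rest = "", rest[1:]
    else:
        expiry, rest = rest[:4], rest[4:]
    if rest[:1] in ("=", "^"):
        service, rest = "", rest[1:]
    else:
        service, rest = rest[:3], rest[3:]
    return expiry, service, rest


def parse_track2(raw: str) -> Track:
    """';PAN=YYMMSSS<discretionary>?'  numeric only, 40 characters max."""
    body = _strip_sentinels(raw, ";")
    pan, sep, rest = body.partition("=")
    if not sep or not pan.isdigit() or not 1 <= len(pan) <= 19:
        raise ValueError("track 2: bad PAN or missing '=' separator")
    expiry, service, disc = _split_date_fields(rest)
    n = len(raw.strip())
    return Track(2, pan, None, expiry, service, disc, luhn_ok(pan), n, n > TRACK2_MAX)


def parse_track1(raw: str) -> Track:
    """'%BPAN^NAME^YYMMSSS<discretionary>?'  alphanumeric, 79 characters max."""
    body = _strip_sentinels(raw, "%")
    if body[:1] != "B":
        raise ValueError("track 1: only format code B (bank cards) is handled")
    parts = body[1:].split("^", 2)
    if len(parts) != 3:
        raise ValueError("track 1: expected PAN^NAME^DATA")
    pan, name, rest = parts
    if not pan.isdigit() or not 1 <= len(pan) <= 19:
        raise ValueError("track 1: bad PAN")
    expiry, service, disc = _split_date_fields(rest)
    n = len(raw.strip())
    return Track(1, pan, name.strip(), expiry, service, disc, luhn_ok(pan), n, n > TRACK1_MAX)


def parse_swipe(text: str) -> List[Track]:
    """Dispatch each line of wedge-reader output on its start sentinel."""
    tracks = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("%"):
            tracks.append(parse_track1(line))
        elif line.startswith(";"):
            tracks.append(parse_track2(line))
        # blank lines, track 3 and unknown layouts are skipped, not rejected
    return tracks


# Constructed sample: what a wedge reader would type for a two-track bank card.
SAMPLE_SWIPE = (
    "%B4111111111111111^DOE/JOHN^2512101000000000000?\n"
    ";4111111111111111=25121010000000000?\n"
)

if __name__ == "__main__":
    for t in parse_swipe(SAMPLE_SWIPE):
        print(t)
```

Feed it the text that lands in the editor buffer after a swipe and the two tracks come back as structured records; a track whose `over_length` flag is set is exactly the kind of card the retailer driver software in the post refuses, and the `discretionary` field is where a bank's nonce (or a proprietary language code, as the post speculates) would appear.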