Magnetic Stripe Snooping at Home

pbrinich writes "Have you ever wondered what information is actually stored on all those cards you have in your wallet? Well, it turns out you can find out yourself! An excellent project, Stripe Snoop started by Billy Hoffman, a Georgia Tech computer science student, contains schematics, source code and a wide variety of information about the standards used to store all sorts of information on your magnetic cards."

Encrypted PIN on credit cards?

One of the screenshots shows that there's an encrypted PIN stored on credit cards. How soon before we are able to de-encrypt that? Then all a thief needs is a magstripe reader, this free program, and the decrypter program, to start his business.
Even if it's irreversible, it can't be too hard to brute force number-only PINs.

I've done this

[The+Hobo]

I've actually done this myself, purchased the magnetic reader, some electrical parts, soldered the thing together. Once I had things going, when you swipe say a Visa, it lists the card #, the expiry date, and the issuing bank. I've also tried it with a bank card, and it does list the bank card #, and an 'encrypted pin', which, if I understand correctly, is encrypted with triple DES (that's what I remember, I may be wrong). I also swiped my University student card, but can't yet make out what it has stored. Finally, I swiped an M&M Meat Shops Max Member card and all it has on it is the max member #, nothing more. Also, the person I did this with created some shims to raise the card so as to read the 2nd and 3rd track. It was overall a neat project.

But the important part is...

[zoharroy]

you can use it (like he did) to build your own coke machine....
http://www.yak.net/acidus/magstripe/coke.html

Changing the Strip

[n0dalus]

How easy would it be to edit the data on the strips?
For example, would it be possible for me to take my magnetic bus ticket and easily add another 10 trips to it?

University IDs

[langelgjm]

I'm an undergrad student in the University of Maryland system. I managed to write some simple C and Perl programs a while back for a reader I obtained, and ran quite a few cards through them. I found that our university issued ID cards have our social security numbers stored on them, unencrypted. A friend filed some public information request acts requesting to know if the university stored data such as the time and locations of card swipes, and if that data was attached to the student in any way. After initially denying this, the university eventually admitted that they do store data, and sent the guy a copy of his records, which indicate to the second when and where he swiped his card, in addition to when he went to the gym, how much he bought at the dining halls, etc. So much for privacy. I'm no engineer or programmer, and I was able to do this fairly easily; it can't be that hard to build an intercept and install it within a reader that's attached to a door, and voila - hundreds of SSNs. We're trying to contact some people in the school media and administration and have something done.

In Europe the ATMs inform YOU!

[evilandi]

jgbishop: every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish. Shouldn't that information be on the card?

In Europe it is quite common for the ATMs to automatically work out what language you speak, and automatically present you with an interface in that language.

This works solely by the ATM recognising which bank your card is from. For instance, mine is Barclays, which the ATM knows is a UK bank, so many ATMs in France present me with an English interface by default. I would strongly expect all European ATMs with this ability to present all US cardholders with an English language by default (Spanish-speaking US citizens aren't common tourists).

However this breaks when your country speaks more than one language. I'd expect all ATMs to be very confused about which language a Swiss cardholder prefers; Switzerland has German, French and regional languages as official languages. Belgians probably get a choice of Dutch or French too.

There are also regional variations. For example, when using my Barclays ATM card in Wales [1], I sometimes get the option for the interface in Welsh or English, because Barclays customers in Wales might prefer Welsh over English (for instance, my uncle prefers Welsh for conversing about money and family, but English for talking about science and technology).

So it can be done, but they don't dial back to HQ for your individual preference- the ATMs generally only recognise the default language of your bank. If your bank speaks both Spanish and English, then most ATMs aren't going to know any better.

[1] Wales and England are Kingdoms [2] of the United Kingdom in the same way that California and Texas are States of the United States. The UK isn't just England, any more than the US is just California.

[2] Actually, Wales is a Principality (ruled by a Prince/Princess, not a King/Queen), not a Kingdom, but you get the idea.

Re:Waay back when I was a youngun

[g0at]

This makes me think of the after-hours door-entry things at bank ATMs, where you have to insert a card in order to unlock the door to the vestibule where the ATM is. Invariably, any such door I've tried will respond to any magnetic card at all.

What is the point of these? Obviously not security. I suppose it must be to keep homeless people out, since they are least likely to carry any kind of magnetic card.

-b

Guy's not an RMS fan

[JackBuckley]

From Deep in TFA (tm):

Q: Why did you release Stripe Snoop under the GPL?

A: Well, its not because I like Richard Stallman, thats for sure. I don't believe that all code should be Free Software,and think he is pretty much a coding communist. One of the reasons Stripe Snoop was created was the lack of cheap or quality magstripe software, especially that would run on Linux. I have worked very hard on Stripe Snoop, and the last thing I want are the very companies that have expensive, crappy software from using my code and not contributing code themselves. In this regard the GPL provides the protections I want, even if I disagree with most of the creator's politics.

Interesting to see a "security expert" (see earlier post--I can't verify this opinion) who thinks RMS is a code communist.

Re:Missing Information

[Aidtopia]

So, I'm not surprised at all that that data [language preference] isn't there. If you want to be surprised by this, you should probably be surprised that the bank didn't choose to store your language preference in their database and then look it up when you swipe your card.

I'm sure things have changed a lot in how the ATM networks work, and such a scheme may be feasible now, but this wouldn't have fit the model they had when first introduced. Throughout the 1970s, my mother, father, and step-father all wrote code for banking terminal systems and some of the first ATMs. From them I learned:

There was one roundtrip to the bank's central computers after you had entered everything for the transaction. I assume this was for scalability. The ATM would collect your card number, PIN, and transaction request and send it as a single request the central computer. That's why they wouldn't tell you about a mistyped PIN until you've entered everything else for your transaction. Transactions were stored in a secondary database which were posted to your real account record overnight.

In the good old days, the bank didn't assign a PIN for you, store it in a database (which could be snooped by employees), printed it on paper (which could be discovered by anyone), and send it to you in the mail (which could be stolen). Instead, to activate your account, you went to your local branch. A teller would come out to the ATM with you, put his/her card into the machine, enter his/her PIN, then insert your card, and finally turn his/her back while you entered a PIN of your choice. PINs were hashed in the ATM and the bank only ever had the hash, not the original value.