Magnetic Stripe Snooping at Home
pbrinich writes "Have you ever wondered what information is actually stored on all those cards you have in your wallet? Well, it turns out you can find out yourself! An excellent project, Stripe Snoop started by Billy Hoffman, a Georgia Tech computer science student, contains schematics, source code and a wide variety of information about the standards used to store all sorts of information on your magnetic cards."
*puts on tinfoil hat*
ROMANES EUNT DOMUS
This would be interesting to use for some open source point of sale systems... *Project ideas flying through head*
Linux is like a teepee. It has no windows, no gates, and there's an Apache inside.
Gives new meaning to the Capital One tagline "What's in your wallet?"
One man's Funny is another man's Offtopic.
I'm just shocked at what *isn't* on my cards. For example, every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish. Shouldn't that information be on the card? I mean, the card is *mine* - they know who I am. Surely that should indicate what language I speak...
Go, and never darken my towels again! -- Rufus
Since one of the listed articles talks about common security blunders with cards, it's time to start the over/under pool on how long it takes before this guy gets shut down by some corporation claiming DMCA violations.
I call one week.
Open your wallet. How many cards in there have magstripes on them? Three? Four? Five? Ever wonder what was encoded on them?
I know I did. I had six cards in my wallet with magstripes. One day a friend of mine had a $200 Magstripe reader, so I ran my cards through. Aside from the expected credit card numbers, I was surprised by the amount of personal information encoded on them. In fact, for reasons I still don't know, 2 cards contained my social security number.
One man's Funny is another man's Offtopic.
except it isn't............
Billy Hoffman, aka Acidus, is one of the top up-and-coming security experts; he probably knows more about card systems and ATMs than anyone outside "the industry". I had the privilege of seeing him speak at PhreakNIC and hope his contributions to the hacking community continue. People like him keep the rest of us free and informed despite the massive corporate, academic, and government powers that would have otherwise. So... Thanks!
------ Take away the right to say fuck and you take away the right to say fuck the government.
wouldn't it be interesting if this were to cause a groundswell of support for the recently proposed RFID credit cards? ack...
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
I don't think articles such as this one will bring anything new to those who are in the business of credit card stealing. But it should serve as an eye-opener and for raising awareness for the average card user. Being a little more careful with that card should help a lot, I guess. Besides, I let the bank use my money for a reason, right? They should take the risk on themselves...
Your pin is not stored on the card at all. If you have two cards for one account, and go to an ATM with one, switch your pin, the other will have been switched also without being put in a machine. The pin is connected to an account, not a particular card.
Stripe Snoop was discussed in detail by its author on a show called Binary Revolution Radio awhile back. You can download the ep, #56, at: http://www.binrev.com/radio/archive.html/ -enjoy, it's a really good show!
One of the screenshots shows that there's an encrypted PIN stored on credit cards. How soon before we are able to de-encrypt that? Then all a thief needs is a magstripe reader, this free program, and the decrypter program, to start his business.
Even if it's irreversible, it can't be too hard to brute force number-only PINs.
It said "Paul is dead"
What's that mean?
The average Joe is very careful with his plastics, and won't lose the suspicious waiter from his sight while the latter handles his credit card. The same Joe will thoughtlessly type away his credit card number as a means of "age verification" on some random Paris Hilton pictorial site.
A hacker getting through his poorly set up XP box and stealing his credit card number is more dangerous than a device needing the presence of a physical card. And, of course, there are these kinds of occurrences, which are the most worrying of all.
Just
I've actually done this myself, purchased the magnetic reader, some electrical parts, soldered the thing together. Once I had things going, when you swipe say a Visa, it lists the card #, the expiry date, and the issuing bank. I've also tried it with a bank card, and it does list the bank card #, and an 'encrypted pin', which, if I understand correctly, is encrypted with triple DES (that's what I remember, I may be wrong). I also swiped my University student card, but can't yet make out what it has stored. Finally, I swiped an M&M Meat Shops Max Member card and all it has on it is the max member #, nothing more. Also, the person I did this with created some shims to raise the card so as to read the 2nd and 3rd track. It was overall a neat project.
There is another kind of evil which we must fear most, and that is the indifference of good men. -- Boondock Saints
you can use it (like he did) to build your own coke machine....
http://www.yak.net/acidus/magstripe/coke.html
That's why, when you go to an ATM and put your PIN in, you could put the wrong one in and it isn't going to tell you until you actually make the withdrawal/deposit. It has to connect to whatever-the-hell-it-connects-to and send it the PIN info, account info and the request, and if the PIN is invalid, then it spits out your card and tells you you messed up.
:O
I wonder if the information sent to whatever-the-hell-it-is is encrypted...
Currently bidding on sig
that a few weeks after ordering the necessary hardware, you'd get sued or arrested.
If someone says he and his monkey have nothing to hide, they almost certainly do.
How easy would it be to edit the data on the strips?
For example, would it be possible for me to take my magnetic bus ticket and easily add another 10 trips to it?
I wonder if the information sent to whatever-the-hell-it-is is encrypted...
Yes. Even those standalone shady-looking ATMs that dial up an 800 number and connect at 1200 baud will have encrypted transmissions.
The DMCA's anti-circumventions provisions only apply to (a) copyrighted materials that are (b) "protected" by an anti-copying technology. Account codes and cardholder info are pure data, which is not copyrightable, and there is no anti-copying technology applied here, so there's nothing to circumvent.
So, no, the DMCA doesn't apply.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
At least it's been off the front page a while this time.
PINs aren't stored in the stripe. Not plaintext, not encrypted, not at all.
is competition good, or is duplication of effort bad?
The new Make magazine has a heavily-photographed and pretty intelligible partslist / walkthrough of building the actual device, as well. http://make.oreilly.com/
I did something like this once. Back in 2001 I worked at a company that had Internet Kiosks across Manhattan. I went to a cafe to upgrade a machine. There was a certain attractive young lady on the terminal when I got there. I called my manager (who was a friend) and told him it would be a few minutes before I could get on, and mentioned the cute girl.
He did a query of the database to get her name from the credit card she swiped. As she was getting up I said "have a good day, Jen". Scared the CRAP out of her until I explained how I did it. We are now married and have three lovely children
Ok, that last part isn't true.
It has to connect to whatever-the-hell-it-connects-to
It's called a computer. I know, I'm using one right now and in a few years, they'll be everywhere and you'll buy one to play games!
They put a mag strip access lock to the computer lab in college. We were complaining at having to now carry around our student I.D.s to get access to the labs when I found out ALL of my credit cards allowed access to the lab. (Not smart, but hey, this was 1989)
Turns out the Lab assistant that installed the lock thought it'd be cool if any card he pulled out of his wallet would open the door. But the local bank's first 9 digits on the mag strip was the same for ALL cards they issued.
"Draco dormiens nunquam titillandus."
Nothing exciting is in that barcode; just what is on the front of your license, at least in New York state where I tried it. I had written a PDF417 barcode reader a couple years back and we used the back of our licenses as some test data just to see. It is literally just everything from the front side (name, address, height, weight, etc). The interesting stuff will be in the database that this info is the key for!
.plan!! what plan?
Last I checked, my PINs are by card. My PIN and my wife's PIN are different, but access the same accounts. At least for my financial institution, the PIN is stored on the card, but in triple DES encryption. When I perform a transaction, the PIN I enter and the encrypted PIN are both sent to my bank, which encrypts the PIN I enter with their key, and compares them. No matchee, no money. When I changed my PIN a few years back, they punched my account data into a terminal, I put in the PIN I wanted, and then swiped the card. When I walked back to the lobby, my card worked with the new PIN, no problem.
According to PayByTouch, the phone number is used as an index to speed fingerprint matching. The PBT computer located at the point of sale device turns the fingerprint data into a hash on the spot prior to sending the request over the network, so the "clear" fingerprint isn't stored or sent anywhere.
I personally thought customers would find "fingerprinting" to be too Big-Brotherish, but many pilot customers preferred the idea of using a fingerprint over carrying a wallet full of credit cards and shopper loyalty cards. But at the time we looked at them, Visa refused to certify them as being as secure as a mag stripe, so the idea died around here.
John
Where can I find a copy of your new book; How to collect restraining orders.
Luck favors the prepared, darling.
Most of the information about credit cards is contained within various ISOs. IANAL but, I don't think legal actions could be taken against software which implements a public specification. Although this project is nice, there isn't much you can't figure out about CCs by reading the specs. Personally I've found the most interesting information is contained on cards which are not well defined like student ID cards, video rental cards, etc.
ISO 7810 Physical Characteristics of Credit Card Size Document
ISO 7811-1 Embossing
ISO 7811-2 Magnetic Stripe - Low Coercivity
ISO 7811-3 Location of Embossed Characters
ISO 7811-4 Location of Tracks 1 and 2
ISO 7811-5 Location of Track 3
ISO 7811-6 Magnetic Stripe - High Coercivity
ISO 7813 Financial Transaction Cards
ISO 4909 Track 3 Data Format
The proper place for information like language preference is not on the card, but rather in the bank's database that the ATM accesses.
Ideally, when the card is first inserted the ATM will ask for non-secure data from the bank - things like language pref and such. If the card is NOT valid, the bank could send back default data (to prevent using that to ease checking of forged cards).
By separating the prefs from the card, you can update the card without losing the prefs.
(Slashbots: Notice that the word is losing, not loosing!)
www.eFax.com are spammers
We can still sue you for possible DMCA violations and watch you impoverish yourself trying to defend yourself. It is the (not-so-new) common strategy to shut people up.
Whether or not this is an actual DMCA violation does not matter.
There is not nearly enough love in the world, but there is far too much trust.
The first issue of Make had a whole article, with parts list and clear directions, on how to attach a card reader to your computer and use the Stripe Snoop software to read off the information.
It's a decent system, but it's sloooow compared to the old monochrome monitors. And worse: the biggest problem is the touchscreens break all the time.
Still, the general idea seems right. Keeping the GUID on the card is the right idea.
I'm still looking for a publisher, actually. All the ones that I took it to originally have taken out restraining orders against me.
134 and counting, baby!
"Ok, that last part isn't true"
What, your children are ugly? Such honesty is refreshing.
"As God is my witness, I thought turkeys could fly." A. Carlson
I used one to snoop my cards and found some interesting information...
Try this link: http://www.posguys.com/category.asp?catID=4
There are three truths: my truth, your truth, and the truth. - Chinese proverb
I did this over six years ago... A lot of the info was on the net then and it is incredibly dull how little info is really stored. Worse, Japanese credit cards have a hidden stripe on the FRONT of the card (just in case you wanted to know). You can get a mag-stripe reader for these pretty easily. Personally, I still think RFID is more interesting...
IANAL, but I've seen actors play them on TV
I'm an undergrad student in the University of Maryland system. I managed to write some simple C and Perl programs a while back for a reader I obtained, and ran quite a few cards through them. I found that our university issued ID cards have our social security numbers stored on them, unencrypted. A friend filed some public information request acts requesting to know if the university stored data such as the time and locations of card swipes, and if that data was attached to the student in any way. After initially denying this, the university eventually admitted that they do store data, and sent the guy a copy of his records, which indicate to the second when and where he swiped his card, in addition to when he went to the gym, how much he bought at the dining halls, etc. So much for privacy. I'm no engineer or programmer, and I was able to do this fairly easily; it can't be that hard to build an intercept and install it within a reader that's attached to a door, and voila - hundreds of SSNs. We're trying to contact some people in the school media and administration and have something done.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Feel free to go google DMCA abuse. There's about 100,000 hits, and you might find one or two in there that might lead you to understand WHY it's reasonable to think that a corporation might go after this, using the DMCA as a weapon, because they've done it before.
The FatWallet one is particularly educational. I invite you to go read it. It's even less applicable to the DMCA than card-stripe reading, and it happened anyway.
In Europe it is quite common for the ATMs to automatically work out what language you speak, and automatically present you with an interface in that language.
This works solely by the ATM recognising which bank your card is from. For instance, mine is Barclays, which the ATM knows is a UK bank, so many ATMs in France present me with an English interface by default. I would strongly expect all European ATMs with this ability to present all US cardholders with an English language by default (Spanish-speaking US citizens aren't common tourists).
However this breaks when your country speaks more than one language. I'd expect all ATMs to be very confused about which language a Swiss cardholder prefers; Switzerland has German, French and regional languages as official languages. Belgians probably get a choice of Dutch or French too.
There are also regional variations. For example, when using my Barclays ATM card in Wales [1], I sometimes get the option for the interface in Welsh or English, because Barclays customers in Wales might prefer Welsh over English (for instance, my uncle prefers Welsh for conversing about money and family, but English for talking about science and technology).
So it can be done, but they don't dial back to HQ for your individual preference- the ATMs generally only recognise the default language of your bank. If your bank speaks both Spanish and English, then most ATMs aren't going to know any better.
[1] Wales and England are Kingdoms [2] of the United Kingdom in the same way that California and Texas are States of the United States. The UK isn't just England, any more than the US is just California.
[2] Actually, Wales is a Principality (ruled by a Prince/Princess, not a King/Queen), not a Kingdom, but you get the idea.
Andrew Oakley - www.aoakley.com
When you key your PIN, the PIN pad accepting it will encrypt the PIN along with other transactional information plus its own serial number using a key injected securely by a representative of the issuing bank.
This blob plus the other data is transmitted to an authorizer, where the account is looked up and a local copy of the blob is created. If it matches the incoming blob, it's a go.
The bank almost certainly did not encode your card in the scenario you described above. Encoding is usually done with a machine-fed stripe writer, and is almost never done by hand-swiping the stripe anymore. (The timing is usually better on machine fed devices.) What the bank most likely did was to generate a blob similar to the one I described above for transmission to their authorizing computer, who immediately stored it and activated it for use.
Yes, the original intent of mag stripes was to enable offline transactions. However, bad guys quickly figured out how to read stripes and forge PINs, so everyone went to strictly on-line authorizing in the early 1980s.
John
I'll give him 2 days before the DMCA guys come knockin' on his dorm-room door.
-- Game Developers: Stop porting badly-textured games from crappy console systems!
wouldn't it be interesting if this were to cause a groundswell of support for the recently proposed RFID credit cards?
First, they're not RFID cards, they're contactless smart cards, which are very different. Different frequency, different range, different capabilities, different protocols, and very different security.
Second, smart card credit cards are a good thing, and you as a credit card user should want them because they'll reduce fraud. Granted, the banks and merchants mostly bear the brunt of the fraud, not the cardholder, but since all of the money ultimately comes from our pockets that's a distinction without a difference.
Finally, your implied notion ("ack") that contactless smart cards are a bad thing for cardholders shows that you don't know anything about them. A fully-implemented EMV card:
The security in these cards is very well thought-out and banks have zero interest in intruding on your privacy, because it would piss you off. If you don't believe they're careful with your privacy, consider the fact that they already know about every purchase you make with any credit card -- how often do you get marketers calling you because they got information from your bank about a recent purchase you made on your credit card?
If you don't care to believe me about how the security is designed, please review it for yourself. Complete EMV specifications are published on the EMV web site at http://www.emvco.com.
I'm a security expert of sorts -- and fairly paranoid by nature -- and the main concerns I have with this technology will arise if the US banks decide not to fully implement the technology.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Nope.d .pdf
Card formats are in the original article. No PIN in the stripes. http://stripesnoop.sourceforge.net/devel/layoutst
(CVV/CVC are not your PIN, they are an additional security check. They are also different from CVV2/CVC2, which is printed on the card but not in the stripe.)
There is indeed encryption used - but it's not on the card. When you perform a transaction, *the pin you manually enter* is encrypted (with a public key tied to the merchant or particular signature capture device transaction, depending on technology used) and sent to the processor. This is decrypted and compared to what the processor has on file for you. Nothing related to the PIN on the card itself, it's solely based on what you keyed in.
is competition good, or is duplication of effort bad?
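The on-line PIN flow described in the two posts above (the pad seals the keyed PIN together with transaction data and its own serial number under a bank-injected key; the authorizer rebuilds the same blob from the PIN it has on file and compares), as an added Python simulation that is not from the page or from any bank's software. Assumptions of mine, not the page's: the PIN is formatted as an ISO 9564 format-0 PIN block (PIN XOR PAN), and HMAC-SHA256 under the injected key stands in for the Triple-DES encryption real pads use, so the code runs with the standard library only. All account data, keys and serial numbers are constructed.

```python
"""Simulated on-line PIN verification between a PIN pad and an authorizer.

Added example, not from the page or from any bank's software. Assumptions
(mine): ISO 9564 format-0 PIN block; HMAC-SHA256 under the injected key as a
stand-in for Triple-DES encryption. Account data, keys and serials are
constructed.
"""
import hashlib
import hmac
import secrets

def format0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564 format 0: 8-byte PIN field XOR 8-byte PAN field.
    Mixing in the PAN binds the block to the card, so the same PIN does not
    yield the same block for two accounts."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[:-1][-12:].rjust(12, "0")   # 12 digits before the check digit
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))

def seal(key: bytes, serial: str, pan: str, amount_cents: int, pin_block: bytes) -> str:
    """Keyed MAC over serial, PAN, amount and PIN block: the 'blob' the pad sends.
    (Stand-in for 3DES encryption of the PIN block; see module docstring.)"""
    msg = f"{serial}|{pan}|{amount_cents}|".encode() + pin_block
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class PinPad:
    """Terminal side: holds only the injected key and its serial number."""
    def __init__(self, serial: str, injected_key: bytes):
        self.serial, self.key = serial, injected_key

    def build_request(self, pan: str, keyed_pin: str, amount_cents: int) -> dict:
        block = format0_pin_block(keyed_pin, pan)
        return {"serial": self.serial, "pan": pan, "amount_cents": amount_cents,
                "blob": seal(self.key, self.serial, pan, amount_cents, block)}

class Authorizer:
    """Bank side: PINs live here, keyed by account, never on the card."""
    def __init__(self, pins_by_pan: dict, keys_by_serial: dict):
        self.pins = dict(pins_by_pan)
        self.keys = dict(keys_by_serial)

    def authorize(self, req: dict) -> bool:
        key = self.keys.get(req["serial"])
        pin = self.pins.get(req["pan"])
        if key is None or pin is None:
            return False                       # unknown pad or unknown account
        expected = seal(key, req["serial"], req["pan"], req["amount_cents"],
                        format0_pin_block(pin, req["pan"]))
        return hmac.compare_digest(expected, req["blob"])

    def change_pin(self, pan: str, new_pin: str) -> None:
        """A PIN change touches only the host record; the stripe is unchanged."""
        format0_pin_block(new_pin, pan)        # validates the new PIN's format
        self.pins[pan] = new_pin

# Constructed demo data (test PAN, random per-run pad key).
PAN = "4111111111111111"
PAD_KEY = secrets.token_bytes(16)

def demo() -> dict:
    pad = PinPad("PAD-0001", PAD_KEY)
    bank = Authorizer({PAN: "1234"}, {"PAD-0001": PAD_KEY})
    results = {
        "right_pin": bank.authorize(pad.build_request(PAN, "1234", 5000)),
        "wrong_pin": bank.authorize(pad.build_request(PAN, "1235", 5000)),
    }
    bank.change_pin(PAN, "9876")               # host-only change, card untouched
    results["old_pin_after_change"] = bank.authorize(pad.build_request(PAN, "1234", 5000))
    results["new_pin_after_change"] = bank.authorize(pad.build_request(PAN, "9876", 5000))
    rogue = PinPad("PAD-9999", secrets.token_bytes(16))   # pad the bank never keyed
    results["unknown_pad"] = bank.authorize(rogue.build_request(PAN, "9876", 5000))
    return results

if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name}: {'approved' if approved else 'declined'}")
```

The point the simulation makes is the one both posts make: nothing the card carries is enough to reconstruct the PIN, and a PIN change is a host-side update, so a second card on the same account starts working with the new PIN without ever being re-encoded.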
Where I live, the language of preference is stored on the server.
All ATMs in Belgium can work in 4 languages, but I never had to choose a language at an ATM. So I suppose the bank knows I want to be served in Dutch.
When a foreigner uses an ATM in Belgium, he gets to choose a language. (And when I go abroad, I get to choose a language too)
so everyone went to strictly on-line authorizing in the early 1980s.
Everyone in the US did, anyway. Much of the rest of the world still does off-line transactions with magstripe. That's a big part of the reason why chip cards are being deployed so much more aggressively outside of the US, because they don't want to do on-line authentication (due to higher communications costs), and allowing off-line transactions with magstripe is just asking for high fraud rates.
In France, for example, a few years ago fraud was insanely high. Since they've gone to chip cards skimming fraud has dropped to zero and overall credit card fraud is minuscule.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Q: Why did you release Stripe Snoop under the GPL?
A: Well, it's not because I like Richard Stallman, that's for sure. I don't believe that all code should be Free Software, and think he is pretty much a coding communist. One of the reasons Stripe Snoop was created was the lack of cheap or quality magstripe software, especially that would run on Linux. I have worked very hard on Stripe Snoop, and the last thing I want is for the very companies that have expensive, crappy software to use my code without contributing code themselves. In this regard the GPL provides the protections I want, even if I disagree with most of the creator's politics.
Interesting to see a "security expert" (see earlier post--I can't verify this opinion) who thinks RMS is a code communist.
I noticed a 3 track reader for $59 from Kanecal.net. This looks like a very quick and cheap approach to data extraction. The advantage of making your own is that you need not limit yourself to cards following the ISO specifications for track positions and character encodings.
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
The magnetic stripe standards, of course. The card is a test card I printed while I was building an ID card system for a client. The front lists the track standard and the allowed chars:
Track 1 (IATA data, max. 76 chars):
!"#$%&'()*+,-./0123456789:;<=>@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_
Track 2 (ABA data, max. 37 chars): 0123456789;;<=>
Track 3 (TTS data, max. 104 chars): 0123456789:;<=>
The allowed chars have been encoded onto the stripe on the back.
FreeSpeech.org
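As an added example (not code from Stripe Snoop or from any poster), here is a small Python decoder for the ISO 7813 track 1 and track 2 layouts cited in the ISO list earlier and spelled out on the test card above. It checks each track's longitudinal redundancy check (LRC), validates the PAN's Luhn check digit, and reads the service code, which is what tells a terminal whether a PIN must be collected; the PIN itself is not among the fields. Assumptions of mine: the reader emits each track as ASCII with its sentinels and a trailing LRC character, and the card data (using the well-known 4111111111111111 test PAN) is constructed.

```python
"""Decode ISO 7813 financial-card track data the way a hobby reader sees it.

Added example, not code from the Stripe Snoop project. Assumptions (mine):
each track arrives as ASCII with start sentinel, end sentinel and trailing
LRC; the sample card data is constructed (test PAN, not a real account).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1: %<format code><PAN>^<name>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
T1_RE = re.compile(r"^%(?P<fc>[A-Z])(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^"
                   r"(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$")
T2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$")

# ISO 7813 service code meanings (first and third digit) that matter to a terminal.
INTERCHANGE = {"1": "international", "2": "international, chip preferred",
               "5": "national", "6": "national, chip preferred",
               "7": "private", "9": "test"}
PIN_REQUIRED = {"0", "3", "5"}   # third-digit values that mandate a PIN

def lrc(track: str) -> str:
    """Longitudinal redundancy check over the whole track, sentinels included.
    Track 1 characters are 6-bit values offset from 0x20, track 2 characters
    4-bit values offset from 0x30; the XOR of them all maps back to a character."""
    width, base = (6, 0x20) if track.startswith("%") else (4, 0x30)
    acc = 0
    for ch in track:
        v = ord(ch) - base
        if not 0 <= v < (1 << width):
            raise ValueError(f"{ch!r} is not in this track's character set")
        acc ^= v
    return chr(base + acc)

def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test on the PAN; catches any single mistyped digit."""
    total = 0
    for i, d in enumerate(reversed(pan)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

@dataclass
class TrackData:
    track: int
    pan: str
    expiry: str                 # YYMM as encoded
    service_code: str
    name: Optional[str]         # track 1 only
    discretionary: str
    luhn_ok: bool
    lrc_ok: Optional[bool]      # None when the reader dropped the LRC

def parse_track(raw: str) -> TrackData:
    """Split a track into fields and validate its LRC and PAN check digit."""
    if raw.endswith("?"):               # reader stripped the LRC character
        body, check = raw, None
    else:
        body, check = raw[:-1], raw[-1]
    m = (T1_RE if body.startswith("%") else T2_RE).match(body)
    if not m:
        raise ValueError("track does not follow the ISO 7813 layout")
    f = m.groupdict()
    return TrackData(
        track=1 if body.startswith("%") else 2,
        pan=f["pan"], expiry=f["exp"], service_code=f["sc"],
        name=f.get("name"), discretionary=f["disc"],
        luhn_ok=luhn_ok(f["pan"]),
        lrc_ok=None if check is None else lrc(body) == check,
    )

def describe_service_code(sc: str) -> str:
    """Where the card may be used and whether the terminal must collect a PIN."""
    use = INTERCHANGE.get(sc[0], "unknown interchange")
    pin = "PIN required" if sc[2] in PIN_REQUIRED else "PIN not mandated"
    return f"{use}; {pin}"

def _with_lrc(body: str) -> str:
    return body + lrc(body)

# Constructed sample tracks for a fictitious card (test PAN, expiry 2025-12).
TRACK1_SAMPLE = _with_lrc("%B4111111111111111^DOE/JANE^2512101123456789?")
TRACK2_SAMPLE = _with_lrc(";4111111111111111=2512101123456789?")

if __name__ == "__main__":
    for raw in (TRACK1_SAMPLE, TRACK2_SAMPLE):
        t = parse_track(raw)
        print(f"track {t.track}: PAN {t.pan} (Luhn {'ok' if t.luhn_ok else 'BAD'}), "
              f"exp {t.expiry}, name {t.name}, LRC {'ok' if t.lrc_ok else 'BAD'}, "
              f"service code {t.service_code}: {describe_service_code(t.service_code)}")
```

Feeding a real reader's output through `parse_track` shows exactly the fields the thread lists (PAN, expiry, service code, name on track 1, issuer discretionary data) and nothing else; a single corrupted digit fails both the LRC and the Luhn check, which is why a reader with a misaligned head shows up as garbage rather than as a plausible wrong number.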
Is that those who disagree vehemently with the politics of RMS can still see the GPL for what it is: the Right Way to license software, if you want to see it live, grow, and prosper.
The cure for cancer is coming: Reovirus