Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Hardware

Unlocking The Power Of the Magstripe 224

Acidus writes "While researching for an embedded systems project (a magstripe enabled Coke machine), I was shocked by the lack of magstripe information: Programs/code that would run on a modern OS were all but nonexistant, articles that were 6-10 years old, etc. Further research proved hard, because I had become google's authoritative source. So Stripe Snoop was born, and is now at 1.5 . Stripe Snoop is a suite of research tools that captures, modifies, validates, generates, analyzes, and shares magstripe data, with an ever-growing database of card formats. Decoding everything from driver's licenses to banking cards, its features can analyze non-standard cards, such as NYC's Metrocard."
This discussion has been archived. No new comments can be posted.

Unlocking The Power Of the Magstripe

Comments Filter:
  • Also in 2600 (Score:5, Interesting)

    by Noryungi ( 70322 ) on Monday August 09, 2004 @06:16AM (#9918840) Homepage Journal

    There was also an interesting article in this summer 2600 magazine [2600.com] about magstrips. Some information and code were supplied...
    • Re:Also in 2600 (Score:5, Informative)

      by pacc ( 163090 ) on Monday August 09, 2004 @06:28AM (#9918879) Homepage
      Linked from the Stripe Snoop [sourceforge.net] page:

      An article I wrote that is being published in the Summer 2004 issue of 2600 that is all about magstripe interfacing. This provided the basis for Stripe Snoop. Another application is this homebrew coke machine I built.
    • ...to forget how to program in original basic, I thank you.

      Now, get to work on bar codes!

      I'm going to go buy a card writer, and make a million selling counterfeit Kinkos cards. BWHAHAHA!
    • Re:Also in 2600 (Score:4, Interesting)

      by shepmaster ( 319234 ) on Monday August 09, 2004 @12:38PM (#9921670) Homepage Journal
      I consider myself lucky, in that I have met Acidus in person, and have actually shared a class with him. It was an embedded programming class, and we each had to do a semester project. As mentioned in the blurb, his project was a Coke dispenser that worked off magstripe technology.

      What was far more interesting was the software backend he developed to run the system. It was very professional, and the software itself incorporated some intrigueing concepts, such as what to do when the system was cut off from the real world. I hope Acidus will care to chime in and explain some more of his higher-level ideas.

      One thing that I was impressed with was the security concerns that he evidently thought of. Unlike other programmers I know, security was not an afterthought, but incorporated into the design (this was also evidenced in his Blackboard dissection, previously discussed on Slashdot).

      I hope that Acidus has a chance to go far, he is one of those bright young Computer Scientists with a good future in front of him.

      Cheers!
  • Working link (Score:5, Informative)

    by Zorilla ( 791636 ) on Monday August 09, 2004 @06:18AM (#9918843)
    Here's the real link to the article:

    Linky [yak.net].
  • by gilesjuk ( 604902 ) <giles.jones@nospaM.zen.co.uk> on Monday August 09, 2004 @06:22AM (#9918855)
    I can imagine some card company out there will try and put a stop to this, purely to save their own skins for putting out fairly weak systems.

    Could be a useful tool though, I'd love to save car parking charges (place where I park sometimes uses magnetic cards) :)
    • by Anonymous Coward

      "Could be a useful tool though, I'd love to save car parking charges (place where I park sometimes uses magnetic cards) :)"

      Smiley noted, but it's comments like this that make people think of "hackers" as criminals. Another example: P2P could be a useful tool though, I'd love to save the cost of a CD.

      RIAA and the MPAA may be a bunch of wankers, but let's not encourage them. Let the same logic apply to smart & mag card manufacturers.

      • The difference is, I'm not the one hacking the system. Therefore the person who has hacked the system should be a bit more responsible in putting out the information.

        Anyway, the said car parking charges are extortionate. Typically £5-7 and I'm only there around three hours. I doubt I would "hack" it anyway, would mean leaving a laptop in the car for starters.
        • Hacking - playful cleverness.
          Cracking - computer crime.

          I think trying to defraud a system would probably all under the Computer Misuse Act in the UK.
        • by Smidge204 ( 605297 ) on Monday August 09, 2004 @09:04AM (#9919694) Journal
          The difference is, I'm not the one hacking the system. Therefore the person who has hacked the system should be a bit more responsible in putting out the information.

          In other words, not release it at all?

          Let's ban chemistry books, then, because the informatioon in there can be used to develop lethal toxins and explosives. Those publishers shold be a bit more responsible in putting out the information.

          Don't be an asshat. Information is information. He is not advokating it's use for illegal/immoral activities (quite the opposite, actually). If you choose to apply this knowledge to break the law, then you are responsible. Don't blame the publisher of the book if someone uses the information to build a bomb and don't blame the maintainer of the website if you use the information to commit fraud.
          =Smidge=
    • by t_allardyce ( 48447 ) on Monday August 09, 2004 @06:47AM (#9918940) Journal
      I think its happened before - people calling up their bank etc and saying "hey, your card is insecure it stores your pin in plaintext" and the bank says "you shouldnt have a card reader! what do you think you're doing"

      Its the standard bullshit you'll get from clueless people and experience says most cards in your wallet are probably badly designed, so yep, its probably not worth it to try and help these people by explaining whats wrong and what they can do because they are more likely to try and sue you.

      Bu I think technically you have a legal right to see whats on the strip - its your personal data and would fall under the data-protection act?
      • by commonchaos ( 309500 ) on Monday August 09, 2004 @08:10AM (#9919297) Homepage Journal
        I just got the idea of setting up a computer running Strip Snoop in a public place. Put a single board computer inside, a cheap LDC and card reader outside.

        It should be made to look offical and be housed in an hard-to-destroy case. It would be bolted down on the sidewalk in the middle of the night, near an ATM or in a shopping center.

        Have a big sign that says "what is REALLY on your magnetic cards?".

        If you are an art student you could pull off doing something like that and get credit for doing instalation art. :-)
      • I am not familiar with a time in my time as a banking customer or employee of a banking company when PINs were encoded on a magstrip. All ATM systems I have ever used compare an entered PIN with one on a secure, remote system.

        I agree you should be able to see what's on a strip, but let's not get less knowledgeable people excited here, OK?

    • by Anonymous Coward on Monday August 09, 2004 @07:11AM (#9919016)
      I can imagine some card company out there will try and put a stop to this

      I used to work for a company that produced access control devices, including card readers. We managed to reverse engineer all of our competitor's card formats (the one's that didn't use the well-documented Wiegand standard) and build support for them into our product to reduce the cost of getting customers to switch. Most competitor's just shrugged it off, half of them were doing the same thing anyway, but one company that relied on defence contracts for a lot of its business got its lawyers to write a letter threatening to report us to the NSA for "breaking their triple-DES level encryption scheme". We sent the lawyers back full documentation of their snakeoil and pointed out that they'd lose a lot of Government and defense business if the NSA got wind of the fact that what was being marketed as "triple-DES level encryption" was in fact an 4-bit XOR pattern.

    • Magstrips are terribly insecure. They are a reprogramable single number on a card. Do you know why at retail stores that they scan your card, and then put in the last 4 digits manually? And wonder why those 4 digits are under a hologram? Its because its trivial to reprogram one of these with a new number. A magstripe writer new costs like $500 or $600. Trust me, I could get a pretty return on investment with that upfront cost. CC numbers all have some kind of checksumming algorithm with them, and if
      • by Anonymous Coward on Monday August 09, 2004 @09:01AM (#9919663)
        A magstripe writer new costs like $500 or $600.

        True. Some are even more. I worked at a security company a few years ago testing, among other things, mag-stripe cards/readers/interfaces. We used American Magnetics' (I believe) Model 700's - and that 700 was roughly equivalent to the base-model price. It depended, of course, on whether you bought the models that could read just one stripe, two stripes, or all three stripes on a standard card - the 3-stripers were more, of course, but for some purposes unnecessary. For example, another tester and I duplicated the first two stripes of his ATM card (ignoring the third because either we didn't know what character set it was encoded in, or else we didn't yet have access to a 3-stripe reader/writer, I forget which), and successfully used it in an ATM (just to do a balance inquiry - not to actually withdraw cash - we were too afraid of setting off some kind of alarm). We'd suspected that would work beforehand, since the first two stripes were in ABA (American Bankers' Association) 7-bit (or was it 5-bit? - it's been three years, and I've slept since then) and the third stripe wasn't, so therefore probably not used for banking applications. We were satisfied enough when it succeeded to not experiment further.

        But, with that in mind, it's immediately clear that you could earn back the initial hardware investment in a big hurry if you were of a black-hat kind of mind-set.

        One of the more interesting/cute little facts when you're working with mag-stripe cards is that, to determine where some failures lie, you can use a spray-can of very fine iron or iron-oxide dust (basically, rust) to spray on the stripe and actually SEE the encoded magnetic patterns. If the patterns are sharp, then it's the reader's fault; if the patterns aren't there, then it's the card's fault.

        Here's another project for someone with a bit more in-depth hardware knowledge than I have: figure out what encoding scheme is on the thin little cards used at some arcades where you buy credit on a proprietary card - I tried reading one of those in a 3-stripe reader and got unreadable, in consistent and totally unuseful results.

    • save their own skins for putting out fairly weak systems
      considering that they use track 2, and that track only contains 40 characters, using a 32 character md5sum of two data fields and a secret field would be out of the question.
      If your bound and determined to commit retail fraud; I'd think you would want more for your prison sentence than free parking though.
    • Could be a useful tool though, I'd love to save car parking charges (place where I park sometimes uses magnetic cards) :)

      And I'd like to copy my ATM card's stripe over some old unused card like a library card from a city I don't live in anymore. Ought to add some useful security-through-obscurity to my wallet in case it's stolen. Who's going to stick a library card in an ATM?

      Has anyone done this? What sort of equipment do I need to write to a card?

  • by millahtime ( 710421 ) on Monday August 09, 2004 @06:23AM (#9918862) Homepage Journal
    When I was in college they had bar code scanners for the parking gates. That was easy enough to duplicate. But, right when I was leaving they switched to mag stripes. Now it's easy for a new generation to figure them out and make working cards.
  • Not Difficult At All (Score:5, Interesting)

    by Anonymous Coward on Monday August 09, 2004 @06:24AM (#9918865)
    Hey all...

    I have worked with developing Linux-based solutions with products from MagTek (manufacturer of hundreds of devices like stripe and card/check readers) and I have to point out that you may not find much information on the subject because the programming for such is so simplistic that a manual is not really needed. I am curious if other products from other providers work in a similar fashion.

    MagTek devices will decode the stripes for you. The data contained within is sent to the computer in serialized format, so once the string of characters is received, you simply have to break the data into whatever pieces you need by looking for sentinal characters in ISO-defined positions. A dozen lines of code at most will handle this under most common programming languages.

    When I was approached by my former employer to create a product with Linux and MagTek devices, (in mid-2000) I found absolutely no documentation on the devices whatsoever on the Net other than sales literature. The customer support personel did send me several pages of specs and such via FedEx Overnight, and when I received them, I saw that most of their then-current product line operated in a similar manner.

    If possible, connect your reader device to some sort of I/O port and watch the data that is sent to the port with a terminal program (serial I/O in this case, similar methods used for parallel and USB-style interfaces...) Perform enough tests, and you should be able to get a more than adequate idea on how to parse the data sent.

    In case you are really curious, go look at the older (now defunct?) Serial I/O HowTo at linux.org (or one of the mirrors). There are more than enough examples within to show you how to handle any type of serial-based interfacing project.

    Hope this helps...

    Brian
  • I't not like a federal offense or anything is it?
    • by bellevueGeek ( 260576 ) on Monday August 09, 2004 @07:39AM (#9919146)
      Actually it is a federal offense since it would be considered counterfeiting, but what is even more interesting is the security that have in place to stop that.

      Remember when it first came out and the cards were blue? Apparently a bunch of people figured out that you could dupe 50$ of value to used ones, and sell them to idiots on the platform. They would swipe it to show the dope there was a value and get cash for it.

      I sat in on a security lecture once where the expert discussed the complexities of preventing unauthorized use in a system that big. Basically every time you swipe it writes back to your card and a log at that turnstyle. Every 5 minutes or so that log is uploaded to a regional center and that in turn is uploaded to a central location. They then can detect detect things like if a card is used in more than one location, or if more than once in n minutes. If one of these potentially illegal conditions exist the system can add your card to a blacklist and push it back out to the turnstyles all in under 11 minutes.

      The cooler thing is that then when you use a modified card that was blacklisted the little color lights on the opposite side flash yellow or red instead of green. Alerting the police who like to stand and watch people try to jujmp or squeeze by to pick you up.

      I thought it was a brilliant use of a relativly old and low-security technology.
      • They then can detect detect things like if a card is used in more than one location, or if more than once in n minutes. If one of these potentially illegal conditions exist the system can add your card to a blacklist and push it back out to the turnstyles all in under 11 minutes.
        So you are saying that letting the person(s) behind me in my group use my card will invalidate it? I've not heard of this happening to anybody.
      • They then can detect detect things like if a card is used in more than one location, or

        if more than once in n minutes.

        This second one screwed me, a first-time visitor to NYC. We took the stairs down to the subway at a station somewhere near Times Square. I slipped my Metrocard through and entered, only to find out that in this particular station, you could only get to the other side of the tracks by going back up to the street, coming down another set of stairs, and reentering the gates. The card reader p

        • he said:
          I think the Metrocards are too picky!


          You may think so as a tourist, but new york city is the most crime ridden city in the USA. More than that, crime is organized. If there was a way to scam metrocards you could be sure that there would be a racket surrounding it. I remember early rumors of places in chinatown that would re-up your card for you, but never had them substantiated. Walk around manhattan... first floor windows are barred up, Gates have hardened steel padlocks, anything that may be
      • "Actually it is a federal offense since it would be considered counterfeiting"

        I'd expect it to be a forgery offense, against the State of New York (if you're talking about NYC Metrocards), but I hardly think the Federal Government has a case here, unless maybe you traffic in counterfeit metrocards across state lines or something. See, the NYC transportation department isn't a federal agency, and the card isn't a federal reserve note.

        Still a bad idea of course, New York's justice system being just as sca
  • hotels (Score:3, Interesting)

    by millahtime ( 710421 ) on Monday August 09, 2004 @06:29AM (#9918881) Homepage Journal
    I have always been told to take the mag stripe keys from hotels I stay in and cut them up. I wonder what kind of personal info they actually do store on those cards.
    • Re:hotels (Score:5, Interesting)

      by rampant poodle ( 258173 ) on Monday August 09, 2004 @06:43AM (#9918926) Homepage
      Normally none. The card will have a unique number, (usually room nr.), and some instructions telling the lock the validity periiod of the guest key. If you just checked in it will also invalidate all previous guest keys. In some cases the card will also have additional information about your entitlements such as health club, meal plans, etc. Note that the ID number on the card is very likely linked to the hotel's property management system -- which has all of the information you gave when you made your reservation.
    • Re:hotels (Score:5, Interesting)

      by GuyFawkes ( 729054 ) on Monday August 09, 2004 @06:43AM (#9918927) Homepage Journal
      Speaking today at the holiday inn chain of motels in the room cards definitely record the time and date the card is used, eg every time you use it to enter your room, and every wrong room you try it in.

      HTH etc

      (PS, this hotel chain still relies on PC's running windows 95b for all the booking / reservation / billing stuff.)
      • Re:hotels (Score:5, Insightful)

        by 4of12 ( 97621 ) on Monday August 09, 2004 @09:29AM (#9919889) Homepage Journal

        PS, this hotel chain still relies on PC's running windows 95b for all the booking / reservation / billing stuff.

        An important and practical lesson that what is good enough to get the job done gets used and used and used. No matter that it smells bad to those of us on the bleeding edge of technology.

    • They don't store anything on the card (the door readers are read-only). Its all in a centralized database, so taking the card away and cutting it up does nothing to protect your privacy.
    • I always wondered that. I've examined the doors closely and haven't seen any way for them to power the locks or communicate with them. I presume communication would be necessary to invalidate the access previously granted to lost or compromised cards.

      I've just assumed that the power is delivered via hinges and wires buried in the door (which would mean custom doors or some sophisticated drilling to retrofit). I suppose you could have induction powering and communication of the reader via the door jam (s
      • I always wondered that. I've examined the doors closely and haven't seen any way for them to power the locks or communicate with them. I presume communication would be necessary to invalidate the access previously granted to lost or compromised cards.

        Actually, many access control card schemes incorporate an "issue code" as part of the data on the card. Once a card with a "later" issue code in a sequence is used, the lock recognizes that "earlier" issue codes are no longer valid. No communication back t

        • Once a card with a "later" issue code in a sequence is used, the lock recognizes that "earlier" issue codes are no longer valid.

          Presumably they don't honor newer issue codes UNLESS the "open" code also matches. If they did honor newer issue codes even if the open code was wrong, I could just DoS room locks when I checked in by swiping my card in everyone's lock..

  • epos (Score:5, Interesting)

    by che.kai-jei ( 686930 ) on Monday August 09, 2004 @06:31AM (#9918886)
    i was going post as AC but i dont want people not taking this seriously. i have had to research this technology deeply for legitimate and non legitimate applications for different clients. the reason there is little info or programs or source code -- as mentioned in an issue of 2600.

    it is because that there is alot of poor win32 closed source software out there costing $1000 upwards!

    all pooorly written in VB and the like by programmers whose pooor coding is more than obvious once a button is pressed or a menu selected.

    ramcwin , rencode 2000 being obvious candidates.

    it seems this is one of those few areas in software applications where even on the vast breadth of the internet a conspiracy of supression of knowledge . non open code. [not that the code is worth anything to learn from] in order to force the sale of ridiclous 1000 dollar licences for extremely poor code. my project i s free open source mag stripe oswftare compatible with as many reders and writesr as possible including portable code and libraries to embed in dumb terminals for people wanting to make thin open source terminal clients for EPOS systems.

    i hate poor elite pricey specialised software.

    for instance in a few months a large electronics chain has moved over to linux for their epos. i will make sure their "custom" software does not violate the gpl. [i just applied for a job !!]

    • Re:epos (Score:5, Informative)

      by dasmegabyte ( 267018 ) <das@OHNOWHATSTHISdasmegabyte.org> on Monday August 09, 2004 @09:13AM (#9919767) Homepage Journal
      Okay. Really quick: the reason niche software is expensive and yet poorly written is not because it is considered "elite." It is because there is not a lot of money in the niche. See, if you need to bring in $100k with a program, and you have an audience of 2000 people, you can easily charge $50 for it. But if your audience is only 100 people...you have to charge $1000. In a niche, you really have no way to increase the size of the market, and your market often has little choice but to pay the high cost for what's essentially one step down from custom software.

      And if you're one of the 100 people, that software might save you hours and hours of work, tens of thousands of dollars on custom software, and maybe even save you having to hire somebody. All that for $1000 is a pretty sweet deal, and doesn't seem ridiculous at all. Granted, if you could get the same thing for $50, you'd take it. But on a business scale, $1000 is fucking chump change.

      Furthermore, many niche software companies use the cheapest programmers and cheapest practices to get the job done. This means VB, which is a powerful tool when you want to make a program in less than an hour. Sloppy code is sometimes the fault of bad programmers (what do you expect, offering 35% or less than the going rate) but just as often is the fault of high pressure development. Customers paying $1000 for software are VERY insistant and many times their complaints will almost completely drive development. If Customer A asks for some feature unique to their business flow, you have to put it in, even if it doesn't make any damn sense. Our old software (which I had nothing to do with or it'd be all objects) is 20% functionality and 80% stupid business logic (if company = "company a" then ...).

      Incidentally, with Linux gaining ground in a lot of these market niches, expect to see a lot of really shitty TCL or VB code showing up in closed source Linux packages. It's lack of money that creates stupid software...
      • Er, I meant to say "TCL or Perl" code, but I thought of a much better example. PHP. PHP is another powerful tool for fast development, and there are some really HORRIBLE PHP packages out there. To the point that when we bought an ASP and discovered it ran PHP, we decided to EOL the product and write a new one. It would take less time than trying to untangle the conditional blocks...
  • Writing the stripe (Score:5, Interesting)

    by DrStrangeLug ( 799458 ) on Monday August 09, 2004 @06:32AM (#9918889)
    Some newer card printers will actually write the magstripe as they print the card. The problem is that they're not too informative as to how you get the magstripe data into the printer to encode.

    Usually this is achieved by a setting within the printer driver which defines which stripe (of the three) to write to and how to get the data out of the printing data. The sequence is usually marked out with start and stop character sequences (on Javelin printers these are usually "${n" and "}$" for start and stop, where n is the track number.)

    This saves people the trouble of printing the cards and then writing them seperately.
  • Storage capacity (Score:5, Interesting)

    by Anonymous Coward on Monday August 09, 2004 @06:34AM (#9918894)
    Does anyone know how much data you can store on a typical strip?
    • Re:Storage capacity (Score:5, Informative)

      by Orne ( 144925 ) on Monday August 09, 2004 @08:21AM (#9919374) Homepage
      Here's a summary [howstuffworks.com], but to recap:

      There are three tracks on the magstripe. Each track is .110-inch wide. The ISO/IEC standard 7811, which is used by banks, specifies:

      Track one is 210 bits per inch (bpi), and holds 79 six-bit plus parity bit read-only characters.

      Track two is 75 bpi, and holds 40 four-bit plus parity bit characters.

      Track three is 210 bpi, and holds 107 four-bit plus parity bit characters.

  • by Rosco P. Coltrane ( 209368 ) on Monday August 09, 2004 @06:39AM (#9918909)
    When I was at school, in the physics lab, we had a jar of very fine iron powder that was used to demonstrate ferromagnetic liquids properties. We used to pour a little on the backside of a credit card, lightly shake the credit card to spread it around, and we could see the patterns left by the magnetic record on the stripes (which, incidently, weren't located where the visible black stripes were).

    I imagine you could do the same with any magnetic card and a little fine iron sawdust that you could make yourself with a grinder.
    • by xsbellx ( 94649 ) on Monday August 09, 2004 @09:03AM (#9919682) Homepage
      Buddy, when I started working we used to do this on a daily basis to get data off of damaged magenetic tapes for input to a billing system. There was a product called "Visimag" or something similar. Essentially, it was the same sutff as you used in your physics lab, iron powder suspension in some type of alcohol.

      For those who are old enough to remember such things, the tapes were 100bpi/7 track used on a Univac III. And this was the upgrade from 4 inch wide punched paper tape.
      • by dbc ( 135354 )
        I recall a product called "Magna-See" or some such. This was in the GCR tape era -- strictly 9 track, nobody was using less dense than 800 BPI in those days, in fact 800 BPI was hard to find, most were doing either 1600 BPI or GCR. I guess I am exposing myself as a youngster.

        OH, BTW -- ssg r00lz! (ssg may have been called sgr back in the Univac III days...)

      • Oh, yes. We used Visimag when tapes were in strange formats we had trouble reading, and when the drive that wrote them had been misaligned. There was also a hand-held tape viewer, with a particle-filled liquid in suspension between a Mylar bottom and a glass window top. This could be placed against tapes. ("Aha, it's 1000 BPI 10 track phase-modulated, from a Uniservo IIIC").

        I was so glad when tape tracks became self-clocking.

    • I imagine you could do the same with any magnetic card and a little fine iron sawdust that you could make yourself with a grinder.

      You're working too hard. www.sci-toys.com mentions that the easiest way for a person to get iron filings is to drag a magnet through the sand at a beach...what am I talking about? This is /.! Grind away!
      • I imagine you could do the same with any magnetic card and a little fine iron sawdust that you could make yourself with a grinder.

        You're working too hard. www.sci-toys.com mentions that the easiest way for a person to get iron filings is to drag a magnet through the sand at a beach.

        Your particle size has to be finer than the size of the domains you're trying to look at. As another posted noted, standard magstripe cards work with domain sizes of about 5-10 mil, and the tapes mentioned by other posters h
  • by Chess_the_cat ( 653159 ) on Monday August 09, 2004 @06:45AM (#9918929) Homepage
    I was shocked by the lack of magstripe information.

    Maybe you were mildly suprised?

  • MSR (Score:5, Informative)

    by Alioth ( 221270 ) <no@spam> on Monday August 09, 2004 @07:10AM (#9919009) Journal
    Having worked on retail apps, working with magstripes is a pretty trivial thing. Most magstripe readers are either RS-232 or keyboard wedge, and it's quite easy to tell where you have to look for the data you're interested in by just looking at what comes up when you swipe the kind of card you are interested in.

    The biggest problem was dealing with keyboard wedge scanners - if your app expects some kind of event, or possibly a dedicated communication channel (like a serial port) you have to muck around with keyboard hooks to make it work.
  • Better interface? (Score:5, Informative)

    by no_such_user ( 196771 ) <[jd-slashdot-200 ... dreamallday.com]> on Monday August 09, 2004 @08:07AM (#9919278)
    This project would open up to many more people if a more simplistic way of interfacing to the card reader was introduced. How 'bout via the soundcard?

    I was poking around the links provided on the site, and found this: The simplest magnetic stripe reader [gae.ucm.es]. He wrote software to analyze the audio generated by the card when passed over the read head. This means that any old cassette player has a chance at being used to hack magstripes! Any comments on how accurate this method is, versus the F2F decoder chips?
  • Acidus was recently on episode 56 of Binary Revolution Radio (http://radio.binrev.com/ [binrev.com]) where we discussed his 2600 article and went into detail about his stripesnoop project. If anyone is interested in learning about the tech behind it or hearing about the thought processes that went into it, they should check it out.
  • Btw (Score:2, Informative)

    by Anonymous Coward
    I just visited Singapore and those guys are like ten years into the future compared to us. Everything, and I mean everything, takes debit or credit cards.

    From soda machines to subway ticket machines, etc.

    It's strange that it's almost only credit cards that's used in the US. The only ones who gain from that is Visa and Mastercard. Debit cards without any fees is the future.
    • I just visited Singapore and those guys are like ten years into the future compared to us. Everything, and I mean everything, takes debit or credit cards. From soda machines to subway ticket machines, etc.

      Did you also notice the Coke machines that allow you to pay by mobile phone? There's a number written on the machine, you SMS it, they instantly SMS you back a code, and then you punch the code into the machine and get your drink. The price of the drink goes on your phone bill.

      How about the bill-pa

    • by juuri ( 7678 )
      Have you been to a major US city not in the midwest or south recently?

      There are debit card enabled things everywhere in NYC, Chicago, SF, etc...
    • Re:Btw (Score:2, Interesting)

      by flabbergast ( 620919 )
      The parent poster is spot on that debit cards without charges is the future. About a year ago or so either Newsweek/Times/WSJ etc did an article about the fleecing of America when it came to check cards, especially when you consider it against the debit card. What's the big deal?

      The costs involved in the back end. Debit cards don't cost nearly as much as check cards do. Why? Because check cards are locked into the credit card system, that's why. It costs the store significantly more to process a cre
      • Me? I don't use a debit or check card. I use credit cards so I don't have my checking account drained it someone gets a hold of my check card number.

        I use cash.
    • by AJWM ( 19027 )
      It's strange that it's almost only credit cards that's used in the US. The only ones who gain from that is Visa and Mastercard. Debit cards without any fees is the future.

      First of all, plenty of places in the US take debit cards. Gas pumps, grocery stores, etc.

      Secondly, I'll never carry a debit card, but I carry credit cards. If I lose it or the card is stolen, my liability on a credit card is limited to $50 (and the CC company has waived that the couple of times it happened to me). If somebody else
  • by El Kevbo ( 81125 ) on Monday August 09, 2004 @08:53AM (#9919602)

    While researching for an embedded systems project (a magstripe enabled Coke machine)

    In other words you wanted to get a Coke the other day and didn't have any spare change, right? :)

  • Blocked! (Score:5, Interesting)

    by W2k ( 540424 ) on Monday August 09, 2004 @09:15AM (#9919788) Journal
    Couldn't access the site through the computer at work, it was blocked by the Internet filter, something about "Criminal skills". Only application that seemed to have anything to do with the Internet in the taskbar was a Symantec anti-virus/internet shield app. Now why is it a "criminal skill" to know about magcard readers?
  • This could save me hassle and money, as well as be an interesting hobby :)

    My debit-cards usually only last 6 months. I'm not rough with them. I take it out of my wallet, I swipe it, I put it back. I'm careful to put it between flat cards (with no raised numbers) so the strip doesn't get abused, but still, the stripe wears down. It's a week to 10 days and a nominal fee to get a new card. Imagine making card backups, reapplying some mag material, and re-magging my own card.

    Rock on.
  • Has an article about magstripes in the issue thats on newstands now....including sample code/diagrams for using readers and writing your own apps....fwiw
  • Call me ignorant but this is the first time I realized that the PIN number is stored directly on the magstripe on the card because I assumed no banking system would be that stupid. I assumed the bank system the PIN number and ATM or whatever terminal would simply transmit the PIN as entered. May as well take my money out of the bank and stuff it in coffee cans, it would be just as secure and I wouldn't be charged a service fee.
    • Don't worry, most ATM cards double as credit cards these days anyway. There's no PIN number to buy stuff with a credit card -- they make you sign your name. Scanning the PIN number off a card is difficult enough, but can you imagine the astronomical odds that your wallet will get stolen by a thief with the same name as you?
      • It's also a joke that anyone can use your credit card even in person, 90% of all store clerks do not check the signature with a photo ID. Even if they are brazen enough to do this a big store with survellance cameras they get ways with it because the police are not going to bother reviewing the tape and try to catch the criminal, the cops just tell you to call your credit card company and have the charge dropped. Fraudulent credit card charges can be easily reversed when you report them. ATM withdrawals on
      • Not sure about the US, but over here in ol' Blighty there's "chip and PIN" - a replacement to signatures: instead of signing for a credit/debit card transaction, the card is put into a terminal with a chip reader and you enter your pin number via a small keypad.

        ChipAndPin [chipandpin.co.uk]
        • by PCM2 ( 4486 )
          Yes, I've been to Europe a few times over the last several years and was interested to see those portable credit card terminals that they bring to your table at restaurants. We have nothing of the like in the U.S. (unless you're talking some really large, fancy place that has developed its own wireless handsets for waitstaff).

          The way it was once explained to me is that it has everything to do with the ... ready for it? ... telephone system.

          In the United States, local telephone calls are essentially free.
  • I write software for kiosks, Internet, ad based etc. We deal with coin, bill, credit cards, pay per use cards etc.

    All we ever needed to do was contact the companies that we wanted to support, and they would always supply is with documentation, and even source code.

    All that we needed to say was, we want to support your and we need specifications. Within a few days we always get it...

    The main thing with this type of hardware, is 9 out of 10 the manufacture only supplies them to companies that will be su
  • by pen ( 7191 )
    I was at a Starbucks recently, trying to run down my Starbucks Card. Since it's been in my wallet for ages, the magstripe wasn't scanning very well. After a few tries, the person at the register wrapped it in Saran Wrap (I'm not kidding!) and it worked fine. This was repeated once more later in the day.

    She said her manager swears by that method.

    Any idea why this works? Does the plastic wrap just push the card a little closer to the reader?

    (For the non-USians, Saran Wrap is a thin clear plastic wrap, usua

    • After a few tries, the person at the register wrapped it in Saran Wrap (I'm not kidding!)

      Are you sure it was Saran Wrap and not, say, Reynolds Wrap, Glad Wrap, or any of the other hundreds of major name- and noname- brands (many private labeled from other brands) available outside of the mighty US of A? :)
  • by Old Wolf ( 56093 ) on Monday August 09, 2004 @03:49PM (#9923603)
    From the site's FAQ:

    Q: Why is keyboard based reader support so primitive?

    A: Keyboard based readers, while cheap and easy to interface, have several problems. First off, The reader simply decodes each track that is present, from 1 to 3, appending each track to the next. No dividing characters are used, so it very difficult to detrimine where the decode for 1 track ends and the next begins. Not being able to reliably seperate the track data means we can't analyze it using our card database. For now, Keyboard based readers work best with cards that only have 1 track.

    The keyboard-based reader I have, has dip-switches on it so you can put start and end markers around each track, and select which track you want. Sounds like the guy hasn't done much research on available card readers (or available card writers).

    Also, the mag card format is an ISO standard so it isn't as if there is any mysterious behaviour going on here (apart from the non-standard card he mentioned).

    Finally, in case anyone was under the wrong impression, having a mag card writer doesn't mean you can break anyone's bank account (bank cards don't contain security information). The worst you could do would be to copy someone else's card for a building security system, then rob it and try and blame the other guy (somehow I don't think this would be too successful).
  • I do a lot of kiosk and interactive exhibit work that utilizes magnetic stripe readers for a variety of purposes, from Fujitsu and NCR ATM machines, to POS systems from Symbol and @POS, to serial readers from MagTech to off the shelf keyboard wedge readers from ID Tech, and I never managed to run across Acidus' site when doing research. His app StripeSnoop looks fairly interesting as a tool. I wanted to point out that there is in fact a TON of information out there available from vendors and standards orga

You know you've landed gear-up when it takes full power to taxi.

Working...