Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security

Magnetic Stripe Snooping at Home 397

pbrinich writes "Have you ever wondered what information is actually stored on all those cards you have in your wallet? Well, it turns out you can find out yourself! An excellent project, Stripe Snoop started by Billy Hoffman, a Georgia Tech computer science student, contains schematics, source code and a wide variety of information about the standards used to store all sorts of information on your magnetic cards."
This discussion has been archived. No new comments can be posted.

Magnetic Stripe Snooping at Home

Comments Filter:
  • by niteice ( 793961 ) <icefragment@gmail.com> on Tuesday March 01, 2005 @10:00AM (#11812279) Journal
    *puts on tinfoil hat*
  • POS (Score:2, Interesting)

    by BrianHursey ( 738430 )
    This would be intresting to use for some open source point of sale systems... *Project ideas flying through head*
    • Re:POS (Score:2, Interesting)

      by dhbiker ( 863466 )
      A nice idea but isn't magnetic stripe rapidly becoming obsolete (and being replaced by Chip and Pin)
  • by Reignking ( 832642 ) on Tuesday March 01, 2005 @10:02AM (#11812298) Journal
    Gives new meaning to the Capital One tagline "What's in your wallet?"
  • by jgbishop ( 861610 ) on Tuesday March 01, 2005 @10:04AM (#11812308) Homepage
    I'm just shocked at what *isn't* on my cards. For example, every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish. Shouldn't that information be on the card? I mean, the card is *mine* - they know who I am. Surely that should indicate what language I speak...
    • by caino59 ( 313096 )
      Yah know - I have wondered that myself so many damned times.

      Hell, just put my pin on there while we're at it. Just put in a fingerprint reader for some biometric authentication.

      Now that'd be nice. Just get rid of the card altogether, pay for that purchase with a fingerprint.

      Ugh, I better stop, someone is bound to be watching and realize that's a great way to generate a more accurate, more complete, and constantly updated finger print database....
      • PayByTouch (Score:5, Informative)

        by plover ( 150551 ) * on Tuesday March 01, 2005 @10:31AM (#11812576) Homepage Journal
        There are companies offering just that. We looked at PayByTouch [paybytouch.com], a company that offers a "digital wallet" that you can access at participating retailers. As a customer, you go to a kiosk, register your fingerprint, and swipe the cards you want to store in the "wallet". At the point of purchase, you key your phone number and touch the fingerprint reader, and the PIN pad brings up your wallet where you can scroll through your cards and select the one you want for this transaction.

        According to PayByTouch, the phone number is used as an index to speed fingerprint matching. The PBT computer located at the point of sale device turns the fingerprint data into a hash on the spot prior to sending the request over the network, so the "clear" fingerprint isn't stored or sent anywhere.

        I personally thought customers would find "fingerprinting" to be too Big-Brotherish, but many pilot customers preferred the idea of using a fingerprint over carrying a wallet full of credit cards and shopper loyalty cards. But at the time we looked at them, Visa refused to certify them as being as secure as a mag stripe, so the idea died around here.

    • by Anonymous Coward
      Actually there is a place for this on the stripe but since many Banks do not issue cards with this information:

      a) Another Bank cannot assume the information is correct
      b) The Bank that does not do this reliably itself has to assume everyone else is just as reliable (at its own ATMs)
      c) The Bank that does do this reliably assumes that no one else does (see b)

      So the result is that only if you are at one of you own Bank's ATM's and they know they do it reliably will you be likely to get the correct language di
    • by swillden ( 191260 ) * <shawn-ds@willden.org> on Tuesday March 01, 2005 @10:16AM (#11812421) Homepage Journal

      I'm just shocked at what *isn't* on my cards. For example, every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish.

      Well, if you were the engineering committee assigned the task of defining the standard data structures to be placed on all ATM cards, thinking about account codes, card verification codes, etc., and realizing that you have limited space to work with without adding more tracks (meaning more expensive readers and perhaps even slightly more expensive cards), would it have occurred to you to put the cardholder's language preference in there?

      I can tell yout that it wouldn't have occurred to me. And these data layouts can't be changed without going through a formal standards process, because they have to work in every ATM in the world (and now at many grocery stores, department stores, etc.).

      So, I'm not surprised at all that that data isn't there. If you want to be surprised by this, you should probably be surprised that the bank didn't choose to store your language preference in their database and then look it up when you swipe your card. That's the sort of feature that a bank can offer to its own customers at its own ATMs without having to get the rest of the world to agree.

      • Well, everything is online AFAIK, so good SW engeneer will tell you that it needs only unique GUID of person to be stored on the card. Everything else ATM can download from the central (distributed) server. Adding new informations/functions only requires update/inovation on ATM side, not changing cads.
      • by Otter ( 3800 ) on Tuesday March 01, 2005 @10:37AM (#11812628) Journal
        If you want to be surprised by this, you should probably be surprised that the bank didn't choose to store your language preference in their database and then look it up when you swipe your card.

        Exactly. There's no reason why that should be on the card, and my banks (Bank of America, formerly Fleet, formerly BankBoston, formerly Bay Bank, formerly...) have stored a language preference in the account data as far back as I can recall.

      • by sbma44 ( 694130 ) on Tuesday March 01, 2005 @10:41AM (#11812656)
        Bank of America has rolled out new color touchscreen ATMs in the DC/Metro area that retrieve user preferences based on the inserted card. You have to set them the first time, of course, but then it'll pull it up automatically. In addition to language choice, it also tracks whether you want receipts (and for which transactions) and some other preferences (how much money you want when you hit "fast cash").

        It's a decent system, but it's sloooow compared to the old monochrome monitors. And worse: the biggest problem is the touchscreens break all the time.

        Still, the general idea seems right. Keeping the GUID on the card is the right idea.

      • by Aidtopia ( 667351 ) on Tuesday March 01, 2005 @11:51AM (#11813295) Homepage Journal
        So, I'm not surprised at all that that data [language preference] isn't there. If you want to be surprised by this, you should probably be surprised that the bank didn't choose to store your language preference in their database and then look it up when you swipe your card.

        I'm sure things have changed a lot in how the ATM networks work, and such a scheme may be feasible now, but this wouldn't have fit the model they had when first introduced. Throughout the 1970s, my mother, father, and step-father all wrote code for banking terminal systems and some of the first ATMs. From them I learned:

        There was one roundtrip to the bank's central computers after you had entered everything for the transaction. I assume this was for scalability. The ATM would collect your card number, PIN, and transaction request and send it as a single request the central computer. That's why they wouldn't tell you about a mistyped PIN until you've entered everything else for your transaction. Transactions were stored in a secondary database which were posted to your real account record overnight.

        In the good old days, the bank didn't assign a PIN for you, store it in a database (which could be snooped by employees), printed it on paper (which could be discovered by anyone), and send it to you in the mail (which could be stolen). Instead, to activate your account, you went to your local branch. A teller would come out to the ATM with you, put his/her card into the machine, enter his/her PIN, then insert your card, and finally turn his/her back while you entered a PIN of your choice. PINs were hashed in the ATM and the bank only ever had the hash, not the original value.

        • In the good old days, the bank didn't assign a PIN for you, store it in a database (which could be snooped by employees), printed it on paper (which could be discovered by anyone), and send it to you in the mail (which could be stolen).

          My bank (Bank of New York) doesn't discuss PINs, ever. If you need a new one, get to a branch. When I set my PIN, it was similar to what you describe, except we did not use the ATM, just a standalone reader and keypad that I assume was hooked into their central system. I fi
    • The card is not yours!

      You didn't read the small print:

      This card is the property of The Big Bank and will remain so. The Big Bank reserves the right to demand the return of the card at any time.

    • I generally agree, but one of the common assignments for GUI development classes is to redesign an ATM. You would be amazed at the horrible interfaces that reasonably intelligent people can come up with and they all seem to keep the language selection. I'm thankful it's the only really irritating feature. Plus, the magnetic stripes have a fairly limited character count and getting banks to agree on a standard format would be a nightmare, so any customization would only work at one of your branches.

      I'm w
    • by wowbagger ( 69688 ) on Tuesday March 01, 2005 @10:38AM (#11812636) Homepage Journal
      The proper place for information like language preference is not on the card, but rather in the bank's database that the ATM accesses.

      Ideally, when the card is first inserted the ATM will ask for non-secure data from the bank - things like language pref and such. If the card is NOT valid, the bank could send back default data (to prevent using that to ease checking of forged cards).

      By seperating the prefs from the card, you can update the card without losing the prefs.

      (Slashbots: Notice that the word is losing, not loosing!)
    • I'm just shocked at what *isn't* on my cards. For example, every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish. Shouldn't that information be on the card?

      Hell, it doesn't even need to be on the card. When you put in the card it should pop up two soft key definitions. One on one side that says "Enter PIN and press here" and one on the other side that says the same thing in spanish. They needlessly complicated the process by making it a separate question.

    • by evilandi ( 2800 ) <andrew@aoakley.com> on Tuesday March 01, 2005 @10:56AM (#11812800) Homepage
      jgbishop: every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish. Shouldn't that information be on the card?

      In Europe it is quite common for the ATMs to automatically work out what language you speak, and automatically present you with an interface in that language.

      This works solely by the ATM recognising which bank your card is from. For instance, mine is Barclays, which the ATM knows is a UK bank, so many ATMs in France present me with an English interface by default. I would strongly expect all European ATMs with this ability to present all US cardholders with an English language by default (Spanish-speaking US citizens aren't common tourists).

      However this breaks when your country speaks more than one language. I'd expect all ATMs to be very confused about which language a Swiss cardholder prefers; Switzerland has German, French and regional languages as official languages. Belgians probably get a choice of Dutch or French too.

      There are also regional variations. For example, when using my Barclays ATM card in Wales [1], I sometimes get the option for the interface in Welsh or English, because Barclays customers in Wales might prefer Welsh over English (for instance, my uncle prefers Welsh for conversing about money and family, but English for talking about science and technology).

      So it can be done, but they don't dial back to HQ for your individual preference- the ATMs generally only recognise the default language of your bank. If your bank speaks both Spanish and English, then most ATMs aren't going to know any better.

      [1] Wales and England are Kingdoms [2] of the United Kingdom in the same way that California and Texas are States of the United States. The UK isn't just England, any more than the US is just California.

      [2] Actually, Wales is a Principality (ruled by a Prince/Princess, not a King/Queen), not a Kingdom, but you get the idea.

    • by fons ( 190526 ) on Tuesday March 01, 2005 @11:12AM (#11812932) Homepage
      Where I live, the language of preference is stored on the server.

      All ATM's in Belgium can work in 4 langauges, but I never had to choose a language at an ATM. So I suppose the bank knows i want to be served in Dutch.

      When a foreigner uses an ATM in Belgium, he gets to choose a language. (And when I go abroad, I get to choose a language too)
    • Sometimes I like to use the spanish option for fun. I don't speak or understand most spanish, but I never have a problem getting through it to get some cash.

      When I first got my drivers license, the "written" test was actually taken at a computer terminal. There was a long line at every one except for the spanish-language one. I asked what happened if one failed the test -- the DMV lady said that you could re-take it right then up to three times a day until you passed (obviously this is to ensure that there
    • I'm just shocked at what *isn't* on my cards. For example, every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish. Shouldn't that information be on the card? I mean, the card is *mine* - they know who I am. Surely that should indicate what language I speak...

      Working for a bank, this one should be a home run, and a shameless plug...except that I'm not going to name my employer. There's several different reasons why that stuff isn't stored on a card itself.
  • by aendeuryu ( 844048 ) on Tuesday March 01, 2005 @10:04AM (#11812310)
    Since one of the listed articles talks about common security blunders with cards, it's time to start the over/under pool on how long it takes before this guy gets shut down by some corporation claiming DMCA violations.

    I call one week.
    • There's no DMCA potential here, the data's not encryped or anything. I used to with with card scanners that just plug into your keyboard port. You swipe a bank card through and up comed your name and address and some other stuff. Never examined it in much detail (shoulda thrown it into a hex editor), but it's not exactly secret.

    • I knew someone would say something like this. I also correctly predicted that no attempt whatsoever would be made to justify the statement, what with the mag stripes not being encrytped in any way, belonging to universal standards regarding how the data be read (and written) on the multitude of devices out there. Nice easy way to bumb your karma up!
      • Feel free to go google DMCA abuse [google.com]. There's about 100,000 hits, and you might find one or two in there that might lead you to understand WHY it's reasonable to think that a corporation might go after this, using the DMCA as a weapon, because [drmwatch.com] they've [typepad.com] done [lockergnome.com] it [wired.com] before [holysmoke.org].

        The FatWallet one is particularly educational. I invite you to go read it. It's even less applicable to the DMCA than card-stripe reading, and it happened anyway.
  • by Reignking ( 832642 ) on Tuesday March 01, 2005 @10:05AM (#11812323) Journal
    Open your wallet. How many cards in there have magstripes on them? Three? Four? Five? Ever wonder what was encoded on them?

    I know I did. I had six cards in my wallet with magstripes. One day a friend of mine had a $200 Magstripe reader, so I ran my cards through. Aside from the expected credit card numbers, I was surprised by the amount of personal information encoded on them. In fact, for reasons I still don't know, 2 cards contained my social security number.
  • Hoffman (Score:4, Informative)

    by delirium of disorder ( 701392 ) on Tuesday March 01, 2005 @10:06AM (#11812328) Homepage Journal
    Billy Hoffman, aka Acidus, is one of the top up and comming security experts; he probably knows more about card systems and ATMs then anyone outside "the industry". I had the privilage of seeing him speak and phreaknic and hope his contributions to the hacking community continue. People like him keep the rest of us free and informed dispite the massive corporate, academic, and government powers that would have otherwise. So....Thanks!
  • by szlevente ( 705483 ) on Tuesday March 01, 2005 @10:06AM (#11812335)
    I don't think articles such as this one will bring anything new to those who are in the business of credit card stealing. But it should serve as an eye-opener and for raising awareness for the average card user. Being a little more careful with that card should help a lot, I guess. Besides, I let the bank use my money for a reason, right? They should take the risk on themselves...
  • More info.... (Score:5, Informative)

    by thoughtcr1mes ( 815081 ) on Tuesday March 01, 2005 @10:09AM (#11812363)
    Stripe Snoop was discussed in detail by its author on a show called Binary Revolution Radio awhile back. You can download the ep, #56, at: http://www.binrev.com/radio/archive.html/ [binrev.com] -enjoy, it's a really good show!
  • by Anonymous Coward on Tuesday March 01, 2005 @10:09AM (#11812367)
    One of the screenshots shows that there's an encrypted PIN stored on credit cards. How soon before we are able to de-encrypt that? Then all a thief needs is a magstripe reader, this free program, and the decrypter program, to start his business.
    Even if it's irreversible, it can't be too hard to brute force number-only PINs.
    • "it can't be too hard to brute force number-only PINs."

      Yeah, especially since all the ATM cards I've ever used use only four digit PINs (securing all of your cash with a 14bit key???)

      I doubt if you'd even have to brute force it. Look in the right places, you can probably find the hashing algorithm (even if they're not using something obvious, which they probably are). Just generate all 10000 hashes and use it as a lookup table for all the cards you can get your hands on. Yikes.
      • Not really... As said earlier the 'PIN' on the card is not actually the PIN at all. It is merely an offset which is used along with a DES key and the PAN to calculate the real PIN. Your bank may either store the real PIN on their host system or use this offset calculation method. The PIN is transmitted over the line during a transaction (unless the ATM verifies for you). It is either DES or TDES encrypted, so technically that could be brute-forced.

      • I've changed my pin before on my bank cards, but I never gave the card to anybody to reprogram.

        I believe it is looked up upon entry, or at least that would make sense to me. Its too easy to buy a reader and brute force it offline.

        Even if there is a number of failed attempts lockout of trying to brute force a PIN at an ATM. Most people would get tired of standing there before getting near the right PIN.

        If I've mistakenly put in the wrong PIN on my card, it silently accepts it, and makes me go through th
    • by Anonymous Coward on Tuesday March 01, 2005 @10:48AM (#11812726)
      It can't be "brute forced" or "cracked", any more than you can tell what the OTP enciphered message "htpn juio gowew" says without the pad. In modern banking systems it's part of a two factor system, in which you need the algorithm plus ANY TWO of the following in order to figure out the third

      * Real PIN (typically stored in customer's brain, sometimes also on a PostIt stuck inside their desk drawer)

      * PIN offset (stored on magstripe of card)

      * Stored PIN from database (stored in a secure machine at the bank, probably along with your current balance)

      You can imagine that the function used is XOR, but actually there are various methods that could work, and I've never investigated which one is used. However this system lets several moderately clever things happen...

      1. You can have two cards (e.g husband and wife) for the same account with different PINs, yet store only one PIN in the database

      2. ATMs can change the PIN by knowing your old and new PIN, then applying the changed offset to the magstripe.

      3. By leaving the PIN unchanged and issuing a card with a different offset the bank can send you a new card, with a new PIN, without instantly disabling your old card and PIN.

      4. Knowing the PIN, and having a valid card number are not sufficient to validate yourself to the ATM network. You don't know the offset that goes with that PIN, you'd have to steal (or at least read) the customer's card to get a valid offset.

      5. The real PIN is never sent over the network. So if you have an opportunity to eavesdrop on bank network traffic you don't learn the PIN for anyone's card.

      This is actually pretty clever stuff, the banks can be many things, but they're not stupid, you don't last long in financial circles if you are.
  • by Anonymous Coward on Tuesday March 01, 2005 @10:10AM (#11812373)
    It said "Paul is dead"

    What's that mean?
  • I've done this (Score:5, Interesting)

    by The Hobo ( 783784 ) on Tuesday March 01, 2005 @10:14AM (#11812406)
    I've actually done this myself, purchased the magnetic reader, some electrical parts, soldered the thing together. Once I had things going, when you swipe say a Visa, it lists the card #, the expiry date, and the issuing bank. I've also tried it with a bank card, and it does list the bank card #, and an 'encrypted pin', which, if I understand correctly, is encrypted with triple DES (that's what I remember, I may be wrong). I also swiped my University student card, but can't yet make out what it has stored. Finally, I swiped an M&M Meat Shops Max Member card and all it has on it is the max member #, nothing more. Also, the person I did this with created some shims to raise the card so as to read the 2nd and 3rd track. It was overall a neat project.
  • by zoharroy ( 855463 ) on Tuesday March 01, 2005 @10:15AM (#11812414)
    you can use it (like he did) to build your own coke machine....
    http://www.yak.net/acidus/magstripe/coke.html [yak.net]
  • Transcript (Score:3, Funny)

    by mushupork ( 819735 ) on Tuesday March 01, 2005 @10:17AM (#11812439)
    As Dave starts sliding his cards thru the reader, looking at all of his private info flashing up on his monitor...a red camera eye fills the screen:
    Dave Bowman: What's the problem?

    HAL: I think you know what the problem is just as well as I do.
    Dave Bowman: What are you talking about, HAL?
    HAL: This mission is too important for me to allow you to jeopardize it.
    Dave Bowman: I don't know what you're talking about, HAL.
    Errie, eh?
  • by Anita Coney ( 648748 ) on Tuesday March 01, 2005 @10:18AM (#11812448) Homepage
    that a few weeks after ordering the necessary hardware, you'd get sued or arrested.

    • I bought a magstripe reader that connects to the keyboard port of my laptop and looks like a keyboard. Don't need any special software to read the output because it emulates key presses. I just go into the emacs scratch buffer and swipe the card. The reader even puts end-of-line characters at the end of each track.

      Can someone point out why Stripe Snoop is better than my solution?

      John.
      • "Can someone point out why Stripe Snoop is better than my solution?"

        Not just because it's cheaper, but the author of Stripe Snoop is showing people how to build their own from parts (encouraging an interest in Electronics) as well as providing Open Source software that not only reads from the hardware he built, but also will deal with data from your reader, and provides added functionality (as the article compares) sort of like a CDDB that will help you figure out what some of the data means... Software

      • Like this? (Score:3, Informative)

        by First Person ( 51018 )

        I noticed a 3 track reader for $59 from Kanecal.net [kanecal.net]. This looks like a very quick and cheap approach to data extraction. The advantage of making your own is that you need not limit yourself to cards following the ISO specifications for track positions and character encodings.

  • Changing the Strip (Score:5, Interesting)

    by n0dalus ( 807994 ) on Tuesday March 01, 2005 @10:18AM (#11812449) Journal
    How easy would it be to edit the data on the strips?
    For example, would it be possible for me to take my magnetic bus ticket and easily add another 10 trips to it?
    • by hackstraw ( 262471 ) * on Tuesday March 01, 2005 @10:55AM (#11812790)
      How easy would it be to edit the data on the strips?

      Its trivial. You can get a magstripe writer for a couple hundred bucks, max.

      For example, would it be possible for me to take my magnetic bus ticket and easily add another 10 trips to it?

      Depends on how the bus tickets are set up. If they have a unique identifier on them and it looks up your balance against a central database. No luck. If the info is stored on the ticket itself, it should be trivial. Although the paper bus and train tickets are not the same as standard CC style cards.

      Interesting trivia on the subject.

      Ever wonder why the person swipes your credit card and then enters the last 4 digits that are hologram embossed on the card manually?

      Because its trivial to put any account number on the card.

      CC numbers have an internal checksum, so you cant simply make up a number that will match the last 4 digits. The odds of reprogramming your card with an active and valid account that matches your last 4 digits printed on your card are pretty low.
    • i don't know where you live, but in chicago, where a friend of mine worked on a project with the cta, all the cards store is an id number. the number of trips is only stored in the transit agencies computer system.
  • Dupe! (Score:2, Informative)

    by Anonymous Coward
  • by WOV ( 652967 ) on Tuesday March 01, 2005 @10:22AM (#11812484)

    The new Make magazine has a heavily-photographed and pretty intelligible partslist / walkthrough of building the actual device, as well. http://make.oreilly.com/ [oreilly.com]

  • They put a mag strip access lock to the computer lab in college. We were complaining at having to now carry around our student I.D.s to get access to the labs when I found out ALL of my credit cards allowed access to the lab. (Not smart, but hey, this was 1989)

    Turns out the Lab assistant that installed the lock thought it'd be cool if any card he pulled out of his wallet would open the door. But the local bank's first 9 digits on the mag strip was the same for ALL cards they issued.
  • I dont think you can read the strips without being more than a couple millimeters away.
    However I heard of a of scam to read the the RFIDs in car key and car opener devices. These can be read a foot or two away (e.g. in elevator or mall). Its been shown that a modest computation can break the car entry security. So do we need foil-lined wallets, pockets, and purses?
  • On the screenshots page http://stripesnoop.sourceforge.net/screenshots.htm l [sourceforge.net] there's a screenshot that has the text "Possibly a: "AAMVA Compliant North American Driver's License"
    then below that "Issuing Territory: California"
    It also says the standard is used in some parts of Canada as well. Where's my tin foil hat?
  • by neile ( 139369 ) on Tuesday March 01, 2005 @10:39AM (#11812642)
    The first issue of Make [makezine.com] had a whole article, with parts list [makezine.com] and clear directions, on how to attach a card reader to your computer and use the Stripe Snoop software to read off the information.
  • by jdw242b ( 856901 ) on Tuesday March 01, 2005 @10:49AM (#11812745) Journal
    for the record, less expensive readers are available.
    I used one to snoop my cards and found some interesting information...

    Try this link: http://www.posguys.com/category.asp?catID=4 [posguys.com]

  • Snore.... (Score:3, Informative)

    by feloneous cat ( 564318 ) on Tuesday March 01, 2005 @10:50AM (#11812747)
    I did this over six years ago... A lot of the info was on the net then and it is incredibly dull how little info is really stored. Worse, Japanese credit cards have a hidden stripe on the FRONT of the card (just in case you wanted to know). You can get a mag-stripe reader for these pretty easily. Personally, I still think RFID is more interesting...
  • University IDs (Score:5, Interesting)

    by langelgjm ( 860756 ) on Tuesday March 01, 2005 @10:50AM (#11812751) Journal
    I'm an undergrad student in the University of Maryland system. I managed to write some simple C and Perl programs a while back for a reader I obtained, and ran quite a few cards through them. I found that our university issued ID cards have our social security numbers stored on them, unencrypted. A friend filed some public information request acts requesting to know if the university stored data such as the time and locations of card swipes, and if that data was attached to the student in any way. After initially denying this, the university eventually admitted that they do store data, and sent the guy a copy of his records, which indicate to the second when and where he swiped his card, in addition to when he went to the gym, how much he bought at the dining halls, etc. So much for privacy. I'm no engineer or programmer, and I was able to do this fairly easily; it can't be that hard to build an intercept and install it within a reader that's attached to a door, and voila - hundreds of SSNs. We're trying to contact some people in the school media and administration and have something done.
    • Re:University IDs (Score:2, Interesting)

      by Reignking ( 832642 )
      Even worse: the University of South Carolina had your SSN in plain site on their ID cards. Oh wait, that's if you could crack the system! It was XssnXX on mine.
    • Re:University IDs (Score:5, Insightful)

      by dave420 ( 699308 ) on Tuesday March 01, 2005 @03:16PM (#11815655)
      What do you mean privacy? Someone could follow you around, quite legally, and make a note of ALL of that information. That's just as legal.

      I'm not being weird here, but if you're in public you don't have a right to privacy. That's why it's called public and not private.

      Fair enough if they were spying in your private residence or something, but seeing when you go into a room is nothing. Especially considering it's their university, so like you in your house, can do anything that doesn't violate a law. As they violated no laws, it's all cool.

  • Wager... (Score:2, Insightful)

    by http101 ( 522275 )
    I'll give him 2 days before the DMCA guys come knockin' on his dorm-room door.
  • Guy's not an RMS fan (Score:5, Interesting)

    by JackBuckley ( 696547 ) on Tuesday March 01, 2005 @11:14AM (#11812959) Homepage
    From Deep in TFA (tm):

    Q: Why did you release Stripe Snoop under the GPL?

    A: Well, its not because I like Richard Stallman, thats for sure. I don't believe that all code should be Free Software,and think he is pretty much a coding communist. One of the reasons Stripe Snoop was created was the lack of cheap or quality magstripe software, especially that would run on Linux. I have worked very hard on Stripe Snoop, and the last thing I want are the very companies that have expensive, crappy software from using my code and not contributing code themselves. In this regard the GPL provides the protections I want, even if I disagree with most of the creator's politics.

    Interesting to see a "security expert" (see earlier post--I can't verify this opinion) who thinks RMS is a code communist.

  • by Skjellifetti ( 561341 ) on Tuesday March 01, 2005 @11:17AM (#11812974) Journal
    The magnetic stripe standards [gae.ucm.es], of course. The card is a test card I printed while I was building an ID card system for a client. The front lists the track standard and the allowed chars:

    Track 1 (IATA [iata.org] data max. 76 chars):
    !"#$%&'()*+,-./0123456789:;<=>@ABCDEFGHIJKLMNOPQRS TUVWXYZ[\]^ _

    Track2 (ABA [aba.com] data, max 37 chars): 0123456789;;<=>

    Track 3(TTS data, max. 104 chars):
    0123456789:;<=>

    The allowed chars have been encoded onto the stripe on the back.

Always look over your shoulder because everyone is watching and plotting against you.

Working...