Magnetic Stripe Snooping at Home 397
pbrinich writes "Have you ever wondered what information is actually stored on all those cards you have in your wallet? Well, it turns out you can find out yourself! An excellent project, Stripe Snoop started by Billy Hoffman, a Georgia Tech computer science student, contains schematics, source code and a wide variety of information about the standards used to store all sorts of information on your magnetic cards."
to sum up a lot of comments... (Score:5, Funny)
Re:to sum up a lot of comments... (Score:5, Funny)
Re:to sum up a lot of comments... (Score:2, Funny)
KER-CHUNK-click.
'Have a nice day sir!'
Re:to sum up a lot of comments... (Score:2)
Re:to sum up a lot of comments... (Score:2)
Re:to sum up a lot of comments... (Score:4, Funny)
You need this [ehowa.com] as well.
POS (Score:2, Interesting)
Re:POS (Score:2, Interesting)
Gives new meaning... (Score:5, Funny)
Re:Gives new meaning... (Score:2)
Not a Capital One credit card?
Tom
Missing Information (Score:4, Insightful)
Re:Missing Information (Score:2, Interesting)
Hell, just put my pin on there while we're at it. Just put in a fingerprint reader for some biometric authentication.
Now that'd be nice. Just get rid of the card altogether, pay for that purchase with a fingerprint.
Ugh, I better stop, someone is bound to be watching and realize that's a great way to generate a more accurate, more complete, and constantly updated finger print database....
PayByTouch (Score:5, Informative)
According to PayByTouch, the phone number is used as an index to speed fingerprint matching. The PBT computer located at the point of sale device turns the fingerprint data into a hash on the spot prior to sending the request over the network, so the "clear" fingerprint isn't stored or sent anywhere.
I personally thought customers would find "fingerprinting" to be too Big-Brotherish, but many pilot customers preferred the idea of using a fingerprint over carrying a wallet full of credit cards and shopper loyalty cards. But at the time we looked at them, Visa refused to certify them as being as secure as a mag stripe, so the idea died around here.
Re:Missing Information (Score:3, Insightful)
Re:Missing Information (Score:2, Insightful)
a) Another Bank cannot assume the information is correct
b) The Bank that does not do this reliably itself has to assume everyone else is just as reliable (at its own ATMs)
c) The Bank that does do this reliably assumes that no one else does (see b)
So the result is that only if you are at one of you own Bank's ATM's and they know they do it reliably will you be likely to get the correct language di
Re:Missing Information (Score:5, Insightful)
I'm just shocked at what *isn't* on my cards. For example, every time I go to my bank's ATM, I have to indicate whether I want to do business in English or Spanish.
Well, if you were the engineering committee assigned the task of defining the standard data structures to be placed on all ATM cards, thinking about account codes, card verification codes, etc., and realizing that you have limited space to work with without adding more tracks (meaning more expensive readers and perhaps even slightly more expensive cards), would it have occurred to you to put the cardholder's language preference in there?
I can tell yout that it wouldn't have occurred to me. And these data layouts can't be changed without going through a formal standards process, because they have to work in every ATM in the world (and now at many grocery stores, department stores, etc.).
So, I'm not surprised at all that that data isn't there. If you want to be surprised by this, you should probably be surprised that the bank didn't choose to store your language preference in their database and then look it up when you swipe your card. That's the sort of feature that a bank can offer to its own customers at its own ATMs without having to get the rest of the world to agree.
Re:Missing Information (Score:2, Insightful)
Re:Missing Information (Score:4, Informative)
Exactly. There's no reason why that should be on the card, and my banks (Bank of America, formerly Fleet, formerly BankBoston, formerly Bay Bank, formerly...) have stored a language preference in the account data as far back as I can recall.
my bank *does* do this (Score:5, Informative)
It's a decent system, but it's sloooow compared to the old monochrome monitors. And worse: the biggest problem is the touchscreens break all the time.
Still, the general idea seems right. Keeping the GUID on the card is the right idea.
Re:Missing Information (Score:4, Interesting)
I'm sure things have changed a lot in how the ATM networks work, and such a scheme may be feasible now, but this wouldn't have fit the model they had when first introduced. Throughout the 1970s, my mother, father, and step-father all wrote code for banking terminal systems and some of the first ATMs. From them I learned:
There was one roundtrip to the bank's central computers after you had entered everything for the transaction. I assume this was for scalability. The ATM would collect your card number, PIN, and transaction request and send it as a single request the central computer. That's why they wouldn't tell you about a mistyped PIN until you've entered everything else for your transaction. Transactions were stored in a secondary database which were posted to your real account record overnight.
In the good old days, the bank didn't assign a PIN for you, store it in a database (which could be snooped by employees), printed it on paper (which could be discovered by anyone), and send it to you in the mail (which could be stolen). Instead, to activate your account, you went to your local branch. A teller would come out to the ATM with you, put his/her card into the machine, enter his/her PIN, then insert your card, and finally turn his/her back while you entered a PIN of your choice. PINs were hashed in the ATM and the bank only ever had the hash, not the original value.
Re:Missing Information (Score:3, Interesting)
My bank (Bank of New York) doesn't discuss PINs, ever. If you need a new one, get to a branch. When I set my PIN, it was similar to what you describe, except we did not use the ATM, just a standalone reader and keypad that I assume was hooked into their central system. I fi
Re:Missing Information (Score:3, Interesting)
Re:Missing Information (Score:2, Interesting)
You didn't read the small print:
This card is the property of The Big Bank and will remain so. The Big Bank reserves the right to demand the return of the card at any time.
Careful what you wish for (Score:2)
I'm w
The proper place for this information...l (Score:4, Insightful)
Ideally, when the card is first inserted the ATM will ask for non-secure data from the bank - things like language pref and such. If the card is NOT valid, the bank could send back default data (to prevent using that to ease checking of forged cards).
By seperating the prefs from the card, you can update the card without losing the prefs.
(Slashbots: Notice that the word is losing, not loosing!)
Re:Missing Information (Score:2)
Hell, it doesn't even need to be on the card. When you put in the card it should pop up two soft key definitions. One on one side that says "Enter PIN and press here" and one on the other side that says the same thing in spanish. They needlessly complicated the process by making it a separate question.
In Europe the ATMs inform YOU! (Score:5, Interesting)
In Europe it is quite common for the ATMs to automatically work out what language you speak, and automatically present you with an interface in that language.
This works solely by the ATM recognising which bank your card is from. For instance, mine is Barclays, which the ATM knows is a UK bank, so many ATMs in France present me with an English interface by default. I would strongly expect all European ATMs with this ability to present all US cardholders with an English language by default (Spanish-speaking US citizens aren't common tourists).
However this breaks when your country speaks more than one language. I'd expect all ATMs to be very confused about which language a Swiss cardholder prefers; Switzerland has German, French and regional languages as official languages. Belgians probably get a choice of Dutch or French too.
There are also regional variations. For example, when using my Barclays ATM card in Wales [1], I sometimes get the option for the interface in Welsh or English, because Barclays customers in Wales might prefer Welsh over English (for instance, my uncle prefers Welsh for conversing about money and family, but English for talking about science and technology).
So it can be done, but they don't dial back to HQ for your individual preference- the ATMs generally only recognise the default language of your bank. If your bank speaks both Spanish and English, then most ATMs aren't going to know any better.
[1] Wales and England are Kingdoms [2] of the United Kingdom in the same way that California and Texas are States of the United States. The UK isn't just England, any more than the US is just California.
[2] Actually, Wales is a Principality (ruled by a Prince/Princess, not a King/Queen), not a Kingdom, but you get the idea.
Language preference stored on bank-side (Score:4, Informative)
All ATM's in Belgium can work in 4 langauges, but I never had to choose a language at an ATM. So I suppose the bank knows i want to be served in Dutch.
When a foreigner uses an ATM in Belgium, he gets to choose a language. (And when I go abroad, I get to choose a language too)
Re:Missing Information (Score:3, Funny)
When I first got my drivers license, the "written" test was actually taken at a computer terminal. There was a long line at every one except for the spanish-language one. I asked what happened if one failed the test -- the DMV lady said that you could re-take it right then up to three times a day until you passed (obviously this is to ensure that there
Re: (Score:3, Interesting)
Re:Missing Information (Score:3, Insightful)
Time to start the over/under pool (Score:5, Insightful)
I call one week.
Re:Time to start the over/under pool (Score:2)
Re:Time to start the over/under pool (Score:2)
Threni? Meet Google. Google? This is Threni! (Score:2, Interesting)
The FatWallet one is particularly educational. I invite you to go read it. It's even less applicable to the DMCA than card-stripe reading, and it happened anyway.
From the "Why Use It?" portion (Score:4, Informative)
I know I did. I had six cards in my wallet with magstripes. One day a friend of mine had a $200 Magstripe reader, so I ran my cards through. Aside from the expected credit card numbers, I was surprised by the amount of personal information encoded on them. In fact, for reasons I still don't know, 2 cards contained my social security number.
Contents of drivers license barcode (Score:3, Informative)
Re:From the "Why Use It?" portion (Score:2, Interesting)
BTW, I am a contractor and we use the same types of cards you are talking about. Not in the office I work at, but at other offices we have. In one office I can think of the doors actually authenticate you _and_ open the door automatically as you walk towards it. Pretty neat stuff.
Hoffman (Score:4, Informative)
Re:Hoffman (Score:2)
We started at GT the same semester, we were actually paired up for the two day freshman orientation. Talked way more than I could handle, but nice guy.
I'm just surprised nobody's mentioned the trouble with Blackboard...I know there were multiple
Nothing new to thieves (Score:5, Insightful)
More info.... (Score:5, Informative)
Encrypted PIN on credit cards? (Score:4, Interesting)
Even if it's irreversible, it can't be too hard to brute force number-only PINs.
Re:Encrypted PIN on credit cards? (Score:3, Insightful)
Yeah, especially since all the ATM cards I've ever used use only four digit PINs (securing all of your cash with a 14bit key???)
I doubt if you'd even have to brute force it. Look in the right places, you can probably find the hashing algorithm (even if they're not using something obvious, which they probably are). Just generate all 10000 hashes and use it as a lookup table for all the cards you can get your hands on. Yikes.
Re:Encrypted PIN on credit cards? (Score:2, Insightful)
Re:Encrypted PIN on credit cards? (Score:2)
I've changed my pin before on my bank cards, but I never gave the card to anybody to reprogram.
I believe it is looked up upon entry, or at least that would make sense to me. Its too easy to buy a reader and brute force it offline.
Even if there is a number of failed attempts lockout of trying to brute force a PIN at an ATM. Most people would get tired of standing there before getting near the right PIN.
If I've mistakenly put in the wrong PIN on my card, it silently accepts it, and makes me go through th
Re:Encrypted PIN on credit cards? (Score:5, Informative)
* Real PIN (typically stored in customer's brain, sometimes also on a PostIt stuck inside their desk drawer)
* PIN offset (stored on magstripe of card)
* Stored PIN from database (stored in a secure machine at the bank, probably along with your current balance)
You can imagine that the function used is XOR, but actually there are various methods that could work, and I've never investigated which one is used. However this system lets several moderately clever things happen...
1. You can have two cards (e.g husband and wife) for the same account with different PINs, yet store only one PIN in the database
2. ATMs can change the PIN by knowing your old and new PIN, then applying the changed offset to the magstripe.
3. By leaving the PIN unchanged and issuing a card with a different offset the bank can send you a new card, with a new PIN, without instantly disabling your old card and PIN.
4. Knowing the PIN, and having a valid card number are not sufficient to validate yourself to the ATM network. You don't know the offset that goes with that PIN, you'd have to steal (or at least read) the customer's card to get a valid offset.
5. The real PIN is never sent over the network. So if you have an opportunity to eavesdrop on bank network traffic you don't learn the PIN for anyone's card.
This is actually pretty clever stuff, the banks can be many things, but they're not stupid, you don't last long in financial circles if you are.
I just tried mine... (Score:3, Funny)
What's that mean?
Re:I just tried mine... (Score:2)
I've done this (Score:5, Interesting)
Re:I've done this (Score:2)
But the important part is... (Score:3, Interesting)
http://www.yak.net/acidus/magstripe/coke.html [yak.net]
Transcript (Score:3, Funny)
Why do I get the impression (Score:3, Funny)
Re:Why do I get the impression (Score:3, Interesting)
Can someone point out why Stripe Snoop is better than my solution?
John.
Re:Why do I get the impression (Score:3, Insightful)
Not just because it's cheaper, but the author of Stripe Snoop is showing people how to build their own from parts (encouraging an interest in Electronics) as well as providing Open Source software that not only reads from the hardware he built, but also will deal with data from your reader, and provides added functionality (as the article compares) sort of like a CDDB that will help you figure out what some of the data means... Software
Like this? (Score:3, Informative)
I noticed a 3 track reader for $59 from Kanecal.net [kanecal.net]. This looks like a very quick and cheap approach to data extraction. The advantage of making your own is that you need not limit yourself to cards following the ISO specifications for track positions and character encodings.
Changing the Strip (Score:5, Interesting)
For example, would it be possible for me to take my magnetic bus ticket and easily add another 10 trips to it?
Re:Changing the Strip (Score:5, Informative)
Its trivial. You can get a magstripe writer for a couple hundred bucks, max.
For example, would it be possible for me to take my magnetic bus ticket and easily add another 10 trips to it?
Depends on how the bus tickets are set up. If they have a unique identifier on them and it looks up your balance against a central database. No luck. If the info is stored on the ticket itself, it should be trivial. Although the paper bus and train tickets are not the same as standard CC style cards.
Interesting trivia on the subject.
Ever wonder why the person swipes your credit card and then enters the last 4 digits that are hologram embossed on the card manually?
Because its trivial to put any account number on the card.
CC numbers have an internal checksum, so you cant simply make up a number that will match the last 4 digits. The odds of reprogramming your card with an active and valid account that matches your last 4 digits printed on your card are pretty low.
Re:Changing the Strip (Score:2)
Dupe! (Score:2, Informative)
Schematics and instructions. (Score:4, Informative)
The new Make magazine has a heavily-photographed and pretty intelligible partslist / walkthrough of building the actual device, as well. http://make.oreilly.com/ [oreilly.com]
Waay back when I was a youngun (Score:5, Funny)
Turns out the Lab assistant that installed the lock thought it'd be cool if any card he pulled out of his wallet would open the door. But the local bank's first 9 digits on the mag strip was the same for ALL cards they issued.
Re:Waay back when I was a youngun (Score:5, Interesting)
What is the point of these? Obviously not security. I suppose it must be to keep homeless people out, since they are least likely to carry any kind of magnetic card.
-b
can you read these remotely? (Score:2)
However I heard of a of scam to read the the RFIDs in car key and car opener devices. These can be read a foot or two away (e.g. in elevator or mall). Its been shown that a modest computation can break the car entry security. So do we need foil-lined wallets, pockets, and purses?
proof of national ID? (Score:2)
then below that "Issuing Territory: California"
It also says the standard is used in some parts of Canada as well. Where's my tin foil hat?
Building the reader is in Make (Score:3, Interesting)
pay to play (but not that much) (Score:3, Informative)
I used one to snoop my cards and found some interesting information...
Try this link: http://www.posguys.com/category.asp?catID=4 [posguys.com]
Snore.... (Score:3, Informative)
University IDs (Score:5, Interesting)
Re:University IDs (Score:2, Interesting)
Re:University IDs (Score:2)
They use the SSN for everything there.
Re:University IDs (Score:5, Insightful)
I'm not being weird here, but if you're in public you don't have a right to privacy. That's why it's called public and not private.
Fair enough if they were spying in your private residence or something, but seeing when you go into a room is nothing. Especially considering it's their university, so like you in your house, can do anything that doesn't violate a law. As they violated no laws, it's all cool.
Wager... (Score:2, Insightful)
Guy's not an RMS fan (Score:5, Interesting)
Q: Why did you release Stripe Snoop under the GPL?
A: Well, its not because I like Richard Stallman, thats for sure. I don't believe that all code should be Free Software,and think he is pretty much a coding communist. One of the reasons Stripe Snoop was created was the lack of cheap or quality magstripe software, especially that would run on Linux. I have worked very hard on Stripe Snoop, and the last thing I want are the very companies that have expensive, crappy software from using my code and not contributing code themselves. In this regard the GPL provides the protections I want, even if I disagree with most of the creator's politics.
Interesting to see a "security expert" (see earlier post--I can't verify this opinion) who thinks RMS is a code communist.
A testament to the strength of GPL (Score:3, Insightful)
What's in Your Wallet? (Score:4, Informative)
Track 1 (IATA [iata.org] data max. 76 chars):
!"#$%&'()*+,-./0123456789:;<=>@ABCDEFGHIJKLMNOPQR
Track2 (ABA [aba.com] data, max 37 chars): 0123456789;;<=>
Track 3(TTS data, max. 104 chars):
0123456789:;<=>
The allowed chars have been encoded onto the stripe on the back.
Re:could be worrying (Score:2, Informative)
Re:could be worrying (Score:2, Informative)
Re:could be worrying (Score:3, Interesting)
I wonder if the information sent to whatever-the-hell-it-is is encrypted...
Re:could be worrying (Score:3, Informative)
Yes. Even those standalone-shady-looking ATM's that dialup an 800 number and connect at 1200baud will have encrypted transmissions.
Re:could be worrying (Score:5, Funny)
It's called a computer. I know, I'm using one right now and in a few years, they'll be everywhere and you'll buy one to play games!
Re:could be worrying (Score:5, Informative)
Re:could be worrying (Score:5, Informative)
When you key your PIN, the PIN pad accepting it will encrypt the PIN along with other transactional information plus its own serial number using a key injected securely by a representative of the issuing bank.
This blob plus the other data is transmitted to an authorizer, where the account is looked up and a local copy of the blob is created. If it matches the incoming blob, it's a go.
The bank almost certainly did not encode your card in the scenario you described above. Encoding is usually done with a machine-fed stripe writer, and is almost never done by hand-swiping the stripe anymore. (The timing is usually better on machine fed devices.) What the bank most likely did was to generate a blob similar to the one I described above for transmission to their authorizing computer, who immediately stored it and activated it for use.
Yes, the original intent of mag stripes was to enable offline transactions. However, bad guys quickly figured out how to read stripes and forge PINs, so everyone went to strictly on-line authorizing in the early 1980s.
Re:could be worrying (Score:5, Informative)
so everyone went to strictly on-line authorizing in the early 1980s.
Everyone in the US did, anyway. Much of the rest of the world still does off-line transactions with magstripe. That's a big part of the reason why chip cards are being deployed so much more aggressively outside of the US, because they don't want to do on-line authentication (due to higher communications costs), and allowing off-line transactions with magstripe is just asking for high fraud rates.
In France, for example, a few years ago fraud was insanely high. Since they've gone to chip cards skimming fraud has dropped to zero and overall credit card fraud is miniscule.
Re:could be worrying (Score:4, Informative)
Card formats are in the original article. No PIN in the stripes. http://stripesnoop.sourceforge.net/devel/layoutst
(CVV/CVC are not your PIN, they are an additional security check. They are also different from CVV2/CVC2, which is printed on the card but not in the stripe.)
There is indeed encryption used - but it's not on the card. When you perform a transaction, *the pin you manually enter* is encrypted (with a public key tied to the merchant or particular signature capture device transaction, depending on technology used) and sent to the processor. This is decrypted and compared to what the processor has on file for you. Nothing related to the PIN on the card itself, it's solely based on what you keyed in.
Re:could be worrying (Score:2)
Re:could be worrying (Score:4, Informative)
Re:Lovely... (Score:3, Interesting)
wouldn't it be interesting if this were to cause a groundswell of support for the recently proposed RFID credit cards? ack...
Re:Lovely... (Score:5, Informative)
wouldn't it be interesting if this were to cause a groundswell of support for the recently proposed RFID credit cards?
First, they're not RFID cards, they're contactless smart cards, which are a very different. Different frequency, different range, different capabilities, different protocols, and very different security.
Second, smart card credit cards are a good thing, and you as a credit card user should want them because they'll reduce fraud. Granted, the banks and merchants mostly bear the brunt of the fraud, not the cardholder, but since all of the money ultimately comes from our pockets that's a distinction without a difference.
Finally, your implied notion ("ack") that contactless smart cards are a bad thing for cardholders shows that you don't know anything about them. A fully-implemented EMV card:
The security in these cards is very well thought-out and banks have zero interest in intruding on your privacy, because it would piss you off. If you don't believe they're careful with your privacy, consider the fact that they already know about every purchase you make with any credit card -- how often do you get marketers calling you because they got information from your bank about a recent purchase you made on your credit card?
If you don't care to believe me about how the security is designed, please review it for yourself. Complete EMV specifications are published on the EMV web site at http://www.emvco.com [emvco.com].
I'm a security expert of sorts -- and fairly paranoid by nature -- and the main concerns I have with this technology will arise if the US banks decide not to fully implement the technology.
Your worries are misplaced (Score:3, Insightful)
A hacker getting through his poorly set up XP box and stealing his credit card number is more dangerous than a device needing the presence of a physical card. And, of course, there are this kind [slashdot.org] of occurences, which are the
Re:Lovely... (Score:2)
Re:DMCA time? (Score:4, Insightful)
The DMCA's anti-circumventions provisions only apply to (a) copyrighted materials that are (b) "protected" by an anti-copying technology. Account codes and cardholder info are pure data, which is not copyrightable, and there is no anti-copying technology applied here, so there's nothing to circumvent.
So, no, the DMCA doesn't apply.
Truth does not matter (Score:2, Insightful)
Whether or not this is an actual DMCA violation does not matter.
Re:DMCA time? (Score:4, Informative)
ISO 7810 Physical Characteristics of Credit Card Size Document
ISO 7811-1 Embossing
ISO 7811-2 Magnetic Stripe - Low Coercivity
ISO 7811-3 Location of Embossed Characters
ISO 7811-4 Location of Tracks 1 and 2
ISO 7811-5 Location of Track 3
ISO 7811-6 Magnetic Stripe - High Coercivity
ISO 7813 Financial Transaction Cards
ISO 4909 Track 3 Data Format
Re:Hurray ! (Score:5, Funny)
He did a query of the database to get her name from the credit card she swiped. As she was getting up I said "have a good day, Jen". Scared the CRAP out of her until I explained how I did it. We are now married and have three lovely children
Ok, that last part isn't true.
Re:Hurray ! (Score:5, Funny)
Where can I find a copy of your new book; How to collect restraining orders.
Re:Hurray ! (Score:2, Funny)
134 and counting, baby!
Re:Hurray ! (Score:5, Funny)
What, your children are ugly? Such honesty is refreshing.
Re:Inspired by article in Make? (Score:2)