7/31/2019 phrack37

1/15

Card-O-Rama:MagneticStripeTechnologyandBeyondor"ADayintheLifeofaFluxReversal"

Writtenby

oooOOCountZeroOOoooRestrictedDataTransmissions

November22,1992

Loo inyourwallet.Chancesareyouownatleast3cardsthathavemagneticstripesonthebac .ATMcards,creditcards,callingcards,frequentflyercards,IDcards,passcards,...cards,cards,cards!AndchancesareyouhaveNOideawhatinformationisonthosestripesorhowtheyareencoded.Thisdetaileddocumentwillenlightenyouandhopefullyspar yourinterestinthisfascinatingfield.Noneofthisinfois"illegal"...butMANYorganizations(thegovernment,creditcardcompanies,securityfirms,etc.)wouldrather eepyouinthedar .Also,manypeoplewillIMMEDIATELYassumethatyouareaCRIMINALifyoumerely"mention"thatyouare"interestedinhowmagneticstripecardswor ."Watchyourself,o ?Justrememberthatthereisnothingwrongwithwantingto nowhowthingswor ,althoughinourpresentsociety,

youmaybelabelleda"deviant"(orworse,a"hac er")!

Anyway,Iwillexplainindetailhowmagstripesareencodedandgiveseveralexamplesofthedatafoundonsomecommoncards.Iwillalsocoverthetechnicaltheorybehindmagneticencoding,anddiscussmagneticencodingalternativestomagstripes(Wiegand,bariumferrite).Non-magneticcardtechnology(barcode,infrared,etc.)willbedescribed.Finally,therewillbeanenddiscussiononsecuritysystemsandtheramificationsofemergent"smartcard"andbiometrictechnologies.

*DISCLAIMER*

UsethisinfotoEXPLORE,nottoEXPLOIT.Thistextispresentedfor

informationalpurposesonly,andIcannotbeheldresponsibleforanythingyoudooranyconsequencesthereof.Idonotcondonefraud,larceny,oranyothercriminalactivities.

*AWARNING*

Lately,I'venoticedafew"boo s"and"magazines"forsalethatwereFILLEDwithFILESonavarietyofcomputertopics.ThesefilewereoriginallyreleasedintotheNetwiththeintentionofdistributingthemforFREE.HOWEVER,thesefilesarenowbeingPACKAGEDandsoldFORPROFIT.Thisreallypissesmeoff.IamwritingthistobeSHAREDforFREE,andIas nopayment.Feelfreetoreprintthisinhardcopyformatandsellitifyoumust,butNOPROFITSmustbemade.Notafuc ingDIME!IfANYONEreprintsthisfileand

triestosellitFORAPROFIT,Iwillhuntyoudownandma eyourlifemiserable.How?Useyourimagination.Therealitywillbeworse.

**MAGSTRIPEFIELDS,HEADS,ENCODING/READING**

Now,I'llgetdowntobusiness!

First,Iamgoingtoexplainthebasicsbehindfields,heads,encodingandreading.TryandabsorbtheTHEORYbehindencoding/reading.Thiswillhelp

7/31/2019 phrack37

2/15

yougreatlyifyoueverdecidetobuildyourownencoder/readerfromscratch(moreonthatlater).FERROMAGNETICmaterialsaresubstancesthatretainmagnetismafteranexternalmagnetizingfieldisremoved.ThisprincipleisthebasisofALLmagneticrecordingandplaybac .MagneticPOLESalwaysoccurinpairswithinmagnetizedmaterial,andMAGNETICFLUXlinesemergefromtheNORTHpoleandterminateattheSOUTH.TheelementalpartsofMAGSTRIPESareferromagneticparticlesabout20millionthsofaninchlong,eachofwhichactsli eatinybarmagnet.Theseparticlesarerigidlyheldtogetherbyaresinbinder.Themagneticparticlesaremadebycompanieswhichma ecoloringpigmentsforthepaintindustry,andareusuallycalledpigments.Whenma ingthemagstripemedia,theelementalmagneticparticlesarealignedwiththeirNorth-Southaxesparalleltothemagneticstripebymeansofanexternalmagneticfieldswhilethebinderhardens.

TheseparticlesareactuallypermanentbarmagnetswithTWOSTABLEPOLARITIES.Ifamagneticparticleisplacedinastrongexternalmagneticfieldoftheoppositepolarity,itwillFLIPitsownpolarity(NorthbecomesSouth,SouthbecomesNorth).TheexternalmagneticfieldstrengthrequiredtoproducethisflipiscalledtheCOERCIVEFORCE,orCOERCIVITYoftheparticle.Magneticpigmentsareavailableinavarietyofcoercivities(moreonthatlateron).

AnunencodedmagstripeisactuallyaseriesofNorth-Southmagneticdomains(seeFigure1).TheadjacentN-Sfluxesmerge,andtheentirestripeactsasasinglebarmagnetwithNorthandSouthpolesatitsends.

Figure1:N-S.N-S.N-S.N-S.N-S.N-S.N-S.N-SN-----------------------------S

However,ifaS-Sinterfaceiscreatedsomewhereonthestripe,thefluxeswillREPEL,andwegetaconcentrationoffluxlinesaroundtheS-Sinterface(samewithN-Ninterface).ENCODINGconsistsofcreatingS-SandN-Ninterfaces,andREADINGconsistsof(youguessedit)detecting'em.TheS-SandN-NinterfacesarecalledFLUXREVERSALS.

||||||||||||

TheexternalmagneticfieldusedtoflipthepolaritiesisproducedbyaSOLENOID,whichcanREVERSEitspolaritybyreversingthedirectionofCURRENT.AnENCODINGheadsolenoidloo sli eabarmagnetbentintotheshapeofaringsothattheNorth/Southpolesareverycloseandfaceeachotheracrossatinygap.Thefieldofthesolenoidisconcentratedacrossthisgap,andwhenelementalmagneticparticlesofthemagstripeareexposedtothisfield,theypolarizetotheOPPOSITE(unli epolesattract).MovementofthestripepastthesolenoidgapduringwhichthepolarityofthesolenoidisREVERSEDwillproduceaSINGLEfluxreversal(seeFigure3).Toeraseamagstripe,the

encodingheadisheldataCONSTANTpolarityandtheENTIREstripeismovedpastit.Nofluxreversals,nodata.

||

7/31/2019 phrack37

3/15

\NS/

7/31/2019 phrack37

4/15

*1*0*0*1*1*

Thereyouhaveit.Dataisencodedin"bitcells,"thefrequencyofwhichisthefrequencyof'0'signals.'1'signalsareexactlyTWICEthefrequencyof'0'signals.Therefore,whiletheactualfrequencyofthedatapassingthereadheadwillvaryduetoswipespeed,datadensity,etc,the'1'frequencywillALWAYSbeTWICEthe'0'frequency.Figure5Cshowsexactlyhow'1'and'0'dataexistssidebyside.

We'regettingclosertoreadDATA!Now,we'reallfamiliarwithbinaryandhownumbersandletterscanberepresentedinbinaryfashionveryeasily.Thereareobviouslyan*infinite*numberofpossiblestandards,butthan fullytheAmericanNationalStandardsInstitute(ANSI)andtheInternationalStandardsOrganization(ISO)havechosen2standards.Thefirstis

**ANSI/ISOBCDDataformat**

Thisisa5-bitBinaryCodedDecimalformat.Itusesa16-characterset,whichuses4ofthe5availablebits.The5thbitisanODDparitybit,whichmeanstheremustbeanoddnumberof1'sinthe5-bitcharacter..theparitybitwill"force"thetotaltobeodd.Also,theLeastSignificantBitsarereadFIRST

onthestrip.SeeFigure6.

Thesumofthe1'sineachcaseisodd,than stotheparitybit.Ifthereadsystemaddsupthe5bitsandgetsanEVENnumber,itflagsthereadasERROR,andyougottoscanthecardagain(I* now*alotofyououtthere*already*understandparity,butIgottocoverallthebases...noteveryonesleepswiththeirmodemandcanrecitetheentireATcommandsetatwill,you now).SeeFigure6fordetailsofANSI/ISOBCD.

Figure6:ANSI/ISOBCDDataFormat---------

*Rememberthatb1(bit#1)istheLSB(leastsignificantbit)!

*TheLSBisreadFIRST!*HexadecimalconversionsoftheDataBitsaregiveninparenthesis(xH).

--DataBits--Parityb1b2b3b4b5CharacterFunction

000010(0H)Data100001(1H)"010002(2H)"110013(3H)"001004(4H)"101015(5H)"011016(6H)"

111007(7H)"000108(8H)"100119(9H)"01011:(AH)Control11010;(BH)StartSentinel00111(EH)Control11111?(FH)EndSentinel

7/31/2019 phrack37

5/15

*****16Character5-bitSet*****10NumericDataCharacters3Framing/FieldCharacters3ControlCharacters

ThemagstripebeginswithastringofZerobit-cellstopermittheself-cloc ingfeatureofbiphaseto"sync"andbegindecoding.A"StartSentinel"characterthentellsthereformattingprocesswheretostartgroupingthedecodedbitstreamintogroupsof5bitseach.Attheendofthedata,an"EndSentinel"isencountered,whichisfollowedbyan"LongitudinalRedundancyChec (LRC)character.TheLRCisaparitychec forthesumsofallb1,b2,b3,andb4databitsofallprecedingcharacters.TheLRCcharacterwillcatchtheremoteerrorthatcouldoccurifanindividualcharacterhadtwocompensatingerrorsinitsbitpattern(whichwouldfoolthe5th-bitparitychec ).

TheSTARTSENTINEL,ENDSENTINEL,andLRCarecollectivelycalled"FramingCharacters",andarediscardedattheendofthereformattingprocess.

**ANSI/ISOALPHADataFormat**

Alphanumericdatacanalsobeencodedonmagstripes.ThesecondANSI/ISOdataformatisALPHA(alphanumeric)andinvolvesa7-bitcharactersetwith64characters.Asbefore,anoddparitybitisaddedtotherequired6databitsforeachofthe64characters.SeeFigure7.

Figure7:---------ANSI/ISOALPHADataFormat

*Rememberthatb1(bit#1)istheLSB(leastsignificantbit)!*TheLSBisreadFIRST!*HexadecimalconversionsoftheDataBitsaregiveninparenthesis(xH).

------DataBits-------Parityb1b2b3b4b5b6b7CharacterFunction

0000001space(0H)Special1000000!(1H)"0100000"(2H)"1100001#(3H)"0010000$(4H)"1010001%(5H)StartSentinel0110001&(6H)Special1110000'(7H)"0001000((8H)"1001001)(9H)"

0101001*(AH)"1101000+(BH)"0011001,(CH)"1011000-(DH)"0111000.(EH)"1111001/(FH)"

00001000(10H)Data(numeric)10001011(11H)"01001012(12H)"

7/31/2019 phrack37

6/15

11001003(13H)"00101014(14H)"10101005(15H)"01101006(16H)"11101017(17H)"00011018(18H)"10011009(19H)"

0101100:(1AH)Special1101101;(1BH)"0011100(1EH)"1111100?(1FH)EndSentinel0000010@(20H)Special

1000011A(21H)Data(alpha)0100011B(22H)"1100010C(23H)"0010011D(24H)"1010010E(25H)"0110010F(26H)"1110011G(27H)"0001011H(28H)"

1001010I(29H)"0101010J(2AH)"1101011K(2BH)"0011010L(2CH)"1011011M(2DH)"0111011N(2EH)"1111010O(2FH)"0000111P(30H)"1000110Q(31H)"0100110R(32H)"1100111S(33H)"0010110T(34H)"1010111U(35H)"

0110111V(36H)"1110110W(37H)"0001110X(38H)"1001111Y(39H)"0101111Z(3AH)"

1101110[(3BH)Special0011111\(3DH)Special1011110](3EH)Special0111110^(3FH)FieldSeparator1111111_(40H)Special

*****64Character7-bitSet*****

*43AlphanumericDataCharacters*3Framing/FieldCharacters*18Control/SpecialCharacters

ThetwoANSI/ISOformats,ALPHAandBCD,allowagreatvarietyofdatatobestoredonmagstripes.Mostcardswithmagstripesusetheseformats,butoccasionallysomedonot.Moreaboutthoselateron.

7/31/2019 phrack37

7/15

**Trac sandEncodingProtocols**

Nowwe nowhowthedataisstored.ButWHEREisthedatastoredonthemagstripe?ANSI/ISOstandardsdefine*3*Trac s,eachofwhichisusedfordifferentpurposes.TheseTrac saredefinedonlybytheirlocationonthemagstripe,sincethemagstripeasawholeismagneticallyhomogeneous.SeeFigure8.

Figure8:---------_________________________________________________________________|^^^|------------------|0.223"--|---------|-------------------------|||0.353"|^|..................|.........|.........|0.493"||Trac #10.110"||||............................|.........|...|||||............................|.........|...||Trac #20.110"|||......................................|...|||||......................................|...||Trac #30.110"|

|..........................................||||------------------------------------------------------------------|||

Youcanseetheexactdistancesofeachtrac fromtheedgeofthecard,aswellastheuniformwidthandspacing.Placeamagstripecardinfrontofyouwiththemagstripevisibleatthebottomofthecard.Dataisencodedfromlefttoright(justli ereadingaboo ).SeeFigure9.

Figure9:---------ANSI/ISOTrac 1,2,3Standards

Trac NameDensityFormatCharactersFunction--------------------------------------------------------------------1IATA210bpiALPHA79ReadName&Account2ABA75bpiBCD40ReadAccount3THRIFT210bpiBCD107ReadAccount&*Encode*Transaction

***Trac 1Layout:***

|SS|FC|PAN|Name|FS|AdditionalData|ES|LRC|

SS=StartSentinel"%"FC=FormatCodePAN=PrimaryAcct.#(19digitsmax)FS=FieldSeparator"^"Name=26alphanumericcharactersmax.AdditionalData=ExpirationDate,offset,encryptedPIN,etc.ES=EndSentinel"?"

7/31/2019 phrack37

8/15

LRC=LongitudinalRedundancyChec

***Trac 2Layout:***

|SS|PAN|FS|AdditionalData|ES|LRC|

SS=StartSentinel";"PAN=PrimaryAcct.#(19digitsmax)FS=FieldSeparator"="AdditionalData=ExpirationDate,offset,encryptedPIN,etc.ES=EndSentinel"?"LRC=LongitudinalRedundancyChec

***Trac 3Layout:**Similartotrac s1and2.Almostneverused.Manydifferentdatastandardsused.

Trac 2,"AmericanBan ingAssociation,"(ABA)ismostcommonlyused.Thisisthetrac thatisreadbyATMsandcreditcardchec ers.TheABAdesignedthespecificationsofthistrac andallworldban smustabidebyit.Itcontainsthecardholder'saccount,encryptedPIN,plusotherdiscretionarydata.

Trac 1,namedafterthe"InternationalAirTransportAssociation,"containsthecardholder'snameaswellasaccountandotherdiscretionarydata.Thistrac issometimesusedbytheairlineswhensecuringreservationswithacreditcard;yournamejust"popsup"ontheirmachinewhentheyswipeyourcard!

SinceTrac 1canstoreMUCHmoreinformation,creditcardcompaniesaretryingtourgeretailerstobuycardreadersthatreadTrac 1.The*problem*isthatmostcardreadersreadeitherTrac 1orTrac 2,butNOTBOTH!AndtheinstalledbaseofreaderscurrentlyisbiasedtowardsTrac 2.VISAUSAisatthefrontofthis'exodus'toTrac 1,tothepointwheretheyareofferingTrac 1readersatreducedpricesthruparticipatingban s.Aspo espersonfor

VISAcommented:

"Wethin thatTrac 1representsmoreflexibilityandthepotentialtodelivermoreinformation,andweintendtobuildnewservicesaroundtheincreasedinformation."

Whatnewservices?Wecanonlywaitandsee.

Trac 3isunique.ItwasintendedtohavedatareadandWRITTENonit.CardholderswouldhaveaccountinformationUPDATEDrightonthemagstripe.Unfortunately,Trac 3isprettymuchanorphanedstandard.Its*original*designwastocontroloff-lineATMtransactions,butsinceATMsarenowon-lineALLTHETIME,it'sprettymuchuseless.Plusthefactthatretailersandban s

wouldhavetoinstallNEWcardreaderstoreadthattrac ,andthatcosts$$.

Encodingprotocolspecifiesthateachtrac mustbeginandendwithalengthofallZerobits,calledCLOCKINGBITS.Theseareusedtosynchtheself-cloc ingfeatureofbiphasedecoding.SeeFigure10.

Figure10:endsentinelstartsentinel|longitudinalredundancychec|||000000000000000SS.................ESLRC0000000000000000

7/31/2019 phrack37

9/15

leadingdata,data,datatrailingcloc ingbitscloc ingbits(lengthvaries)(lengthvaries)

THAT'SIT!!!ThereyouhavetheANSI/ISOSTANDARDS!Completelyexplained.Now,thebadnews.NOTEVERYCARDUSESIT!CreditcardsandATMcardswillfollowthesestandards.BUT,therearemanyothertypesofcardsoutthere.Securitypasses,copymachinecards,IDbadges,andEACHofthemmayuseaPROPRIETARYdensity/format/trac -locationsystem.ANSI/ISOisREQUIREDforfinancialtransactioncardsusedintheinternationalinterban networ .Allothercardscanplaytheirowngame.

Thegoodnews.MOSTothercardsfollowthestandards,becauseit'sEASYtofollowastandardinsteadofWORKINGtoma eyourOWN!MostmagstripecardsotherthancreditcardsandATMcardswillusethesameTrac specifications,anduseeitherBCDorALPHAformats.

**ABitAboutMagstripeEquipment**

"Wow,nowI nowhowtointerpretallthatdataonmagstripes!But.waitasec,what indofequipmentdoIneedtoreadthestripes?WherecanIbuyareader?Idon'tseeanyinRadioShac !!"

Sorry,butmagstripeequipmentishardtocomeby.Forobviousreasons,cardreadersarenotmadecommonlyavailabletoconsumers.Howtobuildoneisthetopicforanotherfile(thisfileisalreadytoolong).

YourbestbetsaretotryandscopeoutElectronicsSurplusStoresandfleamar ets.Donotevenbothertryingtobuyonedirectlyfromamanufacturer,sincetheywillimmediatelyassumeyouhave"criminalmotives."AndasforgettingyourhandsonamagstripeENCODER...well,goodluc !Thoserarebeautiesareworththeirweightingold.Keepyoureyesopenandloo around,andMAYBEyou'llgetluc y!AbitofsocialengineeringcangoaLONGway.

Therearedifferent indsofmagstripereaders/encoders.Themostcommononesare"swipe"machines:thetypeyouhavetophysicallyslidethecardthru.

Othersare"insertion"machines:li eATMmachinesthey'eat'yourcard,thenregurgitateitafterthetransaction.Costsareinthethousandsofdollars,butli eIsaid,fleamar etsandsurplusstoreswilloftenhaveGREATdealsonthesethings.Anotherproblemisdocumentationforthesemachines.Ifyoucallthemanufacturerandsimplyas for'em,theywillprobablydenyyoutheliterature."Heyson,whatareyoudoingwithourmodelXYZswipereader?Thatbelongsinthehandsofa"qualified"merchantorretailer,notsomepunidtryingto"findouthowthingswor !"Again,somesocialengineeringmay

berequired.Tell'emyou'resettingupanewbusiness.Tell'emyou'rewor ingonascienceproject.Tell'emanythingthatwor s!

2600Magazinerecentlyhadagoodarticleonhowtobuildamachinethatcopiesmagstripecards.Notmuchinfoontheactualdataformatsandencoding

schemes,butthedevicedescribedisastart.Withsomemodifications,Ibetyoucouldroutetheoutputtoadumbterminal(orthruanullmodemcable)inordertoREADthedata.Worthchec ingouttheschematics.

Asforma ingyourowncards,justpastealengthofVCR,reel-to-reel,oraudiocassettetapetoacut-outposterboardorplasticcard.Wor sjustasgoodastherealthing,andusefultoexperimentwithifyouhavenoexpiredor'dead'ATMorcallingcardslyingaround(SAVEthem,don'tTOSSthem!).

7/31/2019 phrack37

10/15

**ExamplesofDataonMagstripes**

TherealfuninexperimentingwithmagstripetechnologyisREADINGcardstofindoutWHATTHEHELLisONthem!Haven'tyouwondered?Thefollowingcardsaretheresultofmyown'research'.Datasuchasspecificaccountnumbersandnameshasbeenchangedtoprotecttheinnocent.Nonethecardsusedtoma ethislistwerestolenoracquiredillegally.

NoticethatIma ecarefulnoteof"commondata."ThisisdatathatInoticedwasthesameforallcardsofaparticulartype.Thisishighlightedbelowthedatawithasteris s(*).WhereIfoundvaryingdata,Iindicateitwith"x"'s.Inthosecases,NUMBERofCHARACTERSwasconsistent(thenumberof"x"'sequalsthenumberofcharacters...onetoonerelationship).

Istilldon't nowwhatsomeofthedatafieldsarefor,buthopefullyIwillbefollowingthisfilewithasequelafterIcollectmoredata.ItISN'Teasytofindlotsofcardstoexamine.As yourfriends,family,andco-wor erstohelp!"Hey,canI,ahh,li eBORROWyourMCIcallingcardtonight?I'mwor ingonan,ahh,EXPERIMENT.Please?"Just...behonest!Also,dosometrashing.PeoplewilloftenBENDexpiredcardsinhalf,thenthrowthemout.Simplybendthembac intotheirnormalshape,andthey'llusuallywor (I'vedoneit!).Theymaybeexpired,butthey'renotERASED!--------------------------------------------------------------------------------=Mastercard=-Numberonfrontofcard->1111222233334444

Expirationdate->12/99

Trac 2(BCD,75bpi)->;1111222233334444=99121010000000000000?***Trac 1(ALPHA,210bpi)->%B1111222233334444^PUBLIC/JOHN?*Notethatthe"101"wascommontoallMCcardschec ed,aswellasthe"B".--------------------------------------------------------------------------------=VISA=-Numberonfrontofcard->1111222233334444Expirationdate->12/99

Trac 2(BCD,75bpi)->;1111222233334444=9912101xxxxxxxxxxxxx?

***Trac 1(ALPHA,210bpi)->%B1111222233334444^PUBLIC/JOHN^9912101xxxxxxxxxxxxx?*

Notethatthe"101"wascommontoallVISAcardschec ed,aswellasthe"B".Also,the"xxx"indicatesnumericdatathatvariedfromcardtocard,withnoapparentpattern.Ibelievethisistheencryptedpinforusewhencardholdersget'cashadvances'fromATMs.Ineverycase,tho,Ifound*13*digitsofthestuff.--------------------------------------------------------------------------------=Discover=-Numberonfrontofcard->1111222233334444Expirationdate->12/99

Trac 2(BCD,75bpi)->;1111222233334444=991210100000?********

Trac 1(ALPHA,210bpi)->%B1111222233334444^PUBLIC/JOHN___^991210100000?********Note,the"10100000"and"B"werecommontomostDISCOVERcardschec ed.Ifoundafewthathad"10110000"instead.Don't nowthesignificance.NotetheunderscoresafterthenameJOHN.Ifoundconsistentlythatthenamedatafieldhad*26*characters.Whateverwasleftofthefieldafterthenamewas"padded"withSPACES.So...forallofyouwithnameslongerthan25(exclude

7/31/2019 phrack37

11/15

the"/")characters,PREPAREtobeTRUNCATED!;)--------------------------------------------------------------------------------=USSprintFON=-Numberonfrontofcard->11122233334444

Trac 2(BCD,75bpi)->;xxxxxx11122233339==xxx4444xxxxxxxxxx=?*

Trac 1(ALPHA,210bpi)->%B^/^^xxxxxxxxxxxxxxxxx?*

Strange.NoneofthecardsIchec hadnamesintheTrac 1fields.Trac 1loo sunused,yetitwasalwaysformattedwithfieldseparators.The"xxx"stuffvariedfromcardtocard,andIdidn'tseeapattern.I nowitisn'taPIN,soitmustbeaccountdata.--------------------------------------------------------------------------------=FleetBan =-Numberonfrontofcard->1111112223333333Expirationdate->12/99

Trac 2(BCD,75bpi)->;1111112223333333=9912120100000000xxxx?****

Trac 1(ALPHA,210bpi)->%B1111112223333333^PUBLIC/JOHN___^9912120100000000000000xxxx000000?*****

Notethatthe"xxx"datavaried.ThisistheencryptedPINoffset.Always4digits(hmmm...).The"1201"wasalwaysthesame.Infact,ItriedmanyATMcardsfromDIFFERENTBANKS...andtheyallhad"1201".-------------------------------------------------------------------------------(Can'tleave*this*oneout;)-=RadioShac =-Numberonfrontofcard->1111222333333NOEXPIRATIONdataoncard

Trac 2(BCD,75dpi)->;1111222333333=9912101?*******

Notethatthe"9912101"wastheSAMEforEVERYRadioShac cardIsaw.Loo s

li ewhentheydon'thave'real'datatoputintheexpirationdatefield,theyhavetostic SOMETHINGinthere.-------------------------------------------------------------------------------

Well,that'sallI'mgoingtoputoutrightnow.Asyoucansee,themajortypesofcards(ATMs,CC)allfollowthesamerulesmoreorless.Ichec edoutanumberofsecuritypasscardsandtimecloc entrycards..andtheyALLhadrandomstuffwrittentoTrac 2.Trac 2isbyFARtheMOSTutilizedtrac onthecard.AndtheformatisprettymuchalwaysANSI/ISOBCD.I*did*runintosomehotelroomaccesscardsthat,whenscanned,wereGARBLED.Theymostli elyusedacharactersetotherthanASCII(iftheywereaudiotones,myreaderwouldhaveputoutNOTHING...asopposedtoGARBLEDdata).Asyoucansee,onecouldwriteaBOOKlistingdifferenttypesofcarddata.Iintended

onlytogiveyousomeexamples.Myresearchhasbeenlimited,butItriedtoma elogicalconclusionsbasedonthedataIreceived.

**CardsofAllFlavors**

PeoplewantedtostoreALOTofdataonplasticcards.Andtheywantedthatdatatobe'invisible'tocardholders.Herearethedifferentcardtechnologiesthatwereinventedandareavailabletoday.

7/31/2019 phrack37

12/15

HOLLERITH-Withthissystem,holesarepunchedinaplasticorpapercardandreadoptically.Oneoftheearliesttechnologies,itisnowseenasanencodedroom eyinhotels.Thetechnologyisnotsecure,butcardsarecheaptoma e.

BARCODE-Theuseofbarcodesislimited.Theyarecheap,butthereisvirtuallynosecurityandthebarcodestripcanbeeasilydamaged.INFRARED-Notinwidespreaduse,cardsarefactoryencodedbycreatinga"shadowpattern"withinthecard.Thecardispassedthruaswipeorinsertionreaderthatusesaninfraredscanner.Infraredcardpricingismoderatetoexpensive,andencodingisprettysecure.Infraredscannersareopticalandthereforevulnerabletocontamination.

PROXIMITY-Hands-freeoperationistheprimarysellingpointofthiscard.Althoughseveraldifferentcircuitdesignsareused,allproximitycardspermitthetransmissionofacodesimplybybringingthecardnearthereader(6-12").Thesecardsarequitethic ,upto0.15"(theABAstandardis0.030"!).

WIEGAND-Namedafteritsinventor,thistechnologyusesaseriesofsmalldiameterwiresthat,whensubjectedtoachangingmagneticfield,induceadiscretevoltageoutputinasensingcoil.Tworowsof

wiresareembeddedinacodedstrip.Whenthewiresmovepastthereadhead,aseriesofpulsesisreadandinterpretedasbinarycode.ThistechnologyproducescardsthatareVERYhardtocopyoralter,andcardsaremoderatelyexpensivetoma e.Readersbasedonthistechareepoxyfilled,ma ingthemimmunetoweatherconditions,andneithercardnorreadersareaffectedbyexternalmagneticfields(don'tworryaboutleavingthesecardsontopofthetelevisionset...youcan'thurtthem!).Here'sanexampleofthelayoutofthewiresinaWiegandstrip:

|||||||||||||||||||||||||||||||||||||||||||

ThewiresareNOTvisiblefromtheoutsideofthecard,butifyourcardiswhite,placeitinfrontofaVERYbrightlightsourceandpeerinside.Noticethatthespacingsbetweenthewiresisuniform.

BARIUMFERRITE-Theoldestmagneticencodingtechnology(beenaroundfor40yrs!)itusessmallbitsofmagnetizedbariumferritethatareplacedinsideaplasticcard.Thepolarityandlocationofthe"spots"determinesthecoding.Thesecardshaveashortlifecycle,andareusedEXTENSIVELYinpar inglots(highturnoverrate,minimalsecurity).BariumFerritecardsareONLYusedwithINSERTIONreaders.

Thereyouhavethemostcommonlyusedcards.MagstripesarecommonbecausetheyareCHEAPandrelativelysecure.

**MagstripeCoercivity**

Magstripesthemselvescomeindifferentflavors.TheCOERCIVITYofthemagneticmediamustbespecified.Thecoercivityisthemagneticfieldstrengthrequiredtodemagnetizeanencodedstripe,andthereforedeterminestheencodeheadfieldstrengthrequiredtoencodethestripe.Arangeofmedia

7/31/2019 phrack37

13/15

coercivitiesareavailablerangingfrom300Oerstedsto4,000Oe.ThatboilsdowntoHIGH-ENERGYmagstripes(4,000Oe)andLOW-ENERGYmagstripes(300Oe).

REMEMBER:sinceallmagstripeshavethesamemagneticremanenceregardlessoftheircoercivity,readersCANNOTtellthedifferencebetweenHIGHandLOWenergystripes.Botharereadthesamebythesamemachines.

LOW-ENERGYmediaismostcommon.Itisusedonallfinancialcards,butitsdisadvantageisthatitissubjecttoaccidentaldemagnetizationfromcontactwithcommonmagnets(refrigerator,TVmagneticfields,etc.).Butthesecardsare eptsafeinwalletsandpursesmostofthetime.

HIGH-ENERGYmediaisusedforIDBadgesandaccesscontrolcards,whicharecommonlyusedin'hostile'environments(wornonuniform,usedinstoc rooms).Normalmagnetswillnotaffectthesecards,andlow-energyencoderscannotwritetothem.

**NotAllthatFluxesisDigital**

Notallmagstripecardsoperateonadigitalencodingmethod.SOMEcardsencodeAUDIOTONES,asopposedtodigitaldata.Thesecardsareusuallyusedwithold,outdated,industrial-strengthequipmentwheresecurityisnotanissueandnotagreatdealofdataneedbeencodedonthecard.Somesubway

passesareli ethis.Theyrequireonlyexpirationdataonthemagstripe,andashortseriesofvaryingfrequenciesanddurationsareenough.Frequencieswillvarywiththespeedofswiping,butRELATIVEfrequencieswillremainthesame(forinstance,tone1istwicethefreq.oftone2,and.5thefreqoftone3,regardlessoftheoriginalfrequencies!).Grabanoscilloscopetovisualizethetones,andlistentothemonyourstereo.Ihaven'texperimentedwiththesetypesofcardsatall.

**SecurityandSmartcards**

Manysecuritysystemsutilizemagstripecards,intheformofpasscardsandIDcards.It'sinteresting,butIfoundinaNUMBERofcasesthattherewasa

seriousFLAWinthesecurityofthesystem.Inthesecases,therewasacodenumberPRINTEDonthecard.Whenscanned,Ifoundthisnumberencodedonthemagstripe.Problemwas,theCODENUMBERwasALLIfoundonthemagstripe!Meaning,byjustloo ingatthefaceofthecard,Iimmediately newexactlywhatwasencodedonit.Ooops!Ma esitprettydamneasytojustglanceatJoe'scardduringlunch,thengohomeandpopoutmyOWNcopyofJoe'saccesscard!Fortunately,Ifoundthisflawonlyin'smaller'companies(sometimesevenuniversities).Biggercompaniesseemto nowbetter,andDON'TprintALLofthemagstripedatarightoncardinbig,easilylegiblenumbers.Atleastthebigcompanies*I*chec ed.;)

OthersecurityblundersincludepasscardmagstripesencodedONLYwiththeowner'ssocialsecuritynumber(yeah,realdifficulttofindoutaperson's

SS#...GREATidea),andhavingpasscardswithonly3or4digitcodes.

Smartcardtechnologyinvolvestheuseofchipsembeddedinplasticcards,withpinoutsthattemporarilycontactthecardreaderequipment.Obviously,aGREATdealofdatacouldbestoredinthisway,andunauthorizedduplicationwouldbeverydifficulty.Interestinglyenough,notmucheffortisbeingputintosmartcardsbythemajorcreditcardcompanies.Theyfeelthatthetechistooexpensive,andthatstillmoredatacanbesqueezedontomagstripecardsinthefuture(especiallyTrac 1).Ifindthissomewhatanalogoustotheuseofmetallicoxidedis media.Sure,it'snotthegreatest(comparedtoerasable-

7/31/2019 phrack37

14/15

writableopticaldis s),butit'sCHEAP..andwejust eepimprovingit.Magstripeswillbearoundforalongtimetocome.Themediawillberefined,anddatadensityincreased.Butforconventionalapplications,thevaststoragecapabilitiesofsmartcardsarejustnotneeded.

**Biometrics:Throwyercardsaway!**

I'dli etoendwithamentionofbiometrics:thetechnologybasedonreadingthephysicalattributesofanindividualthruretinascanning,signatureverification,voiceverification,andothermeans.Thiswasoncelimitedtogovernmentuseandtosupersensitiveinstallations.However,biometricswillsoonacquirealargermar etshareinaccesscontrolsalesbecausemuchofitsdevelopmentstagehaspassedandcostswillbewithinreachofmorebuyers.Eventually,wecanexpectbiometricstoreplaceprettymuchALLcards..becauseallthoseplasticcardsinyourwalletarethereJUSTtohelpCOMPANIES*identify*YOU.Andwithbiometrics,they'll nowyouwithouthavingtoreadcards.

I'mnotparanoid,nordoIsubscribetoanygrand"corporateconspiracy,"butIfinditabitunsettlingthatourphysicalattributeswillmostli elysomedaybesittinginthecool,vastelectronicdatabasesoftheCORPORATEworld.Accessiblebyanyonewillingtopay.ImagineCBIandTRWdatabaseswithyourretinaimage,fingerprint,andvoicepatternonlineforinstant,convenient

retrieval.Today,apersoncanCHOOSENOTtoownacreditcardorabancard...wecancutupourplasticIDcards!Withoutacard,acardreaderisuselessandcannotidentifyyou.

Payingincashma esyouinvisible!However,withbiometrics,allamachinehastodoiswatch...listen...andrecord.Withgovernment/corporateAmericapushingallthebuttons."Areyoupayingincash?..Than you...Pleaseloointothecamera.Oh,IseeyournameisMr.Smith...uh,oh...mycomputertellsmeyouhaven'tpaidyourgasbill...afraidI'mgoingtohaveto eepthismoneyandcredityourgasaccountwithit....doyouhaveanymorecash?...orwouldyouratherIgarnishyourpaychec ?"hehheh

**ClosingNotes(FINALLY!!!!)**

Whew...thiswasoneMOTHERofafile.Ihopeitwasinteresting,andIhopeyoudistributeittoallyoufriends.Thisfilewasaproductionof"RestrictedDataTransmissions"...agroupoftechiesbasedintheBostonareathatfeelthat"InformationisPower"...andweintendtoreleaseanumberofhighlytechnicalyetentertainingfilesinthecomingyear....LOOKFORTHEM!!TomorrowI'monmywaytoXmascon'91...wemadesomeslic buttonscommemoratingtheevent...ifyoueverseeoneofthem(greenwreath.XMASCON1991printedonit).hangontoit!...it'sacollector'sitem..(hahahah)Boy,I'msleepy...

Remember...."Truthischeap,butinformationcosts!"

But-=RDTisgonnachangeallthat...;)settheinfoFREE!

Peace.

..oooOOCountZeroOOooo..

UsualgreetstoMagicMan,BrianOblivion,Omega,WhiteKnight,andanyoneelseIeverbummedacigaretteoff.

7/31/2019 phrack37

15/15

(1/18/92addition:GreetstoeveryoneImetatXmascon..includingbutnotexcludingCrimsonDeath,Dispater,Sterling,Mac Hammer,Eri Bloodaxe,HolisticHac er,PainHertz,SwampRatte,G.A.Ellsworth,Phaedrus,Moebius,LordMacDuff,JudgeDredd,andofcoursehatsoffto*Drun fux*fororganizingandta ingresponsibilityforthewholedamnthing.HopetoseeallofyouatSummerCon'92!Loo forCyber-striperGIFsataBBSnearyou..hehheh)

Comments,criticisms,anddiscussionsaboutthisfilearewelcome.Icanbereachedat:count0@world.std.comcount0@spica.bu.educount0@atdt.org

MagicManandIarethesysopsoftheBBS"ATDT"...locatedsomewhereinMassachusetts.Greatmessagebases,technicaldiscussions...datamadeflesh...electronicunderground.....ourownInternetaddress(atdt.org)...fieldtripstothetunnelsunderMITinCambridge.....giveitacall..mailmeformoreinfo..;)