phrack37
TRANSCRIPT
-
7/31/2019 phrack37
1/15
Card-O-Rama:MagneticStripeTechnologyandBeyondor"ADayintheLifeofaFluxReversal"
Writtenby
oooOOCountZeroOOoooRestrictedDataTransmissions
November22,1992
Loo inyourwallet.Chancesareyouownatleast3cardsthathavemagneticstripesonthebac .ATMcards,creditcards,callingcards,frequentflyercards,IDcards,passcards,...cards,cards,cards!AndchancesareyouhaveNOideawhatinformationisonthosestripesorhowtheyareencoded.Thisdetaileddocumentwillenlightenyouandhopefullyspar yourinterestinthisfascinatingfield.Noneofthisinfois"illegal"...butMANYorganizations(thegovernment,creditcardcompanies,securityfirms,etc.)wouldrather eepyouinthedar .Also,manypeoplewillIMMEDIATELYassumethatyouareaCRIMINALifyoumerely"mention"thatyouare"interestedinhowmagneticstripecardswor ."Watchyourself,o ?Justrememberthatthereisnothingwrongwithwantingto nowhowthingswor ,althoughinourpresentsociety,
youmaybelabelleda"deviant"(orworse,a"hac er")!
Anyway,Iwillexplainindetailhowmagstripesareencodedandgiveseveralexamplesofthedatafoundonsomecommoncards.Iwillalsocoverthetechnicaltheorybehindmagneticencoding,anddiscussmagneticencodingalternativestomagstripes(Wiegand,bariumferrite).Non-magneticcardtechnology(barcode,infrared,etc.)willbedescribed.Finally,therewillbeanenddiscussiononsecuritysystemsandtheramificationsofemergent"smartcard"andbiometrictechnologies.
*DISCLAIMER*
UsethisinfotoEXPLORE,nottoEXPLOIT.Thistextispresentedfor
informationalpurposesonly,andIcannotbeheldresponsibleforanythingyoudooranyconsequencesthereof.Idonotcondonefraud,larceny,oranyothercriminalactivities.
*AWARNING*
Lately,I'venoticedafew"boo s"and"magazines"forsalethatwereFILLEDwithFILESonavarietyofcomputertopics.ThesefilewereoriginallyreleasedintotheNetwiththeintentionofdistributingthemforFREE.HOWEVER,thesefilesarenowbeingPACKAGEDandsoldFORPROFIT.Thisreallypissesmeoff.IamwritingthistobeSHAREDforFREE,andIas nopayment.Feelfreetoreprintthisinhardcopyformatandsellitifyoumust,butNOPROFITSmustbemade.Notafuc ingDIME!IfANYONEreprintsthisfileand
triestosellitFORAPROFIT,Iwillhuntyoudownandma eyourlifemiserable.How?Useyourimagination.Therealitywillbeworse.
**MAGSTRIPEFIELDS,HEADS,ENCODING/READING**
Now,I'llgetdowntobusiness!
First,Iamgoingtoexplainthebasicsbehindfields,heads,encodingandreading.TryandabsorbtheTHEORYbehindencoding/reading.Thiswillhelp
-
7/31/2019 phrack37
2/15
yougreatlyifyoueverdecidetobuildyourownencoder/readerfromscratch(moreonthatlater).FERROMAGNETICmaterialsaresubstancesthatretainmagnetismafteranexternalmagnetizingfieldisremoved.ThisprincipleisthebasisofALLmagneticrecordingandplaybac .MagneticPOLESalwaysoccurinpairswithinmagnetizedmaterial,andMAGNETICFLUXlinesemergefromtheNORTHpoleandterminateattheSOUTH.TheelementalpartsofMAGSTRIPESareferromagneticparticlesabout20millionthsofaninchlong,eachofwhichactsli eatinybarmagnet.Theseparticlesarerigidlyheldtogetherbyaresinbinder.Themagneticparticlesaremadebycompanieswhichma ecoloringpigmentsforthepaintindustry,andareusuallycalledpigments.Whenma ingthemagstripemedia,theelementalmagneticparticlesarealignedwiththeirNorth-Southaxesparalleltothemagneticstripebymeansofanexternalmagneticfieldswhilethebinderhardens.
TheseparticlesareactuallypermanentbarmagnetswithTWOSTABLEPOLARITIES.Ifamagneticparticleisplacedinastrongexternalmagneticfieldoftheoppositepolarity,itwillFLIPitsownpolarity(NorthbecomesSouth,SouthbecomesNorth).TheexternalmagneticfieldstrengthrequiredtoproducethisflipiscalledtheCOERCIVEFORCE,orCOERCIVITYoftheparticle.Magneticpigmentsareavailableinavarietyofcoercivities(moreonthatlateron).
AnunencodedmagstripeisactuallyaseriesofNorth-Southmagneticdomains(seeFigure1).TheadjacentN-Sfluxesmerge,andtheentirestripeactsasasinglebarmagnetwithNorthandSouthpolesatitsends.
Figure1:N-S.N-S.N-S.N-S.N-S.N-S.N-S.N-SN-----------------------------S
However,ifaS-Sinterfaceiscreatedsomewhereonthestripe,thefluxeswillREPEL,andwegetaconcentrationoffluxlinesaroundtheS-Sinterface(samewithN-Ninterface).ENCODINGconsistsofcreatingS-SandN-Ninterfaces,andREADINGconsistsof(youguessedit)detecting'em.TheS-SandN-NinterfacesarecalledFLUXREVERSALS.
||||||||||||
TheexternalmagneticfieldusedtoflipthepolaritiesisproducedbyaSOLENOID,whichcanREVERSEitspolaritybyreversingthedirectionofCURRENT.AnENCODINGheadsolenoidloo sli eabarmagnetbentintotheshapeofaringsothattheNorth/Southpolesareverycloseandfaceeachotheracrossatinygap.Thefieldofthesolenoidisconcentratedacrossthisgap,andwhenelementalmagneticparticlesofthemagstripeareexposedtothisfield,theypolarizetotheOPPOSITE(unli epolesattract).MovementofthestripepastthesolenoidgapduringwhichthepolarityofthesolenoidisREVERSEDwillproduceaSINGLEfluxreversal(seeFigure3).Toeraseamagstripe,the
encodingheadisheldataCONSTANTpolarityandtheENTIREstripeismovedpastit.Nofluxreversals,nodata.
||
-
7/31/2019 phrack37
3/15
\NS/
-
7/31/2019 phrack37
4/15
*1*0*0*1*1*
Thereyouhaveit.Dataisencodedin"bitcells,"thefrequencyofwhichisthefrequencyof'0'signals.'1'signalsareexactlyTWICEthefrequencyof'0'signals.Therefore,whiletheactualfrequencyofthedatapassingthereadheadwillvaryduetoswipespeed,datadensity,etc,the'1'frequencywillALWAYSbeTWICEthe'0'frequency.Figure5Cshowsexactlyhow'1'and'0'dataexistssidebyside.
We'regettingclosertoreadDATA!Now,we'reallfamiliarwithbinaryandhownumbersandletterscanberepresentedinbinaryfashionveryeasily.Thereareobviouslyan*infinite*numberofpossiblestandards,butthan fullytheAmericanNationalStandardsInstitute(ANSI)andtheInternationalStandardsOrganization(ISO)havechosen2standards.Thefirstis
**ANSI/ISOBCDDataformat**
Thisisa5-bitBinaryCodedDecimalformat.Itusesa16-characterset,whichuses4ofthe5availablebits.The5thbitisanODDparitybit,whichmeanstheremustbeanoddnumberof1'sinthe5-bitcharacter..theparitybitwill"force"thetotaltobeodd.Also,theLeastSignificantBitsarereadFIRST
onthestrip.SeeFigure6.
Thesumofthe1'sineachcaseisodd,than stotheparitybit.Ifthereadsystemaddsupthe5bitsandgetsanEVENnumber,itflagsthereadasERROR,andyougottoscanthecardagain(I* now*alotofyououtthere*already*understandparity,butIgottocoverallthebases...noteveryonesleepswiththeirmodemandcanrecitetheentireATcommandsetatwill,you now).SeeFigure6fordetailsofANSI/ISOBCD.
Figure6:ANSI/ISOBCDDataFormat---------
*Rememberthatb1(bit#1)istheLSB(leastsignificantbit)!
*TheLSBisreadFIRST!*HexadecimalconversionsoftheDataBitsaregiveninparenthesis(xH).
--DataBits--Parityb1b2b3b4b5CharacterFunction
000010(0H)Data100001(1H)"010002(2H)"110013(3H)"001004(4H)"101015(5H)"011016(6H)"
111007(7H)"000108(8H)"100119(9H)"01011:(AH)Control11010;(BH)StartSentinel00111(EH)Control11111?(FH)EndSentinel
-
7/31/2019 phrack37
5/15
*****16Character5-bitSet*****10NumericDataCharacters3Framing/FieldCharacters3ControlCharacters
ThemagstripebeginswithastringofZerobit-cellstopermittheself-cloc ingfeatureofbiphaseto"sync"andbegindecoding.A"StartSentinel"characterthentellsthereformattingprocesswheretostartgroupingthedecodedbitstreamintogroupsof5bitseach.Attheendofthedata,an"EndSentinel"isencountered,whichisfollowedbyan"LongitudinalRedundancyChec (LRC)character.TheLRCisaparitychec forthesumsofallb1,b2,b3,andb4databitsofallprecedingcharacters.TheLRCcharacterwillcatchtheremoteerrorthatcouldoccurifanindividualcharacterhadtwocompensatingerrorsinitsbitpattern(whichwouldfoolthe5th-bitparitychec ).
TheSTARTSENTINEL,ENDSENTINEL,andLRCarecollectivelycalled"FramingCharacters",andarediscardedattheendofthereformattingprocess.
**ANSI/ISOALPHADataFormat**
Alphanumericdatacanalsobeencodedonmagstripes.ThesecondANSI/ISOdataformatisALPHA(alphanumeric)andinvolvesa7-bitcharactersetwith64characters.Asbefore,anoddparitybitisaddedtotherequired6databitsforeachofthe64characters.SeeFigure7.
Figure7:---------ANSI/ISOALPHADataFormat
*Rememberthatb1(bit#1)istheLSB(leastsignificantbit)!*TheLSBisreadFIRST!*HexadecimalconversionsoftheDataBitsaregiveninparenthesis(xH).
------DataBits-------Parityb1b2b3b4b5b6b7CharacterFunction
0000001space(0H)Special1000000!(1H)"0100000"(2H)"1100001#(3H)"0010000$(4H)"1010001%(5H)StartSentinel0110001&(6H)Special1110000'(7H)"0001000((8H)"1001001)(9H)"
0101001*(AH)"1101000+(BH)"0011001,(CH)"1011000-(DH)"0111000.(EH)"1111001/(FH)"
00001000(10H)Data(numeric)10001011(11H)"01001012(12H)"
-
7/31/2019 phrack37
6/15
11001003(13H)"00101014(14H)"10101005(15H)"01101006(16H)"11101017(17H)"00011018(18H)"10011009(19H)"
0101100:(1AH)Special1101101;(1BH)"0011100(1EH)"1111100?(1FH)EndSentinel0000010@(20H)Special
1000011A(21H)Data(alpha)0100011B(22H)"1100010C(23H)"0010011D(24H)"1010010E(25H)"0110010F(26H)"1110011G(27H)"0001011H(28H)"
1001010I(29H)"0101010J(2AH)"1101011K(2BH)"0011010L(2CH)"1011011M(2DH)"0111011N(2EH)"1111010O(2FH)"0000111P(30H)"1000110Q(31H)"0100110R(32H)"1100111S(33H)"0010110T(34H)"1010111U(35H)"
0110111V(36H)"1110110W(37H)"0001110X(38H)"1001111Y(39H)"0101111Z(3AH)"
1101110[(3BH)Special0011111\(3DH)Special1011110](3EH)Special0111110^(3FH)FieldSeparator1111111_(40H)Special
*****64Character7-bitSet*****
*43AlphanumericDataCharacters*3Framing/FieldCharacters*18Control/SpecialCharacters
ThetwoANSI/ISOformats,ALPHAandBCD,allowagreatvarietyofdatatobestoredonmagstripes.Mostcardswithmagstripesusetheseformats,butoccasionallysomedonot.Moreaboutthoselateron.
-
7/31/2019 phrack37
7/15
**Trac sandEncodingProtocols**
Nowwe nowhowthedataisstored.ButWHEREisthedatastoredonthemagstripe?ANSI/ISOstandardsdefine*3*Trac s,eachofwhichisusedfordifferentpurposes.TheseTrac saredefinedonlybytheirlocationonthemagstripe,sincethemagstripeasawholeismagneticallyhomogeneous.SeeFigure8.
Figure8:---------_________________________________________________________________|^^^|------------------|0.223"--|---------|-------------------------|||0.353"|^|..................|.........|.........|0.493"||Trac #10.110"||||............................|.........|...|||||............................|.........|...||Trac #20.110"|||......................................|...|||||......................................|...||Trac #30.110"|
|..........................................||||------------------------------------------------------------------|||
Youcanseetheexactdistancesofeachtrac fromtheedgeofthecard,aswellastheuniformwidthandspacing.Placeamagstripecardinfrontofyouwiththemagstripevisibleatthebottomofthecard.Dataisencodedfromlefttoright(justli ereadingaboo ).SeeFigure9.
Figure9:---------ANSI/ISOTrac 1,2,3Standards
Trac NameDensityFormatCharactersFunction--------------------------------------------------------------------1IATA210bpiALPHA79ReadName&Account2ABA75bpiBCD40ReadAccount3THRIFT210bpiBCD107ReadAccount&*Encode*Transaction
***Trac 1Layout:***
|SS|FC|PAN|Name|FS|AdditionalData|ES|LRC|
SS=StartSentinel"%"FC=FormatCodePAN=PrimaryAcct.#(19digitsmax)FS=FieldSeparator"^"Name=26alphanumericcharactersmax.AdditionalData=ExpirationDate,offset,encryptedPIN,etc.ES=EndSentinel"?"
-
7/31/2019 phrack37
8/15
LRC=LongitudinalRedundancyChec
***Trac 2Layout:***
|SS|PAN|FS|AdditionalData|ES|LRC|
SS=StartSentinel";"PAN=PrimaryAcct.#(19digitsmax)FS=FieldSeparator"="AdditionalData=ExpirationDate,offset,encryptedPIN,etc.ES=EndSentinel"?"LRC=LongitudinalRedundancyChec
***Trac 3Layout:**Similartotrac s1and2.Almostneverused.Manydifferentdatastandardsused.
Trac 2,"AmericanBan ingAssociation,"(ABA)ismostcommonlyused.Thisisthetrac thatisreadbyATMsandcreditcardchec ers.TheABAdesignedthespecificationsofthistrac andallworldban smustabidebyit.Itcontainsthecardholder'saccount,encryptedPIN,plusotherdiscretionarydata.
Trac 1,namedafterthe"InternationalAirTransportAssociation,"containsthecardholder'snameaswellasaccountandotherdiscretionarydata.Thistrac issometimesusedbytheairlineswhensecuringreservationswithacreditcard;yournamejust"popsup"ontheirmachinewhentheyswipeyourcard!
SinceTrac 1canstoreMUCHmoreinformation,creditcardcompaniesaretryingtourgeretailerstobuycardreadersthatreadTrac 1.The*problem*isthatmostcardreadersreadeitherTrac 1orTrac 2,butNOTBOTH!AndtheinstalledbaseofreaderscurrentlyisbiasedtowardsTrac 2.VISAUSAisatthefrontofthis'exodus'toTrac 1,tothepointwheretheyareofferingTrac 1readersatreducedpricesthruparticipatingban s.Aspo espersonfor
VISAcommented:
"Wethin thatTrac 1representsmoreflexibilityandthepotentialtodelivermoreinformation,andweintendtobuildnewservicesaroundtheincreasedinformation."
Whatnewservices?Wecanonlywaitandsee.
Trac 3isunique.ItwasintendedtohavedatareadandWRITTENonit.CardholderswouldhaveaccountinformationUPDATEDrightonthemagstripe.Unfortunately,Trac 3isprettymuchanorphanedstandard.Its*original*designwastocontroloff-lineATMtransactions,butsinceATMsarenowon-lineALLTHETIME,it'sprettymuchuseless.Plusthefactthatretailersandban s
wouldhavetoinstallNEWcardreaderstoreadthattrac ,andthatcosts$$.
Encodingprotocolspecifiesthateachtrac mustbeginandendwithalengthofallZerobits,calledCLOCKINGBITS.Theseareusedtosynchtheself-cloc ingfeatureofbiphasedecoding.SeeFigure10.
Figure10:endsentinelstartsentinel|longitudinalredundancychec|||000000000000000SS.................ESLRC0000000000000000
-
7/31/2019 phrack37
9/15
leadingdata,data,datatrailingcloc ingbitscloc ingbits(lengthvaries)(lengthvaries)
THAT'SIT!!!ThereyouhavetheANSI/ISOSTANDARDS!Completelyexplained.Now,thebadnews.NOTEVERYCARDUSESIT!CreditcardsandATMcardswillfollowthesestandards.BUT,therearemanyothertypesofcardsoutthere.Securitypasses,copymachinecards,IDbadges,andEACHofthemmayuseaPROPRIETARYdensity/format/trac -locationsystem.ANSI/ISOisREQUIREDforfinancialtransactioncardsusedintheinternationalinterban networ .Allothercardscanplaytheirowngame.
Thegoodnews.MOSTothercardsfollowthestandards,becauseit'sEASYtofollowastandardinsteadofWORKINGtoma eyourOWN!MostmagstripecardsotherthancreditcardsandATMcardswillusethesameTrac specifications,anduseeitherBCDorALPHAformats.
**ABitAboutMagstripeEquipment**
"Wow,nowI nowhowtointerpretallthatdataonmagstripes!But.waitasec,what indofequipmentdoIneedtoreadthestripes?WherecanIbuyareader?Idon'tseeanyinRadioShac !!"
Sorry,butmagstripeequipmentishardtocomeby.Forobviousreasons,cardreadersarenotmadecommonlyavailabletoconsumers.Howtobuildoneisthetopicforanotherfile(thisfileisalreadytoolong).
YourbestbetsaretotryandscopeoutElectronicsSurplusStoresandfleamar ets.Donotevenbothertryingtobuyonedirectlyfromamanufacturer,sincetheywillimmediatelyassumeyouhave"criminalmotives."AndasforgettingyourhandsonamagstripeENCODER...well,goodluc !Thoserarebeautiesareworththeirweightingold.Keepyoureyesopenandloo around,andMAYBEyou'llgetluc y!AbitofsocialengineeringcangoaLONGway.
Therearedifferent indsofmagstripereaders/encoders.Themostcommononesare"swipe"machines:thetypeyouhavetophysicallyslidethecardthru.
Othersare"insertion"machines:li eATMmachinesthey'eat'yourcard,thenregurgitateitafterthetransaction.Costsareinthethousandsofdollars,butli eIsaid,fleamar etsandsurplusstoreswilloftenhaveGREATdealsonthesethings.Anotherproblemisdocumentationforthesemachines.Ifyoucallthemanufacturerandsimplyas for'em,theywillprobablydenyyoutheliterature."Heyson,whatareyoudoingwithourmodelXYZswipereader?Thatbelongsinthehandsofa"qualified"merchantorretailer,notsomepunidtryingto"findouthowthingswor !"Again,somesocialengineeringmay
berequired.Tell'emyou'resettingupanewbusiness.Tell'emyou'rewor ingonascienceproject.Tell'emanythingthatwor s!
2600Magazinerecentlyhadagoodarticleonhowtobuildamachinethatcopiesmagstripecards.Notmuchinfoontheactualdataformatsandencoding
schemes,butthedevicedescribedisastart.Withsomemodifications,Ibetyoucouldroutetheoutputtoadumbterminal(orthruanullmodemcable)inordertoREADthedata.Worthchec ingouttheschematics.
Asforma ingyourowncards,justpastealengthofVCR,reel-to-reel,oraudiocassettetapetoacut-outposterboardorplasticcard.Wor sjustasgoodastherealthing,andusefultoexperimentwithifyouhavenoexpiredor'dead'ATMorcallingcardslyingaround(SAVEthem,don'tTOSSthem!).
-
7/31/2019 phrack37
10/15
**ExamplesofDataonMagstripes**
TherealfuninexperimentingwithmagstripetechnologyisREADINGcardstofindoutWHATTHEHELLisONthem!Haven'tyouwondered?Thefollowingcardsaretheresultofmyown'research'.Datasuchasspecificaccountnumbersandnameshasbeenchangedtoprotecttheinnocent.Nonethecardsusedtoma ethislistwerestolenoracquiredillegally.
NoticethatIma ecarefulnoteof"commondata."ThisisdatathatInoticedwasthesameforallcardsofaparticulartype.Thisishighlightedbelowthedatawithasteris s(*).WhereIfoundvaryingdata,Iindicateitwith"x"'s.Inthosecases,NUMBERofCHARACTERSwasconsistent(thenumberof"x"'sequalsthenumberofcharacters...onetoonerelationship).
Istilldon't nowwhatsomeofthedatafieldsarefor,buthopefullyIwillbefollowingthisfilewithasequelafterIcollectmoredata.ItISN'Teasytofindlotsofcardstoexamine.As yourfriends,family,andco-wor erstohelp!"Hey,canI,ahh,li eBORROWyourMCIcallingcardtonight?I'mwor ingonan,ahh,EXPERIMENT.Please?"Just...behonest!Also,dosometrashing.PeoplewilloftenBENDexpiredcardsinhalf,thenthrowthemout.Simplybendthembac intotheirnormalshape,andthey'llusuallywor (I'vedoneit!).Theymaybeexpired,butthey'renotERASED!--------------------------------------------------------------------------------=Mastercard=-Numberonfrontofcard->1111222233334444
Expirationdate->12/99
Trac 2(BCD,75bpi)->;1111222233334444=99121010000000000000?***Trac 1(ALPHA,210bpi)->%B1111222233334444^PUBLIC/JOHN?*Notethatthe"101"wascommontoallMCcardschec ed,aswellasthe"B".--------------------------------------------------------------------------------=VISA=-Numberonfrontofcard->1111222233334444Expirationdate->12/99
Trac 2(BCD,75bpi)->;1111222233334444=9912101xxxxxxxxxxxxx?
***Trac 1(ALPHA,210bpi)->%B1111222233334444^PUBLIC/JOHN^9912101xxxxxxxxxxxxx?*
Notethatthe"101"wascommontoallVISAcardschec ed,aswellasthe"B".Also,the"xxx"indicatesnumericdatathatvariedfromcardtocard,withnoapparentpattern.Ibelievethisistheencryptedpinforusewhencardholdersget'cashadvances'fromATMs.Ineverycase,tho,Ifound*13*digitsofthestuff.--------------------------------------------------------------------------------=Discover=-Numberonfrontofcard->1111222233334444Expirationdate->12/99
Trac 2(BCD,75bpi)->;1111222233334444=991210100000?********
Trac 1(ALPHA,210bpi)->%B1111222233334444^PUBLIC/JOHN___^991210100000?********Note,the"10100000"and"B"werecommontomostDISCOVERcardschec ed.Ifoundafewthathad"10110000"instead.Don't nowthesignificance.NotetheunderscoresafterthenameJOHN.Ifoundconsistentlythatthenamedatafieldhad*26*characters.Whateverwasleftofthefieldafterthenamewas"padded"withSPACES.So...forallofyouwithnameslongerthan25(exclude
-
7/31/2019 phrack37
11/15
the"/")characters,PREPAREtobeTRUNCATED!;)--------------------------------------------------------------------------------=USSprintFON=-Numberonfrontofcard->11122233334444
Trac 2(BCD,75bpi)->;xxxxxx11122233339==xxx4444xxxxxxxxxx=?*
Trac 1(ALPHA,210bpi)->%B^/^^xxxxxxxxxxxxxxxxx?*
Strange.NoneofthecardsIchec hadnamesintheTrac 1fields.Trac 1loo sunused,yetitwasalwaysformattedwithfieldseparators.The"xxx"stuffvariedfromcardtocard,andIdidn'tseeapattern.I nowitisn'taPIN,soitmustbeaccountdata.--------------------------------------------------------------------------------=FleetBan =-Numberonfrontofcard->1111112223333333Expirationdate->12/99
Trac 2(BCD,75bpi)->;1111112223333333=9912120100000000xxxx?****
Trac 1(ALPHA,210bpi)->%B1111112223333333^PUBLIC/JOHN___^9912120100000000000000xxxx000000?*****
Notethatthe"xxx"datavaried.ThisistheencryptedPINoffset.Always4digits(hmmm...).The"1201"wasalwaysthesame.Infact,ItriedmanyATMcardsfromDIFFERENTBANKS...andtheyallhad"1201".-------------------------------------------------------------------------------(Can'tleave*this*oneout;)-=RadioShac =-Numberonfrontofcard->1111222333333NOEXPIRATIONdataoncard
Trac 2(BCD,75dpi)->;1111222333333=9912101?*******
Notethatthe"9912101"wastheSAMEforEVERYRadioShac cardIsaw.Loo s
li ewhentheydon'thave'real'datatoputintheexpirationdatefield,theyhavetostic SOMETHINGinthere.-------------------------------------------------------------------------------
Well,that'sallI'mgoingtoputoutrightnow.Asyoucansee,themajortypesofcards(ATMs,CC)allfollowthesamerulesmoreorless.Ichec edoutanumberofsecuritypasscardsandtimecloc entrycards..andtheyALLhadrandomstuffwrittentoTrac 2.Trac 2isbyFARtheMOSTutilizedtrac onthecard.AndtheformatisprettymuchalwaysANSI/ISOBCD.I*did*runintosomehotelroomaccesscardsthat,whenscanned,wereGARBLED.Theymostli elyusedacharactersetotherthanASCII(iftheywereaudiotones,myreaderwouldhaveputoutNOTHING...asopposedtoGARBLEDdata).Asyoucansee,onecouldwriteaBOOKlistingdifferenttypesofcarddata.Iintended
onlytogiveyousomeexamples.Myresearchhasbeenlimited,butItriedtoma elogicalconclusionsbasedonthedataIreceived.
**CardsofAllFlavors**
PeoplewantedtostoreALOTofdataonplasticcards.Andtheywantedthatdatatobe'invisible'tocardholders.Herearethedifferentcardtechnologiesthatwereinventedandareavailabletoday.
-
7/31/2019 phrack37
12/15
HOLLERITH-Withthissystem,holesarepunchedinaplasticorpapercardandreadoptically.Oneoftheearliesttechnologies,itisnowseenasanencodedroom eyinhotels.Thetechnologyisnotsecure,butcardsarecheaptoma e.
BARCODE-Theuseofbarcodesislimited.Theyarecheap,butthereisvirtuallynosecurityandthebarcodestripcanbeeasilydamaged.INFRARED-Notinwidespreaduse,cardsarefactoryencodedbycreatinga"shadowpattern"withinthecard.Thecardispassedthruaswipeorinsertionreaderthatusesaninfraredscanner.Infraredcardpricingismoderatetoexpensive,andencodingisprettysecure.Infraredscannersareopticalandthereforevulnerabletocontamination.
PROXIMITY-Hands-freeoperationistheprimarysellingpointofthiscard.Althoughseveraldifferentcircuitdesignsareused,allproximitycardspermitthetransmissionofacodesimplybybringingthecardnearthereader(6-12").Thesecardsarequitethic ,upto0.15"(theABAstandardis0.030"!).
WIEGAND-Namedafteritsinventor,thistechnologyusesaseriesofsmalldiameterwiresthat,whensubjectedtoachangingmagneticfield,induceadiscretevoltageoutputinasensingcoil.Tworowsof
wiresareembeddedinacodedstrip.Whenthewiresmovepastthereadhead,aseriesofpulsesisreadandinterpretedasbinarycode.ThistechnologyproducescardsthatareVERYhardtocopyoralter,andcardsaremoderatelyexpensivetoma e.Readersbasedonthistechareepoxyfilled,ma ingthemimmunetoweatherconditions,andneithercardnorreadersareaffectedbyexternalmagneticfields(don'tworryaboutleavingthesecardsontopofthetelevisionset...youcan'thurtthem!).Here'sanexampleofthelayoutofthewiresinaWiegandstrip:
|||||||||||||||||||||||||||||||||||||||||||
ThewiresareNOTvisiblefromtheoutsideofthecard,butifyourcardiswhite,placeitinfrontofaVERYbrightlightsourceandpeerinside.Noticethatthespacingsbetweenthewiresisuniform.
BARIUMFERRITE-Theoldestmagneticencodingtechnology(beenaroundfor40yrs!)itusessmallbitsofmagnetizedbariumferritethatareplacedinsideaplasticcard.Thepolarityandlocationofthe"spots"determinesthecoding.Thesecardshaveashortlifecycle,andareusedEXTENSIVELYinpar inglots(highturnoverrate,minimalsecurity).BariumFerritecardsareONLYusedwithINSERTIONreaders.
Thereyouhavethemostcommonlyusedcards.MagstripesarecommonbecausetheyareCHEAPandrelativelysecure.
**MagstripeCoercivity**
Magstripesthemselvescomeindifferentflavors.TheCOERCIVITYofthemagneticmediamustbespecified.Thecoercivityisthemagneticfieldstrengthrequiredtodemagnetizeanencodedstripe,andthereforedeterminestheencodeheadfieldstrengthrequiredtoencodethestripe.Arangeofmedia
-
7/31/2019 phrack37
13/15
coercivitiesareavailablerangingfrom300Oerstedsto4,000Oe.ThatboilsdowntoHIGH-ENERGYmagstripes(4,000Oe)andLOW-ENERGYmagstripes(300Oe).
REMEMBER:sinceallmagstripeshavethesamemagneticremanenceregardlessoftheircoercivity,readersCANNOTtellthedifferencebetweenHIGHandLOWenergystripes.Botharereadthesamebythesamemachines.
LOW-ENERGYmediaismostcommon.Itisusedonallfinancialcards,butitsdisadvantageisthatitissubjecttoaccidentaldemagnetizationfromcontactwithcommonmagnets(refrigerator,TVmagneticfields,etc.).Butthesecardsare eptsafeinwalletsandpursesmostofthetime.
HIGH-ENERGYmediaisusedforIDBadgesandaccesscontrolcards,whicharecommonlyusedin'hostile'environments(wornonuniform,usedinstoc rooms).Normalmagnetswillnotaffectthesecards,andlow-energyencoderscannotwritetothem.
**NotAllthatFluxesisDigital**
Notallmagstripecardsoperateonadigitalencodingmethod.SOMEcardsencodeAUDIOTONES,asopposedtodigitaldata.Thesecardsareusuallyusedwithold,outdated,industrial-strengthequipmentwheresecurityisnotanissueandnotagreatdealofdataneedbeencodedonthecard.Somesubway
passesareli ethis.Theyrequireonlyexpirationdataonthemagstripe,andashortseriesofvaryingfrequenciesanddurationsareenough.Frequencieswillvarywiththespeedofswiping,butRELATIVEfrequencieswillremainthesame(forinstance,tone1istwicethefreq.oftone2,and.5thefreqoftone3,regardlessoftheoriginalfrequencies!).Grabanoscilloscopetovisualizethetones,andlistentothemonyourstereo.Ihaven'texperimentedwiththesetypesofcardsatall.
**SecurityandSmartcards**
Manysecuritysystemsutilizemagstripecards,intheformofpasscardsandIDcards.It'sinteresting,butIfoundinaNUMBERofcasesthattherewasa
seriousFLAWinthesecurityofthesystem.Inthesecases,therewasacodenumberPRINTEDonthecard.Whenscanned,Ifoundthisnumberencodedonthemagstripe.Problemwas,theCODENUMBERwasALLIfoundonthemagstripe!Meaning,byjustloo ingatthefaceofthecard,Iimmediately newexactlywhatwasencodedonit.Ooops!Ma esitprettydamneasytojustglanceatJoe'scardduringlunch,thengohomeandpopoutmyOWNcopyofJoe'saccesscard!Fortunately,Ifoundthisflawonlyin'smaller'companies(sometimesevenuniversities).Biggercompaniesseemto nowbetter,andDON'TprintALLofthemagstripedatarightoncardinbig,easilylegiblenumbers.Atleastthebigcompanies*I*chec ed.;)
OthersecurityblundersincludepasscardmagstripesencodedONLYwiththeowner'ssocialsecuritynumber(yeah,realdifficulttofindoutaperson's
SS#...GREATidea),andhavingpasscardswithonly3or4digitcodes.
Smartcardtechnologyinvolvestheuseofchipsembeddedinplasticcards,withpinoutsthattemporarilycontactthecardreaderequipment.Obviously,aGREATdealofdatacouldbestoredinthisway,andunauthorizedduplicationwouldbeverydifficulty.Interestinglyenough,notmucheffortisbeingputintosmartcardsbythemajorcreditcardcompanies.Theyfeelthatthetechistooexpensive,andthatstillmoredatacanbesqueezedontomagstripecardsinthefuture(especiallyTrac 1).Ifindthissomewhatanalogoustotheuseofmetallicoxidedis media.Sure,it'snotthegreatest(comparedtoerasable-
-
7/31/2019 phrack37
14/15
writableopticaldis s),butit'sCHEAP..andwejust eepimprovingit.Magstripeswillbearoundforalongtimetocome.Themediawillberefined,anddatadensityincreased.Butforconventionalapplications,thevaststoragecapabilitiesofsmartcardsarejustnotneeded.
**Biometrics:Throwyercardsaway!**
I'dli etoendwithamentionofbiometrics:thetechnologybasedonreadingthephysicalattributesofanindividualthruretinascanning,signatureverification,voiceverification,andothermeans.Thiswasoncelimitedtogovernmentuseandtosupersensitiveinstallations.However,biometricswillsoonacquirealargermar etshareinaccesscontrolsalesbecausemuchofitsdevelopmentstagehaspassedandcostswillbewithinreachofmorebuyers.Eventually,wecanexpectbiometricstoreplaceprettymuchALLcards..becauseallthoseplasticcardsinyourwalletarethereJUSTtohelpCOMPANIES*identify*YOU.Andwithbiometrics,they'll nowyouwithouthavingtoreadcards.
I'mnotparanoid,nordoIsubscribetoanygrand"corporateconspiracy,"butIfinditabitunsettlingthatourphysicalattributeswillmostli elysomedaybesittinginthecool,vastelectronicdatabasesoftheCORPORATEworld.Accessiblebyanyonewillingtopay.ImagineCBIandTRWdatabaseswithyourretinaimage,fingerprint,andvoicepatternonlineforinstant,convenient
retrieval.Today,apersoncanCHOOSENOTtoownacreditcardorabancard...wecancutupourplasticIDcards!Withoutacard,acardreaderisuselessandcannotidentifyyou.
Payingincashma esyouinvisible!However,withbiometrics,allamachinehastodoiswatch...listen...andrecord.Withgovernment/corporateAmericapushingallthebuttons."Areyoupayingincash?..Than you...Pleaseloointothecamera.Oh,IseeyournameisMr.Smith...uh,oh...mycomputertellsmeyouhaven'tpaidyourgasbill...afraidI'mgoingtohaveto eepthismoneyandcredityourgasaccountwithit....doyouhaveanymorecash?...orwouldyouratherIgarnishyourpaychec ?"hehheh
**ClosingNotes(FINALLY!!!!)**
Whew...thiswasoneMOTHERofafile.Ihopeitwasinteresting,andIhopeyoudistributeittoallyoufriends.Thisfilewasaproductionof"RestrictedDataTransmissions"...agroupoftechiesbasedintheBostonareathatfeelthat"InformationisPower"...andweintendtoreleaseanumberofhighlytechnicalyetentertainingfilesinthecomingyear....LOOKFORTHEM!!TomorrowI'monmywaytoXmascon'91...wemadesomeslic buttonscommemoratingtheevent...ifyoueverseeoneofthem(greenwreath.XMASCON1991printedonit).hangontoit!...it'sacollector'sitem..(hahahah)Boy,I'msleepy...
Remember...."Truthischeap,butinformationcosts!"
But-=RDTisgonnachangeallthat...;)settheinfoFREE!
Peace.
..oooOOCountZeroOOooo..
UsualgreetstoMagicMan,BrianOblivion,Omega,WhiteKnight,andanyoneelseIeverbummedacigaretteoff.
-
7/31/2019 phrack37
15/15
(1/18/92addition:GreetstoeveryoneImetatXmascon..includingbutnotexcludingCrimsonDeath,Dispater,Sterling,Mac Hammer,Eri Bloodaxe,HolisticHac er,PainHertz,SwampRatte,G.A.Ellsworth,Phaedrus,Moebius,LordMacDuff,JudgeDredd,andofcoursehatsoffto*Drun fux*fororganizingandta ingresponsibilityforthewholedamnthing.HopetoseeallofyouatSummerCon'92!Loo forCyber-striperGIFsataBBSnearyou..hehheh)
Comments,criticisms,anddiscussionsaboutthisfilearewelcome.Icanbereachedat:[email protected]@[email protected]
MagicManandIarethesysopsoftheBBS"ATDT"...locatedsomewhereinMassachusetts.Greatmessagebases,technicaldiscussions...datamadeflesh...electronicunderground.....ourownInternetaddress(atdt.org)...fieldtripstothetunnelsunderMITinCambridge.....giveitacall..mailmeformoreinfo..;)