This is the article text as it appears in the Spring 2005 issue of 2600 Magazine. Also available as a PDF.
In order to clear up some confusion, my pen name for this and the New York City's MTA Exposed! article was Redbird. I am the author of these articles and no, they're not being published without citation. I hereby give credit to the author: myself.
Good magnetic stripe readers are hard to come by. Most are expensive, only capable of reading one or two tracks, and have inconvenient interfaces. In this article I will describe the process of making an extremely cheap, simple, and reliable single-track reader from parts that are readily available. We will be interfacing the reader to the microphone input of a sound card, which is very convenient for use with most laptops and desktops.
I will not be discussing the theory and concepts of magnetic stripe technology and the assumption is made that you are somewhat familiar with the topic. For a simplistic overview of magnetic stripe technology that is easy to read and understand, I recommend that you read the classic article "Card-O-Rama: Magnetic Stripe Technology and Beyond" by Count Zero, which can be found quickly by doing a web search for keywords in the title.
Below is a list of materials you'll need to construct the reader.
The actual hardware design is incredibly simple. The interface consists of simply connecting the output of the magnetic head directly to the mic input of a sound card. Solder the wire connecting the 3.5mm mono phone plug (base and tip) to the leads of the magnetic stripe head. Polarity does not matter.
I recommend that you mount the head in a way that makes it easy to swipe a card over it with a constant velocity. This is where your custom hardware ingenuity comes in. Mount a ruler (or other straight edge) perpendicular to the magnetic head, with the reading solenoid (usually visible as a black rectangle on the head) at the correct distance from the base for the corresponding track. Track 1 starts at 0.223" from the bottom of the card, Track 2 starts at 0.333", and Track 3 starts at 0.443".
Alternatively, you can purchase a surplus reader with no interface (i.e., scrapped or with a cheap TTL interface) and follow the same instructions with the exception that the magnetic head will already be mounted. Most surplus readers come preset to Track 2, although it is usually a simple hardware mod to move it to the track you'd like to read. This will save you the trouble of building a custom swiping mechanism and will also improve the reliability of the reads. There are surplus readers that can be purchased for less than $10 US at various online merchants.
In this project, the software does all the heavy lifting. The "dab" utility included in this article takes the raw DSP data from your sound card, decodes the FSK (frequency shift keying - a.k.a. Aiken Biphase) modulation from the magnetic stripe, and outputs the binary data. Additionally, you can decode the binary data using the "dmsb" utility to output the ASCII characters and perform an LRC check to verify the integrity of the data, provided that the stripe conforms to the specifications described in ISO 7811, 7813, and optionally ISO 4909 (for the uncommon Track 3). Becoming familiar with these specifications will help you understand the contents of the magnetic stripe when viewing the decoded data.
The provided software is more proof-of-concept than production code, and should be treated as such. That said, it does its job well. It is open source and released under the MIT license. Feel free to contribute.
Note that "dab" can also take input from any audio file supported by libsndfile. However, it must be a clean sample that starts at the beginning of the file. This is useful to eliminate the requirement of a sound card and allow samples to be recorded from another device (e.g., an MP3 player/recorder) and decoded at another time.
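The Track 2 decoding and LRC check described above can be illustrated with the short C program below. It is an added example, not the "dmsb" source from the article; it assumes the ISO 7811 Track 2 layout (5-bit characters, four data bits least significant bit first plus an odd parity bit, with the LRC following the end sentinel), and the function names, error codes, and sample bit string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
enum { T2_OK = 0, T2_NO_START = -1, T2_PARITY = -2, T2_TRUNCATED = -3, T2_LRC = -4 };

/* Constructed sample, not from a real card: clocking zeros, then ";12=34?" and its LRC. */
static const char SAMPLE[] =
    "0000" "11010" "10000" "01000" "10110" "11001" "00100" "11111" "10110" "000";

/* One 5-bit character: 4 data bits (LSB first) + odd parity bit; -1 on error. */
static int read_char(const char *b)
{
    int val = 0, ones = 0;
    for (int i = 0; i < 5; i++) {
        if (b[i] != '0' && b[i] != '1') return -1;
        ones += b[i] - '0';
        if (i < 4) val |= (b[i] - '0') << i;
    }
    return (ones & 1) ? val : -1;
}

/* Decode a string of '0'/'1' symbols into Track 2 text and verify the LRC. */
int decode_track2(const char *bits, char *out, size_t outsz)
{
    const char *p = strstr(bits, "11010");      /* start sentinel ';' */
    const char *end = bits + strlen(bits);
    size_t n = 0;
    int lrc = 0, v;
    if (!p) return T2_NO_START;
    for (; end - p >= 5; p += 5) {
        if ((v = read_char(p)) < 0) return T2_PARITY;
        if (n + 2 > outsz) return T2_TRUNCATED;  /* no room for char + NUL */
        out[n++] = (char)('0' + v);              /* 0x30 + value: 0-9 : ; < = > ? */
        out[n] = '\0';
        lrc ^= v;                                /* even parity per bit column */
        if (v != 0xF) continue;                  /* 0xF is the end sentinel '?' */
        if (end - (p + 5) < 5) return T2_TRUNCATED;
        if ((v = read_char(p + 5)) < 0) return T2_PARITY;
        return v == lrc ? T2_OK : T2_LRC;
    }
    return T2_TRUNCATED;
}

int main(void)
{
    char text[64];
    int rc = decode_track2(SAMPLE, text, sizeof text);
    printf("rc=%d text=%s\n", rc, rc == T2_OK ? text : "(invalid)");
    return rc != T2_OK;
}
```

A single flipped bit shows up as a parity error on that character, while a two-bit change inside one character passes parity and is caught only by the LRC.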
dab.c (v0.7) - Decode Aiken Biphase
dmsb.c (v0.1) - Decode (standard) Magnetic Stripe Binary
Edit any configuration #defines near the top of the dab.c file and proceed to compile the source with the following commands:
cc dab.c -o dab -lsndfile
cc dmsb.c -o dmsb

Usage: dab [OPTIONS]

  -a, --auto-thres   Set auto-thres percentage (default: 30)
  -d, --device       Device to read audio data from (default: /dev/dsp)
  -f, --file         File to read audio data from (use instead of -d)
  -h, --help         Print help information
  -m, --max-level    Shows the maximum level (use to determine threshold)
  -s, --silent       No verbose messages
  -t, --threshold    Set silence threshold (default: automatic detect)
  -v, --version      Print version information

Usage: dmsb [OPTIONS]

  -V, --verbose      Verbose messages
  -h, --help         Print help information
  -v, --version      Print version information

dmsb will wait on stdin for raw magnetic stripe data (string of 0s and 1s followed by a newline) and print the decoded data to stdout.
Be sure that the mic is set as the recording device for your sound card (using a utility such as aumix or your preferred mixer). Standard usage on the command line with the hardware interfaced directly to the sound card (mic in) will be as follows with standard cards:
./dab | ./dmsb
My original reader. With this reader I would use a ruler as a track guide. This way I could not only read the three standard tracks, but also data on non-standard cards, some of which have tracks in odd positions such as through the middle of the card.
My current reader, made of a modified surplus reader which is only capable of reading the three standard tracks.
Below are some examples of a few (hopefully) less common cards, to give you an idea of the sort of data you're likely to find.
Room: 2006
Checkout Date: 12/30/2004
Card 1 Track 2 Data: ;5101152006010912130124000120000000000?
Card 2 Track 2 Data: ;5101152006020912130124000120000000000?

Room: 2005
Checkout Date: 12/30/2004
Card 1 Track 2 Data: ;5101152005010160230124000120000000000?
Card 2 Track 2 Data: ;5101152005020160230124000120000000000?

Month: November 2004
Serial: 001467
Track 2 Data: ;010100110104113004000001467?

Month: June 2003
Serial: 002421
Track 2 Data: ;010100060103063003000002421?

Month: January 2002
Serial: 028813
Track 2 Data: ;010100010102013102000028813?

Card Number: 603571 010462 1134569
PIN: 9014
Track 1 Data: %B6035710104621134569^^49120000040?
Track 2 Data: ;6035710104621134569=49120000040?

Card Number: 603571 010462 1132282
PIN: 5969
Track 1 Data: %B6035710104621132282^^49120008147?
Track 2 Data: ;6035710104621132282=49120008147?

Card Number: 6015 0613 2715 8426
Track 1 Data: %B6010565061327158^0040/MOMSDAY04^25010004000060018426 ?
Track 2 Data: ;6010565061327158=25010004000060018426?

Card Number: 6014 5421 5637 9529
Track 1 Data: %B6010564542156377^0027/EXCLUSIVEB2B04^25010004000060019529 ?
Track 2 Data: ;6010564542156377=25010004000060019529?

Card Number: 6014 5421 6302 5757
Track 1 Data: %B6010564542156377^0027/EXCLUSIVEB2B04^25010004000060019529 ?
Track 2 Data: ;6010564542163027=25010004000060015757?
This project was originally started for the New York City MetroCard decoding project that you may have heard about on Off The Hook. Nearly all commercial readers are unable to dump the raw data as it exists on the MetroCard and, even if they could, they are priced way above our (and most hobbyists') budget limitations. This solution has worked very well for us and can aid you in reverse-engineering cards that you may have as well. The "dmsb" application available online can also be used simply to decode standard cards that you have lying around.
While my construction example demonstrates a fairly straightforward and typical use of a magnetic stripe reader, many other uses can be considered.
For instance, since all the data obtained from the reader itself is audio, the device can be interfaced to a digital audio recording device, such as one of the many MP3 (and other codec) player/recorders on the market. You could then set the device to record, interfaced the same way with the magnetic stripe reader, and have a stand-alone reader small enough to fit in your pocket. Later, you'd view and edit the captured audio file, saving the clean waveform to a standard .wav file to be analyzed with "dab" (which, in fact, has this capability). You can even construct the reader in an inconspicuous way, so onlookers would never realize the device's capability.
How is this significant? Reading boarding passes with magnetic stripes is a perfect application. These are generally only available in the waiting area of airports. They're issued at check-in and collected when you board, leaving a very small time margin during which the stripe can be scanned. In my case, I had been flagged for additional security and the infamous "SSSS" was printed on my pass. Using my reader, I was able to duck into a bathroom and quickly read the data into my mp3 player/recorder for later analysis. (I discovered a mysterious code on track 2 (normally blank) which read: "C 13190-2******" as well as an "S" at the end of the passenger data on track 1.)
But there are other more sinister applications. What if one of the waiters at your favorite restaurant built this device and swiped the card of everyone who pays with credit? From the data obtained, an exact clone of the credit card could be created. Credit card fraud would quickly become out of control if this were commonplace.
The same principle could be applied to reverse-engineering an unknown magnetic stripe technology. While individual card samples are often much more difficult to obtain, scanning samples as you obtain them enables you to gather samples at an astonishing rate. This way, supporters can loan you cards to scan on the spot. I have personally used this method for the MetroCard decoding project and it works extremely well.
I could go on and on with more examples of the implications of this sort of design, but I'd like to hear back from the readers as to what other ideas may have been thought up. All feedback is appreciated and, time permitting, all questions will be answered.
Hopefully this project makes you realize how certain types of technology are priced way above what they have to be to keep them away from "us" because of the fear of malicious use. I also hope it encourages more projects like this to surface so we can learn about and use technology without the restrictions imposed upon us by big corporations.
Last update: 2007-01-14