Magnetic Stripe Reading

Preamble

This is the article text as it appears in the Spring 2005 issue of 2600 Magazine. Also available as a PDF.

In order to clear up some confusion, my pen name for this and the New York City's MTA Exposed! article was Redbird. I am the author of these articles and no, they're not being published without citation. I hereby give credit to the author: myself.

Introduction

Good magnetic stripe readers are hard to come by. Most are expensive, only capable of reading one or two tracks, and have inconvenient interfaces. In this article I will describe the process of making an extremely cheap, simple, and reliable single-track reader from parts that are readily available. We will be interfacing the reader to the microphone input of a sound card, which is very convenient for use with most laptops and desktops.

I will not be discussing the theory and concepts of magnetic stripe technology and the assumption is made that you are somewhat familiar with the topic. For a simplistic overview of magnetic stripe technology that is easy to read and understand, I recommend that you read the classic article "Card-O-Rama: Magnetic Stripe Technology and Beyond" by Count Zero, which can be found quickly by doing a web search for keywords in the title.

Materials

Below is a list of materials you'll need to construct the reader.

- Magnetic head
Magnetic heads are extremely common. Discarded cassette tape players contain magnetic heads of almost the exact size needed (the small difference won't matter for our application). Simply obtain a discarded cassette tape player and remove the magnetic head without damaging it. These heads are usually secured with one or two screws which can be useful when building the reader, so don't discard them.
- 3.5mm mono phone plug (with 2-conductor wire)
You can find this on a discarded monaural earphone or in an electronics store.
- Soldering iron with solder

Optional:

- Wood (or other sturdy material) base to mount magnetic head
- Ruler or other straight edge to slide cards on

Construction

The actual hardware design is incredibly simple. The interface consists of simply connecting the output of the magnetic head directly to the mic input of a sound card. Solder the wire connecting the 3.5mm mono phone plug (base and tip) to the leads of the magnetic stripe head. Polarity does not matter.

I recommend that you mount the head in a way that makes it easy to swipe a card over it with a constant velocity. This is where your custom hardware ingenuity comes in. Mount a ruler (or other straight edge) perpendicular to the magnetic head, with the reading solenoid (usually visible as a black rectangle on the head) at the correct distance from the base for the corresponding track. Track 1 starts at 0.223" from the bottom of the card, Track 2 starts at 0.333", and Track 3 starts at 0.443".

Alternatively, you can purchase a surplus reader with no interface (i.e., scrapped or with a cheap TTL interface) and follow the same instructions with the exception that the magnetic head will already be mounted. Most surplus readers come preset to Track 2, although it is usually a simple hardware mod to move it to the track you'd like to read. This will save you the trouble of building a custom swiping mechanism and will also improve the reliability of the reads. There are surplus readers that can be purchased for less than $10 US at various online merchants.

Software

In this project, the software does all the heavy lifting. The "dab" utility included in this article takes the raw DSP data from your sound card, decodes the FSK (frequency shift keying - a.k.a. Atkin Biphase) modulation from the magnetic stripe, and outputs the binary data. Additionally, you can decode the binary data using the "dmsb" utility to output the ASCII characters and perform an LRC check to verify the integrity of the data, provided that the stripe conforms to the specifications described in ISO 7811, 7813, and optionally ISO 4909 (for the uncommon Track 3). Becoming familiar with these specifications will help you understand the contents of the magnetic stripe when viewing the decoded data.

The provided software is more proof-of-concept than production code, and should be treated as such. That said, it does its job well. It is open source and released under the MIT license. Feel free to contribute.

Requirements

- Linux (or the desire to port to another operating system)
- A configured 16-bit sound card
- Access to the /dev/dsp device
- libsndfile

Note that "dab" can also take input from any audio file supported by libsndfile. However, it must be a clean sample that starts at the beginning of the file. This is useful to eliminate the requirement of a sound card and allow samples to be recorded from another device (e.g., an MP3 player/recorder) and decoded at another time.

Download

dab.c (v0.7)- Decode Atkin Biphase

dmsb.c (v0.1)- Decode (standard) Magnetic Stripe Binary

Compiling

Edit any configuration #defines near the top of the dab.c file and proceed to compile the source with the following commands:

cc dab.c -o dab -lsndfile
cc dmsb.c -o dmsb

Usage

Usage: dab [OPTIONS]

  -a,  --auto-thres   Set auto-thres percentage
                      (default: 30)
  -d,  --device       Device to read audio data from
                      (default: /dev/dsp)
  -f,  --file         File to read audio data from
                      (use instead of -d)
  -h,  --help         Print help information
  -m,  --max-level    Shows the maximum level
                      (use to determine threshold)
  -s,  --silent       No verbose messages
  -t,  --threshold    Set silence threshold
                      (default: automatic detect)
  -v,  --version      Print version information

Usage: dmsb [OPTIONS]

  -V,  --verbose      Verbose messages

  -h,  --help         Print help information
  -v,  --version      Print version information

dmsb will wait on stdin for raw magnetic stripe data (string of 0s and 1s
followed by a newline) and print the decoded data to stdout.

Be sure that the mic is set as the recording device for your sound card (using a utility such as aumix or your preferred mixer). Standard usage on the command line with the hardware interfaced directly to the sound card (mic in) will be as follows with standard cards:

./dab | ./dmsb

Pictures

My original reader. With this reader I would use a ruler as a track guide. This way I could not only read the three standard tracks, but also data on non-standard cards, some of which have tracks in odd positions such as through the middle of the card.

Original Reader Original Reader

My current reader, made of a modified surplus reader which is only capable of reading the three standard tracks.

Current Reader Current Reader

Examples

Below are some examples of a few (hopefully) less common cards as to get an idea of the sort of data you're likely to find.

Park Inn (Berlin-Alexanderplatz) Door Key Cards

Room: 2006
Checkout Date: 12/30/2004
Card 1
Track 2 Data: ;5101152006010912130124000120000000000?
Card 2
Track 2 Data: ;5101152006020912130124000120000000000?

Room: 2005
Checkout Date: 12/30/2004
Card 1
Track 2 Data: ;5101152005010160230124000120000000000?
Card 2
Track 2 Data: ;5101152005020160230124000120000000000?

SEPTA Monthly TransPass Cards

Month: November 2004
Serial: 001467
Track 2 Data: ;010100110104113004000001467?

Month: June 2003
Serial: 002421
Track 2 Data: ;010100060103063003000002421?

Month: January 2002
Serial: 028813
Track 2 Data: ;010100010102013102000028813?

Sony Connect Cash Cards

Card Number: 603571 010462 1134569
PIN: 9014
Track 1 Data: %B6035710104621134569^^49120000040?
Track 2 Data: ;6035710104621134569=49120000040?

Card Number: 603571 010462 1132282
PIN: 5969
Track 1 Data: %B6035710104621132282^^49120008147?
Track 2 Data: ;6035710104621132282=49120008147?

Starbucks Cards

Card Number: 6015 0613 2715 8426
Track 1 Data: %B6010565061327158^0040/MOMSDAY04^25010004000060018426           ?
Track 2 Data: ;6010565061327158=25010004000060018426?

Card Number: 6014 5421 5637 9529
Track 1 Data: %B6010564542156377^0027/EXCLUSIVEB2B04^25010004000060019529           ?
Track 2 Data: ;6010564542156377=25010004000060019529?

Card Number: 6014 5421 6302 5757
Track 1 Data: %B6010564542156377^0027/EXCLUSIVEB2B04^25010004000060019529           ?
Track 2 Data: ;6010564542163027=25010004000060015757?

Conclusion

This project was originally started for the New York City MetroCard decoding project that you may have heard about on Off The Hook. Nearly all commercial readers are unable to dump the raw data as it exists on the MetroCard and, even if they could, they are priced way above our (and most hobbyists') budget limitations. This solution has worked very well for us and can aid you in reverse-engineering cards that you may have as well. The "dmsb" application available online can be used for simply decoding standard cards that you have laying around as well.

While my construction example demonstrates a fairly straightforward and typical use of a magnetic stripe reader, many other uses can be considered.

For instance, since all the data obtained from the reader itself is audio, the device can be interfaced to a digital audio recording device, such as one of the many MP3 (and other codec) player/recorders on the market. You could then set the device to record, interfaced the same way with the magnetic stripe reader, and have a stand-alone reader small enough to fit in your pocket. Later, you'd view and edit the captured audio file, saving the clean waveform to a standard .wav file to be analyzed with "dab" (which, in fact, has this capability). You can even construct the reader in an inconspicuous way, so onlookers would never realize the device's capability.

How is this significant? Reading boarding passes with magnetic stripes is a perfect application. These are generally only available in the waiting area of airports. They're issued at check-in and collected when you board, leaving a very small time margin during which the stripe can be scanned. In my case, I had been flagged for additional security and the infamous "SSSS" was printed on my pass. Using my reader, I was able to duck into a bathroom and quickly read the data into my mp3 player/recorder for later analysis. (I discovered a mysterious code on track 2 (normally blank) which read: "C 13190-2******" as well as an "S" at the end of the passenger data on track 1.)

But there are other more sinister applications. What if one of the waiters at your favorite restaurant built this device and swiped the card of everyone who pays with credit? From the data obtained, an exact clone of the credit card could be created. Credit card fraud would quickly become out of control if this were commonplace.

The same principle could be applied to reverse-engineering an unknown magnetic stripe technology. While individual card samples are often much more difficult to obtain, scanning samples as you obtain them enables you to gather samples at an astonishing rate. This way, supporters can loan you cards to scan on the spot. I have personally used this method for the MetroCard decoding project and it works extremely well.

I could go on and on with more examples of the implications of this sort of design, but I'd like to hear back from the readers as to what other ideas may have been thought up. All feedback is appreciated and, time permitting, all questions will be answered.

Hopefully this project makes you realize how certain types of technology are priced way above what they have to be to keep them away from "us" because of the fear of malicious use. I also hope it encourages more projects like this to surface so we can learn about and use technology without the restrictions imposed upon us by big corporations.

Last update: 2007-01-14