Spoofing magnetic swipe cards

About a year ago I threw a magnetic swipe card reader into a larger Digikey order. I didn’t have any specific plans for it at the time; mostly I was just curious to learn about swipe cards and what kind of hidden information I was carrying around in my wallet.

(This site has moved to http://www.flashingleds.net, go there if you have comments or questions)

The reader is one of the Omron V3A series, which, if you read some of the many websites discussing swipe card readers, is a pretty popular choice because it is easy to interface. Mine is a 4K model ($30 from Digikey) and reads track 2 data. Ideally you want all three tracks, but it gets expensive, and for the majority of cards track 2 is where the interesting data is. For an in-depth discussion of swipe card encoding standards the best reference is the “Magtek IO” PDF, which is very google-able.

Eventually I did get around to hooking it up to a microcontroller and satisfying my curiosity about my various cards. For the most part there was nothing all that interesting on any of them, until I ran my university ID card through. The only data encoded on it was my university ID number!

Why is that significant? Well, that ID card is used to access a variety of offices and laboratories across the campus. Staff and student ID numbers are publicly available. If you had the ability to either fake a card or encode a blank, this implies that you could open any door provided you knew the name of one person authorized to open it. You’d never need to lay hands on their card – just look up their university ID number, operate your device and walk on in. I was dying to know if the situation could really be that bad.

Card writers are readily available – Sparkfun has one for $140 and blank cards for a dollar. However since I’m not actually planning to illegally access anything or steal equipment (most of the good stuff is in my lab, anyway!) I’m not really keen to sink a lot of money into it. $140 is cheap for the technology, but too pricey just to satisfy my curiosity. We are left with option B: a swipe card spoofer. That is, a device which will fool a card reader into thinking you swiped an arbitrary card.

The basic design behind such a device is not my own work and I’m not the first to do this; you can find a few projects around to implement a device like this. That said, I’m just a dude choosing his projects for no higher purpose than his own amusement, so let’s set aside issues of redundancy and enjoy this, a fourth example of a mag-stripe spoofer.

Very basically, a card stripe contains a certain sequence of magnetic fields which the reader detects as you swipe the card through it. The basis of all the card-spoofing circuits is to make some kind of electromagnet, put it next to the read-head and manipulate the magnetic field in just the right way to mimic a card. My design is heavily based on Jarek’s design which you can find here (highly recommended reading). The idea is to create your own electromagnet by winding a coil, but since your coil will probably not fit inside the card slot you employ a ‘shim’. In this case that means a thin ferromagnetic core for your electromagnet which nicely couples the field to the detector in the card reader.

Before we go too far into the details, let me show you my finished shim so you have some idea of what I’m talking about:

Completed electromagnet

I used an old knife blade for this purpose. You first need to check that the thickness is good for the card slot and that the blade is ferromagnetic (e.g. will a fridge magnet stick to it?). I used a dremel to file out the dimensions I wanted and get all the edges smooth, which generated all kinds of sparks and made me feel extremely manly. Smooth edges are important for the next step; you can see in the picture where I’ve used some black electrical tape to cover some leftover sharp corners.

I then set about wrapping a coil of enamel coated wire around the shim, the thinnest I could get locally (0.25mm diameter, from Jaycar). Enamel coating is important because you don’t want the coil to short itself out. Sharp edges are bad news because they will cut through the enamel coating and give a short.

The strength of a magnetic field generated by a coil goes linearly with the number of turns, so for best results you want a lot. I honestly don’t remember how many I did, but it was a lot – maybe 100 or so turns? It was not optimized in any way, I just wanted to be sure it would work first time. If you wanted to keep the size down I’m sure you could do some testing of the minimum field strength required. After I finished I wrapped the coil in some more tape to protect it, and soldered on a standard 0.1″ 2 pin connector.

Now that the difficult part is done, you need something to intelligently power this coil so it creates the right field sequence. I put together an AVR board based on the Tiny2313, which as we will soon discover was not a clever choice.

The features I wanted were:

  • Should be as small as practical so I feel more like an awesome spy. Lots of surface mount components, and a professionally made PCB (from batchPCB.com)
  • Needs a powerful, compact battery to run the coil. Also needs to be something I have hanging around. I went for a 9V, and designed the PCB to have the same outline as a 9V battery so it could sit on top of it.
  • Should be able to store card sequences in memory and let me select which sequence to generate
  • Should be able to interface to a card reader so I can record a new card just by swiping it instead of needing a computer
  • However if I do have a computer handy, I should be able to use it as an RS232 adapter for the card reader and display decoded info on a terminal.

Here’s what I came up with:

Final schematic

Completed, assembled board

(Note the ‘aftermarket’ resistor at the top – I forgot a pulldown resistor for the transistor base. The schematic has been corrected with resistor R4. Also the pullup R2 was actually 4k7, I’m just lazy with putting in component values on schematics)

There is a main on/off power switch and a 5V linear regulator for the Tiny2313, which is running on an internal 1MHz oscillator. The Tiny outputs the selected card sequence once a second on one of its IO pins, but a momentary push switch isolates that from the transistor driver. So nothing actually happens at the coil unless I’m holding down the ‘SEND’ switch. The transistor driver is required since we want to use the highest current possible to get the biggest magnetic field possible. AVRs have pretty high source/sink ratings on IO pins, but we want even more.

Note that you don’t actually need to swap the polarity of the coil current; it suffices to just switch it on and off. That makes the drive electronics a lot easier. I put a reverse biased LED in parallel with the coil to be my snubber diode for the inductive ‘kickback’. I would not in general recommend this, but it was the only kind of diode I had on hand so I went with it. As a nice side effect you get some visual feedback when the coil operates. It turns out you also get some audible feedback – the magstripe reader makes some sick-sounding bleepy noises when you fire the coil with the shim in place. Not entirely sure why, but it heightens the sense of being a wicked cool hacker from a 90’s film.

The rest is pretty ordinary; a menu switch and some leds to cycle through memory slots, headers for a serial link connection and for a magstripe reader connection. The final assembly looks something like this: (Battery ‘unfolded’ from the PCB; logic analyser on the Omron reader)

Tomfoolery in progress

The good news is that it works! As captured by a logic analyser, here is the output from swiping my real ID card, and under that is the output from faking my ID card. The extra channel on the spoofed data shows you what the I/O pin driving the coil was doing to generate this.

Logic capture of an entire card swipe / fake card swipe

To clarify the operation of the ‘card detect’ signal from the reader: I initially thought this was based on some kind of mechanical switch that detected a card in the slot. But it’s not – it’s just based on getting a certain number of coil toggles. So you don’t need to swipe the shim, you can just place it in the swipe slot so it’s sitting on the read-head and go for gold.

Zoomed out this far it doesn’t look like a very good match, but if we look a little closer we can see that the spoofer did indeed make the card reader produce the same output sequence:

Zoomed in logic captures

(This also hopefully clarifies the coil sequence; within one clock period a single toggle causes data high and two toggles causes data low)
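To make the logic captures concrete, here is an added Python decoder for the track 2 bit stream a reader like the Omron clocks out; it is not the post's AVR source. It maps toggles per clock period to bits as described above, then recovers the 5-bit characters (four data bits sent LSB first plus an odd parity bit) and checks the trailing LRC. The sample stream is constructed for this example and carries a 7-digit ID like the one on the university card.

```python
# Added example: decoder for the track 2 bit stream a swipe reader clocks out.
# Not the post's AVR source. Characters follow ISO 7811 track 2: four data bits
# sent LSB first plus an odd parity bit; value v is the character chr(0x30 + v).
START_SENTINEL = 0xB   # ';'
END_SENTINEL = 0xF     # '?'

def f2f_bits(toggles_per_clock):
    """One flux toggle in a clock period is a 0, two toggles are a 1.
    (The reader's DATA line is active low, so 'data low' in the capture is a 1.)"""
    return "".join("1" if n == 2 else "0" for n in toggles_per_clock)

def decode_track2(bits):
    """Decode a '0'/'1' string with leading clocking zeros. Returns the decoded
    text, the fields between the sentinels, and the parity and LRC results."""
    start = bits.find("1")               # first 1 is b0 of the start sentinel
    if start < 0 or bits[start:start + 5] != "11010":
        raise ValueError("start sentinel not found")
    values, parity_ok, pos = [], True, start
    while pos + 5 <= len(bits):
        group = bits[pos:pos + 5]
        pos += 5
        values.append(int(group[3::-1], 2))            # reverse LSB-first data bits
        parity_ok = parity_ok and group.count("1") % 2 == 1  # odd parity, all 5 bits
        if values[-1] == END_SENTINEL:
            break
    else:
        raise ValueError("end sentinel not found")
    lrc_group = bits[pos:pos + 5]
    if len(lrc_group) < 5:
        raise ValueError("LRC missing")
    parity_ok = parity_ok and lrc_group.count("1") % 2 == 1
    expected = 0
    for v in values:                     # LRC = XOR of every character, sentinels included
        expected ^= v
    text = "".join(chr(0x30 + v) for v in values)
    return {"text": text, "fields": text[1:-1].split("="),
            "parity_ok": parity_ok, "lrc_ok": int(lrc_group[3::-1], 2) == expected}

# Constructed sample: ';1234567?' plus its LRC (0x4), padded with clocking zeros.
SAMPLE_BITS = ("0" * 10 + "11010"                          # ';'
               + "10000" + "01000" + "11001" + "00100"     # 1 2 3 4
               + "10101" + "01101" + "11100"               # 5 6 7
               + "11111" + "00100" + "0" * 10)             # '?' and LRC
SAMPLE_TOGGLES = [2 if b == "1" else 1 for b in SAMPLE_BITS]  # toggles per clock

if __name__ == "__main__":
    print(decode_track2(f2f_bits(SAMPLE_TOGGLES)))
```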

So awesome, I succeeded at the dubious art of magstripe spoofing! However as mentioned earlier the Tiny2313 was a bad choice on my part – there was not quite enough program memory to implement all the neat features I listed above. I should have gone with something like a TQFP mega88. Lesson learned: always leave yourself plenty of headroom while you’re still at the prototype stage. Slashed down source code for the Tiny2313 is available here (link fixed!). It’s very much thrown together; I’m putting it up so you can pick out any interesting parts if you’re having trouble making your own.

So after this technical diversion, let’s resume the story. Now that I can fake a card, was I able to open a door knowing only an ID number?

Sadly (but at the same time happily) no, it didn’t work. There are a few possibilities here, but my suspicion is that whoever designed this security system did a decent job of it and used more than one data track. So in reality there is probably more than just the ID number on the card, but with only a track 2 reader that’s all I saw. The design of the spoofer I’ve discussed can only fake one data track, which could still be interesting in some applications but is not enough here. (In principle you could fake three tracks at once but you would need a very complicated shim).

So my suspicious looking entry device was rejected and my office door remains secure against this manner of skulduggery.


About Craig
Craig is getting towards the end of a PhD in experimental nanotechnology. Arguably he might be finished by now if it weren't for all the crap described on this blog. Queries/comments to flashingleds@gmail.com

21 Responses to Spoofing magnetic swipe cards

  1. Pingback: Spoofing Magnetic Swipe Card Project - Hacked Gadgets - DIY Tech Blog

  2. Pingback: [dot]EXE » Spoofing Magnetic Swipe Card Project

  3. Cut up any old card to make height shims for your card reader. Then you can swipe your regular card at different heights and maybe get the other tracks.

    • Craig says:

      Good point, I have heard of that trick for reading different tracks but have never gotten around to trying it. It won’t work for the card faker, but would probably tell me what the missing info on the ID card is.

  4. redditor says:

    No, your door isn’t secure… you just haven’t spoofed the swipe correctly.

    Starting with only having about 50 ms of data. And I only see a dozen or so bits… There’s your problem. A swipe is generally closer to 500ms in duration, and the second track should contain 40, 5-bit binary coded digits. (These are not ASCII; the wave driving the coil shouldn’t be a square wave, etc…)

    Let me know in a comment the data you wish to encode and I’ll email you an audio file you can use to drive the electromagnet directly.

    Or you can carry on believing your door is secure… ;)

    • Craig says:

      Hi there,
      I’m not entirely convinced by your arguments. The reason you only see a couple dozen low bits is because there’s only a single 7-digit decimal ID code stored on the track. Track 2 has a maximum capacity of 37 characters, but in this case it’s only using 7. With the 4 databits+parity encoding scheme this doesn’t take many bits to encode.
      As for swipe speed – I can slow it down in the code, but real readers handle the fact that people swipe their cards at different speeds, so within certain reasonable bounds it doesn’t matter.
      Ultimately the proof is in the data, and you can see in the post that the waveforms from the faked and from the real card are essentially identical.
      Of course if you can convince me that I’m wrong and that there’s a problem with the waveform I’m happy to make some modifications and try it again.

  5. Pingback: Tricky Zone – Do It Yourself » Blog Archive » Spoofing Magnetic Swipe Card Project

  6. PhilT says:

    Hi, you can see easily if there is more than one track and if some data is present.
    Spray some iron powder on it and it’ll stick a bit.
    Then apply adhesive tape, remove it and apply it on a paper.
    You’ll have a nice fingerprint of the present tracks and you can even see data density and almost bits themselves.

  7. Rohit says:

    The reason why the coil-shim makes those beeping sounds is because the coil (along with some parasitic capacitance) forms a resonant circuit. This not only causes electrical resonance but also mechanical vibrations. And if the frequency of these vibrations happens to lie somewhere in the audible range you’ll hear a beep. Kinda like the whine you used to hear on old cameras when their flash (capacitor) was charging.

    • Craig says:

      Hi Rohit,
      I think you’re right, mechanical vibrations are the likely cause here. It only makes noise when positioned next to the read head, which I’m assuming is due to the rapidly alternating magnetic field shaking it around. The coil is pulsing at roughly 600Hz, which is certainly in the audible range.

  8. Pingback: Surprisingly simple magnetic card spoofer - Hack a Day

  9. superkuh says:

    The link to your source for the attiny2313 is 404.

    “Slashed down source code for the Tiny2313 is available *here*.”

    http://flashingleds.files.wordpress.com/2010/11/swipecard-actually-a-c-file.doc

    does not exist.

  10. Pingback: Crochetage de serrures à cartes magnétiques - CNIS mag

  11. Jason says:

    You don’t need shims or a fancy reader to be able to read any of the other two tracks.
    You say you bought an Omron V3A model… if so… take off the plastic cover where the maghead is located… and move the maghead itself.
    Move it up one level to read track 3… move it down one level to read track one.
    Granted moving the head each time is a pain… but it will still allow you to gather the info you want.
    See the 4th and 5th pictures on this page: http://stripesnoop.sourceforge.net/hardware/mod.html to see what I’m talking about.

  12. starkwood says:

    Could someone please explain the code or translate to assembly for some of us newbies?

    • Craig says:

      The source code is a bit of a mess; sorry if you’re having trouble following it. I’m not willing to rewrite it, but if you want to discuss what’s going on feel free to drop me a line (email address is in the source code)

  13. I will try to design this project. Thanks buddy…

  14. How hard would it be to be able to use an iPhone in such a way that you do not have to carry credit cards? Just for normal commercial transactions, not bank transactions.

  15. Anonymous says:

    all the cards are available to use in magnetic swipe card???
