_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Card-O-Rama: Magnetic Stripe Technology and Beyond
or
"A Day in the Life of a Flux Reversal"
Written by
oooOO Count Zero OOooo
Restricted Data Transmissions
November 99, 1999
Look in your wallet. Chances are you own at least 3 cards that have magnetic
stripes on the back. ATM cards, credit cards, calling cards, frequent flyer
cards, ID cards, passcards,...cards, cards, cards! And chances are you have
NO idea what information is on those stripes or how they are encoded. This
detailed document will enlighten you and hopefully spark your interest in
this fascinating field. None of this info is "illegal"...but MANY
organizations (the government, credit card companies, security firms, etc.)
would rather keep you in the dark. Also, many people will IMMEDIATELY
assume that you are a CRIMINAL if you merely "mention" that you are
"interested in how magnetic stripe cards work." Watch yourself, ok? Just
remember that there is nothing wrong with wanting to know how things work,
although in our present society, you may be labelled a "deviant"
(or worse, <gasp> a "hacker")!
Anyway, I will explain in detail how magstripes are encoded and give several
examples of the data found on some common cards. I will also cover the
technical theory behind magnetic encoding, and discuss magnetic encoding
alternatives to magstripes (Wiegand, barium ferrite). Non-magnetic card
technology (bar code, infrared, etc.) will be described. Finally, there will
be an end discussion on security systems and the ramifications of emergent
"smartcard" and biometric technologies.
Use this info to EXPLORE, not to EXPLOIT. This text is presented for
informational purposes only, and I cannot be held responsible for anything
you do or any consequences thereof. I do not condone fraud, larceny,
or any other criminal activities.
Lately, I've noticed a few "books" and "magazines" for sale that were filled
with files on a variety of computer topics. These files were originally
released into the Net with the intention of distributing them for free.
However, these files are now being packaged and sold for profit. This really
pisses me off. I am writing this to be shared for free, and I ask no
payment. Feel free to reprint this in hardcopy format and sell it if you must
but no profits must be made. Not a f***ing dime, Deutschmark, Punt, Lira,
Pound, or Centime! If anyone reprints this file and tries to sell it for a
profit, I will hunt you down and make your life miserable.
How?
Use your imagination. The reality will be worse.
First, I am going to explain the basics behind fields, heads, encoding and
reading. Try and absorb the theory behind encoding/reading. This will help
you greatly if you ever decide to build your own encoder/reader from scratch
(more on that later). Ferromagnetic materials are substances that retain
magnetism after an external magnetizing field is removed. This principle is
the basis of all magnetic recording and playback. Magnetic poles always occur
in pairs within magnetized material, and magnetic flux lines emerge from the
north pole and terminate at the south. The elemental parts of magstripes are
ferromagnetic particles about 20 millionths of an inch long, each of which acts
like a tiny bar magnet. These particles are rigidly held together by a resin
binder. The magnetic particles are made by companies which make coloring
pigments for the paint industry, and are usually called pigments. When making
the magstripe media, the elemental magnetic particles are aligned with their
North-South axes parallel to the magnetic stripe by means of an external
magnetic field while the binder hardens.
These particles are actually permanent bar magnets with two stable polarities.
If a magnetic particle is placed in a strong external magnetic field of the
opposite polarity, it will reverse its own polarity (North becomes South,
South becomes North). The external magnetic field strength required to
produce this flip is called the coercive force, and is a measure of the
coercivity of the particle. Magnetic pigments are available in a variety of
coercivities (more on that later on).
An unencoded magstripe is actually a series of North-South magnetic domains
(see Figure 1). The adjacent N-S fluxes merge, and the entire stripe acts as a
single bar magnet with North and South poles at its ends.
Figure 1: N-S.N-S.N-S.N-S.N-S.N-S.N-S.N-S <-particles in stripe
---------
represented as-> N-----------------------------S
However, if a S-S interface is created somewhere on the stripe, the fluxes will
repel, and we get a concentration of flux lines around the S-S interface (same
with N-N interface). Encoding consists of creating S-S and N-N interfaces, and
reading consists of (you guessed it) detecting 'em. The S-S and N-N interfaces
are called flux transitions, or flux reversals.
The external magnetic field used to flip the polarities is produced by a
solenoid, which can reverse its polarity by reversing the direction of current.
An encoding head solenoid looks like a bar magnet bent into the shape of a ring
so that the North/South poles are very close and face each other across a tiny
gap. The field of the solenoid is concentrated across this gap, and when
elemental magnetic particles of the magstripe are exposed to this field, they
polarize to the opposite (unlike poles attract). Movement of the stripe past
the solenoid gap during which the polarity of the solenoid is reversed will
produce a single flux reversal (see Figure 3). To erase a magstripe, the
encoding head is held at a constant polarity and the entire stripe is moved
past it. No flux reversals, no data.
                        | |  <----wires leading to solenoid
                        | |       (wrapped around ring)
                      /-|-|-\
                     /       \
Figure 3:           |         |  <----solenoid (has JUST changed polarity)
---------            \       /
                      \ N S /   <---gap in ring.. NS polarity across gap
N----------------------SS-N-------------------------S
                       ^^
                 <<<<<-direction of stripe movement
S-S flux reversal created at trailing edge of solenoid!
So, we now know that flux reversals are only created the INSTANT the solenoid
CHANGES its POLARITY. If the solenoid in Figure 3 were to remain at its
current polarity, no further flux reversals would be created as the magstripe
moves from right to left. But, if we were to change the solenoid gap polarity
from NS to *SN*, then (you guessed it) a *N-N* flux reversal would instantly be
created. Just remember, for each and every reversal in solenoid polarity, a
single flux reversal is created (commit it to memory). An encoded magstripe is
therefore just a series of flux reversals (NN followed by SS followed by NN).
DATA! DATA! DATA! That's what you want! How the hell are flux reversals read
and interpreted as data? Another solenoid called a READ HEAD is used to detect
these flux reversals. The read head operates on the principle of
ELECTROMAGNETIC RECIPROCITY: current passing thru a solenoid produces a
magnetic field at the gap, therefore, the presence of a magnetic field at the
gap of a solenoid coil will *produce a current in the coil*! The strongest
magnetic fields on a magstripe are at the points of flux reversals. These are
detected as voltage peaks by the reader, with +/- voltages corresponding to
NN/SS flux reversals (remember, flux reversals come in 2 flavors).
The "peak readout" square waveform is critical. Notice that the voltage peak
remains the same until a new flux reversal is encountered.
Now, how can we encode DATA? The most common technique used is known as
Aiken Biphase, or "two-frequency coherent-phase encoding" (sounds impressive,
eh?). First, digest the diagrams in Figure 5.
There you have it. Data is encoded in "bit cells," the frequency of which is
the frequency of '0' signals. '1' signals are exactly TWICE the frequency of
'0' signals. Therefore, while the actual frequency of the data passing the
read head will vary due to swipe speed, data density, etc, the '1' frequency
will ALWAYS be TWICE the '0' frequency. Figure 5C shows exactly how '1' and
'0' data exists side by side.
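The two-frequency rule above, as an added example in Python (not part of the original file): a decoder that turns the time between successive flux reversals into bits and re-estimates the bit-cell period as it goes, so a changing swipe speed does not matter. The function names, the 0.75 threshold and the generated intervals are assumptions made for illustration.

```python
# Added example: Aiken biphase (F2F) decoding from flux-reversal timing.
# Input is the time between successive flux reversals as a read head would
# see them; units are arbitrary because only ratios matter.

def f2f_intervals(bits, cell=100.0, drift=1.0):
    """Constructed signal source: reversal intervals for a bit string.

    A '0' bit cell has one reversal (at the cell edge). A '1' bit cell has
    an extra reversal mid-cell, so it shows up as two half-length intervals.
    `drift` scales each successive cell to imitate a changing swipe speed.
    """
    out = []
    for b in bits:
        out.extend([cell] if b == "0" else [cell / 2, cell / 2])
        cell *= drift
    return out


def decode_f2f(intervals, sync_cells=4):
    """Recover the bit string, tracking the cell period as speed changes."""
    if len(intervals) < sync_cells:
        raise ValueError("not enough leading clocking bits to sync")
    # The leading clocking bits are all zeros, so they measure the period.
    period = sum(intervals[:sync_cells]) / sync_cells
    bits = ["0"] * sync_cells
    i = sync_cells
    while i < len(intervals):
        t = intervals[i]
        if t > 0.75 * period:              # a full cell between reversals: 0
            bits.append("0")
            period = (period + t) / 2      # follow the swipe speed
            i += 1
            continue
        # A half cell must be followed by a second half cell: together a 1.
        if i + 1 >= len(intervals):
            raise ValueError("unpaired half-cell interval at end of data")
        second = intervals[i + 1]
        if second > 0.75 * period:
            raise ValueError("half cell not followed by another half cell")
        bits.append("1")
        period = (period + t + second) / 2
        i += 2
    return "".join(bits)
```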
We're getting closer to read DATA! Now, we're all familiar with binary and how
numbers and letters can be represented in binary fashion very easily. There
are obviously an *infinite* number of possible standards, but thankfully the
American National Standards Institute (ANSI) and the International Standards
Organization (ISO) have chosen 2 standards. The first is
** ANSI/ISO BCD Data format **
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
This is a 5-bit Binary Coded Decimal format. It uses a 16-character set, which
uses 4 of the 5 available bits. The 5th bit is an ODD parity bit, which means
there must be an odd number of 1's in the 5-bit character...the parity bit will
"force" the total to be odd. Also, the Least Significant Bits are read FIRST
on the strip. See Figure 6.
The sum of the 1's in each case is odd, thanks to the parity bit. If the read
system adds up the 5 bits and gets an EVEN number, it flags the read as ERROR,
and you got to scan the card again (I *know* a lot of you out there *already*
understand parity, but I got to cover all the bases...not everyone sleeps with
their modem and can recite the entire AT command set at will, you know). See
Figure 6 for details of ANSI/ISO BCD.
Figure 6: ANSI/ISO BCD Data Format
---------
* Remember that b1 (bit #1) is the LSB (least significant bit)!
* The LSB is read FIRST!
* Hexadecimal conversions of the Data Bits are given in parenthesis (xH).
--Data Bits-- Parity
b1 b2 b3 b4 b5 Character Function
***** 16 Character 5-bit Set *****
10 Numeric Data Characters
3 Framing/Field Characters
3 Control Characters
The magstripe begins with a string of Zero bit-cells to permit the self-
clocking feature of biphase to "sync" and begin decoding. A "Start Sentinel"
character then tells the reformatting process where to start grouping the
decoded bitstream into groups of 5 bits each. At the end of the data, an "End
Sentinel" is encountered, which is followed by a "Longitudinal Redundancy
Check" (LRC) character. The LRC is a parity check for the sums of all b1, b2,
b3, and b4 data bits of all preceding characters. The LRC character will catch
the remote error that could occur if an individual character had two
compensating errors in its bit pattern (which would fool the 5th-bit parity
check).
The START SENTINEL, END SENTINEL, and LRC are collectively called "Framing
Characters", and are discarded at the end of the reformatting process.
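The framing just described, as an added example in Python (not part of the original file): it finds the Start Sentinel after the clocking zeros, checks odd parity on every 5-bit character, verifies the LRC, and shows that two compensating bit errors pass the parity check but fail the LRC. The character values used (ASCII 30H plus the four data bits, ';' as Start Sentinel, '?' as End Sentinel) are the standard BCD set; the function names and the sample payload are constructed for illustration.

```python
# Added example: framing a decoded bitstream in the 5-bit ANSI/ISO BCD format.
BCD_CHARS = "0123456789:;<=>?"   # 4 data bits (0..15) map to ASCII 0x30 + value
SS, ES = 0xB, 0xF                # ';' start sentinel and '?' end sentinel


def char_bits(value):
    """Five bits as they pass the head: b1 (LSB) first, odd parity last."""
    data = [(value >> k) & 1 for k in range(4)]
    return data + [1 - sum(data) % 2]


def encode_track(payload, clocking=8):
    """Constructed test input: clocking zeros, SS, data, ES, LRC, zeros."""
    values = [SS] + [BCD_CHARS.index(c) for c in payload] + [ES]
    lrc = 0
    for v in values:
        lrc ^= v                 # even parity down each data-bit column
    bits = [0] * clocking
    for v in values + [lrc]:
        bits += char_bits(v)
    return bits + [0] * clocking


def read_char(bits, pos, what):
    """Read one 5-bit character at `pos`, enforcing odd parity."""
    cell = bits[pos:pos + 5]
    if len(cell) < 5:
        raise ValueError(f"bitstream ends inside {what}")
    if sum(cell) % 2 != 1:
        raise ValueError(f"parity error in {what}")
    return cell[0] | cell[1] << 1 | cell[2] << 2 | cell[3] << 3


def decode_track(bits):
    """Return the data characters between SS and ES, or raise ValueError."""
    if 1 not in bits:
        raise ValueError("no data: only clocking bits")
    pos = bits.index(1)          # SS is 1,1,0,1,0 so it starts at the first 1
    values, lrc = [], 0
    while not values or values[-1] != ES:
        v = read_char(bits, pos, f"character {len(values)}")
        if not values and v != SS:
            raise ValueError("first character is not the start sentinel")
        values.append(v)
        lrc ^= v
        pos += 5
    if read_char(bits, pos, "LRC") != lrc:
        raise ValueError("LRC mismatch")
    return "".join(BCD_CHARS[v] for v in values[1:-1])   # drop SS and ES
```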
** ANSI/ISO ALPHA Data Format **
Alphanumeric data can also be encoded on magstripes. The second ANSI/ISO data
format is ALPHA (alphanumeric) and involves a 7-bit character set with 64
characters. As before, an odd parity bit is added to the required 6 data bits
for each of the 64 characters. See Figure 7.
Figure 7: ANSI/ISO ALPHA Data Format
---------
* Remember that b1 (bit #1) is the LSB (least significant bit)!
* The LSB is read FIRST!
* Hexadecimal conversions of the Data Bits are given in parenthesis (xH).
     ------Data Bits-------   Parity
     b1  b2  b3  b4  b5  b6     b7     Character    Function
     1   1   0   1   1   1      0      [  (3BH)     Special
     0   0   1   1   1   1      1      \  (3DH)     Special
     1   0   1   1   1   1      0      ]  (3EH)     Special
     0   1   1   1   1   1      0      ^  (3FH)     Field Separator
     1   1   1   1   1   1      1      _  (40H)     Special
     ***** 64 Character 7-bit Set *****
       * 43 Alphanumeric Data Characters
       * 3 Framing/Field Characters
       * 18 Control/Special Characters
The two ANSI/ISO formats, ALPHA and BCD, allow a great variety of data to be
stored on magstripes. Most cards with magstripes use these formats, but
occasionally some do not. More about those later on.
** Tracks and Encoding Protocols **
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Now we know how the data is stored. But WHERE is the data stored on the
magstripe? ANSI/ISO standards define *3* Tracks, each of which is used for
different purposes. These Tracks are defined only by their location on the
magstripe, since the magstripe as a whole is magnetically homogeneous. See
Figure 8.
You can see the exact distances of each track from the edge of the card, as
well as the uniform width and spacing. Place a magstripe card in front of you
with the magstripe visible at the bottom of the card. Data is encoded from
left to right (just like reading a book). See Figure 9.
*** Track 3 Layout: ** Similar to tracks 1 and 2. Almost never used.
Many different data standards used.
Track 2, "American Banking Association," (ABA) is most commonly used. This
is the track that is read by ATMs and credit card checkers. The ABA designed
the specifications of this track and all world banks must abide by it. It
contains the cardholder's account, encrypted PIN, plus other discretionary
data.
Track 1, named after the "International Air Transport Association," contains
the cardholder's name as well as account and other discretionary data. This
track is sometimes used by the airlines when securing reservations with a
credit card; your name just "pops up" on their machine when they swipe your
card!
Since Track 1 can store MUCH more information, credit card companies are trying
to urge retailers to buy card readers that read Track 1. The *problem* is that
most card readers read either Track 1 or Track 2, but NOT BOTH! And the
installed base of readers currently is biased towards Track 2. VISA USA is at
the front of this 'exodus' to Track 1, to the point where they are offering
Track 1 readers at reduced prices thru participating banks. A spokesperson for
VISA commented:
"We think that Track 1 represents more flexibility and the potential
to deliver more information, and we intend to build new services
around the increased information."
What new services? We can only wait and see.
Track 3 is unique. It was intended to have data read and WRITTEN on it.
Cardholders would have account information UPDATED right on the magstripe.
Unfortunately, Track 3 is pretty much an orphaned standard. Its *original*
design was to control off-line ATM transactions, but since ATMs are now on-line
ALL THE TIME, it's pretty much useless. Plus the fact that retailers and banks
would have to install NEW card readers to read that track, and that costs $$.
Encoding protocol specifies that each track must begin and end with a length
of all Zero bits, called CLOCKING BITS. These are used to synch the self-
clocking feature of biphase decoding. See Figure 10.
Figure 10:                         end sentinel
                start sentinel     |  longitudinal redundancy check
                |                  |  |
000000000000000 SS.................ES LRC 0000000000000000
leading           data, data, data        trailing
clocking bits                             clocking bits
(length varies)                           (length varies)
THAT'S IT!!! There you have the ANSI/ISO STANDARDS! Completely explained.
Now, the bad news. NOT EVERY CARD USES IT! Credit cards and ATM cards will
follow these standards. BUT, there are many other types of cards out there.
Security passes, copy machine cards, ID badges, and EACH of them may use a
PROPRIETARY density/format/track-location system. ANSI/ISO is REQUIRED for
financial transaction cards used in the international interbank network. All
other cards can play their own game.
The good news. MOST other cards follow the standards, because it's EASY to
follow a standard instead of WORKING to make your OWN! Most magstripe cards
other than credit cards and ATM cards will use the same Track specifications,
and use either BCD or ALPHA formats.
"Wow, now I know how to interpret all that data on magstripes! But...waitasec,
what kind of equipment do I need to read the stripes? Where can I buy a
reader? I don't see any in Radio Shack!!"
Sorry, but magstripe equipment is hard to come by. For obvious reasons, card
readers are not made commonly available to consumers. How to build one is the
topic for another file (this file is already too long).
Your best bets are to try and scope out Electronics Surplus Stores and flea
markets. Do not even bother trying to buy one directly from a manufacturer,
since they will immediately assume you have "criminal motives." And as for
getting your hands on a magstripe ENCODER...well, good luck! Those rare
beauties are worth their weight in gold. Keep your eyes open and look around,
and MAYBE you'll get lucky! A bit of social engineering can go a LONG way.
There are different kinds of magstripe readers/encoders. The most common ones
are "swipe" machines: the type you have to physically slide the card thru.
Others are "insertion" machines: like ATM machines they 'eat' your card, then
regurgitate it after the transaction. Costs are in the thousands of dollars,
but like I said, flea markets and surplus stores will often have GREAT deals
on these things. Another problem is documentation for these machines. If you
call the manufacturer and simply ask for 'em, they will probably deny you the
literature. "Hey son, what are you doing with our model XYZ swipe reader?
That belongs in the hands of a "qualified" merchant or retailer, not some punk