
MagSpoof – wireless credit card/magstripe spoofer - pornel
https://github.com/samyk/magspoof
======
peteretep
One day in the future, Samy (the creator of this) will stop being the coolest
person on the internet, but today isn't that day. Previous projects include:

The Samy MySpace worm:
[https://en.wikipedia.org/wiki/Samy_%28computer_worm%29](https://en.wikipedia.org/wiki/Samy_%28computer_worm%29)

EverCookies: [http://samy.pl/evercookie/](http://samy.pl/evercookie/)

SkyJack:
[https://en.wikipedia.org/wiki/SkyJack](https://en.wikipedia.org/wiki/SkyJack)

And so much more... [http://samy.pl/](http://samy.pl/)
[https://en.wikipedia.org/wiki/Samy_Kamkar](https://en.wikipedia.org/wiki/Samy_Kamkar)

~~~
negativity

      SkyJack is a drone engineered to autonomously seek out,
      hack, and wirelessly take over other drones within wifi
      distance, creating an army of zombie drones under your
      control.

...and then:

      No authentication or encryption is used by the Parrot
      to secure the connection with the pilot.

Well, there's your problem!

~~~
akama
It's actually just a wireless network that you connect to and send commands to
the Parrot. It makes it really easy to control it from your laptop. There is a
library for it that makes it possible to be up and running in under 5 minutes.

Library: [https://github.com/felixge/node-ar-drone](https://github.com/felixge/node-ar-drone)

------
brokentone
It's stunning how bad many card issuing systems are (as noted in the post,
AmEx et al). When I was in college all of the administrative buildings,
student common areas as well as many of the student housing areas were
controlled by magstripe. Meals were also kept track of by card.

I knew from people losing their cards which continued working some places but
not others there was a relationship in the issuing. I got a reader, decoded
the card (zeropadded student ID, issue number, and XOR checksum).

I found other places to find the student ID number, and could enumerate a few
issue numbers. I built this spoofer:
[http://www.instructables.com/id/Arduino-Magstripe-Emulator/](http://www.instructables.com/id/Arduino-Magstripe-Emulator/)
Then I could get into my friends' apartments (as a POC with their permission,
of course).

I disclosed and got a thank you (I built a good relationship with my IT dept
over the years), but never figured out if they fixed it.

~~~
sliverstorm
It could have been "good enough". Remember the whole "keeps an honest man
honest" bit. Retooling their security system might cost a lot more than some
spoofed meals, and we all know doors & tumbler locks are never impervious.

~~~
slirpee
Yeah, until a man gains easy access to 17-year-old girls' housing, then
everyone will flip out. I mean, it's one thing to break stuff to get in, or
conspicuously pick a lock, it's another to casually slide a card like everyone
else and leave no trail other than maybe video surveillance or access logs
showing the same card being used at two ends of campus faster than possible
(which nobody will check until something bad happens and they go looking at
that data.)

I had a similar experience at my university. I found easy unauthenticated
sourcing of most of the data needed to clone the card of anybody by name. The
issue number was the only thing to guess, but easy to bruteforce on something
low-stakes like vending machines. The card was used for food, a debit-card-
like system, automated door locks to semi-public buildings and on-campus
housing.

With the permission and cooperation of the university security, I made a card
of a high-level security guy (who could have been targeted using the
public/semi-public org chart) and swiped into their datacenter where all the
university data is hosted, along with that of some partners with sensitive
data. Luckily the innermost parts need an RFID or something which I didn't
have access to, but potentially I could have tailgated or social-engineered my
way into that. They weren't interested in letting me research whether I could
crack the RFID. :(

I was told my demo made a big splash, but IIRC I checked a year or two later
and my source for the ID data was still wide open. There's having imperfect
locks and then there's leaving all your keys out in public.
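
slirpee mentions access logs that would show the same card at two ends of campus faster than anyone could walk, data nobody looks at until something has already gone wrong. As an added example (not code from any commenter or from the MagSpoof project), here is a Python batch check that does that review: it groups door swipes by card and flags consecutive swipes whose implied speed between doors exceeds a walking pace. The door coordinates, the log line format, the 3 m/s bound and the card ids are all constructed assumptions.

```python
"""Impossible-travel check over door-access logs (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime
from math import hypot
from typing import Dict, List, Tuple

# Constructed campus layout: door id -> (x, y) in metres. Hypothetical, not a real site.
DOOR_XY: Dict[str, Tuple[float, float]] = {
    "LIB-EAST": (0.0, 0.0),
    "DORM-7": (1200.0, 300.0),
    "DATACENTER": (1250.0, 320.0),
}

# Assumed upper bound on how fast a cardholder can move between two doors.
MAX_WALK_MPS = 3.0

# Constructed sample log: ISO timestamp, card id, door id, result of the swipe.
# Denied swipes are kept too: they still prove where the card physically was.
SAMPLE_LOG = """\
2015-11-24T12:00:05 card=0001234 door=LIB-EAST result=granted
2015-11-24T12:01:40 card=0001234 door=DORM-7 result=granted
2015-11-24T12:00:10 card=0005678 door=LIB-EAST result=granted
2015-11-24T12:20:00 card=0005678 door=DORM-7 result=granted
2015-11-24T12:21:00 card=0005678 door=DATACENTER result=denied
"""


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split one constructed log line into (timestamp, card id, door id)."""
    ts_str, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts_str), fields["card"], fields["door"]


def impossible_travel(log_text: str, max_mps: float = MAX_WALK_MPS) -> List[Tuple[str, str, str, float]]:
    """Return (card, from_door, to_door, implied_speed_mps) for every pair of
    consecutive swipes by one card that would need faster-than-walking travel."""
    by_card: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, card, door = parse_line(line)
            by_card[card].append((ts, door))

    alerts: List[Tuple[str, str, str, float]] = []
    for card, events in by_card.items():
        events.sort()  # chronological order per card
        for (t0, d0), (t1, d1) in zip(events, events[1:]):
            (x0, y0), (x1, y1) = DOOR_XY[d0], DOOR_XY[d1]
            dist = hypot(x1 - x0, y1 - y0)
            secs = (t1 - t0).total_seconds()
            if dist == 0.0:
                continue  # same door twice is not a travel problem
            speed = dist / secs if secs > 0 else float("inf")
            if speed > max_mps:
                alerts.append((card, d0, d1, round(speed, 1)))
    return alerts


if __name__ == "__main__":
    for card, src, dst, mps in impossible_travel(SAMPLE_LOG):
        print(f"card {card}: {src} -> {dst} implies {mps} m/s")
```

Card 0001234 covers roughly 1.2 km between the library and the dorm in 95 seconds and is flagged; card 0005678 moves at walking pace and is not. Running this nightly over the real log, rather than only after an incident, is the whole difference between having this data and using it.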

~~~
sliverstorm
_it's another to casually slide a card like everyone else_

How about to casually insert a duplicated key like everyone else?

~~~
slirpee
It's true, I didn't consider this enough. But I had a way to create a key
without ever possessing the original. If it could only be copied from the
original, as even a semi-competent implementation of a magstripe would be,
there would still be the chance that someone notices a theft of a key, and
it's just harder to pull off if you have to find and covertly steal a key.

My point is that being able to trivially hijack arbitrary identities without
even knowing the person let alone physically finding them, is not "good
enough." It'd be like if you could make arbitrary car keys with just a VIN,
and the VIN is displayed prominently, it would be silly to say "Well now, it
keeps honest people honest, so it's good enough."

------
pornel
There's more gems in there, e.g. a couple of Amex vulnerabilities:

[https://github.com/samyk/magspoof#american-express-card-number-prediction](https://github.com/samyk/magspoof#american-express-card-number-prediction)

> I found a global pattern that allows me to accurately predict American
> Express card numbers by knowing a full card number, even if already reported
> lost or stolen.
>
> This means if I were to obtain your Amex card and you called it in as lost
> or stolen, the moment you get a new card, I know your new credit card number.

~~~
sjtgraham
Anyone who has an Amex would notice this immediately. The last digit is the
Luhn check digit and the digit before that increments each time a card is
issued, starting from 0.

~~~
viraptor
Either it's only a specific kind of amex, or it's not starting from 0, or this
is incorrect information.

I've got 2 AMEX cards - one reissued and ends with 0, another issued the first
time and ends with non-0. (I'm ignoring the check digit)

~~~
sjtgraham
I've just pulled a load of my expired Amex cards. It looks like I got the
incrementing digit wrong. On my cards it's the 4th from last that increments.
UK Amex FWIW.

------
guyzero
This is how Samsung Pay works, right? edit: And LoopPay which I guess Samsung
acquired.

~~~
UnoriginalGuy
Yes.

And Samsung is really in a panic right now since the chip & pin rollout is
going to effectively nullify their investment. Initially they can just strip
the "require pin" flag from the magstripe, but eventually opt-out won't be
supported.

So Samsung is investing massively into Samsung Pay adverts and promotions in
order to get people using it, with the hope that once this functionality
breaks that people will continue using it via NFC supported terminals.

I believe they give you $50-100 just to use Samsung Pay right now for one
example.

~~~
sliverstorm
Did they ever think chip & pin wouldn't roll out? I took the magstripe
emulation as a bridge play, to be the first truly viable mobile payments
option in order to take pole position in the coming mobile payments scuffle.

------
JaggedJax
I was very surprised to learn there's no check for Chip and Pin requirements
beyond what the magstripe requests. I naively assumed if the card had that
feature the terminal could force it to be used. What would happen with the
other fields he mentions, like whether or not you can withdraw cash with the
card?

~~~
chrisfosterelli
The terminal has no method to determine if the card is Chip and Pin enabled
aside from the magstripe.

Sure it could check for the actual chip, but credit card fraudsters aren't
creating fake cards that include the chip so that wouldn't help either.

I would argue the way they _should_ implement it is such that the bank itself
rejects the transaction if it knows the card is chip enabled and the terminal
is as well.

~~~
Strilanc
I always assumed that chip/pin being used was at least _checked_ by the credit
card company. The machine should be telling them if it supports chip/pin, and
the cc company independently knows all the information about your card, so...
urrrrgh.

~~~
seanp2k2
What's also interesting about our chip readers here in the US is that they
only do chip + signature for credit cards, so they're not adding anything if
someone physically has your card (I've had the ones they auto-reissue, which
Chase claims they cannot stop in their system, stolen from my mailbox).

------
mistercow
> What's incredible is that the magstripe reader requires no form of wireless
> receiver, NFC, or RFID

Another way of looking at it is that the magstripe reader _is_ a wireless
receiver. It just usually works with signals so weak that they can only be
transmitted a minuscule distance.

------
oxplot
Hmm, I'm very surprised that magstripe readers don't have sensors that detect
physical presence of a card, even to this date. But regardless, the main point
for me was how trivially one could downgrade the security by setting the bit
about Chip/PIN capability off.

~~~
rplnt
I'm surprised magstripe readers still exist. I don't think I've used one in
years. They are often there... but I don't see their purpose. Last non-chip
card I've seen was maybe 12 years ago.

~~~
fluxquanta
You're obviously not in America, then. Out of the 6 cards in my wallet only 2
even have a chip yet (my bank promises my most frequently used card has a chip
equivalent in the mail).

------
deutronium
I wrote a little tool that decodes the data optically from a credit card,
using a photo of the credit card and an iron solution.

[https://www.anfractuosity.com/projects/optical-magnetic-stripe-reading/](https://www.anfractuosity.com/projects/optical-magnetic-stripe-reading/)

I'm planning on seeing if I can decode data from higher density mediums with
the same approach, when I can get my hands on some iron nanoparticles.

------
the_mitsuhiko
The shitty thing is that because of Samsung Pay it's impossible for a merchant
to distinguish a cloned magstripe from a legitimate samsung pay transaction
using MST. I wrote a bit about this a few months ago:
[http://lucumr.pocoo.org/2015/8/31/the-thing-about-samsung-pay/](http://lucumr.pocoo.org/2015/8/31/the-thing-about-samsung-pay/)

------
vermilingua
Can anyone explain the legality of building and using one of these (for your
own cards, obviously)? I know there are similar appliances, but do they need
to be accredited?

------
JimmaDaRustla
It mentions "disabling chip and pin", meaning it will convert the sentinel
character on the magnetic stripe which tells the terminal that it is a chip
card. By disabling the sentinel character and using this on a chip enabled
terminal, the financial institute (BASE24) SHOULD decline the transaction
because the Track 2 data will be incorrect.

Edit: I meant on an EMV compliant terminal.

Edit: Also, that is considered fraud and you're best not testing it, unless you
like the prison environment.
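
Several comments above circle the same issuer-side check: sjtgraham notes that the last digit of the number is the Luhn check digit, chrisfosterelli and Strilanc argue the bank should reject a swipe when it knows the card is chip-enabled and the terminal is too, oxplot points at the Chip/PIN capability field in the stripe, and JimmaDaRustla expects the decline because the Track 2 data no longer matches what was issued. As an added example (not code from the MagSpoof project or any commenter), here is Python authorization logic that puts those together: it parses the Track 2 data, validates the Luhn check digit, and declines when the presented service code differs from the one the issuer itself encoded, or when a chip-capable card arrives as a plain swipe at an EMV-capable terminal. The issuer record table, the Track 2 strings, the well-known test PAN 4111111111111111 and the strict no-fallback policy are constructed assumptions; a real issuer's fallback rules are more nuanced.

```python
"""Issuer-side check for a magstripe chip downgrade (added example; constructed data).

Track 2 layout per ISO/IEC 7813:  ';' PAN '=' YYMM service-code discretionary '?'
"""
import re
from dataclasses import dataclass
from typing import Dict

TRACK2_RE = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


def luhn_valid(pan: str) -> bool:
    """Luhn check: the last digit of the PAN is a check digit over the others."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str    # three digits

    @property
    def chip_expected(self) -> bool:
        # First digit 2 or 6: an IC is present and should be used where possible.
        return self.service_code[0] in "26"

    @property
    def cash_allowed(self) -> bool:
        # Third digit 2, 5 or 7 restricts the card to goods and services only.
        return self.service_code[2] not in "257"

    @property
    def pin_required(self) -> bool:
        # Third digit 0, 3 or 5 requires a PIN.
        return self.service_code[2] in "035"


def parse_track2(raw: str) -> Track2:
    """Parse and sanity-check raw Track 2 data; raises ValueError on anything odd."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("malformed Track 2")
    t = Track2(m["pan"], m["exp"], m["svc"])
    if not luhn_valid(t.pan):
        raise ValueError("PAN fails Luhn check")
    return t


# Constructed issuer records: the service code the issuer itself wrote on the stripe.
ISSUER_RECORDS: Dict[str, Dict[str, str]] = {
    "4111111111111111": {"service_code": "201"},   # chip card, online auth, no restrictions
}


def authorize(raw_track2: str, terminal_emv_capable: bool) -> str:
    """Decide on a swiped (magstripe) transaction using the issuer's own record."""
    try:
        t = parse_track2(raw_track2)
    except ValueError as e:
        return f"DECLINE: {e}"
    rec = ISSUER_RECORDS.get(t.pan)
    if rec is None:
        return "DECLINE: unknown PAN"
    if t.service_code != rec["service_code"]:
        # The stripe the issuer encoded does not change on its own; a different
        # service code means the track data was rewritten.
        return "DECLINE: service code differs from issued value"
    if t.chip_expected and terminal_emv_capable:
        # Strict policy assumed here: no magstripe fallback for chip cards at chip terminals.
        return "DECLINE: chip card swiped at chip-capable terminal (fallback not permitted)"
    return "APPROVE"


if __name__ == "__main__":
    genuine = ";4111111111111111=2512201000000000?"
    edited = ";4111111111111111=2512101000000000?"   # same card, chip indicator removed
    print("genuine stripe, chip terminal:", authorize(genuine, terminal_emv_capable=True))
    print("genuine stripe, swipe-only terminal:", authorize(genuine, terminal_emv_capable=False))
    print("edited stripe, chip terminal:", authorize(edited, terminal_emv_capable=True))
```

The second check is the one chrisfosterelli asks for: the terminal cannot know more than the stripe tells it, but the issuer does, and it is the only party that can compare what was presented against what it issued.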

------
Justin_K
I found Josh's code a couple years ago and had this very project working. Not
as well documented but the concept has been around for some time.

[https://github.com/joshlf/magspoof](https://github.com/joshlf/magspoof)

------
0x2015
I recall people demonstrating something similar to this with passports at defcon
some years back from quite the distance. Picking up credit card data and ids
wirelessly is definitely not new. This is why I use small magnetic / RFID
blocking case while traveling.

~~~
corin_
This submission isn't about that.

------
Animats
It should be possible to detect this with a reader firmware upgrade, if the
reader reads more than one track on the card. If both read heads are showing
similar signals, the signal isn't coming from a normal card.
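
As an added example (not code from the MagSpoof project or from Animats), here is the reader-firmware heuristic described above, written in Python over constructed data: a genuine card carries different data on Track 1 and Track 2 at different recording densities, so the two heads never report the same transition timing, whereas a single coil driving one waveform shows up identically on both. The bit patterns, the assumed swipe speed, the 5 % timing tolerance and the 95 % match threshold are constructed assumptions, and the check presumes a reader that actually samples both heads.

```python
"""Two-head consistency check for a magstripe reader (added example; constructed data)."""
from typing import List, Sequence

# Constructed bit patterns standing in for the two tracks of one genuine card.
TRACK1_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]
TRACK2_BITS = [1, 1, 0, 1, 0, 0, 0, 1]

# Assumed swipe speed of ~50 in/s: 210 bpi -> ~95 us per bit cell, 75 bpi -> ~267 us.
TRACK1_CELL_US = 95.2
TRACK2_CELL_US = 266.7


def f2f_intervals(bits: Sequence[int], cell_us: float) -> List[float]:
    """Flux-transition intervals (microseconds) for Aiken biphase (F2F) encoding:
    every bit cell starts with a transition and a 1 bit adds one mid-cell."""
    out: List[float] = []
    for b in bits:
        if b:
            out.extend([cell_us / 2, cell_us / 2])
        else:
            out.append(cell_us)
    return out


def heads_agree(head_a: Sequence[float], head_b: Sequence[float],
                tol: float = 0.05, min_match: float = 0.95) -> bool:
    """True when both heads report the same number of transitions and at least
    min_match of the intervals agree within tol (5 % absorbs clock jitter)."""
    if not head_a or len(head_a) != len(head_b):
        return False
    matching = sum(1 for a, b in zip(head_a, head_b) if abs(a - b) <= tol * max(a, b))
    return matching / len(head_a) >= min_match


def classify_swipe(head_a: Sequence[float], head_b: Sequence[float]) -> str:
    """Firmware-level verdict on one swipe from the two heads' transition timings."""
    return "spoof-suspected" if heads_agree(head_a, head_b) else "ok"


if __name__ == "__main__":
    genuine = (f2f_intervals(TRACK1_BITS, TRACK1_CELL_US),
               f2f_intervals(TRACK2_BITS, TRACK2_CELL_US))
    print("genuine card:", classify_swipe(*genuine))
    one_coil = f2f_intervals(TRACK2_BITS, TRACK2_CELL_US)
    # Both heads pick up the same waveform, with a little timing jitter on one of them.
    print("single-coil emitter:", classify_swipe(one_coil, [x * 1.02 for x in one_coil]))
```

The genuine card fails the agreement test immediately because the two tracks do not even yield the same number of transitions; the single-coil case passes it despite the injected jitter and is flagged.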

~~~
dfox
That depends on whether the terminal has physical capability to read more than
one track of card data. I have an Ingenico Alphira terminal in my junk box and
from casual inspection it looks like the magnetic head has two coils, but
while there are footprints for two sense amplifiers, only one is populated.

------
xseven
So much for Coin

~~~
scentedmeat
It's actually mentioned that this was to overcome poor performance with Coin.

------
Smushman
This is too damn cool to pass up - talk about convenience... I would have been
willing to pay for such an item!

Yes everyone is going to run around and scream 'security!!' when they realize
how ridiculously trivial this process always has been, but it does not change
facts - it has always been this easy, but this is a new way to highlight that
fact.

