Decoding magnetic cards Path: ux1.cso.uiuc.edu!uwm.edu!wupost!zaphod.mps.ohio-state.edu!

uakari.primate.wisc.edu!ames!agate!dog.ee.lbl.gov!network.ucsd.edu!ucsd.edu!brian From:
brian@ucsd.edu (Brian Kantor) Newsgroups: sci.electronics Subject: Re: Encoding Scheme of Mag Stripe
Cards? Message-ID: Date: 10 Jan 92 20:58:00 GMT References:
<1992Jan10.202240.2789@ux1.cso.uiuc.edu> Organization: The Avant-Garde of the Now, Ltd. Lines: 373
NNTP-Posting-Host: ucsd.edu Path: ucsd!usc!cs.utexas.edu!uunet!mcsun!hp4nl!ooc.uva.nl!ropg ~From:
ropg@ooc.uva.nl (Rop Gonggrijp) ~Newsgroups: sci.electronics ~Subject: Re: Credit card encoding
Message-ID: <13619@slice.ooc.uva.nl> ~Date: 26 Sep 90 13:09:59 GMT ~References:
<28174@pasteur.Berkeley.EDU> Organization: uvabick ~Lines: 28 e142-aq@hercules.Berkeley.EDU
(Alan Nishioka) writes: >Does anybody know how information is encoded on the magnetic stripe for
>credit cards, bank cards, my student id, etc.? Any references? A trip >to the library and looking thru the
reader 's guide didn't get me anywhere. Well, there's three tracks (ISO 3554), all 0.110" wide. The top
one is 210 BPI and has 7 bits per chr. (incl. parity). Total 79 alpha-num. chrs. The second track has 75 BPI,
5 bits per chr. (incl. par.) total 40 digits The third track has agian 210 BPI, 5 bits per chr (yeah incl. par.)
total 107 digits. Data is coded reversing the polarity of the magnetic field once or twice in the field for
that bit. Since you cannot double of half the speed of the card within the space for 1 bit, it all works. >I
just bought a card reader which had 5 ttl level outputs. Two for each >of 2 head tracks and a 5th that
goes low when a card is being run thru. >The chips don't seem to be identifiable. Well, the bad news is
that you'll have to write the decoding software yourself. Not much to it, I did it on a Commodore-64.
Our magazine ("Hack-Tic") printed the full specs on all this in the last issue. -- Rop Gonggrijp
(ropg@ooc.uva.nl) is also editor of Hack-Tic (hack/phreak mag.) quote: "We don't care about freedom of
the mind, | Postbus 22953 (in DUTCH) freedom of signature will do just fine" | 1100 DL AMSTERDAM
Any opinions in this posting are wasted on you | tel: +31 20 6001480 From ucsd!swrinde!
zaphod.mps.ohio-state.edu!julius.cs.uiuc.edu!psuvax1!rutgers!dayton!jad Fri Sep 28 04:18:32 PDT 1990
> Article <28174@pasteur.Berkeley.EDU> From: e142-aq@hercules.Berkeley.EDU > (Alan Nishioka)
>Does anybody know how information is encoded on the magnetic stripe for >credit cards, bank cards,
my student id, etc.? Any references? A trip >to the library and looking thru the reader 's guide didn't get
me anywhere. You'll want to see the American National Standard X4.16 (which I just happen to have
sitting in my lap.) It is available from the American National Standards Institute, Inc. 1430 Broadway New
York, NY 10018 My version is dated 1983. I suspect it has been superceded by now. It details everything
(everything!) you ever could possibly want to know about mag stripe encoding for financial services
cards. >I just bought a card reader which had 5 ttl level outputs. Two for each >of 2 head tracks and a
5th that goes low when a card is being run thru. >The chips don't seem to be identifiable. In most all of
the MSR's I've taken apart, the chips are custom. One of our vendor's configurations for the wiring
looked like this: 1 RDT1 Data from track 1 2 RCL1 Clock from track 1 3 GND 4 +5V 5 n/c 6 RCL2 Clock
from track 2 7 CLD Card Presence 8 RDT2 Data from track 2 You could use a scope to determine which is
which -- track 2 is recorded at 75 bits/inch while track 1 is 210 bits/inch. Just watch the blinking! The
data is self clocking. _____ __ __ _____ __ | |_____| |__| |__| |__| |_____ ^ ^ ^ ^ ^ ^ ^ 0 0 1 1 0 1 0 >I
discovered that cards seem to use two different levels of stripe, for >a total of 4 tracks on my bank card,
but only two on my student id, which >are at the wrong level for my reader. Your bank card will typically
only use the read-only tracks one and two. Track 3 is a read/write track that has the same
electromagnetic properties as track 1, but its usage is not standardized within the industry. Many cards
issued today do not even have magnetic media at the location for track 3. (It was originally intended for
off-line ATM authorization, but guess what happened to that idea!) >The code must be self-clocking and
I would guess just have simple >error checking (parity) since the card can just be run thru again if
>necessary. The parity checking is pretty impressive. Track 1 characters are 6 bits plus one (odd) parity
bit. There is also an LRC (Longitudinal Redundancy Check) character after the end sentinel character. The
LRC bits are parity bits for all the characters in the track such that the total one bits are odd. (The LRC
parity bit is simply a parity check on the LRC character.) This scheme protects against almost all random
card damage, as you would have to have four bits wrong (the corners of a rectangle, physically) to
escape detection. Track 2 parity detection is the same, but track 2 characters are only 4 bits plus one
(odd) parity bit. The character sets are fairly simple subsets of ASCII. Tracks 1 & 3 use this table: 0 1 2 3
00 01 10 11 <-MSD 0 0000 SP 0 @a P 1 0001 !a 1 A Q 2 0010 "a 2 B R 3 0011 #b 3 C S 4 0100 $ 4 D T 5
0101 %c 5 E U 6 0110 &a 6 F V 7 0111 'a 7 G W 8 1000 ( 8 H X 9 1001 ) 9 I Y A 1010 *a :a J Z B 1011 +a ;a
K [d C 1100 ,a a N ^c F 1111 / ?c O _d a For the encoding of data on magnetic stripe cards, these
character positions shall not contain information characters (data content). b Optional additional
graphic. c These characters shall have the following meaning for this application: 25 % represents start
sentinel. 3F ? represents end sentinel. 5E ^ represents separator. d These character positions are
reserved for additional national characters when required. They shall not be used internationally. Track
1 format: Format A. Reserved for proprietary use of card issuer. Format B. Start sentinel 1 character
Format code = "B" 1 character - alpha only Primary Account Number Up to 19 characters (Note 1)
Separator 1 character Country code 3 characters (Note 2) Name 2-26 characters (note 3) Surname
Surname separator="/" First name or initial Space (when required) (Note 4) Middle name or initial
Period (when followed by title) Title (when used) Separator 1 character Expiration date or 4 characters
or 1 character separator (Note 5) Discretionary data The balance to maximum record length End sentinel
1 character LRC 1 character (see above for LRC calculation) Total 79 characters max. Notes: 1 In
accordance with the account numbering scheme in ANSI X4.13-1983. 2 When the primary account
number commences with major industry identifier "5" followed by "9", the encoding of the country in
this position is mandatory. In all other situations, the expiration date or separator shall immediately
follow the separator that terminates the primary account number. The country code for the United
States is 840. 3 The absolute minimum data encoded in the name field will be a single alpha character in
the surname area and the surname separator (/). 4 The space character is required to separate the
logical elements of the name field other than the surname. The separator terminating the name field
should be encoded following the last logical element of the name field. If only the surname is encoded,
it will follow the surname separator. 5 In accordance with ANSI X3.30-1971. If no expiration date is
associated with the card, a separator shall be encoded. The format for the expiration date is YYMM.
Format Codes C through M. The format codes are reserved for use by ANSI Subcommittee X3B10 in
connection with other data formats of track 1. Format Codes N through Z. Available for use by individual
card issuers. Track 2 uses the following 4 bit character set: 0 0000 0 1 0001 1 2 0010 2 3 0011 3 4 0100 4
5 0101 5 6 0110 6 7 0111 7 8 1000 8 9 1001 9 A 1010 Note 1 B 1011 Start sentinel (start character) C
1100 Note 2 D 1101 Separator E 1110 Note 1 F 1111 End sentinel (stop character) Notes: 1 These
characters are available for hardware control purposes and shall not be used for data content. 2 This
character is reserved for future definition in connection with the data format on track 2. Track 2 format:
Start sentinel 1 character Primary Account Number Up to 19 characters (Note 1) Separator 1 character
Country code 3 characters (Note 2) Expiration date or 4 characters or 1 character separator (Note 3)
Discretionary data The balance to maximum record length End sentinel 1 character LRC 1 character (see
above for LRC calculation) Total 40 characters max. Notes: 1 In accordance with the account numbering
scheme in ANSI X4.13-1983. 2 When the primary account number commences with major industry
identifier "5" followed by "9", the encoding of the country in this position is mandatory. In all other
situations, the expiration date or separator shall immediately follow the separator that terminates the
primary account number. The country code for the United States is 840. 3 In accordance with ANSI
X3.30-1971. If no expiration date is associated with the card, a separator shall be encoded. The format
for the expiration date is YYMM. >BTW, I just want to read, not commit bank fraud :-) I would have to
build >another card input/output assembly for that :-) I've seen some scams based on ATM card fraud,
but it may be tough to fool Mother Visa...particularily when you have to hand your card to a living,
breathing human. Do me a favor and mail me a copy of your interface circuit when you get it working,
OK? -j, now you know all our little secrets, eh? -- J. Deters Ask me about my PS/2. // INTERNET:
jad@dayton.DHDSC.MN.ORG Then, // UUCP: ...!bungia!dayton!jad ask me about my Amiga! \\ // ICBM:
44^58'36"N by 93^16'12"W \X/ From ucsd!dog.ee.lbl.gov!pasteur!cory.Berkeley.EDU!atn Wed May 8
07:41:21 PDT 1991 Just got my new California driver's license. No, I'm not 17, but I take the bus a lot. It
has a holographic plastic laminate of "DMV" and the California Seal. My color picture was digitized into
and IBM computer as was my thumb print and my signature. The mag stripe on the back has three
tracks. Just for fun, I thought I'd try to read it. I had previously been able to read bank cards (with help
from sci.electronics). I found that the information encoded is basically just what is printed on the card.
Kinda uninteresting. Of course I couldn't figure out what little extra information was encoded.... (marked
unidentified below) It took me a little while to figure out the format, and I suppose it is documented
somewhere (anyone know where?) but it was fun. Bank Cards -- conform to ANSI/ISO 7810-1985 ($10)
Track 1: 6 bit word with 1 bit parity. LSB first. code offset 32 below ASCII code. Track 2: 4 bit word with 1
bit parity. LSB first. Numbers only. Driver's License -- Track 1: 6 bit word with no parity. Otherwise same
as Bank Card. Track 2: Same as Bank Card. California Driver's License: --------------------------- Track 2: (low
density) 8 unidentified digits License Number Separator Expiration Date (YYMM) Separator Date of Birth
(YYYYMMDD) Track 1: (High density) DALAN TAKEO NISHIOKA $ 974 TULARE AVE ALBANY Name (58
characters) Address (29 characters) City (13 characters) Track 3: (High density. Can't reposition read
head. ); Great Western Bank ATM Card: --------------------------- Track 2: Account number on the front of
the card Separator Expiration date (no country code) Other (propietary) data Track 1: Format B Account
number Separator Name (from front of card) Separator Expiration date (no country code) Other data
AT&T Universal Card: ------------------- Track 1: Format B Account Number Separator Name Separator
Expiration Date (YYMM) 6 Unknown chars Calling Card Number (10 digits) Track 2: Account Number
Separator Expiration Date (YYMM) 3 Unknown chars Citibank ATM Card: ----------------- Track 1: Format A
(proprietary) Name Separator Account Number Separator Expiration Date (MMYY) 7 Unidentified chars
Track 2: Account Number Separator Expiration Date (MMYY) 7 Unidentified chars
----------------------------------------------------------------------------- Alan Nishioka KC6KHV
atn@cory.berkeley.edu ...!ucbvax!cory!atn 974 Tulare Avenue, Albany CA 94707-2540 37'52N/122'15W
+1 415 526 1818 Newsgroups: sci.electronics From: pam@kaarne.cs.tut.fi (Ala-M{yry
Pekka,,,OHJ,52774,1052) Subject: Re: Magnetic Stripe Cards Originator: pam@kaarne.cs.tut.fi Nntp-
Posting-Host: kaarne.cs.tut.fi Reply-To: pam@kaarne.cs.tut.fi Organization: Tampere University of
Technology, Dep. of Computer Science Date: Sat, 14 May 1994 22:42:32 GMT From article , by
lware@voxel.com (Lance Ware): > A while back I saw some info on mag stripe cards here. Can anyone
point > me to it? I am interested in how much data the various (Credit, Hotel > Room, etc . . .)stripes can
hold. > > Lance Ware > IS Manager & VOXEL Guru > VOXEL I have a copy of a German version (EN 27
811) of a standard ISO 7811-2 and German version of standard ISO 4909. And English version of ISO
7830. The quotes of the original are in parenthesis. I'm not very good at German so please correct if I am
wrong. EN 27 811 (ISO 7811-2) The data density (Bit-Dichte) at three of the tracks: Alphanumeric track
(Alphanumerische Spur 1): 8,3bits/mm [210 bits/inch] Numeric track (Numerische Spur 2): 3bits/mm [75
bits/inch] Read-Write track (Schreib-Lesespur 3): 8,3bits/mm [210 bits/inch] Format of track 1 data: 6
bits of data with odd parity (6-Bit-Zeichencode mit ungerader Paritat) Format of tracks 2 and 3: BCD-4
bit code with odd parity (BCD-4-Bit-Code mit ungerader Paritat) ISO 7830 Track 1 - Structure B: 79
characters Track 2 - Standard structure: 40 digits ISO 4909 Track 3 - Max. 107 characters (Maximal
Gesamt 107) -- pam@cs.tut.fi Pekka Ala-Mayry Tampere Univ. of Tech. Tampere, FINLAND Summary of
replies to the following request: Subject: Mag Card Swipe Reader: Need Help! Hello, Everybody. I just
picked up one of those swipe readers for mag stripes on credit cards etc. from a surplus outfit (American
Science & Surplus in Evanston, IL 708/475-8440 for those who are interested). It's not the complete unit
with keypad, display, etc. but rather just the guts of the subassembly which actually reads the card (hey,
what do you expect for $2.50?? ;-) Since it's surplus and taken out of a larger piece of equipment, I have
no docs for this sucker. My hope is that someone else picked up one of these things to play with and has
some docs or has figured out enough about it to get it to work, OR can tell me who to contact to get
more info on this beast. I figured this would be a good place to ask since I've seen people asking about
swipe card readers recently. Anyway, here's a description: The unit is about 6" long, 1" wide, and maybe
2" high. It consists of a metal backing plate, attached to which is a black plastic guide channel through
which you swipe the card. On one side of the plastic channel is a read head for the mag stripe; on the
opposite side is a small printed circuit board. Removing the plastic guide from the mounting plate
reveals that the manufacturer is SR&D corporation of Tokyo, Japan. The model number is MCR-175-1R-
0803; a serial number is also listed. The SR&D logo-lettering appears on the component side of the PC
board, and on the foil side of the board the SR&D is repeated along with the code "FNC -065-1" in the
upper right hand corner. The board has one IC on it (I can't easily see what the numbers are on this chip,
so I'm not sure what kind it is other than a 16 pin DIP). There is a spot for another chip, an 8-pin DIP for
which the screened label reads "IC2 6914", but this chip and some other resistors, capacitors, etc. are
missing. Finally, there are 5 wires coming from the assembly and terminating in a small connector similar
to power supply connectors for 3.5" floppy drives. The wires are red, yellow, green, blue, and black. I
haven't hacked on this thing at all yet, since I don't know what its power requirements are or even
which are power leads and which are data leads. If anyone has any information on this puppy which
might help me, I'd love to hear from you! Please email me. I'll share whatever I find out with anyone
who's interested. Thanks! --- [Editor's Note: The following is a concatenation of the replies I received to
the net.request above. After the replies I have included information which was posted to the net on how
mag stripe cards are encoded (in case anyone missed it). Finally, I have included some software that I
threw together to play with the card reader. This file contains all the information I have on this subject.
Additions are most welcome. You'll notice I didn't get any farther than simply reading the raw signal
from the card; of the two card readers I ordered, one was completely DOA, and the other had a faulty
clock output (at least I assume that it was a clock output; I was never able to read any sort of signal from
that line). Someone with a fully functional reader can easily extend what I wrote to get it to decode the
actual data content of the card. If you do decide to make modifications and/or extensions, I'd appreciate
a copy of whatever changes you make (email to tmkk@uiuc.edu). Enjoy!] Subject: Re: Mag Card Swipe
Reader: Need Help! I am truly amazed that someone else is trying to use this device! I got mine about 2
years ago and spent some time trying to find the manufacturer. I found a listing for SR&D in the Noth
America technical directory at the public library. I found the listing for the American sales office in Los
Angeles. I tried calling but the company had gone out of business. There was no listing in the local phone
directory either. I then tried calling the head office in Japan, but they also had gone out of business. I
haven't seen the company listed in any recent electronics directories, so I think they really are gone. I
have spent about an hour looking at the signals on the outputs of the device. One signal line is a
/STATUS line which indicates when a card is been moved through the unit. The other 2 lines pulse in
response to a magnetic card. I believe the IC performs Manchester decoding and clock recovery for the
read channel, so one output line is DATA and the other is CLOCK. That is as far as I got 2 years ago and I
had forgot about it until now. If you receive any other info, please send a copy to me! --- >Finally, there
are 5 wires coming from the assembly and terminating in a >small connector similar to power supply
connectors for 3.5" floppy drives. >The wires are red, yellow, green, blue, and black. If its anything like
the units I worked with, I think you will find that the five wires are: +5v Gnd Clock Data Card detected
But I don't know active levels, or which wire is what. --- I picked few week ago a magnetic credit card
reader from a another surplus outfit. It cost about the sam es yours. My card reader was made by
MAGTEK and was diffrent from your reder in many ways. The reader I have has 4 ICs and some of them
are standard TTL chip, so I could easily quess the power requiments (5V) and power connectors. My card
reader had 6 pin connector. I put the power to the reader and started to examine the signals with
multimeter and a little crystal earphine (my favourite electronics hacking tool). I found that output
signals were something like that: data out, data clock out, data readable and and card ath the end of the
reader. Then I connected the reader to the joystick port of my 386SX and made a little Turbo Pascal
program for reading the card. Spare printer port is the interface I use very often to connect diffrent
hardware circuit to my computer. This time I decided to use game port beacuse it can also provide the
power to the reader. My program simply prints out the bits from the card. I have not found the way to
decode the bits to corresponding numbers. The program so prints all 237 bits form the card to screen. If
you have any information about data coding, I an interrested in hearing that. Here is the meanings of
the bytes in port $201: D7: 0 -> card pushed to the end of the reader D6: the read data from card D5: 0 -
> data stream readable D4: the data clock Program CardReader; Uses Crt,Binary; Const gameport=$201;
Procedure Wait_start; Begin Repeat Until (Port[gameport] and 32)=0; End; Function
data_readable:boolean; Begin data_readable:=((Port[gameport] and 32)=0); End; Procedure Wait_clock;
Begin Repeat Until (Port[gameport] and 16)=0; End; Procedure Wait_clock_end; Begin Repeat Until
(Port[gameport] and 16)=16; End; Function data_input:byte; Begin If (Port[gameport] and 64)=0 Then
data_input:=0 Else data_input:=1; End; Function card_at_end:boolean; Begin
card_at_end:=((Port[gameport] and 128)=0); End; Procedure test; Begin Wait_start; Repeat
Writeln(ByteBin(Port[$201])); Until keypressed; End; Begin ClrScr; Wait_start; While data_readable Do
Begin Wait_clock; Write(data_input); Wait_clock_end; End; Repeat Until KeyPressed; End. --- Wiring
color code for the SR&D MCR-175-1R-0803 mag stripe card reader: Red: +5V Black: Gnd Yellow: /Card
Detect Green: Clock (?? - non-functional on the unit I have) Blue: /Data The leading '/' indicates an active
low TTL signal. --- Quick 'n Dirty guide to the enclosed reader software
---------------------------------------------------- Hooking the SR&D MCR-175-1R-0803 card reader to your PC:
The included software is written specifically for the following configuration; if your wiring is different,
you'll need to make corresponding changes to the software. Note also that the port address is hard-
coded to look for LPT2's status port (at address 0x279). If you're using a different port address, be sure
to change the port address value. SR&D Wire Printer Port Pin Port Bit Signal --------- ---------------- --------
------ Yellow 11 7 /CARD DETECT Blue 10 6 /DATA Black 18 N/A (Ground) Power to the reader was
provided by a separate power supply, basically one of those black plastic DC power packs fed through a
7805 regulator chip. Compiling the software: Compile SWIPE.C (using SMALL memory model), assemble
SWIPEISR.ASM, and link the two together. Using the software: To use SWIPE.EXE, simply hook the
reader up to your LPT2: port, power it up, then run SWIPE. When you're ready, press the ENTER key, and
swipe a card through the reader. The program will read the data from the card and store it in a buffer
(but will not decode the data; that is left as an excercise ;-). After the card has been read, press ENTER
again and the contents of the buffer will be dumped to stdout. To save the card data to a file, simply
redirect SWIPE's output on the command line, e.g. SWIPE > citibank.out Please let me know of any
changes, bug fixes, or improvements you make to this code. Send email to tmkk@uiuc.edu. Thanks, and
have fun! --- CUT HERE --- /* * S W I P E . C * * Written: * 1/11/92 * * Description: Quick 'n Dirty reader
program for SR&D mag stripe card reader. * Reads data from the input port as long as a card is detected
in the * card slot. After sampling, the data is dumped to stdout, and may * be redirected to a file if
desired. * * Note: Written for Borland C++ 3.0 - may require changes to compile under * MSC or others.
Compile in SMALL model. * */ #include #include #include #include #include #include #include
#include /* timer chip programming register port addresses */ #define COMMAND_REG 0x43 #define
CHANNEL0 0x40 /* size of sample buffer */ #define MAXSAMPLE 4096 typedef unsigned char byte; /*
global variables */ byte *databuf; /* buffer for the sampled data */ /* interprocess communication data
*/ byte *bufp; /* data buffer pointer */ unsigned nsamp; /* number of samples to be made */ unsigned
port; /* input port address */ int enab=0; /* flag to enable/disable sampling */ int start=0; /* flag
indicating that sampling has begun */ /* ISR prototype */ extern void interrupt shand(void); void
program_timer(int channel, unsigned count) /* * P R O G R A M _ T I M E R * * Description: Programs
the given count value into the specified channel of * the IBM 825x timer chip. Channel 0 is the time-of-
day-clock interrupt; * channel 2 is the speaker pulser. * * Parameter: * channel (in) - Channel to be
programmed. * count (in) - Count value with which to program timer chip. * */
{ outportb(COMMAND_REG, 0x36); /* set up for reprogramming */ outportb(CHANNEL0 + channel,
count & 0xff); /* lo byte first */ outportb(CHANNEL0 + channel, count >> 8); /* then hi byte */ } void
sample_data(int count) /* * S A M P L E _ D A T A * * Description: Sets up for data collection from the
printer port using * the SHAND interrupt service routine (see SWIPEISR.ASM). This routine * reprograms
the timer chip for the desired sampling rate, sets up * the interprocess communication area, and starts
the sampling process. * The actual sampling is done in the SHAND procedure. This routine * waits until
sampling has been completed before returning. * */ { void interrupt (*oldhand)(void); /* pointer to old
interrupt vector */ /* save old interrupt vector */ oldhand = getvect(0x1c); /* clear enable flag */ enab =
0; start = 0; /* install new vector */ setvect(0x1c, shand); /* set up interprocess communications area */
nsamp = 0; bufp = databuf; port = 0x279; /* address of printer status register */ cprintf("Sampling at
%fHz (= %fms)....", 1193180.0 / (float)count, (float)count / 1193.18); /* reprogram timer chip */
program_timer(0, count); /* enable sampling */ enab = 1; /* wait until sampling is completed */ while
(enab) ; /* restore standard timing value */ program_timer(0, 0); /* reinstall old handler vector */
setvect(0x1c, oldhand); cprintf(" completed.\r\n"); } void main() { unsigned i; /* allocate memory */
databuf = calloc(MAXSAMPLE, sizeof(byte)); assert (databuf != NULL); cprintf("Press when ready to
swipe card:"); getchar(); sample_data(12); /* This works out to about a 100kHz sampling rate */
cprintf("Sampling completed, %u samples total.\r\n", nsamp); cprintf("Press to dump data.\r\n\r\n");
getchar(); /* dump data to stdout */ for (i=0; i); Sat, 18 Jan 1992 19:44:44 -0600 Received: from
spica.bu.edu by mrcnext.cso.uiuc.edu (NeXT-1.0 (From Sendmail 5.52)/NeXT-1.0) id AA02279; Sat, 18
Jan 92 19:42:18 CST Received: by spica.bu.edu (5.61+++/Spike-2.1) id AA12820; Sat, 18 Jan 92 20:43:39 -
0500 Date: Sat, 18 Jan 92 20:43:39 -0500 From: count0@spica.bu.edu (Bobby Newmark) Message-Id:
<9201190143.AA12820@spica.bu.edu> To: khan@mrcnext.cso.uiuc.edu Subject: Re: Encoding Scheme
of Mag Stripe Cards?
******************************************************************************* * * *
Card-O-Rama: Magnetic Stripe Technology and Beyond * * * * or * * * * "A Day in the Life of a Flux
Reversal" * * * * * * * * by: ..oooOO Count Zero OOooo.. .RDT. 11/22/91 * * *
******************************************************************************* ---A
production of : -=Restricted -=Data -=Transmissions : : : : "Truth is cheap, but information costs." : Look
in your wallet. Chances are you own at least 3 cards that have magnetic stripes on the back. ATM cards,
credit cards, calling cards, frequent flyer cards, ID cards, passcards,...cards, cards, cards! And chances are
you have NO idea what information is on those stripes or how they are encoded. This detailed
document will enlighten you and hopefully spark your interest in this fascinating field. None of this info
is 'illegal'...but MANY organizations (government, credit card companies, security firms, etc.) would
rather keep you in the dark. Also, many people will IMMEDIATELY assume that you are a CRIMINAL if
you merely "mention" that you are "interested in how magnetic stripe cards work." Watch yourself, ok?
Just remember that there's nothing wrong with wanting to know how things work, altho in our present
society, you may be labelled a "deviant" (or worse, a "hacker!"). Anyway, I will explain in detail how
magstripes are encoded and give several examples of the data found on some common cards. I will also
cover the technical theory behind magnetic encoding, and discuss magnetic encoding alternatives to
magstripes (Wiegand, barium ferrite). Non-magnetic card technology (bar code, infrared, etc.) will be
described. Finally, there will be an end discussion on security systems and the ramifications of emergent
"smartcard" and biometric technologies. *DISCLAIMER* Use this info to EXPLORE, not to EXPLOIT. This
text is presented for informational purposes only, and I cannot be held responsible for anything you do
or any consequences thereof. I do not condone fraud, larceny, or any other criminal activities. *A
WARNING* I've noticed lately a few "books" and "magazines" for sale that were FILLED with PHILES on a
variety of computer topics. These philes were originally released into the Net with the intention of
distributing them for FREE. HOWEVER, these philes are now being PACKAGED and sold FOR PROFIT. This
really pisses me off. I am writing this to be SHARED for FREE, and I ask no payment. Feel free to reprint
this in hardcopy format and sell it if you must, but NO PROFITS must be made. Not a fucking DIME! If
ANYONE reprints this phile and tries to sell it FOR A PROFIT, I will hunt you down and make your life
miserable. How? Use your imagination. The reality will be worse. ** MAGSTRIPE FIELDS, HEADS,
ENCODING/READING ** Whew! I'll get down to business now. First, I am going to explain the basics
behind fields, heads, encoding and reading. Try and absorb the THEORY behind encoding/reading. This
will help you greatly if you ever decide to build your own encoder/reader from scratch (more on that
later). FERROMAGNETIC materials are substances that retain magnetism after an external magnetizing
field is removed. This principle is the basis of ALL magnetic recording and playback. Magnetic POLES
always occur in pairs within magnetized material, and MAGNETIC FLUX lines emerge from the NORTH
pole and terminate at the SOUTH. The elemental parts of MAGSTRIPES are ferromagnetic particles
about 20 millionths of an inch long, each of which acts like a tiny bar magnet. These particles are rigidly
held together by a resin binder. The magnetic particles are made by companies which make coloring
pigments for the paint industry, and are usually called pigments. When making the magstripe media, the
elemental magnetic particles are aligned with their North-South axes parallel to the magnetic stripe by
means of an external magnetic fields while the binder hardens. These particles are actually permanent
bar magnets with TWO STABLE POLARITIES. If a magnetic particle is placed in a strong external magnetic
field of the opposite polarity, it will FLIP its own polarity (North becomes South, South becomes North).
The external magnetic field strength required to produce this flip is called the COERCIVE FORCE, or
COERCIVITY of the particle. Magnetic pigments are available in a variety of coercivities (more on that
lateron). An unencoded magstripe is actually a series of North-South magnetic domains (see Figure 1).
The adjacent N-S fluxes merge, and the entire stripe acts as a single bar magnet with North and South
poles at its ends. Figure 1: N-S.N-S.N-S.N-S.N-S.N-S.N-S.N-S <-particles in stripe --------- represented as->
N-----------------------------S However, if a S-S interface is created somewhere on the stripe, the fluxes will
REPEL, and we get a concentration of flux lines around the S-S interface. (same with N-N interface)
ENCODING consists of creating S-S and N-N interfaces, and READING consists of (you guessed it)
detecting 'em. The S-S and N-N interfaces are called FLUX REVERSALS. ||| ||| <-flux lines Figure 2:
N------------N-N-S-S-----------------S --------- flux lines -> ||| ||| The external magnetic field used to flip the
polarities is produced by a SOLENOID, which can REVERSE its polarity by reversing the direction of
CURRENT. An ENCODING head solenoid looks like a bar magnet bent into the shape of a ring so that the
North/South poles are very close and face each other across a tiny gap. The field of the solenoid is
concentrated across this gap, and when elemental magnetic particles of the magstripe are exposed to
this field, they polarize to the OPPOSITE (unlike poles attract). Movement of the stripe past the solenoid
gap during which the polarity of the solenoid is REVERSED will produce a SINGLE flux reversal (see Figure
3). To erase a magstripe, the encoding head is held at a CONSTANT polarity and the ENTIRE stripe is
moved past it. No flux reversals, no data. | | <----wires leading to solenoid | | (wrapped around
ring) /-|-|-\ / \ Figure 3: | | <----solenoid (has JUST changed polarity) --------- \ / \ N S / <---gap in ring..
NS polarity across gap N----------------------SS-N-------------------------S ^^ <<<<<-direction of stripe
movement S-S flux reversal created at trailing edge of solenoid! So, we now know that flux reversals are
only created the INSTANT the solenoid CHANGES its POLARITY. If the solenoid in Figure 3 were to remain
at its current polarity, no further flux reversals would be created as the magstripe moves from right to
left. But, if we were to change the solenoid gap polarity from NS to *SN*, then (you guessed it) a *N-N*
flux reversal would instantly be created. Just remember, for each and every reversal in solenoid polarity,
a single flux reversal is created (commit it to memory..impress your friends..be a tech weenie!). An
encoded magstripe is therefore just a series of flux reversals (NN followed by SS followed by NN ...).
DATA! DATA! DATA! That's what you want! How the hell are flux reversals read and interpreted as data?
Another solenoid called a READ HEAD is used to detect these flux reversals. The read head operates on
the principle of ELECTROMAGNETIC RECIPROCITY: current passing thru a solenoid produces a magnetic
field at the gap, therefore, the presence of a magnetic field at the gap of a solenoid coil will *produce a
current in the coil*! The strongest magnetic fields on a magstrip are at the points of flux reversals. These
are detected as voltage peaks by the reader, with +/- voltages corresponding to NN/SS flux reversals
(remember, flux reversals come in 2 flavors). See Figure 4. magstripe---> -------NN--------SS--------
NN---------SS------ Figure 4: voltage-----> .......+.........-.........+...........-..... --------- ---------- ------------- peak
readout--> | | | | --------| |----------| |---- The 'peak readout' square waveform is critical. Notice that the
voltage peak remains the same until a new flux reversal is encountered. Now, how can we encode
DATA? The most common technique used is known as Aiken Biphase, or 'two-frequency coherent-phase
encoding' (sounds impressive, eh?). First, digest the diagrams in Figure 5. Figure 5: ---------- ----------
---------- --------- | | | | | | <- peak a) | |--------| |--------| | readouts * 0 * 0 * 0 * 0 * 0 * ----- ----- ----- -----
----- - | | | | | | | | | | | b) | |----| |----| |----| |----| |----| * 1 * 1 * 1 * 1 * 1 * ----- ---------- ----- ----- - | | |
| | | | | | c) | |----| |--------| |----| |----| * 1 * 0 * 0 * 1 * 1 * There ya have it. Data is encoded in 'bit
cells,' the frequency of which is the frequency of '0' signals. '1' signals are exacty TWICE the frequency of
'0' signals. Therefore, while the actual frequency of the data passing the read head will vary due to
swipe speed, data density, etc, the '1' frequency will ALWAYS be TWICE the '0' frequency. Figure 5C
shows exactly how '1' and '0' data exists side by side. We're getting closer to read DATA! Now, we're all
familiar with binary and how numbers and letters can be represented in binary fashion very easily. There
are obviously an *infinite* number of possible standards, but thankfully the American National
Standards Institute (ANSI) and the International Standards Organization (ISO) have chosen 2 standards.
The first is ** ANSI/ISO BCD Data format ** This is a 5-bit Binary Coded Decimal format. It uses a 16-
character set, which uses 4 of the 5 available bits. The 5th bit is an ODD parity bit, which means there
must be an odd number of 1's in the 5-bit character..the parity bit will 'force' the total to be odd. Also,
the Least Significant Bits are read FIRST on the strip. See Figure 6. The sum of the 1's in each case is odd,
thanks to the parity bit. If the read system adds up the 5 bits and gets an EVEN number, it flags the read
as ERROR, and you gotta scan the card again. (yeah, I *know* a lot of you out there *already*
understand parity, but I gotta cover all the bases...not everyone sleeps with their modem and can recite
the entire AT command set at will, you know ;). See Figure 6 for details of ANSI/ISO BCD. Figure 6:
ANSI/ISO BCD Data Format --------- * Remember that b1 (bit #1) is the LSB (least significant bit)! * The
LSB is read FIRST! * Hexadecimal conversions of the Data Bits are given in parenthesis (xH). --Data Bits--
Parity b1 b2 b3 b4 b5 Character Function 0 0 0 0 1 0 (0H) Data 1 0 0 0 0 1 (1H) " 0 1 0 0 0 2 (2H) " 1 1 0 0
1 3 (3H) " 0 0 1 0 0 4 (4H) " 1 0 1 0 1 5 (5H) " 0 1 1 0 1 6 (6H) " 1 1 1 0 0 7 (7H) " 0 0 0 1 0 8 (8H) " 1 0 0 1 1
9 (9H) " 0 1 0 1 1 : (AH) Control 1 1 0 1 0 ; (BH) Start Sentinel 0 0 1 1 1 < (CH) Control 1 0 1 1 0 = (DH)
Field Separator 0 1 1 1 0 > (EH) Control 1 1 1 1 1 ? (FH) End Sentinel ***** 16 Character 5-bit Set *****
10 Numeric Data Characters 3 Framing/Field Characters 3 Control Characters The magstripe begins with
a string of Zero bit-cells to permit the self-clocking feature of biphase to "sync" and begin decoding. A
"Start Sentinel" character then tells the reformatting process where to start grouping the decoded
bitstream into groups of 5 bits each. At the end of the data, an "End Sentinel" is encountered, which is
followed by an "Longitudinal Redundancy Check (LRC) character. The LRC is a parity check for the sums
of all b1, b2, b3, and b4 data bits of all preceding characters. The LRC character will catch the remote
error that could occur if an individual character had two compensating errors in its bit pattern (which
would fool the 5th-bit parity check). The START SENTINEL, END SENTINEL, and LRC are collectively called
"Framing Characters", and are discarded at the end of the reformatting process. ** ANSI/ISO ALPHA
Data Format ** Alphanumeric data can also be encoded on magstripes. The second ANSI/ISO data
format is ALPHA (alphanumeric) and involves a 7-bit character set with 64 characters. As before, an odd
parity bit is added to the required 6 data bits for each of the 64 characters. See Figure 7. Figure 7: ---------
ANSI/ISO ALPHA Data Format * Remember that b1 (bit #1) is the LSB (least significant bit)! * The LSB is
read FIRST! * Hexadecimal conversions of the Data Bits are given in parenthesis (xH). ------Data Bits-------
Parity b1 b2 b3 b4 b5 b6 b7 Character Function 0 0 0 0 0 0 1 space (0H) Special 1 0 0 0 0 0 0 ! (1H) " 0 1 0
0 0 0 0 " (2H) " 1 1 0 0 0 0 1 # (3H) " 0 0 1 0 0 0 0 $ (4H) " 1 0 1 0 0 0 1 % (5H) Start Sentinel 0 1 1 0 0 0 1
& (6H) Special 1 1 1 0 0 0 0 ' (7H) " 0 0 0 1 0 0 0 ( (8H) " 1 0 0 1 0 0 1 ) (9H) " 0 1 0 1 0 0 1 * (AH) " 1 1 0 1 0
0 0 + (BH) " 0 0 1 1 0 0 1 , (CH) " 1 0 1 1 0 0 0 - (DH) " 0 1 1 1 0 0 0 . (EH) " 1 1 1 1 0 0 1 / (FH) " 0 0 0 0 1 0
0 0 (10H) Data (numeric) 1 0 0 0 1 0 1 1 (11H) " 0 1 0 0 1 0 1 2 (12H) " 1 1 0 0 1 0 0 3 (13H) " 0 0 1 0 1 0 1
4 (14H) " 1 0 1 0 1 0 0 5 (15H) " 0 1 1 0 1 0 0 6 (16H) " 1 1 1 0 1 0 1 7 (17H) " 0 0 0 1 1 0 1 8 (18H) " 1 0 0 1
1 0 0 9 (19H) " 0 1 0 1 1 0 0 : (1AH) Special 1 1 0 1 1 0 1 ; (1BH) " 0 0 1 1 1 0 0 < (1CH) " 1 0 1 1 1 0 1 =
(1DH) " 0 1 1 1 1 0 1 > (1EH) " 1 1 1 1 1 0 0 ? (1FH) End Sentinel 0 0 0 0 0 1 0 @ (20H) Special 1 0 0 0 0 1 1
A (21H) Data (alpha) 0 1 0 0 0 1 1 B (22H) " 1 1 0 0 0 1 0 C (23H) " 0 0 1 0 0 1 1 D (24H) " 1 0 1 0 0 1 0 E
(25H) " 0 1 1 0 0 1 0 F (26H) " 1 1 1 0 0 1 1 G (27H) " 0 0 0 1 0 1 1 H (28H) " 1 0 0 1 0 1 0 I (29H) " 0 1 0 1 0
1 0 J (2AH) " 1 1 0 1 0 1 1 K (2BH) " 0 0 1 1 0 1 0 L (2CH) " 1 0 1 1 0 1 1 M (2DH) " 0 1 1 1 0 1 1 N (2EH) " 1
1 1 1 0 1 0 O (2FH) " 0 0 0 0 1 1 1 P (30H) " 1 0 0 0 1 1 0 Q (31H) " 0 1 0 0 1 1 0 R (32H) " 1 1 0 0 1 1 1 S
(33H) " 0 0 1 0 1 1 0 T (34H) " 1 0 1 0 1 1 1 U (35H) " 0 1 1 0 1 1 1 V (36H) " 1 1 1 0 1 1 0 W (37H) " 0 0 0 1
1 1 0 X (38H) " 1 0 0 1 1 1 1 Y (39H) " 0 1 0 1 1 1 1 Z (3AH) " 1 1 0 1 1 1 0 [ (3BH) Special 0 0 1 1 1 1 1 \
(3DH) Special 1 0 1 1 1 1 0 ] (3EH) Special 0 1 1 1 1 1 0 ^ (3FH) Field Separator 1 1 1 1 1 1 1 _ (40H)
Special ***** 64 Character 7-bit Set ***** * 43 Alphanumeric Data Characters * 3 Framing/Field
Characters * 18 Control/Special Characters The two ANSI/ISO formats, ALPHA and BCD, allow a great
variety of data to be stored on magstripes. Most cards with magstripes use these formats, but
occasionally some do not. More about those lateron. ** Tracks and Encoding Protocols ** Now we know
how the data is stored. But WHERE is the data stored on the magstripe? ANSI/ISO standards define *3*
Tracks, each of which is used for different purposes. These Tracks are defined only by their location on
the magstripe, since the magstripe as a whole is magnetically homogeneous. See Figure 8. Figure 8:
--------- _________________________________________________________________ | ^ ^ ^
|------------------| 0.223"--|---------|------------------------- | | | 0.353" | ^ |..................|.........|.........| 0.493" |
| Track #1 0.110" | | | |............................|.........|... | | | | |............................|.........|... | | Track #2
0.110" | | |......................................|... | | | | |......................................|... | | Track #3 0.110" |
|.......................................... | | | |------------------------------------------------------------------ | | | You can see
the exact distances of each track from the edge of the card, as well as the uniform width and spacing.
Place a magstripe card in front of you with the magstripe visible at the bottom of the card. Data is
encoded from left to right (just like reading a book, eh?). See Figure 9. Figure 9: --------- ANSI/ISO Track
1,2,3 Standards Track Name Density Format Characters Function
-------------------------------------------------------------------- 1 IATA 210 bpi ALPHA 79 Read Name & Account 2
ABA 75 bpi BCD 40 Read Account 3 THRIFT 210 bpi BCD 107 Read Account & *Encode* Transaction ***
Track 1 Layout: *** | SS | FC | PAN | Name | FS | Additional Data | ES | LRC | SS=Start Sentinel "%"
FC=Format Code PAN=Primary Acct. # (19 digits max) FS=Field Separator "^" Name=26 alphanumeric
characters max. Additional Data=Expiration Date, offset, encrypted PIN, etc. ES=End Sentinel "?"
LRC=Longitudinal Redundancy Check *** Track 2 Layout: *** | SS | PAN | FS | Additional Data | ES |
LRC | SS=Start Sentinel ";" PAN=Primary Acct. # (19 digits max) FS=Field Separator "=" Additional
Data=Expiration Date, offset, encrypted PIN, etc. ES=End Sentinel "?" LRC=Longitudinal Redundancy
Check *** Track 3 Layout: ** Similar to tracks 1 and 2. Almost never used. Many different data
standards used. Track 2, "American Banking Association," (ABA) is most commonly used. This is the track
that is read by ATMs and credit card checkers. The ABA designed the specifications of this track and all
world banks must abide by it. It contains the cardholder's account, encrypted PIN, plus other
discretionary data. Track 1, named after the "International Air Transport Association," contains the
cardholder's name as well as account and other discretionary data. This track is sometimes used by the
airlines when securing reservations with a credit card; your name just "pops up" on their machine when
they swipe your card! Since Track 1 can store MUCH more information, credit card companies are trying
to urge retailers to buy card readers that read Track 1. The *problem* is that most card readers read
either Track 1 or Track 2, but NOT BOTH! And the installed base of readers currently is biased towards
Track 2. VISA USA is at the front of this 'exodus' to Track 1, to the point where they are offering Track 1
readers at reduced prices thru participating banks. A spokesperson for VISA commented: "We think that
Track 1 represents more flexibility and the potential to deliver more information, and we intend to build
new services around the increased information." What new services? We can only wait and see. Track 3
is unique. It was intended to have data read and WRITTEN on it. Cardholders would have account
information UPDATED right on the magstripe. Unfortunately, Track 3 is pretty much an orphaned
standard. Its *original* design was to control off-line ATM transactions, but since ATMs are now on-line
ALL THE TIME, it's pretty much useless. Plus the fact that retailers and banks would have to install NEW
card readers to read that track, and that costs $$. Encoding protocol specifies that each track must begin
and end with a length of all Zero bits, called CLOCKING BITS. These are used to synch the self- clocking
feature of biphase decoding. See Figure 10. Figure 10: end sentinel start sentinel | longitudinal
redundancy check | | | 000000000000000 SS.................ES LRC 0000000000000000 leading data, data,
data trailing clocking bits clocking bits (length varies) (length varies) THAT'S IT!!! There you have the
ANSI/ISO STANDARDS! Completely explained. Now, the bad news. NOT EVERY CARD USES IT! Credit
cards and ATM cards will follow these standards. BUT, there are many other types of cards out there.
Security passes, copy machine cards, ID badges, and EACH of them may use a PROPRIETARY
density/format/track-location system. ANSI/ISO is REQUIRED for financial transaction cards used in the
international interbank network. All other cards can play their own game. The good news. MOST other
cards follow the standards, because it's EASY to follow a standard instead of WORKING to make your
OWN! Most magstripe cards other than credit cards and ATM cards will use the same Track
specifications, and use either BCD or ALPHA formats. ** A Bit About Magstripe Equipment ** "Wow,
now I know how to interpret all that data on magstripes! But... waitasec, what kind of equipment do I
need to read the stripes? Where can I buy a reader? I don't see any in Radio Shack!!" Sorry, but
magstripe equipment is hard to come by. For obvious reasons, card readers are not made commonly
available to consumers. How to build one is the topic for another phile (and THIS phile is already too
long!). Your best bets are to try and scope out Electronic Surplus Stores and flea markets. Don't even
bother trying to buy one directly from a manufacturer, since they will immediately assume you have
"criminal motives." And as for getting your hands on a magstripe ENCODER...well, good luck! Those rare
beauties are worth their weight in gold. Keep your eyes open and look around, and MAYBE you'll get
lucky! A bit of social engineering can go a LONG way. There are different kinds of magstripe
readers/encoders. The most common ones are "swipe" machines: the type you have to physically slide
the card thru. Others are "insertion" machines: like ATM machines they 'eat' your card, then regurgitate
it after the transaction. Costs are in the thousands of dollars, but like I said, flea markets and surplus
stores will often have GREAT deals on these things. Another problem is documentation for these
machines. If you call the manufacturer and simply ask for 'em, they will probably deny you the literature.
"Hey son, what are you doing with our model XYZ swipe reader? That belongs in the hands of a
'qualified' merchant or retailer, not some punk kid trying to 'find out how things work!" Again, some
social engineering may be required. Tell 'em you're setting up a new business. Tell 'em you're working
on a science project. Tell 'em anything that works! 2600 Magazine recently had a good article on how to
build a machine that copies magstripe cards. Not much info on the actual data formats and encoding
schemes, but the device described is a start. With some modifications, I bet you could route the output
to a dumb terminal (or thru a null modem cable) in order to READ the data. Worth checking out the
schematics. As for making your own cards, just paste a length of VCR, reel-to-reel, or audio cassette tape
to a cut-out posterboard or plastic card. Works just as good as the real thing, and useful to experiment
with if you have no expired or 'dead' ATM or calling cards lying around (SAVE them, don't TOSS them!).
** Examples of Data on Magstripes ** The real fun in experimenting with magstripe technology is
READING cards to find out WHAT THE HELL is ON them! Haven't you wondered? The following cards are
the result of my own 'research'. Data such as specific account numbers and names has been changed to
protect the innocent. None the cards used to make this list were stolen or acquired illegally. Notice that I
make careful note of 'common data'; data that I noticed was the same for all cards of a particular type.
This is highlighted below the data with asterisks (*). Where I found varying data, I indicate it with "x"'s.
In those cases, NUMBER of CHARACTERS was consistent (the number of "x"'s equals the number of
characters...one to one relationship). I still don't know what some of the data fields are for, but
hopefully I will be following this phile with a sequel after I collect more data. It ISN'T easy to find lots of
cards to examine. Ask your friends, family, and co-workers to help! "Hey, can I, um, like BORROW your
MCI calling card tonite? I'm working on an, um, EXPERIMENT. Please?" Just...be honest! Also, do some
trashing. People will often BEND expired cards in half, then throw them out. Simply bend 'em back into
their normal shape, and they'll usually work (I've done it!). They may be expired, but they're not
ERASED! ------------------------------------------------------------------------------- -=Mastercard=- Number on front
of card -> 1111 2222 3333 4444 Expiration date -> 12/99 Track 2 (BCD,75 bpi)-
> ;1111222233334444=99121010000000000000? *** Track 1 (ALPHA,210 bpi)->
%B1111222233334444^PUBLIC/JOHN? * Note that the "101" was common to all MC cards checked, as
well as the "B". ------------------------------------------------------------------------------- -=VISA=- Number on front of
card -> 1111 2222 3333 4444 Expiration date -> 12/99 Track 2 (BCD,75 bpi)-
> ;1111222233334444=9912101xxxxxxxxxxxxx? *** Track 1 (ALPHA,210 bpi)->
%B1111222233334444^PUBLIC/JOHN^9912101xxxxxxxxxxxxx? * Note that the "101" was common to all
VISA cards checked, as well as the "B". Also, the "xxx" indicates numeric data that varied from card to
card, with no apparent pattern. I believe this is the encrypted pin for use when cardholders get 'cash
advances' from ATMs. In every case, tho, I found *13* digits of the stuff.
------------------------------------------------------------------------------- -=Discover=- Number on front of card ->
1111 2222 3333 4444 Expiration date -> 12/99 Track 2 (BCD,75 bpi)-
> ;1111222233334444=991210100000? ******** Track 1 (ALPHA,210 bpi)->
%B1111222233334444^PUBLIC/JOHN___^991210100000? ******** Note, the "10100000" and "B"
were common to most DISCOVER cards checked. I found a few that had "10110000" instead. Don't know
the significance. Note the underscores after the name JOHN. I found consistently that the name data
field had *26* charaters. Whatever was left of the field after the name was "padded" with SPACES.
Soo...for all of you with names longer than 25 (exclude the "/") charaters, PREPARE to be TRUNCATED! ;)
------------------------------------------------------------------------------- -=US Sprint FON=- Number on front of card -
> 111 222 3333 4444 Track 2 (BCD,75 bpi)-> ;xxxxxx11122233339==xxx4444xxxxxxxxxx=? * Track 1
(ALPHA,210 bpi)-> %B^ /^^xxxxxxxxxxxxxxxxx? * Strange. None of the cards I check had names in the
Track 1 fields. Track 1 looks unused, yet it was always formatted with field separators. The "xxx" stuff
varied from card to card, and I didn't see a pattern. I know it isn't a PIN, so it must be account data.
------------------------------------------------------------------------------- -=Fleet Bank=- Number on front of card ->
111111 222 3333333 Expiration date -> 12/99 Track 2 (BCD,75 bpi)-
> ;1111112223333333=9912120100000000xxxx? **** Track 1 (ALPHA,210 bpi) ->
%B1111112223333333^PUBLIC/JOHN___^9912120100000000000000xxxx000000? * **** Note that the
"xxx" data varied. This is the encrypted PIN offset. Always 4 digits (hrmmm...). The "1201" was always
the same. In fact, I tried many ATM cards from DIFFERENT BANKS...and they all had "1201".
------------------------------------------------------------------------------- (Can't leave *this* one out ;) -=Radio
Shack=- Number on front of card -> 1111 222 333333 NO EXPIRATION data on card Track 2 (BCD,75 dpi)-
> ;1111222333333=9912101? ******* Note that the "9912101" was the SAME for EVERY Radio Shack
card I saw. Looks like when they don't have 'real' data to put in the expiration date field, they have to
stick SOMETHING in there. ------------------------------------------------------------------------------- Well, that's all
I'm going to put out right now. As you can see, the major types of cards (ATMs, CC) all follow the same
rules more or less. I checked out a number of security passcards and timeclock entry cards..and they ALL
had random stuff written to Track 2. Track 2 is by FAR the MOST utilized track on the card. And the
format is pretty much always ANSI/ISO BCD. I *did* run into some hotel room access cards that, when
scanned, were GARBLED. They most likely used a character set other than ASCII (if they were audio
tones, my reader would have put out NOTHING...as opposed to GARBLED data). As you can see, one
could write a BOOK listing different types of card data. I intended only to give you some examples. My
research has been limited, but I tried to make logical conclusions based on the data I received. ** Cards
of All Flavors ** People wanted to store A LOT of data on plastic cards. And they wanted that data to be
'invisible' to cardholders. Here are the different card technologies that were invented and are available
today. HOLLERITH - With this system, holes are punched in a plastic or paper card and read optically.
One of the earliest technologies, it is now seen as an encoded room key in hotels. The technology is not
secure, but cards are cheap to make. BAR CODE - The use of bar codes is limited. They are cheap, but
there is virtually no security and the bar code strip can be easily damaged. INFRARED - Not in
widespread use, cards are factory encoded by creating a "shadow pattern" within the card. The card is
passed thru a swipe or insertion reader that uses an infrared scanner. Infrared card pricing is moderate
to expensive, and encoding is pretty secure. Infrared scanners are optical and therefore vulnerable to
contamination. PROXIMITY - Hands-free operation is the primary selling point of this card. Altho several
different circuit designs are used, all proximity cards permit the transmission of a code simply by
bringing the card near the reader (6-12"). These cards are quite thick, up to 0.15" (the ABA standard is
0.030"!). WIEGAND - Named after its inventor, this technology uses a series of small diameter wires that,
when subjected to a changing magnetic field, induce a discrete voltage output in a sensing coil. Two
rows of wires are embedded in a coded strip. When the wires move past the read head, a series of
pulses is read and interpreted as binary code. This technology prodces card that are VERY hard to copy
or alter, and cards are moderately expensive to make. Readers based on this tech are epoxy filled,
making them immune to weather conditions, and neither card nor readers are affected by external
magnetic fields (don't worry about leaving these cards on top of the television set...you can't hurt
them!). Here's an example of the layout of the wires in a Wiegand strip: ||| || || | ||| | || || | || || |
| || | | | | | | |||| || |||| || The wires are NOT visible from the outside of the card, but if your card is
white, place it in front of a VERY bright light source and peer inside. Notice that the spacings between
the wires is uniform. BARIUM FERRITE - The oldest magnetic encoding technology (been around for 40
yrs!) it uses small bits of magnetized barium ferrite that are placed inside a plastic card. The polarity and
location of the "spots" determines the coding. These cards have a short life cycle, and are used
EXTENSIVELY in parking lots (high turnover rate, minimal security). Barium Ferrite cards are ONLY used
with INSERTION readers. There you have the most commonly used cards. Magstripes are common
because they are CHEAP and relatively secure. ** Magstripe Coercivity ** Magstripes themselves come
in different flavors. The COERCIVITY of the magnetic media must be specified. The coercivity is the
magnetic field strength required to demagnetize an encoded stripe, and therefore determines the
encode head field strength required to encode the stripe. A range of media coerciviteis are available
ranging from 300 Oersteds to 4,000 Oe. That boils down to HIGH-ENERGY magstripes (4,000 Oe) and
LOW-ENERGY magstripes (300 Oe). REMEMBER: since all magstripes have the same magnetic
remanence regardless of their coercivity, readers CANNOT tell the difference between HIGH and LOW
energy stripes. Both are read the same by the same machines. LOW-ENERGY media is most common. It
is used on all financial cards, but its disadvantage is that it is subject to accidental demagnetization from
contact with common magnets (refrigerator, TV magnetic fields, etc.). But these cards are kept safe in
wallets and purses most of the time. HIGH-ENERGY meda is used for ID Badges and access control cards,
which are commonly used in 'hostile' environments (worn on uniform, used in stockrooms). Normal
magnets will not affect these cards, and low-energy encoders cannot write to them. ** Not All that
Fluxes is Digital ** Not all magstripe cards operate on a digital encoding method. SOME cards encode
AUDIO TONES, as opposed to digital data. These cards are usually used with old, outdated, industrial-
strength equipment where security is not an issue and not a great deal of data need be encoded on the
card. Some subway passes are like this. They require only expiration data on the magstripe, and a short
series of varying frequencies and durations are enough. Frequencies will vary with the speed of swiping,
but RELATIVE frequencies will remain the same (for instance, tone 1 is twice the freq. of tone 2, and .5
the freq of tone 3, regardless of the original frequencies!). Grab an oscilliscope to visualize the tones,
and listen to them on your stereo. I haven't experimented with these types of cards at all. ** Security
and Smartcards ** Many security systems utilize magstripe cards, in the form of passcards and ID cards.
It's interesting, but I found in a NUMBER of cases that there was a serious FLAW in the security of the
system. In these cases, there was a code number PRINTED on the card. When scanned, I found this
number encoded on the magstripe. Problem was, the CODE NUMBER was ALL I found on the magstripe!
Meaning, by just looking at the face of the card, I immediately knew exactly what was encoded on it.
Ooops! Makes it pretty damn easy to just glance at Joe's card during lunch, then go home and pop out
my OWN copy of Joe's access card! Fortunately, I found this flaw only in 'smaller' companies (sometimes
even universities). Bigger companies seem to know better, and DON'T print ALL of the magstripe data
right on card in big, easily legible numbers. At least the big companies *I* checked. ;) Other security
blunders include passcard magstripes encoded ONLY with the owner's social security number (yeah, real
difficult to find out a person's SS#...GREAT idea), and having passcards with only 3 or 4 digit codes.
Smartcard technology involves the use of chips embedded in plastic cards, with pinouts that temporarily
contact the card reader equipment. Obviously, a GREAT deal of data could be stored in this way, and
unauthorized duplication would be very difficuly. Interestingly enough, not much effort is being put into
smartcards by the major credit card companies. They feel that the tech is too expensive, and that still
more data can be squeezed onto magstripe cards in the future (especially Track 1). I find this somewhat
analagous to the use of metallic oxide disk media. Sure, it's not the greatest (compared to erasable-
writable optical disks), but it's CHEAP..and we just keep improving it. Magstripes will be around for a
long time to come. The media will be refined, and data density increased. But for conventional
applications, the vast storage capabilities of smartcards are just not needed. ** Biometrics: Throw yer
cards away! ** I'd like to end with a mention of biometrics: the technology based on reading the
physical attributes of an individual thru retina scanning, signature verification, voice verification, and
other means. This was once limited to government use and to supersensitive installations. However,
biometrics will soon acquire a larger market share in access control sales because much of its
development stage has passed and costs will be within reach of more buyers. Eventually, we can expect
biometrics to replace pretty much ALL cards..because all those plastic cards in your wallet are there JUST
to help COMPANIES *identify* YOU. And with biometrics, they'll know you without having to read cards.
I'm not paranoid, nor do I subscribe to any grand 'corporate conspiracy', but I find it a bit unsettling that
our physical attributes will most likely someday be sitting in the cool, vast electronic databases of the
CORPORATE world. Accessable by anyone willing to pay. Imagine CBI and TRW databases with your
retina image, fingerprint, and voice pattern online for instant, convenient retrieval. Today, a person can
CHOOSE NOT to own a credit card or a bank card...we can cut up our plastic ID cards! Without a card, a
card reader is useless and cannot identify you. Paying in cash makes you invisible! However, with
biometrics, all a machine has to do is watch... .listen...and record. With government/corporate America
pushing all the buttons.. "Are you paying in cash?...thank you...please look into the camera. Oh, I see
your name is Mr. Smith...uh, oh...my computer tells me you haven't paid your gas bill....afraid I'm going
to have to keep this money and credit your gas account with it....do you have any more cash?...or would
you rather I garnish your paycheck?" heh heh ** Closing Notes (FINALLY!!!!) ** Whew...this was one
MOTHER of a phile. I hope it was interesting, and I hope you distribute it to all you friends. This phile
was a production of "Restricted Data Transmissions"...a group of techies based in the Boston area that
feel that "Information is Power"...and we intend to release a number of highly technical yet entertaining
philes in the coming year....LOOK FOR THEM!! Tomorrow I'm on my way to Xmascon '91.....we made
some slick buttons commemorating the event...if you ever see one of them (green wreath..XMASCON
1991 printed on it)..hang on to it!...it's a collector's item.. (hahahah) Boy, I'm sleepy... Remember....
"Truth is cheap, but information costs!" But -=RDT is gonna change all that... ;) set the info FREE!
Peace. ..oooOO Count Zero OOooo.. Usual greets to Magic Man, Brian Oblivion, Omega, White Knight,
and anyone else I ever bummed a cigarette off..... (1/18/92 addition: Greets to everyone I met at
Xmascon..incuding but not excluding Crimson Death, Dispater, Sterling, Mackhammer, Erik Bloodaxe,
Holistic Hacker, Pain Hertz, Swamp Ratte, G.A.Ellsworth, Phaedrus, Moebius, Lord MacDuff, Judge
Dredd, and of course hats of to *Drunkfux* for organizing and taking responsibility for the whole damn
thing. Hope to see all of you at Summercon '92! Look for Cyber-stripper GIFs at a BBS near you..heh heh)
Comments, criticisms, and discussions about this phile are welcome. I can be reached at
count0@world.std.com count0@spica.bu.edu count0@atdt.org Magic Man and I are the sysops of the
BBS "ATDT"...located somewhere in Massachusetts. Great message bases, technical discussions...data
made flesh...electronic underground.....our own Internet address (atdt.org)... .field trips to the tunnels
under MIT in Cambridge.....give it a call.. ..mail me for more info.. ;)

Read more at: https://www.epanorama.net/documents/smartcard/magcard.html