Magnetic Card Emulator

Carmen Bovalino

Computer Engineering Technology, Rochester Institute of Technology

May 2013

Magnetic Card Emulator - Carmen Bovalinocarmen.fusitron.com/wp-content/uploads/2013/11/Bovalino...swipe. 1.3 How a Magnetic Card is Encoded The F2F (Frequency – Double Frequency)

  • Upload
    others

  • View
    15

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Magnetic Card Emulator - Carmen Bovalinocarmen.fusitron.com/wp-content/uploads/2013/11/Bovalino...swipe. 1.3 How a Magnetic Card is Encoded The F2F (Frequency – Double Frequency)

Magnetic Card Emulator Carmen Bovalino

Computer Engineering Technology Rochester Institute of Technology

May 2013

Table of Contents

Abstract ........ 2
Technology ........ 2
1.1 What is a Magnetic Stripe Card? ........ 2
1.2 How a Magnetic Stripe Card is Read ........ 2
1.3 How a Magnetic Card is Encoded ........ 3
1.4 How a Card Reader Decodes Data ........ 5
Security Vulnerabilities ........ 6
2.1 Introduction ........ 6
2.2 Electromagnets ........ 6
2.3 Designing a Handheld Device ........ 6
Conclusion ........ 13
References ........ 14
Appendix ........ 15
Schematic of Magnetic Card Emulator - Main Board ........ 15
Schematic of I2C LCD Backpack ........ 16
Schematic of I2C Pushbuttons ........ 17

Abstract

The objective of this project is to demonstrate security flaws in current magnetic stripe reader systems. Magnetic stripe readers are used around the world every day in many different applications, most of them concerning secure access to information. Some examples of where magnetic stripe cards and readers are used are cash registers, gas pumps, vending machines, hotel rooms, and door access systems. The device presented is an embedded system using multiple TI devices that can emulate a magnetic card swipe by bit-banging data wirelessly to any card reader through an electromagnet. The data to be sent can be entered manually or swiped into the device. The goal of this work is to bring to light the major security holes that are around us every day. The demonstration of this project shows how the device can be used to read a magnetic card, or to manually enter a card number, and then replay the card data back to any reader. The device demonstrates how we can create interesting devices using embedded systems.

Technology

1.1 What is a Magnetic Stripe Card?

The black stripe on the back of credit cards, gift cards, rewards cards, hotel room keys, etc. is called a magnetic stripe or magstripe. The magstripe is made up of tiny iron-based magnetic particles in a plastic-like film. The magstripe stores data by modifying the magnetism of the tiny iron-based magnetic particles.

1.2 How a Magnetic Stripe Card is Read

The magnetic stripe of a card is read by swiping it past a magnetic reading head like the one in a cassette tape player. Data is encoded in the F2F (Frequency – Double Frequency) format. F2F encoding provides self-clocking data – meaning the serial data stream of one and zero bits itself provides the timing information the reader needs to determine which bit is which. Self-clocking data allows the data bits to be extracted without the need to control the speed of the card swipe.

1.3 How a Magnetic Card is Encoded

The F2F (Frequency – Double Frequency) encoding technique places flux transitions on the magnetic stripe separated by a defined distance for zero bits and one half that distance for one bits. Figure 1.1 demonstrates the flux transitions encoded along the magnetic stripe of a card.

There are three separate “tracks” of data that can be encoded onto a magnetic stripe – this document will focus on Track 2. Before the first character can be encoded on the track, a Start Sentinel character must be encoded. The Start Sentinel is a defined series of bits which signifies the start of the data bits. After the last character of data, an End Sentinel must also be encoded, signifying the end of the data bits. Immediately after the End Sentinel, an LRC (Longitudinal Redundancy Check) character is encoded – this is a special error-checking character.

Figure 1.1 – Bit Cell – Flux Transition

Before the Start Sentinel and after the End Sentinel, “clocking bits” are encoded. These clocking bits provide card readers with timing to start their synchronization process before encountering the Start Sentinel. Figure 1.2 shows where the different data is encoded along the magnetic stripe of a card.

The Track 2 data format includes the following items:

1) Leading clocking zeros (approximately 22)
2) The Start Sentinel (hexadecimal “B”)
3) Up to 37 hexadecimal numeric characters
4) The End Sentinel (hexadecimal “F”)
5) The LRC (Longitudinal Redundancy Check) character
6) Trailing clocking zeros (minimum of 22)

Each data character is in a 5-bit (4 plus parity) numeric format. The four data bits are sent least-significant bit first, followed by an odd-parity bit, so every 5-bit group contains an odd number of ones; the value in parentheses below is the same character written in the reverse order (parity bit first). Example: the data message “123” is encoded onto the card as follows:

1) “00…00”: leading clocking zeros, approximately 22
2) “11010”: the character hex B (01011), the Start Sentinel
3) “10000”: the character “1” (00001)
4) “01000”: the character “2” (00010)
5) “11001”: the character “3” (10011)
6) “11111”: the character “F” (11111), the End Sentinel
7) “00100”: the character “4” (00100), the LRC (check character)
8) “00…00”: trailing clocking zeros, a minimum of 22 to the end of the card

Figure 1.1 – Bit Cell – Flux Transition

1.4 How a Card Reader Decodes Data

Based on the F2F (Frequency – Double Frequency) encoded data read by the magnetic head, the card reader outputs three signals: Card Present, Data, and Strobe. These outputs are then interpreted by a microcontroller.

A “low” Card Present signal signifies that a card is present in the reader. When the Strobe signal goes low, it indicates that the processor should check the Data signal and store the value as a “bit.” When the Data signal is high, the bit is a zero; when the signal is low, the bit is a one. Figure 1.3 shows an example of the three output signals from a card reader.

Figure 1.3 – Output Signals from a Card Reader
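The Track 2 character coding of section 1.3 and the Data/Strobe sampling rule of section 1.4, worked through in Python as an added example (not code from the report): encode_track2 reproduces the bit groups listed above for “123”, sample_reader latches Data on each falling edge of a constructed Strobe waveform, and decode_track2 is the reader-side check a practitioner wants, rejecting a stream whose parity or LRC does not verify. The 22 leading and trailing zeros and the odd-parity rule are the report's; the function names and the sampled waveform are assumptions for this example.

```python
from functools import reduce
from operator import xor

# Added example (not the report's code): Track 2 coding (1.3), reader sampling (1.4).
START_SENTINEL, END_SENTINEL = 0xB, 0xF   # hex B and hex F
LEAD_ZEROS = TRAIL_ZEROS = 22             # clocking zeros around the data


def char_bits(value):
    """5-bit group for one character: 4 data bits LSB first + odd-parity bit."""
    data = [(value >> i) & 1 for i in range(4)]
    parity = 1 - sum(data) % 2            # makes the count of ones odd
    return "".join(map(str, data + [parity]))


def encode_track2(digits):
    """5-bit groups for Start Sentinel, data, End Sentinel and LRC."""
    values = [START_SENTINEL] + [int(d, 16) for d in digits] + [END_SENTINEL]
    lrc = reduce(xor, values, 0)          # LRC = XOR of every character value
    return [char_bits(v) for v in values + [lrc]]


def bitstream(digits):
    """Whole track as the reader sees it, including clocking zeros."""
    return "0" * LEAD_ZEROS + "".join(encode_track2(digits)) + "0" * TRAIL_ZEROS


def sample_reader(samples):
    """samples: constructed (data, strobe) logic levels over time. On each
    falling edge of Strobe latch Data; low Data is a one, high Data a zero."""
    bits, prev_strobe = [], 1
    for data, strobe in samples:
        if prev_strobe == 1 and strobe == 0:
            bits.append("1" if data == 0 else "0")
        prev_strobe = strobe
    return "".join(bits)


def decode_track2(bits):
    """Digits between the sentinels, plus True only if parity and LRC check."""
    start = bits.find(char_bits(START_SENTINEL))
    if start < 0:
        return "", False
    values, parity_ok = [], True
    for i in range(start, len(bits) - 4, 5):
        group = bits[i:i + 5]
        parity_ok &= group.count("1") % 2 == 1
        values.append(sum(int(group[k]) << k for k in range(4)))
        if len(values) >= 2 and values[-2] == END_SENTINEL:
            break                         # the group just read was the LRC
    if len(values) < 2 or values[-2] != END_SENTINEL:
        return "", False
    digits = "".join("%X" % v for v in values[1:-2])
    return digits, parity_ok and reduce(xor, values[:-1], 0) == values[-1]
```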

Security Vulnerabilities

2.1 Introduction

Now that we know how magnetic cards work, let’s talk about some of the security vulnerabilities related to magnetic cards. Most of us use magnetic cards on a daily basis – this technology is used for credit cards, gift cards, rewards/membership cards, hotel room keys, access control systems, some driver’s licenses, MetroCards, etc. The point of this technology is that only the person in possession of the magnetic card should be able to use it. Since we know exactly how the technology works, what if we could come up with a way to “spoof” a reader, transmitting any number that we wanted without having the physical card?

2.2 Electromagnets

An electromagnet is a type of magnet that generates a magnetic field by the flow of electric current. The card reader senses changes in the magnetic field to determine the data bits encoded on the stripe. What if we generated our own magnetic field and changed the polarity in the exact sequence a magnetic card would generate as it passed through a reader?

2.3 Designing a Handheld Device

In order to create an electromagnet, we need a ferrous metal (a metal containing iron). I was able to find a spare piece of steel air ducting, which is ferrous. I made an electromagnet by wrapping wire into a coil around the steel.

To drive the electromagnet, a 9V battery was used. The Texas Instruments MSP430G2553 and MSP430G2452 microcontrollers were both used in different prototypes when building the device. The initial prototype was built on a breadboard out of an MSP430G2452 along with a 2N3904 transistor to sink the electromagnet current. The microcontroller was programmed to energize and de-energize the electromagnet in the exact sequence of a magnetic card swipe. The data to be transmitted was hard-coded in the initial prototype, and a push button was used to initiate the data transmission. Figure 2.1 shows the initial prototype.

The second prototype was also built on a breadboard but included an LCD display that was used along with pushbuttons to manually enter the data to transmit “on-the-fly.” The LCD was controlled through a TI PCF8574 I/O Expander over the I2C bus. The second prototype is shown in Figure 2.2.

Figure 2.1 – Initial Prototype

The third prototype was built inside a cardboard box and included circuit boards made out of perfboard. This prototype also included a magnetic card reader to pull data from Track 2 of any card swiped. The prototype also included eight menu buttons which were monitored by a TI PCF8574 I2C I/O Expander. The third prototype is shown in Figure 2.3.

Figure 2.2 – Second Prototype

The circuit boards made for the third prototype are shown in Figures 2.4 – 2.9 below.

Figure 2.3 – Third Prototype

Figure 2.4 – I2C LCD Backpack – Prototype Bottom

Figure 2.5 – I2C LCD Backpack – Prototype Top


Figure 2.6 – I2C Pushbuttons – Prototype Bottom

Figure 2.7 – I2C Pushbuttons – Prototype Top

Figure 2.8 – Mainboard – Prototype Top

Figure 2.9 – Third Prototype – Interior

The fourth prototype was built inside a plastic case. Custom circuit boards using surface-mount components were manufactured for this prototype. This prototype also includes a number pad for easier data entry. Two TI PCF8574A I2C I/O Expanders were used to monitor the number pad. This prototype is shown in Figure 2.10 below.

The custom circuit boards that were manufactured are shown below in Figures 2.11 – 2.14.

Figure 2.10 – Fourth Prototype

Figure 2.15 shows the interior of the fourth prototype with all circuit boards mounted.

Figure 2.11 – Custom PCBs – Unpopulated Top

Figure 2.12 – Custom PCBs – Unpopulated Bottom

Figure 2.13 – Custom PCBs – Populated Top

Figure 2.14 – Custom PCBs – Populated Bottom

Figure 2.15 – Fourth Prototype – Internal

Conclusion

This project successfully demonstrates how a microcontroller and an electromagnet can be used to emulate a magnetic card swipe. This project shows the security vulnerabilities associated with current magnetic stripe cards. Smart cards are becoming more and more common on credit cards, especially in other countries. This device shows how easy it is to “spoof” magnetic card readers on-the-fly and adds to the list of reasons we should move to more modern technologies, such as smart cards, for everyday use.

References

Mag-Tek. I/O Interface For TTL Magnetic Stripe Readers - Technical Reference Manual. Carson, CA: Mag-Tek, 2003.

Appendix

Schematic of Magnetic Card Emulator - Main Board

Schematic of I2C LCD Backpack

Schematic of I2C Pushbuttons