Magnetic card stripe spoofer

This hodge-podge of components is capable of spoofing the magnetic stripe on a credit card. [Sk3tch] built an electromagnet using a ferrous metal shim wrapped in enameled magnet wire. While he was doing the windings [Sk3tch] connected his multimeter to the metal shim and one end of the wire, setting it to test continuity. This way, if he accidentally scraps the enamel coating and grounds the wire on the metal the meter will sound and alarm and he’ll know about the short immediately. An Arduino takes over from here, actuating the coil to simulate the different data sections of a magnetic stripe.

From his schematic we see that the electromagnet is directly connected to two pins of the Arduino. We haven’t looked into the code but is seems there should be either some current limiting, or the use of a transistor to protect the microcontroller pins (we could be wrong about this).

[Sk3tch's] realization of this spoofer can be made quickly with just a few parts. Card data must be written in the code and flashed to the Arduino. If you want to see what a more feature-rich version would entail take a look at this spoofer that has a keypad for changing data on the go.

[via Lifehacker]

Comments

  1. James says:

    I’m a bit ignorant in these matters, but don’t the magnetic stripes have 3 sub-stripes? Does this spoof all of them, or just simple cards like those used to give carpark access?

  2. JJ says:

    Rather than setting up some sort of alarm to detect if the enamel was scrapped off on the metal shim, why not just insulate the metal shim with some electrical tape? That wouldn’t effect the electromagnet.

  3. Jay Boy says:

    “We haven’t looked into the code but is seems there should be either some current limiting, or the use of a transistor to protect the microcontroller pins (we could be wrong about this).”

    what kind of half arsed reporting is this?

  4. Andrew says:

    @James

    Having worked extensively on this protocol for an independent study, there is no way to spoof all 3 tracks using just one coil. That being said spoofing a single track is usually sufficient for access systems, membership cards, etc… Basically anything not in the financial sector.

    @hackaday
    Shame on you for not reviewing you past postings. This project is a derivative work based on several projects already covered by this site. Its also a damn shotty implementation. The code is terrible. Most importantly, this guy is driving a very inductive load straight from the digital pins of an avr. Frankly I’m surprised that works at all and it will eventually destroy the arduino. To anyone looking to duplicate this please use a transistor and a flywheel diode.

    note: I know I’m being critical but that’s only because this is a derivative work. More to the point, its a derivative work that’s significantly lower quality than the project being copied.

  5. Gdogg says:

    Yeah, couldn’t you simply attach an h bridge w/diode (forget what the chips called but I have a bunch) for 30c and protect your arduino from back voltage?

  6. smoker_dave says:

    H bridge?

    You just need a transistor (BC547??) and a 1n4004 diode.

    Simples.

  7. Rich T Kirk says:

    I was going to mention the back EMF – I am surprised the IO pin and or AVR has not been completely destroyed.

    When changing the current direction through the coil 4 diodes are needed and an H bridge.

    1/2 of an L293 is probably the easiest option.

  8. derp says:

    magnets, how do they work?

  9. Paul says:

    Just wait for citibank to roll their new cards out, then hack them…

    http://www.internetbits.com/programmable-credits-cards-may-be-new-dynamics/54918/

  10. biozz says:

    i think i have seen this here before with an ipod

  11. M4CGYV3R says:

    @Paul
    One step closer to credchips! I love it!

  12. arfink says:

    Wow, is that ever a lovely dirty hack. Something inside me says it’s still cool though. Dirty code, no back EMI protection, etc. Something Macgyver would come up with for a single use or something like that. Nothing like a 10 minute hack for a 10 minute job.

  13. Gdogg says:

    @smoker_dave

    Yeah, but the h bridge includes both, and I have that handy ;)

  14. macw says:

    If this were something built out of garbage by a homeless man to spoof door access cards so he could find a place to sleep or something…then I’d be really impressed. Or if it were built in a post-apocalyptic wasteland. But outside that context, this is….not very well done.

    No protection diodes or isolators, driving an inductive load directly from the AVR pins, the coiling and soldering both look shoddy, and the whole thing is just zip-tied together? I think it’s pretty telling that HaD thought it was worth writing about how he used the continuity test function on his meter while assembling the coil…because everything else in the project shows zero foresight.

  15. Andrew says:

    @macw

    My thoughts exactly. HAD has really lowered their standards.

    Interesting side note. For those without an H-bridge this can be done without reversing the polarity of the coil. Due to the properties of the current stored in the inductor you can treat a 1 as on and a 0 as off. The act of disconnecting the inductor generates enough of a induced current in the opposite direction to provide the necessary flux reversal for the reader to register a 0. This lowers the part count to 1 transistor and 1 diode or 1 mosfet with integrated diodes (my preference).

  16. Concino says:

    I am not sure why we are all concerned about this guys Arduino? You know it is missing the H bridge, so don’t replicate what he did. This site is not named Engineering a Day, it is Hack a Day, and some hacks are dirty and some are not.
    I think it is not the HAD’s standards is the problem, I think the audience got a little bit picky and elitist.

  17. macw says:

    I agree that the audience here is usually picky and elitist, usually too much so, but it would be good for HaD to say clearly “this guy is going to blow up his arduino, DON’T DO THIS” for the people who may not have as much experience as others and would just try it as depicted. I don’t have a problem with really dirty hacks being posted as long as the editors explain why they might not be a great idea to duplicate on your own — they can even be a learning experience that way.

    (The wishy-washy “we could be wrong about this” isn’t needed…it’s obviously bad practice to drive any powerful load directly from the i/o pins and it only costs like a nickel of parts to keep everything safe, so there’s really no excuse).

  18. zeropointmodule says:

    @macw, this is a useful tip for those people wanting to wind their own coils for other applications (i.e. small HV generators and fluorescent/EL drivers) as it allows the fault to be rectified before it ruins hours of hard work.

  19. echodelta says:

    Winding coils always requires extreme insulation on the core, and kink free, damage free winding.
    Tension control too, because it builds up too much pressure at the core.
    If you expect something might fail, just do the right thing. Just because it works does not mean it’s working
    Probability says if the wire might short out while winding, then it surely will at more points than one later! All that pressure bears down on any defect and onto the sharp edges of the core.

  20. Gdogg says:

    I think HaD should have just mentioned what he was doing wrong, and mentioned how we could mitigate these risks. It’s still interesting enough to warrant a post, imo.

  21. Tomasito says:
  22. error404 says:

    Well, the AVR I/O pins are pretty robust. They include diodes to ground and Vcc, and an internal current limit. Yeah, it’s not proper, but it’s not going to destroy it instantly either.

    It’s a hack.

  23. ejonesss says:

    i think a store would become suspicious of the use of a stolen card if you tried to use this in a store.

    however it does make a great way to learn how the spoofing works.

    if you are worried about someone getting the number from the card you can fold a piece over the card or cut a protector envelope and slide it over the card so only the magnetic strip shows.

    if the store needs to see the card they can peel it back to see it but other customers in line are not as likely to see it

  24. Whatnot says:

    It’s sort of interesting that many chips have internal protection but us being scared causes us to add protection on top of it.
    Obviously you get reverse current but the power coming from the raw pin isn’t that high to start with nor is the coil and metal that bulky, so perhaps that means extensive protection is less important.
    And it’s using PWM pins right? Does that mean it’s using PWM and that limits the return force since the field collapses all the time with not enough time to build up a coherent return?

    Maybe somebody needs to make one of those ‘how long until it fails’ project from this concept :)

    And this project also nicely works to explain the concept by not having protection, so it has some merit based on that I guess.

  25. Rich T Kirk says:

    I was just pointing out the “traditional engineering” approach :P

    I think inbuilt diodes are only usually designed for ESD discharges – picking up the device with your hands etc. Early CMOS IC’s (4000 series before the B designator) had no such diodes and could be destroyed very easily.

    Would be interesting to see how tough these IO pins are though – that said I have really abused some 18F PIC’s, and they just keep going.

  26. john585 says:

    Plus you could use it to shank your cellmate.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 91,402 other followers