Reading credit cards with a tape head

A company called Square is giving out free credit card readers that turn any iPhone or iPad into a Point of Sale terminal. [Steve] got a hold of one of these tiny peripherals and did what any sane person would do: tear it apart and learn how it works. This bit of hardware is a little unimpressive; unsurprising because Square is giving them away. With simplicity comes an ease in understanding, and [Steve] was able to successfully read his own credit card with this tiny and free credit card reader.

[Steve]’s work in decoding credit card data builds off [Count Zero]’s article from the bbs days. Basically, each credit card has two or three tracks. Track three is mostly unused, whereas track one contains the card holder name, account number, cvc code and other ancillary data. Track two only contains the credit card number and expiration date.

The only components in the Square card reader are a head from a tape player and a 1/8″ microphone jack. The magnetic head in the Square card reader is positioned to only read track two. With a small shim, it’s possible to re-align the head to get the data from track one. After recording an audio file of him sliding his card though the Square reader, [Steve] looked at the number of times the waveform flipped from positive to negative. From this, he was able to get the 1s and 0s on the card and converted them to alphanumeric using the 6-bit ANSI/ISO alpha format.

[Steve] isn’t going to share the code he wrote for Android just yet, but it should be relatively easy to replicate his work with the Android tutorial he used. Also, yes, we did just pose the question of how these Square credit card readers work just hours ago. Good job being on the ball, [Steve]. Tips ‘o the hat go out to [Bobby], [Leif], [Derek] and anyone else we might have missed.

EDIT: [Stephen] sent in his teardown minutes after this post went live. Hackaday readers are too fast at this stuff.

101 thoughts on “Reading credit cards with a tape head

  1. I remember doing almost the same sort of thing with credit cards on Beta Max players back in the 80’s. You’d run the player and run the CC over the magnetic tape head and see the CC number show up on the screen. Can’t believe history repeats it’s self once again but only smaller.

    1. Wait, what??!?

      This sounds a bit like that myth that if you taped a bit of betamax tape to the back of a credit card the ATM would spontaneously eject all of its cash, Superman III style. All my friends were doing that ;)

      1. The Superman III thing I’d call a myth, but if you look around the Betamax trick was a well documented concept that I believe even 2600 did an article about many many many moons ago.

      1. Actually, the human readable CVV2 (Visa), CVC2 (MC), CID (Disc/Amex) is not on the stripe, BUT there IS (usually) an embedded security code within the stripe data. It is used when the tracks are sent in for processing to validate the tracks. It would go in the “discretionary data” field on Track one just before the end sentinel.

  2. There is one more component in the Square reader, which is a 5.2k resistor between the read head and mic line. I’ll put up another pic on the post which shows that.
    And I DO plan on putting up the app, and the android library which makes it work. I just haven’t quite done it yet.

      1. I’m not 100% certain of the value of mine. I’m no hardware guy. But I did try to measure it with a multimeter and got a value in agreement with what I thought I decoded the stripes to.
        I wouldn’t be particularly surprised to find that the actual resistors used vary.

  3. it is interesting that square has to “verify” your identity in order to get the reader. square is using https secure address but i just thought it was odd. why do they ask that i wonder. i ordered mine and will see what happens.

    1. You don’t have to, I bought mine at a nearby Walmart. You can still accept cash payments (kinda pointless there), it just won’t let you accept credit cards through their system.

    2. I don’t think most of you understand it..
      If your going to use it for transactions they NEED to know who you are for tax purposes..

      Shit, they have my full SSN and address, and right they should. Like any other credit card processor, Just as right paypal also has my SSN and address.

      I feel bad for this little start-up though. They wanted to partner with paypal.. Instead paypal said no, then released the PayPal here! It’s the same device (just fancier looking) its also free (not in stores, yet) but you have to upgrade your paypal account to business class (also free, but your fees change)..

      The idea was it’d be nicer and faster to get cash to your paypal account.

      I wouldn’t say this IRL but I use mine for little cash-advances dirt cheap from my credit card..

  4. I heard a story from our schools lab tech (an old ham operator and repairmen), he claims that when the magnetic swipe was being developed, one company made a set and gave it to some engineers and told that that if they can get the account information off of this magnetic strip they can have the money. The lab tech claims that every group got their money and the first group did this sort of hack using a tape deck.
    It isn’t supprising. Remember the guys that were recording the numbers off the readers at the ATM in eastern europe. Credit cards are really not that secure.

    1. well, the whole point of the credit card swipe IS NOT security but convenience/speed during transactions. it’s digitizing the old carbon paper credit card swipe. that’s why we still have raised numbers on the card, so they can be quickly swiped on carbon paper. in any case, the card # is right there on the front of the card.

  5. I was at a conference a year or so ago, and Square reps walked around handing them out to every vendor/booth that would take them. Nobody kept them, so I ended up with 10 or so. Plan is to make a sort of musical instrument that generates sound based on the swiped data.

  6. Those are the old readers. The new readers are a litte more sophisticated including lots more hardware and a battery These just started shipping in the last month. Adding encryption to the reader was one of the requirements that came as part of Visa’s investment in the company.

    Competitor VeriFone took issue with the lack of encryption last year but that backfired for them.

    1. I dunno why it needs to be encrypted from the reader, it’s on the card in plaintext. Do the encrypting on the phone, using the extremely suitable hardware. If I can figure this out, who’s in charge at Visa?

      I remember instructions for one of these, using a read and write tape head, an op-amp, and mounting it to a bit of wood, to make a simple hand-swiped card copier. Some old BBS doc, might’ve even been the Jolly Roger. ALL IN CAPS, APPLE ][ STYLE!

    2. Not only that, but I thought they were trying to slowly kill off the mag-stripe, in favour of the much safer smart chips. Subject to a suitable port on the phone, a smart-card reader should be easier to make. Why not launch tiny little USB smartcard readers? There must be next to nothing in ’em.

    3. The new standards from the Payment Card Industry are forcing a move to end-to-end encryption, regardless of the source of the data. This means that the data is AT LEAST protected in transit. I suspect that the Square application encrypts the data after it gets it from the head, and BEFORE it sends it to the network. That is a minimal requirement of the PCI DSS standards. They do NOT (yet) require the card data to be encrypted from the point of reading (head) to the computer application (smartphone program) as that is not considered a “network” connection. MagTek and others have created hardware that encrypts the data IN the head. That will be deployed over time. Eventually, it truly WILL be encrypted from head to network server.

  7. From their website about the reader:
    Fully encrypted: Square performs data encryption within the card reader at the moment of swipe.

    Can anybody explain how this is happening with the minimal components in the reader?

  8. One day there will be no more cash and the government/corps will truly own you.

    You will swipe/rfid all transactions with your GPS enabled phone. When, where, how much and even what. All recorded to be mined by companies, the IRS, your health insurance, etc.

    This is phase 3… give everyone card readers.

  9. So the new ones do encryption. First off WHY? if someone is swiping your card they can simply see the numbers. Encrypting over the network I can see and should have been done from day 1.

    Second, This takes me back to the 80’s it always amazes me when I see projects using swipes that they paid 10 bucks for when these are pretty much all you need.

    Good article and thanks for posting the guts, I always expected that was all it consisted of but never wanted to give out my full info’s to get one.

    1. Why? because it is difficult for a waiter to memorize the numbers of every card encountered during his shift, but with a device like this he could easily get 50 CC numbers a night.

      1. Most ARM OSs use trustzone hardware isolation to handle the data.. You have to find holes in each manufacturers trustzone kernel to dump the protected memory and inject code.. Even non-TZ chips have a software isolation.

          1. I’m talking about the major vendors, they have chip crypto that buffers over the audio API in to an isolated process that usus ARM TZ or Android jails. The key-data is all generated and passed within TrustZone which has hardware isolation.

        1. reached reply depth, so the issue with this from back in 2012 was that you can snoop the audio/microphone traffic easily. I’m aware of TrustZone and how it works, but this wasn’t doing it. I still am not sure if the audio thats coming in is not snoopable, the solution for them was to add more encryption hardware to the square device, which meant if you can snoop it, its encrypted at the end.

          1. The PayPal and Amazon reader have hardware crypto that protect MITM on the audio API. Trustzone and software-jails protect the decryption handler and key-data. These cheap reader-heads to jack readers don’t so TZ doesn’t matter there..

            I was pretty interested in this when the readers were first interested. Buffer overflows are needed to dump TZ over the because of how “Secure Configuration Register (SCR)” handles things.

  10. that’s scary that all the info is there possibly unencrypted.

    that means anyone with an ios device could skim your card and get everything thy need to use the card or even copy the card.

      1. Or the nearly invisible passthru skimmers dropped over the actual “dip” style slot on ATMs which log cards used there and the skimmer doesn’t even need to be there. They have motorized rollers and detect and inhale the card just like the normal slot does, feeding it into the machine’s actual slot behind the “parasite”. Most of them use memories so they have to come back and get it, but no reason it couldn’t be wireless and remotely report the info so they could plant it and never return to the scene (info blasted to some untraceable SMS endpoint via burner phone account?). When numbers stop rolling in, go plant another. Hardware cost is no issue as the scammed info definitely buys the new parts once you invest in building one “skim bug” and get even a few. And it’s molded plastic so it really doesn’t look much different unless you pay attention to every curve and design detail on the mini-ATM at your gas station… not many people do, and they are all made with weird and nonsensical “whoops” and “waves” on the front anyhow so how would you know some weird ass slot thing is not supposed to be there, if it looks like the same plastic as the main case, and it didn’t feel all Playskool and hacky when you rammed your card in. Basically nobody finds them until maintenance comes out to refill or service.

        I think a fun social experiment would be to make a R/W version of a parasitic slot skimmer that would read and log cards like usual, but then also write the previous users info on the way out. That way whoever used the ATM would end up with someone elses card cloned onto their stripe and be ‘scamming’ each other completely unknown and unaided. Musical credit cards! I bet companies would quit using stripes almost immediately then…

  11. They didn’t ask for my full social only the last four, but… If they are giving you the power to accept credit cards for financial transactions there are probably certain reporting requirements consistent with the governments desire to hinder money laundering operations, ID theft, and other activities contrary to US law.

  12. After reading this, I took a dig through my parts bins for other reasons and grabbed a read head which I would not have otherwise given even a second glance. Thank you!

  13. Idea: take the new one with battery, hack the electronics (or made a custom PCB) to record every swipe, let’s say it can store 3-4 card’s data. Add a button to toggle between “stored cards”(by number of presses) and automagically pass the data to the iDevice after 2 seconds…
    Just passed my mind, don’t know how to continue.

  14. I have a website where I can take payments from credit cards with PayPal.

    But for the convenience of being able to swipe a card instead of typing the number in, I have to pay more money.

    Phooey! What would be great is a simple app that takes the number data and directly enters it into any text entry field.

    I could then simply go to the checkout on my site with my phone, tap on the CC number field then swipe the card for exactly the same result without paying a cent more.

  15. Not cool of Square to require registration before letting us know it’s US only. It wouldn’t be that hard to just put “US residents only” on the register page.

    Also, money handling sites that has no, or hard to find contact info pisses me off. That’s why I’m writing this here, haha.

  16. Hey
    I had picked up one of these Readers on ebay, and have since not used it even once.

    I was wondering if anyone could point me in the direction of software (linux, windows, or android) that can actually be used to read the data off of a magnetic stripe using the Square reader?


      The problem is those audio connectors can only output one head reading without a chip to queue SRAM or flash/eeprom stored buffers filled with each heads input. Plus the square reader only has a one-head-head so the part isn’t good for much anyway.

      If you want to do it right and get all data from cards get one of the proto boards from here or the other make sites, and get a 3-head 3mm head off the net and write a firmware that sends the data over USB or does all the waveform to ASCII in firmware and allows download over USB.

    1. State and country IDs use arbitrary encryption and signing. I think the primary magstripe ids have a reference number used on databases because lack of space. That encoded block on some is also encrypted.

      I like europe cards because they have chip&pin and use browser plugins for verification to streamline auth.

  17. There appears to be some confusion around what is and is not on a credit card.

    There are two security features or keys if you like.

    One is the CVC2 M/C or CVV2 Visa. This value is on the back of the card. It is the three digit value you input to make an Internet purchase.

    On the magnetic stripe is the CVC1 M/C or CVV1 Visa value.

    That is why the mag needs to be read. Once captured you use a “write” head to create a counterfeit card. Yes there is some value in capturing the visible information, but the value to create a counterfeit card lies embedded in the mag stripe.

    Crooks can create hundreds of clone from a single swipe minutes or seconds after the card is swiped.

    The original Square device allowed for a cheap and convenient way to steal the card mag. They put encryption on the device to prevent this.

    So now the crooks have to purchase their card swlipers on eBay rather than get their swlipers for free from Square.

        1. Didn’t read the link, but it makes sense you could just blast loud tones out the “headphones” into the swiper and get some DC power from that, enough to charge up a capacitor and then run long enough to do the swipe handling. Similar to how the RFID stuff uses near-field energy to power up (no battery).

  18. is updated frequently with free advice about Google Ad –
    Words strategy, tactics, tips tricks and techniques for success in Ad – Words advertising.
    In addition, the observing surgeons could transmit their comments to
    the operating surgeon, who could read them on the Google Glass
    monitor. Reputation Defense Online an around the world Cyber
    Investigation along with Litigation Assistance Agency for
    Net Defamation, often receives inquiries from attorneys along
    with law enforcement agencies on the way to subpoena
    Google’s Legal Division.

  19. Stuff on all CCs: Name, Expiration, Address, Encrypted Pin and some format data. This is T1 and T2

    You need in addition the CVV from the back for online transactions, and the pin for ATM transactions. The encrypted pin is arbitrarily encrypted and encoded, so even brute-force is a no go..

    I think the Amazon reader is also just the head, because it also uses the long 3.5mm jack that has has the mic support, but maybe they do an encoding or hardware encryption.

    Anyway you need to be able to read at least 1 and 2 tracks in one swipe..

    1. By the way, there are tape heads out there that are like 2mmx2mmx1mm. This is what was used in that super stealthy skimmer that was in the news not long ago. Hard to source unless you destroy some $20 readers..

  20. Wow I’ve been researching. There are 3mm 3-head reader heads but they’re $70.00 on the net.. I might get one and work on my own design.

    Making your own requires very fragile hand crafting of micro parts given it’s basically 3 coils that have to comply with the ISO spec..

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s