Reading credit cards with a tape head

A company called Square is giving out free credit card readers that turn any iPhone or iPad into a Point of Sale terminal. [Steve] got a hold of one of these tiny peripherals and did what any sane person would do: tear it apart and learn how it works. This bit of hardware is a little unimpressive; unsurprising because Square is giving them away. With simplicity comes an ease in understanding, and [Steve] was able to successfully read his own credit card with this tiny and free credit card reader.

[Steve]‘s work in decoding credit card data builds off [Count Zero]‘s article from the bbs days. Basically, each credit card has two or three tracks. Track three is mostly unused, whereas track one contains the card holder name, account number, cvc code and other ancillary data. Track two only contains the credit card number and expiration date.

The only components in the Square card reader are a head from a tape player and a 1/8″ microphone jack. The magnetic head in the Square card reader is positioned to only read track two. With a small shim, it’s possible to re-align the head to get the data from track one. After recording an audio file of him sliding his card though the Square reader, [Steve] looked at the number of times the waveform flipped from positive to negative. From this, he was able to get the 1s and 0s on the card and converted them to alphanumeric using the 6-bit ANSI/ISO alpha format.

[Steve] isn’t going to share the code he wrote for Android just yet, but it should be relatively easy to replicate his work with the Android tutorial he used. Also, yes, we did just pose the question of how these Square credit card readers work just hours ago. Good job being on the ball, [Steve]. Tips ‘o the hat go out to [Bobby], [Leif], [Derek] and anyone else we might have missed.

EDIT: [Stephen] sent in his teardown minutes after this post went live. Hackaday readers are too fast at this stuff.

Comments

  1. Dave says:

    I remember doing almost the same sort of thing with credit cards on Beta Max players back in the 80’s. You’d run the player and run the CC over the magnetic tape head and see the CC number show up on the screen. Can’t believe history repeats it’s self once again but only smaller.

    • nes says:

      Wait, what??!?

      This sounds a bit like that myth that if you taped a bit of betamax tape to the back of a credit card the ATM would spontaneously eject all of its cash, Superman III style. All my friends were doing that ;)

      • Dave says:

        The Superman III thing I’d call a myth, but if you look around the Betamax trick was a well documented concept that I believe even 2600 did an article about many many many moons ago.

    • Faelenor says:

      What are you talking about?!

    • Haku says:

      I have a Betamax player, and some old bank cards with magnetic stripes on, but I don’t believe that wiping the card next to the head will produce a number on screen.

    • GS says:

      It should be noted that the CVC or security code is NOT ON ANY TRACKS OF THE MAG STRIPE. That would defeat the whole purpose of the the code

      • slashsplat says:

        Actually, the human readable CVV2 (Visa), CVC2 (MC), CID (Disc/Amex) is not on the stripe, BUT there IS (usually) an embedded security code within the stripe data. It is used when the tracks are sent in for processing to validate the tracks. It would go in the “discretionary data” field on Track one just before the end sentinel.

  2. Stephen says:

    Damn that was fast!

  3. rasz says:

    code for the audio credit card reader:

    http://www.gae.ucm.es/~padilla/extrawork/soundtrack.html

  4. Steve says:

    There is one more component in the Square reader, which is a 5.2k resistor between the read head and mic line. I’ll put up another pic on the post which shows that.
    And I DO plan on putting up the app, and the android library which makes it work. I just haven’t quite done it yet.

  5. kevin mcguigan says:

    it is interesting that square has to “verify” your identity in order to get the reader. square is using https secure address but i just thought it was odd. why do they ask that i wonder. i ordered mine and will see what happens.

  6. Colecago says:

    I don’t feel comfortable giving my last 4 and birth date for one of those :-/

    • graphmastur says:

      You don’t have to, I bought mine at a nearby Walmart. You can still accept cash payments (kinda pointless there), it just won’t let you accept credit cards through their system.

    • DeAuthThis says:

      I don’t think most of you understand it..
      If your going to use it for transactions they NEED to know who you are for tax purposes..

      Shit, they have my full SSN and address, and right they should. Like any other credit card processor, Just as right paypal also has my SSN and address.

      I feel bad for this little start-up though. They wanted to partner with paypal.. Instead paypal said no, then released the PayPal here! It’s the same device (just fancier looking) its also free (not in stores, yet) but you have to upgrade your paypal account to business class (also free, but your fees change)..

      The idea was it’d be nicer and faster to get cash to your paypal account.

      I wouldn’t say this IRL but I use mine for little cash-advances dirt cheap from my credit card..

  7. Colecago says:

    Nice, and if you try and use a fake last 4, they ask for the full social. No thanks.

  8. Camerin says:

    I heard a story from our schools lab tech (an old ham operator and repairmen), he claims that when the magnetic swipe was being developed, one company made a set and gave it to some engineers and told that that if they can get the account information off of this magnetic strip they can have the money. The lab tech claims that every group got their money and the first group did this sort of hack using a tape deck.
    It isn’t supprising. Remember the guys that were recording the numbers off the readers at the ATM in eastern europe. Credit cards are really not that secure.

  9. Brad says:

    I was at a conference a year or so ago, and Square reps walked around handing them out to every vendor/booth that would take them. Nobody kept them, so I ended up with 10 or so. Plan is to make a sort of musical instrument that generates sound based on the swiped data.

  10. Eliot says:

    Those are the old readers. The new readers are a litte more sophisticated including lots more hardware and a battery http://venturebeat.com/2012/03/26/square-adds-encryption-to-its-square-reader/ These just started shipping in the last month. Adding encryption to the reader was one of the requirements that came as part of Visa’s investment in the company.

    Competitor VeriFone took issue with the lack of encryption last year http://www.engadget.com/2011/03/09/verifone-calls-out-square-for-gaping-security-hole-publishes/ but that backfired for them.

    • Greenaum says:

      I dunno why it needs to be encrypted from the reader, it’s on the card in plaintext. Do the encrypting on the phone, using the extremely suitable hardware. If I can figure this out, who’s in charge at Visa?

      I remember instructions for one of these, using a read and write tape head, an op-amp, and mounting it to a bit of wood, to make a simple hand-swiped card copier. Some old BBS doc, might’ve even been the Jolly Roger. ALL IN CAPS, APPLE ][ STYLE!

    • Greenaum says:

      Not only that, but I thought they were trying to slowly kill off the mag-stripe, in favour of the much safer smart chips. Subject to a suitable port on the phone, a smart-card reader should be easier to make. Why not launch tiny little USB smartcard readers? There must be next to nothing in ‘em.

    • slashsplat says:

      The new standards from the Payment Card Industry are forcing a move to end-to-end encryption, regardless of the source of the data. This means that the data is AT LEAST protected in transit. I suspect that the Square application encrypts the data after it gets it from the head, and BEFORE it sends it to the network. That is a minimal requirement of the PCI DSS standards. They do NOT (yet) require the card data to be encrypted from the point of reading (head) to the computer application (smartphone program) as that is not considered a “network” connection. MagTek and others have created hardware that encrypts the data IN the head. That will be deployed over time. Eventually, it truly WILL be encrypted from head to network server.

  11. Barefoot says:

    From their website about the reader:
    Fully encrypted: Square performs data encryption within the card reader at the moment of swipe.

    Can anybody explain how this is happening with the minimal components in the reader?

  12. mm777 says:
  13. dad2rtg says:
  14. Stephen says:

    So are these old readers we both have useless?

  15. joshua says:

    thy all ready have it for android so no reason to make your own a Lil to slow that’s prob why he did not release it he gave or sold it to them lmfao

  16. Skeltorr says:

    One day there will be no more cash and the government/corps will truly own you.

    You will swipe/rfid all transactions with your GPS enabled phone. When, where, how much and even what. All recorded to be mined by companies, the IRS, your health insurance, etc.

    This is phase 3… give everyone card readers.

  17. charliex says:

    the new one has a cr2032, amp and an msp430 which has built in TDES.

  18. Jeff L. Richtman says:

    So the new ones do encryption. First off WHY? if someone is swiping your card they can simply see the numbers. Encrypting over the network I can see and should have been done from day 1.

    Second, This takes me back to the 80’s it always amazes me when I see projects using swipes that they paid 10 bucks for when these are pretty much all you need.

    Good article and thanks for posting the guts, I always expected that was all it consisted of but never wanted to give out my full info’s to get one.

  19. ejonesss says:

    that’s scary that all the info is there possibly unencrypted.

    that means anyone with an ios device could skim your card and get everything thy need to use the card or even copy the card.

    • Chris says:

      As opposed to all the other skimming devices available? There have been reports for longer than there have been ios devices of waiters using a device the size of a pager to skim credit card details.

      One such story: http://consumerist.com/2011/08/waitress-gets-revenge-on-tough-customers-by-skimming-their-credit-cards.html

      • Tony says:

        Or the nearly invisible passthru skimmers dropped over the actual “dip” style slot on ATMs which log cards used there and the skimmer doesn’t even need to be there. They have motorized rollers and detect and inhale the card just like the normal slot does, feeding it into the machine’s actual slot behind the “parasite”. Most of them use memories so they have to come back and get it, but no reason it couldn’t be wireless and remotely report the info so they could plant it and never return to the scene (info blasted to some untraceable SMS endpoint via burner phone account?). When numbers stop rolling in, go plant another. Hardware cost is no issue as the scammed info definitely buys the new parts once you invest in building one “skim bug” and get even a few. And it’s molded plastic so it really doesn’t look much different unless you pay attention to every curve and design detail on the mini-ATM at your gas station… not many people do, and they are all made with weird and nonsensical “whoops” and “waves” on the front anyhow so how would you know some weird ass slot thing is not supposed to be there, if it looks like the same plastic as the main case, and it didn’t feel all Playskool and hacky when you rammed your card in. Basically nobody finds them until maintenance comes out to refill or service.

        I think a fun social experiment would be to make a R/W version of a parasitic slot skimmer that would read and log cards like usual, but then also write the previous users info on the way out. That way whoever used the ATM would end up with someone elses card cloned onto their stripe and be ‘scamming’ each other completely unknown and unaided. Musical credit cards! I bet companies would quit using stripes almost immediately then…

  20. Chris says:

    They didn’t ask for my full social only the last four, but… If they are giving you the power to accept credit cards for financial transactions there are probably certain reporting requirements consistent with the governments desire to hinder money laundering operations, ID theft, and other activities contrary to US law.

  21. Joe says:

    I loved the 2600 article about this.

  22. Hyratel says:

    After reading this, I took a dig through my parts bins for other reasons and grabbed a read head which I would not have otherwise given even a second glance. Thank you!

  23. SnD says:

    Idea: take the new one with battery, hack the electronics (or made a custom PCB) to record every swipe, let’s say it can store 3-4 card’s data. Add a button to toggle between “stored cards”(by number of presses) and automagically pass the data to the iDevice after 2 seconds…
    Just passed my mind, don’t know how to continue.

  24. Galane says:

    I have a website where I can take payments from credit cards with PayPal.

    But for the convenience of being able to swipe a card instead of typing the number in, I have to pay more money.

    Phooey! What would be great is a simple app that takes the number data and directly enters it into any text entry field.

    I could then simply go to the checkout on my site with my phone, tap on the CC number field then swipe the card for exactly the same result without paying a cent more.

  25. Jo says:

    Cool.. though I’ve had one for my android over a year ago…

  26. ohm says:

    Could it read checks MICR?

  27. Hacktic says:

    Something similar was published in “hacktic” magazine in The Netherlands in 1990.
    The published circuit used magnetheads of a casette tape players to copy creditcards.

    http://hacktic.nl/magazine/0820.htm

  28. amras3 says:

    I live in canada and its a states only thing?? possible anyone would be willing to send me one??

  29. Johannes says:

    Not cool of Square to require registration before letting us know it’s US only. It wouldn’t be that hard to just put “US residents only” on the register page.

    Also, money handling sites that has no, or hard to find contact info pisses me off. That’s why I’m writing this here, haha.

  30. Maave says:

    They gave these out at my uni, fun little devices they are. I doubt anybody actually registered, we just wanted a handy card reader.

  31. ThunderMoose says:

    Hey
    I had picked up one of these Readers on ebay, and have since not used it even once.

    I was wondering if anyone could point me in the direction of software (linux, windows, or android) that can actually be used to read the data off of a magnetic stripe using the Square reader?

  32. mp says:

    what about drivers licences any way to read the stripes

  33. parkerlreed says:

    Found another way to use it. Record the audio with an Echo smartpen.

  34. Lynda says:

    So, how “safe” is the latest reader from Square? Anyone hacked it?

  35. Fraudfinder says:

    There appears to be some confusion around what is and is not on a credit card.

    There are two security features or keys if you like.

    One is the CVC2 M/C or CVV2 Visa. This value is on the back of the card. It is the three digit value you input to make an Internet purchase.

    On the magnetic stripe is the CVC1 M/C or CVV1 Visa value.

    That is why the mag needs to be read. Once captured you use a “write” head to create a counterfeit card. Yes there is some value in capturing the visible information, but the value to create a counterfeit card lies embedded in the mag stripe.

    Crooks can create hundreds of clone from a single swipe minutes or seconds after the card is swiped.

    The original Square device allowed for a cheap and convenient way to steal the card mag. They put encryption on the device to prevent this.

    So now the crooks have to purchase their card swlipers on eBay rather than get their swlipers for free from Square.

  36. Andrew says:

    I just opened a new one. It uses a TI msp430g2412 microcontroller — for the encryption I assume.

  37. Anders says:

    Has anyone opened up the paypal card reader?
    Why does the readers need a battery, how about harvesting power from the phone?

  38. Craig says:

    Does anyone have the a library we can install for iPhone to read the data?

  39. awo says:

    please i need to decoded my terminal machine , when ever customer want to buy a goods the terminal demand for pin code i want to disativated it, how can i do this

  40. Google says:

    is updated frequently with free advice about Google Ad –
    Words strategy, tactics, tips tricks and techniques for success in Ad – Words advertising.
    In addition, the observing surgeons could transmit their comments to
    the operating surgeon, who could read them on the Google Glass
    monitor. Reputation Defense Online an around the world Cyber
    Investigation along with Litigation Assistance Agency for
    Net Defamation, often receives inquiries from attorneys along
    with law enforcement agencies on the way to subpoena
    Google’s Legal Division.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 97,539 other followers