This hodge-podge of components is capable of spoofing the magnetic stripe on a credit card. [Sk3tch] built an electromagnet using a ferrous metal shim wrapped in enameled magnet wire. While he was doing the windings [Sk3tch] connected his multimeter to the metal shim and one end of the wire, setting it to test continuity. This way, if he accidentally scraps the enamel coating and grounds the wire on the metal the meter will sound and alarm and he’ll know about the short immediately. An Arduino takes over from here, actuating the coil to simulate the different data sections of a magnetic stripe.
From his schematic we see that the electromagnet is directly connected to two pins of the Arduino. We haven’t looked into the code but is seems there should be either some current limiting, or the use of a transistor to protect the microcontroller pins (we could be wrong about this).
[Sk3tch’s] realization of this spoofer can be made quickly with just a few parts. Card data must be written in the code and flashed to the Arduino. If you want to see what a more feature-rich version would entail take a look at this spoofer that has a keypad for changing data on the go.
Here’s a hack that makes business sense. [PT] recalls last year’s HOPE conference when their booth was using a virtual credit card terminal for purchases that required manual entry of card information. This year they’ll have the same virtual terminal but this magnetic stripe reader will fill it out automatically.
A magstripe reader (reading only, no funny business here) from Mouser grabs data from the card. A Teensy microcontroller board, which identifies itself as a USB keyboard, automatically fills out the virtual terminal from the parsed data. The real question, are his customers comfortable sliding their plastic through a hacked reader?
You may want to be more careful where you put that ATM card. There are now ATM skimmers with SMS notification. ATM skimmers are placed over real ATM slots and the information off the cards as they’re inserted. The new models will send the skimmed information via SMS notifications to a phone that’s attached to a computer. This solves the problem of scammers needing to retrieve their skimmers without attracting the attention of police. ATM skimmer manufacturers have so far been really successful because of their commitment to security, from the paint they use to cover their skimmers to their exclusive clientele. The manufacturer of this particular model claims that none of their clients who’ve used this new ATM skimmer has been arrested, and they only accept business from “recommended” clients. We think it’s interesting and ironic how these criminals have adapted their security procedures to deal with institutions we wish were more secure.