A company called Square is giving out free credit card readers that turn any iPhone or iPad into a Point of Sale terminal. [Steve] got a hold of one of these tiny peripherals and did what any sane person would do: tear it apart and learn how it works. This bit of hardware is a little unimpressive; unsurprising because Square is giving them away. With simplicity comes an ease in understanding, and [Steve] was able to successfully read his own credit card with this tiny and free credit card reader.
[Steve]’s work in decoding credit card data builds off [Count Zero]’s article from the BBS days. Basically, each credit card has two or three tracks. Track three is mostly unused, whereas track one contains the card holder name, account number, CVC code and other ancillary data. Track two only contains the credit card number and expiration date.
The only components in the Square card reader are a head from a tape player and a 1/8″ microphone jack. The magnetic head in the Square card reader is positioned to only read track two. With a small shim, it’s possible to re-align the head to get the data from track one. After recording an audio file of him sliding his card through the Square reader, [Steve] looked at the number of times the waveform flipped from positive to negative. From this, he was able to get the 1s and 0s on the card and converted them to alphanumeric using the 6-bit ANSI/ISO alpha format.
[Steve] isn’t going to share the code he wrote for Android just yet, but it should be relatively easy to replicate his work with the Android tutorial he used. Also, yes, we did just pose the question of how these Square credit card readers work just hours ago. Good job being on the ball, [Steve]. Tips ‘o the hat go out to [Bobby], [Leif], [Derek] and anyone else we might have missed.
EDIT: [Stephen] sent in his teardown minutes after this post went live. Hackaday readers are too fast at this stuff.
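The decoding steps described in the article, as an added example (not [Steve]’s unreleased Android code): flux-flip intervals become bits, and the bits become characters in the 6-bit alpha format, with the parity and LRC checks that separate a clean read from a bad one. It assumes the ISO track-one framing of six data bits sent least significant first plus an odd-parity bit, with an LRC character after the end sentinel; the function names, the card string and the waveform are all constructed for the illustration.

```python
SAMPLE_TEXT = "%B0000000000000000^CONSTRUCTED/SAMPLE^0000?"  # constructed, not a real card

def char_bits(v):
    """6 data bits, least significant first, plus an odd-parity bit."""
    data = [(v >> k) & 1 for k in range(6)]
    return data + [1 - sum(data) % 2]

def encode_track(text):
    """Test fixture: clocking zeros, the characters, then the LRC character."""
    bits, lrc = [], 0
    for c in text:
        v = ord(c) - 0x20            # 6-bit alpha: value 0 is ASCII space
        lrc ^= v                     # LRC = XOR of every character's data bits
        bits += char_bits(v)
    return [0] * 20 + bits + char_bits(lrc) + [0] * 20

def to_samples(bits, cell=40):
    """Test fixture: +1/-1 waveform; the cell stretches as the 'swipe' slows."""
    level, out = 1, []
    for i, b in enumerate(bits):
        n = cell + i // 10
        level = -level               # flux always flips at a cell boundary
        if b:                        # a 1 has an extra flip in mid-cell
            out += [level] * (n // 2)
            level = -level
            out += [level] * (n - n // 2)
        else:
            out += [level] * n
    return out

def flip_intervals(samples):
    """Sample counts between successive sign changes of the recording."""
    gaps, last = [], 0
    for i in range(1, len(samples)):
        if (samples[i] > 0) != (samples[i - 1] > 0):
            gaps.append(i - last)
            last = i
    return gaps

def intervals_to_bits(gaps):
    """One full-cell gap is a 0; two half-cell gaps are a 1."""
    bits, cell, i = [], gaps[0], 0   # leading zeros calibrate the cell length
    while i < len(gaps):
        one = gaps[i] <= 0.75 * cell and i + 1 < len(gaps)
        cell = gaps[i] + gaps[i + 1] if one else gaps[i]  # follow swipe speed
        bits.append(int(one))
        i += 2 if one else 1
    return bits

def decode_alpha(bits):
    """Locate '%', read 7-bit characters, reject bad parity or LRC."""
    ss = char_bits(ord("%") - 0x20)
    start = next((i for i in range(len(bits) - 6) if bits[i:i + 7] == ss), None)
    if start is None:
        raise ValueError("no start sentinel")
    text, lrc = "", 0
    for p in range(start, len(bits) - 13, 7):
        if sum(bits[p:p + 7]) % 2 != 1:
            raise ValueError(f"parity error at bit {p}")
        v = sum(b << k for k, b in enumerate(bits[p:p + 6]))
        lrc ^= v
        text += chr(v + 0x20)
        if text[-1] == "?":          # end sentinel: the next character is the LRC
            if bits[p + 7:p + 14] != char_bits(lrc):
                raise ValueError("LRC mismatch")
            return text
    raise ValueError("no end sentinel")

def read_swipe(samples):
    """Full path: recording -> flip intervals -> bits -> checked text."""
    return decode_alpha(intervals_to_bits(flip_intervals(samples)))
```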
I remember doing almost the same sort of thing with credit cards on Beta Max players back in the 80’s. You’d run the player and run the CC over the magnetic tape head and see the CC number show up on the screen. Can’t believe history repeats itself once again but only smaller.
Wait, what??!?
This sounds a bit like that myth that if you taped a bit of betamax tape to the back of a credit card the ATM would spontaneously eject all of its cash, Superman III style. All my friends were doing that ;)
The Superman III thing I’d call a myth, but if you look around the Betamax trick was a well documented concept that I believe even 2600 did an article about many many many moons ago.
What are you talking about?!
I have a Betamax player, and some old bank cards with magnetic stripes on, but I don’t believe that wiping the card next to the head will produce a number on screen.
It should be noted that the CVC or security code is NOT ON ANY TRACKS OF THE MAG STRIPE. That would defeat the whole purpose of the code.
Actually, the human readable CVV2 (Visa), CVC2 (MC), CID (Disc/Amex) is not on the stripe, BUT there IS (usually) an embedded security code within the stripe data. It is used when the tracks are sent in for processing to validate the tracks. It would go in the “discretionary data” field on Track one just before the end sentinel.
Yeah, but the pin is, just encrypted. Other than that it’s mostly boring format data and what’s on the front of the card and address
Damn that was fast!
I don’t even need to use google anymore. Just ask people on HaD…
code for the audio credit card reader:
http://www.gae.ucm.es/~padilla/extrawork/soundtrack.html
There is one more component in the Square reader, which is a 5.2k resistor between the read head and mic line. I’ll put up another pic on the post which shows that.
And I DO plan on putting up the app, and the android library which makes it work. I just haven’t quite done it yet.
Mine has a 100ohm resistor instead. Makes me wonder if Square is recycling, using old new stock of cassette readers.
I’m not 100% certain of the value of mine. I’m no hardware guy. But I did try to measure it with a multimeter and got a value in agreement with what I thought I decoded the stripes to.
I wouldn’t be particularly surprised to find that the actual resistors used vary.
lol they are free…
It is interesting that Square has to “verify” your identity in order to get the reader. Square is using an HTTPS secure address, but I just thought it was odd. Why do they ask that, I wonder. I ordered mine and will see what happens.
A year ago, they didn’t care. I suppose they want more realistic customers, unlike people like me who just wanted one to throw into my pile of gadgets, and later take apart.
I’ve seen them for sale at Best Buy for 10$. I doubt they will ask for any info there.
Lazy crooks can use these to skim. This is ‘supposed’ to help discourage that, I’d wager.
I don’t feel comfortable giving my last 4 and birth date for one of those :-/
You don’t have to, I bought mine at a nearby Walmart. You can still accept cash payments (kinda pointless there), it just won’t let you accept credit cards through their system.
I don’t think most of you understand it..
If you’re going to use it for transactions they NEED to know who you are for tax purposes..
Shit, they have my full SSN and address, and right they should. Like any other credit card processor, Just as right paypal also has my SSN and address.
I feel bad for this little start-up though. They wanted to partner with paypal.. Instead paypal said no, then released the PayPal here! It’s the same device (just fancier looking), it’s also free (not in stores, yet) but you have to upgrade your paypal account to business class (also free, but your fees change)..
The idea was it’d be nicer and faster to get cash to your paypal account.
I wouldn’t say this IRL but I use mine for little cash-advances dirt cheap from my credit card..
Nice, and if you try and use a fake last 4, they ask for the full social. No thanks.
I got rejected and I used all real info. I just messaged them, I could use this for when I mod arcade sticks for people at home, so they don’t have to run to the bank for cash.
A bit more about your Arcade stick mod(s) please?
I heard a story from our school’s lab tech (an old ham operator and repairman), he claims that when the magnetic swipe was being developed, one company made a set and gave it to some engineers and told them that if they can get the account information off of this magnetic strip they can have the money. The lab tech claims that every group got their money and the first group did this sort of hack using a tape deck.
It isn’t surprising. Remember the guys that were recording the numbers off the readers at the ATM in Eastern Europe. Credit cards are really not that secure.
and by the way, just build one…. it is 3 parts, old tape head from any tape player, 100 ohm resistor, and a 4 pin audio jack. it would take 3 minutes to solder.
This would make a great HAD tutorial, using some ancient tape player for parts. We could even use the recording parts to reprogram one I bet!
Anybody know of a cheap source for the 4 pin headphone jacks?
Those old tangled headphones shoved to the back of your desk drawer. If not there, maybe in that old backpack in your closet.
well, the whole point of the credit card swipe IS NOT security but convenience/speed during transactions. it’s digitizing the old carbon paper credit card swipe. that’s why we still have raised numbers on the card, so they can be quickly swiped on carbon paper. in any case, the card # is right there on the front of the card.
I was at a conference a year or so ago, and Square reps walked around handing them out to every vendor/booth that would take them. Nobody kept them, so I ended up with 10 or so. Plan is to make a sort of musical instrument that generates sound based on the swiped data.
Mellotron.
Wasn’t familiar with the Mellotron, and holy crap! What a funky machine.
name it creditfraudotron
Those are the old readers. The new readers are a little more sophisticated, including lots more hardware and a battery: http://venturebeat.com/2012/03/26/square-adds-encryption-to-its-square-reader/ These just started shipping in the last month. Adding encryption to the reader was one of the requirements that came as part of Visa’s investment in the company.
Competitor VeriFone took issue with the lack of encryption last year http://www.engadget.com/2011/03/09/verifone-calls-out-square-for-gaping-security-hole-publishes/ but that backfired for them.
I dunno why it needs to be encrypted from the reader, it’s on the card in plaintext. Do the encrypting on the phone, using the extremely suitable hardware. If I can figure this out, who’s in charge at Visa?
I remember instructions for one of these, using a read and write tape head, an op-amp, and mounting it to a bit of wood, to make a simple hand-swiped card copier. Some old BBS doc, might’ve even been the Jolly Roger. ALL IN CAPS, APPLE ][ STYLE!
Not only that, but I thought they were trying to slowly kill off the mag-stripe, in favour of the much safer smart chips. Subject to a suitable port on the phone, a smart-card reader should be easier to make. Why not launch tiny little USB smartcard readers? There must be next to nothing in ’em.
The new standards from the Payment Card Industry are forcing a move to end-to-end encryption, regardless of the source of the data. This means that the data is AT LEAST protected in transit. I suspect that the Square application encrypts the data after it gets it from the head, and BEFORE it sends it to the network. That is a minimal requirement of the PCI DSS standards. They do NOT (yet) require the card data to be encrypted from the point of reading (head) to the computer application (smartphone program) as that is not considered a “network” connection. MagTek and others have created hardware that encrypts the data IN the head. That will be deployed over time. Eventually, it truly WILL be encrypted from head to network server.
From their website about the reader:
Can anybody explain how this is happening with the minimal components in the reader?
Whoops, [Eliot] beat me to it.
With the magic of marketing.
here android
https://play.google.com/store/apps/details?id=com.squareup
intuit and paypal have these as well.
http://gopayment.com/
https://www.paypal.com/webapps/mpp/new-payment-solutions?intl_cid=3484-150736-8030-1
So are these old readers we both have useless?
They already have it for android so no reason to make your own, a lil too slow, that’s prob why he did not release it, he gave or sold it to them lmfao
One day there will be no more cash and the government/corps will truly own you.
You will swipe/rfid all transactions with your GPS enabled phone. When, where, how much and even what. All recorded to be mined by companies, the IRS, your health insurance, etc.
This is phase 3… give everyone card readers.
the new one has a cr2032, amp and an msp430 which has built in TDES.
Builtin DES on a msp, that I’d like to see.
Any pics/specs of the new reader?
Don’t have any specs on it and haven’t done a complete teardown on it yet, just got it in today, but I’ve got some pics in an album: http://imgur.com/a/jJ11x
So the new ones do encryption. First off WHY? if someone is swiping your card they can simply see the numbers. Encrypting over the network I can see and should have been done from day 1.
Second, This takes me back to the 80’s it always amazes me when I see projects using swipes that they paid 10 bucks for when these are pretty much all you need.
Good article and thanks for posting the guts, I always expected that was all it consisted of but never wanted to give out my full info’s to get one.
Why? because it is difficult for a waiter to memorize the numbers of every card encountered during his shift, but with a device like this he could easily get 50 CC numbers a night.
simple, because the phone is unsecured so it’s possible that an app can sneak in and sniff it.
Most ARM OSs use trustzone hardware isolation to handle the data.. You have to find holes in each manufacturers trustzone kernel to dump the protected memory and inject code.. Even non-TZ chips have a software isolation.
not completely sure, but i don’t think the audio subsystem is using trustzone.
I’m talking about the major vendors, they have chip crypto that buffers over the audio API in to an isolated process that uses ARM TZ or Android jails. The key-data is all generated and passed within TrustZone which has hardware isolation.
reached reply depth, so the issue with this from back in 2012 was that you can snoop the audio/microphone traffic easily. I’m aware of TrustZone and how it works, but this wasn’t doing it. I still am not sure if the audio that’s coming in is not snoopable, the solution for them was to add more encryption hardware to the square device, which meant if you can snoop it, it’s encrypted at the end.
The PayPal and Amazon reader have hardware crypto that protect MITM on the audio API. Trustzone and software-jails protect the decryption handler and key-data. These cheap reader-heads to jack readers don’t so TZ doesn’t matter there..
I was pretty interested in this when the readers were first interested. Buffer overflows are needed to dump TZ over the because of how “Secure Configuration Register (SCR)” handles things.
reply depth again, yeah it was dumb of square to leave it out.
that’s scary that all the info is there possibly unencrypted.
that means anyone with an iOS device could skim your card and get everything they need to use the card or even copy the card.
As opposed to all the other skimming devices available? There have been reports for longer than there have been ios devices of waiters using a device the size of a pager to skim credit card details.
One such story: http://consumerist.com/2011/08/waitress-gets-revenge-on-tough-customers-by-skimming-their-credit-cards.html
Or the nearly invisible passthru skimmers dropped over the actual “dip” style slot on ATMs which log cards used there and the skimmer doesn’t even need to be there. They have motorized rollers and detect and inhale the card just like the normal slot does, feeding it into the machine’s actual slot behind the “parasite”. Most of them use memories so they have to come back and get it, but no reason it couldn’t be wireless and remotely report the info so they could plant it and never return to the scene (info blasted to some untraceable SMS endpoint via burner phone account?). When numbers stop rolling in, go plant another. Hardware cost is no issue as the scammed info definitely buys the new parts once you invest in building one “skim bug” and get even a few. And it’s molded plastic so it really doesn’t look much different unless you pay attention to every curve and design detail on the mini-ATM at your gas station… not many people do, and they are all made with weird and nonsensical “whoops” and “waves” on the front anyhow so how would you know some weird ass slot thing is not supposed to be there, if it looks like the same plastic as the main case, and it didn’t feel all Playskool and hacky when you rammed your card in. Basically nobody finds them until maintenance comes out to refill or service.
I think a fun social experiment would be to make a R/W version of a parasitic slot skimmer that would read and log cards like usual, but then also write the previous users info on the way out. That way whoever used the ATM would end up with someone elses card cloned onto their stripe and be ‘scamming’ each other completely unknown and unaided. Musical credit cards! I bet companies would quit using stripes almost immediately then…
They didn’t ask for my full social only the last four, but… If they are giving you the power to accept credit cards for financial transactions there are probably certain reporting requirements consistent with the governments desire to hinder money laundering operations, ID theft, and other activities contrary to US law.
I loved the 2600 article about this.
After reading this, I took a dig through my parts bins for other reasons and grabbed a read head which I would not have otherwise given even a second glance. Thank you!
Idea: take the new one with battery, hack the electronics (or made a custom PCB) to record every swipe, let’s say it can store 3-4 card’s data. Add a button to toggle between “stored cards”(by number of presses) and automagically pass the data to the iDevice after 2 seconds…Just passed my mind, don’t know how to continue.
could just record cards to an mp3 player. and pipe that into the mic input on your squareup enabled phone. not sure why you would want to cache cards. but whatever.
I have a website where I can take payments from credit cards with PayPal.
But for the convenience of being able to swipe a card instead of typing the number in, I have to pay more money.
Phooey! What would be great is a simple app that takes the number data and directly enters it into any text entry field.
I could then simply go to the checkout on my site with my phone, tap on the CC number field then swipe the card for exactly the same result without paying a cent more.
Cool.. though I’ve had one for my android over a year ago…
Could it read checks MICR?
New android APK has micr fonts in it
Something similar was published in “hacktic” magazine in The Netherlands in 1990.
The published circuit used magnetic heads of cassette tape players to copy credit cards.
http://hacktic.nl/magazine/0820.htm
I live in Canada and it’s a states only thing?? possible anyone would be willing to send me one??
Yeah I’ll do anything for a fellow hacker. Email me @ mathprophet@gmail.com
I’ll email u when I finish moving, that way i dont have to wait a eternity for canada post to forward it to my new address :)
Not cool of Square to require registration before letting us know it’s US only. It wouldn’t be that hard to just put “US residents only” on the register page.
Also, money handling sites that have no, or hard to find, contact info piss me off. That’s why I’m writing this here, haha.
They gave these out at my uni, fun little devices they are. I doubt anybody actually registered, we just wanted a handy card reader.
Hey
I had picked up one of these Readers on ebay, and have since not used it even once.
I was wondering if anyone could point me in the direction of software (linux, windows, or android) that can actually be used to read the data off of a magnetic stripe using the Square reader?
https://play.google.com/store/apps/details?id=me.cosmodro.app.rhombus
The problem is those audio connectors can only output one head reading without a chip to queue SRAM or flash/eeprom stored buffers filled with each heads input. Plus the square reader only has a one-head-head so the part isn’t good for much anyway.
If you want to do it right and get all data from cards get one of the proto boards from here or the other make sites, and get a 3-head 3mm head off the net and write a firmware that sends the data over USB or does all the waveform to ASCII in firmware and allows download over USB.
what about drivers licences any way to read the stripes
State and country IDs use arbitrary encryption and signing. I think the primary magstripe ids have a reference number used on databases because lack of space. That encoded block on some is also encrypted.
I like europe cards because they have chip&pin and use browser plugins for verification to streamline auth.
Found another way to use it. Record the audio with an Echo smartpen.
http://i.minus.com/ibpwNqCyxGb8KN.JPG
once recorded, how can you read the data?
I’m still trying to read the waveform.
there are some programs that can read the wave sound and convert it to ascii….
Techtronix’s program is the only one I know of and I believe it’s DRM and besides license login..
So, how “safe” is the latest reader from Square? Anyone hacked it?
There appears to be some confusion around what is and is not on a credit card.
There are two security features or keys if you like.
One is the CVC2 M/C or CVV2 Visa. This value is on the back of the card. It is the three digit value you input to make an Internet purchase.
On the magnetic stripe is the CVC1 M/C or CVV1 Visa value.
That is why the mag needs to be read. Once captured you use a “write” head to create a counterfeit card. Yes there is some value in capturing the visible information, but the value to create a counterfeit card lies embedded in the mag stripe.
Crooks can create hundreds of clone from a single swipe minutes or seconds after the card is swiped.
The original Square device allowed for a cheap and convenient way to steal the card mag. They put encryption on the device to prevent this.
So now the crooks have to purchase their card swipers on eBay rather than get their swipers for free from Square.
I just opened a new one. It uses a TI msp430g2412 microcontroller — for the encryption I assume.
http://i.imgur.com/O4oJW.jpg
Has anyone opened up the paypal card reader?
Why do the readers need a battery, how about harvesting power from the phone?
As the card is swiped it must encrypt the value and transmit. The phone jack cannot power the device.
This application note describes how 7mA at 3.3V can be harvested from an iphone…
http://cdn.energymicro.com/dl/an/pdf/an0054_efm32_phone_audio_jack_interface.pdf
Didn’t read the link, but it makes sense you could just blast loud tones out the “headphones” into the swiper and get some DC power from that, enough to charge up a capacitor and then run long enough to do the swipe handling. Similar to how the RFID stuff uses near-field energy to power up (no battery).
Does anyone have a library we can install for iPhone to read the data?
Please, I need to decode my terminal machine. Whenever a customer wants to buy goods, the terminal demands a PIN code. I want to deactivate it, how can I do this?
If you have access to the atm how you copy the all transaction or to transfer to the usb?
Stuff on all CCs: Name, Expiration, Address, Encrypted Pin and some format data. This is T1 and T2
You need in addition the CVV from the back for online transactions, and the pin for ATM transactions. The encrypted pin is arbitrarily encrypted and encoded, so even brute-force is a no go..
I think the Amazon reader is also just the head, because it also uses the long 3.5mm jack that has the mic support, but maybe they do an encoding or hardware encryption.
Anyway you need to be able to read at least 1 and 2 tracks in one swipe..
By the way, there are tape heads out there that are like 2mmx2mmx1mm. This is what was used in that super stealthy skimmer that was in the news not long ago. Hard to source unless you destroy some $20 readers..
Wow I’ve been researching. There are 3mm 3-head reader heads but they’re $70.00 on the net.. I might get one and work on my own design.
Making your own requires very fragile hand crafting of micro parts given it’s basically 3 coils that have to comply with the ISO spec..
Hey Friend i need some help
Any one guide me how to find the dumps pin? or how to try bruteforce on it …
i’m newbie in this please guide me please
please friends
I wonder if you could use one of those microphone jack to cassette player adapters to supply your read head? I realize the head there is meant to “write” to the cassette player’s head but I imagine it ought to work both ways. Such adapters can be had at a dollar store for,… well, a dollar.
Hello folks,
So need your valuable suggestion,
When we insert a card in an ATM, it should be inserted only in a proper direction.
As ATM uses Fixed drive Mechanism.
Does a mechanism exist which can read the card independent of its direction?
What i am looking for is a Rotating Drive Mechanism.
Where the Read Head will automatically detect the Magnetic Strip position.