Farewell Magnetic Stripe

For decades, the magnetic stripe has been ubiquitous on everything from credit cards to tickets to ID badges. But the BBC reports — unsurprisingly — that the mag stripe’s days are numbered. Between smartphones, QR codes, and RFID, there’s just less demand for the venerable technology.

IBM invented the stripe back in the early 1960s. The engineer responsible, [Forrest Parry], was also involved in developing the UPC code. While working on a secure ID for the CIA, his wife suggested using an iron to melt a strip of magnetic tape onto the card. The rest is history.

Continue reading “Farewell Magnetic Stripe”

Make Your Own 1970s Magnetic Stripe Cards

We’re now all used to near-limitless storage on flash and other semiconductor technologies, but there was a time when persistent storage was considerably less easy to achieve. A 1970s programmable calculator from Sharp approached the problem with magnetic strips on special cards, and since [Menadue] has one with no cards, he set about making his own.

These cards are a little different to the credit-card-style cards we might expect, instead they’re a narrow strip with a magnetic stripe down their centre. The unusual feature can be found at the edge, where a row of perforations provide the equivalent of a clock line.

The newly manufactured cards have the clock slots machined along their edges, and then the magnetic part formed from self-adhesive magnetic strip. This last thing is a product we were not aware existed, and can think of plenty of possible applications.

The result as you can see in the video below the break are some cards with variable reliability. There’s a suggestion that white cards might work less well with the infrared light used in the clock detector, also a suspicion the low batteries make reading less easy, but still he’s able to retrieve a stored program. An extinct medium is revived.

Longtime readers will know we’ve spent time in calculator country before.

Continue reading “Make Your Own 1970s Magnetic Stripe Cards”

The Jookbox Is A Post-Modern Jukebox

The family of [Chris Patty] decided that their holiday gifts would have to be handmade. So, he decided to make something new for his father: a jukebox with a twist. Instead of a touchscreen or web interface, his jukebox uses swipe cards. To play a track, you find the card for the song you want to hear, swipe it, and the jukebox plays the requested track. The whole thing is built into a wooden box that hides its digital nature, which is built using a Raspberry Pi and a credit card stripe reader.

Continue reading “The Jookbox Is A Post-Modern Jukebox”

Hacking Oklahoma State University’s Student ID Cards

[Sam] took an information security class at Oklahoma State University back in 2013. For his final project, he and a team of other students had to find a security vulnerability and then devise a theoretical plan to exploit it. [Sam’s] team decided to focus on the school’s ID cards. OSU’s ID cards are very similar to credit cards. They are the same size and shape, they have data encoded on a magnetic strip, and they have a 16 digit identification number. These cards were used for several different purposes. Examples include photo ID, physical access to some areas on campus, charges to an online account, and more.

[Sam] and his team analyzed over 100 different cards in order to get a good sample. They found that all cards started with same eight digits. This is similar to the issuer identification number found in the first six digits of a credit card number. Th analysis also showed that there were only three combinations used for the next two digits. Those were either 05, 06, or 11. With that in mind, the total possible number of combinations for card numbers was mathematically calculated to be three million.

OSU also had a URL printed on the back of each card. This website had a simple form with a single field. The user can enter in a 16 digit card number and the system would tell the user if that card was valid. The page would also tell you if the card holder was an employee, a student, or if there were any other special flags on the card. We’re not sure why every student would need access to this website, but the fact is that the URL was printed right on the back of the card. The website also had no limit to how many times a query could be made. The only hint that the university was aware of possible security implications was the disclaimer on the site. The disclaimer mentioned that usage of the tool was “logged and tracked”.

The next step was to purchase a magnetic card reader and writer. The team decoded all of the cards and analyzed the data. They found that each card held an expiration date, but the expiration date was identical for every single card.  The team used the reader/writer to copy the data from [Sam’s] card and modify the name. They then wrote the data back onto a new, blank magnetic card. This card had no printing or markings on it. [Sam] took the card and was able to use it to purchase items from a store on campus. He noticed that the register reached back to a server somewhere to verify his real name. It didn’t do any checks against the name written onto the magstripe. Even still, the cashier still accepted a card with no official markings.

The final step was to write a node.js script to scrape the number verification website. With just 15 lines of code, the script will run through all possible combinations of numbers in a random sequence and log the result. The website can handle between three and five requests per second, which means that brute forcing all possible combinations can be completed in roughly two days. These harvested numbers can then be written onto blank cards and potentially used to purchase goods on another student’s account.

[Sam’s] team offers several recommendations to improve the security of this system. One idea is to include a second form of authorization, such as a PIN. The PIN wouldn’t be stored on the card, and therefore can’t be copied in this manner. The primary recommendation was to take down the verification website. So far OSU has responded by taking the website offline, but no other changes have been made.

Hackaday Links Column Banner

Hackaday Links: October 5th, 2014

Good news from CadSoft this week. They didn’t miss all the complaints about their decision to use a Node Lock License for EAGLE 7. This had meant that users of the popular PCB design software would be limit on how many machines they could use the software with a license. They have removed License Management from the package (and all the citizens rejoiced).

We’re tripping over the growing pile of hardware that boast the “next-big-thing” in getting devices onto a network. That’s not a complaint at all. This time around it’s a cell chip, the U-blox SARA-U260, which can connect to 3G on the AT&T network and is just 16x26mm. They call it world’s smallest but we have no idea if that’s true or not. Anyone have a source and/or pricing for these? [Thanks Austin]

This guy loves his Nixie tube. How much? To the extent that he built up a hardware and software interface that behaves much like a pet. It’s voice activated, and the infectious delight of [Glasslinger’s] video demo is in itself worth watching. [Thanks Morris]

Making this Magnetic Stripe Reader work as a USB device is really nothing more than adding a serial-to-USB converter. The journey to find the way to add the converter makes for a fun read though.

We know from watching Breaking Bad that you can kill power to a building by shorting the power lines outside with a huge bouquet of mylar balloons. This installation is a twist on the idea. Connecting one mylar balloon to a Van de Graaff generator and floating it next to another results in an oscillating repel-discharge-repel cycle. [Thanks filnt via NPR]

Generating Music With Credit Cards

mozarts_credit_card

[Steve] was browsing around at a local electronics surplus store when he spotted an old Tranz 330 point-of-sale terminal that seemed pretty interesting. He took it home and after disassembling it, found that it contained a Z-80 based computer. Because the 330 shares the same processor as other hobbyist-friendly devices such as the TRS-80, he figured it would be quite fun to hack.

While the Z-80 processor is pretty common, [Steve] still had to figure out how it was interfaced in this particular device. After spending some time reverse engineering the terminal, he had free reign to run any program he desired. After thinking for a bit, he decided it would be cool to use the terminal to generate music based on whatever card was swiped through the reader – he calls his creation “Mozart’s Credit Card”.

He found that just playing sounds based on the raw contents of the mag strips didn’t produce anything coherent, so he wrote a small application for the terminal based on the Melisma Stochastic Melody Generator. Music is generated somewhat randomly using various card characteristics, as you can see in the video below.

We think it’s pretty cool, but [Steve] says he’s always open to suggestions, so let us know what you think in the comments.

Continue reading “Generating Music With Credit Cards”

Surprisingly Simple Magnetic Card Spoofer

[Craig’s] magnetic card spoofer is both simple and brilliant. There are two parts to spoofing these cards and he took care of both of them. The first part is getting the actual card data. He designed the spoofer board with a header that connects to a card reader for doing this. The second part is the spoofing itself, which is done with an electromagnet. As with past spoofers, he wrapped a shim with enamel-coated magnet wire. An old knife blade was picked for its thickness and ferromagnetism.  This magnet is driven by an ATtiny2313 which stores the data, and is protected by a transistor driving the coil. There were a few design flaws in his board, but [Craig] was able to get the same track data out of the spoof as the original card despite the LED being used as a protection diode and an ‘aftermarket’ resistor on the transistor base.