Magstripe Analysis Part 1 – Introduction to Magstripe Cards
Sunday, December 21, 2008 at 9:30PM
From time to time I encounter magnetic stripe (magstripe) cards when performing penetration tests and security assessments. I mainly encounter them when looking at physical access control systems and kiosks. During these assessments it is often important to understand what is encoded onto these cards and what will happen if you change the data stored on the cards; it's amazing how many systems do not sanitize the data received from a magcard.
This post is the first in a multipart series on reading, analyzing and manipulating magnetic stripe (magstripe) cards. Before I get into the fun stuff I'll give a little introduction to magstripes. The “standard” magstripe card is defined by the ISO 7810 standard and a couple of extensions to that standard. ISO 7810 covers the physical characteristics of identification cards such as the dimensions of the card.
ISO 7811 is an extension to 7810 and covers how data is physically recorded onto the card. A standard magstripe can hold up to three tracks of data. The physical dimensions and locations of these tracks are defined in this ISO standard. 7811 also covers the coercivity of the magstripe. The two coercivity ratings, HiCo and LoCo, will be covered in a future post.

ISO 7813 is another extension to 7810 and covers the format used to encode data on financial transaction cards. Although this standard was developed for use on financial transaction cards such as ATM and credit cards, it is now the standard used by most magstripe cards. These other cards may not follow the exact specifications listed in 7813, but generally they use the same character set, bits per inch (BPI) and parity bits defined in 7813. This standard only defines tracks one and two. The third track is defined by the Thrift-Savings industry (ISO 4909). All three standards are presented below.
Track 1 is encoded at 210 bits per inch (BPI), uses 7-bit characters (6 data bits and 1 parity bit) and can contain up to 79 alphanumeric characters. The start sentinel at the beginning of the strip is a “%”, fields are generally separated using a “^” or “%” and the end sentinel is a “?”. After the end sentinel is a Longitudinal Redundancy Check (LRC) value.
Track One Layout
Track 2 is encoded at 75 BPI, uses 5-bit characters (4 data bits and 1 parity) and can contain up to 40 numeric characters. Track 2 uses the BCD character set which includes numbers 0-9 and special characters : ; < = > ? . The start sentinel at the beginning of the strip is a “;”, fields are separated using a “=” and the end sentinel is a “?”. After the end sentinel is an LRC value.
Track Two Layout
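The track 2 encoding described above can be checked at the bit level. The following is an added example, not code from the original post: it decodes a constructed bitstream and verifies per-character parity and the LRC. It assumes least-significant-bit-first recording, odd parity, and an LRC that is the XOR of all characters from start sentinel to end sentinel; `encode_track2`, `read_char`, `decode_track2` and `SAMPLE` are names made up for this example.

```python
# Added example: track 2 decode (5-bit characters) with parity and LRC checks.
# Assumptions not stated on the page: bits are recorded least-significant
# first, each character has ODD parity, and the LRC is the XOR of every
# character from start sentinel to end sentinel.
MAX_CHARS = 40                      # page: up to 40 characters on track 2
SAMPLE = ";123456789=0812101?"      # constructed test data, not a real card

def encode_track2(text, leading_zeros=8):
    """Build a constructed bitstream (clock zeros + chars + LRC) as input."""
    nibbles = [ord(c) - 0x30 for c in text]
    lrc = 0
    for n in nibbles:
        lrc ^= n
    bits = [0] * leading_zeros
    for n in nibbles + [lrc]:
        data = [(n >> i) & 1 for i in range(4)]
        bits += data + [1 - sum(data) % 2]      # parity bit makes the count odd
    return bits

def read_char(bits, pos):
    """Return the 4-bit value of the 5-bit character at pos, checking parity."""
    group = bits[pos:pos + 5]
    if len(group) < 5:
        raise ValueError("truncated track")
    if sum(group) % 2 != 1:
        raise ValueError("parity error at bit %d" % pos)
    return sum(b << i for i, b in enumerate(group[:4]))

def decode_track2(bits):
    """Decode a track 2 bitstream; raise ValueError on any integrity failure."""
    if 1 not in bits:
        raise ValueError("no start sentinel")
    pos = bits.index(1)                          # skip leading clock zeros
    nibbles = [read_char(bits, pos)]
    if nibbles[0] != 0xB:                        # 0x3B is ';'
        raise ValueError("no start sentinel")
    while nibbles[-1] != 0xF:                    # 0x3F is '?', the end sentinel
        if len(nibbles) >= MAX_CHARS:
            raise ValueError("track exceeds %d characters" % MAX_CHARS)
        pos += 5
        nibbles.append(read_char(bits, pos))
    check = 0
    for n in nibbles:
        check ^= n
    if read_char(bits, pos + 5) != check:        # LRC follows the end sentinel
        raise ValueError("LRC mismatch")
    return "".join(chr(0x30 + n) for n in nibbles)

if __name__ == "__main__":
    print(decode_track2(encode_track2(SAMPLE)))
```

A single flipped bit is caught by the parity check; two flipped bits inside one character pass parity and are caught only by the LRC.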
Track 3 (also called THRIFT format) also uses the BCD character set from track 2 but encodes data at 210 BPI and can hold up to 107 numeric characters.
Track Three Layout
I think that's about enough writing for one day. Next in the series I'll be covering the differences between HiCo and LoCo cards!
If you have any specific questions about magstripe cards or topics you'd like me to cover post them in the comments and I'll be sure to include them in future posts.



Reader Comments (11)
interesting info. looking forward to learning more. any readers / writers you've used? ever overflowed a reader?
You might be interested in a post over on my blog regarding how to build your own magstripe reader using a PIC (for security research purposes) rather than relying on a commercial off the shelf solution. If you decide to go down this route please feel free to get in touch and I'll pass on the actual schematic. The code for it is all in the blog posting but I left out the schematic to create a sort of hurdle.
Oops! Would have been good if I left a link to the blog!!
Enclave Forensics Blog
JCran,
In part 3 of this series I'll cover the reader/writer I recommend using.
I've seen a couple of overflow vulnerabilities in systems that accept data from magstripe cards. Sadly I could only crash the application, I was not able to execute any arbitrary code.
Cheers,
Matt
David,
Nice work on making a reader! I can think of a couple of applications where a simple stand alone reader would be handy. Plus for a while now I've wanted to get into playing with PICs. This could be a good project to help me get my feet wet. I'll drop you an email so you can send over the schematics.
Cheers,
Matt
Great series Matt! You should do a segment on the Security Justice podcast about magstripe analysis and some of your research...this is really good stuff!
Matt,
Could you share more information about the current use of the third track? While I understand the standards were created by the Thrift Savings industry, outside of its use on Driver's Licenses, is it really in use today on credit cards, debit cards, gift cards, or other stored value cards?
Thanks for your insight!
- Curious
hi can anyone give me the circuit diagram for a small mag reader output to usb prefer 3 chip configuration with source code to upload the pic chip n download info software please help urgent tks please reply me at bobo160000@live.com
CAN SOMEONE PLEASE SEND ME AN EXAMPLE AS WHAT IS SEEN ON Track 1, Track 2, and track 3, as the above, and the following not making sense to me, I need to see it as it is written on the card...
Track one, Format B:
Start sentinel — one character (generally '%')
Format code="B" — one character (alpha only)
Primary account number (PAN) — up to 19 characters. Usually, but not always, matches the credit card number printed on the front of the card.
Field Separator — one character (generally '^')
Name — two to 26 characters
Field Separator — one character (generally '^')
Expiration date — four characters in the form YYMM.
Service code — three characters
Discretionary data — may include Pin Verification Key Indicator (PVKI, 1 character), PIN Verification Value (PVV, 4 characters), Card Verification Value or Card Verification Code (CVV or CVK, 3 characters)
End sentinel — one character (generally '?')
Longitudinal redundancy check (LRC) — one character (Most reader devices do not return this value when the card is swiped to the presentation layer, and use it only to verify the input internally to the reader.)
Track 2. This format was developed by the banking industry (ABA). This track is written with a 5-bit scheme (4 data bits + 1 parity), which allows for sixteen possible characters, which are the numbers 0-9, plus the six characters : ; < = > ? . The selection of six punctuation symbols may seem odd, but in fact the sixteen codes simply map to the ASCII range 0x30 through 0x3f, which defines ten digit characters plus those six symbols. The data format is as follows:
Start sentinel — one character (generally ';')
Primary account number (PAN) — up to 19 characters. Usually, but not always, matches the credit card number printed on the front of the card.
Separator — one char (generally '=')
Expiration date — four characters in the form YYMM.
Service code — three characters
Discretionary data — as in track one
End sentinel — one character (generally '?')
LRC — one character - (It should be noted that most reader devices do not return this value when the card is swiped to the presentation layer, and use it only to verify the input internally to the reader.)
David H
david_harner@rock.com
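The Format B field list in the comment above doubles as an input-validation specification for anything that consumes swipe data. The following is an added example, not code from the post or its commenters: a strict parser that enforces the 79-character track 1 limit and the listed field lengths before any field is used. The name and discretionary-data allowlists and the ASCII 0x20 to 0x5F character range are assumptions of this example, as are the names `parse_track1_b`, `TRACK1_B` and `GOOD`.

```python
import re

MAX_TRACK1 = 79     # page: track 1 holds up to 79 characters
# Field layout from the Format B list above. The name and discretionary-data
# allowlists are assumptions of this example; tighten them for your issuer.
TRACK1_B = re.compile(
    r"%B(?P<pan>[0-9]{1,19})"
    r"\^(?P<name>[A-Z './-]{2,26})"
    r"\^(?P<expiry>[0-9]{4})(?P<service>[0-9]{3})"
    r"(?P<discretionary>[0-9A-Z ]*)\?"
)

def parse_track1_b(raw):
    """Return the fields of a Format B swipe or raise ValueError."""
    if not isinstance(raw, str):
        raise ValueError("swipe data must be text")
    if len(raw) > MAX_TRACK1:                    # reject before any copying
        raise ValueError("track 1 longer than %d characters" % MAX_TRACK1)
    # 6 data bits give 64 symbols; assumed mapping is ASCII 0x20 to 0x5F.
    if any(not 0x20 <= ord(c) <= 0x5F for c in raw):
        raise ValueError("character outside the track 1 set")
    m = TRACK1_B.fullmatch(raw)
    if m is None:
        raise ValueError("not a well-formed Format B track")
    return m.groupdict()

GOOD = "%B0000000000000000^DOE/JANE^9912101123?"   # constructed sample

if __name__ == "__main__":
    print(parse_track1_b(GOOD))
```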
I would like to know if any one has a Circuit Diagram on how to build a Magnetic Strip Writer, and/or the Circuit Diagram for Magnetic Strip reader/Writer
David H
david_harner@rock.com