This is part two of my series on analyzing magnetic stripe (magstripe) cards for security assessors and penetration testers. In the first part of the series I talked about the ISO standards used to define most magstripe cards. Today I'm going to talk about the difference between HiCo and LoCo cards and how this can impact reading and writing cards.

The classic magstripe is black in color, however today they come in a variety of different colors. The strips are made of tiny magnetic particles such as iron oxide or barium ferrite. Ones and zeros are encoded onto the strip by changing the polarity of the particles along the length of the strip, the exact process used to translate the magnet flux changes into ones and zeros will be explained in a future post.

Magnetic stripes are divided into two categories depending on how much force, measured in Oested (Oe) units, it takes to change the polarity of the particles and write data to the strips. This is also referred to as the coercivity of a card. Cards that require a 300 Oe field to write data are classified as Low Coercivity (LoCo) cards and cards that take a 2500-4000 Oe field are classified as High Coercivity (HiCo) cards.

In the past HiCo cards were only used in industrial environments were the cards would encounter strong magnetic fields. For example magstripe access control systems at airports often use HiCo cards. Today many credit cards are being made on HiCo cards so the strips won't be damaged as easily in our interference rich high tech world. Cards that need to be low cost or frequently re-written are generally LoCo cards. For example every hotel card is a LoCo card, this is also why these cards are so delicate and you can't get into your hotel room if you store your room key near your phone or magnetic money clip. The magnetic stripes used on paper mass transit tickets are also LoCo stripes for cost and re-writability reasons.

Now that we know the difference between HiCo and LoCo cards how does this impact reading and writing cards? Coercivity rating has no impact on reading a card. Every reader I have seen, even cheap ones, will read HiCo and LoCo cards. The big difference comes in when you need to write cards. Writers are HiCo and LoCo specific. For the most part I have only found LoCo writers openly available, HiCo writers obviously exist but are pretty hard to come by and very expensive.

Luckily LoCo cards will work just fine most penetration testing and security assessment applications where cards need to be created or manipulated. For instance if you need to make you own cards this can easily be done with a LoCo writer, more on this in a future post. Even if you need to manipulate a HiCo card you can simply read it with a normal card reader, manipulate the data and write it onto a LoCo card. The target reader cannot tell the difference between HiCo and LoCo cards, the LoCo card just may not last as long in an environment with strong magnetic fields. Luckily for most assessment work you will only need to use the card for a short period of time so the fragility of LoCo cards is not an issue.

Next up in the series I'll cover selecting the proper hardware and software to read and write magstripes!

Any questions on the difference between High Coercivity and Low Coercivity magnetic stripe cards?