Hello,
My colleagues and I are enrolled in a course which deals with various aspects of computer security. The particular area we are studying now is security involing magstripe (non-smartcard) systems. Specifically, we have been asked to analyze the security of the card based vending machines on campus.
Our initial conclusion is that the security will be poor -- the vending machines are not connected to a network so each machines "vision" of the outside world is limited by what is encoded on a card. This would undoubtedly make each machine vulnerable to "double spending attacks". We are currently attempting to investigate the specific details of what information is stored to the card (ie. whether amounts are encrypted, timestamps are used, etc.) Again, these cards are just "dumb" magstripe cards so our analysis will be much simpler than if they were smartcards.
We have purchased a magstrip reader and writer. This unit has the ability to read and write in "raw" mode (independent of any of the ISO standards). The company that manufacturers the vending cards is called "Debitek"
Some questions -- the reader/writer we purchased has what is called an "BPI" (Bits Per Inch) setting. This can be set to either 75 or
210. I assume that this value tells the reader where to look for the next bit as it reads the data -- if Debitek used a value that wasn't 75 or 210, would this explain the reason we are unable to read their magstripe? There are also parity settings (odd or even) and another option that allows us to specify how many leading zeros should precede the sentinel value.Our goal is to read the value on this magstripe. We just want to see the raw binary values. Does anyone have any idea why the magstripe reader is not detecting anything on this magstripe? (We know that it's not empty because the vending machine can read the values from the card). I suppose its possible that Debitek has used some non- standard way to record 1 and 0 onto the card, in which case we need to find a way to observe the contents of the magstripe in terms of the two states it posesses. Any ideas?
We're hoping for a relatively inexpensive way to accomplish this project -- buying the card reader/writer was a huge expense, given that we have no need for it after the project is complete.
I apologize if there was a better newsgroup to which I should have posted my querey -- this one seemed the most appropriate of the groups I found discussing magstripe technology.
Also, for those wondering/concerned, our group has full permission from the school and professor to carry out our research assignment. Obviously, when we are successful in completing our project, we would be able to "steal" from the vending machines, but any theft would lead to failing grades for all group members. Although the vending machines are not in real-time communication with each others or a "home base", when the funds are collected a transaction log is downloaded so any discrepancies would immediately be detected.
Any suggestions, tips and advice are greatly appreciated.
Thanks,
Jacob