Penetration Testing mailing list archives
RE: Mag Stripe reader for POS terminal pentest
From: Omar Herrera <oherrera () prodigy net mx>
Date: Wed, 15 Nov 2006 22:32:22 -0600
Hi Jason,

2 resources might be useful: http://www.outpost9.com/how-to/hackfaq-cards.shtml and a classic from Phrack magazine: http://www.hackcanada.com/ice3/card/phrack37-6.txt

I can't recommend a commercial reader, but if you have enough time, this seemed to me a good alternative when I first saw this article in alt2600: http://www.sephail.net/articles/magstripe/ (software is on the webpage and the components are neither expensive nor difficult to find, but it won't write). You should be able to read even non-standard tracks with this one.

Cloning is trivial because magnetic technology does not offer any protection against copying. You might save some encoded or encrypted information on the card, but preventing cloning is virtually impossible (save for a few tricks, like using non-standard tracks).

However, if you are required to physically demonstrate that cloning is possible, you will definitely need a reader with writing capability and a few test cards (some magnetic stripe hotel cards of the same size could be useful, but you need to make sure they are of the same type). There are several readers available on the net (this is an example of one that might be useful to you: http://www.wbe.com.cn/ProductsView.asp?id=150), but be careful: many have old interfaces (e.g. serial or PS/2 connectors), and some sites that sell card reading hardware and software, especially if advertised with "unique" capabilities, might be targeted for another market (cloning cards after all is not a core task of pentesting ;-) )

Finally, don't forget to check the scope with your lawyer and your client. Testing the terminals is one thing, but cloning a card to test the terminals (you already know they are going to accept the cloned cards as long as you copy all data) is a different thing, especially if we are talking about credit/debit cards. Cloning those is illegal in most parts of the world, so I wouldn't go there. Remember that the cards are property of the issuer, so even if you get permission from the card holder, it really doesn't belong to him/her.

If I were in your situation, I would try to convince them with all available literature that all these terminals are vulnerable to cloning simply because of the limitations of the technology itself, and then I would simply show them how cloning any card (a previously written blank card) is possible with things like the devices shown in the 3rd link.

I hope this helps,

Omar Herrera
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]

Can anyone recommend a good value magnetic stripe reader / writer for pentesting POS terminals, specifically Micros POS terminals in a retail environment? I'm looking for anyone who has some insight or experience in this area. I'm not positive, but I think these are HiCo magnetic stripe cards with relevant track data on track 2, but a reader/writer for tracks 1, 2, and 3 would be great.

This would be used to test for potentially fraudulent usage of magnetic cards such as cloning them, fraudulent transactions, manipulation of track data and encoding of cards.

Any help or insight very much appreciated!

Thanks,
Jason
Current thread:
- Mag Stripe reader for POS terminal pentest Jason Ostrom (Nov 15)
- RE: Mag Stripe reader for POS terminal pentest Omar Herrera (Nov 15)
- <Possible follow-ups>
- Mag Stripe reader for POS terminal pentest Bharat Puri (Nov 15)