Penetration Testing mailing list archives

RE: Mag Stripe reader for POS terminal pentest


From: Omar Herrera <oherrera () prodigy net mx>
Date: Wed, 15 Nov 2006 22:32:22 -0600

Hi Jason, 2 resources might be useful:
http://www.outpost9.com/how-to/hackfaq-cards.shtml 
and a classic from Phrack magazine:
http://www.hackcanada.com/ice3/card/phrack37-6.txt


I can't recommend a commercial reader, but if you have enough time, this seemed
to me a good alternative when I first saw this article on alt2600:
http://www.sephail.net/articles/magstripe/ (the software is on the web page and
the components are neither expensive nor difficult to find, but it won't
write). You should be able to read even non-standard tracks with this one.

Cloning is trivial because magnetic technology does not offer any protection
against copying. You might save some encoded or encrypted information on the
card but preventing cloning is virtually impossible (save for a few tricks,
like using non-standard-tracks). However if you are required to physically
demonstrate that cloning is possible you will definitely need a reader with
writing capability and a few test cards (Some magnetic stripe hotel cards of
the same size could be useful, but you need to make sure they are of the
same type). 

There are several readers available on the net (this is an example of one
that might be useful to you: http://www.wbe.com.cn/ProductsView.asp?id=150),
but be careful, many have old interfaces (e.g. serial or PS/2 connectors)
and some sites that sell card reading hardware and software, especially if
advertised with "unique" capabilities might be targeted for another market
(cloning cards after all is not a core task of pentesting ;-) )

Finally, don't forget to check the scope with your lawyer and your client.
Testing the terminals is one thing, but cloning a card to test the terminals
(you already know they are going to accept the cloned cards as long as you
copy all the data) is a different thing, especially if we are talking about
credit/debit cards. Cloning those is illegal in most parts of the world, so I
wouldn't go there. Remember that the cards are the property of the issuer, so
even if you get permission from the card holder, the card really doesn't belong to
him/her.

If I were in your situation, I would try to convince them with all available
literature that all these terminals are vulnerable to cloning simply because
of the limitations of technology itself, and then I would simply show them
how cloning any card (a previously written blank card) is possible with
things like the devices shown in the 3rd link.

I hope this helps,

Omar Herrera


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]

Can anyone recommend a good value magnetic stripe reader / writer for
pentesting POS terminals, specifically Micros POS terminals in a retail
environment?

I'm looking for anyone who has some insight or experience in this area.
I'm not positive, but I think these are HiCo magnetic stripe cards with
relevant track data on track 2, but a reader/writer for tracks 1, 2, and
3 would be great.  This would be used to test for potentially fraudulent
usage of magnetic cards such as cloning them, fraudulent transactions,
manipulation of track data and encoding of cards.

Any help or insight very much appreciated!
Thanks,
Jason
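Worked example added here (not code from either message in the thread): the track 2 layout that Jason asks about, encoded the way it sits on the stripe (ISO 7811 4-bit BCD characters, odd parity, LRC after the end sentinel), with a parser for the ISO 7813 fields and a re-encode step. It shows concretely what Omar means by "no protection against copying": the only checks on the track are per-character parity and an LRC, and both are recomputed trivially by whoever writes the card, so an edited service code re-encodes into a track that is every bit as valid as the original. The sample track is constructed for the example using the well-known 4111111111111111 test PAN; nothing here is real card data.

```python
# Added example: ISO 7811/7813 track 2 encoding and parsing. Not code from
# this thread; the sample track is constructed with a test PAN, not a real card.

TRACK2_CHARS = "0123456789:;<=>?"   # 4-bit BCD alphabet: ';' start, '=' separator, '?' end


def odd_parity(value, width):
    """Parity bit that makes the `width` data bits plus parity bit odd."""
    ones = bin(value & ((1 << width) - 1)).count("1")
    return 0 if ones % 2 == 1 else 1


def luhn_ok(pan):
    """Luhn check-digit test on a PAN given as a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def encode_track2(text):
    """Return the bit list written to the stripe for ';PAN=...?'.
    Each character is 4 data bits (LSB first) plus an odd parity bit; the
    LRC (XOR of every data nibble, sentinels included) follows the '?'."""
    if not (text.startswith(";") and text.endswith("?")):
        raise ValueError("track 2 data must run from ';' to '?'")
    bits, lrc = [], 0
    for ch in text:
        val = TRACK2_CHARS.index(ch)        # ValueError for chars outside the alphabet
        lrc ^= val
        bits += [(val >> i) & 1 for i in range(4)] + [odd_parity(val, 4)]
    bits += [(lrc >> i) & 1 for i in range(4)] + [odd_parity(lrc, 4)]
    return bits


def decode_track2(bits):
    """Inverse of encode_track2: verifies every parity bit and the LRC and
    returns the character string without the LRC."""
    if len(bits) % 5 or len(bits) < 10:
        raise ValueError("bit count is not a whole number of 5-bit characters")
    vals = []
    for i in range(0, len(bits), 5):
        chunk = bits[i:i + 5]
        val = sum(b << j for j, b in enumerate(chunk[:4]))
        if chunk[4] != odd_parity(val, 4):
            raise ValueError("parity error at character %d" % (i // 5))
        vals.append(val)
    data, lrc_read = vals[:-1], vals[-1]
    lrc = 0
    for v in data:
        lrc ^= v
    if lrc != lrc_read:
        raise ValueError("LRC mismatch")
    return "".join(TRACK2_CHARS[v] for v in data)


def decodes_cleanly(bits):
    """True if the bits pass parity and LRC checks, False otherwise."""
    try:
        decode_track2(bits)
        return True
    except ValueError:
        return False


def parse_track2(text):
    """Split ';PAN=YYMMSSSdiscretionary?' into its ISO 7813 fields."""
    body = text[1:-1]
    pan, sep, rest = body.partition("=")
    if sep != "=":
        raise ValueError("missing field separator")
    return {
        "pan": pan,
        "luhn_ok": luhn_ok(pan),
        "expiry": rest[:4],                 # YYMM
        "service_code": rest[4:7],          # e.g. 101: international, no restrictions
        "discretionary": rest[7:],
    }


def rewrite_service_code(text, new_code):
    """Rebuild the track with a different service code. The LRC is simply
    recomputed on encode, so the result reads as valid as the original."""
    f = parse_track2(text)
    return ";%s=%s%s%s?" % (f["pan"], f["expiry"], new_code, f["discretionary"])


# Constructed sample: Visa test PAN, expiry 12/25, service code 101.
SAMPLE = ";4111111111111111=2512101123456789?"

if __name__ == "__main__":
    bits = encode_track2(SAMPLE)
    print(len(bits), "bits ->", decode_track2(bits))
    print(parse_track2(SAMPLE))
    damaged = bits[:]
    damaged[7] ^= 1                          # a read error is caught by parity...
    print("single-bit error detected:", not decodes_cleanly(damaged))
    edited = rewrite_service_code(SAMPLE, "201")
    print("edited track decodes cleanly:", decodes_cleanly(encode_track2(edited)))
```

Parity and the LRC only catch read errors, not edits: flip one bit of a character and the decoder rejects it, but change the text and re-encode and every check passes. That is the property a writer-capable reader exploits, and why Omar's point stands that the stripe itself cannot be made clone-resistant.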

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
