Penetration Testing mailing list archives

Mag Stripe reader for POS terminal pentest


From: "Bharat Puri" <gunit.puri () gmail com>
Date: Thu, 16 Nov 2006 19:30:52 +1300

If they're part of a POS infrastructure then yes, they'll be HiCo cards
and track 2 will follow the ANSI/ISO BCD format ~ this track has the
data on it you'll likely want to fiddle with.

Personally I wouldn't bother with the MAKI writers as I found the
software rather cumbersome. My experience & research of looking at
ATMs and POSs had the MSR 206 as the daddy in this field in
conjunction with the Exeba software. Try eBay.
If you're looking to save money you may be lucky enough to score a
refurb or secondhand Fargo or Magicard card printer with HiCo encoder
for less than a new MSR 3-track HiCo encoder. eBay again!

There is also an MSRW206 (but this appears to be a slightly cheaper
Chinese clone of the above MSR206 which I have no experience with;
correct me if I'm wrong on the clone thing).

The track 2 format allows you a very limited character range from the
insertion of bad chars that'll be accepted by any POS terminal or ATM.
When manipulating, don't forget to ensure your badly formatted card
still remains Luhn compliant; this "should" be taken care of in the
encoding s/w for you but it's good to know how to calc the Luhn (modulus
10) digits (this acts as a basic checksum):
http://en.wikipedia.org/wiki/Luhn_algorithm

Track 2 format:
===========
     --Data Bits--   Parity
       b1  b2  b3  b4   b5    Character  Function

       0   0   0   0    1        0 (0H)    Data
       1   0   0   0    0        1 (1H)      "
       0   1   0   0    0        2 (2H)      "
       1   1   0   0    1        3 (3H)      "
       0   0   1   0    0        4 (4H)      "
       1   0   1   0    1        5 (5H)      "
       0   1   1   0    1        6 (6H)      "
       1   1   1   0    0        7 (7H)      "
       0   0   0   1    0        8 (8H)      "
       1   0   0   1    1        9 (9H)      "
       0   1   0   1    1        : (AH)    Control
       1   1   0   1    0        ; (BH)    Start Sentinel
       0   0   1   1    1        < (CH)    Control
       1   0   1   1    0        = (DH)    Field Separator
       0   1   1   1    0        > (EH)    Control
       1   1   1   1    1        ? (FH)    End Sentinel


By far one of the best papers written on track formats and specs is a
1992 phrack paper written by Count Zero ~
http://www.hackcanada.com/ice3/card/phrack37-6.txt

Rather than just writing bad data to track 2 and hoping for a terminal
fault, think about maybe the compare routines that may take place
between tracks 1 and 2. Because track 1 is in the ANSI/ISO alpha
format you've got a much greater char set to play with; maybe a null
byte written to track 1 could cause your terminal software problems
during a compare routine?
Then there's the usual suspects such as negative numbers where +ve is expected.



Dan Cornforth
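The Luhn check and the 5-bit odd-parity track 2 layout described in the post, as an added example that is not part of the original message: a small Python encoder/decoder that applies the checks a card reader or POS front end should enforce on incoming track 2 data before trusting it (per-character odd parity, sentinel framing, LRC, digits-only fields, and a Luhn mod-10 check on the PAN). The sample PAN is the publicly documented Visa test number 4111111111111111; the expiry, service code and discretionary data are constructed values.

```python
"""Track 2 (ISO/IEC 7811 BCD, 5-bit odd parity) encode/decode with input validation.

Added example, not code from the original post. Assumes only the public
track 2 layout:  ;PAN=YYMMSSSdddd...?LRC  (start sentinel, field
separator, end sentinel, then a longitudinal redundancy check character).
"""
from dataclasses import dataclass, field
from typing import List, Optional

CHARSET = "0123456789:;<=>?"      # 4-bit value 0x0..0xF -> track 2 character
START, FS, END = ";", "=", "?"    # start sentinel, field separator, end sentinel


def char_to_bits(ch: str) -> List[int]:
    """Four data bits b1..b4 (least significant first) plus odd-parity bit b5."""
    value = CHARSET.index(ch)
    data = [(value >> i) & 1 for i in range(4)]
    parity = 1 - (sum(data) % 2)  # odd parity: total number of 1 bits is odd
    return data + [parity]


def bits_to_char(bits: List[int]) -> Optional[str]:
    """Decode one 5-bit group; None signals a parity error (or wrong length)."""
    if len(bits) != 5 or sum(bits) % 2 == 0:
        return None
    return CHARSET[sum(b << i for i, b in enumerate(bits[:4]))]


def lrc_char(chars: str) -> str:
    """LRC: XOR of the data bits of every character, start to end sentinel inclusive."""
    acc = 0
    for ch in chars:
        acc ^= CHARSET.index(ch)
    return CHARSET[acc]


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total


def luhn_valid(digits: str) -> bool:
    return luhn_sum(digits) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The digit that makes partial + digit pass the mod-10 check."""
    return str((10 - luhn_sum(partial + "0") % 10) % 10)


def encode_track2(track: str) -> List[int]:
    """Bits for a framed track string ';...=...?' with the LRC appended."""
    if not (track.startswith(START) and track.endswith(END)):
        raise ValueError("track must be framed by ; and ?")
    bits: List[int] = []
    for ch in track + lrc_char(track):
        bits.extend(char_to_bits(ch))
    return bits


@dataclass
class Track2:
    pan: str = ""
    expiry: str = ""
    service_code: str = ""
    discretionary: str = ""
    errors: List[str] = field(default_factory=list)


def decode_track2(bits: List[int]) -> Track2:
    """Decode raw bits and collect every validation failure instead of trusting the data."""
    t = Track2()
    if len(bits) % 5:
        t.errors.append("bit count is not a multiple of 5")
    chars = []
    for i in range(0, len(bits) - len(bits) % 5, 5):
        ch = bits_to_char(bits[i:i + 5])
        if ch is None:
            t.errors.append(f"parity error in character {i // 5}")
            return t
        chars.append(ch)
    raw = "".join(chars)
    if not raw.startswith(START) or END not in raw:
        t.errors.append("missing start or end sentinel")
        return t
    end = raw.index(END)
    body = raw[: end + 1]
    if len(raw) <= end + 1 or raw[end + 1] != lrc_char(body):
        t.errors.append("LRC mismatch")
    fields = body[1:-1].split(FS)
    if len(fields) != 2:
        t.errors.append("expected exactly one field separator")
        return t
    t.pan, rest = fields
    if not (1 <= len(t.pan) <= 19 and t.pan.isdigit()):
        t.errors.append("PAN must be 1-19 digits")
    elif not luhn_valid(t.pan):
        t.errors.append("PAN fails Luhn check")
    if not rest.isdigit():  # control characters (: < >) do not belong in these fields
        t.errors.append("control character in additional data")
    t.expiry, t.service_code, t.discretionary = rest[:4], rest[4:7], rest[7:]
    return t


if __name__ == "__main__":
    # Constructed sample: Visa test PAN, expiry 12/2025, service code 101, made-up discretionary data
    good = encode_track2(";4111111111111111=25121011234567890?")
    print(decode_track2(good))
    flipped = list(good)
    flipped[7] ^= 1  # one corrupted data bit in the second character
    print(decode_track2(flipped).errors)
```

`decode_track2` reports every failed check rather than stopping at the first one it can continue past, which is what you want when logging rejected swipes: a parity error, an LRC mismatch, a control character in a numeric field and a PAN that fails Luhn are different symptoms and a terminal should be able to tell them apart.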
