Member
- Joined
- Oct 14, 2023
- Messages
- 42
- Thread Author
- #1
Few people think about it, but credit cards are rewritable media with a small capacity (~2 KB). If you swipe the magnetic stripe of a credit card across the head of a tape recorder, you will hear a sound. This is a modulated signal that contains the account number, the cardholder's name, and some additional information. Of course, modern credit cards are a little more complicated than a regular tape recorder, but the principle of operation is absolutely identical. As is often the case with many technical solutions that are outdated, but accepted and used everywhere, because of the implementation itself, credit cards do not actually have any serious copy protection.
How does a typical credit card work?
Depending on the bank and card type, there may be 3 elements installed on the card:
1. Magnetic stripe on the back of the card — in fact, there are three magnetic stripes, the so-called Track 1, 2 and 3.
The surface of the magnetic layer of a credit card under a microscope.
Theoretically, armed with scissors, tape, cardboard and a piece of tape, you can make your own magnetic cardfrom acorns and matches but it's easier to buy a ready-made one or use an old expired credit card. (Yes, banks cut invalid credit cards precisely to prevent such fraud). Various VISA gift cards are ideally suited for such purposes, in addition to the recordable magnetic layer, they also have a presentable appearance.
Head of the card reader, three elements for reading magnetic tracks are clearly visible.
Credit cards usually use Track 1 and 2. In the past, the PIN code was stored in encrypted form on track number 3, so that you can work with ATMs in offline mode. But with the development of communication systems and the blatant vulnerability of this approach, the last ATMs that worked with an offline pin on Track 3 went into oblivion in the mid-90s. Currently, Track 3 is practically not used in credit cards.
2. EMV (Europay, MasterCard, Visa Chip) chip-similar to a SIM card and having similar electronic characteristics. This chip is responsible for checking card transactions on EMV-compatible ATMs and was created by an international group of credit companies in response to the excessive ease of copying credit cards with magnetic tape.
I didn't deal with this problem seriously, but as far as I understand, it's not enough just to copy the contents of the chip to another card, primarily because there is often no information on the chip (sometimes a copy of Track 2 is stored on the chip). The check is performed at the hardware level, and there are references on the Internet that the ATM generates a certain number, to which the chip should give the correct answer. However, in many banks, the check is simply for the presence of an EMV chip from this bank. In particular, this is how Sberbank cards worked a few years ago (I don't know how they work now).
In other words, if you write a magnetic stripe on a card without an EMV chip or a card with an EMV chip of another bank, the ATM will not accept such a card, but if you roll up the track on an expired card of the same bank with the correct EMV chip,you can withdraw money.
In any case, EMV only protects the ability to withdraw money from ATMs, and only those that have this function. In the vast majority of payment terminals and ATMs around the world, only a magnetic card is still read without EMV.
3. RFID (Radio-frequency identification) — chip and antenna for contactless card reading. Usually, RFID is embedded in the plastic itself and is visible if you look at the card in bright light at an angle.
The RFID contactless payment system has no hardware connection to the operation of the EMV chip and the magnetic layer. In particular, the number of the RFID chip that is used to make payments has nothing to do with the number on the plastic or magnetic strip. All communication is done exclusively through bank servers, where account, credit card, and RFID chip numbers are associated with a single account.
In fact, if you remove the RFID chip and antenna by dissolving the card in acetone, the RFID will work, while the magnetic card will be destroyed. Banks just want ordinary people to associate all these functions with a single payment document. Unlike EMV, an RFID chip does not participate in card authentication at an ATM or anywhere else and does not affect your ability to create a clone of the magnetic layer of a particular card. Such a copy will simply not be able to make contactless payments. It is possible to copy an RFID chip, but this is the topic of a separate large article.
4. CVC2 (Card Verification Number 2) – a control number of 3 digits usually on the reverse side (sometimes CVC2 is printed on the front side) for making online purchases. CVC2 is printed on the card itself, but is not stored anywhere on the magnetic track.
All other elements, such as holograms, various printing, letters and numbers stamped in plastic, are purely cosmetic elements. As we have already seen, a credit card is a carrier of information, and it is the information that makes the card credit.
How do I copy cards with a magnetic stripe?
Hardware: MSR 206
There is a fairly large range of hardware for working with magnetic cards. The best choice is MSR 206 compatible devices: they are the most common and there is the most software available for them. They are purchased through any online store such as Ebay or Amazon. The device operates via a serial com port interface. But don't worry if you don't have a com port: most readers have a built-in converter and connect via USB. The cost ranges from $ 100 to $ 300, the devices differ in configuration and design, but there is no fundamental difference between them.
After connecting the device to the system, in the Task Manager, pay attention to which com the device is installed on.
MagCard Write\Read Utility Program 2.01
The software that comes with the device driver on disk doesn't work well. In my opinion, its development has remained unchanged since 2002. Most of the cards I tried to write using the official utility didn't work. Errors when reading and writing, an inconvenient interface (in particular, it is very easy to call the card erase command by mistake), periodic loss of communication with the device, and the most disgusting thing is that after the first launch, the program monopolizes the com port on which MSR206 is connected, and interferes with the work of other applications, up to the inevitable uninstall. Therefore, I do not advise you to install this monster from programming even out of curiosity, because there is The Jerm — one of the best applications for working with magnetic cards.
The Jerm MSR206 Utility
An application created by a well-known carder and specialist in document forgery, under the network nickname Jerm, so the program is named after the author. Until 2007, new versions of the utility were published on the site cardingzone.org. But this project has been closed for several years, and the development of the program is frozen at version 1.78. But the existing functions are more than enough. According to rumors, Jerm is either serving a prison sentence for his overly productive activities, or he decided to just lie low.
Attention!
Before proceeding, start your firewall and close the application completely TheJerm.exe Internet access. This can be done using the standard Windows firewall: "Control Panel\System and Security \ Windows Firewall" or your main firewall program, for example, in KIS, you need to add the program to the list of weak restrictions or simply block all network traffic. The programs in this article do not contain malicious code and do not show any network activity, but you can not take risks and trust anyone in this case. There are a lot of fake versions of TheJerm that look the same, some even perform their function, but send data about the cards you read to attackers. This precaution will not be superfluous when working with any software for working with cards, except for our own software. Ideally, it is better to use a separate computer for all actions without an Internet connection.
Actions Tab
To work with the program, you will need the Actions tab
Read — read the card. The indicator on the MSR206 will turn yellow. After the card is read, its contents will appear in the ASCII and HEX windows, as well as in the Track 1, 2, and 3 fields.If you want to save the image of the received card, click "File\Save as...". If you want to make a duplicate right away, click Write. And swipe a blank card over MSR206 — the card is copied.
Erase Track (s) — if you want to rewrite a card that already has some information (for example, an expired bank card), then you need to clear the card before using it again. To do this, select all three tracks (for reliability), click Erase, and swipe the card across the device. If you want, you can delete a single track, such as Tack 2, without affecting the rest, but usually this is not necessary. Be careful, if you haven't saved the card image on your computer before, the card will be lost.
Converting Track 2 data to Track 1 - If you only have Track 2 but don't have Track 1, paste Track 2 in the appropriate line, and then double-click Track 1. Then the program will generate the correct Track 1 based on Track 2. However, you will have to register the cardholder's name yourself — Track 2 doesn't contain it.
How does a typical credit card work?
Depending on the bank and card type, there may be 3 elements installed on the card:
1. Magnetic stripe on the back of the card — in fact, there are three magnetic stripes, the so-called Track 1, 2 and 3.
The surface of the magnetic layer of a credit card under a microscope.
Theoretically, armed with scissors, tape, cardboard and a piece of tape, you can make your own magnetic card
Head of the card reader, three elements for reading magnetic tracks are clearly visible.
Credit cards usually use Track 1 and 2. In the past, the PIN code was stored in encrypted form on track number 3, so that you can work with ATMs in offline mode. But with the development of communication systems and the blatant vulnerability of this approach, the last ATMs that worked with an offline pin on Track 3 went into oblivion in the mid-90s. Currently, Track 3 is practically not used in credit cards.
2. EMV (Europay, MasterCard, Visa Chip) chip-similar to a SIM card and having similar electronic characteristics. This chip is responsible for checking card transactions on EMV-compatible ATMs and was created by an international group of credit companies in response to the excessive ease of copying credit cards with magnetic tape.
I didn't deal with this problem seriously, but as far as I understand, it's not enough just to copy the contents of the chip to another card, primarily because there is often no information on the chip (sometimes a copy of Track 2 is stored on the chip). The check is performed at the hardware level, and there are references on the Internet that the ATM generates a certain number, to which the chip should give the correct answer. However, in many banks, the check is simply for the presence of an EMV chip from this bank. In particular, this is how Sberbank cards worked a few years ago (I don't know how they work now).
In other words, if you write a magnetic stripe on a card without an EMV chip or a card with an EMV chip of another bank, the ATM will not accept such a card, but if you roll up the track on an expired card of the same bank with the correct EMV chip,you can withdraw money.
In any case, EMV only protects the ability to withdraw money from ATMs, and only those that have this function. In the vast majority of payment terminals and ATMs around the world, only a magnetic card is still read without EMV.
3. RFID (Radio-frequency identification) — chip and antenna for contactless card reading. Usually, RFID is embedded in the plastic itself and is visible if you look at the card in bright light at an angle.
The RFID contactless payment system has no hardware connection to the operation of the EMV chip and the magnetic layer. In particular, the number of the RFID chip that is used to make payments has nothing to do with the number on the plastic or magnetic strip. All communication is done exclusively through bank servers, where account, credit card, and RFID chip numbers are associated with a single account.
In fact, if you remove the RFID chip and antenna by dissolving the card in acetone, the RFID will work, while the magnetic card will be destroyed. Banks just want ordinary people to associate all these functions with a single payment document. Unlike EMV, an RFID chip does not participate in card authentication at an ATM or anywhere else and does not affect your ability to create a clone of the magnetic layer of a particular card. Such a copy will simply not be able to make contactless payments. It is possible to copy an RFID chip, but this is the topic of a separate large article.
4. CVC2 (Card Verification Number 2) – a control number of 3 digits usually on the reverse side (sometimes CVC2 is printed on the front side) for making online purchases. CVC2 is printed on the card itself, but is not stored anywhere on the magnetic track.
All other elements, such as holograms, various printing, letters and numbers stamped in plastic, are purely cosmetic elements. As we have already seen, a credit card is a carrier of information, and it is the information that makes the card credit.
How do I copy cards with a magnetic stripe?
Hardware: MSR 206
There is a fairly large range of hardware for working with magnetic cards. The best choice is MSR 206 compatible devices: they are the most common and there is the most software available for them. They are purchased through any online store such as Ebay or Amazon. The device operates via a serial com port interface. But don't worry if you don't have a com port: most readers have a built-in converter and connect via USB. The cost ranges from $ 100 to $ 300, the devices differ in configuration and design, but there is no fundamental difference between them.
After connecting the device to the system, in the Task Manager, pay attention to which com the device is installed on.
MagCard Write\Read Utility Program 2.01
The software that comes with the device driver on disk doesn't work well. In my opinion, its development has remained unchanged since 2002. Most of the cards I tried to write using the official utility didn't work. Errors when reading and writing, an inconvenient interface (in particular, it is very easy to call the card erase command by mistake), periodic loss of communication with the device, and the most disgusting thing is that after the first launch, the program monopolizes the com port on which MSR206 is connected, and interferes with the work of other applications, up to the inevitable uninstall. Therefore, I do not advise you to install this monster from programming even out of curiosity, because there is The Jerm — one of the best applications for working with magnetic cards.
The Jerm MSR206 Utility
An application created by a well-known carder and specialist in document forgery, under the network nickname Jerm, so the program is named after the author. Until 2007, new versions of the utility were published on the site cardingzone.org. But this project has been closed for several years, and the development of the program is frozen at version 1.78. But the existing functions are more than enough. According to rumors, Jerm is either serving a prison sentence for his overly productive activities, or he decided to just lie low.
Settings Tab
Launch it TheJerm.exe go to Settings, select the com port where you have MSR206 connected, and click set port. If the connection was successful, the message should appear: INITIALIZING... MSR206 FOUND ON COM X... READY. Where X is the com port number on which MSR206 is installed. If desired, you can get information about the model and firmware version of the card reader, as well as test the LEDs.Attention!
Before proceeding, start your firewall and close the application completely TheJerm.exe Internet access. This can be done using the standard Windows firewall: "Control Panel\System and Security \ Windows Firewall" or your main firewall program, for example, in KIS, you need to add the program to the list of weak restrictions or simply block all network traffic. The programs in this article do not contain malicious code and do not show any network activity, but you can not take risks and trust anyone in this case. There are a lot of fake versions of TheJerm that look the same, some even perform their function, but send data about the cards you read to attackers. This precaution will not be superfluous when working with any software for working with cards, except for our own software. Ideally, it is better to use a separate computer for all actions without an Internet connection.
Actions Tab
To work with the program, you will need the Actions tab
Read — read the card. The indicator on the MSR206 will turn yellow. After the card is read, its contents will appear in the ASCII and HEX windows, as well as in the Track 1, 2, and 3 fields.If you want to save the image of the received card, click "File\Save as...". If you want to make a duplicate right away, click Write. And swipe a blank card over MSR206 — the card is copied.
Erase Track (s) — if you want to rewrite a card that already has some information (for example, an expired bank card), then you need to clear the card before using it again. To do this, select all three tracks (for reliability), click Erase, and swipe the card across the device. If you want, you can delete a single track, such as Tack 2, without affecting the rest, but usually this is not necessary. Be careful, if you haven't saved the card image on your computer before, the card will be lost.
Converting Track 2 data to Track 1 - If you only have Track 2 but don't have Track 1, paste Track 2 in the appropriate line, and then double-click Track 1. Then the program will generate the correct Track 1 based on Track 2. However, you will have to register the cardholder's name yourself — Track 2 doesn't contain it.