Swipe This
Have you ever looked at your credit/debit card or driver license and wondered what data lie within the magnetic stripe or barcode? Cards are convenient, and you probably swipe them at a lot of stores. Some stores now require that they swipe or scan your driver license for alcohol purchases. What data is on your card, and what is the retailer storing in their system?
To find out what’s on your cards, you can build a magstripe reader for under $50 and use open-source software to read them. Stripe Snoop is software that not only reads your card’s data, but also parses it, identifies the card issuer, and tells you what the content means. On the hardware section of the site, you’ll find instructions for using some inexpensive components to make your own card reader. Make Volume 1 from O’Reilly has an article by the same author with nice detailed illustrations and directions (the link is just an excerpt).
At work, I have access to a retailer commercial card swipe and barcode scanner, so I decided to take a peek at some of my cards. Read on to find out what I found.
There are standards around the magstripe on cards, governed by the American National Standards Institute (ANSI) and the International Standards Organization (ISO). Not all cards use them, but cards issued by financial institutions and state governments do. The magstipe actually has 3 tracks encoded on it, with track 2 being used the most often and track 3 being used the least often. Actually, I don’t think the card reader I used could even read track 3.
Track 2. For my credit and debit cards, it contains the account number, expiration date, and encrypted PIN (debit). For my driver license, it contains a six-digit code for Ohio (636023), license number, expiration date, and my birth date.
Track 1. My credit, debit, and driver license all contain my name and address.
Even though I have my SSN listed on my driver license, it is not encoded on the magstripe. My birth date is in YYYYMMDD format, but the expiration date is in YYMM format. I guess everyone’s software has to use date windowing to handle the century problem. Having my name and address on track 1 explains why I get so much junk mail from a national store after shopping there. I thought it was because they were purchasing my information from the card issuer, but it turns out that a quick swipe gave them all the marketing information they needed.
The Ohio driver license also has a 1D barcode (code128 symbology) on the front, which simply contains the license number. The American Association of Motor Vehicle Administrators (AAMVA) defines the standards around the magstripe and barcodes for state driver licenses and ID cards. Most states are now implementing 2D barcodes, which contain the same information as the magstripe. My scanner looks like the Borg as it uses multiple laser patterns and paths to scan the PDF417 symbology barcode. These puppies can store around 1K of data.
Considering the data that the standards define could be put on my cards, I’m happy that I found only the minimum required. In the future, I might find my SSN, sex, height, weight, photo, and even fingerprint. Now, if I could build a card writer to wipe out my name and address information… hm…