
MagSpoof: a device that can spoof credit cards/magstripes and disable Chip & PIN

MagSpoof is a device that can spoof/emulate any magnetic stripe or credit card. It can work "wirelessly", even on standard magstripe/credit card readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card.

On Mr. Robot Season 6 we saw Darlene break into a hotel room using a combination of wigs, gadgets, and sleight of hand. It all happens pretty fast, and the upshot is basically "she got into the room with technology," but what she’s doing is a lot more grounded and plausible than you might think.

(Screenshot from Samy Kamkar's YouTube video)

The core trick here is cloning the maid’s hotel key, which can open any room in the hotel. The card itself is just a number encoded on a magnetic stripe. Getting the number is as simple as swiping the card, which we see Darlene doing with what looks like a Square reader. Most credit card readers don’t store the number after it’s gone through (that would be asking for fraud), but there’s no technical measure stopping them from storing the number and reproducing it. That’s how most ATM fraud happens, and as long as you’re dealing with magnetic stripes, this kind of attack will be a problem.

MagSpoof can be used as a traditional credit card and simply store all of your credit cards (and with modification, can technically disable chip requirements) in various impressive and exciting form factors, or can be used for security research in any area that would traditionally require a magstripe, such as readers for credit cards, driver's licenses, hotel room keys, automated parking lot tickets, etc.

Live demonstration and more details available in the video: 

MagSpoof - "wireless" credit card/magstripe spoofer
  • Allows you to store all of your credit cards and magstripes in one device
  • Works on traditional magstripe readers wirelessly (no NFC/RFID required)
  • Can disable Chip-and-PIN
  • Correctly predicts Amex credit card numbers + expirations from previous card number (code not included)
  • Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously
  • Easy to build using Arduino or other common parts

By @SamyKamkar, who also gave a talk at DefCon 18.

MagSpoof does not enable you to use credit cards that you are not legally authorized to use. The Chip-and-PIN and Amex information is not implemented and using MagSpoof requires you to have/own the magstripes that you wish to emulate. Simply having a credit card number and expiration is not enough to perform transactions. MagSpoof does allow you to perform research in other areas of magstripes, microcontrollers, and electromagnetism, as well as learn about and create your own devices similar to other existing, commercial technologies such as Samsung MST, Squareup and Coin.

source: http://samy.pl/magspoof/
