MagneticCard info - zollak/pentest-notes GitHub Wiki

Magnetic stripe coercivity

Magstripes come in two main varieties:

  • high-coercivity (HiCo) at 4000 Oe
  • low-coercivity (LoCo) at 300 Oe
  • intermediate values, typically 2750 Oe, are also not uncommon

HiCo stripes are appropriate for cards that are used frequently, such as credit cards. Other uses include time and attendance tracking, access control, library cards, employee ID cards and gift cards. High-coercivity stripes are nearly black in color; one exception is a proprietary silver-colored formulation on transparent American Express cards.

Typical LoCo applications include hotel room keys, time and attendance tracking, bus/transit tickets and season passes for theme parks. In practice, low-coercivity stripes are usually light brown in color.

Magnetic Stripe Tracks on Financial cards

ISO/IEC 7813

Track 1

Track 1 has a higher bit density (210 bits per inch vs. 75), is the only track that may contain alphabetic text, and hence is the only track that contains the cardholder's name.

Track 1 is written in a code known as DEC SIXBIT, with an odd-parity bit per character. The information on track 1 of financial cards follows one of several formats: A, which is reserved for proprietary use by the card issuer; B, which is described below; C-M, which are reserved for use by ANSI Subcommittee X3B10; and N-Z, which are available for use by individual card issuers:

Format B:

  • STX: Start sentinel — one character (generally '%')
  • FC: Format code="B" — one character (alpha only)
  • PAN: Primary account number — up to 19 characters. Usually, but not always, matches the credit card number printed on the front of the card.
  • FS: Field Separator — one character (generally '^')
  • NM: Name — 2 to 26 characters
  • FS: Field Separator — one character (generally '^')
  • ED: Expiration date — four characters in the form YYMM.
  • SC: Service code — three characters
  • DD: Discretionary data — may include Pin Verification Key Indicator (PVKI, 1 character), PIN Verification Value (PVV, 4 characters), Card Verification Value or Card Verification Code (CVV or CVC, 3 characters)
  • End sentinel — one character (generally '?')
  • LRC: Longitudinal redundancy check — one character; a check character calculated from the other data on the track.

The maximum record length is 79 alphanumeric characters.

Track 2

This format was developed by the banking industry (ABA). The track is written with a 5-bit scheme (4 data bits + 1 parity bit), which allows sixteen possible characters: the digits 0-9 plus the six symbols ':', ';', '<', '=', '>' and '?'. The choice of those six punctuation symbols may seem odd, but the sixteen codes simply map onto the ASCII range 0x30 through 0x3F, which contains the ten digits followed by exactly those six symbols. The data format is as follows:

  • STX: Start sentinel — one character (generally ';')
  • PAN: Primary account number — up to 19 characters. Usually, but not always, matches the credit card number printed on the front of the card.
  • FS: Separator — one char (generally '=')
  • ED: Expiration date — four characters in the form YYMM.
  • SC: Service code — three digits. The first digit specifies the interchange rules, the second specifies authorization processing and the third specifies the range of services
  • DD: Discretionary data — as in track one
  • ETX: End sentinel — one character (generally '?')
  • LRC: Longitudinal redundancy check — one character; a check character calculated from the other data on the track (according to ISO/IEC 7811-2). Most reader devices do not pass this value on to the application when the card is swiped; they use it only to verify the track internally.

The maximum record length is 40 numeric digits (e.g., 5095700000000).
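Worked example of the character coding described above, for both tracks: Track 1's DEC SIXBIT (6 data bits) and Track 2's 5-bit scheme (4 data bits), each with an odd-parity bit, plus the LRC. This is an added example, not code from the wiki. Assumptions: the LRC is the XOR of the data bits of every character from the start sentinel to the end sentinel inclusive (the usual reading of ISO/IEC 7811-2; the page only says it is calculated from the other data on the track); bit streams begin at the start sentinel with no clocking zeros; the sample track strings are constructed.

```python
"""Magstripe character coding, odd parity and LRC for Track 1 and Track 2.

Added example, not from the wiki page. The LRC rule (XOR of all characters'
data bits, sentinels included) and the absence of clocking bits are assumptions
stated in the lead-in; sample track strings are constructed.
"""

# (base character code, data bits per character), as the page describes:
# Track 1 is DEC SIXBIT (codes 0x20..0x5F), Track 2 maps 4-bit values onto
# ASCII 0x30..0x3F. Every character also carries one odd-parity bit.
TRACK_SPECS = {1: (0x20, 6), 2: (0x30, 4)}


def char_value(ch: str, track: int) -> int:
    """Data value of one track character (0..2^width-1); rejects characters outside the set."""
    base, width = TRACK_SPECS[track]
    if len(ch) != 1:
        raise ValueError("char_value expects a single character")
    v = ord(ch) - base
    if not 0 <= v < (1 << width):
        raise ValueError(f"{ch!r} is not a Track {track} character")
    return v


def odd_parity_bit(value: int) -> int:
    """The parity bit that makes the total count of 1 bits odd."""
    return 0 if bin(value).count("1") % 2 == 1 else 1


def lrc(track_text: str, track: int) -> str:
    """LRC character: XOR of every character's data bits (assumption, see lead-in)."""
    base, _ = TRACK_SPECS[track]
    acc = 0
    for ch in track_text:
        acc ^= char_value(ch, track)
    return chr(base + acc)


def encode_bits(track_text: str, track: int) -> str:
    """Serialise text plus its LRC as '0'/'1' symbols: data bits LSB first, then parity."""
    _, width = TRACK_SPECS[track]
    out = []
    for ch in track_text + lrc(track_text, track):
        v = char_value(ch, track)
        bits = [(v >> i) & 1 for i in range(width)] + [odd_parity_bit(v)]
        out.append("".join(map(str, bits)))
    return "".join(out)


def decode_bits(bits: str, track: int) -> str:
    """Inverse of encode_bits: checks each symbol's parity and the trailing LRC."""
    base, width = TRACK_SPECS[track]
    step = width + 1
    if len(bits) % step:
        raise ValueError(f"stream length is not a multiple of {step}")
    chars = []
    for n in range(0, len(bits), step):
        sym = bits[n:n + step]
        v = sum(int(sym[i]) << i for i in range(width))
        if int(sym[width]) != odd_parity_bit(v):
            raise ValueError(f"parity error in symbol {n // step}")
        chars.append(chr(base + v))
    text = "".join(chars)
    body, got = text[:-1], text[-1]
    if lrc(body, track) != got:
        raise ValueError("LRC mismatch")
    return body


def stream_is_valid(bits: str, track: int) -> bool:
    """True when every parity bit and the LRC check out; a reader should reject anything else."""
    try:
        decode_bits(bits, track)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed Track 2 sample: PAN, '=', YYMM expiry, service code, discretionary data.
    t2 = ";1234567890123456=25121011234567890?"
    stream = encode_bits(t2, 2)
    print(stream[:5], "is the start sentinel ';'")
    print("round trip ok:", decode_bits(stream, 2) == t2)
```

The start sentinel ';' has value 11 (binary 1011), written LSB first as 1101 with parity 0, so its five-bit symbol is 11010. Because each symbol carries its own parity bit, any single flipped bit in a symbol is caught before the LRC is even consulted; the LRC catches errors that preserve per-character parity, such as two bits flipped in one symbol.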

Service code values common in financial cards:

First digit

1: International interchange OK
2: International interchange, use IC (chip) where feasible
5: National interchange only except under bilateral agreement
6: National interchange only except under bilateral agreement, use IC (chip) where feasible
7: No interchange except under bilateral agreement (closed loop)
9: Test

Second digit

0: Normal
2: Contact issuer via online means
4: Contact issuer via online means except under bilateral agreement

Third digit

0: No restrictions, PIN required
1: No restrictions
2: Goods and services only (no cash)
3: ATM only, PIN required
4: Cash only
5: Goods and services only (no cash), PIN required
6: No restrictions, use PIN where feasible
7: Goods and services only (no cash), use PIN where feasible

Track 3

Track 3 is virtually unused by the major worldwide networks and often isn't even physically present on the card by virtue of a narrower magnetic stripe.

A notable exception to this is Germany, where Track 3 content was used nationally as the primary source of authorization and clearing information for debit card processing prior to the adoption of the "SECCOS" ICC standards. Track 3 is standardized nationally to contain both the cardholder's bank account number and branch sort code (BLZ).


Programming

Parsing Track 1 and Track 2 can be done with Regular Expressions.

Track 1

^%B([0-9]{1,19})\^([^\^]{2,26})\^([0-9]{4}|\^)([0-9]{3}|\^)([^\?]+)\?$

This Regex will capture all of the important fields into the following groups:

Group 1: Payment card number (PAN)
Group 2: Name (NM)
Group 3: Expiration Date (ED)
Group 4: Service Code (SC)
Group 5: Discretionary data (DD)

Track 2

^\;([0-9]{1,19})\=([0-9]{4}|\=)([0-9]{3}|\=)([^\?]+)\?$

Group 1: Primary Account Number (PAN)
Group 2: Expiration date (ED)
Group 3: Service code (SC)
Group 4: Discretionary data (DD)
