A company called Square is giving out free credit card readers that turn any iPhone or iPad into a Point of Sale terminal. [Steve] got a hold of one of these tiny peripherals and did what any sane person would do: tear it apart and learn how it works. This bit of hardware is a little unimpressive; unsurprising because Square is giving them away. With simplicity comes an ease in understanding, and [Steve] was able to successfully read his own credit card with this tiny and free credit card reader.
[Steve]’s work in decoding credit card data builds off [Count Zero]’s article from the bbs days. Basically, each credit card has two or three tracks. Track three is mostly unused, whereas track one contains the card holder name, account number, cvc code and other ancillary data. Track two only contains the credit card number and expiration date.
The only components in the Square card reader are a head from a tape player and a 1/8″ microphone jack. The magnetic head in the Square card reader is positioned to only read track two. With a small shim, it’s possible to re-align the head to get the data from track one. After recording an audio file of him sliding his card though the Square reader, [Steve] looked at the number of times the waveform flipped from positive to negative. From this, he was able to get the 1s and 0s on the card and converted them to alphanumeric using the 6-bit ANSI/ISO alpha format.
[Steve] isn’t going to share the code he wrote for Android just yet, but it should be relatively easy to replicate his work with the Android tutorial he used. Also, yes, we did just pose the question of how these Square credit card readers work just hours ago. Good job being on the ball, [Steve]. Tips ‘o the hat go out to [Bobby], [Leif], [Derek] and anyone else we might have missed.
EDIT: [Stephen] sent in his teardown minutes after this post went live. Hackaday readers are too fast at this stuff.
I remember doing almost the same sort of thing with credit cards on Beta Max players back in the 80’s. You’d run the player and run the CC over the magnetic tape head and see the CC number show up on the screen. Can’t believe history repeats it’s self once again but only smaller.
Wait, what??!?
This sounds a bit like that myth that if you taped a bit of betamax tape to the back of a credit card the ATM would spontaneously eject all of its cash, Superman III style. All my friends were doing that 😉
The Superman III thing I’d call a myth, but if you look around the Betamax trick was a well documented concept that I believe even 2600 did an article about many many many moons ago.
What are you talking about?!
I have a Betamax player, and some old bank cards with magnetic stripes on, but I don’t believe that wiping the card next to the head will produce a number on screen.
It should be noted that the CVC or security code is NOT ON ANY TRACKS OF THE MAG STRIPE. That would defeat the whole purpose of the the code
Actually, the human readable CVV2 (Visa), CVC2 (MC), CID (Disc/Amex) is not on the stripe, BUT there IS (usually) an embedded security code within the stripe data. It is used when the tracks are sent in for processing to validate the tracks. It would go in the “discretionary data” field on Track one just before the end sentinel.
Damn that was fast!
I don’t even need to use google anymore. Just ask people on HaD…
code for the audio credit card reader:
http://www.gae.ucm.es/~padilla/extrawork/soundtrack.html
There is one more component in the Square reader, which is a 5.2k resistor between the read head and mic line. I’ll put up another pic on the post which shows that.
And I DO plan on putting up the app, and the android library which makes it work. I just haven’t quite done it yet.
Mine has a 100ohm resistor instead. Makes me wonder if Square is recycling, using old new stock of cassette readers.
I’m not 100% certain of the value of mine. I’m no hardware guy. But I did try to measure it with a multimeter and got a value in agreement with what I thought I decoded the stripes to.
I wouldn’t be particularly surprised to find that the actual resistors used vary.
it is interesting that square has to “verify” your identity in order to get the reader. square is using https secure address but i just thought it was odd. why do they ask that i wonder. i ordered mine and will see what happens.
A year ago, they didn’t care. I suppose they want more realistic customers, unlike people like me who just wanted one to throw into my pile of gadgets, and later take apart.
Ive seen them for sale at Bestbuy for 10$. I doubt they will ask for any info there.
Lazy crooks can use these to skim. This is ‘supposed’ to help discourage that, I’d wager.
I don’t feel comfortable giving my last 4 and birth date for one of those :-/
You don’t have to, I bought mine at a nearby Walmart. You can still accept cash payments (kinda pointless there), it just won’t let you accept credit cards through their system.
I don’t think most of you understand it..
If your going to use it for transactions they NEED to know who you are for tax purposes..
Shit, they have my full SSN and address, and right they should. Like any other credit card processor, Just as right paypal also has my SSN and address.
I feel bad for this little start-up though. They wanted to partner with paypal.. Instead paypal said no, then released the PayPal here! It’s the same device (just fancier looking) its also free (not in stores, yet) but you have to upgrade your paypal account to business class (also free, but your fees change)..
The idea was it’d be nicer and faster to get cash to your paypal account.
I wouldn’t say this IRL but I use mine for little cash-advances dirt cheap from my credit card..
Nice, and if you try and use a fake last 4, they ask for the full social. No thanks.
I got rejected and I used all real info. I just messaged them, I could use this for when I mod arcade sticks for people at home, so they don’t have to run to the bank for cash.
A bit more about your Arcade stick mod(s) please?
I heard a story from our schools lab tech (an old ham operator and repairmen), he claims that when the magnetic swipe was being developed, one company made a set and gave it to some engineers and told that that if they can get the account information off of this magnetic strip they can have the money. The lab tech claims that every group got their money and the first group did this sort of hack using a tape deck.
It isn’t supprising. Remember the guys that were recording the numbers off the readers at the ATM in eastern europe. Credit cards are really not that secure.
and by they way, just build one…. it is 3 parts, old tape head from any tape player, 100 ohm resistor, and a 4 pin audio jack. it would take 3 minutes to solder.
This would make a great HAD tutorial, using some ancient tape player for parts. We could even use the recording parts to reprogram one I bet!
Any body know of a cheep source for the 4 pin headphone jacks?
well, the whole point of the credit card swipe IS NOT security but convenience/speed during transactions. it’s digitizing the old carbon paper credit card swipe. that’s why we still have raised numbers on the card, so they can be quickly swiped on carbon paper. in any case, the card # is right there on the front of the card.
I was at a conference a year or so ago, and Square reps walked around handing them out to every vendor/booth that would take them. Nobody kept them, so I ended up with 10 or so. Plan is to make a sort of musical instrument that generates sound based on the swiped data.
Mellotron.
Wasn’t familiar with the Mellotron, and holy crap! What a funky machine.
name it creditfraudotron
Those are the old readers. The new readers are a litte more sophisticated including lots more hardware and a battery http://venturebeat.com/2012/03/26/square-adds-encryption-to-its-square-reader/ These just started shipping in the last month. Adding encryption to the reader was one of the requirements that came as part of Visa’s investment in the company.
Competitor VeriFone took issue with the lack of encryption last year http://www.engadget.com/2011/03/09/verifone-calls-out-square-for-gaping-security-hole-publishes/ but that backfired for them.
I dunno why it needs to be encrypted from the reader, it’s on the card in plaintext. Do the encrypting on the phone, using the extremely suitable hardware. If I can figure this out, who’s in charge at Visa?
I remember instructions for one of these, using a read and write tape head, an op-amp, and mounting it to a bit of wood, to make a simple hand-swiped card copier. Some old BBS doc, might’ve even been the Jolly Roger. ALL IN CAPS, APPLE ][ STYLE!
Not only that, but I thought they were trying to slowly kill off the mag-stripe, in favour of the much safer smart chips. Subject to a suitable port on the phone, a smart-card reader should be easier to make. Why not launch tiny little USB smartcard readers? There must be next to nothing in ’em.
The new standards from the Payment Card Industry are forcing a move to end-to-end encryption, regardless of the source of the data. This means that the data is AT LEAST protected in transit. I suspect that the Square application encrypts the data after it gets it from the head, and BEFORE it sends it to the network. That is a minimal requirement of the PCI DSS standards. They do NOT (yet) require the card data to be encrypted from the point of reading (head) to the computer application (smartphone program) as that is not considered a “network” connection. MagTek and others have created hardware that encrypts the data IN the head. That will be deployed over time. Eventually, it truly WILL be encrypted from head to network server.
From their website about the reader:
Can anybody explain how this is happening with the minimal components in the reader?
Whoops, [Eliot] beat me to it.
With the magic of marketing.
here android
https://play.google.com/store/apps/details?id=com.squareup
intuit and paypal have these as well.
http://gopayment.com/
https://www.paypal.com/webapps/mpp/new-payment-solutions?intl_cid=3484-150736-8030-1
So are these old readers we both have useless?
thy all ready have it for android so no reason to make your own a Lil to slow that’s prob why he did not release it he gave or sold it to them lmfao
One day there will be no more cash and the government/corps will truly own you.
You will swipe/rfid all transactions with your GPS enabled phone. When, where, how much and even what. All recorded to be mined by companies, the IRS, your health insurance, etc.
This is phase 3… give everyone card readers.
the new one has a cr2032, amp and an msp430 which has built in TDES.
Builtin DES on a msp, that I’d like to see.
Any pics/specs of the new reader?
So the new ones do encryption. First off WHY? if someone is swiping your card they can simply see the numbers. Encrypting over the network I can see and should have been done from day 1.
Second, This takes me back to the 80’s it always amazes me when I see projects using swipes that they paid 10 bucks for when these are pretty much all you need.
Good article and thanks for posting the guts, I always expected that was all it consisted of but never wanted to give out my full info’s to get one.
Why? because it is difficult for a waiter to memorize the numbers of every card encountered during his shift, but with a device like this he could easily get 50 CC numbers a night.
simple, because the phone is unescured so its possible that an app can sneak in and sniff it.
that’s scary that all the info is there possibly unencrypted.
that means anyone with an ios device could skim your card and get everything thy need to use the card or even copy the card.
As opposed to all the other skimming devices available? There have been reports for longer than there have been ios devices of waiters using a device the size of a pager to skim credit card details.
One such story: http://consumerist.com/2011/08/waitress-gets-revenge-on-tough-customers-by-skimming-their-credit-cards.html
They didn’t ask for my full social only the last four, but… If they are giving you the power to accept credit cards for financial transactions there are probably certain reporting requirements consistent with the governments desire to hinder money laundering operations, ID theft, and other activities contrary to US law.
I loved the 2600 article about this.
After reading this, I took a dig through my parts bins for other reasons and grabbed a read head which I would not have otherwise given even a second glance. Thank you!
Idea: take the new one with battery, hack the electronics (or made a custom PCB) to record every swipe, let’s say it can store 3-4 card’s data. Add a button to toggle between “stored cards”(by number of presses) and automagically pass the data to the
iDevice after 2 seconds…Just passed my mind, don’t know how to continue.
I have a website where I can take payments from credit cards with PayPal.
But for the convenience of being able to swipe a card instead of typing the number in, I have to pay more money.
Phooey! What would be great is a simple app that takes the number data and directly enters it into any text entry field.
I could then simply go to the checkout on my site with my phone, tap on the CC number field then swipe the card for exactly the same result without paying a cent more.
Cool.. though I’ve had one for my android over a year ago…
Could it read checks MICR?
Something similar was published in “hacktic” magazine in The Netherlands in 1990.
The published circuit used magnetheads of a casette tape players to copy creditcards.
http://hacktic.nl/magazine/0820.htm
I live in canada and its a states only thing?? possible anyone would be willing to send me one??
Yeah I’ll do anything for a fellow hacker. Email me @ mathprophet@gmail.com
I’ll email u when I finish moving, that way i dont have to wait a eternity for canada post to forward it to my new address 🙂
Not cool of Square to require registration before letting us know it’s US only. It wouldn’t be that hard to just put “US residents only” on the register page.
Also, money handling sites that has no, or hard to find contact info pisses me off. That’s why I’m writing this here, haha.
They gave these out at my uni, fun little devices they are. I doubt anybody actually registered, we just wanted a handy card reader.
Hey
I had picked up one of these Readers on ebay, and have since not used it even once.
I was wondering if anyone could point me in the direction of software (linux, windows, or android) that can actually be used to read the data off of a magnetic stripe using the Square reader?
what about drivers licences any way to read the stripes
Found another way to use it. Record the audio with an Echo smartpen.
http://i.minus.com/ibpwNqCyxGb8KN.JPG
once recorded, how can you read the data?
I’m still trying to read the waveform.