Home Hardware MagSpoof – Wireless Credit Card/Magstripe Spoofer

MagSpoof – Wireless Credit Card/Magstripe Spoofer

October 25, 2019 Leave a Comment
MagSpoof - Wireless Credit Card Magstripe Spoofer

With MagSpoof by @SamyKamkar, you can copy and store all your credit cards and anything else with a magnetic stripe in one device, then transmit the desired card data wirelessly without having to have the actual plastic with you. The Magspoof website stresses it wouldn’t also be possible to do any of this with someone else’s credit cards, just for the record, but it’s probably best not to bet against people’s enterprise.

Overview

MagSpoof is a device that can spoof/emulate any magnetic stripe or credit card. It can work “wirelessly”, even on standard magstripe/credit card readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card.

Note: MagSpoof does not enable you to use credit cards that you are not legally authorized to use. The Chip-and-PIN and Amex information is not implemented and using MagSpoof requires you to have/own the magstripes that you wish to emulate. Simply having a credit card number and expiration is not enough to perform transactions. MagSpoof does allow you to perform research in other areas of magstripes, microcontrollers, and electromagnetism, as well as learn about and create your own devices similar to other existing, commercial technologies such as Samsung MST and Coin.

MagSpoof - Portable Devices that can copy and store all your credit cards

MagSpoof can be used as a traditional credit card and simply store all of your credit cards (and with modification, can technically disable chip requirements) in various impressive and exciting form factors, or can be used for security research in any area that would traditionally require a magstripe, such as readers for credit cards, drivers licenses, hotel room keys, automated parking lot tickets, etc.

Features

  • Allows you to store all of your credit cards and magstripes in one device
  • Works on traditional magstripe readers wirelessly (no NFC/RFID required)
  • Can disable Chip-and-PIN
  • Correctly predicts Amex credit card numbers + expirations from previous card number (code not included)
  • Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously
  • Easy to build using Arduino or other common parts

Live demonstration and more details available in the video:

How MagSpoof Works

MagSpoof emulates a magnetic stripe by quickly changing the polarization of an electromagnet, producing a magnetic field similar to that of a normal magnetic stripe as if it’s being swiped. What’s incredible is that the magstripe reader requires no form of wireless receiver, NFC, or RFID — MagSpoof works wirelessly, even with standard magstripe readers. The stronger the electromagnet, the further away you can use it (a few inches in its current iteration).

MagSpoof also uses inexpensive, off the shelf parts (described in the Hardware section), and can be built with almost nothing more than an Arduino, wire and a battery! I use a motor driver to provide a reasonable amount of power.

Normally electromagnets have an iron core, however we lose the core for the sake of space and portability. Also, while the iron core does make the electromagnet more efficient, we still produce more than enough power to work.

MagSpoof improves on new cards such as Coin. I’m a customer of Coin, and while I love their app and the card, the card actually works a very small percentage of the time. After looking over Coin’s FCC docs, I noticed they use two coils to produce a (very small) electromagnetic field, however it’s severely deficient and the card works less than 50% of the time for me, sadly.

MagSpoof - Wireless Credit Card Magstripe Spoofer

I found that by emulating a card with MagSpoof, if I send Track 1 one way, and then send Track 2 reversed, every card reader will assume I simply swiped a card back and forth, use the data from both tracks and my strong electromagnet, and properly read all of the data. This is extremely effective, uses only a single coil, and works for both tracks simultaneously. This also allows MagSpoof to work on Track 3.

Additionally, if you’re using a Chip card with Coin, you still need to bring your actual credit card to dip, however because MagSpoof can disable Chip-and-PIN (see below), it does not require you to bring your card with you.

I’ve removed the Chip-and-PIN disabling functionality from MagSpoof.

Firmware

MagSpoof

MagSpoof’s source code and schematic can be obtained in entirety from my github: https://github.com/samyk/magspoof

MagSpoof is compatible with the Arduino framework and can work on traditional Arduinos as well as ATtiny chips.

Resources

You can learn about magnetic stripes and credit cards from a few places, including:

Contact

Point of Contact: @SamyKamkar

You can see more of my projects at http://samy.pl or contact me at [email protected].

Download MagSpoof

You May Also Like

MetaFinder - Tool for Searching Documents in a Domain with search engine google, bing, baidu, yandex

MetaFinder – Tool for Searching Documents in a Domain

Dirsearch - Web Content Fuzzing Scanner to find juicy APIs or endpoints, sensitive data exposure, config file

Dirsearch – Web Content Discovery Scanner

ApkLeaks - Tool For Scanning Mobile Application APK file to Extract All Data URIs, Endpoints & Secrets

ApkLeaks – Tool For Scanning APK file to Extract URIs, Endpoints & Secrets

Fully automated Log4j RCE Scanning and Exploit Tool Kali Linux

log4j-scan – Log4j RCE Scanning and Exploit Tool

Subzy - Subdomain Takeover Vulnerability Scan Tool

Subzy – Subdomain Takeover Vulnerability Tool

IntruderPayloads - a Collection of Burpsuite Intruder Payloads For Bug Hunting

IntruderPayloads – Collection of Burpsuite Intruder Payloads For Bug Hunting

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × 5 =