With MagSpoof by @SamyKamkar, you can copy and store all your credit cards and anything else with a magnetic stripe in one device, then transmit the desired card data wirelessly without needing to have the actual plastic with you. For the record, the MagSpoof website stresses that it would not be possible to do any of this with someone else’s credit cards, but it’s probably best not to bet against people’s enterprise.
MagSpoof is a device that can spoof/emulate any magnetic stripe or credit card. It can work “wirelessly”, even on standard magstripe/credit card readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card.
Note: MagSpoof does not enable you to use credit cards that you are not legally authorized to use. The Chip-and-PIN and Amex information is not implemented and using MagSpoof requires you to have/own the magstripes that you wish to emulate. Simply having a credit card number and expiration is not enough to perform transactions. MagSpoof does allow you to perform research in other areas of magstripes, microcontrollers, and electromagnetism, as well as learn about and create your own devices similar to other existing, commercial technologies such as Samsung MST and Coin.
MagSpoof can be used as a traditional credit card and simply store all of your credit cards (and with modification, can technically disable chip requirements) in various impressive and exciting form factors, or can be used for security research in any area that would traditionally require a magstripe, such as readers for credit cards, driver’s licenses, hotel room keys, automated parking lot tickets, etc.
- Allows you to store all of your credit cards and magstripes in one device
- Works on traditional magstripe readers wirelessly (no NFC/RFID required)
- Can disable Chip-and-PIN
- Correctly predicts Amex credit card numbers + expirations from previous card number (code not included)
- Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously
- Easy to build using Arduino or other common parts
A live demonstration and more details are available in the MagSpoof video.
How MagSpoof Works
MagSpoof emulates a magnetic stripe by quickly changing the polarization of an electromagnet, producing a magnetic field similar to that of a normal magnetic stripe as if it’s being swiped. What’s incredible is that the magstripe reader requires no form of wireless receiver, NFC, or RFID — MagSpoof works wirelessly, even with standard magstripe readers. The stronger the electromagnet, the further away you can use it (a few inches in its current iteration).
MagSpoof also uses inexpensive, off-the-shelf parts (described in the Hardware section), and can be built with almost nothing more than an Arduino, wire and a battery! I use a motor driver to provide a reasonable amount of power.
Normally electromagnets have an iron core; however, we lose the core for the sake of space and portability. Also, while the iron core does make the electromagnet more efficient, we still produce more than enough power to work.
MagSpoof improves on new cards such as Coin. I’m a customer of Coin, and while I love their app and the card, the card actually works a very small percentage of the time. After looking over Coin’s FCC docs, I noticed they use two coils to produce a (very small) electromagnetic field; however, it’s severely deficient and the card works less than 50% of the time for me, sadly.
I found that by emulating a card with MagSpoof, if I send Track 1 one way, and then send Track 2 reversed, every card reader will assume I simply swiped a card back and forth, use the data from both tracks and my strong electromagnet, and properly read all of the data. This is extremely effective, uses only a single coil, and works for both tracks simultaneously. This also allows MagSpoof to work on Track 3.
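A reader-side view of the behaviour described above, as an added example that is not part of MagSpoof or the original page: a decoder for the ISO/IEC 7811 Track 2 bit format (5 bits per character, odd parity, LRC) that accepts a swipe in either direction. The function names and the sample bitstream are constructed for illustration; the sample is not card data.

```python
START = 0x0B  # ';' start sentinel as a 4-bit value (character = value + 0x30)

# Constructed sample, not card data: ";1234=99?" followed by its LRC character,
# 5 bits per character (4 data bits LSB first + odd parity), zero-padded both ends.
SAMPLE = "0000" + ("11010" "10000" "01000" "11001" "00100"
                   "10110" "10011" "10011" "11111" "10110") + "0000"


def decode_one_direction(bits):
    """Return the Track 2 text if bits hold one valid record, else None."""
    pos = bits.find("1")  # leading zeros are clocking bits; the first 1 begins ';'
    if pos < 0:
        return None
    chars, lrc = [], 0
    while pos + 5 <= len(bits):
        group = bits[pos:pos + 5]
        pos += 5
        if group.count("1") % 2 == 0:  # each character must have odd parity
            return None
        value = int(group[3::-1], 2)  # data bits arrive least significant first
        if not chars and value != START:
            return None
        if chars and chars[-1] == "?":  # group after the end sentinel is the LRC
            return "".join(chars) if value == lrc else None
        lrc ^= value  # LRC is the XOR of every character, sentinels included
        chars.append(chr(value + 0x30))
    return None  # ran out of bits before the end sentinel and LRC


def decode_track2(bits):
    """Decode a swipe in either direction; returns (text, direction) or None."""
    for direction, candidate in (("forward", bits), ("reverse", bits[::-1])):
        text = decode_one_direction(candidate)
        if text is not None:
            return text, direction
    return None


if __name__ == "__main__":
    print(decode_track2(SAMPLE))
    print(decode_track2(SAMPLE[::-1]))
```

Parity, the start sentinel and the LRC are what let a reader reject a wrong-direction or corrupted read, which is why a reversed track decodes cleanly instead of being treated as noise.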
Additionally, if you’re using a Chip card with Coin, you still need to bring your actual credit card to dip; however, because MagSpoof can disable Chip-and-PIN (see below), it does not require you to bring your card with you.
I’ve removed the Chip-and-PIN disabling functionality from MagSpoof.
MagSpoof’s source code and schematic can be obtained in their entirety from my GitHub: https://github.com/samyk/magspoof
MagSpoof is compatible with the Arduino framework and can work on traditional Arduinos as well as ATtiny chips.
You can learn about magnetic stripes and credit cards from a few places, including:
- My video on MagSpoof
- ISO/IEC 7810
- ISO/IEC 7811
- ISO/IEC 7812
- ISO/IEC 7813
- ISO 8583
- ISO/IEC 4909
- MagTek Magnetic Stripe Standards (pdf)
- Magnetic Stripe Card on Wikipedia
- Amex’s Web Services Plural Interface
Point of Contact: @SamyKamkar