Bitcoin Forum
March 18, 2018, 12:19:59 AM *
News: Latest stable version of Bitcoin Core: 0.16.0  [Torrent]. (New!)
   Home   Help Search Donate Login Register  
Pages: [1]
Author Topic: MagSpoof V1 / V2  (Read 1681 times)
Offline Offline

Activity: 2
Merit: 0

View Profile
February 09, 2017, 01:06:34 AM
Version 1


I have build a handful of these devices originally built by samyk. I have taken the design from his build and made a much more powerful version with large mag coils for increased range and usability.

Also we have all the coding present and working for all bypass methods for EMV and card prediction generation...

  • Allows you to store all of your credit cards and magstripes in one device
  •     Works on traditional magstripe readers wirelessly (no NFC/RFID required)
  •     Can disable Chip-and-PIN
  •     Correctly predicts Amex credit card numbers + expirations from previous card number or canceled card!
  •     Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously

As with samyk design we have improved the range of the device and we have all functioning modules working and present.

One of the primary issues I've found is that some of the new forms of security (well, new in the US) are set in the "service code" portion of the magstripe, most specifically Chip-and-PIN.

The service code within a credit card magstripe defines several attributes of the card, including whether the card can dispense cash, where it can work (nationally, internationally), and most interestingly, whether the card has a built in IC (Chip) and if it has a pin (Chip-and-PIN / EMV).

If your card has a chip inside and you go to a retailer that supports Chip but swipe just your magstripe, the point of sale (PoS) system will ask you to dip your card/chip for additional security if it supports it.

However, the bits stating the card has Chip-and-PIN can be turned off from the magstripe. This means if you take a card to a retailer that would normally request you to dip, you can actually get away with not dipping your chip at all while performing a successful transaction, evading the security measures altogether.

#include <avr/sleep.h>
#include <avr/interrupt.h>

#define PIN_A 0
#define PIN_B 1
#define ENABLE_PIN 3 // also green LED
#define SWAP_PIN 4 // unused
#define BUTTON_PIN 2
#define CLOCK_US 200

#define BETWEEN_ZERO 53 // 53 zeros between track1 & 2

#define TRACKS 2

// consts get stored in flash as we don't adjust them
const char* tracks[] = {
";123456781234567=YYMMSSSDDDDDDDDDDDDDD?\0" // Track 2

char revTrack[41];

const int sublen[] = {
  32, 48, 48 };
const int bitlen[] = {
  7, 5, 5 };

unsigned int curTrack = 0;
int dir;

void setup()
  pinMode(PIN_A, OUTPUT);
  pinMode(PIN_B, OUTPUT);

  // blink to show we started up
  blink(ENABLE_PIN, 200, 3);

  // store reverse track 2 to play later

void blink(int pin, int msdelay, int times)
  for (int i = 0; i < times; i++)
    digitalWrite(pin, HIGH);
    digitalWrite(pin, LOW);

I noticed many of the amex digits were similar.
I pulled up the numbers to several other Amex cards I had, and then compared against more than 20 other Amex cards and replacements and found a global pattern that allows me to accurately predict American Express card numbers by knowing a full card number, even if already reported lost or stolen.

MasterCard: ^(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}$ MasterCard numbers either start with the numbers 51 through 55 or with the numbers 2221 through 2720. All have 16 digits.
American Express: ^3[47][0-9]{13}$ American Express card numbers start with 34 or 37 and have 15 digits.
Diners Club: ^3(?:0[0-5]|[68][0-9])[0-9]{11}$ Diners Club card numbers begin with 300 through 305, 36 or 38. All have 14 digits. There are Diners Club cards that begin with 5 and have 16 digits. These are a joint venture between Diners Club and MasterCard, and should be processed like a MasterCard.
Discover: ^6(?:011|5[0-9]{2})[0-9]{12}$ Discover card numbers begin with 6011 or 65. All have 16 digits.
JCB: ^(?:2131|1800|35\d{3})\d{11}$ JCB cards beginning with 2131 or 1800 have 15 digits. JCB cards beginning with 35 have 16 digits.

This means if I were to obtain your Amex card and you called it in as lost or stolen, the moment you get a new card, I know your new credit card number.

I also know the new expiration date as the expiration date is fixed based on when the new card was requested, and you can determine if the new card has been requested by performing an auth on the existing card.

The CID (aka CVV2 on Visa) printed on the card is protected by a secret 3DES key that encrypts the PAN (Primary Account Number, aka credit card number), service code (see table above), and expiration. The service code can be easily determined as most cards will contain the same service code.

I also determined that the CSC (essentially behaves like a CID or CVV2 on the magstripe) for a lost or stolen card continues to work for a newer, predicted card. An attacker would be able to use a stolen card's CSC with the predicted card number and expiration to make actual purchases.

To actually perform the transaction without arousing suspicion, an attacker would be able to use a magstripe writer (e.g., the well known MSR605), or a device like MagSpoof, to "load" the newly devised card information onto a card like Coin. Coin itself does not actually verify the CID (CVV2), thus allowing an attacker to load data, and then use the Coin card in person without knowing the CID and exploiting these various issues, as well as disabling Chip-and-PIN.

void sleep()
  GIMSK |= _BV(PCIE);                     // Enable Pin Change Interrupts
  PCMSK |= _BV(PCINT2);                   // Use PB3 as interrupt pin
  ADCSRA &= ~_BV(ADEN);                   // ADC off
  set_sleep_mode(SLEEP_MODE_PWR_DOWN);    // replaces above statement

  MCUCR &= ~_BV(ISC01);
  MCUCR &= ~_BV(ISC00);       // Interrupt on rising edge
  sleep_enable();                         // Sets the Sleep Enable bit in the MCUCR Register (SE BIT)
  sei();                                  // Enable interrupts
  sleep_cpu();                            // sleep

  cli();                                  // Disable interrupts
  PCMSK &= ~_BV(PCINT2);                  // Turn off PB3 as interrupt pin
  sleep_disable();                        // Clear SE bit
  ADCSRA |= _BV(ADEN);                    // ADC on

  sei();                                  // Enable interrupts

I have a 5 available to ship and are working on a order based system from then on.

Payment BTC Only.

Price $2500 - Device With Full Source Code For Exploit

Device only - $1200

Device only comes with firmware loaded competent coder could write in around 10/15 day possibly also supplied are  resources related to our own project with device.

============ MagSpoof V2 - Card Spoofing Device ============

Ladies and gentlemen let me introduce to you today MAGSPOOF V2
Its now time to SPOOF A CARD!!!

Preorder is available!

Price $120.99
BTC Only
Limited first run of 20 cards!

More info soon!

We understand that securlty delivering this device world wide of this is paramount we ship via UPS / FEDEX / Or selected shipping of your choice to any location.
We also require when buying and sending your deliver address you encrypt this with PGP this is for your safety!

PM for our PGP Key

Delivery times can depending where in the world the device is being shipped.

All payments are final.. There are no refunds if your device gets lost in the post or intercepted. We will however reship if this happens and can be PROVED.

Jabber -
OTR Required!

===List Of Tested Devices NFC===

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Offline Offline

Activity: 1
Merit: 0

View Profile
March 06, 2017, 03:15:58 AM


I was looking at the possibility of making the MagSpoof a substitute for college swipe cards, where the magnetic strip data in the card could be put into the MagSpoof and allow for wireless "swiping" into dorms, dining halls, etc.

This is our prospect for the business venture my classmates and I are pitching for a class at Babson College where we study.

Please let me know what you think of this, we are looking forward to your feedback.

Pages: [1]
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!