search
Carter Cole LinkedInCarters Twitter PageCarter Cole on FacebookCarters YouTubeCarter Coles RSS

Sunday, December 12, 2010

Decoding SquareUp.com Card Reader Audio



So Squareup.com gives you credit card merchant services on your phone... but the reader can read any magnetic stripe... when you swipe things like drivers licences or gift cards you can read data into the square program and show the last for digits of an id or something, but what else is on there? Thats where all you internet people come in... i need some engineers who are smarter than me to give me some guidance on how to decode the signal the card reader produces. Ive found some of what I think I need here on  "A Day in the Life of a Flux Reversal" using a free spectrum analyzer app im able to see positive and negative waves as I swipe the card that seem to be alot like the flux lines the guy talks about...

But I thought my life would be much easier with data so I got a bunch of old cards and swiped them a few times each, recording the output from the square dongle so i can have some samples to decode with some known data


  1. Texas-Trust-Mastercard-5105-9400-0109-1438.mp3
    In order to view this object you need Flash Player 9+ support!

    Get Adobe Flash player
  2. JCPenny-Gift-Card-6006492001928534134.mp3
    In order to view this object you need Flash Player 9+ support!

    Get Adobe Flash player
  3. HEB-Gift-Card-6006-49668-81060-07754.mp3
    In order to view this object you need Flash Player 9+ support!

    Get Adobe Flash player
  4. Dave-Busters-94937573.mp3
    In order to view this object you need Flash Player 9+ support!

    Get Adobe Flash player
  5. Carnival-Sign-Sail-05411183.mp3
    In order to view this object you need Flash Player 9+ support!

    Get Adobe Flash player
  6. AMC-Gift-Card-6006491324135697820.mp3
    In order to view this object you need Flash Player 9+ support!

    Get Adobe Flash player
These are all the cards i used and the id numbers I could find

So if anybody wants to help me build an open source app to decode the data off other cards with the square reader drop me a line im @cartercole

Also: based on what ive seen from this instructable called "Magnetic stripe card spoofer" with just a little tinkering you could play back these recordings into an electromagnet and drive the reader to spoof the data you recorded. I know.. like super cool spy toys :) I now take this time to remind you that neither CarterCole.com or Carter Cole condone illegal activity and all information shared here is for curious who are people without malicious intent ( do you think that disclaimer protects me? )

24 comments:

  1. Decompiling their .apk reveals some interesting things. Reviewing some of the information in their exposed repository also reveals some interesting things. From the brief look I had at it, they're recording audio of the mag swipe (no surprise there) and the file is sent to their servers for analysis. Constant track markers in the card (a question mark, a semi-colon, etc.) set the starting and ending calculation points. Because a card can swipe at different speeds, the frequencies in the audio capture can be higher or lower. So the markers are located to determine their frequency and compare the rest of the frequencies against them. Since there's one at the beginning and end of a Track2, if the frequencies aren't within the same relative range per swipe, the server will reject the swipe and require it to be done again. So inconsistent speed during the swipe would cause a failure in card data recognition.

    Once a card is identified on the server, the partial data (last four digits, name, etc.) are returned to the handheld device for confirmation and use. My guess is that a transaction ID is also sent with that data so that when it is completed, the device is just responding with an amount, ID, and basic data (signature, time, etc.) but no complete card number. This would ensure PCI security compliance. FYI: The code I reviewed showed Track1 and Track2, so yes, it's pretty useful for almost all cards out there. Track3 is not very commonly used.

    I saw in the code that the audio file from the card swipe is immediately tossed, so the application has no lasting memory of the event or data. You may be able to deconstruct the data frequencies to actual numbers/letters/symbols, but given the variations of speed in swiping, and the variety of cards available to swipe, you've got your work cut out for you to duplicate what they've done. The physical card swiper is about as simple as designs go. But the backend work to interpret it...that's got some good heads designing that. Even obtaining their mobile platform source code would not reveal the translation process they're using to result a card number. They did it right: server side (cloud) for the important stuff, dumbed down front-end for everything unimportant. I haven't taken the time to run Shark on the device to identify protocols/data/destinations, but attempting to identify and track their servers is probably not the smartest idea.

    ReplyDelete
  2. Decompiling their .apk reveals some interesting things. Reviewing some of the information in their exposed repository also reveals some interesting things. From the brief look I had at it, they're recording audio of the mag swipe (no surprise there) and the file is sent to their servers for analysis. Constant track markers in the card (a question mark, a semi-colon, etc.) set the starting and ending calculation points. Because a card can swipe at different speeds, the frequencies in the audio capture can be higher or lower. So the markers are located to determine their frequency and compare the rest of the frequencies against them. Since there's one at the beginning and end of a Track2, if the frequencies aren't within the same relative range per swipe, the server will reject the swipe and require it to be done again. So inconsistent speed during the swipe would cause a failure in card data recognition.

    Once a card is identified on the server, the partial data (last four digits, name, etc.) are returned to the handheld device for confirmation and use. My guess is that a transaction ID is also sent with that data so that when it is completed, the device is just responding with an amount, ID, and basic data (signature, time, etc.) but no complete card number. This would ensure PCI security compliance. FYI: The code I reviewed showed Track1 and Track2, so yes, it's pretty useful for almost all cards out there. Track3 is not very commonly used.

    I saw in the code that the audio file from the card swipe is immediately tossed, so the application has no lasting memory of the event or data. You may be able to deconstruct the data frequencies to actual numbers/letters/symbols, but given the variations of speed in swiping, and the variety of cards available to swipe, you've got your work cut out for you to duplicate what they've done. The physical card swiper is about as simple as designs go. But the backend work to interpret it...that's got some good heads designing that. They put the important work on a server - disconnected from prying eyes, and left a dumbed down front-end in our hands. They did it right. I haven't taken the time to run Shark on the device to identify protocols/data/destinations, but I wouldn't recommend you do that either. Chasing that idea is bound to take one in the path of oncoming traffic.

    ReplyDelete
  3. @mruvsc thanks for the info! the more i look into decoding the signal from the square device, the more difficult it seems, and it makes sense that they'd be sending this off to beefier servers for decoding.

    thanks again for the research.

    ReplyDelete
  4. Hi Carter, please contact me, I'd like to discuss this. Have been having some similar conversations. David. dpingram[at]gmail.com.
    Cheers
    David

    ReplyDelete
  5. Interesting stuff here. Any new updates?

    ReplyDelete
  6. Hey Carter, check out:
    http://www.informationweek.com/news/security/vulnerabilities/231300283

    They talk about using it with software from:
    http://www.makstripe.com

    Perhaps they could assist with things or the software may help get a bite on it. I'd love to hear if any progress is made.

    ReplyDelete
  7. Isn't it dangerous for you to publish the sounds of your credit cards like this? Suppose I started up Square on my phone, and when it asks me to swipe a card, I will feed it your sound recording and your card would get charged, no?

    ReplyDelete
  8. Interesting stuff here. Any new updates?

    ReplyDelete
  9. I want to know how to use it in order to make my own app that uses this reader in a game.

    ReplyDelete
  10. i could help you ;) i have some experience on this shit if you want we can work together i have source codes stuff like that but need to be ported to droid or wince or ios

    ReplyDelete
  11. In 1933 Cartier was commissioned because of the Pasha of Marrakech to make a timepiece made for swimming. The initial Pasha timepiece featured a protective locking cap within the crown that prevented water from entering the way it is and mechanical mechanism inside. The crown around the current Seatimer chronograph includes a similar protective crown cover and is topped using the signature Cartier sapphire cabochon stone. The perfectly round stainless steel case is presented on the signature link bracelet in satin finished stainless. Every single pre-owned uk replica watches sold at our web shop is expertly restored with original manufacturer parts and passes a wide 30-point inspection likewise. These pre-owned replica watches provide the luxurious the way they look and precision craftsmanship of newly-owned models, although at substantial savings because of the pre-owned status. If you are interested in replica handbags or replica watches, you can get more information at http://www.skyteamtrade.com/

    ReplyDelete
  12. hi, im professional decoder, i can decode any sound file to track2!
    if you need a good decoder contactme
    this is im ICQ: 655803449
    jabber : decode.wav@jabbim.cz

    ReplyDelete
  13. I appreciate the effort you made to share the knowledge. The topic here i found was really effective to the topic which i was researching for a long time.Safety vest

    ReplyDelete
  14. 5 / SIZE 10 jordans for cheap Nike Men's Air Jordan 13 Retro CP PE-11 "Chris Paul" jordans for sale 2016 Nike Air Jordan Horizon Premium SZ 10 Multicolor Retro AS PSNY 822333-035 cheap jordan shoes Nike HypervenomX Promimo IC Indoor Court Neymar X Air Jordan Black Silver jordans for cheap 136027-103 nike 2011 air jordan retro 5 v white varsity red navy olympic sz 10 jordans for sale Nike Air Jordan Retro 11 72-10 100% Authentic 378037-002 Black/Red/White yeezy jordans for sale VGUC cheap jordans for sale NEW Nike Air Jordan XIII 13 1997 FLINT FRENCH BLUE 136002-441 sz 8 OG ORIGINAL cheap jordans NIKE AIR JORDAN V 5 RETRO 2013 Fire-Red Black Tongue 136027-120 new jordans for sale Nike Air Jordan True Flight 342964-112 Men Size 10 Black White Red jordans for sale Nike Air Jordan 11 XI Retro Low Varsity Red Cherry White 528895 102 Sz 9.5 cheap jordan shoes SAC DAIM GRIS CLAIR PORTE MAIN LONGCHAMP AUTHENTIQUE LONGCHAMP sac longchamp pas cher Sac Pliage LONGCHAMP Toile Déperlante Noire SAC POCHETTE LONGCHAMP PLANETES EDITION LIMITEEGucci Outlet Tote Bag Leather-Trimmed Monogram Taffeta Chocolate gucci replica Authentic GUCCI Round Zipper Purse Calf Pink Outlet Goods 321117 8RK

    ReplyDelete