How I Misunderstood and Improved the MagSpoof

The story of a silly misunderstanding, by way of which I significantly improved the efficiency of the MagSpoof (Samy Kamkar’s famous project).

Home made MagStripe Reader deceiver coil

The MagSpoof

Samy, as you probably know, is a super cool hacker, and among other things, he discovered some weaknesses in American Express credit cards and the way they are issued. About four months ago Samy released a video where he described his findings, and presented the MagSpoof. The MagSpoof is a little proof-of-concept electronic circuit with a copper wire coil, a DC motor driver IC, and an ATtiny85 MCU programmed to match. This device creates an alternating electromagnetic field, carefully timed in a way that fools ordinary magnetic card readers into thinking that a real, physical card is being swiped in them.

I have no intention of counterfeiting American Express cards – or any other cards, for that matter – but I was really intrigued by the MagSpoof hardware. So I got a simple MagStripe reader (about $15 from China), collected the components, uploaded Samy’s example code and tried it. It worked. But then I looked into the code itself, and found something that struck me as odd.

Mystery #1

Before we continue, here’s some background. The credit card’s magnetic stripe contains up to three long “bar codes”, made from thin lines of magnetic material with spaces between them. Samy demonstrated this by dipping a card into fine iron powder; the iron stuck to the lines and made them visible. Card readers have sensitive magnetic sensors, which recognize these lines as they pass by when the card is swiped. The MagSpoof replicates the effect of these lines on the sensors by switching the polarity of a strong electromagnetic field nearby.

This scheme obviously worked, but I didn’t understand why. I assumed that the card reader only recognizes the presence or absence of magnetic material (the “bar code” lines), and if that’s the case, what’s the point of changing the polarity? Wouldn’t it be more logical to simply switch the same electromagnetic field on and off?

Mystery #2

After a little experimentation with the code, I was able to show that I was right: the polarity reversal is not required. Turning the field on and off was enough to transmit the same data to the reader, from a similar distance (by rough estimate – I did not measure).

A simple USB MagStripe reader

Still, something did not add up. Both in Samy’s original code and in mine, we actually ignored the spaces in the “bar code”, treating only the lines as triggers to changes in the field. But of course, the spaces do exist, and they contain no magnetic material. The sensors must “see” them when a real card is swiped, so how can the MagSpoof be working without them?

The solution(?)

At that point I learned my big mistake: the lines in the magnetic stripe are not just magnetized – they have specific polarities which alternate between one line and the next. Knowing this, Samy’s code makes much more sense. My code, on the other hand, which does not change the field’s polarity, shouldn’t work at all. But it did!

These mysteries are solved if we assume that the card reader does not care about polarity per se, but about extreme changes in the field; and that it determines what counts as extreme by looking at the field levels detected during the first “sync” bits in the “bar code”.

In this scenario, when you swipe an actual card, or use Samy’s MagSpoof, the card reader identifies the opposite polarities as the extremes, and ignores smaller changes – such as the difference between a line and a space. In other words, the MagSpoof works despite ignoring the spaces, because the card readers themselves ignore the spaces. In my modified MagSpoof, the extremes are different, but the card reader treats them the same, so the spaces are still not required.
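The hypothesis above can be tried out in a small simulation. This is an added example, not code from this post or from the MagSpoof project: it assumes the standard two-frequency (F2F) magstripe encoding and a hypothetical reader that sets its threshold from the sync bits, and all names, bit patterns and field levels in it are constructed.

```python
# Added example: a toy reader model, not code from this post or from MagSpoof.
from itertools import groupby

SAMPLES_PER_CELL = 8                          # constructed simulation resolution
LEAD_ZEROS = 6                                # constructed number of sync bits
SAMPLE_BITS = [1, 1, 0, 1, 0, 0, 0, 1, 0, 1]  # constructed payload bits

def f2f_states(bits):
    """F2F as 0/1 states: flip at every cell start, flip again mid-cell for a 1."""
    state, out, half = 0, [], SAMPLES_PER_CELL // 2
    for bit in [0] * LEAD_ZEROS + list(bits):
        state ^= 1
        out += [state] * half
        if bit:
            state ^= 1
        out += [state] * half
    return out

def field(states, high, low, ripple=0.0):
    """Map states to field strength; ripple stands in for small line/space changes."""
    return [(high if s else low) + ripple * ((i % 3) - 1)
            for i, s in enumerate(states)]

def decode(samples):
    """Assumed reader: threshold halfway between the extremes seen during sync,
    then classify the time between threshold crossings. Polarity is never used."""
    sync = samples[:LEAD_ZEROS * SAMPLES_PER_CELL]
    threshold = (max(sync) + min(sync)) / 2
    runs = [len(list(g)) for _, g in groupby(v > threshold for v in samples)]
    cell = runs[0]                  # first sync run spans one full bit cell
    bits, i = [], 0
    while i < len(runs):
        if runs[i] > 0.75 * cell:   # one long gap between crossings: 0
            bits.append(0)
            i += 1
        else:                       # two short gaps between crossings: 1
            bits.append(1)
            i += 2
    return bits[LEAD_ZEROS:]

def compare_drives():
    s = f2f_states(SAMPLE_BITS)
    return (decode(field(s, 1.0, -1.0)),       # polarity reversal
            decode(field(s, 1.0, 0.0)),        # on/off only
            decode(field(s, 1.0, 0.0, 0.1)))   # on/off plus small changes
```

All three drive styles decode to the same bits in this model, because only the spacing of threshold crossings carries data.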

Cheap & Efficient

What does it all mean, practically? For a proof-of-concept one-off, like the original MagSpoof, it means nothing; but had I wanted to mass-produce a MagSpoof, my method would have been superior because:

  1. I have current flowing through the coil in one direction only, so I don’t need the DC motor driver IC – just one little transistor.
  2. During operation, I turn the field on and off instead of reversing its polarity, so the total power consumption is cut in half.

Concluding remarks

I find this story quite interesting, because had I read all the relevant material thoroughly in advance, I wouldn’t have come up with this significant hardware improvement. This is a pretty rare thing to happen – usually, mistakes and misunderstandings only make things worse.

I wrote to Samy about this little discovery. If anyone can confirm (or correct) my assumptions regarding the card reader’s way of working, I’ll be happy to hear.

Until next time…

7 thoughts on “How I Misunderstood and Improved the MagSpoof”

  1. I’m very interested in making this as a hobby project, and I think that I have most of the necessary knowledge about the topic, but some parts of the assembly are unclear to me, like how to load all the cards to the microcontroller and some other parts of the project. I was wondering if there was any sort of step by step guide to this project that could help me assemble it. If you do have one or are able to easily find or make one, please reply with a link to the guide.

  2. So, what exact changes did you have to make to the Magspoof code? I attempted to recreate this as you described unsuccessfully. I intend to produce a dozen or so magspoofs for a club event and simplifying the hardware like this would be great!

    1. Well, I don’t remember by heart… but Samy’s code operates a motor driver IC (in two directions), and mine just turns a signal on/off for a transistor, so look for the part that outputs the data signals and change accordingly 🙂

  3. Interesting, maybe we can switch to your method down the road. We’ve got a new version of the magspoof in production that has a few convenience improvements. More at [URL removed, please don’t put commercial links here, thanks].

    1. [Sorry – momentary memory fail, I updated this comment!] I did not run exact experiments and measurements, and did not notice a significant difference between the versions. Both gave me a range of a few centimeters, close enough to what Samy presented, so I let it go at that.
