11

I know all systems accepting magnetic stripe cards (card readers, access systems, etc) would reject a cut one. But could and expert still get the data that was on it?

For the record, I mean "cut in half", as often stated in bank instructions.

Ludwik
  • 221
  • 1
  • 6
  • I found answers by googling: https://magstripe.wordpress.com/2013/01/02/about-debit-cards/ [scroll to the end] – schroeder Nov 18 '15 at 22:55
  • 2
    @schroeder - maybe you could have answered this question with information from your results, as now the first google result for "Could data be recovered from cut magnetic stripe card?" is this very question. – JonnyWizz Nov 26 '15 at 16:53
  • @JonnyWizz my point is that the question is answered with a Google search. We expect that people have done at least a little research before posting here so that we do not end up duplicating what is easily found elsewhere. – schroeder Nov 26 '15 at 17:27
  • 2
    @schroeder Your result, while informative, only touches briefly on the subject of my question. It tells me that there is a company that can do it, and law enforcement uses their patent. I asked here because I was curious about the technology, what happens when a card is cut, why that makes it harder to read, and how it then can be read anyways. – Ludwik Nov 26 '15 at 17:36
  • The technical details on the magstripe is a little beyond the scope of this site. In fact, it is going to be up to the individual format used by the card manufacturer. To answer the question "could an expert still get the data", the link answers the question: yes. – schroeder Nov 26 '15 at 17:38
  • Why would you even think of recovering data from an ATM card? all the data you need is written on the card itself, and it can be extracted by joining the two pieces. The debit card contains the card number, name and expiry date of the card. – Sanidhay Nov 27 '15 at 09:48
  • @Sanidhay - It's not just ATM cards that use a magnetic stripe, it could be something like an access card used to open a door that does not contain printed on the card. In any case, I think ATM cards can contain data that is not visible on the card. Wikipedia mentions that there is space for discretionary data that may include PIN verification data (https://en.wikipedia.org/wiki/Magnetic_stripe_card). – JonnyWizz Nov 27 '15 at 10:38

2 Answers2

11

As a former developer for one of the biggest Security Card System organizations in the world, I can confirm with you that the answer is resounding YES depending on the manufacturer and the type of the card.

For example, my company used the standard ISO encoding standard for magnetic stripes for Debit cards, and quite frankly there is not much confidential information in magnetic stripes of the sort to begin with. The encoding is ISO standard, and you can actually search for it online. I included a link to Wikipedia , which is obviously unreliable but that generally holds true. As you can see, there is not much confidential information on the magnetic stripes aside from the name or card number – both of which can be read directly from looking at the card. These information are repeated throughout the stripe maybe twice or three times. The start and end sentinels typically appear just once.

At any rate, some institutions (mostly EMV bound ones) request this data to be lightly encrypted based on EMV standards and appear just once – and as you may have noticed, I said EMV (Visa, MasterCard, AMEX) – so you will never find this on debit cards (unless they are Visa/MS debits). You may or may not be able to extract the data from these types of cards – that would depend on what is lost at the cutoff point. Not all credit cards magnetic stripe info are encrypted – just select ones.

schroeder
  • 123,438
  • 55
  • 284
  • 319
LearnByReading
  • 420
  • 5
  • 8
  • That's interesting, could someone create a cloned card by encoding the magnetic strip on a blank card if hey have just your name and number and the issuer doesn't use encryption? – JonnyWizz Nov 27 '15 at 15:33
  • 2
    Absolutely - except please remember that you need to pass along not just account information but also the password. If you have a card reader, you can obtain all of the information that the magnetic stripe contains - there is no encryption on most magnetic stripe debit cards whatsoever. EMV standards dictate some encryption, but if I remember correctly those mostly relate to preventing clone cards as you mention - they do not hide the data that's on the card. – LearnByReading Nov 27 '15 at 16:13
  • 1
    Chip cards, on the other hand, have operating systems on them (Convego in the case of G&D). The operating system on a chip card contains account information and other types of information on it but *everything* is encrypted. Not too sure about the antenna on the card - I would assume that's encrypted also. I think the same type of info on the antenna is on the chip, so probably encrypted. – LearnByReading Nov 27 '15 at 16:17
8

Did a test with three different cards.

Card 1 (Non-Chipped MC Pre-Paid)

  1. Swiped the card through a USB Magtek MSR Reader, and noted results. Got a clean Track 1 and Track 2 data.

  2. Cut the card vertically straight down the middle into a left piece and right piece.

  3. Took each piece and tried swiping through the card reader. Would only get an %E?;E? which is basically an error and it couldn't read the swipe.

  4. Took the two halves and taped them together as they had not been cut. Just used scotch tape on the front-side, but after a few slow swipes I did get the Track 2 information.

Track 2 information format is as this:

SS=Start Sentinel ";"

PAN=Primary Acct. # (19 digits max)

FS=Field Separator "="

Additional Data=Expiration Date, offset, encrypted PIN, etc.

ES=End Sentinel "?"

LRC=Longitudinal Redundancy Check

Source http://www.acmetech.com/documentation/credit_cards/magstripe_track_format.html

Card 2 (Non-Chipped Visa Pre-Paid)

  1. Swiped the card through a USB Magtek MSR Reader, and noted results. Got a clean Track 1 and Track 2 data.

  2. Cut the card vertically into three equal pieces. Forming a left, middle, right piece.

  3. Took each piece and tried swiping through the card reader. Would only get an %E?;E? which is basically an error and it couldn't read the swipe.

  4. Took the three pieces and taped them together as they had not been cut. Just used scotch tape on the front-side, but many swipes with %E;E?, I did get the Track 2 information again. It did take several more tries to get the information but I did.

Card 3 (Track 2 ISO encoded card, I did on my Zebra P120i card printer)

Just encoded 16 random numbers on the card.

  1. Swiped the card through a USB Magtek MSR Reader, and noted results. Got Track 2 data as expected.

  2. Cut the card horizontally halfway through the magnetic strip, so I was left with a small top piece and large bottom piece.

  3. Took each piece and tried swiping through the card reader. Got 0 response from the card reader, as it didn't detect a card.

  4. Took the two halves and taped them together as they had not been cut. Just used scotch tape on the front-side, and was unable to get any track information.

As others have stated above, if I had a cut card, I could get the information needed from the front of the card.

However, in my test it is possible to get information from that card. Unless they cut horizontally through the magnetic stripe.

I would have tested more cards, but that's all I really had time to test for, and was out of pre-paid cards with 0 balances to destroy.

N. Greene
  • 341
  • 2
  • 6
  • 1
    If something is cut horizontally, yes, you cannot retrieve it. – LearnByReading Nov 27 '15 at 16:21
  • 1
    @LearnByReading I know. Was just wanting to show an example. My card destroying method is cut horizontally once, cut vertically two or three times, and mix the remnants into trash and recycling bins. So even if somebody dumpster dived me they don't have it all. – N. Greene Nov 27 '15 at 16:23
  • 2
    Putting some into the trash immediately and some a week or two later can work, too. – Jon Story Nov 27 '15 at 16:39