PDA

View Full Version : OT: Why would this work?



wierdscience
02-03-2009, 09:40 PM
Okay I have seen this twice now and haven't heard a good answer as to why it works.

Was standing in line at the local grocery when the lady in front of me couldn't get the card reader to read her debit card ten times in a row.The cashier took the card,slipped it in a plastic grocery bag and swiped it through the reader it worked instantly on the first try.

Why did this work? I could see it if the card readers used a laser scanner like a bar code reader,but don't they just read the mag signature strip on the card???

aboard_epsilon
02-03-2009, 09:43 PM
she could of taken out of the bag ..the bag got rid of the static ..

all the best.,markj

mochinist
02-03-2009, 09:53 PM
No idea, but this sounds good


"The theory I vote for is the one posted by Julie which suggests the added spacing helps average out the read errors caused by deterioration of the magnetic data over time."

Evan
02-03-2009, 10:05 PM
Two things;

It keeps the card at a constant spacing from the read head which causes the AGC (automatic gain control) to step up the amplification and the bag provides some extra friction which makes the card speed more consistent.

doctor demo
02-03-2009, 10:23 PM
I've been places where the bag would not work and then gone down the street and used the same card without any problems,with out the bag.
I think it could be more reader error than card error.

Steve

ckelloug
02-03-2009, 10:27 PM
There was a post over on global spec engineer's edge about this from a guy who designs some related equipment. He said that it had to do with the distance from the sensor somewhat but not quite like Evan said.

The post over there said that as particles get out of place on the mag stripe from wear, they decrease the signal to noise ratio of the sensor reading the strip. Since the particles that wear on the strip are mostly random, their effect is small but measurable and disruptive. The increased distance from the added plastic attenuates both the mag stripe and the displaced particle signals when the card is read. Since the displaced particle signal is fairly small in comparison to the actual stripe signal, the few thousandths of increased distance attenuate the noise from the displaced particles back to near-zero while only slightly attenuating the real signal from the stripe.

Using credit cards a fair bit for expense tracking purposes, I'd say that the design on some of these readers is abysmal. They have terrible noise immunity and the worst ones behave like they have a fixed amplifier gain and no signal filtering. There are a lot of cases where it works down the street but doesn't work where you are. I've also noticed by observing at the stores that some brands of readers are complete crap while others are almost universally good. They'd probably do better if they were cleaned more and the sensors replaced more often.

darryl
02-04-2009, 12:42 AM
Just a guess- in the absence of a signal, the amplifier gain is up high. When the card is swiped, the gain has to instantly drop so the signal is read properly- this could possibly mean that the first part of the signal is clipped and not read properly. With the card in a bag, the gain needs to be high, so there wouldn't be such a drastic shift in the gain while reading the signal. In this case, all of the signal is registered properly and the card info is deemed valid.

I'm a bit surprised that a magnetic strip can be read properly with the pickup head spaced away from the stripe by the few thou thickness of the bag. The data on the card must be fairly crude, and probably is quite strongly encoded on the stripe.

I can also see the potential (sic) for static to interfere with the reading electronics. If there's a discharge from the card to the sensor, that could instantly run the gain down to a very low point in which case the reading could be too weak to be processed.

Evan
02-04-2009, 02:59 AM
The data on the card is very crude with a bit size similar to the stripes of a bar code. There is very little encoded in the mag stripe, just the card number, the pin and a checksum plus on some cards a few extra characters.

You can see the data strips on the card by sprinkling some fine magnetic dust on the card. The perfect material is magnetic printer toner. Just take a pinch and let it drift onto the stripe and it will reveal the code.
http://metalshopborealis.ca/pics/code1.jpg

The encoding on the stripe is a NRZ type code (Non Return to Zero) so detection accuracy is sensitive to variation in spacing from the read head especially if it varies during the swipe.

Cameron,

I don't buy that explanation. The signal to noise ratio won't change with distance. It is also very easy to filter as it will present as 1/f^2 noise.

Ian B
02-04-2009, 03:03 AM
Just a personal bitch on the swipe card readers; why can't the manufacturers put two read heads in the reader, facing each other? How many times do people swipe a card, see that nothing has happened and then turn the card around & swipe it again? Yes, there's normally a minute sticker saying "strip this side" or something, but this rarely seems to be read by anyone.

Wouldn't a second read head fix this?

Ian

Evan
02-04-2009, 03:26 AM
why can't the manufacturers put two read heads in the reader, facing each other?

Would you notice if they did?

ckelloug
02-04-2009, 09:17 AM
Evan,

What you said conflicts with the other discussion. I don't have a dog in the fight. I looked this up over a year ago and found the following discussion which I didn't think would be this easy to find again:

http://cr4.globalspec.com/thread/2432

The above discussion cites the following article in New Scientist:

http://www.newscientist.com/article/mg19225752.500-money-bags.html

Regards all,

Cameron

biometrics
02-04-2009, 10:46 AM
Just a note of clarification. I don't have a dog in this fight either, but I work in computer security and have a great deal of experience specifically in transaction security areas... this includes money cards.

The reason some readers don't read the card easily is because they are CHEAPLY made... that is why they work in one machine but not another.

The reason that they don't always put two read heads inside all the readers to read in either direction is exactly the same reason... COST. The better devices DO have two heads...

It is much cheaper to make you turn the card over than to manufacture the reader with two sets of circuitry to read cards. When you see dual sided readers, it is because the people spec'ing the equipment know the advantages of the small added cost per unit...

and Evan, a minor correction...the PIN is not stored on the card, only the card number, your name as it is printed on the card, and the info to contact the appropriate bank.

That is why if you use an ATM and put in the wrong PIN, it takes several seconds to come back and tell you that you screwed up. It goes through the same process as if you did enter the correct PIN only it returns a mismatch error if it was wrong...

The real PIN is never transmitted back to the ATM... only the PIN you enter is transmitted to the ACH service, and on to the bank. If it matches, what the bank has stored as correct, you get to do your transaction, and if it doesn't you dont'... If the ATM takes your card inside rather than being swiped and you hold it the whole time, it will keep your card if you screw up the PIN 3 times in a row. More and more ATM's are being built with swipe readers because they are cheaper than the motorized and computerized readers that take the card from you and hold it until the transaction is over.

If the PIN were stored on the card, a debit card thief would only have to pass the card through a reader to get the PIN number, and then they could withdraw cash from any ATM.

Stolen cards are almost always used in the credit mode because a PIN is not necessary, unless they have a gun at your head to get you to operate the ATM.

How do PINS get compromised?

Low use merchants use inexpensive payment services whose security is below par, and their computers get hacked... and the PIN information is stolen along with the card numbers. I recommend that you NEVER use your check card as a debit mode unless it is a very large company with the resources for protection of the sensitive data... Walmart is an example.

But the mom & pop gas station where you buy a candy bar, a newspaper, and get $20 cash back using your debit card and PIN buys their services from the cheapest place they can to maximize their revenue and minimize their fees. If that service gets hacked, the hackers have your numbers and PINS...

PINS are also stolen by observation or "shoulder surfing"...

In some cases, small independent privately owned ATM's are just phoney...You try to use them and they tell you that they can't process your transaction because they are out of money... when in reality, they have captured your number, name and PIN and then the theives who own them come pick them up for service and dump the captured data and produce false cards. When you use an ATM in the aisles of the local mall, or other public place, be wary if you have never gotten money from that machine before.

An added security step that I take when using my own cards for "credit" is that I sign the card very small, and then in bold letters put CHECK PHOTO ID.

It is worth the inconvenience when the clerk asks you for ID, that you don't have your Credit account emptied by a con artist. Not all merchants will ask, but better some than none.

I hope this has been helpful.

-John

P.S. Evan, I REALLY enjoy your posts about your projects... keep them coming...please!

Evan
02-04-2009, 11:03 AM
Evan,

What you said conflicts with the other discussion. I don't have a dog in the fight. I looked this up over a year ago and found the following discussion which I didn't think would be this easy to find again:

http://cr4.globalspec.com/thread/2432

The above discussion cites the following article in New Scientist:

http://www.newscientist.com/article/...oney-bags.html


The article is clearly in error since it states that the strength of a magnetic field is governed by inverse square law. That is incorrect as a magnetic field is governed by inverse 3rd power law. That makes a huge difference to the critical distance between card and read head. I worked on coin and card acceptors for many years with Xerox. The smearing explanation is also incorrect as that is a very minor issue. It isn't the transfer of particles to other parts of the stripe that causes the problem, it's the removal of particles from the card entirely by wear that causes signal problems. Particles that merely move are quickly removed.

As for the signal to noise ratio, that won't change with distance because the magnetic fields from random particles obeys the same power law as the data fields.

Biometrics,

It is my understanding that a checksum value for the PIN is stored on the card, not the actual PIN. I oversimplified.


When you see dual sided readers, it is because the people spec'ing the equipment know the advantages of the small added cost per unit...


Precisely. That is why I asked if "you" would notice. Since it doesn't screw up there is nothing to notice.

biometrics
02-04-2009, 01:52 PM
Some additional information. Evan you are correct about the "hashed" PIN on the card... that was faulty memory on my part, but without the encryption method, the PIN can't be deciphered if the card is locally read.

Here is some formatting info about data on the card:

*** Track 1 Layout: ***

| SS | FC | PAN | Name | FS | Additional Data | ES | LRC |

SS=Start Sentinel "%"
FC=Format Code
PAN=Primary Acct. # (19 digits max)
FS=Field Separator "^"
Name=26 alphanumeric characters max.
Additional Data=Expiration Date, offset, encrypted PIN, etc.
ES=End Sentinel "?"
LRC=Longitudinal Redundancy Check


*** Track 2 Layout: ***

| SS | PAN | FS | Additional Data | ES | LRC |

SS=Start Sentinel ";"
PAN=Primary Acct. # (19 digits max)
FS=Field Separator "="
Additional Data=Expiration Date, offset, encrypted PIN, etc.
ES=End Sentinel "?"
LRC=Longitudinal Redundancy Check


*** Track 3 Layout: ** Similar to tracks 1 and 2. Almost never used.
Many different data standards used.
Souce: http://www.acmetech.com/documentation/credit_cards/magstripe_track_format.html

mlucek
02-04-2009, 02:23 PM
she could of taken out of the bag ..the bag got rid of the static ..
Having worked in clean rooms and at static-safe workstations and getting yearly training/certificate for ESD (Electro-Static Discharge), you are taught that ordinary plastic is a HUGE source of static electricity.

Unless plastic is otherwise labeled or approved for static sensitive components/assemblies, it is forbidden in those labs/areas.

Mike

Evan
02-04-2009, 02:27 PM
I'll add a couple more card safety tips.

Don't let your card out of your sight. This especially applies in a restaurant. Pocket card readers are easily available and can be used to snag your card information on the way to the till.

Here is a card reader next to a cigarette lighter. They don't cost much either.

http://metalshopborealis.ca/pics4/cardread1.jpg

Also, there is a fairly recent scam in operation here. Popular businesses are broken in to and minor items are stolen. What is really done though is a small radio data transmitter is installed in the card reader at the till. Everything operates normally except everything that goes on in the reader is being transmitted to somebody with a laptop parked nearby. This happened recently at a MacDonalds franchise in Vancouver so nobody is immune. Sometimes the device is bugged by somebody who simply shows up and waves a business card saying Acme Card Reader Repair and they swap the unit for a "new" one that is bugged. This works pretty well because there isn't a cashier out there that doesn't think their reader is broken.


Another scam relates to ATMs. In the Vancouver area there have been instances of ATMs that have a false front installed over the card slot that looks very professional, just like the real thing. It has a reader that reads the card as it passes through to the real card reader. Everything operates normally. To make it more worthwhile in some cases there has also been a micro tv camera with battery power installed where it can observe the PIN as it is entered.

aboard_epsilon
02-04-2009, 02:28 PM
Having worked in clean rooms and at static-safe workstations and getting yearly training/certificate for ESD (Electro-Static Discharge), you are taught that ordinary plastic is a HUGE source of static electricity.

Unless plastic is otherwise labeled or approved for static sensitive components/assemblies, it is forbidden in those labs/areas.

Mike

but could the bag take away as well as give?

I've had trouble with my cards more than once ........

The solution was to lick them and wipe them on my jeans ...no dirt came off them ..i assumed i had de-static'ED them.......works very well with the smart chip cards.and.camera cards.

forgot to say ..for the last five years or so all our cards are the smart chip and pin type.

all the best.markj

Evan
02-04-2009, 02:33 PM
Static won't make a difference to reading the card. The reader is designed so that you cannot zap it when you handle it to swipe your card.

It also won't matter to the smart cards all though a big enough zap can destroy your phone card or whatever else you have like that. It's a good idea to keep your fingers away from the gold contacts.

derekm
02-04-2009, 05:33 PM
When is the U.S. going to have smart cards(Chip and Pin) as we are getting hit here in the UK by cards being stolen then shipped to the U.S. We have had smart cards(chip and pin) for quite a while and the technology has been available since 1983 thats 25 years! (I know cos I worked on it).

Derek

tony ennis
02-04-2009, 05:52 PM
I recommend that you NEVER use your check card as a debit mode unless...

No "unless" to it. There's no reason to ever use your debit card as a debit card when you have the option to use it as a credit card. A debit transaction costs the merchant more fees, somehow, and using it as a credit card gives you a little float - and superior protections against fraud.

Liger Zero
02-04-2009, 05:56 PM
Another scam relates to ATMs. In the Vancouver area there have been instances of ATMs that have a false front installed over the card slot that looks very professional, just like the real thing. It has a reader that reads the card as it passes through to the real card reader. Everything operates normally. To make it more worthwhile in some cases there has also been a micro tv camera with battery power installed where it can observe the PIN as it is entered.

Not doubting you for an instant but you'd have to be damn foolish to try that around here, most ATMs I go to are covered from at least three angles by video cameras.

mochinist
02-04-2009, 06:31 PM
Not doubting you for an instant but you'd have to be damn foolish to try that around here, most ATMs I go to are covered from at least three angles by video cameras.Its happened here in phoenix a few times in the last few years, apparently its not to hard to put on a disguise for the camera:)

Evan
02-04-2009, 08:14 PM
No "unless" to it. There's no reason to ever use your debit card as a debit card when you have the option to use it as a credit card. A debit transaction costs the merchant more fees, somehow, and using it as a credit card gives you a little float - and superior protections against fraud.


I don't know what the story is in the US but a debit card transaction is MUCH cheaper for the merchant than a credit card. A credit card will cost the merchant from 2 to as much as 5 percent of the sale price of the merchandise depending on what sort of affilliations he has with commercial organizations and how much volume he does. A debit transaction costs about 30 cents transaction fee regardless of the amount. To be able to accept debit cards costs about $45 to $50 per month for the reader and data line and another $15 to $20 for the commercial account to process the transactions.

wierdscience
02-04-2009, 09:30 PM
Okay,I can see cheap reader full of dirt as being likely.I know how dirty a public phone handset can get from skin oil and dust.

What I am wondering now is if/when we see more biometric ID how many finger tips and eyes will be lost to thieves?

ftl
02-07-2009, 09:16 PM
Even is correct that debit is much cheaper than credit from the merchant's point of view in Canada, but he is high on the costs.

I own a small retail store in Calgary. We have paid 9 cents per debit transaction for the last couple of years. It went down a bit last summer/fall but I don't rememeber the exact amount (probably 8.5 cents).

Credit costs us more like 1.6-1.8% (for Visa and Mastercard). Amex is WAY more expensive (more like 3.5%). Amex also drags their feet for a few days before paying us.

We rent the machine for about $31 per month and it authorizes over the Internet connection we already have at at the store so we do not need a seperate telephone line. It will use a telephone as backup if the Internet service is not working, but the only times I have seen that happen out Internet was fine, I think it was a problem on their end - probably something like all the ports on their server being tied up.

When we setup the business I spent a bunch of time shopping around for the best debit/credit rates as it adds up to a pretty big expense. I still check out the competitive rates every now and then to see if it is worth it to change.

Debit is cheap to process in Canada (and very common) because the debit clearing organization is a non-profit corporation owned by the Canadian banks as a joint partnership. Its mandate is to provide the debit services at cost. I'll bet they are sorry they set it up that way years ago.

Evan
02-07-2009, 09:49 PM
I haven't checked on the costs in several years as I closed my store a couple of years ago. It doesn't surprise me that the rates have dropped. Canadians have been and are now the largest per capita users of plastic cash. I don't even carry money with me a lot of the time. The system is reliable and available almost everywhere. I have never had it screw up any of my transactions.

Evan
02-07-2009, 10:04 PM
What I am wondering now is if/when we see more biometric ID how many finger tips and eyes will be lost to thieves?


There are about ten different ways to spoof a fingertip scanner and none of them involve amputation. Iris scanners are too unreliable to trust for anything important. The important statistic for any security device is the numbee of false positive confirmations it generates. Negatives are OK as it doesn't compromise security. It just pisses off users. Security professionals and equipment designers think the way to deal with the false positive error rates is to use multiple methods of verification.

What that shows is how little they know about science and the laws of probability. If two different methods each have a certain failure rate, then combining them increases the failure rate. It not only increases it the rate is method A rate times Method B rate. This is not appreciated or is being withheld by the companies in the biometrics business.

The automated fingerprint system in use in the US has a very bad record of wrongly identifying people. There are some very unsettling horror stories of how innocent people have been identified as wanted criminals by the fingerprint scanners. Biometric technology cannot be made entirely reliable for quick identfication. Even DNA matching technology cannot positively identify somebody. This isn't well known but the primary use of DNA screening is to rule out suspects. DNA can only positively confirm who didn't do it. Confirmation who did do it always has a probable error rate attached.