ABSTRACT
A large amount of credit card fraud that occurs every year results from the copying of an authentic card’s data to a skim card. One method for preventing this fraud is to design a system with the ability to dynamically differentiate between two unique cards regardless of the binary information encoded on them. Due to the imperfect alignment of ferromagnetic particles in a magnetic stripe, each magnetic strip card contains a unique, data-independent fingerprint (MagnePrint™) that may be detected with a card reader and used for authentication. We successfully designed a system to store card swipes in a database, extract the MagnePrint™ from each swipe, and correlate these MagnePrints™ together in order to determine the authenticity of a given swipe.
MAGNETIC CARD SWIPE BASICS
Electric data signal with embedded MagnePrint™
The stripes on cards are composed of ferromagnetic rods fixed in a resin. Data is encoded on the card by changing the polarity of the rods at specific points along the card. During a swipe, the time-varying magnetic field from the polarity shifting of the rods at an inductive read head yields an electric signal with an amplitude proportional to the density of the rods and to the swipe speed. Ideally, all of these rods are perfectly aligned with the length of the magnetic stripe, meaning a switch in polarity would yield an electrical data signal with maximum amplitude. However, the rods are not perfectly aligned with the length of the magnetic stripe, yielding a small signal embedded within the data signal. This small signal causes the amplitude of the data signal to vary from ideal at a greater frequency than the data signal. From the literature, we know that this small signal is at about -40dB relative to the data signal, and has an amplitude of about 20µVpk/IPS. This small signal is unique to each magnetic stripe and is independent of the encoded data, thus it may be used for card authentication. Any given card may be authenticated by correlating the small signal, extracted at the point of sale, with its MagnePrint™, extracted by the card manufacturer and stored in a secure database.
MAGNAPRINT™ SIMULATIONS
The spatial sensitivity of the read head is limited to 1/λ, where λ is the gap length in inches. Therefore, because λ = 0.005” for the MagTek™ readers, the magnetic signal we measure is band-limited to 2,000 cycles/inch. The fact that MagnePrints™ resemble differentiated, band-limited, White-Gaussian noise, we were able to accurately simulate repeatable magnetic stripe characteristics (RMSC) signals to test our system.
TRACK 1 DATA MAGNAPRINT™ COLLECTION AND ANALYSIS
The next step in designing our system involved harvesting MagnePrint™ signals from a blank (no transitions in polarization along the stripe) Track 1. This involves several steps. First, we used a MagTek™ brand reader, a high fidelity amplifier, and the 16-bit ADC on the Elvis II Prototyping boards available in our lab in order to capture swipes. These swipes are essentially RMSC signals. The parameters that dictate how the MagnePrints™ are generated include the total number of samples (M), the spacing between samples (Δ), and the number of bits used to represent each sample (numBits). We varied one of these parameters while holding the other two constant, and measured how the separation (S) between the reject and accept correlation coefficients was affected. These results are shown in the figures below:
TRACK 2 DATA MAGNAPRINT™ COLLECTION AND ANALYSIS
The major challenge of adapting our Track 1 system to extract and analyze MagnePrint™ signals from Track 2 measurements was that Track 2 has bits encoded on it. Because we desire MagnePrints™ that are independent of the information stored on the magnetic stripe, it was necessary to devise a way of filtering out the signal containing the bit encodings before harvesting the MagnePrint™ samples. As previously mentioned, we determined that a mean smoothing filter would be the optimal solution. The specific implementation of the filter is detailed in patent 7,478,751 2B. It includes a cascade of two mean smoothing filters. Mean smoothing filters, also known as moving averages, are FIR filters that calculates the average of a subset of N samples and subtracts this average from the N/2 sample. The length of the filter is equal to 1/8 of the bit length in samples, which in our case is 33 samples. After filtering the Track 2 RMSC waveform, we then extracted MagnePrint™ and analyzed the system performance in a similar way as with Track 1. The major difference is that the MagnePrint™ samples were only harvested from the center of a zero bit, for a total of 4 samples per zero bit. The results are shown in the figure below.
RESULTS
We ran a variety of tests to determine the optimal value of the following parameters when generation and analyzing MagnePrints™: The number of bits per sample (numBits), the spacing between samples (delta), and the total number of samples per MagnePrint™ (M). The separation (S) is defined as µA - σR - σA. The results are summarized in the table below:
FUTURE DIRECTIONS
Other modifications should be done to make the system commercially viable. To help test the system, we treated the forward and backward swipes of each card as two different cards. This was possible because the MagnePrint™ of a backward swipe is flipped, and therefore correlates with the corresponding forward swipe to zero, as would two different cards. In a real-world application, the MagnePrint™ for a backward swipe should be flipped in time so that the swipe direction has no effect on the authentication process. Another necessity to implement the system commercially is to create a server to store the MagnePrints™ associated with each card, as opposed to storing the data locally. Finally, the sampling speed of card reader ADC should be increased to allow for swipes with speeds greater than 40 IPS to be accurately recorded and processed.
LITERATURE CITED
1. Morley, Jr. et al. Method and Apparatus For Authentication a Magnetic Fingerprint Signal Using a Filter Capable of Isolating a Remnant Noise Related Signal Component. U.S. Patent 7,478,751 B2, filed December 17, 2004, and issued January 20, 2009.
2. Gallagher, Sean. “Automated robbery: how card skimmers (still) steal millions from banks.” Arstechnica. Conde Nast, 27 June 2012. 10 April 2013. http://arstechnica.com/security/2012/06/automated-robbery-how-card-skimmers-still-steal-millions-from-banks/.
3. “Normal Distribution”. Wikipedia, The Free Encyclopedia. 30 April 2013. 10 April 2013. < https://en.wikipedia.org/wiki/Normal_distribution>.
4. “Magnetic Card Stripe”. Wikipedia, The Free Encyclopedia. 30 April 2013. 10 April 2013. < http://en.wikipedia.org/wiki/Magnetic_stripe_card>.
2. Gallagher, Sean. “Automated robbery: how card skimmers (still) steal millions from banks.” Arstechnica. Conde Nast, 27 June 2012. 10 April 2013. http://arstechnica.com/security/2012/06/automated-robbery-how-card-skimmers-still-steal-millions-from-banks/.
3. “Normal Distribution”. Wikipedia, The Free Encyclopedia. 30 April 2013. 10 April 2013. < https://en.wikipedia.org/wiki/Normal_distribution>.
4. “Magnetic Card Stripe”. Wikipedia, The Free Encyclopedia. 30 April 2013. 10 April 2013. < http://en.wikipedia.org/wiki/Magnetic_stripe_card>.