Magstripe cards are things like credit cards or hotel room cards. I know they can be read and reprogrammed easily.
In movies, though, you sometimes see characters breaking into places with a device that looks like a magstripe “card” with wires attached to a small tablet/smartphone like device, the idea being that you can directly program the magnetic stripe on there and not need to program a separate card before inserting it into the door.
Does such a device really exist? What are they called?
Also, there are apparently Bluetooth-enabled magstripe cards that can dynamically reprogram its own stripe, so you don’t even need the wires coming out of it. Is there a special name for those, too?
I just want to find one to play around with.
I hope you find one, but before you invest too much time in it, please be aware that magnetic stripe credit and debit cards are going away. Most of the world outside the United States is well into the process of converting their cards to the Chip-based EMV standard. The United States is being dragged in that direction kicking and screaming. This is causing a lot of headaches for international travelers when they find their cards are incompatible with some of the local payment devices or shop clerks don’t know how to process cards that don’t adhere to the prevalent local standard.
Heh, good luck with that. We’ll adopt smartcards about as quickly as we adopt the Metric system or give up fundamentalist Christianity. The US doesn’t care what the rest of the modern, sane world uses because we’re a big enough, and arrogant enough, market on our own.
Hopefully the liability shifts will finally get us.
Coin is working on a product that reprograms the magstripe as necessary so that a single card can be all your cards.
The credit card companies will save money on these; this change is going to happen.
Remember that a magstripe is an emulsion of fine magnetic particles. They are uspended in the emulsion and can be “flipped” to point one way or the other with a strong magnetic field.
To read it, you run it past a device wired as an electromagnet (the “reading head”) and the magnetic field of the stripe induces a current in the head. It’s exactly the same tech as a casette tape or reel-to-reel tape recorder or a VCR.
So to simulate a magstripe swipe, all you need is a low-powered electro-magenet no thicker than a credit card; position it in front of the read head, run a current through it that changes the magnetic field in a certain pattern and you mimic a swipe.
The question is whether a device will accept multiple incorrect swipes before accepting the correct one. Obviously the bank card reader is pretty fussy, and verification is mae against a central computer with the PIN, so just having the correct stripe contents is not enough. Too many incorrect tries with a pin card and your card is suspended.
I have no idea how door locks (like hotels) work. Obviously, it’s more complex than a simple “OPEN” code, since it only opens your door (and select oher doors, like the pool or gym). It must be date stamped, since it can expire automatically it seems. I don’t know if all the locks talk every swipe to the central computer, but based on cop shows where they know who entered, which card and what time - probably they do talk all the time. So the answer to the OP is - it depends how fancy and security-conscious the door system is.
For example, early garage door opener remotes just used a 3-digit random code and a standard encoding. The joke was that you could hook a 555IC timer to a serial chip and a radio, and drive around a neighbourhood. The electronics would count through a whole cycle (000 to 999) in plenty of time to be in range of any door you drove by. garage door opener manufacturers stated making numbers longer and adding “rolling codes” and such to make faking it harder.
Supposedly Beckham’s “keyless” BMW X5 was stolen by theives with a laptop and radio transmitter that recorded his key transmission and figured out the progression pattern to fake the key fob. I assume BMW has updated their software since then.
So it depends how secure the swipe-lock door software is.
This implies that you can mimic a swipe without even having a moving magnetic surface in front of the read head.
In fact, I saw a device of this sort 15-some years ago that did just exactly this. Electronic cameras were becoming popular, and had enough memory to store many images before you had to upload them to somewhere else. But computers of the day didn’t have USB ports. Here is one device I saw:
There was a removable memory chip in the camera that held the images. Separately, there was a device that was exactly the size and shape of a floppy diskette (the little one, with the rigid plastic case and the sliding metal cover that moves aside to expose a portion of the disk surface). Under that sliding cover was a non-moving magnetic surface that could mimic the moving magnetic disk surface in real time exactly as md2000 describes here.
So you put your memory chip from the camera into a slot in this device and stuck the whole thing into your floppy disk drive. It proceeded to twiddle the magnetic fields of the exposed fake diskette surface, in such a way as to mimic not only the image data, but it faked an entire DOS diskette file system. Then, you just used whatever standard DOS commands you wanted to list the files there and copy them.
There have been “cassette adapters” for many years that you attached to a Walkman (or iPod, for those of you cool kids) and then inserted in your tape deck, in order to play music on devices without a line-in input.
I’ve never heard why, exactly, the chip cards are better for the consumer than the magnetic strip swipe cards. It seems to me a card that can be read remotely without touching the device is much more apt to have it’s information stolen. Or perhaps the previous person’s purchase might be charged to your card if you happen to be too close.
“Chip” credit cards can’t be read remotely.
ETA: “RFID” cards can, but they are not the same thing.
If I was designing a door security system, the cards and locks would simply carry serial numbers. Every lock would query the system when a card was inserted: “Is card number 34567 allowed to open lock number 123456?” You could program all sorts of permissions and limitations. Of course, there would always be an old-fashioned metal key as a backup if communications links or power failed.
In the context of banking cards, there are two types of contactless (RFID) card. One is an interface to the processing power and encryption of the EMV chip, the same as the contacts on the EMV card, and the other provides the data that the magstripe uses. I do not know whether an EMV contactless card can fall back to operating as a magstripe contactless card if EMV is not available.
But two-way wireless communication takes battery power, and you would need relays over large distances (hotel floors, college campuses, etc.)
I don’t know if any of them do it this way, but I think public key cryptography could be used so that each door lock can tell if the latest key card came from the right authorizer. Part of the reason I’m asking about this is because I want to study how these cards usually work. I found out that my old college stores my social security number on the magstripe in plain text, for example. Disturbing.
According to this old thread, some of the might be networked and some of them might use one-time pads, with each new validated keycard reprogramming its predecessor’s commands with newer instructions.
In the movies they might use something like that to look cool. IRL, you’d use a magstrip writer like this one. Just like your cassette deck and VCR record as well as play back, there’s not much more to a mag reader to write to a card instead of just read.
Card forgers used to be found with piles of credit or gift cards or loyalty cards or whatever, all re-coded to be Visa / Mastercards with their details written on in markers.
Don’t worry though - the US will be modernized in maybe 18 months. 
Right, but if you had the Hollywood kind, you could stick your dongle into the slot and brute force it by running a bunch of different code combinations sequentially. Hard to do with key cards if you have to pull out, change up, and re-enter every time.
Your dongle’s going to get awfully sore after doing all that for a while.
Don’t they have that already? I caught an overnight ferry from Tasmania last year, and was given a hotel room-style card to open my cabin door. Somewhere in the fine print on the paper cover the card came in, it said (not in as many words): “Don’t waste your time trying to steal this card. The code is randomly changed for each new passenger.”
Or are we talking about different things?
Edit: my workplace RFID is similar. People can program the system to tell it which doors I can open with it, and which I can’t. If I go to another facility (even in another state), they’ll just adjust the system to allow me to access the building before I get there, and cancel it after I leave.
There was a presentation at BlackHat a couple years ago demonstrating a hotel lock hack using a ‘black box’, report here. It gets access through the data port and not the card slot, so not exactly what you’re looking for.
Yeah, that was a neat (if unsurprising) hack. I always assumed these systems were not built with very stringent security practices (at least not the consumer kind), and it’d be fun to play around with them in the real world. Not to malicious intent.