I came across a ComputerWorld article by Tom Patterson. He was offering advice about credit/debit card behavior. Mr. Patterson is well-known in the security world, so it was easy to pay attention to him.
I would like to share those tips. Then, I'd like to move on to a related subject that Mr. Patterson is especially dedicated to.
Mr. Patterson's tips
These tips may seem obvious, but mentioning them again can't hurt. It's your hard-earned money at stake, after all:
- Stare: It's no longer considered rude to stare at your card for the entire time it's in the hands of a clerk or waiter.
- Shield: When using your debit card, lean in and cover your PIN entry from every angle. The digits you protect equal the money in your account.
- Change: The bad guys have figured out the number-increment algorithm many banks use. If at all possible, make sure the last eight digits of the new credit/debit card's number are different.
- Check: The average time between stealing credit card information and using it on-line has dropped from 10 days to three. It is recommended that you check your on-line accounts at least that often.
Those tips are important. Yet, they are overshadowed by Mr. Patterson's real quest. Here is what he wants to do:
"Completely eradicate counterfeit card fraud world-wide in the next 24 months. With the banks losing over 4 billion dollars a year and growing rapidly, the industry is ready to fight back. Organized crime has declared this fight, and it will take a unified effort to repel."
We all know about credit/debit card fraud. What surprised me was the scope of counterfeit card fraud. Expert after expert pointed out that using counterfeit cards or information obtained from credit/debit cards supports most illegal activity throughout the world.
Counterfeit cards
This YouTube video will give you an idea of how simple it is to steal information embedded in a credit/debit card's magnetic strip. As the video shows, the only hardware required is a computer, card reader, and magnetic strip card writer. One expert commented on how easy it is to buy card skimmers (readers) on eBay. So, I looked and, sure enough (courtesy of eBay):
Mr. Patterson commented that most gangs and organized criminals have several card printers, to keep up with the multitude of people who are skimming credit/debit cards for money. Thankfully, obtaining the software and expertise to transfer information from the real card to a counterfeit one isn't quite that easy.
MagTek's solution
Most of you know, I am a big fan of "outside the box" solutions. Well, MagTek Inc., where Mr. Patterson is CSO, has developed such a solution to combat the counterfeit-card problem. MagTek discovered that no two magnetic strips are identical. This is due to the manufacturing process. Similar to DNA, the structure of every magnetic stripe is different and the differences are distinguishable.
Knowing that, MagTek pairs the card's magnetic strip signature with the card user's personal data to create a one-of-a-kind digital identifier. MagTek calls this technology MagnePrint.
Let's walk through a transaction. When a credit/debit card is issued to a customer, a Reference MagnePrint is created and stored on the card issuer's customer database. Regarding the customer, every time they use the associated credit card, a Transaction MagnePrint is created.
The Transaction MagnePrint and the purchase details are sent to the card issuer. The validity of the Transaction MagnePrint is determined by comparing it to the customer's Reference MagnePrint. If they agree, the transaction goes through. If the transaction fails, what happens depends on the financial institution.
Since each card's magnetic strip is unique, having someone skim your credit card is no longer a problem. A flag will be raised when the Transaction MagnePrint is different from the Reference MagnePrint. The following slide shows the difference between an original and copied magnetic strip:
The principle is surprisingly simple to understand. It also appears incorporating the system would not require extensive hardware changes or significant costs, especially considering the huge losses incurred from counterfeit cards.
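To make the Reference/Transaction MagnePrint comparison concrete, here is a constructed Python model, added for this write-up and not MagTek's code: the stripe signature is simulated as random manufacturing noise, a skimmed clone copies the track data but not that noise, and the issuer scores each swipe against the enrolled reference with a plain correlation (an assumed stand-in for MagTek's proprietary scoring). The account number, threshold and noise levels are made-up values.

```python
import random

# Constructed toy model of the Reference/Transaction MagnePrint check described
# above. A card is (track_data, signature): track data is what a skimmer copies
# exactly; the signature models per-position magnetic noise from manufacturing
# that a card writer cannot reproduce. Correlation scoring is a hypothetical
# stand-in, not MagTek's actual MagnePrint algorithm.

SIGNATURE_LEN = 64
MATCH_THRESHOLD = 0.8  # assumed threshold; a real issuer would tune this

def new_stripe(rng):
    """Every physically manufactured stripe gets its own random noise pattern."""
    return [rng.gauss(0.0, 1.0) for _ in range(SIGNATURE_LEN)]

def read_signature(card, rng, read_noise=0.2):
    """One swipe: the read head sees the stripe noise plus a little read noise."""
    return [s + rng.gauss(0.0, read_noise) for s in card[1]]

def correlation(a, b):
    """Pearson correlation: near 1 for two reads of one stripe, near 0 otherwise."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = sum((x - ma) ** 2 for x in a) ** 0.5
    sb = sum((y - mb) ** 2 for y in b) ** 0.5
    return cov / (sa * sb)

class Issuer:
    """Holds each account's Reference MagnePrint captured at issuance."""
    def __init__(self):
        self.reference = {}
    def enroll(self, card, rng):
        self.reference[card[0]] = read_signature(card, rng)
    def authorize(self, track_data, transaction_print):
        ref = self.reference.get(track_data)
        if ref is None:  # unknown account: decline
            return False
        return correlation(ref, transaction_print) >= MATCH_THRESHOLD

def demo(seed=7):
    """Returns (genuine card accepted, skimmed clone accepted)."""
    rng = random.Random(seed)
    issuer = Issuer()
    genuine = ("4111111111111111=2512", new_stripe(rng))  # constructed sample
    issuer.enroll(genuine, rng)
    counterfeit = (genuine[0], new_stripe(rng))  # same data, different physical stripe
    return (issuer.authorize(genuine[0], read_signature(genuine, rng)),
            issuer.authorize(counterfeit[0], read_signature(counterfeit, rng)))
```

Running demo() returns (True, False): the genuine card's swipe correlates with its reference while the clone, despite identical track data, scores near zero and is declined.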
I did have a few questions about implementing the MagnePrint technology. Mr. Patterson was kind enough to take time from his busy schedule and provide the following answers:
Question: Is the MagnePrint system in production at this time?
Answer: Yes, MagTek ships about 3 million MagnePrint read heads per year, and it has completed brand testing and multi-year banking trials. Magnesa.Net is the fully operational MagnePrint exchange service, where banks and merchants can go to score their card.
Question: What happens if the magnetic strip is damaged or worn out? Will the customer still be able to make a purchase?
Answer: Information on mag stripes degrades much faster than the underlying MagnePrint. If there is still data that can be read on the card (i.e., their acct. number, etc.), then the MagnePrint will still work.
Question: Will this technology work with any magnetic strip? For instance, would it make sense to use this on driver licenses as well?
Answer: MagnePrint works on any mag stripe card, as it is independent of both the formatting (i.e., three tracks) and the data written on it. It works on my driver's license!
Question: Could you explain why using MagnePrint technology is better than RFID chips?
Answer: I could give you 20 billion reasons, each with George Washington's face on it. But beyond the huge cost involved in replacing every one of the 3 billion mag stripe cards in use, and every one of the tens of millions of mag stripe readers in use, there are additional factors. Some of these include the cost of retraining the consumer away from the 'swipe' that they trust, the fact that RFID introduces new vulnerabilities into the payment system (see the YouTube videos on reading card info off cards in your wallet from 3 feet away!), and the fact that the main reason for moving to RFID smartcards was that 'magstripe wasn't safe', and now we know that's not the case.
Question: Your technology only prevents the bad guys from replicating the actual physical card. Is it correct to assume that skimmed information is still usable for Internet transactions?
Answer: Anytime a card number is entered via a keyboard, it's as good as gone. We believe that the answer for online is the same as for the real world, and are working with a variety of hardware manufacturers to integrate an unsecure swipe reader into their computers, phones, and accessories.
With that, when a consumer sees something they want to buy, in addition to the variety of insecure payment options, they could be prompted to simply swipe their credit or debit card when ready. As long as the reader employs end-to-end encryption and performs card authentication, this becomes the easiest and most secure method of online payments.
The technology is available to prevent counterfeit credit/debit cards from working. So, why isn't this approach more widely used? I suspect Mr. Patterson understands, hence his goal of 24 months to figure this out. Hopefully, the financial industry will listen, as it's in everyone's best interest.
As a final note, I want to thank Mr. Patterson for his help making this article possible and wanting to fix a real problem.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.