
Counterfeit credit/debit card fraud: Let's stop it now

Counterfeit credit/debit card fraud accounts for billions of dollars and experts agree it is the number-one way terrorists fund themselves. Michael Kassner reports on the technology that can help change that.

I came across a ComputerWorld article by Tom Patterson. He was offering advice about credit/debit card behavior. Mr. Patterson is well-known in the security world, so it was easy to pay attention to him.

I would like to share those tips. Then, I'd like to move on to a related subject that Mr. Patterson is especially dedicated to.

Mr. Patterson's tips

These tips may seem obvious, but mentioning them again can't hurt. It's your hard-earned money at stake, after all:

  • Stare: It's no longer considered rude to stare at your card for the entire time it's in the hands of a clerk or waiter.
  • Shield: When using your debit card, lean in and cover your PIN entry from every angle; the digits you protect equal the money in your account.
  • Change: The bad guys have figured out the number-increment algorithm many banks use. If at all possible, make sure the last eight digits of the new credit/debit card's number are different.
  • Check: The average time between stealing credit card information and using it on-line has dropped from 10 days to three. It is recommended that you check your on-line accounts at least that often.

Mr. Patterson's endeavor

Those tips are important. Yet, they are overshadowed by Mr. Patterson's real quest. Here is what he wants to do:

"Completely eradicate counterfeit card fraud world-wide in the next 24 months. With the banks losing over 4 billion dollars a year and growing rapidly, the industry is ready to fight back. Organized crime has declared this fight, and it will take a unified effort to repel."

We all know about credit/debit card fraud. What surprised me was the scope of counterfeit card fraud. Expert after expert pointed out that using counterfeit cards or information obtained from credit/debit cards supports most illegal activity throughout the world.

Counterfeit cards

This YouTube video will give you an idea of how simple it is to steal information embedded in a credit/debit card's magnetic strip. As the video shows, the only hardware required is a computer, card reader, and magnetic strip card writer. One expert commented on how easy it is to buy card skimmers (readers) on eBay. So, I looked and, sure enough (courtesy of eBay):

Mr. Patterson commented that most gangs and organized criminals have several card printers, to keep up with the multitude of people who are skimming credit/debit cards for money. Thankfully, obtaining the software and expertise to transfer information from the real card to a counterfeit one isn't quite that easy.

MagTek's solution

As most of you know, I am a big fan of "outside the box" solutions. Well, MagTek Inc., where Mr. Patterson is CSO, has developed such a solution to combat the counterfeit-card problem. MagTek discovered that no two magnetic strips are identical. This is due to the manufacturing process. Similar to DNA, the structure of every magnetic stripe is different, and the differences are distinguishable.

Knowing that, MagTek pairs the card's magnetic strip signature with the card user's personal data to create a one-of-a-kind digital identifier. MagTek calls this technology MagnePrint.

Let's walk through a transaction. When a credit/debit card is issued to a customer, a Reference MagnePrint is created and stored in the card issuer's customer database. Every time the customer uses that card, a Transaction MagnePrint is created.

The Transaction MagnePrint and the purchase details are sent to the card issuer, which determines the validity of the Transaction MagnePrint by comparing it to the customer's Reference MagnePrint. If they agree, the transaction goes through. If the comparison fails, what happens next depends on the financial institution.

Counterfeit card will not work

Since each card's magnetic strip is unique, having someone skim your credit card is no longer a problem. A flag will be raised when the Transaction MagnePrint is different from the Reference MagnePrint. The following slide shows the difference between an original and copied magnetic strip:

Some questions

The principle is surprisingly simple to understand. It also appears that incorporating the system would not require extensive hardware changes or significant costs, especially considering the huge losses incurred from counterfeit cards.

I did have a few questions about implementing the MagnePrint technology. Mr. Patterson was kind enough to take time from his busy schedule and provide the following answers:

Question: Is the MagnePrint system in production at this time?

Answer: Yes, MagTek ships about 3 million MagnePrint read heads per year, and it has completed brand testing, and multi-year banking trials. Magnesa.Net is the fully operational MagnePrint exchange service, where banks and merchants can go to score their card.

Question: What happens if the magnetic strip is damaged or worn out? Will the customer still be able to make a purchase?

Answer: Information on mag stripes degrades much faster than the underlying MagnePrint. If there is still data that can be read on the card (i.e., their acct. number, etc.), then the MagnePrint will still work.

Question: Will this technology work with any magnetic strip? For instance, would it make sense to use this on driver licenses as well?

Answer: MagnePrint works on any mag stripe card, as it is independent of both the formatting (i.e., three tracks) and data written on it. It works on my driver's license!

Question: Could you explain why using MagnePrint technology is better than RFID chips?

Answer: I could give you 20 billion reasons, each with George Washington's face on it. But beyond the huge cost involved in replacing every one of the 3 billion mag stripe cards in use, and every one of the tens of millions of mag stripe readers in use, there are additional factors.

Some of these include the cost of retraining the consumer away from the 'swipe' that they trust, the fact that RFID introduces new vulnerabilities into the payment system (see the YouTube videos on reading card info off cards in your wallet from 3 feet away!), and the fact that the main reason for moving to RFID smartcards was that 'magstripe wasn't safe', and now we know that's not the case.

Question: Your technology only prevents the bad guys from replicating the actual physical card. Is it correct to assume that skimmed information is still usable for Internet transactions? Answer: Anytime a card number is entered via a keyboard, it's as good as gone. We believe that the answer for online is the same as for real world, and are working with a variety of hardware manufacturers to integrate an unsecure swipe reader into their computers, phones, and accessories.

With that, when a consumer sees something they want to buy, in addition to the variety of insecure payment options, they could be prompted to simply swipe their credit or debit card when ready. As long as the reader employs end-to-end encryption and performs card authentication, this becomes the easiest and most secure method of online payments.

Final thoughts

The technology is available to prevent counterfeit credit/debit cards from working. So, why isn't this approach more widely used? I suspect Mr. Patterson understands, hence his goal of 24 months to figure this out. Hopefully, the financial industry will listen, as it's in everyone's best interest.

As a final note, I want to thank Mr. Patterson for his help making this article possible and wanting to fix a real problem.


90 comments
Kertezy

Next Tuesday American Express will offer its latest prepaid debit card. The business, though usually associated with higher-end luxury consumers, is branching out to target the regular consumer. It is expected that different card issuers will even jump on the prepaid bandwagon. I found this here: American Express to issue a new prepaid car

DriMark

DriMark's new Counterfeit Detector System checks the authenticity of U.S. currency with a dual-test marker and UV light to stop counterfeit money from getting in the register drawer. It works the same way with credit cards and checks as it detects the hidden security thread. It is inexpensive and easy to use. See how it works on YouTube: http://www.youtube.com/watch?v=bdUyM1LXnFY

femtobeam

The new PassWindow system Femtobeam will be using eliminates man in the middle attacks by using a combination of unique one time only symbols which combine with symbols on a card with the user. Also, today, Microsoft announced the real action against child pornography with the microsoftphotodna.com abilities. This post is nearly impossible to read... everything is in light blue and there is no contrast. I had to download and save the article to Word to read it.

jlarson

My husband's debit card number was stolen last year by a waitress; her methed-out boyfriend then placed a Dymo label with our debit card number on it onto the back of a VISA gift card, and used the bogus VISA at three stores before it was confiscated and the guy captured on security video. Not very high-tech, but it got him over $100 in liquor and some toys from the sporting goods store before the jig was up. We were shocked. Doesn't take a gang, just an opportunist!

seanferd

A clever way to use natural noise. I love it.

wdewey@cityofsalem.net

Where is the YouTube Video that Mr. Patterson talks about in the question and answer section? I found one that uses a regular reader, but the distance on that is fairly limited. Bill

jkameleon

All cards have chips and magnetic stripes. Magnetic stripes are no longer accepted, but they are useful if you travel to some place without chip readers. That's how they look http://www.najdi.si/najdi_slike.jsp?q=maestro+kartica As far as I know, chip can't be replicated.

philipp.schaumann

The REAL solution is to move away from magnetic stripe technology (as is done in Europe) and use proven cryptographic technologies as in the European Chip&PIN technology. The cards contain a smart-card chip and authentication is against the credentials on that card. The magnetic stripe technology can never be made as secure as a public key based system.

MattPW

I am surprised the industry isn't doing something like this already. Actually, the same theory is being used by smartchip manufacturers to try to cut down smartcard cloning by looking at tiny imperfections in the onboard memory which also have unique patterns and can be used as a signature; however, my concern would be that unlike memory, the magnetic stripe data is more vulnerable to natural modification by outside magnetic interference at such fine resolutions. Widespread testing should reveal any problems with this. This doesn't help online credit card security, but it could be a great card verifier if it can utilize standard magstripe readers which don't already have the EMV reader built in (the current industry solution for in-person authentication).

LarryLaser

That focus on improving security for Credit/Debit systems would be grateful. But there is a problem. The finance group that is the main leaders are not interested in solving our problems, they are interested in gaining control over any and all operations in the world. By pushing legislation for their relief, like tax breaks for financial failures, like bankrupts, gives them more and more control. If we (Citizens) could get this information out generally to all people, with the right to drop that account if the Bank/Finance Member will not address the security issues, it will begin to return these Greedy Finance Groups back to the normal level. Including the Legislative Members as well.

jturner

You want a foolproof system? Have a system like the always-changing number key fobs, but give it a fifteen-minute window so if the clocks are off slightly it can compensate. But it would have to switch from a swipe system to a plug-your-card-in system, so it would just download the number instead of swiping, and each time you did it you would get a corresponding safety code that would have to match up with the credit card system.

Craig_B

It seems like there are many different options to help with counterfeiting, identity theft, etc.; however, it seems the U.S. banks are in no hurry to educate the public or roll out the technology. I have read about various methods to reduce these types of crime (many of them covered by Michael Kassner) but I don't seem to see any change with the banks.

MattPW

Actually, as Ocie mentioned, PassWindow and MagnePrint would work well together, as they are really designed for different security purposes. PassWindow is designed primarily to protect online authentication, specifically having the advantage of preventing MITB trojan attacks by being able to encode transaction information into the challenge itself. MagnePrint is primarily designed to prevent actual card cloning utilizing the existing magnetic stripe technology. As a low cost solution both are protecting different sides of the same coin. *disclaimer - as the inventor of PassWindow I have contacted Tom and we are exchanging information.

jkameleon

Magnetic stripe with a read-only layer of permanent magnets, ground to dust. Data on the read-write layer contained digitally signed random data from the read-only layer. That made replication of the card impossible. As far as I know, it was not commercially successful. Readers were too complicated for the time, I guess.

SObaldrick

That's what I was getting at for replacing the US system Les.

andydeignan

MagnePrint is a dynamic card authentication technology based on the unique physical properties of the magnetic stripe, also referred to as the stripe's digital identifier or (DI). It provides validation that the card itself is genuine and that its encoded data has not been altered. The term itself is derived from "Magne" as in magnetics, and "Print" as in fingerprint. Just as fingerprints can uniquely identify human beings, Magnetic Fingerprints (MagnePrint) can uniquely identify magstripe cards. This is possible because of the stripe composition. A magnetic stripe is created from billions of ferrous oxide particles. The particles are various shapes and sizes and are mixed in a random pattern when the magnetic slurry is prepared. They are sealed in place when the slurry dries, during the tape manufacturing process. Once this occurs, the stationary particles emit a permanent, repeatable and distinctive magnetic signal, which is the MagnePrint. The MagnePrint, like a fingerprint, remains basically unchanged for the life of the card. The MagnePrint is in the background of the stripe. It is sometimes referred to as "noise". It does not interfere with the cardholder personal data encoded in the foreground. Nor can the encoded data remove or erase the MagnePrint. Furthermore, the MagnePrint and the cardholder personal encoded data can be linked.

MagnePrint technology offers four layers of security. These are increasingly impregnable layers that act as barriers to prevent the compromise of MagnePrint technology.

The first layer is inherent in the complexity of the particulate distribution on a standard magnetic stripe. The MagnePrint algorithm leverages the fact that the 3.375 inches of stripe space along each card's encoding area are populated by a persistent random distribution of particles that are permanently fixed. Changes in the magnetic stripe's physical structure that occur during a card's lifetime, e.g., by abrasion during normal use, are statistically insignificant. Furthermore, the likelihood that two different cards will yield identical particle distributions, given the randomness inherent in the process by which magnetic stripes are manufactured, is in the range of one in 900 million. And the hundreds of millions of particles make it statistically and practically impossible for an existing magnetic stripe to be cloned with a particle distribution pattern that will yield an equivalent MagnePrint value.

As a second layer, MagnePrint technology determines the 54-byte MagnePrint value in reference to the positions of the flux reversals of the encoded card data. The data pattern is larger, by orders of magnitude, than the particle pattern. Therefore, if a valid card with a known particle pattern were to be re-encoded with identical data, it would show non-trivial variances in the way the encoded data pattern microscopically aligns with the physically permanent particle structures of the magnetic stripe on the card. As a result, cards with altered data can be detected with MagnePrint technology.

The random variations inherent in each incidence of reading a card offer a third layer of security. Each read of a card, whether the card is swiped by hand, or inserted into a motorized or dip reader, is a stochastic process. Due to the principle of entropy and certain factors of imprecision such as swipe speed, pressure, direction, acceleration and reader to reader variations, the MagnePrint will change unpredictably with each swipe but within boundaries that allow it to be measured and validated. Paradoxically, this means that a transaction MagnePrint value that is identical to a previous MagnePrint value on file is almost certainly fraudulent and will be rejected by the host. Multiple MagnePrint values taken from the same card on successive reads are expected to vary, within a statistical range. The probability of an exact match on all 54 bytes in separate card reads is in the range of one in 100 million. This inherent variability provides a statistically probable, unique transaction value for every card swipe, adding far greater security to the payment system and reducing the value of card data obtained through criminal cardholder database breaches.

Finally, as a fourth security level, the MagnePrint authorization process is protected against fraud by the simple fact that it depends on information that is in plain view. There is nothing hidden about the particulate structure of the card or the encoded alphanumeric data. This means that there is no "secret" to the fundamental MagnePrint technology that, if cracked, would compromise the system.

Determining acceptance criteria: It is important to understand that MagnePrint does not guarantee the authenticity of the transaction. It provides the card acceptor or authorizer a data point representing the probability that a given card used for a transaction is authentic. By using this data point, a card acceptor or issuer can establish an acceptance criterion for a financially acceptable level of risk. MagnePrint technology has been successfully tested by two of the three largest card brands, and been validated as "effective, robust, and scalable." MagnePrint has also been used in multiple bank trials, resulting in more than a million MagnePrint transactions, and saving millions of dollars in counterfeit card fraud. Details are available to qualified financial community recipients under appropriate non-disclosures.
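The Reference-versus-Transaction comparison described in the article, together with the stochastic-read and exact-repeat rules explained in the comment above, as a small added simulation. This is my own illustration, not MagTek's algorithm or code (which the page does not disclose): the 54-byte random "particle" vector, the bounded read-noise model, the Pearson-correlation score, the 0.85 acceptance threshold and the `Issuer` class are all assumptions.

```python
"""Illustrative MagnePrint-style verifier (added example, not MagTek's code).

Model, all assumed for illustration:
  * a card's fixed particle structure is a random 54-byte vector;
  * every swipe returns that vector plus small bounded read noise
    (the "stochastic process" described in the comment);
  * the issuer scores a Transaction print against the stored Reference
    print with a Pearson correlation and approves above a threshold;
  * a Transaction print that exactly repeats one already on file is
    declined, because two real reads never agree byte-for-byte.
"""
import math
import random

PRINT_LEN = 54        # the 54-byte MagnePrint value described on the page
READ_NOISE = 6        # assumed per-byte swipe-to-swipe variation (constructed)
ACCEPT_SCORE = 0.85   # assumed correlation needed to approve (constructed)


def make_card(card_seed):
    """Fixed particle structure of one physical stripe (constructed randomly)."""
    rng = random.Random(card_seed)
    return [rng.randrange(256) for _ in range(PRINT_LEN)]


def swipe(card, swipe_seed):
    """One read of a card: its structure perturbed by bounded reader noise."""
    rng = random.Random(swipe_seed)
    return [max(0, min(255, b + rng.randint(-READ_NOISE, READ_NOISE)))
            for b in card]


def correlation(a, b):
    """Pearson correlation of two equal-length byte vectors, in [-1, 1]."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    norm_a = math.sqrt(sum((x - mean_a) ** 2 for x in a))
    norm_b = math.sqrt(sum((y - mean_b) ** 2 for y in b))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return cov / (norm_a * norm_b)


class Issuer:
    """Issuer-side store of Reference prints and Transaction prints already seen."""

    def __init__(self):
        self.reference = {}   # account -> Reference MagnePrint (enrollment swipe)
        self.seen = {}        # account -> set of Transaction prints already seen

    def enroll(self, account, reference_print):
        self.reference[account] = list(reference_print)
        self.seen[account] = {bytes(reference_print)}

    def authorize(self, account, transaction_print):
        """Return (decision, reason); decision is 'approve' or 'decline'."""
        reference = self.reference.get(account)
        if reference is None:
            return "decline", "unknown account"
        key = bytes(transaction_print)
        # Third layer from the comment: an exact byte-for-byte repeat cannot
        # come from a fresh physical swipe, so treat it as a replayed capture.
        if key in self.seen[account]:
            return "decline", "replayed print"
        self.seen[account].add(key)
        score = correlation(reference, transaction_print)
        if score >= ACCEPT_SCORE:
            return "approve", f"score={score:.3f}"
        return "decline", f"score={score:.3f}"


def demo():
    """Walk one account through genuine, replayed and cloned-card swipes."""
    issuer = Issuer()
    genuine = make_card(card_seed=1)
    issuer.enroll("acct-demo", swipe(genuine, swipe_seed=100))

    # A counterfeit carries the skimmed track data but its own, different
    # particle structure, so in this model it is just another random card.
    clone = make_card(card_seed=2)

    outcomes = {
        "genuine swipe": issuer.authorize("acct-demo", swipe(genuine, 101)),
        "replayed capture": issuer.authorize("acct-demo", swipe(genuine, 101)),
        "cloned card": issuer.authorize("acct-demo", swipe(clone, 102)),
        "later genuine swipe": issuer.authorize("acct-demo", swipe(genuine, 103)),
    }
    return {name: decision for name, (decision, _) in outcomes.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}")
```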

Michael Kassner

I expect that from you though. I will pass your questions onto Mr. Patterson. As soon as I know anything I will let you know.

andydeignan

The system Mr. Patterson is speaking about delivers a "dynamic", "one-time use", 54-byte value that is generated with each and every swipe. In essence, it's a OTP or one time password. The 54-bytes is the Magnetic fingerprint. Think of it like placing your fingerprint down on to a surface 5 times. Each fingerprint will look different depending on pressure, angle, etc., but there are enough "points of minutia" to correlate to the original fingerprint. With each swipe of a magstripe card, the 54-bytes will change but there are enough magnetic "points of minutia" to perform the same type of correlation. If the system detects the EXACT same 54-bytes ever again, the system could flag that as fraudulent since the odds of two swipes producing the EXACT same 54-bytes output are "improssible". Improssible = statistically improbable to the extent it can be considered impossible for all practical purposes. Because of the interaction (and variability) between the card, the card reader, and the person swiping the card, it is impossible to predict what a "future" magnetic fingerprint or MagnePrint will be, therefore the data is always dynamic and unknown per transaction until the swipe event generates the dynamic 54 bytes. Traditional key fobs require the human to first read (and maybe even before that generate the OTP) and then type the data into the authentication engine/software. The system Mr. Patterson is speaking of relies on the magstripe reader or (secure card reader authenticator) to read the card and make the 54-bytes (dynamic data) available to the authentication engine/software. Hence, no need to read and type, just swipe.

Michael Kassner

The malware Zeus completely bypasses one time passcode technology. It waits until the user is logged in. The MagTek technology is to prevent someone from duplicating your credit/debit card and using it.

jared

As a bank technology officer, I can offer an insider's perspective on some of the issues here. One: Banks are often at the mercy of their card vendors and electronic payment processing service providers for the security of their technology. In my part of the country there is one dominant card/payment company, and we depend on them to adopt security enhancements to their system. Two: Once new security technology becomes available, it is expensive to put in place. Consider that a single ATM machine might cost tens of thousands of dollars, depending on the machine type. Multiplying that cost by the total number of machines in your ATM fleet and you're looking at some serious bucks. As for cards, replacing each customer's card would be a very serious undertaking, not only in terms of monetary expense but operational overhead. It would take a whole team of employees several weeks or months to accomplish this. Therefore, it makes sense to take a "wait and see" approach to identify a mature, robust, secure solution rather than jumping on the first cool new concept that comes along (Hey, RFID chip cards for everyone! No? Oh, darn!). Three: Banks, merchants, card processors, and consumers share responsibility for keeping card information secure; however, consumers are the ones in this group who bear pretty much none of the liability for unauthorized purchases. Sure, it's a major annoyance when your card is compromised and you have to go through the hassle of disputing the charges and replacing the card, but at least you don't end up paying for those unauthorized purchases in the end.

giese@fnal.gov

There is no incentive for US banks to spend anything to improve security. Any losses due to fraud are easily recovered by raising fee on customers with a GOOD payment history. They will use any excuse (change in credit history, etc) to jack you. (Probably write the loss off anyway)

Michael Kassner

You hit it, Craig. I think that is the battle that Mr. Patterson is fighting with his 24 month goal.

santeewelding

As a matter of your record in this, you be fine by me.

SObaldrick

Is the author suggesting that I follow the waiter around the restaurant while they have my card in their possession? Les. "It's no longer considered rude to stare at your card for the entire time it's in the hands of a clerk or waiter."

MattPW

Thanks for the extensive reply; can't say I didn't have to look up the meaning of stochastic. Very good technology. If the replacement Magtek magnetic reading heads are far cheaper than distributing the EMV system, then I see no reason why America or other non-EMV countries need to roll out EMV.

andydeignan

Each read of a card, whether the card is swiped by hand, or inserted into a motorized or dip reader, is a stochastic process and is a microscopically different experience. Due to the principle of entropy and certain factors of imprecision such as swipe speed, pressure, direction, acceleration and reader to reader variations, the MagnePrint will change unpredictably with each swipe but within boundaries that allow it to be measured and validated. Hence, the 54-bytes will never be the same and is therefore dynamic.

Tank252ca

It certainly is very interesting technology.

Michael Kassner

It is dynamic or a one-time digital packet. The magnetic strip signature does not change. The user's financial data does not change. The only data that does change is the transaction information. Now that could be enough to make each Magneprint different. I was not privy to the algorithm or hashing/encrypting process.

Ocie3

has nothing to do with this - it operates in an entirely different context. Even so, if two-factor authentication is required for initiating (setting-up) online transactions, then ZeuS cannot do anything but watch. I have spoken with the bank about the possibility of ZeuS changing a cell phone number to which an SMS is sent (one of two methods for a pseudorandom authentication number). They are aware of that and have measures to deal with it. I am not totally satisfied with them, though, but that is for discussion some other time. :-( Two-factor authentication (card - perhaps plus PIN - plus pseudorandom number for each transaction) is quite secure for using a credit card. The combination of a pseudorandom number with the credit card (account) number essentially creates a one-time-use credit card number. It is a bit awkward to use. Of course, you do not want to give a waiter both your credit card and the pseudorandom number generator, but I suppose that you could give them the card and the next 6-digit number. :-) Personally, I have always paid my bill at the cashier's workstation, so the credit card is always in my sight. The only way that anyone can duplicate that for a given credit card is to know both the PIN and be able to obtain the series of pseudorandom numbers. That is not impossible to do, but it should be difficult, so it becomes unlikely. That said, I like the concept behind the MagTek technology and its application. It would stop counterfeiting cold. The thief would have to have the card that was actually issued to the account holder. If two-factor authentication is also adopted, obtaining the second factor that I have described could be a challenge. It has come to my attention that a certain retailer, who issues credit cards which are usable only in their stores, apparently has Point of Sale (POS) terminals that scan and digitize the card user's signature. 
That is, they can compare the signature that the customer wrote on the POS terminal to the profile which they have on record for the card. If the deviation is "too much" they will ask the customer to sign again. .... In effect, the signature becomes the card holder's second authentication factor; the first factor is, of course, the card. Curiously, after I use another lender's credit card (at that same or another store), the signature that is written on the POS terminal often appears at the bottom of the sales receipt. But I have never had anyone tell me that my signature on the POS terminal did not match the one on record of the card issuer (lender). There used to be a website created by an artist. What he did was sign a different name (Donald Duck, Mickey Mouse, George Washington, etc.) each time that he used his credit card. He claimed that not even one salesclerk ever noticed the discrepancy between his name on the credit card and the one that he signed on the POS terminal or on a transaction slip. At last report, he had used over 100 different names, just for the variety. :-)

Tank252ca

You do not have to replace all cards en masse in one go. In Canada the chip cards are sent to customers when the old card expires. If most credit cards are only valid for 3 years, then you have replaced the majority of cards in 2 years' time within your regular replacement cycle. You also imply that the banks would have to replace all ATMs. All that is really required is that the card reader in the ATM be replaced and the software updated, which is a much smaller cost in the end. The new card readers that merchants use in Canada support both old cards and chip cards. They are not everywhere yet, but are becoming more common as companies roll them out as part of regular security improvements. The change has to be evolutionary, not revolutionary. If the U.S. industry looks at this as a magic bullet solution, it is doomed to failure. There was no legislation here requiring all banks to replace all cards and update all ATMs at once at a huge cost. You phase the old technology out over time and spread the cost out to fit your budget. Make the improvements a selling point to draw more customers. Isn't that just common business sense?

paul.simmons

One incentive is to simply fine banks when they accept a bad card or credit application and trouble the consumer as a result. There should be a large fine for making a false credit report, for example if someone steals your identity. Also, if they issue you a false charge they should be fined, say, $35 per occurrence and $35 per week it is not corrected. Stop making the victims of bank negligence responsible for the negligence. Much of the stolen card information is insider work anyhow. Much of this protection scare stuff is trying to make the victims feel responsible for bank negligence.

andydeignan

As consumers, let's hope there is enough incentive to improve security. At some point, brand damage or the potential for brand damage might be incentive enough for the "fat cats" to finally take security more seriously.

Michael Kassner

I am not that familiar, but I suspect like anything else the financial institutions have insurance to cover these huge losses. Still insurance has to cost as well. Hopefully, some with more knowledge will be able to clear it up for us.

jkameleon

But, there are other ways as well. In 2007, a Romanian hacker gang rigged POS terminals in a couple of shopping malls with skimming devices. Technically, that's trivial; the only problem was to smuggle them into the mall outside of working hours. That's how it looked (police photo) http://image.24ur.com/media/images/original/Jun2007/60023965.jpg That's the primary reason for the replacement of magnetic cards with chip cards here. POS terminals are equipped with magnetic stripe as well as chip readers. If you have a chip card, you have to use the chip reader; the magnetic reader rejects it. This is the most common model in the shops, with the magnetic reader placed horizontally above the display, and the chip reader in the front bottom http://image.24ur.com/media/images/original/Mar2007/16171528.jpg A chip-card-only variant, used mostly in gas stations. It is placed in the hands of the customer, who inserts his card himself and enters the PIN http://www.activa.si/chipandpin/imetniki.asp?content=02 This model is intended for restaurants. The waiter brings it to the table, the customer inserts his card and enters the PIN http://www.activa.si/pos.asp

Ocie3

may be a dramatization, but it is exactly the sort of thing that has been occurring every day in many restaurants and cafes around the globe, especially in places that are frequented primarily by tourists and/or traveling businessmen (such as conventioneers). Sometimes, theft of the card data is actually done at the cashier's station, and not just on the way to it.

jkameleon

... one MUST enter a PIN; there is no other way. The waiter must give the reader with the inserted card to the customer, and the customer enters the PIN. Magnetic cards were replaced after Romanian & Bulgarian hackers started placing skimming devices on POS terminals and ATM machines. Such frauds were so numerous that banks & credit card companies had no other choice.

Michael Kassner

Make sense to you. I was impressed with the simplicity of it.

RipVan

If there is ever only one hardware vendor for a solution, they stand to make a fortune. That was what I got as I read the article and thought about this one company's solution.

Michael Kassner

Mr. Patterson suggested. Did you see the YouTube video? It shows how the waiter could swipe your card on the way to the cashier's station. It does seem a bit extreme, but who knows?

Ocie3

I did not mean to be so rude. :-( It seemed to me that he was describing a system like the EMV "Chip & PIN", which essentially makes every transaction with it into an "online transaction". (So in that respect, you were right.) As he suggested, such an "electronic credit card" could include a pseudorandom number generator that would output a string of digits, and the POS terminal would use the card ID number to obtain a corresponding string of digits from the lender. If the two strings match, then that would authenticate the card to the lender. It seems to me that counterfeiting such a card would be quite infeasible, if not impossible. An "electronic credit card" is certainly more expensive than the magnetic stripe cards that we still use today. But it also seems that the MagnePrint system would inexpensively prevent them from being counterfeited, too. Add the Pass Window system for two-factor authentication and that would probably be the least expensive alternative to "electronic credit cards".
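The "card-side pseudorandom generator, lender-side matching string" idea in the comment above is, in practice, a counter-based one-time code. The following is an added example, not code from the page, the commenter or any card vendor: it uses RFC 4226 HOTP (HMAC-SHA1 over a counter) as the generator, a shared per-card secret provisioned at enrolment, and a small look-ahead window so the issuer can resync when swipes were counted on the card but never reached the lender. The `Card`, `Issuer` and the test PAN are hypothetical names for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Card:
    """Hypothetical 'electronic credit card': holds a secret and a counter, emits a code per swipe."""

    def __init__(self, pan: str, secret: bytes):
        self.pan = pan
        self._secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self._secret, self.counter)
        self.counter += 1          # a code is never produced twice
        return code


class Issuer:
    """Lender side: recomputes the expected code from the same secret and counter."""

    LOOKAHEAD = 5                  # tolerate a few swipes that never reached the issuer

    def __init__(self):
        self._cards: dict[str, list] = {}   # pan -> [secret, next expected counter]

    def enroll(self, pan: str, secret: bytes) -> None:
        self._cards[pan] = [secret, 0]

    def authorize(self, pan: str, code: str) -> bool:
        entry = self._cards.get(pan)
        if entry is None:
            return False
        secret, expected = entry
        for c in range(expected, expected + self.LOOKAHEAD):
            if hmac.compare_digest(hotp(secret, c), code):
                entry[1] = c + 1   # burn this counter and everything before it: no replay
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 4226 test-vector secret, constructed input
    card, issuer = Card("4111111111111111", secret), Issuer()
    issuer.enroll(card.pan, secret)
    first = card.next_code()
    print("first swipe:", issuer.authorize(card.pan, first))     # True
    print("skimmer replays it:", issuer.authorize(card.pan, first))  # False
```

A skimmer that copies one code gets nothing reusable, which is the property the commenter is after; what the scheme does not give is proof that the card is genuine beyond possession of the secret, so the secret must live in tamper-resistant hardware on the card and never on the magstripe.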

Michael Kassner

That aspect Ocie. I thought the member was referring to an on-line transaction. If not then it is a completely different situation.

Tank252ca

"In the meantime, we have implemented transaction risk-scoring to try to limit our fraud losses. There's no way to eliminate 100% of fraudulent transactions, but this system does a pretty good job for us." I have already encountered that. I once purchased several memory chips that had a rebate offer. The sales clerk said that the rebate only applied to each sales receipt, not each item, so he ran my credit card through 4 times instead of once to get the rebate on each chip. I then drove two blocks to another electronics retailer and the same card was denied. It only took a phone call that evening to verify the transactions as legitimate, and I carry other cards, but for a young person with their first card it could be a much bigger inconvenience.
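The anecdote above is a textbook velocity-rule false positive. Below is an added example, not the bank's system or anything from the page, of the kind of rule-based risk scorer a small issuer might run: a burst of authorizations on one card within a short window adds points, a large amount adds points, and a score over a threshold is declined. Every parameter (window, limit, point values, the PAN) is an assumption chosen to reproduce the commenter's story; a real scorer would tune them from the bank's own fraud data.

```python
from collections import defaultdict, deque

VELOCITY_WINDOW = 10 * 60     # seconds; all rule parameters are assumed for illustration
VELOCITY_LIMIT = 4            # this many prior attempts inside the window trips the rule
VELOCITY_POINTS = 60
LARGE_AMOUNT_CENTS = 50_000
LARGE_AMOUNT_POINTS = 30
DECLINE_AT = 50               # total score at or above this is declined


class RiskScorer:
    def __init__(self):
        self._attempts = defaultdict(deque)       # pan -> timestamps of recent attempts
        self._verified_until = defaultdict(int)   # pan -> time until which velocity is relaxed

    def cardholder_verified(self, pan: str, now: int, grace: int = 24 * 3600) -> None:
        """The cardholder phoned in and confirmed the burst; suspend the velocity rule for a while."""
        self._verified_until[pan] = now + grace

    def score(self, pan: str, amount_cents: int, now: int) -> tuple[str, int, list[str]]:
        recent = self._attempts[pan]
        while recent and now - recent[0] > VELOCITY_WINDOW:   # drop attempts outside the window
            recent.popleft()
        points, reasons = 0, []
        if len(recent) >= VELOCITY_LIMIT and now > self._verified_until[pan]:
            points += VELOCITY_POINTS
            reasons.append(f"{len(recent)} attempts in {VELOCITY_WINDOW // 60} min")
        if amount_cents >= LARGE_AMOUNT_CENTS:
            points += LARGE_AMOUNT_POINTS
            reasons.append("large amount")
        recent.append(now)                                    # declined attempts count too
        return ("decline" if points >= DECLINE_AT else "approve"), points, reasons


def walk_through_comment_scenario():
    """Constructed timeline of the comment: four rebate-driven swipes at one store,
    a decline two blocks away, then approval once the cardholder has verified by phone."""
    scorer, pan, t0 = RiskScorer(), "4111111111111111", 1_000_000
    first_store = [scorer.score(pan, 2_999, t0 + i * 30)[0] for i in range(4)]
    second_store = scorer.score(pan, 4_999, t0 + 5 * 60)
    scorer.cardholder_verified(pan, t0 + 6 * 60)
    retry = scorer.score(pan, 4_999, t0 + 7 * 60)
    return first_store, second_store, retry


if __name__ == "__main__":
    for step in walk_through_comment_scenario():
        print(step)
```

The trade-off the commenter points at is visible in the numbers: the same rule that stops a skimmer draining a card at one ATM also trips on a clerk splitting a sale into four receipts, and the only mitigation is a cheap verification path (the evening phone call) that feeds back into the scorer.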

Tank252ca

EMV cards are being adopted by big banks in Canada like Scotiabank. Note that this is just my VISA card; my bank card does not have a chip yet. What I can't answer is the question of who is paying for the upgraded card readers used by merchants. If the cards do indeed reduce fraud, then it is to the advantage of both retailers and the card issuers, so the cost may be covered by either or shared by both.

MattPW

I'm not sure you will ever be able to find out the exact pricing a bank pays, but I can say that from the big factories in China you are looking at about 70-80 cents per card with a million+ order for unprogrammed smartcards. So I would guess a couple of bucks each by the time they are programmed, printed and sent off.

Michael Kassner

Are you referring to EMV cards or RFID cards? If you are referring to EMV cards, what's wrong with us here in the US? We are really lagging.

jared

Any idea on what chip cards cost (cost to the bank, that is)? I assume it is somewhat more than regular cards, but I've never seen any actual figures. As for ATMs, our provider typically charges us a lot of money for service, hardware/software upgrades, etc., so even if we're not replacing the entire machine, the costs are going to be quite substantial. I would agree with you, though, that cost is not the biggest factor. The main thing is that there is just no infrastructure to support these cards, and no small banks like ours are going to move toward that until the payment companies and card suppliers readily support them. Better card security technology is not much of a selling point if you can't support it. It's not that I think these chip-based cards are necessarily a bad idea; I'm all for more secure card technology. It's just going to take a while for it to even become an option for us. In the meantime, we have implemented transaction risk-scoring to try to limit our fraud losses. There's no way to eliminate 100% of fraudulent transactions, but this system does a pretty good job for us.

Michael Kassner

That the EU has a good method involving a smart chip (not RFID) that they feel is better. The problem is cost per card along with other hardware. This gets to my question. I do not understand with the amount of money being lost why something (anything) is not being done.

hiller

As I understand this technology, implementing it requires replacing every point of sale terminal. If you are committed to replacing every point of sale terminal, then is this the best replacement technology available? Since all cards have an expiration date, they will have to be replaced over the next few years anyway, so they could also be replaced with cards that contained a better technology.

andydeignan

Paul, I am not sure I understand your last sentence. Can you clarify your point? I'd also like to clarify a few things. The technology Mr. Patterson is speaking about does many things to secure transactions and protect the cardholder more than they have ever been protected before. They are the victims, and the industry has NOT yet done enough to provide them with meaningful protection, until now. I'd like to point out a few items to clarify my position.

#1 - Dynamic payment card data makes it impossible for criminals to re-use stolen, static card data (for card-present transactions).

#2 - The banks and issuers are trying to shift the liability as much as possible to anyone other than themselves when card data is compromised/stolen. They now require through PCI that card data MUST be encrypted while data is at rest or in transit through public networks (I am paraphrasing here). If an organization is found to be out of compliance, they are fined. The issue here is that CARD DATA is static and encoded onto magstripes with binary encoding, effectively "in the clear". That is the root cause of the problem. But that is also part of the solution. There are BILLIONS of magstripe payment cards in use all around the world. It's a fact. They are NOT going away anytime soon, so we must find a way to protect them, else the thieves will always target them. How can we provide protection for this payment and identification data in a "practical" way? Do we throw those cards away and issue new cards using encrypted data on a chip? Maybe, but if you start today, how long do you think it will take and how much will it cost, who pays for this, and does anyone think the criminals will not innovate again and attack chips and encryption? Sadly, it's already being done. Without changing the card, the data on the card or the means to issue those cards, we can IMMEDIATELY move to secure the magstripe card by authenticating its magnetic fingerprint with every transaction. It's already being done by many banking and merchant leaders throughout the globe.

#3 - The magnetic fingerprint of the magnetic stripe itself (dynamically generated as 54 bytes with every swipe) combined with the static card data encoded onto the card creates a powerful transaction message which is good for only one transaction in time (dynamic, so it cannot be used ever again, which means there is NO redemption value for thieves to steal it and attempt to re-use it by making a skimmed card, hence NO more data breaches). The 54 bytes are also used to verify the authenticity of the card being presented for the transaction. If a cloned card is used, the 54-byte value will NOT correlate to the original card issued by the bank, and therefore the transaction can be declined instantly.

Let's hope the practical (and cost-effective) way in which magstripe cards can be secured today will be enough incentive for the banks to finally get on board and stop the chicken-and-egg game. Are there other solutions out there? Yes. Are there others that are MORE practical? I say NO. Any change away from magstripe cards (in the US) would require such massive infrastructure changes that, in my opinion, the cost and burden would far outweigh the perceived benefits, and therefore it's business as usual. I look forward to your thoughts on this.
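To make item #3 concrete, here is an added simulation, not MagnePrint's actual algorithm or any vendor code, of the two checks the comment describes: the per-swipe reading must correlate with the fingerprint captured at enrolment (a clone carries the same track data on different magnetic particles, so it does not), and the exact bytes of any accepted swipe must never be accepted again (a skimmer that captured one transaction message can only replay it). The physical stripe is modelled as a fixed random pattern plus small per-swipe read noise; the 54-byte length is taken from the comment, while the noise model, the 0.8 correlation threshold, the names and the test PAN are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import random
import statistics

FINGERPRINT_LEN = 54    # the comment describes a 54-byte value produced on every swipe
MATCH_THRESHOLD = 0.8   # assumed acceptance threshold; a real issuer tunes it from enrolment data


def new_stripe(rng: random.Random) -> list[int]:
    """Simulated physical stripe: a fixed pattern of particle noise unique to one card.
    A cloned card carries the same encoded track data but on different particles."""
    return [rng.randint(0, 255) for _ in range(FINGERPRINT_LEN)]


def swipe(stripe: list[int], rng: random.Random, read_noise: int = 8) -> bytes:
    """One swipe reads the same physical pattern with small head/speed noise, so two swipes
    of the real card correlate strongly but are never byte-identical."""
    return bytes(min(255, max(0, v + rng.randint(-read_noise, read_noise))) for v in stripe)


def correlation(a, b) -> float:
    """Pearson correlation between two readings; ~1 for the issued card, ~0 for a clone."""
    xs, ys = list(a), list(b)
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5
    return num / den if den else 0.0


class Issuer:
    def __init__(self):
        self._reference: dict[str, list[int]] = {}   # PAN -> fingerprint captured at enrolment
        self._seen: set[str] = set()                 # SHA-256 of every fingerprint already accepted

    def enroll(self, pan: str, reading: bytes) -> None:
        self._reference[pan] = list(reading)

    def authorize(self, pan: str, reading: bytes, amount_cents: int) -> tuple[bool, str]:
        ref = self._reference.get(pan)
        if ref is None:
            return False, "unknown card"
        digest = hashlib.sha256(reading).hexdigest()
        if digest in self._seen:                      # same bytes twice: a captured message replayed
            return False, "replayed swipe data"
        score = correlation(reading, ref)
        if score < MATCH_THRESHOLD:                   # right track data, wrong physical card
            return False, f"fingerprint mismatch (r={score:.2f})"
        self._seen.add(digest)
        return True, f"approved {amount_cents} cents (r={score:.2f})"


def demo() -> dict[str, bool]:
    """Constructed scenario: issued card, skimmer replay, cloned card, issued card again."""
    pan = "4111111111111111"                          # constructed test PAN
    rng = random.Random(1)
    real = new_stripe(rng)
    issuer = Issuer()
    issuer.enroll(pan, swipe(real, rng))
    legit = swipe(real, rng)
    ok_legit, _ = issuer.authorize(pan, legit, 4200)
    ok_replay, _ = issuer.authorize(pan, legit, 4200)           # skimmer replays what it captured
    clone = new_stripe(random.Random(2))                        # same PAN, different particles
    ok_clone, _ = issuer.authorize(pan, swipe(clone, rng), 4200)
    ok_again, _ = issuer.authorize(pan, swipe(real, rng), 4200)  # the real card keeps working
    return {"legit": ok_legit, "replay": ok_replay, "clone": ok_clone, "legit_again": ok_again}


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is where the strength comes from: not secrecy of the 54 bytes (they travel in the clear with the track data) but the fact that an attacker who has a copy cannot produce a fresh, correlated-but-different reading without the original physical stripe. That also shows the scheme's limits: it authenticates the card, not the cardholder, so it does nothing against a stolen genuine card and nothing for card-not-present fraud.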

Ocie3

but the lender is, ordinarily, liable for transactions that occur before the account owner notifies them that the card and/or account number is being used without their authorization. Normally, the account owner assumes $50 of the loss and the lender the rest (if any). Which is to assume that the account owner notified the lender promptly upon realizing that the card had been lost or stolen, or upon realizing that someone else was using the credit card account number (often on a counterfeit card) for transactions that they have neither made nor authorized. Some time can pass before the account holder becomes apprised that unauthorized use of the card has occurred, so a lender must have a solid factual basis to claim that the account owner's notification was not prompt.

Merchants become liable for transactions after the credit card servicer (e.g., VISA or Mastercard) notifies them that a specific credit card account has been compromised, usually by adding it to a published list that the merchant can readily obtain and print. However, what often happens now is that a merchant submits a transaction for validation electronically, via the Internet. Then they might receive a quick response that the credit card account is "closed" or "invalid" or maybe even "stolen". The merchant is asked and expected to retain the card instead of returning it to the customer, and they may receive a reward from the card issuer for doing that. In that context, whether the merchant suffers an actual loss depends, of course, upon whether the customer who tendered the card to them for payment has actually received any goods or services before the transaction was rejected. If so, the customer might still pay for the goods and/or services by another means, especially if they believe that the merchant will not call law enforcement officers to arrest them if they pay. Most merchants do not call the police or sheriff unless the customer has received goods and/or services and leaves or attempts to leave without paying.

Michael Kassner

I guess the only time the banks get it, is when a debit card is used to get cash.

Spamosborn

Hi Michael, Thanks for the article - a very interesting read. Financial institutions sure do have the ability to insure against losses from fraud, and the costs are evidently less than those associated with prevention. Unfortunately, what we're actually debating here is a matter of "corporate responsibility" - that of the hope that a reduction in the ability to commit fraud leads to a reduction in the ability of criminal syndicates and terrorist organizations to finance their operations. The benefits that we the customer may see (perhaps in terms of reduced overheads leading to a reduction in interest rates or charges) are exponentially negligible in comparison to the short term cost avoidance the banks & their shareholders experience whilst they essentially do nothing. As with most debates such as these, (climate change is another topical comparison), the financial arguments don't stack up with much weight other than a suggestion that there's potential for losses due to brand / reputation damage - but this assumes you have competitors against which you can be compared. And again, in the corporate world, being seen to be thrifty and dollar-wise still unfortunately appears to carry more credibility than being seen to be doing the right thing. I sincerely hope the twenty-four month project has a compelling business case because that's essentially what it'll need. I'm really keen to hear more as it progresses...

Ocie3

it is true that the credit-card account holder is normally liable for a maximum of $50 loss. However, it can be more if the account holder does not inform the lender as soon as the account holder becomes aware that the card is being used without their authorization, regardless of whether it has been lost or stolen. If the maximum loss does apply to the account holder, it is not necessarily the bank that eats the remainder of the loss, or all of it. The merchant who accepted the card in lieu of other payment (cash, check, traveler's check, blood, labor, etc.) is simply not given money for the transaction by the lender. This happens frequently when the lender has been notified by the account holder that the card has been lost, stolen, or is being used without their authorization. The lender immediately puts the card number on a list, and rejects any further transactions that are submitted for processing for that account. Of course, the list is constantly updated and it is available to the merchants. So, if a merchant neglects to check the list, or to update their list(s), and accepts the card in payment for goods or services, then they suffer the loss, not the lender.