
2009 - is that the year we all went online?


So ...

I have been saying for a long time that the primary cause of plastic card transaction fraud is the idiot policies adopted by the issuing banks - I know how to win friends and influence people.  I did want to use a less emotive word than "idiot", but finding one that conveyed the same meaning eluded me.  I am sure, though, that there will be plenty of issuers only too willing to fill the gap.

Without reiterating the whole explanation, scheme specifications recommended the adoption of an iCVV, on the magnetic stripe image present on the chip, that was a different value to the CVV present on the stripe itself.  This simple act would have meant any data harvested from the chip could not be used to create a magnetic stripe clone.  Almost no one implemented it.  Track 2 image data and PINs are now so easy to harvest, it's like a continuous Christmas for criminals.  Harvest the data, ship to a country that has not yet implemented chip and PIN on ATMs, build a magnetic stripe card and off you go.  It's too easy, but what appears to be just as easy is the fooling of so-called industry experts into thinking that it's a chip and PIN weakness, which can only be addressed by bolting on some whizzbang gizmo, which, by the way, I happen to have here in my suitcase, ready for a quick sale, no questions asked!
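To make the iCVV point concrete, here is an added example (not from the original post) of the issuer-host check that catches a stripe built from harvested chip data: the stripe CVV and the chip image's iCVV are derived from the same PAN and expiry but with different service-code inputs, so a swiped transaction that presents the iCVV gives itself away. The key value, the Track 2 discretionary-data layout and the HMAC-SHA256 stand-in for the DES-based CVK derivation are assumptions of this example.

```python
import hmac
import hashlib

# Constructed issuer key (hypothetical value standing in for the CVK pair).
CVK = bytes.fromhex("0123456789abcdef" * 4)
# iCVV is conventionally derived with service code 999 in place of the real one.
ICVV_SERVICE_CODE = "999"


def card_verification_value(pan, expiry_yymm, service_code, key=CVK):
    """Derive a 3-digit verification value from PAN, expiry and service code.
    The schemes run these fields through DES under a CVK pair; HMAC-SHA256
    stands in here (an assumption of this example) so it runs with stdlib."""
    digest = hmac.new(key, (pan + expiry_yymm + service_code).encode(),
                      hashlib.sha256).hexdigest()
    # Decimalise the way the schemes do: decimal digits first, then a-f as 0-5.
    digits = [c for c in digest if c.isdigit()]
    digits += [str(int(c, 16) - 10) for c in digest if c.isalpha()]
    return "".join(digits[:3])


def parse_track2(track2):
    """Split 'PAN=YYMMSSS<PVKI><PVV><CVV>' (constructed layout: discretionary
    data is a 1-digit PVKI, a 4-digit PVV, then the 3-digit CVV)."""
    pan, rest = track2.split("=")
    return {"pan": pan, "expiry": rest[:4],
            "service_code": rest[4:7], "cvv": rest[12:15]}


def personalise(pan, expiry, service_code):
    """Constructed personalisation: returns (stripe Track 2, chip Track 2 image).
    Both carry the real service code, but the chip image carries the iCVV."""
    cvv = card_verification_value(pan, expiry, service_code)
    icvv = card_verification_value(pan, expiry, ICVV_SERVICE_CODE)
    prefix = f"{pan}={expiry}{service_code}1" + "0000"  # PVKI=1, PVV=0000
    return prefix + cvv, prefix + icvv


def check_swipe_authorisation(track2):
    """Issuer-host decision for a magnetic-stripe (swiped) transaction.
    'approve' when the CVV matches the stripe value; 'decline-chip-clone'
    when it matches the iCVV instead (the stripe was built from chip data);
    'decline' for anything else."""
    t = parse_track2(track2)
    expected_cvv = card_verification_value(t["pan"], t["expiry"], t["service_code"])
    expected_icvv = card_verification_value(t["pan"], t["expiry"], ICVV_SERVICE_CODE)
    if t["cvv"] == expected_cvv:
        return "approve"
    if t["cvv"] == expected_icvv:
        return "decline-chip-clone"
    return "decline"
```

Without a distinct iCVV (the case the post describes), the chip image would carry the same CVV as the stripe and the second branch could never fire.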

The same is true of the SDA / DDA argument.  Scheme recommendations went along the following lines: issue SDA cards first, and then upgrade to DDA on the next re-issue cycle.  The reason was that SDA cards used weaker cryptographic techniques than the alternative DDA cards, but they cost half as much money, and required less effort to implement from scratch.  It has always been recognised that SDA cards could be copied, or cloned, or generally fiddled about with, but that it would probably take a few years before the criminal mind got to grips with the possibilities, and so there was some leeway.  A bank issuing cards on a three-year re-issue cycle, beginning the upgrade to DDA at the end of the first three-year SDA cycle, would be vulnerable to SDA cloning attack for six years - until the last SDA card has expired.  The important point here is the use of the word "expired" rather than "stopped", "blocked" or "removed from circulation"; the vulnerability lasts until the last SDA card has expired.

Cloned SDA cards are a reality; so are cards that can tell a good story to the terminal, but aren't quite EMV, but don't let on.  Clever consultants have known for a long time how to do it.  It was only going to be a matter of time before the clever criminals worked it out, and it is my belief that they now have.  I issued my first chip and PIN card in 2002, on a three-year re-issue cycle.  The original plan was to begin DDA issuing after the first three years, which would have meant that all cards (from that particular issuer) would have now been replaced by their DDA successors.  The banks would have been one step ahead of the card cloning criminals.  The banks, because they haven't moved to DDA, are now one step behind the card cloning criminals, and are not in a position to leapfrog out of trouble.

It is my belief - and feel free to come back and tell me that it's me that is the idiot - that after a number of years of declining card present fraud (magnetic stripe cloning is so much easier, and a gift from the card issuers), we are now going to see a dramatic increase, and there is nothing we can do about it!

Send the transactions online, I hear you say.  Good plan, the issuer can then tell if the card is a clone or if it is genuine.  Well, the reality is that they can - sometimes!  Sometimes they just don't know, and some of them aren't actually quite sure how to tell in the first place.  However, whether or not the issuer systems are capable of verifying a card transaction online, the transaction request has first to be delivered to the issuer online.

But what if the card just tells the terminal not to bother going online?  What if the card tells the terminal that everything is just OK?  What if the card advises that there is no need to bother the issuer?  What if the card tells the terminal all of this, and the terminal can't tell the card is bogus?  What if the terminal is taken in by the con-man card?

Look at the fraud figures, we are going to see a dramatic increase, and there is nothing we can do about it!



Comments: (1)

David Birch - Tomorrow's Transactions - London 22 December, 2008, 21:06

"Look at the fraud figures, we are going to see a dramatic increase"

While this is true Griff, I don't want to be so defeatist! There's a plan B that I'm waiting to reveal... oh go on then... turn off the contact interfaces in the terminals and make them contactless only.  Since the contactless cards in Europe are DDA by mandate, and since the hosts (as far I can see so far) implement the crypto properly, this ought to make a decent dent in the fraud figures!!