17 July 2018
Paul Penrose

Finblog

Paul Penrose - Finextra

307Posts 1,376,501Views 248Comments

The magstripe is finished

23 June 2009  |  5063 views  |  9

Police in Devon and Cornwall are warning the public to be extra-vigilant after discovering three card skimming devices at cash machines in the south of England.

It's a mark of how far we've come that such a scam - which duped hundreds of customers and may have netted the crooks hundreds of thousands of pounds - seems too mundane to even register on the Finextra news desk.

Police have told the BBC that the devices used in this instance were so sophisticated that they would be hard for experts to spot. The gang who planted the skimmers also tampered with a speaker grill above the PIN pad, inserting a camera to record user keying.

As a result, police are now urging ATM users to be extra-cautious and to shield their hands from above when tapping in their PINs.

Surely it's time for the industry to accept that the mag-stripe is finished. It's too easy to copy and - with the advent of Chip and PIN - there are now just too many locations and too many opportunities for criminals to gain access to user codes.

Worse still, it's no longer a dirty industry secret. Too many cards have been compromised and re-issued for most people not to know someone who has fallen prey to the card cloners.

National banking associations that have converted to chip cards should stop waiting for laggards in other countries to get their act together and unilaterally institute a programme to phase out mag-stripes on their own turf for good. Failure to do so would be a dereliction of duty to customer care.

TagsCardsSecurity

Comments: (9)

Jonathan Rosenne
Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv 24 June, 2009, 04:56

Id so, what is the point of PCI? Its main thrust is to protect the magstripe data.

The main problem is that the USA and other countries have not accepted EMV, and they cannot be ignored so easily.

 

Be the first to give this comment the thumbs up 0 thumb ups!
Alistair Kelman
Alistair Kelman - Self employed - London 24 June, 2009, 18:21

There have been unsubstantiated rumours for some years about a program called Bergamot which allows a criminal to get the PIN from an ATM card - in other words extract it from the cryptographic version stored on the card for use in off-line transactions. It is well known that the PIN is stored in encrypted form on modern ATM cards - check for yourself when you use your card in any terminal, the machine validates your PIN as being OK far too quickly for it to actually be performing this task online.

 

There is a rumour that from 2005 onwards UK banks accidentally created the current problem with Chip and PIN cards by selling their old non-Chip and PIN machines not as scrap but as viable units for use in the banking systems of developing countries such as Sri Lanka. What followed therefore was highly predictable - the cloning of ATM cards (without their Chip) and using them to withdraw money from UK accounts over the international banking system. This was the means whereby the Tamil Tigers funded much of their terrorist organisation.

For more on this topic see  ATMs - Now and Then

Be the first to give this comment the thumbs up 0 thumb ups!
Sriram Natarajan
Sriram Natarajan - Credit Risk Fraud Cards Professional - Gurgaon 25 June, 2009, 06:04

Well, the industry has been writing off the magstripe for the past 5 years. However, as long as the USA doesn't shift, magstripe will continue to rule. Given the recession and the CARD Act ; the US is unlikely to make any expensive investments in Chip. So, get used to 'magstripe forever'.

Be the first to give this comment the thumbs up 0 thumb ups!
A Finextra member
A Finextra member 26 June, 2009, 08:06

Magnetic stripes will still be needed since Europe is not the entire world. 

It is understandable that the magnetic-stripe is constantly 'vilified'. But take a look at the static pin-code ! Some banks in the SEPA region recognized the weakness of a replayable static pin-code and thus they offer CHIP with SIGNATURE

So far there has not been any report of a DDA chip being compromised. The mere usage of a DDA chip is enough to signal that the card is an authentic card. If one thinks about it, there is no need for a pin-code if DDA is used. 

The usual reason for skimming is that the magnetic stripe AND the pin-code can be 'recorded', the clone (with pin-code) can then be used with ATM machines or any stand-alone POS terminal. Without the pin-code, there isn't much use in skimming the magnetic stripe. Without pin-codes, fraudsters are forced to create authentic looking cards (with hologram, [zombie]chip, embossed details) and Identification cards to go with the cards and can only use these cloned cards with merchants and not with ATMs or standalone terminals (cause they don't have the pin-codes). 

Instead of vilifying the magnetic stripe, it is more useful in my opinion, to consider using one-time pin-codes and have these one-time pin-codes validated and authorized by the card issuer. 

SmartCards came to being in France mostly because at that time, telecommunication costs created a business case to look into Chips and increasing the floor limit, thereby enabling more and more off-line authorizations (meaning authorization requests are not sent to card issuers). 

Telecommunication costs have gone down, I think we can all agree on this. 
With prepaid and direct debit becoming more and more popular, my guess is that this off-line authorization will be reversed, a trend which makes it even more compelling to get rid of static pin-codes and use non replayable one time pin-codes.

Some 'experts' say that non replayable pin codes present terrible customer experience",  I would say that arbitrarily blocking a cardholder from using his card in 'suspected countries' is a terrible customer experience. It is also a terrible experience for a customer to find out that their checking account has less money than it should have because his card got skimmed, cloned and (the clone) used to withdraw from ATMs. 


The resolution should be done one step at a time: 
- If 'EMV' countries are mandated to issue only DDA; 
- if the magnetic-strips associated to these DDA cards are used with non-replayable pin-codes (with terminals that still read the magnetic stripes and even to pay online/internet); 
- if floor limits are lowered and more online authorizations are triggered 

then I think a big chunk of fraud will be eliminated. 

About non-replayable pin-codes being terrible with customer experience, I know more people who actually write down their static pin-codes (because they can't remember them) either on the back of the card or a sticker that they keep in their wallet, or store it in their mobile.

OTP generators are becoming more and more popular to authenticate online banking customers. These gadgets come in different shapes and prices and sometimes they come in the form of a software that can be downloaded into a mobile . Why not leverage the cost of these gadgets to not only authenticate online banking customers but also to authenticate card usage?

Surely, we somehow need to involve customers/consumers and let them be the judge of whether it is a terrible customer experience or not. I don't recall banks being concerned in changing the behaviour of their customers from signature to static pin-code, which believe it or not, has brought terrible customer experience to some consumers. 

Is it terrible customer experience to require a non-replayable pincode for an Internet transaction?

I would bet that prepaid and debit cardholders would not mind trying this new approach. There is no reason why this can not be offered and we let the consumer decide.

Most importantly, these resolutions require changes mostly with the Issuing Bank. Perhaps, this kind of change model that enables each Issuing Bank to secure the cards they issue without mandating the entire world to change will enable the issuing banks to present a new business model supporting the 'necessity' and 'utility' of interchange fees.

A good analysis of the card authorization system is needed to properly come up with the right approach to stopping fraudsters. Instead of pointing a finger at non-EMV countries or the magnetic-stripe, it is best to be more nimble and creative than the fraudsters. 

Be the first to give this comment the thumbs up 0 thumb ups!
Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 28 June, 2009, 01:37

"Is it terrible customer exerience to require a non-replayable pincode for an Internet transaction?"

Well, yes, it is terrible! Static one time passcodes are totally broken in light of Man In The Middle attack.  Dynamic OTPs (what's called "transaction signing" in the Remote Chip Authentication protocol) are very awkward, un-natural, and entail lots of extra data keying into the disconnected reader. Why should anyone want to deal with a second keypad, especially when different readers seem necessary for different banks?

The most universally habituated behaviour for users to authenticate themselves -- not just in banking but also in government service delivery, transport, employee security, building entry, public telephones, healthcare and so on -- is the plastic card.  It's very deeply ingrained, almost instinctive: you insert the right card into a terminal, enter a PIN, and you get service.  Simple.  We do it every day in multiple settings, without a second thought. 

We are so close to extending this habit to the Internet that I can almost smell it.  There are well over a billion smartcards in circulation now, in EMV, healthcare, driver licenses, government ID and employee ID.  Increasingly laptops come with built in smartcard readers (see the Dell E6500 that has both contact and contactless readers!).

And I don't think anyone is "villifying" magnetic stripes.  That's a very emotive way to characterise the criticism.  Rather, we are deprecating magnetic stripe technology.  It is undeniably past its use-by date.  Why waste time and money extending mag stripes further, perpetuating fundamental security vulnerabilities, when what we need across the board is a shift to better and uniform protection of digital identities?

Cheers,

Stephen Wilson, Lockstep.

 

Be the first to give this comment the thumbs up 0 thumb ups!
Richard Bird
Richard Bird - JPMorgan Chase - Columbus 29 June, 2009, 14:20

I think it is important to question why an antiquated technology such as mag-stripes is still the de facto standard in the United States, which has in turn slowed down the adoption of far superior technologies that have been rolled out in other geographies around the world.

As with most things American, the cold hard fact is that the mag-stripe issue boils down to money; margin to be exact.

While advising my client on the roll-out of retail operations into countries outside of the United States, banks and service providers frequently asked my client about their preparedness to move toward chip & pin type interfaces. "The rest of the world is moving there" was the typical pitch. My client decided to install standard mag-stripe reader technologies, due to the additional cost of other technologies and the lack of experience they had with those technologies.

So, Visa/Mastercard/Discover/American Express (US) have virtually no client demand for these technologies, and there is no regulatory demand to move towards these technologies. The failure to move away from mag stripe in the U.S. then, is answered by a very simple equation:

If the cost of fraud is less than the cost of producing new plastics for debt holders, then the credit issuers will not spend the money (which would generate no additional revenue or benefit to the issuer) to move away from mag stripe.

U.S. issuers have no incentive to move, regardless of how much sense it makes.

Be the first to give this comment the thumbs up 0 thumb ups!
Heinrich Mautner Markhof
Heinrich Mautner Markhof - WebLookOn Inc. - Austria 29 June, 2009, 15:03

Getting money out of an ATM in the dark became - at least in the CEE countries - a game with fire. We all heared about the various techniques criminals apply either to robb the card, spy the PIN or even manipulate the whole machine.  Using eCards like Stephen would be a relative safe way as long robbery is´nt involved. But beginning 2010 you will read about that: Getting money out of ATMs the SecBank Int. creditcard owners won´t need to type in PIN codes any more. The new method is part of the outsourced authentication service of an Austrian IT- Company. In stead of using PINs, the card-owner uses his key-secret to authenticate himself. Now he can cry out loud the entered numbers (single digits instead of PINs)), so that everybody could hear it. Even after beeing robbed the " new" card-owner will have no chance to repeat the authentication, and after 2 trials the card is invalid. Additional features of the authentication service are the combination of Key-Secret with PrePaid and Charged Card functionalities that combine on- and offline use. The WebLookOn service will also be used for authentication/logging into bankaccounts and in addition to a second factor (SMS) used in transaction authorization.

Heinrich, Weblookon

Be the first to give this comment the thumbs up 0 thumb ups!
A Finextra member
A Finextra member 01 July, 2009, 12:02

Gerard Hartsink, Chairman of the European Payments Council, recently stated that a decision to move completely to chip cards without mag-stripes will be made by 2011. This decision cannot come too quickly. Yet, even with Chip and PIN, there are variations of security. Any recommendation from the European Payments Council must mandate that the most secure solutions available are implemented. For example, upgrading SDA chips (static data authentication) to DDA chips (dynamic data authentication) makes it more difficult for fraudsters to use cloned cards.

Regardless of whether the move to chip cards across Europe is mandated or not, Chip and PIN cannot be seen at the silver bullet to card fraud problems. Implementing one weapon in the battle against card fraud will never be sufficient to protect consumers. Banks are increasingly employing multiple techniques to detect and prevent card fraud in order to build more effective defenses. Monitoring transactions for unusual or suspicious activity, combined with point of compromise analysis (determining the location at which the card was skimmed to identify other vulnerable cards) are two examples that banks are using to supplement fraud protection on the physical cards.

As banks continue in their fight against card fraud, they face the eternal challenge of reducing the risk of fraud by implementing these techniques while ensuring they do not have a detrimental impact on the customer experience. If (or should that be when) the chip card rules in Europe, this problem will come into acute focus for fraud managers battling with how they provide a good service to customers from non-European countries where the mag-stripe is likely to continue its reign.

 

Be the first to give this comment the thumbs up 0 thumb ups!
A Finextra member
A Finextra member 03 July, 2009, 14:45

With regard to Marite’s point on DDA, both Visa and MasterCard have already issued a mandate for European banks that all off-line capable cards issued after 2011 should use DDA, as the technology allows banks to more securely approve offline transactions without having to send them over the network for authorisation.

 

While DDA cards do provide greater security (by storing an encryption key that generates a unique number for each transaction that is only valid for one authentication), the implementation of DDA is not without its challenges. It can take up to eight times longer to generate the cryptography on a DDA card and if banks are unable to extend the time they have to create the data, this could cause a major headache.  Issuers must consider the challenges related to capacity and plan ahead accordingly.

 

The SEPA deadline / MasterCard / Visa mandate is just around the corner. As SDA cards have security vulnerabilities, and initiatives like contactless cards are making offline transactions more prevalent, DDA must be on the agenda for issuers. However, in order for it to be a success, they urgently need to look at effective ways of managing their card encryption processes in order to smoothly implement DDA technology by 2011.

 

Be the first to give this comment the thumbs up 0 thumb ups!
Comment on this story (membership required)

Latest posts from Paul

ANZ and Visa lose the plot

30 June 2011  |  6856 views  |  0 comments | recomends Recommends 0 TagsMobile & onlineRetail banking

Don't give up the day job...ever

20 May 2010  |  6102 views  |  0 comments | recomends Recommends 0 TagsTrade executionWholesale bankingGroupWhatever...

Now we are ten

19 April 2010  |  6473 views  |  3 comments | recomends Recommends 0 TagsRetail bankingWholesale banking

Finextra's Best of the Web

05 March 2010  |  5982 views  |  1 comments | recomends Recommends 0 TagsRetail bankingWholesale banking

The ATM was the last great financial innovation

25 February 2010  |  10136 views  |  8 comments | recomends Recommends 0 TagsRetail bankingWholesale bankingGroupFinance 2.0

Paul's profile

job title Head of Research
location London
member since 2007
Summary profile See full profile »
I'm responsible for editorial content and quality control across the full range of Finextra media.

Paul's expertise

Member since 2006
307 posts248 comments

Who's commenting on Paul's posts