Comments: (5)

Joe Pitcher - Irrelevant - Wirral 10 September, 2009, 09:21

Surely the best way to eliminate skimming is to remove the mag stripe. You can't clone what isn't there.

 

Robert Siciliano - Safr.me - Boston 10 September, 2009, 12:41

With 1.5 billion cards in circulation worldwide, removing the magstripe is no simple task. That means every reader and every machine has to be refitted. I doubt we will ever see the magstripe go away. There are too many technologies relying on it and many technologies coming to secure it, or at least make its insecurity a non-issue.

Nick Green - ISD Consultants - Northampton 10 September, 2009, 18:21

Why does the industry continue to expend effort on trying to secure the magstripe when it is just money down the drain (watermark magnetic et al.)? I agree that the magstripe may stay but purely as a means for unattended devices to ensure you have the card the right way round. The answer is to use IC Cards where you have a secure environment to store the data. EMV expands throughout the world and in every country it is introduced fraud goes down; the issue is that as everyone closes the front door the back door is left wide open in the US.

I'm not saying that chip cards are the answer to everything (I'll leave that to some of the purveyors of solutions who have 'the answer'); there is no single solution to combating fraud, it always has been a layered approach. But putting an active component in the cardholders' hands gives you the ability to develop solutions for Card Not Present that would further limit the opportunity for fraud.
To plagiarise 'The Borg' "EMV - you will comply - resistance is futile".

Joe Pitcher - Irrelevant - Wirral 11 September, 2009, 08:37

Robert,

I agree it's not an easy task. The question is how concerned are people/governments/banks about the level of fraud? It's fine saying it's expensive and difficult, I agree it is, but EMV does exist and works quite nicely without a Mag stripe.

There are other solutions - someone will no doubt try and sell one on here in the next few hours - but none in the 'real world' yet other than EMV.

At what point does the cost get outweighed by the benefit? If we can prevent terrorists obtaining funding through fraud and prevent hundreds/thousands of deaths is that worth the pain of replacing cards and upgrading devices?

Stephen Wilson - Lockstep Group - Sydney 12 September, 2009, 03:39

I agree strongly with Nick and Joe.  Yes there are alternatives to chip cards to address card skimming, and there is a host of non-chip solutions to other fraud modalities too, but they're all ad hoc, or short term.

It's important I think to focus on the underlying vulnerability that enables most identity related frauds, namely the replayability of ordinary digital data.  To properly tackle most payment fraud, we must prevent the replay of ID data (most feasibly through asymmetric cryptography i.e. digital signatures).  And we should protect users against real time fraudsters (phishers, pharmers) through intelligent personal security devices.

In plain English, the unique and powerful thing about smartcards is they can tell what's going on around them.  Smartcards (and their intelligent cousins SIMs, smartphones, USB keys etc.) can act as proxies for their owners. They can test the digital bona fides of web sites and of terminal equipment, detect Man-in-the-Middle attacks, detect spam, and self-monitor to tell if they're being used inappropriately. 

So ... we can keep tinkering with magnetic stripes, end-to-end encryption, tokenization and two factor authentication, to erect short term barriers to specific attack vectors, but with significant total cost and at the expense of user confusion and divergence.  Or, we can transition to a single, fundamentally robust, extensible, long term approach to all digital ID protection, using chip cards to address skimming, counterfeiting, CNP fraud, and ID theft all at the same time.

Cheers,

Stephen Wilson, Lockstep.
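
The replay point raised in the last comment, as an added example that is not part of the original thread: a verifier that compares static data accepts any copy of it, while a verifier that checks a signature over a fresh one-time challenge rejects a recorded response. This is a simplified model, not the EMV protocol; Ed25519 stands in for the card's signature scheme, and the `Terminal` type, function names and static value are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Terminal is a hypothetical verifier that knows the card's public key.
type Terminal struct {
	cardPub   ed25519.PublicKey
	challenge []byte // outstanding one-time challenge, nil once consumed
}

// NewChallenge issues a fresh random nonce for one transaction.
func (t *Terminal) NewChallenge() []byte {
	t.challenge = make([]byte, 16)
	if _, err := rand.Read(t.challenge); err != nil {
		panic(err)
	}
	return t.challenge
}

// VerifyStatic models a stripe-style check: any byte-identical copy passes.
func VerifyStatic(stored, presented []byte) bool { return bytes.Equal(stored, presented) }

// VerifySigned accepts only a signature over the outstanding challenge,
// and consumes that challenge so it cannot be answered twice.
func (t *Terminal) VerifySigned(sig []byte) bool {
	if t.challenge == nil {
		return false
	}
	ok := ed25519.Verify(t.cardPub, t.challenge, sig)
	t.challenge = nil
	return ok
}

// Demo returns (static copy accepted, fresh signature accepted, recorded signature accepted).
func Demo() (bool, bool, bool) {
	static := []byte("CONSTRUCTED-STATIC-ID-0000") // constructed sample, not real card data
	copied := append([]byte(nil), static...)       // what a skimmed copy amounts to
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	term := &Terminal{cardPub: pub}
	sig := ed25519.Sign(priv, term.NewChallenge()) // private key never leaves the chip
	fresh := term.VerifySigned(sig)
	term.NewChallenge() // next transaction gets a different nonce
	return VerifyStatic(static, copied), fresh, term.VerifySigned(sig)
}

func main() { fmt.Println(Demo()) } // prints: true true false
```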