22 August 2017
Lachlan Gunn

ATM Security

Lachlan Gunn - BenAlpin Ltd

A post relating to this item from Finextra:

ECB calls for mandatory Sepa migration deadline

22 October 2010  |  10342 views  |  3
The European Central Bank (ECB) says self-regulation on Sepa has not achieved the expected results and is calling on legislators to now set a mandatory migration timeline.

The end for the magnetic stripe on payment cards?

27 October 2010  |  7503 views  |  0

EAST, the European ATM Security Team, has recently released European ATM crime statistics for the period January to June 2010. The figures show a 24% increase in card skimming attacks at European ATMs: 5,743 attacks were reported for the period January to June 2010, compared with 4,629 for the same period in 2009. This is the highest figure for a six-month period since EAST first began reporting these statistics in 2004.

More reassuringly, for the same periods, skimming-related losses fell from €156 million to €144 million. This is the fifth consecutive reported fall since the period July to December 2007, when losses peaked at €315 million. Incidents peak, yet losses continue to fall? The bad guys have to work harder for less return.

The industry in Europe has invested significantly in EMV (Chip and PIN) technology and 95% of European ATMs are now EMV compliant. So what? So it is now much harder for criminals to get cash from compromised European EMV cards within the EMV area. Why? Because an EMV card issuer will not allow an EMV card transaction to take place without a Chip. Even better, the EMV area is expanding and the liability shift now also applies to both Canada and South Africa, and more countries will follow. The world, with the exception of the USA, parts of Africa, and Mongolia, is moving to the EMV standard.

Which brings one to the salient security weakness of most EMV cards – they still have a magnetic stripe on them.  This means that the sensitive stripe data can still be skimmed or illegally copied, although industry counter-measures mean that it is not always easy.  Why do European EMV cards still have a stripe? So that cardholders can use them globally at any terminal that accepts their scheme.  This opens the convenience debate:  EAST ran two web research polls to assess opinion on this topic from November 2009 to February 2010 (you can download the poll results from the ATM Research page of the EAST website).

In the first poll, 60% of the respondents felt that European EMV cards should not hold sensitive cardholder data as standard in a magnetic stripe. In the second poll, 28% indicated that they would be happy to contact their bank to activate the stripe on their card before travelling outside Europe, 12% were happy to carry a Chip-only card and to apply for a separate stripe card should they need to travel outside Europe, and 20% were in favour of both.

Now the EAST polls are just opinion snapshots, not scientific studies, but logic dictates that the vast majority of European cardholders do not travel outside their own country, or certainly not outside the 32 countries of the Single Euro Payments Area (SEPA) – and now Canada and South Africa have joined the club. Events are overtaking the debate as Chip-only debit cards are starting to appear in Europe, most notably the V Pay initiative offered by Visa Europe, which first appeared in 2005. The more of these cards that are issued to satisfied cardholders, the more other issuers are likely to follow suit.

Is this the beginning of the end for the magnetic stripe on payment cards? According to the European Central Bank (ECB) it is for European payment cards; the 7th Progress Report for the Single Euro Payments Area (SEPA) has just been published, from which an extract is below:

"In line with Europol’s stance on the future of the magnetic stripe and in support of the industry’s efforts to enhance the security of cards transactions by migrating from the “magnetic stripe” to “EMV chip” cards, the Eurosystem considers that, to ensure a gradual migration, from 2012 onwards, all newly issued SEPA cards should be issued, by default, as “chip-only” cards. If the industry decides to keep the magnetic stripe for practical reasons, any data enabling magnetic stripe transactions should be removed. The industry will have to be prepared to offer the cardholder cards with legacy magnetic stripes upon request as long as there are still regions outside SEPA which have not fully migrated to EMV."

I put up a blog on this site last November asking ‘Should we have chip only payment cards’, which resulted in quite a few comments and which kicked off with the question – should sensitive cardholder data be held as standard in magnetic stripes on European EMV cards?  It seems that the ECB has just answered that question.

 

Lachlan's profile

job title Director
location Perth
member since 2009
Lachlan is Director of BenAlpin Ltd, a security consultancy, and is also founder and a Director of European ATM Security Team Ltd, an independent, non-profit, international ATM user group. EAST has a...
