Mar 19, 2006

ATM fraud scandal ignites mag stripe vs. chip debate: some experts just don’t get it

Some credit and debit card security experts just don't get it. The ATM fraud scandal in the US is being called “the worst hack ever” and “the worst consumer scam to date” and has reignited debate over mag stripe vs. chip. The debate is revealing basic misunderstandings among some payments experts.

It appears that credit and debit card information was stolen along with the security keys needed to re-create the PIN codes, probably from a third-party processor. The information was used to create fake cards and withdraw money from ATM machines in the UK, Russia and Canada. A Bank Systems & Technology article last week, “Lessons to Learn from Citi Data Breach”, shares the viewpoints of three analysts, Bruce Cundiff (Javelin Strategy & Research), Jon Gossels (SystemExperts) and George Tubin (TowerGroup). Naturally, the discussion reignited the debate on mag stripe vs. chip in the US.

"This situation brings together a perfect storm of issues — mag stripe vs. chip, PIN vs. signature debit, and merchant storage of data," comments Cundiff. "I think this is potentially the beginning of building a business case for chip cards in the U.S. I'm wondering if this is the tipping point for adopting chip cards in the U.S."

Gossels is not so sure about this. "It is important to focus on what the problem is that you're trying to solve," he explains. "Smart cards would not have solved this particular problem. Look at the way credit cards are used over the phone. You give your name and account number to the person on the other line. It doesn't matter if they have your card, as long as they have your data."

Gossels just doesn’t get it. You can’t create a fake smart card using information provided over the phone. It sounds like he doesn’t even know which security breach everyone is talking about. People are using fake cards to pull money out of ATM machines, lots of money. Not to buy flowers over the phone.

Most UK ATM machines are smart-card enabled, as are a growing number of machines in other countries. If the original cards had been EMV-compliant, thieves would not have been able to use fake cards to pull all that money out: the data a skimmer or a compromised processor can capture is the static data on the stripe, and a chip will not authorize a transaction on static data alone.
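To make the point concrete, here is a toy model of the two authorization paths. It is an added illustration, not code from the original post or from any EMV implementation: the mag stripe path compares static track data with the issuer's file, so a byte-for-byte copy of the track authorizes just like the original; the chip path requires a cryptogram computed with a key that stays inside the card, so a card built from skimmed data (PAN and expiry, but no key) is refused, and so is a replay of a cryptogram captured from a genuine transaction. Real EMV uses 3DES-based MACs over a session key derived from a card master key; this model substitutes HMAC-SHA256, and the PAN, expiry, key and track layout are constructed sample values.

```python
"""Toy model: why a copied mag stripe authorizes at an ATM but a copied chip does not.

Added illustration, not EMV code. HMAC-SHA256 stands in for the EMV cryptogram MAC;
all account data below is constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PAN = "4000000000000002"      # constructed sample account number
EXPIRY = "0812"               # constructed expiry (MMYY)
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed card key


def make_issuer_file():
    """Issuer's record for the account: expiry, the card's key, last counter seen."""
    return {PAN: {"expiry": EXPIRY, "key": CARD_KEY, "last_atc": 0}}


def magstripe_track2(pan, expiry):
    """Everything a mag stripe carries is static and readable by any swipe."""
    return f"{pan}={expiry}"


def issuer_authorize_magstripe(issuer_file, track2):
    """Mag stripe path: the issuer can only compare static fields with its file."""
    pan, _, expiry = track2.partition("=")
    rec = issuer_file.get(pan)
    return rec is not None and rec["expiry"] == expiry


@dataclass
class ChipCard:
    """A chip keeps its key internal; only per-transaction cryptograms leave the card."""
    pan: str
    expiry: str
    key: bytes
    atc: int = 0  # application transaction counter, incremented per transaction

    def cryptogram(self, unpredictable_number, amount):
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{unpredictable_number.hex()}|{amount}".encode()
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()


def issuer_authorize_chip(issuer_file, pan, atc, unpredictable_number, amount, cryptogram):
    """Chip path: recompute the cryptogram with the key on file and reject reused counters."""
    rec = issuer_file.get(pan)
    if rec is None or atc <= rec["last_atc"]:
        return False  # unknown card, or a counter already used (replay)
    msg = f"{pan}|{atc}|{unpredictable_number.hex()}|{amount}".encode()
    expected = hmac.new(rec["key"], msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cryptogram):
        return False  # the presenting card does not hold the issuer's key
    rec["last_atc"] = atc
    return True


def atm_withdraw_chip(issuer_file, card, amount):
    """ATM side: fresh unpredictable number per transaction, then ask the issuer."""
    un = os.urandom(4)
    atc, ac = card.cryptogram(un, amount)
    return issuer_authorize_chip(issuer_file, card.pan, atc, un, amount, ac)


def demo():
    """Run both paths against a genuine card, a clone, and a replayed cryptogram."""
    issuer_file = make_issuer_file()
    results = {}

    # Mag stripe: a copy of the track data is indistinguishable from the original.
    genuine_track = magstripe_track2(PAN, EXPIRY)
    cloned_track = str(genuine_track)  # what a skimmer or breached processor yields
    results["magstripe_genuine"] = issuer_authorize_magstripe(issuer_file, genuine_track)
    results["magstripe_clone"] = issuer_authorize_magstripe(issuer_file, cloned_track)

    # Chip: the genuine card authorizes.
    genuine_chip = ChipCard(PAN, EXPIRY, CARD_KEY)
    results["chip_genuine"] = atm_withdraw_chip(issuer_file, genuine_chip, 200)

    # A card built from skimmed data has the PAN and expiry but not the key.
    fake_chip = ChipCard(PAN, EXPIRY, bytes(16))
    results["chip_clone"] = atm_withdraw_chip(issuer_file, fake_chip, 200)

    # Replaying a captured (atc, un, cryptogram) triple from a genuine transaction.
    un = os.urandom(4)
    atc, ac = genuine_chip.cryptogram(un, 200)
    assert issuer_authorize_chip(issuer_file, PAN, atc, un, 200, ac)  # first use is fine
    results["chip_replay"] = issuer_authorize_chip(issuer_file, PAN, atc, un, 200, ac)

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'authorized' if ok else 'declined'}")
```

The two defences the chip path relies on are visible in `issuer_authorize_chip`: the MAC check, which a card without the key cannot pass, and the counter check, which turns a captured cryptogram into a one-time value. Neither is available to a mag stripe issuer, whose only inputs are the static fields on the track.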

This is also very similar to what happened in Malaysia a couple of years ago with their ATM fraud. They had similar security breaches as well as things like pinhole cameras placed above ATM machines. Malaysia solved the problem by moving to chip and making it impossible to create fake cards. The US banking industry will probably spend a great deal of effort and energy trying to kill all the various sources of the problem, but since there are so many of those, they will eventually have to move to chip. Even at the POS. We've seen recent articles on Las Vegas hookers caught with mag stripe hotel keys loaded with credit card information, turning simple hotel keys into payment cards that work at POS terminals where the merchant lets the customer swipe the card, a practice that has become common over the last few years.

Alright. I’ve calmed down. Take a look at Cundiff’s blog, specifically his post, “Recent PIN fraud issues for large banks may be the start of a revolution”.

1 comment:

Sausheong said...

More recent news on card fraud - http://news.zdnet.com/2100-1009_22-6051261.html?tag=zdfd.newsfeed