In 1960, an IBM engineer named Forrest Parry was developing a new type of ID card for the CIA when he had an epiphany: Why not make each card a tiny data storage device in and of itself? He cut a short length of half-inch wide magnetic tape from a reel and wrapped it around a blank plastic card, secured it with Scotch tape, and then, at his wife’s suggestion, pressed it on with a warm iron.
The magnetic stripe card was born.
Today magstripes are on the backs of millions of US-issued credit and debit cards, where they hold all the information needed to produce a flawless counterfeit card — account number, expiration date, and a secret code called a CVV. That has made Forrest Parry’s invention one of the computer underground’s most prized targets — more valuable than anything on your hard drive. We were reminded of that last week, when Home Depot confirmed that 56 million shoppers had their credit card data siphoned from the big box retailer’s point-of-sale systems over six months. That’s 3,000 miles of magstripe, stolen three inches at a time.
The announcement makes the Home Depot breach the single largest known theft of credit card data in history, edging out the 40 million cards stolen from Target late last year, and about the same number taken from TJX in 2006. It may also be one of the last major credit card heists.
But more on that in a moment.
U Enlarge The first magstripe card. Jerome Svigals via Wikimedia Commons
First, a bit of history: What happens to stolen bank card data hasn’t changed in 15 years — the hackers package it and sell it in bulk to the underground’s third-party resellers. Ten years ago it was the Ukranian known as “Maksik”; today it’s the Ukrainian known as “Rescator.” If Parry’s innovation was to take a bulk storage medium and literally slice it into a wallet-sized one, the computer underground has perfected the opposite process, compiling all those squirts of information into a big data play that would make Mark Zuckerberg envious.
Once it’s in an underground shop, card counterfeiters buy the magstripes they need — sometimes ordering by bank or ZIP code — and copy it onto fake cards using their own magstripe encoding machines. Then they use the cards to buy goods they can resell or dispatch crews to do the shopping for them in exchange for a cut of the profits.
Since about 2001, stolen magstripe swipes, or “dumps,” have been the pork bellies of a massive hacker commodities market, centered in Eastern Europe and stretching around the globe. Beyond the hackers who breach stores like Home Depot, and the resellers like Rescator who market the cards, there are vendors specialising in the hardware and material — plastic embossers, fake holograms, blank cards, magstripe encoders — needed to use the data and others who crank out professional fake IDs to help pass the fake cards. By the most conservative estimates, it all adds up to $11 billion (£7 billion) in losses annually.
But the golden age of credit card fraud is drawing to a close, and history will regard Home Depot, TJX, Target, and all other breaches as a single massive exploit against one catastrophic security hole: The banks’ use of roughly 23 characters of magnetically encoded data as the sole authentication mechanism for a consumer payment infrastructure that generated 26.2 billion transactions in 2012 alone. Engineering students will study that gaffe with the astonished bemusement with which they view old footage of the Tacoma Narrows Bridge twisting in the wind.
The fatal problem with the credit card magstripe is that it’s only a container for unchanging, static data. And if static data is compromised anywhere in the processing chain, it can be passed around, copied, bought and sold at will.
The solution has been available for years: Put logic in the card. Thanks to Moore’s Law, an inexpensive tamper-resistant microprocessor fits comfortably in a space smaller than your driver’s license photo. With a computer on both edges of the transaction, you can employ cryptography and authenticate the card interactively, so that eavesdropping on the transaction gains you nothing. Just as IBM’s Parry made our wallets smarter by adding computer storage, a modern card is smarter still by having an entire computer onboard.
Now, after resisting it for 10 years because of the formidable transition costs, the US is about to finally embrace the secure chip-based authentication system called EMV — the standard was pioneered by Europay, MasterCard, and Visa — that the rest of the world has already adopted. Pushed by mounting fraud costs, credit card companies have crafted incentives for merchants to switch to the sophisticated readers needed to accept the cards. “There was a lot of skepticism about whether it would ever happen in the US,” says Michael Misasi, an analyst with the Mercator Advisory Group. “All of the data breaches that have happened have woken people up, and progress has been accelerating this year.” The first serious milestone is October 2015. By 2020 the swipe-and-sign magstripe reader will be as hard to find as the credit card impression rollers they supplanted.
By then, it’s probably safe to say, the entire idea of a credit or debit “card” will be quaint. With the newly announced Apple Pay joining Google Wallet as a real-life payment system, even the chip-based credit cards will be little more than a backup technology. Apple took some ribbing for announcing Apple Pay while its iCloud celebrity breaches were still in the news. But unlike cloud storage, the state of the art of retail payment is so poor today that Apple can’t possibly fail to improve it.
You can see where this is headed by looking at one of EMV’s early adopters. Since the UK deployed EMV “chip-and-PIN” cards in 2004, overall card fraud in that country has fallen 32 percent, from 504.8 million euro in losses that year to 341 million in 2011, according to the most recent figures from the UK Card Association.
There are two loopholes that kept criminals from being hit even harder by the chip cards. First, the UK cards still have magstripes so UK travelers can use them when visiting the US. Adaptable criminals in the UK began working with confederates in restaurants and shops, covertly swiping magstripes from customers and selling them to American crooks to use at primitive American point-of-sale terminals. These scams contributed as much as 80 million euro in foreign fraud charges on UK cards in 2011.
But that loophole will close once the US switches over to EMV. The second, bigger, loophole is online fraud. Internet transactions aren’t made any safer by having a chip on your card, and in the UK and elsewhere criminals were able to make up much of what they lost by doubling down on fraudulent web purchases.
But the end is nigh for online credit card fraud, too. Systems like Apple Pay and Visa’s newly announced Visa Token Service accomplish the same security goals as EMV, but also work online. They replace the static credit card number with a temporary token that changes every time. “Initially, Apple Pay’s tokenization will only be for in-app purchases from mobile phones,” says David Robertson, publisher of the respected payments industry newsletter The Nilson Report. “But over time that will broaden.”
Robertson agrees that the simultaneous arrival of EMV and tokenization in the US will trigger a sea change in the underground. “There’s every reason to think that the industry will get ahead of the bad guys again,” he says.
None of this means cybercrime will become unprofitable. Skilled cyber-criminals will still make tons of money in more elaborate scams, like account takeovers and identify theft. But the death of the magstripe will trigger a financial crisis in the unskilled ranks of the computer underground akin to what the mortgage collapse did to Wall Street. And Perry’s historic invention, so brilliant at the time, can relax into its long overdue retirement.
Excerpts from: Wired .co .uk