The magnetic stripe card was born.
Today magstripes are on the backs of millions of US-issued credit and debit cards, where they hold all the information needed to produce a flawless counterfeit card—account number, expiration date, and a secret code called a CVV. That has made Forrest Parry’s invention one of the computer underground’s most prized targets—more valuable than anything on your hard drive. We were reminded of that last week, when Home Depot confirmed that 56 million shoppers had their credit card data siphoned from the big box retailer’s point-of-sale systems over six months. That’s 3,000 miles of magstripe, stolen three inches at a time.
The announcement makes the Home Depot breach the single largest known theft of credit card data in history, edging out the 40 million cards stolen from Target late last year, and about the same number taken from TJX in 2006. It may also be one of the last major credit card heists.
But more on that in a moment.
First, a bit of history: What happens to stolen bank card data hasn’t changed in 15 years—the hackers package it and sell it in bulk to the underground’s third-party resellers. Ten years ago it was the Ukranian known as “Maksik”; today it’s the Ukrainian known as “Rescator.” If Parry’s innovation was to take a bulk storage medium and literally slice it into a wallet-sized one, the computer underground has perfected the opposite process, compiling all those squirts of information into a big data play that would make Mark Zuckerberg envious.
Once it’s in an underground shop, card counterfeiters buy the magstripes they need—sometimes ordering by bank or ZIP code—and copy it onto fake cards using their own magstripe encoding machines. Then they use the cards to buy goods they can resell or dispatch crews to do the shopping for them in exchange for a cut of the profits.
Since about 2001, stolen magstripe swipes, or “dumps,” have been the pork bellies of a massive hacker commodities market, centered in Eastern Europe and stretching around the globe. Beyond the hackers who breach stores like Home Depot, and the resellers like Rescator who market the cards, there are vendors specializing in the hardware and material—plastic embossers, fake holograms, blank cards, magstripe encoders—needed to use the data and others who crank out professional fake IDs to help pass the fake cards. By the most conservative estimates, it all adds up to $11 billion in losses annually.
But the golden age of credit card fraud is drawing to a close, and history will regard Home Depot, TJX, Target, and all other breaches as a single massive exploit against one catastrophic security hole: The banks’ use of roughly 23 characters of magnetically encoded data as the sole authentication mechanism for a consumer payment infrastructure that generated 26.2 billion transactions in 2012 alone. Engineering students will study that gaffe with the astonished bemusement with which they view old footage of the Tacoma Narrows Bridge twisting in the wind.
The fatal problem with the credit card magstripe is that it’s only a container for unchanging, static data. And if static data is compromised anywhere in the processing chain, it can be passed around, copied, bought and sold at will.
The solution has been available for years: Put logic in the card. Thanks to Moore’s Law, an inexpensive tamper-resistant microprocessor fits comfortably in a space smaller than your driver’s license photo. With a computer on both edges of the transaction, you can employ cryptography and authenticate the card interactively, so that eavesdropping on the transaction gains you nothing. Just as IBM’s Parry made our wallets smarter by adding computer storage, a modern card is smarter still by having an entire computer onboard.
Now, after resisting it for 10 years because of the formidable transition costs, the US is about to finally embrace the secure chip-based authentication system called EMV—the standard was pioneered by Europay, MasterCard, and Visa—that the rest of the world has already adopted. Pushed by mounting fraud costs, credit card companies have crafted incentives for merchants to switch to the sophisticated readers needed to accept the cards. “There was a lot of skepticism about whether it would ever happen in the US,” says Michael Misasi, an analyst with the Mercator Advisory Group. “All of the data breaches that have happened have woken people up, and progress has been accelerating this year.” The first serious milestone is October 2015. By 2020 the swipe-and-sign magstripe reader will be as hard to find as the credit card impression rollers they supplanted.
By then, it’s probably safe to say, the entire idea of a credit or debit “card” will be quaint. With the newly announced Apple Pay joining Google Wallet as a real-life payment system, even the chip-based credit cards will be little more than a backup technology. Apple took some ribbing for announcing Apple Pay while its iCloud celebrity breaches were still in the news. But unlike cloud storage, the state of the art of retail payment is so poor today that Apple can’t possibly fail to improve it.
by Kevin Poulsen, Wired | Read more:
Image: The first magstripe card. Jerome Svigals via Wikimedia Commons
Image: The first magstripe card. Jerome Svigals via Wikimedia Commons