Written by Technorati Tags: ATM, debit cards, fraud, security
This is not the whole story: we appear to be concerned about fallback, but what exactly is that concern all about? Apparently we are concerned about the cloning of cards that can then be used abroad, because that’s where ATMs do not support chip. The ability to clone mag stripe cards has been around as long as there have been mag stripe cards. I used to have a card cloning kit in my spare bedroom, and a lot of ATMs used in test had the facility to write cards as well as read them. Writing the cards wasn’t a problem; getting hold of the information to write to the card was – the card had to be swiped twice at the point of sale, and in most cases this could be spotted by the cardholder. Some garage forecourt systems used to do it as a matter of course, so petrol stations were high risk; but so were restaurants, because the card would be handed to the waiter who would take it away to swipe (twice?) and then return with the receipt, ready for signature. The difficulty here though is that the fraudster might have the mag stripe data, but is usually missing the PIN, so the card would have to be written to non-white plastic and then used in a point of sale (or maybe cash over the counter). The advent of chip & PIN meant that PINs could be harvested just as easily as the mag stripe data held on the chip. Petrol stations again (though not just petrol stations) have been targeted by fraudsters “tweaking” card readers to collect the mag stripe data and the PIN. This is fairly easy to do and the cardholder is unaware of the capture. The card and PIN data can then be shipped off to the Far East (or anywhere else there may be non-chip ATMs) where they can be used with plain white plastic to withdraw cash. The question is, whose fault is this?
Dave Birch mentioned the iCVV – a card verification value that is resident on the mag stripe (and exists within the MasterCard world as well as Visa). The chip contains an image of the chip’s track 2 data which is easy to access, as well as the more tricky chip data. Fraudsters harvesting Chip and PIN data from cards are actually collecting the track 2 data, and not the tricky chip data. The reason they are then using Far Eastern ATMs is the fact that they do not look for a chip and can not, therefore, operate in fallback mode. The fact that the Service Code on the card indicates the presence of a chip is therefore inconsequential. The reason for the iCVV is to provide an indication to the card issuer, at the time of the authorisation request, the card is a clone, and the magnetic stripe data was derived from a chip – which would not be possible if the card was legitimate. The problem is that the majority of the issuers did not implement iCVV when they initially converted to chip & PIN. Had they done so, then the so-called loophole would never have existed, and chip cloning would not be the headline grabber that it is today. The issuers, and indeed the whole of the card industry is on the back foot with the media because of something that they should not have allowed to happen, and because of this the acquirers are responding by withdrawing ATM fallback, and I’m getting grief from my girlfriend because she has no cash, and it’s Christmas.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
