Tony Chew, head of the technology risk supervision division of the Monetary Authority of Singapore, is advocating for a concerted global effort to phase out magnetic stripe technology entirely. “We can all go chip and PIN which will be a more effective method of combating counterfeit card fraud,” says Chew. [From Vendor Articles: 12/6/2009 Credit card fraud rising]
It’s the rise in fraud that is causing this kind of thinking. Far from shrinking card fraud, the introduction of chip & PIN in the UK has multiplied a thousandfold the number of places where people use PINs and therefore where PINs can be stolen from. So long as there are places where easy-to-copy magnetic stripes can be used, the incentive for criminals is clear. Things are getting worse.
It is my belief – and feel free to come back and tell me that it’s me that is the idiot – that after a number of years of declining card present fraud (magnetic stripe cloning is so much easier, and a gift from the card issuers), we are now going to see a dramatic increase, and there is nothing we can do about it! [From 2009 – is that the year we all went online?]
I happened to be reading this month’s Fraud Watch, and one of the front page stories is “ATM fraud threatens global acceptance”. The story says that “several issuers are considering blocking major cities and possibly whole countries where international card fraud is high, because there is no chance for reimbursement for those losses even though the original cards are EMV chip and PIN compliant”. (There are, as I understand, no plans for a liability shift to rectify this, particularly in the USA.) Oh dear. Incidentally, the top three destinations for ATM fraud on UK-issued cards last month were…. 1. Canada, 2. Italy and 3. the USA.
Suppose Gerrard is right? What will happen in 2012 when travellers from the USA arrive in Paris and discover the shops, hotels and ticket machines won’t accept their cards any more?
The scale of these ATM frauds is, frankly, impressive. They are well-organised on a large scale and the attacks are executed with precision in order to defeat card issuers’ fraud management responses. Here’s an example…
RBS WorldPay not only had the data hacked for around 1.5 million payroll and gift cards back on December 23rd, but also that the mag stripe and other information must have been gained as well. Shortly after midnight Eastern Time on November 8th, a co-ordinated global attack took place in thirty minutes withdrawing $9 million from ATMs by lifting the limits on each card: [From The Financial Services Club’s Blog: $9 million in 30 minutes in a Global ATM scam]
Until issuers decline all non-stripe ATM withdrawals, which they can’t do until there’s an infrastructure of EMV-capable ATMs in each region, this isn’t going to change. All we can do is try to accelerate ICVV migration and advise new issuers to start with ICVV from the beginning. I should add that not all ATM frauds combine stealth, sophistication and crack teams of international criminals co-ordinating across continents:
Two former workers at an Abbey branch in London managed to steal more than £120,000 from cash machines by stuffing wads of notes down their trousers. [From Finextra: Former Abbey workers pinch £120,000 in ATM scam]
Sometimes the old ways are the best.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.