Why your credit card's magnetic strip is vulnerable
Despite knowing a swipe card’s magnetic strip is vulnerable, U.S. banks haven’t moved to a more secure system. Why?
By now, you've heard about a global ATM heist for the ages; this complicated operation did $45 million worth of withdrawals.
The high-tech part involved hacking into financial accounts. The low-tech part: making homemade debit cards that get away with it in one important country: ours.
To simplify, this was a two-part crime. The bad guys stole debit card information online, and then pasted that info onto magnetic stripe debit cards. The kind you and I use.
Easy peasy, says fraud analyst Julie Conroy at the Aite Group. You can buy the equipment to do it for $25.
"So you can take any ordinary plastic card," Conroy says. "It can be an old gift card you've gotten. Create your own magnetic stripe. And then use it like any other ATM card."
This magnetic stripe technology is older than the Ford Pinto. Its vulnerabilities let the presumed crooks in this case make duplicate debit cards to use all at once.
"It was really choreographed," says financial researcher Brian Riley with CEB Tower Group. "Within the course of ten hours, thousands of transactions passed through. And if you saw the map that was released, it showed a map going straight down Broadway."
The U.S. is the world's only advanced economy using magnetic stripes. Every other member of the G20 group of industrialized countries uses a newer technology.
"That puts a chip on the cards," says fraud consultant Jerry Silva. "And now you had kind of a double layer of security."
Cards with chips embedded are harder to copy. And they generate a unique code for each transaction, for additional security.
Ideally, American consumers and banks want that.
"But the cost of replacing all of the plastic in this country, the cost of upgrading every ATM to date has exceeded the cost of the fraud itself," says Silva.
By one estimate, the hardware upgrade would cost around $4 billion. That puts this $45 million case in some perspective.
One reason Americans are in this situation is, we invented credit cards. So we have old infrastructure, a bit like the New York City subway system.
"A lot of times the early adopters are stuck with a generation 1.0 system," says cybersecurity analyst Chris Wysopal of Veracode. "And I think that's what we have here."
Still, higher-tech cards are coming to the U.S. in the next few years, analysts say. They've started to hit the market for global travelers, though financial firms still have to work out details of the chip format.
When the new cards do come, no one in the industry believes our fraud problems will be resolved. The hackers will just need to get a little more creative.