Payment card fraud can be completely eliminated, says security expert.
(Reporting from ISC West 2010)
LAS VEGAS – A relatively inexpensive technology could wipe out the multi-billion dollar costs of payment card fraud and harm al Qaeda wannabes in the process, a security guru who has worked for the intelligence community said Wednesday at ISC West.
“I believe swipe-card fraud can be eliminated,” said Tom Patterson, chief security officer of MagTek, the industry leader in swipe-card readers. Patterson's timeline for this isn't exactly modest either: he wants counterfeit card fraud gone by the end of 2011.
The key to this fraud detection revolution resides in the magnetic stripe on the back of every payment card. Much like a fingerprint is unique to a human being, every magnetic stripe laid on a payment card is one of a kind. When a magnetic stripe gets created, billions of ferrous oxide particles mix together in a wet slurry. Once that slurry dries, it locks in a random arrangement of particles of different shapes and sizes that emit a unique magnetic signal that cannot be duplicated. MagTek calls this the card’s MagnePrint, which like a fingerprint does not change over time.
This discovery, and the technology built around it, has the ability to simply stop fraud, Patterson said. Here’s why. When criminals skim a payment card, they electronically rip out the card’s number and the cardholder’s name. Next they simply lay that information onto a fraudulent card and go on spending sprees. But if merchants had the ability to check the MagnePrint of the card, they could eliminate fraud completely. When a thief went to use a counterfeit card, the system would find that although the card’s name and number information was correct, the transaction print wouldn’t match the reference print on file and the transaction would be denied.
Every year, banks and merchants lose an estimated $10 billion on fraudulent debit and credit card purchases made by thieves, Patterson said. Cardholders, on the other hand, open themselves to identity theft. And if they use a card frequently, chances are it has been skimmed. Patterson estimates that hundreds of millions of cards have been compromised so far.
But how do criminals skim so many cards? Patterson says organized criminal gangs, including the Bloods and Crips, traditionally approach employees in the service industry--whether it be a waitress, a gas station clerk, or a cashier--provide them with a hand-sized skimmer, and pay them $20 for every card they skim. For someone making minimum wage, that's a big bonus. Another way tech-savvy criminals compromise cards is by installing skimmers directly into ATMs.
Patterson also warned cardholders that the skimming could have taken place months, if not years, ago and that the only obstacle to criminals using a certain card's information is the massive backlog of card numbers they’ve stolen. (Patterson said a good way to avoid falling victim to the consequences of card skimming is changing all your payment cards quarterly.)
Card skimming also harms national security. Every time authorities capture an al Qaeda wannabe in this or that country, the suspect has suitcases full of counterfeit payment cards, Patterson said.
(Read more about ATM fraud trends in Europe from the November 2009 issue or how high cybercrime is on the FBI's priority list in the June 2009 issue.)
To make this fraud detection system universal, MagTek is currently working to build up its Magensa.net database of payment card fingerprints. Patterson said MagTek has spent $15 million licensing and developing the technology. The only barrier now to implementing MagTek’s system is cooperation across the payment card industry. “Banks and merchants don’t work well together,” Patterson explained.
Nevertheless, Patterson said he’s gaining industry support by tramping around the world to conferences like ISC West to preach the benefits of MagnePrint and Magensa.net.
The system can only work if each stakeholder does its part.
Banks and card issuers need to collect a card’s reference print and share it with MagTek every time they issue a new card. For cards that already exist, card processors must capture each card’s reference print and share it as well. To complete the circle, merchants must upgrade their card readers, capture a card’s transaction print, and share it with MagTek to compare it with the reference print. Patterson said the whole authentication process takes 10 milliseconds or less, so merchants won’t lose money by taking too long to process transactions.
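A toy model of the reference-print versus transaction-print check described above, added here as an illustration; it is not MagTek's algorithm or code. The sample count, noise model, correlation score, 0.6 threshold and the `PrintRegistry` name are all assumptions.

```python
import math
import random

STRIPE_SAMPLES = 256    # assumed length of a digitised stripe-noise reading
MATCH_THRESHOLD = 0.6   # assumed acceptance score, not a MagTek parameter

def make_stripe(seed):
    """Constructed stand-in for one stripe's fixed random particle pattern."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(STRIPE_SAMPLES)]

def read_print(stripe, rng, read_noise=0.3):
    """One swipe: the stripe pattern plus assumed reader noise, so reads differ."""
    return [s + rng.gauss(0.0, read_noise) for s in stripe]

def correlation(a, b):
    """Pearson correlation between two readings of equal length."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb)

class PrintRegistry:
    """Hypothetical reference-print store keyed by card number."""
    def __init__(self):
        self._refs = {}
    def enroll(self, pan, reference_print):
        self._refs[pan] = reference_print   # issuer side: captured at issuance
    def authorize(self, pan, transaction_print):
        ref = self._refs.get(pan)
        if ref is None:
            return "NO_REFERENCE"            # never enrolled: cannot be checked
        score = correlation(ref, transaction_print)
        return "APPROVE" if score >= MATCH_THRESHOLD else "DENY"

def demo():
    rng = random.Random(2010)
    pan = "4000000000000002"             # constructed card number
    genuine = make_stripe(seed=1)
    counterfeit = make_stripe(seed=2)    # different stripe carrying the same data
    registry = PrintRegistry()
    registry.enroll(pan, read_print(genuine, rng))
    return (registry.authorize(pan, read_print(genuine, rng)),
            registry.authorize(pan, read_print(counterfeit, rng)),
            registry.authorize("4000000000000010", read_print(genuine, rng)))

if __name__ == "__main__":
    print(demo())
```

The third result is the coverage gap the article points to: a card whose reference print was never shared cannot be authenticated this way, whatever the merchant's reader captures.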
MagTek began building the MagnePrint capability into all its products last year, which makes life easier for merchants because they probably already use the company’s readers. MagTek provides almost 75 percent of all magnetic stripe components, like ATMs and point-of-sale terminals, to the financial industry.
Patterson hopes to have 500 million MagnePrints on file by the end of 2011. (MagTek estimates there are currently 2.7 billion stripe cards in circulation.) The database now contains about 100 million card prints that MagTek's customers currently use to authenticate payment card transactions.
In Santiago, Chile, MagTek partnered with Banco de Credito e Inversiones (BCI) to test its technology. BCI installed the technology onto more than half of its 1,000 ATMs. The trial results weren't shabby.
“We have zero fraud. Zero,” Mario Gaete, BCI's chief operating officer and chief information officer, told American Banker in June.
Maybe Patterson's mission isn't a fool's errand.
♦ Photo of credit cards by Lotus Head/WikiMediaCommons
♦ Thumbnail by ttstam/Flickr