This is interesting. Seems that a group of Sri Lankan credit card thieves collected the data off a bunch of UK chip-protected credit cards.
All new credit cards in the UK come embedded with RFID chips that contain different pieces of user information. In order to access the account and withdraw cash, the ATM has to verify both the magnetic strip and the RFID tag. Without this double verification the ATM will confiscate the card, and possibly even notify the police.
They're not RFID chips, they're normal smart card chips that require physical contact -- but that's not the point.
They couldn't clone the chips, so they took the information off the magnetic stripe and made non-chip cards. These cards wouldn't work in the UK, of course, so the criminals flew down to India where the ATMs only verify the magnetic stripe.
Backwards compatibility is often incompatible with security. This is a good example, and demonstrates how criminals can make use of "technological arbitrage" to leverage compatibility.
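An issuer-side check for the pattern described above, as an added example that is not part of the original post: a card whose magnetic stripe says it carries a chip, presented by stripe alone at a terminal outside its home country. The transaction field names, the three outcomes and the home-country default are assumptions for illustration; the track 2 layout and service-code meaning follow ISO/IEC 7813.

```python
# Added example: issuer-side screening of magnetic-stripe authorizations.
# Field names and the home-country default are assumptions for illustration.
import re

# ISO/IEC 7813 track 2: PAN, '=' separator, YYMM expiry, 3-digit service code.
TRACK2 = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})")

def card_has_chip(track2: str) -> bool:
    """First service-code digit 2 or 6 means the card also carries a chip."""
    m = TRACK2.match(track2)
    if m is None:
        raise ValueError("unparseable track 2 data")
    return m.group("svc")[0] in "26"

def screen(txn: dict, home_country: str = "GB") -> str:
    """Return 'approve', 'review' or 'decline' for one authorization request.

    txn keys (hypothetical): track2, entry_mode ('chip' or 'magstripe'),
    terminal_country (ISO 3166 alpha-2).
    """
    if txn["entry_mode"] == "chip":
        return "approve"  # the chip was read, so this rule has nothing to add
    try:
        chip_card = card_has_chip(txn["track2"])
    except ValueError:
        return "decline"
    if not chip_card:
        return "approve"  # stripe-only card: the stripe is all there is
    # Chip card presented by stripe alone: the cloned-stripe pattern above.
    if txn["terminal_country"] != home_country:
        return "decline"
    return "review"

# Constructed sample data (test PAN, not a real account).
SAMPLES = [
    {"track2": ";4000000000000002=08122011234?", "entry_mode": "chip", "terminal_country": "GB"},
    {"track2": ";4000000000000002=08122011234?", "entry_mode": "magstripe", "terminal_country": "IN"},
    {"track2": ";4000000000000002=08122011234?", "entry_mode": "magstripe", "terminal_country": "GB"},
    {"track2": ";4000000000000002=08121011234?", "entry_mode": "magstripe", "terminal_country": "IN"},
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(t["entry_mode"], t["terminal_country"], "->", screen(t))
```

Declining the second sample closes the arbitrage, but it also turns away a genuine cardholder at a stripe-only ATM abroad, which is the compatibility cost the post describes.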
EDITED TO ADD (8/9): Facts corrected above.
Posted on August 9, 2006 at 6:32 AM