MagnePrint Technology for Credit/Debit Cards

This seems like a solution in search of a problem:

MagTek discovered that no two magnetic strips are identical. This is due to the manufacturing process. Similar to DNA, the structure of every magnetic stripe is different and the differences are distinguishable.

Knowing that, MagTek pairs the card's magnetic strip signature with the card user's personal data to create a one-of-a-kind digital identifier. MagTek calls this technology MagnePrint.

Basically, each card gets a "fingerprint" of the magnetic strip printed on it. And the reader (merchant terminal, ATM, whatever) verifies not only the card information, but the fingerprint as well. So a thief can't skim your card information and make another card.

I see a couple of issues here. One, any fraud solution that requires the credit card companies to issue new readers simply isn't going to happen in the U.S. If it were, we'd have embedded chips in our credit cards already. Trying to convince the merchants to type additional data in by hand isn't going to work, either. We finally got merchants to type in a 3–4 digit CVV code -- that basically does the same thing as this idea (albeit with less security).

Two, physically cloning cards is much less of a threat than virtually cloning them: buying things over the phone and Internet, etc. Yes, there are losses here, but I'm sure they're not great enough to justify all of this infrastructure change.

Still, a clever security idea. I expect there's an application for this somewhere.

Posted on December 18, 2009 at 6:32 AM • 69 Comments

Comments

Mike BDecember 18, 2009 6:42 AM

Any technology that can read magnetic info from a card can be used to write info back to a card. If the sensitivity of current writers is insufficient, the market will respond and produce ones that are.

Brandioch ConnerDecember 18, 2009 7:15 AM

And wouldn't the characteristics of the strip change over time? I know that my signature field is heavily worn on my cards. And my debit card can take a few swipes to get it to read correctly.

TomDecember 18, 2009 7:15 AM

I initially was thinking access control - you can't virtually enter a building, but then the problem becomes theft. If you pair it with human-powered photo check, the gain in the system dissipates.

Henning MakholmDecember 18, 2009 8:44 AM

Similar to DNA? Which conceivable similarity does this have with DNA?

Is there a "magstripe transcriptase" that can clone the data they're collecting, for example?

TimDecember 18, 2009 9:25 AM

Why can't you have chip & pin in America? They introduced it in the UK very quickly with no hassle at all.

paulDecember 18, 2009 9:38 AM

Not only wouldn't the characteristics of the fingerprint change over time, but couldn't they be deliberately altered? How easy would it be to mount a denial-of-service attack?

I'm also wondering how this would work -- is the fingerprint another chunk of data that's recorded everywhere (and hence subject to playback attacks) or is it just recorded on the card, in which case once the fingerprint algorithm is cracked, scammer can just read the cards they make and write matching fingerprint codes?

NickoDecember 18, 2009 9:51 AM

@Tim: The US doesn't have chip&pin because (a) the merchants won't accept a solution which costs them money (for new card readers) but saves money for the banks and (b) the banks won't pay for the equipment because it's not clear that it would reduce fraud by enough to cover the extra cost. Current C&P technology does little to reduce on-line fraud and that is where the fraud growth is right now. Of course the 'cost-effectiveness' equation does not include a cost for the consumer's time and hassle.

In the UK the change was "encouraged" by the government but if the current US government mandate anything for the private sector it's taken as clear evidence that Obama is a Marxist Dictator, so that's unlikely to happen either. To be honest, until a cryptographic solution comes along that works well on line it will remain more "cost effective" to put up with the fraud than to change the system.

nixarDecember 18, 2009 10:19 AM

All recent card readers should be able to read SIM cards. At least, all recent (10- years) readers made by the market leader in card readers, do.

DavidDecember 18, 2009 10:30 AM

Not to mention that chip&pin had some well-publicized cases in the UK where attempts to dispute transactions were treated as prima facie evidence of attempted bank fraud. As a consumer, I'd much rather have a system more open to fraud that I didn't have to pay for than a system with less fraud where I'd be personally responsible for the fraud.

I'd expect the merchants to be the most open to spending money to reduce fraud, as (at least in the US) they are generally the victims. (I don't pay fraudulent transactions, and the card companies generally take it out of the merchants' accounts.) Consumers will be willing to go for anything as convenient as what they've got, as long as there aren't scare stories. Banks are perhaps the least motivated.

BF SkinnerDecember 18, 2009 10:30 AM

@Brandioch Conner "change over time"

Beat me to it. Won't both use and age wear on the characteristics? Which brings up the question of replacement.
Is the I&A record going to have to be modified everytime a new card is issued?

Second question - Online sales? This only would provide control at brick and
morter outfits.

@Bruce "convince the merchants to type additional data"

Yeah. What's up with that? Some stores (BestBuy) take your card and punch in the last 4 digits, others just compare your card to the swipe info. I like the model where I never surrender my card to human or machine.

HJohnDecember 18, 2009 10:31 AM

I think part of it goes back to the "rare and spectacular" mindset. Things that address common risks don't wow us.

I think that is also part of the reason that I've found that otherwise stingy executives love to tout about hardening their encryption--which usually was already one of their strongest links before an expensive upgrade.

JoshDecember 18, 2009 10:36 AM

"ATM machine" -- Argh!

PNS Syndrome* strikes again...

(* Personal Identification Number Number Syndrome Syndrome)

DavidDecember 18, 2009 11:26 AM

@HJohn: Thing is, "rare and spectacular" is dangerous for the individual. As it is, I (along with hundreds of millions of my closest friends) pay for fraud. If we reduced fraud, we'd be better off on the average (except for the fraudsters, I suspect). If we reduce it by putting a lot of risk on the individual, then I'd argue we're not making people better off.

Similarly, I pay a lot more money to my insurance company than I expect to get back, but in return for that they mitigate my risks. Lots of people think that's worthwhile.

NullOpDecember 18, 2009 2:12 PM

Maybe useful as a second factor of authentication. Instead of reading the stripe data you read the unique characteristics. A card with a magnetic stripe on it is carried by almost everyone in the country, so goodbye tokens..? of course you would still need a way to read these if the intent was remote strong auth.

JohnDecember 18, 2009 2:37 PM

Sigh.... Looking at the article, this gentleman addresses the issue of online transactions by recommending that all manufactures integrate a swipe reader into their computers, phones, and accessories. What he seems to ignore is that doing so won't make the system more secure since it would still be possible for criminals to place skimmers on ATMs and skim the card data plus the 54 byte "MagnePrint" signature. Once they have that, it's a simple matter perform online transactions using the captured, skimmed data.

Yes, they can't reproduce the card for use by a reader not under their control. But there's nothing preventing them from spoofing the data while pretending to use a "honest" reader.

AnklebitersaurusDecember 18, 2009 4:06 PM

Online fraud has been mostly fixed for the last decade. Just, for some reason I have yet to fathom, few companies are bothering to implement the fixes.

I'm speaking of disposable credit card numbers.
http://www.auctionbytes.com/cab/abu/y205/m02/...

Last I heard, BoA (via their acquisition of MBNA) have had zero cases of fraud involving their disposable numbers. It was mentioned in a press release a few years back.

I love disposable numbers so much that I have contemplated getting a magstripe writer and rewriting one of my legit cards with a disposable number for purchases at certain merchants (e.g. Target - they are so blatant about tracking you by your CC# that I only use cash there now, it would be nice to use a different disposable CC for each purchase there instead).

Seems to me that a variant on disposable numbers would be just as fraud-repellent for b&m as it is for online. For example - if everyone had a magstripe writer they could rewrite their CC# once a week (or even more frequently if so desired) - if a CC# only has a lifespan of a week or two, that would greately reduce the window for fraudulent use.

pfoggDecember 18, 2009 5:26 PM

Some 20 years ago friend told me of a technology from a company he was working with that sounded exactly like this. The obvious use was to create physical tokens that can't be forged by independent third parties (a digital signature of the 'unique characteristics' of the card proves that particular card was signed by the official key). Wear and tear would be handled by replacement.

I assumed I never heard of it again because something was wrong with the practical implementation (too expensive, unreliable, etc.). Cost of implementation sounds like the deciding factor, if it works: it fixes custom, third-party forgery, not bribery or theft of other people's cards. The cost would have to be smaller than the losses due to that one issue (or the cost of whatever measures currently deal with it). Does that attack come up anywhere apart from making fake IDs for buying alcohol? It's unlikely to be useful for currency, which is the most obvious 'unforgeable token' problem, based on wear-and-tear requirements

FrancesDecember 18, 2009 10:07 PM

We are getting chip and pin cards in Canada. I've had one for almost a year. I'm still not sure how I like it.

TomTalksDecember 18, 2009 10:09 PM

Bruce… I’m glad you posted this thread… lots of good comment. To your point that ‘any fraud solution that requires the credit card companies to issue new readers simply isn't going to happen’ , let me clarify why I believe this can and will work.

1) The company providing the solution is MagTek, which already delivers almost 3/4th of the financial worlds secure mag-stripe components, and have been since 1972. They paid to license the IP, develop it into technology, reduce it to inexpensive ASICs, and include it with every head reader they ship (over 3 million units/yr). Many companies already have the chip in their readers (regardless of the brand), and most will with the normal life cycle refreshment process. With the new PCI requirements for end-to-end encryption (our ASIC also has 3DES and DUKPT integrated in), the vast majority of merchants will be upgrading their terminals (or just their read heads in our case) over the next year or two anyway.
2) Unlike EMV cards, with this solution the cards stay the same, and the consumer process stays the same, and merchants know exactly which lanes are losing money to counterfeit fraud so they can choose to when and where to upgrade to a newer terminal. That makes it a simple cost-benefit analysis for the merchants, and we know they are losing over $4billion/yr to counterfeit card fraud.
3) To Paul’s comment on the magnetic fingerprint changing over time, yes it does, but we use that to advantage. When we read a magneprint, we score it by correlating it to its reference print. Since each swipe is different, the score is never an exact match, but the ‘good’ card is always a very high correlation, and a counterfeit card is always a very low one. It’s never the same (with billions of random particles), so an exact match is declined as a replay attack.
4) So far, it’s done well in multi-year banking tests and trials, with over a million MagnePrints registered, over 1100 counterfeit cards caught, and more than 10 million dollars of fraud defeated.
5) I don’t dislike EMV cards and expect they’ll one day be standard, but I joined MagTek as CSO to help fight fraud now, and with 2.7 billion mag-stripe payment cards in use today and the foreseeable future-- this is the best solution I’ve found that helps the merchants lower their card fraud.

We are addressing the problem from the merchant’s perspective-- they are the ones besieged by fraud, chargebacks, and fees, and MagnePrint gives them the opportunity to lower that risk. Even with all the counter-fraud techniques in place today (including holograms, multi-color ink, cvv and neural nets), there still remains over $4billion dollars in annual theft from merchants, and it’s the merchants that are the most motivated to stop it.

((josh—I’ll give you the ATM M one!))

Nick PDecember 18, 2009 10:38 PM

I was thinking of applying it in authentication systems but it's basically "something you have." They talk of it like biometrics, but it's not really like that. If someone steals the card, then they can authenticate. This thing is only useful in multifactor authentication schemes and even so I can already do better with smartcards or hardware tokens.

I just don't see a use for this. I'd rather see more tamper-resistant storage techniques, like for TPM's or to give some competition to IBM's legendary crypto coprocessor. *That* would be useful. This is just technological masterb... err.... impractical but entertaining effort. ;)

AnklebitersaurusDecember 19, 2009 12:09 AM

@TomTalks

Of those multi-year trials - how much f that has included determined efforts to clone these 'magnetic fingerprints?'

Seems to me this works all fine and dandy as long as no one is seriously attacking it. But if it ever gains any significant traction in the marketplace you will have smart people with real motivation working to break the system. Since a lot of retail fraud is organized crime, that will be some well funded resources you are up against.

Clive RobinsonDecember 19, 2009 3:02 AM

@ BF Skinner,

"I like the model where I never surrender my card to human or machine."

It's nearly Xmas be carefull what you wish for...

One way to read your wish is RFID...

And as we know that is a truely scary model as it becomes your own personal "cattle tag" amongst other things.

@ TomTalks,

"I don’t dislike EMV cards and expect they’ll one day be standard, but I joined MagTek as CSO to help fight fraud now"

I sincerly hope that EMV "chip-n-spin" does not become the standard. It is in many cases (for the consumer) worse than the plain mag stripe CC.

The whole premise of the idea is to move the risk to the people who can least afford to defend them selves the card holders. This was one reason SET failed (there where others).

Also some UK banks and issuers are putting in RFID (based on Oyster Cards) without the customers concent. This system for "micro charging" has no recognisable security features for the customer and could easily be viewed as a "hole in the pocket".

However the UK Gov (unelected officials) is in favour of RFID for reasons I can only guess at.

So the EMV system is going to be replaced with something worse for the consumer based on the current trend.

The problem for the banks and the card issuers is the "bean counter view" to security, which has only led to tiny incremental increases in security at each stage.

These "fixes" only work for a short time before somebody develops a way around it. And these people have set up all the backends required to take advantage of the inherent insecurity. This "fraud machine" is addicted to the cash and won't be easily stopped.

The result is the "bean counter" view has forced the evolution of the card fraudsters. Technology wise the fraudsters are now well ahead of the curve and the banks and card issuers well behind.

In many cases the fraud being commited is "end run" fraud that is by exploiting the gap between the consumer and the security perimiter of the card processing system.

The amount of scope in the "end run" teritory is huge and thus unless it is correctly addressed any other changes are going to be minimaly effective. And as a side effect strengthen the fraudsters.

The first thing the banks and card issuers are going to have to do is drop the notion of "off line transactions", the second is "fall back on fail". As long as either of these is in the business model it is going to be subject to the fraudsters.

Both together as in the case of chip-n-pin is a cast iron promise that not only will the fraud continue it will increase.

The "bean counters" and "customer satisfaction marketers" need to bite the bullet and accept that what they are doing is making fraud not just probable but actually nurturing it.

There are known solutions to "end run" security issues but they are very very easy to get wrong. Oddly the simplest is likley to be the most secure simply because they end up being multi disparate channel and multi authentication in a way the human not technology can see understand and control.

End run security is a human brain not technology problem the solution has to use the human brain.

Untill the banks and card issuers take this on board then there will be continuing fraud.

In return the customers have to accept that there can be no "instant gratification" under "fault conditions".

TomTalksDecember 19, 2009 8:33 AM

@ Anklebiter-- two of the three big card brands have run full blown attack programs against the system, but failed to be able to duplicate the naturally occurring unique magnetic noise. While it’s easy to read this pattern, someone would physically have to manipulate billions of Ferris Oxide particles on a 3 inch strip of Mylar into a specific pattern, and human technology hasn’t evolved to that level yet.

A magnetic stripe is created from billions of ferrous oxide particles. The particles are various shapes and sizes and are mixed in a random pattern when the magnetic slurry is prepared. They are sealed in place when the slurry dries, during the tape manufacturing process. Once this occurs, the stationary particles emit a permanent, repeatable and distinctive magnetic signal, which is the MagnePrint. Unlike a new encryption scheme that just takes more CPU power to crack, this is nature v technology, and nature wins. It’s one more layer of security, that protects the merchants and lowers the risks of counterfeit cards in society—both good things.

Brandioch ConnerDecember 19, 2009 10:21 AM

@TomTalks
"4) So far, it’s done well in multi-year banking tests and trials, with over a million MagnePrints registered, over 1100 counterfeit cards caught, and more than 10 million dollars of fraud defeated."

1,100 counterfeit cards.

At $10 charge on average - $11,000 fraud defeated.

At $100 charge on average - $110,000 fraud defeated.

At $1,000 charge on average - $1,100,000 fraud defeated.

At $10,000 charge on average - $11,000,000 fraud defeated.

That average seems rather high to me. What were the criminals trying to purchase?

"Even with all the counter-fraud techniques in place today (including holograms, multi-color ink, cvv and neural nets), there still remains over $4billion dollars in annual theft from merchants, and it’s the merchants that are the most motivated to stop it."

Do you have more data on the neural nets you mentioned?

pablo cousinoDecember 19, 2009 10:32 AM

WE are using magneprint in almost 800 ATM here in our Bank called BCI in Chile. These ATMs beong to a network of ATMs (redbanc) of all chilean Banks.
WE started 18 month ago and it have been very succesfull because we have eliminated the fraud in ATM because of skimming.
Now we are testin on POS. We worked with magtek and with local supplier and with a multivendor sw for atms called KAL from UK.

DonnaDecember 19, 2009 12:31 PM

Back to the original point of this post, there are over 30 billion magnetic stripe cards in the world (and only 2.7 billion it seems are payment related per above), so what are some other areas that would benefit from being able to tell an original card from a fake?

Mimi HartDecember 19, 2009 9:20 PM

Yes, such as Driver Licenses; Corporate, Education, and National IDs; Telephone cards; Gift and prepaid; Download cards; Access Control. Any place where an inexpensive, non-duplicable token is needed.

In the on-line world, anytime "user name and password" is insufficient.

There is more to a magstripe than meets the eye. You just need a better reader (MagnePrint enabled) to see it.

There is nothing extra to type. The reader sees more data and emits the static data, like the PAN etc., and the MagnePrint stochastic data which is used to authenticate the token.

Clive RobinsonDecember 19, 2009 11:30 PM

@ Donna, Mimi Hart,

Be very carefull on your assumptions as to what the technology actually does.

"It only verifys the measured magnetic stripe nothing else".

The rest of the token around the stripe and the data on the stripe are not verified by this system.

Effectivly it is just like a VIN plate in a car or serial number plate on the back of a machine.

You need to ask the questions about how somebody might attack the system as a whole not an individual asspect.

For instance if I know how the algorithm works, and you must assume it is known fully by the enemy for security evaluation. I can make my own cards in exactly the same way as the card issuers.

Therefore this system is of no use in an "offline" system.

Likewise what way is the "serial number" tied to the data in an online system.

Likewise what relationship does the data have to actual security in all it's aspects.

By the way this sort of system is not new the SALT negotiations threw up many ideas for non duplicable physical property devices that could be used as serial numbers on things like tanks etc.

They also gave rise to the work by Simmons on what we call "covert channels" back in the 70's.

However for many reasons the physical property serial numbers never realy took of in the way many expected.

The most frequent use these days is in "tamper evident" security seals.

And it would be worth digging out a lot of the work on these as they show interesting and surprising attack vectors.

Nick PDecember 20, 2009 12:08 AM

@ Clive

Well, upon further thought, it does seem quite interesting and useful. Some of the attack vectors seem unlikely, Clive. They are more like insider threats. While that's the biggest problem in regular business, most credit card fraud is external. The technique they are using is to match the cardholder (account & presumably PIN) to the card itself. If (assumption follows) cards are printed first then tied to users as they are registered, then this can reliably prevent millions of dollars of ATM fraud annually from cloned cards. The current model is to pay about $20 per plastic card (reusable) and then $100 for data w/ PIN. Spend a few grand and you make tens of thousands. Send that, hit more ATM's, make more money. Even $1,000 limit per card translates to big bucks and widespread deployment of this would prevent a lot of that. Like biometric w/out permanent privacy issues. ;)

@ TomTalks

Well, that was the good news. The bad news is that this only stops one or a few threats. Online fraud, which is tremendous, doesn't ever use a physical card. Cards can still be stolen, as well. If this system was implemented, both card theft and online fraud would go up. They would also become more efficient. They are already efficient enough that two guys with a distribution team in a foreign country can net millions in a year via fraudulent purchases resold on sites like eBay (actual case study). This system only defeats one threat in this space, at best. A Barclay's one-time PIN system or something like that is even better: works on *every* type of transaction and requires only a thin extra device. Throw in tamper-resistance & side channel prevention and we have a winner. If this was mandated on all online transactions, people wouldn't mind it. I hate regulations though... they always end up being totally lame after all the compromises are made.

Nick PDecember 20, 2009 12:21 AM

@ Brandioch Conner

You asked about neural networks. This is a technology from AI and statistical research that learns patterns by example from raw data. They can spot patterns that are nearly impossible to code as rules and reliably catch them in mountains of data. However, they are notoriously tricky to structure or train properly and produce many false positives or negative. They and their cousins, Support Vector Machines's, are the current best attack strategy on CAPTCHA's and things like fraud or risk detection. They can also be combined with rules- or case-based reasoning for better results.

Example Neural Fraud Prevention Product
http://www.nd.com/resources/smartsoft.html

Clive RobinsonDecember 20, 2009 5:52 AM

@ Mimi Hart,

"Think RBS. 100 cards, 28 cities, 1 hour, $9 million dollars."

I guess from your first post you work for or are associated with Magtek.

Thus you should know that the $9million dollar theft you refer to involved manipulating the systems behind the ATM cards.

Thus the attackers could do very much what they wanted.

Effectivly this changed the attack from an "online" to "offline" attack.

So this "physical serial number" technology would not have prevented the attack (only possibly made it more difficult).

Even with Chip-n-Pin ATM fraud continues with little problem.

The three main reasons for this are,

1, The use of Mag stripe only readers.
2, The use of incorect "fall back on fail".
3, Offline attacks.

The first problem is an "edge effect" that is the attackers know that Mag Stripe only readers are used in certain parts of the world and they take the "clone details" from cards skimmed in ATMs in the UK etc out to these machines.

The second attack works because of the banks "Marketing and Customer Services" Departments. If a working chip is not present then it falls back to "Mag Stripe". Thus simply taking the chip out with a battery made the "cloned card" work with Chip-n-Pin terminals.

The third attack is again an issue with the banks "Marketing and Customer Services" Departments. For any "serial number" system to have a chance to work the serial number has to be held in the part of the system that autherises the transaction. If it is not then the serial number is of little or no use because there is no reliable way to check it is valid. Thus if the ATM can not contact the validating database reliably all bets are off.

Oh and another issues with this technology and say "Chip-n-Pin" it probably won't work, for pragmatic reasons. That is most Chip-n-Pin readers don't read the mag stripe thus any change in pattern due to normal wear-n-tear is not going to get logged by the system.

Thus the two technologies are going to "butt head to head" and if the banks "Marketing and Customer Services" Departments have anything to do with it then the non-swipe conveniance of Chip-n-Pin will win hands down.

I suspect that Magtek executives are aware of this and rememper the Video Tape Format wars and are hoping that their low cost low tech "VHS" system will win through.

Well I personaly think neither will win in the long run and that unfortunatly LF RFID will win due to the extra revenue potential it offers the banks "Marketing and Customer Services" Departments.

Clive RobinsonDecember 20, 2009 6:13 AM

@ Nick P,

"They are more like insider threats. While that's the biggest problem in regular business, most credit card fraud is external."

At the moment due to the "low hanging fruit" principle.

The $9million in an hour showed that attackers could subvert the system and make it effectivly "offline" autherisation.

It should have been a wake up call to the banking industry but they appear to have forgoton already.

As the easy attacks dry up then the money machines that these fraudsters now are will simply evolve a longer neck to get to the next level up of fruit.

Banks etc will continue to make tiny incremental improvments to their systems when they are publicaly shown to be at fault. But otherwise they will "externalise the risk" onto those who can least afford to fight them.

We have seen this with Chip-n-Pin where we have gone back to the bad old days of banks accusing card holders of fraud or negligence and throwing money at lawyers rather than solve the issue.

And we are now seeing merchants getting a dose via PCI failing. Auditors come in and advise and certify an organisation. The organisation gets hit and the first thing that happens is the card issuer banks roll out the lawyers...

The simple fact is the payment card industry in all it's forms is not upto the job of stopping fraud, and in all honesty I don't think it ever will be as long as they are allowed to pass the loss onto others.

Worse the card issuer banks are by their small incremental improvments just making the enemy fitter and stronger and giving them more resources.

I've said it before, few people can climb a mountin without training to do it. The banks are providing a training course for the fraudsters and paying them to be on the course out of our pockets...

Nick PDecember 20, 2009 12:36 PM

@ Clive Robinson

Well, the $9 million in an hour can only be discussed so far on this. I mean, that's a rare occurrence. The banks need to do better on that end, but the real problem right now is authenticating online and offline transactions. This is what they suck at and what's involved in most CC fraud.

I did like your points on PCI & Chip and Pin. PCI get's pretty wasteful and way out of the threat model, like when it requires a wireless intrusion system on non-wireless networks just in case a thief uses WiFi in his spy gadget. I guess they were sure the thief wouldn't just use, say, *any* other part of the spectrum! Chip and Pin was proven to be very easy to defeat and attackers made considerable money off it. Both do serve to let the banks blame it on the customers. I think the MagStrip would just do the same: "No, he couldn't have made that withdrawl because our system is impossible to defeat. They'd have to make billions of iron part... blah blah blah." Seems to be the trend, these days.

Ctrl-Alt-DelDecember 20, 2009 6:55 PM

@TomTalks:
"3) To Paul’s comment on the magnetic fingerprint changing over time, yes it does, but we use that to advantage. When we read a magneprint, we score it by correlating it to its reference print. Since each swipe is different, the score is never an exact match, but the ‘good’ card is always a very high correlation, and a counterfeit card is always a very low one. It’s never the same (with billions of random particles), so an exact match is declined as a replay attack."

How do you "replay" a card swipe? Do you mean someone using a hacked reader and playing back recorded swipes?

Right on! Those stupid fraudsters will never think of changing the recorded numbers very slightly before playing them back.

Mimi HartDecember 20, 2009 9:11 PM

Yes, you might play them back, and jiggle the bits, but the MAC fails and the transaction can be declined.

Clive RobinsonDecember 21, 2009 1:09 AM

@ Nick P,

"Well, the $9 million in an hour can only be discussed so far on this. I mean, that's a rare occurrence."

I don't have crystal balls so I cannot say if it was a one off, a rare event or the start of a new trend.

My gut tells me it's the last, simply because banks internal security has always been bad. Mainly because the took all the checks and balances of the manual system (designed to stop individuals) and put them into an electronic system and forgot that now some individuals could in an IT system effectivly become many people (force multipliers) and the computers having no "hinky" let them do it, thus opened up all sorts of posability for crime that was not there before.

Which is why as you say,

"The banks need to do better on that end,"

And realisticaly I don't think they are simply because they are to focused on losing an old war (with horses and sabers) and not paying attention to the new war (with planes and tanks) whilst the enemy is planning for the war after the next three wars (stand off weapons).

This is becauseas you say,

"the real problem right now is authenticating online and offline transactions. This is what they suck at and what's involved in most CC fraud."

And this is the point "offline" transactions where the center with all the autherising systems is not available will always be open to fraud. It is a lost war and there is no point fighting it. Security should override the "Marketing and Customer service" departments and say "no offline" and "no fall back on fail".

This almost immediately removes all the current "easy fraud" which costs way too much to fight.

That way instead of squandering resources on a CM/CCM/CCCM war at the bottom of the Khyber Pass they force the enemy to come out of their mountain strong holds and down onto the central plains to fight, where the enemy is at a disadvantage.

At the end of the day the battle the Banks and Card industry is currently fighting is a war of attrition and all their wins are pyrrhic at best ( http://www.wisegeek.com/... ).

Their battle can be seen as one to protect an empire by fighting the barbarians on the edge of the empire. They would be better advised to turn the Empire into a Kingdom/federation and let the Barrons/states fight the local tribes men whilst the king/president protects the treasury.

The real problem with these "physical serial numbers" is they work the wrong way around.

They have physical atributes which produce information, which you then use to try and protect other information.

It only looks good this way because we are by and large creatures of the physical not information worlds.

From the other direction all you see from the physical token is a "derived" serial number that may be used as a check record in a DB record that may or may not be unique and is currently belived not duplicable.

It thus has no reality in the information world other than a bit string.

It has no implicit fundemental relation to the actual data in the records nor is it tied to the data in some fundemental way.

It is nothing more than a tangable entity reduced to an intangable data string trying to protect an intangable and ephemeral entity. Worse it changes with time thus there is going to be a whole host of other issues (ie it cannot be used as a crypto key etc).

Thus it cannot of it's self prevent the data being changed nor can it do a whole host of other things that realy are a nescesary requirment to making the Card industry secure.

Like a Bio-metric once known to the enemy it is no longer a secret and thus has no real value in the information world because it is effectivly infinatly copyable and reusable without refrence to the physical token.

Simply because of this it is always going to be subject to replay attacks at some point in the system. The physical resources to protect this physical secret are so vast that it would be pointless.

Thus you need to use some non physical method to provide the security. Due to the way a physical token gets converted into information there will always be an oportunity to do an "end run" around the physical token, there is as we know from experiance no physical lock that has been designed (yet) that cannot be picked, irrespective of the lock manufacturers claims to the contary.

I know this because I fell into a similar trap with Capatchers. They are very difficult for a computer to process. Thus I made the mistake of thinking they could be used as a force multiplier as a trade off to overcome human weaknesses. Effectivly by extending the security perimiter the "last mile" into the humans head thus stop the "information security gap". Thereby to limit the oportunity of automated man in the middle attacks whilst reducing unreliable human keypress efforts.

What have the enemy done, well an "end run" around the capatchers, they simply use a low payed person in another country to convert capatchers back to key strokes. That is they simply used an economic force multiplier against a technology hurdle to gain an acceptable trade off.

To be of real use in the information world which is what the Card industry realy is, it needs to work the other way around that is you need a source of information that is secure in it's own right. From this the records etc are derived.

Currently we only know of a very limited number of provably secure information systems. The simplest of which is the "one time pad".

To a lesser extent we have other systems such as the BBS RNG and RSA and eliptic curve that are axiomaticaly secure.

It is this "information world" security we should be persuing not security based on the convertion of some physical token into information.

Information can be protected by information physical objects can only be protected by physical security. Those that forget that are heading for a fall.

If you cannot afford the physical security at the perimiter then don't use physical tokens.

paulDecember 21, 2009 10:39 AM

@TomTalks:

I'm still confused here. If the magprint signature is on the card, and the reader is comparing the signature written on the card to the signature derived from the swipe, then what's to prevent fraudsters from writing a card whose written signature matches the magnetic fingerprint that it generates when swiped? (I'm assuming, of course, that the algorithm will become known, but with tens of millions of readers out in the field that seems like a pretty good assumption. Readers have been hacked before.)

If I were an organized criminal, I'd be preparing an attack for the time when this technology goes into widespread use, knowing a) the enormous business advantage to be gained by being able to generate fraudulent physical cards when other criminal organizations couldn't and b) the likelihood that stores and banks using the tech might back off on other anti-fraud measures for physical cards once they're perceived as more secure.

Andy DeignanDecember 21, 2009 12:58 PM

Hi Paul. I hope this expalnation helps.

MagnePrint is a dynamic card authentication technology based on the unique physical properties of the magnetic stripe, also referred to as the stripe's digital identifier or (DI). It provides validation that the card itself is genuine and that its encoded data has not been altered. The term itself is derived from 'Magne' as in magnetics, and 'Print' as in fingerprint.

Just as fingerprints can uniquely identify human beings, Magnetic Fingerprints (MagnePrint) can uniquely identify magstripe cards. This is possible because of the stripe composition. A magnetic stripe is created from billions of ferrous oxide particles. The particles are various shapes and sizes and are mixed in a random pattern when the magnetic slurry is prepared. They are sealed in place when the slurry dries, during the tape manufacturing process.

Once this occurs, the stationary particles emit a permanent, repeatable and distinctive magnetic signal, which is the MagnePrint. The MagnePrint, like a fingerprint, remains basically unchanged for the life of the card.

The MagnePrint is in the background of the stripe. It is sometimes referred to as 'noise'. It does not interfere with the cardholder personal data encoded in the foreground. Nor can the encoded data remove or erase the MagnePrint. Furthermore, the MagnePrint and the cardholder personal encoded data can be linked.

MagnePrint technology offers four layers of security. These are increasingly impregnable layers that act as barriers to prevent the compromise of MagnePrint technology.

The first layer is inherent in the complexity of the particulate distribution on a standard magnetic stripe. The MagnePrint algorithm leverages the fact that the 3.375 inches of stripe space along each card's encoding area are populated by a persistent random distribution of particles that are permanently fixed. Changes in the magnetic stripe's physical structure that occur during a card's lifetime, e.g., by abrasion during normal use, are statistically insignificant.

Furthermore, the likelihood that two different cards will yield identical particle distributions, given the randomness inherent in the process by which magnetic stripes are manufactured, is in the range of one in 900 million. And the hundreds of millions of particles make it statistically and practically impossible for an existing magnetic stripe to be cloned with a particle distribution pattern that will yield an equivalent MagnePrint value.

As a second layer, MagnePrint technology determines the 54-byte MagnePrint value in reference to the positions of the flux reversals of the encoded card data. The data pattern is larger, by orders of magnitude, than the particle pattern. Therefore, if a valid card with a known particle pattern were to be re-encoded with identical data, it would show non-trivial variances in the way the encoded data pattern microscopically aligns with the physically permanent particle structures of the magnetic stripe on the card. As a result, cards with altered data can be detected with MagnePrint technology.

The random variations inherent in each incidence of reading a card offer a third layer of security. Each read of a card, whether the card is swiped by hand, or inserted into a motorized or dip reader, is a stochastic process. Due to the principle of entropy and certain factors of imprecision such as swipe speed, pressure, direction, acceleration and reader to reader variations, the MagnePrint will change unpredictably with each swipe but within boundaries that allow it to be measured and validated.

Paradoxically, this means that a transaction MagnePrint value that is identical to a previous MagnePrint value on file is almost certainly fraudulent and will be rejected by the host. Multiple MagnePrint values taken from the same card on successive reads are expected to vary, within a statistical range. The probability of an exact match on all 54 bytes in separate card reads is in the range of one in 100 million. This inherent variability provides a statistically probable, unique transaction value for every card swipe, adding far greater security to the payment system and reducing the value of card data obtained through criminal cardholder database breaches.

Finally, as a fourth security level, the MagnePrint authorization process is protected against fraud by the simple fact that it depends on information that is in plain view. There is nothing hidden about the particulate structure of the card or the encoded alphanumeric data. This means that there is no 'secret' to the fundamental MagnePrint technology that, if cracked, would compromise the system.

Determining acceptance criteria: It is important to understand that MagnePrint does not guarantee the authenticity of the transaction. It provides the card acceptor or authorizer a data point representing the probability that a given card used for a transaction is authentic. By using this data point, a card acceptor or issuer can establish an acceptance criterion for a financially acceptable level of risk.

paulDecember 21, 2009 2:20 PM

Oh, dear.

They've brought out the bafflegab cannon.

Once more, maybe a little clearer: is there anything that prevents someone who a) knows the algorithm magneprint uses to calculate its signatures b) has a magneprint-capable reader and c) has a card writer from creating a card whose 54-byte signature and magnetically encoded account data will pass verification. If so, what? Without the stochastic verbiage, please.

(Oh, and 1 in 100 million is not that comforting. That means statistically-expected matches occurring several times a day at least...)

Chris SDecember 21, 2009 2:36 PM

Regarding last post, the third level of protection is false. It won't take very long for someone wanting to use false data because they just need a program that can simulate the statistical probability needed for an acceptable match. Then as long as they have the original reading they can create acceptably similar fake swipes. Even if the statistical information is secret they can swipe cards repeatedly building up a statistical base to work from.

In fact I suspect with some research it may be possible to encode cards with an given magnetic signature that mimics an original one in a statistically acceptable way. If we assume they would use current day encoders then it would not be possible, but who's to say that more advanced encoders capable of altering the magnetic structure in a more sophisticated way isn't possible. Since there is an inherent level of error in the background noise it wouldn't be required to be exact, only close enough to fool the reading algorithm.

Who knows where this would end up but given the rewards I expect the work will be done as the system becomes widespread enough.

Anyway, I suspect this whole foolproof card idea is mostly about taking the burden from the merchants and banks and placing it on the card holder.

Mimi HartDecember 21, 2009 2:53 PM

Paul,
Even if you a) know the algorithm, and b) have a magneprint capable reader, there is no card writer that can easily write the account data and the signature data back onto another card.

The other card has its own signature which cannot be erased and which will interfere with the signature you are trying to superimpose.

While we note that nothing is impossible, because the stripe has billions of particles that give off a signal, (independent of the encoded data) it's darn near impossible to create another stripe which has a similar particulate distribution and hence a similar signature.

Clive RobinsonDecember 21, 2009 5:27 PM

@ Paul,

"Once more, maybe a little clearer: is there anything that prevents... ...If so, what? Without the stochastic verbiage, please."

Either they are deliberatly avoiding answering the question or they know the answer and don't want to say it.

The answer is of course NO nothing at all. The only prevention is the recorded signiture in the Bank/Card Issuers DB.

Thus this system will only work in "online" mode.

And as we know the attackers will be aware of this and thus only attack the system in "offline mode".

Which is why I say the Bank/Card Issuer security people need to override the "Marketing and Customer Service" Depts desires which give rise to the need for,

1) Off line authentication.
2) Fall back on fail.

As long as these two are there then the attackers will use them to their advantage.

The other thing is at what point does this 54bit DI string get set to the Bank/Card issuer central system and how?

That is unless properly done it may be subject to "bit flipping" or "block replacment".

Personaly I think this is a "trying to win a lost war" technology (like CCTV as a deterant). As such it will have an initial success and fairly quickly it will be worked around.

And as has been observed the Banks/Card Issuers will put money into putting the cost of a failed attempt onto the customer by talking "stochastic noise" in the court...

Oh and a point of note don't belive anything you hear about how they encrypt the data etc the signal from the Mag Head is analoge even a minor change with a soldering iron will alow a "copy" signal to be injected.

Further I have seen no evidence that they have a method to protect against a "replay shim".

What they glibly talk about as "noise" is actualy not noise in the conventional sense. It is highly repeatable and thus can be picked up and recorded just like any other signal. Importantly it can be read over and over again and thus used to average out other noise.

Something they have not talked about is particle size and hysterisis. Due to trying to produce mag stripe cards for 10cents or less the partical size in the mag stripe slurry is quite large. However expensive audio tape uses considerably finer partical sizes.

It thus may well be possible to simply glue a very fine particulate tape over the top of the course grained particulate mag stripe and record a cleaned up signal on to it with sufficient quality to get past the engineering tolerance on a low cost card reader...

Ctrl-Alt-DelDecember 21, 2009 6:13 PM

What's obvious here is that:

1. "MagnePrint" provides NO protection against online fraud, as for such transactions the card is not swiped (or is "swiped" in an easily spoofed way).

2. "MagnePrint" provides negligible protection against "spoofing" using a compromised card reader under control of the fraudsters, nor does it protect against man-in-the-middle attacks.

3. "MagnePrint" provides negligible protection against harvesting signatures using a compromised card reader connected to a PC. If a reader can read the pattern, the result can be stored and (subsequently) manipulated and reproduced.

4. Cards are designed to be cheap to make. For a higher price it would be possible to produce a card "blank" with finer particle size mag-stripe that could be recorded with a captured Magneprint signature. Such a card could look and read just like the original card and would therefore be usable anywhere. At present there's no financial incentive to produce such artifacts, but that would change if MagnePrint became popular. The countermove to such cards is to upgrade the magnetic stripes of all legitimate cards to the same quality - a very expensive move that has implications all the way downstream (including better hardware and software to manage the finer resolution) and therefore would certainly not be implemented until MagnePrint fraud was already widespread.

If implemented immediately worldwide this technology could provide a brief period of reduced fraud until the fraudsters upgraded their own technology, but the operative term is "brief".

If implemented more slowly it would have almost no effect on the amount of fraud, because of things like offline fallback, and because it would mean the fraudsters could ramp up their technology accordingly.

It's worth noting that "offline" authorisation is still the norm in many countries once you get out of their big cities. Closing down offline (paper) transactions would indeed close a big loophole and would be a huge boost to the the "cash" economy in such places.

Nick PDecember 21, 2009 6:17 PM

Yeah, he totally didn't answer the question at all. That was a lot of technobabble that barely served his marketing agenda. Ok, let me ask the same question in a different way to see if he answers: "How exactly is the MagPrint fingerprint compared to the data on the card? How is this information checked against an online database to ensure authentication? Is there an offline mode and how does it work? Is their a fall-back for when unexpected things happen and how does that work?"

These are the important questions. For instance, if one simply took a MagPrint of the card and compared it to the MagPrint value stored in the magnetic stripe, then a thief could simply store the MagPrint value of *his* card in *his* stripe along with a stolen account number, pin, etc. If the bank stores the magprint value of each issued card and ties it to the card holder, then the bank could have the reader transmit the magprint (not stored on card), account info and PIN to the bank for verification. So long as authentication protocol functioned correctly, this may prevent card cloning and shift attacks to card theft, which is more difficult and risky. But do they actually do it this way? What happens in offline mode? What happens if magprint reader is broken for whatever reason?

And please don't tell me any more about the MagPrint technology. It doesn't even matter: biometrics & secure tokens already accomplish the same thing in practice. The weaknesses are usually in the implementation of the reader (i.e. shortcuts or bugs) or how the unique value is used to ensure security (the protocol). We're concerned about faulty implementations and the authentication protocol, not the uniqueness of magprints. If you answer my above questions, mainly those in paragraph 2, I would be quite grateful & we can all move forward in the discussion.

Ctrl-Alt-DelDecember 21, 2009 6:23 PM

Oh, and I forgot to add - MagnePrint offers NO protection against stolen cards. On the contrary, since the stolen card is the real thing, MagnePrint could lead to decreased vigilance.

Mimi HartDecember 21, 2009 7:21 PM

You're right...

Fifty-dollar bills have anti-counterfeit features built in, but they won't protect you if they're stolen

Counterfeit payment instruments harm the system. MagnePrint can detect and stop their use.

Chris SDecember 22, 2009 3:49 AM

Not just stolen cards but if smart then swapped cards. Replace real card with fake and then go use the real card as needed. How long before the card owner realizes it's fake, especially if fall back mechanisms allow him to use the card when the MagnePrint signature doesn't validate. After all, he is the real user so he can provide docs and info to show he should be rightfully using it, and he could still use it online. Just another attack method.

AndréDecember 22, 2009 8:22 AM

@ Mimi Hart / Andy Deignan

I am with Clive and the rest of them here: you claim that your product can "detect and stop" the use of counterfeit magnetic-stripe-cards. But you do not tell us, how. Well you do tell us a lot, but it does not have anything to do with the "how", in fact.
As far as I understand your explanations, you take a new card, save my data on it and then from my data and the magnetic pattern of the card you generate a key which you save on the same card too. How does that prevent me from taking another card on my own, saving my data on it and then generate a valid key for this card the same way you do and put it on the card as you do? How will these 2 cards be different?
Well of course, if you put the key you generated into my bank's database, so to check its validity, that of course is something I can't easily do on my own. But if not, the only thing a cardreader can do is verify, if the data on the card and the card itself matches to the key. Both cards will pass that test. There is only one way not to pass that test (except breakage of the card): if I steal someones fully functional card and put someone else's data on it. But why should anyone do that? I mean, having a fully functional card already ...

Mimi HartDecember 22, 2009 9:26 AM

MagnePrint has two distinct benefits. It will detect that the token is not original and it will detect if the encoded (personal account) data on the card has been altered. It does this by the following process:

A MagnePrint enabled reader reads the cardholder data and it simultaneously reads the background magnetic signature. The two are conjoined to produce a 54 byte value. That value is stored at the authentication host. When the card is read at the POS or ATM, the process is repeated. (The cardholder data and the signature are read simultaneously). A new 54 byte value is generated and sent to the host. At the host the two values are compared. If they correlate highly, the card can be considered valid. If they correlate poorly, the card can be considered counterfeit. If they correlate 100% to the reference value or one that has been seen before, this will be considered playback and the user can be prompted to re-swipe.

If they correlate poorly, by deduction we know that the data has been altered or the token has been substituted.

What has been described above is the underlying technology. In addition to this, the reader encrypts the 54 byte value with a derived unique key per transaction and a sequence counter. Before that happens, the reader initiates a challenge/response sequence to mutually authenticate the host and itself. If this does not occur, the reader will not broadcast. (Swipe all you like, but you will not get the data.) The host may also send an encrypted session ID which the reader validates and returns to the host. This allows the swipe to be time bounded.

These readers, called "MagneSafe" when properly used can authenticate the reader, the host, the data on the card, the card itself, and protect the cardholder data during transmission.

If a value related to the PIN is encoded on the card, it can also assist in validating a cardholder who demonstrates knowledge of the PIN.

Every magstripe card has a magneprint; the magneprint is NOT encoded (written) on the card. It is a naturally occurring phenomena. It is the combination of the encoded data and the magnetic signature, read from the stripe, which produce a dynamic (unpredictable) value that can be used in conjunction with encryption to detect and stop counterfeit cards.

trsm.mckayDecember 22, 2009 11:53 AM

Lets see if I can move the discussion forward (disclosure - I have a long history in this area, including working with Magtek).

@Nick
Yes, the bank does store the magneprint value of each issued card and ties it to a specific the card holder. There are two basic methods of encoding cards: centralized (than mailed to account holders) or distributed (devices at the branch write the stripe). I've helped Magtek on their distributed card encoding solutions (MCAPS and ICAT). For those more familiar with smartcards, think of the personalization step.

@Andre
The magneprint value is not stored on the card. Leaving aside the security problems with that apporach, it has the potential for all sorts of nasty compatibility questions.

There is no advantage to stealing another card with a valid magneprint, and using it as a starting point to copy a different customer's card; because it magneprint is calculated using both the card's magnetic background and the encoded values.

@Chris S
Can you clarify the attack you are describing?

trsm.mckayDecember 22, 2009 12:15 PM

@Ctrl-Alt-Del
Some good points, but I think you have a few misunderstandings.

Obviously agree with your point 1 -- this does not apply to card-not-present transactions. Also agree that it does not help against physically stolen cards.

On your point 2 about a spoofed reader (or spoofed transaction) I have seen some claims from Magtek that certain elements are hard to spoof, but I don't know enough to comment. details to be definitive. I suspect it really depends upon the exact scenario.

On your point 3, it depends upon how the attacker wants to used harvested signatures. Knowing the signature won't help you with a non-compromised reader/transaction source, and we have already agreed it does not help on card-not-present transactions. Whatever is left does not seem to be a real world attack scenario.

I suppose point 4 with some type of super quality card and card encoder is potentially possible, but given my experience with card encoding I can guarantee it won't be cheap or easy to make. My strong suspicion is at this point the criminals will look for an easier path (like card not present transactions :-) ).

Chris SDecember 23, 2009 4:29 AM

To clarify attack I had described I have no idea how feasible this is but it seems like not very difficult. Can organized criminals produce fake cards now? Then maybe a scenario like the following:
Valid cardholder uses his MagnePrint card. Accepting agent takes card and in addition to running the transaction they produce a reasonable fake of the card that is non MagnePrint. It doesn't need to fool MagnePrint but looks similar enough to fool the card holder (who likely sticks it back in his wallet without inspecting it too carefully). Now the copier has a real MagnePrint that can be handed off for illegitimate but fully trusted purchases. The card holder has a fake in his wallet and we don't know how long before it gets discovered. He may use it online, or use it at some locations without MagnePrint technology successfully. Presumably not all merchants will have MagnePrint universally. If he uses it somewhere that has MagenPrint will it fail his card or fallback to non-MagnePrint support? If fallback is allowed then the length of non-discovery is extended. Someday he will have trouble and contact support for help that his card doesn't work but by that point the real card has likely already had a good run, and the card holder is held responsible since how could he not have been when MagnePrint is so foolproof.

Nick PDecember 23, 2009 1:15 PM

@ trsm.mckay

Thanks for the clarification. If it has the online property I specified, it will prevent merchant and ATM fraud that uses cloned cards. The next area of vulnerability that came to mind is the decentralized scheme. MITM attacks on various devices, procedures or even the shipping of devices (like a malicious writer) may be possible. The malicious writer would be trusted in your scheme. I wonder what measures are in place to prevent modifications or replacement while being shipped to branch or while at branch. Particularly, criminals often get jobs at banks before trying to rob them. I wonder what odds are of inside job compromising writer or database. Payoff would be big.

@ Chris S:

Nice idea. It seems impractical for most, though. I mean, you have to be able to copy an arbitrary card in nearly exact detail and you need the time to do it. Thinking on it further, though, a mafia-owned restaurant or other store where card leaves owners hand for at least a minute may work. You could have high-res scanning equipment, software to convert it to card format, and a dual-sided plastic card printer (see link below). Then a typical stripe reader/writer would be used for cloning. A mafia restaurant (or rogue employees) could obtain tons of cards and commit lots of fraud before they were caught.

http://www.plasticprinters.com/equipment/...

trsm.mckayDecember 23, 2009 2:53 PM

Almost all card encoders used for distributed enrollment, at least for financial institutions like banks, have some level of security. The big batch centralized card encoders are a bit different, but I’ll ignore them because they seem to be outside of your scenario. From a security standpoint there are two types, primarily depending upon whether they can handle PINs directly.

The card encoders that don’t handle PINs still require security (my experience has been with DataCard 150, 280, etc.). You may have noticed that most credit cards contain holograms and other features that are designed to make counterfeiting difficult. There are a lot of requirements around protecting these blank cards, which makes the mafia restaurant substitution scenario pretty difficult (assuming sooner rather than later a customer will notice the card they got back did not look right).

Typically this class of machine has good physical security, and a minimal level of logical security (they operate like a printer, but have some cryptography to make sure they only print for authorized sources). At least for the older Datacard models I’m familiar with the controller does not use secure hardware, so they don’t really have much defense against insider attacks (e.g. someone who can load blank cards can easily access the internal controllers).

The encoders that have to deal with PINs raise the security bar quite a bit. The biggest difference is the requirement for a TRSM (think FIPS 140 tamper resistant security module like a smartcard or HSM). In this class of encoder, access to the blank stock does not help an attacker with the logical security. I designed a couple of encoder systems when I worked at HP/Atalla (which led to my later association with Magtek). All hardware designs can be attacked given enough determination and resources, but at least the Atalla and Magtek encoders I have been involved have a substantial set of safeguards.

Still there are a lot of differences in banks through-out the world, and this is an area that does not have many standards (standard rant 1 – PCI regulations are primarily for not-on-us transactions, they don’t cover operations internal to the bank like creating PINs and card encoding scenarios). Given the increasing prevalence of credit card skimming, I wonder how long it would take (and how widespread something like magneprint would have to be) before the card replacing scheme would become a real world attack scenario (certainly it is not now).

trsm.mckayDecember 23, 2009 3:10 PM

@Mike B (first comment)
Says: Any technology that can read magnetic info from a card can be used to write info back to a card.

I might as well say that any microphone can become a speaker. Maybe you can get a microphone to produce some sound, but no one would mistake it for a particular type of high quality speaker.

Same thing for card readers, there are very different characteristics between read and write heads. Trying to write with a read head would not work well even on the older mag cards. When you consider trying to write on HiCo cards, this becomes total nonsense. HiCo encoding requires an extremely strong magnetic field, which means you need a specially design head and a very large supply of power. There is no way you could encode a HiCo card with the same parts normally used by a mag card reader, it would require a total replacement.

Clive RobinsonDecember 23, 2009 6:15 PM

@ Chris S, Nick P,

I can think imediatly of one place where the card leaves the owner for quite a while.

Open tab bars, where you give the barman your CC at the begining of the evening and he runs the tab for you and puts it on the CC at the end of the evening.

Another place is a resterant where people visit on a semi regular basis or have to leave the CC details to make a reservation.

Then there are hotels where they "pre-charge" your CC when you book in. Likewise car rentals and tool hire shops etc.

In fact any place you use your CC to pay a deposit or use on a frequent basis (Gas Station etc).

Clive RobinsonDecember 23, 2009 6:41 PM

@ trsm.mckay,

"... before the card replacing scheme would become a real world attack scenario (certainly it is not now)."

I hate to disagree with you but to my knowledge card "swapping" and "Dupping" has been going on for atleast thirty years.

The old "swapping" attack was simply to give a person back another card.

You would be astounded by the number of people who do not check their CC when the waiter gives it back to them, they just put it straight in their wallet.

The old Dupping technique was dead simple and still works today.

When you do an offline transaction with the paper voucher and the hand operated impression machine every thing you used to need was duplicated on the voucher. You just used to photocopy five vouchers onto a sheet of A4 and pass it on to a voucher forger. They used to have a hand impression machine where the merchant plate was removed and the place where the CC should be put was drilled out to take reverse letter dies which are almost identical to the raised type face used on the CC card the forger would run ten or twenty vouchers through and forge the signiture.

As a waiter or whatever you would when a customer paid in cash fill in the details run the voucher through the resturants impression machine to get the merchent details onto the voucher put that in the till and the cash in your pocket.

To do the same thing these days all you need is a digital camera on a fixed focal length tripod (like you used to see in spy movies for copying documents) and photo both sides of the card (it takes less than ten seconds to do).

The bonus is you get that magic little number on the back used for card not present transactions...

I think "offline" and card not present fraud will continue for some forseable time and the mag partical signiture will have no effect on these types of fraud.

The question then becomes how do you get the merchants to "pony up" for new EPOS systems with the technology built in when they still have a perfectly functional mag stripe reader they have already payed good money for.

Chris SDecember 25, 2009 5:58 AM

I hadn't even thought of the case where they photo the card and have lots of time to make the dupe. Then on your next visit or when you come to pick up/drop off items/car they make a quick swap. If this isn't being done now then I guess it's because they still have easier ways.

ClayJanuary 4, 2010 12:23 PM

@paul "..is there anything that prevents someone who a) knows the algorithm magneprint uses to calculate its signatures.."

In developing a similar anti-clone capability (based on different magnetic stripe attributes) that works in conjunction with format preserving encryption I addressed this problem at the system level.

In our case the 8 byte signature is encrypted and sent with a hash of the track data to the Verification Service. The VS uses the hash to index the signature for comparison and returns the result.

As long as the encryption is secure knowing the algorithm and the signature will not help in defeating the system.

Mike KJanuary 5, 2010 8:22 AM

point #1: no, it's not possible to write to or change the magnetic strip the way you are thinking. it's not an audio tape, and it's not a computer disc. it is possible to write the magnetic data, but not possible to overwrite the card's fingerprint. you should be familiar with MagTek's technology before claiming things like this.

point #2: the magnetic strip is durable, and can withstand a lot of use before the fingerprint needs to be retired and the card reissued. even if the fingerprint ages and can no longer serve as authentication, this is not an issue.

point #3: magtek is the world's leader in card scanners. it's not a startup that's trying to replace every card reader in the world. in fact, most of the world's card readers are already MagTek brand, and many of them already have this technology (whether or not it has been turned on in that particular terminal)

Cowardly And AnonymouslyJanuary 15, 2010 9:09 AM

@Mike K

Still, it is unclear, why we have to be forced to write to or change the magnetic strip of the current technology cheapo cards?

Criminal card may be produced by it's own specific technology, with very hign resolution of magnetic particles, that can hold the signal from the magnetic 'noise' of the commonly used lower resolution cards. I mean, not use the common cards and common card writers, but create an improved versions of both, targeted specifically at MagPrint counterfeiting. Such a technology is not developed yet? To say honestly, you don't heared of such a event. Have at all anyone tried to develop that yet? But anyway, does that fact provides some security to the card identification process, how do you think?

The technology have only be developed ONCE, and then used and reused widely! Criminally funded scientists will develop their custom card writers with cards in a matter of years, and then will sell them over the Internet, what a great business!!!

Again, why should criminals be bounded to only use the the technology, that is proven to be economically practical for card issuers? Are they the same people as card issuers? Oh NO!!!

ExothermicusJanuary 16, 2010 5:19 PM

The magneprint "signature" has two flaws that I can see despite their claims of it being foolproof.

1. The magnetic particle density and their inherent "data signature" can be duplicated with a sufficiently smaller reading and writing head using analog techniques.

2. The semi-random nature of this data makes any use of well known hashing algorithms impossible, require something more like a neural net for authentication.

3. The very nature of this technique using the characteristic noise of the medium, would make it very easy to mount a denial of service attack, by having would be skimmers to intentionally write to the signature area of the cards. Inducing a high failure rate would cause the system to be quickly abandoned.

4. I sell POS equipment in my day job. Despite PCI requirements, you would be surprised how many merchants (and banks) are still buying and using non-encrypted POS card swipe solutions. As long as the older and cheaper non-encrypted units still work with their merchant accounts, they are not willing to spend a few extra dollars to protect their customer data.

Exo

msrmanJuly 11, 2010 11:01 PM

I think the Magneprint technology is snake oil. They "MagTek" are assuming that all card skimmers are capturing and storing the actual card data that is derived from the analog signal on each track. All it takes is a card skimmer that captures the analog representation of the card and then duplicates the analog signal, not the digital card data. The digital data can still be derived from the analog data. Nice try, but Magneprint is only giving a false sense of security. When the card skimmers get hold of an analog reader/storage device (can you say cassette type recorder), then the Magneprint technology is toast. If you have doubts, then remember, the magnetic stripe data is a 2 frequency, coherent phase signal, and the read heads used to read this data pick up this signal and derive the actual data. Background noise???, what would you say that is, the amplitide of the 0 vs 1 bits? Anyway, an analog dupe of a card will defeat Magneprint.

Seeing is believingJuly 20, 2010 6:07 PM

BCI installed the technology on more
than half of its nearly 1,000 ATMs, and on
those machines, “we have zero fraud. Zero,”
Mario Gaete, its chief operating officer and
chief information officer, said in an interview...

msrmanJuly 23, 2010 1:42 PM

BCI may not be having any problems now, but once analog copiers of magnetic cards are available, then MagnePrint is doomed. Each mag stripe card when encoded is unique only when the encoding is done from taking a digital signal and converting to an analog signal as it is recorded, because the analog characteristics are unknown. If the analog signal of a card is skimmed and then copied to another card using the same analog parameters, then MagnePrint will see the new skimmed ie fraudelent card as the original. The reason that you aren't seeing any problems now is that no one has released any analog to analog mag stripe skimmer/recorders.....yet. It would cost less than $100 to make one, and all those companies who have placed their faith and trust in MagnePrint will suffer.

Seeing is believingAugust 3, 2010 12:42 AM

Please spend $100 and show us. You seem to miss the point that the card you might transfer the analog recording onto (from the one that you picked up on the analog skim) already has its own unalterable analog signature that will interfere with the one superimposed on it. If you truly want an appreciation for how difficult the task is, you should contact BCI. They have done a lot of testing. I think if you read the comments above from Magtek, you will see that they readily acknowledge "nothing is impossible" but the way they have implemented MagnePrint makes it extraordinarily difficult to pass off a counterfeit copy.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..