In 1960, an IBM engineer named Forrest Parry was
developing a new type of ID card for the CIA when he had an
epiphany: Why not make each card a tiny data storage device in and
of itself? He cut a short length of half-inch wide magnetic tape
from a reel and wrapped it around a blank plastic card, secured it
with Scotch tape, and then, at his wife’s suggestion, pressed it on
with a warm iron.
The magnetic stripe card was born.
Today magstripes are on the backs of millions of US-issued
credit and debit cards, where they hold all the information needed
to produce a flawless counterfeit card — account number,
expiration date, and a secret code called a
CVV. That has made Forrest Parry’s invention one of the computer underground’s most prized targets –
more valuable than anything on your hard drive. We were reminded of
that last week, when Home Depot confirmed that 56 million shoppers had
their credit card data siphoned from the big box retailer’s
point-of-sale systems over six months. That’s 3,000 miles of
magstripe, stolen three inches at a time.
The announcement makes the Home Depot breach the single largest
known theft of credit card data in history, edging out the 40
million cards stolen from Target late last year, and
about the same number taken from TJX in 2006. It may also be one of
the last major credit card heists.
But more on that in a moment.
First, a bit of history: What happens to stolen bank card data
hasn’t changed in 15 years — the hackers package it and sell it in
bulk to the underground’s third-party resellers. Ten years ago it
was the Ukranian known as “Maksik“; today it’s the Ukrainian known as “Rescator.” If Parry’s innovation was to take a bulk
storage medium and literally slice it into a wallet-sized one, the
computer underground has perfected the opposite process, compiling
all those squirts of information into a
big data play that would make Mark Zuckerberg envious.
Once it’s in an underground shop, card counterfeiters buy the
magstripes they need — sometimes ordering by bank or ZIP code –
and copy it onto fake cards using their own
magstripe encoding machines. Then they use the cards to buy goods
they can resell or dispatch crews to do the shopping for them in
exchange for a cut of the profits.
Since about 2001, stolen magstripe swipes, or “dumps,” have been
the pork bellies of a massive hacker commodities market, centered
in Eastern Europe and stretching around the globe. Beyond the
hackers who breach stores like Home Depot, and the resellers like
Rescator who market the cards, there are vendors specialising in
the hardware and material — plastic embossers, fake holograms,
blank cards, magstripe encoders — needed to use the data and
others who crank out professional fake IDs to help pass the fake
cards. By the most conservative estimates, it all adds up to $11
billion (£7 billion) in losses annually.
But the golden age of credit card fraud is drawing to a close,
and history will regard Home Depot, TJX, Target, and all other
breaches as a single massive exploit against one catastrophic
security hole: The banks’ use of roughly 23 characters of
magnetically encoded data as the sole authentication mechanism for
a consumer payment infrastructure that generated 26.2 billion
transactions in 2012 alone. Engineering
students will study that gaffe with the astonished bemusement with
which they view old footage of the Tacoma Narrows Bridge twisting
in the wind.
The fatal problem with the credit card magstripe is that it’s
only a container for unchanging, static data. And if static data
is compromised anywhere in the processing
chain, it can be passed around, copied, bought and sold at
The solution has been available for years: Put logic in the
card. Thanks to Moore’s Law, an inexpensive tamper-resistant
microprocessor fits comfortably in a space smaller than your
driver’s license photo. With a computer on both edges of the
transaction, you can employ cryptography and authenticate the card
interactively, so that eavesdropping on the transaction gains you
nothing. Just as IBM’s Parry made our wallets smarter by adding
computer storage, a modern card is smarter still by having an
entire computer onboard.
Now, after resisting it for 10 years because of the formidable
transition costs, the US is about to finally embrace the secure
chip-based authentication system called EMV — the standard was
pioneered by Europay, MasterCard, and Visa — that the rest of the
world has already adopted. Pushed by mounting fraud costs, credit
card companies have crafted incentives for merchants to switch to
the sophisticated readers needed to accept the cards. “There was a
lot of skepticism about whether it would ever happen in the US,”
says Michael Misasi, an analyst with the Mercator Advisory Group.
“All of the data breaches that have happened have woken people up,
and progress has been accelerating this year.” The first serious
milestone is October 2015. By 2020 the swipe-and-sign magstripe
reader will be as hard to find as the credit card impression
rollers they supplanted.
By then, it’s probably safe to say, the entire idea of a credit
or debit “card” will be quaint. With the newly announced Apple Pay joining Google Wallet as a real-life
payment system, even the chip-based credit cards will be little
more than a backup technology. Apple took some ribbing for announcing Apple
Pay while its iCloud celebrity breaches were still in the news. But
unlike cloud storage, the state of the art of retail payment is so
poor today that Apple can’t possibly fail to improve it.
You can see where this is headed by looking at one of EMV’s
early adopters. Since the UK deployed EMV “chip-and-PIN” cards in
2004, overall card fraud in that country has fallen 32 percent,
from 504.8 million euro in losses that year to 341 million in 2011,
according to the most recent figures from the UK Card Association.
There are two loopholes that kept criminals from being hit even
harder by the chip cards. First, the UK cards still have magstripes
so UK travelers can use them when visiting the US. Adaptable
criminals in the UK began working with confederates in restaurants
and shops, covertly swiping magstripes from customers and selling
them to American crooks to use at primitive American point-of-sale
terminals. These scams contributed as much as 80 million euro in
foreign fraud charges on UK cards in 2011.
But that loophole will close once the US switches over to EMV.
The second, bigger, loophole is online fraud. Internet transactions
aren’t made any safer by having a chip on your card, and in the UK
and elsewhere criminals were able to make up much of what they lost
by doubling down on fraudulent web purchases.
But the end is nigh for online credit card fraud, too. Systems
like Apple Pay and Visa’s newly announced Visa Token Service accomplish the same
security goals as EMV, but also work online. They replace the
static credit card number with a temporary token that changes every
time. “Initially, Apple Pay’s tokenization will only be for in-app
purchases from mobile phones,” says David Robertson, publisher of
the respected payments industry newsletter The Nilson
Report. “But over time that will broaden.”
Robertson agrees that the simultaneous arrival of EMV and
tokenization in the US will trigger a sea change in the
underground. “There’s every reason to think that the industry will
get ahead of the bad guys again,” he says.
None of this means cybercrime will become unprofitable. Skilled
cyber-criminals will still make tons of money in more elaborate
scams, like account takeovers and identify theft. But the death of
the magstripe will trigger a financial crisis in the unskilled
ranks of the computer underground akin to what the mortgage
collapse did to Wall Street. And Perry’s historic invention, so
brilliant at the time, can relax into its long overdue
This article originally appeared on Wired.com