Wednesday, October 05, 2016

R.I.P. Bobby

Daniel J. Hrubik, May 25, 1947 - October 3, 2016.

Tin-foil Hats and Chip Readers

I like to imagine that I am one who thinks “outside the box”. Hopefully, that will not someday result in having to think inside a box, one with bars on it, but I guess I will just take one day at a time.

Some time ago I got a new MasterCard with a chip. For those just learning, “chip” technology is replacing the old magnetic stripe on your credit card.

The magnetic stripe is just a semi-permanent account information record that was difficult to change. A card fraudster could take that information and use it in multiple transactions before anyone caught on to the fraud. It could theoretically be reprogrammed, but that would be inconvenient with current technology.

The “chip” in chip technology looks on your card just like the SIM card contacts for a cell phone. The technology allows a transaction made with the chip card to be given a one-time transaction code. Even if a fraudster can steal the basic account information, a second transaction cannot be made without the physical card to generate the unique one-time code. Again, theoretically, this is more secure, but the chip cards are capable of carrying far more information (in some European countries, they are used as ID cards), and the cards that are enabled for remote scanning can be read without being physically inserted (“dipped”) in a chip reader.
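To make the stripe-versus-chip difference concrete, here is an added example (not part of the original post) that models a copied stripe record and a reused one-time code in Python. HMAC-SHA256, the class and function names, and the sample card number are assumptions chosen for the model; real chip cards use their own cryptogram scheme.

```python
import hashlib
import hmac
import secrets

def one_time_code(key, pan, amount_cents, counter):
    # HMAC-SHA256 stands in for the card's real cryptogram algorithm (assumption).
    msg = f"{pan}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Toy chip: the key stays on the card; a counter advances on every use."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0
    def pay(self, amount_cents):
        self._counter += 1
        return {"pan": self.pan, "amount": amount_cents, "counter": self._counter,
                "code": one_time_code(self._key, self.pan, amount_cents, self._counter)}

class Issuer:
    """Toy bank: knows each card's key and the highest counter already used."""
    def __init__(self):
        self._keys, self._last = {}, {}
    def issue(self, pan):
        self._keys[pan], self._last[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])
    def authorize_stripe(self, txn):
        # Stripe data is static, so a copied record looks identical to the original.
        return "approved" if txn["pan"] in self._keys else "declined: unknown card"
    def authorize_chip(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "declined: unknown card"
        expected = one_time_code(key, txn["pan"], txn["amount"], txn["counter"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "declined: code does not match"
        if txn["counter"] <= self._last[txn["pan"]]:
            return "declined: code already used"
        self._last[txn["pan"]] = txn["counter"]
        return "approved"

def demo():
    bank = Issuer()
    card = bank.issue("0000-SAMPLE")            # constructed card number
    stripe = {"pan": card.pan, "amount": 1999}  # all a stripe read yields
    first, second = card.pay(1999), card.pay(500)
    return {"stripe_copy_reused": [bank.authorize_stripe(stripe) for _ in range(2)],
            "chip_first_use": bank.authorize_chip(first),
            "chip_same_code_again": bank.authorize_chip(first),
            "chip_amount_altered": bank.authorize_chip(dict(second, amount=50000))}
```

Calling `demo()` shows the copied stripe record approved both times, while the chip transaction is approved once and then declined when the same code is presented again or the amount is changed.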

That fact has led to concerns that information on the card that has nothing to do with a credit transaction could fall into the hands of an identity thief. As the technology becomes more sophisticated and complex, the exploits by card hackers will undoubtedly become more difficult to block. It is an adaptation of the Peter Principle that techies just don’t seem to understand — there is always somebody out there who is smarter than the programmer.

Back in the days when you had to barter, it was relatively difficult (but still possible) to pull off a fraud. When people switched to cash, the job became a bit easier; fake coins were minted but as long as they had the requisite amount of precious metal nobody cared. It was when the fraudster mixed in something less valuable that the eureka moments of an Archimedes were needed.

The printing press took the game a bit farther. Paper money was easier to carry, but a good forger could make counterfeits in bulk. The trouble was that trying to make a large purchase with counterfeit money was a sure way to get caught. To be successful, the counterfeiter had to make numerous small purchases in varied locations. Each advance in printing at the mint brought a corresponding increase in the sophistication of the copying.

The credit card was supposed to not only free the participants in the transaction from having to carry wads of cash, but it was also supposed to make the transaction more secure, since the cash simply stayed in the bank and just changed ownership there. Remember the old credit card machines? You put the card in, placed the multiple carbon receipt in, and rolled out the invoice. Then you wrote in the amounts by hand, the buyer got one copy, the merchant got one copy, and one copy went off to the bank. The lag time was as good as physically mailing a check; you could buy stuff today and still have a couple of days to get the money to the bank.

That was a banker’s nightmare. Money in transit is money that is not earning interest for the bank from the Federal Reserve. Why do you think the bank puts holds on checks from one account to another in the same bank? It is cash in the banker’s pocket. So, the credit card process had to be speeded up. The magnetic stripe technology came in, and the account information could be read off the card electronically, sent to the bank at the speed of light (almost), and the card information could also then be exchanged without the physical card being present, allowing mail order sales to flourish. All you needed to do was give the information and sign for it.

Secure? Alas, another pipe dream, because once a thief got hold of the credit card numbers, he could forge a signature and steal until the card statement showed the thefts. It had to get more complicated. Thus the chip technology. The card companies have forced merchants to install chip readers, with the incentive being that a merchant who has a chip reader installed is not responsible for credit card fraud that occurs using a magnetic stripe swiper. The credit card companies have offered to be fully responsible, even if the buyer does not have a chipped card and the swiper has to be used. However, if the merchant does not install the chip readers, then the merchant is responsible for any fraud loss.

The early cards being issued are mostly (but not all) using contact-type chips. Some, however, have the capability of being read remotely, using a scanner that queries the card wirelessly. When the chip enters the radio frequency field, it vomits out its information. Supposedly, these are short-range transmitters, but there is a concern that hackers could use somewhat more powerful transmitters and receivers and steal the information while the card is still in the owner’s purse, pocket, or wallet. Move the cheese, and the mice get bigger leg muscles. Cage the cheese, and they get bigger teeth. When your treasure is on the Earth, the thief will break through and steal.

So, as an experiment, I have put a tin-foil hat on my new chipped Discover Card. Using rubber cement and some aluminum foil, I carefully covered the front and back of the chip to insulate it from radio frequencies. (In olden times, we called this a short circuit.)

I tried it out at WalMart. I slid the card through the stripe reader; the woman at the checkout said I had to insert it in the chip reader. I did so. The screen said, “CARD PROBLEM”. She said try it again. Same thing. She said try swiping it again. No workie. She tried swiping it from her register. No go. The woman in line behind me was getting a bit upset. I just looked toward the ceiling. Finally, after about the dozenth time swiping it, the transaction went through. Maybe you have to swipe it r-e-a-l-l-y s-l-o-w-l-y.

I haven’t tried it at the gas station yet. I may have to go inside and have them manually enter the account numbers. I don’t know. This will be interesting.

One other thing. I looked at the card agreement to see if there was anything about tampering with the card. Nada. My guess is, though, that all it will take is some wonky lawyer realizing that the scheme is wide open to make the merchant institute a policy whereby it refuses to accept the card if the card has had its chip crippled. Once that occurs, I may have to rethink this.

Meanwhile, the rumor on the street is that this technology, which is already 20 years old, will probably be scrapped in another half-dozen years and replaced by something like ApplePay. The merchants who are paying out mega-bucks to install chip readers will have to bite the bullet and start over. Nevertheless, I have my ears open to hear about the first successful attempt at hacking that system. It will happen. If your treasure is not in Heaven, the thieves will get it sooner or later. Happy treadmilling!

P.S. -- my Better Half tried hers at the gas station. While it did not work at Bed Bath & Beyond, and the card info had to be entered manually by the clerk, it did work at the gas station pump.