HOW THE RIGHT HAND RULE OF PHYSICS DAMAGED THE FINANCIAL COMMUNITY
If I recall my basic physics correctly, the direction of magnetic flux around an conductor can be determined by placing the right hand over the conductor with the thumb pointing in the direction of current flow. The magnetic flux flows in the same direction as the fingers of the right hand. With the exception of the newer “left-handed” composites (aka “metamaterials”), this rule applies to all conductors. Not the least of which is the magnetic material in a magnetic stripe.
One of the earliest practical uses of the right hand rule in IT was with magnetic core storage – little ferrous torroids (read that “iron doughnuts” if you entered IT after 1975) that stored binary information in the third generation, pre-large scale integration computers. These torroids actually had sense and pulse wires the size of human hairs that could reverse the direction of magnetization. Those were the good old days of computing where one could actually see a bit. Nowadays bits are so far removed from visual inspection that they may as well be virtual. But then one could say the same of the beauty of the Hudson Hornet. I digress.
Magnetic stripes will pass into digital history as one of the most convenient, efficient but fraud-enticing technologies ever produced. As such it will take its rightful place along with barcodes and laminated plastic IDs. And for the magnetic stripes the fault lies with the right hand rule of physics – and possibly also the Hudson Hornet, but that's another story.
The reason is the relatively low entry barrier to abuse. You see, one of the consequences of the right hand rule of physics is that anything that can be magnetized one way can also be magnetized the opposite way by applying current to the magnetic source in the opposite direction. Therein lies the rub. One may think of a magnetic stripe as a non-conductive substrate like mylar with a thin layer of magnetic particles embedded therein. These particles are magnetized by a card writer according to a pre-defined format. They are read by a card reader that senses the presence and location of the magnetic fields. With just a slight leap of faith one may abstract from this the sort of information that is on the face of the card.
CREDIT CARDS RULE OR CREDIT CARD RULES?
Credit makes the world go round – for everyone else there's gold bullion! Visual inspection of the embossed part of a credit card will typically reveal several key fields, including, but not limited to (a)four sequences of four numbers. The first number might be a code or system number. The next six numbers might be a bank ID followed by eight numbers that make up the account ID followed by a check digit; (b) an expiration date, and (c) a name. This information may be augmented by holograms, photographs, fingerprints, and so forth.
The embossed information is also recorded on the magnetic stripe on the back of the card. However, the contents of the obverse side (embossed or not) and the contents of the magnetic stripe on the reverse side, are only coincidentally related. Either may be changed independent of the other. By far, the easiest change is the alteration of the magnetic stripe. Therein lies the rub. The implications are significant.
SKIMMING AND SCANNING SCENARIOS
Here are a couple of low-octane (but ever so effective) credit/debit card scams to consider.
Let's analyze these in order. (1) is a low-cost, entry level approach to credit/debit card fraud. In this case, a victim's credit card has fallen into the hands of a criminal (quite possibly passing through several additional hands along the way) who has had a bogus ID manufactured to correspond to the card. Difficult? Don't bet your Hudson Hornet on it. IDs that will withstand merchant scrutiny may be obtained in university dormatories and swap meets, not to mention fraud gangs. This is a no-brainer. The only tricky part here is to bang on the card before it get's reported as stolen.
That's where (2) comes in. In this case the real credit card remains with the owner, and a counterfeit card is produced with the same information. The technology to produces these counterfeit cards exists in most office supply stores. The corresponding phony ID is produced as in (1). The result: the fraudulent use of the credit/debit card isn't reported until after the crime. The only trick here is that the criminal needs to get a magnetic imprint of the legitimate card to get the information required to emboss the obverse side (of course the magnetic imprint is simply copies from the original card to the counterfeit. For that “personal touch”, a device called a “skimmer” would be required. Skimmers are usually battery-powered and may be as small as a thumb. One of the most common uses of skimmers is in restaurants where the employee swipes once for the company, and once again under the apron for him/herself. Quality, lithium-powered skimmers that can hold 5,000 credit card records and come complete with a computer interface are under $500. For those that are too lazy, cheap, or risk-averse to use a skimmer, credit card information is traded on the Internet.
An even simpler variation on this theme is (3). In this case, the crook buys blank mag stripe cards and duplicates legitimate credit card information on the blanks. Of course, this limits the use of the card to venues where ID is not required. Gas pumps and ATMs are targets-of-opportunities with this approach.
Some years ago, Las Vegas Metropolitan Police Department detectives noticed that they were arresting people with a healthy supply of hotel room keys. They were offered all sundry kinds of explanations from “I forgot to leave them in the last 22 hotel rooms I stayed in,” “I collect them for my uncle,” “I think of them as works of art,” etc. It didn't take the detectives long to conclude that there was something wrong with this picture. When they swiped the room keys they found credit card information. The reason for this is that in the State of Nevada it's illegal to possess more than two credit/debit cards in someone else's name. To avoid detection, the crooks were recording the information on hotel room keys, players cards, etc. That's where one of my research groups got into the picture.
Deputy Chief Dennis Cobb, co-director with me of the Identity Theft and Financial Fraud Research and Operations Center ( www.itffroc.org ) suggested a better mousetrap. His idea was that we develop a miniature card scanner that would detect anomalies on mag stripe cards. E.g., if the device were set to detect hotel room keys, and found data that was suggestive of credit/debit cards, the card could be held as evidence. We accepted the challenge, and together with Dennis developed a prototype that would do just that.
CardSleuth is a thumb-sized appliance that can be set to recognize virtually any type of magnetic format on a mag stripe card. We illustrate with two examples. In Figure 1, CardSleuth was set to look for hotel room keys and found one – hence the green light. Nothing unusual to report here. The bottom data windows reveal a standard pattern for hotel room keys that use track three of the magnetic stripe. The contents of the bottom windows would not appear on the portable device, only the green light.
Figure 2 illustrates the discovery of a card anomaly. Again, CardSleuth is looking for hotel room keys, but in this case it discovers credit card information, hence the red light. A buzzer is also added for confirmation.
Some technologies are just inherently amenable to abuse. Magnetic striped cards are one such technology. Though a sought-after convenience in almost every industry, their use are fraught with difficulties. Single most among them is the total absence of any form of authentication. But then one might say the same thing of the Internet.
CardSleuth is one small advance toward preventing misuse. There is no security silver bullet to be found, but every bit of help against credit/debit card fraud helps.