Identity proves easy to swipe

Aging credit card technology is vulnerable to theft


As the credit card gained popularity in the early 1970s, college students were invited to try to crack a new technology that enabled computers to "read" the cards through a magnetic stripe across the back.

The "magstripe" was considered revolutionary, but it turned out to be no match for the homemade devices the engineering students devised.

One contraption, a Dick Tracy-like wrist gadget, copied the account data on the stripe and transferred it to another card.

"Obviously, any system can be defrauded somehow," one student said at the time of the competition, sponsored by an arm of Citibank, "but if it can be done cheaply, in some guy's garage, then you're going to worry."

Three decades later, the magstripe has become the backbone of today's "cashless" society, having nearly outlived sister innovations of its era, such as the cassette and videotape.

But in recent years, the magstripe has also been a pawn in the rise of identity theft, an easy mark for criminals equipped with computer know-how and the latest equipment.

About half of identity crimes are essentially credit card fraud, yet the financial industry has been stymied by the cost and complexity of moving beyond the magstripe.

"We're using technology that's 35 years old, and we're wondering why we're having so many problems with identity theft?" said Billy Hoffman, a recent graduate of the Georgia Institute of Technology. He wrote an article in the Make magazine for tech enthusiasts about how to build a credit card reader with mail-order parts and a glue gun.

More secure technologies have been available for years, but merchants and credit card companies have mostly balked at replacing 2 billion credit cards and millions of terminals that read them. Moreover, companies say losses from fraud are minuscule in a global marketplace, roughly 5 cents for every $100 charged.

And while identity fraud has become a potent issue in Washington and in state capitals, public outcry over credit card theft has been relatively mild because consumer liability is limited by law, industry observers say.

"The industry won't change until it becomes economically feasible or profitable, or there is so much backlash from fraud," said Werner Raes, president of the International Association of Financial Crimes Investigators and an investigator for Citigroup Inc., now the parent of Citibank.

Raes, for one, says the problem will only become more rampant unless companies do a better job of ensuring that the customer is indeed the person named on the card. He calls identity theft an "epidemic" and predicts that one in four Americans will become the victim of some form of the crime by 2010.

Major credit card issuers, including Visa and MasterCard, have reported that their losses from fraud declined to $788 million last year from a peak of $955 million in 2001, according to the Nilson Report, an industry newsletter. Merchants lost an additional $260 million last year, the report said.

However, some believe the cost of fraud well exceeds that.

Javelin Strategy & Research of Pleasanton, Calif., using different methods to count losses, found that identity fraud of credit card accounts cost issuers and banks, as well as merchants and consumers, nearly $20 billion last year. The fraud ranged from filching a wallet to a practice called "skimming." The firm's survey was the most comprehensive to date, making comparisons to earlier studies difficult.

Thieves "skim" magstripe information from unsuspecting consumers, which they can use to shop on the Internet. They mass-produce cards with pilfered account numbers.

And often they employ the tools of the industry against it. Instead of building their own contraption in a garage, they purchase card readers, encoders and printers sold commercially. How-to guides are also available.

Credit card companies say they have taken steps to make their cards and the magstripe more secure. They have added signature panels to the cards as well as holograms to thwart counterfeiters. They developed "neural networks" that track the spending patterns of cardholders and signal when an account might have been taken over. And they offer ways to make online transactions more secure.

"There are so many protections around the magstripe, and we invest significant amounts in terms of people and systems for security," said Tom O'Donnell, senior vice president at Chase Card Services, a division of JPMorgan Chase & Co., which has the largest share of the credit card market. "I can't comment directly on the magstripe's impact with regards to fraud. We see the issue more holistically."

Chase and other issuers are also trying isolated distributions of computer-chip cards that are harder to hack. Card companies, while careful not to hassle customers, say they continually test new security measures, some of which are intentionally kept out of the public eye.

John Hall of the American Bankers Association compared the process to an arms race with criminals.

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.