October 02, 2005|By LAURA SMITHERMAN | LAURA SMITHERMAN,SUN REPORTER
"Fraudsters have to make a living, and they will find a way to break any technology," said David Pelling of Fair Isaac Corp., which sells fraud-detection software to financial institutions. "There will always be a certain amount of fraud out there unless we make the payments and authorization process so cumbersome that we restrict commerce."
A credit card's magstripe generally stores the cardholder's name, account number and expiration date. It also stores a secret code that's unknown to the cardholder and checked during purchase authorization, and a code used to verify the personal identification number, or PIN.
First used for transit passes and later airline tickets and ID badges, the magstripe is similar to cassette tapes and other magnetic recordings. It's made up of particles that are essentially tiny magnets, which can be magnetized in either the north or south direction. Those two polarized settings correspond to the binary system of 0's and 1's used by computers.
At a convention of hackers in the Netherlands this summer -- devilishly titled "What the Hack" -- self-described computer geeks held a workshop on how to build a magstripe card reader with "parts you can find in your junk drawer," according to a Web site for attendees.
Hackers trade advice on Internet message boards, and Web sites hawk credit card-making supplies. Some sites boldly sell computer programs that purport to generate account numbers with the same mathematical algorithm used by credit card companies.
"The sense of alarm in the industry is not so much that the cards are being compromised. It's that with the Internet, it's so easy for somebody in rural Minnesota to obtain supplies," said Brad Paulson of the International Card Manufacturers Association. "There is just so much technology at people's fingertips. Everyone who wants to do this certainly has access to the equipment and the means to do it."
Several weeks ago, an auctioneer on eBay advertised a device that re-encodes magnetic stripes and a portable card reader that stores more than 2,000 card swipes. The seller, who declined to give his name, said he got the stuff from a friend and suspects that it was used for illegal activity.
After a few days, though, he said he hadn't gotten a decent offer and would try again. As of last week, it wasn't back on the block.
A Web site run by Extreme Media Inc. in Westland, Mich., sells The Ultimate Credit Card Hacking Dictionary, software and a couple of magstripe cards for $140. A device that reads and encodes credit cards costs an additional $775.
Shawn Cummins, who started the company, said he has been contacted by the Secret Service and Federal Bureau of Investigation but hasn't been charged with a crime for his business.
A preamble to the guide for hackers says that it is intended for informational purposes. Cummins said customers are refused if they say they plan to do something illegal. Still, Cummins double-checks customer information when approving online orders to cut down on fraud, acknowledging his own suspicions.
"Look at the clientele I deal with," he said.
Law enforcement officials say they have little ability to stop the proliferation of books and other materials used for identity crime. Ed Neumann of Javelin Strategy & Research compared credit card-making apparatus, used by small businesses as well as corporate giants, to radar detectors.
"They're not illegal to manufacture, but they're definitely illegal to use in some places," he said.
The leading contender to replace the magstripe card is the so-called "smart" card, which stores information on a computer chip embedded in the plastic. The cards were invented and patented in the 1970s and are widely used in Europe.
While industry observers have predicted for years that the magstripe would be rendered obsolete by the chip card, the technology hasn't made major inroads in the United States, the world's largest market.
The smart card costs dollars to manufacture compared with pennies for the magstripe card. The cost to upgrade or replace credit card terminals could reach $1 billion, and it's unclear who would pick up the tab -- card issuers, banks, merchants or, ultimately, consumers.
MasterCard projected in the mid-1990s that virtually all of its cards would be equipped with chip technology by 2000. That didn't happen, and no one is setting timetables now.
"For us, it's hard to say how long it will take," said Sergio Pinon, senior vice president of security at MasterCard.
Chase recently teamed up with MasterCard and Visa to start issuing a kind of smart card that uses radio frequency identification technology and allows a user to simply wave the card in front of a terminal. Chase has rolled out hundreds of thousands of the "contactless" cards named "blink" in Georgia and Colorado. Similarly, American Express is converting its "Blue" smart card to contactless.
