Credit card fraud and data theft represent big business to crooks. With every technological advancement meant to secure this mode of payment, fraudsters work overtime to find vulnerabilities to exploit consumers, merchants and banks … sometimes in just a matter of keystrokes.
So where does that leave credit card issuing companies, and their security teams, in the struggle against their criminal arch-rivals? The fact is, they are not helpless. A fascinating inside look from the BBC into the inner workings of a high-tech credit card security lab shows us exactly how the card companies are trying to gain an edge against fraudsters.
As described by BBC reporter Paul Marks, the first image inside the Mastercard DigiSec Lab is of a wooden contraption designed to swipe a card back and forth through a card reader:
“The wooden robot's aim is to see if a suspect payment card had been tampered with by a hacker group. If fitted with a malicious RFID chip it could broadcast a radio signal containing account and PIN details to an attacker who has hidden a receiver antenna near, say, a shop's point-of-sale terminal or an ATM. But it must be swiped many times to allow the team to tune into the signal – so the robot automates that swiping.”
The arm of the “robot” had to be built from wood and other non-metallic materials to avoid the absorption of electromagnetic signals from a hacker. The lab researcher explains that he picked up the wood from his local hardware store.
That’s only the beginning of the activities in the Mastercard Lab. The researchers are able to demonstrate the distinct vulnerability of the magnetic stripe on your card. And while many countries in Europe and elsewhere adopted increased security features (aka “chip and PIN” technology) many years ago, U.S. banks are only now implementing chip technology themselves … without the PIN element. To illustrate why all of this is crucially important, Marks writes:
“To highlight its vulnerability, lab chief Alan Mushing sprays a sample magnetic stripe with a fluid suspension of iron filings – instantly showing up the patterns of zeroes and ones on the card as a series of light and dark bands. ‘You can work out the account number, the expiry date and other key data. The issuers are all surprised to see how vulnerable it is,’ he says.”
In other words, our essential credit card information is simply “hidden in plain sight.”
While it’s reassuring to know there are researchers working diligently in the lab to help protect our credit data, the story is clear that this is not a one-sided fight. Instead, it reads more like a Cold War of sorts, in which one side briefly gets the upper hand while the other struggles to catch up, and vice versa. In fact, the vaunted chip technology is probably only safe for a limited time. Hackers are no doubt working to crack the technology and “reverse-engineer” the chips in order to hack them or create their own.
Also, the race to refine and implement biometrics as security features is fraught with sabotage: Fraudsters can steal fingerprint imprints with wax or glue, so the next steps might include features like heartbeat monitors. One thing is clear: the researchers in the DigiSec Lab have their work cut out for them. But by using technology to their advantage, they just might keep pace with the crooks bent on outwitting them.