Article

MasterCard intros new way of fingering card fraud

After a successful six-month beta test in Malaysia, MasterCard International is ready to roll out a new method of fraud prevention. The technology, developed by MagTek, uses the unique characteristics of magnetic stripes to protect cards.

February 13, 2003

Much the way that ridges and furrows make every human fingerprint unique, minor imperfections and other characteristics make the magnetic stripe on every plastic card a one-of-a-kind identifier as well.

"Just as you and I have a fingerprint that can be used to uniquely identify us, every card in your wallet has a stripe made up of a unique pattern of magnetic particles," said Kiran Gandhi, vice president of MagTek, Inc.

Carson, Calif.-based MagTek purchased the rights to this concept, which was first developed at Washington University in St. Louis. Then MagTek tweaked the technology for some seven years and christened it Magneprint, with the aim of using it to prevent card fraud.

It works

MasterCard International, the first licensee, is optimistic about Magneprint's potential after wrapping a six-month beta test of the technology in Kuala Lumpur, Malaysia. Six-hundred terminals capable of reading Magneprints were deployed at more than 400 retail locations during the beta. Four banks representing more than 100,000 cardholders participated.

Esmond Chan, MasterCard's vice president and regional head of security and risk management for Asia/Pacific, said that during the test three transaction attempts were made with card "clones" created with skimmed data. Several skimming devices were also discovered at terminals.

"We can confirm that the issuers were able to detect the counterfeit transactions using Magneprint," Chan said.

Skimmers use a small computer device to obtain card data at a terminal, then use the data to create bogus cards which are used to access bank accounts -- often at an ATM. According to Chan, skimming accounts for about 30 percent of MasterCard's global fraud losses and 50 percent to 60 percent of total fraud losses in the Asia/Pacific region, where skimming rings have been especially active in countries like Malaysia.

Each card has to be registered and added to a database to use Magneprint, Gandhi said. The data can either be captured at the time of card issuance or "on the fly" as it's being used for the first time at a Magneprint-capable terminal.

"This is another benefit of implementing Magneprint as it practically does not require the reissue of cards already in the market," Chan said.

According to Gandhi, the Magneprint is just 54 bytes, so only minor software changes are required to add it to a host's authorization system.

When a card is swiped at a terminal, the Magneprint is compared to the original, which is stored at the host. There are no exact matches, Gandhi said, because factors like the speed at which a card is swiped will produce slightly different results each time.

This is similar to biometric fingerprint readers, which produce prints with slight variations depending on how a finger is positioned on the reader or how much pressure is applied. Scores within a certain range are considered a match.

No encryption is required with a Magneprint, Gandhi said. "It's impossible to reproduce the data. You can't clone the characteristics of the magnetic particles."

According to Chan, MasterCard believes that card issuers are in the best position to manage their own risk, and will therefore encourage issuers to manage their own Magneprint databases and conduct authorization decisions based on their own thresholds. However, he said, it would possible for either MasterCard or other transaction processors to manage Magneprint scoring on behalf of issuers.

Considering the costs

While costs to store and manage Magneprint data will vary, Gandhi estimated that most issuers would be able to do so for $150,000 to $200,000.

Chan preferred not to comment on specific costs. However, he said, "We have shared the various components of costs with our member banks that have expressed interest in implementing Magneprint. Based on our experience with the beta test in Malaysia, we can comment that the cost to upgrade the bank's systems is minimal and the enhancements can be completed within two to three months."

Current card readers cannot be updated to read Magneprints, Gandhi said, so new readers are necessary. Peripheral readers, which cost less than $100, were used during the beta test. Eventually, he said, MagTek will integrate the technology into new terminals.

The cost to upgrade existing point-of-sale terminals is "minimal," Chan said. "For new terminals with the built-in Magneprint capability the incremental cost will be again nominal. We are currently working with ATM manufacturers on the requirements to upgrade ATMs. While upgrading ATMs will be more involved compared to POS terminals, we expect that the cost will not be significant."

Implementing Magneprint is far less expensive than implementing chip cards and the necessary infrastructure to support them, a solution being adopted in many regions of the world.

Indeed, countries that are in the process of converting to chip are finding it costly. According to the UK's Association for Payment Clearing Services (APACS), conversion to chip/PIN will cost banks and retailers in the UK an estimated 1.1 billion pounds (about $1.7 billion U.S.). In Malaysia, a report published in The Star newspaper noted that banks would have to spend more than 40 million ringgits (about $10.5 million U.S.) each to upgrade their systems for chip.

"You have to weigh the costs of implementation versus the potential liability," Gandhi said. "If your liability is 10 cents and you must invest $1, there is no gain. But if your liability is $1 and your cost is 10 cents, you've gained 90 cents."

Moving toward chip

Using interim technologies like Magneprint would allow for "a more strategic move" toward chip rather than an abrupt one, Gandhi added. "You could take the money you save on fraud and use it to invest in your chip migration. If you took the time to develop other interactive chip-based applications, you could better justify the costs to upgrade your infrastructure."

Both Chan and Gandhi agreed that the chip is the best long-term solution to card fraud. However, it will likely take many years to achieve chip ubiquity. And until then, cardholders are at risk.

While more than 127 million MasterCard-branded smart cards had been issued by the end of 2002, Chan said that a hybrid card environment, in which chip and magnetic stripe co-exist, will be the norm "for the foreseeable future."

Noting that the UK and other countries migrating to chip are currently issuing cards that include both a chip and a magnetic stripe, Gandhi said, "You could clone card data in the UK and use it somewhere else, say India, to compromise those cards."

"Card fraud is like a water balloon. If you squeeze it in one place, it pops up someplace else," Gandhi said.

Gandhi said that MagTek is in discussions with other companies interested in licensing Magneprint, including other card associations.

Chan said that MasterCard is working closely with members from the U.S., Canada and Mexico, who have expressed "keen interest" in Magneprint. "The beta test in Malaysia has fully validated the technology," he said.