"Carders" can put fraudulent info on swiped cards - a "very serious threat" to smartcard security - Visa won't say what if any action they will take

By - April 19, 2005

By Deb Radcliff for SiliconValleyWatcher

I never really thought about the magnetic strip on the back of my credit card until Dan Clement recently sent me a tutorial on how to hack the mag strip to change the information contained inside it. Clement copied the tutorial off a “carder” Web site, where he spends a lot of time looking for stolen cards and information he can use to protect clients subscribing to his Malibu-based credit card protection service, CardCops.

The tutorial explains in great detail how to buy a $725 machine called an msr206 which, along with some expensive software, can be used to "dump" new data into track one and track two of the magnetic strip to change the cardholder name and credit limit.


"Merchants who swipe the cards don’t look to see if the data printed out by the mag strip reader on the sales slip matches the data on the front of the card," says Clement. "So you can put fraudulent information in the magnetic strip and it will go through."

The tutorial tells how to do this anonymously by purchasing $25 prepaid credit cards and gift cards out of vending machines and from merchants requiring no identification, then "dumping" the false information into the tracks. The dumps come from other carders with "clean" sources of phony and stolen credit information that won’t alert fraud detection systems at the issuing banks.

After reading the tutorial, which Clement has found at multiple carder sites over the past six months, I contacted Don Davis, editor of Card Technology Magazine. Davis says his biggest concern is how this type of fraud will affect the security on bank-issued smart cards, which are now rolling out in Europe and have the potential to become big in the U.S. The problem, he says, is what happens during the transition from magnetic strip reading point of sale terminals to smart card chip reading terminals.

During the transition, he says, terminals read the magnetic strip, which indicates what kind of card they’re dealing with.

"The carders could take off the mag strip data that says, this is a smart card, and the terminal doesn’t know to ask for the chip and the user’s PIN. This could be a very serious threat," Davis says.

Clement agrees that this poses a serious problem for the adoption of chip-based smart credit cards.

"I talked to Visa," Clement said. "And they say it’s a growing problem. But they won’t tell me what they’re doing about it."

When I called Visa, I got the same runaround. The spokesman there said that yes, the problem is growing, but was unable to get me anyone at Visa who could advise issuing banks to protect against this type of fraud. This has happened before when I’ve contacted Visa to help with stories about credit system problems for which they have no answer.

For example, last year when I wrote a sweeping report on how "phishers" were using brand-impersonating e-mails and Web sites to separate people from their financial accounts and passwords, Visa’s response was pretty much, "We did our bit. We educated our consumers. Now go away."

But now that a host of anti-phishing consortiums and organizations have sprung up and invited Visa to join them, Visa was all over me to include them in my one-year update on phishing that was published on Monday.

So I gave Visa a chance to redeem itself by offering some answers to this mag strip hacking problem. And all I got was a two-week runaround.

Sometimes it scares me how security-clueless our e-commerce leaders really are.


Share this article

 Subscribe in a reader

By - April 19, 2005 | Permalink | Category: Security Watch
| SVW Toolbar | SVW Newsletter | SVW Mobile