Is there finally a way to end credit and debit card fraud?
Credit and debit card fraud costs the financial world billions of dollars each year. The Tech Herald spoke to Tom Patterson, a past advisor to the FBI on cyber security and the current CSO of MagTek. He explained the ties between card fraud and terrorism and discussed one layer of security that could help eliminate debit and credit card fraud altogether.
MagTek, which is the main day-to-day employer for Patterson, offers various protection products for the financial industry. As the CSO, Patterson uses his history in the security industry to oversee development of company products, and at the same time, he has launched a campaign to end counterfeit card fraud by 2011.
[Disclosure: Part of this solution will use MagTek products, and they hold the patent on the technology.]
We started talking with him regarding his plan for ending card fraud and the ties he and his Intelligence Community associates have noticed between card fraud and terrorism over the years.
Patterson started the conversation by explaining how he got into this business. As a former Intelligence Community person, he worked in Washington D.C. most of his adult life. “I came into this to try and fight organized crime and to fight global terrorism and this is a perfect way to do it. To get the payment card industry to work together with the merchants, to make counterfeit cards not work anymore,” he explained.
The story Patterson told starts with a waiter or waitress, the kid at the gas station working extra hours to make more money for school or the holidays. Most people know the kid or the waiter, they are from the same community, and rarely do they think twice about handing over their credit card to make a payment. That lack of hesitation is where the link between fraud and terrorism starts.
Somewhere in the U.S., before the clerk or waiter starts their shifts, they are approached by someone who offers them a card skimmer, which easily fits in the palm of their hand and into their pocket. All they have to do is swipe all the cards they can through it during their shift, and in return they are paid $20.00 per swipe.
“So you can make $50.00 in pay and $500 in credit card skimming, just because this guy showed up. A lot of people are doing it, and they’re nice normal people. They’re the kids you went to school with, they’re the parents on your kid’s soccer teams, school mates, they’re otherwise not criminals,” Patterson explained.
“Opportunity knocked here, and they feel it’s a victimless crime and they’re not doing anything bad. When we catch them, that’s uniformly their response, ‘Hey you know we needed the money for rent, the economy is bad, we weren’t really hurting anybody, the banks end up covering it, it’s not a bad thing.’”
So where do the skimmers come from? After some investigation, law enforcement officials, including the FBI, Secret Service, local police and others, traced the skimming operations to a sect of the U.S. population that is in every city and state. This sect is the local gang population, with confirmed skimming operations discovered in the Bloods, Crips, and Latin Kings. To them, card skimming is their number three revenue source after weapons, drugs, and extortion.
“[Skimming has] moved up above extortion, and it has become a significant business for these gangs to go out and run these people. So on average, one gang member is going to run 20 to 25 otherwise normal waiters, waitresses, or clerks. They’ll give them the skimmer at the beginning of their shift, pick it up at the end of their shift, and they’ll pay them off. The gangs are turning around, and by having a bunch of members, they are able to harvest over 10,000 high value credit card numbers a night collectively through the system in a big city on an average weekend night.”
The investigations continued. Following the money, they were able to see exactly who the gangs were selling their harvested cards to. It turns out that once the gangs have the harvested data in blocks of 10,000, they sell them upstream to foreign organized crime.
The two largest, Patterson explained, are the Russian Mob and Chinese Triad. These groups buy fresh numbers that have been harvested in the last couple of days, targeting the cards that were harvested from good stores and expensive restaurants, because that’s where the high value cards are found.
“Within three days of them being skimmed by some nice looking freckle-faced kid that you trust, the cards are in the hands of Russian organized crime where they’re pairing it with a very good looking fake piece of plastic and then selling that combined card on online auction systems for about $80. Within a week people can buy a card that’ll work for the next 15-20 days until the billing cycle is up.”
So where do the cards from the Russians go? At this point in Patterson’s story there is a solid tie to the hard core criminals, since gang members are far from shy about crime and violence. Yet, this is not terrorism.
On October 12, 2002, 202 people, including 152 foreign nationals and 38 Indonesian citizens, were murdered when two bombs were detonated outside popular nightclubs in Kuta, on the Indonesian island of Bali.
The attack has been called the deadliest act of terrorism in the history of Indonesia. When law enforcement arrested those with ties to the Bali terrorist attacks, they pored over everything they had on them; every scrap of paper and book was searched for information.
“In there was the Al-Qaeda terrorism handbook, which is a handwritten book that is passed around to anyone who wants to call themselves Al-Qaeda. Chapter 3 is all about funding, we translated the Arabic to English, and it talks exactly about how to get counterfeit credit cards and use them to fund the struggle,” Patterson told us.
“It talks about how it is anonymous and very low cost to go to these online sites and buy these cards. As we interdicted other sites and other terrorist cells in Europe and Africa, even one in Ohio, we found the same people are buying these stolen credit cards and using them to fund the struggle exactly as they are taught.”
With that final tie, there is a complete cycle. One that when explained to executives in the financial world, obviously shakes them up a bit. Patterson notes at this part in his story that the real shocker isn’t the connection itself, but the speed of the connection.
“So you can go out on Friday night, to a nice steak joint, have your card skimmed by a nice attractive looking waitress, who then gets $20 for it and gives it to a gang member at the end of her shift. By Sunday it’s in Russia and by Wednesday the following week it’s up for sale and being delivered within 10 days and used,” he said.
This scam isn’t just in the U.S., it runs all over the world. The common criminal elements in the streets are being tapped to start the cycle as it were, and to them this is a clean crime. There is little risk. The payout is huge for them as they get working cards to use, as well as money for what they collect.
Keep in mind that the criminals pushing the skimmers are not the typical carder that you read about in the cyber security world. These are the drug dealers and hustlers who often go ignored until there is a drive-by or revenge killing. They will use money as a reward to start with, but if someone refuses, pain and intimidation work for them as well.
So we asked, is the ability to use these cards for all they’re worth before the next billing cycle the end goal? Patterson said yes, and went into another example in which a deeper, shadier criminal element with potential terrorist ties used stolen cards to move a mule across Europe.
A woman was discovered in the streets of Turkey, and the local police thought it was a prostitute killing. During the autopsy, they noticed her body started to decay right in front of their eyes. They discovered she was a nuclear materials mule. What happened was that the criminals had given her pellets of nuclear material that had been coated in plastic, and she was to swallow them and go through Europe and deliver them to the countries she was assigned.
One of the pills ruptured, and she died a horrible death. In her purse were 16 counterfeit cards, and instructions to use one and trash it, then use another and trash that, working her way through the cards, one at a time, so no one could catch her. By the time the owner of the card noticed any issues, the card had already seen its one use, and in this case the person who used it was dead.
The tie between card fraud and low to high-level criminal or terrorist activity is becoming a frequent common denominator. The reason for this is how easy it can be to get the stolen cards in the first place.
When you add in the organized method of how they are used, catching the criminals behind card fraud is easier said than done. However, like any war, you need money to operate. Patterson’s goal is to cut the funding by killing off card fraud.
Even with the best of our technology, thanks to fraud detections used by the banks and payment processors, there’s still $4 billion stolen every year. Patterson said that the solution he is shooting for will help as a strong layer of protection once added to the existing defenses.
So what is this solution? It turns out that a music professor at the University of Washington came up with it, when he was looking to find a way to eliminate the hiss in cassette tapes. He determined that the hiss is actually a magnetic fingerprint, and it is more unique than human DNA.
“Every piece of mag-stripe, if you know how to look for it, has this unique array of three-billion particles of ferrous oxide that are sprayed on it and randomly arranged by nature. All you have to do is listen to that noise pattern, and you can determine the uniqueness of that mag-stripe, and therefore the uniqueness of that card. So it doesn’t cost anybody anything, but what I’m trying to do is get the card creators, who issue the cards, and the processors who process the cards in bulk, to record that magnetic fingerprint into an authentication database,” Patterson said.
When the card is swiped, in addition to reading the other information written on it, you can read the magnetic fingerprint as well. This fingerprint can be correlated against a master record, and if it matches, the transaction will complete. “If it’s not, if it’s nowhere near, as a counterfeit card will be, then it’s declined and the card becomes worthless,” Patterson added.
The key piece to this protection, Patterson explained, is that it isn’t a new technology. Quite the opposite, this is nature. “It’s not another encryption effort. Every time we come up with a technical innovation, the bad guys come up with a counter for it. Sometimes before we can even mass deploy these things, there’s a way to get around it. So I like this because it’s not technology, it is nature.”
When it comes to the noise pattern, you can hear it on headphones, but what you cannot do is write it. This is because to write it, you will need to put it on another piece of magnetic tape, which will keep you from exactly replicating that noise pattern, and thus prevent you from replicating the fingerprint.
“Every piece of magnetic tape is going to be created randomly by nature. Each particle of ferrous oxide is like a little bar magnet with a north pole and a south pole, and you’re literally spraying them through a spray nozzle on to Mylar, and then ironing them on to the card. They’re randomly arrayed, they could be pointed one way or another, but you can’t re-engineer that. So, all we have to do is get them to record the magnetic fingerprint and add that information to the rest of your banking information,” Patterson explained.
The process is known. There have been trials for over a year now with Visa and Fifth Third Bancorp openly talking about them, while other financial organizations have kept their testing out of the public eye. Patterson said that there have been over one-million in-use swipes so far.
All of the genuine cards are correlating at 80 to 100 percent of the fingerprint. The reason for the large gap is that over time the stripe will wear down with usage. Once the card degrades so much that the correlation drops below acceptable levels, a new card could be issued.
However, because most people get a new card every few years anyway, the fingerprint would rarely degrade below the required levels. When it comes to fraudulent cards, when they were scanned during testing, they only correlated at about 0.5-percent.
For cards that are in circulation, the system can pick the fingerprint up as the card is used, preventing costly re-issues on a whim. When this happens, a card is checked against a set level of transactions to develop a base, and if no fraud is reported, the established base is used as the fingerprint until the customer gets their new card as normal, where a new fingerprint has been recorded.
One bank participating in the trials did just this, using their ATMs to record the magnetic fingerprint over the period of three months, establishing a base for an undisclosed number of customers. In less than a year, Patterson said, this bank was able to flag 1,100 counterfeit debit cards, and their fraud level plummeted from $11 million to zero.
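The enrollment and matching steps described above can be sketched as follows. This is an added example, not MagTek's algorithm or code from the article. It assumes a fingerprint is a list of noise samples, models wear as added Gaussian noise, and uses hypothetical values for the thresholds and the number of enrollment swipes, none of which the article specifies.

```python
import math
import random

ACCEPT = 0.60         # assumed cut-off; the article only says "acceptable levels"
REISSUE_FLOOR = 0.20  # assumed: below ACCEPT but far above a counterfeit's ~0
ENROLL_SWIPES = 5     # assumed size of the "set level of transactions"

def correlation(a, b):
    """Pearson correlation of two equal-length stripe-noise readings."""
    if len(a) != len(b) or not a:
        raise ValueError("readings must be non-empty and the same length")
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0

def enroll(swipes):
    """Build the reference fingerprint by averaging several fraud-free swipes."""
    if len(swipes) < ENROLL_SWIPES:
        raise ValueError("not enough swipes to establish a baseline")
    return [sum(col) / len(swipes) for col in zip(*swipes)]

def authorize(reference, reading):
    """Return (verdict, score) for one swipe against the stored reference."""
    score = correlation(reference, reading)
    if score >= ACCEPT:
        return "approve", score
    if score >= REISSUE_FLOOR:
        return "decline_flag_reissue", score  # likely a worn genuine stripe
    return "decline", score                   # uncorrelated: a different stripe

def swipe(stripe, rng, wear):
    """Constructed model: a read is the stripe's noise plus wear/reader noise."""
    return [s + rng.gauss(0, wear) for s in stripe]

def demo(seed=7, n=2048):
    rng = random.Random(seed)
    genuine = [rng.gauss(0, 1) for _ in range(n)]      # constructed stripe noise
    counterfeit = [rng.gauss(0, 1) for _ in range(n)]  # independent stripe
    ref = enroll([swipe(genuine, rng, 0.2) for _ in range(ENROLL_SWIPES)])
    return {
        "fresh": authorize(ref, swipe(genuine, rng, 0.2)),
        "worn": authorize(ref, swipe(genuine, rng, 0.7)),
        "heavily_worn": authorize(ref, swipe(genuine, rng, 2.0)),
        "counterfeit": authorize(ref, swipe(counterfeit, rng, 0.2)),
    }

if __name__ == "__main__":
    for case, (verdict, score) in demo().items():
        print(f"{case:13s} {verdict:22s} {score:+.3f}")
```

The heavily worn case shows why the acceptance threshold has to sit below the genuine range but well above the counterfeit floor: a degraded genuine stripe still scores far higher than an unrelated one, so it can be routed to reissue instead of being treated as fraud.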
The numbers and results are impressive. At the same time, this entire solution is only one layer of protection, as it will not help protect against Card Not Present fraud, or other banking crimes. Patterson stresses this fact, and he adds that, from what he sees in the fraud arena today, the vendors working in that space are making great strides in lowering the amount of loss felt in the industry.
Still, he believes what he is doing will make a difference. This enthusiasm comes across clearly when he talks about his 2011 goal.
“So I launched an industry campaign to get the banks and the merchants to work together. All I've got to do is break the chicken and the egg. The banks say ‘we’d do it if the merchants checked’ and the merchants say ‘we’d do it if there was something to check against’…I hope that by this time next year, that the Christmas shopping season is safer.”
We hope so too.