PHONE me if you feel DIRTY: Yanks and 'Nadians wave bye-bye to magstripe



Something for the Weekend, Sir? Whenever I dump my load, I don’t feel the need to swipe. Swiping is far too dirty for me. I’d rather just lightly touch, lift up my trousers and walk away.

Having slipped the touch-and-go debit card back into my wallet and collected my load of clothes shopping that I had dumped at the till – why, what did you think I was talking about? – I sometimes try to imagine who might still prefer to use the ancient magnetic swipe reader found at the side of every point-of-sale card keypad.

Could it be Chelsea Pensioners struggling with the concept of chip-and-PIN? Russian gangsters who’ve scammed hundreds of magstripes at a nearby cash machine? Retro-hipsters with Bitcoin debit cards whittled from sustainable oak?

I found out this week: millions of North Americans.

It was only while reading a story here at The Reg about how Samsung’s mobile payment system supplier, LoopPay, was hacked back in March that I twigged. Apparently, the hackers had been trying to break into LoopPay’s magnetic secure transmission system, which emulates “commonly used magnetic stripe cards”.

Commonly used? Surely not. No one has asked me to swipe a card for years.

And a damn good thing, too: giving a card reader access to the personal identification data encoded (ha ha, my little joke) on the magnetic strip at the back, known as a “magstripe”, is about as secure as writing your PIN on a piece of paper and asking the nearest hoodie to read it out to you as you key it in.

Yet now I learn that American and Canadian banks and retailers never quite warmed to chip-and-PIN in the early noughties, prolonging the use of magstripe’s 1970s tech far beyond its reliable lifetime. However, the North American love of magstripe had its heart broken 10 days ago when the tech was rendered officially obsolete.

Retailers can still support card swiping at point-of-sale if they wish, but as of 1 October 2015, banks and credit agencies in North America will no longer bear the cost of magstripe fraud at the tills.

Magstripe, you see, suffers from two major problems: security and usability. It is severely lacking in both.

A magstripe holds three 2.8mm-wide recording tracks. For historical reasons, Track One is devoted to airline use: magstripe’s first great success was in 1970 when American Express introduced self-service ticket and boarding-pass desks at the American Airlines counter at Chicago O’Hare International Airport.

Track Two contains your personal banking information. Track Three can be used to hold all manner of third-party data, from information about your financial loans to your driving licence details.

So there it is – all your personal ID encapsulated, but not encrypted or anonymised, in a little magnetic strip that is easily read (and thereby easily copied and duplicated) by a magnetic reader. It sounds appalling but compared to relying on carbon-copies of your credit card plus a signature, it must have been amazing.
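Seen from the defender's side, "not encrypted" means that anything which logs a raw swipe ends up storing card data in the clear. The sketch below is an added example, not part of the original article: it scans text for records in the ISO/IEC 7813 Track Two layout, confirms them with a Luhn check, and masks them. The log lines, field names and function names are constructed for illustration.

```python
import re

# ISO/IEC 7813 Track 2: ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_track2(text: str) -> list[dict]:
    """Return a masked finding for each Luhn-valid Track 2 record in text."""
    findings = []
    for m in TRACK2.finditer(text):
        pan, yy, mm, service, _discretionary = m.groups()
        if not luhn_ok(pan):
            continue
        findings.append({
            "offset": m.start(),
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": f"{mm}/{yy}",
            # First service-code digit 2 or 6: issuer asks for the chip to be used
            "chip_card": service[0] in "26",
        })
    return findings

def redact(text: str) -> str:
    """Blank out Luhn-valid Track 2 records before the text is stored."""
    return TRACK2.sub(
        lambda m: "[TRACK2 REDACTED]" if luhn_ok(m.group(1)) else m.group(0),
        text,
    )

# Constructed sample log lines; 4111111111111111 is a widely used test number.
SAMPLE_LOG = (
    "10:02:11 pos7 swipe raw=;4111111111111111=25122010000000000000? amt=12.50\n"
    "10:02:40 pos7 order ref=;1234567890123456=25121010000? not a card\n"
)

if __name__ == "__main__":
    for finding in find_track2(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG))
```

Only the first sample line is reported and masked; the second has the right shape but fails the Luhn check, which is what keeps order references and similar digit runs from raising false alarms.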

