[David Griffiths] The other day, my girlfriend said to me that she had tried to use her Nationwide card in a Nationwide ATM and then in a Nat West ATM. On both occasions the transaction was rejected with an “unable to complete” type message. I was surprised that the ATMs hadn’t attempted fallback, as there is no intrinsic risk in fallback, especially if the issuer is aware of the circumstances, and the adopted fraud prevention mechanisms are working. Fraud prevention mechanisms are elaborate – neural networks and other clever stuff they are reluctant to discuss – and can monitor the cardholder’s usage patterns. So, if there is a “dodgy” fallback authorisation request, but the transaction fits with the cardholder “norm”, the issuer may choose to take the transaction risk, for all of the reasons highlighted by Richard Allan. However, if the cardholder used the card yesterday in Telford, has no history of exotic travel, and then an authorisation request is received today from Thailand, they may choose to issue a decline. My girlfriend was using the same ATMs she always uses, and was requesting the same amount that she always requests – any neural network worth the investment would recognise this as likely to be a genuine transaction. She has therefore been inconvenienced by what looks like the whim of the ATM acquirer, but ultimately blames the issuer as they can’t get a replacement card to her for 10 days.
This is not the whole story: we appear to be concerned about fallback, but what exactly is that concern all about? Apparently we are concerned about the cloning of cards that can then be used abroad, because that’s where ATMs do not support chip. The ability to clone mag stripe cards has been around as long as there have been mag stripe cards. I used to have a card cloning kit in my spare bedroom, and a lot of ATMs used in test had the facility to write cards as well as read them. Writing the cards wasn’t a problem; getting hold of the information to write to the card was – the card had to be swiped twice at the point of sale, and in most cases this could be spotted by the cardholder. Some garage forecourt systems used to do it as a matter of course, so petrol stations were high risk; but so were restaurants, because the card would be handed to the waiter who would take it away to swipe (twice?) and then return with the receipt, ready for signature. The difficulty here though is that the fraudster might have the mag stripe data, but is usually missing the PIN, so the card would have to be written to non-white plastic and then used in a point of sale (or maybe cash over the counter). The advent of chip & PIN meant that PINs could be harvested just as easily as the mag stripe data held on the chip. Petrol stations again (though not just petrol stations) have been targeted by fraudsters “tweaking” card readers to collect the mag stripe data and the PIN. This is fairly easy to do and the cardholder is unaware of the capture. The card and PIN data can then be shipped off to the Far East (or anywhere else there may be non-chip ATMs) where they can be used with plain white plastic to withdraw cash. The question is, whose fault is this?
Dave Birch mentioned the iCVV – a card verification value that is resident on the mag stripe (and exists within the MasterCard world as well as Visa). The chip contains an image of the chip’s track 2 data which is easy to access, as well as the more tricky chip data. Fraudsters harvesting chip & PIN data from cards are actually collecting the track 2 data, and not the tricky chip data. The reason they are then using Far Eastern ATMs is the fact that they do not look for a chip and cannot, therefore, operate in fallback mode. The fact that the Service Code on the card indicates the presence of a chip is therefore inconsequential. The reason for the iCVV is to provide an indication to the card issuer, at the time of the authorisation request, that the card is a clone, and that the magnetic stripe data was derived from a chip – which would not be possible if the card was legitimate. The problem is that the majority of the issuers did not implement iCVV when they initially converted to chip & PIN. Had they done so, then the so-called loophole would never have existed, and chip cloning would not be the headline grabber that it is today. The issuers, and indeed the whole of the card industry, are on the back foot with the media because of something that they should not have allowed to happen, and because of this the acquirers are responding by withdrawing ATM fallback, and I’m getting grief from my girlfriend because she has no cash, and it’s Christmas.
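The iCVV check described above, as an added example that is not part of the original post: an issuer-side routine that recomputes the verification value from the track 2 data carried in a magnetic-stripe authorisation request. The published scheme derives the chip’s iCVV by substituting service code 999 into the CVV calculation, so the value personalised into the chip’s track 2 equivalent never verifies as a stripe CVV; the calculation itself is a keyed DES construction under the issuer’s CVK pair, which this example replaces with an HMAC-SHA256 stand-in. The key, the card number, and the position of the CVV at the end of the discretionary data are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed issuer secret. A real issuer holds a DES key pair (CVK A/B) inside an
# HSM; the keyed-hash construction below is a stand-in for that DES calculation.
CVK = b"constructed-card-verification-key-not-a-real-one"

# Published iCVV scheme: the value held in the chip's track 2 equivalent data is
# derived with service code 999 in place of the card's real service code.
ICVV_SERVICE_CODE = "999"


def verification_value(pan: str, expiry_yymm: str, service_code: str) -> str:
    """Three-digit verification value for PAN, expiry and service code.

    Assumption: HMAC-SHA256 over the same inputs stands in for the DES-based CVV
    algorithm. Decimalisation mirrors the real scheme: decimal digits of the hex
    output are taken first, then hex letters A-F mapped to 0-5, and the first
    three characters are kept.
    """
    msg = f"{pan}{expiry_yymm}{service_code}".encode()
    hexdigest = hmac.new(CVK, msg, hashlib.sha256).hexdigest().upper()
    digits = [c for c in hexdigest if c.isdigit()]
    letters = [str(ord(c) - ord("A")) for c in hexdigest if c.isalpha()]
    return "".join((digits + letters)[:3])


def stripe_track2(pan: str, expiry_yymm: str, service_code: str) -> str:
    """Track 2 as encoded on the physical magnetic stripe at personalisation.

    Layout assumed here: PAN '=' YYMM SSS <discretionary data ending in the CVV>.
    """
    cvv = verification_value(pan, expiry_yymm, service_code)
    return f"{pan}={expiry_yymm}{service_code}0000{cvv}"


def chip_track2_equivalent(pan: str, expiry_yymm: str, service_code: str) -> str:
    """Track 2 equivalent data personalised into the chip.

    Same PAN, expiry and service code as the stripe, but the verification value
    is the iCVV, so a stripe written from this data is detectable by the issuer.
    """
    icvv = verification_value(pan, expiry_yymm, ICVV_SERVICE_CODE)
    return f"{pan}={expiry_yymm}{service_code}0000{icvv}"


def parse_track2(track2: str):
    """Split track 2 into (PAN, expiry, service code, verification value)."""
    pan, rest = track2.split("=", 1)
    return pan, rest[:4], rest[4:7], rest[-3:]


def authorise_magstripe(track2: str) -> str:
    """Issuer decision for a magnetic-stripe-read authorisation request.

    Recomputes the CVV from the received track data. If the received value
    instead matches the iCVV, the stripe presented at the terminal was written
    from data copied off a chip, which a legitimate card can never produce.
    """
    pan, expiry, service_code, received = parse_track2(track2)
    if hmac.compare_digest(received, verification_value(pan, expiry, service_code)):
        return "APPROVE"
    if hmac.compare_digest(received, verification_value(pan, expiry, ICVV_SERVICE_CODE)):
        return "DECLINE_CHIP_DATA_ON_STRIPE"
    return "DECLINE_BAD_CVV"


if __name__ == "__main__":
    # Constructed card: service code 201 marks a chip card, as the post notes.
    pan, expiry, service_code = "4000001234567899", "2712", "201"
    genuine = stripe_track2(pan, expiry, service_code)
    chip_copy = chip_track2_equivalent(pan, expiry, service_code)
    print("genuine stripe    :", authorise_magstripe(genuine))
    print("chip-derived copy :", authorise_magstripe(chip_copy))
```

The decision routine never needs to know how the terminal read the card: the service code alone is “inconsequential”, as the post says, because the copied track carries the genuine service code too. What gives the clone away is purely that the verification value verifies under 999 rather than under the service code actually present in the track, which is exactly the signal an issuer that skipped iCVV at chip migration does not have.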
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.