Monday, March 16, 2015

Gizmodo- Withdrawing Cash with a Smartphone- Readers Have Objections Galore

Withdrawing Cash With A Smartphone Could Beat The Card Skimmers
The U.S. loses more money to card fraud than the rest of the world combined — something that's mostly down to the magnetic stripes that make our cards incredibly hackable. Although more secure technologies are coming, they'll require time and money to adopt. But one kindly Canadian bank has a secure system that only needs a smartphone and a QR code. 
Magnetic stripe cards, the kind that are ubiquitous in everything from credit cards to hotel keys, are incredibly easy to clone. It just takes one pass through a reader to take all the information from the chip, and one further pass to put that data onto a fake card — and thereby get a working clone of your credit card. 
One of the easiest ways to clone cards is to graft a nearly-undetectable skimmer onto an ATM, which lurks undetected whilst accumulating thousands of card numbers. That makes ATMs a great target for hackers, and therefore first in line for a security upgrade. 
The system that BMO Harris Bank has come up with uses a smartphone app, and a QR code on the ATM screen. The customer uses the app to choose their amount of money in advance, then walks up to the ATM, and chooses the option for mobile money. The ATM screen displays a QR code, which you scan with the app, and the machine spits out sweet sweet money. 
The beauty of the system is that it's secure — a fraudster would need your particular smartphone and the app password to impersonate you — and has no physical contact between any card and the ATM, meaning there's nothing for a card skimmer to clone. Win-win. 
According to the WSJ, the service will initially be available on 750 ATMs, with 900 online by June. While that's a drop in the bucket compared to 425,000+ ATMs in the country, it's a healthy percentage of BMO's 1300 machines. Moreover, a successful trial may well persuade other banks to add support for the system. Just don't lose your smartphone — and set your password to something other than 'password', okay? [WSJ]
Images by Catatronic

The beauty of the system is that it's secure — a fraudster would need your particular smartphone and the app password to impersonate you — and has no physical contact between any card and the ATM, meaning there's nothing for a card skimmer to clone.
Not true. One way to defeat this, if this is all there is to it, would be to have a camera and a stingray-like device instead of a skimmer. That can sit pretty much anywhere - not even directly on the ATM. When the display shows a QR code, it jams the signal. The user eventually gives up and walks away. Then the stingray-like device transfers the QR data and IMEI of the user, and the thief walks up and grabs the money that now comes out.
Another way would be a man-in-the-middle attack, where the data exchange proceeds as natural, all the way until the final confirmation, when the jammer turns on. And again, sends the final ack on behalf of the user once he walks away.
I can think of a couple more attack vectors too.
It'd be an arms race. Then you'd have a 'transaction did not work' fake button and an app sending "I'm still alive" every few seconds too. Pretty much any technological solution can be circumvented by counter-technology. Even if you and I cannot think of it right now, it's a safe bet that someone will. The solution is to add real security and simplify, not add technology and complicate. Because the more complicated, the more attack vectors there will be.
Simplest would, perhaps, be to kill ATMs and instead switch the aging US banking system to one that is payer-initiated and not payee-initiated, like most of the rest of the world, and mandate that all bank account numbers be globally unique and public. Then you pay for things through any method you like, and the merchant has no business even knowing how you paid it - as long as he sees the money enter his account, he is pleased.
Paypal brings SOME of that to US customers, but not nearly enough. Our antiquated banking system is why we still carry so much cash and rely on ATMs.
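As an added illustration, not BMO's actual protocol (the article gives no detail beyond "scan the QR, get cash"), here is a minimal model of the exchange in which the bank binds each QR to an ATM, an amount and a single-use nonce with a short expiry, so that an approval captured and replayed later, or delivered after the user has given up and walked away, is refused. The keys, the 30-second window and the scenario values are constructed for the example.

```python
import hashlib, hmac, secrets

# Constructed key for this model only; a real deployment would keep it in an HSM
# and the phone's secure element. Shared by the bank and one enrolled app (assumption).
BANK_PHONE_KEY = b"constructed-enrolled-phone-key"
QR_TTL = 30  # seconds a QR challenge stays valid; an assumed value, not BMO's

def tag(payload: str) -> str:
    return hmac.new(BANK_PHONE_KEY, payload.encode(), hashlib.sha256).hexdigest()

class Bank:
    """Issues one-time QR challenges and authorizes each withdrawal at most once."""
    def __init__(self):
        self.pending = {}   # nonce -> (atm_id, amount, issued_at)
        self.used = set()

    def issue_qr(self, atm_id: str, amount: int, now: float) -> str:
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (atm_id, amount, now)
        return f"{atm_id}|{amount}|{nonce}"   # what the ATM shows as the QR code

    def authorize(self, payload: str, phone_tag: str, now: float) -> str:
        atm_id, amount, nonce = payload.split("|")
        if nonce in self.used:                   # second use of a captured approval
            return "replay"
        entry = self.pending.get(nonce)
        if entry is None:
            return "unknown"
        if now - entry[2] > QR_TTL:              # approval arrived long after the QR was shown
            return "expired"
        if (atm_id, int(amount)) != entry[:2]:   # ATM or amount altered in transit
            return "mismatch"
        if not hmac.compare_digest(phone_tag, tag(payload)):
            return "bad_signature"
        self.used.add(nonce)
        del self.pending[nonce]
        return "dispense"

def phone_approve(payload: str) -> str:
    """The enrolled app signs exactly the QR it scanned (ATM, amount, nonce)."""
    return tag(payload)

def run_scenarios():
    bank, t0 = Bank(), 1000.0
    qr = bank.issue_qr("ATM-42", 100, t0)
    ok = bank.authorize(qr, phone_approve(qr), t0 + 5)            # normal withdrawal
    replay = bank.authorize(qr, phone_approve(qr), t0 + 6)        # same approval again
    qr2 = bank.issue_qr("ATM-42", 100, t0 + 10)
    late = bank.authorize(qr2, phone_approve(qr2), t0 + 10 + QR_TTL + 1)
    qr3 = bank.issue_qr("ATM-42", 100, t0 + 20)
    atm, _, nonce = qr3.split("|")
    forged = bank.authorize(f"{atm}|500|{nonce}", phone_approve(qr3), t0 + 21)
    return ok, replay, late, forged   # -> ('dispense', 'replay', 'expired', 'mismatch')
```

The expiry and single-use nonce close the "walk away, then submit later" window; they do not by themselves stop an approval relayed within the window, which is the residual risk the comment above describes, and is why the user's confirmation step still matters.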
