When eight thieves allegedly withdrew nearly $3 million from New York City ATMs in less than a day, the hard part wasn't finding an ATM card.
By the time the astonishing heist was under way, the difficult work of hacking prepaid debit card accounts and stripping the withdrawal limits was long done. After that, coding the magnetic stripes on the backs of plastic cards with the hacked account numbers was no big deal. Brooklyn U.S. Attorney Loretta Lynch said conspirators in the global scheme, which netted $45 million from ATMs around the world, were able to use gift cards, old hotel keys, expired credit cards—anything with a magnetic stripe on the back.
It didn't have to be this way.
The insecurity of "mag stripes," a decades-old technology, is no secret. The use of sometimes paper-thin "skimmers" in the slots of ATMs and card swipers to lift card data from mag stripes is a commonplace crime.
And more secure alternatives are well established. In Europe, Canada, Southeast Asia and parts of Latin America, card issuers and consumers are switching to so-called chip-and-PIN systems. Instead of mag stripes, cards are embedded with computer chips that are much harder to hack.
But even a band of bandits hauling backpacks stuffed with millions likely won't speed the U.S. conversion to more secure card tech.
"The U.S. accounts for about a quarter of the world's card spending but about half of the world's card fraud. The odd $45 million here or there doesn't make much difference to the overall calculation," says Dave Birch, a director at electronic transactions consulting firm Consult Hyperion.
"It boils down to the lack of a business case that is based purely on security."
In other words, fraud inflicts a cost, but not a high enough cost to justify the financial impact of a radical overhaul to new cards and point-of-sale systems.
Still, the risks are serious enough that the largest U.S. credit card companies have set a deadline for merchants to embrace "contactless" cards that use chip-and-PIN, officially known as the EMV payment standard.
By October 2015, the big four—Visa, MasterCard, American Express and Discover—will no longer assume liability for fraud at the checkout counter if banks haven't made chip-and-PIN cards available or merchants haven't switched to point-of-sale terminals that will accept the cards.
One possible perk of the switchover could be the widespread support of NFC for payments—embedded chips that would allow users to wave their smartphones over point-of-sale scanners to pay just as they would an EMV-equipped credit or debit card.
At the same time, credit card companies have had to set the deadlines in the first place because card issuers and merchants see little incentive to switch otherwise. Mag stripe cards still work just fine for them, and have even become slightly more secure as PIN-enabled debit cards have become so prevalent. And the elimination of the requirement to sign a credit card receipt for transactions under $25 has even stripped contactless payments of their speed advantage.
What's more, by 2015 a different payment technology altogether—a technology possibly much less expensive for merchants—may have taken hold. Companies like Square already offer point-of-sale systems that allow customers to pay retailers via smartphone app and retailers to accept those payments the same way. Participants on both sides of the transaction don't need any proprietary technology at all. They just need the consumer devices they likely already have.
Such systems eliminate the obvious vulnerabilities of mag stripes. They also give merchants less incentive to shell out for expensive new EMV technology if systems like Square have become widely embraced by their customers by 2015.
One company that appears not to be banking on a future that includes little plastic cards is Google. Use of its Google Wallet app has not flourished due to the limited availability of NFC terminals in stores. But AllThingsD reports that Google has scrapped a plan to introduce a standard mag-striped credit card as another way to harvest consumer data:
"Google CEO Larry Page abruptly killed the card launch plan after he was displeased with a glitchy run-through demo last week. He had long been skeptical of a physical card solution, with several sources saying he felt it did not press forward innovation as payments startups like Square have done."
In the U.S., the switch to 21st-century payment tech is moving so slowly that ATM thieves might be able to take their hacked mag stripes from machine to machine in a self-driving car. But at least they won't be able to use a Google card.
