The biggest ATM fraud case in history has made headlines this week, as a group of individuals used spoofed prepaid debit cards to extract $45 million from ATMs around the world. Almost 3000 New York ATMs were hit in a 10-hour span alone.
While the removal of the limits on the prepaid debit cards was the result of the criminals hacking the systems of two payment transaction processing providers, the physical part of the heist was done with spoofed magnetic stripe cards. It’s long been known that magnetic stripe technology is a vector for ATM theft, but this is the largest such attack ever carried out. Magnetic stripes are a 50-year-old technology that’s easily exploited with off-the-shelf hardware that can be cheaply and legally purchased by anyone from a variety of legitimate business sources. While financial institutions have been attempting to move towards chip cards, the transition has been slow, and chip cards, ATMs and debit machines all still support magnetic stripe technology for backwards compatibility.
But it may well be time to ditch that paradigm entirely, in favour of something drastically more secure. Personal mobile devices with biometric sensors are on the horizon, and these devices could change everything. The two-factor authentication of a payment card with a PIN code does not verify the identity of the holder. It simply verifies that the holder has a physical implement and the related knowledge to use that implement. As it stands, the prevalence of magnetic stripe technology means the card itself can be copied… at which point the required authentication becomes mere data that can be transferred across the world. Mobile computers, however, both have processing capability and allow for alternative input. They’re capable not only of self-contained public/private key encryption, but of their own independent networking and now, with the refinement of biometric sensors, of a robust array of human identification tools. In the near future, a cell phone will be capable of using iris, face, fingerprint, voice, and even cardiac rhythm pattern recognition to verify, with the highest degree of confidence, that the only person who can access your money is you.
Apple may well be moving towards this new paradigm. Following Apple’s acquisition of AuthenTec, rumours are now floating around that the iPhone 5s may well include both a FIPS-201 certified fingerprint sensor and NFC capabilities. This would allow Apple to corner the market on not only biometrically authenticated mobile payments, but biometrically authenticated NFC payments as well.
In fact, PayPal’s chief information security officer Michael Barrett, who is also the president of Fast Identity Online (FIDO), went so far as to announce the impending death of the password in a keynote speech at Interop last week, at one point showing a dramatic slide with a tombstone for passwords citing a lifespan of “1961-2013”. He then went on to hint that “a large technology provider in Cupertino, Calif., will come out with a phone later this year that has a fingerprint reader on it”.
At this point, it’s hard to tell whether public adoption of biometric authentication will be easy, but if Apple manages to lead the industry, its track record with the iPhone shows it may well be effortless. This would spell the death of a wide variety of security holes, not the least problematic of which is the one created by the magnetic stripes sitting in all of our wallets.