Debit Card Cloning and the Cashless Society

I read with much amusement the article “Thieves Clone Debit Cards”, published Thursday March 11, 2010, The Thursday Star  which reports a supposedly new phenomenon of Debit Card cloning.

This reminded me of a similar report earlier this year on Wednesday January 6^th 2010, when the Bank of Nova Scotia announced on radio that persons were soliciting the Card numbers and PIN (Personal Identification Numbers) of customers Debit and Credit Card accounts via a phishing scam i.e. fake website requesting personal information.

While this technique is nothing new, it is not the first time either, as Cable and Wireless (now LIME) used to put out advisories warning persons against giving out account information if they had received email of the type similar to what was described in the advisory.

I use the word “new” rather loosely, as over the years I have heard so many countless stories about Credit Card theft, cloning and skimming that it has become rather boring, especially as I have worked in the Telecoms Sector for such a long stretch and I am thus used to the fact that Cards with magnetic strips can be easily copied to any other Card with a magnetic strip.

The procedure is so simple for copying Credit Cards that is somewhat obvious: just copy the Card using a generic Card Reader, which you can purchase online, store the contents onto a computer and use the same Card Reader to copy back the contents onto a new Card with a magnetic strip, a process called cloning. This new Card does not have to be blank, a point to note, as it can be any Card, including the Digicel Card Top-Up facility and the software to do it come with the Card Reader. But what of Debit Card Theft?

Debit Card theft is not a new phenomenon either and has been around since the early 2000 in other countries, such as in Great Britain, where Debit Card theft is on the rise and usually associated with organized crime, which is most likely the case here. However despite the phenomenon now in Jamaica using pin hole cameras mounted in brackets inside of the ATM (Automated Teller Machines) and devices, called Card Skimmers, placed over the Card slot to read the information on the Debit Card in order to copy the Card, these are not in anyway new.

The defeat for this type of fraud is also very simple: don’t use ATM with anything protruding from the Card Reader slot and always shield your pin when entering it to transact business. What however is new is how easily the information can be recovered. One of the relatively new methods is the use of wireless cameras. In the past, the pin hole cameras used to made from old camera parts that were stripped down and powered by a 9 VDC battery and stored the information digitally for retrieval later by the Debit Card thieves, along with the Skimmer device that was placed on top of the Card Slot.

However this has proven risky as the chances of getting caught in a police sting operation have increased and now a new generation of more sophisticated Credit Card thieves have begun to use wireless means of retrieving the data. In this new method, the Credit Card thief has a camera that transmits on a NTSC standard television channel, which has a range of 100 feet. As such, the Credit Card thieves can sit comfortably some distance away, possibly in a car and using a laptop, record all the transmissions from the wireless camera. But it is the Skimmer that has really gotten sophisticated.

With a bit of electronic wizardry, the Skimmer is now designed to send a transmission to a receiver owned by the Debit Card thief! This is done by using a mini radio transmitter which is gutted and connected to the Skimmers electronic circuit board. The Skimmer, like the Card Reader, records the Debit Card information as a series of tones or frequencies, as the information stored on the Debit Card, believe it or not, is not encrypted. Thus, once the victim, who is called a mark, inserts their Debit Card and then pulls it out, the Skimmer then transmits these tones via a RF frequency to a receiver that records the tones.

Later the images from the wireless pinhole camera and the information transmitted by the wireless Skimmer are paired together and used to place the Skimmer’s information on the new Card with a magnetic strip, which is essentially is cloning. Thus, by making the Skimmer and the pinhole camera wireless, the Debit Card thief ensures anonymity, making it difficult to trace anything back to the Debit Card thief.

As time goes by, with the prevalence of data services on Telecoms Provider’s Networks, the Debit Card thieves may become even more sophisticated and begin using 2G data services such as GPRS (Global Packet Radio System) and EDGE (Enhanced Data Rates for GSM Evolution) to transmit the skimmed Debit Card information and 3G or 4G data services to separately transmit the images from the mini camera. Already, I have seen mobile phone circuits reconnected just to do this, but this method too easily traces back to the Debit Card thief, so its prevalence may be short lived.

It seems Telecoms Providers may possibly be the Debit Card thief’s best friend in another way that most police may not have possibly foreseen but is so new that it has a new name: GSM snooping. This new method is now made possible thanks to the work of a German security expert Karsten Nohl indicated at a Hackers convention press conference in German that he had decrypted the A5/1 codebook, which uses a 64-bit encryption key, as stated in the article “Q&A: Researchers Karsten Nohl on Mobile eavesdropping”, published January 1, 2010 4:00 AM PST author Elinor Mills, InSecurity Complex – CNET.

For the layperson, this means that conversations on Telecoms Providers networks that still use the A5/1 codebook are not only interceptable but decodable. It is thus being hoped that local Telecoms companies have upgraded to the more secure A5/3 codebook, which Dr. Karsten Kohl, who holds a PhD in computer engineering from the University of Virginia, has yet to decrypt…….at least for now.

What Dr. Karsten Kohl research means is that for the first time, the almost 80 billion users in the world on the older GSM networks that have not yet gone 3G, which uses the stronger (and supposedly more secure A5/3 codebook), can have their conversations intercepted and reliably deciphered using off-the-shelf, easily available computer hardware. What is even worse, this information is now circulating on the Internet, as Dr. Karsten Kohl did this project with assistance from volunteers and developers from the Open Source community.

In practical terms, this means that not only is the knowledge of the process of how the codebook operates and is produced widely known, mobile conversations on older GSM networks still using A5/1 codebooks can now be easily decrypted. Decryption was possible years ago with the right gear, but this equipment was specialized and required security clearance and registration and was very expensive.

Thus with this breakthrough, thanks to the Open Source Community, GSM mobile conversations can no longer be considered private and confidential, as now embassies and politicians will soon realize that persons with laptops with the right gear can intercept their conversations as far as a kilometer away.

Thus the recent Bank of Nova Scotia advisory and now this recent article in the Thursday Star must now appear to be alarmist news, as most wireless POS (Point Of Sale) at Gas Stations and Convenience Stores island wide are on GSM networks, using the GPRS (Global Packet Radio System) and EDGE (Enhanced Data Rates for GSM Evolution) to transmit data for each transaction involving Debit and Credit Cards accounts.

Thus, the layperson, armed with this information, is left to wonder where the real concern of the Bank of Nova Scotia should be focused: not the few hundred people, whose number admittedly are increasing, who do transactions online and often receive notifications via email and may mistake them as real when in fact they are part of a phishing scam, but the increasing thousands of people who are now using wireless POS (Point Of Sale) at Gas Stations and Convenience Stores island wide whose transactions are now interceptable and reliably decodable with equipment that is already easily available in Jamaica.

Eventually as Dr. Karsten Nohl and his Open Source team progress with their work, they will soon decrypt the formidable 128 bit A5/3 codebook, which is currently not in use on most GSM networks, inclusive of CLARO, Digicel and LIME and AT&T, which has so far resisting change to this new encryption schema due to it prohibitive costs as stated in the article “Cell phone codebook exposes security gaps”, published January 28, 2010 by Sami Lais, The Washington Technology, The Washington Post. Thus it seems a solution is required for both the usage of ATM Debit and Credit Cards as well as Wireless POS device usage.

So what is the solution? Already, it has been reported that RFID (Radio Frequency Identification) touted as the next secure means of transmitting you pin wirelessly between the Card and the ATM machine was showing promise, but even these systems have been compromised due to poor encryption schemas.

Perhaps by 2015, with improvements in the power systems and the electronics of these RFID tags, Debit Cards can be made safer by coercing people to do most of their financial transactions without cash, doing away with the idea of money having to be withdrawn from the banks forever, possibly even the Debit Card itself, making everyone instead to posses a Credit Card with a RDID tag.

Even cheaper would be an implantable RFID device in your wrist, eliminating the need to carry a Card altogether. In this future Cashless Society, which is very much possible as there have been calls by the BOJ (Bank of Jamaica) Governor for the immediate passing of a Credit Reporting Bill as stated in the article “Credit rating bureau needed quickly - Wynter”, published Friday January 22 2010, The  Daily Observer, by Alicia Roache, The Jamaica Observer to create a Credit Bureau which would result in the construction of a CBD (Credit Bureau Database).

This would be possibly using Digicel’s DataCenter as well as the recent passing of a Cyber Crime Bill, as stated in the article “Move to Tackle CyberCrime - Hacker got Golding”, published Sunday February 14, 2010 by Philip Hamilton, The Jamaica Gleaner. Increased Taxation and Financial Transaction Security by the introduction of a Cashless Society via these two Acts of law would allow the Government of Jamaica to literally modernize Jamaica overnight as we push towards 2030.