The Bankwatch

Tracking the consumer evolution of financial services

Search Results

Korean ATM network no longer accepts Mag Stripe


With that, mag stripe support is removed from Korean ATMs.  Finally someone has seen the light.  Maintenance of mag stripe just because America refuses to accept chip fully is an unacceptable willingness to accept fraud.

I hope this is the first of a trend.

hat tip Dave Birch

dgwbirch
South Korea turns off magnetic stripe support in ATMs http://t.co/Fjn4QGCbU6
2015-03-06, 18:11

Written by Colin Henderson

March 6, 2015 at 18:39

Posted in Uncategorized

Stripe land another $70 million


I have been following Stripe for a while, and now I wish they were listed 🙂

Stripe banks $70m in fundraising, valuing company at $3.5bn ft.com

Good for them. Stripe and Ripple are the two that I would bet on in payments.

Written by Colin Henderson

December 2, 2014 at 23:04

Posted in Uncategorized

Stripe are heading towards becoming leaders in payment processing


In Aug 2013, I picked up on Stripe, and was impressed by their ‘start up’ approach to a space banks should have owned, but failed since day 1.

Stripe – simple online payments …

Today this piece at Bloomberg surprises with the extent that Stripe have become engaged in the payments eco-system that matters. This piece is worth the read just to see the big name players Stripe have engaged.

Stripe Lands Apple in Quest for $720 Billion in Payments

They are integrated with Apple Pay, Alibaba and have these backers:

Stripe has the backing of investors including Sequoia Capital and Andreessen Horowitz, as well as PayPal co-founders Peter Thiel, Elon Musk and Max Levchin. It has raised about $140 million in funding, with its $1.75 billion valuation pegged to a financing in January.

Written by Colin Henderson

September 21, 2014 at 23:00

Posted in Uncategorized

EMV decisions on mag stripe in Canada in 2005 come back to haunt customers


Finally Target confirm the obvious, that the recent hack of 40 million debit and credit cards also obtained the PIN numbers.  Target have also told CNN that they do not store the encryption key.  This is suspect at best.  It may not be stored but it exists somewhere, otherwise they could not have encrypted the PINs.  I would go further and question why Target store the PIN at all.  The EMV protocols require the PIN for interaction between the Card, POS and the Bank.  The PIN is of no value to Target.

Target confirms encrypted PINs were stolen in recent breach

(Reuters) – Target Corp (TGT.N) on Friday confirmed that “strongly encrypted PIN data” was stolen as part of the massive data breach at the third-largest U.S. retailer during the first three weeks of the holiday season.

Back to the mag stripe storyline.

Background from Krebs:

If there was ever a driving case to eliminate mag stripes this is it.  My wife used her credit card in NY State recently and innocently noted to me they never asked for her pin.  Yes dear, that’s because your super secure chip card is using the porous mag stripe in the US.

If you really want to get paranoid about this, then read Krebs on Security here.  He has identified the Ukrainian man responsible.  I have viewed some of the sites mentioned and it is at once alarming and also disarming how easy it was to identify this man.  This would be a much better use of the NSA abilities.

Stolen cards are divided into a ‘base’ that reflects the stolen source and any other special characteristics.  In this case individual bases included zip and postal codes (yes, Canadian cards are involved, including Bank of Nova Scotia in one sample posted online).  Two bases mentioned on one site, which has disappeared since Krebs’ post, are called Tortuga and Barbarossa.  The advantage of zip/postal codes is to design the attacks within the cardholder’s home region, thus increasing the time before issuers’ fraud alerts kick in.  It’s obviously more of a fraud alert if your card that is used daily in Niagara Falls, Canada, shows up in a transaction in Hong Kong or Singapore to purchase electronic goods.

The cards are purchased as follows (from Krebs)

A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’s cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.

Some others:

According to the "base" name, this "Dumps" shop sells only cards stolen in the Target breach.

To be clear, what is for sale is the card number, expiry date, name, address, and CVC.

Relevance to Bankwatch:

If ever there was a case to get serious about not just EMV but mag stripe then this is it.

The sophistication level is such that simple encryption of stored data is not enough.  The transmission of the data has to be considered.  If the data (card number, pin, etc) are ever in the clear (i.e. unencrypted) during the process then they probably exist unencrypted somewhere such as in RAM and these guys have tools to search that RAM.

I have long been a proponent of the two card approach.  Give me a chip card for my day to day use.  In 2005 during the initial requirements sessions for Chip Cards I disagreed with the retention of the mag stripe.  The well intentioned purpose was to make it a smoother transition for clients who a) travelled abroad, and b) who used merchants that hadn’t converted.  I always believed those two points were over-stated and unfortunately this has been borne out in Canada.  Merchants swarmed to the new technology, egged on by a fairly non diverse and aggregated group of POS providers. And foreign travel – give me a different card.

That initial decision to maintain the mag stripe was driven by Visa and MasterCard, but we could have made in Bank decisions to not follow that decision, and still remain within the terms of the agreements in my view.

So my wife’s shopping trips in the US are unnecessarily at risk due to a poorly conceived decision by technologists in 2005.  And that unnecessary inconvenience includes all the banks and card issuers’ fraud departments who spend all day cancelling and re-issuing cards.  This is a dirty secret of banks and the scale of that re-issuance is overwhelming.

Written by Colin Henderson

December 27, 2013 at 14:02

Posted in Uncategorized

Cheques, Miles, Gallons and mag stripes – US just left behind by North Korea as the last non EMV (Chip) card country


I just love this paragraph from Brett’s latest post over at Finextra.  It says so much at so many levels about America.

USA – world’s largest closed loop payments system?

Last year Celent reported that fully two thirds of cheques written globally are still written in the United States. At a time when the world is accelerating towards faster payments, the US has been reinforcing Check21 and propping up a system that was popularized in the 1950s. When put to a vote recently the US banking community voted down the Expedited Processing and Settlement (EPS) initiative at NACHA which would have given real-time ACH payments a chance in the US. As of Q1 2012, the only countries not to have adopted the EMV standard for cards payments were the United States and North Korea. In Q4 of 2012, North Korea adopted the EMV standard leaving the US as the sole remaining holdout, with the debate on EMV rollout for a 2015 timeframe still raging. This is not a globally progressive payments infrastructure.

This is especially apropos as we watch the US self destruct in a government system designed a mere 300 years ago to protect themselves from the mistakes of the Brits but more and more looking impotent.

I love America but what is it about the country that everything has to be self centric and their (old) way.  Cheques, Miles, Gallons and mag stripes … hmmmm

Written by Colin Henderson

October 8, 2013 at 00:07

Posted in Uncategorized

Stripe–simple online payments levering technology banks are missing


Here is a brilliant example of how online payments should work.  I have always maintained banks should be dominating this space.  But no.  Banks lost this battle by refusing to adopt new technology that works with the web.  Banks are still too focussed on platforms that support legacy systems, and that’s where a company like Stripe excels versus banks.

What is Stripe:

In typical developer form (take that as a compliment) they forget to tell site visitors who they are and what they do.  Any home page which includes reference to Stripe.js or anything *.js makes me smile.  The home page goes on to state ‘we are developers too’

Yes you are developers but more importantly you have a developer instinct to see through the un-natural constraints and hurdles that banks place in the way of elegant solutions.

Both sides:

I have seen both sides.  Bank software development and start up.  The nature of this post and knowing my audience, this will be read by bankers and by non bankers interested in financial services.  There is a point here that is essential, and one that banks are trying hard to come to terms with. 

Banks’ biggest success online has been with user interface.  It is fair to say a decent job has been accomplished with making online functional and easy both with web and mobile.  I am personally most familiar with BMO and RBC and great job there.

This point that Stripe brings to the fore is something else.  It is the next beach-head for banks to attack.  Banks are getting comfortable they have solved the web and solved bringing a customer centric view of cross bank customer information and functions to the customer. 

But this is only the start.  That was the 1996 problem.  Stripe highlights the 2013 problem for banks.  In fairness the technology in 1996 or even 2006 was insufficient to support complex financial activity on the web.  The newest versions of Ruby and js have sophistication levels that are dramatically enhanced in the areas of web capability along with security.

This is where Stripe has succeeded. They have full PCI compliance.  They have built from their base and are now taking on continents at a time.

Is Stripe PCI compliant?

Yes.

Stripe has been audited by a PCI-certified auditor, and has in turn been certified as a PCI Level 1 Service Provider, the most stringent level of certification available. You can confirm our certification in Visa’s registry of service providers.

Stripe is also a participant in the PCI Security Standards Council.

Relevance to Bankwatch:

The capabilities of technology are moving ahead very quickly.  We are talking months, not decades.  The example of Stripe is one that exemplifies the potential disintermediation of one more core bank function.

Much more to come.  Thank you Stripe for the brilliant example, and getting me excited about banking again!

Written by Colin Henderson

August 16, 2013 at 00:38

Posted in Uncategorized

the pinstripes are chasing the poor | TIME


Microfinance, small loans in impoverished areas, is becoming a business that is interesting the large banks.

The Big Trouble In Small Loans – TIME

And he’s getting more of them, from directions he never could have anticipated. Last year the Spanish multinational BBVA raised some $300 million to invest in microfinance, then reached across the Atlantic to snap up two Peruvian firms. “Everyone wants to do this now,” says Llosa. “And it’s not only Peru. This change is everywhere. Everywhere microfinance is working, it’s happening.”

Written by Colin Henderson

June 6, 2008 at 10:22

Posted in Social Lending

Combo mag stripe and chip cards will fail


The UK experience is indicative of how criminals will remain one step ahead.

Chip and pin helped cut card fraud by 13% to £439m last year from a 2004 high of £504m. Now, however, so-called ‘card not present’ fraud, which consists mainly of Internet scams, has risen 21% to £183m.

Source: Online shoppers may get own card terminals to beat fraud – Sunday Times – Times Online

Current implementations of chip won’t work as long as they combine mag stripe and chip on the same card.  The current implementations are intended to deal with fraud, but designed to deal only with ‘stolen credentials’ fraud.

“Chip and pin was brought in to deal with counterfeit and lost and stolen card fraud, it wasn’t introduced to tackle card-not-present fraud. What the industry is doing now is looking at ways to utilise chip and pin technology in an online environment,” said a spokesman for Apacs.

Relevance to Bankwatch:

I remain convinced the Bank that goes with chip only cards, and no mag stripe on those cards, will be the winner.  If customers require temporary cards for foreign use, then issue them separately, and charge for them.

Written by Colin Henderson

September 11, 2006 at 00:00

Posted in Uncategorized

The weakness in combo chip/ mag stripe cards


A move by criminals highlights the weakness in combo chip / mag stripe cards. These are cards that have both chip and mag stripe on them. This is the primary transitional approach taken by banks, to avoid issuing separate chip cards and mag stripe cards. Customers would require mag stripe for usage abroad where chip has not been implemented yet.

Guardian Unlimited | UK Latest | Eight held over chip and pin fraud

The scam works by criminals implanting devices into chip and pin machines which can copy a bank card's magnetic strip and record a person's pin number. The device cannot copy the chip, which means any fake card can only be used in machines where chip and pin is not implemented – often abroad.

Relevance to Bankwatch:
As predicted in an earlier 'relevance', I remain convinced that combo cards could be the death of chip, and the better approach would be to issue chip cards only with no mag stripe. If customers need a mag stripe for travel or other purposes, then they can get those. The problem is the transition of merchants to chip, so customers' desire to have chip only cards is the best impetus for them.
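As long as combo cards stay in circulation, the issuer can at least screen stripe reads of cards that carry a chip. The sketch below is an example added here, not part of the original post or any bank's code: it relies on the ISO/IEC 7813 Track 2 service code (first digit 2 or 6 marks a chip card), and the `Swipe` record, its field names, the entry-mode labels and the approve/review/decline policy are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})(\d*)\??$")

@dataclass
class Swipe:                      # hypothetical authorisation record
    track2: str
    entry_mode: str               # "chip" or "magstripe" (labels assumed here)
    terminal_reads_chip: bool
    terminal_country: str
    home_country: str

def card_has_chip(track2: str) -> bool:
    """Service code first digit 2 or 6 means the card carries a chip."""
    m = TRACK2.match(track2)
    if m is None:
        raise ValueError("not a Track 2 record")
    return m.group(3)[0] in "26"

def screen(s: Swipe) -> tuple[str, str]:
    """Return (decision, reason) for one authorisation request."""
    if s.entry_mode == "chip":
        return "approve", "chip read"
    try:
        chip_card = card_has_chip(s.track2)
    except ValueError:
        return "decline", "malformed track data"
    if not chip_card:
        return "approve", "stripe-only card"
    if s.terminal_reads_chip:
        return "decline", "chip card swiped at chip-capable terminal"
    where = "abroad" if s.terminal_country != s.home_country else "at home"
    return "review", f"chip card swiped at stripe-only terminal {where}"

# Constructed samples: test PAN 4111111111111111, expiry 3012.
CHIP_CARD = ";4111111111111111=30122010000000000?"    # service code 201
STRIPE_ONLY = ";4111111111111111=30121010000000000?"  # service code 101

if __name__ == "__main__":
    for swipe in (
        Swipe(CHIP_CARD, "chip", True, "CA", "CA"),
        Swipe(CHIP_CARD, "magstripe", True, "CA", "CA"),
        Swipe(CHIP_CARD, "magstripe", False, "US", "CA"),
        Swipe(STRIPE_ONLY, "magstripe", False, "US", "CA"),
    ):
        print(swipe.entry_mode, swipe.terminal_country, screen(swipe))
```

The "review" branch is the case the Guardian piece describes: a stripe copied from a chip card and presented where chip and pin is not implemented.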

Written by Colin Henderson

May 6, 2006 at 23:52

Posted in Chip Cards, Debit cards

Wal-Mart Executive says Chip & Signature is worthless


Finally the voice of reason from a US retailer.

Wal-Mart Treasury Exec: Chip & Signature is ‘Worthless’

Cook told CNNMoney that migrating to chip-and-signature is barely an improvement over magnetic-stripe cards, and said that Wal-Mart would have supported moving to a chip-and-PIN system. “The fact that we didn’t go to PIN is such a joke,” Cook said.

Written by Colin Henderson

April 6, 2015 at 22:12

Posted in Uncategorized
