Being a bank whistleblower, it wasn’t long before I found myself involved with Anonymous, Occupy, Wikileaks, and the underground world of hackers and hacktivism.
After seeing the backend of banking operations, this tech geek suddenly found himself immersed in the cyberwars, routinely helping disseminate leaked documents from various hacks, cracks, and social-engineering attacks.
That’s not where I learned to test the limits of technology, but it’s a shady corner, I, like many security professionals in banking, government, and more, still keep an eye on. For every technological advance we create as a society, someone inevitably weaponizes it.
Catch Me if You Can
Bank fraud has existed as long as banks, and the financial industry has always been a hotbed of corruption and regulation. One of the most notable financial criminals in recent history is former-con-artist-turned-security-consultant Frank Abagnale.
Frank Abagnale wouldn’t hold you up at gunpoint at the ATM, he simply understood how bank routing numbers and systems worked. Using this knowledge, he would assume identities and travel the country passing around forged checks, deposit slips, and even swiping deposit bags.
After his capture and release, Abagnale was forced to work with the FBI on financial crimes. He soon began consulting banks on the tricks used by paperhangers to exploit vulnerabilities in the banking system.
Debit or Credit?
It wasn’t long after Abagnale’s apprehension that banks began working with credit card companies Visa and MasterCard on replacing checks with debit cards. By using a middleman to process payments, banking information is pulled from the equation.
Having a check stolen meant the thief had access to your address, account number, routing number, and other valuable information. Using paperhanging tricks or forgery is useless against a magnetic stripe (which works similarly to a cassette tape if you remember those), and most people don’t have the knowledge or tools necessary to access the information.
With credit cards having already been a proven model for decades, new generations were quick to pick up on this seamless and secure paperless technology. These extra layers of protection and convenience led to businesses worldwide that didn’t already accept credit cards to install the swipe and feed machines we’re all used to.
Transitioning from Analog to Digital
The problem with debit and credit cards was the magnetic stripes were technically unencrypted. Although the usage of authorization and transaction codes is a form of analog encryption, nothing at the point-of-sale prevented a third party from intercepting the transmission of data during a card swipe.
From the 90’s to today, stories flood the news of debit and credit cards being used for fraud in ways Frank Abagnale could only dream. ATMs were quickly reverse engineered, and user manuals were leaked online, allowing the homebrew community to come up with some rather ingenious methods of financial fraud.
Fake ATMs are often built, and faux card readers are often installed over legitimate ones. You may have noticed a taped seal on the part of the gas pump where you swipe your card – that’s how attendants know when one has been tampered with.
On top of the fraud, cards can easily be demagnetized in our wallets when left next to magnets in smartphones, tablets, headphones, and other electronics you may not have even known were there. Magnets are also often located in the checkout scanner at retail stores that use magnetized security locks to prevent shoplifting.
Faced with having to upgrade over 3 million ATMs and countless POS machines worldwide (and huge advancements in microchip technology), the U.S. is finally moving away from magnetic stripes to NFC chips, with every card issued since October 2015 having one embedded.
EMV and NFC
When reading about the new chipped debit and credit cards, you’ll often see two terms: EMV and NFC. EMV stands for “Europay, Mastercard, and Visa,” who worked together to set a global standard to allow NFC chip cards to work with both POS and ATM machines. NFC stands for near-field communications and is the technology that allows the chip to work.
NFC chips aren’t just embedded in payment cards, they’re also found in most late-model smartphones and even newer model cameras and other electronics. The chips are used to enable wireless data transfer between two electronics devices up to 4-inches apart. They also allow electromagnetic induction charging, which is the technology used in wireless chargers.
Since the average POS device is much larger than 4-inches, it’s assumed nobody can intercept any transmissions. Even if transmissions are intercepted, being digital, they can be encrypted to make them unreadable.
In order to read these NFC chips, however, ATMs and POS machines have to be upgraded with an NFC reader, which you’ll now find in many major banks and retailers.
Samsung Pay sticks out from Google and Apple’s pay-by-phone apps in that in addition to NFC payments, it also supports MST (Magnetic Secure Transmission) technology on Galaxy S5 and newer phones.
Instead of transmitting the transaction codes via the EMV standard, Samsung’s LoopPay technology transmits the unencrypted information to the magnetic stripe reader. The company is able to bypass EMV standards because it’s not FDIC insured like deposit banks are.
Samsung Pay’s MST (developed by LoopPay) doesn’t work in ATMs or gas station pumps that use card feeders, but it can communicate with any card-swiping POS machine. This gives it a marketing edge over the iPhone and even other Android competitors but at a cost of security.
The Vulnerability of Phone Payments
MST, NFC, RFID, and other payment technologies aren’t new, and devices that can interact with and manipulate them are all over the place. And that’s the fatal flaw in phone payments.
Although Frank Abagnale could teach you how to forge a check or pass the bar exam, it’s not an effortless process. You’d have to practice your handwriting, typesetting, and countless other real-world skills.
Magnetic stripe readers aren’t easy to get a hold of on the consumer market. On top of a huge expenditure for equipment, you’d need training to program it and use it. But NFC readers are already pre-built into nearly every phone currently in development, providing a stable and consistent platform on which to create an app.
This generation’s Frank Abagnale won’t be a paperhanger – he’ll be a decentralized P2P group of people working in tangent to maintain transparency in banking. They’ll maintain records of what all those numbers on our credit and debit cards mean and implement their shared knowledge into an app capable of using packet-injection techniques to harvest information from your phone.
And instead of getting just your name, address, and account number, they’ll have access to all of your online profiles, contacts, content of text messages and emails, phone records and more. And they no longer need to risk getting caught swiping your wallet or installing fake equipment in public places.
Because all those phone payment services store up to 10 authorization cards locally on your phone. All you need to know is where they’re hidden.
I wouldn’t be surprised if such an app already existed, and that’s why I keep all those programs off my phone and avoid Samsung’s phones at all costs. I have enough problems without making myself a target.
Brian Penny is a former Business Analyst and Operations Manager at Bank of America turned whistleblower, troll, and freelance writer. In addition to MyBanKTracker, his work has appeared in The Street, Fast Company, Quickbooks Small Business Resource, Hardcore Droid, and High Times.