Fraud
FRAUD
UPDATE

by Kiran Gandhi

Introduction

   The Magneprint® risk management tool provides Issuers, Acquirers, and merchants with an additional layer of protection against fraud, in card-present credit and debit card transactions. The necessary technology to implement this tool is now available, tested, and ready for use.
   Magneprint is a card security technology that will, when properly implemented, detect skimmed or magnetically altered counterfeit cards. The Magneprint risk management tool, developed by MagTek, Inc., imposes no significant time cost and only a minimal dollar cost on the merchant at the point of transaction, and the necessary infrastructure investment is negligible in the context of the ongoing costs of fraud to issuers and acquirers. Additionally, its success does not depend on a mass re-issuance of cards, since the cards currently in circulation can be brought into participation automatically over time in the course of their normal use.
   Magneprint technology is complementary to chip technology. For the foreseeable future the magnetic stripe will remain as either the primary or fall-back (if and when chip fails) machine-readable technology on financial transaction cards. The chip will protect the chip and will not protect the magnetic stripe. However, Magneprint will protect the magnetic stripe.
   Worldwide, reported credit card fraud is a U.S. $4 billion dollar problem, with an unknown but likely significant additional fraud cost related to debit cards that goes unreported. Credit and debit card fraud is everyone's problem. The costs of fraud are carried initially by issuers and acquirers, who pass them on to merchants in the form of authorization fees and discounts, who pass them on to consumers in the form of higher prices for goods and services.
   Over time, the adoption of Magneprint technology is expected to lead directly to an annual savings in the range of US$1 billion dollars of card-present credit card fraud that is currently borne by card issuers. In addition, there will be annual savings directly related to the elimination of currently unreported debit card fraud.

More Data Yields Better Decisions

   It's empirically clear that the current authorization system is generally successful in keeping credit card fraud within a predictable, actuarially useful range. But the system is not perfect. As we noted above, in the range of US$4 billion dollars worth of fraudulent transactions are cleared per year, the vast majority of which presumably represent "false positives" that were erroneously passed through by the authorization system.
   No matter how much information is available, the decision to authorize a given transaction (to indemnify the merchant for that transaction, provided that certain conditions are met) is always a statistical judgment call ­ a risk-management decision. The issuer adjusts his authorization algorithm to take into account all available information that is relevant and the algorithm produces an authorization decision.
   The accuracy of that decision, and its effectiveness in filtering out fraud, is directly related to the amount of information available to the algorithm. More data yields better decisions. For example, if the payer's identity and the card he presents were authenticated at the time of transaction, it would without question reduce the incidence of fraud.
   It is in the spirit of "more data yields better decisions" that the Magneprint risk management tool was developed. Magneprint is a way of providing another useful, reliable piece of data about the likely authenticity of a given credit or debit card. This data point can be used as an input to the card authorization process.

The Genius of Magneprint

   Magneprint uses the inherent properties of magnetic materials to provide the authorization algorithm with a reliable measure of how likely it is that the card presented is the original card issued by the issuer ­ not a clone, not a copy, or not one that has altered data on the magnetic stripe, but the unique original. There currently exists no other cost effective technology capable of providing such statistically reliable, real time authentication of the payment instrument in a credit or debit card transaction. As a result, issuers that take Magneprint into account in their authorization process should see an immediate and material decline in their fraud losses resulting from skimming.

Magneprint Fundamentals

   What is Magneprint: This technology was developed to generate a numeric value that could serve as the digital fingerprint of a specific magnetic stripe credit card or debit card. This digital fingerprint, known as a Magneprint, is a value that is determined automatically when a card is read in a Magneprint-enabled card reader.

How the Magneprint value is determined

   Magneprint technology, based on research conducted by Washington University's Department of Security Technologies, measures the background magnetic particulate distribution on a standard magnetic stripe card, and converts that distribution into a 54-byte value that is a simplified representation of that particulate distribution.

What needs to change on the current magnetic stripe card

   There are no changes required to the manufacturing process of the magnetic stripe, the plastic card manufacturing process, or the data encoded on the magnetic stripe. Also, there is no need to re-issue cards.

Why Magneprint is useful

   Because the particulate distribution is persistent over the useful life of the card, multiple Magneprint values read at different times from the same physical card (assuming the encoded card data has not been changed) will always be equivalent within statistical limits. In contrast, the Magneprint values read from different physical cards, even if encoded with identical card data, will always be different. This means that the Magneprint serves as a reliable indicator of the identity of a physical card, and can be used to prevent the authorization of fraudulent card-present transactions initiated from "cloned", "skimmed", or "altered" cards.

How the Magneprint is used to screen for fraudulent transactions

   When a card-present transaction is submitted from a Magneprint-enabled reader for authorization to a Magneprint-enabled host system of an issuer, the Magneprint of the card read at the transaction point is transmitted along with the card data and other data. The Magneprint risk management tool compares the transaction Magneprint value to a reference Magneprint value already present in the authorization database, calculates the degree of correspondence (the match value) between the two Magneprints values, and makes a judgment about the authenticity of the card based on all available transaction information, including the match value.

What technology is required

   The Magneprint risk management tool requires a Magneprint-enabled card reader at the point of transaction, an acquirer host that is enabled to transport the Magneprint values to the issuer, as well as a Magneprint-enabled system at the issuer's host site. The Magneprint-enabled components, which can be retrofitted into most existing card authorization systems at a nominal cost, will be available from MagTek and its partners.

Four Layers of Security

   Magneprint technology offers four layers of security. These are increasingly impregnable layers that act as barriers to prevent the compromise of Magneprint technology.
   The first layer of security is inherent in the complexity of the particulate distribution on a standard magnetic stripe. The Magneprint algorithm leverages the fact that the 3.375 inches of stripe space along each card's encoding area are populated by a persistent random distribution of particles, that are, permanently fixed. (The changes in the magnetic stripe's physical structure that occur during the lifetime of the card, e.g., by abrasion during normal use, are statistically insignificant.) Furthermore, the likelihood that two different cards will yield identical particle distributions, given the randomness inherent in the process by which magnetic stripes are manufactured, is in the range of one in 900 million. And the hundreds of millions of particles make it statistically and practically impossible for an existing magnetic stripe to be cloned (from the perspective of particle distribution) in a way that yields an equivalent Magneprint value.
   As a second layer of security, Magneprint technology determines the 54-byte Magneprint value in reference to the positions of the flux reversals of the encoded card data. The data pattern is larger (by orders of magnitude) than the particle pattern. Therefore, if a valid card with a known particle pattern were to be re-encoded with identical data, it would show non-trivial variances in the way the written data pattern microscopically aligns with the physically permanent particle structures of the magnetic stripe on the card. As a result, cards with "altered data" can be detected with Magneprint technology.
   The third layer of security is the random variations inherent in each incidence of reading a card. Each read of a card (whether the card is swiped by hand, inserted into a reader, or read by some other method) is a microscopically different experience, due to the impossibility of precisely duplicating the reading process, variations in the read head among card readers, and so forth. Paradoxically, this means that a transaction Magneprint value that is identical to a previous Magneprint value on file is almost certainly fraudulent. Multiple Magneprint values taken from the same card on successive reads are expected to vary, within a statistical range. The probability of an exact match on all 54 bytes in separate card reads is in the range of one in 100 million. This inherent variability provides a statistically probable, unique transaction number for every card read, assuring that Magneprint is very difficult to compromise.
   Finally, as a fourth and ultimately impregnable security level, the Magneprint authorization process is protected against fraud by the simple fact that it depends on information that is in plain view. There is nothing hidden about the particulate structure of the card, or the encoded alphanumeric data. This means that there is no "secret" to the fundamental Magneprint technology that, if cracked, would compromise the system.

Determining Acceptance Criteria

   It is important to understand that Magneprint does not guarantee the authenticity of the transaction. It provides the card issuer a data point representing the probability that a given card used for a transaction is authentic. By using this data point, card issuer can establish their acceptance criteria for a level of risk that is financially acceptable.
   During the Beta Test in 2002, a run of a million transactions with an acceptance threshold set at 0.5 resulted in a "false accept" rate of zero (that is, all attempts to process fraudulent cards were thwarted) and the resulting "false reject" rate was only 0.027 percent.
   In comparing a given transaction Magneprint to its reference Magneprint, the scoring algorithm assigns a match value between zero (no match) and one (perfect match). The Magneprint authorization methodology allows each financial institution to select an acceptance threshold between zero and one for its transactions, or even to specify a threshold that varies according to the characteristics of the transaction (e.g., be more stringent for higher-dollar transactions originating from a fraud prone merchant).
   As important as it is to reject fraudulent transactions, for many merchants it is just as important not to reject legitimate transactions (i.e., not to generate "false rejects"). In order to preserve customer goodwill, some issuers might wish to be more forgiving, e.g., set the acceptance threshold at 0.35, which would result in authorizing a very small number of fraudulent transactions, while statistically eliminating the incidence of "false rejects" and while still maintaining the robustness of Magneprint as a risk management tool. These risk management decisions have been deliberately left in the hands of the issuer, so that each can establish acceptance thresholds that are prudent in the context of its own business and its own customers.

Growing the Magneprint-Enabled Card Base

   The Magneprint risk management tool depends upon the presence of reference Magneprint data in the authorization database. This allows comparison of the transaction Magneprint data and the reference Magneprint data to authenticate the card.
   Reference Magneprint data should of course be collected as a matter of course whenever a card's identity is known with certainty, e.g., at the time of issuance. To avoid re-issuance costs, how can reference Magneprint data be gathered reliably on cards already in circulation, without imposing an unacceptable convenience on cardholders?
   Fortunately, Magneprint technology provides a built-in channel for collecting reference Magneprint data "on the fly" during the course of normal card use. When a transaction Magneprint is submitted as part of the authorization data set, and if no reference Magneprint exists for that card, this first transaction Magneprint is presumed to be legitimate and recorded in the authorization database with "provisional" status. Henceforth, the provisional Magneprint collected at the time of this earlier transaction will be available for use as the reference Magneprint in authorizing future transactions.
   The authenticity of this provisional Magneprint is not guaranteed, because it was collected in circumstances in which the authenticity of the card from which it was provided was not known with 100% certainty. However, there is a strong statistical probability (inherent in the overwhelming margin by which legitimate transactions outnumber fraud attempts in the transaction pool as a whole) that any such "provisional" Magneprint will in fact be legitimate, so treating all such provisional Magneprints as authoritative, in the absence of evidence to the contrary, is a statistically rational business decision. Furthermore, if there are no disputes from the cardholder regarding the transaction that was used to collect the "provisional" reference then the "provisional" status can be changed to permanent status.

Conclusion

   The Magneprint system as a whole has been exposed to rigorous beta test environments of statistically significant size, with quantifiable positive results. Following are some of the most prominent benefits associated with the adoption of the Magneprint risk management tool.

  • Decline in Direct Skimming
    As it begins to be adopted, Magneprint will immediately begin to impact the success of skimming ­ a method for creating counterfeit cards in which a legitimate string of card data bytes is captured and copied to create another card. Counterfeit cards created by skimming are easily detected by Magneprint technology. The decline in skimming will lead to a decline in credit and debit card fraud losses.
  • Other Benefits.
    Magneprint technology will increase the confidence and goodwill among both cardholders and merchants. Although difficult to quantify, this benefit is significant. With the increased awareness in identity fraud, consumers are becoming concerned with fraudulent uses of their credit and debit cards. Furthermore, both issuers and acquirers will benefit over time in the form of lower acquisition costs, lower churn levels, and increased card activity.