Can I scratch off the magnetic strip off a debit card to only allow chip and PIN?
I have been robbed in the past by thieves using my HSBC Debit Card (issued by the UAE branch) to purchase mobile phones and accessories by signing for the purchases. While the card has chip & PIN protection, HSBC mentions (in the fine print) that, because not all merchants have chip & PIN, they also allow the PIN to be bypassed and the purchase to be signed for.
My question is: if they were able to sign for the purchase, was that using the magnetic strip? And if so, can I scratch off the magnetic strip so it can't be read and essentially have a chip & PIN-ONLY debit card?
I was told that HSBC will not refund the money as I did not protect my card (even though I always protected my PIN) and will not issue a chip & PIN-ONLY Debit Card. All UAE banks provide only a chip & PIN card with a signature option. The same goes for the "new and improved" chip and PIN credit cards.
Can I scratch off the magnetic strip to protect my money?
Unfortunately, "card not present" transactions *can't* be protected by chip and pin, so no matter what you do to the physical card, there's a persistent "back door" built in to the system.
"I was told that HSBC will not refund the money as I did not protect my card" I find this shocking. Were there some circumstances of not protecting your card that you admitted to?
What @tylerl said, because otherwise you wouldn't be able to use the card online. Having said that, we *really* need to fix this, e.g. with 2FA (e.g. send a text message that requires a response for card-not-present transactions).
If you are robbed, you should call the bank immediately to report the stolen card so that any purchases made thereafter are no longer your responsibility but the bank's.
It is very strange that HSBC will not protect you. My bank will allow the first non-chip transaction, then call your mobile. If you don't answer, the card is immediately blocked; we are nowhere near as big as HSBC, so one would hope HSBC would be more robust in their policies.
You should consult a local lawyer. Usually there are laws regulating who is responsible in such cases; there might be a threshold limiting customer liability, and signature transactions might shift such liability to the merchant, as he's responsible for verifying the signature. Banks sometimes tell plain lies: if the customer believes them, they win, and if he comes back with a lawyer they lose nothing.
@tylerl: The existence of another vulnerability does not invalidate mitigating this one. In fact, card-not-present transactions pose a different set of challenges for a criminal, like requiring a shipping address. In some places it's enough to make them less popular among thieves than the fully anonymous "walk in, buy goods, walk out, leave no trace". But the chance of the card being useless in the hands of the "wrong kind of thief" is IMHO well worth the effort. Especially as thieves tend to dispose of stolen cards at the first hint of problems.
You should also be concerned about NFC cards. New cards are being delivered with this "new and exciting" method of payment, where you don't even have to enter the PIN and the card can be read with an NFC-ready cell phone.
Debit cards provide thieves a direct path to your bank account. I won't have one around. Best of luck.
It is less common, but in the USA some banks, such as Bank of America, offer an ATM/debit-only card. It is not a Visa/MasterCard, so it will not be accepted unless you process it as debit and enter a PIN. There are BofA branches in the UAE, so I would ask there.
What about the old "see ID"? Where I live, if you write that in the signature line on the card, merchants will require a photo ID instead of a signature.
You should try to find a bank that prints your picture on the card itself. I don't know if this kind of card is available in Europe, but in the US it's common enough. Of course, this method is far from foolproof: all they have to do is find someone who looks like you, which should be easy enough, but it's one additional hurdle they'd have to go through before being able to use your card without the PIN.
As Phil stated, you can still use the card using its number (as you would do online). Also, some ATMs won't accept the card if they are not able to read the magnetic strip.
The best thing is to use a credit card: in that case you can block the payment and get a refund.
There is a +/-80% solution to that ATM problem in my answer. Note that besides using the card's number online one can also still use chip+pin. YMMV according to where you live.
Chip+pin is not a problem because they would need to know the pin. Brian is asking how to protect from someone swiping the card and faking the signature.
I meant 'the owner of the card (with scrambled magstripe) can also still use chip+pin' (depending on where the owner lives), not the attacker. Sidenote: the PIN is easy to get; the software pretty reliably gets the victim's PIN from no less than 3 meters away for glassholes and around 43 meters for an HD camera. www.blackhat.com/docs/us-14/materials/us-14-Fu-My-Google-Glass-Sees-Your-Passwords-WP.pdf and www.wired.com/2014/06/google-glass-snoopers-can-steal-your-passcode-with-a-glance/
The numbers are not just printed but embossed. Making them unreadable would require a lot of fiddling with the card. In any case, I would not accept a card without numbers on it as payment.
Yes, you can.
In some places you can find a device called a demagnetizer. Just run your card over it (or over a very strong magnet), and the magnetic track will be corrupted and you will only be able to use the chip part of the card.
If you have an old tape (audio or VHS) recorder, you can take it apart and use the write heads to wipe cards. It's a nice little project you can do in a few minutes :)
How can you verify that the procedure was successful? And can't the chip also get damaged by a magnetic field which is strong enough?
The chip won't get damaged by a magnet. And to try it, I would go to a friendly shop, ask to pay with the magnetic strip and see a big "error" on the card reader :)
@HocusPocus - actually, if it is demagnetized, the read head should get a bunch of nothing rather than an error. An error might still be magnetized with some information uncorrupted.
In the United States, if the mag strip doesn't work, the cashier can always complete the purchase by using the number on the front of the card. Does a chip and pin card not have a number on front?
@Phil Get some sanding paper and sand the number off? Or epoxy to cover them and make them unimprintable. :-)
@Phil at least in the UK, the ability to do this was removed from most POS terminals at the time chip & pin was introduced. Manually entering the card number is only possible if you're authorized for cardholder not present transactions on your merchant account. I don't know if it was handled the same way in UAE, though.
Wouldn't this also destroy the NFC that is becoming more and more present in debit cards?
Embossed numbers are still present on CCs to allow a quick (literal) carbon copy of the card on paper. That's from the (very) old days, but it is still allowed today, and it will count as a card-present transaction.
The magnetic strip is still there because half of the CC readers still work that way. ATMs and TPVs outside the USA and EU are still missing the chip reader, and even inside those countries most ATMs are old and would still read only magnetic strips.
Contactless cards are the new fashion and they are even more horrible than the previous two methods, since they will allow purchases with your CC still inside your wallet (and without you noticing).
Ways to be more secure with all those methods? Mess with the magnetic strip if you buy from merchants with chip-aware TPVs (magnets would do the trick); erase the CVC from the back of your card (write it somewhere else, but not on the card it "protects"); break the antenna on your contactless card or store it inside some aluminium foil; and don't ever lose sight of your CC. If you do not purchase online, ask your bank to deactivate your card for such transactions; if you do, ask your issuing bank to enroll your card in 3DSecure (Visa) or SecureCode (MasterCard) (or equivalent) to reduce the risk of online fraud, and remember to check your bank statements regularly, establish a low limit on the CC and ask your bank for details on anything suspicious.
NOTE on your bank refusing responsibility for "not protecting" your card (as if they had explained what methods count as "protecting a card" for them): a manually signed transaction must match your signature (on the back of your card and the one the bank has), so if the merchant accepted it, it should be the merchant's problem, not yours.
SecureCode seems to protect merchants, not consumers. Just as this question points out that the mag stripe is used by merchants who don't have chip+PIN processing, MasterCard transactions can be completed by merchants who don't have SecureCode processing. Very valuable for a merchant to support, because criminals will take the stolen number to another store where the SecureCode isn't needed. But for the consumer, it presents only additional risk ("We *know* the purchase was authorized because the correct SecureCode was provided!") because SecureCode secrets can be stolen too (keylogger, perhaps).
Regarding contactless cards: you don't know the horror that is here in Poland. Most banks don't give you an option to get a traditional card. I had to resort to punching a hole in the card where the antenna is.
@BenVoigt If your card has a robust authentication method (like an OTP to the phone) you reduce the risk to those merchants that do not use authentication, and in those cases the merchants are the ones that assume the risk of fraud, so your issuing bank should reimburse you (it could take some time, though). If you do not purchase online, ask your bank to deactivate your card for such transactions.
"ATM and TPV outside USA and UE are still missing the chip reader and even inside those countries most ATM are old and would still read only magnetic strips." - card readers using magnetic strips are pretty much unheard of in Europe. I guess that has to do with liability issues. Also I'm pretty sure I only used pin + chip in China.
@NuTTyX: The "robust authentication methods" actually only work if the merchant cooperates. I have OTP for internet payments, but it only works with merchants that use "3d-secure". The local ones do, but on some international ones I just entered the card number, even without the "cvc/cvv2", no OTP, no redirection, and the payment still cleared.
You can opt-out of the contactless option, and by default, they are very limited ($10-25 payments at once maximum). So no, embossed and magstriped cards are still a much more significant risk. However, it's a risk of the bank, not yours - if your bank doesn't refund the frauds, change your bank :)
@Luaan: sadly, some major banks/financial institutes *do not* offer contactless-free cards; they send them *activated* by mail (without prior notification), *without* any form of RF protection, without warning the customer that the cards expose unencrypted unique data wirelessly (confirmed by the bank in question, who argued chip & mag also have unique unencrypted data) and, to top it all off, silently *re-enabled* my account's contactless option after it had been disabled (and verified) by a bank employee (which is the only opt-out mechanism they offer). Solution: check the e-bank account daily?!
@Luaan contactless cards can have an RF chip, EMV chip AND magstripe. So they offer only an additional attack vector and no protection over what happened to the OP.
@Agent_L Yeah, but not necessarily - my card only has a single chip, no magstrip, no RF, no emboss, no internet payments. Encrypted chips are the standard here, and it's the only thing I need for both ATM and direct payment. I understand that US banks are a bit laggy in those security elements. Is there really no bank that would supply those? Do you have insurance with the card for free?
@Luaan I'm in Poland, so almost every card issued here has RF, chip and magstrip, no emboss on cheapest cards, but golds are always embossed. I haven't heard about any cards like yours. There are some insurances included, but imho all insurances from banks are to protect the bank, not the client, as EU laws pretty much exclude client liability beyond small sum.
@BenVoigt I agree 3D-secure only really protects the merchant (although your bank may make you agree with T&C claiming it protects the end-user). The major problem is that the authentication form is served within an iframe, which hides the URL and certificate validation of the 3D-secure page itself. That page often turns out to be some domain that has nothing to do with either the merchant, your bank or the card company. Of course, it's reasonably easy for an unscrupulous merchant site to make that iframe point to any proxy of its choice, which it could control: most users wouldn't notice it.
YES, but there is a big chance that an (internally chip-capable) ATM (depending on region) will reject the card!
The two most common reasons for an ATM (including a chip-capable one) to reject a card are:
- a dirty or scratched magstripe (as shown in spork's answer)
- an erased or mangled (= invalid) magstripe:
  - by exposure to magnets or EMP (they need to emit a flux strength of at least 4000 oersted, so your average refrigerator magnet will not work)
  - by using a 'demagnetizer' (like an electronic article surveillance (EAS) de-mag bin, but NOT a 'common' MCC/VHS head 'demagnetizer', since a 2006 report showed they were usually so weak they couldn't even wipe a floppy or audio tape)
  - by overwriting it with a high-coercivity (HiCo) writer (using all 1s, or 0s, or random data, optionally repeating it in the same manner (and for the same reasons) as one would DoD-wipe an HD). Running strong magnets (alternating their magnetic orientation) over (part of) the magstripe does exactly the same!
I can confirm the effectiveness of all three of the above, but note 2 things:
- Quite a few ATMs don't open their card slot if they don't detect the start of the magstripe, even if they would use the chip (if available) internally! (So my vote would go for magnetizing OR leaving the beginning intact and mangling the remaining +/- 2/3 of the magstripe)
- again, (depending on country/ATM) the ATM might reject a card with an invalid magstripe, according to the manufacturers of SkimProt, who sell a special magstripe sticker:
If the sticker is placed incorrectly or its integrity is damaged, ATMs may not accept the bank card. The sticker is:
A magnetic stripe containing a code, instructing ATMs to use the card’s chip and zeros in place of card information.
All-in-all, some food for thought, to which I want to add that the contact-less problem seriously outweighs this one.
One might want to do some trial and error (don't forget to have some cash or an alternative card available) in their regular region, BUT one should keep Murphy's law in mind: when you unexpectedly need your scrambled magstripe to work (school/field/company trip etc.), it most probably won't.
The SkimProt stickers are said to work in 80% of the world, which seems supported by the spec, and best of all: you can remove them in a pinch!
(My) logic thus dictates that, according to the manufacturer, 80% of the ATMs worldwide have a chip reader available internally, otherwise the anonymized card's magstripe would not work!
Sidenote: apparently the third (bottom) read/write track (specified to hold your 'encrypted' PIN) is usually not used by the majority of banks.
SkimProt seems like a nice idea but it's quite expensive (alternatives?). Also note that OP said he was robbed - it wouldn't protect in this case.
@domen: read between the lines: the point I'm making is that while a scrambled mag-stripe is NO problem at a non-mag POS, most (chip-enabled) ATMs will reject it! **Solution: scramble your magstripe and re-enable ATM use with an anonymous magstripe sticker**. Now the personal magstripe attack vector in case of theft is covered for only the 'price' of not being able to use +/- 20% of the ATMs worldwide; way better odds/user experience than almost none of the ATMs, while offering 100% magstripe skim protection. (In my opinion, this is still the only answer with a complete and viable solution.)
Possible alternative solution: buy SkimProt, read its special code, overwrite your own card's magstripe with that code. This assumes that it is possible to overwrite the write-protected tracks 1 and 2 (using a hard/soft-modded writer). If anyone can confirm that, please leave a comment!
Do you have any references for "scrambled mag-stripe ... most (chip-enabled) ATM's will reject it!"? How could the tracks be write protected, at all?
@domen: References apart from the ones already in my answer and spork's answer? (Pick up an ATM receipt from the ground (there are always polluters...) and try to cram it into an ATM... Fail. Now try it with your card, pulling it out in time once the slot opens... well, better don't do it, not fun to jam an ATM pre-Saturday-night, right?) As for the 'write-protect', that was my misnomer. It is specified as write-only and I assume it's only write-only per spec, as in: the device should obey the rules, but I'd love confirmation!!
Don't do this; it will not work in ATMs in my experience. I had to get a new debit card mailed last month because there was a little scratch on the magnetic strip, although I had not noticed and had used it for daily chip-only and wireless transactions. It wouldn't work in any (Dutch) ATM afterwards (I tried my own bank's and several other well-known ones).
Note that during this time I had no issues with wireless (nfc) and chip-only transactions, although that should go without saying.
This was the damage with which no ATM would accept my card:
+1 Just as I was saying and explaining in my answer; thank you *very* much for sharing this up-to-date answer!!
Thanks for that great picture. One can see the diagonal orange line mangling the magnetic 'bar code' (invisible to the naked eye) on track 1 and most (if not all) of track 2. Every byte (6 bits on track 1, 4 bits on track 2) has an extra parity bit and each track a checksum. Both would be invalid, thus the service code section cannot issue code 2 to instruct the ATM to use the chip. I have some questions regarding it: was it a scratch or was it 'broken' (like a cut)? If it was a 'cut', then I wonder, did your contactless function still work?
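The parity-plus-checksum structure the comment above describes is easy to see in code. The following Python is an added illustration, not from this thread: it encodes a constructed track-2 record (the well-known test PAN 4111111111111111 with a made-up expiry and service code) following the ISO/IEC 7811/7813 layout, decodes it back, and then runs a hypothetical `scramble` helper over part of the stripe to show that the damaged characters fail per-character parity, so the service code that tells a capable terminal to prefer the chip can no longer be read.

```python
from functools import reduce

# Track 2 of a magstripe (ISO/IEC 7811/7813): 5-bit characters, each 4 data
# bits (sent LSB first) plus one odd-parity bit, framed by the start sentinel
# ';', the field separator '=' and the end sentinel '?', then closed by an LRC
# character (XOR of every data nibble, sentinels included) with its own parity.
START, SEP, END = 0xB, 0xD, 0xF
_SPECIAL = {";": START, "=": SEP, "?": END}
_SPECIAL_REV = {v: k for k, v in _SPECIAL.items()}


def _encode_nibble(n):
    data = [(n >> k) & 1 for k in range(4)]      # LSB first
    return data + [1 - sum(data) % 2]            # odd parity over the 5 bits


def encode_track2(pan, expiry_yymm, service_code, discretionary=""):
    """Encode a constructed track-2 record (sentinels + LRC) as a list of bits."""
    text = f";{pan}={expiry_yymm}{service_code}{discretionary}?"
    nibbles = [_SPECIAL[c] if c in _SPECIAL else int(c) for c in text]
    lrc = reduce(lambda a, b: a ^ b, nibbles)
    return [bit for n in nibbles + [lrc] for bit in _encode_nibble(n)]


def decode_track2(bits):
    """Decode a bit list and report parity, LRC and framing checks with fields."""
    if len(bits) % 5:
        raise ValueError("track is not a whole number of 5-bit characters")
    nibbles, parity_ok = [], True
    for i in range(0, len(bits), 5):
        chunk = bits[i:i + 5]
        parity_ok = parity_ok and sum(chunk) % 2 == 1
        nibbles.append(sum(b << k for k, b in enumerate(chunk[:4])))
    *data, lrc = nibbles
    lrc_ok = reduce(lambda a, b: a ^ b, data) == lrc
    text = "".join(_SPECIAL_REV.get(n, str(n) if n < 10 else "#") for n in data)
    framed = text[:1] == ";" and text[-1:] == "?"
    fields = text[1:-1].split("=") if framed else []
    framing_ok = len(fields) == 2 and len(fields[1]) >= 7
    pan, rest = fields if framing_ok else ("", "")
    return {
        "valid": parity_ok and lrc_ok and framing_ok,
        "parity_ok": parity_ok, "lrc_ok": lrc_ok, "framing_ok": framing_ok,
        "pan": pan, "expiry": rest[:4], "service_code": rest[4:7],
    }


def chip_preferred(decoded):
    """ISO 7813 service code: a first digit of 2 or 6 tells a capable terminal
    to use the chip; a corrupt track gives the terminal no such cue at all."""
    return decoded["valid"] and decoded["service_code"][:1] in ("2", "6")


def scramble(bits, start, stop):
    """Hypothetical helper: simulate a scratch or magnet pass by inverting
    every bit in [start, stop)."""
    return [b ^ 1 if start <= i < stop else b for i, b in enumerate(bits)]


if __name__ == "__main__":
    # Constructed sample data (well-known test PAN, made-up expiry/service code).
    track = encode_track2("4111111111111111", "2512", "201")
    print(decode_track2(track))                    # valid, chip preferred
    print(decode_track2(scramble(track, 10, 40)))  # parity fails, no cue
```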
If you live in an area where no ATM or other cash terminal needs the magnetic strip, you can use a strong magnet to scramble the magnetic strip.
I personally have done this using a recycled neodymium magnet out of a decommissioned hard drive. Note: never put your debit card in a microwave if you intend to use it afterwards.
Why not write "VOID" (or "CHIP & PIN ONLY") in big letters in the signature field on the card (and take a photo of it for your records)? That should only allow it to be used for chip and PIN transactions. If a merchant does allow it to be used for a signature transaction, then the merchant and bank are going to have a hard time justifying allowing the transaction, especially as the signature didn't match...
I have "CHECK ID" written on my credit card, and it usually works.
Also, a girlfriend was able to get one bank (Bank of America) to replace her ATM/VISA debit card with an ATM-only card, just by asking.
I don't know about the magnetic strip; I guess you can. In my country almost all shops have chip readers. And if the card doesn't work, report it broken and you get a new one.
CSC / CVV
But what about the card security code (CSC or CVV)? With your credit card number, expiration date and CSC anyone can shop online. No need to steal a card!
It's just a number printed on the back of your card. I remember it and never need to read it, just as I remember the card number and date. So this is something that can easily be scratched off the card without consequences for ATMs and such.
This year ICS started using an app for your phone that creates a code that has to be used to approve a payment. To get this working you need to link that app to your account. This works like two-factor authentication.
My bank offers a service to send me an SMS whenever something is paid. So if someone abuses the card, I get a message. That is another security measure you can take.
Erasing or damaging the magnetic strip will stop it being read, but this may prevent the card working in some ATMs and such.
As pointed out, card-not-present, contactless (this one is lethal) and using an old imprinter (if still allowed for use by the merchant bank) are valid loopholes.
However, the EMV spec has a mode in which doing a signature transaction off the chip without the PIN is possible. Basically there is a priority list on the card; the terminal goes down the list and chooses the first method it can currently support. For example, if the reader currently does not have an internet connection then an offline transaction might be allowed by the card (this checks the PIN, but does not contact the bank to check the card is valid; it just asks the card whether the PIN typed in is valid, and as such is easily exploited if one is putting together fake cards). Another option on this list can be TRACK, which indicates the chip will spit out a copy of the magnetic stripe data for use if the PIN entry on the terminal is damaged.
Finally, to all those suggesting 3DSecure, SecureCode and Verified by Visa for online transactions: that has a whole list of its own criticisms and problems.
All the fraud prevention methods on credit cards are ultimately not for the card holder but to try and allow Visa, MasterCard and merchant banks to legally cover their own backs while still making sure they get their cut from someone. So the best answer given here is: contact a lawyer in your jurisdiction.
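The "priority list on the card" in the answer above is EMV's CVM List (tag 8E). The following Python is an added illustration, not code from this thread or from any EMV toolkit: it parses a constructed CVM List and walks it the way EMV Book 3 describes, showing how a terminal whose PIN entry is unavailable falls through to signature, and how an issuer-side list that ends in an explicit "fail" rule closes that route instead. Terminal capabilities are modelled as a plain set of supported method codes (an assumption made for brevity).

```python
# EMV CVM List (tag 8E, EMV Book 3 s.10.5): two 4-byte amounts X and Y, then
# 2-byte rules of (CVM code, condition code). Bit 7 of the CVM code means
# "try the next rule if this one fails"; the low 6 bits name the method.
CVM_METHODS = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN verified by ICC",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext PIN by ICC + signature",
    0x04: "enciphered PIN verified by ICC",
    0x05: "enciphered PIN by ICC + signature",
    0x1E: "signature (paper)",
    0x1F: "no CVM required",
}


def parse_cvm_list(data):
    """Split a CVM List into (X, Y, [(method, continue_on_fail, condition), ...])."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM list")
    x = int.from_bytes(data[0:4], "big")
    y = int.from_bytes(data[4:8], "big")
    rules = [(data[i] & 0x3F, bool(data[i] & 0x40), data[i + 1])
             for i in range(8, len(data), 2)]
    return x, y, rules


def _condition_holds(cond, method, supported, amount, x, y, same_currency):
    """Condition codes modelled: always (00), terminal supports CVM (03) and
    the X/Y amount thresholds (06-09). Cash/cashback conditions (01/02/04/05)
    are treated as not met, as they would be for a plain purchase."""
    if cond == 0x00:
        return True
    if cond == 0x03:
        return method in supported
    if cond in (0x06, 0x07, 0x08, 0x09):
        return same_currency and {0x06: amount < x, 0x07: amount > x,
                                  0x08: amount < y, 0x09: amount > y}[cond]
    return False


def select_cvm(data, supported, amount=0, same_currency=True):
    """Return the method a terminal with `supported` capabilities would apply."""
    x, y, rules = parse_cvm_list(data)
    for method, continue_on_fail, cond in rules:
        if not _condition_holds(cond, method, supported, amount, x, y, same_currency):
            continue                      # condition not met: skip this rule
        if method == 0x00:
            return CVM_METHODS[0x00]      # explicit "fail" rule
        if method in supported:
            return CVM_METHODS.get(method, f"unknown method 0x{method:02x}")
        if not continue_on_fail:
            return CVM_METHODS[0x00]      # unsupported and no fallthrough
    return CVM_METHODS[0x00]              # ran off the end of the list


# Constructed lists: LENIENT_LIST falls back to signature and then to "no
# CVM"; STRICT_LIST ends in an explicit fail, so a terminal without a PIN
# pad gets no signature route at all. Terminal sets are assumptions.
LENIENT_LIST = bytes.fromhex("0000000000000000" "4203" "4103" "5E03" "1F00")
STRICT_LIST = bytes.fromhex("0000000000000000" "4203" "4103" "0000")
PIN_TERMINAL = {0x01, 0x02, 0x1E, 0x1F}   # PIN pad, signature, no-CVM
NO_PINPAD = {0x1E, 0x1F}                  # PIN entry unavailable
BARE_TERMINAL = {0x1F}                    # supports only "no CVM"
```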
You should mark all of your cards "see photo ID" in the signature block on back. If a merchant accepts a fraudulent transaction after you've done this, it's entirely on them.
This doesn't speak to the specific threat the poster is concerned about. True or not, it's tangential.
With the card stolen, how could he prove it was marked? Besides, the power of such markings depends on local laws. Unless there is special jurisdiction in place, they are meaningless.