Contactless is crap but it could be worse: Yanks suffered magstripe up to 2015
Blast from the past (sorry, that'll be last night's curry)
Want me to flash? I’m good at flashing.
Oh, and apologies for the lateness of this week’s column: it has been one of those weeks. To make up for it, here’s a flashback.
Like I said above, I’m good at flashbacks.
I wrote the following column eight years ago about the much-belated mercy killing of the magstripe credit card system in North America. It amused me that the manual system, based on carbon paper and a big slidey plastic-and-metal thingy, lasted so long.
I hope I will be equally amused in the future by the death of contactless payments, which work only 50% of the time in my experience. This means the retailer has to print out a cancellation receipt and ask me to chip-and-pin it instead, which obviously takes longer than just chipping-and-pinning in the first place, which makes me wonder what the flying fuck the point of contactless is … 50% of the time.
Happy weekend, dear reader, and I trust Americans are contactlessing their week ahead frantically in time for a Happy Thanksgiving.
Whenever I dump my load, I don’t feel the need to swipe. Swiping is far too dirty for me. I’d rather just lightly touch, lift up my trousers and walk away.
Having slipped the touch-and-go debit card back into my wallet and collected my load of clothes shopping that I had dumped at the till – why, what did you think I was talking about? – I sometimes try to imagine who might still prefer to use the ancient magnetic swipe reader found at the side of every point-of-sale card keypad.
Could it be Chelsea Pensioners struggling with the concept of chip-and-PIN? Russian gangsters who’ve scammed hundreds of magstripes at a nearby cash machine? Retro-hipsters with Bitcoin debit cards whittled from sustainable oak?
I found out this week *: millions of North Americans.
It was only while reading a story on The Reg about how Samsung’s mobile payment system supplier, LoopPay, was hacked back in March that I twigged. Apparently, the hackers had been trying to break into LoopPay’s magnetic secure transmission system, which emulates “commonly used magnetic stripe cards”.
Commonly used? Surely not. No one has asked me to swipe a card for years.
And a damn good thing, too: giving a card reader access to the personal identification data encoded (ha ha, my little joke) on the magnetic strip at the back, known as a “magstripe”, is about as secure as writing your PIN on a piece of paper and asking the nearest hoodie to read it out to you as you key it in.
Yet now I learn that American and Canadian banks and retailers never quite warmed to chip-and-PIN in the early noughties, prolonging the use of magstripe’s 1970s tech far beyond its reliable lifetime. However, the North American love of magstripe had its heart broken 10 days ago * when the tech was rendered officially obsolete.
Retailers can still support card swiping at point-of-sale if they wish, but as of 1 October 2015, banks and credit agencies in North America no longer bear the cost of magstripe fraud at the tills.
Magstripe, you see, suffers from two major problems: security and usability. It is severely lacking in both.
A magstripe holds three 2.8mm-wide recording tracks. For historical reasons, Track One is devoted to airline use: magstripe’s first great success was in 1970 when American Express introduced self-service ticket and boarding-pass desks at the American Airlines counter at Chicago O’Hare International Airport.
Track Two contains your personal banking information. Track Three can be used to hold all manner of third-party data, from information about your financial loans to your driving licence details.
So there it is – all your personal ID encapsulated, but not encrypted or anonymised, in a little magnetic strip that is easily read (and thereby easily copied and duplicated) by a magnetic reader. It sounds appalling but compared to relying on carbon copies of your credit card plus a signature, it must have been amazing.
Let’s be charitable, then. As magstripe took off at the end of the 1970s, no one knew how easy it was to read and duplicate information from magnetic tape ... except perhaps for data security experts, banks, credit agencies, data processing staff, retailers, radio station engineers, recording artists, employees at Philips and Sony, Led Zeppelin bootleggers, Robert Fripp, Bow Wow Wow and every teenager in the world with two tape decks.
The other problem with magstripe, usability, will be familiar to most people who have ever had to deal with electronically locked doors, from the early days of numeric keypads to the widespread adoption of RFID around ten years ago.
I have already vented my spleen about RFID door entry systems but the swipe-card entry systems that preceded them were both unreliable and hilarious in equal measure. This was because you were never quite sure whether the door would open on the first swipe or the seventeenth.
This, then, would force you to attempt a variety of increasingly embellished ways of swiping your card through the slot. Turn the card over and swipe again. Swipe upwards. Swipe upwards and then downwards. Swipe quickly. Swipe slowly. Jiggle the card up and down a bit. Swipe over and over again, shouting the Joliet-standard verbal password: “Open the fucking door, you bastard.”
You needed to develop a very particular swipe technique, different for every card and every reader, to persuade the bastard thing to work. I knew one guy who used to employ an elaborate pre-swipe routine involving breathing on the card (this works for uncooperative Zippo lighters, by the way), rattling the door a bit to give it fair warning that you want it to open, then enacting a kata sequence from Enter The Dragon before leaping into the air and swiping the card through the slot as he descended.
The worst swipe-card entry system I ever encountered was the one at the bomb-proof reinforced door of the PC Magazine testing labs. Not even the entire Bruce Lee back catalogue would persuade its magstripe reader to open that fucking door, much to the amazement – well, amusement – of my colleagues. Then I noticed there was a 2mm gap between the door and the frame, and I found that I could push my card through the gap to release the Yale-type lock they had foolishly installed on the other side.
All this nonsense has been superseded by RFID, albeit with the caveat that you need to be careful about which cards you hold near the touch-reader devices. One of my clients’ premises requires me to carry an entry card for all its external and internal doors, while also acting as a payment card for purchases made at the staff canteen. I am never sure whether, on those occasions when it bleeps red and refuses to let me enter or leave the building, I am actually being charged for an egg mayonnaise sandwich and a mini pack of sour cream Pringles.
For North Americans who are only now being forced to abandon magstripe at the tills, it seems likely that chip-and-PIN will represent the briefest of “new” financial authentication systems to deal with. There will probably be a short interlude of chip-and-PIN curiosity before the nerdy explosion of smartphone payment spreads its love from Europe back across the Atlantic to where it was originally devised.
Then, once the last remaining outback of the western world (the USA) has caught up and all our financial transactions are properly hooked up to big data trawlers, we can look forward to an appropriately dystopian future, as every purchase, Retweet, Share and Like will be tracked, evaluated and applied to our credit rating. The Chinese are doing it now, so I reckon your government will be next – assuming it isn’t already.
In the future, we will need new techniques for accessing the data of our own lives, and this time will require more than a simple swipe to open the door.
A nuclear warhead ought to do the trick. Obliterate the fucker.
Alistair Dabbs is a freelance technology tart, juggling IT journalism, editorial training and digital publishing. At the time he wrote this * he was trialling different methods of paying for goods by smartphone and encountered one significant difficulty. When one credit card is refused, he said, it’s quick and easy to whip out another, but if this happens on a smartphone, it is mandatory to put up with a queue of harrumphing customers behind you as you fiddle with an app to change the account you want to pay from. Or whip out another smartphone?
* This was written on 10 October 2015
I’m so glad we don’t have swipe readers any more; they would never let you in when you needed it.
Mind you, it can be worse: at an ex-employer, someone programmed some doors (not all) with a 3-second delay between the card being read (or, if coming the other way, the door button being pushed) and the lock releasing. It took a lot of moans and people walking into the closed door before they fixed it.
Mind you, at the same employer they put the door controller inside the room it was controlling. The controller locked up, so a hole was drilled through the wall to allow the maglock to be released - the same idiots put the controller PC in a room controlled by itself…
Contactless entry cards were a thing in the USA in the mid-80s. The particular company I worked for then had a card reader on the door to/from the common area in the building, which saw much traffic of the Percy pointing variety. Since the reader was just below hip height to the average male, and the cards were way too thick to fit in a wallet, there was much bumping of butts to bring back pockets into proximity with the reader. How the very few women in the tech company negotiated this I cannot say.