Disable magstripe purchases?


(Allie) #1

I love that magstripe ATM transactions are disabled by default. Is there any way we could get this same protection for purchases as well (especially disabling fallback)?

P.S. on that same note also disable contactless magstripe emulation mode by default, obviously being able to turn this on when travelling.

P.P.S. what if we don’t want 24 hours of magstripe cloning vulnerability? It would be nice to be able to do single purchase within 10 minutes or something type authorisations. Also a good chance for merchant education at small businesses ‘oh yes, my bank declined it because your system is insecure so hang on, I have to tell them really quickly in the app it is okay and it isn’t a thief trying to use my card here.’ This might make small businesses where the owner is the one ringing you up think twice about their refusal to upgrade their old magstripe stuff.


(Hugh) #2

I’m not sure (personally) you’d ever want to turn this on given the massive inherent insecurities with MSD.

Personally, I have overwritten all my bank cards (they now carry my student ID) - obviously this isn’t meant to be a “sensible” suggestion as such (although I do have a secure copy of the card data should I ever need to “re-enable” magstripe).

I think this does demonstrate (perhaps better for another thread) why magstripe should be discontinued as a matter of urgency. There is no use case for it anymore (except legacy support for people that haven’t upgraded terminals in 15 years).


(Allie) #3

Except, the vast majority of contactless in the US uses MSD mode, even when EMV is available for contact. So it’s good for travel, and the risk can be mitigated by using Android Pay. And even MSD contactless mode is more secure than actual magstripe.

As I said, I’d rather it be one-off (tell the app you’re expecting a magstripe transaction and to authorise ONE that occurs within 10 minutes or so).

Or shops that have it disabled. I can name one in the town I went to uni in the US that HAD EMV enabled, then asked their processor to disable it because they preferred swiping. Most restaurants in the US, even with chip terminals, have it disabled.

I agree completely that this is ridiculous, but it needs to be supported for travel. Thus my suggestion of disabling these modes, but then allowing a one-off ‘authorise one transaction’ button.


(Hugh) #4

Hmmm, do you have a source for that? Iirc it is literally MSD OTA which sounds worse imho!

Oh totally agree!
I would welcome a discussion (and maybe this isn’t the place) on what needs to happen to completely disable magstripe and remove it permanently, and what the timescales and implications of that would be. For instance, is the infrastructure significantly more expensive?


(Allie) #5

Contactless MSD mode uses a dynamic CVV/CVC, so whilst pre-play attacks are possible, you can’t use it to make a cloned card (usable for more than one transaction).

Why not the place? We are trying to help give our opinions for the bank of the future. My understanding is the magstripe physically needs to exist, or even some chip-enabled ATMs will reject the purchase. Even the ICBC cards in Hong Kong with ‘no magstripe’ just have it printed over so it doesn’t look like there’s one! The data on it, though, isn’t normal when I tried to read it (I don’t remember, but it wasn’t a valid bank card track).

Part of me, who has a wallet of cards, would love to have a card that simply didn’t have a magstripe as a merchant education tool. Walk out of shops which use it and show them, especially small businesses, how it loses them business (this only works if the owner is the cashier, obviously).

Being realistic, I have a lot more cards and payment options than most. It needs to work for travel. But one-off could be a good balance.
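
A minimal sketch of the one-off authorisation proposed in this thread, added here as an example; it is not part of any post and not the bank's own code. The entry-mode labels, class and method names are hypothetical, and "approve" means only that this entry-mode check passes.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical entry-mode labels, constructed for illustration; a real issuer
# would derive the mode from the authorisation message it receives.
LEGACY_MODES = {"magstripe", "fallback", "contactless_msd"}
WINDOW_SECONDS = 10 * 60  # "within 10 minutes or so"


@dataclass
class CardControls:
    legacy_blocked: bool = True             # legacy-mode purchases off by default
    one_off_expiry: Optional[float] = None  # set when the cardholder allows one

    def allow_one(self, now: float) -> None:
        """Cardholder pre-authorises a single legacy-mode purchase in the app."""
        self.one_off_expiry = now + WINDOW_SECONDS

    def decide(self, entry_mode: str, now: float) -> str:
        """Return 'approve' or 'decline' for the entry-mode check only."""
        if entry_mode not in LEGACY_MODES or not self.legacy_blocked:
            return "approve"  # chip and contactless EMV never touch the permit
        expiry = self.one_off_expiry
        self.one_off_expiry = None  # single use: cleared whether spent or stale
        if expiry is not None and now <= expiry:
            return "approve"
        return "decline"


def replay(events):
    """Run (time_in_seconds, action) pairs through one card; return decisions."""
    card, decisions = CardControls(), []
    for t, action in events:
        if action == "allow_one":
            card.allow_one(t)
        else:
            decisions.append(card.decide(action, t))
    return decisions


SAMPLE = [  # constructed timeline
    (0, "magstripe"),           # no permit yet
    (60, "allow_one"),
    (90, "chip"),               # chip purchase leaves the permit intact
    (120, "fallback"),          # first legacy purchase spends the permit
    (130, "magstripe"),         # second swipe inside the window is refused
    (1000, "allow_one"),
    (1601, "contactless_msd"),  # 601 s after the permit: expired
]
```

The second swipe at 130 seconds is the case the thread cares about: data skimmed during the permitted purchase cannot be reused, even though the 10-minute window is still open.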