MY TAKE: How the lowly ‘magstripe’ became the perfect mechanism for payment card fraudsters

By Byron V. Acohido

When it comes to data storage, the familiar “magstripe” on the back of your plastic cards is about as simple and ubiquitous a piece of technology as you can find.

Consisting of magnetized particles impregnated on a thin band, it is the decades-old technology that makes credit, debit and gift card transactions possible. It is also widely used on employee access cards, public transit tokens, phone calling cards, even hotel card keys.

Now the lowly magstripe has become a favorite tool of identity thieves on the cutting edge, say law enforcement officials and tech security analysts.

The arrest in April of a suspected identity thief in Edmonton, Alberta, has shed light on one recent inventive scam.

Acting on a tip, Edmonton police arrested a 26-year-old man sitting in a shopping mall restaurant typing away on his laptop, and in possession of thumb drives and computer printouts of credit card account data stolen from hundreds of U.S. and Canadian bank customers.

The suspect also had several prepaid gift cards issued by Visa and MasterCard (MA), and a device for embedding data on a magstripe, called a “magstripe reader-writer,” says the arresting officer, Edmonton Detective Bob Gauthier.

How it’s done

By altering the magstripes of authentic bank gift cards, the suspect bypassed a difficult and risky step other magstripe scammers are forced to take: fabricating fake credit cards.

“Instead of having to make fake plastic, you can load up bank gift cards with stolen data you get from people online, then go in and use them like cash,” Gauthier says.

Sounds like easy loot. In fact, payment card fraud overall remains at manageable levels, and magstripe scams, in particular, are difficult to orchestrate, says Brian Triplett, senior vice president of emerging product development at Visa USA.

Crooks have to defeat a security code on the magstripe as well as automated systems that watch for and alert the credit-issuing bank to suspicious transactions.

“Every Visa transaction that goes through our network is rated for fraud potential in real time,” says Rosetta Jones, vice president at Visa USA. “Our approach is not only to protect card-holder data, we’re also exploring innovative ways to render that data useless.”

Magstrip reader

Yet crooks clearly are giving it a go. No precise measures of the levels of magstripe fraud are available. But the arrest in Edmonton followed the breakup in March of a Miami-based ring of thieves recruited to assist in an elaborate — and lucrative — magstripe scam.

In that case, data hacked from retail giant TJX flowed into the hands of forgers, who embedded the stolen data onto the magstripes of expertly counterfeited credit cards.

Enter the Miami ring. Its members, six of whom have pleaded guilty to organized fraud, used the counterfeited credit cards to buy stacks of Wal-Mart (WMT) gift cards. Ring members then used the gift cards to amass $1 million worth of big-ticket items from Sam’s Club, a Wal-Mart subsidiary.

Discussions on the website forums where data harvesters and identity thieves congregate suggest versions of the magstripe scams exposed in Edmonton and Miami are taking place elsewhere, says Dan Clements, president of, an identity-theft prevention company that tracks such chatter.

Recently, a forum participant going by the nickname PlasticShopper offered $30,000 worth of Wal-Mart gift cards for sale to the highest bidder; another hawked a $1,000 gift card from, Clements says.

Some crooks have even taken to using illicitly obtained gift cards as a form of payment to suppliers and partners, says Idan Aharoni, senior fraud analyst at security firm RSA, a division of EMC.

“There have been many talks (in the forums) regarding prepaid gift cards in general and the various methods of abusing them,” Aharoni says.

Gift cards issued by Visa, MasterCard and American Express (AXP) have emerged as singularly attractive fraud targets because they are much more widely available and can be used more places than merchant gift cards, security experts say.

Acquiring a bank gift card is as easy as buying a pack of gum at the grocery store or ordering a novel online. Thousands of banks, credit unions, supermarkets, drugstores and convenience stores offer them; they can be picked up at a grocery checkout line or ordered from online banking websites or sites such as

And they work at millions of restaurants and shops, using exactly the same magstripe-driven payment system used for credit and debit card transactions.

Fraud tough to spot

Like merchant gift cards, bank gift cards are flat, with no embossed numerals and no individual’s name anywhere on the card. No proof of identity is required to use them.

Altering the magstripe to convert a bank gift card into a credit card “is a way to convert small-value cards into big-value plastic,” says John Pironti, information risk strategist at tech consulting company Getronics.

Pironti notes that it takes several thousands of dollars of equipment to create counterfeit credit cards from scratch. “But if I whip out a generic Visa gift card, with an altered magstripe, with no name on it and no way to trace it, as long as I exude confidence while making the purchase, no sales clerk in the world is going to stop me,” he says.

Visa, MasterCard and American Express have begun rolling out “contactless” payment cards that use a computer chip to speed transactions and is said to be significantly more difficult to compromise than a magstripe. But magstriped payment cards are expected to continue in wide use for decades.

An estimated 5.1 billion magstripe payment cards are in use worldwide, with 15 million magstripe point-of-sales terminals in the USA alone, according to market researcher The Nilson Report.

Consumers, on average, use them about 15 times a week, says Mimi Hart, president of MagTek, a maker of electronic-transaction equipment, including magstripe reader-writers.

“The infrastructure is so huge, you can’t change the security for all these cards overnight,” she says. “It is an ongoing process.”

(Editor’s note: This story originally appeared in print copies of USA TODAY, inside the Money section. Jon Swartz contributed to this story)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone