‘SafePay’: First anti-fraud system to use existing credit card readers

From large-scale data breaches such as the 2013 Target case to local schemes that use skimming devices to steal data at the gas pump, credit card fraud is becoming commonplace. The key challenge is that existing magnetic card readers use plain text to store confidential information, which makes them vulnerable to an untrusted card reader or skimming device. Analyst firm Alite Group estimates that this vulnerability is adding up to $8 billion in incurred losses per year in the U.S.

Solutions have been proposed–such as integrated circuit cards and mobile wallets systems. However, they are incompatible with current systems making them too costly and time-consuming for retailers to implement.

For the first time, researchers have developed an inexpensive, secure method to prevent mass credit card fraud using existing magnetic card readers. The novel technique–called SafePay–works by transforming disposable credit card information to electrical current and driving a magnetic card chip to simulate the behavior of a physical magnetic card.

The research, led by Yinzhi Cao assistant professor of computer science and engineering at Lehigh University (Bethlehem, PA) with coauthors Xiang Pan and Yan Chen from Northwestern University, will be presented at the IEEE Conference on Communications and Network Security which takes place next week, September 28-30, in Florence, Italy and published as paper: SafePay: Protecting against Credit Card Forgery with Existing Magnetic Card Readers.

“Because SafePay is backward compatible with existing magnetic card readers, it will greatly relieve the burden of merchants in replacing card readers and at the same time protect cardholders from mass data breaches,” said Cao.

Broadly speaking, SafePay is related to Cyber-Physical Systems (CPS), which are systems consisting of computational elements that control physical entities. The computational elements in SafePay consist of a mobile device and a server which distributes disposable credit card numbers. The physical entity is the magnetic credit card chip controlled by a mobile application inside a customer’s mobile device.

The paper outlines the overall architecture and server-side deployment model, the design of SafePay, prototype implementation and security analysis.

Here’s how it works: First, the user downloads and executes the mobile banking application which communicates with the bank server. During transactions, the mobile application acquires disposable credit card numbers from the bank server, generates a wave file, plays the file to generate electrical current, and then drives the magnetic card chip via an audio jack or Bluetooth

The critical elements that make SafePay unique are:

  • Disposable credit card information that expires after a limited time or number of usages (i.e., just one time) so, even if the information is leaked, it cannot be used for future transactions.
  • A magnetic credit card chip that makes it completely compatible with existing readers. In the evaluation, the researchers show that the cost of the magnetic card chip is about $0.5, and could be even lower if manufactured in large scale.
  • A mobile banking application that automates the process making it extremely user-friendly.

Cao and his colleagues conducted real-world experiments with the SafePay technology performing transactions with a vending machine, a gas station, and a university coffee shop. During the experiments, they used a bank application, cell phone application, and magnetic credit card chip. The disposable credit card information was acquired from ShopSafe by registering several disposable credit card numbers with Bank of America. In all three scenarios, the SafePay method worked and the transactions were successful.