The Cloning of Credit Cards: The Dolly of the Electronic Era

• Jurisdiction: South Africa
• Pages: 331-346
• Author: Charnelle van der Bijl
• Date: 27 May 2019
• Published date: 27 May 2019

THE CLONING OF CREDIT CARDS: THE

DOLLY OF THE ELECTRONIC ERA

Charnelle van der Bijl

BLC LLB LLD

Senior Lecturer, Department of Mercantile law, University of Stellenbosch

1 Introduction

The long-awaited and much-anticipated EMV (Europay, Mastercard and

Visa) system aimed at combating credit and debit card fraud has recently

been launched by ABSA. VISA branded debit cards will contain a special

chip and transactions will be veried, using a four-digit personal identica-

tion number, which will be keyed in instead of the signing of receipts.1 The

introduction of the EMV bank chip smart card system, which is to replace

magnetic stripe cards with microchip cards, is aimed at eliminating the risks

of unauthorised use.2 A smart card is a plastic card based on cryptography

with a microcomputer chip in it, which is swiped at a payment terminal, or

smart card reader that veries the smart card as being genuine by sending

a random code. This code in turn is responded to by the microchip, which

together with a security access code such as a PIN (Personal Identication

Number), acts as a type of secret key.3 Smart card technology therefore refers

to the microcomputer-embedded technology linked to the card rather than to

the purpose of the card.4

The cloning of payment instruments poses a formidable challenge to banks

and consumers. The cloning of credit and debit cards is often referred to as

skimming, which entails that the magnetic strip on the back of a credit card is

copied using a hand held card reader.5 Magnetic-stripe card technology is there-

fore awed in the sense that the data stored on the stripe can be altered by a per-

son who has access to the device which records the information and the mag-

netic-stripe credit card can be replicated (cloned) on a personal computer.6

1 “ABSA, VISA Launch Pro duct to Curb Card ‘Sk imming’” Busine ss Day Friday May 4 2007 19. See also

Schulze “E Money and Electro nic Fund Transfer s” 2004 16 SA Merc LJ 50 54-56 for a di scussion of the

nature of sma rt cards.

2 Schulze 2004 16 SA Merc LJ 53 and n 21. See further Havenga & Havenga , Kelbrick, McGregor, Schulze ,

Van der Linde & Van der Merwe General Principle s of Commercial Law (2004) 390-391. EMV (Europay,

Mastercar d and Visa) is a global card standard that has bee n accepted by South Africa , but which remains

to be f ully implem ented despit e the imple mentation da te being 1 January 2005. This card has a digital

signatur e, and transac tion slips will no longe r be needed.

3 Havenga et al Komm ersiële Reg 410-411. Schulze 2004 16 SA Merc L J 55. See also Schulze “Sma rtcards

and E-money: New D evelopments Bring New P roblems” 2004 16 SA Merc L J 703 707.

4 Schulze 200 4 16 SA Merc LJ 53.

5 Business Da y Friday May 4 2007 19.

6 Schulze 200 4 16 SA Merc LJ 55.

331

(2007) 18 Stell LR 331

© Juta and Company (Pty) Ltd

Following on from our previous article on cloned cheques,7 the focus of this

article will be on cloned credit cards. It will be investigated whether the EMV

system is a miracle cure to credit card cloning in particular, or whether pitfalls

exist, which need to be guarded against. During the transition period from

the current credit card system to the bank chip smart card, it will no doubt be

important to ensure that both types of credit card are interoperable and that ter-

minals would be able to accept both magnetic stripes and magnetic chips.8 This

in itself will not be without its own challenges, especially as far as the preven-

tion of cloned credit cards is concerned, as has since been discovered in France

and the United Kingdom which already implement the EMV system.9

In France, algorithmic research (ARX) has uncovered security problems

related to the exposure of PIN codes of magnetic stripe and EMV cards used

at ATM’s (Automated Teller Machines).10 Anyone with access to the PIN veri-

cation facility could use hardware to reveal the PIN codes and either perpe-

trate fraudulent transactions or manufacture cards with different PIN codes

to those of the legitimate cards.11 The French system experienced further set-

backs as some electric point terminals used for smart cards still had magnetic

swipe readers. The reason for this is that certain ATM cash terminals were only

able to use data stored on the cards’ magnetic stripe due to incompatibility

problems with cards embedded with chip technology.12 Serge Humpich, a 36

year-old engineer, discovered aws in the smart card microchip system used in

France and actually managed to crack the French banking smart card system

by fabricating a fake smartcard that was recognised by electronic point of sale

terminals.13

A further report on fraud-related EMV payment, perpetrated at petrol sta-

tions with unattended payment terminals, has been made in the United King-

dom. Money has reportedly been stolen from customers after their payment

card data was skimmed (cloned). The reason cited for this is that the cards

were swiped through a magnetic stripe reader, which captured the data. In the

process, the terminal also detected whether a chip was present and the transac-

7 Pretoriu s & Van der Bijl “A New Mode of Forgery: The Ri se of Cloned and Washed Che ques” 2006 18:2

SA Merc LJ 196.

8 Schulze 200 4 16 SA Merc LJ 56.

9 “Card Techn ology” Newsr oom Global Newswatch vol 11 06/01/06 C ard Tech 8 2006 WLN R 9391895;

“French Card Ha cker Convicted” ava ilable at http://ww w.theregister.co.uk/ 2000/02/26/frenc h_card_

hacker_convic ted (accessed 10 May 2007).

10 “Algorithmic Research Reveals PIN Proc essing Weak ness tha t Allow Payment-Card Fraud” available

at http:// www.smartca rdstrends.co m/det_atc.php?idu (accessed 8 M ay 2007). Se e also Dine rs Club SA

(Pty) Ltd v Singh 20 04 3 SA 630 (D).

11 “Algorithmic Re search Reveals PIN Processing Weak ness that Allow Pay ment-Card Frau d” available at

http:// www.sma rtcardstr ends.com/det_a tc.php?idu (accessed 8 May 2007 ).

12 “French Card Ha cker Convicted” ava ilable at http://ww w.theregister.co.uk/ 2000/02/26/frenc h_card_

hacker_convic ted (accessed 10 May 2007).

13 “French Card Ha cker Convicted” ava ilable at http://ww w.theregister.co.uk/ 2000/02/26/frenc h_card_

hacker_convic ted (accessed 10 May 2 007). See fur ther “Secur ity: Hackers Re veal How to Forge a Ban k

Card” available at http:// www.tla.ch /TLA/N EWS/2000sec/20 000317credicard.htm. There it is men-

tioned that the informati on hacked included d eciphered c odes which validated forgeries where micr o-

chip-car rying ca rds were fed into ATM’s, or mo bile phone sty le termina ls where amo unts are i mmedi-

ately debited once t he card has been read a nd the PIN number has b een entered. See f urther “Sma rt Card

Crypto Ge nius Sent to Trial” availa ble at http:// the register.co.u k/2000/01/23/smart- card-cry pto-genius-

sent (accessed 8 May 2 007).

332 STELL LR 2007 2

© Juta and Company (Pty) Ltd