It was called the Nightmare before Christmas. From Nov. 27 to Dec. 15, 2013, the personal information of as many as 70 million people—names, addresses, phone numbers, emails— was stolen during a wave of credit card thefts at Target retail stores.
The news did not surprise Yinzhi Cao, assistant professor of computer science and engineering. From largescale breaches to scams that skim data at gas station pumps, credit card fraud is commonplace. Indeed, the California financial consultant Javelin Strategy & Research estimates that credit card thieves stole $16 billion from 12.7 million U.S. consumers in 2014.
Because magnetic card readers use plain text to store confidential information, says Cao, they are vulnerable to untrusted card readers and skimming devices. Proposed solutions— integrated circuit cards and mobile wallets—are incompatible with current systems and too costly and time-consuming for retailers to implement.
Cao and his colleagues have developed the first inexpensive, secure method of preventing mass credit card fraud using existing magnetic card readers. Their technique — SafePay — transforms disposable credit card information to electrical current and drives a magnetic card chip to simulate the behavior of a physical magnetic card.
The group, which includes Xiang Pan and Yan Chen of Northwestern University, won the Best Paper Award when they presented SafePay at IEEE’s Conference on Communications and Network Security in September in Italy.
“Because SafePay is backward compatible with existing magnetic card readers, it will greatly relieve the burden of merchants in replacing card readers,” says Cao. “At the same time, it will protect cardholders from mass data breaches.”
SafePay consists of a mobile device and a server that distributes disposable credit card numbers. A magnetic credit card chip is controlled by an app inside the mobile device. The system costs about 50 cents, not including the mobile device.
A SafePay user downloads and executes the mobile banking app, which communicates with the bank server. During a transaction, the mobile app acquires disposable credit card numbers from the bank server, generates a wave file, plays the file to generate electrical current, and then drives the magnetic card chip via an audio jack or Bluetooth.
SafePay has several unique features. Disposable credit card information expires after a limited time or number of usages, so leaked information cannot be used in future transactions. A magnetic credit card chip makes it compatible with existing readers. The mobile banking app automates the process making it extremely user-friendly.
Cao’s group has conducted successful real-world experiments with SafePay at a vending machine, a gas station and a coffee shop. Their work is supported by Qatar National Research Fund and NSF.