FBI Takes Down Alert on Chip & PIN Credit Cards

The FBI posted an online advisory about vulnerabilities in new chip-enabled credit cards but removed the message less than a day later, following concerns from US bankers who back chip cards.

The FBI didn't offer any comment on what happened to the original post, which raised the need for PIN (personal identification number) security to be included with chip-embedded cards. Use of a PIN instead of a customer's signature to bolster a chip card has become a heated battle between the nation's major retailers, which back a PIN, and powerful credit card companies and the major banks they support, which back signatures.

The American Bankers Association contacted the FBI urging it to revise and clarify its original post, which was in the form of a public service announcement (PSA), to reduce confusion over the use of PINs with chip cards.
"We saw the PSA and spoke to the FBI after we saw it and we thought it was not really reflective of the US marketplace and thought there would have been some level of confusion with the use of PIN," said Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA. Johnson said it seemed likely the FBI would revise its PSA, but he had no idea when.

Spokeswomen for both Visa and MasterCard said that the FBI was expected to revise the original statement, and had no further comment.

Of all the major card companies, Visa, notably, has supported having consumers provide a signature instead of a PIN to secure an in-store payment with a new chip card. Retailers, including the National Retail Federation and the Merchant Advisory Group, have supported the use of a PIN with the chip-embedded card to improve security.
"Retailers have long argued that PINs are essential to providing cardholders with the security that they deserve," said Brian Dodge, executive vice president of the Retail Industry Leaders Association. Reacting to the FBI's original alert, which has since been removed, he said it was a "wake-up call to the banks and card networks that continue to stand in the way of making PIN authentication the standard in the US just as it has been around the world for years."

But Johnson asserted that PINs won't be used in the US. "PIN is not going to be adopted in the US," Johnson flatly said.

The purpose of the chip on newer cards is to prevent counterfeit fraud when thieves steal card data from merchants' computer servers and manufacture fake cards with stolen 16-digit card numbers and four-digit expiration dates. Because the chip allows a unique code to be used with each transaction, it is difficult for thieves to steal card numbers from merchants' servers.

Johnson added it is also considered "extremely hard" for fraudsters to manufacture a credit card with an embedded computer chip. The original FBI announcement "suggested a chip card is easy to replicate, which it is not," he said. If credit card numbers are somehow stolen from a merchant's database, a fraudster could conceivably imprint an account number on a magnetic stripe on a new card. However, a newer point-of-sale terminal could detect that it should have been a chip card, not a magnetic stripe card, and would deny the transaction, he said.

A lost or stolen chip card can still be used fraudulently by a thief in a store purchase or by phone or online, an event that retailers believe use of a PIN will prevent. However, only about 5% of card fraud comes from stolen or lost cards, Johnson said. In its original message, the FBI pointed out vulnerabilities with chip cards, including that chip cards still have magnetic stripes that are vulnerable to thieves.
CIO: http://bit.ly/1NDstBt

 
