FBI Takes Down Alert on Chip & PIN Credit Cards

The FBI posted an online advisory about vulnerabilities with new chip-enabled credit cards, but then removed the message, less than a day later, following concerns from US bankers that back chip cards.

The FBI didn't offer any comment on what happened to the original post, which raised the need for PIN (personal identification number) security included chip-embedded cards. Use of a PIN instead of a customer's signature to bolster a chip card has become a heated battle between the nation's major retailers, which back a PIN, and powerful credit card companies and the major banks they support, which back signatures.

The American Bankers Association contacted the FBI urging it to revise and clarify its original post, which was in the form of a public service announcement (PSA), to reduce confusion over the use of PINs with chip cards.
"We saw the PSA and spoke to the FBI after we saw it and we thought it was not really reflective of the US marketplace and thought there would have been some level of confusion with the use of PIN," said Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA. Johnson said it seemed likely the FBI would revise its PSA, but he had no idea when.

Spokeswomen for both Visa and MasterCard said that the FBI was expected to revise the original statement, and had no further comment.

Of all the major card companies, Visa, notably, has supported having consumers provide a signature instead of a PIN to secure an in-store payment with a new chip card. Retailers, including the National Retail Federation and the Merchant Advisory Group have supported the use of a PIN with the chip-embedded card to improve security.
"Retailers have long argued that PINs are essential to providing cardholders with the security that they deserve," said Brian Dodge, executive vice president of the Retail Industry Leaders Association. Reacting to the FBI's original alert, which has since been removed, he said it was a "wake-up call to the banks and card networks that continue to stand in the way of making PIN authentication the standard in the US just as it has been around the world for years."

But Johnson asserted that PINs won't be used in the US. "PIN is not going to be adopted in the US," Johnson flatly said.
The purpose of the chip on newer cards is to prevent counterfeit fraud when thieves steal card data from merchants' computer servers and manufacture fake cards with stolen 16-digit card numbers and four-digit expiration dates. Because the chip allows a unique code to be used with each transaction, it is difficult for thieves to steal card numbers from merchants' servers.

Johnson added it is also considered "extremely hard" for fraudsters to manufacture a credit card with an embedded computer chip. The original FBI announcement "suggested a chip card is easy to replicate, which it is not," he said. If credit card numbers are somehow stolen from a merchant's database, a fraudster could conceivably imprint an account number on a magnetic stripe on a new card. However, a newer point-of-sale terminal could detect that it should have been a chip card, not a magnetic stripe card, and would deny the transaction, he said.

A lost or stolen chip card can still be used fraudulently by a thief in a store purchase or by phone or online, an event that retailers believe use of a PIN will prevent. However, only about 5% of card fraud comes from stolen or lost cards, Johnson said. In its original message, the FBI pointed out vulnerabilities with chip cards, including that chip cards still have magnetic stripes that are vulnerable to thieves.
CIO: http://bit.ly/1NDstBt

 

« Cybercrime: How to Recognize an Online Fraudster
Thailand’s Military to Set Up New Cyberwar Unit »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Link11 GmbH

Link11 GmbH

Link11 provides DDoS protection solutions to protect websites and complete server infrastructures from DDoS attacks.

ASIS International

ASIS International

ASIS International is a global community of security practitioners with a role in the protection of assets - people, property, and/or information.

SERMA Safety & Security (S3)

SERMA Safety & Security (S3)

SERMA Safety & Security provides a comprehensive cybersecurity offering incorporating Expertise, Evaluation, Consultancy and Training, covering hardware, software and information systems.

Security Brokers

Security Brokers

Security Brokers focus services and solutions with a focus on strategic ICT Security and Cyber Defense issues.

Proteus

Proteus

Proteus is an Information Security consulting firm specialized in Risk Analysis and Executive Control.

ECOS Technology

ECOS Technology

ECOS Technology specializes in the development and sale of IT solutions for high-security remote access as well as the management of certificates and smart cards.

CyberSAFE Malaysia

CyberSAFE Malaysia

CyberSAFE Malaysia is an initiative to educate and enhance the awareness of the general public on the technological and social issues and risks facing internet users.

Center for Education & Research in Information Assurance & Security (CERIAS)

Center for Education & Research in Information Assurance & Security (CERIAS)

CERIAS is one of the world’s leading centers for research and education in areas of information and cyber security.

Axio Global

Axio Global

Axio is a leading cyber risk management SaaS company. Our Axio360 platform gives companies visibility to their cyber risk, and enables them to prioritize investments to protect their business.

ActZero

ActZero

ActZero’s security platform leverages proprietary AI-based systems and full-stack visibility to detect, analyze, contain, and disrupt threats.

ITSEC Asia

ITSEC Asia

ITSEC Asia works to effectively reduce exposure to information security threats and improve the effectiveness of its clients' information security management systems.

Bores Security Consultancy

Bores Security Consultancy

Bores Security Consultancy are an established family-run business delivering expertise in security and technology.

Association for Uncrewed Vehicle Systems International (AUVSI)

Association for Uncrewed Vehicle Systems International (AUVSI)

AUVSI is the world's largest nonprofit organization dedicated to the advancement of uncrewed systems and robotics. Focus areas include cyber security for uncrewed systems and robotics.

US Department of State - Bureau of Cyberspace & Digital Policy

US Department of State - Bureau of Cyberspace & Digital Policy

The Bureau of Cyberspace and Digital Policy leads and coordinates the Department’s work on cyberspace and digital diplomacy to encourage responsible state behavior in cyberspace.

Miggo Security

Miggo Security

Miggo is the first Application Detection and Response (ADR) platform on a mission to stop application breaches.

Invisily

Invisily

Invisily makes enterprise and cloud computing resources invisible to attackers with zero trust solutions, making them visible only when needed to only those who need them.