FBI Takes Down Alert on Chip & PIN Credit Cards

The FBI posted an online advisory about vulnerabilities with new chip-enabled credit cards, but then removed the message less than a day later, following concerns from US bankers who back chip cards.

The FBI didn't offer any comment on what happened to the original post, which raised the need for PIN (personal identification number) security to be included with chip-embedded cards. Use of a PIN instead of a customer's signature to bolster a chip card has become a heated battle between the nation's major retailers, which back a PIN, and powerful credit card companies and the major banks they support, which back signatures.

The American Bankers Association contacted the FBI urging it to revise and clarify its original post, which was in the form of a public service announcement (PSA), to reduce confusion over the use of PINs with chip cards.

"We saw the PSA and spoke to the FBI after we saw it and we thought it was not really reflective of the US marketplace and thought there would have been some level of confusion with the use of PIN," said Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA. Johnson said it seemed likely the FBI would revise its PSA, but he had no idea when.

Spokeswomen for both Visa and MasterCard said that the FBI was expected to revise the original statement, and had no further comment.

Of all the major card companies, Visa, notably, has supported having consumers provide a signature instead of a PIN to secure an in-store payment with a new chip card. Retailers, including the National Retail Federation and the Merchant Advisory Group, have supported the use of a PIN with the chip-embedded card to improve security.

"Retailers have long argued that PINs are essential to providing cardholders with the security that they deserve," said Brian Dodge, executive vice president of the Retail Industry Leaders Association. Reacting to the FBI's original alert, which has since been removed, he said it was a "wake-up call to the banks and card networks that continue to stand in the way of making PIN authentication the standard in the US just as it has been around the world for years."

But Johnson asserted that PINs won't be used in the US. "PIN is not going to be adopted in the US," Johnson flatly said.

The purpose of the chip on newer cards is to prevent counterfeit fraud when thieves steal card data from merchants' computer servers and manufacture fake cards with stolen 16-digit card numbers and four-digit expiration dates. Because the chip allows a unique code to be used with each transaction, it is difficult for thieves to steal card numbers from merchants' servers.

Johnson added it is also considered "extremely hard" for fraudsters to manufacture a credit card with an embedded computer chip. The original FBI announcement "suggested a chip card is easy to replicate, which it is not," he said. If credit card numbers are somehow stolen from a merchant's database, a fraudster could conceivably imprint an account number on a magnetic stripe on a new card. However, a newer point-of-sale terminal could detect that it should have been a chip card, not a magnetic stripe card, and would deny the transaction, he said.
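The terminal-side check described above can be sketched as follows. This is an added example, not code from the article or from any card network; it assumes the standard ISO/IEC 7813 track 2 layout, in which a three-digit service code follows the expiry date and a leading 2 or 6 marks a card issued with a chip. The function names, result strings and card data are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# A first service-code digit of 2 or 6 says the issuer put a chip on the card.
CHIP_DIGITS = {"2", "6"}

# Constructed sample stripes using a well-known test card number (not real accounts).
CHIP_CARD_STRIPE = ";4111111111111111=25122011234567890?"   # service code 201
STRIPE_ONLY_CARD = ";4111111111111111=25121011234567890?"   # service code 101


def parse_track2(raw):
    """Split a track 2 string into PAN, expiry, service code and discretionary data."""
    match = TRACK2.match(raw.strip())
    if match is None:
        raise ValueError("not a well-formed track 2 string")
    return match.groupdict()


def swipe_decision(raw, terminal_reads_chip):
    """Return what a terminal does with a swiped card (hypothetical result names)."""
    try:
        fields = parse_track2(raw)
    except ValueError:
        return "DECLINE_MALFORMED"
    issued_with_chip = fields["svc"][0] in CHIP_DIGITS
    if issued_with_chip and terminal_reads_chip:
        # The stripe itself says a chip should be present: refuse the swipe.
        return "DENY_SWIPE_USE_CHIP"
    # Stripe-only card, or an older terminal that cannot read chips at all.
    return "SWIPE_ACCEPTED"


if __name__ == "__main__":
    for stripe in (CHIP_CARD_STRIPE, STRIPE_ONLY_CARD):
        for chip_reader in (True, False):
            print(stripe, chip_reader, swipe_decision(stripe, chip_reader))
```

The check only fires on a chip-capable terminal, which is why the article's statement is limited to newer point-of-sale terminals.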

A lost or stolen chip card can still be used fraudulently by a thief in a store purchase or by phone or online, an event that retailers believe use of a PIN will prevent. However, only about 5% of card fraud comes from stolen or lost cards, Johnson said. In its original message, the FBI pointed out vulnerabilities with chip cards, including that chip cards still have magnetic stripes that are vulnerable to thieves.
CIO: http://bit.ly/1NDstBt

 
