
The FBI Warns of Weaknesses in Chip-and-Sign Credit Card Systems

MULTIZ321

The FBI Warns of Weaknesses in Chip-and-Sign Credit Card Systems - by Russell Brandom/ theverge.com

"The FBI has a stern warning for the credit card industry's latest security measure, the EMV chip. In a statement today, the FBI's Internet Crime Complaint Center warned that the new chips don't prevent against online fraud or point-of-sale compromises of the type seen in the Target hack. The warning emphasizes the weakness of signature-based systems ("chip and sign" rather than "chip and PIN"), and instructs merchants to require a PIN number in place of a signature wherever possible. "This fully utilizes the security features built within the EMV card," the warning states..."

Richard
 
The industry has decided that "chip and sign" is a necessary interim step on the way to "chip and pin". I suspect they thought this through and know what they are doing.

George
 
I suspect they thought this through and know what they are doing.

George, I disagree. I suspect that they are trying to make it APPEAR that they are making headway towards a secure card system, while keeping the liability where it has always been.

Card issuers want to put fraud responsibility on the consumer. Consumers want to keep fraud responsibility on the banks issuing cards, and Merchants want the card issuers to provide all the infrastructure (terminals, etc.) and provide timely, accurate, secure settlements.

Hinting that 'they know what they are doing', is blind to the evidence that so far, each entity is out for its own benefit, and placing the responsibility on one of the other entities. Until regulation specifies how, and places a deadline on when, a final, secure basis for credit card transactions

I know that you are in favor of less regulation and market forces being the final arbiter. So far, all they've been able to accomplish is a 'worst of all worlds' solution with credit cards with chips, but with no security features (like pins) and magnetic stripes that are easily hacked and a hodge-podge of terminals that allow merchants separating people from their cards instead of bringing the secure terminal to the card holder for their PIN input.

Jim
 
Until they stop putting magnetic strips on credit cards and start requiring all cards to utilize the chip, there will be problems. Of course, then how do they process card not present transactions (like online). There will never be a perfect system until they start putting card readers in computers, opening up a whole new place for the hackers to steal your information.
 
Wouldn't it be interesting to see a requirement to have a chip & pin card reader in order to make an online card transaction. Given the functionality of "Square Trade" readers, I would assume a personal card reader isn't that far away.

Put the burden on the customer to assume liability and there will be a huge new product line of personal chip & pin card readers. Of course we first have to have chip & pin cards. I used my Barclay Card in Paris last month and it was the only way to deal with machine transactions with no human behind the counter. Just enter the PIN and away you go.
 
Chip and Pin has been around for over 4 years in Canada and even longer in Europe. I still can't believe I was in a restaurant in Vegas last month who took my credit card to process away from the table... That's how fraud can happen!!!

I doubt anything will happen, but I called my bank to send out new cards/numbers. All of my major credit cards are chip and pin.
 
The industry has decided that "chip and sign" is a necessary interim step on the way to "chip and pin". I suspect they thought this through and know what they are doing.



George


Wow, that's a lot of (misplaced) faith.


Sent from my iPad
 
I suspect that the retailers that jump on the current card-reader technology will be sorry when they have to be replaced when the final solution is determined. If it ever is. My company is putting off replacing the card readers until next fall in anticipation of many subsequent changes.
 
I suspect that the retailers that jump on the current card-reader technology will be sorry when they have to be replaced when the final solution is determined. If it ever is. My company is putting off replacing the card readers until next fall in anticipation of many subsequent changes.


Huh? The standards are already established and have been for years, in Europe. Most providers are offering free or low cost terminals. Whatever you do, be sure you're in compliance.


Sent from my iPad
 
The elephant in the chip room is still purchases on the internet. Given the huge transition to on-line transactions from established storefronts, there has to be a solution sometime soon. Unfortunately, the European and Canadian leaders haven't solved the problem yet, so the US will be good-to-go 4 years after whenever.
 
Chip and Pin has been around for over 4 years in Canada and even longer in Europe. I still can't believe I was in a restaurant in Vegas last month who took my credit card to process away from the table... That's how fraud can happen!!!

I doubt anything will happen, but I called my bank to send out new cards/numbers. All of my major credit cards are chip and pin.

Any restaurant I have ever gone to still takes the card away from the table.
 
Chip and Pin has been around for over 4 years in Canada and even longer in Europe. I still can't believe I was in a restaurant in Vegas last month who took my credit card to process away from the table... That's how fraud can happen!

This is standard practice in the U.S. Every restaurant that I have been to in the U.S. takes your card away. I only had an issue with it once, when I was accidentally charged twice.

It's kinda like the same thing when you pay for something online. Your card data is taken and processed out of eyesight, and who knows who has access to it.
 
We use Square and we've added the Miura readers that also handle chip cards (including Chip and PIN) and NFC (like Apple Pay). One thing I'm noticing is that while most of the credit cards now have chips, I don't think I've seen a single DEBIT card with a chip, and probably half of our customers pay with debit cards. I also haven't seen a single Chip and PIN card. They've all been Chip and Sign.
 
... I also haven't seen a single Chip and PIN card. They've all been Chip and Sign.
The Barclay Card is a combination Chip/Pin & Chip/Sig. It defaults to the Chip/Sig if there is a human interaction. Otherwise it's a Chip/Pin.

From my searching that's the only one available in the US. Even then it currently has a good rebate program but that too is changing in May 2016.
 
I have 1 CC with a chip. IME, about 20-25% of the retailers have the chip reader functional. Every time I use the chip reading function, but still have to sign, I think "WTF?". How is this any better? It's actually slower for the consumer than swipe and sign.

Maybe I'll start using Android Pay and pay with my phone.......
 
This is standard practice in the U.S. Every restaurant that I have been to in the U.S. takes your card away....


In Europe the restaurants use a hand held device where the transaction is performed at the table. The technology is available, so as always it's a matter of money. The card service company doesn't see it as a priority and the merchant doesn't want to spend the money. The merchants often say the card reader vendor hasn't provided the equipment. Sure, money again.

So today, the resolution is to shift the liability to the merchants and let the card service company keep collecting their percentage of the transaction. Seems like a clever way for the banks to increase profit margin.
 
Any restaurant I have ever gone to still takes the card away from the table.

This is slowly changing. Our local Olive Garden, Red Robin and Chilis are starting to use Ziosk terminals at each table. Olive Garden and Red Robin require that the guests pay at the terminal if using a card. It still seems to be optional at Chilis.
 
I've only encountered one company in the states that is using the chip technology yet. It's amazing how far behind we are.
 
There was so much hoopla about merchants having to get the terminals by October and start processing the new way. We had to buy a new terminal ($300) and yet our processing company still does not process the chips. We were told to keep scanning the old way and that we would be notified when they can handle the chip.

Two merchants I went to this weekend had the same issue. The CVS terminal didn't work with my chip. I had to scan. The Vons terminal didn't even have the thing to insert my chip card. So much for all those big fines if merchants weren't compliant by October.

Regarding chips in debit cards, my bank sent us new debit cards with the chip a few weeks ago.
 
I've only encountered one company in the states that is using the chip technology yet. It's amazing how far behind we are.

So far, I have had to use the chip at three. Walmart now requires it. When you try to swipe a chip card at their terminal, it forces you to insert the card. Our local Goodyear automotive now has it and yesterday at our small local Dairy Queen, their terminal required use of the chip. I suspect within a year, it will be much more widespread as merchants upgrade their terminals.
 
Every time I use the chip reading function, but still have to sign, I think "WTF?". How is this any better? It's actually slower for the consumer than swipe and sign.
They never intended to make it better for consumers. The chip cards are intended to make it less prone to fraud. The magnetic strips on the backs of the cards are VERY easy to make. So if your card number is compromised, thieves can very easily make a card with your card number. The chip cards are more difficult for thieves to replicate.
 
There was so much hoopla about merchants having to get the terminals by October and start processing the new way. We had to buy a new terminal ($300) and yet our processing company still does not process the chips. We were told to keep scanning the old way and that we would be notified when they can handle the chip...

I asked a local merchant how they feel about now having to accept the liability for fraudulent cc transactions? They said the machine vendor would not have the chip reader until January but they were not concerned. They had a "powerful" cash register (but a swipe cc reader). They also said their customers are trustworthy and if they got hit they would challenge the transaction with the card service provider.

Hmmmmm, maybe they need to look up the definition of "liability". :ignore:
 
My local Ralphs and Gelsons (grocery stores) now use the chip terminals. When I swipe my AMEX now the terminal instructs me to insert it so it may read the chip and it stays until the transaction is complete. Of course, it stupidly also insists that I sign and doesn't ask for a PIN. At least they now have the hardware to do it right.

I prefer Apple Pay, as it's much more secure.


Sent from my iPad
 
With the liability shift, it's basically the weakest link in the process that gets stuck with the liability for any fraudulent transactions.

If the card issuer hasn't sent the customer a chip card, they're liable.

If the processing company hasn't made chip readers available for their merchants, they're liable.

If the merchant hasn't bought a chip reader (and it's available), they're liable.
 
Not one single place where I live (Hudson Valley, NY) processes my cards as chips. I still swipe and sign.
 