Oct 9, 2015. By Matt Hamblen. Original FBI announcement urged use of a PIN with chip-embedded cards, which banks oppose.
The FBI posted an online advisory about vulnerabilities with new chip-enabled credit cards, but then removed the message on Friday, less than a day later, following concerns from U.S. bankers that back chip cards.
The original online post was headlined, “New microchip-enabled credit cards may still be vulnerable to exploitation by fraudsters,” and was replaced by a “page not found” message as of mid-day Friday.
The FBI didn’t offer any comment Friday on what happened to the original post, which said chip-embedded cards should also be protected by a PIN (personal identification number). Whether a PIN or a customer’s signature should be used to verify a chip-card transaction has become a heated battle between the nation’s major retailers, which back a PIN, and the powerful credit card companies and the major banks they support, which back signatures.
The American Bankers Association contacted the FBI on Thursday urging it to revise and clarify its original post, which was in the form of a public service announcement (PSA), to reduce confusion over the use of PINs with chip cards, an ABA official told Computerworld on Friday.
“We saw the PSA yesterday and spoke to the FBI after we saw it and we thought it was not really reflective of the U.S. marketplace and thought there would have been some level of confusion with the use of PIN,” said Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA, in a telephone interview.
Johnson said it seemed likely the FBI would revise its PSA, but he had no idea when.
Spokeswomen for both Visa and MasterCard said Friday that the FBI was expected to revise the original statement, and had no further comment.
Of all the major card companies, Visa, notably, has supported having consumers provide a signature instead of a PIN to secure an in-store payment with a new chip card. Retail trade groups, including the National Retail Federation and the Merchant Advisory Group, have supported the use of a PIN with the chip-embedded card to improve security.
“Retailers have long argued that PINs are essential to providing cardholders with the security that they deserve,” said Brian Dodge, executive vice president of the Retail Industry Leaders Association, in a statement issued Friday. Reacting to the FBI’s original alert, which has since been removed, he said it was a “wake-up call to the banks and card networks that continue to stand in the way of making PIN authentication the standard in the U.S. just as it has been around the world for years.”
But Johnson asserted that PINs won’t be used in the U.S. “PIN is not going to be adopted in the U.S.,” Johnson flatly said.
In the FBI’s original PSA, the Bureau said consumers “should use the PIN, instead of a signature, to verify the transaction,” even though banks have not been issuing PINs with new chip credit cards. Four-digit PINs are already used with debit cards, but many merchants still do not accept chip-enabled debit cards.
“The suggestion and recommendation from the Bureau that a customer request to be able to use their PIN would be confusing…and creates confusion in the market,” Johnson explained.
The original FBI statement also noted that while chip cards “offer enhanced security, the FBI is warning law enforcement, merchants and the general public that these cards can still be targeted by fraudsters.”
The purpose of the chip on newer cards is to prevent counterfeit fraud, in which thieves steal card data from merchants’ computer servers and manufacture fake cards from the stolen 16-digit card numbers and four-digit expiration dates. Because the chip generates a unique cryptographic code for each transaction, card data copied from a merchant’s server is no longer enough to produce a working counterfeit card. The chip does not by itself stop the data from being stolen, and it offers no such protection for purchases where the chip is never read, such as online orders.
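To make the “unique code per transaction” point concrete, here is an added toy model (not code from the article, the FBI or any card network) of why replaying copied magnetic-stripe data works but replaying a captured chip transaction does not. It is not EMV-spec code: real EMV cards derive 3DES/AES session keys and compute a CBC-MAC cryptogram (the ARQC); HMAC-SHA256 stands in for both here, and the card number, key, amounts and terminal nonces are constructed sample values.

```python
"""Toy model: static magstripe data replays, a per-transaction chip cryptogram does not.

Simplified stand-in for EMV online authorization. HMAC-SHA256 replaces the
3DES/AES session-key derivation and CBC-MAC used by real cards. All values
(PAN, key, amounts, unpredictable numbers) are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

PAN = "4111111111111111"            # constructed test card number
EXPIRY = "1218"                     # constructed expiry, MMYY
CARD_MASTER_KEY = bytes(range(16))  # constructed 16-byte card master key


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    """Session key bound to the application transaction counter (ATC),
    so each transaction's cryptogram uses fresh key material."""
    return hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cryptogram(session_key: bytes, amount_cents: int, atc: int, un: bytes) -> bytes:
    """Truncated MAC over data both terminal and issuer see: amount, ATC and the
    terminal's unpredictable number (UN)."""
    msg = amount_cents.to_bytes(6, "big") + atc.to_bytes(2, "big") + un
    return hmac.new(session_key, msg, hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    master_key: bytes
    atc: int = 0  # increments on every transaction and never goes backwards

    def authorize_request(self, amount_cents: int, un: bytes) -> dict:
        self.atc += 1
        sk = derive_session_key(self.master_key, self.atc)
        return {"pan": PAN, "amount": amount_cents, "atc": self.atc, "un": un,
                "arqc": cryptogram(sk, amount_cents, self.atc, un)}


@dataclass
class Issuer:
    master_keys: dict                          # PAN -> card master key
    last_atc: dict = field(default_factory=dict)

    def verify_chip(self, req: dict, terminal_un: bytes) -> bool:
        """Accept only a cryptogram computed with the card's key over this
        terminal's UN, with a counter the issuer has not seen before."""
        mk = self.master_keys.get(req["pan"])
        if mk is None or req["un"] != terminal_un:
            return False
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False  # replayed or rewound counter
        expected = cryptogram(derive_session_key(mk, req["atc"]),
                              req["amount"], req["atc"], terminal_un)
        if not hmac.compare_digest(expected, req["arqc"]):
            return False
        self.last_atc[req["pan"]] = req["atc"]
        return True

    def verify_magstripe(self, track: dict) -> bool:
        """Static track data: anyone who copied it passes this check."""
        return track["pan"] in self.master_keys and track["expiry"] == EXPIRY


def run_demo() -> dict:
    issuer = Issuer(master_keys={PAN: CARD_MASTER_KEY})
    card = ChipCard(master_key=CARD_MASTER_KEY)

    # 1. Thief copies static track data from a breached merchant server and replays it.
    stolen_track = {"pan": PAN, "expiry": EXPIRY}
    magstripe_replay = issuer.verify_magstripe(stolen_track)

    # 2. Genuine chip purchase; the terminal supplies a fresh unpredictable number.
    un1 = b"\xa1\xb2\xc3\xd4"
    req1 = card.authorize_request(2599, un1)
    genuine = issuer.verify_chip(req1, un1)

    # 3. Thief captured req1 (PAN plus cryptogram) from the merchant and replays it verbatim.
    replay = issuer.verify_chip(dict(req1), un1)

    # 4. Thief reuses the captured cryptogram for a bigger purchase at another terminal;
    #    without the card key the cryptogram cannot be recomputed for the new data.
    un2 = b"\x11\x22\x33\x44"
    forged = dict(req1, amount=49900, atc=req1["atc"] + 1)
    forgery = issuer.verify_chip(forged, un2)

    return {"magstripe_replay_accepted": magstripe_replay,
            "genuine_chip_accepted": genuine,
            "chip_replay_accepted": replay,
            "chip_forgery_accepted": forgery}


if __name__ == "__main__":
    print(run_demo())
```

The issuer rejects the replay on the transaction counter alone, and the forged request on the counter, the unpredictable number and the MAC; the magstripe path has nothing to check beyond the copied static fields. The same data copied from a server therefore yields a usable counterfeit magstripe card but not a usable chip transaction.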
— I can’t remember the last time I signed a credit card slip. Why is the US so far behind on this? I checked with people in the UK and half the time they tap, not even PIN anymore. Why is there a hold-up and resistance? Perhaps someone can explain to us outsiders how a signature that you don’t even have to get 100% right is more secure than a PIN? PINs are used on debit cards. It’s known technology and known risks with known risk abatement dating from before chips even. ~anon
— I think there’s an important additional issue here – it’s the question of who bears the cost of fraud on chip and PIN cards (with the caveat that I’m not a lawyer, just a bank customer!)
In Europe, my experience is that if the correct PIN was entered, that creates a strong presumption that the card’s owner authorized the charge. And at that point the bank and the business (basically the only two parties that can control fraud) usually wash their hands of the matter and force the cardholder to pay.
The presumption that a PIN is kept secret underlies their attitude — but if you sit in a cafe, brasserie or go to a store, it’s pretty obvious how easily a malicious person can get somebody’s PIN code, and also how little actually appears to have been done by the banks and retailers to ensure that the code stays secret. Given how resourceful fraudsters have proven at scamming banks and ATMs, I have to wonder just how long it will take till we see clever fraud on the new systems. And then how badly will consumers be burned when the banks deny responsibility, just like the European issuers do?
With the PIN and (useless) signature, at least there’s the certainty of real-time authorization – this keeps the risk with the people that have an incentive to manage it i.e. the issuer and the retailer. ~anon
— The laws are not that different in the rest of the world, believe it or not. Yet we seem to have had no problem with this. As for signatures, anyone could sign almost anything and get away with it. Nobody at the cash was a handwriting expert. Fraud was always a possibility, yet somehow we moved past it to PIN and even tap-and-pay for minor transactions. ~anon
— I believe the bankers are so accustomed to reaction that prevention is an alien concept.
Besides, in a US court of law, a signature can be used to somewhat guarantee someone’s identity, whereas a PIN can be stolen and has no legal proof. Buyer’s remorse? A signature can’t get you out, but a claimed stolen PIN could open things up. ~anon
— Mastercard and Visa, according to their official agreements with merchants, require that merchants take their cards even if the purchaser cannot provide ID. That’s why merchants don’t typically check it; they can’t deny a signature based on ID not being present, so it simply wastes their time. Additionally, the ease with which even teenagers can obtain falsified ID cards means that “Check Photo ID” on the back of a credit card simply makes it easier for such a fraudster to use your stolen card, because it means they don’t have to emulate your signature (they can provide their own, on their fraudulent ID). ~anon