The FBI issued and then revised a "public service announcement" last week to law enforcement, merchants and the general public that new EMV chip-and-signature cards offer "enhanced security." But it warned "that no one technology eliminates fraud, and cybercriminals will continue to look for opportunities to steal payment information."
The warning came after the Oct. 1, 2015, liability shift date, after which liability in the U.S. for counterfeit-card fraud lies with the party that has not made the EMV transition. Retailers are expected to upgrade their point-of-sale (POS) systems to accept EMV-enabled cards, and credit card issuers to replace their customers' old magnetic stripe cards with EMV chip cards; whichever side has not done so absorbs the loss. The U.S. is the last major market to adopt EMV cards, and card issuers here have almost all opted to issue chip-and-signature cards, which use the EMV chip to authenticate the card but a signature to verify the cardholder, rather than the chip plus a PIN.
The FBI's original warning recommended that consumers use a PIN when it is an available option, instead of the signature method for authentication. However, it was reported that U.S. bankers objected to the FBI's suggestion because it might confuse consumers, who may not have been offered chip and PIN as an option by their card issuers, so the FBI issued the revised warning.
The revised warning does not include mention of using PINs instead of the signature-only method of authenticating EMV card users. U.S. bankers have opted generally to go with the chip-and-signature option, which is viewed as "easier" for customers, rather than the chip-and-PIN option, which is viewed as more secure.
Although chip-and-PIN cards are not perfectly secure, Randstad found that 66% of surveyed executives believed that "chip and signature does not offer sufficient security and that PIN technologies should be required."
Financial institutions and retailers have been scrambling to support the new standard. For card issuers, that means issuing new cards equipped with the EMV chip. And for retailers, that means installing POS systems capable of reading the chipped cards. While bankers prefer chip and signature, retailers would have preferred to see chip-and-PIN cards. According to the National Retail Federation, under the new rules, "retailers are responsible for verifying cardholder legitimacy," which, with signature cards, means they need to verify signatures. With PIN cards, they would simply need to offer a keypad on their POS systems to accept a PIN.
Target goes all-in for chip and PIN
Meanwhile, Target, the victim of a massive credit card breach in 2013, is turning around their seriously flawed security image by doubling down on chip-and-PIN technology -- both as a retailer and as a card issuer. Target installed chip-and-PIN systems in its stores last year, which are capable of accepting both chip-and-PIN cards and chip-and-signature cards.
Target is also a card issuer, offering a Target-branded credit card and the REDcard, a debit card that is only accepted at Target stores. Target is delivering chip-and-PIN cards to their card customers, with Target's Visa credit cards reissued as Target MasterCards with new card numbers.
In other news
- Could millennials be the first chipped generation? Intercede reported this week that as many as 30% of millennials -- people aged 16 to 35 -- in the U.S. and U.K. are so distrustful of the state of their security that they would "welcome or consider digital chip implants as a next-generation measure for secure identity management on technology devices." Identity and credential management firm Intercede reported results from consumer research into U.S. and U.K. millennials "on their perceptions of current security measures and the level of importance they place on having their data protected."
- OS X malware was detected in record amounts in 2015, but still a tiny drop in the bucket compared with Windows. According to a report from Bit9 + Carbon Black, OS X malware is gaining ground, as their researchers discovered five times as many malware instances in 2015 as they found from 2010 to 2014. They based their findings on 1,400 samples collected from the team's own research efforts, as well as from "open sources, experience from incident response engagements involving OS X, peer research, black lists, and Contagio malware dump." The team had expected to find Unix/Linux malware adapted for OS X, but instead discovered little -- if any -- "Unix-style malware" ported to OS X. They also reported that the malware they did find was "not particularly sophisticated," and that "OS X malware authors aren't utilizing the Unix philosophy, combining 'small, sharp tools' to achieve the desired results. The malware authors seem to have a more 'Windows-malware' (i.e., monolithic) approach to how the malware behaves versus a composability approach, which would take advantage of existing legitimate Unix-specific OS operations as part of their design."
- Netcraft reported this week that some leading certificate authorities had "issued hundreds of SSL certificates for deceptive domain names used in phishing attacks," just in the month of August 2015. The domain names, chosen to resemble leading brand names, should have been caught by the certificate authorities' vetting before any certificate was issued. Phishing domains targeted major companies, including Halifax Bank, PayPal, Apple iTunes and BT Group; the certificates were issued through CloudFlare, Comodo, GoDaddy and Symantec. "Several certificate authorities offer free trial certificates with shorter validity periods," the report read, adding that "the short validity periods are ideal for fraudsters, as phishing attacks themselves typically have short lifetimes."
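The Netcraft item above concerns certificates issued for brand-lookalike hostnames with trial-length validity. The following is an added example, not code from Netcraft or from this article, showing the kind of triage a defender can run over certificate subject names (for instance, names harvested from Certificate Transparency logs): it flags hostnames that carry a brand token but are not under that brand's legitimate registrable domain, and marks those whose validity period looks like a free trial. The brand-to-domain table, the public-suffix shortcut and the certificate records are constructed assumptions for illustration; the hostnames are hypothetical, not ones from the report.

```python
"""Flag brand-lookalike certificate subjects and trial-length validity.

Illustrative example only. BRANDS, the public-suffix shortcut and
SAMPLE_CERTS are constructed assumptions, not data from Netcraft.
"""
import re
from datetime import date

# Brand token -> registrable domains that legitimately carry it.
# Assumption: illustrative and deliberately incomplete.
BRANDS = {
    "halifax": {"halifax.co.uk", "halifax-online.co.uk"},
    "paypal": {"paypal.com"},
    "itunes": {"apple.com"},
    "bt": {"bt.com"},
}

# Second-level labels treated as part of a two-label public suffix
# (e.g. example.co.uk). A real deployment would use the Public Suffix List.
_SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}


def registrable_domain(host):
    """Crude eTLD+1: 'a.b.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in _SECOND_LEVEL_SUFFIXES
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _tokens(host):
    # Split on dots and hyphens so 'paypal-secure.example.net' yields 'paypal'.
    return [t for t in re.split(r"[.\-]", host.lower()) if t]


def is_deceptive(host):
    """Return the brand a hostname impersonates, or None if it is clean."""
    reg = registrable_domain(host)
    tokens = _tokens(host)
    for brand, legit in BRANDS.items():
        # Exact token match always counts; substring match only for longer
        # brands, so a two-letter brand like 'bt' cannot fire on 'debt'.
        hit = any(t == brand or (len(brand) >= 5 and brand in t) for t in tokens)
        if hit and reg not in legit:
            return brand
    return None


def triage(certs, max_trial_days=30):
    """Return (subject, brand, validity_days, trial_length) for deceptive certs."""
    findings = []
    for cert in certs:
        brand = is_deceptive(cert["subject"])
        if brand is None:
            continue
        days = (cert["not_after"] - cert["not_before"]).days
        findings.append((cert["subject"], brand, days, days <= max_trial_days))
    return findings


# Constructed certificate records with hypothetical hostnames.
SAMPLE_CERTS = [
    {"subject": "www.paypal.com",
     "not_before": date(2015, 8, 1), "not_after": date(2016, 8, 1)},
    {"subject": "paypal-secure-login.example.net",
     "not_before": date(2015, 8, 3), "not_after": date(2015, 9, 2)},
    {"subject": "halifax.onlinebanking-verify.example.org",
     "not_before": date(2015, 8, 5), "not_after": date(2016, 8, 5)},
    {"subject": "account.bt.com",
     "not_before": date(2015, 8, 7), "not_after": date(2016, 8, 7)},
    {"subject": "secure-bt-billing.example.co.uk",
     "not_before": date(2015, 8, 10), "not_after": date(2015, 9, 9)},
    {"subject": "itunes-support.example.com",
     "not_before": date(2015, 8, 12), "not_after": date(2015, 11, 10)},
]

if __name__ == "__main__":
    for subject, brand, days, trial in triage(SAMPLE_CERTS):
        flag = "TRIAL-LENGTH" if trial else "normal"
        print(f"{subject:45} impersonates {brand:8} validity {days:4}d  {flag}")
```

Running the block prints the four hypothetical lookalikes (the two legitimate hosts under paypal.com and bt.com are not flagged), two of them marked as trial-length. The token split is what makes `paypal-secure-login` match while `www.paypal.com` does not; the check is necessarily heuristic, and a production version would draw its suffix rules from the Public Suffix List and its brand table from the organisation's own portfolio.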