Chip And Sign Credit Cards Are A Security Risk, Warns FBI

The FBI's Internet Crime Complaint Center (IC3) warned merchants and their customers to adopt "chip and PIN" rather than "chip and sign" for credit cards, because the latter is still vulnerable to Target-style data breaches, point-of-sale (POS) malware, and fraud.

The U.S. is the last major market to use swipe and sign cards, which is why half of the world's credit card fraud happens in the U.S., even though it only has about a quarter of the total credit card transactions.

Starting this month, U.S. retailers who haven't adopted new systems that accept chip and PIN cards will be liable for damages if they lose their customers' credit card data. On the other hand, if the retailers' POS systems support chip and PIN cards, but the banks haven't made that type of card available to their customers, the banks would be liable in this case. The point of this "liability shift" is to get both retailers and banks to invest in the migration towards secure credit card systems at the same time.

The FBI warned that although chip and sign credit cards are more secure than magnetic stripe cards, they are still vulnerable to fraud. The credit card data can still be stolen by infecting POS terminals with malware, and then the cards can be counterfeited. Those cards will also be used in online transactions where there isn't a merchant to verify the physical card.

The new POS systems that support the chip and PIN credit cards also support contactless payments, which should give a boost to mobile payments services as well, such as Apple Pay and Android Pay.

Samsung Pay was built around the idea of magnetic swipe cards, thanks to the acquisition of LoopPay, which has now been made obsolete by the migration to chip and PIN. However, Samsung saw this change coming and also added the option to use Samsung Pay as a chip and PIN card, following the EMV standard. Unlike Apple Pay and Android Pay, though, Samsung Pay works more like Google Wallet did by hosting the generated virtual credit card number on Samsung's servers, rather than on the device itself.

Because some large banks continue to issue chip and sign credit cards, this could be an opportunity for the more secure contactless mobile payments to take off, because all such services already require a PIN or fingerprint authentication, and they already come with chips or other similarly secure solutions for storing credit card information.

Phones that have fingerprint authentication should offer even greater protection: a four-digit PIN can be cracked within 10,000 possible tries, whereas fingerprint authentication is much more difficult to crack.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • captaincharisma
    If they are such a security risk, why has the rest of the 1st world been using these chipped cards for almost a century now? It's funny how the US is considered to be the most powerful country in the world (or was) and they are so so far behind in technology.
    Reply
  • John Wittenberg
    Did you mean decade? A century is 100 years, and we didn't even have credit cards back in 1915.
    Reply
  • thundervore
    The US is practically last because the banks don't want to spend the money on new cards. But, if the bank could have passed the cost of the "new" chip card to the customer they would have done it years ago.

    I can see those criminals now....oops I meant Executives. Want a new chip card? Sure that will be $9.99 + Shipping and handling + processing fee and administration fee for converting your old card.
    Reply
  • kenjitamura
    I was under the impression banks weren't upgrading cards in the U.S. because of how profitable selling fraud protection is. All the banks sell additional services like more advanced account monitoring to people and it has been an invaluable service up until now because of how easy it was for accounts to be compromised. Now with chip and pin the threat will reduce quite a lot and so will the number of people opting in for a monthly charge for additional security features.
    Reply
  • Kewlx25
    16756316 said:
    If they are such a security risk, why has the rest of the 1st world been using these chipped cards for almost a century now? It's funny how the US is considered to be the most powerful country in the world (or was) and they are so so far behind in technology.

    They said chip and sign is bad, but chip and pin is good, but chip and fingerprint may be better.
    Reply
  • targetdrone
    The article is wrong about chip and sign liability. Merchants are protected as long as they have a chip based terminal and use the chip to process a transaction.
    Reply
  • Dr_b_
    If they are such a security risk, why has the rest of the 1st world been using these chipped cards for almost a century now? It's funny how the US is considered to be the most powerful country in the world (or was) and they are so so far behind in technology.

    Back in the 70's (certainly not a century ago, as someone already corrected you on, or was that hyperbole?), the raised numbers on the card actually served a purpose: you ran it through a manual sliding machine that imprinted the card number onto carbon copy paper, then signed it. Fast forward to 2015, new cards today don't have the card number on the front or even raised. Cards will go all digital, everyone has a phone now and that is the future, we won't be carrying plastic around with chips, and because that idea was made popular in the US first, and then exported to other countries, the US is leading that charge (no pun intended, shehehe).
    Reply
  • johnnycanadian
    If they are such a security risk, why has the rest of the 1st world been using these chipped cards for almost a century now?

    <whew> I'm going to assume you meant "since shortly after the turn of the century". And as already noted, there's a big, big difference between chip without and chip with PIN. Once again the American banks are going for the cheap, crappy solution.
    Reply
  • WatchingUser
    If they are such a security risk, why has the rest of the 1st world been using these chipped cards for almost a century now? It's funny how the US is considered to be the most powerful country in the world (or was) and they are so so far behind in technology.
    I don't see England sending people to the moon so that comment is invalid.
    Reply
  • thundervore
    The article is wrong about chip and sign liability. Merchants are protected as long as they have a chip based terminal and use the chip to process a transaction.

    Someone should tell this to BJ's Wholesale and Whole Foods. They have the chip terminals but they are not activated. So someone like me goes to pay and sticks the card in, wondering why it's not working, then is told I have to swipe it. When I went to Target, who uses the same terminal, I swiped and it rejected my card because it detected the chip, so I had to insert it and sign. That is how it should be. Target has it right!!!
    Reply