BreachExchange mailing list archives

New credit card security doesn’t go far enough


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 28 Sep 2015 18:09:18 -0600

http://www.bostonglobe.com/opinion/editorials/2015/09/25/new-credit-card-security-doesn-far-enough/jxofFcLj7kS7hDWV5oqpYJ/story.html

Hardly a week goes by without a news report of a new cyberattack. As any
consumer affected by fraud knows, the harm is real. The impact on
businesses, government, and other targets is also real, and includes
monetary harm and reputational damage that can devastate those so reliant
on the trust of their customers.

Retailers recognize that their commitment to protect information must
evolve and grow with the threat, and they have invested considerable
resources to strengthen the barriers that protect information that passes
through their systems. Retailers also recognize that cybercriminals are
highly sophisticated, and that the tallest and thickest “walls” won’t
always stand up to the volume of attacks. That’s why retailers believe that
reducing the value of data behind their walls is equally important.

Cybercriminals, like most criminals, are money-driven. Sophisticated
cyberthieves, often from overseas, relentlessly troll for valuable data
they can sell to crime rings that use the stolen information to commit
fraud. But there is a way to make the credit and debit card information
less valuable or totally useless to potential thieves: It’s called Chip and
PIN (personal ID number). It has been the standard around the world for
nearly a decade, yet not embraced by banks and card networks in the United
States.

Consumers are just now receiving credit and debit cards reissued with a
microchip embedded in addition to the traditional magnetic stripe. The chip
offers a higher level of security and is an important step in the right
direction; but unlike cards issued in Canada, Europe, and the rest of the
industrialized world, cards issued in the United States will not require a
PIN. Cards delivered to our consumers will still rely on a signature, which
allows for stolen-card use and forgeries.

The combination of an encrypted chip and private PIN substantially reduces
the value of data to cybercriminals. If a criminal cannot use a stolen card
or create a counterfeit card, the value and reasons to steal the data in
the first place disappear.

When Britain began using both chip and PIN technology, fraud losses at
retailers fell 67 percent, and lost or stolen credit card fraud fell by 58
percent. When hacking European businesses became less profitable,
cyberthieves simply refocused their efforts on an easier target, US credit
card numbers. Today, the United States represents half of all card fraud
even though only about a quarter of the world’s transactions occur here.

Retailers have invested an estimated $8.6 billion in new point-of-sale
equipment to accept these new chip cards. The experience at point of sale
will change slightly; chip cards are “dipped,” not swiped. Unfortunately,
one thing will not change: The US will continue to have the weakest card
security in the world.

Given the clear consumer benefits of Chip and PIN, why are banks hesitating
to require both? They argue that consumers will forget their PIN numbers;
but whether it’s using an ATM or cell phone, we are all quite capable of
using a PIN to prevent access to sensitive information. The truth is that,
for banks and card networks, the status quo is lucrative; they don’t want
to change.

There is no one answer to defeat cyberattacks, but we must recognize that
criminals follow money through the path of least resistance. Banks should
ensure new US cards are equipped with the same security features afforded
consumers in other countries. We can all help push forward this important
and overdue reform by demanding that our banks stop the delay — and drop
the signature and mandate the PIN.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/