FBI Warns Chip Cards Vulnerable to Fraudsters

The FBI is warning law enforcement, merchants and the general public that chip cards can still be targeted by fraudsters.

October 12, 2015

WASHINGTON – On October 8, the U.S. Federal Bureau of Investigation issued a public service announcement warning that EMV cards, while offering enhanced security, can still be targeted by fraudsters. 

The FBI says that while most EMV cards still retain the traditional magnetic strip and the cardholder’s signature on the back of the card, the microchip embedded into the card allows merchants to verify the card’s authenticity by the cardholder’s personal identification number (PIN), which is known only to the cardholder and the issuing financial institution. In addition, EMV cards transmit transaction data between the merchant and the issuing bank with a special code that is unique to each individual transaction. This provides the cardholder greater security and makes the EMV card less vulnerable to hacking while the data is transmitted from the POS to the issuing bank. 

In its announcement, the FBI suggests that consumers using an EMV card at a POS terminal should also use a PIN instead of a signature to verify the transaction. “This fully utilizes the security features built within the EMV card,” notes the bureau. However, Visa, MasterCard and most banks are not issuing new EMV chip cards in the United States with the additional layer of security that a PIN provides. The retail industry has been pushing for chip-and-PIN cards, but the card industry maintains that chip-and-signature is adequate for protecting consumers’ data—even though chip-and-PIN has been the standard in Europe for more than 20 years.

The FBI also warns that although EMV cards will provide greater security than traditional magnetic strip cards, they are still vulnerable to fraud, noting that EMV cards can be counterfeited using stolen card data obtained from the black market. Additionally, the data on the magnetic strip of an EMV card can still be stolen if the POS terminal is infected with data-capturing malware. Further, the EMV chip will likely not stop stolen or counterfeit credit cards from being used for online or telephone purchases where the card is not physically seen by the merchant and where the EMV chip is not used to transmit transaction data. 

According to the U.S. General Services Administration (GSA), France was the first country to begin using the chip and PIN technology standard for payment in 1992. By 2006, the United Kingdom had fully deployed chip and PIN technology, and it is now used in more than 130 countries. The United States is one of the few industrialized nations that has not fully migrated to the chip and PIN technology standard.

“The fact that the banks are not universally supporting the PIN capability retailers are installing with EMV indicates that EMV is more about getting liability off their financial statements than truly securing the card payment system,” said Lyle Beckwith, NACS senior vice president of government relations. “It appears that everyone but the card brands and issuers understand the value of PIN authentication.”

For more about EMV and convenience stores, read “Half Covered,” from NACS Magazine.
