President Barack Obama issued an executive order on Friday to have secure chip-and-PIN technology embedded into government-issued credit and debit cards as part of a broader move aimed at stemming payment data breaches.
Under the order, government-issued cards that transmit federal benefits, such as Social Security, will have microchips embedded instead of the usual magnetic strips, as well as associated PINs like those typically used for consumer debit cards. A replacement program for the cards is set to begin on Jan. 1 of next year, with the goal to have more than 1 million such cards issued by the end of the year, Obama said at the federal Consumer Financial Protection Bureau, according to a press release.
http://www.computerworld.com/article/2835226/obama-orders-chip-and-pin-for-government-credit-cards.html
[Related]: http://www.whitehouse.gov/the-press-office/2014/10/17/fact-sheet-safeguarding-consumers-financial-security
[Additional Coverage]:
http://www.reuters.com/article/2014/10/17/us-obama-credit-security-idUSKCN0I61OP20141017
http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/17/obama-calls-for-greater-credit-card-security-in-light-of-data-breaches/
(Score: 2, Informative) by mce on Sunday October 19 2014, @10:46AM
... the US will enter the modern age of payment. In Europe, using a chip is the default since many years because it is infinitely more secure. My bank even disabled all their credit cards in the US, unless owner explicitly decides otherwise. Owners who need to visit the US are also encouraged to enable their card only for a limited period of time.
(Score: 2) by davester666 on Sunday October 19 2014, @04:56PM
The problem with "will have microchips embedded instead of the usual magnetic strips, as well as associated PINs like those typically used for consumer debit cards", is that there are still a whole bunch of merchants that have card-readers that only support magnetic strips. Supposedly most of them will switch next year sometime when liability for fraudulent transactions switches to the merchant if they are still using a magnetic strip reader then.
(Score: 0) by Anonymous Coward on Sunday October 19 2014, @05:26PM
I thought merchants were pretty much liable for fraud anyway. The CC networks have a pretty sweet gig where their oligopoly power has let them externalize their costs.
(Score: 1) by Wierd0n3 on Sunday October 19 2014, @05:30PM
At our store, we are at the mercy of the corporate overlords decision. My boss owns 2 gas stations, a BP and a Mobil. the Mobil station has already upgraded their system to support chip and pin, which required a complete POS (point of sale) replacement. They went from a stable physical button register to a seemingly beta-software level touchscreen system. At first, when he went up to learn and train the employees on the new system, he was fairly impressed. now a month later, He has 3 pages of notes for bug reports to file with the vendor. On top of that, the chip and pin slot is currently disabled because they couldn't get it ready in time for the install.
BP is scheduled to make the decision and (order us to) install ours by the middle of next year. I can't wait......
oh and the ATM vendor said we have to purchase our own new Chip and Pin compatible unit.
(Score: 2, Interesting) by curunir_wolf on Sunday October 19 2014, @05:11PM
But chip-and-pin cards would not have stopped the recent breaches at Home Depot, Target, and Kmart. According to the Post article:
The mass breaches were all caused by malware in the retailer's payment systems. So even if they were all using chip-and-pin only, those breaches still would have happened. The difference is - who pays. With chip-and-pin, the retailers take on the responsibility. Consumer protection against fraud is actually pretty good in the US. Call the bank, tell them you didn't make those charges, and they put your money back in. Now imagine you find out there are a bunch of charges on your card at Target - and you haven't even been there. Now ride over to Target and ask them for your money back...
I am a crackpot
(Score: 2) by hoochiecoochieman on Monday October 20 2014, @12:11PM
The payment authorisation is a cryptogram generated by the card after a successful PIN verification. The PIN in inserted in a secured hardware module and can only leave the module encrypted, and only in the case of online PIN verification. The PIN encryption key is not stored in the POS equipment.
So I fail to see how the breaches you mention could generate false payments.
Now, with a magnetic stripe, that's as easy as stealing candy from a child.
(Score: 2) by VLM on Sunday October 19 2014, @11:15AM
I don't know anything about how to get a ".gov CC" but I do know the primary effect will likely be lots of spam trying to get PINs.
"Attention, your card number 1234567... has had its pin changed to 1234. If you did not request that change, please locate your current card number and current pin then call (some phone number forwarding to Russia or a burner phone or whatever)"
(Score: 0) by Anonymous Coward on Sunday October 19 2014, @03:02PM
If you're talking about card-not-present transactions (e.g. mail/phone/internet orders), which AIUI are what most such spammers are currently trying to accomplish, AFAIK chip-and-pin doesn't change anything about them -- you still enter the card number, cardholder name, CVV, etc.
Otherwise, for normal chip-and-pin transactions, you need both the chip (something you have) and the pin (something you know). Unlike mag-stripe cards, reading the numbers on the card doesn't let you clone the card, so knowing the card number and PIN doesn't benefit an attacker unless they have access to your card.
I do expect, as with every new payment method, there'll be a transient burst of spam trying to exploit any consumer confusion, but I don't see any way this makes phishing spam more attractive or successful than it is now.
(Score: 2) by MrGuy on Sunday October 19 2014, @11:37AM
One of the primary barriers to chip and pin in the US is that there are very few merchants that are able to accept chip-and-pin payments.
Until you start solving that problem, this is a terrible idea - you'll be replacing less-secure-but-working cards with more-secure-but-useless ones.
(Score: 2) by Sir Garlon on Sunday October 19 2014, @12:15PM
At first, you'll use them at hotels and restaurants in Washington, DC.
Think about it. If you were managing a hotel or restaurant in DC, this announcement alone would be enough to make you upgrade your card readers. Otherwise you'll risk losing increasing amounts of business as the government employees who work in or travel to DC have to take their business elsewhere.
After that, other major cities would follow. New York. Las Vegas, because it hosts a lot of conventions. And so on.
I would also think businesses who serve a lot of retirees, such as in parts of Florida and Arizona, will find it in their best interest to upgrade sooner rather than later.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
(Score: 2) by MrGuy on Sunday October 19 2014, @01:12PM
Hey, that's great! If I'M living on Social Security, the hotels and restaurants of DC are absolutely the place I'd be using those benefits anyways.
(Score: 1) by DaTrueDave on Sunday October 19 2014, @03:17PM
Social security? Is that often paid in the form of a credit/debit card, or is that an exception for people that don't have their benefits direct deposited into a bank account?
Think of the hundreds of thousands of federal employees who will have their travel cards upgraded to this.
(Score: 2, Interesting) by curunir_wolf on Sunday October 19 2014, @05:18PM
Social security? Is that often paid in the form of a credit/debit card, or is that an exception for people that don't have their benefits direct deposited into a bank account?
According to the latest figures I can find, almost 10% of US households are "unbanked". That is, they don't have bank accounts. Those folks get their Social Security payments, welfare payments, unemployment benefits, etc., on a debit card. So this move will certainly prompt a lot of retailers to upgrade their systems to accept chip and pin.
I am a crackpot
(Score: 2) by richtopia on Sunday October 19 2014, @03:34PM
I have a Citi card with a chip, and the last time I was at Walmart I could not check out without using the chip instead of the magnetic strip.
Granted, last time at Walmart was a year ago... but you have one option for retailer. Horay.
(Score: 2) by tathra on Sunday October 19 2014, @07:18PM
military, especially active duty reservists, use government-issued credit cards all over the nation to buy gas; the first gas station franchise to install the hardware to make chip&pin work will have a monopoly on federal employees' gas and snack stops. i predict it'll start there , and then any other places where federal employees are allowed to make purchases on the government's dime, and then once a lot of other places already have it implemented, all the other places will basically have no choice.
(Score: 0) by Anonymous Coward on Monday October 20 2014, @02:02PM
It's not only chip and pin POS systems. Take a trip through rural america and I guarantee you'll find businesses that don't take CC and are cash only. I'm 100% for progress and implementing Chip and Pin, but we can't forget that a lot of rural businesses are still cash only, and the Digital Wallets and Chip CC's just don't work.
(Score: 3, Informative) by aos on Sunday October 19 2014, @12:16PM
They use the word "instead" in TFA but here in Canada, when we switched to chip based cards, they still kept the magnetic strip. Ideally you use the chip but can fallback to the magnetic strip until the merchants switch.
(Score: 3, Informative) by cmn32480 on Sunday October 19 2014, @02:52PM
My American express is the same way. And oddly enough, the only merchant I have run into that requires you to use the chip if you have it is Walmart. Last time I was there, the mag strip didn't work BECAUSE I have a chip in the card. The cashier told me it had been installed a few weeks before, and the chip part was confusing the hell out of people when the mag stripe didn't work.
Target and Home Depot (of all the freaking places) had the chip readers disabled last time I went to either of them. I was flabbergasted given their history.
"It's a dog eat dog world, and I'm wearing Milkbone underwear" - Norm Peterson
(Score: 0) by Anonymous Coward on Sunday October 19 2014, @04:56PM
They use the word "instead" in TFA but here in Canada, when we switched to chip based cards, they still kept the magnetic strip. Ideally you use the chip but can fallback to the magnetic strip until the merchants switch.
In Canada, they kept magnetic strip because of Americans. If you want to travel to US, how are you going to use your CC if they only accept swipes? Or how will Americans pay for their purchases in Canada?
(Score: 0) by Anonymous Coward on Sunday October 19 2014, @03:39PM
chip and pin is the classic chicken and egg problem. Why issue the cards if there is no merchant to accept them?
With the US Govt issuing cards, loss of business for not having the necessary equipment will become a powerful motivator for many merchants to upgrade.
The US Govt issues a lot of cards. The IRS has an option for receiving refunds using prepaid cards...that is one of the reasons for rampant fraud.
Other large banks will now jump on board. Sam's club just issued me a new card with a chip and I am sure the banks will start pressuring the merchants to upgrade the readers using various incentives.
(Score: 0) by Anonymous Coward on Sunday October 19 2014, @06:36PM
Hardly classic chicken and egg. The banks are in a position to force the adoption of chip and pin, it has already happened in many parts of the world.
(Score: 1, Interesting) by Anonymous Coward on Sunday October 19 2014, @03:32PM
PIN and chip is still vulnerable to fraud. The chip info can be scanned/skimmed as always and a 4-digit PIN isn't exactly Fort Knox.
What PIN and chip has proven itself successful in is giving banks just enough legal 'reason' to deny fraud claims when they happen. Pushing the financial responsibility of the fraud to the cardholder.
(Score: 0) by Anonymous Coward on Sunday October 19 2014, @05:31PM
So what you're really saying is that you have no idea how chip and PIN work.
(Score: 0) by Anonymous Coward on Sunday October 19 2014, @05:31PM
Yes, in the UK there is a long history of banks denying fraud claims from customers who have chip & pin cards.
Here's one article, there are more: http://www.thisismoney.co.uk/money/saving/article-2215223/Victim-chip-pin-fraud-Its-YOUR-fault-insist-banks.html [thisismoney.co.uk]
Makes me glad I am 100% cash for all in-person transactions (and online I only ever use single-use CC#s).
(Score: 2) by hoochiecoochieman on Monday October 20 2014, @12:20PM
The chip info can't be scanned/skimmed, it's protected by cryptography and the keys are not exportable. There have been attacks on one or other poor card implementations from a vendor or two (mainly poor random number generators) but otherwise the whole system is pretty solid.
You only have 3 attempts and your card is blocked. Sounds pretty secure to me.
One advice: go and read something. And to whoever modded this one insightful: go and do the same.
(Score: 2) by opinionated_science on Monday October 20 2014, @02:09PM
Chip-n-pin is about shifting liability, although, it also increases the risk for the user.
Some who could previously skim your card, might now need to take you to the ATM instead...
(Score: 2) by hoochiecoochieman on Monday October 20 2014, @02:32PM
Skimming magnetic tracks is in a completely different league from kidnapping someone and forcing them to withdraw cash. Any kid can do the former, it takes a hardcore criminal to do the latter.
It doesn't pay to scale up to that level. You can only withdraw 200 euros/day here in Portugal (I don't know about other countries). Not that it hasn't happened, stupid violent people will do stupid violent things, no matter what you do.
Our system is not perfect, but it gives us an extremely low rate of card fraud. But if you enjoy being the world capital of card fraud, why should I care? Be happy the way you like.
(Score: 2) by opinionated_science on Monday October 20 2014, @02:43PM
Here in the USA criminal violence is in a league of its own...there have been consistent attempts to introduce chip-n-pin in the US and consumers have rejected it.
Ironically, with the arrival of smart-phones it may not matter... Chip-n-pin works BEST when you are at home doing internet shopping, because a unique code can be generated that cannot be sniffed.
Entering a pin in public is bad enough for ATM's but is of dubious use in a civil society for many displays...how do you know which to trust? At least ATM's we know not to trust the one with the "extra facade" ;-)
(Score: 2) by hoochiecoochieman on Monday October 20 2014, @03:06PM
Was it the consumers, or it's the banks who don't want to spend money, ironically in the second richest country in the world?
Entering PINs in public places? Are you kidding? How is it more dangerous than leaving your card data and signature everywhere where anyone can easily copy them?
And more, for a terminal to be able to perform purchases, it has to comply to a fuckton of rules, one of them is that the PIN has to be entered in a tamper-proof hardware module which is factory-loaded with unique keys generated by the payment system.
And anyway what it does is to transfer money from your bank account to the merchant's. In order to have a terminal, the merchant has to be registered so it's extremely difficult that anyone can get away with stealing money that way.
And even if they captured your PIN with a fraudulent terminal? It would be useless. Without the chip, they can't perform transactions. If they skim your PIN and then steal your card, that's an easy one, you just report it stolen. I can't see how this could be any worse than magstripe and signature, even in the worst possible scenario.
One lame excuse after the other. You Americans used to be pioneers, now you're the naysayers of the World. You used to be the ones who asked "Why not?" when everyone else would ask "Why?". Now you always say "No, just because".
(Score: 0) by Anonymous Coward on Monday October 20 2014, @10:40PM
> One advice: go and read something. And to whoever modded this one insightful: go and do the same.
Right back at you ignoramus.
Chip and Skim [ieee.org]
(Score: 2) by hoochiecoochieman on Thursday October 23 2014, @11:08AM
This doesn't prove me wrong.
So, chip-and-PIN is not a silver bullet that solves every problem in the world. So what? Does this mean it's not a progress?
(Score: 0) by Anonymous Coward on Monday October 20 2014, @12:37AM
"President THEY LIVE issued an executive order on Friday to have secure chip-and-PIN technology embedded into the fleshy head or hand as part of a broader move aimed at stemming payment data breaches. (or some other bullshit reason).
(Score: 0) by Anonymous Coward on Monday October 20 2014, @02:09AM
I read your sentence three times and I can't make a coherent sentence out of the words you put down.
(Score: 0) by Anonymous Coward on Monday October 20 2014, @04:52PM
The two banks my wife and I went to clearly stated in their fine print that chip and pin from them puts the onus on the consumer for any and all charges period. We opted for the traditional, ancient mag stripe, because the fine print clearly stated we're only liable for $50 if we claim the card was used fraudulently (thanks to legislation passed long ago), and puts the onus on the bank to prove otherwise (in which case of course we might have to pay everything). The move to chip and pin in the US will suck without the legal safeguards already in place for mag stripe cards.