The new EMV chip-style credit cards are here, and the FBI has already released a warning about the way they are being deployed in the United States. The EMV card has been in continuous use in Europe and Asia for over a decade, and has worked well to reduce the amount of credit card fraud there. We have had to wait here in the US simply because it was deemed too expensive to deploy, although when you look at the cost of credit card fraud in the last four years, you have to wonder who is doing the math. On October 1st use of the EMV card in the US was finally mandated, although implementation is lagging behind.
There are two ways to use an EMV card. The one in common use in the US is called “chip and sign.” The card holder inserts or “dips” the card into the reader slot, and then signs the signature pad. The one commonly in use in Europe is called “chip and PIN” and after dipping the card, the card holder enters a PIN in the PIN pad. Guess which one is more secure? That’s right – the one in use in Europe.
Authentication relies on one or more of these factors – something you have, something you know, and something you are. The card with the chip is the something you have. The PIN would be something you know. The signature is something you are.
The problem with using the signature as the second part in a two-factor authentication scheme is this – signatures are rarely the same from one time to the next, the signature we write on a card terminal rarely looks anything like the one on our drivers license, and the cashier never compares the two anyway, so the signature is just a waste of time and effort.
And if your credit card should be stolen, the criminal only has to sign and go. Any signature should work. But with chip and PIN, without the PIN the card is useless.
The FBI warning is advocating for the use of chip and PIN, and quite rightly so. Oddly enough the banks and credit card companies are resisting, even though they absorb most of the financial loss. The thought is that consumers in American are incapable of remembering PIN numbers, even though we all have one or two already with our bank ATM cards. The premise that we are too dim to remember a PIN is insulting anyway.
My advice: use chip and PIN if you can and when you can. Check with your credit card company to see if it is an option, and if so, set it up. Maybe if enough of us request it, or better yet, insist on it, the banks and card companies will finally take the path of greater security. This would be better for all of us.
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com