I wrote about payment cards and chip-and-PIN most recently just over a year ago. Home Depot has filed suit against MasterCard and Visa regarding chip cards. Wal-Mart did so a month ago. I mentioned an attack on Home Depot’s payment system a while ago.
In the US, we don’t use chip-and-PIN technology as most of the rest of the chip card world does. Instead, we use chip-and-signature. That means that anyone can steal a chipped card and use it for transactions. That’s not anywhere near as secure as the multi-factor authentication of requiring a PIN. (That’s a combination of “something you have”, the card, with “something you know”, the PIN.) That is a focus of the suit. For more information on multi-factor authentication, check out Learning Tree’s System and Network Security Introduction.
The chip reader is safer than a traditional magnetic stripe reader because it provides a unique session ID for each transaction. That ID cannot be reused. However, the use of a signature is not an authentication mechanism. Anyone can copy a signature well enough to look like the one on the card, particularly if it is done with a stylus on a touchscreen or with a fingertip on a phone.
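To show why a per-transaction value defeats replay while static stripe data does not, here is a simplified model added for this post (it is not code from the original, and it is not real EMV): the chip computes a MAC over a transaction counter, the amount and a terminal nonce, and the issuer rejects any value it has already seen or any counter that does not move forward. The card key and all sample values are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed per-card secret shared between chip and issuer (assumption:
# a real issuer derives per-card keys from a master key; this is a toy).
CARD_KEY = b"constructed-card-key-0001"


def _msg(counter: int, amount_cents: int, nonce: bytes) -> bytes:
    return counter.to_bytes(2, "big") + amount_cents.to_bytes(4, "big") + nonce


def chip_sign_transaction(counter: int, amount_cents: int, terminal_nonce: bytes) -> dict:
    """Chip side: emit a one-time cryptogram bound to counter, amount and nonce."""
    mac = hmac.new(CARD_KEY, _msg(counter, amount_cents, terminal_nonce), hashlib.sha256).digest()[:8]
    return {"counter": counter, "amount": amount_cents, "nonce": terminal_nonce, "mac": mac}


class Issuer:
    """Issuer side: the cryptogram must verify and the counter must strictly increase."""

    def __init__(self) -> None:
        self.last_counter = -1

    def authorize(self, tx: dict) -> str:
        expected = hmac.new(CARD_KEY, _msg(tx["counter"], tx["amount"], tx["nonce"]), hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tx["mac"]):
            return "DECLINE: bad cryptogram"
        if tx["counter"] <= self.last_counter:
            return "DECLINE: replayed counter"
        self.last_counter = tx["counter"]
        return "APPROVE"


def magstripe_authorize(track_data: str, seen: list) -> str:
    """Stripe side has no per-transaction value: identical data is approved again."""
    seen.append(track_data)
    return "APPROVE"


def demo() -> list:
    issuer = Issuer()
    tx1 = chip_sign_transaction(1, 4250, secrets.token_bytes(4))
    results = [issuer.authorize(tx1)]
    results.append(issuer.authorize(tx1))            # same cryptogram presented twice
    results.append(issuer.authorize(dict(tx1, counter=2)))  # counter changed, MAC no longer matches
    results.append(issuer.authorize(chip_sign_transaction(2, 999, secrets.token_bytes(4))))
    seen: list = []
    results.append(magstripe_authorize("constructed-track-data", seen))
    results.append(magstripe_authorize("constructed-track-data", seen))  # replays fine
    return results
```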
The suit claims, “… U.S. merchants pay supracompetitive interchange and other related fees and also bear the costs of fraud, including Payment Card Industry (“PCI”) compliance costs, fraud chargebacks, and other costs merchants incur to secure the defective products from compromise or use in an unauthorized manner.” As an artist, my wife takes credit cards for sales, and I can personally attest that this is true. A good deal of the fraud could be eliminated if we moved to chip-and-PIN in the US.
There is a drawback, though. If one has, say, five cards, there would be a temptation to use the same PIN for each one. That would mean that if an attacker witnessed the PIN entry and stole all one’s cards, he or she could access each of them. Of course, in the US there is a limit to cardholder liability for the use of stolen cards, but recovering from it is still time-consuming. The other option is to remember all the PINs or to record them somewhere (hopefully not on the cards themselves or in a wallet or purse with the cards!). The difficulty of managing multiple codes is clear, but the benefits to merchants of moving from signatures to PINs could mean lower costs to consumers through lower fees.
Personally, I’d prefer to use a PIN instead of a signature. I’ve been a victim of compromised cards and identity theft. Improving the security of in-person and online transactions is important to me. How do you feel? Let us know in the comments below.
To your safe computing,