Yesterday, the FBI issued an advisory about security risks related to the new chip-enabled credit cards (the cards that people are now receiving, which I discussed last week in "9 Things You Should Know About Your New Chip-Enabled Credit Cards"). Today, however, the FBI removed the advisory from the web.
The public service announcement - entitled "New Microchip-Enabled Credit Cards May Still Be Vulnerable To Exploitation By Fraudsters" - warned that the use of a PIN for authentication was needed in order to take advantage of the security offered by the chip, and raised questions about the security of the chip-and-signature model being deployed throughout the country. I discussed this problem in detail in my article last week.
The FBI has not commented on why it removed the post, but ComputerWorld's Matt Hamblen reports that it did so at the urging of the American Bankers Association (ABA), which asked the FBI to revise its warning in order "to reduce confusion."
The confusion may have stemmed from the fact that the FBI stated that when making payments, people "should use the PIN, instead of a signature, to verify the transaction" - something that generally cannot be done at American retailers. In fact, it is a bit perplexing that the FBI was apparently unaware that such security is not available to most Americans.
Interestingly, the FBI warning highlights the tug of war between financial firms (Visa, banks, etc.) pushing the Chip-and-Signature model, and retailers, who, like their European counterparts, want the security that Chip-and-PIN delivers. Banks commonly point to the fact that only small amounts of credit card fraud occur from cards physically stolen and used for in-person purchases, while retailers want the maximum return on their investment in new chip-enabled credit card processing equipment.
The FBI seemingly sided with merchants, stating explicitly "Merchants are encouraged to require consumers to enter their PIN for each transaction, in order to verify their identity." Perhaps this alarmed the ABA as well.
But, sadly, warning or no warning, the reality remains the same. Chip-and-PIN is the standard for securing in-person credit card transactions around the world for a reason--the use of PINs makes it a lot harder for people to make unauthorized purchases with stolen credit cards. Chip-and-Signature does offer some benefits over older magnetic stripe cards--as I discussed in my article last week--but we should be working our way towards Chip-and-PIN and not settling on a method already known to be deficient.
A copy of the FBI's original warning appears on my website at http://josephsteinberg.com/FBIWarningEMVCards.pdf.
Please feel free to discuss this article with me. I'm on Twitter at @JosephSteinberg.