Consumers shouldn’t assume new chip-enabled credit cards will keep them safer this holiday season. They won’t.
The cards have a significant flaw: They require old-fashioned signatures, easily forged, to complete transactions rather than Personal Identification Numbers or PINs. A PIN system is behind the near breach-proof credit card networks of Europe.
The irony is that major banks and retailers, burned in a series of credit-card breaches this year, rushed through the release of credit cards using embedded microchips than than traditional magnetic tape, a technology dating to the 1940s. But they did not think about the back-end of the financial transaction, the part that confirms to the seller the identity of the buyer.
“I am taken aback,” says Hector Hoyos, chief executive at Hoyos Labs, “that we are using chip-and-signature cards instead of chip-and-pin cards. [Chip cards] will cut down on some fraud, but we could have done so much more,” he says. “We are spending all this money for a system that isn’t as secure as it could be.”
In addition the new cards are still bits of plastic — easily misplaced or stolen — rather than say electronic credit instruments such as in Apple Pay or Android Pay.
“We are spending all this money for a system that isn’t as secure as it could be.”
– Hector Hoyos, Hoyos Labs
“Consumers still have to always know where their cards are,” says Randy Vanderhoof, executive director of the Smart Card Alliance. “They still have to check their credit-card statements to make sure there are no unauthorized purchases on there. Chip cards are much more secure than the magnetic-stripe cards have been. But consumers still have to be smart with their credit cards.”
Still security holes
Consumers should have begun receiving their new EMV credit cards earlier this year. EMV stands for Europay, MasterCard and Visa, the three companies that helped to create the new chip-card standard. The new cards hold tiny computer chips that create unique codes for every purchase. These chips make it more difficult for fraudsters to steal the credit-card information of consumers and use it to create counterfeit cards and make fraudulent purchases.
Retailers were supposed to have installed new scanners to accommodate the EMV cards starting Oct. 1. The new scanners require consumers to dip one end of their EMV cards into them. Consumers then have to wait a couple of seconds for the scanners to register the card before they sign to close their transaction.
A complication of the rushed rollout: Not all retailers are equipped to accept the EMV cards. Jo Lintzen, vice president of business development with security manufacturer Utimaco, said that it won’t be until 2018 that close to 100 percent of retailers will be able to accept EMV cards. Consumers who shop at these retailers will have to swipe their chip cards — the new cards still sport a back-up magnetic strip on their backs — as they would have with traditional magnetic-strip cards. Consumers shopping this way will still be vulnerable to counterfeiters.
In another potential problem area for consumers, gas stations are not required to install the new EMV scanners at their fuel pumps until October of 2017. That creates another security hole because so many consumers pay at the pump by sliding their credit cards. Consumers who fill up at gas stations without the EMV-ready scanners will again have to pay by swiping their cards, exposing their new chip-protected cards to counterfeiters.
Then there are online purchases. A growing number of consumers turn to the Amazon.coms and eBays of the world when shopping today. There is nothing that an EMV card can do to protect consumers when shopping online. Even when paying online with an EMV card, consumers will still simply enter their credit-card’s information into a Web site, information that will remain vulnerable to fraudsters.
“The EMV cards offer consumers no protection online.”
– Tom Donlea, WhitePages
Lintzen said that he expects online credit-card fraud – what security experts refer to as card-not-present fraud – to soar now that the new EMV cards have been introduced.
“There will be a shift in online fraud simply because it will now be more difficult to commit other types of credit-card fraud,” Lintzen said. “The bad guys are creative. They will look for other targets, and online credit-card transactions are an obvious target.”
That’s why it will be more important than ever for consumers to check their credit-card statements carefully each month, said Tom Donlea, eCommerce director at WhitePages. Donlea said that consumers need to look for any purchases that seem suspicious. They should also only shop with online merchants that require them to enter their credit card’s three-digit security code.
“The EMV cards offer consumers no protection online,” Donlea said. “So it is up to consumers to monitor their statements.”
Consumers are not liable for fraudulent purchases made with their credit cards. But too often, consumers fail to notice the smaller unauthorized purchases made online with their stolen credit-card information.
The signature vs. PIN debate
Philip Andreae, vice president of field marketing with Oberthur Technologies — a global supplier of chip cards and services — says that officials at Oberthur are agnostic when it comes to the chip-and-signature vs. chip-and-PIN debate.
Andreae says that chip-and-PIN cards would be more secure because it would also address fraud that arises from lost and stolen credit cards. Thieves would need to know the PIN that comes with a stolen credit card. They couldn’t just forge a signature.
But Andreae says, too, that chip-and-signature cards have the advantage of embracing the kind of shopping habits that consumers already hold; consumers are already used to signing for purchases. Chip-and-signature cards also protect against the type of credit-card fraud that is by far the most prevalent, counterfeiting, Andreae said.
“What people need to understand is that the level of fraud resulting from lost and stolen credit cards is insignificant when it compares to the total cost of fraud that results from counterfeit cards,” Andreae said.
Vanderhoof said that consumers are happy with chip-and-signature cards. Otherwise, he said, they’d be clamoring for chip-and-PIN cards. That outcry for the PIN cards has not happened, Vanderhoof said.
Hoyos said that the debate between PIN or signature might be moot. He predicts that credit cards will one day rely on biometric identifiers to allow consumers to complete a credit-card transaction. For instance, when making a purchase in the future, a consumer might be required to provide a fingerprint to make sure that they are the real owners of their credit cards.
“Your own iris or fingerprint can provide true protection when you are making a credit-card transaction,” Hoyos said.
Donlea said that the new cards might cause some problems this holiday season. It takes a bit longer to complete an EMV-card transaction – anywhere from two to 20 seconds – and those delays could add up during the holiday shopping rush.
Retailers will also be adding plenty of seasonal help this time of year, which could add to the delays, he said.
“I know it’s really just a short difference between dipping your EMV card and swiping a stripe card,” Donlea said. “But I have to admit, in my experience, that difference seems interminable. It’s really not. It just seems that way.”