Search the Community

US consumers are about to get a new defense against cybercrime. The armor will take the form of credit and debit cards with a built-in chip, which retailers must be able to read as of Thursday. Short for EuroPay, MasterCard and Visa, EMV chips create a one-time-use code needed for each purchase, which makes stolen card numbers less valuable on the black market. Consumers may see slightly longer transaction times as in-store readers run the EMV cards, assuming merchants have set up the new payment terminals in time. Industry watchers don't expect every merchant to meet Thursday's deadline, which was set last year by MasterCard, Visa, Discover and American Express. Retailers do have an incentive to act quickly, though. Stores that don't have EMV-reading terminals will need to make good on in-store purchases made with counterfeit cards. ATMs and gas pumps will face the same liabilities in 2017. The card companies wrote that rule after cybercriminals stole about 40 million credit and debit card numbers from the payment system of retailer Target during the 2013 holiday-shopping season. Currently, the banks that issue cards are on the hook for fraudulent charges. There are two ways hackers steal sensitive information. They can use card skimmers to read a card's magnetic stripe at an ATM or gas pump. They can also penetrate retailers' corporate information systems, as they have with Target, Home Depot, Neiman Marcus and many others, to copy card numbers. Those stolen numbers can be used on fake cards to make fraudulent purchases. Two-thirds of fraudulent purchases inside stores are made with counterfeit cards, said Stephanie Ericksen, Visa's vice president of risk products. Authentic cards that were stolen account for the other third. That's where these new chip cards can help. Because the chips send encrypted, one-time codes for each transaction, the cards are harder for fraudsters to read and duplicate, experts say. While the cards are just rolling out in the US, the technology isn't new. Europe started using cards with embedded chips in 2005. Apple Pay and Android Pay mobile payments work on the same underlying rules. http://cnet3.cbsistatic.com/hub/i/r/2015/09/23/4959cf7f-d36a-4687-a63b-619390c304cf/resize/570xauto/c2d5185e9882c675a6fe259f561ef9ca/mobile-payments-visa-paywave-chip-security-credit-cards-4865.jpg Despite the impending retailer deadline, many consumers still don't know about the new kinds of cards. In an August survey by electronic payments company ACI Worldwide, 59 percent of consumers reported they hadn't received credit cards with EMV chips. Only a third knew the United States is shifting toward chip readers. What's more, only 27 percent of merchants are prepared for the October deadline for card reader technology, according to a report released in mid-September by the Strawhecker Group, a consulting firm for the payments industry. Experts say the slow rollout could be due to the cost of new card-reading equipment. Merchants must weigh the expense of buying new payment systems and training employees on that gear against the unknown hit from fraudulent charges. Some may even consider their new liabilities the cost of doing business. Consumers will need to adapt to the new system too, experts said. "There may be some initial inconvenience at the point of sale," said TJ Horan, vice president of product management at FICO, which helps banks determine a consumer's credit risk. Despite the increased security, industry watchers don't expect card fraud to disappear. Horan likens it to squeezing a water balloon: If you push fraud out of the system in one place, it will simply shift somewhere else. Clarification, 8:55 a.m. PT: The name of parent company ACI Worldwide has been added. Source http://www.cnet.com/

Could cyberattacks one day be governed by treaties like those limiting the use of nuclear, chemical and biological weapons? The US and China are reportedly taking a first step in that direction. http://cnet4.cbsistatic.com/hub/i/2015/09/19/45e001b5-1eb7-4d97-a2b7-afbe510965d5/38d0e49bb10853afa58b103e796f2aba/obama-and-china-president-xi-jinping-corbis.jpg The countries are discussing a mutual promise not to launch a first-strike attack with cyberweapons on the other country's critical infrastructure, such as power plants, hospitals and banks, The New York Times reported Saturday. The talks are geared toward producing a deal that would be announced next week during China President Xi Jinping's state visit to the US, the Times said, citing unnamed officials involved in the negotiations. Such an announcement might not mention an official rule barring attacks on critical systems, a Times source said. Rather, it could involve a general embrace of a United Nations code of conduct that spells out nonbinding "principles of responsible behavior" regarding the use of cyberweapons like malicious software. Nonetheless, the UN guidelines single out attacks on critical infrastructure as the "most harmful," and the negotiations could evolve into the first-ever arms-control deal for cyberspace, the Times said. The news comes amid increased tension between the US and China over hacking and cyberspying. In June, the FBI said it suspected Chinese hackers of an attack on the US government's personnel office that compromised the data of millions of current and former federal workers. And in August, officials with the Obama administration told The Washington Post that the US was developing a range of "unprecedented" economic sanctions against China over online espionage. The deal under discussion wouldn't prohibit such spying, or the theft of intellectual property, but it would, the Times said, "be a first effort by the world's two biggest economic powers to prevent the most catastrophic use of cyberweapons." It's not clear, though, how effective a cyberweapons treaty would be, the Times noted. Unlike a missile strike, a cyberattack can be tough to track, making deterrence and retaliation difficult. "It could create some self-restraint," a Harvard professor who studies US power told the Times, but "how do you verify it, and what is its value if it can't be verified?" The White House did not respond to a request for comment on the Times report. Source http://www.cnet.com/