[BreachExchange] Home Depot Claims Visa, MasterCard Chip Cards Not So Secure In Lawsuit

Thu Jun 16 18:16:11 EDT 2016

http://boston.cbslocal.com/2016/06/15/home-depot-visa-mastercard-chip-cards-lawsuit/

Visa and MasterCard are using security measures prone to fraud, putting
retailers and customers at risk of thieves, The Home Depot Inc. says in a
new federal lawsuit.

It’s the latest giant retailer to raise the security concerns, with a
lawsuit filed this week in U.S. District Court in Atlanta. Last month,
Arkansas-based Wal-Mart Stores Inc. sued Visa Inc. over similar issues.

Atlanta-based Home Depot says new payment cards with so-called “chip”
technology, rolled out in the U.S. in recent years, remain less secure than
cards used in Europe and elsewhere in the world.

Even with chips, U.S. cards still rely on customers’ hand-written
signatures for verification, rather than more secure Personal
Identification Numbers, or PINs, Home Depot maintains.

A Mastercard spokesman said the chips boost security.

“Regardless of how the cardholder’s identity is confirmed, the chip makes
data much more secure, rendering it almost useless to create fraudulent
cards or transactions,” MasterCard spokesman Seth Eisen said in a statement
Wednesday.

MasterCard received the court filing Tuesday and is still reviewing it,
Eisen said.

“We are aware of the complaint and will respond in due course,” a Visa
spokeswoman said in a statement Wednesday.

A central issue in Home Depot’s lawsuit: Its accusation that Visa and
MasterCard are conspiring to prevent adoption of more secure technology in
order to maintain market dominance and profits.

“For years, Visa and MasterCard have been more concerned with protecting
their own inflated profits and their dominant market positions than with
the security of payment cards used by American consumers and the health of
the United States economy,” Home Depot states in its 138-page lawsuit.

About 80 nations use cards with chips, and most of them — including
England, France and Australia — also require a PIN, Home Depot said.

“Such cards offer an extra layer of security beyond the chip itself, by
requiring the user to enter a four-digit PIN, thereby ensuring that the
individual using the card is the card’s owner,” Home Depot states in its
lawsuit. “Signatures can be copied or forged, and cashiers are not
handwriting experts trained to identify forged signatures.”

As a result, U.S. consumers and merchants such as Home Depot pay
fraud-related costs that are “unrivaled in the rest of the industrial
world.”

A chip in combination with a PIN is a form of “two-factor authentication,”
said Craig Piercy, director of the online master of internet technology
program at the University of Georgia’s Terry College of Business.

“It basically means that you have something with you — usually a physical
thing — and something that you know. Both together are required to
authenticate a user.”

If a card is stolen, even one with a microchip, a thief could still use it
by inserting it into the card reader, then scribbling the name on the card
on a receipt or pad near a cash register

But if the thief doesn’t know the PIN, the card would be rejected.

“Neither one protects against all types of fraud, but in terms of
protecting against lost or stolen cards, chip and PIN is more secure,”
Piercy said.

Home Depot was targeted in a wave of data heists that began with Target’s
pre-Christmas 2013 attack. But Home Depot’s 2014 data breach at stores in
the U.S. and Canada affected 56 million debit and credit cards, far more
than the attack on Target customers. Hackers also stole 53 million email
addresses from Home Depot customers.

In the world of retailing, the size of the theft at Home Depot trails only
that of TJX Companies’ heist of 90 million records disclosed in 2007.

Home Depot pushed hard to activate chip-enabled checkout terminals at all
of its stores after the 2014 attack.

Even with chip technology, the lack of PIN requirements in the U.S. could
lead to rising fraud in the future, as more transactions shift to online
payments where no physical card is presented, Home Depot said its lawsuit.

Last month, Wal-Mart said in a lawsuit that Visa won’t allow it to let
customers verify chip-enabled debit card transactions with PINs rather than
the less-secure signature method.

“PIN is the only truly secure form of cardholder verification in the
marketplace today, and it offers superior security to our customers,” a
Wal-Mart spokesman told The Associated Press after its lawsuit was filed
last month in the New York State Supreme Court.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160616/ef57487f/attachment.html>