About 600 Defense Department travel cardholders are trying out new cards embedded with hack-resistant chips that require users to enter a passcode for purchases. The pilot program is part of a governmentwide effort to stanch rampant credit card theft.
By the end of summer 2015, all military travelers will have the so-called chip and PIN credit cards, DOD officials announced Tuesday. The current trial began in February and is slated to finish in December.
Similar to using an ATM card, the purchaser inserts the card into a machine at the register and enters a four-digit PIN, rather than scribbling a signature.
Beginning January 2015, military travelers will be able to request replacements if going to locations where chip and PIN cards are widely accepted, such as European countries.
But there might be a waiting list. Harvey Johnson, director of the Defense Travel Management Office, said with about 1.3 million government travel card users, "if everybody wants it in January, we probably can't get there. So there needs to be a methodical deployment."
The first wave of travel cardholders to receive the new technology will be people whose cards are about to expire. Employees new to the department also will receive a chip and PIN card, followed by individuals who travel frequently.
"It used to be that we considered it frequent travel if you travel three times a year," Johnson told Defense personnel, "but now we're sort of moving away from that, and if you travel [at all], we're going to recommend that you use a chip and PIN card and that you get a [government travel] card."
Chip and PIN payment cards are intended to be more secure than traditional cards with magnetic strips, which are easier to clone. President Barack Obama earlier this month issued an executive order requiring all federal agencies to distribute purchase cards embedded with the new technology, starting with 1 million in 2015.
Government purchase cards, issued by Citibank, JPMorgan and U.S. Bank, cover work expenses, such as office supplies and meals. Home Depot, Target, Walgreens and Walmart will soon be deploying chip and PIN-compatible credit card readers in all their stores.
The U.S. Secret Service estimates that payment systems at more than 1,000 businesses are infected with a type of malicious software that cribs data off credit card magnetic strips. The "Backoff" malware is to blame for high-profile breaches at Target, Neiman Marcus and Dairy Queen. Last week, security firm Damballa detected a striking 57 percent jump in Backoff infections from August to September.
While chip and PIN cards are aimed at stopping this fraud, their security protections can be foiled through a newly identified type of attack, according to Brian Krebs, author of blog KrebsOnSecurity. Krebs, who broke the Target story, reported Monday that a scheme originating in Brazil and targeting U.S. financial institutions could cost banks that are just starting to issue the two-step cards.
Basically, the criminals make magnetic strip transactions look like chip and PIN purchases on transaction lists. Unlike with some fraudulent strip transactions, banks are responsible for fraudulent chip transactions. Thieves might have pulled off the "replay" attack by manipulating payment systems that weren’t properly configured, Krebs reported.