New, more secure government credit cards and multi-factor authentication for federal websites dealing with sensitive citizen data are two ways the White House wants the government to lead a nationwide effort to reduce identity theft and fraud.
President Barack Obama signed an Executive Order on Oct. 17 outlining a series of steps with short- and longer-term deadlines to transition to more secure online transactions under a new Buy Secure initiative.
“First, starting next year, we’re going to begin making sure that credit cards and credit-card readers issued by the United States government come equipped with two new layers of protection: a microchip in the card that’s harder for thieves to clone than a magnetic strip, and a pin number you enter into the reader just as you do with an ATM,” Obama said during a speech at the Consumer Financial Protection Bureau in Washington. “We know this technology works. When Britain switched to a chip-and-pin system, they cut fraud in stores by 70 percent. Of course, no one security measure, no matter how powerful, can stop fraud on its own. So today, I’m also directing federal law enforcement to share more information with the private sector when they discover identity theft rings.”
Federal cybersecurity experts acknowledged the White House’s order with a combination of satisfaction and frustration.
Alan Paller, director of research for the SANS Institute, said the federal leadership and implementation of pin and chip security is long overdue.
John Pescatore, director of emerging security trends for SANS, offered more details about the reasons for the frustration.
“It was over 16 years ago in Presidential Directive Decision-63 where the White House said, ‘The federal government shall serve as a model to the private sector on how infrastructure assurance is best achieved and shall, to the extent feasible, distribute the results of its endeavors.’ Pushing government point of sale to chip and PIN is a good thing, but of course doesn’t do anything for online payments — only point of sale,” he said. “The bit about stronger authentication (building public-private awareness about more secure authentication) is equally important — moving away from reusable passwords would reduce identity theft way more than chip and PIN will. The government hasn’t been consistent on this, since they’ve been pushing an obsolete Smart Card based solution (HSPD-12) and have rejected less secure, but much more usable/feasible, solutions like text messages as a second factor — such as Google, Paypal, Microsoft and many others are using.”
As an aside, industry and government sources say momentum is building to take a fresh look at the technology and policy guiding Homeland Security Presidential Directive-12 (HSPD-12) smart identification cards. Remember, the policy is a decade old, and even though the National Institute of Standards and Technology is constantly updating Federal Information Processing Standard 201, some experts say new approaches and technology require new thinking.
In the meantime, Obama’s mandate begins to change the government and, therefore, push the market to transform.
The bulk of the work for the governmentwide change will fall on the shoulders of the General Services Administration and the Treasury Department.
By Jan. 1, Treasury must develop a plan for agencies to install enabling software on payment processing hardware that supports these enhanced security features. By the same date, the department must also ensure that any new payment processing hardware comes equipped with these security features.
The President also gave GSA and other agencies that accept credit and other payment cards a Jan. 1 deadline to begin replacing old cards with those that have the chip and PIN capabilities.
OMB, the National Security Council staff and the Office of Science and Technology Policy must give Obama a plan by Jan. 15 for how the government will ensure all personal data accessible to citizens through online services require the use of multi-factor authentication.
Agencies then will have roughly 15 months to implement that plan.
The Retail Industry Leaders Association applauded the White House order.
“Today’s announcement should serve as a catalyst for widespread adoption of chip and PIN card security,” said RILA president Sandy Kennedy in a release. “The antiquated card security system in place today in the U.S. makes it far too easy for criminals to commit card fraud. Retailers are dedicated to protecting consumers and believe that Chip and PIN technology will better shield U.S. consumers from fraud, just as it has done for consumers elsewhere around the world.”
Obama also called on Congress to take action to protect consumers.
“Today, data breaches are handled by dozens of separate state laws, and it’s time to have one clear national standard that brings certainty to businesses and keeps consumers safe,” he said.
House lawmakers called on the Senate to do something with cyber legislation.
“Since 2011, the House of Representatives has sent two cyber bills to the Senate, but the Senate has thus far failed to take action,” said Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), chairman and ranking member of the Intelligence Committee, respectively, in a statement. “We urge the Senate to move quickly on this issue to ensure the safety and security of all Americans.”
This post is part of Jason Miller’s Inside the Reporter’s Notebook feature.