Monday, March 9, 2009

Acculynk Most Closely Mimics Grocery Store Experience?

Yesterday after three years in Montreal, HomeATM Chairman and CEO, Ken Mages, arrived back in his (and mine) hometown of  Chicago.  One of the first things he did upon arrival was return a phone call to John Stewart, Editor of Digital Transactions to address the recent announcement by Acculynk that Accel Exchange has agreed to roll out a pilot.    

They published the story late yesterday afternoon entitled: "Web Based PIN Debit Picks Up Momentum with Pilot and New Deals"  (to read the whole story click the link at the bottom of this post)  I found the story interesting on several levels. But my favorite quote is at the end of the story.  (click any graphic to enlarge)


To surmise, it all comes down to whether PIN Debit for the Web should be Hardware or Software based.   Our position is clear.  Their's not so much.  Here's an excerpt from the article with my thoughts in bold grey italics...
HomeATM’s Mages contends Acculynk’s product is vulnerable to hackers who could, for example, screen-scrape users’ sessions as they click on the floating PIN pad.

Editor's Note:  Screen Scraping is oldhat to BlackHats.  The real concern is the recent surge of a NEW generation of attacks, for example: SSL vulnerabilities, Trojans,
(for example, Tigger...a new type of malware that injects code intouser-mode processes."  "This component takes screenshots, hooks COM for spying on browser events, and exports passwords[from] protected storage, network and dial-up.  It also steals webcookies, steals certificates, and puts the NIC in promiscuous mode tosniff FTP and POP3 passwords)" worms and man-in-the-middle attacks.  But those were not addressed in this particular article.  Screen scraping was touched upon...  


With HomeATM’s product, cards are swiped and PINs entered only on the peripheral device, with all data encrypted from swipe to transmission to issuers. (Editor's Note:  HomeATM also encrypts Track 2 data)  “If I can see it on your screen, I can capture it,” Mages argues.

Without going into details
, Acculynk’s CEO Ashish Bahl counters that each click is encrypted in ways intended to frustrate hackers. Editor's Note: That's an interesting one. No details I can understand, but when hackers get frustrated they get motivated.  Frustrating hackers, in my mind is not the level of security I want associated with PIN Debit for the Web)...

At the same time, he adds, the resources necessary to predict when to start and stop screen scraping with each click would be cost-prohibitive even for determined fraudstersEditor's Note: Cost prohibitive is relative to the potential return.  Personal Identification Numbers are the "holy grail" for hackers.  You have the PIN's and you the capability to empty bank accounts.  So, in my humble opinion, there's no such thing as a "cost prohibitive" barrier when it comes to PIN's.  Especially, if they're "determined."  The "Holy Grail" is NOT a cost-prohibitive entity.  It's something hackers would want to get their hands on "at all costs."


For now, Accel/Exchange is satisfied with the security of Acculynk’s system. Editor's Note:  I would suggest that "for now" sends the wrong message.  Yeah, it's good "for now" and we'll take a wait and see approach as to whether or not we're right?  That's a pretty bold gamble.  Too bold.  Heartland's CEO thought the same thing...we're good for now...but then after what could be the biggest breach ever, he called for end-to-end encryption.  Translation: It wasn't good enough. 

We did our own [investigative] work, then we sent in a third-party auditor,” says Kelly. “They approved it.”  Editor's Note:  Okay, so Accel Exchange is willing to take the risk that they could be forever remembered as "Accel Exchange for PIN's to Hackers" but WHO? is the 3rd party auditor?  Why aren't they putting their reputation on the line as is Accel?  Could it be TrustWave?  They're the group that PCI certified Hannaford, RBS WorldPay and Heartland.  Speaking of PCI certified...it's literally impossible to certify each and every PC that is used to enter the PIN's...so why was there no mention in this article on how they're going to address that issue?)

Kelly says he can’t predict which method (Hardware vs. Software) will ultimately dominate what is now a nascent business in processing Web-based PIN debit transactions. “Who knows who’s going to be the right solution?” he says.    Editor's Note:  Did he just really say that he can't predict which method is right and that he doesn't know if what he's doing is right?  No...maybe I read that wrong... 

“For us, Acculynk most accurately mimics the consumer experience at a grocery store.” Editor's Note: I KNOW I read that right:  This is scary folks...he said, "most accurately "MIMICS the consumer experience at a GROCERY STORE?  He did say that right?  I hate to sound sardonic, but when was the last time you walked into a grocery store and used a floating PIN Pad?  I go to the grocery store quite often and everytime...including the last time...there was a "HARDWARE" device.  Maybe what he meant to say is that it mimics the grocery store experience in the sense that someone can look over your shoulder and watch you enter your PIN.

Sounds like Mr. Kelly is a bit confused.  In order to make sure there is NO confusion, HomeATM's "Third Party" was Witham Laboratories, 1 of 8 approved by PCI to test...and  they vigorously tested and found our hardware device to "meet or exceed" PCI  PED 2.0 standards.

Furthermore, HomeATM's hardware device not only "accurately mimics" the consumer experience at the grocery store, it does it one step better.  It "PRECISELY MIMICS" the consumer experience in the lobby of their bank.  (not the satellite one down the street) 
The only difference is that(unless you install your own) there's no possibility of a hidden camerato record your PIN as you enter it, there's no possibility of askimming device, and even if someone were to break into your home,leave your 52' LCD on the wall and try and tamper with our device, itwould shut down, because it's literally "tamper proof."    
I understand why Accel Exchange is willing to take drastic measures to increase their growth (see chart above left...they have the most minitesmal growth of any EFT Network in the Top 10) but this may be a bit TOO drastic.  The only thing that's SAFE to say about this development is that since Accel is only in 6 out of 50 states, (Alaska, California, Idaho, Nevada, Oregon and Washington) 88% of the country will still have PIN security. 
Read Entire Article at Digital Transaction News












Reblog this post [with Zemanta]

Disqus for ePayment News