Friday, April 24, 2009

Proof that Software PIN Debit is Unsafe (with Pictures!)

Editor's Note: I saw this item come across the newswires, and there is a specific quote which instantly grabbed my attention. (emboldened in RED and highlighted below)

Why did it grab my attention?

Because there are some who argue that a "floating" PIN Pad is secure, but based on information contained in the story below, it "appears" (just like a floating PIN Pad!) that it is NOT secure.

Keep in mind that a floating PIN Pad is nothing but a "graphical user interface" (GUI), and GUIs can be readily replicated by hackers.


Just as HomeATM replicated the conventional approach to PIN Debit and brought it to the web with our PCI 2.0 Certified SafeTPIN, a hacker could (make that "would" because, as it states below, they already have) replicate a software application and fool users into entering their passwords (PINs).

What a mess that will be. And guess who's going to be liable? Would it be the software application provider? That leaves the EFT Network or the Financial Institution. The only two other choices would be the merchant or the consumer. Anyone have any thoughts?


Anyway, the story below verifies that what we've been saying this past year is TRUE. Not surprising, coming from the only TRUE PIN Debit for the Web provider in the world, is it?

Source: ca
Complete item: http://community.ca.com/blogs/securityadvisor/archive/2009/04/22/banking-trojans-tips-and-tricks.aspx

Browser Impersonation

Win32/Bancos and Win32/Banker are a family of trojans that mostly target South American banks. These banks typically use the Portuguese language on their websites, and in the example below you can see that the banking trojan managed to change the version of the web browser from English to Portuguese.

In the Process Explorer window shown in Figure 02, you can see that the process owning the Window Title - "http://www.bradesco.com.br - Microsoft Internet Explorer" is the banking Trojan, not Internet Explorer. The banking trojan now has control over the keyboard and can intercept login credentials entered on the website by the user.

Editor's Note: In a software PIN Debit application, you are instructed to "type" in your debit card's "primary account number" (PAN). So this is not good news for people who say that it's a secure application. In addition, it bodes well for my assertion that banks should replace "username: password:" with our PCI 2.0 certified and much more secure SafeTPIN and use that as a log-in device.


Fake Login Page


Some banking trojans imitate legitimate applications distributed by banks and there is no way a user can tell the difference between the real and fake graphical user interfaces.

Editor's Note: So there you have it. Anyone still think that a software PIN Debit application is secure?
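The two quoted sections above describe one observable symptom: a window whose title claims to be "Microsoft Internet Explorer" while the process that owns it, as Process Explorer showed, is the trojan. The following is an added example (not CA's code and not part of the original post) that turns that observation into a check a responder can run: it maps browser title suffixes to the executable that should own such a window, flags any owner whose image name or install directory does not match, and does the same for a renamed copy of iexplore.exe running from a user-writable folder. The window records are constructed to resemble Process Explorer output; the title suffixes and install directories are assumptions, and the live collector at the bottom runs only on Windows.

```python
"""Flag top-level windows whose title claims a browser but whose owner is not it."""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class WindowRecord:
    title: str
    pid: int
    image_path: str  # full path of the executable owning the window


# Assumption: window-title suffixes these browsers append, and the executable
# that should own a window carrying that suffix. Extend for other browsers.
EXPECTED_OWNER = {
    " - microsoft internet explorer": "iexplore.exe",
    " - windows internet explorer": "iexplore.exe",
    " - mozilla firefox": "firefox.exe",
    " - google chrome": "chrome.exe",
}

# Assumption: default install directories (lower-cased, forward slashes).
TRUSTED_DIRS = {
    "iexplore.exe": ("c:/program files/internet explorer/",
                     "c:/program files (x86)/internet explorer/"),
    "firefox.exe": ("c:/program files/mozilla firefox/",
                    "c:/program files (x86)/mozilla firefox/"),
    "chrome.exe": ("c:/program files/google/chrome/application/",
                   "c:/program files (x86)/google/chrome/application/"),
}


def claimed_owner(title: str):
    """Return the executable a window title implies, or None if it claims nothing."""
    t = title.lower().rstrip()
    for suffix, exe in EXPECTED_OWNER.items():
        if t.endswith(suffix):
            return exe
    return None


def find_impersonators(windows):
    """Return (record, reason) pairs for windows whose title does not match its owner."""
    hits = []
    for w in windows:
        expected = claimed_owner(w.title)
        if expected is None:
            continue
        path = w.image_path.replace("\\", "/").lower()
        actual = path.rsplit("/", 1)[-1]
        if actual != expected:
            hits.append((w, f"title claims {expected} but owner is {actual}"))
        elif not path.startswith(TRUSTED_DIRS[expected]):
            hits.append((w, f"{actual} runs from untrusted location {w.image_path}"))
    return hits


# Constructed sample: one genuine IE window, the trojan window from the CA
# write-up owned by an executable in %TEMP%, a clean Firefox window, an
# unrelated Notepad window, and a renamed iexplore.exe in a roaming profile.
SAMPLE_WINDOWS = [
    WindowRecord("http://www.bradesco.com.br - Microsoft Internet Explorer", 1760,
                 r"C:\Program Files\Internet Explorer\iexplore.exe"),
    WindowRecord("http://www.bradesco.com.br - Microsoft Internet Explorer", 3124,
                 r"C:\Users\alice\AppData\Local\Temp\msupdt.exe"),
    WindowRecord("Login - Mozilla Firefox", 2201,
                 r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    WindowRecord("Untitled - Notepad", 988, r"C:\Windows\System32\notepad.exe"),
    WindowRecord("Internet Banking - Windows Internet Explorer", 4410,
                 r"C:\Users\alice\AppData\Roaming\iexplore.exe"),
]


def collect_windows_win32():
    """Enumerate visible top-level windows with their owner's image path (Windows only)."""
    import ctypes
    from ctypes import wintypes
    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    found = []

    @ctypes.WINFUNCTYPE(ctypes.c_bool, wintypes.HWND, wintypes.LPARAM)
    def on_window(hwnd, _lparam):
        if not user32.IsWindowVisible(hwnd):
            return True
        n = user32.GetWindowTextLengthW(hwnd)
        if n == 0:
            return True
        title = ctypes.create_unicode_buffer(n + 1)
        user32.GetWindowTextW(hwnd, title, n + 1)
        pid = wintypes.DWORD()
        user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
        path = "<unknown>"
        h = kernel32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid.value)
        if h:
            buf = ctypes.create_unicode_buffer(1024)
            size = wintypes.DWORD(1024)
            if kernel32.QueryFullProcessImageNameW(h, 0, buf, ctypes.byref(size)):
                path = buf.value
            kernel32.CloseHandle(h)
        found.append(WindowRecord(title.value, pid.value, path))
        return True

    user32.EnumWindows(on_window, 0)
    return found


if __name__ == "__main__":
    windows = collect_windows_win32() if sys.platform == "win32" else SAMPLE_WINDOWS
    for rec, why in find_impersonators(windows):
        print(f"pid {rec.pid}: {why!r}  title={rec.title!r}")
```

Against the constructed sample the check reports pid 3124 (the trojan owning an "Internet Explorer" window) and pid 4410 (an iexplore.exe that does not live in the browser's install directory). A process that fails the directory test would still pass a naive image-name check, which is why both are needed; the same idea applies to the fake bank-issued applications in the "Fake Login Page" section, where the window looks right but the owning executable is not the bank's.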

Recommendation
In tough economic times like this, it is very important for us to understand the behavior of these threats and the associated risks.

At the end of the day, the main goal of the attackers is to steal your identity and your money!

E-Secure-IT
https://www.e-secure-it.com
