Saturday, May 30, 2009

3DES, DUKPT & E2EE Explained

I received a couple questions via email and wanted to take the time to provide a "coupla" of answers. If you have any questions about anything I've blogged about over the past year, feel free to shoot me one. I've got my email below:

Here's the first question:

Q: Is Triple DES a better encryption standard than DUKPT (Derived Unique Key Per Transaction)?

A: I've used the terms Triple DES and DUKPT quite a bit in recent posts. To clarify, let's just start by saying that DUKPT does not really compete with Triple DES: DUKPT is a key-management scheme, while Triple DES is the cipher those keys are used with. Let's go over them one by one.

Worldwide, POS devices handle billions of transactions per day. If the keys protecting even a small portion of that traffic were discovered, we'd have a tremendously huge problem. Which is my segue to DUKPT.

The benefit of DUKPT is that even if an attacker discovered the key to a particular transaction, none of the other transactions from the same device could be decrypted with that key.

DES stands for Data Encryption Standard, a block cipher that was selected as an official Federal Information Processing Standard (FIPS) for the United States in 1976.

Triple DES, sometimes shortened further to 3DES, increases the difficulty of cracking the encryption by applying three DES operations in sequence: an encryption, a decryption and an encryption, each with an independent key.

3DES has become popular for encrypting financial transactions because it is potentially far more secure than DES, which has been shown to yield its secrets somewhat quickly to relatively cheap hardware.

Both DES and 3DES use a symmetric key. In other words, the same key enciphers and deciphers the protected data. To keep the key secret, a secure key-management system is required.

One way to prevent fraud is to use a different key for each transaction, which is exactly what Derived Unique Key Per Transaction does. HomeATM's secure devices (and thus your transactions) are "Protected by DUKPT": each device is initialized with a master key, and from that master key the unique keys are derived, one per transaction.

That said, a potential attack point for a fraudster would be the master key stored in the encrypting device. However, because HomeATM utilizes DUKPT, our device is built so that tampering with the device wipes this master key out.

These derived keys are used to encrypt transaction data with a symmetric cipher such as 3DES. HomeATM also takes it one step further and encrypts the Track 2 data as well. If you ever have any questions regarding financial transaction security or how HomeATM provides true end-to-end-encrypted transactions, feel free to email me.
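The per-transaction key property described above, as an added illustration that is not HomeATM's code and not the ANSI X9.24 DUKPT algorithm itself: HMAC-SHA256 stands in for X9.24's 3DES-based key generation and a PRF keystream stands in for the 3DES data encryption, the master key, device serial and Track 2 strings are constructed demo values, and the key serial number (KSN) is modelled as device serial plus transaction counter. It shows the host re-deriving each key from the KSN, a leaked transaction key opening only its own transaction, a replayed KSN being rejected, and tampering zeroising the master key.

```python
import hmac
import hashlib

# Constructed demo values, not real keys or serial numbers.
MASTER_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")
DEVICE_SERIAL = b"DEMO-PED-0001"
COUNTER_LIMIT = 1 << 21  # X9.24 DUKPT carries a 21-bit transaction counter in the KSN


def derive_transaction_key(master_key, ksn):
    """One-way derivation of the unique key for the transaction identified by ksn.

    HMAC-SHA256 stands in for X9.24's non-reversible key generation; as there, a
    derived key reveals neither the master key nor any other transaction's key.
    """
    return hmac.new(master_key, b"txn-key" + ksn, hashlib.sha256).digest()


def keystream_xor(key, data):
    """PRF-based stream encryption, standing in for the 3DES the post mentions."""
    stream = b"".join(
        hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(key, ksn, plaintext):
    """Encrypt and authenticate one transaction under its unique key."""
    ct = keystream_xor(key, plaintext)
    tag = hmac.new(key, ksn + ct, hashlib.sha256).digest()
    return {"ksn": ksn, "ct": ct, "tag": tag}


def unprotect(key, msg):
    """Return the plaintext, or None if the key is wrong or the message was altered."""
    tag = hmac.new(key, msg["ksn"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        return None
    return keystream_xor(key, msg["ct"])


class Device:
    """The encrypting PED: keeps the master key, exports only ciphertext and KSN."""

    def __init__(self, master_key, serial):
        self._master = master_key  # in a real PED this sits in tamper-responsive memory
        self.serial = serial
        self.counter = 0

    def encrypt_transaction(self, track_data):
        if self._master is None:
            raise RuntimeError("device tampered: master key has been zeroised")
        if self.counter >= COUNTER_LIMIT:
            raise RuntimeError("transaction counter exhausted: device must be re-keyed")
        ksn = self.serial + self.counter.to_bytes(3, "big")
        self.counter += 1  # the counter only moves forward; a KSN is never reused
        return protect(derive_transaction_key(self._master, ksn), ksn, track_data)

    def tamper(self):
        """Model the tamper response: the master key is wiped."""
        self._master = None


class Host:
    """The processor side: re-derives each key from the KSN and refuses replays."""

    def __init__(self, master_key):
        self._master = master_key
        self._seen_ksns = set()

    def decrypt_transaction(self, msg):
        if msg["ksn"] in self._seen_ksns:
            return None  # replayed transaction
        plaintext = unprotect(derive_transaction_key(self._master, msg["ksn"]), msg)
        if plaintext is not None:
            self._seen_ksns.add(msg["ksn"])
        return plaintext


def demo():
    """Run three transactions and return the properties a reviewer would check."""
    device, host = Device(MASTER_KEY, DEVICE_SERIAL), Host(MASTER_KEY)
    # Constructed Track 2 style strings (well-known test PAN, not a real card).
    tracks = [b";4111111111111111=2512101%d?" % i for i in range(3)]
    msgs = [device.encrypt_transaction(t) for t in tracks]
    recovered = [host.decrypt_transaction(m) for m in msgs]
    # Suppose an attacker somehow obtained the key for transaction 1 only.
    leaked_key = derive_transaction_key(MASTER_KEY, msgs[1]["ksn"])
    device.tamper()
    try:
        device.encrypt_transaction(tracks[0])
        tamper_blocks = False
    except RuntimeError:
        tamper_blocks = True
    return {
        "host_recovers_all": recovered == tracks,
        "leaked_key_opens_own_txn": unprotect(leaked_key, msgs[1]) == tracks[1],
        "leaked_key_opens_other_txn": unprotect(leaked_key, msgs[2]) is not None,
        "replay_rejected": host.decrypt_transaction(msgs[0]) is None,
        "tamper_blocks_encryption": tamper_blocks,
    }
```

Running `demo()` returns `leaked_key_opens_other_txn` as False: the key for one transaction is useless against its neighbours, which is the whole point of the scheme.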

Before I get to the next question, I've got one for you.

When you "type" your card number into a "box" on a merchant website, is it protected by DUKPT? Is it encrypted? If so, DES or 3DES? First one to send me the correct answer gets a Free HomeATM PED!

Q: What is TRUE end-to-end encryption? (E2EE)

A: First of all, "true" end-to-end encryption can only occur with a PIN based transaction. It doesn't exist outside of that scope, because there is a point in the process where the cardholder data is decrypted before it is re-encrypted, and that is the point where it is vulnerable.

With that said, Heartland's proposal for end-to-end encryption has promulgated E2EE into a hot topic.

I would point out that Heartland's E2EE proposal came "AFTER" their breach...while HomeATM instituted their end-to-end encryption from "the very beginning." I'm not bragging. I'm proudly displaying our insight into the weaknesses inherent in the payments system and how we improved upon said weaknesses.

But let's get back to Heartland, shall we? In this post I will attempt to explain why they CANNOT magically snap their fingers and introduce E2EE on their own. They need cooperation from others in the industry.

While it's true that some large U.S. retailers encrypt cardholder data while in transit, it's also true that most don't. In order for E2EE to work, a lot of retailers would need to revamp their system(s). Very costly indeed.

In addition, the top full-service U.S. payment processors don't currently support E2EE; thus, retailers that encrypt card data in transit typically must decrypt it before they send it to their processor.

The key word here is decrypt. That is the weak point, the vulnerability, and as such, also the problem.

That said, PIN Debit is an entirely different animal. Card brand standards require that PINs are encrypted end-to-end. In fact, speaking about Heartland's quest for E2EE, Distinguished Gartner Analyst Avivah Litan stated:

"End-to-end encryption would be most effective if data was encrypted from the time a card was swiped at a POS until it reached the card issuer, similar to the way personal identification numbers (PINs) currently are encrypted according to card brand standards."

Starting to get the point? If not, here's some more insight, as Ms. Litan went on to state:

"Heartland is limited by the scope of systems it manages and from which it accepts data; it can only seek to influence the card industry to carry end-to-end encryption beyond the processor stage, through the card networks and onto the card issuers.

"The proposal's success also depends on merchants' willingness to invest in terminal upgrades that support card data encryption."

(Editor's Note: For instance...HomeATM's PCI 2.0 Certified SafeTPIN PED which also encrypts the Track 2 data.) Avivah continues:

"If Heartland implements its proposed project more securely than it has managed in the past with its network, it will make payment card processing more secure for merchants, especially if they don't manage the encryption keys and leave key management to their processor.

"Nevertheless, the process will always include vulnerabilities at the point where data is encrypted and decrypted.

"These vulnerabilities can be limited by using 'sound key management practices' and enforcing extra security measures, such as 'requiring two separately managed sets of keys for cryptographic operation.'"

HomeATM practices what she preaches by incorporating a "sound key management practice."

That is why HomeATM is the closest thing to TRUE end-to-end encryption in the industry. (our industry being eCommerce payments and Real Time Money Transfer.)

In the bricks and mortar world, end-to-end encryption doesn't exist and the whole system would need to be revamped. You can learn more about that in this related post where Avivah Litan asks:
Hacked! Is Visa Next?

Hole in the Whole Card Security System

Credit Cards' Unintended Security Hole - CBS News
Retail Realities: Why Zero Liability Programs Are a Wonderfully Early Holiday Gift to Cyber Thieves Everywhere

Editor's Note: First of all, I call it "Zero Lie Ability," because the truth is that signature debit vs. PIN debit brings "nothing to the table," yet Visa pushes it over the more secure 2FA PIN debit system. Lie Ability also has the dual meaning that the banks have "no clue" (zero) on how Visa fooled them into agreeing to partake in this so-called "zero liability" program...the one that pushes the "LIE" in order to provide Visa with the "ABILITY" to make more profits. It doesn't take a rocket scientist to PIN down the fact that Visa's "Signature" product, given the two choices (PIN or SIG), is the less secure of the two.

I'll expand further on Tuesday.  For now, here's Evan Schuman's rant...which by the way...contains zero lies!

(CBS) This column was written by Evan Schuman, the editor of, a site that tracks retail technology, e-Commerce and security issues. He can be reached by e-mail and on Twitter.

In one of the most delicious ironies in retail today, the single most significant element that makes it easier for cyber thieves to steal consumer credit and debit card information from retailers is something the credit card companies themselves cooked up.

To be fair, this unintended consequence is a domino effect, where the innocuous-seeming program has set off a series of chain reactions that, today, makes credit and debit card breaches a lot more likely and more lucrative for the thieves. The program is called zero liability and it was initiated by some of the major credit card players many years ago to try and make consumers more comfortable making purchases online. The premise is that any fraudulent purchases will not have to be paid for by the consumer. Some banks have spoken of no liability beyond $50, but in operation, almost all banks cover all of the charges.

The program worked wonderfully and consumers quickly did become comfortable making E-Commerce purchases. But as identity theft and straight-out stealing from credit cards became much more common, large retailers became popular targets. The onus was on the retailers-not the banks-to pay millions of dollars to install and manage sophisticated security programs. But these costs were almost impossible to justify. After all, no chain was going to advertise: "We just installed state-of-the-art firewalls and encryption systems. Come shop with us." And the risk of being breached seemed too remote to make a compelling argument to a board of directors.

Then came the retail world's wakeup moment.  (Continue Reading...but Editor's Note)

Editor's Note: When will the e-tail world "wake up?" AFTER or BEFORE the next big breach? Look for Tuesday's PIN Payments News Blog for an analysis of why an e-Breach is inevitable...unless online shoppers swipe instead of type. I've long said that if cardholder data is going to be swiped, should it not be the cardholder doing the SwipePIN?

BTW: It's ironic that this story was run on CBS, because there's a lot of BS that I C involving e-payment security on the web (including BSMS). When it comes to asking who "nose" this more than anyone, the engineering team at HomeATM has been conscious of this fact for years. So what is Visa doing? Jiminy Cricket! Where's the conscience?

Heartland Update: 656 Institutions Impacted

While it's hard to get a handle on just how many consumers were affected by the Heartland Payment Systems (HPY) data breach, the total number of institutions now reporting card compromises is at 656.

Read Entire Article


NACS Says Interchange Reform Badly Needed

'A penny times billions adds up'
Trade group (NACS) representing convenience stores and grocers upset with recent credit card fee increase
Date published: 5/29/2009

An association of retailers is upset about a recent fee increase charged to merchants each time a customer uses a credit card to pay.

The National Association of Convenience Stores calls last month's usage-fee increases by Visa and MasterCard "beyond outrageous." The fees, which took effect April 17, increase a merchant's per-charge transaction cost by more than a penny. Merchants are now charged about 2 cents per transaction on usage fees, which are in addition to other costs.

"A penny may not seem like much, but a penny times billions adds up quick," said NACS spokesman Jeff Lenard. "And when business costs go up, they get passed along to consumers, so we are all the losers."

MasterCard spokesman Chris Monteiro declined to comment on the pricing adjustments but noted that "every business establishes a price for the goods and services it provides, and the electronic payments industry is no exception.

Continue Reading

In related news, the NACS also ran an editorial on their website arguing that interchange fees need to be regulated or the benefits of the recent Credit Card Bill of Rights will be badly eroded:

Editorial: Merchants Need Interchange Reform 

Unless interchange fees are regulated, the benefits to consumers of recent credit card reform will be sharply reduced

MINNEAPOLIS, MN – An editorial in the Minneapolis Star-Tribune welcomed the passage of the Credit Cardholders’ Bill of Rights as one protecting cardholders, although the bill failed to address interchange fees. The editorial urged Congress or courts to act and eliminate interchange fees, costs that total $45 billion annually. The editorial's authors, Craig Wildfang and Mark Williams, recommended the following:

  • Congress should regulate interchange fees, those charged to merchants by card-issuing banks. Collectively, the fees total $45 billion annually and are rising.
  • U.S. interchange fees are among the world’s highest and are not supported by commensurately higher costs to banks or card networks. In fact, the costs of running computer hardware and software — “the principal costs of running a payment card network” — have been
  • Interchange fees are essentially a privately enacted sales tax by the country’s largest banks (creators of Visa and MasterCard), “except that the revenue goes to the country’s largest banks, not to the government.” No controls have been in place to regulate this “fixing of prices to merchants” by the banks. Indeed, “the five largest card-issuing banks account for 80 percent of all cards.”
  • Other countries have contested interchange fees, including Australia and the European Union. In those cases, authorities lowered or eliminated the fees.
  • Canada’s Interac debit network, as well as other foreign debit card networks, voluntarily do not charge interchange fees.

Wildfang and Williams summarized that eliminating the $45 billion interchange fee would provide an immediate stimulus to the economy. And noting that Citibank and Bank of America have accepted hundreds of billions of dollars of taxpayer funds to endure the current financial crisis, a reciprocal gesture is especially merited. Without doing so, the benefits of the Cardholders’ Bill of Rights are sharply reduced. And if Congress fails to act, merchants will turn to the courts to seek relief.

Cybersecurity Tsarina - ISR

In an article written by Kevin M. Nixon, he muses as to whether Melissa Hathaway is the next Cybercrime Czar...

Is She America’s New Cybersecurity Tsarina?

May 29, 2009 by ADMIN · 2 Comments
By Kevin M. Nixon, Security Editor

Information Security Resources staff had received an advance copy of the official White House Press Release (05/29/2009) and was all ears today during President Obama’s East Room remarks on the highly anticipated and long awaited release of the “Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure”.

The report has become known as “The Hathaway 60-Day Report” in “homage” to Melissa Hathaway, the person President Obama picked as “Acting Senior Director for Cyberspace of the National Security Council (NSC) and the Homeland Security Council (HSC)”.

Not only did the President bestow a title too long to technically print on a normal sized business card, he also gave her the shortest runway I have ever seen to assemble recommendations, gain consensus, and publish a report for the Chief Executive.

Just pulling together all agencies, departments, stove-piped information while overcoming all the turf battles can only be likened to attempting a huge worm wrestle.

Ms Hathaway accomplished the task and delivered the goods and so everyone anticipated that the President would recognize her “get it done” work ethic and also announce from the East Room today, her appointment as America’s Cybersecurity Tsarina.

However, everyone holding their breath in the East Room today probably passed out from lack of oxygen. The President was blatantly and conspicuously silent on his appointment.

The President’s silence left everyone wondering “does she or doesn’t she” and left reporters attempting to find any hints of the President’s plan. ISR thinks that we may be on to something. As POTUS stepped in front of the gathered experts, somewhere in the back offices of the White House there was a shadowy figure hunkered over a keyboard waiting for the exact moment to press enter and publish an article on the White House Blog.

Could that person have even been sitting in the East Room audience with the President holding onto her three Blackberry devices just waiting for President Obama to give the secret word or phrase to “press the send” button?

We may never know, but President Obama did acknowledge Melissa Hathaway at about the same time that an article by her was posted on the White House Blog.

What is noticeable in Ms Hathaway’s article is her title in the article’s by-line. Gone is “Melissa Hathaway, Acting Senior Director for Cyberspace of the National Security Council (NSC) and the Homeland Security Council (HSC)”. The new by-line reads: Melissa Hathaway, Cybersecurity Chief at the National Security Council.

Which still leaves us wondering and waiting. Is the White House making new robes as the Catholic church does when a new Pope is elected, or has Ms Hathaway been appointed “Camerlingo” (1st runner up in a papal contest)? Guess we will just have to wait.

Melissa Hathaway’s Blog post “Securing Our Digital Future” is re-published here:
Melissa Hathaway, Cybersecurity Chief at the National Security Council, discusses securing our nation’s digital future:

Published:  FRI, MAY 29, 10:00 AM EST — The White House Blog

The globally-interconnected digital information and communications infrastructure known as cyberspace underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety and national security.

The United States is one of the global leaders on embedding technology into our daily lives and this technology adoption has transformed the global economy and connected people in ways never imagined.

My boys are 8 and 9 and use the Internet daily to do homework, blog with their friends and teacher, and email their mom; it is second nature to them.

My mom and dad can read the newspapers about their daughter on-line and can reach me anywhere in the world from their cell phone to mine. And people all over the world can post and watch videos and read our blogs within minutes of completion. I can’t imagine my world without this connectivity and I would bet that you cannot either. Now consider that the same networks that provide this connectivity also increasingly help control our critical infrastructure.

These networks deliver power and water to our households and businesses, they enable us to access our bank accounts from almost any city in the world, and they are transforming the way our doctors provide healthcare. For all of these reasons, we need a safe Internet with a strong network infrastructure and we as a nation need to take prompt action to protect cyberspace for what we use it for today and will need in the future.

Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. The 60-day cyberspace policy review summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future.

There are opportunities for everyone–individuals, academia, industry, and governments–to contribute toward this vision. During the review we engaged in more than 40 meetings and received and read more than 100 papers that informed our recommendations. As you will see in our review there is a lot of work for us to do together and an ambitious action plan to accomplish our goals.

It must begin with a national dialogue on cybersecurity and we should start with our family, friends, and colleagues.

We are late in addressing this critical national need and our response must be focused, aggressive, and well-resourced. We have garnered great momentum in the last few months, and the vision developed in our review is based on the important input we received from industry, academia, the civil liberties and privacy communities, others in the Executive Branch, State governments, Congress, and our international partners. We now have a strong and common view of what is needed to achieve change.

Ensuring that cyberspace is sufficiently resilient and trustworthy to support U.S. goals of economic growth, civil liberties and privacy protections, national security, and the continued advancement of democratic institutions requires making cybersecurity a national priority.

Kevin M. Nixon, MSA, CISSP®, CISM®, CGEIT®, has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee. He has also served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security, and as a consultant to the Federal Trade Commission.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to


Friday, May 29, 2009

Online Banking Under Attack!

ITWeb: Online banking under attack
[ Johannesburg, 29 May 2009 ] - In today's trying economic climate, it is becoming clear that every organization in every industry sector, be it financial, retail or telecommunications, is a target for cyber criminals. If they conduct banking online or host customer and supplier information, businesses must ensure they have proper security measures in place not to fall victim to these crimes.

This is according to Costin Raiu, Chief Security Expert at Kaspersky Lab, EEMEA, addressing delegates at ITWeb's 4th Annual IT Security Summit 2009 in South Africa this week.

The conference provided information security professionals and IT managers with the most up-to-date information, tools, trends, legislation and strategies to address information security issues.

“Cybercrime accounts for billions of dollars in terms of losses annually and the criminals are becoming more professional in developing technologies designed to counteract traditional anti-virus solutions every day. It is not so much an issue of computer malware, but the countless vulnerabilities in operating systems as well as the installed software applications that make it very hard to run secure computer systems,” he says.

Raiu says the contributing factors that lead to the flourishing of premeditated online crime include the evolution of malicious code from viruses to Trojan horse attacks designed to steal personal information for financial gain.

“Online payment systems and online banking systems often make use of simplistic authentication technologies, and hackers use keystroke loggers, password-stealing Trojans and social engineering to gain access to accounts which are later emptied of funds.

“Even systems that use complicated multi-factor authentication techniques are at risk with the introduction of specialised Trojan horses, which are able to intercept transfers on-the-fly and replace the destination account with the attacker's account or highjack an online banking session,” he says.

“At the same time, banking institutions that offer financial services online must use a blended approach to security, using two-factor authentication methods that rely on external devices to ensure that user accounts are not compromised,” he says.

In his closing comments, Raiu said businesses have to begin to realize that the IT security threat is not going to go away. Protection against such risks, he says, must be an international priority, involving various industry experts and associations to guard against these financial risks.


How to Hack an ATM Part VI


Kaufen Sie schnell!

The progress of e-commerce in Germany—home to Europe’s largest Internet population—was relatively slow, retarded by many of the same issues seen earlier in other countries, such as the UK and the US. Heightened security concerns and adherence to traditional payment habits on the part of many Germans hindered the development of online selling.
But the situation has changed.

By the end of 2008, the GfK Group reported that retail e-commerce sales—excluding event tickets, financial products and travel—reached €13.6 billion ($20 billion), up €2.2 billion ($3.2 billion) from 2007.

“Consumers in Germany have largely overcome their reluctance about buying online,” says Karin von Abrams, eMarketer senior analyst and author of the new report, Germany Online: Europe’s Biggest E-Commerce Market Comes of Age.

Eurostat calculated that 89% of Germany’s male Internet users ages 16 to 74 shopped online in 2008—the same percentage that sent or received e-mails.

Among males ages 25 to 54, the percentage who shopped online was 93%.

Continue Reading at eMarketer

Read Below How to Order eMarketer's Report on E-Germany

Germany Online:  Europe's Biggest E-Commerce Market Comes of Age

The progress of e-commerce in Germany, Europe’s largest Internet population, reflects patterns seen earlier in other countries, such as the UK and the US. But cautious consumers’ security concerns and traditional payment habits are increasingly being overcome.

The Germany Online report analyzes the factors driving the surge in German e-commerce.

Many German retailers were slow to recognize the advantages of Internet sales—30% of the German firms selling on the Web last year launched their online stores in 2007 or later.

Nevertheless, sales are growing.

By the end of 2008, German retail e-commerce sales—excluding event tickets, financial products and travel—reached €13.6 billion ($20 billion), up €2.2 billion ($3.2 billion) from 2007.

Key questions the “Germany Online” report answers:
  • How many German consumers are buying products and services on the Internet?
  • How do online buying patterns vary with age and gender?
  • How is the arrival of online shopping clubs changing the e-commerce landscape?
  • What is the current level of interest in mobile commerce?
  • And many others…
eMarketer Reports—On Target and Up to Date
The Germany Online report aggregates the latest data from international marketing and communications researchers with eMarketer analysis to provide the information you need to make fast, whip-smart business decisions.



Western Union Malware Attack Launched

Finextra has a story on the Western Union scam (The PIN Payments Blog told you about it on May 12th), but "their" story talks about Graham "Cluely" (a senior tech consultant at Sophos) complaining that people are "Clueless."

Oh really Graham? And you just figured that out? Who Clued you in? Was it that Pareto guy?

A Phunny Phishing story. Oh, and if you are one of the dumb people, please don't be offended by the graphics...just a dumb attempt on my part to be phunny.

Western Union malware attack launched

Western Union has become the latest firm to have its brand hijacked by phishers, with a flood of trojan-laden e-mails purporting to come from the money transfer outfit hitting inboxes.

Graham Cluley, senior technology consultant, Sophos, suggests the attack is unlikely to fool all but the most gullible.

"If you haven't sent any money via Western Union, then why would they be telling you it failed to be delivered properly? Common sense is your friend. It's just such a shame that it doesn't seem to be very common," says Cluley.

Editor's Note: Common Sense dictates that "If everyone else is drinking the Kool-Aid, then maybe I should drink it too!"

It's the uncommon sense that prevails. Don't believe me? Ask the lemming that "didn't" jump off the cliff.


Thursday, May 28, 2009

Both Sides of the Mouth Syndrome Syndicated

Information Security Resources, an industry-leading "InfoSec" blog, shared the BSMS with their readers.

‘Both Sides of the Mouth’ Security Analysis

May 27, 2009 by ADMIN · Comment

By John B. Frank, Marketing Strategist with HomeATM ePayment Solutions

It was nice that Javelin Strategy and Research took the time to write about HomeATM in their analysis of Finovate Startup09, but I’m a little confused about something they say in their report.

Maybe a reader might be able to clarify what they mean, because right now I’ve got  a kindova BSMS (Both Sides of the Mouth Syndrome) taste in my - for lack of a better word - mouth.

Why do I say BSMS?

Well, in the first portion of Javelin’s analysis of HomeATM, they say that our Safe-T-PIN device provides (the more secure) card present (vs. the less secure card not present) credit card transaction, and the even more secure PIN Debit transaction.

Here’s their quote:

Launched in April 2009, P2P Safe-T-PIN offers home-based “card present” credit card and PIN debit transactions online using a PCI-certified device attached to a personal computer through a USB port.

Users also could make online purchases by swiping their credit card or debit card and PIN at checkout. The device allows for secure real-time money movement with an option for delayed transactions.

Then, after stating that, the next thing they say is:

There is greater potential for HomeATM as a frequent high-value P2P solution such as a Western Union money transfer than for enabling e-commerce. Many consumers may be hesitant to swipe their ATM cards on hardware attached to their computer because of security concerns.

Therein lies my confusion.

First they state that our PCI certified device allows for “Card Present” and “Online PIN Debit” transactions, along with the statement that our device ALLOWS SECURE REAL TIME MONEY MOVEMENT, and then in their next breath they say that many consumers may be hesitant to use that very same PCI 2.0 Certified PIN Entry Device because of security concerns?

Did they possibly mean to imply that many consumers may be hesitant to swipe their ATM cards on hardware attached to their computer because they don’t want “improved” security?

Someone help me out here!  I’m not being sarcastic.  I’m being serious. Okay, I admit…I’m being totally sarcastic. But there’s good reason; in fact 117 good reasons. You may have noticed when you first visited the HomeATM site, there was a popup that appeared asking if you would please partake in our survey.

Well, I started the survey yesterday and already have 117 responses, and it doesn’t appear to me that very many consumers may be hesitant to swipe their ATM (or debit or credit) cards on hardware attached to their computer.  In fact, 117 said they would prefer to Swipe their Card and 117 said they would prefer NOT to Type in a Username/Password.


The analysis did go on to say that two of the “differentiators” enjoyed by HomeATM is that we provide “end to end encryption” and our device is PCI certified, so I’m still left confused by what they meant about many consumers being hesitant because of security concerns… chime in if you know!

HomeATM Differentiators:

• A HomeATM Mobile device will be available for mobile phones with Web access, allowing transactions on the go
• PCI-certified device
• Hardware-based end-to-end encryption
• 100% acceptance with all bank cards

Author’s Note:  Plus our PCI 2.0 Certified PED also “encrypts” the Track 2 data and utilizes DUKPT key management as an additional layer of security.

HomeATM’s Engineering Team Designed and Manufactures the World’s FIRST and ONLY PCI 2.0 PIN Entry Device Specifically Designed for eCommerce. Our device provides “Card Present” rates on credit cards and “True PIN Debit” Interchange on debit cards as well as secure 2FA authentication for online banking sites and live, “real-time” money transfer from P2P, B2B, B2P, P2B and mobile.

To learn more about our product’s and services click here or email us at:



Debit Card Transactions Grow 48%, Credit Cards 12.7% - RBI

Consumers prefer debit cards in slowdown
BS Reporter / Mumbai May 29, 2009, 0:28 IST

The number of debit card transactions increased by 48 per cent in financial year 2009, compared to an increase of 12.7 per cent for credit cards in the year. Similarly, debit card volumes grew by 44.6 per cent, whereas credit cards saw a volume growth of 13.7 per cent for the same period, says the Reserve Bank of India’s data.

Sector experts attribute this surge in debit card usage to the ongoing economic slowdown and the cautious attitude towards spending money. Add to this the diminished focus of banks in issuing credit cards.

The pattern is starker in a quarter-on-quarter analysis by Venture Infotek, a transaction management company. Debit card transactions showed an increase of 88.6 per cent, against a rise of 34.5 per cent for credit cards for March. In value terms, daily transactions through debit cards increased by 73.4 per cent vis-à-vis an increase of 24.8 per cent in credit card transactions.

“This shows the Indian consumer is behaving cautiously. Debit cards bring in the discipline of spending only the money you own. Besides, credit is scarce in a recession and credit card companies are wary of extending credit loosely,” said Piyush Khaitan, Managing Director, Venture Infotek.

The total value and volume of point of sale transactions through credit cards in March has declined by 11.9 per cent and 3.9 per cent, respectively, over April 2008, says the RBI data.

It also shows the number of credit cards in circulation has declined from 28.3 million cards in April 2008 to 24.6 million cards in March 2009. Whereas debit cards have registered an increase of 30.9 per cent, to touch 137.4 million in March 2009.

Emerging Bank Markets in the U.S. 2009

Emerging Bank Markets in the United States 2009

Mintel, March 2009, Pages: 56
Since the last survey that we conducted of the unbanked and underbanked markets, two significant developments have taken place: the financial crisis and the election of President Barack Obama. These two events offer both good news and bad news for those looking to market to the underbanked. On the one hand, those distrustful of the banking system are now even more distrustful. On the other hand, as the majority of unbanked and underbanked consumers are immigrants, this poses a possible opportunity.

Due to problems in the banking industry, banking institutions will need to look towards new revenue streams. Though banks are more risk-averse, there is evidence that the underbanked are not necessarily high risk and are actually careful consumers. Given their population growth rates, it is a huge economic opportunity.

This report includes key information about the growing numbers of unbanked and underbanked consumers:

-What are the demographics of the unbanked and underbanked?
-What are the factors that lead to distrust and/or underuse of banks?
-Which segment(s) has the greatest growth rate?
-What are methods to market to the unbanked and underbanked?


US ATMs: Rebuilding the Foundation - Aite Report

A New Report From Aite Group
US Bank ATMs: Rebuilding the Foundation

In order to improve the overall ATM customer experience, banks must first make sure their underlying ATM technology is up-to-date.

Boston, MA, May 28, 2009 – A new report from Aite Group, LLC examines how the ATM channel is expected to evolve through 2010. Based on interviews with bank ATM channel executives at 23 of the top 80 U.S. banks by number of checking accounts, the report prescribes recommendations for banks and vendors participating in the U.S. ATM market.

As banks embrace the potential to add additional features and functionalities to ATMs, they realize that they must first update their underlying technology. In five years, 91% of ATM executives indicate it will be important or extremely important to their bank's strategy to create a differentiated ATM experience through customer personalization. If the foundation is not yet built, banks will not be able to provide the level of personalization their peers are currently starting to implement.

"Many banks are currently using outdated ATM technology, and see themselves as lagging behind the competition when it comes to service at the ATM channel," says Kate Monahan, analyst with Aite Group and author of this report. "Until updates are made, service will continue to suffer at the ATM channel and areas of opportunity for personalization at the ATM, such as marketing to customers on a one-to-one basis, will not be possible."

This 39-page Impact Report contains 31 figures. Clients of Aite Group's Retail Banking service can download the report by clicking on the icon to the right.

Western Union Option to Receive Funds via Online Banking

Press Release Source: Western Union
Western Union Offers Customer Option to Receive Funds via Online Banking at

Service Launched with New Agent, Turkey’s Garanti Bank

ENGLEWOOD, Colo. & ISTANBUL--(BUSINESS WIRE)--The Western Union Company (NYSE: WU - News), a worldwide leader in money transfer services, announced today the launch of a service that allows online banking customers in Turkey to receive money transfers directly into their bank accounts. The service is offered through a new Agent, Garanti Bank, Turkey’s second largest private bank. Online banking customers can also send money from the website at any time to more than 334,000 Western Union® Agent locations in over 200 countries and territories.

The model may be applied further in Turkey and in other markets around the world.

“Western Union continues to drive industry innovation to meet a growing demand for convenient, reliable online services,” said Hikmet Ersek, Executive Vice President and Managing Director for Europe, Middle East, Africa, Asia Pacific. “This is the first time a Western Union customer in Turkey will be able to choose between the traditional method of receiving cash at an Agent location and having funds sent directly into his bank account, without having to go to a physical location or talking to a call center.”

Ali Fuat Erbil, Executive Vice President of Garanti Bank, said: “Garanti Bank is known for its dynamic business approach and commitment to technological innovation. We have achieved many firsts in Turkey and are delighted to be part of using the Internet to bring a new level of convenience and efficiency to our customers.”

The service is aimed at busy people who do not have time to visit an Agent location and is available 24 hours a day, seven days a week. Customers can send and receive funds using their online Garanti Bank accounts by following a few simple steps. The Western Union Money Transfer® service is available at more than 4,000 Agent locations in Turkey through Ziraat Bank, Turkish Post, Finansbank, ING Bank, Denizbank, Fortis, Türkiye Finans and TBank.

About Western Union

The Western Union Company (NYSE: WU - News) is a leader in global money transfer services. Together with its Orlandi Valuta and Vigo branded money transfer services, Western Union provides consumers with fast, reliable and convenient ways to send and receive money around the world, as well as send payments and purchase money orders. It operates through a network of more than 379,000 Agent locations in over 200 countries and territories. Famous for its pioneering telegraph services, the original Western Union dates back to 1851. For more information, visit

About Garanti Bank

Established in 1946, Garanti Bank is Turkey's second largest private bank with assets reaching in excess of $63 billion as a result of its customer centric approach and innovative culture. As a universal bank with leading presence in all business lines, Garanti serves to over 8 million customers in corporate, commercial, SME, and consumer segments offering fully integrated financial services through its 9 financial subsidiaries that include payment systems, pension, leasing, factoring, brokerage and asset management. Committed to its customers, Garanti with over 16,000 employees operates an expanding distribution network comprising more than 730 branches including five foreign branches and four international representative offices, more than 2,600 ATMs, an award-winning call center and an Internet and mobile bank utilizing its state-of-the-art technology. Garanti supports its extensive branch network with centralized operations, exceptional data warehousing and management reporting systems, and the efficient use of alternative delivery channels. Garanti’s wide product variety combined with custom-tailored solutions is a key competitive advantage in its success as Turkey's largest lender providing more than $44 billion in cash and non-cash loans. For more information, please visit


LifeLock Fraud Service Ruled "Illegal"

Judge Rules LifeLock’s Fraud Alert Service Illegal

In a decision that has privacy advocates and others scratching their heads, a federal judge has ruled that LifeLock has been breaking California law for years by placing fraud alerts on its customers’ credit profiles.

The decision is a blow to the burgeoning identity-theft protection industry, and means that companies that experience data breaches may no longer be able to offer victims free subscriptions to such services — a standard damage-control tactic in recent years. Consumers can still place fraud alerts by contacting one of the three U.S. credit reporting agencies directly.

Bo Holland, founder and CEO of Debix, a competitor of LifeLock, called the ruling “dramatic and unexpected.”

“It causes a real shift in the industry,” he told Threat Level.

The pre-trial partial summary judgment comes in a lawsuit filed last year against LifeLock by Experian, one of the nation’s three credit reporting bureaus. Experian claimed LifeLock is trying to “game the system” of fraud alerts to make a profit.

LifeLock, a controversial company that gained notoriety for publishing its CEO’s Social Security number in advertisements, charges $120 a year to consumers to place fraud alerts on their credit profiles, among other services. The company also offers a $1 million guarantee to reimburse the expenses of any customer who suffers losses from identity theft while subscribed to LifeLock.

Continue Reading at WIRED


Stolen Credit Card Data Published in Blog

Stolen credit card data published in blog | The Australian
Blair Speedy | May 29, 2009
Article from: The Australian

VICTORIAN police are investigating a massive identity fraud involving the personal details of thousands of Australians that have been available on an internet blog site for more than a month.

The data, discovered by The Australian, includes thousands of Visa, Mastercard and American Express numbers, including expiry dates, together with home addresses, phone numbers and email addresses.

The list was posted on a free blogging site, where it was copied by search engine Google as part of its routine cataloguing of internet sites on April 21.

Victoria Police Sergeant Dave Spencer said the list appeared to have been collected from a number of sources before being sold to criminals.

"Lists like this come up for sale on the internet, and this is basically the end product of skimming and hacking of ATMs and other point-of-sale systems," Sergeant Spencer said.


80% of Phishing Attacks Use Hijacked Websites

I've blogged about this subject plenty of times over the last year, and my concern is specifically targeted towards the inherent weaknesses in the username/password systems used with online banking. If a consumer is tricked/phished into providing their username/password, then the phisher is successful.

The average phishing attack results in a loss of $350 to a bank.

According to research firm Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks. (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before, to five million.)

The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved. (That's $196 to the banks and $154 to the consumers.) "The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner. (Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based.)

Guess what? The HomeATM "SafeTPIN" device would not only eliminate "phishing attacks" but it would also eliminate the threat of "cloned cards" and "cloned bank sites," AND provide "True 2FA" for online banking customers.

HomeATM provides a very simple cure to this maliciousness. Use a PCI 2.0 certified SwipePIN device and require online banking users to swipe their bank issued card and enter their bank issued PIN. The data is encrypted and is NEVER in the clear. So, in the event a consumer is tricked into swiping and entering their PIN, as opposed to typing in their log-in credentials, the phisher has nothing.

And nothing is something banks should want phishers to have.

More Than 80% Of Phishing Attacks Use Hijacked, Legitimate Websites - DarkReading

More Than 80% Of Phishing Attacks Use Hijacked, Legitimate Websites
New research from the Anti-Phishing Working Group shows how phishers are better covering their tracks -- and what to do when phishers compromise your Website

May 27, 2009 | 04:23 PM
By Kelly Jackson Higgins

It used to be that researchers could sometimes track a phishing exploit by the notorious cybercrime ring behind it, like the Rock Phish gang, but no more: New research from the Anti-Phishing Working Group (APWG) has found that most phishers are setting up shop on legitimate Websites to be inconspicuous when they steal valuable information from victims.

In the second half of 2008, roughly 57,000 phishing attacks worldwide targeted a specific brand or organization, up from around 47,300 in the first half of 2008, according to a newly released report (PDF) from the APWG. The attacks were waged on 30,454 different domain names, only 5,591 of which were domains the phishers set up themselves. The rest were from legitimate Websites they had hijacked to carry out their exploits.

The average amount of time a phishing site was up: 52 hours, according to the report.

Continue Reading at Dark Reading