The PIN Payments Blog has focused on eCommerce and security since it's inaugural post in March of 2008.
As I have come to learn, some believe I do it to bash the industry for supporting products which encourage consumers to enter (type) their card number, or their username and password into boxes on the web, or click their mouse...but that's not why I do it.
I do it because I understand that the information superhighway known as the web, is exactly that. An information superhighway. It's also known as the web, and what a wicked web it is...hackers, keyloggers, screen scrapers, data stealing malware, zombies, etc.
Think of hackers as Big Nasty Spiders and your financial data as a big meaty fly. Get the picture? If not, there's one on above on the left.
When websites ask you to enter (type) your credit card or debit card numbers into a box, I know that it's Pandorian in nature and I want to prevent you from boxing yourself in. Consumers cannot "realistically" expect that their card numbers are going to be safe. Sure it may "seem" convenient, but things aren't always as they seem, are they? On the flip side, sometimes they are...and it sure "seems" that as time goes by, hackers get more advanced thus create more advanced programs designed to steal your financial information. Who knows what they'll come up with tomorrow?
This much I do know. When I started this blog, it was safer to type your cardholder data into the web than it is today. And it's safer today than it will be tomorrow. Therefore, the day after tomorrow seems to be the day when everyone will understand that "what we are trying to do here on the blog" is come from help...not anger industry insiders, nor do we want to be perceived as viciously criticizing so-called competitors.
What we try to do here is best represent the truth on this blog...and the truth is, IT IS NOT SAFE TO TYPE YOUR CREDIT CARD NUMBERS INTO A BROWSER.
Speaking of competitors (and truth) HomeATM created a software-based PIN platform years ago, and contrary to a YouTube video floating around out there on the web, it was not a so-called competitor, but HomeATM, who conducted the "first" software-based PIN debit transaction on the web. We did it in 2005, (documentation available upon request) in front of a bunch of Intel "higher ups" who in addition to asking if we were crazy, (like PC's they know the risks inside and out) practically laughed us out of the room.. .That experience instigated our engineering department to re-evaluate how PIN transactions should be conducted on the web, and there is only one way. "Outside the Browser Space." (OBS)
So, we scrapped the software PIN debit thingy and went to work on creating a secure terminal with a built-in PIN Pad...and lo and behold, HomeATM conducted the "first" end-to-end-encrypted PIN Debit application using the Internet. (using a "secure" 3DES, protected by DUKPT hardware device, just like they do it in the stores!)
Now, there were two more tasks at hand. The first one was achieved last March 17th, ironically while HomeATM Chairman and CEO, Ken Mages and I were listening to PCI General Manager, Bob Russo speak. named HomeATM was certified as the first manufacturer in the world with a PIN Entry Device specifically designed for eCommerce usage as PCI 2.x Certified and listed us on their website.
Final task. Get our manufacturing costs down to a price point where distribution to the masses is feasible.
The mountain: Credit/Debit Card Terminals cost $500.00+ and PIN Pads cost $150.00+ (and encrypting the PIN Pad costs an additional $25.00+)
The result: HomeATM becomes the first company in the world to manufacture and offer a credit/debit card terminal with integrated PIN Pad for less than $25.00! (including PIN Pad encryption!)
The end result? "HomeATM Knows PIN." That said, I suspect, (k)no(w), make that know, that yesterday's doubting Thomas' will become tomorrows believers/customers...especially as new reports, like the one released by Trend Micro (below) state what we have stated from day one. It's a dangerous and scary world (wide web) out there!
If that's not scary enough, here's more...did you know that a signature debit transaction is at least 10 times LESS secure than a PIN Debit transaction? That's in the brick and mortar world. So how many times LESS secure is a "card not present" (no signature) debit transaction vs. a PIN Debit transaction? Yet signature debit is being pushed by issuers "over" PIN debit. Why? All in unison! Because they make more money! Yup, the less secure the transaction, the more money they make. At whose expense? Two guesses. If you said consumers and/or merchants your right.
In it's first Focus Report, Trend Micro examines the growth of data-stealing malware, the most dangerous of web threats today. Growth of this threat is unprecedented and you are in exponentially MORE danger today, than when the PIN Payments Blog first started emphasizing the inherent dangers of conducting eCommerce on the web.
According to Anti-Phishing Working Group (APWG) statistics, the number of sites infecting PCs with password-stealing crimeware reached an all time high of 31,173 in December 2008—an 827 percent increase from January
While the term "data-stealing malware" is a relatively new one, itssole purpose for existence is a familiar story: To steal proprietaryinformation such as online banking credentials, credit card numbers,social security numbers, passwords, and more from compromised networksand PCs in order to fuel an underground cyber crime economy driven byprofit-seeking criminal networks that cross geopolitical boundaries.
Trojans are the fastest growing category of data-stealing malware,according to data from TrendLabs, Trend Micro's global network ofresearch, service, and support centers committed to constant threatsurveillance and attack prevention. Trojan attacks pose a seriousthreat to computer security. True to their name, they typically arrivedisguised as something benign such as a screen saver, game, or joke.Based on TrendLabs research:
- In2007, 52 percent of data-stealing malware were Trojans; in 2008, thatnumber increased to 87 percent; as of Q1 2009, 93 percent ofdata-stealing malware were Trojans.
- Trojans and Trojan spywareare the predominant type of data-stealing malware in all regionsmonitored by TrendLabs, including Australia, Asia, Africa, SouthAmerica, North America and Europe.