Tuesday, September 8, 2009

Smart Card Alliance Executive Director Unhappy with Online Banking Security

In today's Smart Card Newsletter, issued by the Smart Card Alliance,  Randy Vanderhoof, Executive Director of the Smart Card Alliance, had the following to say about online banking fraud:  





Payment fraud resulting from massive data breaches was in the news again this month and one specific type of payment fraud–online banking fraud–got a little too close to home for me personally...



The Smart Card Alliance fell victim to such fraud this month. Our online banking account was breached by someone who created a valid account relationship with the Alliance’s business checking account and began making large, unauthorized ACH withdrawals from our account.



What was most shocking was how inept the bank’s (I won’t mention any names, but it is one of the BIG ones) internal business processes were in responding to the fraud, locking down the account, and putting on additional controls after the fraud was reported. What I was told was that I could set up manual controls to limit ACH deposits and withdrawals to only authorized accounts, but that I needed to upgrade our account to a “stronger” type of account.  It took 10 business days just to have an ACH blocking feature turned on!


I was also told that the bank can provide me with a smart card–not to securely log in and authenticate myself to my account in place of my current user name and password, but rather to have the chip generate a dynamic one-time password (OTP) each time I authorize a transaction.



For authentication, I would still have to type the password into my desktop computer, which just might be infected with a key logger connected to Twitter-like instant messaging that can capture my account information "and the OTP" as I type and log in as me without me even knowing it. (Such a “man-in-the-middle” attack was recently revealed in this NY Times article).


I am on a mission now: to find out how our bank account got hacked, why all online personal and business checking accounts are vulnerable–at least in this bank–and why no one is doing anything about it.


An Open Letter to Mr. Vanderhoof:

Randy,

HomeATM agrees that typing your password into your desktop computer is a futile way to prevent hackers from obtaining your sensitive data, and HomeATM IS trying to do something about it. We are in the midst of speaking with several national banks in order to demonstrate that consumers need to authenticate themselves the same way they do at an ATM machine. I am aware that, as Executive Director of the Smart Card Alliance, you would probably be more interested in our EMV version (which we have, should you know anyone in Europe who might be interested), but until EMV is prevalent in the United States, we are offering banks the opportunity to offer their customers our PCI 2.x Certified PIN Entry Device, the only one of its kind: one that would provide users with the security and protection of a two-factor (what you have/card and what you know/PIN) 3DES DUKPT TRUE "End to End Encrypted" Log-In. (Most are End-to-Almost-End Encrypted.) HomeATM provides true Zone 1 through Zone 5 encryption for the PIN. (The track 2 data is encrypted through Zones 1-4.)



Our device would also provide consumers with the means to conduct "card present" transactions in a "card not present" fraud-infested world (wide web), and enable the bank to offer a real-time (not ACH) P2P Money Transfer option as well as "real time" online bill payments.



Maybe the Citizen's Bank lawsuit, which I blogged about earlier today, will open their eyes to the risk they are not only exposing their customers to, but the risks they are exposing themselves to as well! Feel free to drop me a line anytime if you'd like to discuss further!


John B. Frank