Thursday, December 31, 2009

FBI Warns: Use a Separate Machine for Online Banking
Wow, what a great headline!  Talk about getting that last punch in before the bell sounds.  I didn't expect to hear this news until 2010.  But we got it in while 2009 is still around.  Cool. 



The fact that the FBI and the American Bankers Association effectively admitted the need for a separate/dedicated piece of hardware for online banking is wonderful news! 



Believe me when I tell you that this is the most significant news of the year for a company the likes of HomeATM...of which there is none.



Why?  Because it just so happens that our PCI 2.x Certified PIN Entry Device IS a "separate machine" dedicated to protecting online banking credentials.  Therefore, HomeATM can save everyone the cost of purchasing a dedicated PC for online banking.



For that matter, it also is a separate machine dedicated to encrypting and thus securing ALL  financial transactions conducted over the web, not just online banking sessions. 



So...while I call the announcement "cool," USA Today is calling it an "extraordinary warning."  What exactly is that warning?  It's a version of the same one that the folks at HomeATM have been preaching over the last 18 months.  Unfortunately the FBI and ABA are NOT YET warning people that ALL financial transactions MUST be conducted outside the browser space.  Either they are not privy to the realities, or they are taking the easy way out and saying, go buy another PC or Apple to use "exclusively" for online banking.  I disagree.  If people are still using the browser to bank online, then we've got a problem.  It WILL NOT solve the problem.  I've got a perfect acronym for it:  SNAFU.



THE PROBLEM IS SIMPLE....SO IS THE SOLUTION. 
Problem: Web Browsers Cannot be Trusted.  Period.  End of Story.  (Well, not really, 'cause I'm still typing.)  Thus, it only makes complete 100% logical sense that financial transactions must be conducted outside the browser space.
SOLUTION:  Use a Separate machine which PREVENTS any financial information from EVER entering the browser "space" by encrypting the cardholder data inside the box, outside the browser space.  So, while I disagree that a new PC will solve the problem, do I agree on the need for a "separate" machine?  Hell Yeah!



I not only agree but I've been repeating that advice "week in and weak authentication out" for over a year. 



So, no, it doesn't seem "extraordinary" to me that the FBI and American Bankers Association have jointly issued this warning.  What IS extraordinary, is that retailers lost $191 BILLION to fraud, online banking is dying a slow death, consumers are losing trust in eCommerce and we are STILL Being Told to TYPE card numbers and username/ passwords into boxes located in browsers. 



So, it looks like 2010 is the year of separate machines for online banking.





Maybe the payments industry will realize that they need a separate "dedicated" POS machine designed for all consumer use for all eCommerce activity.  Maybe I can help some people in the payments industry see "the light." 



For starters...instead of ponying up $800-$1200 for a dedicated separate PC which does NOT encrypt ANYTHING, how does $25 sound?  Sounds great, but what exactly does $25 get you?  How about ...

  • A dedicated separate machine for online banking.  One which uses existing bank rails, existing bank cards and existing bank issued PINs to authenticate the user.  (Replicating the same trusted process utilized by Banks to dispense cash from ATMs, without the threat of skimming devices or hidden cameras.)  But that's not all this PCI Certified Device does.  $800 to $1200 won't buy you that.

  • $25 will afford you military grade 3DES DUKPT End to End Encryption (inside the dedicated machine) at the maghead, meaning that NONE of your cardholder data EVER enters the browser space.


  • That same $25 will provide consumers with a device that enables real-time instant money transfer from any bankcard to any bankcard, any bank to any bank.


  • Oh, and that same $25 will save you $775-$1175 off the cost of a dedicated PC, a PC which, by the way, cannot do any of the aforementioned.  (Ever see a PCI certified PC?)


  • Last, but not least, $25 will provide "consumers" with the same technology that retailers have paid thousands of dollars for, mainly, a Point of Sale Device with a Built-In PIN Pad.   


Just to be clear, so there is NO confusion out there, HomeATM manufactures the ONLY POS device "in the world," designed for eCommerce, with a built-in PCI 2.x Certified PIN Pad providing the consumer with: 



  • Genuine Two Factor Authentication which 100% eliminates the threat posed by phishing.

  • True End to End Encryption, (not a buzzword, we 3DES/DUKPT encrypt the PIN from Zone 1 all the way through Zone 5 which is V/MC themselves)


  • Authentic/Conventional PIN Debit capability capturing both the PVV and PVKI from the magstripe


  • 100% Replication of Card Present Transactions conducted at Brick and Mortar locations (otherwise we wouldn't have been PCI Certified, would we?), which has the potential to eliminate "Card Not Present" Fraud.  (etc. etc. etc.)


I will close out this year wondering when people in the financial industry are going to pull their head out of their @$$ and admit that we need to do the same thing for the web as we do in the brick and mortar world, which is swipe the card and enter the PIN.  Maybe it will happen in 2010.  It's good to see we reached an important milestone (the FBI/American Bankers Association joint warning admitting that a separate hardware device is needed) BEFORE 2009 ended...albeit we just got it in before the bell.



HomeATM overcame a tremendously huge hurdle.  They were able to design and manufacture a POS device with a built-in PIN Pad that doesn't cost thousands, even hundreds of dollars.  We've got the cost down to the point whereby banks could literally give them away to consumers AND make a return on their investment.  You see, each device earns revenue for the issuing banks.  So every time a consumer swipes their card and/or enters their PIN they make residual income.   Every time a consumer instantly transfers money with our unique "real-time" P2P program, they earn residual income.  Every time a consumer logs in using our device, they save money off losses attributed to phishing. 



So what's the problem?  If you are in the payments industry, you've probably already figured it out.    If you are not in the payments industry, I've got a little secret to share with you.  The problem lies within the picture below.
Cutting processing costs in half might sound like a wonderful solution to the average person, but not in this industry.  It is the problem.  Why you say?  Simple...



The money (savings) would come out of the pockets of banks, the EFT Networks and V/MC, which I call the Cardtels.  So, they feel it is in their best interest to prevent that from happening.  It doesn't matter that PIN Debit is the most popular AND SECURE payment option available.  They (the Cardtels) tried (and managed) to keep PIN debit out of retail locations for years, until Constantine and Cannon represented Wal*Mart and other retailers in an anti-trust lawsuit that wound up costing V/MC $3 plus billion dollars.  That really didn't matter.  They probably earned $4 plus billion during the eight years it took to get to the Supreme Court house steps, the location of which compelled them to settle "out of court."



  • You see, it doesn't matter that fraud continues to rise at record levels. 

  • It doesn't matter that "Card Not Present transactions" are responsible for more than 50% of all fraud even though it only constitutes about 10% of all transactions.

  • It doesn't matter that people's card numbers are being stolen left and right.

  • It doesn't matter that retailers lost $191 BILLION dollars to fraud in 2008.



What DOES matter is that the Cardtels keep their profit.  So even though our device would mean the end of the threats posed by phishing, keystroke logging etc. (both of which are responsible for a huge percentage of identity theft cases), and even though it would significantly reduce the costs of fraud for business cardholders and Internet Retailers, the problem is that a more secure transaction comes with a price tag.  A lower one.



So...instead of the conventional means of making purchases online, which, again, is: Swipe your Card, Enter Your PIN, we have seen hundreds of "alternative payment schemes" flood the market.  The kicker is that, ironically, those very same alternative payment schemes have claimed about 30% of the revenue that used to be earned by the Cardtels.



Our job, in 2010 is to get the Cardtels to see that the device "they certified" can be positioned to take back some of the 30% of revenue lost to alternative payment schemes...schemes, which by the way, ADD to the cost of fraud. 





Suffice it to say that 2010 will be a very interesting year....I look forward to it.  Until then, Happy New Year and thanks to all of you who have visited, followed and told others about the PIN Payments News Blog.  We've had 10 times the hits in 2009 that we did in 2008...so again, thank you.



Oh...I almost forgot about the article I was referring to when I started typing...er...taking a swipe at the Cardtels.  Here's a snippet from the story published by USA Today.  Wired has one too.  Here's the Link: Feds Warn Small Businesses to Use Dedicated PC for Online Banking

FBI Issues Extraordinary Online Banking Warning



A rising swarm of cyber-robberies targeting small firms, local governments, school districts, churches and non-profits has prompted an extraordinary warning.



The American Bankers Association and the FBI are advising small and midsize businesses that conduct financial transactions over the Internet to dedicate a separate PC used exclusively for online banking.



The reason: Cybergangs have inundated the Internet with "banking Trojans" — malicious programs that enable them to surreptitiously access and manipulate online accounts. A dedicated PC that's never used for e-mail or Web browsing is much less likely to encounter a banking Trojan.



And the bad guys are stepping up ways to get them onto PCs at small organizations. They then use the Trojans to manipulate two distinctive, decades-old banking technologies: Automated Clearing House (ACH) transfers and wire transfers.



ACH and wire transfers remain at the financial nerve center of most businesses. ACH transfers typically take two days to complete and are widely used to deposit salaries, pay suppliers and receive payments from customers. Wire transfers usually come into play to move larger sums in near-real time.



"Criminals go where the money is," says Avivah Litan, banking security analyst at Gartner, a technology consulting firm. "The reason they're going here is the controls are antiquated, and a smart program can often get the money out."



Internet-enabled ACH and wire transfer fraud have become so acute that the FBI, which is usually reticent to discuss bank losses or even acknowledge ongoing cases, has gone public about the scale of the attacks to bring attention to the problem. The FBI, the Federal Deposit Insurance Corp. and the Federal Reserve have all issued warnings in the past two months.



The FBI says it has investigated more than 200 cases, mostly in 2008 and 2009, in which cyber-robbers executed fraudulent transfers totaling about $100 million — and successfully made off with $40 million.



The victims are mostly small to midsize organizations using online bank accounts supplied by local community banks and credit unions, FBI analysis shows. "The bad guys are still out there breaking into customers' computers," says Steven Chabinsky, deputy assistant director of the FBI's Cyber Division.



Banking and tech security experts say many more cases of ACH and wire transfer fraud are going unreported mainly because the attacks are new and there are no laws setting forth the rights of online business account holders, the way consumer-rights laws protect accounts held by individuals. The result: Many cases end in civil disputes in which small businesses often lose.



"Our nation's legislators are not doing their job in affording the same protections for business account holders that they do for consumer account holders," says Litan.