Friday, January 2, 2009

Graphic: Soft vs. Hardware

400+ Breaches: Software Responsible for: 92% Hardware: only 1%
According to a Trustwave review of 400+ breaches,
  • 67% were from POS Software,
  • 25% from an Online Shopping Cart, (also software)
  • 7% from Back-end Systems while...
  • only 1% from a Hardware Terminal.
    (and those were tampered with, which won't happen with our personal card swiping device)

Reblog this post [with Zemanta]

Browsers & E-Commerce Don't Mix

As the name implies, "Browsers" are for "browsing" when you're done, and it comes time to make that online purchase, it should be done "outside the browser."

There are reports of a serious vulnerability with all browsers which makes e-commerce unsafe. This is a sobering moment in e-commerce history... but it's nothing that we at HomeATM didn't see coming...(see the post: It' Safe to Say It's Not Safe..)

Browsers are e Commerce handicapped.

HomeATM has long taken the position that a software only approach to providing PIN based transactions to the web is ripe with insecurity. There are too many holes within the browser space to guarantee a secure transaction. Typing your credit or debit card information in a browser is simply put, "not a wise thing to do" as there's "no such thing" as a "secure site" as the story at the end of this post demonstrates.

So, now there's further proof HATM is right. There's no such thing as a secure website...thus there's no such thing as a secure e-commerce transaction. If you've any doubts simply google: web browser flaw (I've provided a link to make it easy) and you get 17,000+ hits..."Pardon my sarcasm, but "Enter your PAN" (personal account number) into the browser space, and you'll get hits from hackers.This time around, it may have taken 200 Playstation 3 consoles but what about this year...or the year after that?

E-Commerce is NOT safe in a browser space.

This is why the engineers at HomeATM decided to take the "hard"ware approach and manufacture, then distribute a "personal point of sale device.

Sure, by all accounts, it would have been much easier to roll out an Internet PIN debit platform with a software only approach. But that would be taking the "easy way" out. "Soft"ware is, by it's own descriptive, "soft." When you take a software only approach..., and this is a big caveat, we believe it 's only a matter of time before a major breach occurs. It's not so much the software, as it is the consumers PC.

Therefore, in the interest of protecting the consumer AND the merchant, we know that we had no choice but to do it the "hard" way and create a small, easy to use, secure point of sale device . It's the way it's been done since the beginning of electronic payments and...

According to a Trustwave review of 400+ breaches, 67% were from POS Software, 25% from an Online Shopping Cart, 7% from Back-end Systems and only 1% from a Hardware Terminal. (click here to see the graph)

By utilizing (pictured on left) our personal swiping device, (which plugs into a PC's USB port in seconds), the transaction is safely done "outside the browser space" utilizing existing secure bank rails, which have yet to be compromised in 40 plus years. The connection bypasses the user's PC, which could be infected with viruses and other malware that make sending financial information over the Internet unsafe. Here's the latest about browser insecurity...
There's a "proof of concept" that a "key piece of of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability."

At this point, an "I told you so" doesn't do anybody any good, so we'll continue to focus on what we do best...providing a secure environment for PIN based transactions. But rest assured, if a software only approach to PIN debit is released, when it's breached, expect a resounding "I told you so" from the folks at HATM.

With that said, it's relatively baffling to us that an EFT switch Firserv's Accel/ to read story (PDF) is willing to "toss the dice" and pilot a browser enabled approach to securing PIN based e-transactions.

Mr. Kelly, currently the GM of Accel/Exchange and pictured on the right, is adamant in his belief that it's safe. We respectfully disagree, and time will tell, we just hope it's won't be at the expense of an entire sector (PIN Debit for the web) being tarnished because of a massive breach. They point out that it would cost millions to distribute a personal POS device like the one produced by HomeATM, but we've got the costs down to the point where, in quantities above 100,000 we could provide them for free, if the consumer/etailer covered the $4.95 cost of shipping and handling. What would cost millions, maybe even billions, would be a breach resulting in the exposure of consumers PAN and PIN.

Of course, we're not alone with our analysis...ask Gartner's distinguished analyst, Avivah Litan how much she would trust a software only approach to bringing PIN based transactions to the web.

You've most likely heard the term "Caveat Emptor"? HomeATM wishes to protect both the buyer and the e-tailer with our approach. At the same time, we also wish to avoid providing fraudsters with the means to carry out "Account Emptor" which is exactly what would happen once they got a hold of your PAN and your PIN.

Anyway, moving on to the story behind all this. A group of researchers have demonstrated a "proof of concept" of an exploit that bypasses Secure Sockets Layer (SSL) security safeguards. Another words, "every web browser (Explorer, Firefox etc.) that implements SSL can be spoofed into displaying the padlock". Translation: Invert the p in "https" and you'll get the picture..."httbs".

This is certainly not good news, but as I've mentioned a couple of times already, for the engineers at HomeATM, it's old news. So, don't be surprised by any more "surprise announcements" about how insecure e-commerce is. As I've vehemently stated, many times over in this blog, the web was originally designed to be an information highway and "Highway robbery "is not a new concept.

Once again, and I want to state this for the record...unequivocally...

In order to secure a PIN based transaction, it needs to be done "outside" the browser space. Period. End of story.

Which brings me to the beginning of the story that instigated this post, (from CNET, written by Jonathon Stray).

Web browser flaw could put e-commerce security at risk | Security - CNET News
BERLIN--A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers announced on Tuesday.

They demonstrated how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss.

The problem is unlikely to affect most Internet users in the near future because taking advantage of the vulnerability requires discovering some techniques that are not expected to be made public (Editor's Note: too late, cat's outta the that they know it can be done, it'll be done again) as well as overcoming engineering hurdles: performing the initial digital forgery consumed approximately two weeks of computing time

(Editor's Note: yeah, the "initial" digital forgery took that long, but now that they know how to do it how long would it take? Besides, the potential monetary reward for two weeks work is huge ) on a cluster of 200 PlayStation 3 consoles.

In addition, a criminal needs to find a way to reroute traffic from a legitimate Web site to his own, perhaps through techniques that have become well-known in the last few years. (Editor's Note: What? It's unlikely to happen unless hackers use "well-known techniques?" They're kidding right? That's what the kid with the paper is selling, but I'm not buyin' it.)

Yet if one group can do it today, others eventually will. (Editor's Note: at least that line is clearly stated) "We have a proof-of-concept that allows us to impersonate any supposedly secure Web site on the Internet," said David Molnar, a doctoral student in computer science at the University of California at Berkeley.

Molnar and six other researchers presented their findings during an afternoon session of the Chaos Computer Club's annual conference here on Tuesday. Other team members include Jacob Appelbaum and Alexander Sotirov.

Their work has focused on finding vulnerabilities in a technology known as Secure Sockets Layer, or SSL, which was designed to provide Internet users with two guarantees: first, that the Web site they're connecting to isn't being spoofed, and second, that the connection is encrypted and is proof against eavesdropping. SSL is used whenever a user navigates to an address beginning with "https://". SSL certificates essentially stand for the claim that, for instance, actually belongs to E-Trade Inc., and is not being operated by a thief hoping to steal account passwords.

Most browsers indicate that SSL is active by displaying a small padlock icon. (see pic on right) An attack using a forged authentication certificate--which is what the researchers say they have done--is insidious because the browser can't detect it and the padlock icon would still appear.

Unlike most security issues, this problem cannot be fixed with a simple software update. "The bug is not in anyone's software," Sotirov said. "It's not the browser that's at fault. The browser does exactly what it's supposed to do... The problem is that what it's supposed to do is wrong."

The attack exploits a mathematical vulnerability in the MD5 algorithm, one of the standard cryptographic functions used to check that SSL certificates (and thus the corresponding Web sites) are valid. This function has been publicly known to be weak since 2004, but until now no one had figured out how to turn this theoretical weakness into a practical attack.

An SSL certificate is a small file that ties a real-world corporate identity to a Web site address and a corresponding public encryption key. This is presented to a private certificate authority firm, which is supposed to verify the link between identity and domain name and then cryptographically "sign" the certificate to vouch for it.

The problem arises when someone else is able to forge the same signature... continue reading at CNET News

Reblog this post [with Zemanta]

Global Payments Wins Processing Award

Global Payments wins top internet card processing award - Taiwan News Online
Global Payments Asia-Pacific Limited ("Global Payments") was recently named by MasterCard Worldwide as its Top Processing Partner for the Global WebPay(TM) product that leverages the MasterCard Internet Gateway Service (MiGS) for online card processing. Global Payments was chosen from more than 69 bankcard acquirers that use MasterCard's Internet gateway today across Asia Pacific, the Middle East and Africa.

Global Payments' win is attributed to Global WebPay's unique solution that provides online merchants with the capability to process multi-country, multi-sales channel and mult-currency card transactions. The Global WebPay product offers merchants a Web-based user interface to integrate their online stores, call centers and IVR sales through a single connection. This single interface requires minimal integration which significantly reduces operating costs and allows merchants to seamlessly integrate all their card-not-present transactions across multiple jurisdictions in Asia.

Global WebPay is currently available in 9 Asian markets: Hong Kong, Brunei, India, Malaysia, the Maldives, the Philippines, Singapore, Sri Lanka and Taiwan. This product offers online merchants more than 50 transaction currencies and ten payment currencies, thereby allowing merchants to receive funding in local Asian currencies and minimize forex related costs.
Reblog this post [with Zemanta]

Disqus for ePayment News