Tuesday, January 6, 2009

Anti-Skimming Recommendations from SEPA

I've covered card skimming on this blog extensively in 2008.  There's a big problem in Europe, where they have instituted EMV, with having the magstripe skimmed there, then transferred onto cloned cards, and used in the United States, where EMV is nowhere to be found.  SEPA (Single Euro Payments Area) has now released recommendations to fight skimming in Europe. 

Here's page one of a three-page PDF.


[Image: SEPA Countries - Image via Wikipedia]

The growth of skimming fraud is a major driver for the rollout of EMV across the SEPA. This should be completed by 2010 and it has already resulted in dramatic reductions in the use of fraudulently duplicated cards in the countries where it has been introduced. However, it has also resulted in fraudulent transactions migrating to countries where EMV has not yet been implemented or is not planned, often outside the SEPA area. As many such countries have no plans to introduce EMV, cards will continue to have both mag-stripe and chip and therefore there will remain a significant risk of a fraudster skimming a magstripe in an EMV country and using the duplicate card in a non-EMV country or environment.


Card skimming involves the capture of a card’s mag-stripe information (which may be debit, credit or ATM only), and matching it with the card’s PIN number in order to produce a duplicate card. This may occur at ATMs, Point of Sale (POS), or indeed any other location where a customer uses their card and PIN.

The mag-stripe information is captured by fitting an additional card-reader over the ATM’s card slot and the PIN is usually obtained by the use of micro cameras, although “shoulder surfing” may also be used. This information is then stored on a chip within the skimming device or, more usually, transmitted immediately to a lap-top PC nearby. Devices are usually attached to ATMs for short periods, e.g. 20 minutes, and the device is usually being observed. For this reason ATMs which are busy and which have ample adjacent parking are particularly attractive to fraudsters.

The duplicate card can then be used in a non-EMV ATM, or if the duplicate card passes visual inspection, Point of Sale (POS). Information on the chip is not captured which means that the card cannot be used in an EMV environment and this normally limits use to locations where EMV has not been introduced. Fraudulent data may be sold on and mixed with other sources of data and the actual card production may be months after the data was captured, although on other occasions duplicate cards have been used less than 24 hours after the attack.

With a duplicate card a bank account can be drained until there are no funds available, or in the case of a credit card, until the credit limit is reached. As ATM usage is subject to daily withdrawal limits, these transactions usually take place close to, or at the daily limit over a number of days. EAST (European ATM Security Team) reports that the number of cases of skimming remains high across Europe with over 4501 ATM incidents in 2007, resulting in losses of over €438 million.

PIN Debit Payments Blog


Twitter Outwitted

First there was Facebook, and now Twitter users have been lured into a phishing scheme causing some users to give up their Twitter username and password to a site "masquerading" as Twitter.com. (This is what easily could have happened to CheckFree users instead of them being brought to a blank page...and what will happen more and more in the not so distant future. This may be a drill, to test the waters. I predict it will happen frequently in 2009 and I predict there will be a post on the subject tomorrow morning...adorned with the same graphic that's on the laptop on the right...)

The phishing links arrived as direct messages, usually saying something like “hey! check out this funny blog about you….” If you clicked on the provided link your browser was redirected to the URL twitter.access-logins.com, which looks just like the main Twitter login page, but steals your credentials. 

With a main domain name of access-logins, this phishing scheme is not what you’d call subtle, but if you’re worried you might have been duped, the Twitter blog suggests changing your Twitter password. It appears that all the scammers did with the captured login info is send more direct messages, furthering the scam. If you’ve been suckered, Twitter will reset your password for you.

While Twitter did a good job of containing the problem, the suggestion that you not give out your “secret info” is a bit ironic since that’s the only way you can access Twitter through third-party sites and apps.

News of the attack led many a savvy Twitter user to gripe about the service’s lack of OAuth support, but, while OAuth would allow third party sites to access your Twitter account without giving up your password, it wouldn’t completely stop phishing attacks.

But OAuth would have one huge benefit that could lessen phishing attacks on Twitter: it would get users out of the habit of giving their Twitter username/password to any cool new site that pops up without thinking about the potential side effects — like the fact that you just gave an unknown party complete access to your account...

Read more at wired.com


The Glitch That Stole Christmas?


Some 64 Percent Shopped Online Without Incident -- While 37 Percent of Those Online Didn’t Shop the Web at All

Source: Guidance/Synovate Survey

MARINA DEL REY, Calif. - In what may have been the most closely-watched holiday shopping season in the short history of the online medium, some 36 percent of online shoppers ran into roadblocks en route to buying that gift – ranging from molasses-like website response to fruitless efforts to check out, to outright system crashes.

That’s the principal finding of a new nationwide survey from Guidance, conducted through December 23. In association with Chicago market researcher Synovate, Guidance asked 1,000 online consumers, “When you think of online shopping this holiday season, which of the following have you had issues with?”

The findings come amid a dramatically weakened economy, declining brick-and-mortar retail sales, a shortened holiday shopping season – due to a late Thanksgiving – and uncertainty about whether online shoppers would pick up the slack.

The Guidance/Synovate survey revealed that 64 percent of shoppers completed their purchases incident-free. At the same time, 37 percent of those online skipped Internet shopping altogether, a small percentage of whom reported doing so because of problems in the past. Of those who reported trouble this year, 13 percent said they had to abandon a very slow website while they were trying to shop, 8 percent said a website froze or crashed altogether, 7 percent could not complete a purchase on their first attempt, 6 percent tried to access a website that was down temporarily and 4 percent said a purchase they thought they had completed actually didn’t go through.

According to the survey, online shopping hassles affect the overall degree to which people will shop online. Across nearly every demographic breakdown -- other than race -- the group least likely to say their online shopping was incident-free was also the group least likely to shop online.

Crash-Free Commerce

“While online shoppers may have escaped the ferocious winter weather, a significant number didn’t elude the issues that tend to afflict overburdened, under-engineered eCommerce sites,” said Jason Meugniot, Guidance CEO and Owner. “Ideally, every shopping cart that is not abandoned by the shopper should be converted – and every one that doesn’t sends a message to the consumer. Uptime, speed and reliability ought to be prerequisites of the online shopping experience. Still, I’m heartened by the success that many online shoppers enjoyed, especially since deep discounts, special offers and free shipping/returns made online shopping a better value than ever this season.”

Among the survey’s major findings:

  • Women were more likely to say their purchases were completed without incident (44 percent, compared with 36 percent of men).
  • Respondents at both ends of the age spectrum seemed to have more problems than their counterparts overall: just 35 percent of both the 18-24 and the 65+ age groups said their shopping was incident-free, versus 40 percent of the overall sample. Respondents 25-54 were most likely to say their online shopping was incident-free: 44.5 percent of those 25-34, 46.5 percent of those 35-44, and 40 percent of those 45-54.
  • That might explain why the youngest and oldest also were the least likely to shop online: nearly half of both groups (45 percent of those 18-24, and 48 percent of those 65+) said they didn’t shop online at all this holiday season. The group most active online were those between the ages of 35 and 44: just one-quarter of them (26 percent) did not shop online.
  • Those with higher incomes had an easier time of it: just 27.5 percent of those who earn less than $25,000 per year said they didn’t encounter problems, compared with 46 percent of those who earn more than $75,000.
  • Weather wasn’t the only thing bedeviling those in the nation’s midsection. Respondents in the Midwest were far more likely to experience problems: only 29 percent reported no problems, compared with 44 percent for those in both the Northeast and the South, and 42.5 percent of those in the West. Respondents in the Midwest were also least likely to shop online: nearly half (46 percent) said they didn’t shop online, while just 30.5 percent of those in the Northeast agreed.

Guidance has been designing, developing, hosting and managing eCommerce websites for clients since 1995.

“Keeping an eCommerce website up and running smoothly requires more than simply lining up enough servers,” said Meugniot. “Retailers need application support for the database, the eCommerce apps and the website itself – and a partner that understands how everything works together. Finding an experienced and reliable hosting and managed services provider is vital, to make sure retailers capture every transaction and keep customers coming back for more.”

The Guidance/Synovate survey has a margin of error of +/- 3 percent. For a full copy of the survey results and a graphic presentation of top-line data, email info@edgecommunicationsinc.com.

About Guidance
Since 1993, Guidance (www.guidance.com) has helped companies seize opportunities and solve problems through the innovative and practical use of technology. Guidance designs, builds and maintains eCommerce websites for retailers that are pure-play online or multi-channel – creating captivating experiences so consumers will buy more, come back often and value greater engagement with the retailer. Guidance's systems facilitate $500 million in online sales every year. Members of the Guidance team are seasoned professionals, passionately committed to providing technical leadership and powering ingenuity. Key clients include Foot Locker, GEARYS Beverly Hills, Relax the Back, Salvation Army, and many others. Guidance is based in Marina del Rey, Calif.


Encrypted Email for Donors/Client Info

The "e" in e-mail now stands for "encrypted?"

Michele Donohue writes for The NonProfitTimes about a new Nevada (and Massachusetts) state law requiring encryption of personal information email transmissions that contain donor's credit/debit card information... 

States Push To Encrypt Donor/Client Info
Michele Donohue

Fred Schultz, CEO and founder of the Foundation for Positively Kids (FPK) in Las Vegas, deals with a lot of confidential information in his program for medically-dependent children. The organization stores names, addresses, medication, family information and donor credit card information.

A good portion of that information arrived via email. That system now must be overhauled to accommodate a new Nevada law that requires personal information transmissions to be encrypted.

“We are trying to take care of sick and dying kids -- why do I have to worry about a new Nevada encryption law?” Schultz asked rhetorically.

Nevada is not alone. A data security measure became law on January 1 in Massachusetts and it is being talked about in several other states. FPK’s information technology (IT) support implemented a new program that would require recipients to have a password to access sensitive emails. “It’s the law, and whether it has teeth behind it or not, there has to be an effort made by nonprofits large and small to try to abide by what the new statute would be,” he said.

The Nevada law, which falls under Nevada’s Miscellaneous Trade Regulations and Prohibited Acts, states that personal information cannot be transferred through electronic transmission outside a secure system unless it’s encrypted.

Both Nevada and Massachusetts define personal information as: “a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: (1) Social security number, (2) Driver’s license number or identification card number, and (3) Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.”

The Nevada statute holds organizations financially accountable for security breaches, which could include civil suits from affected parties... (continue reading at NonProfitTimes)

Barclay Up the Wrong Tree?

From what I've read the jury's still out on whether NFC is secure.  WEP wasn't.  We'll see. Barclaycard is smart...they're playing both sides, everything remains the same with their IC debit cards, except for the addition of embedding an NFC chip.  If Near Field Communications is proven secure by then, Barclays will be ready by 2011.  Will NFC be?

Barclays Goes Contactless on Debit Cards

Barclays customers will soon be able to pay their way with the wave of a card as the bank is set to be the first in the UK to roll-out contactless VISA debit cards to its customers.

From March, most Barclays debit cards that are issued or reissued will have contactless technology built in as standard. More than three million customers are expected to be using contactless debit cards by the end of the year.

The cards use contactless technology to enable transactions of £10 or less to be paid for by holding the card up to a special reader, without the need to enter a PIN or insert the card into a terminal. The transaction is debited directly from the customer's current account in the same way that a standard card transaction is. The cards will still have chip and PIN which will be used for purchases and for ATM transactions. Periodically the card will prompt for the PIN to be entered to verify the customer's identity.

Mark Parsons, Managing Director of Current Accounts for Barclays, said: "Barclays has long been a pioneer in banking. We were the first to launch the debit card in 1987 and now we are the first to give our customers the latest incarnation - the contactless debit card. This gives people a new way to pay for things that is quick, secure and convenient and we are confident that it is going to be really popular with customers."

Over 8000 retailers already accept contactless payments with more installing the technology every week. Barclaycard was the first to introduce contactless technology on credit cards in the UK in September 2007 with the launch of Barclaycard OnePulse, the three in one oyster, credit and contactless card.

For more information on Barclays contactless debit cards go to barclays.co.uk/contactless. To search for outlets which accept contactless payments visit the Visa website at visapaywave.co.uk

Source: Press Release


E-Commerce Not Safe in Web Browser Followup

SSL Crisis Averted -- For Now - DarkReading
Last Friday, I posted about a "serious vulnerability" within ALL web browsers and that a "key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability."

(see my post "E-Commerce and Browsers Don't Mix")

Yesterday, Dark Reading said the SSL crisis has been "possibly" (there's no way of knowing)  averted...for now anyway.  (as a die-hard Cub fan, I cannot resist the temptation to add the famous "Wait til next year" mantra. Wait...since last week, this week IS next year...)

Anyway, here's a portion of that article.  To read it in its entirety, click the link at the bottom of this post...

SSL Crisis Averted -- For Now

VeriSign quickly fixes vulnerable SSL digital certificates at risk of newly revealed hack, but experts say there's no way to know for sure if phony certificates exist from previous attacks 

Jan 05, 2009 | 02:55 PM
By Kelly Jackson Higgins - DarkReading

It took VeriSign only four hours to close a hole that had left customers of some of its digital certificates vulnerable to a new attack revealed by researchers just before the new year. White-hat hackers exploited a known weakness in the algorithm in some digital certificates that allowed them to impersonate secure Websites.

While the attack was considered deadly due to its transparency and ability to mimic a secure Website, the good news is that it was isolated to only a minority of digital certificates that use the older and less secure MD5 algorithm. According to Netcraft, about 15 percent of all digital certificates in December were signed with MD5.  (Editor's Note:  The bad news is that 15 percent of all digital certificates were signed with MD5)

The researchers demonstrated at the 25th Chaos Communication Congress in Berlin last week how they were able to purchase a legitimate certificate from RapidSSL, which is part of VeriSign, and then forge a phony trusted certificate authority.

Story continued at Dark Reading
  (but before you go...here's an additional snippet)

End of (threat) story? Not exactly. Although researcher Alexander Sotirov admits it's unlikely the attack has been performed before, he and other researchers say there's still no way to know for sure: "Even though it's unlikely, the theory behind our attack has been published since 2007, and it is possible that somebody else has been able to implement it. In this case, any one of the certificates issued by RapidSSL since 2007 could have been malicious, but there is no way to detect which one," he says.
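The weak link in the story above is a CA still signing certificates with MD5, and the MD5 scheme shows up in a certificate's signatureAlgorithm field, so an operator can audit their own certificates for it. The following is an added example, not code from DarkReading, VeriSign or the researchers: a stdlib-only Python checker that walks the outer DER structure of a certificate, reads that field's OID and flags the MD5/MD2-based identifiers. The sample certificate bytes are a constructed skeleton built in the block, not a real certificate.

```python
"""Flag X.509 certificates whose signatureAlgorithm is MD5/MD2-based (stdlib only)."""

# Signature-algorithm OIDs built on MD5/MD2 (RFC 3279 / PKCS #1).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: N length bytes follow
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def _decode_oid(raw):
    """Encoded OID bytes -> dotted string (handles multi-byte arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Dotted OID of Certificate.signatureAlgorithm (the scheme the CA signed with)."""
    tag, start, _ = _read_tlv(der, 0)             # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _read_tlv(der, start)         # tbsCertificate: skip over it
    tag, alg_start, _ = _read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "expected AlgorithmIdentifier"
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    assert tag == 0x06, "expected OID"
    return _decode_oid(der[oid_start:oid_end])

def check_certificate(der):
    """Return the weak algorithm name if the cert is MD5/MD2-signed, else None."""
    return WEAK_SIG_OIDS.get(signature_algorithm_oid(der))

# Constructed sample: a structurally valid Certificate skeleton (not a real cert)
# with a dummy tbsCertificate and signature, so the checker runs offline.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body       # short-form length suffices here

def sample_cert(sig_oid_bytes):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                          # serial only
    alg = _tlv(0x30, _tlv(0x06, sig_oid_bytes) + b"\x05\x00")      # OID + NULL
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\xaa\xaa\xaa\xaa"))

MD5_CERT = sample_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04")   # md5WithRSA
SHA1_CERT = sample_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")  # sha1WithRSA
```

For a real certificate, base64-decode the body of its PEM file (for example the string returned by `ssl.get_server_certificate`) and pass the resulting DER bytes to `check_certificate`.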

