Monday, February 2, 2009

Want to See Something Really Scary?

In a very scary article written by Byron Acohido and Jon Swartz in USA Today last week, readers were provided the opportunity to gain some insight into just how unsafe it is to enter your debit or credit card numbers online.

These bullet points should be enough to (rightfully) scare the living bejeezeeze outta you and steer you away from the idea of ever typing in your credit or debit card numbers online again.


Remember: "Don't Type, Swipe"
You're 92 times more likely to be the victim of fraud if you type rather than utilize hardware, such as our personal card swiping device. (see Software Breach 92 Times More Likely Than Hardware Breach)

The good news is that there is a way to "mask" your data and "safely" make purchases online. You have to swipe your own card data before the bad guys do. The day AFTER this story ran in USA Today, a game-changing event occurred. On January 29th, I wrote that HomeATM was pleased to announce that they met PCI 2.0 requirements. When you combine that achievement with the fact that HomeATM provides End-To-End Encryption (E2EE) protocols, you'll see that there truly is only one way to securely purchase goods online. And that's with HomeATM's online (PIN) debit platform.

Consider the following highlights, er lowlights...from the USA Today article...


  • The number of malicious programs circulating on the Internet tripled to more than 31,000 a day in mid-September...
  • Cybergangs now routinely activate hundreds of accounts by the minute, dedicating them to criminal pursuits.
  • "The offense tends to outpace the defense," the FBI said. "The cyberthieves are extremely creative."
"This Justin"


They tell the story of Justin Terrazas, 27, a beverage merchandiser from Seattle. Now pay close attention here, so you know what NOT to do. Justin clicked on a Web link that infected his MacBook Pro laptop with a data-stealing program. Not realizing the laptop was compromised, Terrazas later typed his Bank of America debit card number and PIN to pay his Verizon cell phone bill online. The data-stealer swiftly siphoned his information.

(Editor's Note: As we've been stating on this blog for almost a year now, NEVER TYPE your Personal Account Number, let alone your PIN while you are online.)


A few days later, someone used Terrazas' debit card account to make a $501.41 online purchase from Modabrand.com, a designer clothing store. The merchandise was shipped to London, leaving Terrazas to unravel a big mess. "This is definitely something you don't need in your life," he said.
  • The boom in cyberthreats that occurred during the last three months of 2008 could accelerate, especially if the economy continues to falter, security specialists say.

  • Organized cybercrime groups have become increasingly efficient at assembling massive networks of infected computers, called botnets, and deploying them to amass large caches of stolen data.

  • "There is a well-funded, well-educated horde continually probing for cracks and finding their way in" to consumers' financial information, said Roger Thornton, chief technology officer of security firm Fortify Software.

  • "They are breaching ... the highest levels of the global finance infrastructure and a majority of our home computers."

  • Some cybercriminals have begun to spread malicious programs by corrupting online banner ads. Security firm Finjan reports that new tools being sold on criminal forums can be used to infect online ads that use Adobe's popular Flash player.

  • Last fall, virulent programs called Trojans began to circulate more widely in e-mail and instant-message spam, got embedded in tens of thousands of popular Web pages and spread in a widening barrage of online ads. Click on the wrong thing, and you would download an invisible Trojan crafted to steal sensitive data and allow the attacker to control your computer.

  • "Unemployed IT personnel potentially can find easy income by purchasing and using crimeware," says Finjan CTO Yuval Ben-Itzhak. "We expect a rising number of people will try."

  • "In the next year or two, these challenges will increase in both breadth and depth of threats," says Larry Ponemon, chairman of Ponemon Institute.
You may remember the "CheckFree is Not HackFree" post, in which I described how hackers redirected anyone going to their site to a dummy site in the Ukraine. According to the USA Today story, that's just the beginning of what to expect in the future.
  • "The moral of this attack is that it's so easy to take over your website," Klein says. "I just need to get a hold of your user name and password once. And we all know how easy it is to get your credentials."
Do you really know how easy it is? If you truly did understand the scope of the problem I guarantee that you would never again type your debit/credit card number online. Instead, you would happily acquire HomeATM's PCI 2.X personal card swiping device so you could be protected by both dual-authentication (what you have/your card and what you know/your PIN) and our End-To-End Encryption. None of the threats listed above would have an effect on you, provided you completed your transaction by "swiping your own card" in our personal card reader with built-in PCI 2.0 certified PIN pad.


Chip and PIN (+ Magstripe) = Fraud

Back in the middle of September (see below), I blogged about a rash of PIN numbers that were stolen by Russian and Ukrainian skimmers via the rigging of ATM machines in Dubai. As a result, Lloyds TSB announced a switch-over to Chip and PIN last December (also linked below).

Now word comes that the National Bank of Abu Dhabi has officially announced that all banks will be required to introduce Chip and PIN. You will find the link to the story, an excerpt, and some of my comments below:

Chip and PIN system to be introduced - The National Newspaper

In a move to thwart widespread credit card fraud, banks will start introducing a “chip-and-pin” system to replace the traditional magnetic security strip.

Editor's Note: Yes, but if the magnetic stripe is still on the back of the card it can be easily skimmed and cloned. Therefore the "increased security" is only applicable in "card present" situations. Otherwise the data contained on the magstripe can be lifted, and cloned for use overseas and online.

That is why I think it is a mistake for banks to be pushing "signature debit" over "PIN Debit" here in the States. Sure, they might be making a killing on overdraft fees today, but what's getting lost in translation is that they are leaving everyone else in the world open to fraud.

Back to the story:

"The introduction of such technology has proved to be extremely successful in other parts of the world in reducing card fraud, particularly in Europe,” the Central Bank said.

Editor's Note: That may or may not be true, as the "flip-side" of the story is that overseas fraud was 14 times higher and, last week, it was reported that more than 1 in 4 Brits have been a victim of credit or debit card fraud. Fraudsters, like water, seem to find the path of least resistance, which is another reason to be surprised at the banks' pushing of the "least resistant" platform, known as signature debit.

They say that the argument against switching to a Chip and PIN system in the U.S. is the cost. But I say there's a more cost-effective approach. We don't need to spend the $15 plus billion to make the switchover when we could do it for nothing by pushing PIN-based transactions over signature debit. At the same time we'd vastly increase the security of our transactions, and drastically reduce the instances of card cloning, especially in "card not present" situations, by requiring the entry of a PIN, which is the preferred payment mechanism by both consumers and merchants anyway.

"While the cost of making the switch to Chip and PIN in America would be exorbitant, we could simply require the use of PINs here in the States, which would go a long way to combating fraud and cloned cards"
But I guess, in the long run (and I'm being extremely facetious here) it makes more sense for the banks to push "signature debit" in order to make their $35 overdraft profit on a "$4 Big Mac and Coke" purchase than to diligently prepare for the storm that is approaching. Banks have known for years that PIN Debit is more secure than signature debit. So I have to agree with Avivah Litan when she says:

"Signature-based transactions are definitely less secure, so it's really outrageous that banks are steering customers to use signatures rather than PINs simply because it generates more fee income," says Avivah Litan. One major retailer confided to her that fraud on signature-based debit purchases at his company's stores is 15 times higher than for transactions authorized by a PIN.


Signature is 15 times higher than PIN Debit? No wonder banks are pushing signature debit. It makes for complete nonsense. Common sense dictates the push for PIN Debit, both in retail and on the web. Regarding the web, in its current "card not present" state, there's not only more fraud, but cloned cards can be used almost at will. So you'd think even the banks would "get it." Especially based on the fact that they already seem to be PIN-heads. I'll try again:

"A PIN based transaction would be both "dually authenticated" and, with HomeATM, provide the added security of End-To-End Encryption (E2EE)."

Question: If PIN Debit fraud is 15 times LOWER in retail (a card present space), what are the numbers in a "card not present" environment, such as the web? I can only speculate. The fact that e-commerce transactions are all software based (and fraud is 92 times more likely to be associated with software vs. hardware) provides me with evidence that the time for swiping your card and entering your PIN in a PCI 2.0 tamper-proof PIN Pad (thus making it "card present") has arrived.


But, seemingly, for now anyway, the banks are focused on pushing/steering American consumers towards a fraud-centric payment mechanism that is 15+ times more likely to induce fraud, depending on the environment. Without doing research, I'm willing to bet that while the Interchange Fees contribute, it's the overdraft fees that are the main ingredient behind their recipe of pushing signature debit. I thought the Fall of Wall Street was supposed to teach us some truths about greed. Talk about "lie-ability."


Anyway, getting back to the story: Chip-and-pin cards rely on a personal number, usually four digits, rather than a signature, and are thought to be harder to defraud. All banks will be required to introduce the new technology, according to a statement from the Central Bank yesterday, although no timetable was given. “This is in line with global industry trends intended to reduce the risk of debit and credit card fraud.”

Chip-and-pin technology has been used widely in Europe for many years, and was introduced in Britain in 2004. There is still some debate about its effectiveness, although according to a British government website, counterfeit and fraud were reduced by nearly £60 million the year after its introduction. Last week, a senior Dubai police officer told The National that its introduction could prevent increasingly sophisticated credit card fraud... (click here to continue reading)

Related Stories:

Russian Hack Creates "Rush On" Changing PIN's in Dubai

Sep 15, 2008 -Dubai — Some banks in the UAE have slashed the daily cash withdrawal limit of ATM users by almost half after hackers, who police said were from Russia and Ukraine, used counterfeit bank and credit cards to steal funds from customer ..

Chip and PIN Coming to Dubai

Dec 22, 2008 -Chip and PIN Coming to Dubai - Decision to switch based on recent hack and rise in card related fraud. Many banks across the UAE experienced a concerning rise in the instances of card related fraud in the latter part of ...




SmartCard Marketing Posts 1,700% Gain


SmartCard Marketing Systems Inc. Posts 1,700% Gain in Payment Processing Volume in December 2008 Compared to Same Period Last Year

SmartCard Marketing Systems Inc. (PINKSHEETS:SMKG) announced today another record high month in their Prepaid Card loading, PIN Debit (powered by HomeATM) and Bill Payment processing volume for December 2008.

The company saw an increase of 1,700% in Payment processing for December 2008 as compared to same period last year. This volume exceeds the previous record high by 211%, which was posted the month before in November of 2008. This growth trend started mid-2008 when SMKG completed development of its full complement of alternative financial services. The growth is anticipated to continue through 2009 and 2010 as the company grows its transaction volume and active customer base.

(SMKG:PINKSHEETS) President Bruce Baillio said, "Our bill pay, online PIN debit (powered by HomeATM) and card loading volumes are growing exponentially as we get caught up on product deliveries and customer installations. We are in the beginning stages of a major growth curve in both transactions and dollar volumes processed. Not only is the company catching up on backlogged orders, but we are signing new corporate customers every month. In spite of weakness in the overall economy, there is no sign of a slowdown in our business."

gosmartcard.com


Gemalto, mChek Partner in South Asia


Gemalto, the world leader in digital security, today announced its partnership with India-based technology partner mChek, a leading provider of mobile security, banking and payment applications, to bolster the range and choice of secured mobile banking solutions available on Gemalto SIM cards to markets in South Asia.

Since September 2008, Gemalto and mChek have successfully deployed a broad range of mobile banking services with telecom operators in India and Sri Lanka on millions of SIM cards. This includes a mobile top-up service where its customers can recharge anywhere, anytime for themselves or others.

Tan Teck Lee, president of Gemalto Asia said, "mChek has demonstrated an exceptional platform that is flexible and scalable for a broad range of mobile banking and payment applications. By leveraging Gemalto's worldwide partnership program, we can partner with mChek to better serve our customers be they telecom operators or subscribers. Together we aim to bring new levels of security and convenience beyond India and Sri Lanka into markets such as Bangladesh, Indonesia and the Philippines."

The Gemalto Partner Network consists of leading companies that develop products that are complementary to Gemalto products and solutions. Gemalto partners such as mChek have the benefit of exchanging information and getting access to technology and business support as the company looks at expanding its secured mobile banking solutions. This move reaffirms Gemalto's commitment to the region and to bringing convenient, easy to use, secure-mobile solutions to subscribers.

Facilitating secured transactions on the mobile phone

The rapid adoption of mobile phones around the world, notably in emerging countries, provides an opportunity for the telecom and banking industries to leverage the uniqueness of the SIM card (i.e. a network-enabled personal security device) to provide a range of banking services. While some mobile operators have implemented Stored-Value Account (SVA) wallets, in most countries, banking regulations do not allow non-banks to accept deposits or limit the scope and value of operator managed SVA wallets.

The mChek platform addresses these two issues and provides a solution for telecom operators through Gemalto SIM cards. In a unified environment, mChek enables a broad range of services, including mobile banking, two-factor authentication, secure message delivery, cross-border and domestic money transfer and mobile payments using SVA wallets, direct debit and credit/debit card support.

About Gemalto

Gemalto (Euronext NL 0000400653 GTO) is the world leader in digital security with 2008 annual revenues of €1.68 billion, and 10,000 employees operating out of 75 offices, research and service centers in 40 countries. Gemalto is at the heart of our evolving digital society. The freedom to communicate, travel, shop, bank, entertain, and work—anytime, anywhere—has become an integral part of what people want and expect, in ways that are convenient, enjoyable and secure.  Gemalto delivers on the growing demands of billions of people worldwide for mobile connectivity, identity and data protection, credit card safety, health and transportation services, e-government and national security. We do this by supplying to governments, wireless operators, banks and enterprises a wide range of secure personal devices, such as subscriber identification modules (SIM) in mobile phones, smart banking cards, electronic passports, and USB tokens for online identity protection. To complete the solution we also provide software, systems and services to help our customers achieve their goals.

As the use of Gemalto's software and secure devices increases with the number of people interacting in the digital and wireless world, the company is poised to thrive over the coming years.

For more information please visit www.gemalto.com.

About mChek


mChek (www.mChek.com) is a leading provider of mobile security and payments solutions. Based in Bangalore, India, mChek's solutions are deployed on a large scale at Bharti Airtel in India and Dialog Telekom in Sri Lanka. Bharti Airtel recently announced 1 million users on the mChek platform. mChek is approved by Visa International and is deployed by leading banks including Citibank, State Bank of India, ICICI Bank, HDFC bank, Corporation bank, NDB Bank and Seylan Bank.

Source:  Montner & Associates Tech PR Agency


Bill Me Later and I "Might Pay"


Here's a surprise. Bill Me Later, an online payment processor purchased by eBay, saw credit losses reach their highest level, 8.75%, during the fourth quarter of 2008. The credit loss for the period was the highest rate recorded by the newly acquired company. Imagine that.

Some analysts had doubted whether eBay would benefit from the acquisition. 

However, Bob Swan, chief financial officer at San Jose-based eBay, stated that the rate was in line with expectations and “much less than at other credit issuers.”

Editor's Note: Say again? They expected credit losses to rise, thus they expected it to lose money? I guess that was the underlying reason they bought them for nearly $1 billion. As I said in a post back when they were acquired, the only winners here are the Bill Me Later shareholders, who were happy to be paid immediately.

Personally, I expect the 8.75% rate to surpass 10% for Q1 2009 for Bill Me Later, which "might" cause them to re-brand as "MightPay." I wonder if that's in line with Bob Swan's expectations. It makes you wonder how much they would have paid if they "expected" it to "save the day."


