Friday, February 6, 2009

Strengthen Security of Online Payments - European Parliament

Security and safety of Internet transactions need to be strengthened, says European Parliament
Download the European Parliament Press Release in PDF format



More than half of EU citizens and nearly 1.5 billion people worldwide have access to the Internet. Yet, despite the fact that one out of three EU citizens conducts online purchases, only 30 million carry out cross-border shopping in the EU. In view of this, MEPs are demanding increased Internet security, simplified rules and specific measures for SMEs in a report adopted in Strasbourg with 562 votes in favour, 9 against and 10 abstentions.

In a report drafted by Giorgos Papastamkos (EPP-ED, EL), The European Parliament believes that lack of trust in the security and safety of transactions and payments "constitutes the most important danger for the future of e-commerce".

Editor's Note: HomeATM fully agrees with the assessment that the security of internet transactions need to be strengthened. It was the reasoning behind providing end-to-end encryption on our transactions since January '07. The lack of trust is a problem indeed, but in order to build trust, e-payments need to be End-to-End Encrypted. (E2EE) Without E2EE, another breach is imminent.

One guaranteed way to provide E2EE is via PIN Debit through a personal swiping device. Of course the PIN Entry Device (PED) would need to meet PCI 2.0 requirements by going through a series of rigorous testing. Upon completion of testing it would then need to be submitted through the proper channels in order to receive official PCI 2.0 certification. Should that happen, you have a game-changing platform. Which is why HomeATM was pleased to announce that it's SafeTPIN (T stands for Transaction) personal card swiper with built-in PIN Pad was deemed by Witham Labs to either meet or exceed PCI 2.0 standards. (HomeATM Meets PCI 2.0 Standards) In short, HomeATM has believed that the security of online transactions needed to be strengthened from day one, which was the basis for our approach to bringing safe and secure PIN-authorized transactions to the web.

MEPs call on the Commission to investigate the causes and to redouble its efforts to "create mechanisms for strengthening businesses' and individuals' trust in international electronic payment systems, as well as establishing suitable means for resolving disputes related to illegal commercial practices".

Combating counterfeiting, piracy and fraud


Illegal behaviour such as counterfeiting, piracy, fraud, breach of transaction security and violation of citizens' private space pre-existed in the "physical world", say MEPs, but these activities have been both "facilitated and exacerbated" by the abundant technological possibilities provided.

They stress the need to adopt and strengthen necessary and appropriate enforcement measures and for more effective and concerted coordination. This will permit the combating and elimination of existing illegal online commercial behaviour, without affecting the development of international e-commerce, MEPs say, especially with regard to cases liable to involve major public health risks, such as bogus medicines.

MEPs also believe that the regulatory deficiencies in the EU online market are hindering the development of a stable and strong European online industrial and commercial environment. This, they say, results in unsatisfactory levels of participation by European consumers in EU and international trade transactions and hinders creativity and innovation in commercial activity.

Improve regulatory provisions


MEPs deplore the regulatory provisions permitting or requiring geographic market partitioning, high Internet access charges, and any limits on the availability of delivery options in the EU.

The report calls on the Commission to improve the legal interoperability of Internet services through the development of model licences and other legal solutions compatible with jurisdictions. It also asks that existing European deliverables for legal interoperability be propagated in order to reduce both transaction costs and legal uncertainty for online providers.


The report points out that the inherently international character of electronic commerce calls for universal understanding and cooperation, and proposes that bilateral and regional trade agreements signed by the EU should contain explicit provisions covering broad and open use of the Internet for trade in goods and services. The fact that the Doha Development Agenda "does not mandate specific negotiations on e-commerce', is regrettable, it says.

Measures for SMEs


MEPs call on the Commission to develop a comprehensive strategy for removing the barriers to using e-commerce still affecting SMEs (access to ICT, costs of developing and maintaining e-business systems, lack of trust, lack of information, legal uncertainty over transnational disputes, etc.).

They ask the Commission to include policy recommendations, which offer incentives to SMEs to further participate in online trading products and services.

The report recommends the establishment of a database, designed to provide information support and management guidance to the new and inexperienced participants in online trading, and the conduct of a comparative economic analysis of the benefits of e-commerce and online advertising for SMEs, as well as case studies of successful EU SMEs trading online.

There is also a call for a detailed analysis of the influence of online trade upon conventional trading patterns and activities, in order to be aware of and consequently avoid potential adverse effects.

Increase investment for third-country Internet trade


Finally, MEPs believe that the participation of the least developed and other developing countries in international trade through the Internet has to be supported through increased investment primarily in basic infrastructure such as telecommunication networks and access devices. The report underlines the need for low cost and better quality provision of Internet services.

REF. : 20090204IPR48481

Source: Press Release






Reblog this post [with Zemanta]

Juniper on Mobile Money Transfer Market


Press Release: Contraction in Migrant Workers Impacts Mobile Money Transfer Market by 50%, down to $73bn by 2011

Hampshire, UK – 4th February 2009: A new study by Juniper Research indicates that the mobile money transfer market will be particularly vulnerable to the effects of the global recession. The rapidly changing economic downturn is forecast to have an immediate impact on the gross value of mobile money transfers, with the market in the worst case scenario reaching $73bn by 2011. This is some 50% less than previously forecast, although strong growth overall is still expected in the long term.

The Juniper Research mobile commerce report determined that the short term impact of the recession is likely to be felt most severely in this market owing to the effect of job losses in the migrant worker population.

Report author Howard Wilcox pointed out: "We are still in the early stages of the recession but we are already observing significant layoffs which will affect a market where the growth is fuelled by migrant workers sending remittances home to families. Workers from countries such as India, the Philippines and Mexico are likely to be hit in this way because of the sheer numbers working abroad as expatriates. However, we still see this market long term as a significant growth opportunity."

The Juniper report determined that all the mobile commerce market segments are still set to grow significantly over the next five years driven by a range of factors including user demand, but they will all be affected to a greater or lesser extent by the recession. The report includes a top level assessment of the impact of the global economic situation resulting from the credit crunch on the main mobile commerce market segments.

The Juniper Research mobile commerce study analyses the trends and issues affecting the mobile commerce market, across all the main segments providing forecasts of gross transaction values for digital goods and physical goods purchases, NFC (Near Field Communications), mobile money transfers, ticketing, coupons and banking. The report also presents the latest application and services examples and case studies from in excess of 60 mobile commerce companies pioneering in this developing market.

Mobile Commerce whitepapers and further details of the study, 'Mobile Commerce: Prospects for Payments, Ticketing, Coupons and Banking 2008-2013’ can be freely downloaded from www.juniperresearch.com. Alternatively please contact John Levett at john.levett@juniperresearch.com, telephone +44(0)1256 830002.


Reblog this post [with Zemanta]

Amazon Payments Taken Out of Beta

Amazon takes payments service out of beta

Amazon Payments, a subsidiary of Amazon.com, (NASDAQ:AMZN), today announced the General Availability of Amazon Flexible Payments Service (Amazon FPS) and the launch of Amazon FPS Quick Starts.

Amazon FPS Quick Starts aggregate various Amazon FPS APIs into a simplified set of APIs that substantially reduce the steps a developer must take to enable transaction processing on their websites. Now, developers can enable common payment transactions such as one time payments, recurring payments and pre-payments in hours rather than days.

Amazon FPS is the first payments service designed from the ground up specifically for developers. It is built on top of Amazon's reliable and scalable infrastructure and allows developers to accept payments from Amazon's tens of millions of customers.

Starting today, developers who sign up for Amazon FPS by March 15th and launch their applications by June 1, 2009 can take advantage of free payment processing for the first 90 days until total transaction volume reaches $500,000. To learn more about Amazon FPS, Amazon FPS Quick Starts, and the free processing promotion, visit amazonpayments.com/fps.

Amazon FPS Quick Starts include:

* Basic Quick Start enables one-time payments for e-commerce and digital goods, donations, and any other online service.
* Advanced Quick Start provides periodic or delayed payment features required by subscription and usage-based services such as digital music and online storage. Advanced Quick Start offers developers flexibility in specifying payment instructions by time period, amount, and frequency. For example, a user can make recurring payments for a specific amount at regular intervals or a sender might set a spending limit per week for a particular named recipient.
* Marketplace Quick Start is designed for building marketplace applications. Developers can facilitate transactions between a third party buyer and seller, take a cut of the transaction, and have control over who pays the transaction processing fees.
* Aggregated Payments Quick Start reduces processing costs by consolidating multiple transactions, including micro-payments, into a single, larger transaction. This Quick Start offers prepaid and postpaid mechanisms to aggregate transactions. You can enable your customers to create prepaid balances that can be used subsequently to make multiple smaller purchases on your web site or you can extend credit and charge them later for accrued usage. In both cases, the Aggregated Payments Quick Start enables you to programmatically track individual transactions and the aggregated amount.
* Account Management Quick Start simplifies integrating account activity, balance and transaction information into websites and existing applications.

"Developers have been excited about the flexibility that Amazon FPS offers and the wide range of innovative business cases it enables. Developers have asked us for an easier way to get started and tools that would enable them to make the most of the Amazon FPS feature set. This release incorporates this feedback by introducing Amazon FPS Quick Starts, which significantly simplifies integration while maintaining all the flexibility that Amazon FPS provides," said Mark Stabingas," General Manager of Amazon Payments. "Developers can now choose the Amazon FPS Quick Start that meets their unique business needs and monetize their innovations quickly."

"SocialGold's objective is to make it really simple and easy for users to buy currencies and goods in online games and social applications. Amazon FPS Quick Starts provide the most logical and easy-to-use interface we've seen," said Vikas Gupta, Co-Founder and CEO of Jambool, a virtual economy platform for online games. "With Amazon Quick Starts we could quickly zero in on the API we needed. The documentation is great, the API is lightweight and we believe Amazon FPS Quick Starts will be instrumental in helping us create a great experience for our users."

"Meetup is a worldwide network of local, offline groups," said Maya Voskoboynikov, Group Product Manager for Meetup. "By integrating with Amazon FPS, we are helping Meetup Groups develop their own economies in the form of membership dues, event tickets and sponsorship payments. Helping Meetup Groups grow their economies is key to supporting the growth of long lasting organizations. We chose Amazon FPS for its flexible and powerful API, which allowed us to build several custom solutions from one basic foundation."

"We needed to support hundreds of thousands of merchants across a vast network of boutique marketplaces," said Matthew Trifiro, CEO of 1000 Markets. "Amazon FPS was the only system capable of giving us a robust checkout experience across our network. We looked at other payment systems available and chose Amazon FPS because Amazon is the most trusted name in e-commerce and that leads to more sales."

Source: Amazon Payments, 06 February 2009

Reblog this post [with Zemanta]

Mobile Money Transfer Gaining Acceptance

Finextra: Monilink reports growing user acceptance of mobile money transfer
Monilink reports growing user acceptance of mobile money transfer

UK m-banking outfit Monilink is reporting a surge of interest in mobile payments, with over half a million pounds transferred by users in the past month.

The Monilink mobile money service is currently available to over half of UK adults including customers of Alliance & Leicester, first direct, HSBC, Lloyds TSB, NatWest, Royal Bank of Scotland and Ulster Bank.

Customer surveys indicate that the most requested new services are the ability to move money to third party accounts, such as topping-up travel cards, charging electricity and gas pre-payment accounts and paying-off credit card balances.

The vendor is currently expanding its portfolio to offer services for the most advanced smartphone devices, including the latest touch screen handsets. It says the ongoing development of services specifically designed for smartphones demonstrates the growing acceptance of mobile money services by consumers across the UK.

John Milliken, managing director of Monilink believes that big bank backing for the service is crucial to user acceptance.

"Consumers we talk to are still reluctant to give secure information to brands they haven't heard of before," he says. "In the UK the successful mobile money services are all presented to the consumer by the banks themselves which I believe is the crucial difference between the mass-market services here and some of those offered in some other places in the world."

Monilink recently introduced facilities for intra account transfer and international money mover services over recent months.

Says Milliken: "I look forward to continuing this trend with the announcement of our new payment services, including some of those that our customers have requested."

Reblog this post [with Zemanta]

X-Force Is With You...


IBM has released it's 2008 X-Force Security Report.  Since I've been detailing how unsafe it is to do e-commerce in a Web browser space (7 words - You should be SwipePIN instead of Typin') I thought I'd share some statistics to back it up.  (click graph on left to enlarge)

X-Force Trend Statistics Report

The X-Force produces the X-Force Trend Statistics report twice per year, once at the end of each year and once at mid-year. These reports provide statistical information about all aspects of threats that affect Internet security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber-criminal activity. The information in this report is for customers, fellow researchers, and the public at large and is intended to help others understand the changing nature of the threat landscape and what might be done to mitigate it.

First, let's flashback and take a look at their leading paragraph from last years release:

"ARMONK, NY - 11 Feb 2008:
IBM (NYSE: IBM) today released the findings of the 2007 X-Force Security report, detailing a disturbing rise in the sophistication of attacks by criminals on Web browsers worldwide. According to IBM, by attacking the browsers of computer users, cybercriminals are now stealing the identities and controlling the computers of consumers at a rate never before seen on the Internet.
"

Here are some personally selected highlights:
Web-Related Security Threats

• The number of new malicious Web sites in the fourth quarter of 2008 alone surpassed the number seen in the entirety of 2007 by 50 percent. Last year, China replaced the US as the most prolific host of malicious Web sites.
 
Browser-related vulnerabilities are still overwhelming the largest percentage of critical and high vulnerabilities affecting personal computers in 2008. (52 percent of all criticals and highs)

Even good Web sites are facing more issues. Web applications, in particular, are increasingly vulnerable and highly profitable targets for helping the criminal underground build botnet armies

• Web applications in general have become the Achilles heel of Corporate IT Security. Nearly 55% of all vulnerability disclosures in 2008 affect Web applications, and this number does not include custom-developed Web applications (only off-the-shelf packages). 74 percent of all Web application vulnerabilities disclosed in 2008 had no available patch to fix them by the end of 2008.

• Last year, SQL injection jumped 134 percent and replaced cross-site scripting as the predominant type of Web application vulnerability.

• Exploitation of Websites vulnerable to SQL injection has increased from an average of a few thousand per day, when they first took hold early in 2008, to several hundred thousand per day at the end of 2008.

• In addition to these vulnerabilities, many Web sites request the use of known vulnerable ActiveX controls, which leave Web site visitors who do not have updated browsers in a compromised position.

The majority of phishing – nearly 90 percent – was targeted at financial institutions. Over 99% of all financial phishing targets are in North America or Europe, with the majority of targets in North America (58.4 percent).  

• The days of amateurs, college students, or hackers taking joy rides on corporate information systems are largely over. Today’s attackers are economically motivated. They are international criminal organizations who make a living stealing financial information and identities.
 

Remotely Exploitable Vulnerabilities
The most significant vulnerabilities are those that can be exploited remotely, because they do not require physical access to a vulnerable system. Remote vulnerabilities can be exploited over the network or Internet, while local vulnerabilities need direct system access.

2008 marks the third straight year where the percentage of remotely exploitable vulnerabilities has reached a record high.

In 2008, they represented 90.2 percent of all vulnerabilities, up from 89.4 percent and 88.4 percent in 2007 and 2006 respectively.

A factor in the increase that has occurred over the past few years is the growing number of Web application vulnerabilities, which are typically remotely exploitable and an ever-growing percentage of the overall vulnerability count.  See figure 14 above. (click to enlarge)
To take a look at the full 106 page PDF, click here.
Reblog this post [with Zemanta]

Parking Ticket = Malware in Disguise

Here's a new angle on getting people to unknowingly and willingly visit a site which installs malware on their machines.  According to Christopher Null at Yahoo Tech, hackers put counterfeit "parking tickets" on the windshields of illegally parked cars.  The counterfeit tickets instruct the car's owner to go to a website and pay the fine.  Yes, you guessed it...the website installs malicious code.  Here's his story:

Parking tickets actually malware attacks in disguise : Christopher Null : Yahoo! Tech

The last place anyone would expect to face a computer security attack is on the windshield of their car in the form of a parking ticket.

But that's the latest -- and intensely clever -- way that hackers are attempting to goad people into visiting infected websites and willingly install malware on their machines.

The scam is instantly clever once you hear how it works: Hackers print up phony "PARKING VIOLATION" notices and plaster them on cars parked on the street. The phony ticket directs the car's owner to visit a certain website, and of course the website in question (which largely seems to comprise of photos of badly parked cars) is a hack site which attempts to install malware on your PC.

Essentially what we have here is a phishing attack that takes place in the real world instead of via email. The use of fliers on parked cars is what's truly ingenious: A similar attack sent via postal mail would probably have minimal effect, but people are incredibly protective of their cars, and I imagine these windshield fliers will actually have a pretty good percentage of people typing in the URLs typed on them.

Reblog this post [with Zemanta]

Disqus for ePayment News