Thursday, February 12, 2009

Dangerous Vulnerability in Blackberry

New Vulnerability Found In BlackBerry's Web Application Loader - DarkReading

Flaw could allow attackers to gain control of the device, researchers warn

Editor's Note: 

This was rated as a 9.3 out of 10, which means it's "highly dangerous" and "potentially easy to exploit." Which is exactly why, when BB is exploring how to position itself for mobile banking and/or P2P payments, they might want to weigh in heavily on the pragmatics of "playing it safe."

(via a plug and play device...such as, oh, I don't know, a slider?) 
If there's ever a time  to "play it safe" it's with online apologizes for using the "same" picture twice in 1 just seemed so apropos. 
Feb 11, 2009 | 05:29 PM
By Tim Wilson DarkReading

Just a few weeks after President Obama won his fight to keep his BlackBerry, the handheld's security is causing concern again.

BlackBerry maker Research In Motion this week is warning users about a newly discovered vulnerability that could potentially enable an attacker to gain remote control of the device or crash its browser.

Given a "Common Vulnerability Scoring System rating of 9.3 on a 10-point scale, which means the vulnerability is highly dangerous and potentially easy to exploit..."
The flaw was found in the BlackBerry's Web Application Loader, an ActiveX feature that enables the handheld to load new applications via the Internet Explorer browser. RIM says that "an exploitable buffer overflow" exists in the BlackBerry Application Web Loader ActiveX control.

According to an advisory issued by US-CERT, the flaw may be exploited by phishers or other attackers. "By convincing a user to view a specially crafted HTML document, an attacker may be able to execute arbitrary code with the privileges of the user," the advisory says. "The attacker could also cause Internet Explorer to crash."

US-CERT says the vulnerability has been assigned a Common Vulnerability Scoring System rating of 9.3 on a 10-point scale, which means the vulnerability is highly dangerous and potentially easy to exploit.



Security Fears Stunt Growth, HomeATM Stunts Security Fears

This Finextra article was the basis for this post:

Finextra: Security fears are stunting the growth of e-commerce in the UK, with refusenik consumers citing media scare stories and personal accounts of online credit card fraud as reasons for not shopping on the Web.

More than half the UK population still does not shop online, according to a survey of 1000 consumers undertaken by tech security outfit, CyberSource. Reasons range from simple preference for high street shopping to lack of a computer or Internet access.

However, 41% of people who don't shop online also cite security fears as a cause for concern.

The study found that the most common source of information about the safety of online shopping is stories in the media. But consumers also rely on friends and family for advice. About a third of survey respondents say that they or someone they know has been a victim of online credit card fraud.  "With the abundance of media coverage about security breaches, it is not surprising that some shoppers are frightened off," says Simon Stokes, managing director of CyberSource.

"The challenge to the industry is educating consumers to shop safely, to minimize their exposure to fraud."

My thoughts: 
The folks at HomeATM realize that educating consumers is part of the solution, but first and foremost, it is the media who needs to be further educated regarding the perils and pitfalls, trials and tribulations, and  security ramifications involved with entering/typing their card information into a browser space. 

This week I brought you announcements regarding PayPal's new personal card swiping device, offered through Dell: PayPal Says Don't Type...Swipe!

In addition, I also posted a story regarding ProPay, who is hosting the Data Security Summit, and their personal swiping device: Data Security Summit Host Says Don't Type...Swipe!

This represents the beginnings of a fundamental shift in understanding that online transactions are safer when done  outside the browser space. 

Of course, neither device can measure up to what HomeATM has to offer. Our device not only provides, at a very minimum, what theirs does, but it has the added security benefit of incorporating a fully encrypted PIN Pad, providing yet another significant security benefit called dual-authentication (what you have: the card, and what you know: the PIN).

As I mentioned in those posts, our personal "SwipePIN" device can also be used for P2P and Me2Me money transfers.  Why is that significant?  Well, as one blogger at says when speaking of mobile banking:

The point of talking about it here is that I think these alternative payment systems might end up driving adoption of mobile banking.

P2P (person to person) payments are potentially the gasoline to the rising mobile banking flame. The drawback to many mobile P2P services (e.g. PayPal) is that many times they are competing with cash transactions. Exchanging cash is free. Exchanging funds with PayPal is not. PayPal, and many other services charge fees to the recipient or sender. Many of the companies touting new payment methods are aiming to reduce those fees and push their service to the masses. If they succeed, mobile P2P payments may become pervasive and mobile banking usage will explode.

HomeATM understands what it takes to make an online transaction secure, and it is also aware of the fact that online shopping behavior is going to be affected by all the recent breaches. We feel that online consumers will soon understand the "common sensibility" involved with using a secure device utilizing existing bank rails and providing end-to-end encryption to protect their sensitive data. In the meantime, we will continue to cover all the reasons why you should be SwipePIN instead of Typin'....

The above article focused on online financial behavior in the UK.   It's no different here in North America...nor anywhere else for that matter.  Here's a sampling from a report by Forrester Research from last week:

Three Ways Online Security Affects North Americans' Financial Behavior

How Secure Consumers Feel Online Affects What They're Willing To Do

This is the first document in the "Perceived Online Security" series by Brad Strothkamp, Peter Wannemacher with Courtney Tincher, Carlton A. Doty

Executive Summary (This is a document excerpt)

For the past five years, Forrester has tracked the degree of security consumers feel when using financial information on the Internet.

By analyzing these trends and our most recent survey data, we found that security is a key factor in consumers' willingness to shop and buy financial products on the Web. Online consumers who feel secure are more than twice as likely to pay bills online as those who feel insecure and more than three times as likely to apply for a financial product online. eBusiness professionals at financial firms should proactively try to strengthen consumers' sense of online security to increase their use of the Web.

You may purchase the report for $749 from Forrester, and read all about it.  Or you can call HomeATM and we'll put together a custom solution for your financial institution.


RIM to Buy Certicom Encryption Maker

RIM wins Certicom bidding war - Computer Business Review

Research In Motion Ltd looks to have won out in its pursuit of Certicom Corp after rival bidder VeriSign Inc announced yesterday that it would not be making any other offers for the encryption software supplier.

Certicom chairman Jeffrey Chisholm said the board had recommended that shareholders accept RIM's sweetened offer, but he has also cautioned that the deal was far from closed.  "While we fully expect that this deal will go ahead, it's not over until it's over," he is quoted as saying in the local Canadian press.

RIM tabled a $105 million cash offer for Certicom last week, which was almost double what the company had originally staked back in December, and 40% more than the price being mooted by VeriSign.

RIM already uses Certicom encryption programmes to secure its BlackBerry line and the technology is seen as vital to the continued development of the mobile email favourite.

The acquisition is regarded as being highly strategic for RIM as it would help accelerate take up of the Blackberry device by government and public sector authorities, which insist on hardened security in mobile systems.

The market also expects the popular hand-held device could be developed into a platform for digital wallets and secure m-commerce.

Certicom has confirmed that it is to pay a $3.25 million break-up fee to VeriSign.


Voltage SecureData Now Provides E2EE

Voltage SecureData Now Provides Distributed End-to-End Encryption of Sensitive Data

Retailers, payment card processors, financial institutions and others enjoy new features that make it easier to comply with regulations and reduce the risk of data theft

Palo Alto, California – February 12, 2009– Voltage Security, Inc., a global leader in information encryption, today announced major enhancements to Voltage SecureData, supporting more environments and platforms than ever before, including end-to-end encryption across distributed environments such as those used by retail and payment processors, as well as support for z/OS and Hardware Security Modules (HSM). As a result, Voltage customers are finding it easier to protect their data end-to-end, comply with regulations and protect sensitive customer information from the moment it is collected.

Editor's Note:  HomeATM has done this since January 2007.

"Large structured databases have been crying out for better protection," said Trent Henry, principal analyst, Burton Group. “Although data breaches are caused by a variety of factors, improved data protection is a big piece of the solution. Unfortunately, many organizations haven't been able to improve underlying data security because it required costly application changes or coding. Customers are looking for solutions that provide protection without changes to legacy infrastructure.”

Voltage SecureData now integrates with Hardware Security Modules (HSMs) to store cryptographic information in order to meet internal company security requirements. HSMs are widely accepted as an industry best practice for securing encryption keys that protect an organization’s most sensitive data.

For IBM mainframe customers using z/OS, Voltage SecureData now operates natively, providing a simple API that can be accessed by COBOL and other Language Environment (LE) programs to protect data, as well as an integration and scripting tool called z/FPE that enables bulk encryption and masking of z/OS data (CICS, DB2, IMS, QSAM, VSAM) – providing full end-to-end data encryption, accessible from within or outside the z/OS system.

These new Voltage SecureData capabilities build upon two core cryptographic and key management innovations: Identity-Based Encryption (IBE) and Format-Preserving Encryption (FPE).

“Voltage SecureData makes it extremely fast—not to mention much easier and more cost effective—to encrypt data as soon as it’s collected in a database, then keep it protected wherever it goes and while used by various applications," explained Terence Spies, chief technology officer, Voltage. "Other cryptographic approaches turn a 16-digit credit card number into an alphanumeric string with as many as 50 characters. This poses big problems for databases, applications, and legacy systems that are set up to accept only 16 digits, requiring heavy-duty re-architecting and modifications. By contrast, by leveraging FPE, Voltage SecureData enables encrypted credit card numbers to continue to look and feel exactly like the real thing, eliminating those problems and the associated complexities altogether.”
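To make the point in the quote above concrete, here is an added example (constructed for this post, not Voltage's product code and not the standardized FF1/FF3 modes) of what "format-preserving" means in practice: a 16-digit card number is encrypted into another 16-digit string, so it still satisfies a legacy `CHAR(16)` numeric column, and decrypts back to the original. The construction is a balanced Feistel network over two 8-digit halves with HMAC-SHA256 as the round function; the key, PAN and tweak values are constructed placeholders.

```python
import hmac
import hashlib

# Toy format-preserving cipher over 16-digit strings. Each half of the 16 digits
# is treated as an integer modulo 10**8 and pushed through a balanced Feistel
# network whose round function is HMAC-SHA256 keyed by the data-protection key.
# Constructed illustration; real deployments use a specified mode such as FF1.

MODULUS = 10 ** 8   # each half holds 8 decimal digits
ROUNDS = 10         # round count for the toy; a standardized mode fixes this by spec


def _round_function(key, round_index, half, tweak):
    """Pseudo-random function F_k(i, half, tweak) -> integer in [0, MODULUS)."""
    msg = tweak + round_index.to_bytes(1, "big") + half.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % MODULUS


def _split(digits):
    """Validate the 16-digit format and split it into two 8-digit integers."""
    if len(digits) != 16 or not digits.isdigit():
        raise ValueError("expected exactly 16 decimal digits")
    return int(digits[:8]), int(digits[8:])


def _join(left, right):
    return f"{left:08d}{right:08d}"


def fpe_encrypt(key, digits, tweak=b""):
    """Encrypt a 16-digit string to another 16-digit string (same format)."""
    left, right = _split(digits)
    for i in range(ROUNDS):
        left, right = right, (left + _round_function(key, i, right, tweak)) % MODULUS
    return _join(left, right)


def fpe_decrypt(key, digits, tweak=b""):
    """Invert fpe_encrypt by running the Feistel rounds in reverse order."""
    left, right = _split(digits)
    for i in reversed(range(ROUNDS)):
        left, right = (right - _round_function(key, i, left, tweak)) % MODULUS, left
    return _join(left, right)


def fits_legacy_column(value, width=16):
    """The schema constraint the press release describes: a numeric-only
    fixed-width field. Ciphertext that fails this would force a schema change."""
    return len(value) == width and value.isdigit()


def demo():
    key = b"constructed-demo-key-do-not-reuse"  # constructed; production keys live in an HSM
    pan = "4111111111111111"                    # constructed test PAN, not a real account
    tweak = b"merchant-42"                      # constructed context binding
    ct = fpe_encrypt(key, pan, tweak)
    return {
        "plaintext": pan,
        "ciphertext": ct,
        "ciphertext_fits_column": fits_legacy_column(ct),
        "round_trip_ok": fpe_decrypt(key, ct, tweak) == pan,
        "changed": ct != pan,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tweak binds the ciphertext to a context (here a constructed merchant label) so the same PAN encrypts differently in different tables; the ciphertext does not carry a valid Luhn check digit, which is one reason production deployments often leave the first six and last four digits in the clear and encrypt only the middle digits.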

In addition to supporting distributed environments, mainframe and HSMs, the latest version of Voltage SecureData also makes it easier for customers to:
  • Manage encryption across multiple servers. Voltage SecureData allows administrators to manage several servers from a single point, speeding updates and lowering operational costs.
  • Secure data in a cross-platform environment. Supports Windows, Linux, AIX, Solaris, HP-UX, z/Linux and z/OS.
  • Encrypt databases directly. With the Voltage SecureData Command Line, customers can encrypt data directly without building a separate encryption application or creating extracts.
  • Meet compliance requirements. Includes built-in PCI audit reports, comprehensive logging across infrastructure and integration with third party log management systems.
  • Integrate encryption in existing applications. Developers can add encryption with just two lines of code; competing products require as many as 100 lines to accomplish the same task.

Interest in encryption will likely increase in the coming months, as the new president shines the spotlight on the need for data protection. President Obama's Homeland Security agenda mandates standards for securing personal data and requires companies to disclose data breaches. In particular, he has indicated that encryption will play a key role in efforts to protect consumers. As a result, government efforts will expand beyond infrastructure protection and focus on database encryption, as well as mobile data, storage encryption, PKI and key management solutions.

For more information on ‘Data Protection Risks and How to Avoid Them,’ join Voltage Security, Burton Group and MphasiS (an EDS company), in a discussion about the top five risks of protecting customer data and what to do about them on February 19th at 9:00am Pacific and 12:00pm Eastern.

About Voltage Security
Voltage Security, Inc., an enterprise security company is the global leader in information encryption. Voltage solutions, based on next generation cryptography, provide encryption that just works for protecting valuable, regulated and sensitive information persistently and based on policy. Voltage delivers power, simplicity and the lowest total cost of ownership in the industry through the use of award-winning Voltage Identity-Based Encryption™ (IBE) and a new breakthrough innovation: Format-Preserving Encryption (FPE). Voltage Security offerings include Voltage SecureMail™, Voltage SecureData™ and the Voltage Security Network™ (VSN), an on-demand managed service for the extended business network.

Voltage Security is the number one OEM provider of email encryption technology in the world with OEMs that include Microsoft, Proofpoint, Secure Computing, Sendmail, Canon, Code Green Networks and NTT Communications. The Company has been issued several patents based upon breakthrough research in mathematics and cryptographic systems. Customers include Global 2000 companies in banking, retail, insurance, energy, healthcare and government, such as American Board of Family Medicine, Diebold, Integro Insurance Brokers, NTT Communications, SafeAuto Insurance, Winterthur Life UK Ltd. and XL Global Services. For more information please visit


Source: Press Release


Gemalto and INSIDE Contactless Announce NFC Availability

Press Release (PDF) 

NFC chip and SIM card meet GSMA’s latest SWP handset requirements

AMSTERDAM & AIX-EN-PROVENCE, France - (Business Wire)

Gemalto, the world leader in digital security, and INSIDE Contactless, the world leader in advanced open-standard contactless chip technologies, today announced availability of a Near-Field Communications (NFC) solution fully complying with the latest ETSI standards. The solution also meets the new GSM Association “Pay-Buy-Mobile” mobile handset requirements based on the Single Wire Protocol (SWP). The new Inside MicroRead® NFC chip, combined with the Gemalto latest UpTeq 300 m-NFC SIM card embarking a Common Criteria EAL4+ security certified chip, gives handset makers and mobile operators the first fully compliant, interoperable, full-speed SWP solution – tested at 1.6 Mbps – to support proximity payments, transport and ticketing.

Both companies had the vision and leadership to develop near field communications solutions and champion them to become ETSI standards supported by the GSM Association. Gemalto originally developed the Single Wire Protocol, which provides a standard interface and secure communications channel between the SIM card and the embedded NFC chip, brought by INSIDE Contactless.

“Inside has been a pioneer in the field of NFC and after years of continued effort, it is gratifying to see this exciting technology finally coming to market,” said Bruno Charrat, chief scientist for INSIDE Contactless. “The GSMA is already recommending that its member mobile network operators begin ordering SWP handsets to ensure that consumers can enjoy the convenience of mobile payment and other NFC-related services as soon as possible.”

Gemalto and Inside have been participating in seven “Pay-Buy-Mobile” pilot programs around the world. In particular, both companies kick-started Asia’s first mobile contactless SIM-based NFC trial in Taiwan. As part of a trial involving more than 200 users, FarEasTone, a leading wireless service provider in Taiwan, found that 90 percent of people felt positive toward this new service, 80 percent of people were satisfied that the service is secure and 40 percent said they would switch their monthly spending to a mobile credit card service.

“Offering open, standardized solutions is key to the sustainable take-off of mobile contactless services,” added Jérôme Sion, director of mobile contactless activities at Gemalto. “Following a number of successful pilot programs around the world, always very well received by consumers, we are now entering the time of broad commercial NFC business. Gemalto gathered a unique knowledge from these early deployments and is able to immediately set up a number of field-proven services to support these large operations.”

In a separate press release today, Feb 12, 2009, Gemalto announced it achieved SAS Security Certification:

Gemalto Achieves SAS Security Certification, Remains Only U.S. Smart Card Manufacturing and Personalization Center With This Distinction

About Gemalto

Gemalto (Euronext NL 0000400653 GTO) is the world leader in digital security with 2008 annual revenues of €1.68 billion, and 10,000 employees operating out of 75 offices, research and service centers in 40 countries.

Gemalto is at the heart of our evolving digital society. The freedom to communicate, travel, shop, bank, entertain, and work—anytime, anywhere—has become an integral part of what people want and expect, in ways that are convenient, enjoyable and secure.

Gemalto delivers on the growing demands of billions of people worldwide for mobile connectivity, identity and data protection, credit card safety, health and transportation services, e-government and national security. We do this by supplying to governments, wireless operators, banks and enterprises a wide range of secure personal devices, such as subscriber identification modules (SIM) in mobile phones, smart banking cards, electronic passports, and USB tokens for online identity protection. To complete the solution we also provide software, systems and services to help our customers achieve their goals.

As the use of Gemalto’s software and secure devices increases with the number of people interacting in the digital and wireless world, the company is poised to thrive over the coming years.

For more information please visit

About INSIDE Contactless

INSIDE Contactless is the global leader in open-standard contactless payment and Near Field Communication (NFC) semiconductors and software that power the next generation of payment, transit, identity and access control applications. The company’s intelligent, microprocessor-based platforms offer the flexibility to be embedded in smart cards, mobile phones and other consumer electronic devices, documents, badges and other items to support a wide range of innovative contactless applications and bring new levels of convenience to users. INSIDE has delivered more than 300 million contactless platforms worldwide to customers and partners that include many of the leading payment card and mobile phone manufacturers, systems integrators and financial institutions. With a portfolio of 60 families of patents, including several essential NFC patents, the company has played a leading role in NFC and contactless innovation. INSIDE is headquartered in Aix-en-Provence, France, with offices in Shanghai, Singapore, Warsaw, Seoul and Silicon Valley. For more information, please visit

Rémi Calvet, +33 (0) 1 55 01 64 10
M.: +33 (0) 6 22 72 81 58
Rebekah Lahey, +33 (0) 1 49 09 26 58
Aline Borne, +33 (0)1 55 01 51 05
M.:+33 (0)6 16 29 87 04
Corman Communications, LLC for INSIDE Contactless:
Patrick Corman, 650-326-9648
INSIDE Contactless
Geraldine Sauniere, +33 (0) 4 42 39 33 01
Marcom Director

Online Generation Gap - Pew

Internet use among some of America's oldest citizens grew 73 percent from 2005 to 2008, significantly narrowing the online generation gap.

While younger consumers still dominate Internet use, nearly half of Americans aged 70 to 75 are online, according to the Pew Internet & American Life Project's Generations Online in 2009 report. Perhaps more important to ecommerce merchants is the fact that 47 percent of Americans older than 72 made online purchases, making them one of the generations most likely to shop online.

"Compared with teens and Generation Y," the Pew report said, "older generations use the internet less for socializing and entertainment and more as a tool for information searches, emailing, and buying products."

The Pew Internet & American Life Project's Generations Online in 2009 report is available in its entirety as a PDF.


Web Only Retailers See 24.9% Growth
With 26% tabulated, Top 500 retailers lifted sales by 21.4% last year, Costco up 41.7%

Updated analysis of data for Internet Retailer's forthcoming 2009 Top 500 Guide reveals that sales for the 131 online retailers reporting actual 2008 sales so far have grown by 21.4%, to $34.22 billion from $28.19 billion in 2007.

The report a week ago included 110 web merchants with a combined growth rate of 21.8%. The updated analysis includes 81 web only merchants, 25 catalog companies, 21 chain retailers and four consumer brand manufacturers.

The results of big retailers can skew the growth rate. With sales removed for Amazon, No. 1 in the Internet Retailer Top 500 Guide with $19.14 billion in sales; Costco Wholesale Corp., $1.7 billion; Netflix Inc., $1.36 billion; and Newegg Inc., $2.1 billion; the remaining 127 merchants still grew by 8.8% to $9.89 billion in 2008 from $9.09 billion in the prior year.

Two of the four large retailers reported higher than average sales growth, with Amazon's sales up 29.5% and Costco's up 41.7%.

Web-only retailers grew the fastest by 24.9% to $26.58 billion in 2008 from $21.29 billion in 2007, followed by chain retailers with growth of 22.4% from $3.08 billion in 2007 to $3.77 billion last year.

Catalog companies were up by 1.9% to $3.69 billion in 2008 from $3.62 billion in 2007. With only four manufacturers reporting so far, web sales dropped year over year by 8.1% to $178 million from $193.8 million.


Poll: Only 4% of Banks Unaffected by Breach

Yesterday I provided a list of (so far) the 157 banks and credit unions who have been affected by the Heartland Payment Systems breach.  (along with the number of cards each bank was issuing as replacements.) 

This morning Finextra did a story on an Independent Community Bankers Association (ICBA) "poll," the results of which suggest that thousands of community banks are at risk from the Heartland breach.

The ICBA conducted an informal poll asking community banks "Have you been affected by the Heartland Payments Systems Breach?" 

Amazingly, only 4% responded "No."

Informal or not, with 82% answering in the affirmative (12%, don't know) these are alarming numbers for all concerned.

With nearly 5,000 members, representing more than 18,000 locations nationwide, the Independent Community Bankers of America represents community banks of all sizes and charter types throughout the United States. The ICBA conducted the online poll in late January and here are the results:

Heartland hasn't really said much

1.  They apologized for the inconvenience and said they're heartbroken.  (Translation, HPY = bad ticker)
2.  Said it wasn't their fault, they passed PCI and nobody shared with them information about past breaches, which could've maybe prevented it.  (Translation:  a standard deflection, we did what was asked, we did all we could do..)
3.  They said the industry needs to incorporate end-to-end encryption (Translation: I guess we didn't do all we could do)

One thing we do know is that the ICBA poll certainly implies that thousands of banks have been affected. Sure it was an informal poll, but even though the numbers only add up to 99%, it's 100% more information than we've gotten out of Heartland.

