Tuesday, February 17, 2009

How To Hack an ATM Part II

Last Wednesday I did a post on How to Hack an ATM. Apparently using ATM Bombs is more common than one would have thought.

Sydney gets hit again by explosive ATM raiders 

(Melbourne, Australia) Herald Sun:

ATM raiders have blown up another ATM in Sydney, the third attack in less than a week. 

Police said the ATM was extensively damaged, but it was not known if any cash had been taken. A spate of ATM blasts across New South Wales and Queensland has prompted the formation of a special police task force.


UATP and Alternative Payments - DTN

UATP Keeps Its Eye on Alternative Payments—and Hotels

(February 17, 2009)

Universal Air Travel Plan Inc. is still in growth mode despite some weakness in its core corporate travel business, thanks in part to an ongoing alternative online-payments initiative that started in 2005. Now the specialty payment processor is looking to sign hotels as merchants.

Processing volumes rose about 20% last year for Washington, D.C.-based UATP. “In 2007 we broke the $10 billion mark; in 2008 we were at $12 billion,” president and chief executive officer Ralph Kaiser tells Digital Transactions News by e-mail. “Our profitability is not public, but suffice it to say 2007 was a good year and 2008 was even better.”

UATP has 19 airline shareholder-owners worldwide. Thirteen issue its card, and its brand is accepted by nearly 250. Online payment systems are an increasingly important part of the mix as UATP seeks to offer airlines new product offerings beyond its core corporate travel card, especially ones that cost the carriers less to accept than general-purpose credit cards (Digital Transactions News, Aug. 20, 2008). Already accepted or planned payment brands usable through UATP include PayPal Inc., Bill Me Later Inc. (recently acquired by PayPal parent company eBay Inc.), Moneta Corp., the PIN-based specialists HomeATM and Acculynk Inc., and prepaid cards through Ceridian Corp.’s Stored Value Solutions....

Continue Reading at Digital Transactions


A Billion Internet Users

eMarketer.com is reporting that Internet users surpassed the billion landmark in December. China's number 1, but it is predicted that #7 India will eventually surpass #2 United States. That surprised me a little bit. Here's what eMarketer has to say about the comScore World Metrix...

FEBRUARY 17, 2009

Growing and growing and growing and...

The moment when the Internet passed 1 million users is veiled in history.

The truth is, whenever it happened, no one was counting—or even had the means to do so. But according to the “Internet Growth Survey” from MIT, there were 1 million hosts (defined as either a computer or IP address) in 1995.

At the time, it was estimated that the Internet was doubling in size every year, so there would be over 1 billion users in 2005.

That timeline proved overly optimistic. But according to the comScore World Metrix audience measurement service, the Internet surpassed 1 billion visitors in December 2008.

“Surpassing 1 billion global users is a significant landmark in the history of the Internet,” said Magid Abraham, comScore CEO, in a statement. “It is a monument to the increasingly unified global community in which we live and reminds us that the world truly is becoming more flat.”

comScore got to a billion users without counting access from Internet cafes, mobile phones or PDAs.

By contrast, eMarketer employs a slightly broader audience definition—access by anyone of any age from any location—to estimate that there were 1.172 billion Internet users worldwide in 2008.

Either way you count, one thing few prognosticators foresaw in 1995 was that the US would have only the second-largest online population when the Internet hit the billion-user mark. China ranks No. 1.

The Web still has plenty of room to grow.

“China has taken the lead in the number of Internet users worldwide, and today only about 20% of its residents are online,” said Lisa E. Phillips, eMarketer senior analyst. “While China will continue to lead the world in Internet users, look for India to eventually overtake the US, Japan and Germany.”

While Internet usage is close to saturation in the US, Japan and Germany, India’s Internet population lags behind its status as the second-most-populous nation on earth. “But eventually India’s Internet population will grow large enough to overtake those smaller countries that are now in the top spots,” Ms. Phillips continued.
“The second billion will be online before we know it,” said Mr. Abraham, “and the third billion will arrive even faster than that.”


The Cost of PCI Compliance - Element Payment Services Blog

In a great informational post on the PCI DSS Compliance Blog, published by Element Payment Services, they talk about the cost of PCI compliance.

I had the pleasure of working with Sean Kramer,  the founder and CEO of Element Payment Services, when he was with Concord EFS.  We jointly provided an innovative payments package/solution for U.S. FoodService members.  I am happy to see (but not surprised by) the growth enjoyed by Element.  It couldn't happen to a nicer guy!  Congrats to Sean and his team, including Roy Bricker who previously worked at Pay By Touch.

Here's their post: 

PCI DSS Compliance Blog: Cost of PCI Compliance
Cost of PCI Compliance

‘What does it cost to be PCI compliant?’ is a common question by business owners and software providers facing compliance requirements. Several estimates have been generated by industry leaders on PCI compliance costs.

For Merchants (Complying with PCI DSS)

IT security firms Solidcore Systems, Emagined Security and Fortrex Technologies have identified three main categories of PCI compliance costs:

• Upgrading payment systems and security infrastructure,
• Verifying compliance (assessments), and
• Sustaining compliance.

New components that might have to be installed to upgrade payment systems and security infrastructure include additional firewalls, upgraded anti-virus and anti-spyware software, secure wireless systems, data encryption technologies and file-integrity monitoring software.

Compliance assessments include the PCI Self-Assessment Questionnaire (PCI SAQ) for Level 2, 3 and 4 merchants and an on-site audit for Level 1 merchants.

In 2008, IT research giant Gartner reported that merchant spending to protect cardholder data and become PCI compliant increased nearly fivefold during the previous 18 months. Among the Level 1 retailers Gartner surveyed, an average of $2.7 million was spent to become PCI compliant, excluding the costs of PCI assessment services. That number compares with an average of $568,000 reported by Level 1 merchants in a fall 2006 Gartner survey. Level 1 merchants spent an average of $237,000 on PCI security assessments.

Level 2 merchants reported spending $1.1 million on PCI compliance (compared to $267,000 in fall 2006) and an average of $135,000 on assessment. Level 3 merchants, those processing between 20,000 and one million transactions per year, spent an average of $155,000, excluding security assessment. Gartner did not discuss Level 4 merchants in the report.

For Software Developers (Complying with PA-DSS)

To achieve PA-DSS compliance, software providers must undergo the lengthy and costly process of validating their application. This involves a security audit from a PA-DSS Qualified Security Assessor (QSA) and the development time and expense to bring the application into compliance. These PA-DSS certification costs can range from tens to hundreds of thousands of dollars.

Additionally, software providers are required to pay $1,250 annually per software application to have their solution listed as a validated PA-DSS-compliant solution.

Element Payment Services' site is located at: www.elementps.com


Can Prepaid Cards Be Loaded by Hackers?

Kara Gammell writes in today's Telegraph.com.uk about prepaid cards and questions whether or not they would provide more protection than credit or debit cards and entice 50% of the UK population to shop online in an article entitled: "Will Prepaid Cards Keep the Fraudsters at Bay?" 
"More than half of the population are so worried about becoming a victim of fraud that they refuse to shop online. The research, conducted by CyberSource, a company specialising in electronic payments, said that one in three respondents knew someone who had been the victim of fraud.

But for these reluctant shoppers, a prepaid card might just be the answer.

A prepaid card looks just like a normal credit or debit card, and enables you to buy products and services wherever these cards are accepted.

The main difference is that you can only spend the balance that has been preloaded onto it. This means there is no risk of running into debt as it has no credit or overdraft facility and crucially, the card has none of your personal bank details attached to it.

In the beginning prepaid cards were used by parents to manage their children's spending habits and the market has typically been dominated by Mastercard and Maestro. But now a number of rival cards have appeared, targeting everyone from overseas travellers, nervous online shoppers to new mothers.

Andrew Hagger, spokesman for Moneynet.co.uk, said: "Prepaid credit cards allow such people to be part of the modern day 'plastic culture' which allows you to take advantage of online shopping discounts as well as access to hugely popular sites such as eBay."

For those shoppers who are hesitant about spending on the web, this type of card could help reduce the potential for fraudsters to steal your personal details.

Mr Harrison said: "The risk with a credit card is that the fraudsters will be able to max out your card, where a prepaid card is almost like a pay-as-you-go mobile phone. The only money that can be stolen, is the money you have loaded on.

"And unlike a debit card, a prepaid card does not have any link to your bank account or address, so the chance of fraud is next to none."

Editor's Note: The problem the UK is having is with cloning/counterfeit cards. I would imagine that hackers have their eye on the prepaid market as it is easier to counterfeit $50 cards than $50 bills.

How do prepaid cards work?

Money – typically up to £5,000 – can be loaded on to a prepaid card by cash at a bank, Post Office, at Pay zone or PayPoint terminals, bank transfer, through your employer or even by another credit card.  Editor's Note:  or even by a hacker using a stolen credit/debit card! 


Aconite Extends Chip & PIN Support to Banks in Middle East

Aconite extends Chip & PIN support to banks in the Middle East

London, 17th February 2009

New webinar provides guidance to banks as they prepare to roll out Chip & PIN cards

London, 16th February, 2009: Aconite, a leading provider of software and consulting services for managing business applications on chips in smart cards, tokens or mobiles, is running a webinar to provide timely support to banks in the Middle East in light of recent increased pressure from Central Banks in the region on banks operating locally to implement Chip and PIN cards. These mandates, issued in the United Arab Emirates, Kuwait, the Kingdom of Bahrain and Saudi Arabia for example, require banks to quickly deploy chip technology to increase card security and reduce fraud. And whilst some countries have been mandated to migrate, neighbouring countries will also feel the pressure to increase security on their cards as fraudsters target lesser protected card schemes.

The complimentary webinar entitled “Your guide to introducing Chip & PIN cards” will provide practical advice and highlight important considerations to assist card issuers in making a smooth transition to Chip & PIN cards. The webinar programme will be led by Aconite’s David Worthington, Regional Manager for the Middle East and Bev Stevens, Senior Consultant. Collectively, they have over 25 years chip experience and have delivered various EMV and consulting projects in the Middle East. This includes assignments at numerous banks across Bahrain, Kuwait, Jordan, Oman, Qatar, Saudi Arabia and the UAE, as well as periods spent working directly for KNET and SAMA.

David comments “Aconite is well placed to assist banks taking up this challenge as the company’s team has been engaged in the migration of chip technology since the first pilot of chip cards in the UK in 1993. Through hands-on international experience, we have gained a thorough understanding of every stage of the migration process; our aim is to share best practice to make the migration process for card issuers in the Middle East as straightforward as possible”.

The webinar is scheduled for 11am GMT on Wednesday, March 4th. For more information or to register for the webinar please visit:

I've provided further information about the Aconite webinar below:

"Your guide to introducing Chip and PIN cards in the Middle East"


It was recently announced that the UAE Central Bank has requested that all banks operating in the country are required to upgrade their ATM cards to Chip & PIN cards to reduce the risk of debit and credit card fraud, whilst in the Kingdom of Bahrain, the Central Bank of Bahrain has also issued mandates for Chip & PIN implementation for both Issuers and Acquirers. Whilst some countries are being driven to increase the security of their card base by such national mandates, neighbouring countries will quickly feel the pressure to follow suit as fraudsters will inevitably target lesser protected card schemes.

As a card issuer in the Middle East, what exactly does that mean for you? What are the cost implications? And just how do you go about embarking on such a migration project?

Aconite has been helping financial institutions define their Chip & PIN strategy since the very first chip pilot in the UK back in the early 1990s. We would like to share with you practical advice and considerations to help you make a smooth transition from magnetic stripe to chip cards.


330+ Banks Impacted by Heartland Breach as Numbers Climb

Heartland Data Breach: More Than 330 Institutions Impacted
Bermuda, Canada and Guam Now Report Effects from Breach

Bank Info Security is reporting that more than 330 financial institutions have reported that they are being impacted by the Heartland Payment Systems data breach.

From their site:
"The Heartland Payment Systems [HPY] data breach is the first major information security incident of 2009. As first reported on Jan. 20, Heartland, the sixth-largest payments processor in the U.S., revealed that its processing systems were breached in 2008, exposing an undetermined number of consumers to potential fraud. Since then, a growing number of banking institutions have stepped forward to announce that their customers were among those affected by the breach."


Biometric Facial Authentication Hacked

Researchers Hack Faces In Biometric Facial Authentication Systems - DarkReading
Vietnamese researchers have cracked facial recognition technology in Lenovo, Asus, and Toshiba laptops; demonstration planned for Black Hat DC next week

By Kelly Jackson Higgins

A Vietnamese researcher will demonstrate at Black Hat DC next week how he and his colleagues were able to easily spoof and bypass biometric systems that authenticate users by scanning their faces.

The researchers cracked the biometric authentication embedded in Lenovo, Asus, and Toshiba laptops by spoofing the biometric systems with everything from a photo of the authorized user to brute-force hacking using fake facial images. They successfully bypassed Lenovo's Veriface III, Asus' SmartLogon V1.0.0005, and Toshiba's Face Recognition -- each set to its highest security level -- demonstrating vulnerabilities in the systems that let an attacker cheat them with phony photos of the legitimate user and gain access to the laptops.

Editor's Note: Guess it's time for HD-3D webcams, eh?

These Windows XP and Vista laptops come with built-in webcams that work with the facial-recognition technology. This form of authentication is considered more convenient than fingerprint scans and more secure than traditional passwords. The software scans the user's face and stores the images and facial characteristics. Then the user can log in by scanning his or her face, which is then matched against the image data.

Continue "DarkReading"

Accumulate Strengthens Mobile Credit Card Transaction Security

Barcelona 2009 Accumulate strengthens security of credit card transactions via the mobile

The launch of the ME-platform and the Check ME product enables enhanced security and opens up for new, innovative and cost-effective services in payment and identification using the mobile phone.

Barcelona, February 17, 2009 – At the Mobile World Congress 2009, Accumulate will launch its new mobile technology platform – Mobile Everywhere (ME). The platform is based on patented technology that enables new and innovative payment and identification solutions on the mobile device.

The first product to be released from the Accumulate ME-platform is Check ME, which extends security and control features of the mobile phone, so that consumers can comfortably conduct credit card transactions over their device.

“When online fraud increases, it hinders business opportunities. With the Accumulate ME-platform, card issuers and online shop owners can increase their business while greatly minimizing the fear many end-users have when using credit cards for online transactions”, says Stefan Hultberg, CEO of Accumulate.

Check ME is based on the ME-platform and secures online credit card transactions using the mobile to verify and authenticate the user. Customers are typically credit card issuers such as banks. Key benefits are:

  • Mobile is always with you – increasing accessibility
  • As secure as token generators – eliminates need for extra device
  • No external storage of credit card data
  • Works with almost every mobile phone
  • Easy to use

An example of Check ME’s usage: A consumer makes a credit card purchase online, and authenticates her identity with a pin code provided to her via Check ME on her mobile.

“The launch of the ME-platform and Check ME will be followed by additional new, innovative and cost-effective identification and payment services using the ever present mobile phone”, says Stefan Hultberg.

ME-platform – the technology
The core components of the ME-platform consist of a mobile client that is distributed to users and a back-end transaction server system. The ME-platform offers 3D security and uses a standard mobile phone as a security device, making truly secure authentication accessible for the masses.

For each transaction two separate lines of communication are established – simultaneously – between the customer and the service provider, using two different communication systems: the mobile phone and computer-to-computer communication via the Internet. The end users use their regular computer and standard cellular phone. The service provider sends encrypted information – and receives encrypted reconfirmation – using their web server, and an external transaction service.

The ME-platform products currently work on all major mobile platforms including Android, Blackberry, iPhone, Java, Linux, Nokia Series 40/60 and Windows Mobile.

Visit Accumulate at MWC 2009
If you would like to meet Accumulate in Barcelona, just send a mail with your request to info@accumulate.se. We will reply with more information on where and when to meet.

More information
Stefan Hultberg, +46 70 350 5704, stefan.hultberg@accumulate.se

About Accumulate
Accumulate – world leading provider for secure connected mobile solutions. For more information please visit www.accumulate.se or contact us in Stockholm or London.
London office: Accumulate UK Limited, 306 Harbour Yard, Chelsea Harbour, London SW10 0XD, United Kingdom. Phone + 44 207 351 5944
Stockholm office: Accumulate AB, Norrlandsgatan 23, S-111 43 Stockholm, Sweden. Phone +46 8 20 46 15


Nominations Open for Outstanding Smart Card Achievement Awards

Nominations Open for Smart Card Alliance 2009 OSCA Awards

PRINCETON JUNCTION, NJ, February 17, 2009 – The Smart Card Alliance will once again honor the companies and individuals who have significantly impacted and influenced the market for smart cards in North America with its prestigious “Outstanding Smart Card Achievement” (OSCA) awards.

The 2009 OSCA awards will be presented during the Smart Card Alliance 2009 Annual Conference held in conjunction with CTST 2009 – The Americas Conference on May 4 - 7, 2009 in New Orleans. Complete details and nomination forms can be found at http://www.smartcardalliance.org/pages/activities-osca-awards. All nominations must be received by March 20, 2009.

Nominations are open in three award categories – two for organizations and one for an individual.

  • Outstanding Issuing Organization Award. For an organization that is issuing smart card technology to its internal clients or external customers for their use in North America.

  • Outstanding Technology Organization Award. For an organization with offices in North America that designs, develops or manufactures smart card technology; or that integrates, designs or implements systems in which smart card technology is an important part of an overall solution; or that provides services that support smart card usage in North America.

  • Outstanding Individual Leadership Award. For an individual who stands out for his or her individual contributions to the smart card industry in North America based on a professional record of leadership, vision, support and commitment to the smart card industry in North America.
A judging panel consisting of North American smart card industry suppliers, end-users and individuals from the analyst and media communities will review all qualified OSCA applications. They will select three finalists in each category based on the nominee’s merits and qualifications as outlined in the applications and determine the award for 2009.

Visit the Smart Card Alliance Web site to see the 2008 OSCA Award winners.

CheckSavers Plans Rollout

Check Savers (www.checksavers.com) is pleased to announce the planned 2009 rollout of its new payment technology.

Check Savers uses a patented technology to receive data over the web and create payment items which get deposited directly into merchants’ accounts.

The payment system developed by Check Savers has taken the best features from traditional payment methods - credit cards, ACH and checks in order to bring a comprehensive solution suitable for any industry.

At a reduced operating cost of approximately 25% to 50% of the price of credit card acquiring, and elimination of traditional chargeback exposures, merchants have more protection in their business operations than ever before.

"We have predictable pricing models ensuring that companies can accurately forecast their operating costs. This feature, coupled with enhanced fraud management and the fact that companies can use their existing banking relationships, means that we truly have a merchant-centric product. Companies can now promote sensible spending across their client base, whilst at the same time pass on significant savings to their clients; something which is not lost in the financial climate of 2009" Teo Leonard - Operations Director

It has been commonly misinterpreted as ‘another Check 21 product’. Check Savers provides a whole new concept in acquiring technology; a single solution for all bill payment, acquiring and invoice management is now at your fingertips.

Government, non-profit and traditional commerce industries, contact us to see how we can fit into your world.


Secret Service & FBI Issue CyberAttack Advisory

*** Joint USSS/FBI Advisory ***


Over the past year, there has been a considerable spike in cyber attacks against the financial services and the online retail industry. There are a number of actions a firm can take in order to prevent or thwart the specific attacks and techniques used by these intruders. The following steps can be taken to reduce the likelihood of a similar compromise while improving an organization's ability to detect and respond to similar incidents quickly and thoroughly.

Attacker Methodology:

In general, the attackers perform the following activities on the networks they compromise:

1. They identify Web sites that are vulnerable to SQL injection. They appear to target MSSQL only.
2. They use "xp_cmdshell", an extended procedure installed by default on MSSQL, to download their hacker tools to the compromised MSSQL server.
3. They obtain valid Windows credentials by using fgdump or a similar tool.
4. They install network "sniffers" to identify card data and systems involved in processing credit card transactions.
5. They install backdoors that "beacon" periodically to their command and control servers, allowing surreptitious access to the compromised networks.
6. They target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs.
7. They use WinRAR to compress the information they pilfer from the compromised networks.

We are providing the following preventive measures. Performing these steps may not prevent the intruders from gaining access, but they will severely impact their effectiveness based on current attack methods.

Recommendation 1: Disable potentially harmful SQL stored procedure calls.

Continue Reading this USSS/FBI Advisory at Visa
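
Steps 1 and 2 of the methodology above leave traces in web server logs, so the advisory's point about detecting similar incidents can be checked there. The Python below is an added example, not part of the advisory or the original post: it scans IIS W3C-format log lines for query strings that reference xp_cmdshell after undoing layered URL encoding. The log lines, IP addresses, paths, the PLACEHOLDER payload and the high/low confidence split are all constructed assumptions.

```python
"""Flag IIS W3C log entries whose query string references xp_cmdshell."""
import re
from urllib.parse import unquote_plus

# Only procedure the advisory excerpt names; extend per local policy (assumption).
WATCHED_PROCS = ("xp_cmdshell",)

# Constructed sample log: documentation-range IPs, made-up paths, inert payloads.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-02-10 03:12:44 192.0.2.10 GET /catalog/item.asp id=42 200
2009-02-10 03:12:51 198.51.100.7 GET /catalog/item.asp id=42;EXEC+master..xp_cmdshell+'PLACEHOLDER'-- 200
2009-02-10 03:13:02 198.51.100.7 GET /catalog/item.asp id=42%3BeXeC%2520master..XP_CmdShell%2520%2527PLACEHOLDER%2527 500
2009-02-10 03:13:30 192.0.2.11 GET /help/search.asp q=how+to+disable+xp_cmdshell 200
"""


def normalize(query, max_rounds=3):
    """Undo layered URL encoding, collapse whitespace and fold case."""
    text = query
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:  # nothing left to decode
            break
        text = decoded
    return re.sub(r"\s+", " ", text).lower()


def classify(norm_query, proc):
    """Return 'high' when proc is the target of EXEC/EXECUTE, 'low' for a bare mention."""
    call = re.compile(r"\bexec(?:ute)?\s+[\w.\[\]]*" + re.escape(proc))
    return "high" if call.search(norm_query) else "low"


def scan_w3c_log(lines):
    """Return one hit per log entry and watched procedure found in cs-uri-query."""
    fields, hits = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The directive names the columns of every entry that follows it.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue  # other directives, blanks, or entries with unknown layout
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue  # IIS writes "-" for an empty field
        norm = normalize(query)
        for proc in WATCHED_PROCS:
            if proc in norm:
                hits.append({
                    "line": lineno,
                    "client": row.get("c-ip"),
                    "uri": row.get("cs-uri-stem"),
                    "status": row.get("sc-status"),
                    "procedure": proc,
                    "confidence": classify(norm, proc),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_w3c_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The low-confidence hit is a search request that merely mentions the procedure name; keeping it separate from the EXEC matches gives responders a short high-priority list without discarding the weaker signal.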


M-Banking Given Boost by Gates Foundation

Finextra: Gates Foundation teams with GSMA to boost m-banking in developing world
The GSMA, which represents the interests of the worldwide mobile communications industry, and the Bill & Melinda Gates Foundation have announced a new program that aims to expand the availability of financial services to millions of people in the developing world through mobile phones.

The Mobile Money for the Unbanked (MMU) program, supported by a US$12.5 million grant from the foundation, will work with mobile operators, banks, microfinance institutions, government and development organisations to encourage the expansion of reliable, affordable mobile financial services to the unbanked.

"There are over 1 billion people in emerging markets today who don't have a bank account but do have a mobile phone," said Rob Conway, CEO and Member of the Board of the GSMA. "This represents a huge opportunity and mobile operators are perfectly placed to bring mobile financial services to this largely untapped consumer base. Based on the initial findings of research conducted with the microfinance centre CGAP and McKinsey & Company, we believe that mobile money for the unbanked has the potential to become a US$5 billion market opportunity over the next three years."

continue reading at Finextra
