Wednesday, March 4, 2009

Acculynk Accel/Exchange Announce PIN Debit Pilot

Editor's  Note:  First off, let me be perfectly clear.  This is good news in terms of bringing PIN Debit to the web and I don't want to appear biased in any way when I publish my analysis of this announcement tomorrow. 

For the record, I've spoken with Acculynk's co-founder and President, Nandan Sheth, several times over the past year and frankly, I've got nothing but good things to say about him.  He's an excellent marketer and an excellent sales professional. He has taken a company (ATMDirect) which started in Dallas several years ago (and was subsequently acquired by Pay By Touch, with whom I was a founding shareholder) and has done more with it, in a very short time, than either Pay By Touch or its founder, Mr. Zeiglar, had done over the last decade.  A magnificent job on Mr. Sheth's part.  I look forward to meeting with him at FinovateStartup'09 in April where both HomeATM and Acculynk will be demonstrating their wares...ours hard...his simple, I think it says on the graphic to your left.

With that said, tomorrow I shall Type, Not (take a) Swipe at my understanding of why the methodology behind Acculynk's software-based solution could put users at risk.  I will use recently published examples, and ask whether those same recent exploits could apply to any software-based (I'm not picking on Acculynk) Internet PIN Debit solution. And I'm not alone...Avivah Litan, Gartner's Distinguished Analyst, predicted that processors would be next to be hacked.  She's even recently implied she thinks Visa's Next... I think she presents her opinion in very simple terms.  In a recent ATM&Debit News article entitled "HomeATM Wants to Change the E-Commerce Experience" she says:

"I would highly recommend (to any consumer) not entering their PIN anywhere on the Internet unless it were hardware-based."
- Avivah Litan

Talk about transmitting in clear text!  That's about as clear as it gets. Any questions?  Do ask.

As regular readers of this blog are most certainly aware, I have pointed out many times that in today's fraud-ridden payments space there is a distinct need for end-to-end encryption.  E2EE has been getting a lot of coverage lately on the heels of the "massive" Heartland Payment Systems (HPY) breach.  Whereas HPY co-founder and CEO Robert (Bob) O. Carr is calling for it to position his company's defense in impending class-action lawsuits, HomeATM has incorporated it into its payment schema since January 2007, well before any processor had been breached.  Note:  it is my opinion that the Heartland call for E2EE is a legal maneuver designed to PIN the blame on V/MC...otherwise he'd have called for it prior to the breach.  It's part of their strategy to "meritoriously defend" themselves.  V/MC leaves a window open when they receive the unencrypted data, and that window may be the only window of opportunity Bob O. Carr has to keep his company alive.  But that's a post for another day...getting back to true end-to-end encryption, security and how it relates to Acculynk...

I understand that with Acculynk's approach the keyboard is locked (preventing keylogging) when the floating PIN pad comes up, but if a consumer/user can see the Graphical User Interface (GUI), then so can the hackers.  That's not only my contention but one that is shared by many respected authorities in the payments industry.

Keylogging is but one method of attack.  Screen scraping is another oldie, but goodie.  The floating PIN pad can float all it wants and it can scramble and shuffle the numbers all it wants, but at the end of the day...if a hacker has control over the user's PC, via malware, bots, etc., they can watch the consumer move the mouse pointer as it approaches the GUI and screen-capture each entry of each digit of the PIN.  Holy Grail, Batman!
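To make the point above concrete, here is a small Python model of a scrambled on-screen PIN pad as seen by three kinds of malware. It is an added example for this post, not Acculynk's code, and it does not describe how PaySecure is actually implemented; the pad layout, the click model (the pad re-shuffles before every digit, and a click is recorded as the index of the slot it landed on) and the three attacker views are all simplifying assumptions.

```python
"""Model of a scrambled on-screen PIN pad observed by three kinds of malware.

Added example for this post; it is not Acculynk's code and does not describe
PaySecure's internals. The pad layout, click model and attacker views are
simplifying assumptions: the pad re-shuffles before every digit, and a click
is recorded as the index of the pad slot it landed on.
"""
import random

DIGITS = "0123456789"


def scrambled_layout(rng):
    """Return the digit drawn in each of the ten pad slots, in random order."""
    layout = list(DIGITS)
    rng.shuffle(layout)
    return tuple(layout)


def user_enters_pin(pin, rng):
    """Simulate the user clicking a freshly scrambled pad once per PIN digit.

    Each event is (layout on screen at click time, slot that was clicked):
    the two things a compromised host can observe, the pixels and the mouse.
    """
    events = []
    for digit in pin:
        layout = scrambled_layout(rng)
        events.append((layout, layout.index(digit)))
    return events


def keylogger_view(events):
    """Keystroke logger: the keyboard is locked during entry, so it sees nothing."""
    return ""


def clicks_only_view(events):
    """Mouse hook without screen access: slot indices alone do not give digits."""
    return "".join(str(slot) for _, slot in events)


def screen_capture_view(events):
    """Screen grab at each click plus the click position recovers the PIN exactly."""
    return "".join(layout[slot] for layout, slot in events)


def attacker_views(pin, seed=1):
    """Run one PIN entry and return what each attacker type recovers."""
    if not (4 <= len(pin) <= 12) or any(c not in DIGITS for c in pin):
        raise ValueError("PIN must be 4 to 12 digits")
    events = user_enters_pin(pin, random.Random(seed))
    return {
        "keylogger": keylogger_view(events),
        "clicks_only": clicks_only_view(events),
        "screen_capture": screen_capture_view(events),
    }


if __name__ == "__main__":
    for name, seen in attacker_views("4927").items():
        print(f"{name:15s} -> {seen!r}")
```

The scrambling does defeat the keylogger and a bare mouse hook, which is the threat the locked keyboard and floating pad are designed for. It does nothing against malware that can read the screen at the moment of each click, because the layout that makes the click meaningful is, by necessity, visible to the user and therefore to the host.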

I understand that there's encryption, but I'm not quite sure how this method would lower interchange fees, since the transaction would still technically be a "card not present" (CNP) transaction: it requires the consumer to "type" in their Primary Account Number (PAN), and therefore it's a CNP transaction. I've never seen published interchange rates on a CNP PIN transaction.  Of course, that's the least of the worries that many people I've talked to have.

Their concerns are more or less (pun intended) security related.  "Simple and Secure" are not usually two words that go hand in hand.  One of my biggest worries is that some journalists will read the press release issued today by Acculynk and think it's the greatest thing since sliced bread.  Maybe it is...maybe it isn't, but that determination should be made by doing research.  So, I implore anyone who reads this blog that may be in the field of journalism to do some common sense research in order to determine how safe you think this process really is.  If E2EE, 3DES or DUKPT seems too technical, call Avivah Litan and ask her yourself.  She's usually pretty good about taking the time to speak with journalists in layman's terms...and whereas my rants could be mistaken for competitive jealousy (I assure you they're not)...her take is both authoritative and legit.  

That said...I want to be sure to take the time to extend kind regards and "Kudos" to both Mr. Sheth and Acculynk for providing PIN Debit on the Web with some major momentum!  Online Debit for Online Shoppers is long overdue and there's no doubt he is a pioneer. By the way...Acculynk also has a demo of their application in Flash, which can be viewed by clicking the following link:  Acculynk Flash Demo of PaySecure(TM) 

Here's Acculynk's press release...

Acculynk Announces Issuer Participation in PIN Debit Pilot Program
Wednesday March 4th

Estimated Card Base of Several Million to Be Enabled During the Pilot

ATLANTA--(BUSINESS WIRE)--Acculynk’s Internet PIN debit pilot program is scheduled to go live in early March with several issuers that will bring several million cards to the pilot. The first pilot issuers to participate are from the ACCEL/Exchange EFT network, owned by Fiserv, Inc., the leading global provider of financial services technology solutions. A second EFT network will be announced in a few weeks.

“We’ve had very strong interest from our issuing community, including some of our council members, because this is a value-add service that provides greater security for a consumer’s online transaction,” said Michael Kelly, general manager of the ACCEL/Exchange Network, from Fiserv. “We are very excited that some of the first transactions for this payment type will be driven through ACCEL/Exchange issuers.”

PaySecureTM utilizes a consumer’s debit card and the PIN for online payments, requires no redirection or enrollment, and offers consumers a simple and familiar checkout experience.

“With security a top priority for all consumers, we strongly feel that adding a second factor of authentication for online payments will increase the security of our customer’s data. Many of our cardholders prefer to use PIN debit at the point of sale. We are excited to give them this payment choice online with a service that adds an extra layer of fraud protection,” said Jeff Gegen, Vice President of Bank Operations at Baker Boyer Bank, an ACCEL/Exchange issuer. “This is a historic pilot program where the promise of PIN debit on the Internet is finally being realized, and we are thrilled to be one of the initial issuers participating.”

As one of North America’s premier ATM/POS networks, ACCEL/Exchange from Fiserv provides financial institutions with the infrastructure for cardholders to access their funds anytime, anywhere. The network is currently enabled at more than 200,000 ATMs in North America and most major merchant locations throughout the United States.

Acculynk is the first company in the U.S. to bring PIN debit to the Internet with a software-only service that has been certified by several major EFT networks. PaySecureTM provides an extra layer of security for online card transactions and reduces fraud and charge-backs by as much as 75% for issuers, while offering attractive margins and no-cost adoption.

“Our value proposition to issuers is very strong, and we’ve managed to secure an impressive line-up of institutions for this pilot,” said Ashish Bahl, CEO of Acculynk. “But what’s most exciting is the enormous merchant demand for this product. Such demand will benefit all of our issuers with increased volume and brand awareness.”

Acculynk brings the strength of PIN-based authentication to a domestic online market that has recently been impacted by increased fraud associated with data breaches.

About Acculynk

Acculynk is a leading technology provider with a suite of software-only services that secure online transactions. Backed by a powerful encryption and authentication framework protected by a family of issued and pending patents, Acculynk’s services provide greater security, reliability, convenience and return on investment for consumers, merchants, networks, issuers and acquirers. For more information, visit

About Fiserv

Fiserv, Inc. (NASDAQ: FISV - News) is the leading global provider of information management and electronic commerce systems for the financial services industry, driving innovation that transforms experiences for financial institutions and their customers. Ranked No. 1 on the FinTech 100 survey of top technology partners to the financial services industry, Fiserv celebrates its 25th year in 2009. For more information, visit


Corporate Contact:
Danielle Duclos, Director of Marketing, 678-894-7013

Source: Acculynk


E-vidence of Paradigm Shift...MasterCard Focusing on Debit Business

Remember when Visa and MasterCard were credit card companies?  Well they've quietly "shifted" their focus.  With 314 million debit cards, 53% of Visa's card volume is debit. 

Meanwhile, MasterCard's 126 million debit cards account for 40% of its business.  And don't think it will stop there.  They saw the writing on the wall years ago. 

The people behind Visa and MasterCard have been called many things, but stupid isn't one of them.  Here's some proof of that...

MasterCard Grows Debit Business with KeyBank Deal
By Juan Lagorio

NEW YORK (Reuters) - MasterCard Inc., the world's second-largest credit-card network, will launch a debit card with U.S. regional bank KeyBank on Wednesday, in MasterCard's latest bid to tap demand for payment systems that do not involve borrowing.

"Debit remains a priority for us," Patricia Preston, senior vice president of U.S. debit product management and development of MasterCard Worldwide, told Reuters in an interview.  The World Debit MasterCard will offer rewards, discounts, and savings in an effort to attract customers. Cleveland-based KeyBank, a unit of KeyCorp (KEY.N), will be the first of many partners the credit card network expects to adopt the new debit card.

KeyBank plans to issue 25,000 of the cards by the end of March, and 60,000 by the end of the first year, said Carl Stauffeneger, senior consumer product manager of KeyBank.  He added the bank, with almost 1,000 branches in 14 states, was targeting clients with an annual debit spend of around $7,500.

MasterCard said it expected to promote the new debit card in the United States before exporting it to other countries, but declined to give further details.

The company prospered in recent years as fast-spending consumers used their credit cards more. But with many Americans trying to curb their borrowing, the use of debit cards is likely to increase as consumers stick to stricter budgets.

In the United States, credit transactions represent 60 percent of the gross dollar volume of MasterCard, while debit cards make up the rest. In contrast, rival Visa has a bigger presence in the debit business in the United States, with 53 percent of Visa's total volume in debit cards, and 47 percent in credit cards. 
(Editor's Paradigm Shift Note:  Just as Macy's "net profit" surged 29% (net as in Internet, not gross vs. net) while their bricks and mortar sales shrank 7.7%, debit card volume grew 13 percent while credit card volume shrank 2%.)

MasterCard has 126 million debit cards in use in the United States, while Visa has 314 million debit cards.


99% of "SSL Secure" Websites Are Not

Only 1 Percent of SSL-Secured Sites Use Extended Validation SSL - DarkReading
Calls for widespread EV (Extended Validation) SSL implementation are on the rise as SSL threats increase

By Kelly Jackson Higgins - DarkReading

Two years after its rollout, the more secure Extended Validation Secure Sockets Layer (EV SSL) digital certificate for authenticating Websites and securing Web sessions is used on more than 11,000 Websites worldwide. But that's only 1 percent of the 1.03 million sites currently secured with SSL certificates, according to Netcraft. 

Editor Translation: 
99% of "SSL Secure" websites are "SOL" when it comes to security.

Meanwhile, calls for EV SSL adoption have intensified amid concerns of new man-in-the-middle (MITM) attacks targeting newly discovered weaknesses in SSL, namely the MD5 encryption algorithm hack that allows the creation of forged CA and X.509 digital certificates, and the MITM attack demonstrated at Black Hat DC that basically makes users think they are visiting a secure Website when they are not.

Continue Reading at DarkReading


Facebook a Conduit for Viral Surges

BBC NEWS | Technology | Facebook users suffer viral surge
Facebook has been targeted by malicious hackers seeking to steal valuable data from members. The social network site has been hit by five separate security problems in the last seven days, say security experts.

By creating fake messages padded with details of Facebook members the thieves are capitalising on the trust and social links that drive the network.  Security firms warn that the popularity of social networking sites makes them a tempting target for hi-tech thieves.

Trust network

"It's been a pretty bad week for social networking in general," said Rik Ferguson, senior security advisor at Trend Micro.

In the last week, said Mr Ferguson, Facebook had been hit by four malicious applications as well as a new variant of the Koobface virus that first targeted members of the social site in December 2008. The rogue applications on Facebook all try to steal saleable information from the profiles of those who open it up, said Mr Ferguson.

One malicious application tried to trick people into adding it by claiming that their friends were having trouble looking at their profile. If the application is added it spams itself to every Facebook friend that a member of the site has. Even as Facebook stamps out one malignant application, it can pop up in another place.

Once installed the malicious program hunts for cookies on a victim's computer and uses the details it finds in the small text files to log into other social sites that person may be a member of. 

Editor's Note:  I have to wonder out loud why they wouldn't be able to log into Twitter as "anyone they want" and wipe out "anyone they want's" prepaid "Twitpay" account. 

Watch for the headline of that particular breach by the end of the year....

Continue Reading at the BBC
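The cookie-theft mechanism in the BBC piece, and the Twitpay worry in the editor's note, come down to one property: a session cookie is a bearer token, so whoever copies it is the user. The Python model below is an added example, not Facebook's, Twitter's or Twitpay's code; the SessionServer, its cookie format, its balances and its pay action are hypothetical. It shows a stolen cookie succeeding at a money transfer, and the same transfer being refused when the site demands a factor that was never in the cookie jar.

```python
"""Why a stolen session cookie is enough to act as the victim, and what a
second factor outside the cookie jar changes.

Added example; it is not Facebook's, Twitter's or Twitpay's code. The
SessionServer, its cookie format and its pay action are hypothetical.
"""
import hashlib
import hmac
import secrets


def _hash_pin(pin):
    """Server-side PIN verifier (a real deployment would salt and stretch it)."""
    return hashlib.sha256(b"pin:" + pin.encode()).hexdigest()


class SessionServer:
    """A site that issues a bearer cookie at login and trusts it afterwards."""

    def __init__(self):
        self.sessions = {}                      # cookie value -> user
        self.balances = {"alice": 100, "bob": 0}
        self.pin_hashes = {"alice": _hash_pin("4321")}  # never stored client-side

    def login(self, user, password):
        # Password check elided; the point is the cookie that comes back.
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def pay(self, cookie, to, amount, pin=None, require_pin=False):
        """Move money; the cookie alone authorizes it unless require_pin is set."""
        user = self.sessions.get(cookie)
        if user is None:
            return "rejected: no session"
        if require_pin:
            ok = pin is not None and hmac.compare_digest(
                _hash_pin(pin), self.pin_hashes[user])
            if not ok:
                return "rejected: second factor missing or wrong"
        if self.balances[user] < amount:
            return "rejected: insufficient funds"
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return f"ok: {user} paid {to} {amount}"


def stolen_cookie_attack(require_pin):
    """Malware copies the victim's cookie and replays it from another machine.

    Returns (server response, victim balance afterwards).
    """
    srv = SessionServer()
    victim_cookie = srv.login("alice", "correct horse battery staple")
    stolen = victim_cookie            # read from the cookie jar by the malware
    result = srv.pay(stolen, "bob", 40, require_pin=require_pin)
    return result, srv.balances["alice"]


def legitimate_payment():
    """The real user, supplying the factor the cookie jar does not contain."""
    srv = SessionServer()
    cookie = srv.login("alice", "correct horse battery staple")
    return srv.pay(cookie, "bob", 40, pin="4321", require_pin=True)


if __name__ == "__main__":
    print(stolen_cookie_attack(require_pin=False))
    print(stolen_cookie_attack(require_pin=True))
    print(legitimate_payment())
```

The caveat, and it is the one this blog keeps returning to: the second factor only helps if the compromised machine never sees it. A PIN typed into the same PC that leaked the cookie can be captured along with it; a PIN entered on a separate piece of hardware cannot.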

Gartner: 7.5% of US Adults Victims of Financial Fraud

About 7.5 percent of U.S. adults lost money as a result of financial fraud last year, mostly due to data breaches, according to a new Gartner study released last night.

In the survey of nearly 5,000 consumers, 70 percent said they had never been a victim of identity theft fraud. Meanwhile 14 percent said they had had their credit card information used to charge purchases or get money, 7 percent said their debit card was used, 6 percent said a new account had been opened in their name, 5 percent had money transferred out of their account, and 4 percent had had checks forged.

The study also looked at why people switch banks and concluded that security and financial health of a bank were of about equal importance to consumers, said Gartner analyst Avivah Litan.

Continue Reading at CNET News


Twitpay out of Beta but is it Alpha?

From the Twitpay Blog:  Twitpay taken out of Beta...

First, an overview. 

In order to use this service you must first sign up, secondly transfer (PUT SOME CASH) money into your Twitpay account, which is administered by Amazon, and third, use Amazon Payments to move your cash to and fro.  This isn't a true money transfer...it's a prepaid service.   Otherwise you would not have to "fund" a third party first in order to fund a first party second...

According to Twitpay’s FAQ page, the app was created “because Silicon Alley Insider said it was a billion dollar business (and) a billion dollar business sounded good to us.”   It is a good idea. As you'll read below, Twitpay themselves admit that "we’ve faced some challenges, mostly because doing money transfer is a pretty complicated thing to do. There are a lot more regulations to comply with than we guessed over that weekend in November".  Well guess what.  Hackers can (and will) make it even more complicated in the future. 

The idea of taking your cash out of your checking or savings account and placing it into another account before it can be transferred seems to be too "middlemanish."  Why go through that extra step when instead you could completely eliminate the middleman?  It seems to me that with no middleman, you would eliminate "man-in-the-middle" attacks.  That's how HomeATM's P2P money transfer service is designed.  You enter the email of the recipient, swipe your card, enter your PIN, hit Send.  They receive the email, swipe "their" card, enter "their" PIN and hit Receive.  Simple, yes?  Dually authenticated on BOTH ends, with beginning-to-end encryption.  And it's done in "REAL-TIME". 

This from the Twitpay Blog:

Today, we’re taking Twitpay out of beta and putting it out there for everyone to use. (If you don’t like to read long blog posts: we’re turning on “real money” powered by Amazon Payments. We’re excited. Twitpay is awesome.)

Since our unusual inception at Atlanta Startup Weekend 2 we’ve had an interesting few months. As a company, we’ve faced some challenges, mostly because doing money transfer is a pretty complicated thing to do. There are a lot more regulations to comply with than we guessed over that weekend in November. We’ve also seen some competition, and some copycats. We welcome the former, and are annoyed by the latter, although the job post for “build a clone of Twitpay” was really appealing. Maybe we should have applied for it…

Mostly what we’ve seen is that you want to use Twitpay, just like we do. In fact, the most frequent question (maybe the only question) we get asked is “When can I do real money?”

We’re exceedingly happy to say that the answer is “right now.”

As we’ve thought about what’s important about social payments, a few things stayed in the front of our minds: they have to be really easy, and they have to be secure. We got the easy part down on Day 1: just tweet the money and it goes! If you haven’t used Twitpay yet, here’s how it works:

1. Post a tweet like ”@ev twitpay $1 because Twitter is awesome”
2. There’s no Step 2!

Our apologies to Jeff Goldblum.

If you’re sending money to someone who will probably send you some back later (settling up your coffee shop tab every day) you may be happy with just keeping track. For most of us, though, there are times when you want to send “real money.”

The standard way to solve this is to say “Well, you give some money to Twitpay, and then later we’ll give it to the person you sent money to.” In fact, that’s what we started to do at first. Something didn’t sit right with us, though. Why should you trust Twitpay with your money? You don’t know us. Even more importantly, in the above scenario, Twitpay effectively becomes a bank. And while the allure of TARP funds is seductive, we’ve heard some rumblings lately that maybe being a bank isn’t the greatest idea right now.

So we decided not to ask you to trust us. Working with Amazon Payments, we’ve built a new version of Twitpay that means we don’t have to be the middle-man for your cash. That’s good for you as a user because you don’t have to trust us with your money, you just have to trust Amazon. It’s good for us as a service because it allows us to focus on adding new features and focus on the core of our business.

So as of 12:01 AM, March 3, 2009, Twitpay is live with real money. And we are also the most secure and trustworthy social payment platform out there. If you have any ideas or suggestions, please visit us and click on the Support link. We look forward to hearing from you.


IBM Agrees with HomeATM...Hardware Required

IBM Looks to Secure Internet Banking With USB Stick - Business Center - PC World

IBM's Zurich research laboratory has developed a USB stick that the company says can ensure safe banking transactions even if a PC is riddled with malware.

A prototype of the device, called ZTIC (Zone Trusted Information Channel), is on display for the first time at the Cebit trade show this week. IBM hopes to entice banks into buying it for online banking, which saves banks money on personnel costs but is constantly under siege by hackers.

When plugged into a computer, ZTIC is configured to open a secure SSL (Secure Sockets Layer) connection with a bank's servers, said Michael Baentsch, product manager for BlueZ Business Computing at the Zurich lab.

ZTIC is also a smart-card reader and can accept a person's bank card for verification. Once a PIN (personal identification number) is verified, a transaction can be initiated through a Web browser.

Web browsers, however, are a point of weakness for online banking because of so-called man-in-the-middle attacks.

Hackers have created malicious software programs that can modify data as it is sent to a bank's Web server but then display the information the consumer intended in the browser. As a result, a person's bank account could be emptied. Man-in-the-middle attacks are also effective even if the bank's customer is using a one-time password generator.

The ZTIC, however, bypasses the browser and goes directly to the bank. It ensures that the data exchanged is accurate.

Editor's Note:  Sounds like IBM agrees with Avivah Litan, who agrees with HomeATM.  Hardware is not an option...it's a necessity.

For example, say a bank customer wants to transfer money. The customer will input US$100 into a form in the browser. The bank's servers will then try to confirm the amount. During a man-in-the-middle attack, the attacker is capable of transferring $1,000 but can modify the confirmation message to still show $100.

Since it has a direct secure connection with the bank's servers, the ZTIC will show the amount that actually has been requested to be sent. So even if the browser shows a confirmation for $100, the ZTIC will show $1,000, indicating a man-in-the-middle attack in progress, Baentsch said. The user would know to reject the transaction and press the red "x" button on the ZTIC.

"If malware is attacking your online banking transaction, it will show you something strange has happened," Baentsch said.

IBM expended a lot of effort to figure out how to initiate an SSL session within a USB stick, Baentsch said. It takes some processing muscle, and since the USB stick runs independently of the PC, it does not have access to the computer's processor.

ZTIC uses a chip from microprocessor designer ARM, and the software has been designed so it can quickly establish a SSL session, Baentsch said. Although it is a memory stick, no data can be stored on it, which also prevents malicious software from infecting it.

Using ZTIC would also prevent phishing attacks, where a fraudulent Web site tries to elicit sensitive details from a user, and pharming attacks, where DNS (Domain Name System) settings have been tampered with, Baentsch said. ZTIC checks to ensure that the Web site has a valid security certificate.

IBM has internal figures on how much the ZTIC might cost for banks, but Baentsch wouldn't reveal them, saying that it would depend on the final design specifications of the ZTIC and other factors.
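The $100-versus-$1,000 scenario above is the whole argument for a trusted display, so here it is as a runnable Python model. This is an added example and not IBM's ZTIC firmware or protocol; the message layout, the per-device key, the HMAC confirmation and the Bank and TrustedDevice classes are assumptions chosen to show why a confirmation that arrives over the device's own channel, and an approval bound to exactly the displayed order, defeat a browser man-in-the-middle that a one-time password does not.

```python
"""Model of transaction confirmation over an independent trusted channel.

Added example; it is not IBM's ZTIC firmware or protocol. The message
layout, the per-device key, the MAC construction and the Bank class are
assumptions made to show why an out-of-band display defeats a browser MITM.
"""
import hashlib
import hmac

DEVICE_KEY = b"per-device-secret-provisioned-by-the-bank"  # assumption


def confirmation_mac(tx):
    """MAC binding the device's approval to exactly the order it displayed."""
    msg = f"{tx['to']}|{tx['amount']}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


class Bank:
    """Sees only what arrives over the browser channel, which may be tampered."""

    def __init__(self):
        self.executed = []

    def confirmation_for(self, received):
        """What the bank intends to execute; sent to the device over its own channel."""
        return {"to": received["to"], "amount": received["amount"]}

    def execute(self, received, mac):
        """Execute only if the device approved exactly this order."""
        if not hmac.compare_digest(confirmation_mac(received), mac):
            return False
        self.executed.append(dict(received))
        return True


class TrustedDevice:
    """Own display and buttons; the PC cannot alter what it shows."""

    def show_and_ask(self, bank_confirmation, user_intended):
        # The user compares the device display with what they actually typed.
        if bank_confirmation != user_intended:
            return None                                  # red "x": reject
        return confirmation_mac(bank_confirmation)       # approve


def run_transfer(user_intended, malware_rewrite=None, use_device=True):
    """Return the list of transfers the bank actually executed."""
    bank = Bank()
    sent = dict(user_intended)
    if malware_rewrite:
        sent.update(malware_rewrite)   # browser MITM rewrites the order in flight
    confirmation = bank.confirmation_for(sent)
    if not use_device:
        # The browser shows the user their intended amount (the malware also
        # rewrites the confirmation page), and the bank executes what arrived.
        bank.executed.append(sent)
        return bank.executed
    mac = TrustedDevice().show_and_ask(confirmation, user_intended)
    if mac is None:
        return bank.executed           # rejected on the device: nothing ran
    bank.execute(sent, mac)
    return bank.executed


if __name__ == "__main__":
    order = {"to": "ACME", "amount": 100}
    print("browser only, tampered:", run_transfer(order, {"amount": 1000}, use_device=False))
    print("trusted device, tampered:", run_transfer(order, {"amount": 1000}, use_device=True))
    print("trusted device, honest:", run_transfer(order, use_device=True))
```

Two things the model makes visible. First, the device does not need to trust anything on the PC: its view of the order comes from the bank over a channel the browser never touches. Second, the approval is a MAC over the displayed amount, so malware cannot collect an approval for $100 and attach it to a $1,000 order; a one-time password, which is not bound to any particular transaction, gives no such protection.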
