Monday, March 9, 2009

Updated: Acculynk...Where's the PIN Offset? My Pet PVV



Updated:  I just got off the phone with Chris A. Mark, CEO and Founder of the Aegenis Group and the Society of Secure Payment Professionals.  

Apparently,  John Stewart, Editor of Digital Transaction News, saw this post and called Chris to discuss a "hardware vs. software" approach.

I had our CEO, Ken Mages join us on the phone.  Chris is probably one of the foremost experts in PCI and payments security and 1 of about 20 people in the world who "truly" understands how a PIN transaction works, so since Ken is another 1 of the 20, it made sense for him to collaborate with Chris.

In fact, here's a little backgrounder on Mr. Mark:  Quite impressive to say the least... 

The Aegenis Group is led by

Chris MarkChris Mark, CISSP, CIPP; CEO/President and Founder

Mr. Mark is an experienced information security professional and PCIexpert. Over the past six years, Mr. Mark has worked in variousinformation security capacities within the payment services’ segment.Most recently, Mr. Mark was employed at MasterCard Worldwide where hewas one of MasterCard’s representatives on the Payment Card IndustrySecurity Standards’ Council (PCI-SSC)Technical Working Group. In addition to founding an informationsecurity company and conducting numerous PCI assessments for merchants,service providers, and members, Mr. Mark has worked with bothMasterCard Worldwide and Visa USA on components of their respectivedata security programs.

Mr. Mark is also contracted with Visa to train all of their majoracquirers and the top 3000 merchants in the PCI DSS. Prior to joiningthe civilian sector, Mr. Mark served in both the United States MarineCorps, where he operated as an elite Force Reconnaissance Marine andMarine Scout/Sniper, and in the US Navy where he was selected to serveas a Navy SEAL Officer. Subsequent to sustaining a career endingtraining injury, Mr. Mark served as the Training Officer and ChiefInstructor of the US Marine Corps Basic Reconnaissance Course where hewas responsible for screening, selecting, and training eliteReconnaissance Marine Candidates. Mr. Mark is a combat veteran ofOperation Continue Hope, Mogadishu, Somalia. Mr. Mark holds the CISSP,and CIPP professional certifications, numerous technicalcertifications, and has an MBA and BA degrees.


Here's an excerpt from an email he sent me:


John,

John Stewart from Digital Transactions called to ask about the differences in Home ATM and Acculink.  I was very clear that conceptually I feel HomeATM is a much better solution.
Please feel free to call me to discuss the article comments.

Chris
Chris A Mark, CISSP, CPISA, CPISM, CIPP
The Aegenis Group, Inc.





We spoke at length about the security of our solution and he was impressed enough to want to learn more and we are happy to provide him with anything and everything we can so that we can empower his analysis.  We agreed to FedEx him a SwipePIN device (pictured below) and we'll talk again after Ken gets back from the Merchant Risk Council meeting in Las Vegas on Thursday or Friday.   I'll provide an update.   Here's the rest of the story....



In an effort to prove that I am not alone in questioning the security of Acculynk's Floating PIN Pad I am going use a respected third party resource to back up my concerns... just in case people confuse common sense for competitive jealousy.  I assure you, I have none.  (common sense that is...lol)

In fact, in an act of fairness...I hereby extend an open invitation to any C-Level Executive at Acculynk to address the two questions highlighted on the graphic on the left.  I am more than happy to allow them the opportunity to set the record straight.  It is not my intention to berate their solution.  It IS my intention to prevent a future breach that makes Heartland's pale in comparison...which is exactly what would happen if hackers got their fraudy-little fingers on PIN's.

As I said, I've spoken to Acculynk President Nandan Sheth quite a few times over the course of the last year and have nothing but good things to say about the him. As a matter of fact, after taking my cell-phone off the charger, I see that I missed a call from him earlier this afternoon, so I owe him a return call...
   

The following is from the Society of Payment Security Professionals blog written by Chris A. Mark, CISSP, CPISA, CPISM, CIPP, Founder and CEO of The Aegenis Group.

In the article he published last October, Chris questioned the security of Acculynk's Floating PIN Pad. 
Online PIN Debit; Great Idea or Not so Great Idea?

The big questions he asked about (besides security) is that if a "card is not present" (CNP) i.e. in Acculynks model one must manually type in the credit or debit card's personal account number (PAN) and if it's determined that the card can be used with a PIN, then the floating PIN Pad GUI pops up.  The e-shopper then uses the floating PIN Pad to enter their PIN.  So...with no swipe...just type...they want to know: "Where is the PIN Verification Value (PVV) and where is the PIN Offset stored?"  Good questions!  In a traditional PIN Debit transaction (like the one that most closely mimics the consumer experience in a grocery store...
the PVV and PIN Offset is resident on the magnetic stripe.  No Swipe...No Stripe!  No Stripe...No PVV...NO PIN Offset.

Besides the fact that in 500+ breaches, software was 92 times more likely to be breached than hardware, those were two more very important reasons why HomeATM went with a Hardware based solution.   

Here's an excerpt from the Society of Security Professional Blog:

I (Chris) want to thank Susan Kohl for sending this over. Digital Transactions has published several articles on new technology that will allow PIN Debit for eCommerce sites. Read the article here.

In short, the new technology will present a buyer with a floating ‘PIN Pad’ on the screen. Users can then enter their PIN which will then allow the merchant to immediately debit the user’s account for payment. While the technology appears very compelling from a convenience perspective I have to admit that it also gives me pause. In my mind, there are a number of potential issues with this technology. I am sure (or at least hoping) the companies, banks and card brands are working through these issues but they merit discussion here anyhow.

From a security perspective, I am challenged by the technology. My first thought is key stroke logging and malicious software. Now I know people will likely say that this is possible with traditional eCommerce transactions. This is accurate. In this scenario, however, PIN data is being transmitted. As discussed in a previous entry, there may not be a limit to the liability associated with compromise of PIN data. It brings another question to light, as well.

If the transaction is a ‘card not present’ transaction then where is the PIN Verification Value / PIN Offset stored?

In a traditional PIN Debit transaction it is resident on the magnetic stripe of the card. This has several benefits one of which is that it prevents a data thief from obtaining a PIN and only the primary account number and being able to conduct PIN based transactions.

If the card is not required to be presented, it appears that this would allow fraudsters to obtain the PAN or other card data and the PIN and conduct transactions.

Editor's Note:  Holy Grail Batman!  See I'm not biased.  And I'm not alone with my "concerns." Do you have any?  As always, feel free to leave a comment.  Click on the title of the post, and the comments will be enabled on the bottom.  Have a salubrious weekend!   






Reblog this post [with Zemanta]

Ten Commandments of Web Payments




The Ten Commandments of the Web Payment Card Industry

I   Thou shalt assume that the operating system software environment is compromised by all sorts of malware.

II
   All cards shall be secured with a PIN number.

III
  No user will ever be asked to provide their PIN to anyone.

IV
  All PIN numbers shall be entered via a secure I/O method, either an encryptedPED or controlled keyboard input.

V
   All credit card PIN’s must differ from your bank issued PIN.


VI   All card, personal, and key information shall be encrypted in volatile siliconand/or memory prior to transmission.

VII
  At no time will any sensitive data be transmitted in the clear.

VIII
No card or account data will be stored in user accessible storage.

IX
   All silicon will be secured to a circuit board with a Tamper ProofModule or Trusted Platform Module.

X      On any wPCI certified web portal, no two parties will directly transmitaccount information to one another.





Reblog this post [with Zemanta]

Acculynk Most Closely Mimics Grocery Store Experience?

Yesterday after three years in Montreal, HomeATM Chairman and CEO, Ken Mages, arrived back in his (and mine) hometown of  Chicago.  One of the first things he did upon arrival was return a phone call to John Stewart, Editor of Digital Transactions to address the recent announcement by Acculynk that Accel Exchange has agreed to roll out a pilot.    

They published the story late yesterday afternoon entitled: "Web Based PIN Debit Picks Up Momentum with Pilot and New Deals"  (to read the whole story click the link at the bottom of this post)  I found the story interesting on several levels. But my favorite quote is at the end of the story.  (click any graphic to enlarge)


To surmise, it all comes down to whether PIN Debit for the Web should be Hardware or Software based.   Our position is clear.  Their's not so much.  Here's an excerpt from the article with my thoughts in bold grey italics...
HomeATM’s Mages contends Acculynk’s product is vulnerable to hackers who could, for example, screen-scrape users’ sessions as they click on the floating PIN pad.

Editor's Note:  Screen Scraping is oldhat to BlackHats.  The real concern is the recent surge of a NEW generation of attacks, for example: SSL vulnerabilities, Trojans,
(for example, Tigger...a new type of malware that injects code intouser-mode processes."  "This component takes screenshots, hooks COM for spying on browser events, and exports passwords[from] protected storage, network and dial-up.  It also steals webcookies, steals certificates, and puts the NIC in promiscuous mode tosniff FTP and POP3 passwords)" worms and man-in-the-middle attacks.  But those were not addressed in this particular article.  Screen scraping was touched upon...  


With HomeATM’s product, cards are swiped and PINs entered only on the peripheral device, with all data encrypted from swipe to transmission to issuers. (Editor's Note:  HomeATM also encrypts Track 2 data)  “If I can see it on your screen, I can capture it,” Mages argues.

Without going into details
, Acculynk’s CEO Ashish Bahl counters that each click is encrypted in ways intended to frustrate hackers. Editor's Note: That's an interesting one. No details I can understand, but when hackers get frustrated they get motivated.  Frustrating hackers, in my mind is not the level of security I want associated with PIN Debit for the Web)...

At the same time, he adds, the resources necessary to predict when to start and stop screen scraping with each click would be cost-prohibitive even for determined fraudstersEditor's Note: Cost prohibitive is relative to the potential return.  Personal Identification Numbers are the "holy grail" for hackers.  You have the PIN's and you the capability to empty bank accounts.  So, in my humble opinion, there's no such thing as a "cost prohibitive" barrier when it comes to PIN's.  Especially, if they're "determined."  The "Holy Grail" is NOT a cost-prohibitive entity.  It's something hackers would want to get their hands on "at all costs."


For now, Accel/Exchange is satisfied with the security of Acculynk’s system. Editor's Note:  I would suggest that "for now" sends the wrong message.  Yeah, it's good "for now" and we'll take a wait and see approach as to whether or not we're right?  That's a pretty bold gamble.  Too bold.  Heartland's CEO thought the same thing...we're good for now...but then after what could be the biggest breach ever, he called for end-to-end encryption.  Translation: It wasn't good enough. 

We did our own [investigative] work, then we sent in a third-party auditor,” says Kelly. “They approved it.”  Editor's Note:  Okay, so Accel Exchange is willing to take the risk that they could be forever remembered as "Accel Exchange for PIN's to Hackers" but WHO? is the 3rd party auditor?  Why aren't they putting their reputation on the line as is Accel?  Could it be TrustWave?  They're the group that PCI certified Hannaford, RBS WorldPay and Heartland.  Speaking of PCI certified...it's literally impossible to certify each and every PC that is used to enter the PIN's...so why was there no mention in this article on how they're going to address that issue?)

Kelly says he can’t predict which method (Hardware vs. Software) will ultimately dominate what is now a nascent business in processing Web-based PIN debit transactions. “Who knows who’s going to be the right solution?” he says.    Editor's Note:  Did he just really say that he can't predict which method is right and that he doesn't know if what he's doing is right?  No...maybe I read that wrong... 

“For us, Acculynk most accurately mimics the consumer experience at a grocery store.” Editor's Note: I KNOW I read that right:  This is scary folks...he said, "most accurately "MIMICS the consumer experience at a GROCERY STORE?  He did say that right?  I hate to sound sardonic, but when was the last time you walked into a grocery store and used a floating PIN Pad?  I go to the grocery store quite often and everytime...including the last time...there was a "HARDWARE" device.  Maybe what he meant to say is that it mimics the grocery store experience in the sense that someone can look over your shoulder and watch you enter your PIN.

Sounds like Mr. Kelly is a bit confused.  In order to make sure there is NO confusion, HomeATM's "Third Party" was Witham Laboratories, 1 of 8 approved by PCI to test...and  they vigorously tested and found our hardware device to "meet or exceed" PCI  PED 2.0 standards.

Furthermore, HomeATM's hardware device not only "accurately mimics" the consumer experience at the grocery store, it does it one step better.  It "PRECISELY MIMICS" the consumer experience in the lobby of their bank.  (not the satellite one down the street) 
The only difference is that(unless you install your own) there's no possibility of a hidden camerato record your PIN as you enter it, there's no possibility of askimming device, and even if someone were to break into your home,leave your 52' LCD on the wall and try and tamper with our device, itwould shut down, because it's literally "tamper proof."    
I understand why Accel Exchange is willing to take drastic measures to increase their growth (see chart above left...they have the most minitesmal growth of any EFT Network in the Top 10) but this may be a bit TOO drastic.  The only thing that's SAFE to say about this development is that since Accel is only in 6 out of 50 states, (Alaska, California, Idaho, Nevada, Oregon and Washington) 88% of the country will still have PIN security. 
Read Entire Article at Digital Transaction News












Reblog this post [with Zemanta]

HomeATM Blog Included in "Best of the Best" by Alltop

The HomeATM PIN Payments Blog has been honored with a "Best of the Best" classification from Alltop. We humbly accept. (Follow this blog on Twitter).

We've been placed in the "banking section" along notables such as Glenbrooks's Payments News, NetBanker, (the Finovate people) Bank Info Security and the New York Times Banking Section. (see graphic on right)

As long as I've started a post announcing our inclusion in Alltop's Best of the Best, let me clarify something that's been bothering me. We (along with a myriad of others) have been referred to as "an alternative payments company." Quite the opposite is true. HomeATM does not offer an alternative payment platform. We offer a mainstream platform for an alternative space. There are lots of "alternative payment" companies out there. In fact one seems to crop up every week. What makes HomeATM's PIN Payment platform DIFFERENT is this:

A PIN based payment is NOT an alternative payment at all. Debit recently overtook Cash as King, and PIN Debit is the most preferred form of payment by BOTH consumers and merchants alike. Our platform most accurately mimics the consumer experience at a grocery store. Swipe your card (more convenient than having to type a 14-16 digit number), and enter your PIN.

Therefore it is a "Mainstream" payment. The only difference is, with HomeATM's SwipePIN device, you would do it in the safety of your own Homethereby alleviating the risk of someone looking over your shoulder andstealing your PIN. Another big difference is that with your own "personal" swiping device, you know it hasn't been tampered with. In addition, the PIN is end-to-end encrypted.

The only thing alternative to PIN Payments is that there are "two" approaches (alternatives) towards providing a PIN Payment mechanism for the Internet. 1. Hardware 2. Software

When it comes to breaches, software is, well, "soft." 92% of 500+ breaches were software related. 1% was Hardware. (Tampering caused the vast majority of Hardware breaches and ..our's is "tamper-proof."

Recently, Acculynk, who takes a "software" approach has made some strides with a smaller EFT Network. (Accel Exchange) whose General Manager, Mike Kelly, believes that their solution "most accurately mimics the consumer experience at the grocery store."

Based on the logic exemplified from that statement, it's not surprising they've chosen Acculynk. Meanwhile, a much larger (10 times) EFT Network has already written off a software based solution as potentially dangerous to the whole ATM Debit ecosystem.


Speaking of "Confirmation we Kick Ass,"... for hundreds of years people have fought for what they believe to be right. But...we have yet begun to fight. HomeATM believes common sense will prevail. But first, here's a swift kick in the ass to a software based PIN application.

Without obtaining the PIN Offset, or the PIN Verification Value, which both reside on the magnetic stripe, your PIN can (we say...will) be compromised. Swipe...never Type. If your card information is going to be "swiped" anyway, should you be the one doing the "SwipePIN?"

From the Society of Payment Security Professionals:

If the transaction is a ‘card not present’ transaction then where isthe PIN Verification Value / PIN Offset stored? In a traditional PINDebit transaction it is resident on the magnetic stripe of the card. This has several benefits one of which is that it prevents a datathief from obtaining a PIN and only the primary account number andbeing able to conduct PIN based transactions. If the card is notrequired to be presented, it appears that this would allow fraudstersto obtain the PAN or other card data and the PIN and conducttransactions.

So where's the "logic" behind the Accel Exchange's decision to implement a software based solution which DOES NOT protect the PIN? One can only guess they're using the same logic they used when they said that a "floating PIN pad" most accurately mimics the consumer experience at the grocery store. (click picture to enlarge)








Reblog this post [with Zemanta]

Intelligent ATM's



Forex bureaus face competition from ‘intelligent’ ATMs Written by Okuttah Mark March 9, 2009:

The roll out of new automated teller machines (ATMs) that can enable individuals to change foreign currency, deposit cash and checks will not only change how people transact business, but also poses a threat to forex bureaus.

The new development comes as some banks roll out mobile and Internet-based banking in a bid to cut costs, increase efficiency and reach a wider audience.

The first of its kind to be installed in Kenya, the new “intelligent” ATMs unlike those currently used, will enable users, both those with the bank accounts or without, to deposit cash or checks without having to put them in envelopes.

“Depositing cash through the ATMs while wrapped in envelopes requires that at least two tellers must be present to confirm the amount, while the client who deposits it after working hours must wait up to 11 a.m the following day before it reflects in his or her account,” said Wilson Kigwa, the marketing manager at NCR, an American company that provides technology solutions to financial institutions.

However with the new ATMs, the cash deposited is reflected in the account within minutes, thereby giving the client ability to withdraw the cash or part of it just immediately when need arises.


Business Daily, Nairobi


Reblog this post [with Zemanta]

New Visa Commercial - Aquarium

Visa's new Aquarium Television Commercial. More People Go with Visa.








Client: Visa
Agency: TBWA/Chiat/Day, Los Angeles
Executive Creative Director: Rob Schwartz
Group Creative Director: Patrick O'Neill
Art Director: John Dwight
Copywriter: Paul Sincoff
Agency Executive Producer: Guia Iacomin
Agency Senior Producer: Veronica Beach
Agency Producer: Aileen Baliat
Production Company: foreignfilms
Director: Matthias Zentner
Executive Producer: Federico Fasolino
Line Producer: Gustaf Richter
Post Production: Velvet
Post Executive Producer: Gustaf Richter
Editor: Jochen Kraus
Flame Artist: Sylvi Roessler
Shake: Manuel Voss,
Christian Stanzel,
Viktoria Herbert,
Tobias Wiesner
CGI: Blackmountain
VFX Supervisor: Abdelkareem Abonamous,
Andreas Illenseer
Director of Photography: Torsten Lippstock
Underwater DOP: Didier Noirot
Sound Design: Amber Music
Executive Producer (Amber): Michelle Curran


Reblog this post [with Zemanta]

Chase Paymentech and Web.com Form Alliance


Web.com and Chase Paymentech Form Alliance to Benefit Small and Medium-Sized Businesses



Joint Collaboration Provides Merchant Payment Processing Solutions to Web.com Customers

DALLAS, TX. AND JACKSONVILLE, FL. – March 9, 2009 – Web.com (NASDAQ:WWWW), a leading provider of online marketing for small businesses,announced today an agreement with Chase Paymentech to offer merchantpayment processing solutions to small and medium-sized businesses(SMBs).  Chase Paymentech is widely-recognized as a leader in merchantacquiring and payment processing and provides SMBs with affordablemerchant payment processing and online marketing solutions.

Web.com customers will have access to multiple secure paymentprocessing services including all major credit, debit and customizablegift cards.

"This partnership is a natural fit matching two companies with asingular vision to assist small and medium-sized businesses to grow theprofits of their businesses," said Peter Gasparro, Group Executive forChase Paymentech. "Our merchants depend on our industry-leading paymentplatform, from stored-value solutions and point-of-sale payments, toonline transactions. Our commitment to excellence and staying ahead ofthe curve is what led us to partner with Web.com."

"To be able to offer our customers a full spectrum of secure andreliable payment processing solutions by an industry leader is anexciting development," said David Brown, Chairman and CEO of Web.com."Giving our customers innovative payment tools at the same paymenttransaction rates generally available to larger companies, gives them amuch needed advantage.  We anticipate that this partnership willbenefit the vast majority of our customers presenting them withadditional ways to grow their business, save considerable costs andtake advantage of the latest merchant payment solutions."

Under this arrangement with Web.com, merchants will have access toChase Paymentech’s suite of electronic-payment solutions and will beeligible for a free rate analysis to understand their total cost ofaccepting electronic payments.
SMBs interested in obtaining a free rate analysis, can call 866-550-6151. Additional information can be found at: http://www.web.com/landing/chase/default.aspx.

About Chase Paymentech
Chase Paymentech, a business unit ofJPMorgan Chase, is a global leader in payment processing and merchantacquiring, capable of authorizing transactions in more than 130currencies. The company’s proprietary platforms provide access to awide variety of payment methods, such as credit cards, debit cards,prepaid stored value cards and electronic check processing. With alegacy of innovation and vision in electronic payments, ChasePaymentech promoted the growth of eCommerce worldwide. The companycontinues to fuel the success of the Internet's largest brands,currently processing more than 50 percent of all Internet transactions.Offering secure payment solutions, improving cash-flow management,mitigating risk and accelerating funding - Chase Paymentech'sconsultative approach helps today's small and emerging businessesbecome tomorrow's industry leaders. On the Internet or at the point ofsale, Chase Paymentech's unique combination of outstanding service,innovative solutions and financial strength offers solid benefits tocompanies both large and small. More information can be found at www.chasepaymentech.com.

About Web.com
Web.com Group, Inc. (NASDAQ: WWWW) is a leadingprovider of online marketing for small businesses. Web.com offers afull range of online services, including Internet marketing andadvertising, local search, search engine marketing, search engineoptimization, lead generation, home contractor specific leads, websitedesign and publishing, logo and brand development and eCommercesolutions, meeting the needs of small businesses anywhere along theirlifecycle. For more information on the company, please visit www.web.com or call 1-800-GETSITE.

Contacts:
James Wester
Chase Paymentech
877-843-5631
james.wester@chasepaymentech.com

Olga Gikas
Web.com
904-680-6679
ogikas@web.com

Source: Chase Paymentech
- Twitter Page


Reblog this post [with Zemanta]

Biggest Revolution in Payments in 40 Years?


ComputerWeekly.com

France Telecom's mobile network subsidiary Orange and Barclaycard are joining forces to develop new mobile payment technology for transactions under £10, the firms announced this morning.

The companies said 28 million customers in Londonwill be able to use their mobile phones to pay for goods and services at retailers simply by waving their handset against a reader.

Both are looking to expand the partnership to include other contactless services in ticketing, transport and rewards. MasterCard will provide the payment capabilities for the transactions.

This will be the biggest revolution in payments since plastic cards were introduced more than 40 years ago, they said.

The capacity to pay by mobile will emerge over the next few months from marketing schemes being set up by the firms.
Orange UK CEO Tom Alexander said more companies were looking to the mobile industry "to evolve" the way they do business with their customers. "A key part of our strategy at Orange is to grow and evolve our business in order to provide people with services beyond talk and text."

Antony Jenkins, CEO of Barclaycard, said, "There has been a lot of talk about mobile payments and now it is going to become a reality for our customers because of Barclaycard's commitment to contactless technology. I believe that all our UK customers will be able to use their mobile phones to pay for everyday items within three years."

Continue Reading




, , , , , , ,

Emperor-ically Funny! The Emperor Softwares No Close...



The Emperor Soft Wares No PIN


Editor's Note:  This morning,  I received an anonymous comment to the post entitled "Where's the PIN Offset...My Pet PVV.  

I found it to be clever, witty and comedic. 

Because the individual obviously took some time to craft it,  I decidedto share it by publishing it as a post.  It doesn't take a genius tofigure out the analogies here, but it's all been crafted in purefun...albeit, some may consider it to be a "third-rate" attempt atcomedy


All apologies to Hans Christian Anderson!   


MANY,many breaches ago lived a wealthy emperor, who thought so much ofshopping that he spent all his money in order to obtain clothes; hisonly ambition was to be always well dressed. He did not care for hissoldiers, and the theater did not amuse him; the only thing, in fact,he thought anything of was to drive out and show a new suit of clothes.He had a coat for every hour of the day; and as one would say of a king"He is in his cabinet," so one could say of him, "The emperor is in hisdressing-room." The emperor always prided himself on paying with cashand he guarded the PIN to his ATM card vigorously.

The great Georgia city where he resided was very gay; every day manystrangers from all parts of the globe arrived. One day two swindlers (Editor'sNote: he/she apparently wanted to stay as close to the original storyas possible, so anyone in Georgia, please don't be offended by the"gay" term.  It meant bright/happy as in "Don we now our GayApparel...fa la la...fa..la..la, fa la lol) came to this citycalled Duluth; they made people believe that they were weavers, anddeclared they could manufacture the finest cloth to be imagined. Theircolors and patterns, they said, were not only exceptionally beautiful,but the clothes made of their material possessed the wonderful qualityof being invisible to any man who was unfit for his office orunpardonably stupid. In addition, they told the emperor they couldaccept payments on the Internet with his PIN ATM card!

"That must be wonderful cloth," thought the emperor. "If I were to bedressed in a suit made of this cloth I should be able to find out whichmen in my empire were unfit for their places, and I could distinguishthe clever from the stupid. I must have this cloth woven for me withoutdelay." And he promised a large sum of money to the swindlers, inadvance, that they should set to work without any loss of time. Heagreed to pay with his ATM PIN card on their website.


Theyset up two looms, and pretended to be very hard at work, but they didnothing whatever on the looms. They asked for the finest silk and themost precious gold-cloth; all they got they did away with, and workedat the empty looms till late at night. They also created a website sothat the emperor could easily use his PIN ATM card to pay for thepurchases he so coveted.

"I should very much like to know how they are getting on with the clothand the website," thought the emperor. But he felt rather uneasy whenhe remembered that he who was not fit for his office could not see it.Personally, he was of opinion that he had nothing to fear, yet hethought it advisable to send somebody else first to see how mattersstood. Everybody in the town knew what a remarkable quality the stuffpossessed, and all were anxious to see how bad or stupid theirneighbors were.

"I shall send my honest old minister to the weavers," thought theemperor. "He can judge best how the stuff looks, for he is intelligent,and nobody understands his office better than he. Also, he is anaccredited third party who can judge the security of this new PINwebsite."

The good old minister went into the room where the swindlers sat beforethe empty looms. "Heaven preserve us!" he thought, and opened his eyeswide, "I cannot see anything at all," but he did not say so. Bothswindlers requested him to come near, and asked him if he did notadmire the exquisite pattern and the beautiful colors, pointing to theempty looms. The poor old minister tried his very best, but he couldsee nothing, for there was nothing to be seen. "Oh dear," he thought,"can I be so stupid? I should never have thought so, and nobody mustknow it! Is it possible that I am not fit for my office? No, no, Icannot say that I was unable to see the cloth. Nor could he see how theemperor would enter his PIN safely into this invisible website!"

"Now,have you got nothing to say?" said one of the swindlers, while hepretended to be busily weaving and pretending to build the payment page.

"Oh, it is very pretty, exceedingly beautiful," replied the oldminister looking through his glasses. "What a beautiful pattern, whatbrilliant colors! I shall tell the emperor that I like the cloth verymuch and that the PIN entry website is very safe."

"We are pleased to hear that," said the two weavers, and described tohim the colors and explained the curious GUI floating PIN pad pattern.The old minister listened attentively, that he might relate to theemperor what they said; and so he did.

Now the swindlers demanded more money, silk and gold-cloth, which theyrequired for weaving. They kept everything to themselves, and not athread came near the loom, and not a real transaction went through thefake website but they continued, as hitherto, to work at the emptylooms and blank website.

Soon afterwards the emperor sent another honest courtier to the weaversto see how they were getting on, and if the cloth was nearly finished.Like the old minister, he looked and looked but could see nothing, asthere was nothing to be seen. Neither could he see or use themysterious floating PIN pad.

"Is it not a beautiful piece of cloth and don't you love the website?"asked the two swindlers, showing and explaining the magnificent GUIpattern, which, however, did not exist.

"I am not stupid," said the man. "It is therefore my good appointmentfor which I am not fit.  It is very strange, but I must not let any oneknow it;" and he praised the cloth and the website, which he did notsee, and expressed his joy at the beautiful colors and the finepattern. "They are very excellent," he said to the emperor.

Everybody in the whole town talked about the precious cloth and magicPIN website. At last the emperor wished to see it himself, while it wasstill on the loom and the PC. With a number of courtiers, including thetwo who had already been there, he went to the two clever swindlers,who now worked as hard as they could, but without using any thread orHTML.

"Is it not magnificent?" said the two old statesmen who had been therebefore. "Your Majesty must admire the colors and the GUI pattern." Andthen they pointed to the empty looms and the blank screen, for theyimagined the others could see the cloth and the magic GUI PIN pad.

"What is this?" thought the emperor, "I do not see anything at all.That is terrible! Am I stupid? Am I unfit to be emperor? That wouldindeed be the most dreadful thing that could happen to me."

"Really," he said, turning to the weavers, "your cloth and website haveour most gracious approval;" and nodding contentedly he looked at theempty loom and blank screen, for he did not like to say that he sawnothing. All his attendants, who were with him, looked and looked, andalthough they could not see anything more than the others, they said,like the emperor, "They are very beautiful." And all advised him towear the new magnificent clothes at a great procession which was soonto take place and to pay online with his PIN ATM card. "They aremagnificent, beautiful, excellent," one heard them say; everybodyseemed to be delighted, and the emperor appointed the two swindlers"Imperial Court weavers and webmasters."

The whole night previous to the day on which the procession was to takeplace, the swindlers pretended to work, and burned more than sixteencandles while capturing PINs with the floating GUI PIN pad. Peopleshould see that they were busy to finish the emperor's new suit. Theypretended to take the cloth from the loom, and worked about in the airwith big scissors, and sewed with needles without thread, and said atlast: "The emperor's new suit is ready now. Let us pay for it with hisATM card and PIN!"

The emperor and all his barons then came to the hall; the swindlersheld their arms up as if they held something in their hands and said:"These are the trousers!" "This is the coat!" and "Here is the cloak!"and so on. "They are all as light as a cobweb, and one must feel as ifone had nothing at all upon the body; but that is just the beauty ofthem and the fact that you can pay for the clothes with just your PINATM card and our magic GUI floating mouse-clickable PIN pad makes thisall the better."

"Indeed!" said all the courtiers; but they could not see anything, for there was nothing to be seen.

"Doesit please your Majesty now to graciously undress," said the swindlers,"that we may assist your Majesty in putting on the new suit before thelarge looking-glass and before collecting your money?"

The emperor undressed, and the swindlers pretended to put the new suitupon him, one piece after another; and the emperor looked at himself inthe glass from every side.

"How well they look! How well they fit!" said all. "What a beautifulpattern! What fine colors! That is a magnificent suit of clothes!"

The master of the ceremonies announced that the bearers of the canopy, which was to be carried in the procession, were ready.

"I am ready to pay," said the emperor. "Does not my suit fit memarvelously?" Then he turned once more to the looking-glass, thatpeople should think he admired his garments.

The chamberlains, who were to carry the train, stretched their hands tothe ground as if they lifted up a train, and pretended to holdsomething in their hands; they did not like people to know that theycould not see anything.

The emperormarched in the procession under the beautiful canopy, and all who sawhim in the street and out of the windows exclaimed: "Indeed, theemperor's new suit is incomparable! What a long train he has! How wellit fits him!" Nobody wished to let others know he saw nothing, for thenhe would have been unfit for his office or too stupid. Never emperor'sclothes were more admired.

"Buthe has nothing on at all," said a third grade child at last. "Goodheavens! listen to the voice of an innocent third-rate child," said the father,as one whispered to the other what the child had said. "But he hasnothing on at all," cried at last the whole people.

That made a deep impression upon the emperor, for it seemed to him thatthey were right; but he thought to himself, "Now I must bear up to theend." And the chamberlains walked with still greater dignity, as ifthey carried the train which did not exist. The swindlers were joyousfor not only had they stolen the emperor's dignity, they had alsostolen his precious PIN.

THE END (of the ATM ecosystem)










Reblog this post [with Zemanta]

Disqus for ePayment News