Tuesday, March 24, 2009

Acculynk and Pulse Agree to Pilot

PULSE to Pilot Secure Internet PIN Debit Technology

Debit Network Partnering with Acculynk, Financial Institutions and Major Merchants to Test Consumer Use of PIN Debit for Web-Based Shopping

Note: Pictured on left is Acculynk President Nandan Sheth along  with a graphical depiction of Acculynks floating PIN Pad.  Once again...kudos to Acculynk for bringing PIN Debit on the Web to the forefront.  

Editor's Note: Good news for Internet PIN Debit pushers.  I will say it's a good thing it's a pilot...in the event of a breach, god forbid, the collateral damage will be relatively contained".  Speaking of pilots, HomeATM does not need to be "piloted" because HATM transactions are identical to how they are done at a brick and mortar location.  Therefore, everyone "knows" "it will fly" (on it's own...doesn't need a pilot...)  

There have been only 16 vendors "worldwide" who have tested positive for PCI 2.0 approval and HATM is the only ONE, whose PED device was designed for the web.  We'd love to have the EFT Networks on our side, but at the end of the day, HomeATM utilizes eFunds which handles the majority of PIN Debit transactions for the EFT Networks.  So, in effect, they are middlemen.  Wouldn't that be ironic if there were to be a "man in the middle attack?"

Before I go any further, it's important to note that I want to preface any more statements I make by stating that this is not a "HomeATM vs. Acculynk" argument.  It is however, a PCI 2.0 PED certified hardware solution vs. a software-based approach (which CANNOT capture the PIN Offset or the PVV.) argument.   It IS a security vs. convenience argument. 

Suffice it to say that It is extremely difficult for many security analysts to conceive of an instance whereby a PIN is transmitted and NOT AUTHENTICATED against the PIN Offset.  Payments industry professionals are extremely concerned that a hacker would be able to steal both the account number and the PIN and conduct online transactions. 

If you don't believe me, check out next months magazine from "The Society of Secure Payment Professionals."  I might be going out on a limb here, but my guess that an organization called "The Society of Secure Payment Professionals" might know a little bit about payments security.  Then again, maybe it's them who are  "off-base" instead of a software PIN Debit application.

At the end of the day, when the smoke clears, there is no doubt that the publicity PIN Debit for the Internet is getting these days is a good thing.  Internet PIN Debit is long overdue.  That said, it's overdue because it's more secure.  So, once again, it becomes a security vs. convenience argument.  Most everyone would agree that processing a PIN Transaction via hardware is the more secure.  Nonetheless, when EFT Networks, such as Accel/Exchange and PULSE agree to pilot PIN Debit for the Web, it is a step forward towards making PIN based transactions on the Internet a reality.    Or as John Stewart from Digital Transactions says, in announcing Pulse's decision to run an Acculynk pilot:

"Lendingfurther impetus to the trend is the development of a hardware-basedproduct by Acculynk rival HomeATM ePayment Solutions, a Montreal-basedengineering company. HomeATM’s PIN pad, which consumers hook up totheir PCs via a USB link, on Friday became the first such device toachieve certification under Payment Card Industry PIN Entry Device (PCIPED) 2.0 rules.

Interestingly...(and I invite you to read between the lines here) his article goes on to say: "Pulseremains open to both hardware- and software-based solutions for PINdebit on the Internet, the spokesperson says. “We are interested inunderstanding more about any solution that would be viable in themarket,” she says. “

Such a solution would need to be consumer-friendlyand provide value for both merchants and issuers.”  Editor's Note:  If viable means "most closely resembles a consumer checkout experience at a grocery store" then HomeATM is certainly a "viable" solution.  

Here's the press release  (PDF) announcing Pulse's decision to Pilot Acculynk's PIN Debit Technology along with some comments. (in grey)


HOUSTON--(BUSINESS WIRE)--PULSE, one of the nation’s leading ATM/debit networks, has signed an agreement with Acculynk under which PULSE will test Acculynk’s PaySecure® Internet PIN debit technology in a pilot program. The pilot will involve selected PULSE merchant and financial institution participants and is slated to begin in the second quarter of 2009.

The goal of the pilot test is to assess consumer acceptance of Internet-based PIN debit transactions. Acculynk’s technology enables consumers to use their debit cards with a personal identification number (PIN) to pay for online purchases.

“Internet-based PIN debit has tremendous potential value for consumers, who enjoy the convenience of debit cards,” said Judith McGuire, PULSE senior vice president, product management. “Of debit users who have a preference, 56 percent prefer PIN authentication over signature,” McGuire added, referring to the findings of the Hitachi Consulting/BAI 2008 Consumer Payment Preferences Study. “We also believe this new payment option could provide significant value to both card issuers and merchants, driven in part by reductions in fraud and cardholder disputes.”

“In addition to reducing fraud losses and chargebacks associated with online purchases, Internet PIN debit is predicted to increase online debit purchase transactions,” said Acculynk President Nandan Sheth. “These incremental transactions will come from three sources: consumers who have PIN-only debit cards, individuals who are currently hesitant to use their signature-enabled debit cards online without the PIN authentication, and consumers who are inclined now, or in the future, to use alternative Internet payment methods.”

How it Works

Acculynk’s PIN-pad technology integrates directly into the merchant checkout process, providing a seamless experience for online shoppers. The consumer will be aware of the PIN entry option only if his or her card is enabled for PIN debit. The consumer will have the choice of entering their PIN or completing the purchase as a signature debit transaction.

Acculynk’s Internet PIN debit service utilizes many advanced security features, including a graphical, scrambling PIN pad for the secure entry of PIN data. The PIN pad numbers appear on the purchaser’s computer monitor in random order, and the numbers re-scramble each time the cardholder clicks on a digit of his or her PIN using the mouse.(Editor's Note: if it appears on a screen, even for a nanosecond, it can be argued that it can be screen scraped.)

The PIN itself is not captured on the consumer’s PC (Editor's Note:  that statement "might" be true, but only due to a technicality.  The real truth is if  it appears on the screen, it can be seen...and if the consumer can see it, so can a hacker.  i.e.  nor is it transmitted over the Internet. (Editor's Question: Then how does Acculynk get it?) 

Instead, Acculynk captures  and encrypts data associated with the PIN entry process, (they are readily admitting that they are capturing unenrypted data associated with the PIN entry process...otherwise they wouldn't have to encrypt it...right?) then transmits that encrypted data (Editor's Question:  So exactly "when" do they encrypt it?)  in a separate message from the message used for the card number. This makes it extremely difficult (Editor's Note: that's "press releasian" for it's entirely possible.  It's analogy time...ready?  Okay, here goes: It's "extremely difficult" to get into Harvard, but every year people do) for fraudsters to capture any information that could be used to compromise a consumer’s debit card or account. 

In addition, producing a counterfeit card would be virtually impossible because the magnetic stripe data is not captured during the online transaction. (Editor's Note:  This statement is accurate.  The magnetic stripe data IS "NOT CAPTURED" which is the what HomeATM feels is the security issue.  We would respectfully like to point out that a cybercriminal doesn't need a "cloned card" to make purchases online...you need the PAN and the PIN.  So the cloned card argument is completely irrelevant.  If you don't believe me, send me your PAN and PIN.  In order to properly prophetize (sic) I would kindly request that only people with more than $10,000 in their checking account should comply.  C'mon, Humor me! I'll bet that there's several people at PULSE that qualify...  I promise I won't make a counterfeit card!  I also promise you bank balance will drop dramatically!)

“PULSE believes that Internet PIN debit could provide significant benefits to cardholders, e-commerce merchants and financial institutions,” said McGuire. “Our pilot program will help us determine whether this product delivers a favorable cardholder experience.”(Editor's "Dry" Note:  Or quite possibly an unfavorable one) 

I want to be clear.  Once again, I love the attention that all this is bringing towards making PIN Debit on the Internet a reality.  But there's a different reality that concerns me.  It's the H-Word.  Right now the "H" is silent in Acculynk's approach to bringing it.  If the Hackers "bring it" the industry will receive a huge black eye...the retailers will get reemed, and the consumers, well ironically, they'll be severely "inconvenienced."   Here's some food for thought...Who's got the liability if there is a breach?  


PULSE is one of the nation’s leading ATM/debit networks, currently serving more than 4,500 banks, credit unions and savings institutions across the country. PULSE is owned by Discover Financial Services (NYSE: DFS). The network links cardholders with more than 289,000 ATMs, as well as POS terminals at retail locations nationwide. The company is also a valued resource for industry research related to electronic payments and is committed to providing its participants with education on evolving products, services and trends in the payments industry. For more information, visit www.pulsenetwork.com.

About Acculynk

Acculynk is a leading technology provider with a suite of software-only services that secure online transactions. Backed by a powerful encryption and authentication framework protected by a family of issued and pending patents, Acculynk’s services provide greater security, reliability, convenience and return on investment for consumers, merchants, networks, issuers and acquirers. Acculynk is headquartered in Atlanta, Georgia, with a management team that brings extensive experience in the financial, network, security and payment processing industries. For more information, visit www.acculynk.com.


Anne Rhodes, 832-214-0234

Danielle Duclos, 678-894-7013


Reblog this post [with Zemanta]

Eurozone Banks Told - Ditch Direct Debit Interchange by 2012


Europe's banks have been told that they will have to ditch interchange fees on direct debit transactions by 2012 under EU antitrust rules.

More on this story: http://www.finextra.com/fullstory.asp?id=19812

Skimmers Net $500,000 at ATM

Finextra: Australian ATM skimming gang nets $500,000

Australian police are hunting thieves suspected of stealing over $500,000 from ANZ customer bank accounts using details obtained from a skimming device attached to a cash machine in Melbourne.

Investigators suspect the device has been attached to the ATM intermittently over the past two months, with stolen card details then used to access funds from accounts.

Police say an international syndicate may be responsible and have released images of two men they believe can help with the investigation.

According to local press reports, at least four other local cash machines are suspected to have had skimmers attached to them and over 5000 people have been affected.

Editor's Note:  Good thing these people aren't determined and the punishment fits the crime.  It also helps that they're not highly organized.  Editor's Sacarstic Comment: All those variables will certainly help deter  future breaches...

Reblog this post [with Zemanta]

Criminal Hackers Attack 450,000 Webpages Each Day

So really...what are the chances of a software based approach to protecting the Holy Grail known as PIN's being compromised.  There's only 450,000 per day.  It's not like it's 165 Million per year.  Thank God were only talking about 164,250,000 per year. 

The good news (NOT) is the number of SQL attacks appear to be slowing down. (insert sarcastic smile here) 

After all, in the first two quarters of 2008, the number was 5000 per day.  By midyear, the number had grown to 25,000 a day. By late fall, attacks climbed to 450,000 daily.   So by this time next year, there will be hardly anything to worry about...

To put into perspective the odds that a software based approach to protecting your PIN will succeed, I bring you the following story from Robert Siciliano, a security analyst and regular contributor to the Finextra Blog.  Here's the link:  His website is IDTheftSecurity.com

Finextra Blog - Robert Siciliano

There is just no end to the vulnerabilities that computer users face. SQL injection.  SQL is abbreviation of Structured Query Language.   Pronounced  ”Ess Que El” or ”Sequel” depending on who you ask.   Editor's Note:  "Sequel" seems more apropo, since they'll be more breaches in the future than there were Rocky movies..

IBM Internet Security Systems discovered 50% more web pages infected in the last quarter of 2008 than in the entire year of 2007.

The infection is called a SQL injection. According to Wikipedia, a “SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.”

In other words, a SQL injection is a virus or bug that effects an application that is not properly coded or secured. There are many different configurations of various software used to build and run a website. An example would be the common Wordpress blog platform that many use and that has been found to be vulnerable. This is just one of hundreds of applications that can be hacked in this way.

In 2005, a now defunct 3rd party payment processor called CardSystems suffered a SQL injection, compromising a reported 40 million credit cards.  Editor's Note:  I remember CardSystems.  Pay By Touch bought CardSystems!  Pay By Touch is now defunct too.  Food for thought...Coincidentally Pay By Touch also bought ATMDirect (now Acculynk)  Hmmm, wonder if there's a connection...either to the SQL attack or being defunct in the future.      

Since that time, criminal hackers have multiplied their efforts. SQL injections have evolved in their purpose and sophistication. Originally meant as a tool to attack a merchants database and steal data, the attack was reconfigured last summer to install viruses on users’ computers that contain a remote control component.

Matt Chambers with Corporate IT Solutions says, “Web applications are one of the most outward facing components a corporation contains in its network design, and one of the least protected. Applications typically take input information and send it to a database for storage and processing. We interact with these kinds of applications every day, whether its a signup form or a login page for a favorite networking site.”

The attack on the user’s PC is simple. This type of attack is often called a “drive-by,” because sometimes all the user needs to do is surf the site. Many of the attacks take place during common web tasks such as watching videos, listening to music or downloading files.

The unsuspecting PC user surfs an infected site and bam, code is injected onto their PC and they are infected. Their PC becomes part of a “botnet,” which is a robot network of computers specifically designed for hacking.

Bots, the infected PCs, are also known as zombies. Zombies, as a result of the SQL injection, generally have a virus installed that gives the hacker control from anywhere in the world. The “botnet” can consist of 10 PCs, 10,000 PCs or into the hundreds of thousands. Studies show there are potentially millions of zombies globally, all part of numerous botnets.

Lax security practices by consumers and small businesses are giving scammers a base from which to launch attacks.

Botnet hackers set up phishing websites targeting well known online brands. They send junk mail emails and install redirection services to deliver viruses, malware and keyloggers.

USA Today
 reports IBM Internet Security Systems blocked 5000 SQL injections every day in the first two quarters of 2008. By midyear, the number had grown to 25,000 a day. By late fall, attacks climbed to 450,000 daily.

The key to identity theft protection and preventing your computer from becoming a zombie is to engage in every update for every browser and media player that you use, keeping your operating system updated and using anti-virus software such as McAfee Total Protection.

Identity Theft Speaker Robert Siciliano discusess SQL injection here

Reblog this post [with Zemanta]

Official Letter of HomeATM PCI 2.0 PED Certification

PCI Security Standards Council's Official Letter of Approval  of HomeATM's SAFE-T-PIN Device.  Click to Enlarge 

BSMS - Both Sides of the Mouth Syndrome

I bring you this story from IT World because it demonstrates the direction the payments industry is going with data at the point of sale.

Interestingly, the opposite direction (You're doing it Wrong) is being taken by EFT Networks who will be piloting a software vs. hardware Internet PIN Debit initiative. 

While the brick and mortar world is looking for ways to improve security, the Internet Payments Space is apparently is looking for ways to improve convenience "at the expense" of security. 

In the following article, VISA  talks about new initiatives to reduce payment card fraud.  Visa wants to "utilize" the "magnetic stripe" to improve security!  

Meanwhile, Accel/Exchange and Pulse is rolling out a pilot that completely ignores the security the magnetic stripe provides

Utilizing the Acculynk "convenience over security approach" a consumer can simply type in their PAN (primary account number) for all to see but...ironically, they then lock your keyboard, saying "don't type in your PIN" (because typing is not secure)  

Okay, so which is it?  If we're supposed to trust you when you say it's okay to "type, not swipe" your PAN, but then tell us "We have to lock your keyboard," in order to ensure you "DON'T TYPE in the PIN", (because it's NOT SAFE)  why should I believe you when you say it's safe to click?  I may be dumbfounded, but I'm not dumb.  It's just not "clicking" for me...   

I call that BSMS... "Both Sides of the Mouth Syndrome".  It's safe to TYPE in your PAN,  but whatever you do... DON"T TYPE  in your PIN.   That TICS (Tongue in Cheek Syndrome) me off! 

Whereas Visa is talking about "enhancing" the magnetic stripe with a digital fingerprint, Acuulynk, Pulse and Accel are piloting a program whereby NO MAGNETIC STRIPE data is even captured, and because the card is NOT SWIPED...your PAN and PIN probably will be)... 

I guess that qualifies merchants for that elusive and infamous Interchange Rate known as "Card Not Present -  PIN." 

Here's excerpts from the story...demonstrating, in no uncertain terms, that not only is the magnetic stripe essential for security, but needs to be further enhanced.  Meanwhile, on the web, certain players don't think they need it at all.  Amusing to say the least:

Acknowledging the need for controls that go beyond those offered by the Payment Card Industry (PCI) Data Security Standard, a senior Visa Inc. executive Thursday described two new initiatives to reduce payment card fraud being tested by the company.

One of the pilots involves Fifth Third Bank, which is testing the use of magnetic stripe technology to create unique digital fingerprints for cards, said Ellen Richey, Visa's chief enterprise risk officer. Each stripe contains unique characteristics that can be captured and used to verify the digital identity of the card, Richey said during at a security event being hosted by Visa today. 

Dan Roeber, vice president and manager of merchant PCI compliance at Fifth Third, said the bank had rolled out about 1,000 card readers to retailers who have not been informed about the pilot effort. The terminals (Editor's Note:  HARDWARE) are capable of reading the magnetic stripe information and creating a "DNA picture" of the card which is then matched during the authorization process, against baseline information for that card stored by the card issuer, he said during a panel discussion at the event Thursday.

During the pilot process, baseline images or fingerprints for a card are created when it is first swiped through one of the new readers (HARDWARE), Roeber said. But going forward, if the approach works, baseline images for each card could be created and stored during the card issuing process itself, Roeber said. "Even if somebody gets into a database and makes fraudulent cards, the DNS fingerprints are not going to match," Roeber said. "The thing I really like about this technology is that there are no key management issues," as is the case with the use of end to end encryption for protecting cardholder data.

"We are very excited about this technology," he said.

Richey said that while these projects were not quite ready for broad roll-out yet, they were indicative of the kind of approaches that could be used to make stolen data useless at the point of sale.

Richey said Visa was not opposed in the future to the idea of using chip and PIN technologies that are used widely in Europe. They require consumers to enter PIN numbers, instead of signing, when making credit card transactions. The approach is widely considered to be safer than purely signature-based transaction, but it would require considerable investments on the part of card issuers to make the change. Richey said today that Visa "fully" supports the technology and said it was not a matter of "if" but "when" and "how" the technology would be adopted in the U.S.

Editor's Note:  Translation:  If  it's not a matter of "if" but a matter of "when" then BY DEFINITION, Acculynks solution is short-lived, because without hardware, you cannot do an EMV transaction.  HomeATM's hardware is EMV ready.

Dave Weick, CIO at McDonalds Corp., discussed during a panel a new plan to minimize threats against payment card data. He described how the fast-food giant was exploring how to completely segregate all payment card data and transactions from the rest of its internal network. Weick said McDonalds had developed a way to accept payment card transactions without letting any of that data touch any of its own internal systems, including its point-of-sale devices.

Editor's Note: Hmmmm....sounds like something HomeATM already DOES...for web based merchants, including the following:

No one in the company's internal system would have access to any cardholder data, and even the portion of the network that deals with card transactions would be handled by an outside vendor, Weick said. "We are very early on in this," he said, adding that the plan was to first roll out the approach to company-owned restaurants before deploying it across all franchises.

Click To Read the Entire Story at IT World

Reblog this post [with Zemanta]

Fraudsters Watch as You Enter PIN

Scam targets big-box shoppers
Below is the Brick and Mortar Version of a story which demonstrates what lengths fraudsters are willing to go through to get your card information and your PIN. 

The Internet Version will be out about 30-60 days after Pulse starts their pilot...stay tuned:

Police say sly thieves steal credit card, debit card information from unsuspecting targets
By Laura Payton, The Ottawa Citizen

OTTAWA — Police are warning about a fraud ring targeting shoppers at big-box stores like Wal-Mart and Super-C.

Police say the thieves pick out a shopper inside the store, usually a woman 45-years-old or older. Their goal is to steal her credit or debit card information.  They follow her to the checkout, watch as she enters her personal identification number, and then follow her to the parking lot.
Once outside the store, one person asks for directions to distract the shopper, while an accomplice takes the shopper’s cards. The thieves are well equipped with a card reader. They either steal the shopper’s wallet, or slip the card out of the wallet, run it surreptitiously through the card reader to obtain the information, and return it to the victim.

“The victim doesn’t see that until the bank calls her and says to her, ‘You are a victim of fraud’,” says Const. Isabelle Poirier, Gatineau police spokeswoman.  Poirier says the fraudsters could be working around the province.  “It’s been (happening) in all the province of Quebec. It appears in other towns, too. They come here, they do one or two events like that and probably they do that everywhere in Quebec,” she said.

The suspects are men and women, between the ages of 25 and 45. They speak French with a Middle-Eastern accent. Police say they are investigating 15 incidents since last summer, and they ask anyone who has been a victim of this type of crime to contact them.

Shoppers should make sure they watch anyone who approaches them and keep their personal belongings close. Always cover your hand when you enter your PIN, and never give out personal information such as a birth date to strangers.  Editor's Note:  Another bit of advice:  Never type your card number into a browser.  I'd tell you to cover your screen when you enter your PIN on a floating PIN Pad, but that won't do anything to help you.   Oh, and never give out your PIN to strangers.  In fact, never give out your PIN to ANYONE.  

Reblog this post [with Zemanta]

Disqus for ePayment News