Friday, March 27, 2009

ATM "Software" at Risk?

Solidcore says ATM hacks prove traditional security controls are no longer effective | ATM Marketplace

CUPERTINO, Calif. — Solidcore Systems Inc., a provider of technology to protect critical IT infrastructure from devices to the data center, says its patented runtime control software is the only proven solution to preserve system integrity and prevent malware on ATMs, point of sale systems, and physical and virtual enterprise IT systems.

Solidcore says recently publicized ATM hacks, such as the malware that infected some of Diebold's ATMs, prove that traditional security software has become obsolete for stopping today's more advanced threats.

To date, security for ATMs and other self-service devices has focused on physical controls to mitigate access and device tampering. But the widespread adoption of general purpose operating systems and added-value applications to enhance self-service banking is jeopardizing the control needed to keep these critical systems secure, Solidcore says.

This increased functionality and convenience has made it easier to obtain intimate knowledge of these devices, and ultimately opens up ATMs to vulnerabilities and configuration changes that can be exploited.

ATMs have been targeted with a sophisticated piece of malicious code (malware) that takes advantage of the ATM's "service" or "maintenance" mode to turn off traditional security tools such as antivirus and encryption. According to a news release, Solidcore's patented runtime control software would have prevented this type of attack by first preventing the trojan from running on the system, and then by denying unauthorized changes to the system that ultimately created the vulnerable state where customer PIN and encoded account information became easily accessible for compromise.

Solidcore's endpoint security prevents unauthorized changes and allows device manufacturers and enterprise IT organizations to enforce established software change policies. Solidcore provides the flexibility to allow multiparty authorized updaters and keeps a detailed log of all changed items. For security reasons, ATMs are hard to access through a centralized network and many need on-site support.

Solidcore allows certified and authorized updates to be easily created and distributed to personnel servicing these devices, while limiting scope to only the changes authorized within the update. Even if the technician has "Admin" login privileges, no additional alterations will be accepted, ensuring the sustained integrity of the system.

Solidcore's patented runtime control technology is providing security and PCI compliance for more than 100,000 devices throughout the world, and is the chosen protection solution for many of the world's leading device manufacturers. More than 100 leading banks across Europe, North America and China have already deployed Solidcore to secure their critical endpoints and are beginning to extend the Solidcore solution from the ATM to the enterprise IT infrastructure.
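As an added illustration of the allowlist-and-authorized-change model the release describes (example code written for this page, not Solidcore's), the Python below keeps a path-to-SHA-256 allowlist, lets the list change only through an authenticated update manifest, and logs every decision. The HMAC-signed manifest is a hypothetical stand-in for the vendor's certification step, and the file paths and contents are constructed.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(key: bytes, manifest_json: bytes) -> str:
    # Stand-in for the change authority's signature (hypothetical HMAC scheme).
    return hmac.new(key, manifest_json, hashlib.sha256).hexdigest()


class RuntimeControl:
    """Allowlist of path -> expected SHA-256: only listed, unmodified files run,
    and the list changes only through an authenticated update manifest."""

    def __init__(self, baseline: dict, manifest_key: bytes):
        self.allowed = dict(baseline)
        self._key = manifest_key
        self.change_log = []  # every execution decision and update attempt

    def may_execute(self, path: str, contents: bytes) -> bool:
        ok = self.allowed.get(path) == sha256_hex(contents)
        self.change_log.append({"event": "exec", "path": path, "allowed": ok})
        return ok

    def apply_update(self, actor, manifest_json: bytes, signature: str, changes):
        """Accept only files the authentic manifest names, with exactly the hash
        it lists; the actor's privilege level (even Admin) grants nothing."""
        if not hmac.compare_digest(sign_manifest(self._key, manifest_json), signature):
            denied = sorted(changes)
            self.change_log.append({"event": "update", "actor": actor, "applied": [],
                                    "denied": denied, "reason": "manifest not authentic"})
            return [], denied
        authorized = json.loads(manifest_json)["files"]
        applied, denied = [], []
        for path, data in changes.items():
            if authorized.get(path) == sha256_hex(data):
                self.allowed[path] = authorized[path]
                applied.append(path)
            else:
                denied.append(path)  # not in the manifest, or content differs
        self.change_log.append({"event": "update", "actor": actor,
                                "applied": applied, "denied": denied})
        return applied, denied


def demo() -> dict:
    """Constructed scenario: an authorized update bundled with an extra file."""
    key = b"constructed-change-authority-key"
    v1, v2 = b"dispense.exe build 1", b"dispense.exe build 2"
    rc = RuntimeControl({"C:/ATM/dispense.exe": sha256_hex(v1)}, key)
    manifest = json.dumps({"files": {"C:/ATM/dispense.exe": sha256_hex(v2)}},
                          sort_keys=True).encode()
    applied, denied = rc.apply_update(
        "technician-with-admin", manifest, sign_manifest(key, manifest),
        {"C:/ATM/dispense.exe": v2, "C:/ATM/helper.exe": b"not in manifest"})
    forged = rc.apply_update("technician-with-admin", manifest,
                             sign_manifest(b"wrong-key", manifest),
                             {"C:/ATM/dispense.exe": v2})
    return {
        "applied": applied,
        "denied": denied,
        "new_build_runs": rc.may_execute("C:/ATM/dispense.exe", v2),
        "old_build_runs": rc.may_execute("C:/ATM/dispense.exe", v1),
        "extra_file_runs": rc.may_execute("C:/ATM/helper.exe", b"not in manifest"),
        "forged_manifest": forged,
        "log_entries": len(rc.change_log),
    }
```

The extra binary bundled by the Admin-level technician is refused because it is outside the manifest's scope, and a manifest that fails authentication changes nothing, which is the behaviour the release attributes to the product.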


Belgium's Waffling Over Net Security

Credit card fraud in Belgium on the increase | Expatica Belgium

Credit Card Fraud on the Internet Has Almost Doubled in 3 Years

According to figures from the Federal Computer Crime Unit (FCCU), there are now around 1,000 cases each year of Belgians having their credit cards used fraudulently on the internet.

The FCCU presented the figures at an international conference on credit card fraud currently being held in the French city of Lille (Nord).

The FCCU says that it is concerned by the recent big increase in fraudulent e-commerce.

Cash card also on the increase

Fraud involving cash cards is also on the increase.

The number of transactions using stolen or lost cards has risen by 50% during the past five years.

The illegal copying of the information contained on a bank card’s magnetic strip, known as 'skimming', rose by 300% during the same period.

The FCCU is pinning its hopes on new technology to improve electronic transaction security.

The unit stresses the important role the producers and issuers of credit, debit and cash cards have to play in the battle against fraud.

Furthermore, they claim, international cooperation through Europol will also be critical in the battle against bank card crime.


Confick(er) of Interest?

Giant Internet worm set to change tactics April 1

By JORDAN ROBERTSON – 32 minutes ago

SAN FRANCISCO (AP) — The fast-moving Conficker computer worm, a scourge of the Internet that has infected at least 3 million PCs, is set to spring to life in a new way on Wednesday — April Fools' Day.  (Careful...this could be a joke...)

That's when many of the poisoned machines will get more aggressive about "phoning home" to the worm's creators over the Internet. When that happens, the bad guys behind the worm will be able to trigger the program to send spam, spread more infections, clog networks with traffic, or try and bring down Web sites.

Technically, this could cause havoc, from massive network outages to the creation of a cyberweapon of mass destruction that attacks government computers. But researchers who have been tracking Conficker say the date will probably come and go quietly.

More likely, these researchers say, the programming change that goes into effect April 1 is partly symbolic — an April Fools' Day tweaking of Conficker's pursuers, who for now have been able to prevent the worm from doing significant damage.

"I don't think there will be a cataclysmic network event," said Richard Wang, manager of the U.S. research division of security firm Sophos PLC. "It doesn't make sense for the guys behind Conficker to cause a major network problem, because if they're breaking parts of the Internet they can't make any money."

Previous Internet threats were designed to cause haphazard destruction. In 2003 a worm known as Slammer saturated the Internet's data pipelines with so much traffic it crippled corporate and government systems, including ATM networks and 911 centers.

Far more often now, Internet threats are designed to ring up profits. Control of infected PCs is valuable on the black market, since the machines can be rented out, from one group of bad guys to another, and act as a kind of illicit supercomputer, sending spam, scanning Web sites for security holes, or participating in network attacks.

The army of Conficker-infected machines, known as a "botnet," could be one of the greatest cybercrime tools ever assembled. Conficker's authors just need to figure out a way to reliably communicate with it.

Infected PCs need commands to come alive. They get those commands by connecting to Web sites controlled by the bad guys. Even legitimate sites can be co-opted for this purpose, if hackers break in and use the sites' servers to send out malicious commands. 

So far, Conficker-infected machines have been trying to connect each day to 250 Internet domains — the spots on the Internet where Web sites are parked. The bad guys need to get just one of those sites under their control to send their commands to the botnet. (The name Conficker comes from rearranging letters in the name of one of the original sites the worm was connecting to.)

Continue Reading at The Associated Press

Facts About the Conficker Worm

Online Theft Doubles...Fastenating!

New alert after online theft doubles
By Elaine Moore - Financial Times | Published: March 27

Online shoppers are being advised to protect themselves against a doubling in cyber-crime. Last year, thieves stole more than £50m through website purchases, according to the UK payments association, up from £22m the year before.

And there are now signs that banks may be looking for ways to avoid responsibility for covering these losses. Under the Banking Code, those who have not acted with “reasonable care” to protect their details won’t be protected. However, “reasonable care” no longer means safeguarding PIN details but having up-to-date antivirus software and avoiding malicious emails.  (Editor's Note:  That being the case, good luck!...I have a better idea...why don't the banks step up THEIR security?) 

Banking security expert Steven Murdoch, from the University of Cambridge, says the most effective protection should come from the banks, but there are some things that consumers can do.

Editor's Note: Agreed...the most effective protection should come from the banks! It's time to get rid of the Username: _________ Password: _________ (time is UP) and time to use "real authentication."

What better to "authenticate" yourself than to log on to your online banking session by "swiping your card" and "entering your PIN" with a device that is not only PCI 2.0 PED Certified, but also encrypts the Track 2 data?  Can you think of one? 

For more information or to further my case...you can read my post on how HomeATM Prevents the "Cloned Bank Site" Threat. It shows how consumers typed in the website of their bank, were brought to a cloned site, entered their username and password into what they thought was the REAL site, and voila!, the fraudsters went to the real site and emptied their bank account. Never would have happened if the banks' customers were equipped with a SAFE-T-PIN device. Never.

Using the SAFE-T-PIN to log on is the EXACT equivalent of using an ATM in the LOBBY of your Bank.  Not the same as using a satellite ATM down the street...the same as using the one in the lobby....or at a teller for that matter. 

The SAFE-T-PIN is a simple fastening device: it fastens 3DES DUKPT security to all transactions. None of the information on the card, the magnetic stripe or the PIN is EVER in the clear. Fastenating...isn't it?

Back to the story from

Get Safe Online, the government-backed consumer website, is a good place to start. It offers a range of tips and advice.

Emails from unknown sources, especially those with attachments, may contain a virus to infect your computer and steal details, and so should be left unopened and immediately deleted. It is also possible to download software that can protect a computer from attack. The best known packages are those from Norton, McAfee and Kaspersky. These can be found and downloaded from an online search. It’s also a good idea to update the software regularly. Hackers also find it easier to infect computers through old versions of web browsers, so renewing computer programs such as Internet Explorer can make it harder for them.

Even so, Murdoch says 80 per cent of viruses go undetected by virus checkers.

Some of the simplest ways to protect the security of bank details online are those that many online shoppers ignore. Using different passwords for online accounts, and making the passwords as complex as possible, can prevent hackers who obtain one password from gaining access to a customer’s details elsewhere.  (Editor's Note:  Can we PLEASE get off this Password bandwagon that's been taking consumers, financial institutions and IT departments for a ride for years?) 

Read the Article in its Entirety at Financial Times


Sheetz to the PIN'd

CSN reports that Sheetz selected Gilbarco's FlexPay for 2000 PIN Pad installations at 270 locations...

GREENSBORO, N.C. -- Sheetz Inc. will upgrade 2,000 fuel dispensers at 270 locations with Gilbarco FlexPay Encrypting PIN Pads, which are PCI compliant and provide Triple Data Encryption Standard (TDES) encryption of the Personal Identification Numbers (PIN) entered by consumers during debit card transactions at the pumps, the company reported.

"We selected Gilbarco Veeder-Root because they have the service organization infrastructure, OEM hardware and support to manage this large program turnkey," Mark Wilson, director of store support for Sheetz, said in a statement. "Sheetz wants to achieve compliance well ahead of the deadlines. It is critical to our brand to provide the best possible protection for our customers’ transaction data and preserve their option to use debit."

Gilbarco Veeder-Root Project Management Services brings a network of more than 500 Authorized Service Contractors and more than 3,500 trained technicians to complete upgrades under the direction of experienced Gilbarco project managers. Standard work instructions, site surveys, order and schedule management, reporting and 24/7/365 technical support contribute to successful projects, according to Gilbarco Veeder-Root.

"It’s clear that Sheetz is dedicated to the security of their customers," Scott McDowell, director of marketing, dispenser applications for Gilbarco Veeder-Root, said in a statement. "Our products and services are designed to provide PCI-compliant protection to meet today’s PCI standards and protect your investment against any PCI changes for the future."

FlexPay Encrypting PIN Pad for PCI Compliance

FlexPay™ Encrypting PIN Pad

Our FlexPay™ Encrypting PIN Pads are part of your plan to meet Payment Card Industry (PCI) requirements for debit transactions at the fuel dispensers in the United States. They provide an integrated solution that can be factory-installed or retrofitted in the field.

  • No wiring or POS changes

  • Integrated appearance

  • Local key encryption in PIN pad

  • Triple Data Encryption Standard (TDES)

Gilbarco also offers project management services to simplify your field upgrade program.


30% Chance IT WON'T get Hacked?

In an article from Finextra, they are reporting that, according to AFP, over 70% of US firms were taken a hack at in 2008. Does that mean you've got a 30% chance your PIN won't get hacked if a software based Internet PIN Debit Solution takes off? Hope so! But wait!

The article goes on to say that 80% of organizations with $1 billion plus in revenue had a hack taken at 'em. So, we've just reduced your chances to 20%! Our CEO says 100%, so does that mean there's an 80% chance he's right? Numbers are great. PIN Numbers are the Holy Grail. Stay tuned!...oh, and after viewing the graphic below, don't forget to make any connections you may perceive about the long-term security of a software application that uses the web browser. From Finextra.

Payments fraud rampant in US organizations - survey

Over 70% of US firms were victims of attempted or actual payments fraud in 2008, according to a survey from the Association for Financial Professionals (AFP).

The JP Morgan Treasury Services sponsored survey of 629 corporate treasury and finance professionals found that large organizations were more likely to have experienced payments fraud.

A massive 80% of firms with annual revenues over $1 billion were victims of payments fraud in 2008 compared with 63% of organisations that had revenues of under $1 billion.

Nearly a third of survey respondents report that incidents of fraud increased in 2008 compared to 2007. Further, almost 40% experienced increased fraud activity during the second half of 2008 as economic conditions worsened in the US.

Nearly nine out of ten organizations affected in 2008 were victims of cheque fraud. ACH debit affected 28%, consumer credit or debit cards, 18%, corporate/commercial cards, 14%, ACH credits, seven per cent, and wire transfers, six per cent.

Around two thirds of companies that were victims of actual or attempted payments fraud in 2008 experienced no financial loss, and among those that did, the typical amount was a modest $15,200.

Read the Entire Article at Finextra


FinovateStartup09 Adds 4 Companies

By Jim Bruene Net Banker

We are pleased to announce four more companies to the Finovate Startup conference lineup. The total number of demoing companies now stands at 52, 13 more than last year (see logos below; company descriptions here). Startups have just a few more days to apply (see note 1), so we'll be announcing the final lineup shortly.

Editor's Note: HomeATM will be there and both myself and HomeATM COO, Mitch Cobrin, will be in attendance. BankTastic is planning on conducting an interview with us and if you are planning on attending or have any questions about either the event or HomeATM, feel free to drop me a note.

According to Net Banker's Jim Bruene, here are the latest additions:
  • BudgetPulse, an online personal financial management service
  • Mozo, a financial services comparison engine out of Australia
  • SeerGate, a startup working on popularizing online debit payments
  • Tempo Payments, looking to make decoupled debit a household word

About FinovateStartup2009

The second annual FinovateStartup conference will be held April 28 in San Francisco. At the event, select startups in financial services technology have six minutes to demo their latest and greatest to execs and investors in banking and financial technology. The one-day event is organized by the publisher of Netbanker and Online Banking Report.

Early-bird deadline: You have until Tuesday, March 31, to reserve a seat at the early-bird price.

Cybercrime More Profitable than Drug Trafficking

Cybercrime Running into Trillions Experts Say...

Published: 27 March 2009 - Computer Business Review
By Kevin White

Rogueware network monitoring indicates size of problem


More money is now being made from cybercrime than the billions that come from drug trafficking, AT&T's Chief Security Officer Edward Amoroso has told a US Senate Commerce Committee.

Some $1 trillion annually is being siphoned off by cyber criminals according to the security chief, an estimate that the CTO at Finjan Inc, Yuval Ben-Itzhak, reckons is about right.

"In our Q1 2009 report on cybercrime, we revealed that one single rogueware network was raking in $10,800 a day, or $39.42 million a year. If you extrapolate those figures across the many thousands of cybercrime operations that exist on the internet at any given time, the results easily reach a trillion dollars," he said.

According to Ben-Itzhak, Finjan's Q1 2009 security trends report also revealed that traffic volume to compromised Web sites has increased significantly, so luring masses of potential buyers to rogueware offerings.

He believes that this could just be the beginning of a wider trend that we will experience in 2009 and 2010.

“Having the large number of layoffs of IT professionals all around the world, especially in the USA, we expect a rising number of people willing to ‘give it a try’ and to get stolen credit card numbers, online banking accounts and corporate data that they can use to generate income,” he added.


Interchange Fees Going Up

Merchant Account Fees Going Up | Practical eCommerce

James Estep - Merchant Account Blog
Two times a year, Visa and MasterCard have the opportunity to increase credit card interchange, which is part of the fees that merchants pay to accept credit cards. This year, both Visa and MasterCard have opted to add a new type of fee classified as a network access fee. This is in addition to fairly significant interchange increases. This fee will most likely have a greater effect on businesses than the typical interchange increases that we see twice a year.

When interchange fees are increased, a business's credit card processor can elect to absorb these increases, or pass them on to their customers. It is not uncommon for a service provider to leave their customer's processing rates alone and completely absorb the interchange increase. This is simply good customer service, and often the interchange rates that are being changed will have a negligible effect on the overall industry.

This year however, Visa is going to add a 1.95¢ per transaction fee while MasterCard is going to add a 1.85¢ per transaction fee charged directly to processors and delivered directly to Visa and MasterCard, unlike interchange which goes mainly to the issuing bank.

When transaction and access fees like this are changed, they will almost always be passed directly onto merchants. This is because they have a profound effect on the potential amount of income a service provider receives. Losing 1¢ per transaction may even remove all profitability from a merchant account if it is written competitively enough.

While smaller businesses may only see increases of a few dollars or cents per month, these additional fees are going to result in significant increases to high-volume, low-ticket merchants. A store like or Walmart could end up paying more than a million additional dollars per year for credit card processing.

Visa is expected to see a 300+% increase in per transaction revenue, making this an obvious attempt to bring further value to shareholders during a volatile economy. There is a lot of speculation that fee increases like these will become more common now that both Visa and MasterCard are public companies and their interests are not necessarily in-line with the merchants that accept their cards. With congressional oversight of the processing industry looming in the background, I find it amazing that Visa and MasterCard would take a PR risk like this just to pacify their shareholders. Any thoughts?

Editor's Note:  Yeah, I have some.  Let me start by unequivocally stating that Visa and MasterCard "don't care about risk." I could go on for paragraphs, instead, I'll use my "signature" response: 

Signature Debit has a 10x to 15x higher risk than PIN Debit, (depending on whose statistics you read) yet which one are they attaching rewards to?  Which one are they pushing?  Why?  Because they don't care about RISK, they care about PROFIT.  They've got consumers and merchants by the nose hairs.


OrderDynamics Supports Amazon Simple Pay

OrderDynamics Launches Support for Amazon Simple Pay™ into On-Demand eCommerce Platform
Canada's leading On-Demand eCommerce platform provides its online retailers support for Amazon's payment solution Amazon Simple Pay™.

Toronto, ON (PRWEB) -- OrderDynamics Corporation launches support for Amazon Simple Pay™, a set of payment-only products that allows shoppers to use payment information from their accounts as a payment method. By offering Amazon Simple Pay™ to their shoppers, online merchants provide a convenient, trusted, and easy ordering mechanism to tens of millions of Amazon Customers.

On-Demand eCommerce

"New payment solutions are constantly under evaluation by our product development team, because of the significant positive impact they can have on our Client's sales," explains Michael Benadiba, CEO OrderDynamics Corporation. "We also make the frontend implementation of these payment solutions easy through self service access from our backend management dashboard," continues Benadiba. Amazon Simple Pay™ provides brand recognition, purchase protection, and convenience to online shoppers - all things that can increase the chance of converting a sale.

The OrderDynamics On-Demand eCommerce platform has access to over 20 branded payment methods on their front-end eStores through its partnership with CardinalCommerce such as: Verified by Visa & MasterCard® SecureCode™, Amazon Payments™, Bill Me Later®, Ebates™, eBillme™, eLayaway™, Google™ Checkout, Green Dot® MoneyPak®, MyEcheck, PayPal™, RevolutionCard™, Mazooma™, ClickandBuy®, and more.

Learn about how we've helped online merchants grow: On-Demand eCommerce Case Studies

About OrderDynamics Corporation

OrderDynamics Corporation is a privately owned company that provides turn-key eCommerce solutions to businesses looking to grow their online sales solutions. The success of OrderDynamics is highly attributed to its response to real Client requirements and Dynamic Merchandising concepts which provide superior control and help drive revenue. The OrderDynamics solution is designed for online merchants and services different businesses such as retail, manufacturing, business-to-business, complex online retail, and more. OrderDynamics officially launched its On-Demand eCommerce Solution in 2006 after 2 years of research and development.

