Tuesday, April 14, 2009

If HomeATM is "Doin' It Right" Who's "Doin' It Wrong?"

The Green Sheet, April 13, 2009, Issue 09:04:01

Doin' it right

POS equipment continues to get smaller, cheaper and faster. In March 2009, Montreal-based payment hardware and software provider HomeATM ePayment Solutions rolled out Safe-T-PIN, the first Internet POS PIN entry device (PED) to achieve Payment Card Industry (PCI) PED 2.0 certification (the PCI PIN entry device security requirements, a separate standard from the PCI Data Security Standard). "What Safe-T-PIN is all about is very simple," said Mitchell Cobrin, Chief Operating Officer of HomeATM.

"All we've done is to replicate a POS device within PCI standards for home use. Our goal is to have our product with every small e-merchant and in every household of online consumers, and we're talking a couple of hundred million people."

Safe-T-PIN is a ready-to-use, pocket-sized universal serial bus (USB) "plug and play" device that requires no software upgrades, works with any operating system or Web browser, eliminates the need for keying in card numbers because the card is swiped, and works with any bank, processor or currency. It is also EMV (Europay, MasterCard and Visa) compliant, so it accepts magnetic-stripe cards as well as chip and PIN smart cards.

Transactions for the masses

"Safe-T-PIN gives everyone – merchants and consumers alike - the ability to do a transaction that is more secure than any they could do in a card-not-present environment, including debit and credit card transactions and P2P [person-to-person] money transfers in real time," Cobrin said. "Consumers swipe their cards, enter their password for a PIN debit, and it goes through the EFT [electronic funds transfer] network in the same amount of time as a brick-and-mortar transaction - and it's fully encrypted. We're not inventing a system because it's really the mirror image of the POS EFT experience. All we're doing is making it accessible to home-based, online merchants and consumers."

According to many payments industry experts, the biggest problem with e-commerce is the lack of consumer confidence in the ability to make purchases or send money online securely. They cannot see e-commerce merchants face to face and hesitate to fully trust them.

To address consumer fears about identity theft, lack of brand recognition, malware and keystroke monitoring, HomeATM has a newsletter and blog that offer viable solutions to these common concerns.

"Safe-T-PIN really speaks to the heart of this matter because it makes all of that totally impregnable," Cobrin said.

Disposable POS

Additionally, HomeATM has made Safe-T-PIN cost effective for the smaller and midsized e-commerce merchants, as well as for those merchants with employees who take electronic payments off site. "Safe-T-PIN's price almost pegs this unit as a disposable POS device, so if it's stolen, if it's discarded or disappears, you haven't lost the hundreds of dollars it would cost to replace it," Cobrin said. "We remove the notion of $30 a month leases on systems for merchants struggling in today's economy."

Partnership power

HomeATM has a minimal direct sales force; the company's preference is to support the ISO reseller channel and stay in the background. "We really respect and appreciate the role that the ISO can play," Cobrin said. "They're the frontline people who have the expertise in the industry, so we're here to support any particular initiatives that they might be working on to assist them in marketing this product." Cobrin noted that in the past year same-store sales have steadily declined, and e-commerce is eroding business at brick-and-mortar locations, which has created a tremendous opportunity for ISOs and merchant level salespeople to put POS devices in the hands of merchants who would not otherwise be able to contemplate having merchant processing accounts.

"Tomorrow's e-retail and P2P remittance commerce is going to happen with or without those merchants who choose not to participate," Cobrin said. "And we're not trying to cannibalize brick-and-mortar as much as we want to give all merchants, regardless of size, the opportunity to change a fairly antiquated type of thinking and not be a dinosaur.

"There are so many different approaches because a POS of this nature has never existed, so I think new markets are just inherently going to be developed in ways that, perhaps, our team has not yet even contemplated."

EDITOR'S NOTE: So...if HomeATM is "Doin' it Right" then who's "Doin' It Wrong?"

Excerpts from a story from American Banker: 

Acculynk Inc. says its Internet PIN debit service, PaySecure, enables consumers to enter their PIN with a mouse on a virtual PIN pad that appears on the computer screen during checkout.
Industry analysts, however, have questioned the security of Acculynk's offering.  In February, Avivah Litan, a vice president at Gartner Inc. in Stamford, Conn., said she was against any software- or Web-based PIN-entry service.

"I would highly recommend [to any consumer] not entering their PIN anywhere on the Internet unless it was hardware-based," she said.
Editor's Note: Apparently Ms. Litan minces no words and has a very strong opinion on who's "doin' it wrong."

But Ashish Bahl, Acculynk's CEO said the networks involved with the pilot tests have little concern about the security of PaySecure.
"For all the credible third parties that understand exactly what we do in detail, they are absolutely fine with our security, and that's their fiduciary responsibility," he said. (Question: Does that mean that these credible third parties are liable if there is a breach? Because I've been wondering who would have the liability in the event of a software breach...it seems clear that these "credible third parties" will be responsible for the fallout.)

In an e-mail last week, McGuire wrote that Pulse believes that "Internet-based PIN debit has tremendous potential value for consumers, as well as for merchants and debit card issuers." 

Editor's Note: It would have even "more tremendous-er" (sic) value if it was a "TRUE" internet based PIN Debit application, but...since the "card's not present," neither is it TRUE PIN Debit. (see "Software PIN Debit Doesn't Exist...")

Javelin's (Bruce) Cundiff said that "a substantial subset of consumers" are "making the behavior change from credit cards to other methods of payment" and that they would benefit from another "pay-now" method.
Fiserv Inc.'s Accel/Exchange and Metavante Corp.'s NYCE Payments Network LLC are the other two networks testing PaySecure.  

(Editor's Note: Metavante isn't Metavante anymore. It's FIS. Which reminds me...if you're going to the ETA, make sure and stop by FIS' booth, which they are sharing with HomeATM...and utilizing to push HomeATM's "True" PIN Debit platform. Oh...and while you're there, you can congratulate them on their recent acquisition of Metavante...and therefore...NYCE!) See NYCE! Metavante Acquired by Fidelity National


Penny for your card...$1000 for your PIN

A few pennies for your thoughts — and credit card (NewsFlash, Syracuse.com)
JORDAN ROBERTSON - The Associated Press

SAN FRANCISCO (AP) — One economy apparently isn't hurting these days, the one run by identity thieves in the dark corners of the Internet.

Demand and prices remain stable for stolen credit cards, Social Security numbers and other private information, according to a new study by security software maker Symantec Corp.

Meanwhile, the supply of such data is steady too, thanks to the way the recession has inspired new scams targeting people who are worried about work and their finances, according to the Symantec report and another study from Gartner Inc. that was due to be released Tuesday.

"There's no pricing pressure at all, it's not dropping, they're not negotiating down," said Alfred Huger, vice president of Symantec Security Response. "That tells us that there are still the same number of buyers. The underground economy has not been affected by the recession."

One reason is that the prices for some records have been falling for years and can't go much lower. Stolen credit card numbers now go for as little as 6 cents each, if they're bought 10,000 at a time. The price can be $30 per card for smaller orders.  Access to hijacked e-mail accounts: 10 cents to $100. 

Bank account credentials: $10 to $1,000. 

Editor's Note:  Guess which one is $1,000?  Right...bank account credentials with the PIN Number.  See chart on left.  So how do hackers get their hands on PIN numbers? Through a PCI 2.0 PED which 3DES encrypts the Track 2 data, and utilizes DUKPT key management,  or a software platform?  Hmmmm.  Tough one.   

Scammers can hire people to "cash out" compromised bank accounts for between 8 percent and 50 percent of the amount they're stealing. Hosting for scam Web sites ranges from $3 to $40 per week.


You Wormy Little Twit!

Complete item: http://www.sophos.com/blogs/gc/g/2009/04/13/mikeyy-worm-madness-twitter/

First from PC World: It looks like Twitter's website has been scrubbed clean after several bouts of the "Mikeyy" or "StalkDaily" worm plagued the service. Even though the threat seems to have passed, questions remain about just how serious this attack was and if there will be any repercussions for the worm's creator.

Worm Attacks Bird

Early on Saturday, April 11, the Mikeyy worm started to spread via Twitter posts by encouraging you to click on a link to a rival micro-blogging service, StalkDaily.com. As soon as you clicked on the link your account would be infected and begin to send out similar messages encouraging your followers to visit StalkDaily. Then your followers would become infected and the worm's infection rate would grow. You could also catch the worm by viewing infected profiles on Twitter.com.

What on earth is going on at Twitter? That's the question that many people will be asking after the Easter break, following a wave of cross-site scripting worms that hit the micro-blogging site. After each attack Twitter said that it had resolved the problem, only for hackers to return hours later with another attack effectively rubbing Twitter's nose in it.

The latest cross-site scripting worm we've seen on Twitter urges the website to hire Mikeyy Mooney, the suspected author of at least the earlier attacks, and gives a phone number. Journalists who have spoken to 17-year-old Mooney have confirmed to Sophos that the phone number used in the latest worm messages is genuine.

We've chosen to obscure the phone number, although it is trivial for anyone to discover it if they search on the Twitter site for archived messages. If Mooney is responsible for the worms that have troubled Twitter and its many users today then the correct course of action is for the authorities to investigate - not for the internet community to take the law into its own hands.

Of course, it's understandable that some may feel very aggrieved by a worm messing with their Twitter profile settings but it's up to Twitter to decide if it wants to make a complaint to the police.

But the worm suggesting that Mikeyy could help Twitter out with its security problems wasn't the end of it.

Yet another cross-site scripting worm hit Twitter, pretending to be a link to removal instructions for the earlier attacks. Unfortunately, if you clicked on the bit.ly link you were redirected to an infected Twitter profile page, which - yes, you guessed it - would infect your profile too and continue the spread of the worm.

What's most alarming to me though is that it seems Twitter was caught with its pants down in the aftermath of all of these attacks. To be hit by one cross-site scripting worm may be regarded as a misfortune, to be struck three or four times over a weekend looks like carelessness.
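The propagation both excerpts describe (view an infected profile, your own profile picks up the same payload, your followers see it next) is the textbook stored cross-site scripting worm: a profile field written into the page without output encoding. The model below is an added example and is not Twitter's code, the worm's code, or anything from Sophos or PC World. The payload, the user records, the example.invalid URLs and the everyone-views-everyone visiting pattern are constructed stand-ins; the same profile page is rendered once raw and once with the user-controlled fields HTML-escaped, and the simulated browser treats any <script> element in a page as running in the viewer's logged-in session.

```python
"""Stored-XSS worm propagation model (added example, constructed data).

The real Mikeyy/StalkDaily payload is not reproduced; WORM_PAYLOAD is a
placeholder whose only modelled action is to copy itself into the bio of
whoever views a page that contains it.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed placeholder payload, not the real worm.
WORM_PAYLOAD = "<script>/* placeholder: copies itself into the viewer's profile */</script>"

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def render_profile_vulnerable(profile):
    """Profile page with the user-controlled fields dropped into the HTML raw."""
    return (
        '<div class="bio">' + profile["bio"] + "</div>"
        '<a href="' + profile["url"] + '">site</a>'
    )


def safe_href(url):
    """Output encoding does not make a javascript: URL harmless inside an
    href, so the link gets a scheme allowlist before it is escaped."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_profile_hardened(profile):
    """Same page; every user-controlled field is HTML-escaped on output."""
    return (
        '<div class="bio">' + html.escape(profile["bio"], quote=True) + "</div>"
        '<a href="' + safe_href(profile["url"]) + '">site</a>'
    )


def browser_view(viewer, page_html):
    """Models the viewer's browser: a <script> element in the page runs in
    the viewer's session, and the modelled worm script writes itself into
    the viewer's own bio. Returns True if this page view infected them."""
    if SCRIPT_RE.search(page_html) is None:
        return False
    if WORM_PAYLOAD not in viewer["bio"]:
        viewer["bio"] += WORM_PAYLOAD
    return True


def simulate(renderer, n_users=50, rounds=2):
    """Every user views every profile each round (a crude stand-in for
    followers reading each other's pages). Returns how many profiles end
    up carrying the payload after all rounds."""
    users = [{"bio": f"user {i}", "url": f"https://example.invalid/{i}"}
             for i in range(n_users)]
    users[0]["bio"] = WORM_PAYLOAD  # patient zero: stored XSS in one profile
    for _ in range(rounds):
        pages = [renderer(u) for u in users]
        for viewer in users:
            for page in pages:
                browser_view(viewer, page)
    return sum(WORM_PAYLOAD in u["bio"] for u in users)


if __name__ == "__main__":
    print("raw output    :", simulate(render_profile_vulnerable), "of 50 profiles infected")
    print("escaped output:", simulate(render_profile_hardened), "of 50 profiles infected")
```

With raw rendering every profile carries the payload after the first round of page views; with escaping on output only patient zero does, because the stored text is displayed rather than executed. Escaping alone does not neutralise a javascript: URL placed in an href, which is why the hardened renderer also allowlists the URL scheme before escaping it.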


Heartland Breach Still Affecting Consumers

Kenosha News | Local banks victims of data breach

Thieves use stolen data on debit, credit transactions

Customers at Southport Bank in Kenosha fell victim last week to a data breach at a company that processes debit and credit card transactions for national retailers. 

In January, Heartland Payment Systems announced a data breach. Since then, customers of more than 600 banks around the country have been victims of debit card fraud, with thieves using data stolen during the Heartland breach.

Last week, Southport learned 78 customers had been hit by debit card theft, with the thieves using fraudulently produced duplicate cards to make purchases.  The bank said that customers — including several Southport Bank employees — began noticing irregular transactions on their accounts April 8th.  Other local banks also have been affected, including Bank of Kenosha.

Southport senior vice president Gregg Pfarr — who said his own personal account was one of those breached — said the bank moved to shut down the fraud, issuing new cards to customers believed vulnerable and placing a $100 limit on signature-only uses of debit cards that do not require customers to provide a personal identification number (PIN).  Editor's Sarcastic Note:  That must mean that PIN transactions are more secure than signature debit...who woulda thunkit?

Before the bank was alerted to the scam, the identity thieves made $31,000 in purchases with the cards. Southport Bank is covering those losses; bank customers are not liable for the charges.  According to Pfarr, the problem is related to the security breach announced by New Jersey-based Heartland, which provides debit and credit card processing services for more than 250,000 retailers across the country.

Heartland issued statements saying it had uncovered “malicious software” planted in the company’s payment network. That software apparently captured data from the magnetic stripe on the back of credit and debit cards, allowing thieves to recreate the cards. The breach may have exposed millions of cardholders across the nation to fraud. According to Heartland, the malicious software did not capture individual PINs, addresses or other personal information from card holders. The FBI is investigating the breach.

Pfarr said it appears scammers are using the information to hit banks in clusters. He said the fraudulent charges on customers’ cards were out of state, concentrated in Arizona, California and Illinois. Pfarr said the charges on his own account were at Wal-Mart and Walgreens stores in Arizona.  The charges to Southport customers all appeared to occur in the last week, and the bank now believes it has shut down all the cards vulnerable to the fraud. 

Bank of Kenosha officials acknowledged the Heartland breach also affected their bank. However, chief financial officer Mark King said he could not comment on the details, saying the bank officer who worked on the issue was out of the office Monday.  Pfarr said all consumers should keep a close watch on account information and be wary of fraudulent charges. By law, he said, customers are not liable for fraudulent purchases on their cards.


More on the Paradigm Shift...eCommerce vs. Brick-and-Mortar Sales

From Practical eCommerce, by Armando Roggio

Online shopkeepers willing to indicate how their sales were doing in 2009 generally reported extremes, with sales either rising or falling by more than 10 percent, according to a new Practical eCommerce survey.

Practical eCommerce asked a group of its readers how their 2009 sales had fared compared to the first quarter of 2008. By April 7, 2009, 34.6 percent of those responding had seen a 10 percent or greater increase in sales for the first three months of 2009 compared to the same 2008 quarter. Some individuals indicated sales growth of 30 percent or more. Unfortunately, another 28.8 percent of respondents said that their sales had fallen 10 percent or more in the first three months of 2009 compared to the same 2008 period. One merchant said sales were off by more than 50 percent.

The Trend Could be Related to Business Size

The extremes in ecommerce sales growth and decline could simply be a function of the fact that most Practical eCommerce readers represent small- to medium-sized ecommerce businesses, which may be more volatile than larger concerns. As evidence of this, a survey conducted in November 2008 by Practical eCommerce discovered that 47.7 percent of its readers were relatively small businesses with sales of less than $100,000 annually; 23 percent had annual sales of $100,000 to $500,000; and another 18.7 percent had yearly sales between $500,000 and $5 million.

Smaller ecommerce businesses can be more volatile because of tighter cash flows, smaller marketing budgets, and just because of the size of their total revenues.

"Due to the economic situation, I've put off purchasing replacement inventory and new inventory. I also put off attending the NYC Toy Fair, which is 'the' show to attend in my industry," said one retailer whose sales had fallen 52 percent compared to the first quarter of 2008.

When sales drop for smaller retailers there is rarely a large reserve of capital. Cash flow constricts and even vital business functions like purchasing inventory get postponed. When a product is out of stock, it cannot be sold, and sales fall. Tight budgets can also mean that smaller merchants are likely to stop advertising before their larger cousins, again leading to a dramatic decline in total sales.

The Trend Could Be Tied to Brick-and-Mortar Sales

A second potential reason for the dual trends could be related to brick-and-mortar sales. Nearly one fifth of Practical eCommerce readers operate both a physical retail outlet and an online store. Sales at so-called brick-and-mortar stores are generally believed to be trailing ecommerce sales, meaning that some of the survey's respondents might be weighed down with lackluster location sales and fixed, brick-and-mortar overhead.

"Brick-and-mortar sales are stagnant," said one respondent. "The [economic] 'atmosphere' has kept customers away from in-store shopping," said another survey respondent. "Those who do shop make purchases and then have them shipped to their residence to keep their purchases on the 'down-low' from the public eye."

The Trend Could Be Industry Related

The seemingly extreme differences in how well an ecommerce business was doing in 2009 might also have been the result of which industry a merchant was serving. As an example, of those businesses that had experienced a 10 percent or more growth in sales in the first quarter of 2009, 22 percent were in the home, furniture, or garden segment.

As one retailer pointed out, more customers might be looking for do-it-yourself supplies, and they are finding them cheaper online.

No Clear Resolution

Unfortunately, the survey tended to raise more questions than it answered. But it was clear that in spite of almost constant concerns about the economy several merchants are experiencing sales growth.

The ATM Skimming/Romania Connection

A high-tech syndicate composed mainly of Romanians is believed to be behind a spate of recent ATM skimming incidents that have targeted almost 40 ATMs in Sydney alone, the Fraud Squad says. 

Up to a dozen members of the sophisticated gang are believed to have entered the country in recent months, moving between capital cities and attaching skimming devices to ATMs, said Colin Dyson, Commander of the NSW Fraud Squad.  They operate under the orders of international ringleaders, who at the same time orchestrate similar scams in other countries.  At least 10 ATMs in Melbourne have been used to steal customers' bank card details and more than $1 million, police say.

Sydney has been hardest hit, with police sources saying as many as 40 ATMs have been targeted. The amount of cash stolen is yet to be tallied.

NSW police on Sunday arrested two Romanian nationals after people saw them allegedly installing suspicious devices on an ATM at Avalon, on Sydney's northern beaches.  The men, aged 36 and 32, were charged with possessing implements for making false instruments, and face court today.  Seven other Romanian men aged in their 20s and 30s have already been charged over the scams - two who faced court in Sydney last week and five in Melbourne.

In recent days, police in the US and New Zealand also prosecuted Romanian nationals over ATM skimming.

"It's a global phenomenon," Detective Superintendent Dyson said. "We also suffer a fair bit of internet fraud from that part of the world, from Eastern Europe and Russia.  "It seems they're adept at putting this technology together."

Detective Superintendent Dyson said there had been a rise in ATM skimming since late last year. "Back in 2005 we arrested some Bulgarians that came out here. There hasn't been a great number of incidents since then, but towards the end of the year we started to see it again."

"The monetary impact is hard to gauge, even for the financial institutions, as it's hard to identify [if missing money] is the result of ATM skimming, retail skimming or phishing or internet fraud," Detective Superintendent Dyson said.
