Friday, April 17, 2009

Something Phishy About Banks Not Using 2FA from HomeATM

Research shows that most online banking sites have inbuilt flaws which could potentially put valuable customer data into the wrong hands.

Now there is a way (since March 17th, 2009) to vastly increase the security of online banking. 

HomeATM engineered AND manufactures the world's FIRST and ONLY PIN Entry Device solely designed for online authentication and eCommerce to achieve PCI 2.0 certification.  What that means is:

Banks now have a choice.  They can use what many consider to be a very obsolete UserName/Password login OR they can provide a methodology which safely and securely authenticates their online banking customers with two-factor authentication. 

Logging on to a bank's online banking site is now quick/convenient and easy.

Bank customers would simply swipe their bankcard through HomeATM's SafeTPIN device and enter their bank assigned PIN. 

HomeATM is proud to introduce the security of "True" 2FA (two-factor authentication) to the online banking community AND provide the impetus for banks to procure more online banking customers via the allure of the most secure online banking platform in the industry.

I don't mean to oversimplify how easy it would be for a financial institution to implement "True 2FA" with HomeATM's device, but it's unavoidable.

To keep it short, I'll provide but one recent fact from Gartner Research:
According to research firm Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks.  (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before, to five million.)

The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved.  (That's $196 to the banks and $154 to the consumers)  "The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner.  (Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based)
Guess what?  The HomeATM "SafeTPIN" device would not only eliminate "phishing attacks" but it would also eliminate the threat of "cloned cards" and "cloned bank sites," AND provide "True 2FA" for online banking customers.

Additional benefits include empowering online banking customers with the ability to perform:

  • Person to Person Money Transfers,
  • Bill Payment Online (with "True PIN" vs. PINless Debit)
  • Secure online transactions with online retailers.
As I said, I don't mean to oversimplify WHY banks should investigate our solution further, but sometimes the simplest things in life are the best...aren't they?

In closing out this week's edition of the PIN Payments News Blog, I'll state one more "food for thought" item.

According to a trustworthy source, Bank of America spent $129 Million on PCI DSS compliance last year. 

Now I'm not saying that our SafeTPIN device would eliminate the entire cost of PCI DSS compliance, BUT...on account of how we are "already" PCI 2.0 PED certified, any bank that utilizes our device for "True Two Factor Authentication" during the log-in process would effectively be removed from the scope of PCI DSS requirements:

  • at least for their online banking application
  • and Bill Pay
  • and online eCommerce Transactions
  • and Money Transfers

Anybody out there that knows some high level banking executives...pop me an email and let's talk.

I'll make you some serious money, save banks some serious money, enhance the banks' image AND provide consumers with the peace of mind of knowing that their financial information is secure!

Consumers fear financial security threats more than the threat of a terrorist attack (see graph on left).

Here's a quote from "Convenience or Security?  How About BOTH?":

Americans "DEFINITELY" want security.

In fact, Americans worry more about credit and debit card fraud than they do about a terrorist attack...according to a new report from Unisys.

Oh...and in quantity, our device costs about 10% of what it currently costs banks and consumers for each "phishing incident."  Simple...ain't it?


Online Fraud Benchmark Report - RSA Conference

Source: eFraud Network

Executive Summary

Experts know there are more stolen credentials in the hands of the cybercriminals than ever before.

And, we're seeing more fraudsters cash-out using stolen credentials with unprecedented speed.  Last year, RBS WorldPay reported their debit card payroll card system was the victim of a hacking ring compromising over one million personal records. What was different about this hack, however, was the speed with which the cybercriminals behind the hack were able to cash-out. News agencies in the U.S. reported that nine million in cash was netted by cloning cards in 49 cities across the globe in the U.S., Canada, Russia and Hong Kong, all in about 30 minutes [1]. Similarly, in the U.S., PIN cashers were able to withdraw five million in less than 48 hours from Citibank [2] using compromised prepaid debit card accounts.

In testimony at Homeland Security Committee hearings about data breaches, the Department of Justice said “the problem has grown so big federal prosecutors across the country are pursuing 2,000 cases related to identity theft” and that “the number of convictions for identity theft have more than doubled – a 138 percent increase, in the last four years.” [3]

Combine this testimony, and the attacks mentioned above, with the Heartland Breach – the largest data breach on record as far as number of identities compromised – and 2008 will be remembered as the year the cybercriminals not only perfected their identity-stealing skills but also their bank robbing skills.

To try and understand how online fraud and data breaches are impacting multiple industries and organizations, the Program Committee of the eFraud Network™ Forum (eFN), a global group of antifraud professionals from the financial services, payment, merchant and law enforcement community, created its first in-depth survey about online fraud.

We received 104 responses from individuals representing organizations in many different industries and countries. We provide information about the survey respondents and our methodology in Appendix A.

Key Findings: The 2009 Online Fraud Benchmark Report highlights five significant findings:

• Data breaches are no longer a rarity and current regulations are not working.
• Spending to prevent fraud is up or holding steady through 2009.
• More cross‐industry information sharing is needed to prevent online fraud.
• We still don’t know the economic damage of the Heartland Breach.
• There is a direct correlation between the number of attacks and number of customer accounts managed by the survey participants.


2FA is Needed for Online Services

Will 2FA use transcend online banking?
By Vivian Yeo, ZDNet Asia
Friday, April 17, 2009 07:25 PM

SINGAPORE--Two-factor authentication (2FA) is starting to become available for online services other than banking and remote logon to corporate networks, but it remains to be seen whether consumers will take to it.

Local security technology firm Data Security Systems Solutions (DSSS) is set to showcase a new two-factor authentication service for online services at the RSA Conference next week. Called BetterThanPin, the service is unique in that it allows consumers, rather than service providers or enterprises, to initiate stronger authentication for the online services they deem important, said Tan Teik Guan, the company's chief executive and chief technology officer, in an interview Friday with ZDNet Asia.

The BetterThanPin service requires a user to create an account on the BetterThanPin portal and register the online accounts. (Editor's Note...IMHO, that makes it "worse than PIN" because it's done on the web.  Anything done in the browser space is hackable.)

During the sign-up process, the user is also asked to select the preferred mode or token of receiving the weekly-generated passwords. These temporary passwords--six-digit numbers--will be added to the string of characters in a user's static password for a particular account.

According to Tan, the service currently only allows users to initiate 2FA for their Gmail accounts. However, it is also ready to manage Facebook accounts, and there are plans to add Yahoo Mail and Skype to BetterThanPin. The service is also envisioned to be compatible with hardware and software tokens.

Starting next week, DSSS will initiate a trial for Gmail users, he added. The company is targeting 1,000 users of different demographics globally to participate in the trial, which will last till August.

"From the feedback, we will decide whether to continue [developing] the service [and] what [other] online services to ready [it for]," said Tan.

The company has so far been focused on developing BetterThanPin, which uses existing authentication technology by DSSS, and paid scant attention to the commercial viability of the service, admitted Tan. However, he said the service could eventually be offered through the cloud by service providers, in individual enterprise deployments such as Intranet sign-in or directly to individuals.

Should DSSS market the service direct to consumers, it may include advertisements sent with the temporary passwords as it would not be realistic to offer the service for free long-term to consumers, he noted.

DSSS is not alone at trying to introduce stronger authentication for online services. Last month, Vasco Data Security announced in a media release that customers of Square Enix would be offered stronger authentication to access content and services by the Tokyo-based video game company.

With the move, Vasco noted the popular massively multiplayer online role-playing game, Final Fantasy XI, would be the first online game in Japan to make use of one-time passwords for authentication.

Citing statistics released by Japan's Ministry of Internal Affairs and Communications in February, Vasco said there were nearly 2,300 cases of fraudulent access to online services in the country last year--a 26 percent increase year on year. Over half of the cases involved online auctions, while some 457 were related to online games.

Security vendors including Sophos and Symantec have also, in the past, warned of cybercriminals tapping on malware such as Trojans to steal credentials of online gamers. With the growing number of online game sites and players, it was increasingly lucrative for malware writers looking to profit from online assets.

Continue Reading at ZDNETAsia
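The BetterThanPin arrangement the article describes (a six-digit temporary password appended to the user's static password, regenerated weekly) as an added example; this is not code from DSSS, ZDNet or this blog. The HMAC-SHA256 derivation of the weekly code, the week boundary (whole weeks counted from the Unix epoch) and the sample secret and password are all assumptions chosen for illustration. Besides verifying the composite credential, it shows what weekly rotation implies: a composite captured once remains valid until the week index changes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed sample data (not from the article): a secret shared between the
// service and the user's token, and the user's static account password.
var (
	userSecret     = []byte("constructed-per-user-secret-0001")
	staticPassword = "correct horse battery"
)

const codeDigits = 6

// weekIndex numbers the weeks since the Unix epoch. The article only says the
// codes are weekly; where the week boundary falls is an assumption here.
func weekIndex(t time.Time) uint64 {
	return uint64(t.Unix() / (7 * 24 * 3600))
}

// weeklyCode derives the six-digit temporary password for one week as
// HMAC-SHA256(secret, week) truncated HOTP-style. The article does not say how
// DSSS generates the codes, so this derivation is an assumption.
func weeklyCode(secret []byte, week uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], week)
	mac := hmac.New(sha256.New, secret)
	mac.Write(msg[:])
	n := binary.BigEndian.Uint32(mac.Sum(nil)[:4]) & 0x7fffffff
	return fmt.Sprintf("%06d", n%1000000)
}

// verifyComposite checks the submitted string <static password><6-digit code>,
// the layout the article describes. Both halves are compared in constant time.
func verifyComposite(submitted string, secret []byte, static string, at time.Time) bool {
	if len(submitted) < codeDigits {
		return false
	}
	split := len(submitted) - codeDigits
	want := weeklyCode(secret, weekIndex(at))
	staticOK := subtle.ConstantTimeCompare([]byte(submitted[:split]), []byte(static))
	codeOK := subtle.ConstantTimeCompare([]byte(submitted[split:]), []byte(want))
	return staticOK&codeOK == 1
}

// replayable reports whether a composite credential captured at `captured`
// (phished, or read out of a compromised browser) is still accepted at `later`.
// With weekly rotation it stays valid until the week index changes.
func replayable(secret []byte, static string, captured, later time.Time) bool {
	stolen := static + weeklyCode(secret, weekIndex(captured))
	return verifyComposite(stolen, secret, static, later)
}

func main() {
	now := time.Date(2009, time.April, 17, 12, 0, 0, 0, time.UTC)
	code := weeklyCode(userSecret, weekIndex(now))
	fmt.Println("this week's code:", code)
	fmt.Println("login now:", verifyComposite(staticPassword+code, userSecret, staticPassword, now))
	fmt.Println("stolen credential 3 days later:", replayable(userSecret, staticPassword, now, now.Add(72*time.Hour)))
	fmt.Println("stolen credential 8 days later:", replayable(userSecret, staticPassword, now, now.Add(8*24*time.Hour)))
}
```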


Breaches Will Get Worse in '09

Data Breaches Rampant in 2008

More electronic records were breached in 2008 than the previous four years combined, according to the 2009 Verizon Business Data Breach Investigations Report (pdf) released this Wednesday.

The research is based on Verizon Business data of 285 million compromised records from 90 confirmed breaches.

Key findings from Verizon's report:

  • Most data breaches investigated were caused by external sources. External data breaches are highest in Eastern Europe, East Asia and North America; these regions combined account for 82% of all external attacks.
  • Most breaches (64%) resulted from a combination of events rather than a single action. For example, an attacker exploiting a mistake committed by the victim, hacking into the network, and installing malware on a system to collect data.
  • In 69% of cases, the breach was discovered by third parties - most organizations do not discover their own breaches.
  • Nearly all records compromised in 2008 were from online assets rather than desktops, mobile devices, portable media, etc.: 99% of all breached records were compromised from servers and applications.
  • Roughly 20% of 2008 cases involved more than one breach.
  • "Highly sophisticated" attacks account for only 17% of breaches, Verizon said. Still, these cases accounted for 95% of the total records breached, which indicates that hackers know where and what to target.
  • Being Payment Card Industry (PCI)-compliant is critically important: 81% of affected organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.

Data breaches investigated in 2008 affected a wide array of organizations:

  • Food and beverage establishments, the second most frequently hit industry in the first report, dropped to 14% in 2008, down from 20%.
  • The retail industry accounts for a third of all cases.
  • Breaches in the financial services increased the most, doubling to a share of 30%, and representing 93% of the compromised records in the study - with 90% of these records involving groups engaged in organized crime.

Mistakes and oversight failures - as opposed to lack of resources and hindered security efforts - were identified as the main cause of the breaches. And 90% of all breaches could have been avoided if basic security guidelines had been followed, Verizon concluded from a previous study, covering 230 million compromised records from 2004 to 2007.

These are: changing default credentials; avoiding shared credentials; reviewing user accounts; employing application testing and code review; patching comprehensively; assuring HR uses effective termination procedures; enabling application logs and monitoring them; and defining "suspicious" and "anomalous" - be prepared to defend against and detect very determined, well-funded, skilled and targeted attacks.

Cybercrime is always evolving, Verizon said.

For example, new methodologies, like memory scraping malware, are being used to steal personal identification codes, or PIN numbers, associated with credit/debit accounts, to withdraw cash directly from a consumer's account.



Hackers, PIN Codes and Sensationalism

What follows is a dynamite piece from the Securosis Blog explaining that the piece in Wired, about PIN cracking, was a blend of sensationalism and journalism.  I especially like Adrian Lane's theory on the Heartland Breach which I have enlarged and greyed below.  Enjoy! 

“PIN Crackers” and Data Security

Really excellent article by Kim Zetter on the Wired Threat Level site in regards to "PIN cracking", and some of the techniques being employed to gather large amounts of consumer financial data. I know Rich referenced this post earlier today, but since I already wrote about it and have a few other points I think should be mentioned, hopefully you will not mind the duplicated reference.

Before I delve into some of the technical points, I want to say that I am not certain if the author desired a little sensationalism to raise interest, or if the security practitioners interviewed were not 100% straight with the author, or if there was an attempt to disguise deployment mistakes by hyping the skills of the attacker, but the headline and some of the contents are misleading. The attackers are not 'cracking' the ATM PINs, as the encryption is not what is being attacked here. Rather they are 'scraping' the memory of the security devices, looking for unencrypted data or the encryption keys. In this case by grabbing the data when it is unencrypted and vulnerable (in a cryptographic sense if not the physical one) within the Hardware Security Device/Module/Unit for electronic funds transfers, hackers are in essence sniffing unencrypted data.

The attack is not that sophisticated, nor is it new, as various eavesdropping methods have been employed for years, but that does not mean that it is easy. Common tactics include altering the device's operating system or 'attaching' to the hardware bus to access keys and passwords stored in memory, thus bypassing intended interfaces and protections. Some devices of this type are even constructed in such a way that physical tampering will destroy the machine and make it apparent someone was attempting to monitor information. Some use obfuscation and memory management technologies to thwart these attacks. Any of these requires a great deal of study and most likely trial and error to perfect. Unless of course you leave the HSM interface wide open, and your devices were infected with malware, and hackers had plenty of time to scan memory locations to find what they wanted.

I am going to maintain my statement that, until proven otherwise, this is exactly what was going on with the Heartland breach. For the attack to have compromised as many accounts as they did without penetrating the Heartland facility would require this kind of compromise. It implies that the attackers have access to the HSM, most likely exploiting negligent security of the command and control interface, and infecting the OS with malicious code. Breaking into the hardware or breaking the crypto would have been a huge undertaking, requiring specialized skills and access.

Part of the reason for the security speed-bump post was to illustrate that any type of security measure should be considered a hindrance; with enough time, skill and access, the security measure can be broken. Enough hindrances in place can provide good security. Way back when in my security career, we used to perform hindrance surveys of our systems to propose how we might break our own systems, under what circumstances this could be done, and what skills and tools would be required. Breaking into an HSM and scraping memory is a separate and distinct skill from cracking encryption (keys), and different from writing SQL and malware injection code. Each attack has a cost in time and skill required. If you had to employ all of them, it would be very difficult for a team of people to accomplish. Some of the breaches, both public as well as undisclosed breaches I am aware of, have involved exploitation of sloppy deployments, as well as the other basic exploitation techniques. While I agree with Rich's point that our financial systems are under a coordinated multi-faceted attack, the attackers had unwitting help.

Criminals are only slightly less lazy than system administrators. Security people like to talk about thinking like a criminal as a precursor to understanding security, and we pay a lot of lip service to it, but it is really true. We are getting to watch as hackers work through the options, from least difficult to more difficult, over time. Guessing passwords, phishing, and sniffing unencrypted networks are long since passé, but few are actively attacking the crypto systems as they are usually the strongest link in the chain. I know it sounds really obvious to say that attackers are looking at easy targets, but that is too simplistic. Take a few minutes to think about the problem: if your boss paid you to break into a company's systems, how would you go about it? How would you do it without being detected? When you actually try to do it, the reality of the situation becomes apparent, and you avoid things that are really freakin' hard and find one or two easy things instead. You avoid things that are easily detectable and being watched. You learn how to leverage what you're given and figure out what you can get, given your capabilities. When you go through this exercise, you start to see the natural progression of what an attacker would do, and you often see trends which indicate what an attacker will try and why.

Despite the hype, it's a really good article and worth your time.



ATM Skimming Incidents Take Off!

ATM 'skimming' increases as economy falters
Thieves attach mini-technology to machines for just a few hours that secures customer card numbers, PINs, to make new cards

April 17, 2009
The Baltimore Sun

BALTIMORE — Privacy experts, banks and others are warning consumers about a threat to their personal financial information: electronic "skimming" devices that record credit-card and debit-card numbers at ATMs, gas pumps or vending machines. Using tiny technology disguised as part of the machine, thieves use the information to press new cards with customers' numbers, to the dismay of cardholders such as Kristin R. Kyriakos, 29, of south Baltimore, who returned from vacation Monday to numerous bank overdraft notices in her mailbox.

Thieves had stolen her number while she used an ATM at a Wachovia branch location. With that information, they withdrew cash from several ATMs in New York, taking $2,500, she said. "All of a sudden, I'm really apprehensive," Kyriakos said. "I wasn't aware that people were even capable of doing this."

There's no central source of data to determine the extent of the problem, said American Bankers Association spokeswoman Margot Mohsberg, but anecdotal evidence suggests skimming is cyclical, like other types of fraud.

"As the economy gets worse and people get more desperate for money, the amount of fraud tends to go up," she said.

Also, the technology is more accessible, with people able to purchase the necessary equipment over the Internet, she said. Criminals use magnetic strip readers to record information from the ATM card.

Continue Reading


Under the federal Electronic Funds Transfer Act, banks have up to two weeks to investigate before returning any money, said Paul Stephens of the nonprofit Privacy Rights Clearinghouse. That can be a big problem for people who need cash in their accounts to pay bills and living expenses.

"You may be in a position where your account is completely depleted," he said. "Don't be fooled by the promise that ... you have 'zero liability for fraudulent transactions.' You have zero liability once the investigation is completed."

He noted that skimming schemes in which thieves capture ATM card information as well as PINs were not very common. Debit cards or check cards are more vulnerable, because they are used like credit cards for less secure point-of-sale transactions without entering a PIN, Stephens said. ATMs often have security cameras that would record any tampering, he said.

Federal law provides limited protections for consumers who use debit cards or check cards. Debit-card users are liable for $50 of fraudulent charges if they notify their banks in writing within two days of noticing errors, but up to $500 within 60 days, said Hugh Williams, coordinator of the identity-theft office of the Maryland attorney general's office.

"After that, it's gone, basically," he said. That's why he reminds everyone to regularly inspect their bank statements.


Personal Identification Numbers, or PINs, are supposed to provide secure authentication for bank cards. Unfortunately, they are increasingly failing to do so. - Chad Perrin from the Tech Republic Blog

Most of you have probably heard about ATMs with skimmers mounted over the card slot that can read your card on the way in and out of the machine, with carefully placed cameras to read your PIN as you type it in. The person setting up this little trap can then clone the card with the skimmed data, and with the PIN gets access to your bank accounts. The first time I remember hearing about that method for cracking PIN security on bank cards was in the early ’90s, so it’s not exactly a new technique.

More recent developments in bank card security cracking include malicious phishing Websites, cross-site scripting, and legitimate Websites that have been directly compromised by security crackers. It’s an especially disturbing phenomenon because bank cards don’t usually have the same zero liability protections as credit cards — a fact most users of debit cards don’t think about when they use their bank cards the same way they’d use credit cards.

A new, and even more disturbing, security vulnerability for bank cards has arisen.

A research fellow at the French National Institute for Research in Computer Science and Control (say that five times fast) named Graham Steel wrote a paper in 2006 that addressed vulnerabilities in the hardware security modules that tie the bank card authentication network together.

The paper, submitted to British HSM manufacturer nCipher, provided guidelines for hardware security module configuration that would help mitigate the vulnerability of the devices to attack, but it also pointed out that other aspects of HSM vulnerability were inherent to their design. To really and truly fix the problem of HSM vulnerability, the devices would have to be fundamentally redesigned in a manner that is not backward compatible. Payment processing networks across the globe would have to be reimplemented using a different, improved standard.

HSM manufacturers such as Thales-eSecurity maintain that they address the security vulnerabilities addressed by Steel’s paper, but thus far they seem to be taking an approach remarkably similar to the way Microsoft OSes are “secured” against viruses. Other reassurances that HSM manufacturers are seeing to our security involve statements about how the devices are delivered in a very secure configuration by default, which is all well and good if you don’t need them to actually do much. Unfortunately, most payment processing transactions require functionality to be enabled that exposes the devices to significant potential for compromise. As Brian Phelps of Thales-eSecurity put it, according to the Wired article PIN Crackers Nab Holy Grail of Bank Card Security:

It’s a very difficult challenge to protect against the lazy administrator. Out of the box, the HSMs come configured in a very secure fashion if customers just deploy them as is. But for many operational reasons, customers choose to alter those default security configurations — supporting legacy applications may be one example — which creates vulnerabilities.

He went on to confirm Steel’s estimation of the scope of the problem, saying that redesigning the payment processing system to comprehensively address the current vulnerabilities due to legacy systems compatibility needs “would require a mammoth overhaul of virtually every point-of-sale system in the world.” If this doesn’t send a chill down your spine, either you aren’t paying attention, or you don’t actually use a bank card.

It is only recently that there have been verifiable incidents of PINs being skimmed from HSMs, either gathered unencrypted from the device’s volatile memory or picked up as encrypted PIN blocks and decrypted. In some cases, at least, the decryption is made possible by the fact that the HSMs themselves contain decryption keys, and once one encrypted PIN block is decrypted it becomes much easier to decrypt the rest of them.

At first glance, one might think that the idea of storing decryption keys on devices scattered around the country that relay PINs from point to point using a model conceptually similar to Internet routing itself should have been immediately recognizable as a bad one, thanks to the example of the inherently flawed concept of digital DRM. Of course, the design of payment processing hardware security modules predates the AACS key for HD-DVDs, the Sony DRM rootkit, and Microsoft’s WGA. HSM designers get a free pass on learning from the mistakes of others, although the fact the mistake was made in the first place should have been avoidable.

For the most part, the problem is the way HSMs pass PINs around, tend to have scads of unnecessary features enabled at any given time, and contain the keys needed to decrypt the encrypted PINs. A couple of key points include:

  • End-To-End Encryption: The PINs should be encrypted and decrypted only at the end-points. Encrypting and decrypting anywhere between those points just increases the options for unauthorized interception.
  • Private Key Encryption: Using standardized encryption keys is tantamount to criminal negligence in this age of private key cryptography. Each and every end-point, including the bank cards themselves and the receiving systems that need to authenticate a request, should have a private and public key set. This way, you’d only be able to read data if you’re one of the unique end-points that is supposed to have access to it.

As things currently stand, however, the likelihood of the system being overhauled is pretty slim due to the immense cost that would be involved in replacing an entire global payment processing network with an incompatible standard. As a result, this problem is likely to be addressed only in a superficial, “it works right now and that’ll have to be good enough” manner. In many cases, it may not even be secured that well. Be extremely careful where you use your bank cards in the future. While liability protection for credit cards tends to be better than for debit cards, even there you should be wary of the potential threat.

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.
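To make Perrin's two design points concrete, here is an added example (not code from Perrin, the HSM vendors or this blog) that carries a constructed PIN along a four-node path under both models and reports every node inside which the PIN existed in the clear, which is exactly the memory the Securosis piece above describes being scraped. AES-GCM with random 256-bit keys stands in for the real PIN-block ciphers, and the end-to-end case uses one symmetric key held only by the ATM and the issuer, a simplification of the per-endpoint key pairs the article calls for; the node names and the PIN 4921 are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed path through a card network (not from the article): the PIN is
// typed at the ATM and can only be verified by the issuer; the HSMs in between route.
var path = []string{"ATM", "acquirer HSM", "network switch HSM", "issuer HSM"}

// blob is an AES-GCM ciphertext with its nonce. It stands in for an encrypted
// PIN block; real networks use other ciphers, which does not change the argument.
type blob struct{ nonce, ct []byte }

func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

func seal(key, pin []byte) blob {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return blob{nonce: nonce, ct: gcm.Seal(nil, nonce, pin, nil)}
}

func open(key []byte, b blob) ([]byte, error) {
	return gcmFor(key).Open(nil, b.nonce, b.ct, nil)
}

// hopByHop models zone-key translation: every link has its own key, so each
// intermediate HSM must decrypt the block and re-encrypt it for the next link.
// It returns every node inside which the PIN existed in the clear.
func hopByHop(pin string) (exposed []string, delivered string, err error) {
	exposed = []string{path[0]} // the ATM sees the PIN as it is typed
	key := newKey()             // zone key for the first link
	b := seal(key, []byte(pin))
	var pt []byte
	for i, node := range path[1:] {
		if pt, err = open(key, b); err != nil {
			return nil, "", err
		}
		exposed = append(exposed, node) // PIN in the clear inside this HSM
		if i < len(path)-2 {            // not the issuer yet: translate onward
			key = newKey()
			b = seal(key, pt)
		}
	}
	return exposed, string(pt), nil
}

// endToEnd models the article's recommendation: a key held only by the two
// endpoints. Intermediaries forward an opaque blob; an HSM that tries its own
// zone key on it gets an authentication failure, not the PIN.
func endToEnd(pin string) (exposed []string, delivered string, err error) {
	key := newKey() // shared only by ATM and issuer
	b := seal(key, []byte(pin))
	for _, node := range path[1 : len(path)-1] {
		if _, err = open(newKey(), b); err == nil {
			return nil, "", fmt.Errorf("%s opened the block with its own key", node)
		}
	}
	pt, err := open(key, b)
	if err != nil {
		return nil, "", err
	}
	return []string{path[0], path[len(path)-1]}, string(pt), nil
}

func main() {
	for _, m := range []struct {
		name string
		run  func(string) ([]string, string, error)
	}{{"hop-by-hop translation", hopByHop}, {"end-to-end", endToEnd}} {
		exposed, pin, err := m.run("4921") // constructed sample PIN
		fmt.Printf("%-22s delivered=%q PIN in the clear at %d nodes %v err=%v\n", m.name, pin, len(exposed), exposed, err)
	}
}
```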

Shares of Major Credit Card Companies Mixed

Sector Snap: Credit card companies mixed
Associated Press

Shares of major credit card companies were mixed Thursday, as several analysts warned that ongoing credit deterioration and a decline in consumer spending will likely pressure earnings for some time.

Investors got some mixed data about credit card losses Wednesday: Capital One Financial Corp. said its U.S. and international credit card defaults jumped in March, but American Express Co. said defaults in its U.S. card unit rose only slightly. The latter report indicated that some cardholders may be having an easier time paying their bills.

Visa shares fell 99 cents to $58.12, while MasterCard dropped $3.99, or 2.4 percent, to $161.47.

Read the Entire Article at Forbes


Visa Aquarium :60 Second "Tuesday Afternoon" Commercial

The Moody Blues "Tuesday Afternoon" is the song used by Visa in their Aquarium Ad.  If you want to hear the entire song, scroll down for the "extended version" of Tuesday Afternoon. 

I've got a lot of questions in the comments section regarding who sings it and what's the name of the song, on a post I did back in early March about Visa's new Go with Visa campaign, "New Visa Commercial: Aquarium".

So I thought I'd bring you the :60 second commercial.  Here it is, along with a post from Zoo and Aquarium Visitor's Rudy Socha:

Should You Use Your Visa Card When You Visit An Aquarium On A Tuesday?
Zoo and Aquarium Visitor News

By Rudy Socha

Lorain, OH - Recently as part of its GO global advertising campaign Visa ran an ad showing a father taking his daughter to a public aquarium. The commercial was very well done and would have great appeal to young families with children, especially those who regularly visit zoos and aquariums. The tag line asks “When was the last time you took your daughter to an aquarium on a Tuesday?”

There are many branding messages implied by Visa being associated with a family visit to a public aquarium. The most prominent message is “Visa enables your visit”. Visa wants to be thought of as synonymous with a visit to a public animal attraction.

There is a very good reason for Visa doing this as a component of their global ad campaign. Each year more than 200 million Americans visit animal attractions. Worldwide attendance is close to 800 million.

The image of a parent taking their child to an aquarium is very positive and there are a lot of positive connotations associated with this industry. Today’s animal attractions in the United States are associated with conservation, wildlife preservation, environmental education, and overall have the “Green” image every company desires.

Continue Reading


Google, Green Dot, MasterCard, Visa, Western Union in Online Payment Suit

If you can't compete, file a patent-infringement lawsuit!

Actus, a Texas Hold'em company, is gambling that it could win big.  Oops... did I say Texas Hold'em?  I meant Texas-based patent-holding company.  Actus has filed a patent suit against 20 companies, including Google and Sonic Solutions, in the US District Court of Texas, alleging infringement of four of its patents for an electronic payment system.

What have they been doing all these years?  I haven't heard a peep about this company. 

Apparently they dream big, because other defendants in the case include Bank of America, Capital One Financial, Green Dot, JP Morgan Chase & Co, MasterCard International, Meta Financial Group, M&T Bank Corporation, Obopay, Visa, Vivendi Universal SA, Wal-Mart Stores, Walt Disney Co (hope they slip 'em a Mickey), and Western Union.

Google faced 14 patent challenges in 2008, compared to only three in 2006, and has suggested that it plans to curb the growth of potential lawsuits by fighting rather than settling them. However, last month it agreed to settle a visual voicemail patent dispute with Klausner Technologies.

Here's more on the story from Finextra:
BoA, MasterCard, Visa sued over e-commerce payments patents
Actus, a recently formed US holding company, is suing 20 companies, including Bank of America, MasterCard, Obopay and Visa, accusing them of infringing four patents related to an electronic payments system for e-commerce.

Actus, a holding firm based in Texas, filed a suit against the companies in the US District Court for the Eastern District of Texas last week.

The other defendants are Blaze Mobile, Capital One, Enable Holdings, Google, Green Dot, Javien Digital Payments Solutions, JP Morgan Chase, Meta Financial Group, M&T Bank, Sonic Solutions, Vivendi Universal, Walt Disney, Western Union, WildTangent, AgileCo and Wal-Mart.

The patents in question relate to "methods and apparatus for conducting electronic commerce using electronic tokens", where digital currency is used by customers for online payments.

According to the abstracts for the patents: "The electronic tokens are issued and maintained by a vendor, who also provides products and services that can be purchased or rented using the electronic tokens. The electronic tokens may be purchased from the vendor either on-line, using a credit card, or off-line, using a check, money order, purchase order, or other payment means."

The patent applications were originally filed by a company called PayByClick, with Marvin T Ling listed as the inventor.

According to legal newswire Law360, gift cards offered by Bank of America, JP Morgan, Visa, and others, are among the products accused of infringing the patents. Google's Checkout service is also named.

Actus is seeking a permanent injunction against further infringement and unspecified damages. The suit also seeks treble damages because Actus says the patents were infringed wilfully.


Hackers Not Limited...Is PCI?

Brian Krebs, from the Washington Post, writes regularly on security.  Here's an excerpt from an article he wrote in response to Verizon Business' latest report on the state of the payments industry...

Hackers Test Limits of Credit Card Security Standards
The number, scale and sophistication of data breaches fueled by hackers last year is rekindling the debate over the efficacy of the credit card industry's security standards for safeguarding customer data.

All merchants that handle credit and debit card data are required to show that they have met the payment card industry data security standards (PCI DSS), a set of technical and operational requirements designed to safeguard cardholder information from theft or unauthorized access.

Yet, some of the most notable data breach incidents last year targeted companies that had recently been certified as compliant with those standards, raising the question of whether the standards go far enough, or if entities that experienced a breach are falling out of compliance with the practices that led to their certification.

In a recent hearing on PCI standards at a House Homeland Security Committee panel, experts from the retail sector charged that the entire PCI scheme is only a tool to shift risk off the banks and credit card companies' balance sheets.

"The premise behind PCI -- that millions of retail establishments will systematically keep pace with the ever-evolving sophistication of today's professional hacker -- is just not realistic," said David Hogan, senior vice president and chief information officer for the National Retail Federation.

Merchants and retailers who experience a breach and are later found to be out of compliance with the PCI standards face steep fines from the credit card companies, and may eventually be forced to pay banks the costs of reissuing compromised cards.

Michael Jones, chief information officer for Michaels Stores Inc., a craft store chain, maintains that the PCI mandates were developed from the perspective of the card companies, rather than those who are expected to follow them.

For example, a major tenet of the PCI standards is that hackers cannot steal credit and debit card data if retailers simply choose not to store the data. But Jones said retailers are required to store the data to defend themselves from chargebacks, a dispute that can be initiated by a bank or by a bank's customer. If a retailer cannot produce a copy of the receipt in the face of a chargeback, that retailer is forced to pay the cost associated with that chargeback, Jones said.

"This could have been fairly easily solved using a unique approval ID for each transaction, thus eliminating the need for credit card number storage by the retailer," but the credit card companies have balked at that suggestion, Jones said.

Continue Reading Brian Krebs story at the Washington Post


Severity of Breaches Increase

Study: Despite Increased Security Spending, Severity Of Breaches Is On The Increase
CompTIA study says human error is the most frequent cause of breaches worldwide

By Tim Wilson, DarkReading

Despite increased spending on both security technology and training, most companies are experiencing more severe data breaches, according to a newly-completed study.

In its seventh annual security research study, the Computing Technology Industry Association (CompTIA) surveyed some 1,500 IT and security pros in countries around the globe. In the study, CompTIA found that the frequency of breaches had not increased significantly between 2008 and 2007, but the severity of those breaches has increased slightly. The average severity of a breach in 2008 was ranked as 5.6 on a ten-point scale, up from 5.3 in 2007 and 4.8 in 2006.

"The number of breaches may not be going up, but companies are feeling their impact a little bit more each year," says Tim Herbert, vice president of research at CompTIA.

Almost 10 percent of U.S. respondents said security breaches have cost their organizations more than $100,000 in the past 12 months. About a third saw employee productivity affected by a breach, and 20 percent saw an impact on revenue-generating activities. Nineteen percent experienced some server or network downtime as the result of a breach, and 10 percent paid fines or legal fees.

Continue reading at DarkReading

More Bad News for Software Applications

Source: The Register

Network backbone technologies used to route traffic over large corporate networks are vulnerable to large-scale hijacking attacks, according to two researchers who released freely available software on Thursday to prove their point.

The tools, demonstrated at the Black Hat security conference in Amsterdam, are intended to show that attacks once believed to be only theoretical are very much practical, said Enno Rey, one of the creators of the software. He developed the tools along with researcher Daniel Mende.

"We think the trust models of some technologies that are widely deployed in some networks are outdated," Rey told The Register. "This is to make people aware that the technologies they use in their daily life are not as secure as they might seem."

Some of the new tools attack a network data-forwarding technology known as MPLS, or multiprotocol label switching. Carriers such as Verizon, AT&T and Sprint use it to segregate one corporate customer's traffic from another's as it's shuttled from one geographic region to another. The tools make it trivial for anyone with access to the carrier's network to redirect that traffic or alter data on it.

The software works because MPLS has no mechanism for protecting the integrity of the headers that determine where a data packet should be delivered.

"There is no way of detecting modification of labels," Rey said. "If somebody gets access to this network, it's quite easy to cause disastrous havoc."

Other tools attack a separate network technology known as BGP, or border gateway protocol. Among other things, they crack the MD5 cryptographic keys used to prevent tampering. They also make it easy to inject unauthorized routes in BGP tables, allowing an attacker to hijack huge swaths of internet traffic.

Other tools exploit similar weaknesses in the ethernet protocol.

Of course, the lack of security in MPLS, BGP and ethernet is well documented. At last year's Defcon hacker conference, for example, researchers Anton "Tony" Kapela and Alex Pilosov demonstrated an attack on BGP that allowed them to redirect traffic bound for the conference network in Las Vegas to a system they controlled in New York. Other internet underpinnings, including the DNS, or domain name system, and SNMP or Simple Network Management Protocol have also been shown to be vulnerable to tampering.

Rey said he and Mende are well aware of this research. But up to now, the assumption has been that the attacks are technically difficult to carry out. The goal of the tools is to make corporate security professionals aware that the only thing preventing the hijacking of entire corporate networks is the steps carriers take to secure their infrastructure.

"Try to understand if your carrier is trustworthy," he recommended. "If there are any doubts, it might be a good idea to encrypt the traffic. We just want people to be able to make informed decisions."
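To make two points from the article concrete (an MPLS label stack entry carries no integrity field, so a rewritten label cannot be detected by the protocol itself, and end-to-end authentication of the payload is the mitigation the researchers suggest), here is an added example that is not from the article or from the researchers' tools. It assumes the RFC 3032 entry layout (label 20 bits, TC 3 bits, bottom-of-stack 1 bit, TTL 8 bits); the labels, key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the article): a two-entry label stack.
OUTER_LABEL, INNER_LABEL, TTL = 1001, 16, 64
SAMPLE_KEY = b"constructed-demo-key"  # placeholder end-to-end key


def encode_mpls_entry(label: int, tc: int, bos: int, ttl: int) -> bytes:
    """One RFC 3032 label stack entry: label(20) | TC(3) | S(1) | TTL(8).
    Nothing in this 32-bit word is a checksum or MAC over the rest of it."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def parse_mpls_stack(packet: bytes):
    """Walk the label stack until the bottom-of-stack bit is set and return
    (entries, payload). Any 32-bit value decodes as a valid entry, so a
    rewritten label is indistinguishable from the original on the wire."""
    entries, off = [], 0
    while True:
        if off + 4 > len(packet):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack("!I", packet[off:off + 4])
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "bos": (word >> 8) & 0x1, "ttl": word & 0xFF})
        off += 4
        if entries[-1]["bos"]:
            return entries, packet[off:]


def seal_payload(key: bytes, payload: bytes) -> bytes:
    """End-to-end integrity the carrier path cannot silently defeat:
    an HMAC-SHA256 tag prepended to the payload (the integrity half of the
    "encrypt the traffic" advice; confidentiality would add encryption)."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def open_payload(key: bytes, sealed: bytes):
    """Return the payload if the tag verifies, else None. This catches
    tampering with the payload; it cannot catch a rewritten label that only
    redirects the packet, which is why trust in the carrier still matters."""
    tag, payload = sealed[:32], sealed[32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def build_sample_packet(payload: bytes) -> bytes:
    """Constructed packet: outer label, inner label (bottom of stack), payload."""
    stack = encode_mpls_entry(OUTER_LABEL, 0, 0, TTL)
    stack += encode_mpls_entry(INNER_LABEL, 0, 1, TTL)
    return stack + payload


if __name__ == "__main__":
    pkt = build_sample_packet(seal_payload(SAMPLE_KEY, b"constructed payload"))
    entries, sealed = parse_mpls_stack(pkt)
    print([e["label"] for e in entries], open_payload(SAMPLE_KEY, sealed))
```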
