Monday, April 20, 2009

Visit HomeATM at ETA...Booth 647! (FIS Booth) and We'll Put $10 on Your Card in Real Time!

HomeATM will be at Fidelity Information Services Booth (eFunds/Metavante/NYCE) Tuesday thru Thursday! So stop by booth #647 during the ETA Meeting & Expo April 21-23 at the Mandalay Bay Resort & Casino and visit with one of our merchant experts.

(Look for anyone wearing a Polo with "PINterchange for the Internet "
on their back) 

Cause when it comes to providing "TRUE" PIN Debit for the Web, and military grade security,
we've got YOUR back covered! Be sure to check out FIS’:
  • Creative solutions to accepting PIN Debit for payment at Web-based merchant sites

  • Expanding payment options

  • Reduced interchange costs  (PINterchange!)
Stop by and say hello.
We've got a $10.00 "Card" Present  for you!

Correction: Booth #647

Just mention the fact that you saw this post in the "PIN Payments News Blog" and we'll put $10 on ANY US BANKCARD in "REAL TIME."
(right before your eyes)


RKL ATM Security (Remote Key Loading)

ATM Security | Remote key loading: The next in ATM security for ISOs | ATM Marketplace
By Tracy Kitten, editor • 20 Apr 2009

Dennis "Abe" Abraham has spent the last five years waiting for remote key loading to reach a tipping point. The president of Concord, N.C.-based Trusted Security Solutions Inc., developer of the A98 remote key loading system, says the timing for RKL is finally right, and independent sales organizations are now seriously considering their options.

Though complicated by complex algorithms and multiple levels of encryption, the function of remote key loading is simple. Basically, RKL eliminates the need for ATM technicians to physically visit ATMs for manual key changes — thus eliminating expense and the possibility for human error.

After completing their investments in Triple DES upgrades, ATM deployers are now finally able to focus some time and money on RKL. Up to this point, financial institutions have expressed interest in RKL, but few have made large investments. In the ISO space, movement has been, by and large, non-existent.

And there are a few reasons for that.

Deployers of off-premises ATMs have not been as diligent about ensuring their keys are changed. In fact, before the October 2008 release of version 1.2 of the Payment Card Industry Council Data Security Standard, no definitive requirements for key changing existed. ATM deployers were required to change keys if and when audited, but audits were not mandated across the board.

Under version 1.2, keys must be changed every 12 months, and the networks are watching, says Chuck Hayes, product development manager for Long Beach, Miss.-based Triton Systems of Delaware. That PCI push has encouraged manufacturers like Triton to start marketing RKL as part of the overall ATM offering.

"It's a differentiator for us," Hayes said. "It's the first time an RKL solution has been brought to market for the off-premises space, and that's helping us enjoy a competitive advantage."

Triton's patent-pending RKL offer may only require a software upgrade, if the ATM already has Triton's upgraded encrypting PIN pad.

For an ISO that acquires and needs to merge a fleet of remote-key capable ATMs with an existing fleet of ATMs that aren't remote-key ready, the Triton solution calls for a mere switch of the host for transaction processing, Hayes says.

"The business case for ISOs is simple: less key handling," he said. "That's an advantage. If an ATM key was corrupted, the host could rekey that ATM within minutes, rather than having to go through the manual process of sending someone out, which takes time and expense."

A case for ISOs and FIs

Continue Reading at ATM marketplace

Midnight Raid Attack Creates HelluvaSMS

Source: CNet


Be careful who you give your mobile phone number out to. An attacker with the right toolkits and skill could hijack your phone remotely just by sending SMS messages to it, according to mobile security firm Trust Digital.

In what it calls a "Midnight Raid Attack" because it would be most effective when a victim is asleep, an attacker could send a text message to a phone that would automatically start up a Web browser and direct the phone to a malicious Web site, said Dan Dearing, vice president of marketing at Trust Digital. The Web site could then download an executable file on the mobile phone that steals data off the phone, he said.

Dearing demonstrates how this can be done in a video on YouTube.

In another type of attack, an attacker could hijack a phone by sending a type of SMS message called a control message over the GSM network to a victim's phone that is using a Wi-Fi network and then use special toolkits to sniff the Wi-Fi traffic looking for the victim's e-mail log-in information. This attack is explained in another YouTube video.

While the attacks at this point are proof-of-concepts, they could be done if someone has the requisite knowledge and toolkits, said Dearing. Trust Digital recently announced software called EMM 8.0 that can help organizations protect employee phones from these types of attacks, he said.

"This is a completely real threat," said Philippe Winthrop, a director in the global wireless practice at Strategy Analytics. "We will see these attacks. It's a matter of time."


Online Security Fears Deepening...HomeATM Can Help

Consumers in Belgium apparently feel less anxious about online security than people in any other European country.

In an Index that tracks trends in consumer perception of security issues among approximately 8,500 people in nine countries, Unisys has reported that ID theft and fraud fears have surged in the last six months as recession bites.

“Reports that fraudsters are increasingly moving online, in addition to well publicized security breaches, may have also helped push up the Unisys Security Index for Internet security concerns from 105 a year ago to 121 in the UK,” the company said.

Editor's Note: See the device on the left? Fraudsters hate it because instead of "Typers," consumers become "Swipers." I love the irony... consumers "swipe their card information" vs. fraudsters being the "Swiping Type"...

Virtually "every" security expert knows that entering a card number, expiration date and CVV with a keyboard is the exact "type" of transaction that allows fraudsters to "swipe" your financial details. On the flipside, when you "swipe" your own card details with our SafeTPIN terminal, and enter your PIN, it's done "outside" the browser space, is "instantaneously" 3DES encrypted "inside" the box and the data is never transmitted in the clear.

In addition to 3DES end-to-end encryption, HomeATM employs DUKPT key management AND also encrypts the Track 2 data.

These procedures helped the HomeATM "SafeTPIN"  become the FIRST and ONLY payment terminal/PIN Entry Device IN THE WORLD, designed solely for e-commerce to be PCI 2.0 PED Certified.

Thus, HomeATM is also the "FIRST and ONLY" provider of "Tried and TRUE" PIN Debit for eCommerce. The card is present, the Track 2 data is captured (including the PIN Offset (PVKI) AND the PIN Verification Value (PVV)), and the PIN provides 2FA (two-factor authentication).

Again, on the flip side, with a software PIN Debit "application" (see graphic below/right) the card is NOT PRESENT, the Track 2 data is NOT captured (nor is the PVKI/PVV), and the PIN does NOT provide 2FA, because the Primary Account Number (PAN) could have been purchased for a dime online. So, if your perception is that there are "TWO" Internet PIN Debit choices, hardware or software, it's time to re-evaluate...because the truth is:

There's only ONE TRUE PIN Debit "solution" for the web.  HomeATM...period.   Speaking of "conventional" you can visit us at Booth 347 at the ETA Convention.  Oh...and did I mention that HomeATM is EMV/SmartCard/Chip and PIN ready?  I think I just did...back to the article

According to the survey, 69% of UK consumers are now concerned about computer security and 65% are worried about their safety and security when shopping or banking online.

The study assessed attitudes towards national security and epidemics, financial services security, as well as sentiment towards spam, virus and online financial transactions, and physical risk and identity theft.

It used measures of consumer perceptions on a scale of zero to 300, with 300 representing the highest level of perceived anxiety. The relaxed Belgians scored a low 94 on a rating of internet security concerns.

Overall, the average score for citizens of the nine countries surveyed is 133, representing a moderate level of concern. Those surveyed are most concerned about financial security and least concerned about Internet security.

Unisys said its twice yearly survey presents an interesting social indicator regarding how safe consumers feel on key areas of security.

Some 72% of UK citizens believe they are at greater risk from identity theft and related crimes such as credit card fraud, as a result of the financial crisis.

Four out of every five people in Germany are extremely or very concerned about identity theft, yet under half would accept biometric technology to verify their identities.

As many as 88% of consumers are concerned about other people obtaining and using their credit card, debit card or bank account details or are concerned about others gaining unauthorized access to or misusing their personal information.

“Fraud fears have deepened as a result of the financial crisis,” Neil Fisher, VP at Unisys said.

The company found that bankcard fraud is the greatest single area of concern across all markets, with concerns about misuse of credit or debit card details being the top concern among adults in five countries and the number two concern in four more countries.

Identity theft is seen as the second greatest area of concern, being the number one concern in three countries and the number two concern in four more.

Since the last survey six months ago, Unisys measured a jump of ten-points in its Internet Security Index and charted a significant six-point rise in its Financial Security Index. Its National Security Index continues its downward trend, while its Personal Security Index is essentially flat.


Mikeyy Worm: Jokes on Twitter...Womp!

Source: Sophos

Description: Another day, another Twitter worm. After yesterday's attack referencing the likes of Ashton Kutcher and Oprah Winfrey we are now seeing many Twitter users spreading messages on behalf of a new version of the Mikeyy worm, this time their common denominator is that they're all jokes including the (somewhat bizarre) word "womp".

Here are some of the messages that are being sent from compromised accounts on Twitter right now:

  • Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy.
  • If your father is a poor man, it is your fate, if your father-in-law is a poor man, it's your stupidity. Womp. mikeyy.
  • If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy.
  • Money is not the only thing, it's everything. Womp. mikeyy.
  • Every man should marry. After all, happiness is not the only thing in life. Womp. mikeyy.
  • Success is a relative term. It brings so many relatives. Womp. mikeyy.
  • Be nice to your kids. They'll choose your nursing home. Womp. mikeyy.
  • 'Your future depends on your dreams', So go to sleep. Womp. mikeyy.

Once again, Twitter is left looking amateurish in its response as it clearly hasn't properly hardened its systems from these kinds of cross-site scripting attacks. Until they get their act together, users need to remember to turn off scripting (the combination of Firefox and NoScript is a good one) if viewing users' profiles.


Oracle Buys Sun Microsystems

Had to bring you "tomorrow's  news today!"  From the April 21st edition of iTWire:

iTWire - Oracle vertically integrates paying $7.4B for Sun

by Stan Beer
Tuesday, 21 April 2009

In what is being viewed as a move to vertically integrate its business, business software giant Oracle has agreed to buy struggling servers hardware vendor Sun Microsystems for US$7.4 billion cash.

The deal will see Oracle pay a more than 40% premium of $9.50 a share for the company whose founder Scott McNealy coined the phrase “the network is the computer”.

Sun was at one time a rising star in the Unix servers business, with its Solaris operating system and Sparc based proprietary servers.

However, the commoditisation of the servers business through the x86 platform has bitten deeply into Sun’s bread and butter.

While Sun is primarily considered to be a hardware company, it does have some considerable software jewels in its crown. Aside from Solaris, Sun was the developer of the Java software development platform and owns Star Office, the commercial version of Open Office.

From Oracle's point of view - or at least what its boss Larry Ellison claims - the Sun purchase will give Oracle a one-stop-shop or "applications to disk" capability, where the company could offer customers a tightly integrated hardware and software solution.

Commentators at this stage seem unsure about the wisdom of Oracle's strategy with this purchase because it's the first time the software giant has ventured boldly into the hardware space.

However, many note that previous acquisitions for Oracle such as PeopleSoft, Siebel and Bea have been successful.

In addition, as some pundits point out, Sun is not just a hardware company but is also strong in the software platform space. And the vertical integration of major computing conglomerates in the mould of IBM and HP, with hardware, software and services, appears to be where the market is heading.


6 Degrees of Separation to Preventing Fraud - Deloitte Consulting

A Discussion about Applying Six Degrees of Separation to Preventing Fraud
Considering the human element of fraud and channeling information and specialized resources already in your company toward that effort could help mitigate fraud and other compliance risks.

In “A Discussion about Applying Six Degrees of Separation to Preventing Fraud,” Toby Bishop, director of the Deloitte Forensic Center for Deloitte Financial Advisory Services LLP, moderates a discussion with Yogesh Bahl, Northeast leader of Anti-Fraud Consulting for Deloitte Financial Advisory Services LLP, and Tim Lupfer, director in the Human Capital practice of Deloitte Consulting LLP.

Listen to the discussion of how companies may be able to apply techniques used in fraud investigations to prevent and detect fraud before it causes serious damage. To watch the video, click the screen below...
