Friday, April 24, 2009

Proof that Software PIN Debit is Unsafe (with Pictures!)

Editor's Note: I saw this item come across the newswires, and there is a specific quote which instantly grabbed my attention. (emboldened in RED and highlighted below)

Why did it grab my attention?

Because there are some who argue that a "floating" PIN Pad is secure, but based on information contained in the story below, it "appears" (just like a floating PIN Pad!) that it is NOT secure.

Keep in mind that a floating PIN Pad is nothing but a "graphical user interface" (GUI), and GUIs can be readily replicated by hackers.


Just as HomeATM replicated the conventional approach to PIN Debit and brought it to the web with our PCI 2.0 Certified SafeTPIN, a hacker could (make that "would" because, as it states below, they already have) replicate a software application and fool users into entering their passwords (PINs).

What a mess that will be. And guess who's going to be liable? Would it be the software application provider? That leaves the EFT Network or the Financial Institution? The only two other choices would be the merchant or the consumer. Anyone have any thoughts?


Anyway, the story below verifies that what we've been saying this past year is TRUE. Not surprising, coming from the only TRUE PIN Debit for the Web provider in the world, is it?

Source: CA
Complete item: http://community.ca.com/blogs/securityadvisor/archive/2009/04/22/banking-trojans-tips-and-tricks.aspx

Browser Impersonation

Win32/Bancos and Win32/Banker are a family of trojans that mostly target South American banks. These banks typically use the Portuguese language on their websites, and in the example below you can see that the banking trojan managed to change the version of the web browser from English to Portuguese.

In the Process Explorer window shown in Figure 02, you can see that the process owning the Window Title - "http://www.bradesco.com.br - Microsoft Internet Explorer" is the banking Trojan, not Internet Explorer. The banking trojan now has control over the keyboard and can intercept login credentials entered on the website by the user.
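The Process Explorer observation above (a window titled like Internet Explorer that is owned by a different process) can be turned into a simple detection. The following is an added example, not code from the CA post: it runs over a constructed listing of (pid, image, window title) rows such as one would collect from Process Explorer, and flags windows whose title claims a browser that the owning executable is not. The process name and pids in the sample are made up.

```python
"""Flag top-level windows whose title claims a browser but whose owning
process is not that browser's executable (added example, constructed data)."""
from typing import List, NamedTuple, Optional


class WindowRecord(NamedTuple):
    pid: int
    image: str   # executable name owning the window
    title: str   # window title text


# Title suffixes legitimate browsers append, mapped to the executables
# allowed to own such a window (assumed list; extend for other browsers).
BROWSER_SIGNATURES = {
    "Microsoft Internet Explorer": {"iexplore.exe"},
    "Mozilla Firefox": {"firefox.exe"},
    "Google Chrome": {"chrome.exe"},
}


def claimed_browser(title: str) -> Optional[str]:
    """Return the browser a window title claims to belong to, if any."""
    for suffix in BROWSER_SIGNATURES:
        if title.rstrip().endswith(suffix):
            return suffix
    return None


def find_impersonators(records: List[WindowRecord]) -> List[WindowRecord]:
    """Return records whose title claims a browser the owning image is not."""
    hits = []
    for rec in records:
        browser = claimed_browser(rec.title)
        if browser is None:
            continue
        if rec.image.lower() not in BROWSER_SIGNATURES[browser]:
            hits.append(rec)
    return hits


# Constructed sample modelled on the view described in the post: the real
# browser and a non-browser process both show an IE-style title.
SAMPLE = [
    WindowRecord(1204, "iexplore.exe", "http://www.bradesco.com.br - Microsoft Internet Explorer"),
    WindowRecord(3388, "updater.exe", "http://www.bradesco.com.br - Microsoft Internet Explorer"),
    WindowRecord(2011, "firefox.exe", "Mozilla Firefox"),
    WindowRecord(1770, "notepad.exe", "notes.txt - Notepad"),
]

if __name__ == "__main__":
    for rec in find_impersonators(SAMPLE):
        print(f"pid {rec.pid}: {rec.image} owns a window titled {rec.title!r}")
```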

Editor's Note: In a software PIN Debit application, you are instructed to "type" in your debit card's "primary account number" (PAN). So this is not good news for people who say that it's a secure application. In addition, it bodes well for my assertion that banks should replace "username: password:" with our PCI 2.0 certified and much more secure SafeTPIN and use that as a log-in device.


Fake Login Page


Some banking trojans imitate legitimate applications distributed by banks and there is no way a user can tell the difference between the real and fake graphical user interfaces.

Editor's Note: So there you have it. Anyone still think that a software PIN Debit application is secure?

Recommendation
In tough economic times like this, it is very important for us to understand the behavior of these threats and the associated risks.

At the end of the day, the main goal of the attackers is to steal your identity and your money!

E-Secure-IT
https://www.e-secure-it.com


PCI 2.0: Best at Keeping Hackers at Bay

Digital Transaction News

You Can’t Set It And Forget It with PCI, Network Execs Say

(April 24, 2009) The Payment Card Industry data-security standard (PCI) is a favorite punching bag of merchants, but executives from Visa Inc. and MasterCard Inc. defended the set of security rules before an audience of independent sales organizations as the best tool available for keeping cardholder information safe from computer hackers.

The HomeATM engineering team that designed and manufactures our PCI 2.0 Certified PIN Entry Device (pictured on the left) couldn't agree more. It is, indeed, the best available tool to keep hackers from getting cardholder data.

That said, would you feel safer:

1. "typing" your Primary Account Number (PAN) into a box located on an eMerchant  checkout cart using your PC's keyboard... and then have to wait for a "pop-up" graphical user interface appear in your web browser, then "mouse click" your PIN? or...

2. Does "common sense" dictate that it's exponentially safer to utilize a PCI 2.0 PED to "swipe" the magnetic stripe information, have it 3DES encrypted "inside the box" (including the Track 2 data) and KNOW that your information is NEVER in the clear? 

If the allure of PIN Debit on the Web is security, then HomeATM is the clear winner...
A PC can NEVER be PCI certified.  HomeATM already is!


If the allure of PIN Debit on the Web is Lower Interchange, then HomeATM is the clear winner.  "Card Present" rates Beat "Card Not Present" rates all day long. 

HomeATM transactions are not only "card present" transactions, they are TRUE PIN DEBIT transactions as we replicate the traditional PIN Debit transaction done in a retail location to a "T," with our Safe"T"PIN bank card swiping/PIN Entry Device.  Oh, except that we 3DES encrypt the Track 2 data as well...a security step not taken by most POS Devices designed for brick and mortar locations.

HomeATM...True PIN Debit...True PINterchange...True Security and True 2FA (two-factor authentication) 


To read the entire story about PCI Security at Digital Transaction News, click below:


Continue Reading at DTN

TrialPay Comes to The RevenueWire Network

RevenueWire Merchant ParetoLogic Partners With TrialPay To Create Revenue Windfall for Affiliates

Top RevenueWire merchant ParetoLogic is turning purchase bailouts into sales with all their software products including top-selling RegCure, DriverCure and ParetoLogic AntiVirus PLUS. With this new partnership, TrialPay presents customers the option of getting a ParetoLogic product for free when they purchase an item from the TrialPay list of offers - with the affiliate receiving a commission on the final sale. The TrialPay sales mechanism promises to generate affiliate revenues that previously would have been lost due to cart abandonment.

Victoria, BC (Vocus/PRWEB ) April 24, 2009 -- One of RevenueWire's flagship merchants, ParetoLogic, has partnered with internationally renowned online sales provider TrialPay to add a powerful new selling feature to their software products. ParetoLogic is best known for hit products such as RegCure, DriverCure and ParetoLogic AntiVirus Plus.

This new partnership will significantly increase ParetoLogic’s affiliate sales conversions by recovering customers who reach purchase pages but decide not to purchase the product.

"The addition of TrialPay to the sales process means the customer has the opportunity to get our products for FREE in exchange for completing TrialPay offers which includes games, movies, CDs, books and more. And the best part? Everyone still gets paid,” said Elton Pereira, CEO of ParetoLogic.


TrialPay's partners include Netflix, FTD, Gap Inc., RealNetworks and many more.

What does this mean for RevenueWire affiliates?

"TrialPay is a great way to harvest the latent business opportunity in cart bailouts. Buyers who were once just walking away from the cart will now be transformed into a viable source of revenue for our affiliates and merchants. It also offers our affiliates yet another way to optimize their product conversions and increase their overall revenue on ParetoLogic products," said Havind Sehmi, CEO of RevenueWire.

RevenueWire and ParetoLogic's optimism is shared by TrialPay's CEO. "The prospect of working with top software merchant ParetoLogic through the RevenueWire affiliate network was very appealing to us. We believe this business relationship will create a strong new revenue channel for everyone involved; one that will continue to grow for years to come," said Alex Rampell, CEO of TrialPay.

About TrialPay
TrialPay introduces e-commerce solutions that increase the probability of conversion and maximize the profit of each transaction for any online seller. TrialPay's transactional advertising model uses the efficiencies of the Web to pair online shoppers with ideal products at every stage of the purchase process. With TrialPay, everyone wins: merchants make more sales from their current traffic, advertisers acquire new customers on a pay-for-performance basis and shoppers get a free product with every purchase.
TrialPay works with name-brand companies across many verticals, including: Fandango, The Wall Street Journal, Gap, McAfee, Netflix, FTD, Match.com and thousands of others. And through its original Get It Free model, TrialPay offers 30 million registered users more than 2,000 ways to pay through premier advertisers.

Contact:
Lisa Contoyannis, Director of Public Relations
TrialPay Inc.
(650)-318-0000
http://www.trialpay.com

About ParetoLogic
Four software professionals, who just happened to be brothers, recognized that modern computer users don't need to be at the mercy of expensive computer repair technicians to maintain, secure, and optimize their own PCs. Knowing that sophisticated technology married with a truly user-friendly interface would empower people to secure and optimize their own computers, the four brothers researched the marketplace to define and develop the software products that would most benefit today's computer user.

Three short years later, the ParetoLogic brothers employ 140 people (and counting!) to help them research, develop, and market software applications that will enable people to secure and enhance their computing experience. Available in eight languages in 192 countries around the world, ParetoLogic has established partnerships on a global scale to ensure that its products are available to all computer users, regardless of location, language, or computing experience.

Attention to the needs of the consumer coupled with a commitment to delivering exceptional software applications and resource-rich websites guarantee that our products will exceed your expectations.

Contact:
Barry Dodd, Vice-President of Marketing
ParetoLogic Inc.

About RevenueWire
Founded in 2007, RevenueWire entered the growing affiliate-fueled e-commerce platform arena as an exciting new platform for digital product merchants and affiliate marketers. RevenueWire's payment processing system SafeCart, combined with highly accurate sales referral tracking and easy-to-use analytics tools, provides both affiliate marketers and merchants with highly profitable digital product promotion and sales.

Contact:
Barry Ringstead, Marketing Director
RevenueWire, Inc.
http://www.revenuewire.com

###


India Banks to Outsource ATM Operations

Big banks in India plan to outsource their ATM operations
Source: ATM Marketplace

(India) Business Standard: ATM outsourcing is on the rise in India, with at least two large banks planning to outsource the installation and management of their ATM portfolios. Private sector lender Axis Bank is in talks with BAIL, Euronet Worldwide, Prizm Payments and two other independent service operators for the outsourcing contract. And Bank of Baroda has invited request-for-proposals from prospective vendors for the site construction, supply and installation of ATMs. The bank plans to set up 500 ATMs at its branches and at off-site locations over the next three years. BoB has more than 3,000 ATMs across the country.

Click to continue


Phone Crime More Worrisome Than Computer Fraud

Source: CIO
Complete item: http://www.cio.com/article/490565/Phone_Crime_Worries_Banks_More_Than_Computer_Fraud

Description:
Computer fraud may be a big problem for banks today, but the telephone is becoming a critical tool for fraudsters, bank executives say.

In addition to calling customers about suspicious transactions, banks use SMS (Short Message Service) to request that customers contact them. So, fraudsters have begun using a variety of techniques to try to trick the banks into thinking they're communicating with legitimate customers via the telephone. "Call-center authentication is, to me, the biggest pain point right now," said Stan Szwalbenest, remote channel risk director with JP Morgan Chase, speaking at the RSA conference in San Francisco this week.

Malware, phishing and cyberattacks may get talked about, but "we should never fool ourselves into thinking that's the only place [crime is happening]," he said. "The biggest risks I see are social engineering, and that's exactly how the crooks are getting in."

Social-engineering attacks occur when fraudsters trick bank customers or employees into divulging sensitive information, usually by pretending to be someone they are not.

Sometimes fraudsters will hack into a bank account and change the customer's contact phone number. Then, when a suspicious transaction posts to the account, the bank will call the fraudster instead of the customer.
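One mitigation for the contact-number swap described above is to refuse to trust a phone number that was changed shortly before the suspicious activity. The following is an added example, not code from the CIO article or from any bank named in it: the 14-day cooling-off window, the event model and the sample numbers are all assumptions, constructed to show the rule.

```python
"""Choose a callback number for transaction verification that an attacker
who recently changed the contact details cannot control (added example)."""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple


class ContactChange(NamedTuple):
    changed_at: datetime
    old_number: str   # number on file before the change ("" if none)
    new_number: str


COOLING_OFF = timedelta(days=14)   # assumed policy value, not from the article


def trusted_callback(current_number: str, changes: List[ContactChange],
                     txn_time: datetime) -> Tuple[Optional[str], str]:
    """Return (number to call, reason). The number is None when no number
    on file predates the cooling-off window; verify via another channel."""
    cutoff = txn_time - COOLING_OFF
    # Any change inside the window is untrusted. Walk back to the number
    # that was on file when the window opened.
    recent = sorted((c for c in changes if cutoff < c.changed_at <= txn_time),
                    key=lambda c: c.changed_at)
    if not recent:
        return current_number, "no recent contact change; current number on file"
    fallback = recent[0].old_number
    if not fallback:
        return None, "number set within cooling-off window and no prior number"
    return fallback, f"number changed on {recent[0].changed_at:%Y-%m-%d}; using prior number"


# Constructed sample: the attacker changed the number three days before a
# suspicious transaction was posted.
SAMPLE_CHANGES = [
    ContactChange(datetime(2009, 4, 20, 9, 30), "+1-555-0100", "+1-555-0199"),
]
TXN_TIME = datetime(2009, 4, 23, 14, 5)

if __name__ == "__main__":
    number, reason = trusted_callback("+1-555-0199", SAMPLE_CHANGES, TXN_TIME)
    print(f"call {number}: {reason}")
```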

In cybercrime forums there's even a job title for people who do this: confirmer. "There are companies that specialize in it," said David Shroyer, senior vice president for online security and enrollment with Bank of America. Fraudsters will sell the services of people who have the language skills to mimic legitimate customers, offering, for example, four males and six females who speak English, one with a Spanish accent. "They say, 'We can match the phone number where your real customer is calling from,' " he said.

In another scam, criminals activate automatic call-forwarding features to essentially take over their victim's telephone lines for a period of time.

"They're adapting to our adoption of different technology and different authentication methods," Shroyer said.

Large banks like JP Morgan have been working with telecommunication companies to be able to identify spoofed calls, and with a recent rash of so-called swatting attacks, where hackers call 911 from spoofed numbers to trick police into sending out emergency response teams, the U.S. Federal Communications Commission has recently taken a greater interest in call spoofing, Szwalbenest said.

Criminals are also using low-cost, corporate-grade telephone systems to run their automated call centers. They will call, e-mail and send SMSes to victims telling them to call phoney numbers in hopes that victims will think they're calling a real bank and provide account numbers and passwords.

E-Secure-IT
https://www.e-secure-it.com

Let's Sign a Treaty...and Cybercrime Will Disappear!


Security Expert Calls For New Model For 'Demonetizing' Cybercrime, Botnets
Current approach focused on fighting attacks is not working, says SecureWorks' Joe Stewart


By Kelly Jackson Higgins | DarkReading

SAN FRANCISCO -- RSA CONFERENCE 2009 -- A top U.S. botnet expert has proposed a new approach to fighting cybercrime: Hit the bad guys where it hurts -- in their wallets -- by making online crime less lucrative and more risky to carry out.

Joe Stewart, director of malware research for SecureWorks, says the current approach, which includes knocking out botnet command and control and occasionally arresting the latest spam kingpin, just isn't a sustainable strategy. "These techniques don't work. We have too few resources, too much focus on the attack, and not so much on the attackers," he said in his presentation here on Thursday. "My proposal is to focus more on criminal groups than the attacks. We're not going to end cybercrime...I want to look at a different approach [at fighting it]."

Stewart's model goes after cybercriminals on three fronts -- technical, legal, and financial.

At the heart of the approach is a global Internet treaty that nations on the Net would sign, holding each other responsible for online abuse within their own borders.

That would mean a nation's CERT would get the authority to enforce penalties for those network operators that allow distributed denial-of-service (DDOS) attacks, spam, malware, or other hacking across their networks. This type of Internet abuse on an ongoing basis would result in the operator's being disconnected from the Net, according to Stewart's vision.

This would also require a global authority for Internet abuse, which would coordinate among the regional CERTs and special operations teams watching out for such abuse. The teams would be made up of experts in reverse engineering, linguistics, social engineering, and disinformation operations, for example. "It would not be limited to researchers," Stewart said. "It would be run in a covert way...you don't want your adversary knowing something [about the operation]."

The closest thing to such Internet authorities today is South Korea's CERT, which by law can order an ISP to take down a botnet command and control server, for instance, Stewart noted.  "We need a global framework to get rid of safe havens for abuse," he said.  But this global authority would be solely focused on DDOS attacks, spam, malware, and other attacks -- not civil issues or content.  Other security researchers say the concept makes sense, but pulling it off wouldn't be easy.

"Trying to disincentivize [the attackers] is a new way of looking at things," says Ivan Arce, CTO of Core Security. "But it will be hard to accomplish. [Law enforcement alone] is not sufficient, and cutting them off the Internet is probably not going to work because they will find another way [to regain access]." Arce says the key to combating cybercrime is to find a way to discourage the insecurity of networks and systems.

Continue Dark Reading