Thursday, April 30, 2009

The Only Way to Process Secure Online Transactions...



With news coming out of Washington that the U.S. economy, as measured by the gross domestic product (GDP), fell by 6.1% for the first quarter of 2009, it looks like the Great Recession isn’t going away anytime soon.

In addition, with unemployment inching up toward 10% and home foreclosures still on the rise, a jump in credit card fraud is the last thing that American consumers need, but that’s exactly what they’re getting.

As Credit and Debit card scam artists are becoming more brazen and more creative, U.S. credit card holders are growing more anxious.

According to a 2009 survey by Unisys Security Index, approximately 75 percent of Americans believe that the global financial crisis increases their risk of identity and related fraud.   More than two-thirds surveyed said they are extremely concerned about other people obtaining and using their credit and debit card data, with 90 percent at least somewhat concerned.

Unisys adds that credit and debit card fraud is the top security concern for people, with 68 percent saying they are extremely or very concerned; 66 percent said they are seriously concerned about unauthorized access to or misuse of personal information.

So how can credit card holders protect their cards and their money?   (Hint, one of the devices on the left "Stops Hacking"... the other one "Causes It"

Rest assured, both are deadly to hackers.


So how do you protect cardholder data when conducting online transactions? There's only one secure way to do it.  Albeit, there's a lot of articles published that recommend the following to conduct secure online transactions:  Here's a direct quote from one of them:

"When online, use only secure sites, especially when using your credit card online. Be sure to check the URL of the site’s purchase page as well, which will always read “https” if it is secured."

The fact is, that statement is not even close to being entirely true.  "https:// has already  been demonstrated to being insecure and subject to hack attacks"  And because it's already been compromised, you will never know whether or not your transaction is secure irregardless of whether it reads http:// or "https"  Therefore, I'd strongly advise you to "scratch that advice."  Simply put...it's httbs://


See the pic on the right? (click to enlarge and take a look at the address)

I blogged  about the hole in "https" a while back.  I think I called it "httbs" at that time too. Yes,  I checked and I did...way back on January 2nd...in a post entitled:
Browsers and -Commerce  Don't Mix. 

As I've stated numerous times on this blog, there is only "one" way to secure your cardholder data when shopping online. Via a hardware device.  If you want to protect your cardholder data, then you MUST keep your cardholder data OFF the web.  It cannot be typed, it cannot be mouse clicked, it cannot be cut and pasted.  It cannot be on the web...period. 

In order to do it "outside the browser space: you'll need to Swipe your card in a 3DES end to end encrypted magnetic stripe reader which hopefully, then encrypts ALL the track 2 data.  To secure the transaction with another layer, you could add two-factor authentication (2FA) by entering your PIN,  which should also be end to end encrypted.  To protect your data even more, experts recommend the use of DUKPT key management which assigns a unique key "each" transaction.  The value is that if a hacker were to somehow breach their way through all that security, they would only have access to "ONE" transaction. 


There's only "ONE" company in the world who manufactures a  PCI 2.0 Certified magnetic card reader WITH PIN Entry Device for eCommerce.  That'd be HomeATM. 

That's it.  So...remember, don't type, swipe.  If you can see it on your screen,  then so can the bad guys.

There's myriad ways for them to do that.  Here's a select few:  zombies, worms, malware, malicious code, DNS Hijacking, Click Jacking, Key-logging, Memory Scraping, Screen Scraping, Cloned Websites, Data Hijacking, Remote control access, etc. etc. etc.  Remember the line from Field of Dreams?  If you build it they will come?  Here's one to remember for the web: If you type it, they will swipe it.  

Question:  If your cardholder data is going to be "eventually" swiped anyway, shouldn't you be the one doing the "SwipePIN?"









Reblog this post [with Zemanta]

Banking / Finance News
Source: Computing
Complete item: http://www.computing.co.uk/computing/news/2241443/chip-pin-security-goes-trial-4632986

Description:
A trial that could prove to be a test case for the security of chip-and-PIN card technology starts today.

Alain Job is suing Halifax, claiming that a fraudster withdrew £2,100 from his account at cash machines despite the fact he did not lose his card and changed his PIN as soon as he received it. The bank refused to refund the money, claiming that its chip-and-PIN system is secure.

Reblog this post [with Zemanta]

Western Union to Pilot Mobile Bill Payment

Newsflash from Finextra.com.

30/04/2009 15:37:00
WESTERN UNION, CPS AND VERISIGN PILOT MOBILE BILL PAYMENT SERVICE

Western Union has teamed with VeriSgn to pilot a system that enables Consumer Portfolio Services (CPS) customers to trigger their monthly car payments directly from their mobile phones.

More on this story: http://www.finextra.com/fullstory.asp?id=19987

Merchants On "Warpath" Against Interchange

HOME DEPOT EXEC: MERCHANTS ON ‘WARPATH’ AGAINST INTERCHANGE FEES
Merchants are "on the warpath" to push for legislation that would cut or cap credit and debit card interchange rates this year, Mario de Armas, director of international and interchange financial services at The Home Depot Inc., told attendees this week during a panel discussion at Source Media's 21st annual Card Forum and Expo at Marco Island, Fla.

"The cost for us to accept credit and debit cards continues to rise, and we have to pass those costs on to our consumer and commercial customers ... who can least afford it in this economy," de Armas said, adding that " Visa and MasterCard have done a very poor job of communicating the value of what interchange provides."

He noted that interchange began as a more clearly defined subsidy to help cover the cost of electronic payments, then mushroomed to become "a profit center for banks."  De Armas said Home Depot plans to drop its co-branded MasterCard issued by Citigroup Inc., noting customers purchase more with the company's proprietary credit card (also issued by Citi).

Moreover, the company is looking into why its payment terminals require cardholders to opt out of signature-debit if they want to use less-expensive PIN-debit instead.


Editor's Note to Internet Retailers:  Want to accept TRUE PIN Debit on your website and benefit from the lower Interchange associated with 2FA PIN Based transactions?  How about "card present" credit card Interchange rates?  We can "steer" you in the right direction with HomeATM's patented PCI 2.0 Certified platform.  Send me an email to discuss further...

Panelist William W. Shaw, group vice president at Roanoke, Va.-based First Citizens Bank, which is both a credit card issuer and an acquirer, said on the issuing side he is "very concerned" about the possibility of interchange-rate caps. "It seems we're moving further and further away from free enterprise, ... and I'm very concerned about capping anything, from the free-enterprise side of it." On the acquiring side, when credit card networks reset rates each year, "it's hugely expensive," and the system is "too complex," he said.

Panel moderator Adil Moussa, an analyst with consultancy Aite Group, said recent research from his organization found that some 28% of U.S. merchants routinely attempt to steer customers toward lower-cost payment options at the point of sale to offset the effects of interchange. Home Depot, a member of the Merchants Payments Coalition, is working closely with other merchants on lobbying efforts, de Armas said, noting he is "cautiously optimistic" that lawmakers will draft legislation this year that could lead to a reduction or elimination of interchange.


- Banking / Finance News
Source: spamfighter
Complete item: http://www.spamfighter.com/News-12275-New-Phishing-Scam-Selects-First-Dakota-National-Bank-for-Target.htm

Description:
U.S. based First Dakota National Bank released a news item in the media last week alerting customers of a phishing e-mail that spoofs the Bank's name.

The scam e-mail claims that there is a new message for the recipient from the bank...to read it she/he must log into her/his online account with First Dakota and go to the Message Center Section.  In an e-mail that reads: "First Dakota National Bank Online Banking," the recipient is asked to follow a given link.

But when the user clicks the link, she/he is directed to an Internet site that informs the user that the bank has restricted her/his online banking account. The site then asks for personal information like name, zip code, e-mail address and banking details like debit card number.

Editor's Note:  Well, simpy put, these guys are "rookies". 

The "veteran's" would have you click a link that takes you to a cloned replica of the bank's original website.  

The "professionals" would not even bother phishing, they would simply perform DNS Hijacking to a perfectly cloned site...when user's logged onto their online banking website, the pro's would be able to obtain username's and passwords.  The pro's would then go to the the genuine site and have complete access to the account.


That is why bank's need our PCI 2.0 PIN Entry Device for secure log-in.  They issue the card, they issue the PIN, so why the Username/Passe'word?  Swipe the card, enter the PIN.  You can't do it if you don't have the card and you can't do it if you don't have the PIN.  That's what 2FA is all about.   HomeATM's SafeTPIN is capable of stopping the professionals and the veteran's.  The rookies might still get away with the occassional phishing attack, but never if consumers were instructed by their banks to always be SwipePIN. 

As I've been prone to say in the past.  It's inevitable that someone will be SwipePIN cardholder data...shouldn't it be the cardholder?




Reblog this post [with Zemanta]

PayPal Has Good Q1, eBay Not So Much and Skype Hyped for IPO



Last week, eBay announced first quarter 2009 revenue of $2.02 billion, a $171.6 million year-over-year decreaseeBay's marketplace sales dropped 18% in Q1  while Amazon's gained 18%.  According to eBay, PayPal and Skype performed well with year-over-year revenue growth.

eBay sees strength for PayPal, expecting the online payment processor to more than double its revenue in the next few years.

The Payments business unit reported a strong quarter with $643.0 million in revenue, an increase of 11 percent year-over-year. Net total payment volume (TPV) for the quarter was $15.86 billion, an increase of 10 percent. The revenue and net TPV growth was driven by continued momentum in PayPal Merchant Services and the contribution made by Bill Me Later, according to eBay.


Continued increases in PayPal penetration on eBay helped offset the negative impact of gross merchandise volume (GMV) on revenue and TPV. Active registered accounts reached 73.1 million, an increase of 22 percent year-over-year. The Payments business will continue to focus on the acquisition of new merchants, greater penetration into the Marketplaces business and the growth of Bill Me Later.

Meanwhile, Skype contributed $153.2 million in revenue for the quarter, representing 21 percent year-over-year growth. Skype added 37.9 million new users during the quarter and ended the period with more than 443.2 million registered users. In addition to growing its user base, Skype is focused on product strategies to enhance customer engagement.

On April 14, 2009, eBay Inc. announced plans to separate Skype into an independent company during the first half of 2010, via an initial public offering.
  It might be a good idea to do the same for PayPal.  If so, I'd certainly put PayPal first on the list and continue to build some Skype Hype. 

Reblog this post [with Zemanta]

Airlines lost $1.4 Billion to Online Fraud...HomeATM Can Help!

April 29, 2009 - 3:19pm | author: Petrony | Fraud | News
HomeATM's PCI 2.0 certified payment solution is available to airlines via Universal Air Travel Plan's payment platform.  I humbly suggest they take a closer look.  What's that old line?  Oh, I know: $1.4 Billion Saved is $1.4 Billion Earned! 
Are chargebacks the problem?  Maybe.  Is the fact that credit card companies withhold millions of dollars in usable revenue the problem?  Maybe.  I could use logic to go on and on, but I'd rather just say that we would solve the aforementioned problems immediately, in fact yesterday. 

You can't change the  past, but you CAN change the present.  What's the future?  Some say the present creates the future...I say the future should include "card presence."  Airlines have an choice.  What's the alternative?  We've talked in the past...and at the time...you passed.  Don't let the "passed" get in the way!   We can make this profitable.  Speaking of prophets, I know that the future is laced with more losses from online fraud...or more gains from card "present" TRUE PIN Debit from HomeATM. 

We hadn't yet spread our  PCI 2.0 wings when we last talked...now it's a whole new ballgame and together we can make this fly!   Come Fly with HoMEATM :)


Airlines lost $1.4 Billion as a result of online fraud

The survey commissioned by Mountain View, Calif.-based CyberSource Corp. and Airline Information LLC, producer of conferences and publications about commercial aviation, showed that in 2008 airlines lost more than $1.4 billion to online fraudsters, which makes about 1.3% of their Web-generated revenues.

One of the most popular frauds related to the online airline purchase was determined to be when a fraudster buys a ticket in the name of another person using the information from a stolen card, and then sells the ticket with a discount to another person.

Moreover, the survey showed that airline fraud often involves the cardholder not traveling, international, single-passenger and one-way travel deals.

The average revenue loss rate on airline Web sites made 1.3%. Carriers with the least experience in selling tickets online had higher fraud rates, as well as, carriers catering more to low-fare leisure travelers, rather than to full-fare and business travelers. Moreover, it was revealed that 30% of online bookings required additional manual review and verification. On average carriers used 5.8 fraud-detection tools.

Another data found as a result of the survey was that airlines reject 2.8% of their online bookings on average.

Results are based on online surveys of airline executives with fraud-control responsibilities and follow-up phone interviews conducted between Dec. 1 and Jan. 16 that resulted in 99 qualified responses. Carriers participating in the survey ranged from large to small companies all around the world. Participating carriers had combined online sales of $40 billion last year, about 25% of the industry’s online total.



Reblog this post [with Zemanta]

Disqus for ePayment News