Thursday, May 14, 2009

Online Banks Subjected to 200 Hack Attempts Already in 2009

Looks like there's a phenomenal surge in hacking attempts to control online bank accounts.  It's unfortunate, but HomeATM can eliminate the threat of cloned bank sites, cloned bank cards and phishing attacks all at once.  Just have your customer log in to your site with a PCI 2.0 Secured 3DES DUKPT PED.   If they don't have the physical card and don't know the bank-issued PIN, they CANNOT log in. 

I've been saying it's time for banks to do this for a while now, but with 200 hacking attempts so far this year, time is getting short.  It's as easy as 1-2-3, and two of the three are already done.

  1. Bank Issues Bankcard
  2. Bank Issues PIN
  3. Bank Issues Bankcard/PIN Reader and eliminates the username/password login.
Source: spamfighter


Given the surging attempts by cyber criminals to attack its online customers, Allied Irish Bank (AIB) has warned customers to be very careful while using online services. The Bank said that it had noticed a phenomenal rise in phishing attacks in the last few days.

Between the beginning of this year and April 2009, 200 hacking attempts had been made by cyber criminals to control people's online bank accounts, according to the reports. In fact, this figure equals the total number of hacking attempts made throughout 2008.

According to the security experts, cyber criminals send an e-mail pretending to have arrived from the bank to target bank customers. The text of the e-mail asks customers to click on the links to visit the bank's website.

However, the link takes customers to a fake website that appears to be the legitimate site of the bank and asks them to fill in their bank codes.

Editor's Note:  They wouldn't need to "fill in their bank codes" if they swiped instead of typed.  Would they?  And since the cardholder data is instantaneously encrypted, there's no data to be had.  Continue with the way it's done now, SNAFU...and your customer gets had...and so do you.  It's not going to get better, so what are you waiting for?  It's as simple as 1-2-3 and two of the pieces are already in place!

Look for more and more of these to crop up.   Oh...and here's an example of a Wells Fargo cloned site (click to enlarge...it's harmless...just a jpeg), or go to The Consumerist to read the story:  Here's the LINK


Cash Present Rates? Congress Investigates

Congress pushes for discounts for cash payers

Visa and Mastercard earn billions through the fees they collect on merchants' credit card transactions. As part of their standard agreements, vendors are prohibited from offering a discount to customers who pay with cash.

That could change. Sen. Richard Durbin (D-Illinois) and Sen. Christopher Bond (R-Missouri) are pushing for regulation that would prohibit credit card companies from imposing these unfair and arbitrary rules on merchants which force cash customers to, in effect, subsidize the purchases of credit card users.

Retailers pushing for the change "do not want to pay their fair share for the significant benefits they get when accepting debit and credit," Trish Wexler, a spokeswoman for industry trade group Electronic Payments Coalition, told the Wall Street Journal (subscription required).

With all due respect: Bull. It's more that they would like to see the costs of credit card use flow through to the people who choose to use credit cards, and they want to see people who use cash benefit from that choice. Why should people who pay cash have to pay fees to Visa too? In effect, that is how it works under the current system.

The proposal offered by Durbin and Bond is good for consumers and bad for the financial services industry. I wonder who will win this battle. I'll give you a hint: Don't look for signs offering a "Pay with cash discount!" anytime soon.


EMUE Dongle

Source: Silicon
Complete item:,3800010322,39430292,00.htm

A bank card that allows workers to securely access company IT systems from outside the office is being trialed in the UK. Up to 1,000 staff at Deloitte and Visa will be given new Barclaycard Corporate Visa cards, revealed by last year, which generate one-time-use passcodes that allow remote access to the company IT system over a virtual private network (VPN).

The card has an embedded keypad and LCD screen, to allow users to enter their PIN and generate the passcode, which is then authenticated by the VPN.  The three-month pilot began last month and is aimed at demonstrating how much businesses could save by using the cards instead of investing in separate tokens to generate passcodes.  Simon Owen, who leads the information and technology risk practice at Deloitte, told "It allows you to combine the savings of not having to produce and distribute a separate dongle device with the security and convenience of having this in a credit card." The two-factor authentication technology was developed by Barclaycard in conjunction with EMUE Technologies.

Deloitte used to rely on a separate dongle to generate a passcode but its 10,000 staff now use a mobile phone applet based on EMUE technology to authenticate access to systems via VPN. The applet works in the same way as the card, generating a one-time passcode after the employee enters their PIN.  "We believe that the EMUE technology offers 60 per cent cost savings over traditional security technology such as the dongle offerings," Owen said.  The card can still be used for authenticating ATM and Chip and PIN transactions and is swipe-card-reader compatible.

The passcode technology can also provide remote authentication to combat card not present (CNP) fraud and identity theft associated with online banking, internet shopping and telephone authentication.  CNP fraud using stolen UK cards cost £328.4m last year, accounting for more than half - 54 per cent - of all card losses. Owen said: "EMUE is designed to stop CNP fraud that many banks say are hurting them at the moment."  Consumers could also use the technology to avoid being scammed by phone calls or emails, inputting an EMUE code into their card from the caller or the email to authenticate the correspondence.


NY Times Twitter Account Hacked

Source: Sophos

Yesterday, a Twitter account run by the New York Times was the latest high profile victim of an account hack.

The Moment, a fashion blog from the New York Times, which has over 510,000 followers on the micro-blogging network, fell foul of spammers who broke into their account and posted the following message:

Everyone visit for 100% FREE webcam girls/guys doing anything you ask them in the chat, I love it personally.

A couple of hours later, The Moment regained control of their account and posted the following explanation for the out-of-character Tweet.

Of course, it was never likely that a Twitter account with so many followers was going to remain under the control of hackers for long - but the spammers probably didn't care about that. After all, if just a small percentage of people followed the link to check out naked webcam action then it will have been worth their while.

Clearly more people need to learn lessons of high profile attacks like this, and ensure that their online passwords are hard for the hackers to guess.



Fake Websites Driving Malware Installations

Source: F-Secure

One of our Web Security Analysts came across a website (118,000 ranking in Alexa) that drives users into installing a fake Adobe Flash Player file. The site prompts a message requesting the user download "a new version of Adobe Flash Player" in order to view a video on the site.

Looks pretty authentic, right? It even offers to download an "install_flash_player.exe" file for you. The analyst was using a Linux system though, so this seemed slightly odd.  Turns out the site is a (pretty good) fake. Unless a visitor takes a hard look at the address bar, it's pretty easy to be fooled.  The downloaded installer also looks like the original Adobe Flash Player installer, though the checksum and digital signatures point out the



Based on a reverse domain lookup on the malware link, the fake site is hosted in Bulgaria.


Breaches Causing Huge Decline in Consumer Trust Say 78% of Respondents

Source: Digitaltransactions

Many banks are reflexively reissuing debit cards in the wake of a breach, possibly stopping fraud losses but sustaining huge reissuance costs and eroding customers' trust. That's according to survey research released this week.

"[Breaches] occur all the time, and don't show any signs of going away," says Paul Henninger, director of fraud solutions at Actimize Inc., the New York City-based vendor of anti-fraud software that sponsored the research.

As breaches multiply, and as hackers increasingly target transaction processors like Heartland Payment Systems Inc. and RBS WorldPay Inc., the two most recent processor targets, issuers will have to find ways to more selectively shut off access to accounts, he says. As it is, reissuance costs as much as $30 per card, he estimates, with postage, call-center, and other operational overhead factored in on top of the actual cost of a card. "Banks have to decide what approach to take," Henninger warns.

Actimize's research effort, which last month surveyed 113 institutions around the world (51% in North America) about fraud on PIN- and signature-based debit card transactions, also sheds light on the possible size of the Heartland breach, which the Princeton, N.J.-based processor reported in January. Heartland has not released any figures for how many accounts were compromised, but in the survey 30% of respondents said they had seen fraud they believed stemmed from the breach. That's nearly on a par with the 31.25% who reported attacks from data stolen in the TJX Cos. Inc. breach, which was reported more than two years ago and involved anywhere from 40 million to 100 million compromised accounts. The data suggest, says Henninger, that either hackers are getting more aggressive about using stolen card data or "the Heartland compromise was at least as big as TJX if not larger."

With major breaches now involving merchant processors holding data affecting possibly thousands of banks, issuers face mounting costs that go well beyond actual fraud losses, the report says.

Even though some 48% of respondents reported that fewer than 1% of the accounts they are notified of as having been exposed in a breach are actually hit with fraudulent activity, nearly 15% are replacing more than 20% of their cards in the wake of a data breach. "These are cards they pre-emptively reissued without any indication of fraud," says Henninger. "It's a massive number of cards."

He credits the banks with taking fraud seriously, but says they are relying on a "blunt instrument," namely legacy processing systems that were not designed to handle the aftermath of a mass data compromise. Two technologies that would help, he says, are real-time transaction monitoring and analytical modeling updated to include characteristics of mass compromises.

Some issuers, Henninger says, are getting the message that wide-ranging and repeated card replacements shake consumer confidence in the issuing institution. "These were risk professionals responding," he says. "They appear to be as concerned about the impact on consumers as they are with the financial impact."

Indeed, more than 78% of respondents said they are seeing a decline in consumer trust as a result of data breaches, Henninger says. "If you have a customer who lacks trust in the banking institution, that's a serious problem," he notes.



Economy Strengthens Debit's Lead Over Credit

The new issue of ISO and Agent Weekly came out today and on the left you'll find a graphic from that publication.
It seems that even though Debit has been making gains on Credit for a number of years, the economy, recession, whatever you want to call it, has changed the spending habits of  83% of consumers.
Click the graphic to enlarge.
If you're interested, here's a link to the latest issue of ISO and Agent Weekly, which is in PDF format:


Defendant Ordered to Pay $300M Seeks Bankruptcy

Late yesterday I did a post on this subject...but it was just breaking, so here's a follow-up.

LOS ANGELES—The defendant in a fraud lawsuit filed for bankruptcy the same day a jury ordered him to pay $300 million to a venture capitalist who accused him of stealing his research into a Web-based credit card processing system.  Greg Daily filed the bankruptcy papers Monday in U.S. Bankruptcy Court in Tennessee, where he is a resident, court records showed.

A Los Angeles jury had decided on its award for plaintiff Douglas Shooker on Monday, imposing an automatic stay on proceedings against Daily, the Los Angeles Daily Journal reported. Jurors had been scheduled to deliberate about punitive damages later in the week. 

Jurors announced their award at the end of a 4 1/2-month trial over research on capturing revenue from Web-based purchases that Shooker said he shared with Daily's Nashville-based credit card processing company iPayment Inc.  Shooker claimed Daily later blocked his firm, Auerbach Acquisition Associates Inc., from exercising a contract to buy a majority stake in iPayment.  It was unknown whether Daily had filed for bankruptcy before or after jurors announced their award.

Daily's lawyer James Penrod and Auerbach attorney Jennifer L. Keller did not return calls from The Associated Press seeking comment and clarification Wednesday.

Editor's Note:  Here's more information from iPayment Inc. via their press release:

On May 12, 2009, iPayment, Inc. (“iPayment”) disclosed in the Quarterly Report for the quarter ended March 31, 2009, filed on Form 10-Q with the Securities and Exchange Commission the following:

On May 11, 2009, a jury in the Superior Court of the State of California for the County of Los Angeles handed down a verdict in the amount of $300 million, plus potential punitive damages, against Greg Daily, the Company’s Chairman and Chief Executive Officer. This lawsuit was brought against Mr. Daily individually and not in his capacity as the Chairman and Chief Executive Officer or Director of the Company. Neither the Company, nor any other shareholders, officers, employees or directors were a party to this action. The Company has no indemnification, reimbursement or any other contractual obligation to Mr. Daily in connection with this action.

In response to this verdict, Mr. Daily has filed for personal bankruptcy protection under Chapter 11 of the United States Bankruptcy Code in Nashville, Tennessee. The Company is not a party to these bankruptcy

Information in this press release may contain “forward-looking statements” about iPayment, Inc. These statements involve risks and uncertainties and are not guarantees of future results, performance or achievements, and actual results, performance or achievements could differ materially from the Company’s current expectations as a result of numerous factors, including but not limited to the following: acquisitions; liability for merchant chargebacks; covenants governing the Company’s indebtedness; weakening consumer spending and a generally weak economy; actions taken by its bank sponsors; migration of merchant portfolios to new bank sponsors; the Company’s reliance on card payment processors and on independent sales organizations; changes in interchange fees; risks associated with the unauthorized disclosure of data; imposition of taxes on Internet transactions; actions by the Company’s competitors; and risks related to the integration of companies and merchant portfolios the Company has acquired or may acquire. These and other risks are more fully disclosed in the Company’s filings with the U.S. Securities and Exchange Commission, including without limitation the Company’s Annual Report on Form 10-K for 2008. The Company undertakes no obligation to revise or update any forward-looking statements in order to reflect events or circumstances that may arise after the date of this release.

iPayment, Inc. is a provider of credit and debit card-based payment processing services to approximately 145,000 small merchants across the United States. iPayment’s payment processing services enable merchants to process both traditional card-present, or “swipe,” transactions, as well as card-not-present transactions, including transactions over the internet or by mail, fax or telephone.


Security Fears Holding Back Online Shoppers

Internet users wary about shopping online.

Almost a third of internet users are too frightened to shop online, according to a report by the Office of Fair Trading.

The report reveals that 30 per cent of users are too frightened to hand over their credit card details and do not shop online because of a lack of trust.

Online sales
The OFT said that one in five internet users who chose not to shop online failed to do so because they were worried about personal security. 


Some 15% of those who turned down the chance of internet shopping said they did not trust the retailers.

"Online retailing is the future for many businesses and increasingly important to the economy," said OFT chief executive John Fingleton. "If consumers are not confident online, demand will grow at a slower rate. So we must tackle these concerns right now if the online market is to grow at its full potential."

"UK consumers buy almost twice as much over the internet compared to their European neighbours," said Consumer Minister Gareth Thomas.  "It is encouraging that the OFT's survey shows increasing consumer confidence when buying online - but people still have concerns."

Banking changes

Mr Black, principal consultant for banking at Defaqto, said that similar fears over security - as well as a lack of internet access - meant people were missing out on better returns.

Returns on savings have been cut dramatically as account providers have mirrored falls in the Bank rate.
Mr Black said that introductory offers being offered on accounts meant savers could get a better deal by switching accounts.  "However savers need to be aware that just because an account is internet only does not automatically mean that it is a good deal. There are examples of internet only accounts that are paying as little as 0.10%," he said.

However, the report reveals that confidence in e-commerce is increasing among consumers who do shop online. Over half, 54%, of online shoppers feel it is as safe as shopping in store, compared with 26% three years ago.


Cardinal Commerce and Cred-Ex Launch MAP New Territory

Alternative Payment Solution Provider Cred-Ex To Launch Its New Merchant Advantage Program
SECAUCUS, N.J., May 14 /PRNewswire/ -- Cred-Ex, in conjunction with CardinalCommerce, is ready to launch its new Merchant Advantage Program (MAP).

With this program, Cred-Ex helps participating online merchants increase their conversion rates and attract new traffic. Through its patented technology, Cred-Ex assists participating merchants in assessing credit-worthy customers at the checkout page. With Cred-Ex's four keystrokes and two clicks only application process, an instantaneous (less than six seconds) online full credit evaluation is provided. Using Cred-Ex's state of the art underwriting engine, based on their own underwriting criteria, merchants can make immediate credit decisions to issue their customers in-house credit to complete their purchases. The program is designed to allow the customers the flexibility to pay for their purchases in multiple (three to six) even installments, with or without interest. This process dramatically increases volume and loyalty by attracting and converting new customers, and by retaining existing clients. In this credit challenged market, the MAP process is ideal for high tickets items and to move slow moving inventory. The process can also be used in conjunction with specific strategic marketing initiatives. Alternative Payment Solutions have proven their effectiveness in lifting ticket size and increasing orders volume. MAP is the new generation in creative alternatives to achieve and increase profitability. Cred-Ex's technology also helps combat identity theft through its patented process.

While composed of complex algorithms, Cred-Ex's patented process is easy for merchants and consumers to use. Unlike its competitors, Cred-Ex's platform does not require consumers to input potentially harmful personal data such as Credit Card, Bank Account or Social Security numbers. As a result, Cred-Ex does not store consumers' sensitive data on its servers. This protects the consumer's identity.

Coleen Barbiere, Cred-Ex Chief Operating Officer, says, "Merchants welcome new ways to increase webstore sales and profits by increasing conversion ratios and attracting additional traffic. Our new Cred-Ex Merchant Advantage Payment option will give participating merchants the edge that they need to differentiate themselves from their larger competitors and increase their sales volume".

Stephane Touboul, Chief Executive Officer and Cred-Ex co-founder says, "We are very excited about launching our product through CardinalCommerce's Centinel(R) technology. Cardinal's proven easy integration process, coupled with the power of the dynamic Centinel platform, makes it even easier for merchants to adopt and benefit from our Merchant Advantage Program. Truly, between Cred-Ex's marketing and technology innovation and Cardinal's state of the art platform, it is a win-win for the merchants".

Matt McDowell, CardinalCommerce's Vice President of Merchant Services, says, "Merchants continually tell us that using non-bankcard payment options leads to increased sales and appeals to those customers who wouldn't purchase from their sites otherwise. Today, new payment options are essential for eCommerce growth, and Cred-Ex's Merchants Advantage Program is the type of tool that will make a difference for our current, and future, Centinel Customers."

Merchants benefit from alternative payment solutions because they increase webstore profits. CyberSource recently reported that additional payment choices can increase merchants' sales conversion rates by up to 14%. Plus, Jupiter Research found that alternative payment solutions increase average order size by 13.3%. In today's challenging economy, creative alternative payment solutions can improve a much needed increase in the bottom line.

About Cred-Ex:

Cred-Ex is the main brand of Emerging Payments Technologies, Inc., which has been a leader in alternative billing for over 10 years. Emerging Payments Technologies, Inc. began developing the Cred-Ex platform and brand in 2004 to lead the trend in online billing, e-Commerce, and now m-Commerce. Cred-Ex's owners have built several major companies and are recognized leaders in Europe in the mainstream and alternative payments industry. They are also the founders of Fluendo, which specializes in delivering products and consulting services focusing on UNIX and GNU/Linux multimedia. Fluendo comes out ahead by combining best-of-breed systems from the Open Source world with a strong team of highly knowledgeable software engineers; and Aedgency, a leading interactive advertising agency, performance-based only, that specializes in Search Engine Marketing (SEM) and contextual advertising.

About CardinalCommerce:

CardinalCommerce Corporation is the global leader in enabling authenticated payments, secure transactions and alternative payment brands for both eCommerce and mobile commerce. Cardinal Centinel(R)* enables payment brands such as Verified by Visa, MasterCard(R) SecureCode(TM), Amazon Payments(TM), Bill Me Later(R), ClickandBuy(TM), Cred-Ex, Ebates(TM), eBillme(TM), eLayaway(TM), Google(TM) Checkout, Green Dot(R) MoneyPak(R), Mazooma(TM), Moneta(R), MyECheck, NACHA(R) Secure Vault Payments (SVP), PayPal(TM), RevolutionCard(TM), Ukash(TM), and more to a network of thousands of merchants and merchant service providers. Our mobile commerce platform, Cardinal MAX(TM), makes it simple for retailers to sell and market products through the mobile channel. Cardinal's proprietary and easily deployable technology provides consumers, merchants, credit/debit card issuers, and processors the ability to conduct authenticated Internet, wireless and mobile transactions safely and securely. Headquartered in Cleveland, Ohio, with facilities in the United States, Europe, and Africa, Cardinal services a worldwide Customer base.

* Patent # US 7,051,002 B2

Contact:
Eric Gelb, Business Development
T: 201-865-7600 x 102

Contact:
Tim Sherwin, CardinalCommerce
T: 877-352-8444 x 101

19,000 Union Workers at Risk after Laptop Stolen

A laptop stolen on the East Coast may have put members of Oregon's largest private-sector union at risk of identity theft.

John and Melissa Browning, who work at a local grocery store, have been members of the United Food and Commercial Workers Union 555 for more than 15 years. The UFCW represents about 19,000 workers in Oregon and southwest Washington.  Dan Clay, the union's president, said the UFCW's international headquarters sent a letter to members of Local 555 about a union employee's laptop being stolen on the East Coast.

The letter said the laptop may contain personal information of Local 555 members, including birth dates and Social Security numbers.  "With that information, whoever obtained it could go out and get any type of credit because they have my birth date, my Social Security number, my full name as well as the address I live at," said John Browning.  The Brownings said they're angry about how long it took for them to learn about the laptop theft. The letter said the laptop theft occurred in March.

"Our union Local 555 wasn't the union that had the laptop stolen and so we weren't in control of the situation," Clay said. "We weren't made aware of it until very recently."  The UFCW recommended members place fraud alerts on their credit files.

The Brownings hope their warning serves as a reminder for other union members.  "People need to learn to be very diligent in checking their credit reports and making sure the information they give to companies is going to be secured properly," John Browning said. 


Visa Won't Confirm Amount of Heartland Fine

The Heartland Payment Systems (HPY) data breach has already cost the card processor millions in fines from Visa and MasterCard.

This news was revealed by CEO Bob Carr in Heartland's recent earnings call, wherein Carr said the much-publicized breach has already cost the company $12.5 million. Other than legal fees and some related charges to the breach, much of that amount went toward fines imposed by Visa and MasterCard against Heartland's acquiring banks, Carr says.  

A Visa source would not confirm the amount of the fine imposed, but Carr told investors that more than 50 percent of the $12.5 million relates to a fine that MasterCard assessed against its sponsor (acquiring) banks...

Continue Reading at Bank InfoSecurity


Web Application Firewalls Hacked

Researchers Hack Web Application Firewalls

OWASP Europe presentation demonstrates tools that fingerprint the brand of WAF, as well as bypass it altogether

By Kelly Jackson Higgins | DarkReading

A pair of researchers at the OWASP Europe 2009 conference on Wednesday showed how some Web application firewalls (WAFs) are prone to attack.

Wendel Henrique, a member of SpiderLabs (Trustwave's advanced security team), and Sandro Gauci, founder and CSO for EnableSecurity, also found some WAFs vulnerable to the same types of exploits they are supposed to protect Web apps from, such as cross-site scripting (XSS) attacks.

The researchers used a tool they developed, called WafW00f, to detect and fingerprint the presence -- and in some cases, the brand -- of a WAF running in front of a Web application. A second tool created by Henrique and Gauci, called WafFun, let them exploit and bypass WAFs running in blacklisting and whitelisting modes. With a combination of WafW00f and WafFun, the researchers are able to execute attacks on the WAF invisibly so they can successfully hack the Web-facing application sitting behind it.

Editor's Note:  So let me get this straight...HTTPS is HTTBS and Firewalls are useless.   4 Questions: 
  • Are you starting to see how unsafe a web browser is? 
  • Are you starting to see why financial transactions SHOULD NEVER be done in a web browser space? 
  • Are you starting to see why HomeATM engineered, patented and manufactures the ONLY PCI 2.0 PED designed for eCommerce use? 
  • Are you starting to see that the 3DES end-to-end encryption of cardholder data with DUKPT key management is the safest and most secure way to protect consumers and merchants from hackers?      

"If an attacker knows what product and version, it's easy to exploit it. One of the things [WAF] vendors claim is that they [operate] in stealth [mode]," Henrique says. "But in practice, they have a lot of different behaviors that they create...and you can use those behaviors to identify what WAF is in place."

Continue Reading at DarkReading


Airtight Study of Financial Districts Reveals Wi-Fi Security Risks

AirTight Networks published a study of wireless access points and found that the majority still use WEP and the WEP cracking time is less than five minutes.  Interesting study.  The URL to the PDF is at the end of this post.

Source: SecurityFocus

The majority of wireless access points located in seven metropolitan financial centers have easy-to-break or nonexistent security, according to a survey conducted by security firm AirTight Networks and published on Wednesday.

The survey, which summarized more than 30 scans in six U.S. cities and London, found that 57 percent of the access points had no security or used Wired Equivalent Privacy (WEP), an older and easy-to-hack form of encryption. Almost 40 percent of the insecure wireless networks used enterprise-grade hardware from major vendors, suggesting that they were deployed by companies, not consumers, said Mike Baglietto, director of product marketing for AirTight Networks.

"We thought wireless was mature enough that people should understand the security issues," Baglietto said. "But we saw a lot of open access points, a lot of identities being leaked, and a lot of insecure installations."

The relative insecurity of wireless networks has long been a bane for many companies. In 2007, retail giant TJX Companies announced that more than 46 million credit- and debit-card numbers had been leaked through the insecure wireless portions of its processing network. While WEP has long been known to have serious deficiencies that allow attackers to easily break into networks using the technology, researchers found in 2008 that some communications using WiFi Protected Access - the security technology that replaced WEP - could also be broken.

In its latest study, AirTight Networks found that 32 percent of access points used WPA security. Only 11 percent of the access points used the most recent iteration of wireless security, WPA2.

Study Methodology

  • Visited 7 financial districts (6 in US, 1 in UK)
  • Scanned WiFi signal for 5 minutes at each randomly selected location
  • 3632 APs scanned
  • 547 Clients scanned
  • Picked up WiFi signals at 30 randomly selected points in: New York, Chicago, Boston, Wilmington (DE), Philadelphia, San Francisco, London
  • A sample WiFi trace tells a lot about the network security posture in each location.

Key Findings:
Widespread Use of Insecure Practices

Overall Distribution of WiFi security
57% of WiFi networks are either OPEN or using weak (WEP) encryption

  • Data flowing through these access points can be sniffed, decoded, captured and misused
  • Open and WEP encrypted access points pose a serious risk when connected to an internal network
  • Within AirTight's 5 minute scans, several instances of open APs were connected directly to internal networks and leaking the identities of active users, including company executives

The company also found that a little more than a third of the open access points were likely to be part of public or hotspot networks, while the other two-thirds of walk-in networks seemed intended to be private.

URL to see the report:

Press Release:  AirTight Study of Financial Districts' Airspace Reveals Wi-Fi Security Risks

Key Findings Demonstrate a Pattern of Wireless Data Leakage and Poor Security Practices in Six U.S. Cities and London

Mountain View, CA. - May 13, 2009 - There appears to be a very high incidence of wireless vulnerabilities and poor wireless security practices in the financial districts of seven cities according to the results of a survey released today by AirTight® Networks, the industry leader for wireless security and compliance solutions. AirTight issued the findings of its Financial Districts Scanning Report for wireless security vulnerabilities in the financial districts of New York, Chicago, Boston, Wilmington (DE), Philadelphia, San Francisco and London.

The key findings demonstrate a pattern of careless use of Wi-Fi access points and a lack of knowledge about the vulnerabilities wireless can introduce into a business environment and about how to protect corporate data. This follows the same pattern of wireless vulnerabilities that AirTight found in its Airport Scanning Reports last year, but with potentially much more significant consequences for an already battered industry: the airspace in these financial districts is dominated by open or poorly encrypted (WEP) wireless access points (APs). Many of these APs were using ineffective security practices such as hiding the SSID, and personally identifiable information was leaking out.

Key Findings

- 57% of the airspace scanned was dominated by open or WEP encrypted access points.
    • Data flowing through these access points can be sniffed, decoded, captured and misused
    • Open and WEP encrypted access points pose a serious risk when connected to an internal network
    • Within AirTight's 5 minute scans, several instances of open APs were connected directly to internal networks and leaking the identities of active users, including company executives

- 61% of open and WEP encrypted access points were consumer or SOHO grade.
    • These cannot be detected or centrally managed using wired security tools
    • Many were found to be operating in the default factory mode

- 13% of active Wi-Fi client devices (laptops, iPhones) were operating in ad hoc mode.
    • These were actively looking to connect to viral networks such as "free public Wi-Fi" and "free Internet access"
    • These are also vulnerable to wi-phishing or honeypotting

- 27% of open APs were hiding their SSIDs in the mistaken belief that this offers protection from sniffing.

- Enterprise grade APs were found configured in WEP mode instead of WPA or WPA2, even though these APs can support the stronger encryption.

"In light of some rather spectacular data breaches involving financial information in recent years - both wired and wireless - in financial districts we expected to find well protected and configured networks, open or guest access isolated from corporate networks and strict enforcement of Wi-Fi security policies," said Pravin Bhagwat, CTO of AirTight. "What we found instead should give pause to security administrators working in industries with highly sensitive information such as financial services."

In its study of 43 companies that suffered a data breach last year, the Ponemon Institute found the total cost of coping with the consequences rose to $6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006. The cost per compromised record in 2008 rose 2.5% over the year before to $202 per record, according to the study released last week.

"In this time of heightened scrutiny of banks and other financial services organizations, a major breach would certainly be a blow to their reputation as well as their bottom line," continued Bhagwat. "Wireless networks provide great efficiencies for corporations and, more and more, employees are demanding the ability to work anywhere at anytime. However, when the data that is being transmitted is so sensitive, all methods available to protect it must be undertaken. It is time for all of these enterprises and government agencies to recognize the risks and implement best practices."

Wireless Security Checklist

While there are many ways to protect your network from wireless breaches, AirTight has developed a list of best practices to get started. A few are listed here.
  • Enable encryption to protect the data that is being transmitted. Opt for WPA, preferably WPA2, rather than WEP.
  • Conduct ongoing wireless security audits and scans to detect the presence of unauthorized Wi-Fi devices and activity on your premises.

The full Wireless Security Checklist can be found on AirTight’s Website page for the Financial Districts Scanning Report.
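The checklist above and the key findings earlier in the release are easy to turn into a repeatable check. The Python script below is an added example, not AirTight's tooling and not anything published with the report. It parses a constructed scan export (the column layout and every row are invented for this example), labels each infrastructure network OPEN/WEP/WPA/WPA2 the way the study's distribution does, reports the open-or-WEP share, and flags the conditions the key findings call out: hidden SSIDs, ad hoc (IBSS) networks advertising viral SSIDs, factory-default SSIDs on unmanaged SOHO gear, WPA still running TKIP, and BSSIDs missing from an authorized inventory. `AUTHORIZED_BSSIDS` and `DEFAULT_SSIDS` are hypothetical lists assumed for the example.

```python
"""Classify Wi-Fi networks from a scan export and flag weak practices.

Added example, not AirTight's code. The CSV layout and every row below are
constructed; real scanners (airodump-ng, Kismet) export richer tables whose
columns would need mapping onto these names.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample scan: one beacon source per row, all values invented.
SCAN_CSV = """\
bssid,ssid,channel,mode,privacy,cipher,auth
00:11:22:AA:BB:01,CorpNet,6,AP,WPA2,CCMP,MGT
00:11:22:AA:BB:02,CorpNet,11,AP,WPA2,CCMP,MGT
00:11:22:AA:BB:03,CorpNet-Legacy,1,AP,WEP,WEP,OPN
00:11:22:AA:BB:04,,1,AP,OPN,,
00:11:22:AA:BB:05,Guest,6,AP,OPN,,
00:11:22:AA:BB:06,linksys,6,AP,OPN,,
00:11:22:AA:BB:07,TradingFloor,36,AP,WPA,TKIP,PSK
02:1A:2B:3C:4D:5E,Free Public WiFi,11,IBSS,OPN,,
"""

# Hypothetical inventory of BSSIDs the security team has sanctioned.
AUTHORIZED_BSSIDS = {
    "00:11:22:AA:BB:01", "00:11:22:AA:BB:02", "00:11:22:AA:BB:03",
    "00:11:22:AA:BB:05", "00:11:22:AA:BB:07",
}
# Short illustrative list of factory-default SSIDs on consumer/SOHO gear.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "belkin54g"}
# Strongest first: a mixed-mode AP is labelled by the best mode it offers.
RANK = ["WPA2", "WPA", "WEP", "OPEN"]


@dataclass
class Network:
    bssid: str
    ssid: str
    channel: int
    mode: str      # "AP" (infrastructure) or "IBSS" (ad hoc)
    privacy: str   # OPN, WEP, WPA, WPA2, or "WPA WPA2" for mixed mode
    cipher: str    # CCMP, TKIP, WEP or empty
    auth: str      # MGT (802.1X), PSK, OPN or empty

    @property
    def security(self) -> str:
        """Collapse the privacy field to the single strongest mode advertised."""
        tokens = {t.replace("OPN", "OPEN") for t in self.privacy.split()}
        for label in RANK:
            if label in tokens:
                return label
        return "OPEN"  # nothing advertised means no link-layer encryption

    @property
    def hidden(self) -> bool:
        # An empty SSID in the beacon is the usual "hidden network" setting.
        return self.ssid == ""


def parse_scan(text: str) -> list[Network]:
    rows = csv.DictReader(io.StringIO(text))
    return [Network(r["bssid"], r["ssid"], int(r["channel"]), r["mode"],
                    r["privacy"], r["cipher"], r["auth"]) for r in rows]


def security_distribution(nets: list[Network]) -> dict[str, float]:
    """Percent of infrastructure APs per label (the study's 57/32/11 split);
    ad hoc networks are reported separately by audit()."""
    aps = [n for n in nets if n.mode == "AP"]
    counts = Counter(n.security for n in aps)
    return {label: round(100 * counts[label] / len(aps), 1) for label in RANK}


def weak_share(nets: list[Network]) -> float:
    """Percent of infrastructure APs that are open or WEP."""
    aps = [n for n in nets if n.mode == "AP"]
    weak = sum(n.security in ("OPEN", "WEP") for n in aps)
    return round(100 * weak / len(aps), 1)


def audit(nets: list[Network]) -> dict[str, list[str]]:
    """Per-BSSID findings mirroring the report's key findings."""
    issues: dict[str, list[str]] = {}
    for n in nets:
        found = []
        if n.mode == "IBSS":
            found.append("ad hoc network; likely a viral or honeypot SSID")
        if n.security == "OPEN":
            found.append("no encryption; traffic sniffable")
        elif n.security == "WEP":
            found.append("WEP; key recoverable from captured traffic")
        elif n.cipher == "TKIP":
            found.append("TKIP cipher; move to WPA2 with CCMP")
        if n.hidden:
            found.append("hidden SSID; gives no protection from sniffing")
        if n.ssid.lower() in DEFAULT_SSIDS:
            found.append("factory-default SSID; probably unmanaged SOHO gear")
        if n.mode == "AP" and n.bssid not in AUTHORIZED_BSSIDS:
            found.append("BSSID not in authorized inventory; possible rogue")
        if found:
            issues[n.bssid] = found
    return issues


if __name__ == "__main__":
    nets = parse_scan(SCAN_CSV)
    print("distribution:", security_distribution(nets))
    print(f"open or WEP: {weak_share(nets)}%")
    for bssid, found in audit(nets).items():
        print(bssid, "->", "; ".join(found))
```

Against a real export you would feed in the AP table from airodump-ng or Kismet after mapping their columns onto the names used here. The rogue check is only as good as the inventory behind it, so keeping `AUTHORIZED_BSSIDS` current is itself part of the audit the checklist asks for. "Open" here means no link-layer encryption: a captive-portal guest network still shows up as OPEN, and its client traffic is still readable by anyone in range.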

How the study was conducted

For this study, AirTight set out to understand the risks to data from financial services organizations created by poor security practices. Just as with its earlier Airport Studies, AirTight continues to find troubling results regarding the security posture of private Wi-Fi networks as well as the rapid spread of viral Wi-Fi networks.

AirTight wireless security researchers doing "war walks" took five minute scans at randomly selected locations in the financial districts of seven cities - New York, Chicago, Boston, Wilmington (DE), Philadelphia, San Francisco and London - from February through April, 2009. Overall, the signal from more than 2000 Wi-Fi access points was sampled. The scans were typically collected near the buildings where financial institutions were housed including banks and stock exchanges.


About AirTight Networks
AirTight Networks is the global leader in wireless security and compliance solutions providing customers best-of-breed technology to automatically detect, classify, locate and block all current and emerging wireless threats. AirTight offers both the industry’s leading wireless intrusion prevention system (WIPS) and the world’s first wireless vulnerability management (WVM) security-as-a-service (SaaS). AirTight’s award-winning solutions are used by customers globally in the financial, government, retail, manufacturing, transportation, education, healthcare, telecom, and technology industries. AirTight owns the seminal patents for wireless intrusion prevention technology with 11 U.S. patents and two international patents granted (UK and Australia), and more than 25 additional patents pending. AirTight Networks is a privately held company based in Mountain View, CA. For more information please visit

TSYS to Provide Travel Bank with Japan's First Visa Prepaid Card

COLUMBUS, Ga. & TOKYO - (Business Wire) TSYS announced that it would begin processing Visa-branded prepaid cards for the Japanese market in July 2009. The prepaid cards will be issued by Travel Bank Inc., a financial services company that is part of the JTB Group. Consumers can use the cards to make payments at Visa merchants when traveling overseas or to withdraw cash from Visa ATMs.

“Prepaid cards are a trusted alternative to travelers’ checks in many countries, and the number of issuers that are interested in prepaid is increasing worldwide,” said Gaylon Jowers, Jr. President of TSYS International. “We are delighted to be expanding service to the Japanese tourism industry, and we applaud Travel Bank’s decision to offer prepaid cards that are safe, flexible and can satisfy consumers’ unique needs.”

“We are confident that Japanese consumers who travel overseas will find Visa-branded prepaid cards to be a convenient way to pay when traveling abroad,” said Hitoshi Kondo, managing director of TSYS Japan. “We have been working with Travel Bank on its retail gift products for more than a year and are proud to expand our partnership to provide service to Japan’s largest travel agency group.”

TSYS is one of the world’s largest processors for branded prepaid cards. In Japan, the company offers payment-related services for debit, credit, retail gift, loyalty and prepaid products to a variety of industries through its wholly owned subsidiary, TSYS Japan.

Editor's Note:  About TSYS Japan

TSYS Tokyo Facility

TSYS entered the Japanese market in 2000 by acquiring a majority share in GP Network Corporation (GP Net), a joint venture formed by seven leading Japanese credit card companies and Visa International. Shortly following the new partnership, a wholly owned TSYS subsidiary, TSYS Japan, was established to offer processing alternatives to the payment card industry. GP Net owns and operates a merchant network, rapidly delivering card transaction data between merchants and card companies. In 2006, TSYS Japan began providing processing services as the first and only “third-party” processor in the Japanese market. It currently offers a variety of products and services, including an innovative debit product that offers cardholders a choice of multi-currency repayment options.

TSYS Japan has added several prepaid card clients since it began providing services for its first client in 2006. Rapid growth in this sector is expected to continue in the coming years. To learn more about TSYS Japan, please visit our Japanese website at  For more information about our services in the Asia Pacific region, contact at

About Travel Bank, Inc.

Travel Bank, Inc. is a company of the JTB group. Since its establishment in 1997, it has offered financial products and services to consumers, including support services for international ATM cards issued by Japanese banks and membership services for affluent customers of trust banks. Travel Bank has obtained Visa membership to begin offering the Visa Prepaid Card as Japan’s first-of-its-kind issuer. For further details, please refer to (Japanese language site).

About TSYS

TSYS (NYSE: TSS) is one of the world’s largest companies for outsourced payment services, offering a broad range of issuer- and acquirer-processing technologies that support consumer-finance, credit, debit, debt management, healthcare, loyalty and prepaid services for financial institutions and retail companies in the Americas, EMEA and Asia-Pacific regions. For more information contact or log on to TSYS routinely posts all important information on its website.

TSYS Media Relations
Cyle Mims, +1-706-644-3110
TSYS Investor Relations
Shawn Roberts, +1-706-644-6081
