Saturday, May 23, 2009

Hacker Pokes Hole in Secure Sockets Layer (SSL)

Editor's Note: I received a couple of emails regarding my post: Comparing Apples to...Let Just Say "The Real Deal" saying I was wrong and that transactions conducted by typing your credit card number into a mobile phone using SSL are safe.

Here's one quote from an email:
"SSL and other mechanisms are available to iPhone developers to do this right. There is nothing fundamentally insecure about entering a credit card number into a browser with SSL enabled"

Oh?  Let me remind you that SSL was hacked back in February.  Guess he must have been out sick that day...

Hacker pokes new hole in secure sockets layer • The Register

Website encryption has sustained another body blow, this time by an independent hacker who demonstrated a tool that can steal sensitive information by tricking users into believing they're visiting protected sites when in fact they're not. Unveiled at the Black Hat security conference in Washington, SSLstrip works on public Wi-Fi networks, onion-routing systems, and anywhere else a man-in-the-middle attack is practical.

It converts pages that normally would be protected by the secure sockets layer protocol into their unencrypted versions. It does this while continuing to fool both the website and the user into believing the security measure is still in place.

The presentation by a conference attendee who goes by the name Moxie Marlinspike is the latest demonstration of weaknesses in SSL, the encryption routine websites use to prevent passwords, credit card numbers, and other sensitive information from being sniffed while in transit. Similar to a side jacking attack from 2007 and last year's forging of a certificate authority certificate, it shows the measure goes only so far.

"The attack is, as far as I know, quite novel and cool," said fellow researcher Dan Kaminsky, who attended the Black Hat presentation. "The larger message of Moxie's talk is one that a lot of people have been talking about actually for a few years now: This SSL thing is not working very well."
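
A defender-side check for the effect described above, as an added example that is not part of the original post or The Register's article: it flags link and form targets that arrive as http:// on hosts expected to be HTTPS-only. The host bank.example, the sample pages and the function names are constructed for illustration, and it assumes the downgrade is visible to the client as secure targets rewritten to plain HTTP.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that carries a navigation or submission target.
URL_ATTRS = {"a": "href", "form": "action", "iframe": "src", "link": "href"}


class _TargetCollector(HTMLParser):
    """Collect (tag, absolute URL) pairs for link and form targets."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # Resolve relative targets against the URL the page came from.
                self.targets.append((tag, urljoin(self.base_url, value)))


def find_downgraded_targets(page_url, html, https_only_hosts):
    """Return targets that use http:// on hosts expected to be HTTPS-only."""
    collector = _TargetCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.targets:
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in https_only_hosts:
            findings.append((tag, url))
    return findings


# Constructed sample: the same login page as the origin serves it, and as it
# arrives after an intermediary has rewritten the secure targets.
HTTPS_ONLY = {"bank.example"}
ORIGIN_PAGE = (
    '<a href="https://bank.example/login">Sign in</a>'
    '<form action="https://bank.example/auth" method="post"></form>'
)
RECEIVED_PAGE = (
    '<a href="http://bank.example/login">Sign in</a>'
    '<form action="/auth" method="post"></form>'
)

if __name__ == "__main__":
    print(find_downgraded_targets("https://bank.example/", ORIGIN_PAGE, HTTPS_ONLY))
    print(find_downgraded_targets("http://bank.example/", RECEIVED_PAGE, HTTPS_ONLY))
```

The relative form action is flagged as well, because it resolves against a page that was itself delivered over plain HTTP.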

Editor's Question: Still think it's safe to enter your credit card number into a mobile phone?

Then read "Related Articles" below and maybe you'll "Think Different!"


5 to 1 Baby...1 in 5...No One Here Gets Out...Without Having Their Card Cloned

1 in 5 people have bank cards cloned (From The Argus)

Bank card cloning has become a major problem as criminals become more desperate as the recession bites. Figures show that card fraud is growing with one fraudulent transaction taking place every eight seconds.  They reveal that more than £609 million was lost to credit card fraud last year. 

Almost one in five people had their cards cloned at hole-in-the-wall cash machines or in-store chip and pin terminals. 

High-profile victims include Top Gear presenter Jeremy Clarkson who was targeted at a petrol station in California two years ago.  His card was cloned after he filled up his car with petrol. He was hit with a bill for £35,000 after his credit card details were sold on.

Card holders have been warned to be even more vigilant when using automatic cash machines and to check their bank statements carefully.   Kerry D’Souza, a fraud expert at card protection company CPP, says: “Criminals like card crimes because they can do it without having to make face-to-face transactions.

“People need to be vigilant and check their bank statements.  “Being a victim of fraud, with average sums of £650, can be very stressful and a lot of hassle.  “The banks do look for unusual transactions but we all need to be careful.”

The warning came as two Crawley men were sentenced yesterday after they were caught with cloned credit cards.

One of them said he got caught up in the scam after getting himself heavily into debt.

Americo Ferreira, 25, and Sarwar Abdurahaman, 22, were stopped by police after they were seen acting suspiciously in a car that was not theirs at the Tesco petrol station at Broadbridge Heath, Crawley, at 1am on July 15 last year.

They were about to use the cloned cards to fill 15 plastic drums in the car with petrol.  Undercover police targeted the area after they were told that cloned cards were repeatedly being used at the unmanned all-night service station.

Petrol pumps in use at the time meant that customers only had to swipe their bank cards through the machine and did not need to enter a PIN number.

Continue Reading at the Argus


Obama Transcript at Credit Card Law Signing


OBAMA: Hello, everybody. Please have a seat. I’m sorry.  It is a great pleasure to have all of you here at the White House on this gorgeous, sunny day. The sun’s shining; birds are singing; change is in the air. (LAUGHTER)

This has been a historic week, a week in which we’ve cast aside some old divisions and put in place new reforms that will reduce our dependence on foreign oil, prevent fraud against homeowners, and save taxpayers money by preventing wasteful government contracts, a week that marks significant progress in the difficult work of changing our policies and transforming our politics.

But the real test of change ultimately is whether it makes a difference in the lives of the American people. That’s what matters to me; that’s what matters to my administration; that’s what matters to the extraordinary collection of members of Congress that are standing with me here, but also who are in the audience.

We’re here today because of a bill that will make a big difference, the Credit Card Accountability, Responsibility and Disclosure Act.

I want to thank all the members of Congress who were involved in this historic legislation, but I want to give a special shoutout to Chris Dodd, who has been a relentless fighter to get this done.  (APPLAUSE)

Chris -- Chris wouldn’t give up until he got this legislation passed. He’s spent an entire career fighting against special interests and fighting for ordinary people, and this is just the latest example.

I want to thank his partner in crime, Senator Richard Shelby. (APPLAUSE)

So we’re not going to give people a free pass, and we expect consumers to live within their means and pay what they owe, but we also expect financial institutions to act with the same sense of responsibility that the American people aspire to in their own lives. This is a difficult time for our country, born in many ways of our collective failure to live up to our obligations, to ourselves and to one another.

The fact is, it took a long time to dig ourselves into this economic hole. It’s going to take some time to dig ourselves out. But I’m heartened by what I’m seeing, by the willingness of all the adversaries to seek out new partnerships, by the progress we’ve made these past months to address many of our toughest challenges.

And I am confident that as a nation we will learn the lessons of our recent past and that we will elevate again those values at the heart of our success as a people, hard work over the easy buck, responsibility over recklessness, and, yes, moderation over extravagance. This work’s already begun, and now it continues.

I thank the members of Congress for putting their shoulder to the wheel in a bipartisan fashion and getting this piece of legislation done.  Congratulations to all of you. The least I can do for you is to sign the thing.


Source: CQ Transcriptions


Judge: IRS Can Force First Data to Provide Details on US Merchants

A New Front In War on Offshore Tax
by William P. Barrett | Forbes Magazine

IRS seeks data on U.S. merchants who may be diverting online credit card sales revenue to foreign accounts.

Are some U.S. merchants using the credit card processing system to divert Internet sales to offshore accounts and hide taxable profits from the Internal Revenue Service?  That’s the suggestion in a case in federal court in Denver that appears to represent a new front in the IRS’ war against offshore tax evasion.
A federal judge there has granted permission for the IRS to force big credit card processor First Data of Greenwood Village, Colo., to provide details on any U.S. merchants who have arranged since 2002 to have payments from credit and debit cards deposited in offshore accounts with the assistance of First Atlantic Commerce, an obscure company headquartered in Bermuda.

Editor's Note: First Data itself is NOT being accused of any wrongdoing and said in a statement that First Data does NOT support the transfer of credit card proceeds by US businesses to offshore accounts.
Continue Reading at Forbes


MoneyGram Exits Payment Processing Biz

May 22 (Reuters) - MoneyGram International Inc (MGI.N) will sell its payment processing business to privately-held Solutran to focus on its profitable money transfer and bill payment businesses.

The deal is expected to close in the third quarter and a majority of the current 37 FSMC business employees will join Solutran, said the company, which boasts of having Wal-Mart (WMT.N) as one of its clients.

"It's a move that enables MoneyGram to shift our organization closer to our core businesses and at the same time provides Solutran with an exceptional business that fits its growth strategy," Chief Executive Anthony Ryan said in a statement.

FSMC, or the payment processing business, represents less than 1 percent of MoneyGram's total revenue.

MoneyGram's investment portfolio has taken a hit due to deteriorating credit market conditions, and the company has been struggling to move away from riskier asset-backed securities to safer instruments such as government debt.

Shares of the Minneapolis-based company closed at $1.60 Friday on the New York Stock Exchange. The stock has gained 56 percent in value since January this year. (Reporting by Sweta Singh in Bangalore; Editing by Ratul Ray Chaudhuri)
