Tuesday, July 7, 2009

IBA Website Hacked/Cloned This Morning

As we have pointed out a few times on this blog, these types of problems plaguing banks could be severely reduced, if not completely eliminated in three simple steps...two of which have already been done.

Authenticating an online banking customer with "username | password" (or "any form of log-in" which a consumer must type/enter) is the fundamental basis of the problem.

Banks issued a card. Banks issued a PIN. The last issue they must contend with is issuing the card/PIN reader: true two-factor authentication, what you have (the card) and what you know (the PIN).

Prior to HomeATM breaking the price barrier, a low-cost secure card reader with an integrated PIN Pad did not exist. Therefore, the only other choices banks had for authenticating their customers (besides username | password) were to upgrade their log-in capabilities with OTPs (one-time passwords) and dongles. OTPs can be and have been intercepted, and dongles can ONLY be used as authenticators. Not anymore. With HomeATM's "low cost" terminals, banks are in a position whereby they could give these things away faster than toasters and prevent themselves and their customers from getting burnt by fraudsters.

The added benefit of HomeATM's device is that it is NOT LIMITED to authentication. Our device also provides Zone 1-4 End-to-End Encryption (for Track 2 data) and full Zone 1-5 E2EE for the PIN during an "online" financial transaction (thereby protecting the cardholder data as well as any $500+ point of sale terminal and $150 PIN Pad). Our device also utilizes existing bank rails, which enables the cardholder to instantly transfer money from any bankcard to any other bankcard. That feature also inherently provides a unique way to pay bills/utilities online.

Apparently, in spite of events like the one reported below becoming more commonplace (see the Commonwealth Bank stories over the past week), some banks think they are immune. Unless they utilize an inoculator (such as our SafeTPIN), I can assure them they're not.

The Hindu Business Line : IBA website hacked

MUMBAI: Indian Banks Associations (IBA) website was hacked this morning, leading to panic among bank customers across the country. The IBA warned the public not to share bank account details to the website as demanded by the hackers.

The IBA website has been compromised and there is a bogus message doing rounds asking people to give their ATM Card details online at the bogus link.

The webpage is a copy of IBA's web home page, a top IBA official said. Translation: A "Cloned" Bank Website.
(Never heard of such a thing? Enter "Cloned Website" in the HomeATM Search Bar on the top left sidebar, or check out "Related Articles" below.)

IBA is the national body of Indian banks and has members from public, private and foreign segments. IBA has deployed a special team to examine the matter and will resolve the issue at the earliest, the official said. - PTI


According to Mercator ACH = Bedrock of AltPay

The ACH Network: The Bedrock of Alternative Payments; New Research Report by Mercator Advisory Group

The ACH Network began as a low volume network transmitting large recurring transactions between well-established entities; however changes in rules and business models have brought about significant changes in the nature and volume of ACH activity.

More than 18 billion ACH payments were made in 2007, representing a 12.6% increase from the total number of transactions generated in 2006. Much of the growth in ACH volume can be attributed to fundamental changes in payment methods used by consumers and businesses with the network transforming into a high volume platform of relatively low-value, non-recurring transactions. These transactions are originated from a rapidly expanding number of merchants, aggregators, corporations, and financial institutions.

Alternative payment providers such as Google Checkout, Bill Me Later and of course PayPal leverage the ACH to provide consumers and merchants with a secure and efficient means of payment and in doing so are experiencing phenomenal growth.

Non-financial institutions have been beating the banking industry to the punch of developing unique and cost efficient payment solutions, especially in the e-commerce space. Ironically, alternative payment providers have succeeded using the banking industry’s own infrastructure to capture interchange-like revenues.

However, a new solution has emerged from the National Automated Clearing House Association (NACHA) that could level the playing field for banks to compete against alternative payment providers and push the ACH network in a new direction. NACHA’s recently released Secure Vault Payments (SVP), an e-commerce payment solution not only enables customers to move payments from their direct deposit accounts to merchants and service providers, but transactions occur with real-time authentication and authorization from the consumer’s bank Web site. The push method ensures merchants and service providers that payments are being made with “good funds” thus reducing concerns about fraud, chargebacks, and non-sufficient funds.

Although signature debit and credit card usage online has yet to be hugely impacted by alternative payment solutions, in many cases, non-traditional payment providers offer significantly enhanced value propositions including discounts, sales and loyalty tools, and the ability for merchants to cross sell on non-competitive merchant Web sites. These value added services create significant competitive pressures for traditional payment types and are giving alternative payment methods solid traction.

Brent Watters, Senior Analyst of Mercator Advisory Group’s Prepaid Advisory Service and principal analyst on the report, comments, “As alternative payment methods continue to evolve and more players step into the space, the use of traditional payment cards for online transactions will continue to decrease. It is foreseeable that merchants will increasingly promote alternative payments and consumers will become more accepting of new payment types. Mercator believes that in the next five years (2014) 35% of payments made online will be in the form of alternative payments, including prepaid cards, new forms of credit and programs leveraging the ACH.”

Highlights from this report include:

  • The ACH continues to show solid growth and transaction volume will continue to escalate as more alternative payment schemes leverage the network.
  • The ACH is moving to push versus pull method of payment thus creating direct competition for EFT networks that have been eager to develop a PIN-less debit solution for online transactions.
  • The ACH’s eCheck services continue to fuel the networks’ transaction volume and penetrate markets currently targeted by debit and credit cards.
  • NACHA’s Secure Vault Payment (SVP) creates an opportunity for banks to compete in online alternative payments.
  • Within the next five years (2014), 35% of payments made online will come in the form of alternative payments, including prepaid cards, new forms of credit and programs leveraging the ACH.
Members of Mercator Advisory Group have access to this report as well as the upcoming research for the year ahead, presentations, analyst access and other membership benefits.  Please visit us online at http://www.mercatoradvisorygroup.com/.

For more information  send email to info @ mercatoradvisorygroup.com. Author Information: ROBERT MISASI     Mercator Advisory Group

7-Eleven Takes Lead Role in Credit Card Fee Fight

7-Eleven leads fight against what it calls excessive credit card fees | News for Dallas, Texas | Dallas Morning News | Dallas Business News
By MARIA HALKIAS / The Dallas Morning News

7-Eleven Inc. is using its 6,300 U.S. stores to send a message to Washington and the credit card industry.

Starting this week, the Dallas-based convenience store operator hopes to solicit 1 million signatures on petitions calling for Congress to change what the chain says are unfair and excessive credit card transaction fees.

Credit card companies charge retailers a fee for every transaction. The size of the purchase doesn't matter. And retailers have no power to negotiate the fees, they say.

For convenience stores alone, the fees totaled $8.4 billion last year, up 10.5 percent from 2007. That's more than the $5.2 billion the industry made in profit, the National Association of Convenience Stores says.

7-Eleven, which alone paid $160 million to credit card companies last year, is leading the lobbying effort, working with the association, which represents 146,000 stores nationwide. The efforts come as the sweeping credit card rules that Congress passed go into effect in February prohibiting certain fees on consumers.

Petitions are prominently displayed at 7-Eleven checkout counters.

Continue Reading at The Dallas Morning Herald


PayPal Opens Platform to 3rd Party Developers

From Finextra:

PayPal woos third party developers with Adaptive Payments

PayPal is set to open up its platform to third party developers in a move the firm says will make it easier for them to make money from their ideas.

The new application programming interface (API), called Adaptive Payments, will give developers more flexibility in building apps that move money between PayPal accounts.

The API allows straight payments from customers to the PayPal accounts of receivers such as owners of Web sites or widgets on social networking sites.

It also means developers can build applications for "parallel payments", enabling a sender to make a payment to multiple receivers.

PayPal says this means users can set up a shopping cart that enables buyers to pay for items from several merchants with one payment. The cart would allocate the payment to merchants who actually provided the items.

In addition, "chained payments" will enable a sender to make a single payment to a "primary receiver", who can then keep a part of it and send the rest to "secondary receivers".

The firm says this could be used by companies such as online travel agencies which handle bookings for airfares, hotel reservations and car rentals. The primary receiver allocates their commission with the secondary receivers then getting their share of the payment.

The new API is similar to Amazon's Flexible Payments Service, which was launched in beta in 2007 as part of the e-commerce giant's attempt to muscle in on PayPal's territory.

However, in a blog post responding to TechCrunch, which broke the story, Osama Bedier, VP, platform and emerging technology, PayPal, insists Adaptive Payments is "not an effort to 'crush Amazon's fledgling payment service'".

Security in a Post-Heartland World

Understanding How PCI-Compliant Companies Can Be Breached: Security in a Post-Heartland World

Dublin - Research and Markets has announced the addition of Javelin Strategy & Research's new report "Understanding How PCI-Compliant Companies Can Be Breached: Security in a Post-Heartland World" to their offering.

The Payment Card Industry Data Security Standard (PCI DSS) raises the high water mark for data security. But there's a persistent myth that PCI compliance equals security. The reality is that PCI is only a baseline, and one that needs to be monitored constantly as the threat landscape changes. In the months following what may be the largest data breach in U.S. history at Heartland Payment Systems, many people are wondering if PCI is effective. In response, the PCI Security Standards Council has released new guidance around risk-based compliance and Qualified Security Assessor (QSA) reviews and remediation. But will these be enough to calm the concerns that merchants have with PCI? This report includes an update of PCI, an overview of emerging technologies, and lessons learned from the Heartland breach. Hashing, tokenization, end-to-end encryption, and Chip and PIN are covered in depth.

Primary Questions

  • Does PCI compliance equal security?
  • Which are the most common requirements not met by previously PCI-certified firms?
  • What has been learned about the Heartland breach?
  • How can merchants store PAN data without violating PCI?
  • What are the emerging technologies that can help merchants take PAN data out of scope for PCI compliance?

Methodology

This report is based on data collected online from a random-sample panel of 2,339 respondents in September 2008. The survey targeted respondents based on representative proportions of gender, age and income compared to the overall U.S. online population. Overall margin of sampling error is 2.03% at the 95% confidence level, for 2008. The report was also based on interviews with executives from the PCI Council, Heartland, and eight security vendors.

Companies Mentioned

  • Merchant Bank
  • PCI Security Standards Council
  • Trustware
  • Merrick Bank
  • Princeton Payments Solutions
  • U.S. Department of Veterans Affairs
  • Micheals
  • Qualys
  • Veracode
  • National Retail Association
  • RBS WorldPay
  • VeriSign
  • NT Objectives
  • Securosis
  • Verizon
  • nuBridges
  • Shift4
  • Visa
  • Ounce Labs
  • T-Mobile
  • WhiteHat Security
  • Payments Software Company
  • The Cadence Group
  • Paymetrics
  • TJX

For more information visit http://www.researchandmarkets.com/research/3113c7/understanding_how


Microsoft Video-ActiveX Trojan Discovered

Hackers using Active X flaw for remote code execution - Computer Business Review : News

By Kevin White

Security researchers warn on Video ActiveX Control vulnerability

Potential cybercriminals have been found to be inserting a data-stealing Trojan onto PCs left vulnerable by a flaw in the Microsoft Video ActiveX Control, security experts have warned today.

The discovery, which was made yesterday by researchers in China and since confirmed by several authoritative security software vendors, enables remote code execution on targeted machines.

Finjan CTO Yuval Ben-Itzhak told us, “It stands as a zero-day attack until a patch is issued or a workaround is made, and it basically means that a hacker could take control of a remote PC by someone visiting a compromised web site.”

Some popular European music download and gaming sites are among those he said had already been compromised. “It is low volume at present, but we expect to see it increase in the coming weeks,” he said.

(Editor's Note:  Low in volume?  Was that a pun considering it's music downloads that put users at risk?)

Continue Reading at CBR


Indian E-Commerce Changes Card Verification Norms

Indian E-Commerce Braces For Changes In Credit Card Verification Norms | MediaNama
By Nikhil Pahwa ⋅ July 6, 2009

The e-commerce industry in India needs to brace for the coming of a lull in transactions, which owes its origin to a notification from the Reserve Bank of India.

According to the notification, in order to enhance the security of online card transactions, it will become mandatory from August 1st 2009 onwards, to provide:

1. A system of providing for additional authentication/validation based on information not visible on the cards for all on-line card not present transactions except IVR transactions. (Editor's Note: How about making the "card present" by swiping the magnetic stripe and encrypting it through Zones 1-4, then entering the PIN and encrypting it through Zones 1-5?)

2. A system of “Online Alerts” to the cardholder for all “card not present” transactions of the value of Rs. 5,000/ and above. 


Travel Portal Cleartrip recently set up a page to help its users register at various bank sites for Verified by Visa and Mastercard Secure verification norms which banks in India are adopting in order to comply with point 1 mentioned above.

Hrush Bhatt, co-founder, Cleartrip, told MediaNama that for completing transactions, merchants will have to re-direct consumers to bank sites, which will require the additional password for verification of payment. For methods that involve redirection, payment failures are around 10 times more.

Bhatt said that though the RBI circular is correct in spirit, the manner in which this is being implemented is going to cause disruption for customers and merchants. Cleartrip is gearing up for at least a 2-3 week disruption, “when people won’t know what this stuff is. Hopefully, after that people will enroll.” ICICI Bank is planning to mandate usage of these additional passwords on July 20th, while the rest are expected to switch between July 20th and August 1st, except American Express. “AmEx already has billing address verification in their API,” he said.

Bhatt added that this also puts Indian online companies at a disadvantage to international ones, because “International companies do not have this extra hoop to jump through. Any (Indian) company that wants to serve an international audience is also at a disadvantage.” This is because international customers will not be able to use sites from Indian merchants unless they have the additional password.

Alternatives & Why Banks Went For Additional Passwords

“Last date we heard, less than 8% of the world is enrolled in any of these programs,” Bhatt said, referring to Verified by Visa and Mastercard Secure. “In the US, merchants are provided with a variety of fraud control measures like billing address verification, date of birth verification; obviously, the banks have this information.” Bhatt said that the biggest processors of transactions online - Amazon and iTunes - do not support the additional password.

“There could be other ways, but the banks have chosen to go with the method that involved the least amount of work for them.

The existing gateways and the APIs don’t process these fields right now, so they will have to reverse integrate with wherever that information sits in their system to ensure that an additional field is provided to the gateways.”

Editor's Note:  Why mess with all that when it doesn't solve the problem anyway?  Additional passwords are not needed.  Encrypted True 2FA is needed.  If anyone can tell me a better way to authenticate the user than swiping their own card in the safety of their own home, followed by entering their PIN, (besides using EMV and entering PIN) and transmitting the encrypted data safely with a derived unique key per transaction (DUKPT) I'd love to hear about it.  In my opinion, redirecting will only create another link in the chain and another way for fraudsters to find the Gap in that system.

Impact On WAP?

Bhatt wonders how this will work on WAP, because this additional layer of security involves a redirection to the bank sites: Do mobile browsers support those redirects?


Chip and PIN for ATMs

Fraud, like water, finds the path of least resistance. As more and more countries migrate to Chip and PIN, more and more criminals migrate to the web, where security is somewhere between lax and non-existent. This article talks about the fact that countries that have initiated Chip and PIN must do so across the board, including ATMs. For the record, HomeATM's PCI 2.0 Certified PIN Entry Device is EMV (Chip and PIN) ready...

Chip and PIN cards wasted by Australian banks
Bank delays exposing Aussies to credit card fraud
Marissa Calligeros
July 7, 2009 - 2:05PM

New security-enhanced credit cards fitted with anti-skimming microchips are useless in the fight against credit card fraud because Australia's banks have been too slow to introduce ATMs and EFTPOS machines capable of reading them, experts say.

Former cybercrime consultant to Britain's MI5 security intelligence service Fraser Smith said banks were lulling consumers into a false sense of security with the introduction of chip and PIN enabled credit cards because the technology to make them fully effective - while available - had not been fully rolled out.

Chip and PIN cards are designed to reduce the risk of card skimming and require a "PIN pad" terminal, or a modified swipe-card reader, which accesses the security chip on the card.  While several thousand of the new machines are believed to be in circulation already, the Australian Banking Association says it could be up to two years before the majority of ATMs and EFTPOS machines in Australia are upgraded to include the chip readers.

Queensland fraud investigators fear the lag is exposing already vulnerable bank customers even further.  "It is a mistake," Mr Smith said of the delay, at a meeting of the Asia/Pacific Group on Money Laundering in Brisbane today.  "If you're going to go (with chip and PIN) go the whole way."

Chip and PIN technology was introduced across-the-board in the UK in 2006, but Australia, like Canada and the United States, still relies on magnetic strip technology, whereby credit cards are swiped through ATM and EFTPOS machines.

Queensland Detective Superintendent Brian Hay of the Fraud and Corporate Crime Group said Australians were becoming increasingly vulnerable to international banking scams as a result. 

"Whilst we still rely upon magnetic strip data and the rest of the world migrates to chip and PIN, it's going to become a bigger problem here," he said.

"It's like fish in a pond... as that pond dries up those fish are going to become more concentrated. In Australia we are going to have a higher concentration of cyber-based criminals around the world migrating to Australia to exploit our vulnerabilities. We will not be fully secure until all our point of sale terminals are chip compliant."

Continue Reading at the Brisbane Times
