Sunday, August 2, 2009

This is the "Type" of Security That Will Empty Your Bank Account

Excerpts from the Economic Times

By the time you will read this, the new Reserve Bank of India(RBI) norms that enforce (in my opinion, a dangerous) third-factoridentification for all online credit/debit card transactions will bealready applicable. As a cardholder, you will no longer be able to makeonline purchases or payments if you haven’t registered yourself for anadditional security layer with your partner bank. 
TillFriday, all one needed to do to make an unauthorized transaction fromyour card was to steal three security details that included cardnumber, card expiry date and 3-digit or 4-digit card verification value(CVV) number...

...but ifyou think the new security system acts like a guarantee providing forcover against online frauds, then you are treading on wrong turf. 

Editor's Note: Because they are still  instructing you to "type!" your personal information into boxes in a browser.  How dangerous is that?  Well, besides keylogging, just click on the box on the left to enlarge and see what has happened to the state of the malware threat from Janaury to July.  Besides, it's clear from the paragraph below that the purpose of this "added layer of non-security" is to provide a false sense of one and to PIN the fraud liability on the consumer!
This is what bankers have to say on the subject:

1.   If the wrong password is entered as part of this extra authentication, the bank informs e-commerce merchant and if the merchant still goes ahead with the transaction, it becomes merchant’s liability

On the other hand, if the password is correct even if customer disputes the transaction, it is still a customer’s liability.”

(Hmmm...interesting.  It appears that from now on, fraud is now eitherthe merchants liability or the consumers.  Didn't see a scenario whereit was the banks, did you?
)  Stumped? To help you with all such concerns and questions, here’s a ready reckoner on what does the new security layer implies for you as a cardholder. Editor's Note: It's no accident they wrote: "Implies"... (vs. Provides)

“From the cardholders’ perspective, (Editor's Translation: "perception")another layer of protection gives a lot more comfort in terms ofsecurity for the online transactions using credit/debit cards . (reality: another layer of this type of non- protection simply provides another way for hackers to intercept financial data, whether it be via malware (see malware growth chart above right) keylogging, phishing, XSS, etc.

Though it will also mean you may have to go through another step to complete your transaction online (the extra step is only there to determine whether banks hold the merchant or consumer is liable for the fraud) but doing that (from the banks perspective) is always better thanhaving to deal with fraud and face the risk of losing your hard earnedmoney,” says Basant Shroff, associate director, financial services — advisory services, Ernst & Young.

Editor's Note:

This is what I have to say on the subject

This is such Bullcrap!
  Adding another false layer of "bullcrap protection" will "only" provide a bullcrap "false sense of security" 

Adding another bullcrap step which they say will get rid of thebullcrap fraud actually provides hackers with "ANOTHEROPPORTUNITY" to steal your money. 

C'mon people!  Read between thelines on this one.  It's 100% BS..  Let me sift through the stinkhere. 
Consumershave fears about security, so they are cajoled, no scratch that,"fooled" into thinking online shopping is more secure because banksadded another layer of "Emperor's Clothing." 

So, in reality, the only thing they have providedhere is yet another step for hackers to steal passwords under the "false pretense"  of "enhanced security." 

Question:  If it's truly safer, then why have they covered their butt by stating that if the password is correct, (it doesn'tmatter if you dispute the transaction) are liable!   If it was truly secure, then they would assume liabiility! 

Talk about stanky!...openthe windows, turn on the fan, spray some air freshener, scratch that, call in the fumigator!  This is Smoke and Mirrors,  plain and simple.

As per RBI figures, Indian banks lost out on almost Rs 37 crore in 12,959 credit card fraud cases reported last year.

(Editor'snote:  Hence the introduction of a "third new layer" ofauthentication designed to shift bank  liability to merchants andconsumers in a most "shifty" way. 

According to the article, "Some banks,in fact, have gone a step ahead creating the security wall."  (Editor's Note:  Wait til you read this one.  Are you strapped to yourchair?  Because I almost fell out of mine when I read the folowing. 

For instance, while generating 6-digit PIN as an additional security layer at ICICI Bank, you are also asked to type a message, known as personal assurance message. (PAM).

(Editor's Note: Add an S to be beginning of that word and you'll find out how the bad guys will phish your PAM silly) This PAM is known only to you.
  (Editor's Note: Are they joking?  For how long?  Here's for how long.  Until you "type" it into a box somewhere....!)

When you type your credit card number on the merchant’s website, "IT" will take you (what/who will take me?) to the bank’s website to complete the transaction, where you need to "type" in the PIN, explains a ICICI Bank spokesperson.  

Editor's Note:  Thisis beyond bullcrap, it borders on insane.  What's so hard to understand that it's the stupid typing of their passwords, usernames, card numbers, this new "PAM" garbage, etc. that is the root of the problem.  So the NEW system now asks you to type, even more of your information into boxes and double/quadruple your chances of getting hit by fraud.

Another question:  What is this "
IT" that takes me to the bank's website?  It "IT" the web browser?  Is "IT" an API that simply takes you to another website?  There is NO WAY anyone could know whether or not they are being redirected to a legitimate versus a cloned bank website.

This is their idea of the future of ecommerce?  To increase risk by creating more steps which require more typing?

Why is that so hard for supposedly "learned" people to understand that the problem IS the typing?  See "It's the Typing Stupid"

Suppose that after you "type" your credit card number on the merchantswebsite, you are "redirected" to a "cloned bank website?"  Hackers cando this in one of many ways.  And how would you know?  The clonedwebsite looks authentic.   The "https" says it's authentic.  (for those who think that still means anything) Maybe it will display their EV SSL certificate!    Ooops, nevermind.  Those were exposed last week. 

Anyway, once you get to either the bank website, you follow the bank instructions and "type" in your PIN.   Even if you ARE on the "legitimate" website, hackers can steal whatever you type.   If you are on a cloned bank website guess what happens after you "type" your PIN?  Did you say your bankaccount gets emptied.  Correct you are.

Now what?  You have to try and get your money back right?  Well, here's the bad news...according to this article, and Iquote:
"if the password is correct and even if customer disputes the transaction, it is still a customer’s liability.”
  Oh...nowI get it.  They just shifted the responsibility of the loss from the bank onto theconsumer. So, I guess this post is directed at consumers:   "If you expect a secure eCommerce transaction, you won't "type" anythinginto the browser.  It's really not that hard to understand.  Is it?   If it is, take a look at some of the related article below.

How Can HomeATM's Technology Help? 

HomeATM is proud to offer consumers the immediate availability of our PCI 2.x Certified SafeTPIN, a personal credit/debit cardreader that keeps your credit card information and identity completelysafe when you’re banking or shopping online. Simply plug the SafeTPIN into yourcomputer’s USB port, (no software or driverss needed) visit your favorite online banking site and swipe your card and enter your PIN exactly like you would at an ATM.  There is no safer way to log in to your online banking account.  When it comes to shopping, just visit your favorite shopping site, swipe your credit card and the SafeTPIN scrambles and 3DES encrypts the user’s track2 data  before itreaches the user’s computer or Internet providing instant protection from malicious software attacks. 

HomeATM provides complete End to End Encryption (Zones 1-4) for Track2 data. (to the Card Brands) PIN Debit transactions via HomeATM provide 100% "Zone 1 through Zone 5" (including Card Brands) End to End Encryption.

Regarding our PIN Debit transactions...there is not an ePayment method that is safer.  Period.  The ONLY PCI 2.x PIN Entry Device designed for eCommerce in either hemisphere.  With HomeATM's solution, the consumer will NEVER TYPE.  HomeATM has a pending patent on assigning PIN's to credit cards via our PIN MY Card application.    

Reblog this post [with Zemanta]

Disqus for ePayment News