Friday, October 2, 2009

Closing Out Online Banking Security is Weak Week...with a Bang

Closing out our week's series, "Online Banking Security is Weak Week," I am providing an online banking log-in example. But first:

UPDATED: Breaking News: from SC Magazine: A PERFECT way to end the weak! (sic)

Opinion: Take no chances with card security > E-Commerce Security ...

Card companies should be re-investigating secure alternatives, such as PC-based {Chip and} PIN Terminals, where customers securely authorize transactions using their own computers, similar to... ("exactly like" HomeATM's Slim.)

Remember: "Please enter" translates into "Please type." For the record, I am not picking on either bank exemplified below; ALL banks have weak authentication. I only chose Fifth Third because of the Bank Technology News article entitled "Is the Genie Out?"

Internet Banking Log In

Here's what you will need to log in to our Internet Banking and Bill Payment system:

A Fifth Third Bank account with Jeanie® Card access. To access your accounts, please use your card number or Social Security number as your ID and your associated PIN (Personal Identification Number) as your password.

To learn about Fifth Third's easy-to-use Internet Banking system, please view our online demo.

Enter your ID: (Please use your Jeanie Card number as your ID.) Forgot your ID?

Enter your password: (Please enter your ATM PIN or Internet Banking password.) Forgot your password?

Then there are the thousands of banks that ask for simple "username/password" authentication. (Now that I think about it, as bad as that is, it's better than "entering", i.e. TYPING, your ATM PIN or Social Security number into a box.) In this particular example, from Wells Fargo's Online Banking site, they do have a link explaining how to "Improve your Online Safety Skills."

Of course, online banking Trojans such as URLZone, Zeus or Clampi do not really care how skilled you are... heck, they really don't even care whether you have the most up-to-date anti-malware programs installed on your computer.

I could go on and on about how online banking security is weak, but if the Genie is out, and if username and password authentication is useless, and if online banking Trojans are proliferating like bunnies, and if consumers are suing banks over stolen online banking log-in credentials, and if analysts are saying:

"Multi-factor authentication, as defined under the FFIEC, isn't sufficient to meet the environment in" (Tom Wills, Javelin Research)

Then again, I don't think it takes a rocket scientist to figure out that not only Houston, but all of us, have a problem.

You'll hear the SSL and EV SSL arguments, but they are moot points. There are ways around them: SSL protects the data in transit, but a banking Trojan sitting inside the browser reads what you type before it is ever encrypted. Plain and simple: if it's done within the browser, your information is cooked.

"Nothing that goes through the browser can be relied upon." (Avivah Litan, Gartner)

The good news for banks and consumers is that we have a solution available that is ready to go. The timing really couldn't be better for banks. Rather than having to come up with something (like another band-aid) to fight the onslaught of malware (5 million new samples cropped up in July, August and September, and URLZone cropped up October 1st), the engineers at HomeATM foresaw the events that are currently transpiring (the web is not safe for eCommerce), spent the last 7-plus years developing an "outside the net, but inside the box" encryption mechanism, got it patented, and then got the manufacturing cost down to a level where banks could give them away.

But HomeATM wasn't done. They spent 18 months getting it PCI (PED) 2.x certified. Then they got it TG-3 certified. Still not done. They also developed a real-time P2P money transfer that works with ANY bankcard: consumer to consumer, account to account, and even a consumer-to-business (online bill pay) application that works in real time.
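What "outside the net, but inside the box" means in practice is the difference between the Fifth Third form above (type your PIN into a box, and anything in the browser can read it) and a PIN Entry Device: the PIN is turned into an encrypted PIN block inside the device, and only that ciphertext ever reaches the browser. The Go program below is an added example written for this post, not HomeATM's code. It assumes the ISO 9564-1 format-0 PIN block under a double-length Triple-DES key that PCI PED and TG-3 devices commonly use; the page does not say which scheme the Slim implements. The PAN, PIN and key are constructed test values, and a real PED would use a per-transaction key (DUKPT) and never let the clear block leave its tamper-responsive boundary.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Assumed scheme: ISO 9564-1 format-0 PIN block, encrypted with a 16-byte
// (double-length) Triple-DES key. All values below are constructed test data.

func isDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// pinField: control nibble 0, PIN-length nibble, PIN digits, 'F' padding (16 hex digits).
func pinField(pin string) (string, error) {
	if len(pin) < 4 || len(pin) > 12 || !isDigits(pin) {
		return "", errors.New("PIN must be 4 to 12 decimal digits")
	}
	return fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))), nil
}

// panField: four zero nibbles, then the 12 rightmost PAN digits excluding the Luhn check digit.
// Binding the PAN into the block means the same PIN gives a different block on every card.
func panField(pan string) (string, error) {
	if len(pan) < 13 || !isDigits(pan) {
		return "", errors.New("PAN must be at least 13 decimal digits")
	}
	body := pan[:len(pan)-1]
	return "0000" + body[len(body)-12:], nil
}

// ClearPINBlock XORs the PIN and PAN fields into the 8-byte clear PIN block.
func ClearPINBlock(pin, pan string) ([]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	pa, err := panField(pan)
	if err != nil {
		return nil, err
	}
	a, _ := hex.DecodeString(pf)
	b, _ := hex.DecodeString(pa)
	block := make([]byte, 8)
	for i := range block {
		block[i] = a[i] ^ b[i]
	}
	return block, nil
}

// tdes builds a Triple-DES cipher from a 16-byte K1||K2 key (K1 K2 K1 keying option).
func tdes(key []byte) (cipher.Block, error) {
	if len(key) != 16 {
		return nil, errors.New("expected a 16-byte double-length TDES key")
	}
	k := append(append(make([]byte, 0, 24), key...), key[:8]...)
	return des.NewTripleDESCipher(k)
}

// EncryptPINBlock is the PED side: the browser only ever sees this ciphertext.
func EncryptPINBlock(key []byte, pin, pan string) ([]byte, error) {
	clear, err := ClearPINBlock(pin, pan)
	if err != nil {
		return nil, err
	}
	c, err := tdes(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, clear)
	return out, nil
}

// DecryptPIN is the host side: decrypt, strip the PAN, validate the format-0 layout.
func DecryptPIN(key, enc []byte, pan string) (string, error) {
	if len(enc) != 8 {
		return "", errors.New("PIN block must be 8 bytes")
	}
	c, err := tdes(key)
	if err != nil {
		return "", err
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	pa, err := panField(pan)
	if err != nil {
		return "", err
	}
	b, _ := hex.DecodeString(pa)
	for i := range clear {
		clear[i] ^= b[i]
	}
	field := strings.ToUpper(hex.EncodeToString(clear))
	n := int(clear[0] & 0x0F)
	if field[0] != '0' || n < 4 || n > 12 || strings.Trim(field[2+n:], "F") != "" {
		return "", errors.New("not a valid format-0 PIN block (wrong key or wrong PAN?)")
	}
	return field[2 : 2+n], nil
}

func main() {
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed test key
	pan, pin := "4111111111111111", "1234"                          // constructed test values
	clear, _ := ClearPINBlock(pin, pan)
	enc, _ := EncryptPINBlock(key, pin, pan)
	fmt.Printf("typed into a web form: %s\n", pin)
	fmt.Printf("clear format-0 block:  %X\n", clear)
	fmt.Printf("leaves the PED as:     %X\n", enc)
	got, err := DecryptPIN(key, enc, pan)
	fmt.Println("host recovers:", got, err)
	_, err = DecryptPIN(key, enc, "5555555555554444")
	fmt.Println("same block, wrong PAN:", err)
}
```

Two things worth noticing: because the PAN is XORed into the block, a keylogger-captured PIN block cannot be replayed against a different card, and a host that decrypts under the wrong PAN gets garbage padding and rejects the block. Note also what this does not cover: the PIN block protects only the PIN, so the card data itself (PAN and track data) needs its own encryption inside the device if it is not to be exposed to the browser.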

  • How big is that? I invite you to conduct a "real-time bill pay" search on Google. If you throw out the 2 results from one source, there are only 10 (11 now, because I just posted about it).

  • By contrast, conduct a Google search on "Bill Pay" and you get over 2.1 million.

  • Now take it a step further. Google "Online Real-Time Bill Pay" and you will get ZERO results (1 now, because I just posted about it), whereas "online bill pay" gets you 962,000.

Bank of America is running a promotion right now which states they will give you, the online banking customer, $25 (hey, looks like they bumped it to $35 since I posted about it) for using their "online bill pay" feature. You know what that means? It means, by definition, that they can afford to give away the HomeATM Slim (and save $10).

  • Once equipped with our Slim, consumers would have no worries or fears about online banking, because they would be replicating the same procedure used to withdraw cash at an ATM (and there would be no skimmer or hidden-camera threat).

  • Once equipped with our device, the threat of losing a customer to a competing bank (see "49% of Consumers Worldwide Would Switch Banks if Victim of Card Fraud") would be vastly reduced.

  • It would also mean that the chances of acquiring customers from banks with weak (i.e. current) authentication would be vastly enhanced. (I hope I'm not going too fast for you here... good, then I'll continue.)

  • It would enable banking customers to conduct real-time P2P money transfers.

  • It would enable the bank's customers to conduct real-time A2A (account-to-account) and C2B (consumer-to-business) money transfers.

  • It would also mean that customers would be able to conduct a more secure "card present" transaction on the web.

Given that the web is currently a 100% "card not present" environment, that is a tremendously huge breakthrough in the fight against cybercrime. Why? Here are two reasons:

CNP fraud is the driving force behind the dramatic rise in credit and debit card fraud, and it is the leading category of card fraud losses, not only in the UK or China, but in the US as well.

Card Not Present fraud causes MORE than HALF of all card fraud losses in the U.K., yet CNP transactions probably make up less than 10% of all card transactions.

HomeATM's device would eliminate "card not present" fraud by providing customers with a PCI 2.x certified device that enables "card present" transactions to be conducted on the Internet.

Question: What happens when "card not present" transactions are replaced with "card present" ones?

Answer: "Card not present" fraud is eliminated... right?

So what are we waiting for? A 10,000% increase in online banking Trojans? Want more? Take a look at the related articles section below, ALL from THIS week (including, again, the breaking news from SC Magazine quoted above: card companies should be re-investigating secure alternatives such as PC-based Chip and PIN terminals, where customers securely authorize transactions using their own computers).

Shoot me an email and I'll show you how your financial institution can get a leg up on your competitors for less money than you are currently spending on acquisition promotions that do NOTHING to protect either your customer or yourself.

As always, feel free to leave any comments, questions or criticisms in the comment form below. (click the title of this post to bring it up if it is not there.)

Enjoy your weekend!

John B. Frank


$35 Promo to Online Bill Pay at Bank of America

Bank of America Gives Away $25 to Pay Bills Online

A special limited time offer.

Paying Bills online is easy—and so is getting your $25.

With this special offer, it’s the perfect time to start enjoying the ease and convenience of paying bills online. Just enter your information below and click the “Submit” button. Then sign-in to Online Banking, click “Bill Pay” and pay two bills. It’s really that easy.


Bill Pay: it's free. It's secure. It's really that easy.



ComputerWorld: Username/Password Obsolete and Weak

Online Banking Security is Weak Week continues! 

Here's an excerpt from an article in ComputerWorld by Andreas M. Antonopoulos stating that the weakest security solution is the username/password pair. Sounds familiar... where did I hear that before? I know what I've outlined in yellow sounds like I wrote it, but it was all Mr. Antonopoulos!

New secure password rules

By Andreas M. Antonopoulos

September 29, 2009 05:37 PM ET

The vast majority of security systems are still dependent on this weakest of solutions -- the username/ password pair.

In a world with road warriors, ubiquitous network access, keyloggers and trojans, does this approach even make sense? Can we still depend on username/password and if so do the rules above still apply?

I would answer "no" to both questions.

End users behaving badly

Let's face it: password based security was obsolete the moment the first keylogger was built. Between hardware keyloggers, software keyloggers, trojans and shoulder surfing, the whole idea of keeping a "secret word" is ridiculous.

Companies would be well advised to scrap username/password security in favor of (genuine) multi-factor authentication as prices drop and the technologies become easier to use.

Editor's Note: It's "simply a matter of time" before "everybody" realizes usernames and passwords are obsolete.

Thanks ComputerWorld for helping spread the word. 

If we can spread the word as quickly as online banking Trojans are being spread, it won't be long before you'll be able to use a SLIM to authenticate online banking log-in the same way you currently access your cash at an ATM!

Instead of "typing" the 14 to 18 digits of your card number, then the 4-to-6-digit expiration date, followed by the 3-digit CVV code (at least 21 keyloggable keystrokes, and 23 for a typical 16-digit card with an MMYY expiration date), all you have to do is ONE "swipe".

That was Easy!  That was Faster!
That was Secure!  That was "about" Time!

Continue Reading at ComputerWorld


Amex Wants to Swipe Canadian Market Share from Banks

Amex Canada president Denise Pickett
Amex goes on offensive in Canada

U.S. credit card giant plans big effort to swipe customers from big banks north of border

Oct 02, 2009 04:30 AM


American Express Co., eyeing more growth in Canada's multibillion-dollar credit card market, is launching a new advertising campaign this month to poach more business from this country's biggest banks.

The New York-based credit card giant, coping with higher write-offs in its U.S. card business, said Thursday it is banking on Canada and three other international markets – Mexico, the United Kingdom and Australia – to fuel future growth.

"Canada is one of the most important international markets for American Express and I think it is because we've grown as a market," said Denise Pickett, president of American Express Canada.

Despite the onset of the recession, purchase transactions generated by Visa, MasterCard, and American Express cards in Canada increased 9.3 per cent to 2.65 billion in 2008, according to the Nilson Report.  Amex disclosed the details of its marketing plan to reporters just one day after Finance Minister Jim Flaherty said new credit card regulations would take effect next year.

Continue Reading at "The Star"

Visa: Deceptive Campaign Should NOT Fool Members of Congress

Editor's Note: Visa should be careful when they use  "Fool" and "Members of Congress" in the same sentence:-) 

Congressmen can be easily conned (fooled) into most anything and visa-vera.

Take the "gress" work out of Congressman and what do you have left?  I digress...

Visa Inc. has joined MasterCard Worldwide to attack some of the claims that the 7-Eleven convenience chain is making about its recently delivered petition on card interchange.

Members of Congress received the nearly 1.7 million signatures on Sept. 30. The brand said they represented the views of consumers who want Congress to force a cut or cap on credit and debit card interchange.

But Visa claimed that most signed the petition under a mistaken impression of what they were signing.

“Members of Congress and the public should not be fooled by the motives behind the petitions being delivered to Congress by the CEO of 7-Eleven,” the card brand said. “This deceptive campaign is really about some retailers trying to take advantage of the public by having them support legislation that would ultimately shift retailers’ costs of doing business onto consumers in the form of checkout fees, also known as surcharging.”


H.R. 2382 (Interchange Fees) Hearing Scheduled for October 8th...

Interchange Bill Scheduled for House Committee Hearing

Thursday, October 8, 2009, 10:00 a.m., 2128 Rayburn House Office Building. The Full Committee will hold a hearing on: “H.R. 2382, the Credit Card Interchange Fees Act of 2009, and H.R. 3639, the Expedited CARD Reform for Consumers Act of 2009.”


Anatomy of a Debit Card Fraud Group

There has been a LOT of news lately on the staggering number of malware (5 million new ones between July and September) and banking trojans. (Clampi, Zeus and URLZone)

Meanwhile, let's not forget about the potential for fraud caused by low level scammers.

The PIN Payments News Blog has posted a couple of times on the subject of stealing and replacing PIN pads at retail locations, or tampering with the PIN pads so that they capture card information and PINs.

When gas prices jumped to $4 and $5-plus a gallon, online shopping numbers spiked. If people were more aware of the threats posed by these low-level scammers and became fearful of swiping their cards through machines at retail locations, I imagine the same thing would happen. Of course, it's easier to steal your card information when it "isn't swiped", so they would probably want their own HomeATM device to secure the transaction.

One of the side benefits of shopping at home with your very own HomeATM device is the assurance that the device has not been tampered with. In fact, part of the PCI (PED) 2.1 certification process is to make sure the PIN Entry Device is tamper-resistant and tamper-responsive. Therefore, in the unlikely event someone were to break into your home, pass by your big-screen LCD TV and instead try to tamper with your HomeATM (in order to get your credit/debit card numbers), it would immediately shut down.

Unfortunately, MOST PIN Entry Devices in the brick-and-mortar world are NOT PCI 2.x certified, which is why I thought I'd bring you some excerpts from "Anatomy of a Debit Card Fraud Group":

"The three crooks busted in July trying to swipe a PIN pad from a local Boston Pizza were a perfect match for the description of a debit card fraud ring: a small cell from out of province that swooped into town and tried to replace legitimate equipment with a modified version.

Fortunately, a sharp-eyed staff member spotted the guys in action and called police. Police later said the three males were from Quebec, but only one of them was an adult.

Sgt. Tim Kreiter from the RCMP E Division’s Commercial Crimes Units, said debit card fraud rings can range in size from just two or three people who do all the work, to more sophisticated networks that divide the work of stealing PIN pads, doing the technical modifications and using the cloned debit cards to get cash.

Kreiter noted that while they are organized crime rings, debit card fraudsters are not always associated with the traditional crime groups frequently in the news. He has, though, seen some cases where groups have gone so far as to buy a corner store or gas bar in order to run a scam. The appeal of such fraud, he said, is the relatively low risk of getting caught and the fact the reward is usually cash. As well, it’s “attractive to a lot of people who have a criminal bent but are not violent.”

Generally speaking, the groups will have a technician who modifies stolen PIN pads to enable them to capture data from bank cards and their accompanying PIN numbers. The units are then swapped for a similar model at another – or even the same – retailer, and the data collection begins. The necessary parts are available online and the requisite electronics and computer skills are usually passed down in the style of an apprenticeship.

Modifying the PIN pads “really isn’t a particularly difficult skill to learn,” Kreiter said. “It’s usually simply a matter of soldering on a couple of wires.”

The card data is either then transmitted wirelessly or kept on the PIN pad, which is later stolen back by the crooks, who quickly produce cloned cards, withdraw money from ATMs and then hit the road. That’s what makes catching them so difficult.

Read the article in its entirety


MoneyGram and CUNA Partner to Provide Money Transfer and Bill Payment to 7,900 Credit Unions

MoneyGram International and CUNA Strategic Services Partner to Provide Money Transfer and Bill Payment Services to Nearly 8,000 Credit Unions

Strategic services agreement establishes MoneyGram as the preferred provider of money transfer services to credit unions.

MINNEAPOLIS --PIN Payments News Blog--MoneyGram International (NYSE:MGI), a global leader in the payment services industry, announced yesterday an agreement to partner with CUNA Strategic Services (CSS), owned jointly by the Credit Union National Association (CUNA) and the state leagues, to provide 7,900 credit unions simplified access to MoneyGram’s global money transfer and bill payment services. The agreement extends a relationship that started more than 35 years ago when CSS began offering MoneyGram money order services to credit unions.

“Our 35-year relationship with CUNA Strategic Services provides a great framework for MoneyGram to help the 7,900 individual credit unions establish money transfer and walk-in bill payment services for their members,” said Tim Summers, general manager Consumer Products - Americas for MoneyGram International. “Approximately 90 percent of these institutions do not offer the service today and MoneyGram provides a technology solution to easily connect each branch with person-to-person money transfer to more than 190 countries, and direct-to-account services in a growing number of locations including Mexico.”

Consumers are increasingly turning to their local credit unions. Recently the AITE Group, a financial services research organization, issued a report summarizing that 85 percent of credit unions have increased their deposits over the last year and 70 percent have attracted deposits from banks. With new members and increased visits from members, credit unions are working to expand their services.

Wes Millar, senior vice president of CUNA Strategic Services said, “Consumers look to credit unions for trusted, valuable services to meet their financial needs. MoneyGram’s convenient and reliable money transfer service provides a great opportunity for credit unions to immediately fill a gap in their services and attract new members. Last year, more than 6,000 credit unions implemented solutions offered via CUNA Strategic Services’ partnerships. Expanding our relationship with MoneyGram to money transfer and bill payment services provides an instant opportunity for credit unions to enhance their products.”

Under the agreement, the 7,900 credit unions, representing 21,000 individual branches in all 50 states and Puerto Rico, are eligible to implement MoneyGram money transfer and bill payment services. Once implemented, credit unions will be connected to the 180,000 agent locations in more than 190 countries and territories for money transfer services. MoneyGram ExpressPayment services are also available for payments to 2,200 U.S.-billers including mortgage and auto lenders. Many prepaid cards are also conveniently loaded with the MoneyGram ExpressPayment service including RushCard, Visa ReadyLink and Netspend cards.

About MoneyGram International

MoneyGram International offers more control and more choices for people separated from friends and family by distance or those with limited bank relationships to meet their financial needs. A leading global provider of money transfer services, MoneyGram International helps consumers to safely send money around the world with funds arriving at available agent locations in as little as 10 minutes. Its global network is comprised of 180,000 agent locations in more than 190 countries and territories. MoneyGram’s convenient and reliable network includes retailers, international post offices and financial institutions. To learn more about money transfer at an agent location, please visit

About CUNA Strategic Services

CUNA Strategic Services Inc., owned jointly by Credit Union National Association (CUNA) and the state leagues, provides credit unions with access to high quality products, services, and technologies delivered with a competitive advantage made possible through volume pricing and strategic program development. For more information, visit

Canadian Tire Throws Its Customers a Curve

Canadian Tire Financial Services Introduces MasterCard Curve, integrated with Paypass contactless technology.

After visiting their website, it's clear that they are making a pitch towards younger professionals.

Do you really want to throw your target market a Curve?  If so... better make it a hang-er!

AT&T Buys VeriSign's Security Consulting Business

DALLAS, Oct. 1 -- AT&T today announced the acquisition of VeriSign's global security consulting business in a transaction that closed today. Terms of the deal were not disclosed.

VeriSign's Global Security Consulting Services business helps Fortune 500 companies understand corporate security requirements, navigate diverse regulations, identify security vulnerabilities, defend against and respond to attacks, reduce risk and meet business and industry security compliance requirements.

The transaction aligns VeriSign's security consulting experience in comprehensive risk assessment with AT&T's suite of network-based cybersecurity services. AT&T has long been a pioneer in the development of cybersecurity services and capabilities, with AT&T Labs and its cybersecurity organization working closely together to provide industry leading enterprise services and technology. AT&T recognizes that security cannot rest in a single layer of defense - security intelligence must be embedded in all network layers to quickly and easily determine threats to network and application performance and address risks.

As businesses continue to merge multiple forms of content - from voice to video to data -- on to a single communication network, and integrate mobility access to corporate networks, enterprise security becomes more complex. IT research firm IDC estimates the annual enterprise IT security services market in the U.S. is $11.7 billion. Within that market, IDC estimates the U.S. security consulting services market to be $3.6 billion. (1)

"AT&T delivers today's most powerful weapons to help combat cybersecurity attacks. Our network security solutions rely on three key ingredients - a scalable, reliable global IP network, security experts with in-depth, hands-on experience, and the innovation and research of AT&T Labs," said Ron Spears, President and CEO of AT&T Business Solutions.

"The combined capabilities of VeriSign's security consulting business with AT&T's global reach, networking and security portfolio will broaden our consulting and risk analysis expertise, and enable us to more quickly develop and bring to market capabilities to address the evolving security needs of businesses around the world," said Spears.

"Through the sale of the Global Security Consulting business, VeriSign continues toward its divestiture goals while aligning with buyers with complementary strengths," said Mark McLaughlin, president and CEO of VeriSign. "AT&T is a recognized leader who we believe will facilitate a smooth transition for customers and partners while presenting the most promising opportunities for our employees."

The experienced security consulting professionals joining AT&T as part of this transaction have an average of eight years of experience and 95 percent are Certified Information Systems Security Professionals. The team holds more than 55 industry certifications including CISM, ISO 27001.

For more information go to

Source: (1) IDC, "Worldwide and U.S. Security Services 2009 - 2012 Forecast and Analysis: Economic Crisis Impact Update," Doc # 216111, January 2009. Market size shown represents entire U.S. security services spending in 2008

*AT&T products and services are provided or offered by subsidiaries and affiliates of AT&T Inc. under the AT&T brand and not by AT&T Inc.

About AT&T

AT&T Inc. (NYSE: T - News) is a premier communications holding company. Its subsidiaries and affiliates - AT&T operating companies - are the providers of AT&T services in the United States and around the world. With a powerful array of network resources that includes the nation's fastest 3G network, AT&T is a leading provider of wireless, Wi-Fi, high speed Internet and voice services. AT&T offers the best wireless coverage worldwide, offering the most wireless phones that work in the most countries. It also offers advanced TV services under the AT&T U-verse(SM) and AT&T | DIRECTV(SM) brands. The company's suite of IP-based business communications services is one of the most advanced in the world. In domestic markets, AT&T's Yellow Pages and YELLOWPAGES.COM organizations are known for their leadership in directory publishing and advertising sales. In 2009, AT&T again ranked No. 1 in the telecommunications industry on FORTUNE® magazine's list of the World's Most Admired Companies.
