Friday, November 20, 2009

Top Cyber Threats of 2009

From Symantec:

Top Internet Security Trends of 2009

•    Malware-Bearing Spam – Spam is usually thought of in the context of annoying, but not necessarily dangerous. However, between September and October 2009, on average, more than two percent of spam email messages had attached malware; this represents a nine-fold increase in the number of spam messages actually containing malware.

•    Social Networking Site Attacks Become Commonplace – 2009 was the year attacks against both social networking sites themselves and the users of those sites became standard practice for criminals. The latter half of 2009 saw attacks utilizing social networking sites increase in both frequency and sophistication. Such sites combine two factors that make for an ideal target for online criminal activity: a massive number of users, and a high level of trust among those users.

•    Rogue Security Software – Symantec has identified 250 distinct misleading applications that pretend to be legitimate security software—quite convincingly so in many instances—but which actually provide little or no protection and can in reality infect a computer with the very malware it purports to protect against. From July 1, 2008, to June 30, 2009, Symantec received reports of 43 million rogue security software installation attempts.

•    Ready-Made Malware – 2009 saw malware become easier than ever to create. This was largely due to the availability of popular user-friendly toolkits, such as Zeus, that enable even novice hackers to create malware and botnets. Many ready-made threats are in reality a conglomeration of components from other, more established malware (for example, Dozer, which contained components from MyDoom and Mytob). This trend has also made malware more disposable, with a threat appearing then disappearing—sometimes within just a 24 hour period.

•    Bot Networks Surge – Bot networks are quickly becoming the foundation of all cyber crime. Symantec has observed that the majority of today’s malware contains a bot command-and-control channel. In 2009, we even saw botnet designers expand their forte by using social networking sites as communication channels.

•    Intra- and Cross-Industry Cooperation to Stamp Out Internet Threats – With the anniversary of the first variant of the Conficker threat upon us, we’re reminded of how the increasing organization and sophistication of cybercrime has led to greater cooperation among security vendors, law enforcement, and Internet service providers. Examples seen in 2009 include the Conficker Working Group (CWG), the FBI’s “Operation Phish Phry” bust, and the Digital Crimes Consortium (which had its inaugural gathering in October).

•    Current Events Leveraged More Than Ever – Valentine's Day, NCAA March Madness, H1N1 Flu, the crash of Air France Flight 447, Serena Williams, balloon boy, and the deaths of Michael Jackson and Patrick Swayze. Each of these events—along with countless others—were used by malware authors and spammers in 2009 to try and lure unsuspecting Internet users into downloading malware, buying products, and falling for scams. We’ve reached a stage where no popular story goes unnoticed, and we can expect more of the same as major world events such as the 2010 FIFA Soccer World Cup and Winter Olympics get nearer.

•    Drive-by-Downloads Lead the Way – The number of attackers secretly infecting Internet surfers by compromising legitimate websites continued to increase. In 2008, Symantec observed a total of 18 million drive-by download infection attempts; however, from just August to October of 2009 alone, Symantec observed 17.4 million.

•    The Return of Spam to Pre-McColo Levels – Symantec saw a 65 percent decrease in total spam messages between the 24 hours prior to the late 2008 McColo shutdown and the 24 hours after, resulting in spam levels dropping to just 69.8 percent of all email. In 2009 however, overall spam volumes returned to an average of 87.4 percent of all email, reaching a maximum of 95 percent of all messages at the end of May.

•    The Rise of Polymorphic Threats – Polymorphism denotes the ability to mutate. Therefore, polymorphic threats are those in which every instance of the malware is slightly different than the one before it. The automated changes in code made to each instance do not alter the malware’s functionality, but virtually render traditional antivirus detection technologies all but useless against them. Symantec has observed polymorphic threats such as Waladac, Virut, and Sality become more common as online criminals seek to expand their repertoire of ways to circumvent conventional antivirus technology.

•    An Increase in Reputation Hijacking – Geocities was a common brand name hijacked by spammers in an attempt to dupe computer users, but with Yahoo’s late October shutdown of the Web hosting service, Symantec has witnessed a vast increase in the number of smaller free Web services, such as URL-shortening sites whose names, and legitimate reputations, are being abused by spammers. This has no doubt been aided by advances in CAPTCHA-breaking technology, which makes it easier for malicious characters to establish multiple disposable accounts and profiles used for spamming. Symantec has even observed that some of these smaller Web services companies’ sites actually shut their own sites down as the only way to stop the spam.

•    Data Breaches Continue – As of October 13, 2009, 403 data breaches have been reported for the year, exposing more than 220 million records, according to the Identity Theft Resource Center. Well-meaning insiders continue to represent the bulk of data loss incidents with 88% of all data loss incidents caused by insiders such as employees and partners, according to The Ponemon Institute. There are rising concerns, however, about malicious data loss. Fifty-nine percent of ex-employees admitted that they took company data when they left their jobs, according to another study by Ponemon. While organizations are increasingly focused on preventing data loss, it’s clear that more needs to be done to prevent sensitive information from leaving an organization.

Verified by Visa Phishing Scam

Webroot reports on fake Verified by Visa phishing scam

20 November 2009

IT security vendor Webroot says that a phishing scam purporting to come from Visa, the international card issuer, is scamming internet users as they start their online shopping for Christmas.

According to a blog posting by Webroot, the phishing scam commences with a phishing email advising the recipient that he or she can now sign up for Verified by Visa, an online authentication system designed to enhance security for online shoppers.

Whilst the Verified by Visa security scheme is legitimate, Webroot noted that the phishing email links to a bogus page that logs your credentials for - presumably - later use by the fraudsters.

"The thing is, you don't have to go to a special web page to sign up for Verified by Visa. You are supposed to be offered the chance to sign up while you're completing your purchase on the participating merchant's web site, as you're entering your billing details", said the blog posting.

"The Visa website spells this out in a simple graphic (though there have been some interesting problems with the way the system works)", it added.

According to Webroot, in the Verified by Visa phishing scam, users are sent to a web page that asks you for the information you gave the card-issuing bank at the time you first signed up for the card.

"That's red flag #1, but it's worth repeating: In a real sign-up form for Verified by Visa, you won't be asked to provide your mother's maiden name, social security number, birthdate, or any other sensitive details that you wouldn't otherwise enter into a web-based order form while shopping online", the blog notes.

The other red flags include the lack of a secure (httbs) connection and the registration of the domain name used by a Google email account.

Faux “Verified By Visa” Phishing Scam Targets Holiday Shoppers

By Andrew Brandt

When you sign up for a credit card — even with one of those pre-approved applications — you still have to provide the bank with your name, address, mother’s maiden name, social security number, and a host of other personally identifiable information. Once the bank issues the card, it shouldn’t ever need to ask you for all of that information again. But a phishing scam making the rounds this week — one that appears to be targeted at holiday shoppers who buy gifts online — aims to fool victims into doing just that.

The scam begins with an email, informing the recipient that they can sign up for Verified by Visa, a real program offered by the eponymous credit card company. The email links to a bogus page (part of which is shown at left) designed to lure an unsuspecting online shopper into the trap. (And this is only one of several scams you should watch for, leading up to Black Friday, Cyber Monday, or whenever it is you decide to go online for deals on that fruit basket for Grandma. Webroot released findings today on additional data-stealing malware, and the larger pool of online shoppers this year which it appears to be targeting.)

Once you register with the (real) Verified by Visa service, participating merchants permit you to enter a password in addition to your card information. In addition to providing the purchaser with an additional layer of safety, the password also gives the merchant some assurance that larger-than-normal transactions (like the ones you make during holiday shopping season) will be approved quickly, without triggering fraud alerts.

The thing is, you don’t have to go to a special Web page to sign up for Verified by Visa. You are supposed to be offered the chance to sign up while you’re completing your purchase on the participating merchant’s Web site, as you’re entering your billing details. The Visa Web site spells this out in a simple graphic (though there have been some interesting problems with the way the system works).

In the phishing scam, you’re sent to a Web page that asks you for, essentially, all the information you gave the card-issuing bank at the time you first signed up for the credit card. That’s Red Flag #1, but it’s worth repeating: In a real sign-up form for Verified by Visa, you won’t be asked to provide your mother’s maiden name, social security number, birthdate, or any other sensitive details that you wouldn’t otherwise enter into a Web-based order form while shopping online.

The page created by the phishing gang responsible for this scam is clearly more professional, slick and clean than most phishing pages. The form’s businesslike appearance serves to reassure the victim that the page really belongs to Visa.

The form data is supposed to be sent over a secure HTTP connection (with an HTTPS prefix before the website’s URL in the browser’s Address Bar), but this one clearly is using a standard HTTP connection, which is Red Flag #2. Sniffing the network lets us see exactly what the page sends to the scammers, like the fake data I entered into the form (shown above right).

Red Flag #3 is not as obvious if you don’t dig into the Website’s records, but really: Do you suppose a company as large as Visa International would register a domain name using a Gmail account, a Canadian mailing address, and (Thanksgiving-related puns aside) a telephone number that uses the international dialing code for Turkey?

Verified by Visa is, potentially, capable of helping reduce fraud and may also prevent criminals from using stolen credit card numbers. Just make sure you’re signing up for the right program, not handing your wallet over to crooks.

ETA Apparently Excited About Turning 20

Estimated Time of Arrival: April

The Electronic Transactions Association will mark its 20th anniversary in 2010, the trade group announced today. While the milestone will be celebrated in a variety of ways throughout the year, the anniversary will be the centerpiece of ETA’s 2010 Annual Meeting & Expo, April 13-15, in Las Vegas, NV.

“ETA has played a very important role in the payments industry over the past twenty years,” noted Carla Balakgie, ETA’s Chief Executive Officer. “We’ll be celebrating that role and honoring those who founded the organization as well as those who have contributed in so many ways during the past two decades. But at the same time, we will be calling attention to the challenges ahead and the opportunity for ETA and its members to drive the industry forward.”

The high-point of the anniversary celebration will come during ETA’s annual meeting, where many special events and activities are being planned to mark the occasion. “ETA’s Annual Meeting & Expo is the perfect place mark ETA’s twentieth year,” Balakgie says. “Everyone, from the industry’s pioneers to today’s leaders, will be on hand, and our goal is to make this the most exciting event we’ve ever organized. Anyone who is now part of ETA, who has been, or would like to get involved, should make plans now to join us in

Las Vegas.”

Additional activities and events related to ETA’s anniversary and to the Annual Meeting & Expo will be unveiled throughout the year, including special content in ETA’s magazine, Transaction Trends, and electronic publications.

Registration for ETA’s Annual Meeting & Expo will open in early December.

About ETA:

The Electronic Transactions Association is an international trade association representing more than 500 companies who offer electronic transaction processing products and services. The ETA Annual Meeting & Expo is the largest gathering of acquiring industry companies in the U.S. each year.

Source: Company press release.

Listen to Webcast of Google Chrome OS Update

Image representing Google as depicted in Crunc...Image via CrunchBase

Who:   Google Inc.


Webcast of Google's update on Google Chrome OS, held at its Mountain View, Calif. headquarters.


Anytime you'd like to click on the link below.



Google to offer an update on Google Chrome OS and provide at the work that has been done thus far, an overview of the technology, and launch plans for next year. Speakers will include Sundar Pichai, Vice President of Product Management and Matthew Papakipos, Engineering Director for Google Chrome OS.

About Google Inc.

Google's innovative search technologies connect millions of people around the world with information every day. Founded in 1998 by Stanford Ph.D. students Larry Page and Sergey Brin, Google today is a top web property in all major global markets. Google's targeted advertising program, which is the largest and fastest growing in the industry, provides businesses of all sizes with measurable results, while enhancing the overall web experience for users. Google is headquartered in Silicon Valley with offices throughout North America, Europe, and Asia. For more information, visit

Google is a trademark of Google Inc. Other trademarks are the property of their respective owners.


Google Inc.

Eitan Bencuya, +1-650-930-3555

Reblog this post [with Zemanta]

China Online Payment Industry Report 2009

ResearchInChina, the vertical portal for Chinese business intelligence, announces the release of a new report - China Online Payment Industry Report, 2009. For more information, please contact: or at 86-10-82600893.

The global economic crisis has impacted on the majority of industries, but China online payment market is growing against the adversity, and has shown rapid growth trend in market scale and number of users. In 2008, the number of users registered 52 million, and in 2009 the figure will exceed 90 million. In 2008, the online payment market valued RMB210 billion, and will reach RMB430 billion in 2009.

With the issuance of Management Measures for Payment and Settlement Organizations, the supervision on online payment industry has been enhanced. The central bank will build up the payment service organization system which is led by the People's Bank, primarily supported by banking financial institutions, and assisted by payment and settlement organizations. The chaos once in payment industry will be controlled and malicious market competition alleviated. Those online payment enterprises in unfavorable operation will be eliminated, only the profit-making enterprises will survive, so the industry concentration will be further strengthened.

The largest third-party online payment platform in China -- Alipay announced the number of its users broke 200 million formally in July 2009, overrunning the giant Paypal to take the first position in online payment industry. As of July 6, 2009, AliPay had boasted of 200 million registered users, with daily trading volume of RMB700 million and daily four million transactions.

With the development of the Internet, particularly the further development of online shopping, the future competition among online payment enterprises will rest with individuation, accuracy and service.

EU Rules on eCommerce are "Counter-Productive"

The EU is in corrective mode on eCommerce after it created a web of burdensome rules in order to inspire more consumer confidence, argues the author of a report examining European rules on online shopping.


At present, the contractual rights of EU consumers are set out in four separate directives on unfair contract terms, sales and guarantees, distance selling and doorstep selling respectively. These date from the 1980s and 1990s, while many EU countries have since adopted stricter rules themselves.

By the European Commission's own admission, this has led to "a patchwork of laws" and "a maze of different rights and practices […] which are as unclear to consumers as they are confusing for business". The EU tabled a merger of these proposals in 2008 called the Consumer Rights Directive. The new directive seeks to simplify this by merging the existing EU consumer rights directives into one set of rules. A clear majority of stakeholders are in favour of increased legal harmonisation and a horizontal legislative instrument on eCommerce, according to the results of a public consultation launched by the Commission.

Patrick van Eecke, a specialist lawyer who was asked by the European Commission to examine laws on cross-border eCommerce, has come to some damning conclusions on EU laws designed to streamline the way cross-border online shopping is done. A recent EU survey on current conditions for both the consumption and sale of online goods across borders concluded Europeans are being turned off the idea by payment difficulties and a lack of trust in online shopping (EurActiv 23/10/09). 60% of online purchases failed in the EU-backed test of 11,000 separate orders on cameras, CDs, books and clothes, the consumer survey showed.


Van Eecke presented some of his findings to industry representatives at a Brussels eCommerce summit on Tuesday (16 November).   Businesses wanting to comply with EU invoicing rules, for example, have to fulfill very specific requirements, one of which is an expensive and tricky electronic signature technology, says the lawyer.  eInvoicing can vary from country to country and gets trickier for cross-border transactions. In Germany, traders face 30 separate security requirements.


Van Eecke, who is also a professor at Antwerp University, criticised the EU's eMoney scheme, which would allow businesses to have their own payment schemes. The scheme would allow customers to have an account with an airline, for example, which can be used to pay for services from other retailers. But the scheme stumbled on a fundamental flaw this year when the original law defined distributors of eMoney exclusively as financial institutions which provide credit. These definitions, which were revised on 16 September, would, for example, prevent airlines from selling flights and effectively turn them into banks, van Eecke argued.

Secondly, businesses complain that the payment technology is expensive. Japan has long outdone the EU in this respect, with over 200 Japanese businesses having implemented eMoney schemes. The success of eMoney in Japan, according to the lawyer, comes from the fact that the country monitored its progress before imposing regulations.


Europe could pioneer new laws on eCommerce but EU legislators have been getting cold feet on making bolder steps, specialist lawyer Patrick van Eecke argues. The Internet's usefulness could be extended to more businesses such as electronic contracts on real estate and family law, he added.

But MEPs should focus on data protection, not the user's perceived entitlements, before drafting new laws on ecommerce, said UK Conservative MEP Malcolm Harbour, who chairs the European Parliament's committee on the internal market and consumer protection, in response to van Eecke's analysis.

Harbour believes that more harmonised rules on eCommerce would arrive "by the backdoor" once businesses feel the competitive pressure from a pending Consumer Rights Directive. The awaited directive would merge four existing proposals and is due to be adopted by the European Council before the end of 2009.

Next steps:

  • December 2009: Council expected to adopt conclusions on Consumer Rights Directive. 

  • 2010: Publication of final study from online commerce roundtable.


Limbo 2 Trojan Bad News for Floating PIN Pads

Accel Exchange recently announced they are launching an Internet PIN Debit platform by Acculynk, for the web.

Here's how it works:

PaySecure™ is simple to use.

Just "
type" in personal details, such as your debit card information at the merchant checkout as you normally would...

card number, expiration date, and security code.

If your debit card can be used with a PIN, the PaySecure™ graphical, scrambling PIN-pad will appear

on your computer screen for the secure and easy entry of your PIN.

Just enter your PIN using your mouse, click "Continue" and your transaction is processed. 

PaySecure™ requires PIN entry by mouse; your PIN cannot be entered by typing the numbers on your keyboard. This security feature is designed to prevent keylogging of your PIN.

Sounds great...there's just one problem.  Who says It won't prevent keylogging of your PIN?

China Online Banking Grows 40% YoY in '09

From JLM

China's online banking transaction volumes are expected to come in between RMB 440 trillion and RMB 450 trillion in 2009, reports National Business Daily quoting China Financial Certification Authority Vice General Manager Wei Hedong on November 19. Nationwide, transaction volume for online banking was RMB 225 trillion in 2007 and RMB 317 trillion in 2008, Wei said.

CFCA said in August that online banking transactions were RMB 300 trillion in 2008 and that online banking accounted for 30% of banks' overall business volume.

Tesco Bank Selects Fisev Platform

Tesco Bank, the UK's largest supermarket bank, has selected Fiserv, Inc. and the Signature bank platform to provide its core banking solution. Tesco Bank plans to extend its financial services business from a collection of successful financial products to that of a full service retail bank offering more choice, innovation and value to customers.

Tesco Bank Selects Fiserv Platform

Brookfield, Wis., November 20, 2009 - Tesco Bank has selected Fiserv, Inc. (NASDAQ: FISV) and the Signature(TM) bank platform to provide its core banking solution. Tesco Bank is developing new products and services and needs to build the systems and infrastructure platforms to help provide these services.

Tesco Bank is the UK's largest supermarket bank, with over six million customers and 28 financial products and services and is in the process of migrating its banking products onto a number of new Tesco Bank platforms. Tesco Bank plans to extend its financial services business from a collection of successful financial products to that of a full service retail bank offering more choice, innovation and value to customers. Tesco Bank selected Fiserv based on its ability to provide an innovative, end-to-end banking solution that is proven in markets around the world. Fiserv is the leading global provider of financial services technology with 16,000 clients worldwide.

The implementation of Fiserv solutions at Tesco Bank will provide the foundation of account information and banking transactions for Tesco Bank customers. Consumers will have the convenience of accessing Tesco Bank from UK call centres, stores, online or ATMs.

John Bower, managing director, Europe, Bank Solutions, Fiserv comments:

"Tesco has a history of bringing innovation to the markets it serves. Fiserv will focus its expertise to help Tesco transform several business processes, creating a best-in-class customer experience in financial services."

About Tesco Bank

- Tesco Bank is the UK's largest supermarket bank. Since our launch in 1997, we have grown to have six million customer accounts across 28 financial products and services.

- Our principal activities are: general insurance - motor, home, pet and travel; credit cards and personal loans; personal savings; Tesco Compare and a network of cash machines (ATMs).

- We sell our products through multiple channels including in-store, by telephone and online.

- Tesco Bank is fully-owned by Tesco plc.

- Tesco Bank is the trading name of Tesco Personal Finance plc, Registered in Scotland No. 173199.

- Registered Address: Interpoint Building, 22 Haymarket Yards, Edinburgh, EH12 5BH

About Fiserv

Fiserv, Inc. (NASDAQ: FISV) is the leading global provider of information management and electronic commerce systems for the financial services industry, driving innovation that transforms experiences for financial institutions and their customers. Ranked No. 1 on the FinTech 100 survey of top technology partners to the financial services industry, Fiserv celebrates its 25th year in 2009. For more information, visit

#   #   #

Reblog this post [with Zemanta]

Disqus for ePayment News