Sunday, November 22, 2009

Hardware Required for PIN Debit - NYCE



NYCE Says PIN Debit Encryption Must Be Hardware Based



I was looking for more e-vidence that a software application for PIN Debit is unsafe and I happened to stumble upon the NYCE.net website which published a white paper called: "PIN Debit Security Awareness."



In it they explain how encryption works.



The most interesting (and striking) piece of e-vidence supporting hardware (HomeATM) vs. a software (whomever) approach were two "key" statements regarding PIN Encryption.



Here they are...



1. "NEVER USE SOFTWARE" followed by another simple statement:





2. "ALWAYS EMPLOY SECURE HARDWARE"





I think those two statements sum it up rather NYCELY!



However, lest there be any ambivalence regarding whether hardware is the way to go, they go on to say:





3. Secure encryption practices also depend on using secure hardware.



Financial institutions must ensure that all PINs and encryption keys never appear in the clear.



This control objective is most often accomplished by using secure hardware (also known as firmware) which masks PIN generation, encryption and decryption from human sight and, more importantly, from disclosure.



You (banks) should review the functionality of your secure hardware by assessing the vendor documentation and by asking your vendor to confirm that their devices meet the ANSI definition of tamper resistance. (Editor's Note: Tamper Resistance is part of the certification process as a PCI 2.0 PIN Entry Device.)








It's NYCE to know they stand "firm" in their belief that Hardware is essential! 



To Read "Best Practices for PIN Encryption" Download the white paper



This paper is intended to help you:

  • Learn about the "dos" and "don'ts," associated with American National Standards Institute (ANSI) standards and NYCE Network Operating Rules, for sound key management procedures and security.

  • Understand your responsibility for safeguarding encryption keys, even if you outsource some tasks to third parties.

  • Anticipate what you might expect from an audit or security review of your encryption key management procedures.

  • Align your encryption key processes with bank regulatory requirements.









More On How SSL (used for online banking security) is Flawed

    1. Critical Flaw in SSL Found, Software Makers Scrambling for Band-Aid ...
      Nov 5, 2009 ... A critical new flaw in SSL, or the Secure Sockets Layer used to protect Web traffic for online banking, shopping, and any other https ...
      pindebit.blogspot.com/2009/.../critical-flaw-in-ssl-found-software.html

    2. More on SSL is SOL (i.e.) Forget about Secure Financial Transactions on the Web using Software ...
      Nov 6, 2009 ... Here's some more on the recently discovered/secretly addressed/accidentally exposed critical flaw in SSL which is what the online banking ...
      pindebit.blogspot.com/2009/.../more-on-ssl-is-sol-ie-forget-about.html








    News results for ssl flaw

      SSL Flaw Could Have Been Used to Hack Twitter - According to Ray, people should realize that "this is a serious bug and people need to patch it." (PC World)

      Security Pro Says New SSL Attack Can Hit Many Sites (PC World)











    1. SSL flaw revealed at Black Hat - The H Security: News and Features
      Jul 30, 2009 ... Moxie Marlinspikes and Dan Kaminsky have presented a significant flaw in the issuing of SSL certificates at the Black Hat conference.
      www.h-online.com/.../SSL-flaw-revealed-at-Black-Hat-742713.html

    2. Major SSL Flaw Find Prompts Protocol Update - DarkReading
      Nov 5, 2009 ... Vendors, IETF, have been working on a fix since last month for a newly discovered vulnerability in the SSL protocol that spans browsers, ...
      www.darkreading.com/security/.../showArticle.jhtml?articleID...cid...

    3. SSL flaw could have been used to hack Twitter
      Nov 16, 2009 ... A flaw in the protocol used to secure communications over the Internet could have been used to hack Twitter accounts, according to an IBM ...
      www.computerworld.com/.../SSL_flaw_could_have_been_used_to_hack_Twitter

    4. Microsoft: SSL flaw is in operating system, not Web browser
      Aug 15, 2002 ... Microsoft said it's working on patches for its Windows operating system after finding that a recently discovered SSL flaw is in the OS, ...
      www.computerworld.com/action/article.do?command...

    5. SSL flaw could have been used to hack Twitter | Topics | Macworld
      A researcher has shown how to hack Twitter using a previously disclosed bug in SSL.
      www.macworld.com/article/143881/2009/11/twitter_sslflaw.html

    6. SSL flaw allows man-in-the-middle attacks - Security
      Nov 6, 2009 ... A vulnerability in the SSL protocol is causing a bit of stir after it was discovered that the flaw would allow an attacker to inject ...
      www.thetechherald.com/.../SSL-flaw-allows-man-in-the-middle-attacks

    7. Major SSL Flaw Was Being Patched in Secret - The cat's out of the ...
      Nov 5, 2009 ... A serious design flaw in the SSL and TLS protocols has been kept secret since its discovery in August. Major technology companies have been ...
      news.softpedia.com/.../Major-SSL-Flaw-Was-Being-Patched-in-Secret-126241.shtml

    8. Security Writer Questions Impact of SSL Flaw | threatpost
      It is a "man-in-the-middle" (MitM) attack in which an attacker can use an SSL feature called "negotiation" to inject bad stuff into an SSL session. ...
      threatpost.com/en.../security-writer-questions-impact-ssl-flaw-111209

    9. SSL Flaw Has Researchers Hustling to Fix | threatpost
      A flaw in the SSL protocol that could affect company networks, hosting environments and key machines has security researchers scrambling. ...
      threatpost.com/en_us/.../ssl-flaw-has-researchers-hustling-fix-110509

    10. Securosis Blog | Major SSL Flaw Discovered
      Nov 5, 2009 ... A major flaw has been found that enables a man-in-the-middle attacks against SSL connections. Several other media outlets are reporting, ...
      securosis.com/blog/major-ssl-flaw-discovered/

    11. SSL flaw fixing shows industry can work together > Other > Patch ...
      Aug 6, 2009 ... SSL flaw fixing shows industry can work together. Related Articles. Serious vulnerability in SSL discovered · Browser SSL warnings shown to ...
      www.securecomputing.net.au/.../152166,ssl-flaw-fixing-shows-industry-can-work-together.aspx

    12. Programming news: Firefox SSL flaw, Rails BugMash event, browser ...
      Aug 3, 2009 ... Get highlights about a critical Firefox SSL flaw, ATL vulnerabilities, ActiveX flaw, Rx (LINQ to Events) in .NET 4, STM.
      blogs.techrepublic.com.com/programming-and-development/?p...

    13. SSL flaw prompts security scramble - V3.co.uk - formerly vnunet.com
      Nov 6, 2009 ... Vendors work to protect against 'man in the middle' flaw.
      www.v3.co.uk/v3/news/2252655/ssl-flaw-prompts-security

    14. Join The Revolution! » SSL Flaw by (Browser) Design?
      SSL Flaw by (Browser) Design? Posted by Eddy Nigg; July 21, 2009. A while ago, the two security “white hats” Alexander Sotirov and Mike Zusman announced ...
      https://blog.startcom.org/?p=200

    15. IBM researcher hacks Twitter using SSL flaw - Techworld.com
      An IBM researcher has shown how to hack Twitter using a previously disclosed bug in SSL. A flaw in the protocol...
      news.techworld.com/.../ibm-researcher-hacks-twitter-using-ssl-flaw/

    16. Experts war over seriousness of SSL flaw :: SearchSecurity.com.au
      Nov 6, 2009 ... The discoverers of a new SSL vulnerability warn it could have dire consequences. But another researcher isn't so sure it's a big threat.
      searchsecurity.techtarget.com.au/.../36853-Experts-war-over-seriousness-of-SSL-flaw

    17. SSL Flaw Could Have Been Used to Hack Twitter - Legit Reviews
      Nov 16, 2009 ... SSL Flaw Could Have Been Used to Hack Twitter. A flaw in the protocol used to secure communications over the Internet could have been used ...
      legitreviews.com/news/6823/

    18. Mozilla aware of SSL flaw in Feb. Advisory issued in August ...
      Mozilla aware of SSL flaw in Feb. Advisory issued in August. By Sean Michael Kerner on August 3, 2009 1:05 PM. ...
      blog.internetnews.com/skerner/.../mozilla-was-aware-of-ssl-flaw.html

    19. SSL Flaw Exposed at Black Hat Conference - Web Hosting Industry ...
      Jul 31, 2009 ... theWHIR.com News: SSL Flaw Exposed at Black Hat Conference. ... vulnerabilities in the issuing process for SSL certificates that could allow ...
      www.thewhir.com/.../073109_SSL_Flaw_Exposed_at_Black_Hat_Conference




















50% of Americans Say Credit Card Interest Rates were Raised in Last Six Months



Fifty percent (50%) of Americans say interest rates on their credit cards have been raised in the past six months, as Congress seeks to limit the ability of banks to raise those rates.



Roughly 51 percent of credit card users say they pay their bill in full each month, avoiding interest payments, according to a Rasmussen Reports national telephone survey.



A majority of Americans, 77 percent, say credit card companies take advantage of consumers with their interest charges.




Among the report’s findings:



• 31 percent say their rates have not been raised and 19 percent were unsure.

• 69 percent say interest rate increases are likely to make them use credit cards less.

• 16 percent of Americans say they are carrying more debt than a year ago; 34 percent say they have less debt and 46 percent have more.



Nearly 50 percent of Americans say credit card companies need more government oversight, the poll found. Since 2001, Rasmussen Reports has tracked and distributed public opinion polling as an electronic company.



To read the full report, go to www.rasmussenreports.com.



In other Rasmussen/credit card news, eighty-three percent (83%) of adults say credit cards tempt people to buy things they cannot afford, according to a new Rasmussen Reports national telephone survey. Only eight percent (8%) disagree with that assessment. Another nine percent (9%) are not sure.
