Friday, June 18, 2010

PCI 2.x Approved PIN Entry Devices - HomeATM SafeTPIN



Approved PIN Transaction Security

Please review the legal conditions and restrictions regarding PCI PTS approval contained in the Payment Card Industry PIN Transaction Security Testing and Approval Program Guide (PDF 2.25 MB).



Last Update: Apr 21st, 2010
4 Vendors, 6 Devices























Each entry lists the PTS identifier, followed by its approval number, version, product type and expiry date.

Hangzhou Sunyard Technology Co Ltd

P80
  Hardware #: HD-D-0x-S-0x
  Firmware #: BIOS-V001
  Application #: USR-V001
  Approval number: 4-40043 | Version: 2.x | Product type: PED | Expiry date: 30 Apr 2017

S180
  Hardware #: HD-V1.01
  Firmware #: BIOS-V1.01
  Application #: USR-V1.00
  Approval number: 4-40047 | Version: 2.x | Product type: PED | Expiry date: 30 Apr 2017

HomeATM

SafeTPIN
  Hardware #: 3.0
  Firmware #: 1.02
  Application #: -
  Approval number: 4-40035 | Version: 2.x | Product type: PED | Expiry date: 30 Apr 2017

Hypercom

L4150 and SKP4150
  Hardware #: 0220xx and 0240xx
  Firmware #: FPE 5.P.0xx, FPE 5.P.1xx and HYCSKP_2.0x
  Application #: -
  Approval number: 4-60028 | Version: 2.x | Product type: PED | Expiry date: 30 Apr 2017

L4150
  Hardware #: 0220xx
  Firmware #: FPE 5.P.0xx, FPE 5.P.1xx
  Application #: -
  Approval number: 4-60028 | Version: 2.x | Product type: PED | Expiry date: 30 Apr 2017

Hypercom

T42xx, M42xx
  Hardware #: 0630xx
  Firmware #: 5.0.x xxxxxxxx
  Application #: -
  Approval number: 4-60036 | Version: 2.x | Product type: PED | Expiry date: 30 Apr 2017







Yet Another Reason Banks Should Call for the Mass Adoption of Peripheral Card Readers for Online Banking




European Banks:  29

American Banks: Zero
During the course of the past year, I have made a huge effort to point out that online banking (the way it is conducted now) is doomed for failure. (see related posts below)  I started with a series I called: "Online Banking is Weak Week."



Bottom line?  Online Banking MUST be done "outside" the browser space.  We've seen the ZeuS, Clampi, URLZone, BlackEnergy2 banking trojans, we've seen lawsuits filed by customers against banks accusing them of lax authentication procedures, we've seen keylogging, man in the middle and man in the browser attacks, we've seen billions of phishing attempts, we've seen the head of the FBI swear off online banking, we've been told we need a "dedicated" machine for online banking.  We've seen Avivah state that nothing in the browser can be trusted, I can go on and on... and I will because...











OTP's (One Time Passwords) will be circumvented by MITB attacks. (and real-time keylogging)
American banks go on and on with their belief they can protect the security of their customers by asking them to type data into boxes in a browser.  (European Banks are trending towards issuing card readers and almost 30 percent (see chart above) of European online banking customers use a card reader)



Either I don't get it or the banks don't.  I'm confident enough to say that if you were to go back through the PIN Debit blog over the past 18 months or so and look at everything I've posted regarding online banking, you will see that I'm not the one who doesn't get it.  (type "online banking security" into the custom search box for proof)








I'm not Nostradamus, but I can tell you this.  Banks would "prophet" from the eradication of "typing" and thus all the problems associated with it.


When Kaspersky Labs calls for the mass adoption of peripheral card readers and suggests that banks could be big drivers of this type of hardware, then banks might want to pay more attention.  On the horizon is a new dilemma for online banking security.  






Avivah Litan, distinguished analyst from Gartner Research points out that banks rely on "flash cookies" to identify legitimate users and that's about to change.  



Again...Why not use a common sense approach to authenticate legitimate users.  Take your "bank issued" card out of your purse/wallet and swipe it through a PCI certified PIN Entry Device designed for online commerce and securely enter your PIN.  What you have (card) and what you know (PIN) is entered into what the bank owns (the peripheral PED card reader)  






Adobe Flash Player Private Browsing May Force Change in Fraud Fight 





A report from Gartner highlights how the reliance on Flash cookies as an authentication mechanism by online banks may need to change with the release of Adobe Flash Player 10.1. Flash Player's "Private Browsing" feature will make it easier to clear Flash cookies, and e-commerce businesses will need to adjust, some say.










Banks Should Be Big Drivers of this kind of hardware.  First they need to admit that they're in a losing battle with hackers and must stop with the band-aid responses to the real threats they face.

When the final version of Adobe Flash Player 10.1 hits desktops later this year, it will bring with it new functionality designed to allow users to automatically clear Flash cookies after a Web session. But while the feature may be lauded in the name of privacy, it may also force online banks to change how they fight fraud.


Flash cookies, also known as LSO (local shared objects), are used by many banks and e-commerce sites to identify legitimate users and block unauthorized or fraudulent access. In a report entitled, "Privacy Collides With Fraud Detection and Crumbles Flash Cookies," Gartner analyst Avivah Litan writes that the practice of using HTTP browser cookies for authentication gained steam roughly three years ago due to guidelines imposed by the Federal Financial Institutions Examination Council.



“Most banks responded by implementing stronger authentication that depended in large part on knowing that their online banking customer was logging in from a known PC,” Litan wrote.


“Upon entering a user ID to log into an online banking session, the bank Web server would check for the presence of this cookie…If the bank software could not find the cookie – for example because the user was logging in from a different PC – then the bank software would generally challenge the user with a series of questions that only the legitimate user could presumably answer.”


But a growing desire for privacy led users to delete their browser cookies more often, meaning banks had to find something else to rely on, the report noted. Enter Flash LSOs, which are “basically hidden from casual users who aren’t aware of them and don’t know how to delete them.”


Now that approach could be threatened as well, Litan told eWEEK...<<read more>>
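
The device-recognition check Litan describes, as an added example (not code from Gartner, eWEEK or any bank): the server issues an HMAC-signed device token, challenges the user when it is missing or invalid, and a small simulation shows what happens once client storage is cleared after every session. `SERVER_KEY`, the `device_token` name and the 90-day lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed values for illustration: a per-deployment secret and a 90-day lifetime.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 90 * 24 * 3600


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_device_token(user_id: str, now=None) -> str:
    """Create the value stored on the customer's PC (browser cookie or Flash LSO)."""
    issued = int(time.time() if now is None else now)
    payload = f"{user_id}|{secrets.token_hex(16)}|{issued}"
    return f"{payload}|{_mac(payload)}"


def verify_device_token(user_id: str, token: str, now=None) -> bool:
    """True only for an untampered, unexpired token issued to this user."""
    parts = token.split("|")
    if len(parts) != 4:          # malformed (also rejects user ids containing "|")
        return False
    owner, device_id, issued, mac = parts
    if not hmac.compare_digest(mac, _mac(f"{owner}|{device_id}|{issued}")):
        return False             # forged or modified on the client
    if owner != user_id:
        return False             # token copied from another account
    current = int(time.time() if now is None else now)
    return 0 <= current - int(issued) <= TOKEN_TTL


def login_decision(user_id: str, client_storage: dict, now=None) -> str:
    """'allow' for a recognised PC, otherwise 'challenge' (security questions)."""
    token = client_storage.get("device_token")
    if token is None or not verify_device_token(user_id, token, now):
        return "challenge"
    return "allow"


def simulate_logins(user_id: str, sessions: int, clears_storage: bool) -> list:
    """One login per day; the user is assumed to pass every challenge,
    after which the server registers the PC again."""
    storage, decisions = {}, []
    for day in range(sessions):
        now = day * 86400
        decision = login_decision(user_id, storage, now)
        decisions.append(decision)
        if decision == "challenge":
            storage["device_token"] = issue_device_token(user_id, now)
        if clears_storage:       # storage wiped when the session ends
            storage.clear()
    return decisions


if __name__ == "__main__":
    print("storage kept:   ", simulate_logins("alice", 5, clears_storage=False))
    print("storage cleared:", simulate_logins("alice", 5, clears_storage=True))
```

With storage cleared at the end of each session, every login falls back to the challenge questions, so the "known PC" signal no longer separates the legitimate customer from anyone else.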

Man-in-the-Browser (MITB) Attacks Targeting Online Banks

Understanding Man-in-the-Browser Attacks Targeting Online Banks - eWeek










A PCI 2.1 PIN Entry Device and peripheral card reader such as the one manufactured by HomeATM would eliminate the threats caused by phishing (nothing to phish phor) and since the authentication is done "outside the browser" a "MITB" threat would also be mitigated...

Malware integrating itself into a victim's Web browser is nothing new. Increasingly however, these man-in-the-browser attacks are being used to successfully bypass authentication mechanisms used by online banking sites, according to a security researcher.  

(Editor's Note:  Kaspersky Labs has called for the mass adoption of peripheral card readers for ALL internet banking users and HomeATM has the ONLY PCI 2.1 Certified Peripheral PIN Entry Device/card reader designed for eCommerce.)  
Jason Milletary, technical director for malware analysis at SecureWorks, explained banking Trojans like ZeuS, Gozi and SpyEye utilize man-in-the-browser (MITB) techniques to provide cyber-criminals with additional information needed to conduct financial fraud, such as the victim's Web browsing activity and data.
"These types of threats have been technically established for several years," he said.



"The concern is how these types of attacks are potentially being used to attempt to bypass more advanced authentication mechanisms being implemented by online banking sites."




Editor's Note 2:  No matter how "supposedly" advanced an authentication mechanism is, if online banking continues to be conducted "inside the browser" it will be eventually defeated by MITB attacks.  Online banking authentication, and for that matter, ALL financial transactions, MUST be conducted OUTSIDE the browser.



Also see:  Banking's Big Dilemma: How to Stop Cyberheists via Customers PC's





By Ellen Messmer
In online banking and payments, customers' PCs have become the Achilles' heel of the financial industry as cyber-crooks remotely take control of the computers to make unauthorized funds transfers, often to faraway places.

Featured Post: Banking's BIG Dilemma: How to Stop Cyberheists via Customer PCs

There's a great article today on Network World written by Ellen Messmer. Here's a sampling and my thoughts about the article (which I shared with Ms. Messmer)



Providing online bank customers with security software an imperfect cybercrime antidote

By Ellen Messmer, Network World  



In online banking and payments, customers' PCs have become the Achilles' heel of the financial industry as cyber-crooks remotely take control of the computers to make unauthorized funds transfers, often to faraway places. The dilemma for banks boils down to this:



How far can they go to help protect customer desktops that function like part of their shared network but aren't owned by the bank?



MY Answer: How about they provide something that IS owned by the bank (and uses existing bank rails) i.e.: Issue bank-owned PCI Certified PEDs...so they have a dedicated machine for online banking.



Banks are faced with the prospect that "customers own PCs that have been in the hands of Russian crime syndicates," says Jeff Theiler, senior vice president at Hancock Bank, which primarily operates along the Gulf Coast region. Like many other banks, Hancock finds itself getting more involved in helping customers defend their machines. <<read more>>



Editor's Note: Here's my response to Ellen's story (which was picked up by BusinessWeek today)...



Good morning Ellen: I enjoyed your article today on Network World and thought you might be interested in hearing that there is indeed a simple solution to the online banking problem to which you refer, specifically:  "The dilemma for banks boils down to this: How far can they go to help protect customer desktops that function like part of their shared network but aren't owned by the bank?"





Question: If you are 2000 miles from your bank, at 2:00 AM and need $200.00 what process is trusted to authenticate you and disperse the $200?

Answer: You insert/swipe your "bank issued card" then enter your "bank issued PIN" into a "bank owned ATM" and voilà. In seconds, you get your $200. That same trusted process is what should be used to authenticate online banking sessions.





Did you know that in Europe, almost 30% of consumers use a card reader for online banking? (see graphic above) In America that number is ZERO.





Cost? WAY Less than what banks are already dishing out for "useless" giveaways. (When I say "useless" I am simply implying that the promotions they run don't "solve the problem.") The purpose of these giveaways is to attract customers. Well guess what? The purpose of "typing" is to provide online banking credential "giveaways" to the hackers, keyloggers and/or phishermen.





Consumers are already clamoring for a more secure online banking login process and they would "flock" towards the most secure online banking site in America, which is what a bank that deploys PCI Certified PED's to their online banking customers would become. Do you doubt me? Ask your friends. Would they rather type their online banking credentials into a box in a browser or swipe their card and enter their PIN?





Our device plugs into the USB port or smartphone and encrypts the cardholder data (including the Track 2 data) at the maghead using 3DES encryption. It then DUKPT encrypts the PIN for the only genuine end-to-end encryption.





The most important thing our device does is it "eliminates" typing "login" data into a box in a browser. That's the inherent problem. That's why (as you mention in your article) the Russian's get/got control of the PC's. (malware/phishing) Our PED eliminates the usage of inadequate and way obsolete "username/password" login...thus it eliminates phishing.





What do phishers phish phor? "Online Banking Credentials" AND "credit/debit card numbers." How do they get them? They fool people into thinking they are "typing" their card numbers/online banking authentication into a legitimate site when in fact it is not. That problem would be "eradicated" with our device.





Thus if all a bank's customers securely login by doing what they do at an ATM, swipe their bank issued card, enter their bank issued PIN and do it on a bank issued PCI certified PIN Entry Device the problem created by "typing" would be eliminated by "swiping." I'd be happy to provide further insight as to why this is a "no-brainer" for banks to deploy.





Kaspersky Labs (which provides software security) knows that hardware is required as their recent proclamation calling for "mass adoption of card readers" professes. Software helps but at the end of the day it is simply a band-aid.





The internet was NOT designed to conduct financial transactions. It's called a "browser" for a reason and between malware, keylogging and phishing, the only solution to the problem is to replicate what we do at ATM's and/or brick and mortar retailers. Swipe vs. Type. As I like to say on the company blog: "If someone is going to "Swipe" your card information online, shouldn't it be you?"





Question: Why would banks want to fork out $18 to give their customer a PCI Certified PED?

Answer: Well besides the obvious (they would save the millions of dollars lost to phishing) online banking is destined to fail. Most everyone is aware that fraud is running at epidemic levels and that what banks report is only a fraction of the real losses. (see graphic on right)





Other benefits: In addition to providing "True Two-Factor Authentication" (and NO, a username and password is NOT really 2FA) our device also completely eliminates the threats and fraud losses/costs created by typing...AND there is a return on investment in the form of Interchange revenue every time the device is used for online shopping or P2P payments.




BlackEnergy 2 - Next Generation Trojan Plunders East European Bank Accounts




It's the Typing
From Help Net Security



Russian and Ukrainian banks have been lately trying to stop the onslaught of BlackEnergy 2, a Trojan that manages to bypass the Java application that the customers use to authenticate themselves when accessing their accounts, steals the credentials, and then proceeds to bombard the same application with data until it crashes - diverting the bank's attention from the heist in progress.
According to Joe Stewart, a researcher with Secure Works, the people behind these attacks are Eastern European criminal gangs. The attacks started in late 2009, and they are still being carried out. The exclusive targets are banks (and customers) from Russia and Ukraine.  The Register reports that Stewart analyzed the Trojan and has presented his findings at the Forum of Incident Response and Security Team (FIRST) being held this week in Miami. He claims that the Trojan has been modeled upon BlackEnergy, the DDoS Trojan (mis)used in the Russian/Georgian conflict in 2008.







Online Banking in Singapore 2010

Author: Bharat Book Bureau



Online Banking in Singapore 2010



 The Singaporean online banking market is among the most advanced in the world, with a high proportion of the population using the online channel. However, there remain several issues for online banking providers. Singaporeans show a high level of security concern and are hesitant to apply for financial products online. ( http://www.bharatbook.com/detail.asp?id=141522&rt=Online-Banking-in-Singapore-2010.html )



 Scope



 * Includes a comprehensive overview of the Singaporean online banking market.

 * Provides online banking customer numbers, forecasts and market share of top competitors.

 * Discusses security issues and two-factor authentication.

 * Based on a global consumer survey covering 9,000 respondents.



 Highlights



 Consumer trepidation about buying more complex financial products online exists in all countries, not just Singapore, but there is data to suggest that the aversion toward online applications is stronger in Singapore than in comparable countries, especially when it comes to loan products.



 Security concerns still constitute a potent barrier for online banking customers, and with new threats as well as solutions for two-factor authentication emerging, providers need to constantly reassess their security solutions and communications with users.



 The number of online banking customers is forecasted to increase over the next three years, although growth in the market is gradually slowing down as it becomes more saturated. As an example, customer numbers grew by 49% between 2004 and 2005, but grew by less than 6% between 2009 and 2010.



 Reasons to Purchase



 * Improve your strategic position using in-depth analysis of the Singaporean online banking market.

 * Understand the unique challenges the online banking market is facing, and benefit from forecasts of future product trends.

 * Plan for the future by learning from one of the most innovative financial markets in the world.



 To know more and to buy a copy of your report feel free to visit : http://www.bharatbook.com/detail.asp?id=141522&rt=Online-Banking-in-Singapore-2010.html   

 Related Reports



 Security in Online Banking Strategic Focus

 http://www.bharatbook.com/detail.asp?id=103359&rt=Security-in-Online-Banking-Strategic-Focus.html



 Consumer Attitudes to Security in Online Payments and Banking

 http://www.bharatbook.com/detail.asp?id=129778&rt=Consumer-Attitudes-to-Security-in-Online-Payments-and-Banking.html



 Or



 Contact us at :



 Bharat Book Bureau

 Tel: +91 22 27578668

 Fax: +91 22 27579131

 Email: info@bharatbook.com

 Website: www.bharatbook.com

 Follow us on twitter: http://twitter.com/3bbharatbook



About the Author:

Bharat Book Bureau, the leading market research information aggregator, has provided reports, company profiles, newsletters, country info and online databases for the past twenty-two years to corporates, consulting firms, academic institutions, government departments, agencies etc., globally, including India. Our reports help global companies to know different markets before starting up business / expanding in different countries across the world.



Article Source: www.linkroll.com - Online Banking in Singapore 2010


Gift Cards Rebate Better than Paper Checks

Innovative solutions extend gift card use in promotion marketing to new levels through cutting-edge pricing, extensive distribution, and strategic partnering initiatives launched by Lakes Communication Services.



Los Angeles, CA -PR Web- Lakes Communication Services, a business development organization specializing in marketing prepaid debit and gift cards, announces new programs for marketers to increase customer loyalty, create new revenue streams and build their brands.



Providing customer service experiences that measure up to the demands of today's consumer requires companies to rethink how they fulfill the promotional offers that drive product sales. Replacing rebate checks and certificates with gift cards is key to reshaping promotional fulfillment services to better suit the needs of product marketers and their retail partners. For instance, as rebate incentives (mail-in or instant) for completed purchases, gift cards are more effective than checks or certificates. Gift cards are faster to process than paper checks, and also require less handling. Overall, gift cards cost less and offer more branding and reload options in ways that extend relationships with customers, while rebate checks are increasingly symbolic of the end of the relationship.



DynamicDebits extends use of gift cards in promotional marketing to new levels through cutting edge pricing, extensive distribution, and strategic partnering initiatives recently launched by Lakes Communication Services, based in Los Angeles. For example, Lakes Communication Services offers customized $10 gift cards at up to 80% off card's face value. Minimum quantities are required to capitalize on this ground-breaking offer. For proof of purchase or on-pack/in-pack promotions, just to name a few, product marketers can now offer $10 gift cards where they have grown accustomed to offering the more nominal $3-5.00 rebate check.



All gift cards powered by DynamicDebits will redeem at The Ultimate GiftCard Marketplace, and with Lakes Communication Services soon announcing definitive agreements to extend its gift card network to over 5,000 U.S. retail merchants, their gift cards will also redeem for tens of thousands of products. Product marketers can also tap into The Ultimate GiftCard Network to customize their campaigns to suit specific themes, regions, and other marketing opportunities available through this expansive retailer alliance. The Ultimate GiftCard Marketplace is also a burgeoning community of "ready to spend" gift card recipients seeking every opportunity to flex their muscles wherever buying opportunities exist. For product marketers touting their brands, gift cards are essential to elevating their customer relationship management capabilities above the fray of rebate checks and certificates. LCS' passion for innovation makes it more profitable for marketers to build their brand, create new revenue streams and increase customer loyalty.



About Lakes Communication Services:

Lakes Communication Services is a business development organization that specializes in marketing prepaid debit and gift cards. LCS also operates The Ultimate GiftCard Network as an initiative for members to reorganize existing resources into new marketing muscles and profit opportunities; and The Ultimate GiftCard Marketplace as an emerging online portal where gift cards are redeemed, exchanged and purchased in a community-driven environment that delivers lasting customer experiences.


###
