Wednesday, February 4, 2009

Say it Aite So

Aite Says It Isn't...

Aite debunks unbanked, underbanked myths

Boston, Feb. 4, 2009 -- A new report from Aite Group, LLC debunks 10 myths commonly held by bank executives, regulators and consumer advocates about unbanked and underbanked consumers. The analysis is based on a 400-person survey with consumers at check-cashing stores, completed in November and December of 2008.

Among the myths debunked by the report is the belief that consumers are unbanked or underbanked because of cultural and attitudinal reasons. Instead, it reveals that people are unbanked for very practical reasons, including credit, pricing, cash flow and service issues. Fifty-three percent of unbanked consumers in Aite Group's survey are impeded by credit issues, while an additional 28% face pricing issues with checking accounts, 12% are impeded by cash flow issues, and 7% constrained by service issues.

"Consumers that are underbanked and unbanked often choose to be so for practical reasons rather than attitudinal ones," says Gwenn Bézard, research director with Aite Group and co-author of this report. "Greater education and marketing wizardry is unlikely to succeed in attracting this group to checking account relationships. The only way for banks to seriously compete is to deliver a better product and value proposition."

This 29-page Impact Note contains 22 figures. Clients of Aite Group's Retail Banking service can download the report by clicking on the icon to the right.

Related Aite Group Research:

* Nine for '09: Opportunities and Challenges for Banks in 2009
* Mobile Banking for the Underbanked: Lessons from Africa
* Competing in Money Transfers

To purchase this report or for additional information, please contact: Aite Group Sales Tel: +1.617.338.6050 sales@aitegroup.com

About Aite Group, LLC
Aite Group is a leading independent research and advisory firm focused on business, technology and regulatory issues and their impact on the financial services industry. It was founded by leading industry experts in Banking and Securities & Investments. Aite Group brings together a team of business strategy, technology and regulatory experts to deliver comprehensive, timely and actionable advice to financial institutions and technology vendors. It seeks to become a true partner, advisor and catalyst by exchanging ideas with and challenging basic assumptions of its clients, ensuring that they always stay one step ahead of the competition.

Source: Company press release.

10th Annual Online Fraud Report

Online payment fraud trends, merchant practices and benchmarks
This year's study found that online merchants estimate they lose 1.4% of their revenue to fraud or $4 Billion in annual sales.  Read about this and over 25 other fraud management benchmarks, trends and practices. 
The 2009 edition of CyberSource's Online Fraud Report is based on an independent survey of hundreds of web merchants.  This annual industry report is essential for finance, risk and eCommerce professionals.
 Download your copy of the CyberSource Online Fraud Report 2009 Edition today!
Contents:
  • Detailed fraud metrics (fraud, chargebacks & order rejection)
  • Detection tools used/planned at each stage
  • Manual review rates, staff turnover and training time
  • Full process/metric mapping
  • Budgets (overall and how allocated) 


KPG Ventures Funds Nat'l Payment Card


I wrote about National Payment Card earlier this year: "Why $4.00 a Gallon Gas is More Appealing to NPS." Now comes word that they've raised $2 million for expansion, so apparently KPG Ventures found something very appealing about their decoupled debit program. Here's the press release:

KPG Ventures Funds National Payment Card Association With $2 Million for Expansion Into Supermarket and Chain Drug Verticals

SAN FRANCISCO--(BUSINESS WIRE)--KPG Ventures—a venture capital firm specializing in seed-stage disruptive technology companies, today announced it has invested $2 million in National Payment Card Association, an emerging company responsible for creating a large scale, low cost debit settlement system benefiting consumers and merchants with lower transaction fees. KPG Ventures’ investment will propel National Payment Card Association’s growth beyond the fuel and convenience markets and into supermarkets and chain drug outlets.

National Payment Card Association’s technology is currently being deployed in fuel and convenience stores across the country, allowing consumers to save money and merchants an alternative to the large transaction processing fees charged by traditional transaction processors.

“National Payment Card Association’s product is an innovative, money-saving concept that has already met with a great deal of success,” said National Payment Card Association CEO and Founder Joe Randazza. “In these difficult times, the support and vote of confidence we have received from a specialized venture capital firm like KPG Ventures is validation of our model and technology, and well positions us for future growth.”

“KPG seeks investments that can scale and solve a highly defined consumer problem and found both of them in National Payment Card Association,” said Dave Hills, a General Partner of KPG Ventures. “Joe and the team have built a great product and we’re happy to support them.”

National Payment Card Association first introduced its alternative payment solution in June 2006 and has earned much attention from industry insiders and consumers. The National Payment Card Association PIN based payment system processes transactions through the Federal Reserve Automated Clearing House (ACH), resulting in lower merchant fees and a self-funded loyalty program that can provide immediate savings to consumers. Specifically, the program benefits retailers by helping them shift away from the interchange fees credit card companies normally charge on each transaction by moving them to the lower cost ACH system. The merchant can then use some of the savings to change customers’ payment behavior by passing some of that savings along to them right at the pump.

Founded in 2006, KPG Ventures is a San Francisco-based venture capital firm. KPG focuses on the consumer Internet sector of technology-driven businesses, investing at the seed-stage cycle of a company’s development. With a proven track record of picking the right companies and teams who are focused on highly capital efficient opportunities that require little capital to reach profitability, KPG has launched many successful companies. The firm concentrates its efforts on a small handful of companies at a time so that it can leverage the strategic and operating expertise of its general partners.

For more information about KPG Ventures, please visit kpgventures.com. For more information on National Payment Card Association, please visit nationalpaymentcard.com or contact Shep Doniger at 561-637-5750.




ATM Skimming Card News Video

In light of the previous post, whereby I mentioned that I knew how they got the PIN, I've dug up a news report from Cincinnati, (WCPO...not WKRP) called ATM Scam Targets Debit and ATM Cards.

I've embedded the video report below for your convenience:






More ($9 million) on the RBS Breach (Video)

Below you'll find a fascinating story by John Deutzman with Fox NY regarding the recent RBS WorldPay breach. Didn't hear of it? That's probably because they issued their press release concerning the breach during the busy Christmas season, December 23rd.

To read about what I thought about it then, visit "Mother of All Hacks Coming?" from December 24th.

This incident happened after midnight on November 8th. Now...I know how they got the PINs (here's a hint, you're on candid camera), so the most intriguing part of this story, at least in my opinion, is the fact that the hackers were able to lift the daily limits on the cards, providing a larger payday. That's the coup d'état.

The coordination and scope of this effort is also amazing, even causing the FBI to make comments to that effect. 130 different ATM machines in 49 cities with 100 cards in 30 minutes.

As the story goes, no suspects, only mule drivers, but I think Clive Owen is going to be the guy behind it when they do the movie. Speaking of movies, watch the video on the right if you have the time.


Reported by John Deutzman


A Fox 5 investigation exposes a worldwide ATM scam that swindled $9 million and possibly jeopardized sensitive information from people around the world. Law enforcement sources told Fox 5 it's one of the most frightening well-coordinated heists they've ever seen. (Watch video report at right.)

Photos from security video obtained by Fox 5 show a small piece of a huge scam that took place all in one day in a matter of hours. According to the FBI, ATMs from 49 cities were hit -- including Atlanta, Chicago, New York, Montreal, Moscow and Hong Kong.


"We've seen similar attempts to defraud a bank through ATM machines but not, not anywhere near the scale we have here," FBI Agent Ross Rice told Fox 5.

These people in the photos are believed to be "cashers," low-level players, in a scheme devised from some mastermind -- a dangerous computer hacker or hacking ring authorities fear could strike again. Here's how it all came down, according to information Fox obtained from the FBI and law enforcement sources:

The computer system for a company called RBS WorldPay was hacked. One service of the company is the ability for employers to pay employees with the money going directly to a card, called payroll cards, a lot like a debit card that can be used in any ATM. The hacker was able to infiltrate the supposedly secure system and steal the information necessary to duplicate or clone people's ATM cards.

"We've never seen one this well coordinated," the FBI said.

Then shortly after midnight Eastern Time on November 8, the FBI believes that dozens of the so-called cashers were used in a coordinated attack of ATM machines around the world. "Over 130 different ATM machines in 49 cities worldwide were accessed in a 30-minute period on November 8," Agent Rice said. "So you can get an idea of the number of people involved in this and the scope of the operation."

Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again.

When it was all over, they only used 100 cards but they ripped off $9 million.

The RBS Web site says that card holders will not be responsible for any unauthorized transactions. But there is fear that the hackers might have had access to sensitive information used in identity theft for a potential 1.5 million customers -- including their Social Security numbers.

"The number of machines that were accessed, the number of cities that were targeted, and the number of people that had to be involved in this is quite significant," Agent Rice said.

Investigators are hoping a break in the case may come from one of the cashers. The theory is they probably were recruited, paid a small fee to be soldiers in the scam, and might be likely to rat out the people who hired them.

There are millions of people out there these days with these payroll cards. RBS officials say they have sent out letters to anyone who might have been affected. They are also offering one-year credit protection for people whose Social Security number may have been jeopardized by this scam. However, the good news is that it doesn't look like any identity theft has occurred yet.

So far, the FBI has no suspects and has made no arrests in this scam. An attorney in Atlanta has filed a class-action lawsuit against RBS WorldPay for allegedly failing to protect personal information.

RBS WorldPay told Fox 5 the company has hired a security firm to try to figure out what happened and to prevent it from happening again.


Tuesday, February 3, 2009

UKashes in on UK Snowstorm



Snowed in Brits turn to online shopping- Ukash

Ukash, the international provider of online payments with cash, reported a growth in sales of its prepaid vouchers yesterday, as millions of UK workers were homebound after the heavy snowfall turned to shopping and entertainment online.

Year-on-year figures reflect a 79% increase in transactions online made using Ukash compared to the same day in 2008. The first Monday of February is often a poor day for retailers and providers of retail solutions such as Ukash, as the December and January spending hits consumers' pockets. However, the heavy snow fallen in the UK bumped the figures of redemption of Ukash across most retail sectors yesterday. A gaming site specialised in poker games saw a 96% increase in transactions with Ukash, followed closely by the 80% growth registered by a betting site. Bingo also enjoyed a peak yesterday, with an 81% growth; however, the greatest surge was registered in VoIP (202%) as the UK turned to internet calling to share the extraordinary weather news with friends and family in the UK and abroad.

Mark Chirnside, CEO of Ukash, puts this excellent performance down to Ukash's wide availability and convenience: "With a large number of us unable to travel, local stores became by far the most convenient stations for the provision of goods yesterday. Four in five Ukash vouchers are acquired from convenience stores in the UK and, with the prospect of being 'homebound' in mind, customers had a perfect excuse to get down to their corner shop and get a convenient and safe way to spend a fun day shopping and playing online alone or with family."

Ukash prepaid vouchers are a safe and convenient way to spend online as they allow customers to pay without having to disclose sensitive financial information. Ukash is available from 275,000 locations throughout Europe and South Africa and also via Vodafone mobiles in the UK.   A recent research showed Ukash's average customer in the UK is in full time employment, has a bank account and a credit or debit card but prefers alternative and safer payment methods to transact online.



E-Commerce Growth 2 Continue in '10

SAN FRANCISCO (Reuters) - E-commerce in the United States is expected to climb back to last year's levels by 2010 after experiencing slowing growth in 2009 due to the recession, a research group said on Monday.

Online sales in 2010 could reach approximately $176.9 billion, representing 13 percent growth, said Forrester Research in its five-year e-commerce forecast.  Last week, the group released data saying the online retail channel was expected to grow 11 percent to $156 billion in 2009, below the 13 percent growth seen in 2008, and the 15 percent growth it had earlier predicted for 2009.

"While there is the possibility of a bearish scenario in which no recovery surfaces in 2009, consumers appear to be enthused about a new president, and government plans to stimulate the economy," the report said. "Furthermore, few recessions have lasted longer than a year in total."  The deteriorating U.S. economy led to tepid online sales in 2008 as consumers cut back on all but the most necessary of purchases.

Online retailers faced severe competition from brick-and-mortar establishments that were heavily discounting merchandise, while giants from Amazon.com Inc to eBay Inc have acknowledged the challenging macroeconomic environment that has spooked not only consumers, but financial markets around the globe.

In 2009, greater numbers of affluent customers shifting their purchases from traditional retailers to online outlets will outweigh decreases seen from other customers stemming their spending overall, the report found.

But after an acceleration in 2010, Forrester predicts that growth will slow, with 10 percent, 9 percent, and 8 percent growth expected for 2011, 2012 and 2013, respectively.

"It's just the maturity of the market -- it's reaching its maximum size," Sucharita Mulpuru, author of the report, told Reuters. "Even a few years ago we would have suggested it would be single-digit growth then."

At the same time, e-commerce will pick up a greater piece of overall U.S. retail sales. (Editor's Note: As the Paradigm Shift gathers momentum)


"Despite the deceleration in growth, Web sales are nonetheless expected to be positive as e-commerce continues to capture market share from brick-and-mortar stores," the report found, citing Web shopping's convenience and the ability for consumers to search for low prices.

Whereas the online channel will make up 6 percent of total retail sales in 2009 and 2010, that will increase to 7 percent and 8 percent in 2011 and 2012, respectively.

Visa Issues Security Alert






Source: Merchant Account Blog:

Visa has issued a security alert (relating to the recent Heartland breach?) outlining some specific applications and IP addresses to look out for.

What is unique about this alert is that Visa gave a very specific list of malicious applications to search for on a network/computer, and a specific list of IPs to block.


This would indicate that Visa has explicitly identified threats, where they are originating from, and these locations are static enough that blocking them would actually do some good...









War Cloning Passport Cards on the Fly

War Cloning: Homeland Security's Passport Cards Can Be Cloned with $250 Worth of Equipment

You know those new Homeland Security-issued "Passport Cards"? Those wallet-sized ones that allow Americans to travel to and from Mexico and Canada? Well, if an Islamic terrorist had $250 bucks, he could drive by your house at 30 mph (or within 2 miles of it), clone it, and use your passport card to travel to and from Mexico and Canada under the guise of being you. Oh, cloning your driver's license is just as easy.

The reason I'm bringing you this story is to provide an example of what hackers are capable of. So let's all wave our contactless cards and NFC-enabled phones when they become widely available because they're safe and secure and convenient (personally, I'm not buyin' it).

What's more disturbing about this story is the fact that it creates a scenario whereby Homeland Security is actually potentially providing the instrument of mass destruction.  WarCloning is indeed the right word for this type of hack, as this story suggests the following hypothetical.

After a devastating attack on a major US city, it could be proven that on such and such a day, at such and such a time, you entered the US from Mexico (your cloned DL and Passport card provide the evidence), and that two days later you purchased 250 pounds of fertilizer (your cloned debit card transaction record provides that proof), went on to rent an industrial van (proven by your cloned credit card transaction), drove to a specific location, and then...well, you get the morbidity of my point. You may or may not have alibis to disprove the "evidence," but even if you did, the investigation was thrown enough off track to allow the true culprit to enter Canada via another passport card, and hop on a plane with a ticket bought online with yet another cloned card and fly to a cave in Pakistan to join his bin-buddies whom we (in fairness, it's only Bin nearly a decade) can't seem to find. Nice job Homeland Security.

I've included a video of the act of cloning these cards. Amazing. This was dark reading indeed. Here's the YouTube Video, followed by the excerpts of the story.




Drive-By 'War Cloning' Attack Hacks Electronic Passports, Driver's Licenses

Researcher demonstrates the ease of scanning and cloning new Homeland Security-issued IDs

With a $250 used RFID scanner he purchased on eBay and a low-profile antenna tucked away in his car, a security researcher recently cruised the streets along Fisherman's Wharf in San Francisco, where he captured -- and cloned -- a half-dozen electronic passports within an hour.

Chris Paget, who will demonstrate the privacy risks with these IDs at the Shmoocon hacker confab later this week in Washington, D.C., coined this newest RFID attack "war cloning" given its similarity to war-driving, or wireless sniffing. "War cloning -- it's the new hacker sport," he says.

The security weaknesses of the EPC Gen 2 RFID tags, which lack encryption and true authentication, have been well-known and of concern to privacy advocates for some time. These tags are being used in the new wallet-sized passport cards that the U.S. Department of Homeland Security offers under the new Western Hemisphere Travel Initiative for travel to and from Western Hemisphere countries. The e-cards are aimed at simplifying and speeding up the border-crossing process, providing U.S. Customs and border agents with information on the individual as he or she queues up to inspection booths at the border.

Until now, security researchers for the most part have shied away from hacking away at the new e-passports and e-driver's licenses to illustrate the potential privacy problems because the necessary scanners are expensive -- nearly $3,000 new -- and tough to get. "I found a way to procure equipment on the cheap and repair it and make it do exactly what I wanted it to do," Paget says. (Editor's Note: That's great news, security researchers can't afford equipment, but fraudsters are "well-funded.")

Unlike previous RFID hacks that have been conducted within inches of the targeted ID, Paget's hack can scan RFID tags from 20 feet away. "This is a vicinity versus proximity read," he says. "The passport card is a real radio broadcast, so there's no real limit to the read range. It's conceivable that these things can be tracked from 100 meters -- a couple of miles."

Paget says he was able to drive his car at 30 miles per hour and capture an RFID tag in a matter of seconds. "The software for [copying them] lets you just choose the tag you want to copy, wave a blank tag in front of it, and it writes it out," he says.


Read Full Article at Dark Reading








AmEx Joins Visa, MasterCard and JCB at EMVCo

Payments News: American Express Joins EMVCo As Fourth Owner-Member - February 03, 2009
EMVCo, the EMV standards body jointly owned by JCB International, MasterCard Worldwide and Visa Inc., has announced American Express as its fourth owner-member. According to the organization, "the addition of this latest international payment organisation aligns with EMVCo’s intent to attract further industry participation in the development of the EMV Specifications."

As an established supporter and end-user of EMV technology, American Express has acquired a one-fourth share of EMVCo from the respective holdings of JCB International, MasterCard Worldwide and Visa Inc., and will therefore have an equal interest in the organisation. EMVCo’s management structure has been changed to give American Express representation on the organisation’s Executive Committee and Board of Managers, in addition to equal participation in its working groups.

“EMVCo welcomes American Express as its fourth global payment system member,” said Tad Fordyce, Chairman of the EMVCo Executive Committee and Head of Global Cross Product Platforms at Visa Inc. “American Express will be able to lend expertise at both the technical and management level which will directly support the EMVCo goal to enhance global chip standards, and offer secure and interoperable payments at the point of sale around the world.”

Susan Hillel, Senior Vice President of Global Network Operations at American Express, says: “American Express is delighted to join and become a member of EMVCo. We are committed to driving interoperability in payments and know that our participation in EMVCo will facilitate this for our merchant, issuer and cardmember customers. Involvement by the four major payment organisations will drive secure and interoperable payments globally for transactions made with chip cards by aligning and progressing EMV Specifications. We look forward to working with JCB, MasterCard and Visa on this very critical industry initiative.”

Kazuhiro Matsumoto, member of the EMVCo Executive Committee and Executive Vice President of Global Infrastructure and Technologies at JCB International, comments: “The participation of American Express within EMVCo supports our focus on broadening industry involvement within the organisation and leveraging the experience of all major payment stakeholders. This new member will bring extensive industry knowledge and valuable chip card experience to EMVCo which will considerably benefit the smart card industry as a whole.”

Art Kranzley, member of the EMVCo Executive Committee and Chief Emerging Technology Officer at MasterCard Worldwide, adds: “The existing members of EMVCo recognise the benefits of expanding industry involvement in the ongoing development and support of the EMV Specifications. Achieving global chip standards and interoperability has never been more important as smart card payment technology is rapidly being deployed throughout the world. EMVCo looks forward to having American Express participate as a new owner-member who brings additional market experience and resource to the organisation.”

EMVCo’s growing commitment to increase industry engagement with its activities was demonstrated last year when it announced the launch of a new subscriber service. The programme will provide interested parties with an opportunity to access advanced information regarding revisions to the EMV Specifications and draft documents, and attend an annual user meeting. For further information visit http://www.emvco.com.

About EMVCo

EMVCo LLC was formed in February 1999 by Europay International, MasterCard International and Visa International to manage, maintain and enhance the EMV™ Integrated Circuit Card Specifications for Payment Systems. With the acquisition of Europay by MasterCard in 2002 and JCB Co., Ltd. joining the organisation in 2004, EMVCo is currently operated by JCB International, MasterCard Worldwide and Visa Inc.


Data Breaches Cost $202 Per Compromise - Study

Ponemon Study Shows Data Breach Costs Continue to Rise
Fourth Annual Study Shows Significant Increase in Cost of Lost Business
Americans Continue to Stay Attentive to the Loss or Theft of Personal Information

Menlo Park, CA and Traverse City – Press Release

PGP Corporation, a global leader in enterprise data protection, and the Ponemon Institute, a privacy and information management research firm, today announced results of the fourth annual U.S. Cost of a Data Breach Study. According to the study which examined 43 organizations across 17 different industry sectors, data breach incidents cost U.S. companies $202 per compromised customer record in 2008, compared to $197 in 2007.

Editor's Note: That being the case, and assuming that the Heartland Breach compromised 100 million cardholders, I am shocked in amazement that their stock is hovering around 8 or 9 dollars.

Within that number, the largest cost increase in 2008 concerns lost business created by abnormal churn, meaning turnover of customers. Since the study’s inception in 2005, this cost component has grown by more than $64 on a per victim basis, nearly a 40% increase.

The annual U.S. Cost of Data Breach Study tracks a wide range of cost factors, including expensive outlays for detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions. Other key findings from the study include the following:

  • Average total per-incident costs in 2008 were $6.65 million, compared to an average per-incident cost of $6.3 million in 2007.
  • Healthcare and financial services companies experienced the highest churn rate – 6.5 percent and 5.5 percent respectively, on a total average of 3.6 percent, which reflect the sensitivity of the data collected and the customer expectation that information will be protected.
  • Third-party organizations accounted for more than 44 percent of all cases in the 2008 study and are also the most costly form of data breaches due to additional investigation and consulting fees.
  • More than 84 percent of 2008 cases involved organizations that had had more than one data breach in 2008 - meaning that companies are becoming more experienced in managing breaches over time.
  • More than 88% of all cases in this year’s study involved insider negligence.
  • More than half of respondents believe that training and awareness programs assist in preventing future breaches and 44 percent have expanded their use of encryption.
  • The most significant cost decrease was seen in activities relating to post-breach response, which indicates that organizations are becoming more cost effective in managing data breaches.

“After four years of conducting this study, one thing remains constant, U.S. businesses continue to pay dearly for having a data breach,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy.”

The study, sponsored by PGP Corporation and independently conducted by the Ponemon Institute, examines the financial consequences of data breaches involving consumers’ personally identifiable information. The study uses objective methods for quantifying specific activities that result in direct, indirect and opportunity costs from the loss or theft of personal information, thus requiring notification to breach victims as required by law or policy.

“In this current economic climate, U.S. businesses can’t afford to give their customers any reason to go elsewhere,” said Phillip Dunkelberger, president and CEO of PGP Corporation. “This study continues to show that the results of a data breach can seriously wound a company’s bottom line and reputation. This begs the question, when are organizations going to get proactive about protecting their critical data.”

The U.S. Cost of a Data Breach Study was derived from a detailed analysis of 43 data breach cases with a range of 4,200 to 113,000 records that were affected. The study found that there is a positive correlation between the number of records lost and the cost of an incident. Companies analyzed were from 17 different industries, including financial, retail, healthcare, services, education, technology, manufacturing, transportation, consumer, hotels and leisure, entertainment, marketing, pharmaceutical, communications, research, energy and defense. Copies of the study are available via this weblink: www.encryptionreports.com

About the Ponemon Institute
The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About PGP Corporation
PGP Corporation is a global leader in email and data encryption software for enterprise data protection. Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest set of integrated applications for enterprise data security. PGP® platform-enabled applications allow organizations to meet current needs and expand as security requirements evolve for email, laptops, desktops, instant messaging, smartphones, network storage, file transfers, automated processes, and backups.

PGP® solutions are used by more than 80,000 enterprises, businesses, and governments worldwide, including 95 percent of the Fortune® 100, 75 percent of the Fortune® Global 100, 87 percent of the German DAX Index, and 51 percent of the U.K. FTSE 100 Index. As a result, PGP Corporation has earned a global reputation for innovative, standards-based, and trusted solutions. PGP solutions help protect confidential information, secure customer data, achieve regulatory and audit compliance, and safeguard companies’ brands and reputations. Contact PGP Corporation at www.pgp.com

Media & Analyst Contacts for PGP Corporation:
North America:
Christina Grenier
PGP Corporation
+1 650 543 3697
cgrenier@pgp.com

Tom Rice
Merritt Group
+1 703 856 2218
rice@merrittgrp.com

Media Contact for Ponemon Institute:
Mike Spinney
Ponemon Institute
+ 978 597 0342
mspinney@ponemon.org

$143K in Card Fraud, Gets 2 Months Jail

Well, this certainly sends a wonderful message to anyone out there (with questionable character, I might add) who may have lost their job during this tough economy. Had he walked inside the same county pathologist's house and stolen $143, he'd have gotten years in prison. But he walks into his house of cards, steals $143,000, and he gets 2 months? Something doesn't sound right about that.

San Mateo man gets jail time in $120,000 credit fraud case - Inside Bay Area

REDWOOD CITY — A San Mateo man accused of stealing nearly $120,000 from credit card companies by opening multiple bogus credit card accounts in the name of a county pathologist was sentenced Monday to two months in jail.

Rel Kempf, 63, pleaded no contest in December to four felony charges of identity theft, grand theft and forgery. He had initially been charged with 10 felony counts of grand theft and three counts of forgery.

Kempf opened five credit card accounts in the pathologist's name over an eight-year period, according to prosecutors. He set up the fraudulent accounts while working at a business that was run by the pathologist's wife and managed to run up the charges to nearly $120,000 by paying the minimum amount of the cards' balances each month, prosecutors said.

Kempf used the stolen funds to pay for vacation trips, airplane flights and other personal affairs, prosecutors said. Meanwhile, Kempf pulled the identical identity theft scam on his roommate to steal $23,000, according to prosecutors.

Monday, February 2, 2009

Want to See Something Really Scary?

In a very scary article written by BYRON ACOHIDO and JON SWARTZ in USA Today last week, readers were provided the opportunity to gain some insight into just how unsafe it is to enter your debit or credit card numbers online.

These bullet points should be enough to (rightfully) scare the living bejeezeeze outta you and steer you away from the idea of ever typing in your credit or debit card numbers online again.


Remember: "Don't Type, Swipe"
You're 92 times more likely to be the victim of fraud if you type rather than utilize hardware, such as our personal card swiping device. (see Software Breach 92 Times More Likely Than Hardware Breach)

The good news is that there is a way to "mask" your data and "safely" make purchases online. You have to swipe your own card data before the bad guys do. The day AFTER this story ran in USA Today, a game-changing event occurred. On January 29th, I wrote that HomeATM was pleased to announce that they met PCI 2.0 requirements. When you combine that achievement with the fact that HomeATM provides End-To-End Encryption (E2EE) protocols, you'll see that there truly is only one way to securely purchase goods online. And that's with HomeATM's online (PIN) debit platform.

Consider the following highlights, er lowlights...from the USA Today article...


  • The number of malicious programs circulating on the Internet tripled to more than 31,000 a day in mid-September...
  • Cybergangs now routinely activate hundreds of accounts by the minute, dedicating them to criminal pursuits.
  • "The offense tends to outpace the defense," the FBI said. "The cyberthieves are extremely creative."

"This Justin"


They tell the story of Justin Terrazas, 27, a beverage merchandiser from Seattle. Now pay close attention here, so you know what NOT to do. Justin clicked on a Web link that infected his MacBook Pro laptop with a data-stealing program. Not realizing the laptop was compromised, Terrazas later typed his Bank of America debit card number and PIN to pay his Verizon cell phone bill online. The data-stealer swiftly siphoned his information.

(Editor's Note: As we've been stating on this blog for almost a year now, NEVER TYPE your Personal Account Number, let alone your PIN while you are online.)


A few days later, someone used Terrazas' debit card account to make a $501.41 online purchase from Modabrand.com, a designer clothing store. The merchandise was shipped to London, leaving Terrazas to unravel a big mess. "This is definitely something you don't need in your life," he said.

  • The boom in cyberthreats that occurred during the last three months of 2008 could accelerate, especially if the economy continues to falter, security specialists say.

  • Organized cybercrime groups have become increasingly efficient at assembling massive networks of infected computers, called botnets, and deploying them to amass large caches of stolen data.

  • "There is a well-funded, well-educated horde continually probing for cracks and finding their way in" to consumers' financial information, said Roger Thornton, chief technology officer of security firm Fortify Software.

  • "They are breaching ... the highest levels of the global finance infrastructure and a majority of our home computers."

  • Some cybercriminals have begun to spread malicious programs by corrupting online banner ads. Security firm Finjan reports that new tools being sold on criminal forums can be used to infect online ads that use Adobe's popular Flash player.

  • Last fall, virulent programs called Trojans began to circulate more widely in e-mail and instant-message spam, got embedded in tens of thousands of popular Web pages and spread in a widening barrage of online ads. Click on the wrong thing, and you would download an invisible Trojan crafted to steal sensitive data and allow the attacker to control your computer.

  • "Unemployed IT personnel potentially can find easy income by purchasing and using crimeware," says Finjan CTO Yuval Ben-Itzhak. "We expect a rising number of people will try."

  • "In the next year or two, these challenges will increase in both breadth and depth of threats," says Larry Ponemon, chairman of Ponemon Institute.

You may remember the "CheckFree is Not HackFree" post, in which I described how hackers redirected anyone going to their site to a dummy site in the Ukraine. According to the USA Today story, that's just the beginning of what to expect in the future.

  • "The moral of this attack is that it's so easy to take over your website," Klein says. "I just need to get a hold of your user name and password once. And we all know how easy it is to get your credentials."

Do you really know how easy it is? If you truly did understand the scope of the problem, I guarantee that you would never again type your debit/credit card number online. Instead, you would happily acquire HomeATM's PCI 2.X personal card swiping device so you could be protected by both dual-authentication (what you have/your card and what you know/your PIN) and our End-To-End Encryption. None of the threats listed above would have an effect on you, provided you completed your transaction by "swiping your own card" in our personal card reader with built-in PCI 2.0 certified PIN pad.


Chip and PIN (+ Magstripe) = Fraud

Back in the middle of September (see below), I blogged about a rash of PINs that were stolen by Russian and Ukrainian skimmers via the rigging of ATMs in Dubai. As a result, Lloyds TSB announced a switch-over to Chip and PIN last December (also linked below).

Now word comes that the National Bank of Abu Dhabi has officially announced that all banks will be required to introduce Chip and PIN. You will find the link to the story, an excerpt, and some of my comments below:

Chip and PIN system to be introduced - The National Newspaper

In a move to thwart widespread credit card fraud, banks will start introducing a “chip-and-pin” system to replace the traditional magnetic security strip.

Editor's Note: Yes, but if the magnetic stripe is still on the back of the card it can be easily skimmed and cloned. Therefore the "increased security" is only applicable in "card present" situations. Otherwise the data contained on the magstripe can be lifted, and cloned for use overseas and online.

That is why I think it is a mistake for banks to be pushing "signature debit" over "PIN Debit" here in the States. Sure, they might be making a killing on overdraft fees today, but what's getting lost in translation is that they are leaving everyone else in the world open to fraud.

Back to the story:

“The introduction of such technology has proved to be extremely successful in other parts of the world in reducing card fraud, particularly in Europe,” the Central Bank said.

Editor's Note: That may or may not be true, as the "flip-side" of the story is that overseas fraud was 14 times higher, and last week it was reported that more than 1 in 4 Brits have been a victim of credit or debit card fraud. Fraudsters, like water, seem to find the path of least resistance, which is another reason to be surprised at the banks' pushing of the "least resistant" platform, known as signature debit.

They say that the argument against switching to a Chip and PIN system in the U.S. is the cost. But I say there's a more cost-effective approach. We don't need to spend the $15 plus billion to make the switchover when we could do it for nothing by pushing PIN based transactions over signature debit. At the same time we'd vastly increase the security of our transactions, and drastically reduce the instances of card cloning, especially in "card not present" situations by requiring the entry of a PIN, which is the preferred payment mechanism by both consumers and merchants anyway.

"While the cost of making the switch to Chip and PIN in America would be exorbitant, we could simply require the use of PINs here in the States which would go a long way to combating fraud and cloned cards"

But I guess, in the long run (and I'm being extremely facetious here) it makes more sense for the banks to push "signature debit" in order to make their $35 overdraft profit on a "$4 Big Mac and Coke" purchase than to diligently prepare for the storm that is approaching. Banks have known for years that PIN Debit is more secure than signature debit. So I have to agree with Avivah Litan when she says:

"Signature-based transactions are definitely less secure, so it's really outrageous that banks are steering customers to use signatures rather than PINs simply because it generates more fee income," says Avivah Litan. One major retailer confided to her that fraud on signature-based debit purchases at his company's stores is 15 times higher than for transactions authorized by a PIN.


Signature is 15 times higher than PIN Debit? No wonder banks are pushing signature debit. It makes for complete non-sense. Common sense dictates the push for PIN Debit, both in retail and on the web. Regarding the web, in its current "card not present" state, there's not only more fraud, but cloned cards can be used almost at will. So you'd think even the banks would "get it." Especially based on the fact that they already seem to be PIN-heads. I'll try again:

"A PIN based transaction would be both "dually authenticated" and, with HomeATM, provide the added security of End-To-End Encryption (E2EE)."

Question: If PIN Debit fraud is 15 times LOWER in retail (a card present space), what are the numbers in a "card not present" environment, such as the web? I can only speculate. The fact that e-commerce transactions are all software based (and fraud is 92 times more likely to be associated with software vs. hardware) provides me with evidence that the time for swiping your card and entering your PIN in a PCI 2.0 tamper proof PIN Pad (thus making it "card present") has arrived.


But, seemingly, for now anyway, the banks are focused on pushing/steering American consumers towards a fraud-centric payment mechanism that is 15+ times more likely to induce fraud, depending on the environment. Without doing research, I'm willing to bet that while the Interchange Fees contribute, it's the overdraft fees that are the main ingredient behind their recipe of pushing signature debit. I thought the Fall of Wall Street was supposed to teach us some truths about greed. Talk about "lie-ability."


Anyway, getting back to the story: Chip-and-pin cards rely on a personal number, usually four digits, rather than a signature, and are thought to be harder to defraud. All banks will be required to introduce the new technology, according to a statement from the Central Bank yesterday, although no timetable was given. “This is in line with global industry trends intended to reduce the risk of debit and credit card fraud.”

Chip-and-pin technology has been used widely in Europe for many years, and was introduced in Britain in 2004. There is still some debate about its effectiveness, although according to a British government website, counterfeit and fraud were reduced by nearly £60 million the year after its introduction. Last week, a senior Dubai police officer told The National that its introduction could prevent increasingly sophisticated credit card fraud...

Related Stories:

Russian Hack Creates "Rush On" Changing PIN's in Dubai

Sep 15, 2008 -Dubai — Some banks in the UAE have slashed the daily cash withdrawal limit of ATM users by almost half after hackers, who police said were from Russia and Ukraine, used counterfeit bank and credit cards to steal funds from customer ..

Chip and PIN Coming to Dubai
Dec 22, 2008 - Chip and PIN Coming to Dubai - Decision to switch based on recent hack and rise in card related fraud. Many banks across the UAE experienced a concerning rise in the instances of card related fraud in the latter part of ...




SmartCard Marketing Posts 1,700% Gain


SmartCard Marketing Systems Inc. Posts 1,700% Gain in Payment Processing Volume in December 2008 Compared to Same Period Last Year

SmartCard Marketing Systems Inc.(PINKSHEETS:SMKG) announced today another record high month in their Prepaid Card loading, PIN Debit (powered by HomeATM) and Bill Payment processing volume for December 2008.

The company saw an increase of 1,700% in Payment processing for December 2008 as compared to same period last year. This volume exceeds the previous record high by 211%, which was posted the month before in November of 2008. This growth trend started mid-2008 when SMKG completed development of its full complement of alternative financial services. The growth is anticipated to continue through 2009 and 2010 as the company grows its transaction volume and active customer base.

(SMKG:PINKSHEETS) President Bruce Baillio said, "Our bill pay, online PIN debit (powered by HomeATM) and card loading volumes are growing exponentially as we get caught up on product deliveries and customer installations. We are in the beginning stages of a major growth curve in both transactions and dollar volumes processed. Not only is the company catching up on backlogged orders, but we are signing new corporate customers every month. In spite of weakness in the overall economy, there is no sign of a slowdown in our business."

gosmartcard.com


Gemalto, mChek Partner in South Asia


Gemalto, the world leader in digital security, today announced its partnership with India-based technology partner mChek, a leading provider of mobile security, banking and payment applications, to bolster the range and choice of secured mobile banking solutions available on Gemalto SIM cards to markets in South Asia.

Since September 2008, Gemalto and mChek have successfully deployed a broad range of mobile banking services with telecom operators in India and Sri Lanka on millions of SIM cards. This includes a mobile top-up service where its customers can recharge anywhere, anytime for themselves or others.

Tan Teck Lee, president of Gemalto Asia said, "mChek has demonstrated an exceptional platform that is flexible and scalable for a broad range of mobile banking and payment applications. By leveraging Gemalto's worldwide partnership program, we can partner with mChek to better serve our customers be they telecom operators or subscribers. Together we aim to bring new levels of security and convenience beyond India and Sri Lanka into markets such as Bangladesh, Indonesia and the Philippines."

The Gemalto Partner Network consists of leading companies that develop products that are complementary to Gemalto products and solutions. Gemalto partners such as mChek have the benefit of exchanging information and getting access to technology and business support as the company looks at expanding its secured mobile banking solutions. This move reaffirms Gemalto's commitment to the region and to bringing convenient, easy to use, secure-mobile solutions to subscribers.

Facilitating secured transactions on the mobile phone

The rapid adoption of mobile phones around the world, notably in emerging countries, provides an opportunity for the telecom and banking industries to leverage the uniqueness of the SIM card (i.e. a network-enabled personal security device) to provide a range of banking services. While some mobile operators have implemented Stored-Value Account (SVA) wallets, in most countries, banking regulations do not allow non-banks to accept deposits or limit the scope and value of operator managed SVA wallets.

The mChek platform addresses these two issues and provides a solution for telecom operators through Gemalto SIM cards. In a unified environment, mChek enables a broad range of services, including mobile banking, two-factor authentication, secure message delivery, cross-border and domestic money transfer and mobile payments using SVA wallets, direct debit and credit/debit card support.

About Gemalto

Gemalto (Euronext NL 0000400653 GTO) is the world leader in digital security with 2008 annual revenues of €1.68 billion, and 10,000 employees operating out of 75 offices, research and service centers in 40 countries. Gemalto is at the heart of our evolving digital society. The freedom to communicate, travel, shop, bank, entertain, and work—anytime, anywhere—has become an integral part of what people want and expect, in ways that are convenient, enjoyable and secure.  Gemalto delivers on the growing demands of billions of people worldwide for mobile connectivity, identity and data protection, credit card safety, health and transportation services, e-government and national security. We do this by supplying to governments, wireless operators, banks and enterprises a wide range of secure personal devices, such as subscriber identification modules (SIM) in mobile phones, smart banking cards, electronic passports, and USB tokens for online identity protection. To complete the solution we also provide software, systems and services to help our customers achieve their goals.

As the use of Gemalto's software and secure devices increases with the number of people interacting in the digital and wireless world, the company is poised to thrive over the coming years.

For more information please visit www.gemalto.com.

About mChek


mChek (www.mChek.com) is a leading provider of mobile security and payments solutions. Based in Bangalore, India, mChek's solutions are deployed on a large scale at Bharti Airtel in India and Dialog Telekom in Sri Lanka. Bharti Airtel recently announced 1 million users on the mChek platform. mChek is approved by Visa International and is deployed by leading banks including Citibank, State Bank of India, ICICI Bank, HDFC bank, Corporation bank, NDB Bank and Seylan Bank.

Source:  Montner & Associates Tech PR Agency
