Friday, April 3, 2009

Consumer Group Wants V/MC Profits Audited

Consumer group wants audit into credit card profits - Montreal Gazette
The federal government's financial regulator should audit the credit-card operations of Canada's banks to figure out whether their profit margins are tantamount to gouging, a leading consumer group testified Thursday at a parliamentary probe into the credit and debit markets.

A day after the Canadian Bankers Association declined to answer a pointed question from senators about how much banks make for every dollar invested in the credit-card business, the country's bank accountability coalition said it's time the Financial Consumer Agency of Canada or the auditor general is allowed to go in and get the answers.

"The solution is to empower the FCAC or auditor general to do an audit of actual costs and revenues and actual profit margins," said Duff Conacher, chairman of the Canadian Community Reinvestment Coalition. "Simply having a public report would cause fees and rates to come down the next day because I think there's ample evidence of gouging going on."

He cited unilateral increases of interest rates and extra fees charged on purchases made outside Canada as examples.

"Based on what? Who knows. That's why we need an audit. . . . The banks have all the figures and they can claim anything they want," said Conacher.

The FCAC, established by the government in 2001, enforces consumer-protection laws and monitors codes of conduct at banks and federally incorporated trust, loan and insurance companies.

Continue Reading at the Montreal Gazette


Hacker, 22, Sentenced to 5 Years in Prison


Maple Grove hacker gets 5 years for stealing credit card data
Star Tribune

A previously convicted Maple Grove (Minnesota) computer hacker has been sentenced to five years in prison for stealing credit card information from thousands of victims to add to restaurant gift cards and then selling them on Craigslist.  (Editor's Note: It's about time some of these sentences started getting a little harsher, Mann.)

Zachary W. Mann, 22, sentenced Tuesday in Minneapolis, pleaded guilty in June to wire fraud and aggravated identity theft.

According to Mann's plea agreement, he stole credit card account information over the Internet from individuals over a three-month period early last year.


Mann obtained the credit card information from thousands of victims by hacking into an Internet-based order processing server. He then used the stolen card data to add value to gift cards he bought for small amounts at restaurants, and sold the inflated gift cards on Craigslist.

According to the plea agreement, Mann committed these offenses while he was on supervised release in connection with a December 2006 federal conviction for conspiracy to commit computer fraud and aggravated identity theft in Florida.

In that case, Mann admitted tapping personal information on actor Laurence Fishburne (Editor's Note: Within the fraud "Matrix" I couldn't help but notice how much more apropos it would be if they said Laurence was Phish-Burned by this Mann) and other celebrities but denied that what he and his cohorts did was wrong.






Social Responsibility - Priceless!

News: Mastercard lunches with Eden Project for first CSR campaign - Marketing Week
Mastercard announced earlier this week that it would run its first corporate social responsibility-themed Priceless ad campaign in the UK. The ads form part of a partnership between the credit card company and The Eden Project organisation called The Big Lunch.

The Big Lunch is a social cohesion scheme aiming to get the whole of the UK to sit down with their neighbours on their street and have lunch on July 19, 2009. The Mastercard campaign for the initiative, which uses the tagline "Turning your street into a neighbourhood - priceless" launched in national print media on Tuesday. A TV campaign will follow in May, with social media elements added at a later date.

With the credit industry under scrutiny following the financial turmoil of the past few months, Mastercard is hoping that advertising this partnership will help position the company as one that understands "what matters to people" in any economic environment.

Mastercard vice-president of marketing for the UK and Ireland Ben Rhodes says: "We're a brand that is in most people's pockets. We're a huge enabler of commerce in the UK so we can't pretend we don't exist just because there is a tricky economic climate. Now's when you have to be brave and stand up for what you believe are the right things."

As many corporate sponsorships are coming under fire from consumers (see cover story, page 16), Mastercard claims that focusing on social change is "the right thing" for 2009. Although the brand has long been a sponsor of sporting and music events, such as the UEFA Champions League and The Brits, its competitor Visa has been more involved with community projects through its Olympics sponsorship scheme.

Rhodes claims the company had been keen to boost its involvement in community areas for a long time but felt it didn't have "permission in the space to say: 'let's create social change'. We have a reputation tracker and one of the key drivers is about being seen to have a positive effect on society. But this wasn't something we could do on our own."

On board as a partner

Mastercard's involvement in the project began after The Eden Project's founder Tim Smit, and Paul Twivy, chief executive of The Big Lunch, approached the company back in the summer of 2008. While Royal Mail, EDF Energy and the Post Office signed up as "supporter" brands, Mastercard is the sole "partner" company for the initiative.

Aside from the consumer advertising campaign, Mastercard is pushing the initiative to its partner bank businesses. These banks make the decision whether consumers have the Visa or Mastercard logos on their cards, so it is vital for the brand to utilise any partnerships to push preference among the banks.

Rhodes adds: "One of the key roles and tenets of our marketing is to make sure we have assets that can be used, whether intellectual, reputation or sponsorship, that we can use to help drive our customers' businesses."

Continue Reading at MarketingWeek.


Twit This: Google to Buy Twitter?

April 3rd, 2009 · by David Bradley

UPDATE: Twitter is not negotiating a sale with Google, according to Kara Swisher. The AllThingsD journalist says the acquisition talks first touted by TechCrunch (see below) are inaccurate.

However, the two are in talks focused on “product-related discussions”, Swisher reports, which makes more sense and confirms my earlier post about Google and Twitter being in cahoots.

It came a day late to be an April Fool’s, but rumors are trending across the twitterhood, on the blogosphere, and just plain in the news that Google is in late-stage talks to acquire microblogging site Twitter for $250m cash, half what Facebook offered for the plugged-in celebrity’s favorite web service.

TechCrunch claims it has confirmation from two independent sources close to the talks that a deal is imminent.

This ties in with my thoughts of a few days ago about cross-linked activity between Google SERPs and Twitter changes. I tweeted how Google and Twitter were in cahoots well over a week ago.

There is quite a lot of discussion on Twitter itself regarding this putative acquisition, much of it simply retweets of the TechCrunch link and remarkably few expletives so far.

What such an assimilation will mean for millions of tweeps remains to be seen, although you can bet your bottom AdWords dollar that one thing that will certainly change is that Google will slap its AdSense program all over your tweets within weeks of the legal papers being deposited. Whether you see that as a good or a bad thing will depend on whether you think making money from your online output is a viable business model or a way to boost pocket money.

Old update: Yet another source says the acquisition discussions are still fairly early stage, and the two companies are also considering working together on a Google real-time search engine.





Private Facebook Details are Public Information


Public Search Engines Mine Private Facebook Details - DarkReading

By Kelly Jackson Higgins
DarkReading

Another reason to be careful what you post on Facebook:


All it takes is a simple Google search, and phishers and marketers can glean a treasure trove of private information based on relationships among Facebook "friends," according to new research.

Researchers from the U.K.'s University of Cambridge recently published a paper (PDF) detailing a project in which they developed a software tool to correlate and map Facebook profiles they found via public search engines, such as Google, to build detailed maps of relationships among Facebook members.

Continue Reading at DarkReading





Skimming, Cloning and Fraud in D.C. Restaurants

Washington D.C. Restaurants Become Credit Card Cloning Hot Spots | Threat Level from Wired.com

By Kevin Poulsen

Four former servers at three upscale Washington D.C. restaurants blocks from the White House were arrested last week for allegedly using covert skimming devices to clone customer credit card data, in a year-long counterfeiting operation that's put $750,000 in fraudulent charges on the plastic of Washington's elite.

Servers at Clyde's of Gallery Place, M&S Grill, and 701 Restaurant, along with Maryland workers at Carrabba's Italian Grill and the Gaylord Hotel, allegedly stole the card numbers. According to the Secret Service, the data wound up in the hands of 28-year-old Joseph Artemus Bush, III, a Maryland man who was repeatedly caught on surveillance video using counterfeit cards with the skimmed account numbers.


Bush's alleged MO was to purchase American Express gift cards at area Target and Walmart stores, then redeem them at high-end shops like Barney's of New York and Gucci. Last week he was charged with credit card fraud, along with two alleged confederates, Erick V. Burton and Aaron Gilbert. The four servers charged are Lavelle Denise Payne, Shannon Eileen McLaughlin, Jamaal Snowden and Simone Carrie Diane Folk.

With unobserved access to diners' credit cards, restaurant wait staff have long been the source of a steady stream of stolen magstripe data. It takes only a second to swipe a customer's card through a tiny skimming device, purchasable over the internet, which is easily concealed in a pocket or apron.

Corrupt servers are typically recruited by a ringleader who encodes the data -- like customer names and account numbers -- onto blank cards, in some cases turning out full blown replicas, complete with holograms. The servers often earn up to $50 per card if they work at an upscale eatery, down to just $10 each if, as in a recent Florida case, the cards were stolen from a Burger King.

The D.C. skimming ring was first spotted a year ago by Citibank, which noticed a froth of fraudulent transactions trailing legitimate card use at Clyde's, where cards skimmed by a single server wound up accounting for $107,000 in bogus charges.

The most prestigious, and recent, hot spot was 701 Restaurant, the clubby eatery where Hillary Clinton rang out her presidential campaign last June. Restaurant owner Ashok Bajaj says the Secret Service told him about the skimming earlier this month. According to court records, cash register logs tied $38,000 in fraudulent transactions to cards handled by server Lavelle Denise Payne from August 2008 until this month.

At the agency's request, Bajaj kept Payne on for another week while the government firmed up its case. "We watched her very carefully for that week," says Bajaj. "She was the nicest person. I don't know. Maybe this is a sign of the economy."

"It's very sad when people do these things," Bajaj adds. "I mean, she was making excellent money working at the restaurant. But I guess it's never enough."

Update March 31, 2009 | 12:30:00: A fifth server -- Vasha Monique Carter -- has been arrested in St. Augustine, Florida, and is scheduled for a preliminary hearing in Jacksonville on Wednesday. Like defendants McLaughlin and Folk, Carter is a former waitress at M&S Grill in D.C.


Blackberry Storm Boosts RIM's Results


Stock Surges Almost 23%
as 26 Million Devices Shipped in FY09
Published: 03-April-2009
By Steve Evans -
Computer Business Review

Research in Motion (RIM) has revealed revenue for fourth quarter of fiscal 2009 of $3.46bn (£2.33bn), up 84% year on year. Net income for the quarter stood at $518.3m (£350m), up from $412.5m (£278m) the previous year.

Revenue for the financial year ended February 28, 2009 was $11.07bn (£7.45bn), up 84% from $6.01bn (£4.06bn) the previous year. Net income for the year came in at $1.89bn (£1.27bn), a 46.3% increase from the previous financial year.

During FY09 Q4, RIM shipped about 7.8 million devices while about 26 million were shipped during the financial year, boosted no doubt by the release of the BlackBerry Storm, RIM’s first touchscreen smartphone, released in October 2008 in direct competition to Apple’s iPhone.


The Storm has certainly impacted on RIM’s financial results. Approximately 83% of revenue generated during the quarter was from devices, 12% was through services, 2% came from software and the remainder from other means.

The company also added 3.9 million new accounts during the quarter and its subscriber base now stands at roughly 25 million.

Jim Balsillie, Co-CEO at RIM, said: “We are very pleased to report another record quarter with standout subscriber growth that speaks volumes about the early success and momentum of our new BlackBerry products.

“RIM experienced an extraordinary year in fiscal 2009, shipping our 50 millionth BlackBerry smartphone and generating $11bn in revenue. Looking ahead into fiscal 2010, we see exceptional opportunities for RIM and its partners to leverage the investments and success of the past year to continue growing market share and profitability.”

Guidance for FY10 Q1 suggested revenue in the region of $3.3-$3.5bn.


Thursday, April 2, 2009

UATP to Accept UKash


UATP, the low cost travel payment network privately owned by the world's airlines, has been looking for alternative payment solutions to provide the global airline industry with access to the lucrative cash market.

Its deal with Ukash will open up air travel to a huge proportion of the world's population that are currently 'unbanked' or without credit or debit cards, as well as those that choose not to make purchases over the internet due to fears of online fraud and identity theft.

UATP, which works with over 250 airlines, is diversifying its product offering as it looks to attract new consumers and maintain demand for air travel in the difficult current economic climate.

Ukash customers exchange cash for a prepaid voucher containing a unique 19-digit number which is then used to pay online. As an online payment method, Ukash provides those without access to bank accounts with a viable, safe solution for spending their money over the Internet and offers a solution to the problem of credit card fraud.

The secure Ukash voucher number is used to pay online, and as it's prepaid the payment is assured to the merchant. No financial details are exchanged with the merchant, making Ukash increasingly attractive to online consumers concerned about data security.

"Working with UATP to offer Ukash to airlines around the world will bring considerable benefits. Carriers now have the option to accept risk-free payments from consumers in countries with low card penetration whilst reassuring their customers that online payments are safe," adds Ukash CEO Mark Chirnside.

"The growth of low cost carriers is putting air travel within reach of many more people so we're delighted to add Ukash to the range of payment methods we can offer our airline partners," comments Ralph Kaiser, CEO of UATP. "We want to remove the barriers to travellers getting online access to the best range of flights and other travel services so adding payment services like Ukash that are prepaid and preserve financial anonymity is a great move forward."

Consumers from across the world can purchase Ukash vouchers online, on mobile or at more than 275,000 stores globally.

About Ukash(TM)

Ukash(TM) is a globally-recognised e-commerce payment method to enable online purchases using cash, providing freedom from credit and debit card fraud, repudiations and charge-backs, and protecting personal identity.

Ukash(TM) is regulated by the UK Financial Services Authority (FSA) and operates as one of only a small number of Electronic Money Institutions, a status that allows a single maximum online cash payment transaction of up to 500 pounds sterling/750 euros.

Uniquely numbered Ukash(TM) vouchers are widely available through payment terminals in retail outlets across Europe and South Africa. In the UK, they are also available direct to mobile for Vodafone subscribers and from spring 2009, Ukash vouchers will also be issued online from the company's website in most European territories.

The technology behind Ukash is protected by several patents registered across the Smart Voucher database and functionality and is, as such, protected by Patent Law in all the major economies of the world. Ukash(TM) is a registered trademark of Smart Voucher Ltd.

In 2008, Ukash(TM) established a strategic partnership with South African payments giant Blue Label Telecoms to develop the brand's services.

For more information please visit http://www.ukash.com







Will Hannaford Breach Result in Trial?

Judge to decide if Hannaford data breach should go to trial | Portland Press Herald

The upcoming ruling will determine whether parts or all of the lawsuit against the company will go forward.
By TREVOR MAXWELL, Staff Writer April 2, 2009


PORTLAND — A federal judge said he will decide in the next few days whether supermarket giant Hannaford Bros. is potentially liable for damages because of a data breach that exposed more than 4 million credit and debit card numbers to computer hackers.

Judge D. Brock Hornby heard arguments on Wednesday at U.S. District Court. Attorneys for Hannaford asked the judge to dismiss the lawsuit, which was filed against the Scarborough-based company last year. Attorneys for the plaintiffs said Hornby should certify the case as a class-action suit and let it proceed toward trial.

The upcoming ruling will determine whether parts or all of the suit will go forward.

The case boils down to a couple of central questions: To what extent are merchants responsible for securing the electronic data that gets processed with every noncash purchase, and what should the consequences be when that data is stolen?

"These are fascinating and difficult issues," Hornby said after hearing the arguments Wednesday. "I'll get a written decision out to you as soon as I can."


Between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. The grocery chain operates more than 200 stores under various names in New England, New York and Florida.

More than 4 million card numbers were exposed, and by the time Hannaford publicly announced the breach, on March 17, 2008, about 1,800 fraudulent charges had been made.


Continue Reading at the Portland Press Herald


LinkedIn Users Prefer Online 8 to 1 Over Mobile Banking - NetBanker



LinkedIn Users Prefer Online 8 to 1 Over Mobile Banking
By Jim Bruene on 2009/04/01 17:49 Eastern Daylight Time
In a completely unscientific poll of 123 LinkedIn users I conducted about two hours ago, I found they overwhelmingly prefer the online channel over all others when accessing bank transaction data (see notes 1, 2, 3).

I was expecting mobile to be higher. But unless you have a new-generation smartphone and your financial institution supports mobile, it's unlikely to be your first choice. So given that mobile's only been widely available in the United States for about a year, a one-in-ten preference is a strong start. 

I also expected a bit more interest in the other choices: ATM, voice and social network, which only drew 3% of responses in total. Social networks went 0 for 123, showing that it's not yet viewed as a place to review financial data (note 4), at least among LinkedIn users. In a much differently worded poll of Facebook users a year ago, we found that 13% were willing to view their bank balance within the social network.

Q. All else being equal, how would you prefer to access bank transaction data?
[Chart: poll results by channel, not reproduced here]
Source: Netbanker/Online Banking Report poll of 123 U.S. LinkedIn users who self-selected to respond to the poll while logged in to LinkedIn; fielded between 1 and 2pm on 1 April 2009 using the in-network polling tool.

Notes:
1. The question is strictly limited to 75 characters, so I couldn't make it as precise as I would have liked. For instance, I would have liked to add "assuming it's secure" and "your personal" to "transaction data." It's possible some respondents were thinking more about global banking data than their own personal transactions. The poll also displayed "by Jim Bruene, Owner, Online Banking Report" in the lower-left, potentially biasing results.
2. LinkedIn users are given opportunities to respond to polls while logged in to the service. There is no financial benefit to taking the survey, but they do get to see results after taking it.
3. There were significant differences based on demographics; for instance, women were almost twice as likely to select "mobile." And zero men, and 4% of women, chose voice call as the preferred method. But due to the small sample size, these demographic breakdowns don't hold much weight. There also appear to be some mathematical errors in the demographic splits, so I'm not going to cite them further until LinkedIn cleans up its algorithms.
4. An interesting result, given the poll was conducted within a social network among social network users. Actually, "the branch" beat social networks, drawing one "write-in vote" in the poll comments (it was not one of the five choices). 
5. For more info on mobile banking see our latest Online Banking Report on Mobile Banking 2.0 -- iPhone Edition

Black Hat Researcher Hacks Database Servers

DarkReading.com

New tool to be unleashed at Amsterdam conference uses SQL injection to gain a foothold into the underlying database server

By Kelly Jackson Higgins - DarkReading

A researcher at Black Hat Europe this month will demonstrate a new hack that uses SQL injection as a stepping stone to take control of a database server.

"SQL injection becomes a stepping stone to the real target: the operating system," says Bernardo Damele Assumpcao Guimaraes, an IT security engineer based in London. "I will focus on exploiting SQL injection in a Web application to get control over the underlying OS," in addition to the database software, says the researcher, who goes by the surname Damele.

SQL injection is a popular attack vector in Web applications, (Editor's Note:  450,000 Attacks PER DAY!) mainly because it's one of the most common flaws found in these apps. Web application SQL injection attacks typically target client browsers, infecting them when the victim visits a compromised Website. Another SQL injection attack is on the database itself, via a Web application carrying that vulnerability.

But Damele's new hack kicks SQL injection up a notch, using it as a first level of attack to gain control of the database server itself, as well as any systems connected to it. That includes other servers in the same LAN, plus the data in the database itself. His attack goes after MySQL, Microsoft's SQL Server, and PostgreSQL running on Windows or Linux servers. "[This] possible scenario of attack for a SQL injection is the most overlooked and [under]researched," he says.

In one attack demo, Damele will show how to exploit a buffer overflow flaw in the database software by injecting valid SQL code. He has a few other attacks up his sleeve for Black Hat, too: "I will demonstrate other possible techniques to exploit other Windows design flaws to escalate privileges via a SQL injection," he says. "The idea is to take advantage of some of the design weaknesses of the database management system, and combine it with [weaknesses] in the programming development of the Web app to execute arbitrary code, upload binary infection files, and carry out also buffer overflow exploitation."  
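The article's point is that injection starts with a query built from untrusted input; everything that follows (database takeover, then the OS) rides on that first flaw. The example below is added here and is not code from the article or from Damele's tool. It builds a constructed in-memory SQLite table (sample names are made up), runs the same lookup once with string formatting and once with a bound parameter, and returns the row counts so the difference is measurable rather than described. The function names and the sample data are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo; not drawn from the article.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string formatting, so the input is parsed as SQL.

    This is the flaw the article describes: whatever the caller supplies becomes
    part of the query's grammar instead of a value compared against the column.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Same lookup with a bound parameter.

    The driver sends the value separately from the statement text, so the input
    is only ever compared to the column and cannot change the statement's shape.
    """
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both variants on the same input; return (vulnerable_rows, parameterized_rows)."""
    conn = make_db()
    try:
        return (len(lookup_vulnerable(conn, username)),
                len(lookup_parameterized(conn, username)))
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign name gives the same answer either way.
    print("bob ->", compare("bob"))                 # (1, 1)
    # A value carrying a quote and an always-true clause widens the formatted
    # query to every row; the parameterized query treats it as a literal name.
    print("tampered ->", compare("x' OR '1'='1"))   # (3, 0)
```

The bound-parameter form is the fix for the first step; the escalation the article describes (from query to database server to OS) also depends on what the application's database account is allowed to do, so running the web application under a least-privilege database login and leaving OS-level DBMS features disabled limits how far an injection can travel even when one slips through.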

Editor's Note:  Again I have to ask... when people's PINs are eventually obtained due to inherent weaknesses in ALL software, who has the liability?  'Cause it's going to be one helluva'n expensive breach... who pays the bill?

The consumers? No, they just get to go through two weeks of hell...

The merchants? They'll lose their cost of goods bought with the fake transactions, but, I don't think that hackers will be wasting their time buying goods when they can go straight to the ATM and get CASH. 

If they go straight to the ATM's the banks lose the cash, but then do they go after the EFT Networks to get it back?  It'll be one mell of a hess when it (or, I suppose in "fairness" I should say) "if" it happens...

Continue "DarkReading"




Well This Makes Me Feel Better

Battling against online fraud is an "escalating war," according to Katherine Hutchinson, senior director of global risk management for PayPal.

Every time companies set up a new roadblock to combat the problem, the fraudsters eventually find a way to work around the new obstacle. The arms race then ratchets up again over some other weakness in credit card payments.

At the Web 2.0 Expo Internet conference yesterday in San Francisco, Hutchinson painted a bleak portrait of the combat.

Boiler rooms filled with fraudsters who try to gain access to credit card numbers using a variety of means, from phishing e-mails to computer keystroke monitoring to software that guesses credit card numbers (Editor's Note: OR PINS), sometimes accurately, sometimes not; zombies, malware, bots, viruses, remote takeovers, DNS hijacking, the list goes on and on... and on.


Hutchinson had a few interesting points to share about fraud rates, based on the countries where the transactions originate.

Lowest risk:
1. Austria
2. New Zealand
3. Taiwan
4. Norway
5. Spain

Highest risk:
1. Ukraine
2. Yugoslavia (curious, since the country doesn't exist anymore)
3. Lithuania
4. Egypt
5. Romania 

Posted By: Verne Kopytoff (Email) | April 01 2009 at 03:11 PM


Payment Industry Swallows Its Own Tail

The following post, "Payment Card Industry Swallows Its Own Tail", is courtesy of Anthony Freed, Financial Editor of Information Security Resources.  I've gotten to know Anthony a little bit via the blogging community and have come to enjoy his unique style of writing. (He's a REAL journalist... while I'm aware of the fact that I'm just a third-rate blogger... okay... I digress... fourth-rate! (And to those who would disagree I would simply ask... c'mon, be nice... fifth-rate is a little harsh on me, is it not? :-) Anyway..., Mr. Freed wrote an article (which I'm sure you'll be able to find posted at a multitude of respected websites today) about the recent House of Representatives' Committee hearings on payment card security.  Personally... I abide by the belief that the Payment Card Industry Security Council does exponentially more good than bad, and after having personally met Bob Russo, I have no doubt he is on a mission to fully protect payment card data.  He's got a tough job.  There are a multitude of hackers, and they work 24/7/365... (unless it's leap year). Coincidentally, the only time I've ever posted the picture (above left) was the last post (On to the Next Breach) I covered from Anthony.  Based on the title of THIS POST... I had to use the same graphic.  Here's Anthony's article...

Payment Card Industry Swallows Its Own Tail

By Anthony M. Freed, Information-Security-Resources.com Financial Editor

PCI DSS, the self-regulatory set of guidelines that the payment card industry and retail merchants use to encourage financial information security, may well have entered its death throes Tuesday, as evidenced by revealing testimony during the House of Representatives’ Committee on Homeland Security hearings.

Why the dire prognosis?

Anyone who has been following the cascade of security failures plaguing the payment card industry in the last year, and punctuated by the still-shrouded breaches at RBS WorldPay (RBS) and Heartland Payment systems (HPY), has to acknowledge that there are major problems with security that need to be addressed pronto.

But the greatest threat to the survival of PCI DSS (Payment Card Industry Data Security Standard) may not be the ever-evolving tactics of the criminal hackers intent on a “big score,” but instead the dysfunctional nature of the relationships between the very parties the standards are meant to serve.

The squabbling and finger pointing displayed during the first quarter of 2009 within the industry itself has resulted in nothing less than a public relations nightmare in my opinion, as major card brands, processors, and merchants each seek to deflect responsibility onto the others.

Someone on the sidelines, intently watching the game, would have to wonder what the heck these people are thinking.
First, RBS WorldPay and Heartland maintain that because they had been PCI DSS compliant at some point before their systems were breached, they can essentially shrug off any culpability for the security lapses, offering only the caveat that they are doing the best they can with what they have.

Almost simultaneously, the PCI Security Standards Council was staunchly asserting that no company that suffers a breach can be considered PCI compliant - regardless of their being listed as in good standing with the council at the time of the breach.  From Securosis.com:
Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says.
Visa (V) echoed this sentiment in an interview with BankInfoSecurity.com:
“We’ve never seen anyone who was breached that was PCI compliant,” Phillips says without specifically naming - or excluding - Heartland. “The breaches that we have seen have involved a key area of non-compliance.”
To add to the confusion, Visa issued statements that RBS WorldPay and Heartland had been belatedly removed from the PCI Compliant list, in what has been widely considered to be merely legal maneuvering to effectively shield themselves from culpability while blocking the only alibi the processors have.
“It’s all legal maneuvering by Visa,” says Gartner security analyst Avivah Litan in an interview with ComputerWorld.com. “This is PCI enforcement as usual: They’re making the rules up as they go.”
This was apparently seen as an opportunity by some Heartland competitors to move in on some of Heartland’s clients, with reports of merchants being warned by other processors that they may be violating PCI compliance by continuing to do business with Heartland, and prompting Heartland to respond with threats of lawsuits.

Then, during Tuesday’s Congressional hearings, representatives of the merchant community, long thought to bear the brunt of security protocol “cram-downs” by the issuing brands, threw their hat into the ring in what now amounts to an industry free-for-all.  From Forbes.com:
Michael Jones, the chief information officer at the retail company Michael’s, testified that the PCI rules were “expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement.”
Now bear in mind, all of these factions are supposed to be on the same team, all working in unison to evolve ever more secure systems and thwart increasingly resourceful criminal hackers.
Is it any wonder that the future of PCI DSS is in question?

And what could possibly be worse than an entire industry at each other's throats in the midst of the biggest security problems it has faced to date?

Well, they could make enough of a brouhaha that they attract the attention of lawmakers, as they have succeeded in doing; lawmakers who have regularly demonstrated their intention of late to force industries of all stripes to cede to their “better judgment.”  Also from Forbes.com:
“I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”
This means that the PCI Security Council, keepers of the PCI DSS flame, have their work cut out for them if they want to remain the chief regulating body for PCI security. Maybe they left these issues to simmer on the back burner for too long, and maybe someone will be looking for a scapegoat.

It’s all uphill now.

During a phone call in early March with Lib de Veyra, VP of emerging technologies at JCB International and recently named Chair of the PCI Security Council, I expressed my concern over the state of relations between the various elements that make up the payment card industry.

I likened the public displays of policy incongruity, and the tendency of all interested parties to respond to news of security lapses by rushing to throw each other under the bus, to the image of a snake swallowing its own tail.
I expressed concern by offering my opinion that the biggest threat to PCI DSS does not come from the endless supply of criminal hackers the industry will certainly face in perpetuity, but instead comes from the fractured portrait of an industry in crisis, and its inability to effectively manage itself.

That was one long month ago, and the opportunity to avert the creation of a new regulatory body to oversee PCI may have already come and gone, which is most unfortunate for everyone concerned.
PCI DSS is not broken, but the collective will to make it an effective standard for security just might be.

Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com








Wednesday, April 1, 2009

Cybercrime Jumps by a Third (33%) Last Year

Web crime jumps by a third last year

By Carol Cratty
CNN Senior Producer


WASHINGTON (CNN) -- Internet-based rip-offs jumped 33 percent last year over the previous year, according to a report from a complaint center set up to monitor such crimes.
The report said that about 77.4 percent of perpetrators of Internet fraud were men.


The total dollar loss from those crimes was $265 million. That's $26 million more than the price tag in 2007, the National Internet Crime Center said. For individual victims, the average amount lost was $931.

"This report illustrates that sophisticated computer fraud schemes continue to flourish as financial data migrates to the Internet," said Shawn Henry, the FBI's assistant director of the Cyber Division.

Americans filed 275,284 reports claiming to be ripped off on the Internet, the highest number reported since the center began keeping statistics in 2000.

The dollar loss has been on a steady increase since 2004, while the number of cases referred to law enforcement has decreased steadily since that same year.

Continue Reading at CNN

Credit Card Data Inadequately Protected - Retailers

Retailers: Credit card data inadequately protected

by Stephanie Condon

WASHINGTON--The self-regulatory system credit card companies have created to protect consumer data sacrifices some consumer protections for the sake of conveniencing the credit card companies and their financial institution partners, retail representatives told Congress Tuesday.

In light of recent data breaches that have compromised consumer information, such as the potentially massive 2008 Heartland Payment Systems breach, some congressmen are questioning whether the Payment Card Industry Data Security Standards, created and regulated by credit card companies, are sufficiently protecting information.

The credit card industry maintained at a congressional hearing Tuesday that self-regulation is effective, pointing out that since the PCI standards were published, security breaches have occurred only when an entity is not fully in compliance with the standards.

"I have no doubt that compliance to PCI standards is the best line of defense," said Robert Russo, director of the PCI Data Security Standards Council. "We have never found a breached entity to be in full compliance at the time of breach."

Yet representatives of the retail industry told a panel of the House Homeland Security Committee that when the credit card industry established the PCI standards in 2004, it did so mainly to reallocate its own fraud costs.

"In our view, if you peel off all the layers around PCI data security standards, you will see it for what it is," said Dave Hogan, senior vice president and chief information officer for the National Retail Foundation. "In significant part, (it is) a tool to shift risk off the banks' and credit card companies' balance sheets and place it on others."

Continue Reading at CNet News


PayPal Says Online Fraud Rising - WSJ Blog

Web 2.0 Expo: PayPal Says Online Fraud Rising in Recession - Digits - WSJ
By Geoffrey A. Fowler

EBay’s PayPal kicked off the Web 2.0 Expo in San Francisco Wednesday with a frightening presentation on the “arms race” between online fraudsters and online retailers and shoppers.

Online fraud is becoming so lucrative, said Katherine Hutchison, PayPal’s senior director of global risk management, that it has developed into an industry with specialized players that hire each other in areas such as harvesting credit card numbers and freight forwarding. “A single professional thief doesn’t have to have all of the skills needed to commit fraud,” she said.

Here’s one trick: fraudsters use telephone services designed for the deaf to get an operator with a friendly (and middle-American) sounding voice to make calls on their behalf to a call center. “The telephone operator could realize this is very likely to be fraud, but they are legally blocked from saying anything other than what the person placing the call tells them to say,” said Hutchison.

Old techniques to track down fraudsters are becoming less helpful, she added. For example, e-commerce sites regularly check the location of an IP address making a purchase to see if they’re coming from a known high-risk place or see if they’re trying to buy something far away from where they’re asking for it to be delivered. But increasingly fraudsters hide their location by using satellite-based Internet service providers, or use “zombie” computers to reroute their traffic so it looks like it is coming from someplace harmless.

Worse, the recession seems to be contributing to the problem. Hutchison said that consolidation of the banking industry has confused consumers and made many of them susceptible to attacks from fraudsters who got them to hand over account information by pretending to be from a new bank that needed to confirm their address and other account details.

Layoffs of technically minded people around the world are also contributing to a spike in sophisticated online fraud, she said. “You always see white collar crime go up when we have a recession,” said Hutchison.

PayPal makes money by selling a transaction service to e-commerce sites and consumers that makes them feel more secure with online sales, so the company has a stake in all this. But Hutchison admits that efforts to stop fraud can cause problems for businesses if they go too far, by annoying or turning away legitimate customers, especially outside of the U.S.

“There are some legitimate Nigerian shoppers, but it is very difficult to shop on the Internet if you live in Nigeria,” said Hutchison.
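The IP-location versus ship-to distance check Hutchison describes, and the way a proxied, "zombie"-relayed or satellite-routed address defeats it, as an added example that is not part of the WSJ article or of PayPal's own systems. The geolocation table, the high-risk country list, the 1500 km threshold, the score weights and the decision bands are all constructed for illustration (the address ranges are documentation and benchmark ranges, not real ISPs); a real deployment would query a prefix-keyed geolocation database and tune the weights from chargeback data.

```python
"""Toy IP-geolocation / ship-to distance check of the kind described above.

Added example, not PayPal's code. GEO_TABLE, HIGH_RISK_COUNTRIES, DISTANCE_KM,
the score weights and the decision bands are constructed for illustration.
"""
import ipaddress
import math

# Constructed lookup: prefix -> (lat, lon, ISO country, location_unreliable).
# The last flag marks ranges whose geolocation cannot be trusted (proxy egress,
# satellite ISP, compromised "zombie" relays): the real buyer could be anywhere.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): (40.71, -74.01, "US", False),  # "New York" residential
    ipaddress.ip_network("198.51.100.0/24"): (48.86, 2.35, "FR", False),   # "Paris"
    ipaddress.ip_network("192.0.2.0/24"): (6.52, 3.38, "NG", False),       # "Lagos"
    ipaddress.ip_network("198.18.0.0/15"): (39.0, -98.0, "US", True),      # "satellite/proxy egress"
}
HIGH_RISK_COUNTRIES = {"NG"}   # constructed; a real list is tuned from chargeback data
DISTANCE_KM = 1500.0           # constructed threshold for "far from the ship-to address"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def geolocate(ip):
    """Longest-prefix match of ip against GEO_TABLE; None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, rec in GEO_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rec)
    return best[1] if best else None


def score_order(ip, ship_lat, ship_lon):
    """Return (risk_score, reasons) for a purchase from ip shipping to (ship_lat, ship_lon).

    Scores are additive and constructed: 0 = no signal, higher = riskier.
    """
    rec = geolocate(ip)
    if rec is None:
        return 50, ["ip_unlocatable"]
    lat, lon, country, unreliable = rec
    if unreliable:
        # The satellite/proxy case from the article: the table has coordinates,
        # but using them would either fire the distance rule spuriously or, if
        # the relay sits near the victim, make the fraud look local. Treat the
        # location as unknown rather than trusting it.
        return 40, ["ip_location_unreliable"]
    score, reasons = 0, []
    if country in HIGH_RISK_COUNTRIES:
        score += 40
        reasons.append("ip_high_risk_country")
    dist = haversine_km(lat, lon, ship_lat, ship_lon)
    if dist > DISTANCE_KM:
        score += 30
        reasons.append("ip_far_from_ship_to")
    return score, reasons


def decision(score):
    """Map a score to the action a risk engine would take (constructed bands)."""
    if score >= 60:
        return "decline"
    if score >= 30:
        return "manual_review"
    return "approve"


if __name__ == "__main__":
    NEW_YORK = (40.73, -73.99)   # constructed ship-to address
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.44", "198.18.5.5", "8.8.8.8"):
        s, why = score_order(ip, *NEW_YORK)
        print(f"{ip:>15} -> {s:3d} {decision(s):14s} {why}")
```

The unreliable-location branch is the point of the article's caveat: once the source address belongs to a relay, the distance rule carries no information, and a naive engine that still computed the distance would either block a legitimate satellite subscriber or wave through a fraudster whose zombie host happens to sit in the victim's city. In practice the geolocation signal is only one input, combined with others the article does not cover, and the "high-risk country" weight is exactly the kind of rule that turns away the legitimate Nigerian shoppers Hutchison mentions.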






On Terrorism and Credit Card Fraud

Counterterrorism Blog: My Written Statement for Congress on Credit Card Use by Terrorists

By Andrew Cochran

Yesterday, the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the U.S. House Committee on Homeland Security held a hearing titled, "Do the Payment Card Industry Data Standards Reduce Cybercrime?" The subject of the hearing was to examine whether data security requirements for businesses that store, process, or transmit personal information during Internet payments provide sufficient protection against data breaches, fraud, and terrorism. The subcommittee invited me to submit a written statement on the use of credit cards by terrorists. My statement quoted from and summarized posts by Contributing Experts Dennis Lormel, Matthew Levitt, and Michael Jacobson, and included information from our panel on February 29, 2008, “Meta-Terror: Terrorism and the Virtual World,” with Contributing Experts Evan Kohlmann and Roderick Jones and the Senior Vice President and Chief Technology Officer of VeriSign. You can download my three-page statement, and here is an excerpt:

Credit cards are extremely vulnerable to fraud and are used extensively by terrorists. The internet not only serves as a learning tool for terrorists but also functions as a mechanism to steal credit card information through hacking, phishing and other means. In many instances, when terrorist operatives are apprehended, they have multiple identifications and credit cards in a variety of names in their possession. The terrorists who executed the devastating 2004 Madrid train bombings, which killed almost 200 people, and who carried out the deadly July 7, 2005, attacks on the transportation system in London were self-financed, in part through credit card fraud.

Younes Tsouli, aka “Terrorist 007,” and his two associates, Waseem Mughal and Tariq al-Daour, used computer viruses and stolen credit card accounts to set up a network of communication forums and web sites that hosted everything from tutorials on computer hacking and bomb making to videos of beheadings and suicide bombing attacks in Iraq. They raised funds through credit card information theft and fraud, which were used to support the communications, propaganda and recruitment for terrorists worldwide, as well as to purchase equipment for Jihadists in the field. One expert described their activities as “operating an online dating service for al-Qaeda.” The three men pled guilty to inciting terrorist murder via the internet.

• Stolen credit card numbers and identities were used to buy web hosting services. At least 72 stolen credit card accounts were used to register more than 180 web site domains at 95 different web hosting companies in the U.S. and Europe.
• On one computer seized from al-Daour’s apartment, some 37,000 stolen credit card numbers were found. Alongside each credit card record was other information on the identity theft victims, such as the account holder’s address, date of birth, credit balances and limits.

You can download the testimony by the witnesses from the hearing website. I appreciate this opportunity and thank the subcommittee chairwoman, Rep. Yvette Clarke, for the invitation.
April 1, 2009 06:20 AM






40% of S/M Banks Unhappy with ACH System in North America


Finextra: 40% of small to mid-size North American banks not happy with ACH system - survey

01 April 2009

Almost 40% of small and mid-sized banks in North America are not happy with their current ACH system, according to a survey for Fundtech.

The independently conducted survey of 70 payments professionals shows 60% of banks have seen an increase in revenue from ACH transactions over the last year and 48% recognise the potential of their systems as a source of revenue and competitive advantage.

However, the need for more sophisticated reporting and functionality in order to meet market, regulatory and economic demands, is putting pressure on banks' existing ACH systems, claims the vendor.

Half of respondents say inadequate reporting is an area of concern in relation to their ACH systems, whilst 27% cite insufficient automation.

Continue Reading at Finextra





Mazooma and DataCash Partner


DataCash, the U.K.'s market-leading payments service provider, announced a partnership with Mazooma, the first real-time online debit payment solution for U.S. consumers.

DataCash will offer Mazooma as a payment option for its global merchants. With Mazooma, DataCash merchants can offer their U.S. customers a secure option to pay with cash online.

Mazooma enables customers to make online purchases without a credit card by using their Internet bank account. The system does not require pre-registration, which means that customers can use it immediately. Merchants in turn get instant authorization that allows them to ship the order at once. At present Mazooma supports over 70% of all consumer bank accounts in the U.S. and has no jurisdictional limitations.

DataCash works with about 1,000 merchants across the globe and provides them with a single interface to process payments both on and offline. Its portfolio includes worldwide merchants from the retail, travel and telecommunications sectors.












