Wednesday, April 22, 2009

Name Your Poison and Cache In

From now on, every time you see the graphic on the left, expect to read a post or article about why banks need to get rid of the username: password: routine.  It ain't safe!!!  Here's another example why...

Complete item: http://www.theregister.co.uk/2009/04/22/bandesco_cache_poisoning_attack/

One of Brazil's biggest banks has suffered an attack that redirected its customers to fraudulent websites that attempted to steal passwords and install malware, according to an unconfirmed report.

According to this Google translation of an article penned in Portuguese, the redirection of Bradesco was the result of what's known as a cache poisoning attack on Brazilian internet service provider NET Virtua.

DNS cache poisoning attacks exploit weaknesses in the internet's domain name system. ISPs that haven't patched their systems against the vulnerabilities are susceptible to attacks that replace the legitimate IP address of a given website with a fraudulent number. End users who rely on the lookup service are then taken to malicious websites even though they typed the correct domain name into their browser.
"That's pretty serious when you're talking about a banking organization," said Paul Ferguson, a security researcher with anti-virus provider Trend Micro. "If people are trying to log in to their account and they get rejected, they'll try again and again with the same user name and password."
DNS cache poisoning has been around since the mid 1990s, when researchers discovered that DNS resolvers could be flooded with spoofed IP addresses for sensitive websites. The servers store the incorrect information for hours or days at a time, so the attack has the potential to send large numbers of end users to fraudulent websites that install malware or masquerade as a bank or other trusted destination and steal sensitive account information.

In 1998, Eugene E. Kashpureff admitted to federal US authorities that on two occasions the previous year he used cache poisoning to divert traffic intended for InterNIC to AlterNIC, a competing domain name registration site that he owned.

Makers of DNS software were largely able to prevent the attacks by adding pseudo-random transaction ID numbers to lookup requests that must be included in any responses. Then, last year, IOActive researcher Dan Kaminsky revealed a new way to poison DNS caches, touching off a mad scramble by the world's ISPs to fix the vulnerability before it was exploited.

The article from Globo.com cited a Bradesco representative who said that about 1 percent of the bank's customers were affected by the attack. It went on to suggest that customers who were paying attention would have noticed Bradesco's secure sockets layer certificate generated an error when they were redirected to the fraudulent login page.

Interestingly, it also said that a domain used for Google Adsense was redirected to a site that used malicious Javascript to install malware on redirected machines. The attacks have since been resolved, the article stated.

It's still not clear exactly how the caches were tainted. Representatives for the ISP and the bank hadn't responded to requests for comment at time of publication.

For more details :
http://translate.google.com/translate?prev=hp&hl=en&js=n&u=http%3A%2F%2Fg1.globo.com/Noticias/Tecnologia/0,,MUL1088103-6174,00-ATAQUE+LEVA+CLIENTES+DO+VIRTUA+A+SITE+CLONADO+DE+BANCO.html
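The transaction-ID and source-port checks the article describes, as an added example that is not from the article or any real resolver: a toy Python cache that only accepts a reply whose ID and port match an outstanding query, that answers the question asked, and whose extra records stay inside a (simplified, assumed) bailiwick of the queried name. All names and addresses are constructed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Query:
    qname: str
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # UDP source port the query went out on


@dataclass
class Response:
    qname: str
    txid: int
    dst_port: int
    answers: dict                     # name -> IPv4 address
    additional: dict = field(default_factory=dict)


class Resolver:
    """Toy caching resolver that validates replies before caching them."""

    def __init__(self):
        self.cache = {}       # name -> address
        self.pending = {}     # (txid, port) -> Query awaiting a reply
        self.rejected = []    # (reason, name) tuples, i.e. an audit log

    def send_query(self, qname):
        # Randomise both the transaction ID and the source port.  With a fixed
        # port only the 16-bit ID protects the cache; a random port adds
        # roughly 16 more bits that a forged reply would have to match.
        q = Query(qname, secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512))
        self.pending[(q.txid, q.src_port)] = q
        return q

    @staticmethod
    def bailiwick(qname):
        # Simplified assumption: a reply may only add records for the parent
        # of the queried name (www.example.com -> example.com).
        return qname.split(".", 1)[1] if "." in qname else qname

    def receive(self, r):
        q = self.pending.get((r.txid, r.dst_port))
        if q is None:
            self.rejected.append(("txid/port mismatch", r.qname))
            return False
        if r.qname != q.qname:
            self.rejected.append(("question mismatch", r.qname))
            return False
        del self.pending[(r.txid, r.dst_port)]
        zone = self.bailiwick(q.qname)
        for name, addr in r.answers.items():
            if name == q.qname:
                self.cache[name] = addr
            else:
                self.rejected.append(("answer for wrong name", name))
        for name, addr in r.additional.items():
            if name == zone or name.endswith("." + zone):
                self.cache.setdefault(name, addr)
            else:
                self.rejected.append(("out-of-bailiwick glue", name))
        return True

    def resolve(self, qname):
        return self.cache.get(qname)


def demo():
    """Constructed scenario: one honest reply, one forged, one smuggling glue."""
    r = Resolver()
    q = r.send_query("www.example.com")
    ok = r.receive(Response("www.example.com", q.txid, q.src_port,
                            {"www.example.com": "192.0.2.10"},
                            {"ns1.example.com": "192.0.2.53"}))
    q2 = r.send_query("mail.example.com")
    # A reply whose guessed transaction ID is off by one never reaches the cache.
    forged = r.receive(Response("mail.example.com", (q2.txid + 1) % 65536, q2.src_port,
                                {"mail.example.com": "198.51.100.66"}))
    # A matching reply is accepted, but its unrelated extra record is dropped.
    smuggled = r.receive(Response("mail.example.com", q2.txid, q2.src_port,
                                  {"mail.example.com": "192.0.2.25"},
                                  {"www.example.org": "198.51.100.66"}))
    return ok, forged, smuggled, dict(r.cache), list(r.rejected)
```

The `rejected` list is the part a defender would ship to a log: a burst of "txid/port mismatch" entries for one name is the visible trace of a guessing attempt.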

I'll Give You $10k for Your Nokia 1100!

Why?  Cause I can sell it for $25k.  No...scroll down further...I can sell it for $32k.  Of course if you hooked up our device to your phone, and swiped your card and entered your PIN (ONE TIME) that phone would be a secure payment terminal.  I've gotten a few emails regarding hooking up our device to a mobile phone and wanted to clarify.  You would only need to swipe and enter your PIN "one time" to morph your phone into a secure payment device.  Not every time you wanted to purchase something.  I'll have more on this in future posts, but in the meantime, if you've got a Nokia 1100 let me know!

Complete item: http://www.theregister.co.uk/2009/04/21/nokia_1100_scam/

Description:
Scammers are reportedly prepared to pay $25,000 for German Nokia 1100 handsets, on the basis that they can be reprogrammed to intercept SMS messages and thus crack banking security.

The claim comes from Ultrascan, a security association that generally follows up 419 scams and ID theft. Ultrascan tells us it was approached by Dutch police concerned that the price of a second-hand Nokia 1100 was unexpectedly rising. The company subsequently discovered that buyers were interested in a security flaw that makes the German version of the handset worth so much, though the technical background remains obscure.

The supposed exploit is based around codes - mTAN - that are sent to customers over SMS and are unique to each mobile-banking transaction. The premise is that criminals have "thousands" of login details and just lack these single-use codes, so are trying to get hold of Nokia 1100 handsets to intercept them.

The problem with this hypothesis is that the GSM security model is managed by the SIM, which colludes with the network's authentication server to create an encryption key which is made available to the handset. Communications can only be intercepted by getting hold of that key, or breaking the encryption itself, neither of which is easier to do while in possession of a Nokia 1100, German or otherwise.

We put these technical issues to Ultrascan who told us that they "did not investigate [the technical] part", but are hoping to get hold of a '1100 for testing in the next few days to see what is possible.

In the early days of GSM some operators introduced a critical flaw (zeros) into early versions of GSM cryptography, to enable the use of cheaper SIMs, but almost all operators have since upgraded to proper security and 3G networks have open algorithms that are well known to be pretty secure. Some countries, such as Pakistan, aren't permitted to use cryptography so still suffer from SIM-cloning and the like, but such places don't generally offer mobile banking for obvious reasons.

Ultrascan say they'll be in touch when they have more technical details, but for the moment it's beyond us how one phone can intercept calls made to a different SIM, and it seems more likely that one scammer is simply ripping off another with promises of magic handsets.


Complete item: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9131906&source=NLT_SEC

Description:
The mystery why cybercriminals want a discontinued Nokia phone isn't getting any clearer. Hackers have been offering up to $32,413 in underground forums for Nokia 1100 phones made in the company's former factory in Bochum, Germany. The phone can allegedly be hacked so as to facilitate illegal online banking transfers, according to the Dutch company Ultrascan Advanced Global Investigations.

Nokia said on Tuesday it is not aware that resale prices for a phone that retailed for less than $17 when it debuted in 2003 have risen so high. Further, Nokia maintains the phone's software isn't flawed.

"We have not identified any phone software problem that would allow alleged use cases," the company said in an e-mailed statement.

The 1100 can apparently be reprogrammed to use someone else's phone number, which would also let the device receive text messages. That capability opens up an opportunity for online banking fraud.

In countries such as Germany, banks send an mTAN (mobile Transaction Authentication Number) to a person's mobile phone that must be entered into a Web-based form in order to, for example, transfer money into another account. A TAN can only be used once, a security feature known as a one-time passcode.

Criminals have proven adept at obtaining people's usernames and log-ins for online bank accounts, either through tricking people into visiting look-alike bank Web sites, through clever e-mail messages or simply hacking PCs.

European banks typically issue customers a list of TANs, but phishers tricked people into revealing those. Deutsche Postbank used to accept any TAN from the list to complete a transaction. Then the bank moved to requesting specific TANs from the list. After continuing fraud, it decided in 2005 to expand the use of mTANs.

"The mTAN is valid only for the requested transfer and only for a short period," according to the bank's Web site. "It thus has no value for a fraudster."

That is, unless the hacker could also receive the mTAN, which the Nokia 1100 hack allegedly allows.

Nokia said it doesn't know of an 1100 software problem that would allow call spoofing. The company said that a phone's SIM (Subscriber Identity Module) card -- which holds the device's phone number -- has security mechanisms that are separate from the phone itself.

Nokia said it is aware of commercial services that claim to provide caller identification or phone-number spoofing services, but in those cases the service provider acts as a proxy between the caller and the recipient, Nokia said.

But it is possible to have multiple phones running on a service provider's network that use the same phone number, said Sean Sullivan, a security adviser at F-Secure Corp., a security vendor in Helsinki, Finland. Usually, the last phone that used the network will be the one that receives inbound messages, he said.
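The three mTAN properties the article quotes (single use, bound to the requested transfer, valid only briefly), as an added example that is not from the article or any bank's system: a toy Python issuer that ties each code to the transfer details and refuses a code that is replayed, expired, or presented with altered details. The clock, account, IBANs and amounts are constructed.

```python
import hashlib
import hmac
import secrets
import time


class MtanService:
    """Issues transaction-bound one-time codes and checks them on redemption."""

    TTL_SECONDS = 300          # constructed value: the code dies after 5 minutes

    def __init__(self, clock=time.time):
        self.clock = clock
        self.issued = {}       # code -> (digest of transfer details, expiry)

    @staticmethod
    def _bind(account, beneficiary_iban, amount_cents):
        # The code is tied to exactly this transfer; change any field and the
        # digest no longer matches.
        detail = f"{account}|{beneficiary_iban}|{amount_cents}".encode()
        return hashlib.sha256(detail).hexdigest()

    def issue(self, account, beneficiary_iban, amount_cents):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.issued[code] = (self._bind(account, beneficiary_iban, amount_cents),
                             self.clock() + self.TTL_SECONDS)
        # The SMS repeats the beneficiary and amount so the customer can spot a
        # transfer they did not request before typing the code into the form.
        sms = (f"mTAN {code} for {amount_cents / 100:.2f} EUR to "
               f"IBAN ending {beneficiary_iban[-4:]}")
        return code, sms

    def redeem(self, code, account, beneficiary_iban, amount_cents):
        entry = self.issued.pop(code, None)     # single use: gone after one attempt
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            return False
        return hmac.compare_digest(digest, self._bind(account, beneficiary_iban, amount_cents))


def demo():
    """Constructed scenario; returns the outcome of each redemption attempt."""
    now = [1_700_000_000.0]                 # fake clock so expiry is testable
    svc = MtanService(clock=lambda: now[0])
    acct = "cust-0001"
    legit_iban = "DE89370400440532013000"   # constructed example IBAN
    mule_iban = "DE02120300000000202051"    # constructed example IBAN

    # 1. The code is known to someone holding stolen logins, but the transfer
    #    details they submit differ from the ones the code was issued for.
    code, sms = svc.issue(acct, legit_iban, 12500)
    tampered = svc.redeem(code, acct, mule_iban, 12500)

    # 2. Honest redemption, then a second use of the same code.
    code, _ = svc.issue(acct, legit_iban, 12500)
    honest = svc.redeem(code, acct, legit_iban, 12500)
    replay = svc.redeem(code, acct, legit_iban, 12500)

    # 3. Code presented after the validity window has closed.
    code, _ = svc.issue(acct, legit_iban, 12500)
    now[0] += MtanService.TTL_SECONDS + 1
    expired = svc.redeem(code, acct, legit_iban, 12500)

    return {"tampered": tampered, "honest": honest, "replay": replay,
            "expired": expired, "sms": sms}
```

Note what this design does not protect against: a code delivered to a handset the fraudster controls, used with the exact details the customer requested, still redeems, which is why the Nokia 1100 story caused concern.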


Web Site Redirects for Coke, Microsoft and HSBC

This is just the tip of the iceberg as to what we can expect in the near future.  Again, bank websites are most at risk of these DNS hijacks and as long as they continue to use what many consider to be the obsolete "username, password" they continue to needlessly put their online banking customers at risk.  It isn't hard to imagine a scenario whereby a bank website is cloned and its DNS hijacked.  The bank's customer, completely unaware, enters their username and password into the box.  The bad guys now go to the "real" site, enter the username and password and "voilà": complete unfettered access to that individual's account.

Of course, if Banks used HomeATM's PCI 2.0 certified SafeTPIN Pin Entry Device for secure 2FA (2 factor authentication) log-in, a cloned website would NOT work.  The unsuspecting banking customer would be redirected to the "hijacked" site, but instead of a username/password log-in they would be instructed to swipe their card and enter their PIN.  Since the information is encrypted inside the SAFETPIN (instead of the browser) the bad guys wouldn't have anything with which to get into the genuine site.  Same thing with cloned cards.  They wouldn't work.

Same thing with phishing....which costs banks $350 a pop.  I'll give you 10 SafeTPINs for $350 and reduce your phishing attacks to zero.  Click on the graphic on the right about phish-stick-tistics as to why that would be the best investment a bank could make.

Here's the article about the DNS hijacking...

Source: Zone-h
Complete item: http://www.zone-h.org/news/id/4708

Description:
Some Turkish defacers broke into the New Zealand based registrar Domainz.net (which belongs to MelbourneIT) and redirected some of their customers' high profile web sites to a third party server with a defaced page. Companies which had their New Zealand web sites defaced include Microsoft, HSBC, Coca-Cola, F-secure, Bitdefender, Sony and Xerox.

The hacked websites carried the messages: "Hacked by Peace Crew" ,"STOP THE WAR ISRAEL". In addition the crackers inserted a picture of Bill Gates creampie'd on the Microsoft defacements.

It is interesting to note that the attacker going by the handle of "agd_scorp", a member of Peace Crew, hacked a large number of MSN and microsoft.* web sites in the past (Microsoft Canada, Morocco, Tunisia, Austria, Ireland... MSN Israel, Korea, Spain, Denmark, China, Norway...).

This time they exploited a simple SQL Injection vulnerability to hack the administration panel of the registrar, where they modified the DNS records of the domains. Again, it is quite scary to see how such a big company can get hacked because of a famous programming vulnerability.

Registrars have been one of the main aims during the past months as they are often the weakest link and an easy target for attackers who want to hijack high profile web sites.

E-Secure-IT
https://www.e-secure-it.com
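The class of bug the Zone-h item blames, shown as an added example that is not the registrar's code: a constructed in-memory stand-in for a registrar admin database with a login that concatenates the username into SQL beside the parameterised version, plus a record update that follows the same discipline. Table names, the admin password and the DNS record are all made up.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-demo-salt"   # a real system uses a random per-user salt


def hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def make_registrar_db():
    """Constructed in-memory stand-in for a registrar's admin database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("CREATE TABLE dns_records (domain TEXT, rrtype TEXT, value TEXT)")
    db.execute("INSERT INTO admins VALUES (?, ?)",
               ("admin", hash_pw("correct horse battery")))
    db.execute("INSERT INTO dns_records VALUES (?, ?, ?)",
               ("example.co.nz", "A", "192.0.2.1"))
    return db


def login_vulnerable(db, username, password):
    # Credentials spliced into the SQL text: whatever is typed as the username
    # is parsed as SQL, so a quote and a comment marker end the WHERE clause.
    sql = (f"SELECT 1 FROM admins WHERE username = '{username}' "
           f"AND pw_hash = '{hash_pw(password)}'")
    return db.execute(sql).fetchone() is not None


def login_fixed(db, username, password):
    # Parameterised query: the driver passes the value separately from the SQL,
    # and the password check happens in code with a constant-time compare.
    row = db.execute("SELECT pw_hash FROM admins WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_pw(password))


def set_a_record(db, domain, value, authenticated):
    # DNS changes go through the same parameterised discipline and are refused
    # without an authenticated session; returns the stored value afterwards.
    if not authenticated:
        raise PermissionError("not logged in")
    db.execute("UPDATE dns_records SET value = ? WHERE domain = ? AND rrtype = 'A'",
               (value, domain))
    return db.execute("SELECT value FROM dns_records WHERE domain = ? AND rrtype = 'A'",
                      (domain,)).fetchone()[0]
```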


Blogging Has Come a Long Way

Blogging Has Come a Long Way, Baby

APRIL 22, 2009
Blogging ain’t what it used to be.

If yesterday’s blogs were about personal expression, today’s are about two-way conversations that take place on many fronts: independent, standalone blogs; social networks; e-commerce and mainstream media sites; and microblogging platforms such as Twitter.

“This blogging activity presents new opportunities for marketers to influence—and monitor—conversations that may be relevant to their businesses,” says Paul Verna, eMarketer senior analyst and author of the new report, The Blogosphere: A-Twitter with Activity. “These conversations will continue to happen with or without participation from marketers, but those who join in—whether through their own sites or through a brand presence on independent ones—will have a place at the table.”

And the opportunities are large—larger than many people and pundits expected only a few years ago.

“Blogs are now mainstream media,” said Richard Jalichandra, CEO of Technorati. “You’re also seeing mainstream media coming in the other direction by adding blog content.”

This point of view is echoed by David Tokheim, of Six Apart Media. “The lines are becoming blurred between a standalone blog that might be created on TypePad or Blogger or WordPress and blog content that’s created by The New York Times.”

Currently, 27.9 million US Internet users have a blog they update at least once per month, and they represent 14% of the Internet population. By 2013, 37.6 million users will update their blogs at least monthly.

Several sources put the number of US bloggers even higher (Note: Though often reported in 2009, the estimates are for 2008.)  Even more important than the number of bloggers, though, is the number of blog readers.

eMarketer estimates that in 2009 96.6 million US Internet users will read a blog at least once per month. By 2013, 128.2 million people, or 58% of all US users, will do the same.

“Blog sites now touch tens of millions of people in the US, and the numbers of blog readers and creators are projected to continue growing,” says Mr. Verna.  The numbers tell the tale—or long tail, if you prefer.

“Blogging activity presents new opportunities for marketers to monitor and influence conversations relevant to their businesses,” says Mr. Verna. “Opportunities no marketer should ignore.”

Before you read your next blog, or tweet, download the new eMarketer report, The Blogosphere: A-Twitter with Activity.


On Online Banking

Source: Finextra
Complete item: http://www.finextra.com/fullstory.asp?id=19946

Description:
The number of US online banking customers continued to grow at a steady rate throughout 2008 as customers looked to keep a close eye on their finances during the recession, according to research from Web metrics firm comScore.

The study found the growth in the number of customers at the 10 most-visited online banks hardened in 2008 as financial institutions became more aggressive in their customer acquisition efforts, after weak gains the previous year.

Over 51 million Americans visited one of the top ten online banking sites in the fourth quarter of 2008, around four million more than in the same period the previous year.

ComScore says nearly 60% of the total US Internet population now visits any one of the top 20 financial institutions' sites in any given quarter.

The study also examined customer satisfaction with online services and a survey of over 4800 US adults shows 71% are "highly satisfied" with their primary online bank - just one per cent down on the previous year.

Satisfaction with credit card issuers also held steady at 62%, compared to 65% the previous year.

However, brokerage firms saw their highly satisfied customers decline from 70% of respondents in 2008 to 58% in 2009.

And You Say You Want Software Internet PIN Debit?

Back in 2002, a company called ATMDirect was hyping their software based Internet PIN Debit platform...but nobody listened.  Eventually they went bankrupt and Pay By Touch bought their assets out of bankruptcy.

Pay By Touch pushed ATMDirect but nobody listened. (okay Accel Exchange did do a pilot with JPaul)  Then Pay By Touch went bankrupt...and ATMDirect's assets went up for sale AGAIN!

Not a single payments entity placed a bid.  Not Paypal (who paid almost a billion for eBillMe) not a single EFT Network, no alternative payment company whatsoever even showed a hint of interest.

Finally, it was purchased for a measly $600k, including blade servers (Dell according to one report, IBM according to another) valued at $1.5 million plus.  Fast forward to 2009.  ATMDirect's software-based platform, under a new name, "Acculynk", is gaining some traction.  With the exponential growth of malicious threats hitting the web, time may have passed this "application" by.

Ironically, in the short history of the Internet, the year 2002 was probably the optimal time to introduce a software-based PIN Debit application. But 2009? Look at the chart above. A 12-fold increase in malicious code threats since the beginning of 2007?  That means that there are web-based attacks that exist this morning that didn't exist last week, let alone in 2000.  So what does tomorrow hold? Not a lot of promise for alternative PIN debit.  Especially when you consider that (not surprisingly) the "VAST MAJORITY" of attacks focus on Financial Services.

Take a gander at the article below from The Sydney Morning Herald based on last week's release of the results of a new study on Internet security by Symantec...it seems obvious the time for an internet PIN Debit application was years ago, not now.

False sense of security - Banking - Money - Business - Home - smh.com.au John Kavanagh - April 22, 2009

No website is safe from the increasing number of internet criminals who want your money. Internet security threats are increasingly likely to come from popular, trusted sites with a large number of visitors. The growing sophistication of internet fraudsters and the techniques they use are resulting in an increasing number of cases where malicious code is finding its way into the web browsers of visitors to websites of reputable organizations.

This is the main finding of the Internet Security Threat Report, published last week by Symantec. The report is based on feedback from 240,000 sensors monitoring attack activity in 200 countries. The report says the online underground economy is maturing, with a range of "service providers" selling phishing tool kits and blank credit cards, as well as stolen data.

The area where the threat level is highest is financial services. Frauds and malicious attacks involving bank and other finance sector websites make up more than 75 per cent of the total.

The senior director of Symantec Australia and New Zealand, David Dzienciol, says bank account and credit card details are the most popular items being traded by internet criminals.

The report says 76 per cent of phishing attacks target financial-services sites. Keystroke logging, a technique used to steal online banking log-on details, is another common form of attack. Twelve per cent of all data breaches in 2008 involved credit card information.

Credit card details are the most popular items for sale in the "underground economy". The reason for this, the report says, is that "there are numerous ways for that stolen information to be cashed out. The underground economy has a well-established infrastructure for monetising such information."

The report states: "The lengthy and complicated steps being pursued to launch successful web-based attacks demonstrate the increasing sophistication of the methods used by attackers."

Local banks are reporting that fraud levels in some areas, such as check fraud, have gone down but..."The area where there has been a big increase is in card-not-present transactions involving credit and debit cards (card-not-present transactions take place online)."

The Australian Payments Clearing Association (APCA) reports that in the 2007-08 financial year, check fraud declined from 1.4 cents to 0.8 of a cent in every $1000 of payments. Debit card fraud (involving Eftpos and ATM transactions) went up from 7.1 cents to 7.4 cents for every $1000 of payments. Credit and charge card fraud jumped from 38.6 cents to 50.2 cents for every $1000.

APCA says card-not-present fraud accounts for 48 per cent of card fraud. (Editor's Note: A software PIN Debit application is a "card-not-present" approach. True PIN Debit is a debit card that is swiped, in order to capture the PIN Offset, the PIN Verification Value and the Track 2 Data, and has True 2FA (two-factor authentication) by entering the PIN after the magnetic stripe data is captured. HomeATM has the ONLY TRUE PIN Debit solution designed for eCommerce.)


Monday, April 20, 2009

Visit HomeATM at ETA...Booth 647! (FIS Booth) and We'll Put $10 on Your Card in Real Time!


HomeATM will be at the Fidelity Information Services Booth (eFunds/Metavante/NYCE) Tuesday thru Thursday!  So stop by booth #647 during the ETA Meeting & Expo April 21-23 at the Mandalay Bay Resort & Casino and visit with one of our merchant experts.




(Look for anyone wearing a Polo with "PINterchange for the Internet" on their back)

Cause when it comes to providing "TRUE" PIN Debit for the Web, and military grade security, we've got YOUR back covered!

Also...be sure to check out FIS’:
  • Creative solutions to accepting PIN Debit for payment at Web-based merchant sites

  • Expanding payment options

  • Reduced interchange costs  (PINterchange!)
Stop by and say hello.
We've got a $10.00 "Card" Present  for you!

Correction: Booth #647


Just mention the fact that you saw this post in the "PIN Payments News Blog" and we'll put $10 on ANY US BANKCARD in "REAL TIME" (right before your eyes).


RKL ATM Security (Remote Key Loading)


ATM Security | Remote key loading: The next in ATM security for ISOs | ATM Marketplace
By Tracy Kitten editor • 20 Apr 2009

Dennis "Abe" Abraham has spent the last five years waiting for remote key loading to reach a tipping point. The president of Concord, N.C.-based Trusted Security Solutions Inc., developer of the A98 remote key loading system, says the timing for RKL is finally right, and independent sales organizations are now seriously considering their options.

Though complicated by complex algorithms and multiple levels of encryption, the function of remote key loading is simple. Basically, RKL eliminates the need for ATM technicians to physically visit ATMs for manual key changes — thus eliminating expense and the possibility for human error.

After completing their investments in Triple DES upgrades, ATM deployers are now finally able to focus some time and money on RKL. Up to this point, financial institutions have expressed interest in RKL, but few have made large investments. In the ISO space, movement has been, by and large, non-existent.

And there are a few reasons for that.

Deployers of off-premises ATMs have not been as diligent about ensuring their keys are changed. In fact, before the October 2008 release of version 1.2 of the Payment Card Industry Council Data Security Standard, no definitive requirements for key changing existed. ATM deployers were required to change keys if and when audited, but audits were not mandated across the board.

Under version 1.2, keys must be changed every 12 months, and the networks are watching, says Chuck Hayes, product development manager for Long Beach, Miss.-based Triton Systems of Delaware. That PCI push has encouraged manufacturers like Triton to start marketing RKL as part of the overall ATM offering.

"It's a differentiator for us," Hayes said. "It's the first time an RKL solution has been brought to market for the off-premises space, and that's helping us enjoy a competitive advantage."

Triton's patent-pending RKL offer may only require a software upgrade, if the ATM already has Triton's upgraded encrypting PIN pad.

For an ISO that acquires and needs to merge a fleet of remote-key capable ATMs with an existing fleet of ATMs that aren't remote-key ready, the Triton solution calls for a mere switch of the host for transaction processing, Hayes says.

"The business case for ISOs is simple: less key handling," he said. "That's an advantage. If an ATM key was corrupted, the host could rekey that ATM within minutes, rather than having to go through the manual process of sending someone out, which takes time and expense."

A case for ISOs and FIs

Continue Reading at ATM marketplace


Midnight Raid Attack Creates HelluvaSMS

Source: CNet
Complete item

Description:

Be careful who you give your mobile phone number out to. An attacker with the right toolkits and skill could hijack your phone remotely just by sending SMS messages to it, according to mobile security firm Trust Digital.

In what it calls a "Midnight Raid Attack" because it would be most effective when a victim is asleep, an attacker could send a text message to a phone that would automatically start up a Web browser and direct the phone to a malicious Web site, said Dan Dearing, vice president of marketing at Trust Digital. The Web site could then download an executable file on the mobile phone that steals data off the phone, he said.

Dearing demonstrates how this can be done in a video on YouTube.


In another type of attack, an attacker could hijack a phone by sending a type of SMS message called a control message over the GSM network to a victim's phone that is using a Wi-Fi network and then use special toolkits to sniff the Wi-Fi traffic looking for the victim's e-mail log-in information. This attack is explained in another YouTube video.

While the attacks at this point are proof-of-concepts, they could be done if someone has the requisite knowledge and toolkits, said Dearing. Trust Digital recently announced software called EMM 8.0 that can help organizations protect employee phones from these types of attacks, he said.

"This is a completely real threat," said Philippe Winthrop, a director in the global wireless practice at Strategy Analytics. "We will see these attacks. It's a matter of time."


Online Security Fears Deepening...HomeATM Can Help

Consumers in Belgium apparently feel less anxious about online security than people in any other European country.

In an Index that tracks trends in consumer perception of security issues among approximately 8,500 people in nine countries, Unisys has reported that ID theft and fraud fears have surged in the last six months as recession bites.

“Reports that fraudsters are increasingly moving online, in addition to well publicized security breaches, may have also helped push up the Unisys Security Index for Internet security concerns from 105 a year ago to 121 in the UK,” the company said.


Editor's Note:  See the device on the left?  Fraudsters hate it because instead of "Typers" consumers become "Swipers."  I love the irony...  Consumers "swipe their card information" vs. fraudsters being the "Swiping Type"...

Virtually "every" security expert knows that entering a card number, expiration date and CVV with a keyboard is the exact "type" of transaction that allows fraudsters to "swipe" your financial details.  On the flip side, when you "swipe" your own card details with our SafeTPIN terminal, and enter your PIN, it's done "outside" the browser space, is "instantaneously" 3DES encrypted "inside the box" and the data is never transmitted in the clear.

In addition to 3DES end-to-end encryption, HomeATM employs DUKPT key management AND also encrypts the Track 2 data.

These procedures helped the HomeATM "SafeTPIN"  become the FIRST and ONLY payment terminal/PIN Entry Device IN THE WORLD, designed solely for e-commerce to be PCI 2.0 PED Certified.


Thus, HomeATM is also the "FIRST and ONLY" provider of "Tried and TRUE" PIN Debit for eCommerce.  The card is present, the Track 2 data is captured (including the PIN Offset (PVKI) AND the PIN Verification Value (PVV)) and the PIN provides 2FA (two-factor authentication).

Again, on the flip side, with a software PIN Debit "application" (see graphic below/right) the card is NOT PRESENT, the Track 2 data is NOT captured, (nor is the PVKI/PVV), and the PIN does NOT provide 2FA, because the Primary Account Number (PAN) could have been purchased for a dime online.  So, if your perception is that there's "TWO" Internet PIN Debit choices, hardware or software, it's time to re-evaluate...because the truth is: 

There's only ONE TRUE PIN Debit "solution" for the web.  HomeATM...period.   Speaking of "conventional" you can visit us at Booth 347 at the ETA Convention.  Oh...and did I mention that HomeATM is EMV/SmartCard/Chip and PIN ready?  I think I just did...back to the article


According to the survey, 69% of UK consumers are now concerned about computer security and 65% are worried about their safety and security when shopping or banking online.

The study assessed attitudes towards national security and epidemics, financial services security, as well as sentiment towards spam, virus and online financial transactions, and physical risk and identity theft.

It used measures of consumer perceptions on a scale of zero to 300, with 300 representing the highest level of perceived anxiety. The relaxed Belgians scored a low 94 on a rating of internet security concerns.

Overall, the average score for citizens of the nine countries surveyed is 133, representing a moderate level of concern. Those surveyed are most concerned about financial security and least concerned about Internet security.

Unisys said its twice yearly survey presents an interesting social indicator regarding how safe consumers feel on key areas of security.

Some 72% of UK citizens believe they are at greater risk from identity theft and related crimes such as credit card fraud, as a result of the financial crisis.

Four out of every five people in Germany are extremely or very concerned about identity theft, yet under half would accept biometric technology to verify their identities.

As many as 88% of consumers are concerned about other people obtaining and using their credit card, debit card or bank account details or are concerned about others gaining unauthorized access to or misusing their personal information.


“Fraud fears have deepened as a result of the financial crisis,” Neil Fisher, VP at Unisys said.

The company found that bankcard fraud is the greatest single area of concern across all markets, with concerns about misuse of credit or debit card details being the top concern among adults in five countries and the number two concern in four more countries.

Identity theft is seen as the second greatest area of concern, being the number one concern in three countries and the number two concern in four more.

Since the last survey six months ago, Unisys measured a jump of ten-points in its Internet Security Index and charted a significant six-point rise in its Financial Security Index. Its National Security Index continues its downward trend, while its Personal Security Index is essentially flat.


Mikeyy Worm: Jokes on Twitter...Womp!

Source: Sophos
Complete item: http://www.sophos.com/blogs/gc/g/2009/04/18/mikeyy-worm-jokes-twitters-expense/

Description: Another day, another Twitter worm. After yesterday's attack referencing the likes of Ashton Kutcher and Oprah Winfrey, we are now seeing many Twitter users spreading messages on behalf of a new version of the Mikeyy worm. This time the common denominator is that they are all jokes that include the (somewhat bizarre) word "womp".

Here are some of the messages that are being sent from compromised accounts on Twitter right now:


  • Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy.
  • If your father is a poor man, it is your fate, if your father-in-law is a poor man, it's your stupidity. Womp. mikeyy.
  • If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy.
  • Money is not the only thing, it's everything. Womp. mikeyy.
  • Every man should marry. After all, happiness is not the only thing in life. Womp. mikeyy.
  • Success is a relative term. It brings so many relatives. Womp. mikeyy.
  • Be nice to your kids. They'll choose your nursing home. Womp. mikeyy.
  • 'Your future depends on your dreams', So go to sleep. Womp. mikeyy.

Once again, Twitter is left looking amateurish in its response, as it clearly hasn't properly hardened its systems against these kinds of cross-site scripting attacks. Until they get their act together, users need to remember to turn off scripting (the combination of Firefox and NoScript is a good one) when viewing users' profiles.

Oracle Buys Sun Microsystems

Had to bring you "tomorrow's news today!" From the April 21st edition of iTWire:

iTWire - Oracle vertically integrates paying $7.4B for Sun

by Stan Beer
Tuesday, 21 April 2009

In what is being viewed as a move to vertically integrate its business, business software giant Oracle has agreed to buy struggling server hardware vendor Sun Microsystems for US$7.4 billion cash.

The deal will see Oracle pay a more than 40% premium of $9.50 a share for the company whose founder Scott McNealy coined the phrase “the network is the computer”.

Sun was at one time a rising star in the Unix server business, with its Solaris operating system and Sparc-based proprietary servers.

However, the commoditisation of the servers business through the x86 platform has bitten deeply into Sun’s bread and butter.

While Sun is primarily considered to be a hardware company, it does have some considerable software jewels in its crown. Aside from Solaris, Sun was the developer of the Java software development platform and owns StarOffice, the commercial version of OpenOffice.

From Oracle's point of view - or least what its boss Larry Ellison claims - the Sun purchase will give Oracle a one-stop-shop or "applications to disk" capability, where the company could offer customers a tightly integrated hardware and software solution.

Commentators at this stage seem unsure about the wisdom of Oracle's strategy with this purchase because it's the first time the software giant has ventured boldly into the hardware space.

However, many note that previous acquisitions for Oracle such as PeopleSoft, Siebel and BEA have been successful.

In addition, as some pundits point out, Sun is not just a hardware company but is also strong in the software platform space. And the vertical integration of major computing conglomerates in the mould of IBM and HP, with hardware, software and services, appears to be where the market is heading.

6 Degrees of Separation to Preventing Fraud - Deloitte Consulting

A Discussion about Applying Six Degrees of Separation to Preventing Fraud
Considering the human element of fraud and channeling information and specialized resources already in your company toward that effort could help mitigate fraud and other compliance risks.

In “A Discussion about Applying Six Degrees of Separation to Preventing Fraud,” Toby Bishop, director of the Deloitte Forensic Center for Deloitte Financial Advisory Services LLP, moderates a discussion with Yogesh Bahl, Northeast leader of Anti-Fraud Consulting for Deloitte Financial Advisory Services LLP, and Tim Lupfer, director in the Human Capital practice of Deloitte Consulting LLP.

Listen to the discussion of how companies may be able to apply techniques used in fraud investigations to prevent and detect fraud before it causes serious damage.


Related content:
Overview: Applying Six Degrees of Separation to Preventing Fraud
Services: Anti-Fraud Consulting
Services: Deloitte Consulting 

Sunday, April 19, 2009

TRUE Internet PIN Debit - See us at FinovateStartup09

Tried and True!

Visit HATM at FinovateStartup09 in our Hospitality Suite on April 28th in San Francisco and we will demonstrate the ONLY functional "TRUE" PIN Debit Internet system by putting $10 on ANY US Bank Card in "Real Time!"


Yes...you read this right. "THE ONLY" True Internet PIN Debit Payment in the World. True PIN Debit Interchange, True PIN Debit Transactions, True Card Present Rates.

Software solutions ARE NOT TRUE PIN Debit.


Sure, you can type or mouse click your PIN into a box, but since the card is not swiped, it's not TRUE PIN Debit...it's a "Card NOT Present" transaction. Without "card present" status, it's an "alternative" payment system.

True PIN Debit is conventional ...there's "NO ALTERNATIVE" way to do it...other than swiping the magnetic stripe (which contains the PIN Offset, the PIN Verification Value and the Track 2 data).

To see a LIVE Demonstration of the world's ONLY TRUE PIN Debit, simply Mention the PIN Payments News Blog OR cut out the Coupon above right, and bring it up to our Hospitality Suite.

We'll Remit $10.00 into your bank account using your (any U.S.) bank card "LIVE" in "real time"...right before your eyes!

HomeATM has engineered, patented and manufactures the ONLY PIN Entry Device in the WORLD to achieve the notoriety of PCI 2.0 PED Certification. In a sense we're the Porsche of Payments. "There is NO substitute!" The most secure internet payment mechanism in the world...wide web! HomeATM enables:
  • Internet PIN Debit Transactions
  • Person to Person Payments
  • Secure 2FA (two-factor authentication)
  • Online Banking
  • P2B Online Bill Payments
  • B2B Payments
  • Secure Money Transfer/Remittance
All in Real-Time. Always 3DES DUKPT End to End Encryption...including Track 2 Data.

Friday, April 17, 2009

Something Phishy About Banks Not Using 2FA from HomeATM

Research shows that most online banking sites have inbuilt flaws which could potentially put valuable customer data into the wrong hands.

Now there is a way (since March 17th, 2009) to vastly increase the security of online banking. 

HomeATM engineered AND manufactures the world's FIRST and ONLY PIN Entry Device solely designed for online authentication and eCommerce to achieve PCI 2.0 certification. What that means is:

Banks now have a choice.  They can use what many consider to be a very obsolete UserName/Password login OR they can provide a methodology which safely and securely authenticates their online banking customers with two-factor authentication. 

Logging on to a bank's online banking site is now quick/convenient and easy.
 

Bank customers would simply swipe their bankcard through HomeATM's SafeTPIN device and enter their bank assigned PIN. 

HomeATM is proud to introduce the security of "True" 2FA (two-factor authentication) to the online banking community AND provide the impetus for banks to procure more online banking customers via the allure of the most secure online banking platform in the industry.

I don't mean to oversimplify how easy it would be for a financial institution to implement "True 2FA" with HomeATM's device, but it's unavoidable.


To keep it short, I'll provide but one recent fact from Gartner Research:
According to research firm Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks. (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before, to five million.)

The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved.  (That's $196 to the banks and $154 to the consumers)  "The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner.  (Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based)
Guess what? The HomeATM "SafeTPIN" device would not only eliminate "phishing attacks" but it would also eliminate the threat of "cloned cards," "cloned bank sites", AND provide "True 2FA" for online banking customers.

Additional benefits include empowering online banking customers with the ability to perform:

  • Person to Person Money Transfers,
  • Bill Payment Online (with "True PIN" vs. PINless Debit)
  • Secure online transactions with online retailers.
As I said, I don't mean to oversimplify WHY banks should investigate our solution further, but sometimes the simplest things in life are the best...aren't they?

In closing out this week's edition of the PIN Payments News Blog, I'll state one more "food for thought" item.

According to a trustworthy source, Bank of America spent $129 Million on PCI DSS compliance last year. 

Now I'm not saying that our SafeTPIN device would eliminate the entire cost of PCI DSS compliance, BUT...on account of how we are "already" PCI 2.0 PED certified, any bank that utilizes our device for "True Two Factor Authentication" during the log-in process, would effectively be removed from the scope of PCI DSS requirements. 

  • at least for their online banking application
  • and Bill Pay
  • and online eCommerce Transactions
  • and Money Transfers
So...to anybody out there that knows some high level banking executives...pop me an email and let's talk. 

I'll make you some serious money, save the banks some serious money, enhance the banks' image AND provide consumers with the peace of mind of knowing that their financial information is secure!

Consumers fear financial security threats more than the threat of a terrorist attack (see graph on left)  

Here's a quote from:  Convenience or Security?  How About BOTH?

Americans "DEFINITELY" want security.


In fact, Americans worry more about credit and debit card fraud than they do about a terrorist attack...according to a new report from Unisys.
 

Oh...and in quantity, our device costs about 10% of what it currently costs banks and consumers for each "phishing incident."  Simple...ain't it?

Online Fraud Benchmark Report - RSA Conference

Source: eFraud Network
More info: https://www.e-secure-it.com/upload/348032.pdf


To download a copy of the PDF, courtesy of E-Secure-It.com click the link above.  Click the graph on the left to enlarge.

Executive Summary


Experts know there are more stolen credentials in the hands of the cybercriminals than ever before.

And, we’re seeing more fraudsters cash‐out using stolen credentials with unprecedented speed. Last year, RBS WorldPay reported their debit card payroll card system was the victim of a hacking ring compromising over one million personal records. What was different about this hack, however, was the speed with which the cybercriminals behind the hack were able to cash‐out. News agencies in the U.S. reported that nine million in cash was netted by cloning cards in 49 cities across the globe in the U.S., Canada, Russia and Hong Kong, all in about 30 minutes.[1] Similarly, in the U.S., PIN cashers were able to withdraw five million in less than 48 hours from Citibank[2] using compromised prepaid debit card accounts.

In testimony at Homeland Security Committee hearings about data breaches, the Department of Justice said “the problem has grown so big federal prosecutors across the country are pursuing 2,000 cases related to identity theft” and that “the number of convictions for identity theft have more than doubled – a 138 percent increase, in the last four years.”[3]

Combine this testimony, and the attacks mentioned above, with the Heartland Breach – the largest data breach on record as far as number of identities compromised – and 2008 will be remembered as the year the cybercriminals not only perfected their identity‐stealing skills but also their bank robbing skills.

To try and understand how online fraud and data breaches are impacting multiple industries and organizations, the Program Committee of the eFraud Network™ Forum (eFN) – a global group of antifraud professionals from the financial services, payment, merchant and law enforcement community – created its first in‐depth survey about online fraud.

We received 104 responses from individuals representing organizations in many different industries and countries. We provide information about the survey respondents and our methodology in Appendix A.

Key Findings: The 2009 Online Fraud Benchmark Report highlights five significant findings:


• Data breaches are no longer a rarity and current regulations are not working.
• Spending to prevent fraud is up or holding steady through 2009.
• More cross‐industry information sharing is needed to prevent online fraud.
• We still don’t know the economic damage of the Heartland Breach.
• There is a direct correlation between the number of attacks and number of customer accounts managed by the survey participants.

[1] http://www.myfoxny.com/dpp/news/090202_FBI_Investigates_9_Million_ATM_Scam
[2] http://blog.wired.com/27bstroke6/2008/06/citibank‐atm‐se.html
[3] http://www.cnn.com/2009/US/03/31/identity.theft/index.html

2FA is Needed for Online Services

Will 2FA use transcend online banking? : News : Security - ZDNet Asia
Will 2FA use transcend online banking?
By Vivian Yeo, ZDNet Asia
Friday, April 17, 2009 07:25 PM

SINGAPORE--Two-factor authentication (2FA) is starting to become available for online services other than banking and remote logon to corporate networks, but it remains to be seen whether consumers will take to it.

Local security technology firm Data Security Systems Solutions (DSSS), is set to showcase a new two-factor authentication service for online services at the RSA Conference next week. Called BetterThanPin, the service is unique in that it allows consumers, rather than service providers or enterprises, to initiate stronger authentication for the online services they deem important, said Tan Teik Guan, the company's chief executive and chief technology officer, in an interview Friday with ZDNet Asia.

The BetterThanPin service requires a user to create an account on the BetterThanPin portal and register the online accounts. (Editor's Note...IMHO, that makes it "worse than PIN" because it's done on the web.  Anything done in the browser space is hackable.)

During the sign-up process, the user is also asked to select the preferred mode or token of receiving the weekly-generated passwords. These temporary passwords--six-digit numbers--will be added to the string of characters in a user's static password for a particular account.
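The combined credential the article describes (a static password with a six-digit weekly code appended) can be checked server-side roughly as below. This is an added example, not DSSS's or BetterThanPin's code; it assumes the weekly code is derived HOTP-style from a per-user token secret and a week counter, which the article does not state, and that the static password is stored as a PBKDF2 hash.

```python
import hashlib
import hmac
import struct

WEEK_SECONDS = 7 * 24 * 3600   # the article says codes are generated weekly
CODE_DIGITS = 6                # "six-digit numbers"
PBKDF2_ROUNDS = 200_000


def week_counter(now_ts: int) -> int:
    """Map a Unix timestamp to the index of the week it falls in."""
    return now_ts // WEEK_SECONDS


def weekly_code(token_secret: bytes, counter: int) -> str:
    """Assumed derivation (not described in the article): HOTP-style
    HMAC-SHA1 over the week counter with dynamic truncation to 6 digits."""
    mac = hmac.new(token_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def hash_static_password(password: str, salt: bytes) -> bytes:
    """Stored form of the user's static password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def split_credential(submitted: str):
    """Separate '<static password><six-digit code>'; None if malformed."""
    if len(submitted) <= CODE_DIGITS:
        return None
    static_part, code = submitted[:-CODE_DIGITS], submitted[-CODE_DIGITS:]
    if not (code.isascii() and code.isdigit()):
        return None
    return static_part, code


def verify_login(submitted: str, salt: bytes, stored_hash: bytes,
                 token_secret: bytes, now_ts: int) -> bool:
    """Accept only if both factors check out. Both comparisons always run,
    so a wrong code and a wrong password cost the same time."""
    parts = split_credential(submitted)
    if parts is None:
        return False
    static_part, code = parts
    static_ok = hmac.compare_digest(hash_static_password(static_part, salt), stored_hash)
    # A weekly code stays valid for the whole week: a phished code can be
    # replayed until the counter rolls over, unlike a 30-second TOTP.
    expected = weekly_code(token_secret, week_counter(now_ts))
    code_ok = hmac.compare_digest(code, expected)
    return static_ok and code_ok
```

The long validity window is the point to weigh against the convenience: a code delivered once a week is replayable for up to seven days.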

According to Tan, the service currently only allows users to initiate 2FA for their Gmail accounts. However, it is also ready to manage Facebook accounts, and there are plans to include Yahoo Mail and Skype to BetterThanPin. The service is also envisioned to be compatible with hardware and software tokens.

Starting next week, DSSS will initiate a trial for Gmail users, he added. The company is targeting 1,000 users of different demographics globally to participate in the trial, which will last till August.

"From the feedback, we will decide whether to continue [developing] the service [and] what [other] online services to ready [it for]," said Tan.

The company has so far been focused on developing BetterThanPin, which uses existing authentication technology by DSSS, and paid scant attention to the commercial viability of the service, admitted Tan. However, he said the service could eventually be offered through the cloud by service providers, in individual enterprise deployments such as Intranet sign-in or directly to individuals.

Should DSSS market the service direct to consumers, it may include advertisements sent with the temporary passwords as it would not be realistic to offer the service for free long-term to consumers, he noted.

DSSS is not alone at trying to introduce stronger authentication for online services. Last month, Vasco Data Security announced in a media release that customers of Square Enix would be offered stronger authentication to access content and services by the Tokyo-based video game company.

With the move, Vasco noted the popular massively multiplayer online role-playing game, Final Fantasy XI, would be the first online game in Japan to make use of one-time passwords for authentication.

Citing statistics released by Japan's Ministry of Internal Affairs and Communications in February, Vasco said there were nearly 2,300 cases of fraudulent access to online services in the country last year--a 26 percent increase year on year. Over half of the cases involved online auctions, while some 457 were related to online games.

Security vendors including Sophos and Symantec have also, in the past, warned of cybercriminals tapping on malware such as Trojans to steal credentials of online gamers. With the growing number of online game sites and players, it was increasingly lucrative for malware writers looking to profit from online assets.

Continue Reading at ZDNETAsia

Breaches Will Get Worse in '09

Data Breaches Rampant in 2008

More electronic records were breached in 2008 than the previous four years combined, according to the 2009 Verizon Business Data Breach Investigations Report (pdf) released this Wednesday.

The research is based on Verizon Business data of 285 million compromised records from 90 confirmed breaches.

Key findings from Verizon's report:

  • Most data breaches investigated were caused by external sources. External data breaches are highest in Eastern Europe, East Asia and North America; these regions combined account for 82% of all external attacks.
  • Most breaches (64%) resulted from a combination of events rather than a single action. For example, an attacker exploiting a mistake committed by the victim, hacking into the network, and installing malware on a system to collect data.
  • In 69% of cases, the breach was discovered by third parties - most organizations do not discover their own breaches.
  • Nearly all records compromised in 2008 were from online assets, not desktops, mobile devices, portable media, etc. Rather, 99% of all breached records were compromised from servers and applications.
  • Roughly 20% of 2008 cases involved more than one breach.
  • "Highly sophisticated" attacks account for only 17% of breaches, Verizon said. Still, these cases accounted for 95% of the total records breached, which indicates that hackers know where and what to target.
  • Being Payment Card Industry (PCI)-compliant is critically important: 81% of affected organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.

Data breaches investigated in 2008 affected a wide array of organizations:

  • Food and beverage establishments, the second most frequently hit industry in the first report, dropped to 14% in 2008, down from 20%.
  • The retail industry accounts for a third of all cases.
  • Breaches in the financial services increased the most, doubling to a share of 30%, and representing 93% of the compromised records in the study - with 90% of these records involving groups engaged in organized crime.

Mistakes and oversight failures - as opposed to lack of resources and hindered security efforts - were identified as the main cause of the breaches. And 90% of all breaches could have been avoided if basic security guidelines had been followed, Verizon concluded from a previous study, covering 230 million compromised records from 2004 to 2007.

These are: changing default credentials; avoiding shared credentials; reviewing user accounts; employing application testing and code review; patching comprehensively; assuring HR uses effective termination procedures; enabling application logs and monitoring them; and defining "suspicious" and "anomalous" - be prepared to defend against and detect very determined, well-funded, skilled and targeted attacks.

Cybercrime is always evolving, Verizon said.

For example, new methodologies, like memory scraping malware, are being used to steal personal identification codes, or PIN numbers, associated with credit/debit accounts, to withdraw cash directly from a consumer's account.