Saturday, May 23, 2009

Hacker Pokes Hole in Secure Sockets Layer (SSL)

Editor's Note:  I received a couple of emails regarding my post: Comparing Apples to...Let Just Say "The Real Deal" saying I was wrong and  that transactions conducted by typing your credit card number into a mobile phone, using SSL is safe. 

Here's one quote from an email:
"SSL and other mechanisms are available to iPhone developers to do this right. There is nothing fundamentally insecure about entering a credit card number into a browser with SSL enabled"

Oh?  Let me remind you that SSL was hacked back in February.  Guess he must have been out sick that day...

Hacker pokes new hole in secure sockets layer • The Register

Website encryption has sustained another body blow, this time by an independent hacker who demonstrated a tool that can steal sensitive information by tricking users into believing they're visiting protected sites when in fact they're not. Unveiled at the Black Hat security conference in Washington, SSLstrip works on public Wi-Fi networks, onion-routing systems, and anywhere else a man-in-the-middle attack is practical.

It converts pages that normally would be protected by the secure sockets layer protocol into their unencrypted versions. It does this while continuing to fool both the website and the user into believing the security measure is still in place.

The presentation by a conference attendee who goes by the name Moxie Marlinspike is the latest demonstration of weaknesses in SSL, the encryption routine websites use to prevent passwords, credit card numbers, and other sensitive information from being sniffed while in transit. Similar to the sidejacking attack from 2007 and last year's forging of a certificate authority certificate, it shows the measure goes only so far.


"The attack is, as far as I know, quite novel and cool," said fellow researcher Dan Kaminsky, who attended the Black Hat presentation. "The larger message of Moxie's talk is one that a lot of people have been talking about actually for a few years now: This SSL thing is not working very well."


Editor's Question: Still think it's safe to enter your credit card number into a mobile phone?


Then read "Related Articles" below and maybe you'll "Think Different!"

5 to 1 Baby...1 in 5...No One Here Gets Out...Without Having Their Card Cloned

1 in 5 people have bank cards cloned (From The Argus)

Bank card cloning has become a major problem as criminals become more desperate as the recession bites. Figures show that card fraud is growing with one fraudulent transaction taking place every eight seconds.  They reveal that more than £609 million was lost to credit card fraud last year. 

Almost one in five people had their cards cloned at hole-in-the-wall cash machines or in-store chip and pin terminals. 


High-profile victims include Top Gear presenter Jeremy Clarkson who was targeted at a petrol station in California two years ago.  His card was cloned after he filled up his car with petrol. He was hit with a bill for £35,000 after his credit card details were sold on.

Card holders have been warned to be even more vigilant when using automatic cash machines and to check their bank statements carefully. Kerry D’Souza, a fraud expert at card protection company CPP, says: “Criminals like card crimes because they can do it without having to make face-to-face transactions.

“People need to be vigilant and check their bank statements. Being a victim of fraud, with average sums of £650, can be very stressful and a lot of hassle. The banks do look for unusual transactions but we all need to be careful.”

The warning came as two Crawley men were sentenced yesterday after they were caught with cloned credit cards.

One of them said he got caught up in the scam after getting himself heavily into debt.

Americo Ferreira, 25, and Sarwar Abdurahaman, 22, were stopped by police after they were seen acting suspiciously in a car that was not theirs at the Tesco petrol station at Broadbridge Heath, Crawley, at 1am on July 15 last year.

They were about to use the cloned cards to fill 15 plastic drums in the car with petrol.  Undercover police targeted the area after they were told that cloned cards were repeatedly being used at the unmanned all-night service station.

Petrol pumps in use at the time meant that customers only had to swipe their bank cards through the machine and did not need to enter a PIN number.


Continue Reading at the Argus

Obama Transcript at Credit Card Law Signing

SPEAKER: PRESIDENT BARACK OBAMA

OBAMA: Hello, everybody. Please have a seat. I’m sorry.  It is a great pleasure to have all of you here at the White House on this gorgeous, sunny day. The sun’s shining; birds are singing; change is in the air. (LAUGHTER)

This has been a historic week, a week in which we’ve cast aside some old divisions and put in place new reforms that will reduce our dependence on foreign oil, prevent fraud against homeowners, and save taxpayers money by preventing wasteful government contracts, a week that marks significant progress in the difficult work of changing our policies and transforming our politics.

But the real test of change ultimately is whether it makes a difference in the lives of the American people. That’s what matters to me; that’s what matters to my administration; that’s what matters to the extraordinary collection of members of Congress that are standing with me here, but also who are in the audience.

We’re here today because of a bill that will make a big difference, the Credit Card Accountability, Responsibility and Disclosure Act.

I want to thank all the members of Congress who were involved in this historic legislation, but I want to give a special shoutout to Chris Dodd, who has been a relentless fighter to get this done.  (APPLAUSE)

Chris -- Chris wouldn’t give up until he got this legislation passed. He’s spent an entire career fighting against special interests and fighting for ordinary people, and this is just the latest example.

I want to thank his partner in crime, Senator Richard Shelby. (APPLAUSE)

So we’re not going to give people a free pass, and we expect consumers to live within their means and pay what they owe, but we also expect financial institutions to act with the same sense of responsibility that the American people aspire to in their own lives. This is a difficult time for our country, born in many ways of our collective failure to live up to our obligations, to ourselves and to one another.


The fact is, it took a long time to dig ourselves into this economic hole. It’s going to take some time to dig ourselves out. But I’m heartened by what I’m seeing, by the willingness of all the adversaries to seek out new partnerships, by the progress we’ve made these past months to address many of our toughest challenges.

And I am confident that as a nation we will learn the lessons of our recent past and that we will elevate again those values at the heart of our success as a people, hard work over the easy buck, responsibility over recklessness, and, yes, moderation over extravagance. This work’s already begun, and now it continues.

I thank the members of Congress for putting their shoulder to the wheel in a bipartisan fashion and getting this piece of legislation done.  Congratulations to all of you. The least I can do for you is to sign the thing.


END

Source: CQ Transcriptions

Judge: IRS Can Force First Data to Provide Details on US Merchants

A New Front In War on Offshore Tax
by William P. Barrett | Forbes Magazine

IRS seeks data on U.S. merchants who may be diverting online credit card sales revenue to foreign accounts.


Are some U.S. merchants using the credit card processing system to divert Internet sales to offshore accounts and hide taxable profits from the Internal Revenue Service?  That’s the suggestion in a case in federal court in Denver that appears to represent a new front in the IRS’ war against offshore tax evasion.
A federal judge there has granted permission for the IRS to force big credit card processor First Data of Greenwood Village, Colo., to provide details on any U.S. merchants who have arranged since 2002 to have payments from credit and debit cards deposited in offshore accounts with the assistance of First Atlantic Commerce, an obscure company headquartered in Bermuda.

Editor's Note: First Data itself is NOT being accused of any wrongdoing and said in a statement that First Data does NOT support the transfer of credit card proceeds by US businesses to offshore accounts.
Continue Reading at Forbes

MoneyGram Exits Payment Processing Biz

May 22 (Reuters) - MoneyGram International Inc (MGI.N) will sell its payment processing business to privately held Solutran to focus on its profitable money transfer and bill payment businesses.

The deal is expected to close in the third quarter, and the majority of the current 37 FSMC business employees will join Solutran, said the company, which boasts of having Wal-Mart (WMT.N) as one of its clients.

"It's a move that enables MoneyGram to shift our organization closer to our core businesses and at the same time provides Solutran with an exceptional business that fits its growth strategy," Chief Executive Anthony Ryan said in a statement.

FSMC, or the payment processing business, represents less than 1 percent of MoneyGram's total revenue.

MoneyGram's investment portfolio has taken a hit due to deteriorating credit market conditions, and the company has been struggling to move away from riskier asset-backed securities to safer instruments such as government debt.

Shares of the Minneapolis-based company closed at $1.60 Friday on the New York Stock Exchange. The stock has gained 56 percent in value since January this year. (Reporting by Sweta Singh in Bangalore; Editing by Ratul Ray Chaudhuri)

Friday, May 22, 2009

How To Hack an ATM Part V

Thieves use tractor to try to steal ATM from Gilbert bank

GILBERT, AZ -- Police are investigating an attempted ATM robbery in Gilbert.  It happened just before 5 a.m. Thursday at an M&I Bank near Higley and Queen Creek roads. Police said the would-be robbers tried to make off with the entire machine. Video from the scene shows that they didn't get past the parking lot.

Police said the suspects used a stolen John Deere tractor to bust the ATM loose.

By the time officers arrived on the scene, the thieves were gone. The ATM, however, was on the ground and all of the money was still inside. It's early in the investigation, but at this point police have few leads in the case. They believe the tractor was stolen from Chandler Heights and Higley. Anybody with information about the incident is asked to call the Gilbert Police Department.

PCI SSC Announces New Board of Advisors

PCI SSC ANNOUNCES NEW BOARD

May 21, 2009 by ADMIN
From the PCI Security Standard Council  via Anthony Freed Feed at Information-Security Resources.com

The PCI Security Standards Council (PCI SSC), an independent industry standards body providing management of the Payment Card Industry Data Security Standard (DSS) on a global basis, today announced the results of elections for the PCI SSC Board of Advisors. The Board of Advisors will represent the current global roster of over 500 PCI SSC Participating Organizations and provide critical feedback to the ongoing enhancement of security standards managed by the Council.

More than 140 organizations from across the payment industry were nominated for their direct experience and leadership in the field, reflecting the varied perspectives of different global stakeholders. To ensure the desired breadth of industry focus, the elected seats were distributed within the categories of: Financial Institutions; Merchants; Processors; Vendors, and Others (Industry Associations, etc).

Of those nominated, 14 organizations were elected by their peers in the PCI SSC Participating Organizations member base to serve on the board and provide strategic and technical guidance to the PCI Security Standards Council. To ensure geographic and functional diversity, an additional seven seats were appointed from the Participating Organization roster by the PCI SSC Executive Council to fill any gaps in representation and to help augment any under-represented stakeholder sector or geographic market. As a worldwide organization managing a portfolio of industry standards, the Council seeks input from EMEA, North America, Latin America and Asia Pacific to reflect the global nature of card data security threats.

The new Board of Advisors is comprised of representatives from the following organizations:
  • Bank of America
  • Banrisul S.A.
  • Barclaycard
  • Chase Paymentech Solutions Inc
  • Cisco
  • Citrix Systems, Inc.
  • European Payments Council
  • Exxon Mobil Corporation
  • First Data
  • Global Payments Inc.
  • JPMorgan Chase & Co
  • Lufthansa Systems Passenger Services
  • McDonald’s Corporation
  • MICROS Systems, Inc.
  • National Australia Bank
  • PayPal
  • Royal Bank of Scotland Group
  • Tesco Stores Ltd
  • TSYS Acquiring Solutions
  • VeriFone
  • Wal-Mart Stores, Inc
The inaugural Board of Advisors, which served a two year term from 2007 to 2009, played an integral part in setting strategic direction for the Council during its formative years. Some of the areas the Board helped guide over this term include the evolution of the PCI Data Security Standard from version 1.1 to 1.2, publication of the Prioritized Approach to PCI DSS and the formation of special interest groups on wireless, scoping, virtualization and pre-authorization. Board representatives will continue to play a leadership role in these groups, working with other industry stakeholders to examine the impact of different technologies and industry specific challenges on the implementation of PCI Security Standards.

“Our Participating Organizations came out in force in the recent Council nominations and election process. It is exciting to see such widespread participation,” said Bob Russo, general manager, PCI Security Standards Council. “I would like to congratulate not only our new Board of Advisors but everyone who continues to join the Council in pursuing its mission of securing payment card data, through these collaborative processes. I’m confident our new Board of Advisors will build upon the success of their predecessors in helping the Council to effectively evolve the PCI standards and bring new tools and resources to market to help improve education and implementation of PCI standards.”

The first order of business for the new Board of Advisors will be reviewing the results of a Council commissioned emerging technology study and preparing for the 2009 PCI Security Standards Council Community Meetings in Las Vegas (22-24 September) and Prague, Czech Republic (27-28 October).

For more information about the PCI Security Standards Council or to become a Participating Organization please visit pcisecuritystandards.org, or contact the PCI Security Standards Council at participation@pcisecuritystandards.org.

About the PCI Security Standards Council:

The mission of the PCI Security Standards Council is to enhance payment account security by fostering broad adoption of the PCI Data Security Standard and other standards that increase payment data security.

The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements and the Payment Applications Data Security Standard (PA-DSS). Merchants, banks, processors and point of sale vendors are encouraged to join as Participating Organizations.


Hackers Hold Banks "Strictly and Indirectly" Liable

Source: Korea Times
Complete item: http://www.koreatimes.co.kr/www/news/biz/2009/05/123_45312.html

Though it did not catch the attention of many people, something very interesting is happening in the world of Korean Internet transactions. In April 2006 when the Electronic Financial Transaction Act (EFTA) was promulgated, it was at the center of controversy as banks were burdened with the precautions against the wrongdoings of hackers.

Since the contents of the EFTA are focused mostly on who will be held liable (Article 9) if there are any problems while engaged in electronic financial transactions, legislators of the EFTA worked with the presumption that there will be hacker attacks and concentrated mostly on how to protect consumers.

Although supporters of the EFTA argue that financial Internet service providers are in a better position than general participants of the electronic financial transaction, it remains questionable and leaves much room to be rectified at least in the eyes of U.S.-trained lawyers like me. In the traditional jurisprudence of law and equity, is it fair and just to hold the financial Internet service providers (FISPs, mostly banks) strictly liable even without faults to be indirectly liable for any attacks from hackers?

Now since there is a move to amend the EFTA, though it is still not certain yet as to whether the banks will become less burdened after the amendment, I believe it is the right timing to revisit the EFTA almost three years after its debut.

The key issue about the EFTA is that the FISPs, mostly banks, in Korea under the act are ``strictly liable'' by ``vicarious rule'' in Internet  transactions. Of course there are some exceptions in the law for a few minor cases when the banks will be off the hook by proving the contributory negligence by its clients, for example when there is malice or gross negligence by the clients. The whole controversy can be boiled down to two questions:
1. Is it fair and right to hold the FISPs strictly liable for all the wrongdoings of electronic financial transactions?
2. Will the strict vicarious liability for the FISPs by the EFTA detect and prevent all the wrongdoings of electronic financial transactions?

Continue Reading at Korea Times

Heartland Breach Ramifications Thousands Don't Subscribe To

An interesting ramification to the Heartland Breach...because banks have "canceled" untold thousands of credit and debit cards, and reissued new ones, companies are seeing losses "in the millions of dollars" from automatic billing revenue that, is, well...not so automatic anymore. 

Automatic Billing which results in monthly subscription revenue has been, and is, being severely impacted.  The Heartland Breach has caused that bird in the hand to fly the coop...and it's safe to say some will litigiously blame the "non"payment processor.  Here's a great story from the Washington Post Blog "Security Fix:"


Security Fix - Heartland Breach Blamed for Failed Membership Renewals

Heartland Breach Blamed for Failed Membership Renewals - Brian Krebs | Security Fix

In February, Bill Oesterle began seeing nearly twice the normal number of transactions being declined for customers who had set up auto-billing on their accounts. The co-founder of Angie's List -- a service that aggregates consumer reviews of local contractors and physicians -- said he originally assumed more customers were simply having trouble making ends meet in a down economy.

But as that trend continued into March and April, the company shifted its suspicions to another probable culprit: credit card processing giant Heartland Payment Systems.

The data breach last year at Heartland -- a company that processes roughly 100 million card transactions a month for more than 175,000 businesses, has forced at least 600 banks to re-issue untold thousands of new cards in a bid to stave off fraud.

For consumers, receiving a new credit or debit card number means contacting companies that have those credentials on file to charge for monthly or periodic bill payments. Less well understood, however, is the economic impact that large scale processor breaches and the inevitable waves of re-issues by banks may have on companies when customers simply fail to reset that automatic billing when they receive a new card number.

The Heartland breach happened late in 2008 and was quietly announced in late January. Since then, Oesterle said, Angie's List has seen an increase of two to four percentage points in the rejection of auto-billed payments.

"We estimate that we're seeing an impact of perhaps as much as $1 million in revenue as a result of the increased turnover in card turnover," Oesterle said.

Oesterle said the possibility of the Heartland breach as the source of the increased turnover became clear at a recent staff meeting, when he discovered that three out of four of the people around the table had recently been re-issued new credit cards by their banks, which had attributed the action to the Heartland breach.

"So we started doing some random sampling, and took a look at people [whose cards were] being declined, and started contacting them," Oesterle said. "Most of the people we contacted said they were happy with the service, but had had their credit card re-issued by their bank as a result of the Heartland breach."

The trouble is that convincing customers who had once set up auto-billing to reestablish that relationship after such a disruption is tricky, as many people simply don't respond well to companies phoning or e-mailing them asking for credit card information, Oesterle said.

"We have processes in place to track these rejections that allow us to go back to members, asking for updated information, but we generally accept that some rejected auto-bills will never be recouped," he said. "We'll work hard to re-capture those members, but it will cost us additional resources to do so - and some will be lost."

Avivah Litan, a fraud analyst with Gartner Inc., said no doubt much of the attrition companies like Angie's List are seeing is in fact due to cards being re-issued by banks in response to the Heartland breach. But she said Heartland is likely also being wrongly blamed as the source of cards compromised in other -- less publicized -- data breaches that happened at the same time.

Continue Reading at Security Fix

Fugheddaboudit Says MS to EU on Hearing

Microsoft won't bother with EU hearing
Microsoft wanted the European Commission to reschedule a hearing at which Redmond would be able to defend itself against the EU's conclusion that tying IE to Windows is anticompetitive. The reason: Microsoft's top antitrust staff would be attending a big conference in Zurich. The EU declined. Microsoft's response: Just forget it.

Hannaford Lawsuits Dismissed...You Didn't Lose Money Says Judge

Dismissing Hannaford Lawsuits, Federal Judge Tells Consumers: Show Me The (Lost) Money

Written by Evan Schuman and Fred J. Aun
May 13th, 2009

U.S. District Court Judge D. Brock Hornby on Tuesday (May 12) became the latest jurist to rule in favor of data-breached retailers, telling Hannaford consumers that because they were compensated by their banks, they have no basis to sue civilly here.


“There is no way to value and recompense the time and effort that consumers spent in reconstituting their bill-paying arrangements or talking to bank representatives to explain what charges were fraudulent. Those are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence.”

The class-action-lawsuit-wannabe stems from last year’s data breach at the grocery chain, which exposed 4.2 million credit and debit cards and led to 1,800 reported cases of fraud. Similar to rulings from cases involving fellow data-breach retail victim TJX, Hornby said he couldn’t allow almost any of the defendants to continue with the case because the consumers hadn’t suffered out-of-pocket financial losses.

In an ironic sense, this all stems from the card brands’ zero liability programs. Those programs guarantee that consumers will have all fraud losses wiped clean. (The one defendant who can continue is a consumer whose fraud loss costs “for reasons unknown” were not covered by her bank.)

In his decision (full text copy available), Hornby rejected all but one of the claims brought by 21 plaintiffs against the Maine-based operator of more than 200 stores in New England, New York and Florida.

Continue Reading at StoreFrontBacktalk.com

X86 Virtualization Should Be Virtually 86'd - IBM

IBM security expert: X86 virtualization not ready for regulated, mission-critical apps
Created May 22 2009 - 11:32am

In a session on virtualization held at Interop Las Vegas this week, IBM security expert Joshua Corman argued that X86 virtualization is not ready for highly regulated, mission-critical applications. The problem is that virtualization opens up new attack surfaces, as well as presenting additional operational and availability risks.

In addition, the presence of advanced features--such as live migration of virtual machines--also increases the complexity. Besides the possibility of man-in-the-middle attacks designed to intercept unencrypted data when virtual machines are in transit, another pertinent question to ask is whether a virtual machine has been moved to a less secure machine.

Indeed, virtualization makes it difficult to meet regulatory requirements such as the PCI DSS. Corman, who is the principal security strategist for IBM's Internet Security Systems division, said, "If you have a choice, I highly recommend you don't adopt virtualization for any regulated project. If you're going to make mistakes, it's better to do so on less critical systems."
Ironically, though, Corman noted how obsession with compliance results in people giving up on risk management. He does offer some advice for organizations working with virtualization. For one, only Type 1, or bare-metal, hypervisors should be used for production applications. Also, production applications should be separated from those used for testing or development.

For more on this story:

- check out this article at Network World

RSA (EMC) Unveils New InfoSec Products to Protect PII


RSA, the security division of EMC, has announced a comprehensive suite that is expected to help organisations comply with the US Data Breach Notification Laws for protecting personally identifiable information (PII) and mitigate the risk of security breaches.

RSA is announcing three distinct packages of information security products, including two-factor authentication, security information and event management (SIEM) and data loss prevention (DLP) which are expected to be designed to meet the needs of mid-sized companies.

Reportedly, RSA SecurID prevents data breaches by enabling organizations to ensure that both business data and private customer data are available only to authorized users.

Continue Reading at CBR security


RSA Pledges to Tackle Credit Card Fraud

RSA pledges to tackle credit card fraud
Insurance firm offers package to help businesses.

Insurance provider RSA has launched a package of materials aimed at helping retailers tackle credit card fraud.

Credit card theft and cloning have been heavily in the news of late, with rising incidences and new security technologies both recently reported.  RSA has now launched a series of tools - including workshops and self-assessment questionnaires - which retailers can use to ensure they adhere to the Payment Card Industry's Data Security Standard, which is a series of measures aimed at tackling fraud.

"Retailers currently face a great deal of challenges with fragile sales and regular and frequent changes to legislation," said Des Cross, RSA retail director. "The threat of security attacks on their computer systems leading to the abuse of customer data is yet another growing worry for them and could prove costly to their reputation. We have created a package to help businesses keep all of these worries under control."

Some of the more novel approaches to tackling credit card fraud revealed lately have included a card with its own keypad and a card that can tell which country its owner is in.

US Bank and BofA Websites Vulnerable to XSS

Banking / Finance Alerts
Source: Softpedia
Complete item: http://news.softpedia.com/news/U-S-Bank-and-Bank-of-America-Websites-Vulnerable-112148.shtml


Description:
Cross-site scripting weaknesses have been discovered in two websites belonging to the Bank of America and U.S. Bank. The flaws facilitate potential phishing attacks, because they allow attackers to inject IFrames, hijack sessions, or prompt arbitrary alerts.

Cross-site scripting, more commonly known as XSS, is a class of vulnerabilities typically affecting web applications, which facilitates arbitrary code injection into pages. They are the result of poor programming, manifested by the failure to properly escape input that is passed into web pages, for example via form fields or URL parameters.

The flaws discovered in the websites of the U.S. Bank and Bank of America are referred to as non-persistent XSS weaknesses and are the most widely spread type in the class. This means that, while they can be exploited through URL manipulation, the injected code does not persist if the URL is changed.

Even if the actual risk posed by these weaknesses is lower than that of persistent XSS flaws, they are still dangerous for various reasons. For example, such malformed URLs can be used in complex phishing campaigns, significantly raising their credibility. This is because users are, obviously, more likely to visit unsolicited links pointing to domains they trust.

The latest vulnerabilities have been reported and documented by a grey-hat hacker calling himself Methodman, who is a member of Team Elite, a group of programmers and security enthusiasts. In his proof-of-concept (PoC) attacks, he outlines how attackers can sniff session cookies (text files stored by websites inside browsers in order to automatically authenticate users).

However, even if Methodman limited his PoCs to session hijacking attacks, this is not the only unauthorized action cybercrooks can perform through these flaws. As demonstrated by the screenshots we took ourselves, IFrame injection is also possible. IFrame is an HTML element, which allows loading externally hosted content into a web page.

IFrames are heavily used in most web-based attacks, because they can be entirely hidden. Hidden IFrames are generally used by malware distributors to load malicious JavaScript code in the background. However, styles can be applied to them fairly easily, which is a great advantage for phishers. For example, such an IFrame could be used to inject a rogue form, which asks for the visitor's financial details, and be made to look as if it were part of the legitimate page.

At the time of posting this article, the XSS weaknesses on the U.S. Bank and Bank of America websites remained active.
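The root cause the article names is reflecting a URL parameter into the page without escaping it. The snippet below is an added example (constructed, not code from either bank's site or from the article): a search page that reflects `q` verbatim, the same page with the parameter escaped for both the text and the attribute context, and a small check that tells the two apart. The host bank.example is made up.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed page: the "q" parameter lands in element text and inside a quoted attribute.
TEMPLATE = (
    '<html><body><h1>Results for: {q}</h1>'
    '<form><input name="q" value="{q}"></form></body></html>'
)


def reflected_query(url):
    """Return the q parameter of the request URL, or an empty string when absent."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url):
    """Reflects q verbatim: the non-persistent XSS pattern the article describes.

    Any markup in the URL becomes live markup in the response, which is exactly how
    an injected IFrame or script ends up inside a trusted page.
    """
    return TEMPLATE.format(q=reflected_query(url))


def render_fixed(url):
    """Same page with the parameter HTML-escaped.

    quote=True turns quotation marks into entities as well, so the value cannot break
    out of the value="..." attribute. Escaping is context-specific: this covers text
    and quoted attributes only, not JavaScript or URL contexts.
    """
    return TEMPLATE.format(q=escape(reflected_query(url), quote=True))


def reflects_markup(rendered, probe):
    """Detection helper: True when the probe string survived into the page unescaped."""
    return probe in rendered


if __name__ == "__main__":
    probe_url = "https://bank.example/search?q=<b>probe</b>"
    print(render_vulnerable(probe_url))
    print(render_fixed(probe_url))
```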

E-Secure-IT
https://www.e-secure-it.com

MasterCard Losing $30 Billion of Debit Portfolio to Visa

Source: Bloomberg
Complete Item: http://www.bloomberg.com/apps/news?pid=20601087&sid=afXOJIFHtiS0&refer=home
MasterCard Inc., the world’s second- largest electronic payments network, will lose more than half of a $59 billion portfolio of U.S. debit-card users after JPMorgan Chase & Co. decided to shift more business to Visa Inc., "two people" familiar with the matter said.

MasterCard held the portfolio since 2005, said "the people", who declined to be identified because the switch hasn’t been officially announced. The customers had checking accounts at Seattle-based Washington Mutual Inc. until JPMorgan bought assets of the failed lender last year, the people said. Bidding for the accounts began in October, "the people" said.

“We recognize that given the highly competitive nature of our industry and the challenging environment facing our financial institution customers today, decisions such as these can occur,” said Joanne Trout, a spokeswoman for Purchase, New York-based MasterCard. The move won’t have a material impact on MasterCard’s revenue, Trout said. (priceless?)

The shift strengthens Visa’s hold on debit cards as consumers use them for a bigger share of their purchases, including staples such as gasoline and food. Visa already controls about two-thirds of the U.S. debit market, according to the Nilson Report, an industry newsletter. Issuers are counting on more debit card use to make up for declining credit-card profit as the 8.9 percent U.S. jobless rate drives up defaults.

Continue Reading

Twitter Cloned at Tvviter: Be Aware!

Security experts warn on malicious tweets
Complete Item: http://www.sophos.com/blogs/gc/g/2009/05/21/beware-tvvitercom-video-live-twitter-phishing-attack/

Twitter users! Be warned that you could be the target of the latest phishing campaign that tries to persuade all you micro-bloggers into revealing your login details. Security researchers at Sophos warn that messages are being circulated that point Twitter users towards a website called tvviter.com (with two 'v's rather than a 'w'). (I wouldn't recommend you visit)  People who make the mistake of clicking on the link will be taken to a bogus (cloned) website which is pretending to be Twitter.

“It hopes to fool people into handing over their username and password,” Sophos said on one of its official blogs, which it reckons could lead ultimately to some painful identity fraud, as well as an account being used for the purposes of spam or spreading malware.
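The "two v's for a w" trick works because the eye folds confusable letter sequences into the brand it expects. A brand-protection team can do the same folding deliberately and compare the result against its own domains. The script below is an added example, not Sophos's tool or Twitter's: it folds common confusables (vv, rn, 0, 1 and so on), then scores the folded name against a constructed list of protected domains with the standard library's SequenceMatcher, so both character-substitution squats and one-letter typos are caught.

```python
from difflib import SequenceMatcher

# Brand domains to protect (constructed list for this example).
PROTECTED = ["twitter.com", "paypal.com", "bankofamerica.com"]

# Sequences that read as another character in many fonts. Multi-character
# entries come first so "vv" becomes "w" before single characters are folded.
CONFUSABLES = [
    ("vv", "w"), ("rn", "m"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b"),
]


def fold_confusables(name: str) -> str:
    """Rewrite a domain the way a hurried reader perceives it."""
    s = name.lower()
    for seq, rep in CONFUSABLES:
        s = s.replace(seq, rep)
    return s


def registrable(hostname: str) -> str:
    """Crude registrable domain: the last two labels (adequate for .com names)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_verdict(hostname, protected=PROTECTED, threshold=0.85):
    """Classify a hostname against the protected brands.

    Returns (brand, reason):
      ('twitter.com', 'exact')      the brand's own domain
      ('twitter.com', 'lookalike')  folds to the brand, or sits within a
                                    small edit distance of it after folding
      (None, 'none')                nothing close enough
    """
    cand = registrable(hostname)
    folded = fold_confusables(cand)
    best, best_score = None, 0.0
    for brand in protected:
        if cand == brand:
            return brand, "exact"
        score = SequenceMatcher(None, folded, fold_confusables(brand)).ratio()
        if score > best_score:
            best, best_score = brand, score
    if best_score >= threshold:
        return best, "lookalike"
    return None, "none"


if __name__ == "__main__":
    # Constructed inputs: the squat from the article plus a few controls.
    for host in ["tvviter.com", "mail.twitter.com", "paypa1.com", "example.org"]:
        print(f"{host:18s} -> {lookalike_verdict(host)}")
```

Run this over newly registered domain feeds or over the link targets in inbound mail and tweets, and alert on every 'lookalike'. The threshold is deliberately loose; tune it against your own brand list, since short brand names produce more accidental near-misses than long ones.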

Editor's Note: There are those ever-present "username and passwords" causing problems again. And yet another cloned website. When Twitter gets serious about TwitPay I hope these whispers are heard as shouts and they use secure 2FA (not username and password).

4 in L.A. Charged in $400k Citibank ATM Skim Scam

4 Charged in San Fernando Valley "Skim" Scam after milking $400k from a Citibank ATM
Source: KTLA News
Complete Item: http://www.ktla.com/news/landing/ktla-atm-scam,0,6322452.story

LOS ANGELES - Four San Fernando Valley men are charged in an alleged electronic crime scheme in which more than two dozen victims lost more than $400,000 via phony ATM withdrawals.  Oganes Tangabakyan, 31, and Edgar Yerkanyan, 25, both of Sherman Oaks, Aznaour Poghosyan, 26, of Tujunga; and Vahe Hovsepyan, 33, of Reseda, are scheduled to be arraigned May 28 at the downtown Los Angeles courthouse on the 57-count complaint.

The investigators also seized several late-model, high-end automobiles and more than $200,000 in cash -- most of it in $20 bills, officials said.

The District Attorney's Bureau of Investigation began investigating the case last August after being informed by Citibank of possible ATM fraud, according to the District Attorney's Office.

The defendants allegedly gained access to ATM personal identification numbers through skimming devices placed on debit card point of service terminals and ATMs in Southern California and at least one other state.

Bail was set at $1 million each for the four men, who were arrested Tuesday.

ATM Skimming Epidemic Hits Australia

In an article written for Australian PC Authority, Daniel Long talks about the recent rash of card skimming incidents over there. 
Credit card fraud costs Australia $120m, but there are ways to protect yourself

Card skimming and online fraudsters are costing Australians over $120m a year, but there is hope say experts. We've got some tips on how to navigate your local ATM and what to look out for.

According to a new white paper by information security specialist Steve Darrall of CQR Consulting, Australia is experiencing something of a credit card fraud epidemic.

In recent months, ATM machines have been blown sky high, card skimming machines have grown increasingly more prevalent in our suburbs and credit card fraud, online and offline is at an all-time high.

The white paper claims that card skimming alone now costs Australians more than $49m a year, and that's just in 2008. In all, total credit fraud made up around $120m from two main groups:

- Counterfeit cards and card skimming ($49m)
- Card not present fraud (CNP) concerns your mail, telephone, fax and internet transactions. ($71m) 

Two banking security initiatives have been offered by CQR as a better way of protecting against credit card frauds and they hope that the wider adoption of these measures can help the banks/card companies better protect consumers:

1. Payment Card Industry Data Security Standard (PCI-DSS):
Developed by the major credit card brands, this standard applies to all organizations that store, process or transmit cardholder payment data, regardless of size or transaction numbers.

2. Payment Application Data Security Standard (PA-DSS).
This standard applies to software applications designed to store, process or transmit payment card information.

Mr Darrall believes that what's holding back the mass adoption of these standards are the costs and the mindset of the merchants. Darrall told PC Authority that while the banks are very interested in adopting these standards, merchants have not been so crash hot about the idea. Furthermore, this isn't an area for complacency. Even with the introduction of more advanced chip and PIN cards, "this isn't the magic bullet" we might be hoping for, but a step in the right direction says Mr Darrall.

The card skimming problem

Even with the growth of online fraud and banking phishing schemes, physical card skimming is a growing problem. Physical card skimming uses electronic equipment to steal your PIN at the ATM. And it can be much harder for customers to detect.

ATM skimming is getting so high tech that some gangs are resorting to using Bluetooth and fake keyboards to 'catch' your PIN when you enter it, so holding your hand over the keyboard will make little difference in this case.

But according to Mr Darrall, there are techniques you can use to minimize your risk.  (Continue Reading)

Thursday, May 21, 2009

Comparing Apples to...Let's Just Say "The Real Deal"

The HomeATM Blog has spent considerable time in its efforts to "attempt" to educate readers about payments security (and/or the lack thereof). Here's a quick rant on mobile phone security.

iCan't help but cringe (the first time iLaughed) every time I see that iPhone commercial, you know the one that shows somebody entering their credit card iNformation iNto an iPhone.  Are they freaking iNuts? iDon'tGetiT.

Here's why:  When you do that you are entering your valuable credit card iNformation iNto a "BROWSER."  Any guesses as to why they call iT a browser?  iF anyone said: "Because hackers can browse for iNformation on iT" congrats!  So here's my beef: "Where's the Security?"

iUnderstand the hoopla and the fact that there iS a rush to market for applications that enable mobile phones as payment devices, but we (hopefully) already have learned that web browsers ARE NOT SAFE.  Question: What does a mobile phone use?  Yup.  So what iS the only logical conclusion you can come to?  Yup.

Have we learned NOTHING from the errors of our ways?  You don't type your PAN (Primary Account Number) iNto a web browser or iT can be seen by anyone who wants to see iT. 

Case in Point: 
A recent study by an American security company found that 93 per cent of mobile devices in the US lack data loss protection and other systems to prevent a data leak. - Source: Credant Technologies 11/18/08


So why on earth have we "graduated" (we shoulda been held back) to typing our number iNto a phone?  The security on a phone iS certainly less formidable than Web security.   Slow down people...Haste makes Waste.  Do iT Right.

As iN the case of the web, payments need to be done "outside the browser" and they need to be done securely.  That said, here iS an example of a "secure" mobile payments application...


1. Plug in the world's first and only PCI 2.0 Certified 3DES, Protected by DUKPT end to end encrypted PIN Entry Device
2. Swipe your credit or debit card (and thus your PAN & Track 2 data on the magstripe) ONE-TIME!
3. Enter your PIN (if applicable) ONE-TIME!   (Repeat with any credit/debit card you'd like to enable in your iWallet) 



The result?  Your sensitive PAN and PIN (and your Track 2 data) is "instantaneously" encrypted "outside the browser space" and henceforth protected by the aforementioned "military grade" encryption.  The cardholder data is NOT decrypted until it arrives safely into a secure HSM (hardware security module) at our processing NOC (Network Operations Center).
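To make the three steps above and the "not decrypted until the HSM" claim concrete, here is an added example of the data flow, written for this post and not HomeATM's or any vendor's code. The ISO 9564 format-0 PIN block construction is the real one (it XORs the PIN with the PAN, so a captured block is bound to one card). The per-transaction key derivation is an HMAC-SHA256 stand-in for the ANSI X9.24 DUKPT/3DES scheme a certified PED actually uses, chosen so the example runs with the standard library; the base key, device id, PAN and PIN are all constructed test values.

```python
import hashlib
import hmac

# Model of "encrypt in the PIN entry device, decrypt only in the HSM".
# Key derivation is an HMAC-SHA256 stand-in for DUKPT/3DES (X9.24), not the
# real algorithm; the format-0 PIN block is the genuine ISO 9564 layout.
# All key and card values below are constructed for the example.


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0: 8-byte PIN field XOR 8-byte PAN field."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    # Nibble 0 = format 0, nibble 1 = PIN length, then PIN, padded with F.
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    # 0000 + rightmost 12 PAN digits excluding the check digit.
    pan_field = bytes.fromhex("0000" + pan[:-1][-12:].rjust(12, "0"))
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


def iso0_pin_from_block(block: bytes, pan: str) -> str:
    """Inverse of iso0_pin_block; only the HSM, which holds keys, calls this."""
    pan_field = bytes.fromhex("0000" + pan[:-1][-12:].rjust(12, "0"))
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    length = int(pin_field[1], 16)
    return pin_field[2:2 + length]


def transaction_key(bdk: bytes, ksn: bytes) -> bytes:
    """Per-transaction key bound to the key serial number (DUKPT stand-in)."""
    return hmac.new(bdk, b"txn-key" + ksn, hashlib.sha256).digest()


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for 3DES: XOR with a key-derived stream (8 bytes used)."""
    stream = hmac.new(key, b"stream", hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


def ped_encrypt(bdk: bytes, device_id: bytes, counter: int, pin: str, pan: str):
    """PED side: returns (ksn, ciphertext). The phone app only sees these."""
    ksn = device_id + counter.to_bytes(5, "big")   # device id + txn counter
    block = iso0_pin_block(pin, pan)
    return ksn, _xor_stream(transaction_key(bdk, ksn), block)


def hsm_decrypt(bdk: bytes, ksn: bytes, ciphertext: bytes, pan: str) -> str:
    """HSM side: re-derive the transaction key from the KSN and recover the PIN."""
    block = _xor_stream(transaction_key(bdk, ksn), ciphertext)
    return iso0_pin_from_block(block, pan)


if __name__ == "__main__":
    BDK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")   # constructed
    DEV = bytes.fromhex("FFFF9876543210")                     # constructed
    PAN, PIN = "4012345678909", "1234"                       # constructed
    for counter in (1, 2):
        ksn, ct = ped_encrypt(BDK, DEV, counter, PIN, PAN)
        print(f"txn {counter}: ksn={ksn.hex()} ciphertext={ct.hex()}")
    print("HSM recovers:", hsm_decrypt(BDK, ksn, ct, PAN))
```

Two properties are worth checking in the output: the same card and PIN produce a different ciphertext on every transaction because the key changes with the counter in the KSN, and decrypting a block against the wrong PAN yields garbage rather than the PIN, which is the card binding that format 0 provides. The browser, or the phone app, never holds the base key, so nothing it can leak reveals the PIN.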

Your phone is now "safely and securely" forever enabled as a payments device and your PAN, your Track 2 data and your PIN is NEVER in the clear...so you are.    Simply pass along the HomeATM PCI 2.0 Certified PED to a friend or family member and they can also "securely enable" their phone as a payments device. 

But NEVER type your PAN into a browser unless you want to "share the wealth."  We say it is eminently more intelligent to "share the HomeATM PIN Entry Device" in order to enable friends and family to safely transact on their mobile phone.


Oh...BTW...in a related (rush to market) story, Intuit, the maker of QuickBooks software for small businesses, is announcing a new service called Intuit GoPayment, (where does it Go?) that will put credit-card processing technology into most cell phones, paving the way for electricians, tow-truck drivers or any other mobile workers who normally depend on sending a bill, collecting a check or sticking to a cash-only model to collect immediate payment.  (Yeah, electricians, tow-truck  drivers, pizza delivery drivers, etc. could also be enabled with our "Don't Go/Stay Secure Payment" application as well.)

But the system does more than just allow mobile workers to collect payment. It also allows users to tap back into their Quickbooks accounts to input different types of information, such as invoicing or estimate information and synchronize it with the Quickbooks data back at the home office.  Yeah, that sounds safe too!
