Wednesday, January 7, 2009

Got Hacked? Bank on It

In December, I posted twice about Fiserv's CheckFree hack, whereby their domain name was "webjacked" (see: CheckFree Not Hackfree and/or CheckFree Not Hackfree 2).

So, for the third time (but only the first time this year) I'm covering an article written about domain name webjacking...this time from USBanker.


I'm sorry to report that it doesn't look like this will be the last time this year that I'll be talking about webjacking (for lack of an official word). Some observers say they've seen signs that these webjack attacks will become almost as common as a Gulf of Aden pirate attack.

When I wrote in the first post, "Imagine how exponentially more 'effective' the 'webjacking' would have been if unsuspecting users were 'redirected' to what looked to be CheckFree's site vs. a blank page," I was hinting at the fact that it was most likely only a test.

After all, why would someone go through the hassle of bringing CheckFree users to a blank page when they could have brought them to an exact replica of CheckFree's log-in site? That's probably the easiest part to create in the whole scheme. I'm purely speculating here, but maybe they were simply running a test which gave them insight as to how they could take full advantage of the "httbs" in the "https" (prior to "researchers" having "let the cat outta the bag" in Berlin last week).

I mean, who's to say that these "White Hats" (as they are also known) are always beating the "Black Hats" to the starting gate? What if the opposite is true? Maybe these Black Hat guys are light years, well maybe not light years, but dark years ahead of us?

One thing I am sure of...I'm sure there are a lot more "Max Visions" out there than we are led to believe. Keep in mind that the Max Visions of the world are working at cracking code "full-time." They're hackers, not slackers. On the flip side of the equation, most "White Hats" are hobbyists (they used PlayStation 3s, for chrissakes :), go to MIT (see: Sorry Charlie, You've Been Hacked), while others have full-time jobs (for instance, those very same MIT students who were then hired by the MBTA as a reward for hacking into their system)...see related stories below for more.


Black Hats not only work "full-time" on hacking, and subsequently on wreaking havoc on financial institutions and account holders, but there's a bigger picture beyond just the hack itself. Where do you think a good portion of the money goes? Suffice it to say that, unlike the Chicago White Sox mantra, good guys don't wear black.

That said, let's see what we're up against here...

There are unsafe web browsers, and then there's webjacking, phishing, whaling, wardriving, malware, keylogging, screen capturing, skimming, pharming, spyware, botnets, worms, viruses, DoS attacks, packet sniffers...(you starting to get the picture?) So what is an online shopper to do?

I once again state that the best way to purchase via the internet is with your own personal card-swiping device. It could even be used to log on to your online bank. Just swipe and enter your PIN.

Hey...maybe the banks, who are already at huge risk, could mitigate some of that very same risk and, at the same time, keep their customers from getting burnt. I have a toast. Here's to a campaign similar to the one they ran back in the '50s and '60s, only this time they give away our personal swiping devices. Otherwise, if this continues, which it will, they're toast...

Sorry, kinda got off on a tangent there...here's more on "when hackers take control of a bank domain  name" with more instances to follow...I'm sure of it...(said the same thing about skimming last year) 

From the American Banker publication USBanker:


Security experts are warning financial companies of a relatively new type of computer attack in which hackers gain control of a bank's domain name.

The technique gained widespread attention last month when hackers briefly took over the domain names of Fiserv Inc.'s CheckFree bill payment unit, and observers say they have seen signs that this form of attack will be used more widely this year.

The domain name system, or DNS, attack "in late 2008 has started getting a lot of attention from attackers, as opposed to past years, when this area was pretty quiet," Amit Klein, the chief technology officer at Trusteer Ltd. of Tel Aviv, said in an interview.



"The major reason" for the trend, he said, "is that attackers found out that it's much easier to get users to browse to so-called legitimate sites rather than direct users to sites that are obviously not legitimate."

Most phishing attacks involve fake sites that replicate a bank's site but must be hosted elsewhere. In some cases, fraudsters are able to register domain names that include the brand of the site they are imitating, but people who type banks' domain names into the browser each time they visit would typically not be directed to fake sites.

Because consumers are aware of such ways to avoid false sites, "the effect of phishing, at large, is somewhat less than it used to be," which has prompted attackers to seek new methods, Mr. Klein said.

A DNS attack "does take a bit more expertise" than phishing does "but not a lot more," he said, especially since expertise can be bought. "Everything that's very sophisticated today becomes a kit within a year or two … if it's proven successful enough."
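The attack Klein describes leaves a footprint that a bank can watch for itself: the domain's authoritative nameserver set changes, or the site's address suddenly points somewhere the bank does not operate. The script below is an added example, not code from USBanker, Trusteer or Fiserv. It compares dig-style answer lines against a recorded baseline; the domain `bank.example`, the nameserver names, the netblocks (RFC 5737 documentation ranges) and the answer lines are all constructed for the illustration and are not CheckFree's real records.

```python
"""Detect a possible domain hijack ("webjacking") from DNS drift.

Added example, not from the USBanker article or from Trusteer/Fiserv.
A hijacked domain usually shows up as a change in the authoritative
nameserver set, or as an A record pointing outside the netblocks the
bank actually operates. Baseline and answer lines are constructed.
"""
import ipaddress
import re

# Baseline a bank would record while its domain is known-good (constructed).
BASELINE = {
    "domain": "bank.example",
    "nameservers": {"ns1.bank.example.", "ns2.bank.example."},
    "netblocks": ["192.0.2.0/24", "198.51.100.0/24"],  # RFC 5737 ranges
}

# Lines in the shape `dig +noall +answer` prints: name ttl class type rdata
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)$")


def parse_answers(lines):
    """Return (nameservers, addresses) found in dig-style answer lines."""
    nameservers, addresses = set(), set()
    for line in lines:
        m = ANSWER_RE.match(line.strip())
        if not m:
            continue  # comments and record types we do not track
        _, _, rtype, rdata = m.groups()
        if rtype == "NS":
            nameservers.add(rdata.lower())
        else:
            addresses.add(rdata)
    return nameservers, addresses


def check_drift(baseline, answer_lines):
    """Return a list of findings; an empty list means no sign of hijack."""
    nameservers, addresses = parse_answers(answer_lines)
    nets = [ipaddress.ip_network(n) for n in baseline["netblocks"]]
    findings = []
    unexpected_ns = nameservers - baseline["nameservers"]
    missing_ns = baseline["nameservers"] - nameservers
    if unexpected_ns:
        findings.append(f"NS delegation changed: unexpected {sorted(unexpected_ns)}")
    if missing_ns:
        findings.append(f"NS delegation changed: missing {sorted(missing_ns)}")
    for addr in sorted(addresses):
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            findings.append(f"A record {addr} is outside the bank's netblocks")
    return findings


# Constructed answers: a normal day, and a day the delegation was changed.
NORMAL_ANSWERS = [
    "bank.example.  3600  IN  NS  ns1.bank.example.",
    "bank.example.  3600  IN  NS  ns2.bank.example.",
    "www.bank.example.  300  IN  A  192.0.2.10",
]
HIJACKED_ANSWERS = [
    "bank.example.  3600  IN  NS  ns1.free-dns-hosting.invalid.",
    "bank.example.  3600  IN  NS  ns2.free-dns-hosting.invalid.",
    "www.bank.example.  300  IN  A  203.0.113.7",
]

if __name__ == "__main__":
    for label, answers in (("normal", NORMAL_ANSWERS), ("hijacked", HIJACKED_ANSWERS)):
        print(label, check_drift(BASELINE, answers) or ["no drift"])
```

Run it from several vantage points (a resolver inside the bank and a couple of public ones), since a registrar-level change propagates unevenly; an NS finding is the strong signal, while a lone A-record finding can also be a legitimate CDN or hosting move that the baseline has not caught up with.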











Tuesday, January 6, 2009

Anti-Skimming Recommendations from SEPA

I've covered card skimming on this blog extensively in 2008.  There's a big problem in Europe, where they have instituted EMV, with having the magstripe skimmed there, then transferred onto cloned cards, and used in the United States, where EMV is nowhere to be found.  SEPA (Single Euro Payments Area) has now released recommendations to fight skimming in Europe. 

Here's page one of a three-page PDF. Click here to open the PDF file in full.

INTRODUCTION

The growth of skimming fraud is a major driver for the rollout of EMV across the SEPA. This should be completed by 2010 and it has already resulted in dramatic reductions in the use of fraudulently duplicated cards in the countries where it has been introduced. However, it has also resulted in fraudulent transactions migrating to countries where EMV has not yet been implemented or is not planned, often outside the SEPA area. As many such countries have no plans to introduce EMV, cards will continue to have both mag-stripe and chip and therefore there will remain a significant risk of a fraudster skimming a magstripe in an EMV country and using the duplicate card in a non-EMV country or environment.

BACKGROUND

Card skimming involves the capture of a card’s mag-stripe information (which may be debit, credit or ATM only), and matching it with the card’s PIN number in order to produce a duplicate card. This may occur at ATMs, Point of Sale (POS), or indeed any other location where a customer uses their card and PIN.

The mag-stripe information is captured by fitting an additional card-reader over the ATM’s card slot and the PIN is usually obtained by the use of micro cameras, although “shoulder surfing,” may also be used. This information is then stored on a chip within the skimming device or more usually transmitted immediately to a lap-top PC nearby. Devices are usually attached to ATMs for short periods e.g. 20 minutes and the device is usually being observed. For this reason ATMs which are busy and which have ample adjacent parking are particularly attractive to fraudsters.

The duplicate card can then be used in a non-EMV ATM, or if the duplicate card passes visual inspection, Point of Sale (POS). Information on the chip is not captured which means that the card cannot be used in an EMV environment and this normally limits use to locations where EMV has not been introduced. Fraudulent data may be sold on and mixed with other sources of data and the actual card production may be months after the data was captured, although on other occasions duplicate cards have been used less than 24 hours after the attack.

With a duplicate card a bank account can be drained until there are no funds available, or in the case of a credit card, until the credit limit is reached. As ATM usage is subject to daily withdrawal limits, these transactions usually take place close to, or at the daily limit over a number of days. EAST (European ATM Security Team), reports that the number of cases of skimming remains high across Europe with over 4,501 ATM incidents in 2007, resulting in losses of over €438 million.

PIN Debit Payments Blog


Twitter Outwitted


First there was Facebook, and now Twitter users have been lured into a phishing scheme causing some users to give up their Twitter username and password to a site "masquerading" as Twitter.com. (This is what easily could have happened to CheckFree users instead of them being brought to a blank page...and what will happen more and more in the not-so-distant future. This may be a drill, to test the waters. I predict it will happen frequently in 2009 and I predict there will be a post on the subject tomorrow morning...adorned with the same graphic that's on the laptop on the right...)

The phishing links arrived as direct messages, usually saying something like “hey! check out this funny blog about you….” If you clicked on the provided link your browser was redirected to the URL twitter.access-logins.com, which looks just like the main Twitter login page, but steals your credentials. 

With a main domain name of access-logins, this phishing scheme is not what you’d call subtle, but if you’re worried you might have been duped, the Twitter blog suggests changing your Twitter password. It appears that all the scammers did with the captured login info is send more direct messages, furthering the scam. If you’ve been suckered, Twitter will reset your password for you.

While Twitter did a good job of containing the problem, the suggestion that you not give out your “secret info” is a bit ironic since that’s the only way you can access Twitter through third-party sites and apps.

News of the attack led many a savvy Twitter user to gripe about the service’s lack of OAuth support, but, while OAuth would allow third party sites to access your Twitter account without giving up your password, it wouldn’t completely stop phishing attacks.

But OAuth would have one huge benefit that could lessen phishing attacks on Twitter: it would get users out of the habit of giving their Twitter username/password to any cool new site that pops up without thinking about the potential side effects — like the fact that you just gave an unknown party complete access to your account...

Read more at wired.com
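The trick in twitter.access-logins.com is that "twitter" is only a subdomain label; the part the attacker actually owns is access-logins.com. The script below is an added example, not code from Wired or Twitter, showing the check a mail or proxy filter would apply: find the registrable domain of the host and see whether it belongs to the brand whose name appears in the URL. It approximates the registrable domain as the last two labels, which is an assumption (it is wrong for suffixes like .co.uk, where a public-suffix list is needed); the sample URLs are constructed, and the `.invalid` hosts are placeholders.

```python
"""Flag phishing URLs that put a brand name in front of someone else's domain.

Added example, not from the Wired article or from Twitter. The brand
table and the sample URLs are constructed for the illustration.
"""
from urllib.parse import urlsplit

# Brand -> registrable domains that legitimately host its login page (constructed).
KNOWN_BRANDS = {
    "twitter": {"twitter.com"},
    "facebook": {"facebook.com"},
}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption: no public-suffix list is used, so 'shop.example.co.uk'
    would wrongly come back as 'co.uk'; a real filter needs the PSL.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return (brand, verdict); verdict is 'legitimate', 'lookalike' or 'unknown'."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    for brand, domains in KNOWN_BRANDS.items():
        if reg in domains:
            return brand, "legitimate"
        # The brand string appears in the host (as a subdomain label or
        # embedded in the registrable domain) but the owner is someone else.
        if brand in host.lower():
            return brand, "lookalike"
    return None, "unknown"


# Constructed samples: the real login page, the Wired-style lookalike,
# a brand-as-subdomain variant, a brand-in-domain variant, and an unrelated site.
SAMPLES = [
    "https://twitter.com/login",
    "http://twitter.access-logins.com/",
    "http://www.facebook.com.secure-update.invalid/login",
    "http://twitter-login.invalid/",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        brand, verdict = classify_url(u)
        print(f"{verdict:10} {brand or '-':9} {u}")
```

The "lookalike" verdict is a prompt for a closer look rather than proof of phishing (a legitimate third-party Twitter client is also "someone else's domain" with the brand in its name), which is the same point the article makes about OAuth: the fix is to stop handing the real password to any site but the real one.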



The Glitch That Stole Christmas?

ONE-THIRD OF ONLINE SHOPPERS ENCOUNTERED GLITCHES THIS HOLIDAY SEASON, NEW GUIDANCE SURVEY REVEALS

Some 64 Percent Shopped Online Without Incident -- While 37 Percent of Those Online Didn’t Shop the Web at All

Source: Guidance/Synovate Survey




MARINA DEL REY, Calif. - In what may have been the most closely-watched holiday shopping season in the short history of the online medium, some 36 percent of online shoppers ran into roadblocks en route to buying that gift – ranging from molasses-like website response to fruitless efforts to check out, to outright system crashes.

That’s the principal finding of a new nationwide survey from Guidance, conducted through December 23. In association with Chicago market researcher Synovate, Guidance asked 1,000 online consumers, “When you think of online shopping this holiday season, which of the following have you had issues with?”

The findings come amid a dramatically weakened economy, declining brick-and-mortar retail sales, a shortened holiday shopping season – due to a late Thanksgiving – and uncertainty about whether online shoppers would pick up the slack.

The Guidance/Synovate survey revealed that 64 percent of shoppers completed their purchases incident-free. At the same time, 37 percent of those online skipped Internet shopping altogether, a small percentage of whom reported doing so because of problems in the past. Of those who reported trouble this year, 13 percent said they had to abandon a very slow website while they were trying to shop, 8 percent said a website froze or crashed altogether, 7 percent could not complete a purchase on their first attempt, 6 percent tried to access a website that was down temporarily and 4 percent said a purchase they thought they had completed actually didn’t go through.


According to the survey, online shopping hassles affect the overall degree to which people will shop online. Across nearly every demographic breakdown -- other than race -- the group least likely to say their online shopping was incident-free was also the group least likely to shop online.


Crash-Free Commerce

“While online shoppers may have escaped the ferocious winter weather, a significant number didn’t elude the issues that tend to afflict overburdened, under-engineered eCommerce sites,” said Jason Meugniot, Guidance CEO and Owner. “Ideally, every shopping cart that is not abandoned by the shopper should be converted – and every one that doesn’t sends a message to the consumer. Uptime, speed and reliability ought to be prerequisites of the online shopping experience. Still, I’m heartened by the success that many online shoppers enjoyed, especially since deep discounts, special offers and free shipping/returns made online shopping a better value than ever this season.”

Among the survey’s major findings:


  • Women were more likely to say their purchases were completed without incident (44 percent, compared with 36 percent of men).
  • Respondents at both ends of the age spectrum seemed to have more problems than their counterparts overall: just 35 percent of both the 18-24 and the 65+ age groups said their shopping was incident-free, versus 40 percent of the overall sample. Respondents 25-54 were most likely to say their online shopping was incident-free: 44.5 percent of those 25-34, 46.5 percent of those 35-44, and 40 percent of those 45-54.
  • That might explain why the youngest and oldest also were the least likely to shop online: nearly half of both groups (45 percent of those 18-24, and 48 percent of those 65+) said they didn’t shop online at all this holiday season. The group most active online were those between the ages of 35 and 44: just one-quarter of them (26 percent) did not shop online.
  • Those with higher incomes had an easier time of it: just 27.5 percent of those who earn less than $25,000 per year said they didn’t encounter problems, compared with 46 percent of those who earn more than $75,000.
  • Weather wasn’t the only thing bedeviling those in the nation’s midsection. Respondents in the Midwest were far more likely to experience problems: only 29 percent reported no problems, compared with 44 percent for those in both the Northeast and the South, and 42.5 percent of those in the West. Respondents in the Midwest were also least likely to shop online: nearly half (46 percent) said they didn’t shop online, while just 30.5 percent of those in the Northeast agreed.
Guidance has been designing, developing, hosting and managing eCommerce websites for clients since 1995.

“Keeping an eCommerce website up and running smoothly requires more than simply lining up enough servers,” said Meugniot. “Retailers need application support for the database, the eCommerce apps and the website itself – and a partner that understands how everything works together. Finding an experienced and reliable hosting and managed services provider is vital, to make sure retailers capture every transaction and keep customers coming back for more.”

The Guidance/Synovate survey has a margin of error of +/- 3 percent. For a full copy of the survey results and a graphic presentation of top-line data, email info@edgecommunicationsinc.com.


About Guidance
Since 1993, Guidance (www.guidance.com) has helped companies seize opportunities and solve problems through the innovative and practical use of technology. Guidance designs, builds and maintains eCommerce websites for retailers that are pure-play online or multi-channel – creating captivating experiences so consumers will buy more, come back often and value greater engagement with the retailer. Guidance's systems facilitate $500 million in online sales every year. Members of the Guidance team are seasoned professionals, passionately committed to providing technical leadership and powering ingenuity. Key clients include Foot Locker, GEARYS Beverly Hills, Relax the Back, Salvation Army, and many others. Guidance is based in Marina del Rey, Calif.



Encrypted Email for Donors/Client Info

The "e" in e-mail now stands for "encrypted?"

Michele Donohue writes for The NonProfit Times about a new Nevada (and Massachusetts) state law requiring encryption of personal-information email transmissions that contain donors' credit/debit card information...

States Push To Encrypt Donor/Client Info
Michele Donohue

Fred Schultz, CEO and founder of the Foundation for Positively Kids (FPK) in Las Vegas, deals with a lot of confidential information in his program for medically-dependent children. The organization stores names, addresses, medication, family information and donor credit card information.

A good portion of that information arrived via email. That system now must be overhauled to accommodate a new Nevada law that requires personal information transmissions to be encrypted.

“We are trying to take care of sick and dying kids -- why do I have to worry about a new Nevada encryption law?,” Schultz asked rhetorically.

Nevada is not alone. A data security measure became law on January 1 in Massachusetts and it is being talked about in several other states. FPK’s information technology (IT) support implemented a new program that would require recipients to have a password to access sensitive emails. “It’s the law, and whether it has teeth behind it or not, there has to be an effort made by nonprofits large and small to try to abide by what the new statute would be,” he said.

The Nevada law, which falls under Nevada’s Miscellaneous Trade Regulations and Prohibited Acts, states that personal information cannot be transferred through electronic transmission outside a secure system unless it’s encrypted.

Both Nevada and Massachusetts define personal information as: “a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: (1) Social security number, (2) Driver’s license number or identification card number, and (3) Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.”

The Nevada statute holds organizations financially accountable for security breaches, which could include civil suits from affected parties... (continue reading at NonProfitTimes)

Barclay Up the Wrong Tree?

From what I've read, the jury's still out on whether NFC is secure. WEP wasn't. We'll see. Barclaycard is smart...they're playing both sides: everything remains the same with their IC debit cards, except for the addition of an embedded NFC chip. If Near Field Communication is proven secure by then, Barclays will be ready by 2011. Will NFC be?

Barclays Goes Contactless on Debit Cards

Barclays customers will soon be able to pay their way with the wave of a card as the bank is set to be the first in the UK to roll-out contactless VISA debit cards to its customers.

From March, most Barclays debit cards that are issued or reissued will have contactless technology built in as standard. More than three million customers are expected to be using contactless debit cards by the end of the year.

The cards use contactless technology to enable transactions of £10 or less to be paid for by holding the card up to a special reader, without the need to enter a PIN or insert the card into a terminal. The transaction is debited directly from the customer's current account in the same way that a standard card transaction is. The cards will still have chip and PIN which will be used for purchases and for ATM transactions. Periodically the card will prompt for the PIN to be entered to verify the customer's identity.

Mark Parsons, Managing Director of Current Accounts for Barclays, said: "Barclays has long been a pioneer in banking. We were the first to launch the debit card in 1987 and now we are the first to give our customers the latest incarnation ­- the contactless debit card. This gives people a new way to pay for things that is quick, secure and convenient and we are confident that it is going to be really popular with customers."

Over 8000 retailers already accept contactless payments with more installing the technology every week. Barclaycard was the first to introduce contactless technology on credit cards in the UK in September 2007 with the launch of Barclaycard OnePulse, the three in one oyster, credit and contactless card.

For more information on Barclays contactless debit cards go to barclays.co.uk/contactless. To search for outlets which accept contactless payments visit the Visa website at visapaywave.co.uk

Source: Press Release



E-Commerce Not Safe in Web Browser Followup

SSL Crisis Averted -- For Now - DarkReading
Last Friday, I posted about a "serious vulnerability" within ALL web browsers, and that a "key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability."

(see my post "E-Commerce and Browsers Don't Mix")

Yesterday, Dark Reading said the SSL crisis has been "possibly" (there's no way of knowing) averted...for now anyway. (As a die-hard Cubs fan, I cannot resist the temptation to add the famous "Wait 'til next year" mantra. Wait...since last week, this week IS next year...)

Anyway, here's a portion of that article.  To read it in it's entirety, click the link at the bottom of this post...


SSL Crisis Averted -- For Now

VeriSign quickly fixes vulnerable SSL digital certificates at risk of newly revealed hack, but experts say there's no way to know for sure if phony certificates exist from previous attacks 

Jan 05, 2009 | 02:55 PM
By Kelly Jackson Higgins - DarkReading

It took VeriSign only four hours to close a hole that had left customers of some of its digital certificates vulnerable to a new attack revealed by researchers just before the new year. White-hat hackers exploited a known weakness in the algorithm in some digital certificates that allowed them to impersonate secure Websites.

While the attack was considered deadly due to its transparency and ability to mimic a secure Website, the good news is that it was isolated to only a minority of digital certificates that use the older and less secure MD5 algorithm. According to Netcraft, about 15 percent of all digital certificates in December were signed with MD5.  (Editor's Note:  The bad news is that 15 percent of all digital certificates were signed with MD5)

The researchers demonstrated at the 25th Chaos Communication Congress in Berlin last week how they were able to purchase a legitimate certificate from RapidSSL, which is part of VeriSign, and then forge a phony trusted certificate authority.

Story continued at Dark Reading
  (but before you go...here's an additional snippet)

End of (threat) story? Not exactly. Although researcher Alexander Sotirov admits it's unlikely the attack has been performed before, he and other researchers say there's still no way to know for sure: "Even though it's unlikely, the theory behind our attack has been published since 2007, and it is possible that somebody else has been able to implement it. In this case, any one of the certificates issued by RapidSSL since 2007 could have been malicious, but there is no way to detect which one," he says.






Monday, January 5, 2009

Global Smart Card Outlook


Smart card applications make transactions safer

New Delhi, India, Jan. 05, 2009 -- RNCOS in its new research report "Global Smart Card Market Outlook" says that the financial/retail sector is expected to continue to represent the largest application area for the global smart card industry. And the shipment of smart cards in financial/retail/loyalty is estimated to increase by 15% in the current year.

According to the report, the rising applications of smart cards in diverse sectors are due to the high security they provide. Consequently, smart cards are being widely used in financial applications such as payment cards and ATM or banking cards.

With robust growth in the global financial market, particularly in the Asia-Pacific region, the opportunities for the global smart card industry have increased tremendously, says the report. A rising number of fraudulent cases has highlighted the risks associated with using magnetic stripe cards for transactions. Moreover, the growth opportunities for smart cards have further increased by the decision taken by Visa and MasterCard to use the Europay, MasterCard and Visa (EMV) specification worldwide.

Besides, the banking sector represents an area of tremendous opportunities for smart card industry because its functionalities, such as value-added services and enhanced consumer benefits, have made smart card viable and the safest option for end users. Thus, the demand for smart cards is expected to grow at an unprecedented rate.

"Global Smart Card Market Outlook" provides in-depth and comprehensive information on the growing marketplace for smart cards at the global and national level. It contains thorough analysis along with statistical data on the present market trends, emerging markets and future growth prospects for the smart card industry.

Apart from this, the report contains statistical information on value, shipments and applications of smart cards at the global and national level that helps clients to identify critical opportunities for growth of the smart card industry. It helps clients to evaluate key factors driving growth in the industry and future avenues. The study also provides forecast on the number of mobile subscribers and smart card shipment by region.

Source: Company press release


Mob Implicated in Credit Card Scheme

Armenian Mob Imiplicated (sic) in Credit Card Scheme - beaconcast.com
Don't know if they spelled it wrong or if, because they were illegal immigrants, they added the "Imi" in "plicated", but nonetheless, here's a snippet from Beaconcast on an Armenian mob ring in Alpharetta, GA.

It all started around late August when four alleged Russian gang members of Armenian descent, all of them likely near the bottom of the crime mob totem pole, descended on Alpharetta from Glendale, Ca. to set up crime operations. All four entered the country illegally. No one knows exactly how the four made their way into the U.S. But like the millions of other foreigners who are in America illegally, they did...
Once established, the suspects engineered an elaborate credit card fraud scheme they perpetrated on unsuspecting late night BP customers. This involved changing out the electronic credit card swipe machine when no one was around and replacing the BP supplied one with their own version by simply unplugging BP’s and plugging in their counterfeit replica. This bogus machine would do everything the BP device did, like send the funds to the BP clearing bank, print out a BP receipt and balance BP’s cash register. What it also did was capture the name of the card user, the credit card number and electronically encode the metallic stripping.

Each time a customer would buy something in the store with a credit or debit card, Khalatyan caught the information in his fraudulent machine. The suspect would ask the customer if it was a debit. If so, the user would then enter his or her PIN in the device, and Khalatyan would capture that too by using a small hidden camera...

continue reading at Beaconcast


Macy's Multiple Debits = Multiple Questions?


Evan Schuman (and Fred J. Aun) wrote an interesting story regarding the recent "multiple debits" charged to 8,000 Macy's debit card customers. Like the recent RBS breach (see: Mother of All Hacks Coming?), it was "quietly" announced (purposefully?) during the busy holiday season when many reporters are on holiday. Unlike the RBS breach, and to Macy's credit...er...debit, they didn't wait 2 months (see below) to announce it. Here's the story from StorefrontBacktalk.com:

Questions Surround Some 8,000 Macy's Debit Cards That Got Charged Repeatedly
When Macy's distributed a very cryptic statement on Dec. 23 that "some" debit card customers had seen "multiple" debits for single transactions, it went virtually unnoticed.

Much of that had to do with the very quiet way Macy's shared that knowledge, by E-mailing it to a handful of reporters, many of whom were on vacation. Unlike the typical way Macy's—and others—make statements, there was no statement issued to any of the major news release wires, nor was it placed on their own news release page. It was ideally handled if someone wanted to say that they "announced" something but have no one know about it.

Continue Reading at StorefrontBackTalk


In a related story, BTN came down on RBS for waiting two months before announcing that 1.5 million of its customers were breached.
"The institution discovered the breach shortly after Halloween, yet apparently waited almost two months—an eternity in ID theft time—before making a public announcement.  That has some people scratching their heads. “Two months? That’s enough time for someone to go out and apply for a loan under your name, to get a credit card, to mess up your credit. The way to build trust in relationships is with communication,” says Jacob Jegher, an analyst at Celent."


Skim Through this Card Skimming Article

In addition to the fact that E-Commerce is outpacing bricks and mortar in several sectors (see previous story), there is a mounting problem with bricks-and-mortar POS devices. They've been tampered with, they've had skimmers attached to them, or they've been replaced with clones and then taken back filled with credit/debit card numbers.

I am adamant in my beliefs that the safest transaction is online debit for online shopping.  You swipe your own device outside the browser space and because you're left to your own devices, they are not in danger of being tampered with.  So swipe your own card, with your own device...in your own home...and your card information will remain your own...

Here's a story about a Buffalo man who is to be sentenced shortly. I'm curious to see how much time he'll do.

According to today's Buffalo News, a local skimmer was convicted and is scheduled to be sentenced 1/22. It'll be interesting to see how long this skimmer will be a "jail bird".

If you'd like to read the "entire" article, click the headline below. Otherwise you can "skim" through Dan Herbeck's report below:

Skimmers prey on credit card users


By Dan Herbeck
NEWS STAFF REPORTER

Skimmer fraud is a growing international problem, according to police, and it all starts with a process that is so routine that it happens millions of times every single day at businesses all over the world.

A customer walks into a store or restaurant, makes a purchase and hands a credit card to a cashier. The cashier then swipes the card through an electronic device that reads the information on the card.

Usually the purchase is approved, but sometimes a dishonest cashier also swipes the card through a small, illegal, hand-held device called a skimmer.

This device — no bigger than a pager — steals information from the card and activates a form of identity theft that causes headaches for consumers and, in recent years, has cost credit card companies billions of dollars.

Fraud experts say these scams occur every day — often on a much bigger scale — in businesses all over the world. Some of the skimming operations are run by organized crime.

“Credit card scams and shady waiters can easily turn customers into identity theft victims,” said Dawn Handschuh of CreditFYI.com, an online educational forum on personal finance issues.

“Credit card skimming occurs when someone swipes the magnetic strip on a customer’s credit card to get the account number with a device small enough to hide in a pocket or hand. It takes about two seconds.”

Skimmers usually cost a few hundred dollars and can be purchased over the Internet, police said. Some Web sites even offer information on how to make such a device.

In Europe, a growing number of restaurants are fighting this form of fraud by using small portable devices that allow consumers to pay their bill at their table. A limited number of restaurants in the United States have begun using them.

“Industry and law enforcement sources estimate credit card fraud losses exceed a billion dollars annually. And it’s no wonder why, when thousands of skimmed credit card numbers can be sold and e-mailed anywhere around the globe in seconds,” the Consumer Affairs office of the State of Georgia said in a recent advisory on skimming.


Skimming affects every consumer because fraudulent credit transactions are sometimes charged back to the merchant who accepted the card. The merchant ultimately winds up raising prices to make up for the losses, the Georgia office said.

Authorities also warn about a second form of skimming that does not require the participation of dishonest cashiers. Some skimming rings have learned how to install skimming devices on automated teller machines, gasoline pumps and other legitimate devices that read credit cards or banking cards.

According to federal prosecutors in Orange County, Calif., a man pleaded guilty in 2007 after agents learned that he put illegal skimming devices on gas pumps at several gas stations in the region.  The man admitted that he obtained credit card and debit card information from 90 customers and then used the information to steal $186,000 from his victims’ accounts.



E-Commerce Outperforms Bricks-and-Mortar Across Many Sectors


"eCommerce continues to grow," says JPMorgan analyst Imran Khan, who pointed out in a research note that while U.S. retail sales grew just 2 percent in the first nine months of 2008, eCommerce grew by 8 percent.

Meanwhile...comScore, a leader in measuring the digital world, today released online spending data by category for the online holiday shopping season, which showed that trends in online spending outperformed offline in several key product categories. The study compared comScore e-commerce data to overall (online and offline) consumer spending data published by MasterCard Advisors' SpendingPulse Unit for the period of Nov. 1 -- Dec. 24 vs. year ago.

"For an online holiday shopping season that recorded a disappointing 3-percent decline in sales, a positive note is that e-commerce trends outperformed overall consumer spending in several product categories, which is to say that e-commerce continued to capture an increasing share of consumers' wallet," said comScore chairman Gian Fulgoni.

"Clearly, 2008 was an extremely challenging time for many retailers, and the beginning of 2009 may not be much better. But when the consumer economy eventually does rebound, e-commerce is poised to benefit from its emergence as an important consumer sales channel."


Wealthiest Households Spent More Online this Holiday Season

comScore also analyzed non-travel e-commerce spending by household income segment for the holiday shopping season, revealing that growth in online spending only occurred (up 7 percent) within households making at least $100,000 in annual income, while lower income segments logged significant declines in spending. Those households earning less than $50,000 per year appear to be the most affected by the current economic environment, with their online spending declining by 13 percent versus year ago.

Source: Company press release.





MC inC: "MasterCard inControl" of Orbiscom




After RBS implemented a commercial application called "MC inC," a collaboration between Orbiscom and MasterCard, MasterCard has decided to purchase the company.

Deal enhances MasterCard's ability to deliver advanced and customizable payments solutions for today's demanding marketplace
PURCHASE, N.Y., Jan. 5 /PRNewswire-FirstCall/--

MasterCard Incorporated (NYSE: MA) announced today the acquisition of Orbiscom Ltd., a Dublin, Ireland-based leading payments solutions software provider for major financial institutions. The purchase price is approximately $100 million, a portion of which is contingent upon the future performance of Orbiscom's business.
The acquisition builds on the companies' existing partnership that created MasterCard inControl, an innovative platform featuring an array of advanced authorization, transaction routing and alert controls designed to assist financial institutions in creating new and enhanced payment offerings.

In 2008, Royal Bank of Scotland became the first financial institution to implement MasterCard inControl for its commercial card customers.

Click the following link to read the entire press release: MasterCard Acquires Orbiscom to Accelerate Development of Innovative Payment Solutions | MasterCard®


Friday, January 2, 2009

Graphic: Soft vs. Hardware

400+ Breaches: Software Responsible for 92%, Hardware for only 1%
According to a Trustwave review of 400+ breaches,
  • 67% were from POS Software,
  • 25% from an Online Shopping Cart, (also software)
  • 7% from Back-end Systems while...
  • only 1% from a Hardware Terminal.
    (and those were tampered with, which won't happen with our personal card swiping device)


Browsers & E-Commerce Don't Mix


As the name implies, "browsers" are for "browsing."  When you're done browsing and it comes time to make that online purchase, it should be done "outside the browser."

There are reports of a serious vulnerability affecting all browsers which makes e-commerce unsafe. This is a sobering moment in e-commerce history... but it's nothing that we at HomeATM didn't see coming...(see the post: It's Safe to Say It's Not Safe..)

Browsers are e-Commerce handicapped.

HomeATM has long taken the position that a software-only approach to providing PIN based transactions on the web is rife with insecurity. There are too many holes within the browser space to guarantee a secure transaction. Typing your credit or debit card information into a browser is, simply put, "not a wise thing to do," as there's "no such thing" as a "secure site," as the story at the end of this post demonstrates.

So, now there's further proof HATM is right. There's no such thing as a secure website...thus there's no such thing as a secure e-commerce transaction. If you've any doubts, simply google "web browser flaw" (I've provided a link to make it easy) and you get 17,000+ hits. Pardon my sarcasm, but "Enter your PAN" (personal account number) into the browser space, and you'll get hits from hackers. This time around it may have taken 200 Playstation 3 consoles, but what about this year...or the year after that?

E-Commerce is NOT safe in a browser space.

This is why the engineers at HomeATM decided to take the "hard"ware approach and manufacture, then distribute, a "personal point of sale device."

Sure, by all accounts, it would have been much easier to roll out an Internet PIN debit platform with a software-only approach. But that would be taking the "easy way" out. "Soft"ware is, by its own description, "soft." When you take a software-only approach, and this is a big caveat, we believe it's only a matter of time before a major breach occurs. It's not so much the software as it is the consumer's PC.

Therefore, in the interest of protecting the consumer AND the merchant, we know that we had no choice but to do it the "hard" way and create a small, easy to use, secure point of sale device. It's the way it's been done since the beginning of electronic payments and...

According to a Trustwave review of 400+ breaches, 67% were from POS Software, 25% from an Online Shopping Cart, 7% from Back-end Systems and only 1% from a Hardware Terminal. (click here to see the graph)

By utilizing our personal swiping device (pictured on left), which plugs into a PC's USB port in seconds, the transaction is safely done "outside the browser space," utilizing existing secure bank rails, which have yet to be compromised in 40 plus years. The connection bypasses the user's PC, which could be infected with viruses and other malware that make sending financial information over the Internet unsafe. Here's the latest about browser insecurity...
There's a "proof of concept" that a "key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability."

At this point, an "I told you so" doesn't do anybody any good, so we'll continue to focus on what we do best...providing a secure environment for PIN based transactions. But rest assured, if a software-only approach to PIN debit is released, when it's breached, expect a resounding "I told you so" from the folks at HATM.

With that said, it's relatively baffling to us that an EFT switch, Fiserv's Accel/Exchange...click to read story (PDF)...is willing to "toss the dice" and pilot a browser-enabled approach to securing PIN based e-transactions.

Mr. Kelly, currently the GM of Accel/Exchange and pictured on the right, is adamant in his belief that it's safe. We respectfully disagree, and time will tell; we just hope it won't be at the expense of an entire sector (PIN Debit for the web) being tarnished because of a massive breach. They point out that it would cost millions to distribute a personal POS device like the one produced by HomeATM, but we've got the costs down to the point where, in quantities above 100,000, we could provide them for free if the consumer/etailer covered the $4.95 cost of shipping and handling. What would cost millions, maybe even billions, would be a breach resulting in the exposure of consumers' PAN and PIN.

Of course, we're not alone in our analysis...ask Gartner's distinguished analyst, Avivah Litan, how much she would trust a software-only approach to bringing PIN based transactions to the web.

You've most likely heard the term "Caveat Emptor"? HomeATM wishes to protect both the buyer and the e-tailer with our approach. At the same time, we also wish to avoid providing fraudsters with the means to carry out "Account Emptor" which is exactly what would happen once they got a hold of your PAN and your PIN.

Anyway, moving on to the story behind all this. A group of researchers have demonstrated a "proof of concept" of an exploit that bypasses Secure Sockets Layer (SSL) security safeguards. In other words, "every web browser (Explorer, Firefox etc.) that implements SSL can be spoofed into displaying the padlock." Translation: invert the p in "https" and you'll get the picture..."httbs".

This is certainly not good news, but as I've mentioned a couple of times already, for the engineers at HomeATM it's old news. So, don't be surprised by any more "surprise announcements" about how insecure e-commerce is. As I've vehemently stated, many times over in this blog, the web was originally designed to be an information highway, and "highway robbery" is not a new concept.

Once again, and I want to state this for the record...unequivocally...

In order to secure a PIN based transaction, it needs to be done "outside" the browser space. Period. End of story.


Which brings me to the beginning of the story that instigated this post (from CNET, written by Jonathan Stray).

Web browser flaw could put e-commerce security at risk | Security - CNET News
BERLIN--A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers announced on Tuesday.

They demonstrated how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss.


The problem is unlikely to affect most Internet users in the near future because taking advantage of the vulnerability requires discovering some techniques that are not expected to be made public (Editor's Note: too late, cat's outta the bag..now that they know it can be done, it'll be done again) as well as overcoming engineering hurdles: performing the initial digital forgery consumed approximately two weeks of computing time

(Editor's Note: yeah, the "initial" digital forgery took that long, but now that they know how to do it, how long would it take? Besides, the potential monetary reward for two weeks' work is huge) on a cluster of 200 PlayStation 3 consoles.

In addition, a criminal needs to find a way to reroute traffic from a legitimate Web site to his own, perhaps through techniques that have become well-known in the last few years. (Editor's Note: What? It's unlikely to happen unless hackers use "well-known techniques?" They're kidding right? That's what the kid with the paper is selling, but I'm not buyin' it.)

Yet if one group can do it today, others eventually will. (Editor's Note: at least that line is clearly stated) "We have a proof-of-concept that allows us to impersonate any supposedly secure Web site on the Internet," said David Molnar, a doctoral student in computer science at the University of California at Berkeley.

Molnar and six other researchers presented their findings during an afternoon session of the Chaos Computer Club's annual conference here on Tuesday. Other team members include Jacob Appelbaum and Alexander Sotirov.

Their work has focused on finding vulnerabilities in a technology known as Secure Sockets Layer, or SSL, which was designed to provide Internet users with two guarantees: first, that the Web site they're connecting to isn't being spoofed, and second, that the connection is encrypted and is proof against eavesdropping. SSL is used whenever a user navigates to an address beginning with "https://". SSL certificates essentially stand for the claim that, for instance, etrade.com actually belongs to E-Trade Inc., and is not being operated by a thief hoping to steal account passwords.


Most browsers indicate that SSL is active by displaying a small padlock icon. (see pic on right) An attack using a forged authentication certificate--which is what the researchers say they have done--is insidious because the browser can't detect it and the padlock icon would still appear.

Unlike most security issues, this problem cannot be fixed with a simple software update. "The bug is not in anyone's software," Sotirov said. "It's not the browser that's at fault. The browser does exactly what it's supposed to do... The problem is that what it's supposed to do is wrong."

The attack exploits a mathematical vulnerability in the MD5 algorithm, one of the standard cryptographic functions used to check that SSL certificates (and thus the corresponding Web sites) are valid. This function has been publicly known to be weak since 2004, but until now no one had figured out how to turn this theoretical weakness into a practical attack.

An SSL certificate is a small file that ties a real-world corporate identity to a Web site address and a corresponding public encryption key. This is presented to a private certificate authority firm, which is supposed to verify the link between identity and domain name and then cryptographically "sign" the certificate to vouch for it.

The problem arises when someone else is able to forge the same signature... continue reading at CNET News
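The forgery described above only works because a certificate authority was still signing with MD5, so one practical check on the defender's side is to look at the signatureAlgorithm of every certificate in a chain and refuse MD5-signed ones. What follows is an added example written for this post, not code from the researchers, CNET or HomeATM; it uses only the Python standard library, and the two sample certificates are constructed, certificate-shaped DER blobs (not valid certificates) that carry the real md5WithRSAEncryption and sha256WithRSAEncryption OIDs.

```python
import ssl

MD5_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
WEAK = {MD5_RSA: "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: next (length & 0x7F) bytes hold the size
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, pos, _ = _read_tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _read_tlv(der, pos)         # skip tbsCertificate
    tag, pos, _ = _read_tlv(der, pos)       # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30
    tag, start, end = _read_tlv(der, pos)   # its first element is the OID
    assert tag == 0x06
    return _decode_oid(der[start:end])

def check_certificate(der):
    """Return (ok, detail); ok is False when a collision-prone hash signed the cert."""
    oid = signature_algorithm_oid(der)
    if oid in WEAK:
        return False, f"{WEAK[oid]} ({oid}): reject, a collision can forge this signature"
    return True, oid

def check_pem(pem_text):
    """Same check for a PEM-armoured certificate (e.g. one exported from a browser)."""
    return check_certificate(ssl.PEM_cert_to_DER_cert(pem_text))

def _tlv(tag, body):  # short-form DER encoder, enough for the samples below
    return bytes([tag, len(body)]) + body

def _sample_cert(oid_der):
    """Constructed, certificate-shaped DER for demonstration (not a real certificate)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))       # placeholder tbsCertificate
    alg = _tlv(0x30, oid_der + _tlv(0x05, b""))  # AlgorithmIdentifier + NULL params
    sig = _tlv(0x03, b"\x00" * 9)                # placeholder signatureValue BIT STRING
    return _tlv(0x30, tbs + alg + sig)

MD5_CERT = _sample_cert(bytes.fromhex("06092a864886f70d010104"))     # real md5WithRSA OID
SHA256_CERT = _sample_cert(bytes.fromhex("06092a864886f70d01010b"))  # real sha256WithRSA OID
MD5_PEM = ssl.DER_cert_to_PEM_cert(MD5_CERT)
```

Run check_pem() over each certificate a server presents, not just the leaf, since the forged certificate in the story was an intermediate signed by the CA.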




Global Payments Wins Processing Award

Global Payments wins top internet card processing award - Taiwan News Online
Global Payments Asia-Pacific Limited ("Global Payments") was recently named by MasterCard Worldwide as its Top Processing Partner for the Global WebPay(TM) product that leverages the MasterCard Internet Gateway Service (MiGS) for online card processing. Global Payments was chosen from more than 69 bankcard acquirers that use MasterCard's Internet gateway today across Asia Pacific, the Middle East and Africa.

Global Payments' win is attributed to Global WebPay's unique solution that provides online merchants with the capability to process multi-country, multi-sales channel and multi-currency card transactions. The Global WebPay product offers merchants a Web-based user interface to integrate their online stores, call centers and IVR sales through a single connection. This single interface requires minimal integration which significantly reduces operating costs and allows merchants to seamlessly integrate all their card-not-present transactions across multiple jurisdictions in Asia.

Global WebPay is currently available in 9 Asian markets: Hong Kong, Brunei, India, Malaysia, the Maldives, the Philippines, Singapore, Sri Lanka and Taiwan. This product offers online merchants more than 50 transaction currencies and ten payment currencies, thereby allowing merchants to receive funding in local Asian currencies and minimize forex related costs.
