Thursday, January 15, 2009

Phishing 2.0 - PAN Fried

FYI: A credit/debit card "Personal Account Number" is what creates the "PAN" acronym.

Over the past couple of months, I've posted that "eCommerce and Browsers Don't Mix," and I've talked about how unsafe web browsers are and why you should NEVER enter your PAN into a browser space.


I've also pointed out that recent data shows that software is 92 times more likely to be breached than hardware.

So, if you're like me, you're probably starting to get the "pheeling" that browsers are an extremely unreliable platform for ecommerce. 

That said...let me put it another way. 

I'm sure that you would agree that most of the time browsers are not even safe for browsing, let alone typing in our PAN or PINs...

It seems like almost every day, we read about how hackers are getting more sophisticated in the ways they try to obtain your personal information from financial sites.

Now comes a story from Kelly J. Higgins, published by Dark Reading, which explains how the next generation of phishing attacks is so-phisticated that it targets users in real time. (They call it "In-Session Phishing" because it targets online banking sessions with phony popups...but I'll call it PAN Fried - Phishing 2.0.)

Here's a portion of the story from Dark Reading. Click the link below to read it in its entirety...

'In-session phishing' the latest Web-based method for phishers to steal users' banking credentials

Researchers have discovered a sophisticated, new method of phishing that targets users while they are banking (thus making payments) online -- sending phony "pop-up" messages pretending to be from their banks/payment providers. (So I guess the only thing "that's safe" to say about pop-ups is that they're "not safe"...and I'll bet you're glad I didn't say there's something fishy about them...were you not?)

The so-called "in-session phishing" attack prompts the victim to retype his username and password for the banking site because the online banking session "has expired," for instance, via a pop-up that purports to be from the victim's bank site, according to researchers at Trusteer, which today published an advisory (PDF) on their findings about the potential for such a phishing attack.

From Trusteer's PDF:

"This is the next generation of sophisticated phishing attack," Klein says. "It combines an online vector -- the attacker waits for user to come to a genuine site that's hacked -- and browser shortcomings to detect which site the user is logged into in a different window or tab. This provides a very powerful avenue to conduct a sophisticated attack."

The popup message could take other forms, according to the researchers (such as a Graphical User Interface, I have to wonder out loud?) -- anything that could dupe the user into handing over credentials. In order for in-session phishing attacks to succeed, the following conditions are required:

1. A base website must be compromised from which the attack can be launched

2. The malware (injected on the compromised website) must be able to identify which website the victim user is currently logged on to.

The first condition is easily achieved, since more than two million legitimate websites are known to be compromised by criminals, and hundreds more are being compromised every day. Each one of them can be used as a base for this attack.

Once the website is compromised, the attacker injects code into the website. This code does not change the appearance of the website and does not download malware to the user’s PC. Therefore it is very hard to detect.

This code is designed to search for online banking websites that visitors are currently logged on to, and to present them with a pop-up that claims to be from the banking website they are logged on to. These pop-ups ask for log-in and personal information.
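
A site operator's check for the first condition above (a legitimate site carrying injected code that leaves the page looking unchanged), as an added example that is not from the original post or from Trusteer's advisory: it compares the scripts in a served page against a known-good copy. The HTML samples, host names and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def _sha(text):
    """SHA-256 of a script body or handler, ignoring surrounding whitespace."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


class ScriptInventory(HTMLParser):
    """Collect everything on a page that can run script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.external = set()  # src values of <script src=...>
        self.inline = set()    # hashes of inline scripts and on* handlers
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        # Inline event handlers (onclick=, onload=, ...) also execute code.
        for name, value in attrs:
            if name.startswith("on") and value:
                self.inline.add(_sha(value))
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf)
            if body.strip():
                self.inline.add(_sha(body))
            self._in_script = False


def inventory(html):
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser


def diff_against_baseline(baseline_html, served_html, allowed_hosts):
    """Return (severity, kind, detail) for every script not in the baseline."""
    base, cur = inventory(baseline_html), inventory(served_html)
    findings = []
    for src in sorted(cur.external - base.external):
        host = urlparse(src).netloc
        # New files from our own origin or an approved host still need a
        # look (the file itself may have been altered); unknown hosts alert.
        known = host == "" or host in allowed_hosts
        findings.append(("review" if known else "alert",
                         "new external script", src))
    for digest in sorted(cur.inline - base.inline):
        findings.append(("alert", "new inline script", digest[:16]))
    return findings


# Constructed sample data: the known-good page as deployed ...
BASELINE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script>var page = "home";</script>
</head><body>
<button onclick="submitForm()">Send</button>
</body></html>"""

# ... and the same page as later served, with two additions that do not
# alter what the visitor sees (placeholders, not real injected code).
SERVED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="https://cdn.unknown.example/w.js"></script>'
    "<script>/* constructed placeholder standing in for injected code */</script>"
    "</body>",
)

ALLOWED_HOSTS = {"static.example.com"}

if __name__ == "__main__":
    for severity, kind, detail in diff_against_baseline(
            BASELINE_HTML, SERVED_HTML, ALLOWED_HOSTS):
        print(f"{severity:6} {kind:20} {detail}")
```

Run against pages fetched from outside the hosting network, this catches additions that a visual check of the site would miss; it does not detect changes made inside an already-listed external file, which needs a hash of that file as well.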

Therefore once again, I state for the record: "NEVER type your PAN or your PIN into a web browser..."


Is it Safe? Know...NO...Know!
PIN Debit Payments Blog -JBF


Wednesday, January 14, 2009

SourceMedia's 4th Underbanked Forum Announced



About The Event - 4th Annual Underbanked Financial Services Forum
 The 4th Annual Underbanked Financial Services Forum presented with the Center for Financial Services Innovation will be held this year June 1-3 in Dallas, TX at The Westin Galleria.

This year's forum will be exploring multiple perspectives on serving the underbanked in today's climate. As awareness of the potential value and demographic diversity of the underbanked market continues to grow, the Underbanked Financial Services Forum remains the best single place to learn from and connect with the people transforming the financial services landscape.

Since its inception in 2006, this annual gathering has become the premier event for players across the financial services spectrum:

* Financial institutions and credit unions
* Technology and service companies
* Retailers and other providers
* Nonprofit organizations
* Government agencies

Back by popular demand...

Underbanked Xtreme Networking is back by popular demand! Borrowed from the idea of speed dating, this networking event delivers an accelerated meet and exchange between industry leaders and innovators. Pre-register before the event to receive an optimized schedule tailored to fit your specific networking needs.

Who are the underbanked?

Get the latest information from industry experts and case studies from on the ground and across the globe on the best strategies and offerings to achieve profitable growth and long-term success.

REGISTER EARLY & SAVE!

Javelin Prepaid Card Report Available

New Javelin Report on Evolving Prepaid Card Market, Consumer Usage and How Financial Institutions Benefit



SAN FRANCISCO, January 13, 2009 – Javelin Strategy & Research (www.javelinstrategy.com), today announced availability of a new report about the prepaid card market, which highlights consumer usage and what financial institutions can gain through a prepaid program—more specifically, how a prepaid card issuer should assess and choose a processing partner in order to obtain the greatest success and return on investment from their prepaid card programs.

According to Javelin, the processor choice is often overlooked and undervalued by prepaid program managers. But growth in the complexity of prepaid products, as well as year-over-year transaction volume growth underscores the criticality of selecting the right processor to keep pace and optimize investments long-term. Javelin delves into four key components of an effective prepaid processing program, including managing the card, serving the cardholder, executing the transaction and, getting the most from the platform. A detailed discussion of each component provides decision-making guidance to prepaid issuers chartered with managing a program. The study also takes on several of the common misconceptions about the processor selection criteria, dispelling myths and setting the record straight based on perspectives from practitioners and current market trends.

“Consumers are becoming more reliant on prepaid cards as a primary payment method as the variety of prepaid products expands,” said Javelin President and Founder, James Van Dyke. “This behavioral shift offers financial institutions and other prepaid issuers an opportunity to not only establish longer-term relationships with account holders, but create additional revenue.”

A Wide Array of Prepaid Card Products Make This Payment Method Attractive

Prepaid card applications span a wide range of consumer needs, including teen financial management, gifts, travel, online and in-store shopping, payroll and healthcare benefits. According to the report, with multiple loading and reloading mechanisms available today, prepaid cards have longer-term usage and are less disposable in nature—making prepaid programs attractive to financial institutions as a versatile method to increase revenue.

Prepaid is Not Just for Lower Income and Younger Consumers

According to the study, consumer usage of prepaid card products is growing and extends well beyond the commonly assumed demographics of lower income and younger consumers. Bruce Cundiff, the report author and Javelin’s Director of Payments Research and Consulting, said, “Consumer usage has spread relatively evenly among most income groups, with middle income Americans demonstrating the highest usage of prepaid products both online and offline. What is interesting to note, the multi-channel nature of the prepaid relationship with middle-to-higher income consumers demonstrates and validates the revenue stream capabilities that prepaid issuance provides.”

Security, Risk Mitigation and Regulatory Compliance


Javelin finds that security is paramount in prepaid card issuance, not only in terms of fraud mitigation but also in the scrutiny that issuers face to comply with regulatory Homeland Security standards—anti-money-laundering (AML) and know your customer (KYC) initiatives. Because security matters, prepaid card issuers may be increasingly held accountable for the actions of not only their immediate constituents and customers, but also the indirect usage of their products.

Learn More About Javelin’s New Report


For financial institutions, payment companies and other third parties in the prepaid market, this report delves into the primary components of a prepaid platform and processor relationship. It challenges common myths and describes important risks surrounding prepaid processing. Javelin’s Prepaid Product Evolution Report helps prepaid program managers better understand how to navigate creation of a prepaid program or expansion of an existing one in order to increase revenue. Javelin provides an overview of the study at www.javelinstrategy.com/prepaidproductevolution.html


How Online Buyers Pay

eMarketer published an article this morning regarding which payment methods online shoppers use, and projections until 2013. While credit card usage is expected to drop 32%, from its 59% level in 2007 to 40% in 2013, debit usage is expected to grow 15% during the same time period. (See chart on left.)

eMarketer also talked about "why" consumers use "payments services" (e.g. PayPal), and the number one reason was "most secure...don't have to enter credit card information online." (They must mean every time, because when I chose PayPal to make a purchase on eBay {see number two reason in chart below right}, I had to enter my credit card/debit card information.)

With our personal swiping device, you "never" have to enter your credit card information online...just swipe (more convenient and faster) and enter PIN (outside browser space) making for a more secure online payment. No skimming worries, no tampering worries, just you and your own private swiping device, in the privacy of your home... Here's the article from eMarketer.

How Do Online Buyers Pay?
JANUARY 14, 2009

Mostly by credit card, but other payment methods are gaining ground.  Most online buyers pay with credit cards. But the online credit card retail purchase volume growth rate is falling, and not just because of the recession.

Data from a January 2009 Javelin Strategy and Research study reveals that credit card purchase volume will continue to grow online and command the largest market share among payment types, reaching $107 billion by 2013, up from $81 billion in 2008.

Yet that is less than a 6% compound annual growth rate (CAGR), and the percentage of online purchases made with credit cards is set to fall to 40% in 2013, down from 59% in 2007. Javelin said that the share of online purchases made with private-label and prepaid cards would increase during that time.

The increased usage of other payment types is not an outright rejection of cards; Javelin estimated that e-mail payments such as PayPal would still account for only 10% of online purchases in 2013, up from 7% in 2007.

Rather, prepaid and debit cards may be viewed as ways to avoid interest charges, and private-label cards frequently have loyalty or rewards programs that give users cash or products back.

Some online buyers are still concerned about credit card fraud as well. In 2007, JupiterResearch and Ipsos Insight asked users of alternative payment methods including PayPal why they did not use credit cards, and the findings are worth remembering.

More security was the top reason given by online buyers for using payment services instead of credit cards. Respondents also said they used such services because of restricted options on credit cards, and greater flexibility, more convenience and easier dispute resolution than when they used credit cards.


Tuesday, January 13, 2009

Obopay Launches Widgets

If you'd like to try it, go ahead...make my day!
I'll let you know how it works out...

By the way, Chip In did this a while ago...

Just type in the amount ($300 limit, but you can do it more than once or in each widget...lol), click send, and you're done.

If you're not sure which one to use, try both and I'll let you know which one I liked better...

JBF

Cred-Ex's New Alt-Pay

Secaucus, New Jersey (PRWEB) January 13, 2009 -- Cred-Ex (www.Cred-Ex.com) prepares to launch its new alternative payment solution. Cred-Ex helps combat identity theft through its patented process.

Cred-Ex will grant instantaneous credit to consumers online on its website or at its participating merchants' shopping cart screens. Merchants will feature the Cred-Ex icon next to Visa, MasterCard, American Express and Discover. Security-conscious consumers that don't want to use their credit cards online will be able to make online purchases with Cred-Ex. Online research firm comScore, Inc. reported that online shopping is increasing at approximately 15% per year, as more and more consumers shop on the Internet. Further, according to Rosetta, retail adoption of Alternative Payments Soared 23 Percent in 2008.

While composed of complex algorithms, Cred-Ex's patented process is easy for merchants and consumers to use. Unlike its competitors, Cred-Ex's platform does not require consumers to input harmful personal data such as their credit card, bank account or Social Security numbers. As a result, Cred-Ex does not store consumers' sensitive data on its servers. This will protect the consumer's identity. Cred-Ex typically approves a new application in 5 to 10 seconds.

Cred-Ex's patent also applies to its new m-Commerce solution. Consumers who have a Cred-Ex account will be able to use their cell phones to make purchases at the point-of-sale at participating merchants' brick and mortar locations. The Company expects their m-Commerce solution to increase consumer loyalty and combat consumers' rotating their credit cards. m-Commerce is already prevalent in Europe and Asia and is just starting to take hold in the US. The Company has satisfactorily concluded testing its m-commerce solution.

Coleen Barbiere, Chief Operating Officer, says, "Merchants welcome new ways to increase webstore sales and profits by increasing conversion ratios. And our Cred-Ex payment option, coupled with our new m-Commerce solution, will revolutionize alternative payment solutions in the US."

Merchants benefit from alternative payment solutions because they increase webstore profits. CyberSource recently reported that additional payment choices can increase merchants' sales conversion rates by up to 14%. Plus, Jupiter Research found that alternative payment solutions increase average order size by 13.3%. In today's challenging economy, alternative payment solutions can improve a much needed increase in the bottom line.

About Cred-Ex: Cred-Ex is the main brand of Emerging Payments Technologies, Inc. that has been a leader in alternative billing for over 10 years. Emerging Payments Technologies, Inc. began developing the Cred-Ex platform and brand in 2004 to lead the trend in online billing, e-Commerce, and now m-Commerce. Cred-Ex's owners have built several major companies in Europe that include Nocreditcard.com (www.nocreditcard.com), the European pioneer in alternative billing; Fluendo (www.fluendo.com) that specializes in delivering products and consulting services focusing on UNIX and GNU/Linux; Fluendo comes out ahead by combining best-of-breed systems from the Open Source world with a strong team of highly knowledgeable software engineers; and Aedgency (www.aedgency.com ), a leading interactive advertising agency, performance-based only, that specializes in Search Engine Marketing (SEM), and contextual advertising. Aedgency was responsible for generating over €200 million in online traffic arbitrage from network end users in 2008.

Contact:
Eric Gelb
Business Development
Cred-Ex
T: 201-865-7600 x 102

Source: Press Release


Swiping Device Takes Back Seat


Creative Mobile Technologies (CMT), the nation's largest comprehensive taxi technology services provider, has inked a deal with Boston Cab Dispatch, Boston's premier radio affiliation service with almost 500 member taxis comprising over 25% of the Boston taxi industry. The deal will bring Boston taxi passengers a quick and easy rear-seat, self-swipe credit card payment system as well as multi-channel, interactive media screens and additional technologies designed to enhance the passenger experience and drive new efficiencies into taxi service offerings. The technology will also bring Boston Cab members into compliance with the City of Boston's mandate, that by April 2009, all taxis must provide rear-seat credit card acceptance capability.

This is the second major American taxi company in less than three months to announce the implementation of CMT's state-of-the-art taxi technology. In October 2008, CMT struck a similar deal with Chicago's Yellow, Checker and Blue Diamond family of 2,600 taxicabs. CMT is currently operating in more than 5,500 New York City taxicabs.

These new service offerings are based on CMT's "FREEdom Solution," developed in New York City by leading technology professionals and recognized leaders of the taxi industry. CMT's signature Passenger Information Monitors (PIMs) feature credit card acceptance functionality enabling passengers to securely swipe their own credit card and complete wireless transactions in seconds. The CMT PIM, which features a uniquely tailored news and entertainment network as well as GPS-powered maps that passengers can control with state-of-the-art touch-screen technology, has revolutionized and redefined the modern rider's taxicab experience.

"CMT is very excited about bringing our award-winning product to the great City of Boston whose exceptional taxi system is exemplified by Boston Cab Dispatch and its forward-thinking CEO, Brett Barenholtz," said Ron Sherman, CEO of Creative Mobile Technologies.

Jason Poliner, CMT's Chief Operating Officer, said "Boston taxi passengers will now have the quickest, safest, and most reliable credit card payment process available while the Boston taxi industry will benefit from higher passenger volumes and larger tips. Our completely re-engineered, state-of-the-art touch screens feature entertaining media content and important local information that will provide a value-added service previously unavailable to Boston riders."

Boston Cab Dispatch is a well-respected innovator in the Boston taxi industry. The company has remained ahead of the curve, having implemented the first computerized dispatch system in Boston -- 12 years before any other taxi company. Boston Cab currently has the greenest taxi service in New England.

"While our mandate is simply to provide credit card access in the back seat, we have chosen to go a step further and embrace the latest technology available to the taxi industry," said Brett Barenholtz, CEO of Boston Cab Dispatch. "After an exhaustive and thorough research process, we are convinced that CMT's excellent record of safe, reliable credit card processing, coupled with its superior media screen product, provides a perfect match for Boston Cab which always strives to provide our members and customers with the best possible service."

Boston Cab Dispatch's drivers will also benefit from the implementation of CMT's advanced solution. The technology will vastly improve credit card transaction reliability, efficiency, and ease-of-use in both the driver and passenger components of the transaction process, and the seamless integration with Boston Cab Dispatch's existing host dispatch technology will increase the fleet's geographic coverage capabilities and eliminate the need for redundant in-vehicle data communications appliances.

About CMT:

Creative Mobile Technologies (CMT) began providing New York City taxicabs with credit and debit card processing, media and advertising content, text messaging, interactive passenger maps, GPS, and electronic trip sheets in 2007. In New York, CMT, which gained a reputation as the "by the industry, for the industry" taxi technology solution, partnered with Bank of America, World Line Communications, Feeney Wireless and Mobile Knowledge. CMT's media partner, Clear Channel Taxi Media, developed the exclusive NY10 Taxi Entertainment Network with content by NBC Universal. CMT is now the nation's leading provider of total taxi technology solutions, operating in over 5,500 New York City taxicabs and soon to be in over 2,600 Chicago taxicabs. CMT's "FREEdom Solution" received one of VISA's highest honors for its commitment to credit card security and privacy protection. To learn more, visit www.cmtnyc.com.

About Boston Cab Dispatch, Inc.:

Boston Cab Dispatch has been the taxi industry leader in Boston for the last 50 years, relying on its four generations of experience. Boston Cab's premier radio association boasts almost 500 taxis as members. For over a decade, the company has featured computerized dispatching and continues its commitment to update, improve, and advance its dispatch system to meet the evolving needs of the industry.

Source: Company press release.


PIN Debit and PCI Compliance

Howard Riell, in an article written for Convenience Store Decisions, writes about PCI compliance. As you'll undoubtedly notice while reading the article, PIN entry devices, or PEDs, are an integral part of PCI certification. The long and the short of it is that all PEDs must be certified by PCI-approved laboratories and encrypt PINs with Triple DES. I know how that's done with a hardware device...(we're in the midst of getting our personal swiping device tested and approved for PCI compliance) but I'm not quite sure how it would/could/should be done with a software application. (See "Software Breach 92 Times More Likely Than Hardware.")

Here are some snippets from the CSN story, entitled "The High Stakes Of Compliance":

It was in September 2006 that the credit card companies formed the PCI Security Standards Council in the hopes of battling fraud. Today, all merchants who accept payment card transactions must comply with the PCI Data Security Standard or face sizable penalties.  Indeed, the passing grade for PCI is 100%, which means failing even one of the criteria will bring consequences...

Editor's Note: So, it's obvious that these Triple DES mandates are an integral element of PCI compliance and in 5+ months TDES is required on "all debit transactions." Since Jan. 1, 2008, all newly manufactured debit card processing terminals must incorporate PIN entry devices that have been certified by PCI-approved laboratories.

  • By January 2009, newly installed fuel pumps that accept debit cards must feature PCI-compliant encrypted PIN pads. See "Triple DES for GAS."
  • Manufacturers have to begin installing key pads capable of implementing a new Triple Data Encryption Standard (TDES), which requires that data be encoded several times through an encrypted PIN pad.
  • By July 1, 2009, TDES will be required for all debit transactions and by June 30, 2010, all fuel dispensers will need to be able to encrypt PINs according to the TDES.

The very next day, July 1st 2010, pumps that process debit transactions must be upgraded with encrypted PIN pads, and in-store POS terminals have to be certified as PCI-compliant. The devices must also process all debit transactions using TDES.

One of my favorite lines from the article comes from Bruce Snyder, manager of IP retail systems for 395-store Kwik Trip, based in La Crosse, Wis., who instead sounds like a spokesman for Gemalto. (See: "Gemalto Wants EMV in US.") Apparently he doesn't like the implementation costs (retailers will need to replace outdated hardware) and thinks that as long as they have to get new equipment anyway, then V/MC and the banks should spend billions to implement EMV and when they're done, he'll replace Kwik Trip's existing equipment with Chip and PIN readers. Problem is, it won't be Kwik...it'll be years, if they started today. (Don't hold your breath.)


"We have this silly little mag stripe that is so vulnerable and penetrable and we are building an infrastructure around it to protect the information, and a lot of people are making good money on that,” Snyder said. “With the new rulings on EPPs, if I want to continue to do debit we have to replace all of our dispenser doors and PIN pads at a huge expense to us to remain compliant. What we have to do is put in an encrypted PIN pad at the dispenser if we want to continue to do debit there.” But the new door and PIN pad will cost $1,500 per dispenser. (Ouch!  Consumers can get our SwipePIN device for merely the cost of shipping and handling, which in the face of $1500...makes for a rather compelling value proposition)

“Start doing the math on that and now you have to make a decision: can we afford to do this? And what happens if we don’t?” Snyder said. “We need to change that method of presenting ourselves for a credit transaction and make it more secure so that we don’t have to build all of this stuff around it to try to protect a very flawed method...”


Read the complete story at Convenience Store Decisions


Wanna Get Away? Get Banks OK in UK

If you "wanna get away" and you live in the UK, make sure your bank nose..otherwise you'll have "slim pickin's" when it comes to payment options...

Travelers have been told that they need to inform their banks about their travel destinations, when they go away, according to a recent report in the newspaper The Times.

This is aimed at combating credit card fraud, after several holidaymakers found their debit or credit cards frozen while they were abroad. Banks monitor card usage and often freeze cards if they begin showing unusual behavior.

The banks claim that if customers inform them of their travel plans, they can make a proper assessment of the information. HBOS told the newspaper: “If people are going to Africa, South America, we like to know. Also, we like to know about people going to Eastern Europe.” This is due to the increase of credit card fraud taking place in these locations.


However, locations in the United States are said to be the most likely places that involve fraud with British cards. Around £24.6 million was taken from UK cardholders in the country in 2008, marking an increase of 118 percent in the last three years. Much of this fraud is conducted by criminals who copy the information on the card's magnetic strip when it is used. They can then use this information to create fake cards for their own use. Credit card fraud has become less likely in the UK, due to the introduction of Chip and PIN.



Free Javelin Webinar - Data Breach Defense 2009

Complimentary Webinar on January 28, 2009



Attend a Javelin Strategy & Research Webinar on January 28, 2009 at 10:00 AM PST to learn about the latest developments in data breach risk management for financial services and other industries.

Senior Javelin Analyst, Tom Wills, will share updates and insights based on recent Javelin primary market research about:

(1) The data breach risk landscape in 2009
- Insider fraud, Web application attacks, and other emerging threats
- The impact of a down economy on identity theft

(2) The impact of data breaches on customer relationships and corporate reputation
a. Customer attrition statistics
b. How consumers view financial institutions as responsible for data breach incidents – even when the institution is not directly involved
c. What actions customers expect of organizations that have suffered a breach

(3) US regulatory update
- New State laws requiring specific preventative steps
- The Federal Trade Commission’s Red Flag rules

(4) Best practices for Prevention, Detection, and Resolution™
a. Securing sensitive information
b. How to recognize when a data breach has taken place
c. How a careful, high-touch and cross-functional data breach response can mitigate the risks of customer loss and litigation

(5) Vendor Spotlight: ID Experts – led by ID Experts President Rick Kam

Javelin Speaker: Tom Wills, Senior Analyst – Security, Fraud, and Compliance
Title: Data Breach Defense 2009: Prevention, Detection and Resolution Strategies to Protect Your Reputation and Stay Compliant with Regulations
Date: Wednesday, January 28, 2009
Time: 10:00 AM PST

Space is limited. Reserve your Webinar seat now at: https://www1.gotomeeting.com/register/285178252



Visa "Zero-ing In" on Liability

Zero Liability Helps Protect Canadian Visa Business Cards

Additional fraud protection adds value for Canadian small businesses

Visa Inc. (NYSE: V) announced today in Canada an important expansion of its Zero Liability program, which will now include Visa Business cards issued by Canadian financial institutions. The move can help better protect Visa Business cardholders from losses due to fraudulent transactions.

In a consumer survey(i) of more than one thousand Canadian Visa cardholders, 80 percent of respondents indicated they were extremely or very interested in having Zero Liability protection on their Visa card, with 30 percent ranking Zero Liability as the most appealing feature.

"Visa Business cards offer many benefits to small business owners in Canada and the addition of Zero Liability is another reason for them to use a Visa card with confidence," said Kareem Chouli, Head of Commercial Solutions in Canada, Visa Inc. "Security is a priority for Visa, and the Zero Liability policy is an important layer of our fraud prevention efforts."

Visa's Zero Liability policy protects business cardholders against fraud exactly the same way as it protects personal cardholders. Zero Liability means that business cardholders who have been victims of credit card fraud, including unauthorized transactions made via telephone or on the internet, do not pay for fraudulent transactions. Zero Liability does not apply to transactions with Visa Corporate or Visa Purchasing cards.

Personal Visa cardholders, including those who have been issued a Visa chip and PIN card, from Canadian-issued financial institutions will continue to be protected by the Zero Liability policy. All Visa cardholders must comply with the terms of their cardholder agreement including protecting their PIN where applicable.

With Visa Business cards, small businesses can conveniently manage their finances by separating business and personal spending, and tracking and analyzing expenses online. Online resources at visa.ca/smallbusiness include free business tools and guides, articles, as well as information about the Visa Savings for Business program - offering exclusive discounts to Canadian Visa Business cardholders.

Source: Press Release



Interswitch Targeted by Fraudsters

Last week, in a post entitled "ChipPin In" I covered a story from the Nigerian Punch regarding that country's transition from magstripe to Chip and PIN.  Interswitch is Nigeria's premier transaction switching platform and evidently, they have their hands full when it comes to dealing with fraudsters.  From "phishing"  to "phake" websites, it's no wonder they have decided to implement Chip & PIN...

Interswitch exposes failed ATM fraud attempt, says ‘don’t disclose your PIN number’
Internet fraudsters are at work again. They are trying once again to defraud Automated Teller Machine (ATM) card users by sending fraudulent mail purportedly in the name of Interswitch Nigeria Limited, the switching company which drives the ATM and debit card network of Nigeria’s 24 banks.

Mitchell Alegbe, managing director of Interswitch assures card users however that his company is on top of the situation and that the card users will have no problems as long as they do not disclose their PIN numbers to anyone. Alegbe says Interswitch is the nation's foremost transactions and switching company, with all the 24 banks connected to its network to provide electronic banking services through debit and credit cards, ATM and point of sale terminals (POS) and that it is constantly deploying new technologies to address the issue.

In a recent attempt, the fraudsters sent out e-mail to random addresses attempting to get ATM and debit card users to disclose their PIN numbers. The said mail read: “This is to notify you that our services are being upgraded to a new, better and more secured system . You are now required to click here and register all your debit cards, X-change cards, and cash cards online immdiately so as to enable your card to work on our new servers. Only registered cards will work with the ATM machines.”

Interswitch says this message is not from it and that card holders should ignore it. The company adds that on no account should any card holder disclose his or her PIN number to any third party.

In a previous attempt, fraudsters allegedly set up a fake website which attempted to replicate the Interswitch website and the company promptly moved to get the site shut down. Officials of the company told Business Day that the company has put in place a technology that enables it detect and shut down any fake Interswitch website immediately it appears on the internet and it has shut down such websites since the technology was installed.

In addition to this, the company in collaboration with participating banks embarked on a massive enlightenment campaign to inform cardholders on the activities and operations of the company and means of detecting fraud attempts and protecting their card information from getting into wrong hands.

Monday, January 12, 2009

CheckFree Users not Scot-Free

CheckFree initially reported that about 160,000 consumers were exposed to their recent breach, but has since adjusted those numbers by +4.84 million. The reason for the adjustment was straightforward...their "inability to determine the actual identities of customers redirected to the Ukraine by hackers." So one has to question how they came up with the 160,000, er 5 million number. They have 40 million plus users.

According to a story from Bank Technology News' John Adams, entitled "CheckFree's Hack Attack Has a Long Tail," it's been a good year for hackers. "The CheckFree hacking put the cap on a brutal year for security, with Guardium estimating a 50 percent increase in data breaches across all industries in 2008—affecting nearly 36 million Americans—with another 50 percent increase predicted for 2009."

Wow...that's a disturbing trend. What's more disturbing is that Avivah Litan, VP and distinguished analyst at Gartner, says payments and funds transfer processors, rather than retailers, are now the ones being targeted by hackers.

Still, the takeaway for the payments industry is that crooks are getting very wise to where the real booty is to be found—the payments and funds transfer operations which provide access to the point at which money enters and exits financial institutions. “There’s an emphasis on attacking processors now instead of retailers,” Litan says.

Here's a portion of the news story from Bank Technology News:
For a five-hour period in December, customers accessing CheckFree’s electronic bill payment site instead found themselves unknowingly redirected to the worst neighborhood on the Internet—a bogus malware site manned by Ukrainian hackers. That’s the easy part to figure out.

According to a notice recently filed by CheckFree parent Fiserv with the New Hampshire attorney general’s office, about 160,000 customers were exposed to the breach. Yet the firm and a number of its banking clients are alerting a whopping five million consumers to possible exposure.


The reason for that 4.84 million-customer gap between estimated and potential exposure is the inability to determine the actual identities of customers redirected to the Ukraine by hackers, requiring the additional notification of clients of banks that outsource their bill payments to CheckFree.



continue reading at American Banker/BTN





News: Gaza Strip(s) PC of Financial Data

Last week in a post entitled "Got Hacked? Bank on It" I talked about webjacking and made a prognostication that these types of hacks will milk your hard drive for information and become more common in 2009.

"I'm sorry to report  that it doesn't look like this will be the last time this year...I'll be talking about webjacking ...these webjack attacks will become almost as common as a Gulf of Aden pirate attack."

Well, it didn't take long for a webjacking to make "news."

The bad news is, IT IS THE NEWS

Using mainstream news headlines regarding recent events in Gaza, it lures people to a site that appears to be CNN. The bad news is, it isn't CNN...it's a clone, and there is nothing which clearly indicates that you've been duped.

According to the report, this has been planned for weeks. Initially the hackers had designed the attack using Barack Obama's inauguration as the basis for the allurement, but instead have decided to lure people with headlines relating to the recent events in Gaza.

This email spam attack contains "headline" news links to a website masquerading as CNN. Once there, users are innocuously instructed to download an Adobe Acrobat 10 update, which, instead, infects the user’s computer with a password-stealing Trojan virus which scrapes the hard disk looking for banks/financial service data.

This is a disconcerting development to say the least, and I've got some "ews" for you. If you EVER type in your credit/debit PAN (Personal Account Number) or PIN into a browser space that's "your bad." The "good news" is that you can protect yourself with your own personal swiping device from HomeATM.

Here's the story from ComputerWorld:

Hackers have launched a large-scale spam attack masquerading as CNN.com news notifications about the Israeli invasion of Gaza, security researchers said today, in a repeat of a massive campaign last summer that also posed as CNN alerts.

Yesterday morning, RSA's FraudAction Research Lab spotted the first messages in the new attack, which take advantage of the ongoing conflict in Gaza. Israeli ground forces entered Gaza on Jan. 3 after several days of airstrikes and naval bombardments that began Dec. 27.

The messages, said Sam Curry, vice president of product management at RSA, pose as alerts from the CNN cable news channel, and promise "graphic and striking" images about the conflict in Gaza between Israel and Hamas.

"It starts off with phishing e-mail that tries to look like CNN," said Curry, "and then the social engineering aspect kicks in. The message tries to get you to go to a Web site that looks like CNN.com. There, the [fake] site says you must update to Adobe Acrobat 10." Accepting the download delivers a Trojan horse to the PC instead.

"The Trojan is an 'SSL' stealer," added Curry. "It scrapes the disk and looks for traffic to and from known financial services."

The attack had been prepared weeks in advance, said Curry, and the hackers had only decided in the last several days to hang it on the events in Gaza. The FraudAction Research Labs' usual monitoring of cybercriminal activity, he said, had uncovered talk about an impending attack as much as four weeks ago.

During the interval, the attackers bandied ideas about what current event they would use to bait their attack. "There was some talk about the inaugural [of Barack Obama next week], the economy and massive drops in the Dow," Curry said. "They talked about how the news had to hit a critical threshold."

They eventually selected news of the Israeli attacks in Gaza against Hamas. "The thing is that they're completely apolitical," Curry noted. "They were ready to exploit significant news either way, whether there was a cease fire or an intensification of the conflict...  (continue reading at ComputerWorld)







Sunday, January 11, 2009

Online Retailers Familiarizing Themselves with Foreign Markets

According to CyberSource many U.S. online retailers are "overseaing" ways to increase volume from international markets...

With sales in the U.S. slowing for many retailers, many of them are accepting orders from customers in emerging foreign markets including India and China, CyberSource Corp. says in a new study.

One way many retailers are getting more revenue is through international online orders, says Doug Schwegman, director of market and consumer intelligence for CyberSource, a provider of online payments processing and risk management technology and services. The study is based on a survey of 400 online retailers conducted for CyberSource by Mindware Research between Oct. 21 and Nov. 11, 2008. The 400 respondents account for a total of more than $60 billion in 2008 online revenue; 41% of them have annual revenue of $10 million or more, 29% have annual revenue of $25 million or more.

The study found, for example, that about half or more of merchants accept orders from 15 countries outside of the U.S. and Canada. On average, each merchant accepts orders from nine foreign countries.

Most surprising, Schwegman says, is that nearly half, or 49%, of merchants accept orders from India, and that 52% accept orders from China, two markets that may present challenges in shipping and payments. Most payment transactions in these and other foreign markets, however, are handled with common major credit cards including Visa, MasterCard and American Express, he adds.

Also surprising, however, is that few of the surveyed merchants who accept orders from overseas use payment options popular among consumers based in foreign markets. For example, in Germany, where 73% of the surveyed merchants accept orders, only 12% of them accept payments through the bank transfer methods preferred by many local consumers even though CyberSource and other payment services companies can enable U.S. merchants to accept such payments, Schwegman says.

Following are the 15 countries included in the study and the percentage of U.S. merchants that accept orders in each:
  1. U.K., 87%
  2. Germany, 73%
  3. France, 68%
  4. Australia, 68%
  5. Japan, 68%
  6. Spain, 66%
  7. Mexico, 66%
  8. Italy, 65%
  9. Brazil, 55%
  10. Hong Kong, 55%
  11. Singapore, 53%
  12. South Korea, 53%
  13. China, 52%
  14. Taiwan, 50%
  15. India, 49%



ChipPin In

Stanley Opara writes for the Nigerian Punch about his country's transition from magstripe to Chip and PIN. Interswitch is that country's premier transaction switching platform and it won't be long before the United States stands alone as the only country on the globe yet to commit to EMV.

Nigerian financial market and the chips/PIN revolution
By Stanley Opara
Published: Sunday, 11 Jan 2009

The e-payment industry remains a faction of the techno-driven set-ups, and the impact of this marriage between technology and finance has recorded huge successes as inferred from current statistics and industry analysis.

The truth, therefore, is that e-payment machinery, especially the card technology, is presently enjoying popular patronage, even as its applications in the day to day business activities rest on geometric cruise.

With the penetration deepening by the day, carrying abreast huge transactions, the issue of security and reliability has indeed become an industry subject-matter, with operators, regulators and users really concerned about the way forward.

The move by the Central Bank of Nigeria in this regard, could be described as prompt, and the compelling directive to players to convert technology from the traditional magnetic stripe to chip and PIN/smart card platform, a welcome development.

However, saying the country’s card payment industry has come a long way, is stating the obvious. Nigeria was among the very first countries that adopted smartcard payment platform in the 90s with the ValuCard and SmartPAY schemes. These e-purse smart cards could not generate the expected mass adoption due to some technical and strategic challenges. Hence, it was rested in the early 90s. In its place, Nigerian banks decided to adopt a cheaper but fraud-prone magnetic stripe cards.

The success of the initiative, powered by InterSwitch, the country’s premier transaction switching platform, helped lay a foundation for the e-payment industry in the country and the West African region as a whole.

Today, as a result of this initiative, Nigerian banks have issued over 25 million cards. These cards are being used to process payment transactions on over 11,000 point of sale terminals, 7,000 ATMs and 200 web locations, 50,000 mobile devices...

But in its efforts to follow global best practice and secure global acceptance for cards of Nigeria origin, the CBN has mandated all the banks to convert their payment cards to a smartcard platform by the end of the second quarter of 2009. The CBN shifted the initial September 2008 deadline in order to permit the banks to prepare thoroughly for the expected cutover.

Since major payment card schemes in Europe, Middle East, South America and Africa have been converted to the secured smartcard platform, CBN’s position is therefore in line with this global trend.

Experts have maintained that until the introduction of smart card payment system, all face-to-face credit or debit card transactions used a magnetic stripe or mechanical imprint to read and record account data, and a signature for verification, and as worries over the level of fraud associated with magnetic stripe cards heightened in the 1980’s, the introduction of extra security measures including on-card photographs and holograms failed to solve the problem.

In the 1990s, card fraud increased. As a result, the payments industry commenced a quest for more secure and authentic replacement for the magnetic stripe.

This search inadvertently led to the mass deployment of the smart cards also known as chip and PIN cards. Specifically, the French developed chip technology, which is also known as smart card technology, and had over the years recorded advancements in processor and circuit technology, following the chip to grow in complexity and size with many now holding 100 times the information stored on a magnetic stripe.
continue reading at "The Punch"


Saturday, January 10, 2009

CompuCredit must "Comp You Cash"

$114 million refund in pipeline for subprime credit card users - Action Line - MiamiHerald.com

The Miami Herald is reporting today that CompuCredit was ordered to reverse fees it charged customers they secured with deceptive marketing practices.

Those fees total $110.3 million in reversals and $3.7 million in cash refunds. I suppose that gives a new twist to their "Comp" You Credit branding strategy. Oh, they've got to "comp you cash" if your balance is lower than the amount they've been ordered to compensate.

Here's the story from the Miami Herald...

CompuCredit, a company marketing Visa and MasterCard credit cards to consumers in the subprime credit market, has agreed to reverse fees charged to eligible consumers' accounts to settle allegations that it violated federal law, according to the Federal Trade Commission. It is estimated that the redress program will result in more than $114 million in credits to consumer accounts.

Eligible consumers whose current balances are less than the amount of credits to be applied will receive an estimated $3.7 million in cash refunds.

In a federal court complaint filed in June 2008, the FTC alleged that CompuCredit engaged in deceptive conduct in connection with marketing credit cards. The FTC also alleged that Jefferson Capital Systems, a debt collection company wholly owned by CompuCredit, engaged in deceptive conduct in marketing credit cards as part of its debt collection activities and engaged in abusive practices while collecting debts.

Eligible consumers will be identified from company records and contacted.



