Tuesday, March 24, 2009

Acculynk and Pulse Agree to Pilot

PULSE to Pilot Secure Internet PIN Debit Technology

Debit Network Partnering with Acculynk, Financial Institutions and Major Merchants to Test Consumer Use of PIN Debit for Web-Based Shopping

Note: Pictured on left is Acculynk President Nandan Sheth along with a graphical depiction of Acculynk's floating PIN Pad. Once again...kudos to Acculynk for bringing PIN Debit on the Web to the forefront.

Editor's Note: Good news for Internet PIN Debit pushers. I will say it's a good thing it's a pilot...in the event of a breach, god forbid, the collateral damage will be relatively contained. Speaking of pilots, HomeATM does not need to be "piloted" because HATM transactions are identical to how they are done at a brick and mortar location. Therefore, everyone "knows" "it will fly" (on its own...doesn't need a pilot...).

There have been only 16 vendors "worldwide" who have tested positive for PCI 2.0 approval, and HATM is the only ONE whose PED device was designed for the web. We'd love to have the EFT Networks on our side, but at the end of the day, HomeATM utilizes eFunds, which handles the majority of PIN Debit transactions for the EFT Networks. So, in effect, they are middlemen. Wouldn't it be ironic if there were to be a "man in the middle attack"?

Before I go any further, I want to preface any further statements by stating that this is not a "HomeATM vs. Acculynk" argument. It is, however, a PCI 2.0 PED certified hardware solution vs. a software-based approach (which CANNOT capture the PIN Offset or the PVV) argument. It IS a security vs. convenience argument.

Suffice it to say that it is extremely difficult for many security analysts to conceive of an instance whereby a PIN is transmitted and NOT AUTHENTICATED against the PIN Offset. Payments industry professionals are extremely concerned that a hacker would be able to steal both the account number and the PIN and conduct online transactions.
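To make the "authenticated against the PIN Offset" point concrete, here is a worked example of the IBM 3624 PIN offset method that issuers use. This is added for this page; it is not code from HomeATM, Acculynk or any network. The issuer derives a "natural PIN" from the PAN under a secret PIN Verification Key (PVK), stores only the digit-wise difference between the cardholder's chosen PIN and that natural PIN as the offset, and verifies an entered PIN by recomputing the natural PIN and adding the offset back. The validation-data layout, the decimalization table, and the sample key and account number are assumptions of this example; real issuers configure them per card range.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"strings"
)

// decimalizationTable maps each hex digit (0-F) of the ciphertext to a decimal
// digit; "0123456789012345" is the conventional default table.
const decimalizationTable = "0123456789012345"

// allDigits reports whether s is a non-empty string of ASCII decimal digits.
func allDigits(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return s != ""
}

// validationData builds the 16-hex-digit block the PVK encrypts. Assumption
// for this example: drop the Luhn check digit, keep the rightmost 12 digits
// and right-pad with 'F'. Real issuers configure this layout per card range.
func validationData(pan string) ([]byte, error) {
	if !allDigits(pan) || len(pan) < 13 {
		return nil, errors.New("PAN must be at least 13 decimal digits")
	}
	digits := pan[:len(pan)-1]
	return hex.DecodeString(digits[len(digits)-12:] + "FFFF")
}

// naturalPIN is the IBM 3624 derivation: 3DES-encrypt the validation data
// under the PVK, decimalize the ciphertext, keep the first pinLen digits.
// A 16-byte double-length key is expanded to K1||K2||K1 for crypto/des.
func naturalPIN(pvk []byte, pan string, pinLen int) (string, error) {
	if pinLen < 4 || pinLen > 12 {
		return "", errors.New("PIN length must be 4..12")
	}
	if len(pvk) == 16 {
		pvk = append(append([]byte{}, pvk...), pvk[:8]...)
	}
	block, err := des.NewTripleDESCipher(pvk)
	if err != nil {
		return "", err
	}
	vd, err := validationData(pan)
	if err != nil {
		return "", err
	}
	var ct [8]byte
	block.Encrypt(ct[:], vd)
	hexCT := strings.ToUpper(hex.EncodeToString(ct[:]))
	var sb strings.Builder
	for i := 0; i < pinLen; i++ {
		sb.WriteByte(decimalizationTable[strings.IndexByte("0123456789ABCDEF", hexCT[i])])
	}
	return sb.String(), nil
}

// pinOffset is what the issuer stores (typically in Track 2 discretionary
// data): the digit-wise difference mod 10 between the cardholder's chosen PIN
// and the natural PIN. Without the PVK the offset reveals nothing about the PIN.
func pinOffset(pvk []byte, pan, customerPIN string) (string, error) {
	if !allDigits(customerPIN) {
		return "", errors.New("PIN must be decimal digits")
	}
	nat, err := naturalPIN(pvk, pan, len(customerPIN))
	if err != nil {
		return "", err
	}
	out := make([]byte, len(nat))
	for i := range out {
		out[i] = byte('0' + (int(customerPIN[i]-'0')-int(nat[i]-'0')+10)%10)
	}
	return string(out), nil
}

// verifyPIN is the issuer-side check: recompute the natural PIN, add the
// stored offset digit-wise and compare with what the cardholder entered.
func verifyPIN(pvk []byte, pan, offset, enteredPIN string) (bool, error) {
	if !allDigits(offset) || !allDigits(enteredPIN) || len(offset) != len(enteredPIN) {
		return false, nil
	}
	nat, err := naturalPIN(pvk, pan, len(enteredPIN))
	if err != nil {
		return false, err
	}
	for i := 0; i < len(nat); i++ {
		if int(enteredPIN[i]-'0') != (int(nat[i]-'0')+int(offset[i]-'0'))%10 {
			return false, nil
		}
	}
	return true, nil
}
```

The PVK never leaves the issuer (in practice an HSM), the card carries only the offset, and a stolen offset without the PVK is useless. The other direction is the point this page argues: if an entered PIN is never pushed through verifyPIN, it is only a four-digit shared secret riding alongside the PAN.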

If you don't believe me, check out next month's magazine from "The Society of Secure Payment Professionals." I might be going out on a limb here, but my guess is that an organization called "The Society of Secure Payment Professionals" might know a little bit about payments security. Then again, maybe it's them who are "off-base" instead of a software PIN Debit application.

At the end of the day, when the smoke clears, there is no doubt that the publicity PIN Debit for the Internet is getting these days is a good thing. Internet PIN Debit is long overdue. That said, it's overdue because it's more secure. So, once again, it becomes a security vs. convenience argument. Most everyone would agree that processing a PIN transaction via hardware is more secure. Nonetheless, when EFT Networks such as Accel/Exchange and PULSE agree to pilot PIN Debit for the Web, it is a step forward towards making PIN-based transactions on the Internet a reality. Or as John Stewart from Digital Transactions says, in announcing Pulse's decision to run an Acculynk pilot:

"Lending further impetus to the trend is the development of a hardware-based product by Acculynk rival HomeATM ePayment Solutions, a Montreal-based engineering company. HomeATM's PIN pad, which consumers hook up to their PCs via a USB link, on Friday became the first such device to achieve certification under Payment Card Industry PIN Entry Device (PCI PED) 2.0 rules."

Interestingly...(and I invite you to read between the lines here) his article goes on to say: "Pulse remains open to both hardware- and software-based solutions for PIN debit on the Internet, the spokesperson says. 'We are interested in understanding more about any solution that would be viable in the market,' she says. 'Such a solution would need to be consumer-friendly and provide value for both merchants and issuers.'"

Editor's Note: If viable means "most closely resembles a consumer checkout experience at a grocery store" then HomeATM is certainly a "viable" solution.


Here's the press release (PDF) announcing Pulse's decision to pilot Acculynk's PIN Debit technology, along with some comments (marked as Editor's Notes).

HOUSTON--(BUSINESS WIRE)--PULSE, one of the nation’s leading ATM/debit networks, has signed an agreement with Acculynk under which PULSE will test Acculynk’s PaySecure® Internet PIN debit technology in a pilot program. The pilot will involve selected PULSE merchant and financial institution participants and is slated to begin in the second quarter of 2009.

The goal of the pilot test is to assess consumer acceptance of Internet-based PIN debit transactions. Acculynk’s technology enables consumers to use their debit cards with a personal identification number (PIN) to pay for online purchases.

“Internet-based PIN debit has tremendous potential value for consumers, who enjoy the convenience of debit cards,” said Judith McGuire, PULSE senior vice president, product management. “Of debit users who have a preference, 56 percent prefer PIN authentication over signature,” McGuire added, referring to the findings of the Hitachi Consulting/BAI 2008 Consumer Payment Preferences Study. “We also believe this new payment option could provide significant value to both card issuers and merchants, driven in part by reductions in fraud and cardholder disputes.”

“In addition to reducing fraud losses and chargebacks associated with online purchases, Internet PIN debit is predicted to increase online debit purchase transactions,” said Acculynk President Nandan Sheth. “These incremental transactions will come from three sources: consumers who have PIN-only debit cards, individuals who are currently hesitant to use their signature-enabled debit cards online without the PIN authentication, and consumers who are inclined now, or in the future, to use alternative Internet payment methods.”

How it Works


Acculynk’s PIN-pad technology integrates directly into the merchant checkout process, providing a seamless experience for online shoppers. The consumer will be aware of the PIN entry option only if his or her card is enabled for PIN debit. The consumer will have the choice of entering their PIN or completing the purchase as a signature debit transaction.

Acculynk’s Internet PIN debit service utilizes many advanced security features, including a graphical, scrambling PIN pad for the secure entry of PIN data. The PIN pad numbers appear on the purchaser’s computer monitor in random order, and the numbers re-scramble each time the cardholder clicks on a digit of his or her PIN using the mouse. (Editor's Note: if it appears on a screen, even for a nanosecond, it can be argued that it can be screen scraped.)

The PIN itself is not captured on the consumer’s PC (Editor's Note: that statement "might" be true, but only due to a technicality. The real truth is if it appears on the screen, it can be seen...and if the consumer can see it, so can a hacker.), nor is it transmitted over the Internet. (Editor's Question: Then how does Acculynk get it?)


Instead, Acculynk captures and encrypts data associated with the PIN entry process (Editor's Note: they are readily admitting that they are capturing unencrypted data associated with the PIN entry process...otherwise they wouldn't have to encrypt it...right?), then transmits that encrypted data (Editor's Question: So exactly "when" do they encrypt it?) in a separate message from the message used for the card number. This makes it extremely difficult (Editor's Note: that's "press releasian" for "it's entirely possible." It's analogy time...ready? Okay, here goes: It's "extremely difficult" to get into Harvard, but every year people do) for fraudsters to capture any information that could be used to compromise a consumer’s debit card or account.
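For a concrete model of what "captures data associated with the PIN entry process" can mean, here is an added example written for this page. It is not Acculynk's code and assumes a simple scheme rather than their patented one: the server issues a random digit layout for each keypress, the client reports only the position that was clicked, and the server maps the positions back to digits with the layouts it issued. The same mapping function also shows the screen-scraping concern raised above: anyone holding both the layouts that were drawn on screen and the click positions recovers the PIN in exactly the same way. The type and function names and the sample PIN are constructed for the example; encryption of the position message and its transport are left out.

```go
package main

import (
	crand "crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Layout is one on-screen arrangement of the ten keys: Layout[position] = digit.
type Layout [10]int

// newLayout draws a fresh random permutation for one keypress, the
// "re-scramble on every click" behaviour. crypto/rand keeps it unpredictable.
func newLayout() (Layout, error) {
	var l Layout
	for i := range l {
		l[i] = i
	}
	for i := len(l) - 1; i > 0; i-- { // Fisher-Yates shuffle
		n, err := crand.Int(crand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			return Layout{}, err
		}
		j := int(n.Int64())
		l[i], l[j] = l[j], l[i]
	}
	return l, nil
}

// clickPositions is the client side: for each PIN digit, report which key
// position the user clicked under that step's layout. The wire message carries
// positions, never digits, which is the "data associated with PIN entry".
func clickPositions(layouts []Layout, pin string) ([]int, error) {
	if len(layouts) != len(pin) {
		return nil, errors.New("one layout per PIN digit is required")
	}
	pos := make([]int, len(pin))
	for i := 0; i < len(pin); i++ {
		d := int(pin[i] - '0')
		if d < 0 || d > 9 {
			return nil, errors.New("PIN must be decimal digits")
		}
		for p, digit := range layouts[i] {
			if digit == d {
				pos[i] = p
				break
			}
		}
	}
	return pos, nil
}

// recoverPIN maps positions back to digits. The server does this with the
// layouts it issued; an attacker who captured the screen (layouts) and the
// mouse clicks (positions) does exactly the same thing.
func recoverPIN(layouts []Layout, positions []int) (string, error) {
	if len(layouts) != len(positions) {
		return "", errors.New("one layout per position is required")
	}
	var sb strings.Builder
	for i, p := range positions {
		if p < 0 || p > 9 {
			return "", errors.New("position out of range")
		}
		sb.WriteByte(byte('0' + layouts[i][p]))
	}
	return sb.String(), nil
}

func main() {
	pin := "4821" // constructed sample PIN
	layouts := make([]Layout, len(pin))
	for i := range layouts {
		l, err := newLayout()
		if err != nil {
			panic(err)
		}
		layouts[i] = l
	}
	positions, _ := clickPositions(layouts, pin)
	fmt.Println("wire message (positions only):", positions)
	recovered, _ := recoverPIN(layouts, positions)
	fmt.Println("server, or anyone who also saw the screen, recovers:", recovered)
}
```

The positions alone are meaningless without the layouts, which is the sense in which "the PIN is not transmitted." The layouts, however, were rendered on the consumer's monitor, so the secret's confidentiality rests entirely on the PC that displayed them not being observed.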

In addition, producing a counterfeit card would be virtually impossible because the magnetic stripe data is not captured during the online transaction. (Editor's Note: This statement is accurate. The magnetic stripe data IS "NOT CAPTURED", which is what HomeATM feels is the security issue. We would respectfully like to point out that a cybercriminal doesn't need a "cloned card" to make purchases online...you need the PAN and the PIN. So the cloned card argument is completely irrelevant. If you don't believe me, send me your PAN and PIN. In order to properly prophetize (sic) I would kindly request that only people with more than $10,000 in their checking account comply. C'mon, humor me! I'll bet that there are several people at PULSE who qualify... I promise I won't make a counterfeit card! I also promise your bank balance will drop dramatically!)

“PULSE believes that Internet PIN debit could provide significant benefits to cardholders, e-commerce merchants and financial institutions,” said McGuire. “Our pilot program will help us determine whether this product delivers a favorable cardholder experience.”(Editor's "Dry" Note:  Or quite possibly an unfavorable one) 

I want to be clear. Once again, I love the attention that all this is bringing towards making PIN Debit on the Internet a reality. But there's a different reality that concerns me. It's the H-Word. Right now the "H" is silent in Acculynk's approach to bringing it. If the Hackers "bring it," the industry will receive a huge black eye...the retailers will get reamed, and the consumers, well, ironically, they'll be severely "inconvenienced." Here's some food for thought...Who's got the liability if there is a breach?

About PULSE

PULSE is one of the nation’s leading ATM/debit networks, currently serving more than 4,500 banks, credit unions and savings institutions across the country. PULSE is owned by Discover Financial Services (NYSE: DFS). The network links cardholders with more than 289,000 ATMs, as well as POS terminals at retail locations nationwide. The company is also a valued resource for industry research related to electronic payments and is committed to providing its participants with education on evolving products, services and trends in the payments industry. For more information, visit www.pulsenetwork.com.

About Acculynk

Acculynk is a leading technology provider with a suite of software-only services that secure online transactions. Backed by a powerful encryption and authentication framework protected by a family of issued and pending patents, Acculynk’s services provide greater security, reliability, convenience and return on investment for consumers, merchants, networks, issuers and acquirers. Acculynk is headquartered in Atlanta, Georgia, with a management team that brings extensive experience in the financial, network, security and payment processing industries. For more information, visit www.acculynk.com.

Contacts

PULSE
Anne Rhodes, 832-214-0234
arhodes@pulsenetwork.com

Acculynk
Danielle Duclos, 678-894-7013
dduclos@acculynk.com


Eurozone Banks Told - Ditch Direct Debit Interchange by 2012

Europe's banks have been told that they will have to ditch interchange fees on direct debit transactions by 2012 under EU antitrust rules.

More on this story: http://www.finextra.com/fullstory.asp?id=19812

Skimmers Net $500,000 at ATM


Finextra: Australian ATM skimming gang nets $500,000

Australian police are hunting thieves suspected of stealing over $500,000 from ANZ customer bank accounts using details obtained from a skimming device attached to a cash machine in Melbourne.

Investigators suspect the device has been attached to the ATM intermittently over the past two months, with stolen card details then used to access funds from accounts.

Police say an international syndicate may be responsible and have released images of two men they believe can help with the investigation.

According to local press reports, at least four other local cash machines are suspected to have had skimmers attached to them and over 5000 people have been affected.

Editor's Note: Good thing these people aren't determined and the punishment fits the crime. It also helps that they're not highly organized. Editor's Sarcastic Comment: All those variables will certainly help deter future breaches...


Criminal Hackers Attack 450,000 Webpages Each Day

So really...what are the chances of a software-based approach to protecting the Holy Grail known as PINs being compromised? There are only 450,000 attacks per day. It's not like it's 165 million per year. Thank God we're only talking about 164,250,000 per year.

The good news (NOT) is the number of SQL attacks appear to be slowing down. (insert sarcastic smile here) 

After all, in the first two quarters of 2008, the number was 5000 per day.  By midyear, the number had grown to 25,000 a day. By late fall, attacks climbed to 450,000 daily.   So by this time next year, there will be hardly anything to worry about...

To put into perspective the odds that a software-based approach to protecting your PIN will succeed, I bring you the following story from Robert Siciliano, a security analyst and regular contributor to the Finextra Blog. His website is IDTheftSecurity.com.

Finextra Blog - Robert Siciliano

There is just no end to the vulnerabilities that computer users face. SQL injection. SQL is an abbreviation of Structured Query Language. Pronounced "Ess Que El" or "Sequel" depending on who you ask. Editor's Note: "Sequel" seems more apropos, since there'll be more breaches in the future than there were Rocky movies...

IBM Internet Security Systems discovered 50% more web pages infected in the last quarter of 2008 than in the entire year of 2007.

The infection is called a SQL injection. According to Wikipedia, a “SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.”

In other words, a SQL injection is a virus or bug that affects an application that is not properly coded or secured. There are many different configurations of various software used to build and run a website. An example would be the common Wordpress blog platform that many use and that has been found to be vulnerable. This is just one of hundreds of applications that can be hacked in this way.

In 2005, a now defunct 3rd party payment processor called CardSystems suffered a SQL injection, compromising a reported 40 million credit cards.  Editor's Note:  I remember CardSystems.  Pay By Touch bought CardSystems!  Pay By Touch is now defunct too.  Food for thought...Coincidentally Pay By Touch also bought ATMDirect (now Acculynk)  Hmmm, wonder if there's a connection...either to the SQL attack or being defunct in the future.      

Since that time, criminal hackers have multiplied their efforts. SQL injections have evolved in their purpose and sophistication. Originally meant as a tool to attack a merchants database and steal data, the attack was reconfigured last summer to install viruses on users’ computers that contain a remote control component.

Matt Chambers with Corporate IT Solutions says, “Web applications are one of the most outward facing components a corporation contains in its network design, and one of the least protected. Applications typically take input information and send it to a database for storage and processing. We interact with these kinds of applications every day, whether it's a signup form or a login page for a favorite networking site.”

The attack on the user’s PC is simple. This type of attack is often called a “drive-by,” because sometimes all the user needs to do is surf the site. Many of the attacks take place during common web tasks such as watching videos, listening to music or downloading files.

The unsuspecting PC user surfs an infected site and bam, code is injected onto their PC and they are infected. Their PC becomes part of a “botnet,” which is a robot network of computers specifically designed for hacking.

Bots, the infected PCs, are also known as zombies. Zombies, as a result of the SQL injection, generally have a virus installed that gives the hacker control from anywhere in the world. The “botnet” can consist of 10 PCs, 10,000 PCs or into the hundreds of thousands. Studies show there are potentially millions of zombies globally, all part of numerous botnets.

Lax security practices by consumers and small businesses are giving scammers a base from which to launch attacks.

Botnet hackers set up phishing websites targeting well known online brands. They send junk mail emails and install redirection services to deliver viruses, malware and keyloggers.

USA Today
 reports IBM Internet Security Systems blocked 5000 SQL injections every day in the first two quarters of 2008. By midyear, the number had grown to 25,000 a day. By late fall, attacks climbed to 450,000 daily.

The key to identity theft protection and preventing your computer from becoming a zombie is to engage in every update for every browser and media player that you use, keeping your operating system updated and using anti-virus software such as McAfee Total Protection.

Identity Theft Speaker Robert Siciliano discusses SQL injection here.


Official Letter of HomeATM PCI 2.0 PED Certification

PCI Security Standards Council's Official Letter of Approval of HomeATM's SAFE-T-PIN Device.

BSMS - Both Sides of the Mouth Syndrome


I bring you this story from IT World because it demonstrates the direction the payments industry is going with data at the point of sale.

Interestingly, the opposite direction (You're doing it Wrong) is being taken by EFT Networks who will be piloting a software (rather than hardware) Internet PIN Debit initiative.

While the brick and mortar world is looking for ways to improve security, the Internet Payments Space is apparently looking for ways to improve convenience "at the expense" of security.

In the following article, VISA talks about new initiatives to reduce payment card fraud. Visa wants to "utilize" the "magnetic stripe" to improve security!

Meanwhile, Accel/Exchange and Pulse are rolling out a pilot that completely ignores the security the magnetic stripe provides.

Utilizing the Acculynk "convenience over security approach," a consumer can simply type in their PAN (primary account number) for all to see, but...ironically, they then lock your keyboard, saying "don't type in your PIN" (because typing is not secure).



Okay, so which is it? If we're supposed to trust you when you say it's okay to "type, not swipe" your PAN, but then you tell us "We have to lock your keyboard" in order to ensure you "DON'T TYPE in the PIN" (because it's NOT SAFE), why should I believe you when you say it's safe to click? I may be dumbfounded, but I'm not dumb. It's just not "clicking" for me...

I call that BSMS... "Both Sides of the Mouth Syndrome". It's safe to TYPE in your PAN, but whatever you do... DON'T TYPE in your PIN. That TICS (Tongue in Cheek Syndrome) me off!



Whereas Visa is talking about "enhancing" the magnetic stripe with a digital fingerprint, Acculynk, Pulse and Accel are piloting a program whereby NO MAGNETIC STRIPE data is even captured (and because the card is NOT SWIPED...your PAN and PIN probably will be)...

I guess that qualifies merchants for that elusive and infamous Interchange Rate known as "Card Not Present - PIN."

Here are excerpts from the story...demonstrating, in no uncertain terms, that not only is the magnetic stripe essential for security, but it needs to be further enhanced. Meanwhile, on the web, certain players don't think they need it at all. Amusing to say the least:

Acknowledging the need for controls that go beyond those offered by the Payment Card Industry (PCI) Data Security Standard, a senior Visa Inc. executive Thursday described two new initiatives to reduce payment card fraud being tested by the company.

One of the pilots involves Fifth Third Bank, which is testing the use of magnetic stripe technology to create unique digital fingerprints for cards, said Ellen Richey, Visa's chief enterprise risk officer. Each stripe contains unique characteristics that can be captured and used to verify the digital identity of the card, Richey said during a security event being hosted by Visa today.


Dan Roeber, vice president and manager of merchant PCI compliance at Fifth Third, said the bank had rolled out about 1,000 card readers to retailers who have not been informed about the pilot effort. The terminals (Editor's Note:  HARDWARE) are capable of reading the magnetic stripe information and creating a "DNA picture" of the card which is then matched during the authorization process, against baseline information for that card stored by the card issuer, he said during a panel discussion at the event Thursday.

During the pilot process, baseline images or fingerprints for a card are created when it is first swiped through one of the new readers (HARDWARE), Roeber said. But going forward, if the approach works, baseline images for each card could be created and stored during the card issuing process itself, Roeber said. "Even if somebody gets into a database and makes fraudulent cards, the DNA fingerprints are not going to match," Roeber said. "The thing I really like about this technology is that there are no key management issues," as is the case with the use of end-to-end encryption for protecting cardholder data.

"We are very excited about this technology," he said.

Richey said that while these projects were not quite ready for broad roll-out yet, they were indicative of the kind of approaches that could be used to make stolen data useless at the point of sale.


Richey said Visa was not opposed in the future to the idea of using chip and PIN technologies that are used widely in Europe. They require consumers to enter PIN numbers, instead of signing, when making credit card transactions. The approach is widely considered to be safer than purely signature-based transaction, but it would require considerable investments on the part of card issuers to make the change. Richey said today that Visa "fully" supports the technology and said it was not a matter of "if" but "when" and "how" the technology would be adopted in the U.S.

Editor's Note: Translation: If it's not a matter of "if" but a matter of "when," then BY DEFINITION Acculynk's solution is short-lived, because without hardware you cannot do an EMV transaction. HomeATM's hardware is EMV ready.


Dave Weick, CIO at McDonalds Corp., discussed during a panel a new plan to minimize threats against payment card data. He described how the fast-food giant was exploring how to completely segregate all payment card data and transactions from the rest of its internal network. Weick said McDonalds had developed a way to accept payment card transactions without letting any of that data touch any of its own internal systems, including its point-of-sale devices.

Editor's Note: Hmmmm....sounds like something HomeATM already DOES...for web based merchants, including the following:

No one in the company's internal system would have access to any cardholder data, and even the portion of the network that deals with card transactions would be handled by an outside vendor, Weick said. "We are very early on in this," he said, adding that the plan was to first roll out the approach to company-owned restaurants before deploying it across all franchises.

Click To Read the Entire Story at IT World

Fraudsters Watch as You Enter PIN

Scam targets big-box shoppers
Below is the Brick and Mortar Version of a story which demonstrates what lengths fraudsters are willing to go through to get your card information and your PIN. 

The Internet Version will be out about 30-60 days after Pulse starts their pilot...stay tuned:


Police say sly thieves steal credit card, debit card information from unsuspecting targets
By Laura Payton, The Ottawa Citizen

OTTAWA — Police are warning about a fraud ring targeting shoppers at big-box stores like Wal-Mart and Super-C.

Police say the thieves pick out a shopper inside the store, usually a woman 45-years-old or older. Their goal is to steal her credit or debit card information.  They follow her to the checkout, watch as she enters her personal identification number, and then follow her to the parking lot.
 
Once outside the store, one person asks for directions to distract the shopper, while an accomplice takes the shopper’s cards. The thieves are well equipped with a card reader. They either steal the shopper’s wallet, or slip the card out of the wallet, run it surreptitiously through the card reader to obtain the information, and return it to the victim.

“The victim doesn’t see that until the bank calls her and says to her, ‘You are a victim of fraud’,” says Const. Isabelle Poirier, Gatineau police spokeswoman.  Poirier says the fraudsters could be working around the province.  “It’s been (happening) in all the province of Quebec. It appears in other towns, too. They come here, they do one or two events like that and probably they do that everywhere in Quebec,” she said.

The suspects are men and women, between the ages of 25 and 45. They speak French with a Middle-Eastern accent. Police say they are investigating 15 incidents since last summer, and they ask anyone who has been a victim of this type of crime to contact them.

Shoppers should make sure they watch anyone who approaches them and keep their personal belongings close. Always cover your hand when you enter your PIN, and never give out personal information such as a birth date to strangers.  Editor's Note:  Another bit of advice:  Never type your card number into a browser.  I'd tell you to cover your screen when you enter your PIN on a floating PIN Pad, but that won't do anything to help you.   Oh, and never give out your PIN to strangers.  In fact, never give out your PIN to ANYONE.  

Monday, March 23, 2009

More Investment Needed to Secure Credit Cards

Media Center | Visa Corporate


Visa Calls for Maintaining Investment, Shared Responsibility at Global Security Summit

New Survey Shows Consumers Avoiding Retailers Who May Not Protect Data

Visa Inc. (NYSE: V) chief enterprise risk officer Ellen Richey told security experts today that payment card data fraud rates remain near historic lows despite economic woes and high-profile compromises, and called for continued industry investment, collaboration and innovation, three key components in keeping the electronic payment system secure in the future. She made her comments to a gathering of business, government, academic and law enforcement officials at Visa's Global Security Summit, its third cross-functional symposium on payment security, held in Washington, DC.

"Massive investments and innovative solutions have kept fraud rates near an all-time low," said Richey. "The best way to build on this track record is by having all players in the payment system share responsibility and maintain their investments in security - even during these times of economic challenge."

Richey also addressed recent security compromises by reminding the audience that compliance with the Payment Card Industry Data Security Standard (PCI DSS) continues to be the industry's best tool to guard against theft of cardholder data and the best protection for businesses against unwanted intrusions. She also added that PCI DSS validation is an annual, minimum requirement for organizations but that true compliance with PCI DSS is an ongoing effort requiring vigilance.

Read the Security Summit keynote address given by Ellen Richey, Visa's chief enterprise risk officer.
Watch a webcast of the Security Summit

"PCI DSS remains an effective security tool when implemented properly - and remains the best defense against the loss of sensitive data. No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach," she said. (Editor's Note: Thus the importance of HomeATM achieving PCI 2.0 PED Certification...)

Reinforcing the need for vigilance on security at the merchant level, Visa released a new survey showing that many consumers are choosing to shop only with retailers they trust to protect their personal data. Of the 800 U.S. credit and debit cardholders surveyed February 3-5, 2009, 59% said they had decided not to make an online purchase at a particular web site because they did not trust that site. Another 49% said they had opted not to shop with a merchant they did not recognize, for fear of having their personal data stolen.

Echoing Richey's themes of shared responsibility and cooperation was summit keynote speaker Dave DeWalt, president and CEO of McAfee Inc., who called for better cross-border collaboration and for businesses to make security a priority through risk assessments, closing gaps, and being vigilant.

"Now more than ever, security is mission critical to all organizations," said DeWalt. "Compliance with mandates such as PCI DSS should not simply be a checklist item; instead organizations should always be vigilant and continuously assess their risks and exposure and implement strong security controls."

Massachusetts Attorney General Martha Coakley also provided a keynote address at the event and said that increased collaboration between government and the private sector is imperative to protect consumer data. She called on industry to make data security a commitment on par with protecting intellectual property and trade secrets.

"Privacy protection, safety and security is an ever-changing landscape as government, law enforcement, industry, and consumers seek to balance technological advances in society with traditional expectations of privacy and security," said Coakley. "Creating and implementing strategies and solutions to combat these problems will require thoughtful planning and commitment from decision makers in both the private and public sectors."

Richey conveyed four priorities she sees as critical for the future security of the payment industry, including:
  • Accelerate global data breach preparedness with greater PCI DSS compliance
  • Actively engage consumers in the process of protecting their data
  • Increase collaboration across the payment system to close security gaps and share critical information more quickly
  • Reduce the value of stolen data through investment in new authentication measures

Driving homethe importance of empowering consumers to take a more active role inprotecting their card accounts, Richey highlighted a Visa service toprovide near real-time alerts and notifications when a registered Visacard is used for a purchase or cash withdrawal. In addition toproviding cardholders a tool to track and manage their accounts,transaction alerts can also help limit the extent of potential fraud.If a cardholder receives a suspicious alert, they can immediately calltheir issuer. 

"Visa'searly-warning system can provide peace of mind and help protectconsumers from card fraud at the crime's initial stage," Richey said."A consumer who receives an alert would be able to make a simple phonecall to stop fraud in its tracks."

Visa'stransaction alerts and notifications service is commercially availabletoday for Chase Visa cardholders with mobile devices powered byAndroid, the Open Handset Alliance's open source platform for mobiledevices. The service will be rolled out to additional financialinstitutions and for additional mobile devices later this year.

Heldin cooperation with the Economist Intelligence Unit, Visa's GlobalSecurity Summit was convened to discuss how payments systemparticipants can collaborate to protect cardholders against current andemerging security threats. Five panels were assembled to cover topicsrelated to innovations in payment security, strengthening e-commercesecurity, small business data protection, global executives' securitypriorities, and the world of hackers. A webcast of the summit can beviewed at www.visasecuritysummit.com.

About Visa
Visa operates the world's largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world and Visa/PLUS is one of the world's largest global ATM networks, offering cash access in local currency in more than 170 countries. For more information, visit www.corporate.visa.com.


CONTACT
Jay Hopkins for Visa
Tel.: +1-703-683-5004 ext. 107
jhopkins@crcpublicrelations.com


Small Biz Being Targeted by Cybercriminals

Small Business: The New Black In Cybercrime Targets

Enticed by poor defenses of mom-and-pop shops, hackers turn away from hardened defenses of banks and large enterprises

By Tim Wilson, DarkReading

WASHINGTON, D.C. -- Visa Security Summit 2009 -- Hacking banks and large businesses? That's sooo 2008.

Hackers and computer criminals this year are taking a new aim -- directly at small and midsize businesses, according to experts who spoke here today at Visa's annual security event. The consensus: Smaller businesses offer a much more attractive target than larger enterprises that have steeled themselves with years of security spending and compliance efforts.

"As the security becomes better at large companies, the small business begins to look more and more enticing to computer criminals," said Charles Matthews, president of the International Council for Small Business, in a panel presentation here. "It's the path of least resistance."

Matthews quoted industry research that states small businesses are far less prepared to defend themselves against cyberattack. "Nearly one-fifth of small businesses don't even use antivirus software," he said. "Sixty percent don't use any encryption on their wireless links. Two-thirds of small businesses don't have a security plan in place. These numbers are both surprising and disturbing."

And many small businesses still don't know they are targets, according to Chris Gray, director of innovation policy at the Canadian Chamber of Commerce and another member of the panel. "According to a brief survey we conducted, about two-thirds of small and medium-sized businesses believe that large companies are the main target for cybercrime," he reported. "Yet 85 percent of the fraud we see in business occurs in small and medium-sized businesses."

Editor's Note: Small to Medium Internet Businesses can provide a dually authenticated, end-to-end encrypted payment solution for their e-shoppers. For these e-SMEs, PCI DSS compliance is costly, time consuming and confusing. You can solve your compliance issues and eliminate the cost by employing HomeATM's PCI 2.0 PEDs. The cost is far less than achieving PCI 2.0 compliance on your own, and since we employ DUKPT key management techniques, the cardholder's data is NEVER transmitted. End result? Your e-business would be effectively removed from the burden of PCI DSS' scope. For more information, email us...




Continue the story at DarkReading





Make the "Hack You" Link...

You've heard of  the F-Bomb, the H-Bomb and the F-Word.  With the recent rash of Hack's (Heartland, RBS WorldPay and more coming) there's a new one...I call it the H-Word.  It's Black Hat slang for Hack You!

Heartland knows what it feels like when a Black Hat says "Hack You!"  Suffice it to say their stock symbol might be HPY, but shareholders are not.  Why?  Again...two words.  Hack You!  So what's the safer approach to protecting your Online Debit (PIN) number?

A PCI 2.0 PED "certified" approach...or a soft(ware is the PVV?) approach? What's more readily hackable? Hardware or Software. It's not "hard" to make the "Hack-You"-Lynk...

Although the answer is an obvious one, never underestimate the impact of good marketing prowess. The EFT Networks may have fallen for a good sales pitch hook, line and sinker, but they should know better. They'll know soon enough why a software-only approach to protecting a consumer's PIN is soft. My biggest concern is a breach, not competition. I don't want to see people's PINs hacked because it will affect the industry as a whole, and we are part of that industry. The writing is SO CLEARLY on the wall. I'd like to see it encrypted...

Since data is what's at stake here, we'll provide some.  

What follows are some excerpts from a paper called "Breaking VISA PIN" written by Luis Padilla Visdómine. If you're not a tekkie, you'll have to read it a little bit more slowly in order for it to properly digest. In the meantime, here's the meat and potatoes: A software approach WILL BE HACKED, PERIOD, END OF STORY, GUARANTEED. Many prominent industry insiders agree. HomeATM's CEO guarantees it will happen within 30 days of it going live. If it takes 60 or 90 days, don't hold it against him...he's only trying to help.


There's only one way to prevent a Black Hat attack resulting in the H-Word.  You've got to fight fire with fire...in this case, with "another" H-Word...HomeATM.  (bet you thought I was going to say Hardware, didn't you?...)

HomeATM reached the summit or PINNACLE of security with its recent PCI 2.0 certification. What does this mean?


It means that HomeATM's "SAFE-T-PIN" solution encrypts the entire transaction, beginning to end which should thus remove participating merchants from the scope of the PCI DSS as NO CARDHOLDER DATA is transmitted during the transaction.  What does THAT mean?

Considering that PCI DSS compliance is a costly process, that fact alone should result in considerable interest. Instead of paying tens of thousands, in some cases hundreds of thousands of dollars, an e-merchant could employ HomeATM's payment platform and be in like Flynn.

Additionally, since the HomeATM SAFE-T-PIN provides a "card present" environment, interchange morphs from the significantly higher "Card NOT Present" rates into a significantly lower "Card Present" rate. But we're not done yet. In addition to our solution removing our clients from the PCI DSS scope and lowering interchange to Card Present rates, we ALSO further reduce interchange by providing a true PIN based transaction.

PIN based transactions, because of their inherent dual-authentication processing (What you have/Card and What you Know/PIN) enjoy a reduced interchange rate on top of the CP rate.  In effect, HomeATM could save giant e-tailers tens of millions of dollars on Interchange.  "Annually!"

On the flip side, considering that a "software" approach requires the card holder to "type" their PAN (Primary Account Number) into a browser, e-tailers will still have to pay a "card not present" rate.  So even if it isn't H'd in the first 90 days, Internet Retailers would still be paying a higher rate in return for the convenience of not having good security.  But since the Internet Retailer is the one who is going to be liable when it is dot.hacked, they'll quickly learn they've been had. 

Here are the excerpts:  To read his entire paper, click here


VISA PVV algorithm


One of the most common PIN algorithms is the VISA PIN Verification Value (PVV). The customer is given a PIN and a magnetic stripe card. Encoded in the magnetic stripe is a four digit number, called PVV. This number is a cryptographic signature of the PIN and other data related to the card. When a user enters his/her PIN the ATM reads the magnetic stripe, encrypts and sends all this information to a central computer.

There a trial PVV is computed using the customer-entered PIN and the card information with a cryptographic algorithm. The trial PVV is compared with the PVV stored in the card; if they match, the central computer returns authorization for the transaction to the ATM.


Preparing the attack

A brute force attack consists in encrypting a TSP with known PVV using all possible encrypting keys and comparing each obtained PVV with the known PVV. When a match is found we have a candidate key. But how many keys do we have to try? As we said above, the key is 64 bits long, which would mean we have to try 2^64 keys. However, this is not true. Actually only 56 bits are effective in DES keys, because one bit (the least significant) of each octet was historically reserved as a checksum for the others; in practice those 8 bits (one for each of the 8 octets) are ignored.

Therefore the DES key space consists of 2^56 keys. If we try all these keys, will we find one and only one match, corresponding to the bank secret key? Certainly not. We will obtain many matching keys. This is because the PVV is only a small part (one fourth) of the DES output. Furthermore the PVV is degenerate because some of the digits (those between 0 and 5 after the last, seen from left to right, digit between 6 and 9) may come from a decimal digit or from a decimalized hexadecimal digit of the DES output. Thus many keys will produce a DES output which yields the same matching PVV.

The attack

Once we know we need five TSP-PVV pairs, how do we get them? Of course we need at least one card with known PIN, and due to the nature of the PVV algorithm, that's the only thing we need. With other PIN systems, such as IBM's, we would need five cards; however, this is not necessary with the VISA PVV algorithm. We just have to read the magnetic stripe and then change the PIN four times, reading the card after each change.

It is necessary to read the magnetic stripe of the card to get the PVV and the encrypting key selector. You can buy a commercial magnetic stripe reader or make one yourself following the instructions you can find in the previous page and links therein. Once you have a reader, see this description of standard magnetic tracks to find out how to get the PVV from the data read. In that document the PVV field in tracks 1 and 2 is said to be five characters long, but actually the true PVV consists of the last four digits. The first of the five digits is the key selector. I have only seen cards with a value of 1 in this digit, which is consistent with the standard and with the secret key never having been compromised (and therefore they did not need to move to another key by changing the selector).

I wrote a simple C program, getpvvkey.c, to perform the attack. It consists of a loop that tries all possible keys to encrypt the first TSP; if the derived PVV matches the true PVV, a new TSP is tried, and so on until either there is a mismatch, in which case the key is discarded and a new one is tried, or all five derived PVVs match the corresponding true PVVs, in which case we can assume we have the bank secret key. However, the loop goes on until it exhausts the key space. This is done to ensure we find the true key, because there is a chance (although very low) that the first key found is a false positive.

It is expected that the program will take a very long time to finish, so to minimize the risk of a power cut, computer hang, etc. it writes checkpoints to the file getpvvkey.dat from time to time (the exact interval depends on the speed of the computer; it's around one hour for the fastest computers now in use). For the same reason, if a positive key is found it is written to the file getpvvkey.key. The program only displays one message at the beginning, the starting position taken from the checkpoint file if any; after that nothing more is displayed.

The DES algorithm is the key point in the program; it is therefore very important to optimize its speed. I tested several implementations: libdes, SSLeay, openssl, cryptlib, nss, libgcrypt, catacomb, libtomcrypt, cryptopp, ufc-crypt.

The DES functions of the first four are based on the same code by Eric Young, and it is the one which performed best (it includes optimized C and x86 assembler code). Thus I chose libdes, which was the original implementation, and condensed all relevant code in the files encrypt.c (C version) and x86encrypt.s (x86 assembler version). The code is slightly modified to achieve some enhancements for a brute force attack: the initial permutation is a fixed common step in each TSP encryption and therefore can be done just once at the beginning. Another improvement is that I wrote a completely new setkey function (I called it nextkey) which is optimal for a brute force loop.

To get the program working you just have to type in the corresponding place five TSPs and their PVVs and then compile it. I have tested it only on UNIX platforms, using the makefile Makegetpvvkey to compile (use the command "make -f Makegetpvvkey"). It may compile on other systems but you may need to fix some things. Be sure that the definition of the type long64 corresponds to a 64-bit integer. In principle there is no dependence on the endianness of the processor. I have successfully compiled and run it on Pentium-Linux, Alpha-Tru64, Mips-Irix and Sparc-Solaris. If you do not have Linux and do not want to install it (you don't know what you are missing ;-) you still have the choice to run Linux from CD and use my program; see my page on running Linux without installing it.
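To make the issuer-side check the excerpts describe concrete, here is an added example in Go (not code from Padilla's paper or his getpvvkey.c) that computes a PVV and verifies a PIN against it using the standard library's single DES. The key, PAN and PIN are constructed demo values; the TSP layout (11 rightmost PAN digits without the check digit, 1-digit key selector, 4-digit PIN) and the decimalization rule follow the standard Visa PVV method and are assumed here, since the excerpts do not spell them out. The decimalize helper also shows the degeneracy the "Preparing the attack" section describes: two different DES outputs give the same four-digit PVV.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// decimalize applies the Visa rule to the 16-hex-digit DES output: take decimal
// digits left to right; if fewer than four, also take A-F (as 0-5) left to right.
func decimalize(out string) string {
	pvv := make([]byte, 0, 4)
	for _, c := range out {
		if c >= '0' && c <= '9' && len(pvv) < 4 {
			pvv = append(pvv, byte(c))
		}
	}
	for _, c := range out {
		if c >= 'A' && c <= 'F' && len(pvv) < 4 {
			pvv = append(pvv, byte('0'+c-'A'))
		}
	}
	return string(pvv)
}

// tsp: 11 rightmost PAN digits (check digit dropped) + 1-digit PVKI + 4-digit PIN.
func tsp(pan string, pvki byte, pin string) string {
	body := pan[:len(pan)-1] // drop the Luhn check digit
	return body[len(body)-11:] + string(pvki) + pin
}

// computePVV encrypts the TSP under the single-DES PVK (8 bytes, 56 effective bits).
func computePVV(key []byte, pan string, pvki byte, pin string) (string, error) {
	if len(pan) < 12 || len(pin) != 4 { return "", fmt.Errorf("bad PAN or PIN length") }
	block, err := des.NewCipher(key)
	if err != nil { return "", err }
	in, _ := hex.DecodeString(tsp(pan, pvki, pin)) // 16 decimal digits, cannot fail
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, in)
	return decimalize(fmt.Sprintf("%X", out)), nil
}

// verifyPIN is the issuer-side check: recompute and compare with the stripe PVV.
func verifyPIN(key []byte, pan string, pvki byte, pin, storedPVV string) bool {
	got, err := computePVV(key, pan, pvki, pin)
	return err == nil && got == storedPVV
}

// Demo with a constructed key and PAN (not real values).
func main() { fmt.Println(computePVV([]byte("01234567"), "4000001234567899", '1', "1234")) }
```

Because the PVV keeps only four digits of the 64-bit output, a wrong PIN still matches about one time in ten thousand, which is why issuers limit PIN retries rather than rely on the PVV alone.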
 









E-Tailers Missed Out on $21 Billion



$21 Billion might not cover the bonuses at AIG but it's still a mighty big number...HomeATM can help bring those numbers back up by properly  "securing" the transaction with their PCI 2.0 PED SAFE-T-PIN, the very first PCI certified PIN Entry Device designed for use on the web.   

Javelin Strategy & Research in its latest research has stated that the volume of online sales has decreased by $21 billion in 2008.

According to survey results only 45% are satisfied with the quality of the merchandise sold online and the time of shipping whereas 37% of consumers complained of late shipments and 28% of online customers found that the quality of the goods they received is below their expectations.

19% of Internet users said that they have cut their online spending and 12% of consumers stated that they stopped using online shopping services due to online fraudsters.

To motivate online shoppers the retailers use various strategies. So, according to Javelin Strategy & Research, the sellers assure users of the safety of their personal information (83%), (Editor's Note: how do they do that if the information isn't properly protected in the first place?) and guarantee price (79%), quality expectations (80%) and reimbursement.

Among other top promises are a zero liability against identity theft (81%) and stronger security at the store website (80%).

Source: eBillme blog


