Thursday, March 26, 2009

Is Heartland Hacker in Custody?

Is Heartland/World Pay Suspect in Custody?

By Anthony M. Freed, Information-Security-Resources.com Financial Editor

Jailed international hacker and cyber criminal “The Analyzer,” (See Analyze This...More on "Hack You!") who awaits extradition to the U.S. from Canada to face charges related to cyber crimes committed in 2008, is now also a suspect in several other unspecified electronic crimes, according to authorities. 
Finextra.com - Ehud Tenenbaum, a notorious Israeli hacker arrested in Canada last year in relation to the theft of around $1.5 million, is now suspected of breaking into the systems of four US institutions as part of a global “cashout” conspiracy that resulted in the loss of at least $10 million. In 1998 Tenenbaum gained notoriety as “The Analyzer” after being arrested following hacks on computer systems used by the Pentagon, Nasa, the Israeli parliament and Hamas.

In August he made the news again as one of four gang members arrested by Canadian police for allegedly stealing C$2 million by hacking the database of a Calgary-based business and loading money onto pre-paid cards. The gang allegedly compromised the company’s computer system and loaded money onto the pre-paid debit cards before withdrawing the cash at ATMs in Canada and several other countries.
The few details that have been released by authorities show a number of similarities to details from the RBS WorldPay breach of their pre-paid credit card division in late 2008, which resulted in a reported $9 million heist perpetrated at numerous ATMs in several different countries.
ISR news - RBS WorldPay announced on December 23 that they’d been hacked, and personal information on approximately 1.5 million payroll-card and gift-card customers had been stolen. (Payroll cards are debit cards issued and recharged by employers as an alternative to paychecks and direct-deposit.) Now we know that account numbers and other mag-stripe data needed to clone the debit cards were also compromised in the breach.
Authorities investigating the RBS WorldPay breach, as well as the breach at Heartland Payment Systems, have used similar language to describe an international conspiracy that is targeting multiple financial institutions.

Based on these similarities, it seems highly likely that Tenenbaum and his cohorts may indeed be the culprits behind a rash of major information security breaches that have the Payment Card Industry pointing fingers and attempting to dodge responsibility for security compliance.

Early in the Heartland investigation, authorities indicated that the perpetrators were most likely part of an international crime ring, and stated that they had already identified a suspect, leading infosec blogger Evan Schuman to conclude in an article that this could be evidence that authorities had already been on the perpetrator’s trail for some time:
Given the word that the Secret Service believes it has located the prime suspect, it raises the possibility that law enforcement was already on their trail long before the Heartland spyware was detected.
In an email from Evan, he offered:
“The similarities of the modus operandi here are eerie. I’m not hearing that this guy is involved in Heartland, but it certainly wouldn’t stun me if he turns out to be.”
Heartland was apparently breached sometime in the Spring of 2008, but was supposedly not aware of the security lapse until notified by Visa and MasterCard at the end of October that they had problems.

This corresponds to the time line of similar criminal activities revealed in the investigation of Tenenbaum, with the majority of activity beginning in early 2008 and lasting most of the year:
Finextra.com - According to the affidavit, in January and February 2008 a US Secret Service investigation into a computer hacking “conspiracy” against banks and other firms, uncovered attacks on the systems of Texas-based OmniAmerican Credit Union and pre-paid card distributor Global Cash Card.
In April and May 2008, authorities investigated further SQL injection attacks on 1st Source Bank in Indiana, and pre-paid debit card processor Symmetrex, which resulted in losses of over $3 million.
According to the affidavit, in an MSN instant messenger conversation, on 18 April 2008, Tenenbaum revealed that he was responsible for hacking into the network of Global Cash Card, adding “yesterday I rechecked [Global Cash Card] they are still blocking everything. so we cant hack them again.”
On 20 April, the affidavit says he received updates on a “cashout” operation, where accomplices used stolen card data to withdraw money from ATMs in the US, Russia, Turkey and Canada, among others.
It would be quite a relief to the finance industry if we knew for sure that the ringleader of such a prolific group of criminals was behind bars and awaiting trial.  We can only hope that he turns on his partners in an effort to gain leniency for himself.

Until more details of the breaches are released, this is all purely speculation.  Even if Tenenbaum turns out to be responsible for the RBS WorldPay and Heartland breaches, there are still an undisclosed number of participants on the loose, and an unknown number of systems that may be under threat of dormant malware that has yet to be discovered and neutralized.
Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com




ATM Scam at BofA Extracts PIN and PAN




From "The Brown and White"... 

Last Thursday, police confirmed a skimmer, which is a removable device that scans and stores card information, had been attached to the Bank of America ATM on East Third Street.  Video surveillance was also used to film ATM users' personal information as it was entered into the machine.

A total of 286 accounts have already been compromised and over $43,000 lost, investigator Rob Toronzi said.


According to an article on LehighValleyLive.com, $43,625 was stolen from 34 accounts as a result of the skimmer on East Third Street and another on Catasauqua Road.

The thieves are believed to be Armenian or of some other European origin and driving a dark-colored Mercedes E55 sedan, according to the same article.  The Bank of America employees realized something was wrong after they started receiving numerous calls about unusual card activity and problems.   Upon investigation, they discovered a skimmer on the ATM on Catasauqua Road and later found a skimmer and video device at an ATM on East Third Street, Toronzi said.

The skimmers are believed to have been attached from Feb. 25 to March 9, according to an article in The Morning Call.  "Customers with unauthorized card transactions, if reported within 60 days from the statement date, will be reimbursed," the same article stated.

"My Bank of America debit card was frozen here and the teller told me it was probably due to the scam," said Corrado Altomare, '09.  The Bethlehem Investigative Bureau is currently working to track down those who are responsible for the scam.  "We're working in conjunction with the Secret Service and they are aware of the individuals," Toronzi said. "We know of them but not exactly who they are. We have photos."

The men have been targeting ATMs in southeastern Pennsylvania since mid-December, but may be difficult to find because they move around and do not live in the area, Toronzi said.

As for the skimmer itself, it is a small, battery-operated device that is glued to the card-scanning machine on an ATM and works by reading the magnetic strip on the debit card. Skimmers vary in appearance.

"One is a sliver of plastic glued to the slot of the ATM's card reader," according to the same article. "Others are more sophisticated, including an overlay fastened to the ATM's keypad."

The other device that was employed in the scam was a video surveillance camera. According to Toronzi, the surveillance cameras are tiny and are usually attached to either the upper light fixtures on the ATM or the brochure holders.  Toronzi encouraged all ATM users to check both visually and physically for illegal devices before swiping their cards or entering their PIN.  "If there is something that protrudes out of the card holder, pull on it hard," Toronzi said. "If it comes off, then it is a skimming device. If all else fails, when you are putting in your pin number, just hide the pin number."

Toronzi insisted everyone should search the Internet for images of skimming devices, so they know what to look for while making transactions at an ATM.  "I would never put my card into a sketchy-looking slot," Chris Brunn, '11, said.  Toronzi warned that skimming devices are not only used on ATMs.  "A skimming device can be put on anything," he said. "Gas pumps, look for it there."


E(F)T Call Home(ATM)



(up from 5000 per day during Q2 2008)

E.T. (Ehud Tenenbaum) a.k.a. (The Analyzer) allegedly used SQL injection exploits to gain access to these supposedly secure financial databases, giving him access to account and card details."


Let me be "The Analyzer" for a moment here. E.T. "gained access" to "supposedly secure" "financial databases" using SQL injection. Allow me to do some "needling" myself: Don't worry...I'll be NYCE...


When's the SeQueL? Who's going to STAR in it? This guy Accel's in the Exchange of Information. So if you put your finger on the PULSE, then Shazam! You'll Discover that Tyme after time a PCI 2.0 certified Hardware device designed for the web (can you say SAFE-T-PIN) is EXPONENTIALLY safer than a software approach.

But, I "could" be wrong. Guess we'll have to wait for the SeQueL. When it happens, it'll have a "familiar ring" to it.

Developing...in the meantime...E.F.T. - Call Home(ATM)! Hackers can "screw" with us all they want. We're impregnable!


E.T. End Encryption



Analyze This...More on Hack You!

Maybe we should rename this guy, Ehud Tenenbaum "The Innoculator" since he used SQL Injection.

Or get him as a spokesman.  After all...his initials are E.T. and he can tell the E(F)T Networks to "Call Home(ATM)".  Maybe we should call our product "The Innoculator" as we would fully protect Internet Retailers AND Financial Institutions from SQL Attacks.  (Did you know there's ONLY 450,000 SQL attacks per day, up from 5000 in the 2Q '08?)


Here's more on this guy:

A hacker previously convicted of breaking into the Pentagon may be responsible for as much as US$10 million of similar thefts from US banks, investigators believe. Israeli Ehud Tenenbaum, aka. “The Analyzer”, is currently in Canadian custody on charges relating to a fraud which netted US$1.47 million from Direct Cash Management in Calgary, a firm that sells pre-paid debit cards.

Editor's Note: "He allegedly used SQL injection exploits to gain access to these supposedly secure financial databases, giving him access to account and card details." 

Let me be "The Analyzer" for a moment here.  He "gained access" to "supposedly secure" "financial databases" using SQL injection.  When's the sequel?  Who's going to STAR in it?  This guy Accels in the Exchange of Information.  So if you put your finger on the PULSE, then Shazam!  A PCI 2.0 certified Hardware device designed for the web (can you say SAFE-T-PIN) is EXPONENTIALLY safer than a software approach.


Tenenbaum was arrested in Montreal a month before his six month tourist visa ran out last year. Tenenbaum first achieved notoriety back in 1998 when - at the age of 19 - he was caught and convicted of hacking into US government computers including those of NASA and the Pentagon, as well as the Israeli Knesset. He escaped jail and was sentenced by an Israeli court to one year probation and also received a two year suspended sentence and a fine. Since then he has been off the radar. US authorities now wish Tenenbaum to be held in custody and may wish to extradite him over several hacks on US banks and card processing companies. According to an affidavit (PDF, obtained by Wired.com), US authorities believe Tenenbaum to be the ringleader in a global “PIN Cashout” conspiracy, using “cashers” in numerous countries to systematically empty accounts at institutions that he successfully hacked and taking a 10%-20% cut of the proceeds.

US financial organizations listed in the affidavit include OmniAmerican Credit Union of Texas, Global Cash Card of California, Symmetrex of Florida and 1st Source Bank of Indiana.

Tenenbaum allegedly used SQL injection exploits to gain access to these supposedly secure financial databases, giving him access to account and card details.


Once inside, he is alleged to have increased card limits before farming out card details to accomplices who would burn copies onto blank swipe cards and withdraw money in the US and abroad. US investigators believe that losses of at least US$10 million occurred as a result of these attacks. Curiously for a hacker capable of such audacious and complex fraud, Tenenbaum appears to have become careless, using a hotmail address that was registered under his real name to discuss some of the hacks. Feds also traced an IP address used to access the hotmail account back to Tenenbaum’s security company Internet Labs Secure.

Read the full story over at Wired



Information Security Resources on E2EE

E2E Encryption Prescription Is Bad Medicine

By Kevin M. Nixon, Information-Security-Resources.com Security Editor

“We need end-to-end encryption…”

I have heard that statement repeated many times as customers, colleagues, and press quickly point out that it is necessary for consumers and companies to conduct business on the Internet.

For a security practitioner, ironically, it is a very bad idea.

The Problem


Before you shoot me for saying it’s a bad idea, end-to-end encryption should first be defined, so as to set the backdrop for my arguments.

End-to-end encryption is defined as the use of some encryption technology between a computer and the server from which or to which it is sending information.

By way of example, VPN software on a laptop communicates with the VPN server internally to build the IPSEC tunnel, and end-to-end encryption starts on the desktop VPN client and ends at the VPN server.

A second example is a web browser using SSL to transport traffic to/from a web site, whereby the end-to-end encryption starts at the browser and finishes at the web server.

A key point: the traffic is at its destination before it is evaluated and therein is the problem.

The Concern

Current best practice methodology states that security is best practiced with a Defense-In-Depth security strategy. Defense-in-Depth recommends that more than one “layer” be used in the defense of the protected assets in question.

One example of an added layer in a network topology is filtering unnecessary traffic at an ingress network point through, say, the IP Access Lists.

If a network is protected by access-lists alone, protection is limited at best, given that so many attacks are conducted over “acceptable or trusted” IP ports.

Defense-in-Depth requires taking at least one additional step, frequently the use of a firewall.

Traffic which passes the first layer, and that has successfully matched the allowed traffic rules for the network’s designated IP characteristics, is then secondarily evaluated at a firewall for protocol compliance so as to avoid exploits utilizing buffer overflows or overly lengthy data requests.

Oftentimes a third step is implemented: as traffic is traversing the security checkpoints, intrusion detection engines monitor the ‘knocking on the door’ attempts and alert based on various situations.

Lastly, traffic checks occur on the destination host to ensure that the data matches what is expected before being processed.

“End-to-end” encryption circumvents some of these steps under the accepted definition.

Since the traffic has characteristics that allow it through the filtering (it has a TCP destination port 443 (SSL), for example), the next two protection depths are the Intrusion Detection engines and the Firewall… but since the traffic is encrypted, these two technologies all too frequently can’t read the traffic!

It is here that we undermine a defense in depth strategy, and here that end-to-end as good practice takes on bad characteristics.

As a result of encryption, the new set of simple attacks is targeting encrypted web sites, VPN servers, or extranet sites.

Why? Because the traditional methods for stopping these attacks are rendered useless by encryption. Traffic cannot be reviewed except under the most basic conditions, such as IP header data, which we have already established is not enough by itself.

The scenario plays out as follows: When web traffic was unencrypted, it was reviewed by firewalls for protocol compliance, header fields, and others. With that same web traffic tunneled over SSL, the payload (which is the same HTTP traffic as before, encrypted) cannot be analyzed.

In short, SSL in a very odd way is assisting the hacking community, not impeding it.

Another example is secure email. Since S/MIME is on the rise, the contents of email will be more and more difficult to analyze until decrypted, and as a result, the contents of those emails will have to be analyzed/controlled on the desktop.

This change will undermine the virus mail firewall scanners that currently aid us, for example, which then lowers our overall protection.

The Solution(s)


As an advocate for best practice, end-to-end encryption takes on a different meaning for me.

The encryption termination point (one “end”) is a device that peels off the encryption layer, perhaps even temporarily, allows the payload and previously encrypted traffic to be analyzed as defense in depth dictates, and if approved, then and only then does the firewall allow it to continue - in short, the traffic is decrypted and then the defense in depth methodology is instituted as if the traffic were never encrypted.

The change in architecture has a cost, e.g. “another” device is involved, but the benefits outweigh the costs. The defense in depth strategy is enforced while still maintaining the needed design confidence.

The existing generation devices and designs fall into three categories.

The first category terminates encrypted traffic on a front-end device, decrypts and analyzes the traffic in the clear, and if approved, sends it on in the clear to the back-end devices.

Oftentimes, this is the approach of the all-in-one vendors whereby the traffic is terminated on a VPN tunnel and/or SSL tunnel, sent to the virus and IDS scanning engine in the device, and then passed on into the back end network in the clear.

The all-in-one device is a security proxy. This design has strengths in defense in depth, but weaknesses in defense in exposure as the information is in the clear for too long.

The second category terminates the traffic similarly on a front-end device, decrypts and analyzes the traffic in the clear, then re-encrypts the traffic on another device and sends it to the back-end.

To address the weaknesses inherent in the previous all-in-one example, network administrators “work around” and create minimalist networks (which is good) that meet the ideological goal of end-to-end. This approach has similar strength in defense in depth, and marginal (but better) strength in defense in exposure since the traffic is re-encrypted.

The third category is evolving in the technology industry today. In this category, traffic is decrypted on a device, analyzed on the same device, and then re-encrypted on the same device and sent on.

This design ensures a minimal exposure, while still retaining the multi-tiered security capabilities. This has the now-familiar strength of defense in depth, as well as the highest strength for defense in exposure.

Conclusion

Encrypted traffic cannot be analyzed by a firewall unless either decrypted permissively or decrypted forcibly.

The same traffic cannot be cleansed of viruses, or worm signatures, or attack characteristics (IIS URL length overflow) until the traffic is decrypted on the host.

Clearly, traffic should never hit a multi-purpose operating system until after all of this happens.

End-to-end encryption is what we want, but not at the price we’d have to pay. Protection of data during creation, transmission, processing and storage or End-to-End-Defense-in-Depth is what we really want, as it ensures the defense in depth best practices are not lost.

Without it, break-ins will increase not decrease, and we again lose.

Kevin has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee. He has also served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security, and as a consultant to the Federal Trade Commission.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
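
The argument in "The Concern" and "The Solution(s)" above can be run as a small simulation. This is an added example, not part of Kevin Nixon's article: the cipher is a toy stand-in for SSL/IPsec, and the ports, the 256-byte URL limit, the signature, the keys and the packets are all constructed for illustration.

```python
"""Added illustration: layered inspection versus encrypted traffic."""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

ALLOWED_PORTS = {80, 443}          # layer 1: IP access list (constructed)
MAX_URL_LEN = 256                  # layer 2: protocol-compliance limit (assumed)
SIGNATURES = [b"UNION SELECT"]     # layer 3: one constructed IDS signature
KEY_CLIENT = b"constructed-client-session-key"
KEY_BACKEND = b"constructed-backend-session-key"
NORMAL = b"GET /index.html HTTP/1.0\r\n\r\n"
LONG_URL = b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\n\r\n"   # overly lengthy request


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream; the same call encrypts and decrypts.
    Toy stand-in for SSL/IPsec so the example needs no third-party library."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ s for b, s in zip(data[offset:offset + 32], stream))
    return bytes(out)


@dataclass
class Packet:
    dst_port: int
    payload: bytes     # bytes as they appear on the wire at this hop
    encrypted: bool


def inspect(payload: bytes) -> Optional[str]:
    """Firewall and IDS checks on readable bytes. Returns a block reason or None."""
    request_line = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(request_line) != 3 or request_line[0] not in (b"GET", b"POST"):
        return "firewall: not valid HTTP"
    if len(request_line[1]) > MAX_URL_LEN:
        return "firewall: URL too long"
    for sig in SIGNATURES:
        if sig in payload.upper():
            return "ids: matched " + sig.decode()
    return None


def perimeter(pkt: Packet, front_key: Optional[bytes] = None,
              back_key: Optional[bytes] = None) -> Tuple[str, Optional[Packet]]:
    """Return (verdict, packet forwarded towards the host, or None if blocked).

    No keys: pure end-to-end, the middle devices never see cleartext.
    Both keys: the article's third category, where one device decrypts,
    analyzes and re-encrypts before sending the traffic on.
    """
    if pkt.dst_port not in ALLOWED_PORTS:
        return "blocked by access list", None
    if not pkt.encrypted:
        reason = inspect(pkt.payload)
        return (reason, None) if reason else ("delivered (inspected)", pkt)
    if front_key is None or back_key is None:
        # Ciphertext is opaque: only header data (the port) was evaluated.
        return "delivered (NOT inspected)", pkt
    clear = toy_cipher(front_key, pkt.payload)
    reason = inspect(clear)
    if reason:
        return reason, None
    return "delivered (inspected)", Packet(pkt.dst_port, toy_cipher(back_key, clear), True)


def demo() -> dict:
    """Send the same oversized request through each design and collect verdicts."""
    results = {}
    results["clear"] = perimeter(Packet(80, LONG_URL, False))[0]
    tunneled = Packet(443, toy_cipher(KEY_CLIENT, LONG_URL), True)
    results["e2e"] = perimeter(tunneled)[0]
    results["terminated"] = perimeter(tunneled, KEY_CLIENT, KEY_BACKEND)[0]
    verdict, fwd = perimeter(Packet(443, toy_cipher(KEY_CLIENT, NORMAL), True),
                             KEY_CLIENT, KEY_BACKEND)
    results["normal"] = verdict
    results["cleartext_on_backend_wire"] = NORMAL in fwd.payload
    results["host_recovers"] = toy_cipher(KEY_BACKEND, fwd.payload) == NORMAL
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

The oversized request is stopped in the clear, passes untouched when tunneled end to end, and is stopped again once the inspecting device holds the key, while a legitimate request still leaves that device encrypted.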


Wish They Had This When I Was a Kid...


On Tuesday Socialwise, Inc., a wholly owned subsidiary of ideaEDGE, Inc. and developer of integrated e-Commerce payment solutions and social network group gifting platforms, announced that it completed the production version of the company's BillMyParents payment system which is ready to go live with key e-Commerce partners. BillMyParents is a payment option created for the children to allow them to shop online while parents retain control.

Before the launch Socialwise conducted an extensive testing of the platform and related Application Programming Interfaces (APIs) that will be integrated into popular social network applications and online e-Commerce environments. BillMyParents youth payment system is launching with the popular social networking services targeted at young audience. Socialwise expects BillMyParents to be fully integrated into these partners sites within 60 days.

"We believe that BillMyParents will be a great benefit for kids, and a valuable tool for parents and online merchants," said Jim Collas, CEO of ideaEDGE, Inc. "To date, the BillMyParents concept has been very well received by potential partners in the social networking space and the e-Commerce world. BillMyParents will enable online merchants to capture a piece of the estimated $40 billion in sales transactions that are currently lost because some kids don't have a payment method for safe and responsible online purchasing. With one solution, BillMyParents meets the needs of all parties in the value chain - with helpful and trusted services for everyone."




3 Busted in Sin City Credit Fraud Ring



18 month credit fraud ring investigation leads to three arrests - KTN Las Vegas


Box after box, jewelry, DVD players, cars of every size and all of it is now evidence.

"Right now they're astronomically tired," said Lt. Robert Sebby of his Metro Police team. "This started Monday morning."

Sebby says Metro has been investigating the charge card fraud ring for 18 months or more. It all came to a head Monday, according to arrest reports, when an officer pulled-over Davit Kudugulyan and found several credit cards in a glove box, along with a fake I. D.

The numbers on the magnetic strips of those cards didn't match the numbers on the front.

So how were they making them?  "A smoke-shop and another business," Lt. Sebby said. "In the smoke shop we recovered an active skimmer."

That's a card-swipe device that records the magnetic information on your card. Police say the crooks were also collecting personal identification numbers, or PINs, with a tiny camera as well.

"Next to the pin pad, mounted in a counter display, was a pin-hole camera recording people's numbers. So people have to be aware of their surroundings," Sebby said.

At the home on Chicory Court, police arrested Arytun Khoudagoulian after they say they found more credit cards, receipts, and a point-of-sale machine that had been tampered with.  And the investigation expanded again when police arrested a third man - Hrachya Arakelyan and investigators say they aren't done yet.


Wednesday, March 25, 2009

450K Per Day...Can You Say...SQL (Sequel)

Despite financial institutions taking sensible precautions and employing the latest technologies, the exploits of a young hacker expose flaws in the system, Wired first reported.

Editor's Note: Oh KNOW!  (or should I say, oh don't  I know IT?) I think it's safe to say that we've (HomeATM) been trying...trying...trying...to drive home(atm)  that message for (at least) the last six months. 

But let's take a time out.  We're going to rely on outside sources now.  Nobody seems to be connecting the dots.  Everything that has transpired over the last year, 5000 SQL attacks per day during the first 2 quarters of 2008 has seen an exponentiation into 450,000 per day. 

So to Imagine that there are flaws in the system related to online fraud really confounds me...NOT!   Sir Prise, Sir REPrise. 

So...all you EFT Networks out there...do you still want a software-based (PIN-Based) so-called solution?  Okay...go for it.  You might be blind to the risks now, but YOU'LL SEE!  Why are you taking the Easy Way out?  Convenience OVER Security?  Anybody out there want to share their opinions?  Click Here, go to the bottom of the post and please comment!    Do you really believe a software approach to protecting your PIN is safe?  We will publish any comment anyone wants to share.

BACK to the story...(from SC Magazine)


Court records obtained by Wired show how Israeli-born hacker Ehud Tenenbaum and his cohorts, using SQL attacks and obtaining administrative passwords, were able to break into the networks of several financial institutions in the United States to steal confidential personal information, which they then sold via the internet. This data was copied onto counterfeit credit cards and used at ATMs to withdraw cash,

Tenenbaum, 29, also known as "The Analyzer," gained notoriety 10 years ago when he broke into computer networks of NASA, the Pentagon and the Knesset, the legislative branch of the Israeli government.

At the time, he was celebrated in Israel -- first being congratulated by now Prime Minister-designate Benjamin Netanyahu for his "damn good IT skills," and then being featured in an advertisement and given a replacement computer to replace the one confiscated by the police, according to the U.S. Department of Defense Information Analysis Center. He then worked as a computer security consultant assisting Israeli enterprises to protect their networks from cyberattacks.

According to the court documents filed in Canada in September 2008, the U.S. Secret Service has been on his trail since October 2007, when they began an investigation into what they termed "an international conspiracy" of hackers attempting to make their way into computer networks of U.S. financial institutions and other businesses.


Continue Reading at SC Magazine





Safe-T-PIN Receives PCI 2.0 PED Certification - The Paypers


HomeATM ePayment Solutions' Safe-T-PIN receives PCI 2.0 PED certification


Online payment services provider HomeATM ePayment Solutions' Safe-T-PIN POS terminal has received Payments Card Industry PIN Entry Device (PCI PED) 2.0 certification.

The pocket-sized Safe-T-PIN provides two-factor authentication for e-commerce transactions and offers users the possibility to swipe their cards instead of keying in their numbers. The terminal allows for authorized person-to-person (P2P) money transfers and offers End-to-End-Encrypted (E2EE) security.

Continue Reading at The Paypers





First Data Sells 12.5% of JV with Wells Fargo, owns 40%




Wells Fargo takes majority stake in First Data merchant alliance JV

First Data has extended its merchant alliance joint venture with Wells Fargo for five years, the US payments processor revealed today in its full year earnings statement.

As part of the deal, First Data has sold 12.5% of the membership interests in the Wells Fargo Merchant Services venture to the bank for an undisclosed cash consideration. Wells now owns 60% of the company, with First Data holding 40%.

Continue Reading at Finextra



Heartland Threatening Legal Action


Finextra: Heartland threatens rivals over PCI compliance claims

Heartland Payment Systems is threatening legal action against competitors it says are misleading merchant customers with claims they will be penalized for doing business with the processor after it was struck off Visa's list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers.

Earlier this month Visa removed Heartland, along with RBS WorldPay, from its list of PCI DSS compliant service providers following major data breaches that put the card details of millions of people at risk.

The move prompted confusion among merchants concerned they may be judged to be non compliant for using the two payments processors and therefore open to fines.

However, Gartner analyst Avivah Litan says she has received a statement from Visa confirming merchants can continue doing business with the two firms without threat of penalty charges.

This stance will remain valid as long as Heartland and RBS continue to work towards revalidating their PCI compliance, which they are expected to complete within weeks.

"Visa clearly did not want to risk putting the processors out of business, partly because of the potentially enormous disruption to their hundreds of thousands of merchant customers," says Litan.

Continue Reading at Finextra






Card Not Present Fraud up 132% in UK



UK Online Fraud Up 132 Percent From 2007, 243% Since 2001
By Andrew Donoghue  - eWeek Europe

A new police e-crime unit will help combat the threat, according to payments industry body.  Banking trade body APACS has released figures showing that online fraud in the UK has increased by 132 percent from losses in 2007

Editor's Note: Wait til next year!  Do you think this trend is going to slow down?  Card Not Present Fraud can ONLY be prevented by  employing and utilizing a PCI 2.0 PED  device.  It would enable online shoppers to swipe their card and safely transmit their beginning to end encrypted PIN (and Track 2 data).  HomeATM provides such a device.  A software only solution, by definition, is still a card not present transaction.  Which do you feel is better?  Feel free to comment below.  My position is that this is just the beginning.  This is a REAL threat and we should not enable the fraudsters...we should enable the consumers, banks and merchants...

Here's the story from eWeek Europe:


In a report released late last week, detailing total fraud figures across all forms of payments, the UK payments association said Internet only fraud totaled around £52.5m.

Apacs also noted that so-called "card not present fraud" which covers internet, phone and mail order, had increased by 243 percent from 2001 to 2008. But the organization was also keen to point out that actual transactions in the sector had increased by 524 per cent from £6.6 billion in 2001 to £41.2 billion during the same period.

Phishing has been a particular problem for the banking and payments industry in the past but according to Apacs other forms of malware are also becoming a problem.

"Although phishing incidents continue to increase, online banking customers are increasingly being targeted by malware attacks, which is why the industry continues to remind customers to ensure that they have their computer’s firewall switched on and anti-virus software installed and kept up-to-date," the organisation stated.

To help combat the growing problem of malware, Apacs said that the recently formed Metropolitan Police Service Police Central e-Crime Unit (PCeU) is helping to coordinate law enforcement in the UK to combat criminal gangs exploiting hacking and malware technology.

"The PCeU will also work with the National Fraud Reporting Centre (NFRC) to provide an enforcement response to technologically-enabled serious crime, and support other police forces on receiving intelligence data from the NFRC," Apacs said in a statement.

The payment association defended recent changes to its infrastructure, designed to speed up processing of online payments: "The new Faster Payments Service is not believed to have impacted last year’s online banking fraud losses. The system was only introduced from the end of May – and the online banking fraud losses in the second half of 2008 more or less match those in the first half of the year," Apacs stated.





Credit Cards Next Shoe to Drop for Banks


Credit cards 'next shoe to drop' for Canadian banks

Bloomberg News - Excerpts

Credit-card delinquencies and losses have risen with higher unemployment and personal bankruptcies, according to Moody’s Investors Service. Those trends will continue through 2009, even as issuers reduce credit limits and scale back on offers to entice clients.

Rising Losses

Canadian card losses in the third quarter rose to 3.1% of average balances, the seventh straight period of year-over-year increases, according to Moody’s. By comparison, U.S. card losses rose to 6.6% of balances.

Canadian Imperial Bank of Commerce (CIBC), the country’s No. 5 bank, set aside $152-million for card losses for the period ended Jan. 31, nearly double a year ago. Royal Bank of Canada earmarked $83-million, a 28% increase, while Bank of Montreal reserved $56-million for losses in its MasterCard portfolio, up 47%.

CIBC has the most consumer credit-card loans among Canada’s five-biggest banks with $10.5-billion, representing 6.3% of total loans, according to filings. Royal Bank of Canada has the second highest, followed by Toronto-Dominion, Bank of Nova Scotia and Bank of Montreal.

Royal Bank CEO Gordon Nixon said he’s more concerned about rising defaults from credit cards than mortgages in the recession. Royal Bank had $8.93-billion in credit-card loans as of Jan. 31. “There is a natural deterioration in credit in a recessionary environment,” Nixon said on Feb. 26. “Credit-card deterioration always happens much sooner and much more dramatically than you’d have in a mortgage portfolio because they are unsecured loans.”

Canadian banks will see “earnings headwinds” from significant increases in provisions for card losses, Dundee Securities Corp. analyst John Aiken said in an interview. A deteriorating credit-card business is a sign of worsening credit among consumers, which will hurt the banks’ other businesses, he said.

  • Credit-card balances at Canadian banks have risen by almost 40% since 2004 to $49.9 billion as consumers took on more debt, Deloitte said in a report last month. Banks and issuers may post an additional $800-million in credit-card losses this year, rising to about $4-billion, the consulting firm said.

  • Canadians owned 71.6-million cards issued by Visa Inc., MasterCard Inc. and American Express Co. at the end of 2007, according to The Nilson Report, an industry publication.

Selected Excerpts from the Calgary Herald via Bloomberg News...to read the entire story, click here.






Americans Have a False Sense of PC Security


Computer users are in dire need of a "reality check" when it comes to home PC security, according to the National Cyber Security Alliance and security firm McAfee.

Editor's Note: Just another reason to employ an End-to-End Encrypted PCI 2.0 Certified Hardware Solution. Remember, 450,000 SQL attacks DAILY, up from 5000 the first two quarters of 2008. It's gonna get worse before it gets better. If you want to trade in your "false sense" for "REAL" security, we've got it waiting for you. Swipe...Don't Type. You're in the Clear Because your Card Data Isn't!



PC World Blog:

In a survey released by McAfee and NCSA it was found that while 98 percent of computer users agree that having up-to-date security software is important, a significant portion of those same survey respondents are guilty of having home PCs with security software that is incomplete or dangerously out of date.

Today McAfee also announced 2008 editions of its security software products: McAfee Total Protection, McAfee Internet Security, and McAfee VirusScan Plus.

PC Wakeup Calls Needed


Here are some of the survey highlights:


  • Ninety-two percent of Americans think that their anti-virus software is up to date; however, only 51 percent have actually updated their anti-virus software within the past week.
  • Seventy-three percent of PC users in the U.S. think they have a firewall installed and enabled, yet 64 percent actually do.
  • About 70 percent of PC users think they have anti-spyware software, but only 55 percent have it installed.
  • Over a quarter of PC users say they have anti-phishing software, compared to the 12 percent that actually do.

Over Three Quarters Unprotected

The study paints a grim picture of who really is protected versus those that actually are. The survey reveals under a quarter of PC users are "fully protected" against malware and viruses.

Interestingly the study says older respondents showed more computer "savvy" than their younger counterparts when it comes to PC security. Nearly 25 percent of PC users 45 and older are fully protected, compared to 18 percent of PC users below the age of 44.

The takeaway for PC users is a no-brainer and that is ignorance is not bliss when it comes to PC security. That point is especially important when it comes to home PCs and the amount of personal financial, health, and private communications (e-mail) that is stored on them, the study points out.

Sure, the survey comes off on the self-serving side for McAfee. But I suppose slapping people with threatening statistics is a good way to get them to buy up on the latest McAfee software. The language is also a little less than flattering of computer owners, which pretty much boils down to, "You don't know jack, America."

Check out PC World's latest review of McAfee's Internet Security Suite 2007.






PayPal Provides False Sense of Security


Paypal Protection Gives Online Shoppers False Sense of Security
- RealWire
Maybe it Works better on Half.com? Seems to work ok for the guy on the left...he seems to sleep okay at night!

Savvy consumers shouldn’t rely on Paypal’s Protection for Buyers, which includes the Buyer Complaint Policy and Paypal Buyer Protection for eligible ebay purchases.

Paypal have a tendency to frustrate both buyers and sellers by closing disputes for reasons only known to them. Additionally, their Protection for Buyers imposes over-restrictive time limits, has significant exclusions and has some major limitations:

Inadequate Time Limits
To be eligible for Paypal Protection for Buyers you must start the dispute process within 45 days of payment being sent and if you are going to escalate this, you must do so within 20 days of raising the dispute. This is not adequate. For example, you might not discover that the item you bought is counterfeit until it develops a fault after many months, or you may be advised that the item will not be delivered until back in stock, which may take several weeks.

Significant Exclusions

It is wrong to think that all products are automatically covered under Paypal’s Protection for Buyers. There are exclusions, and it isn’t always apparent where they apply; this depends on the particular ebay site being used and the item being purchased. Two notable exclusions are motor vehicles and airline tickets.

Major Paypal Buyer Complaint Policy Limitations

The Buyer Complaint Policy which provides protection for transactions outside ebay also has two significant limitations.

First, Paypal will not make a decision on whether an item is “not as described”. For example, if you buy a new book and it turns out to be used or is damaged, you can use the process to make a dispute, but you are on your own. Paypal will not get involved nor make a decision either way.

Second, for items that are not delivered Paypal will only refund your money if they can recover this from the seller. Fraudsters know this and are likely to withdraw your money as soon as they get it.


Cybercriminals Cache In (Google)


Cybercrime server exposed through Google cache


Channel Register: Some 22,000 card records have been exposed on Google through cached copies of data stored on a defunct cybercrime server.

ITnews in Australia says that 19,000 of the 22,000 exposed details referred to U.S. and U.K. cards and that data came from Google cache records from a disused Internet payment gateway.

The cybercrime site, registered in Vietnam, is no longer operational. The data includes credit card numbers, expiration dates, names and addresses for accounts held with Visa, Mastercard, American Express, Solo and Delta.


Gartner: Fraud Increasing Bank's Risk of Losing Customers


Card fraud pushes consumers to non-bank online payments

Digital Transactions: A new Gartner Inc. report suggests that financial fraud could drive consumers away from banks and into the arms of electronic payment systems, such as PayPal, that they perceive to be more secure.

The report, based on surveys of 5,000 adults, estimates about 7.5 percent of U.S. adults lost money to some form of financial fraud in 2008.

Gartner’s results add to a growing body of evidence that fraud costs banks customers, not just dollars.

In 2008, victims of electronic-checking and/or savings-account transfer fraud were five times more likely to change banks because of security concerns.

Fraud involving credit and debit/ATM cards was the method most actively used by crooks to steal money, claiming 36 percent more victims in 2008 than other types of fraud, according to Gartner.



To Hell With Convenience


Here are some excerpts from an article in today's Mirror.co.uk.

You'll note that criminals prefer Card Not Present crimes.  So how do you get rid of Card NOT Present crimes?  Get rid of Card NOT Present transactions.  Swipe...Don't Type!


You also might take note that "convenience vs. security" only works in a perfect world.  If that perfect world is breached...all hell breaks loose.  Consumers might be protected, but "two weeks of hell" sounds rather "inconvenient" to me.  Wait a minute...If I saved 3 seconds on 20 transactions, no nevermind, still not worth even an hour in hell...

Therefore, "To Hell with Convenience" is this post's title. Here's theirs:
 
Debit and credit card users beware - new fronts have opened in the clone wars
The Mirror UK  By Tricia Phillips 25/03/2009

Maxine Skelton knows to her cost the pain of card cloning fraud – she’s been hit not once, not twice but THREE times. The rip-off’s a big earner for thieves, with cases doubling in the past two years to push dodgy bank transactions to a record £609million.

Maxine fell victim to one of the biggest scams around, a counterfeit card copied using stolen UK card details for use in countries yet to upgrade to chip and PIN.

“It was awful. I had two weeks of hell with no access to any cash in my account.

I had to use my credit card to live off. This type of thing really does mess up your life.” Maxine was able to prove she hadn’t spent the money and got her cash refunded.

“It has made me really careful now. I don’t let my cards out of my sight, I tear up all my receipts, I double-check every item on my statements and I’m wary at cashpoints. It’s worrying knowing strangers can steal from your account.”

Kerry D’Souza, a fraud expert at card protection company CPP, says: “Criminals like card-not-present crimes because they can do it without having to make face-to-face transactions.”

Click here to read the entire story at the Mirror


