Monday, June 8, 2009

More On Electronic Payments Coalition Campaign Against HR 2695


 

Electronic Payments Coalition Responds: Opposes HR 2695

Electronic Payments Coalition Opposes Chairman Conyers Interchange Legislation
Merchants Want Consumers to Foot the Bill for Their Costs of Accepting Credit and Debit

WASHINGTON, PRNewswire -- The Electronic Payments Coalition issued the following statement in response to the interchange legislation introduced today by Congressman John Conyers (D-MI):

"The Electronic Payments Coalition strongly opposes interchange legislation introduced today in the U.S. House of Representatives by Rep. John Conyers (D-MI) - a bill nearly identical to one that received broad bipartisan opposition last year.

This legislation is an attempt by giant retailers to make consumers pay for one of their business expenses - the cost of accepting credit and debit. It's simple: merchants do not want to pay their fair share to accept debit and credit cards, and they want consumers to foot the bill.

If this legislation passes, American families will end up footing retailers' bills when it comes to accepting debit and credit cards.

Merchants that accept credit and debit cards benefit from more sales, lower costs and greater profits. It is only fair that they pay a fee for this service.

At a time when American families everywhere are struggling to make ends meet, they shouldn't be forced to pay more so giant retailers can profit at their expense. We understand that every business wants to find ways to cut overhead costs for valued services, but forcing consumers to pick up the bill for giant retailers just isn't fair.

Consumers pay their bills. Giant retailers should pay theirs, too. On behalf of every American consumer who pays his or her own bills, the Electronic Payments Coalition urges Congress to oppose this harmful legislation."

About Electronic Payments Coalition

The Electronic Payments Coalition is dedicated to protecting consumer value, choice, and competition in electronic payments systems. The coalition is a broad-based group of payment card networks, financial services companies, and financial services trade associations whose primary goal is to educate policy-makers, consumers, and the media about the value of electronic payments systems -- including economic growth, convenience, speed, reliability, and security -- and to ensure the continued growth of global commerce by promoting consumer choice and the stability of the vast payment networks that connect millions of consumers with millions of retailers each and every day.


SOURCE Electronic Payments Coalition



MasterCard Responds to Credit Card Fair Fee Act

MasterCard Incorporated

Legislation Would Let Merchants Keep the Benefits of Card Acceptance But Make Consumers Pay the Price

Purchase, NY, June 04, 2009 - MasterCard said today that legislation introduced today by U.S. Rep. John Conyers (D-MI), by exempting merchants from antitrust laws, would take away the fundamental protections that these laws provide consumers. This would result in less credit availability, along with higher prices and reduced benefits when Americans choose to use their credit or debit cards. Antitrust laws are designed to protect competition and consumers, but this bill would have the opposite effect.

Conyers’ legislation, H.R. 2695, would give merchants a special exemption from antitrust laws enabling them to engage in anticompetitive and collusive behavior when establishing the fees and terms applicable to accepting payment cards. The bill is part of an organized merchant campaign to shift their card acceptance costs to consumers, and does not require merchants to pass on any savings to consumers if they succeed in lowering these fees.

When similar legislation was considered last Congress, it stirred considerable controversy and was only narrowly approved by a deeply divided Judiciary Committee. In addition, a wide array of organizations from non-profits to community banks and credit unions to minority small businesses voiced their opposition. The Department of Justice also expressed concern about the bill indicating that its antitrust exemptions “would appear to be the type of naked collusion that the antitrust laws condemn as per se unlawful because such conduct lacks plausible benefits to competition.”

Experience demonstrates that consumers lose when merchants no longer pay their fair share for the valuable benefits they receive from accepting payment cards. This is precisely what happened in Australia when the government reduced interchange fees. Although it cut costs for merchants, many Australian consumers now pay more for their payment cards and receive less in return as a result of the government's intervention. Furthermore, there is no evidence that merchants reduced prices for consumers as a result of the government's intervention.

Both merchants and consumers benefit from the ability to use and accept electronic payments, and in today’s free market system, each pays a share of the cost of the service. The benefits and the cost of card payment services are now shared between merchants and consumers but the merchants behind the Conyers bill seek to retain the benefits while shifting the costs to consumers.

Finally, MasterCard noted that any serious discussion of these issues should wait for the results of the Government Accountability Office (GAO) study ordered by Congress as part of the Credit CARD Act. Consumers stand to be severely damaged by government intervention and the findings of the GAO study may help avoid consumer harm that inevitably flows when merchants no longer pay their fair share for the benefits they receive.


About MasterCard Worldwide
MasterCard Worldwide advances global commerce by providing a critical economic link among financial institutions, businesses, cardholders and merchants worldwide. As a franchisor, processor and advisor, MasterCard develops and markets payment solutions, processes approximately 21 billion transactions each year, and provides industry-leading analysis and consulting services to financial-institution customers and merchants. Powered by the MasterCard Worldwide Network and through its family of brands, including MasterCard®, Maestro® and Cirrus®, MasterCard serves consumers and businesses in more than 210 countries and territories. For more information go to www.mastercard.com.

Chase Paymentech Simplifies Chip and PIN Migration for Integrated Merchants

The latest payment offering from Chase Paymentech delivers a solution for EMV certification, providing a faster answer to the migration process for integrated merchants.
TORONTO, June 8 /CNW/ - Chase Paymentech(TM) is pleased to introduce its Electronic Cash Register Interface (ECRi), a semi-integrated solution that is certified for EMV and is PCI compliant.

"Chase Paymentech is always looking for solutions that help merchants improve the way they accept payments and the customer experience. ECRi is the ideal solution for the retailer who wants to migrate to EMV with as little work and cost as possible," Bill Farris, Product Management, Chase Paymentech

Beyond the benefits related directly to chip migration and PCI compliance, ECRi offers integrated merchants the option to leverage their existing Chase Paymentech point-of-sale (POS) solution and use the latest in payment technology for a fraction of the costs they would otherwise pay to certify their mag-stripe payment application.

"The 2009 Retail Council of Canada's STORE Conference was a great opportunity to introduce the ECRi solution to the retail industry," added Farris. "Current topics of interest with retailers are compliancy and software integration with existing POS. We are offering retailers the opportunity to experience the ease of our ECRi solution at the STORE Conference."

ECRi is now available with select Chase Paymentech VeriFone devices and gives merchants and software developers the ability to connect their existing point of sale system to an EMV-certified and PCI compliant payment terminal - all in just a few short weeks.

About Chase Paymentech

Chase Paymentech, a subsidiary of JPMorgan Chase & Co. with headquarters in Toronto, ON and Dallas, TX, is a global leader in payment processing and merchant acquiring. The company's proprietary platforms provide access to a wide variety of payment methods, such as credit cards, chip-and-pin debit cards, and prepaid stored value cards. Chase Paymentech also provides a full set of solutions aimed at accelerating cash flow and managing transaction data. On the Internet or at the point of sale, Chase Paymentech's unique combination of outstanding service, innovative solutions and financial strength offers solid benefits to Canadian companies both large and small. For more information please visit www.chasepaymentech.ca

Trademark of Chase Paymentech Solutions, LLC, Chase Paymentech Solutions authorized user.




73% of Companies Believe They are Vulnerable to Hacking


Seventy-three percent of IT professionals admit their software applications are still vulnerable to hackers, only an eight percent reduction on last year’s startling discovery.

In a repeat of its survey conducted amongst IT security professionals, Fortify Software, the application security specialists, has learned that, this year, forty-six percent think that hacking at the application level is the easiest way into a company, an increase of a third compared with last year’s Fortify survey. Worryingly, five percent report that between 76% and 100% of hacks are targeted at applications.

Continue Reading


East European ATM Sniffing = Poor Code Auditing

East European ATM sniffing down to poor code auditing
Reports that malicious hackers have developed a range of data-sniffing and stealing trojans that have skimmed cardholder data from Eastern European ATMs since the end of 2007 highlight what can happen if security code auditing is not carried out at all stages in program development, says Richard Kirk, Fortify's European director.

"Our colleagues at Sophos and SpiderLabs have discovered that the trojans home in on the data stream from the magnetic stripe of ATM users' cards and store/relay that data for subsequent fraudulent usage," said Kirk.

"What's interesting about this case is that, if the ATM program code - which probably runs on Windows operating system as most ATMs are driven by the Microsoft operating system - had been fully code audited from day one, the security loophole that allows this trojan to operate probably wouldn't be there," he added.

What is also of concern, says Kirk, is the fact that hackers were able to use their trojan applications for around 18 months - and refine their own program code many times - before being detected.

This, he says, indicates that the hackers probably have a development process equal to, if not better than, that of the developers of the ATM software.


This, he explained, is ironic, and illustrates the dedication – driven by the illegal revenues available - that criminal gangs now have when pursuing their illegal careers.  "Now that the hackers' trojans have been rumbled, they will probably move on to new revenue-generating pastures. It is to be hoped that these pastures do not include the bank's ATM-controlling computers, otherwise we're all in deep trouble," he said.



Phantom of the Soap Opera



Court rules in bank’s favor in “phantom withdrawal” case, by Gill Montia

Story link: Court rules in bank’s favor in “phantom withdrawal” case

A UK court has found against a customer who sued his bank after being held liable for withdrawals from cash machines, which he claims he did not make.

So called “phantom” withdrawals occur when money is withdrawn at bank ATMs without the card holder’s permission and where card details have not been revealed to third parties. Chip and PIN technology has been designed to prevent stolen and lost cards being used in this way but Halifax customer, Alain Job, claimed that he was not responsible for £2,100 disappearing from his account.

However, Mr Job failed to convince Nottingham County Court that his card could have been used to withdraw the money at ATMs without any negligence on his part. Lawyers argued that the card could have been cloned but Halifax produced evidence that it claimed showed Mr Job’s original card had been used in the transactions. IT experts appear to differ over whether cloned cards can be used in this way and Mr Job is reported to be considering an appeal.


Sunday, June 7, 2009

Top 10 Signs Your PC has the Conficker Worm

Top 10 Signs Your Computer Has the Conficker Worm - David Letterman
 


What You Don't Know About the World's Worst Breaches


Tom Field, Editorial Director

Verizon Business investigated 90 major data breaches in 2008, including 285 million compromised records. Nearly ¾ of those breaches were external hacks, and 99.9 percent of the records were compromised via servers and applications.

These are among the findings of Verizon's new 2009 Data Breach Investigations Report. In an exclusive interview, Dr. Peter Tippett, VP of Technology and Innovation at Verizon Business, discusses:

  • The survey results;
  • What these results mean to financial institutions and government entities;
  • Which threats to watch out for most in the coming months.

Tippett is the chief scientist of the security product testing and certification organization, ICSA Labs, an independent division of Verizon Business. An information security pioneer, Tippett has led the computer security industry for more than 20 years, initially as a vendor of security products, and over the past 16 years, as a key strategist. He is widely credited with creating the first commercial anti-virus product that later became Norton AntiVirus.


Read Entire Article


Saturday, June 6, 2009

List of Latest Phishing Attacks and How to Stop the Threat

Here's a compilation of the latest phishing attacks designed to "lure" online banking customers into providing their username and password to fraudsters. 

Of course, if banks would stop using username and password log-in, and graduate to a more secure, two factor authentication...one that requires users to swipe their bank issued card, and enter their bank issued PIN, (replicate what they do at an ATM machine) then they would, at the same time,  eliminate phishing altogether. 

With HomeATM's PCI 2.0 Certified Terminal and PIN Entry Device, Internet banking has never been more secure.

Banks can enhance their users' online experience and security with strong two-factor authentication per the FFIEC directive, guard against many forms of cyber attacks and malware and reinforce the financial institutions’ brand.

In addition, our terminal eliminates the threat of cloned cards, the threat of DNS Hijacking, the threat of cloned websites and "enables" online banking customers to securely transfer money, whether it be account to account (A2A) person-to-person (P2P), pay bills, and securely transact online. 

The 2 best reasons (besides E2E Encryption, 2FA and PCI 2.0 Certification) 2 choose HomeATM are:

1. There is no other authentication device on the market with a PCI 2.0 Certified PIN Entry Device (PED).
2. HomeATM's terminal, manufactured by HomeATM, "WITH a built-in PED" costs significantly less than competitors (i.e. Magento) who offer their product  "WITHOUT a PED."


For a limited time, you can get 2 of ours for the price of 1 Magenta.  For more information, please email us.




Here's the list of the latest phishing attacks, compiled by MillersMiles.com (targeted brand, date reported, subject line used):

Alliance and Leicester, 6th June 2009: Alliance-Leicester Group
Wells Fargo, 6th June 2009: Notification of Account Suspension
Halifax Bank, 6th June 2009: Information - Access Suspended
Abbey, 6th June 2009: Please Update Your Account
Cahoot, 6th June 2009: Important Message:-
Aol, 6th June 2009: Dear valued Aol ® member
Abbey Bank, 5th June 2009: Overdraft Application Received
PayPal, 5th June 2009: Update Your Paypal Account!
Cahoot Bank, 5th June 2009: Payment Notification Update(customers Verification Required)
Halifax, 5th June 2009: Halifax Online Banking - Your contact details these have now been updated
Commonwealth Bank of Australia, 5th June 2009: Online Alert
Abbey Bank, 5th June 2009: Your online banking security.
Abbey, 4th June 2009: You have 1 unread message
Egg Bank, 4th June 2009: Protect Your Online Banking.
Abbey, 4th June 2009: IMPORTANT MESSAGE
Commonwealth Bank, 4th June 2009: Notification from Commonwealth Bank
Cahoot, 4th June 2009: Protect Your Privacy:1 New Message
Cahoot, 4th June 2009: Account Suspended
Cahoot, 3rd June 2009: Cahoot Online Security Service
Alliance and Leicester Bank, 3rd June 2009: Important Message: Your Account Has Been Temporarily Block
National Savings and Investmen, 3rd June 2009: Important: Your NSI Savings Account is Limited!!
Oregon Community Credit Union, 3rd June 2009: Personal Information Error!
Abbey Bank, 3rd June 2009: Abbey Instant Access Saver { Secure Your Account Access }







Friday, June 5, 2009

Credit Card Fair Fee Act Introduced by House

 
Updated: D-Day for Visa/MC?



Legislation seeking to tighten rules on so-called "interchange fees" levied by credit card companies could hurt transaction processors like Total System Services Inc. and First Data Corp. if it becomes law, a Morgan Keegan & Co. analyst said in a research note Friday.

The legislation would yield a mixed bag of results for various other players in the credit card industry, with potentially significant effects on payment networks like Visa Inc. and MasterCard Inc. as well as "acquiring banks" like Global Payment Systems Inc., analyst Robert Dodd said.

"While we believe the prospect for interchange regulation is real - though far from certain - we believe the impact on the sector would be mixed, generally positive for acquirers and modestly negative for networks," Dodd wrote.

(Continue reading at Forbes)




Is this the beginning of the end of the "fee ride" given to Visa and MasterCard? 

Has the Dynamic Duo(poly) finally met their match?  

Have Merchants finally seen a "bill" loaded with "Interchange Fees" that they actually like? 

Stay tuned to find out the answers to these and other duo-processing (due processing) questions, as the Federal Government takes on Visa, MasterCard for Round Two. 

First it was the consumers crying foul...

This time it's the merchants who are claiming they have been hacked, oops, let's change that to: this time it's the merchants who "get to go to the line" and shoot their Interchange "Fee Throws."  

They say things happen in three's, so after Visa and MasterCard lose Round Two, Round 3 might involve companies such as HomeATM.  

Why HomeATM?  Because, we offer the world's ONLY PCI 2.0 certified terminal with PIN Pad specifically designed for eCommerce use.  Even though our process cannot "get hacked," (because our data is never in the clear) we still "jumped through their (PCI) hoops"...got certified, and thereafter, we get "slapped" on the wrist most every time we try to get to the (shopping) "basket" on the web.  We've been told that Visa will NEVER allow PIN Debit on the web...which I find hard to believe, based on the recent gaffes in "card not present" security. (or the lack thereof)  Put another way...

Online (PIN) Debit for online shoppers is more secure, yet the duo(poly) pushes credit and "offline" debit transactions because of the higher interchange rates. (including the EFT networks pushing the infamous, "Card Not Present PIN Debit" solution offered by a competitor.) 


  • Higher interchange exists because there is higher risk
  • Lower Interchange exists because there is lower risk
  • Software PIN Debit ("Card Not Present PIN Debit Interchange") does NOT exist!!  

At the "rate" they are going, (or should I say at their going rate?) I don't see how the dynamic duo(poly) could argue there's a "free market" when it's obviously nothing but a "fee market."  Of course, we'd prefer to work "with" Visa than against them. That said, I must say: "Ball's in their court...but we got game!"


U.S. bill could help merchants cut credit card fees (Reuters)
Thu Jun 4, 2009 3:53pm EDT

By John Poirier

WASHINGTON (Reuters) - Merchants and retailers would be able to negotiate with banks to reduce costs associated with credit card purchases, according to legislation introduced on Thursday by lawmakers in the U.S. House of Representatives.

The measure, called the Credit Card Fair Fee Act, focuses on the so-called interchange fee that restaurants, service stations and other stores pay banks for credit card-related purchases.


Merchants and some lawmakers have complained that merchants and retailers have been blocked from being able to negotiate a fee structure with credit card networks Visa Inc and MasterCard Inc, whose members are banks.

Visa and MasterCard set the fee structure and control almost three-fourths of the volume of transactions on general purpose cards. American Express Co and Discover Financial Services have their own systems.

Store owners and retailers have also complained that banks collude to set the fee structure and block them from being able to negotiate lower fees, even going as far as calling the practice anti-competitive.

Critics have said those fees are passed on to consumers.

Visa and MasterCard have said merchants and retailers do have the opportunity to negotiate lower fees.

"This legislation will give merchants a seat at the table in the determination of these fees," said House Judiciary Committee Chairman John Conyers in a statement.

"It is not an attempt at regulating the industry and does not mandate any particular outcome. This bill simply enhances competition by allowing merchants to negotiate with the dominant banks for the terms and rates of the fees."

Continue Reading at Reuters









Windows XP ATM's Can Steal Your PIN

I blogged about this yesterday, (Malware Allows Complete Control Over ATM) but it's still big news today, so here's a refresher excerpt from today's iTWire:

iTWire - Windows XP cash machines can steal your PIN
by Davey Winder | Friday, 05 June 2009

It is bad enough that the bad guys constantly try and phish your financial data via email and fake websites, now cash machines are getting in on the act.

The Trustwave SpiderLabs, an outfit that deals with everything from ethical hacking through to incident response and security forensics, is warning that the bank cash machine network is at risk from a malware attack that collects PIN numbers.

The SpiderLabs team reports that it has been able to perform an analysis of the malware, which had been discovered on compromised East European cash machines running Windows XP.

The malware was able to capture the magnetic stripe data from the private memory space of transaction-processing applications that were installed on these compromised ATMs, along with PIN codes for good measure.

Continue Reading



Yet Another Online Banking Threat - Fake Digital Certificates

Virus and Spyware - New Fake Banking Cert Attacks In Play - eWeek Security Watch
Editor's Note: It dawned on me that I could devote this entire blog to stories about how insecure online banking is, but since we can fix it, I'll stay with the HomeATM PIN Payments Blog. Here's yet another serious threat, this time it's fake digital certificates, that HomeATM would eliminate with our PCI 2.0 Certified SafeTPIN device. Swipe Bank Issued Card, Enter Bank Issued PIN, and you're authenticated. And the data is encrypted and is NEVER in the clear. Keep It Simple indeed.

New Fake Banking Certificate Attacks In Play

Researchers with security training experts SANS Institute have reported the emergence of a new wave of attacks seeking to take advantage of trust in online banking sites and digital certificate e-banking security programs.

The involved attacks target customers of Bank of America, asking targets to click through from e-mail borne links to URLs where they are asked to upload new digital certs to protect themselves when e-banking.

Of course, once an end user has clicked on one of the links on the phony BoA pages they are instead infected with malware.

As SANS expert G.N. White highlights in a blog post on the topic, technologically savvy users may be even more likely to fall for the campaigns as they specifically target people who are to some extent educated about, and aware of, digital certs and the role they play in protecting e-banking applications.

At the same time, the example White touts in his post actually tips its own hand by warning users not to worry if after clicking on its links they receive any computer warnings about "potential scripting violations."

How industrious.

Continue Reading at eWeek




Should Banks Use Twitter?

Banks using Twitter need to proceed with caution, experts say
By Marcia Savage, Features Editor, Information Security magazine | SearchFinancialSecurity.com

Editor's Note:  This story is yet another reason why banks should discard the blatantly obsolete username | password login process and replace it with a secure two factor authentication end to end encrypted login.  They are two-thirds of the way there.  They issue a card, they issue a PIN, now they need to issue their online banking customers a card processing terminal which enables their users to Swipe their bank issued card, enter their bank issued PIN and voilà, all these potential threats are eliminated.  Since HomeATM designed, patented and manufactures the world's first and only PCI 2.0 certified PIN Entry Device, made specifically for online eCommerce use, the terminal of choice is a no-brainer.   So if banks want to eliminate phishing entirely (no data means no phish) cloned websites, DNS Hijacks, the threat spoken about below, etc. then who are they gonna call?  There's no place like HomeATM!  Here's an excerpt from the latest threat faced by online banking article:

"Banks are jumping onto the Twitter bandwagon but experts say financial institutions need to consider the fraud risk and other security issues associated with the micro-blogging site and other social networking services.

Bank of America, Wells Fargo and ING DIRECT are among the many financial institutions using Twitter for marketing, customer service, community outreach, and other activities. According to a recent study by Williams Mills Agency, an Atlanta-based public relations firm serving financial services, financial institutions of all sizes, including community banks and credit unions, are using Twitter to communicate with consumers.

Types of information shared on Twitter by financial institutions include promotions, replies to followers, personal finance tips, links to industry news, community event news, and personal comments on mundane topics like the weather, the study showed. William Mills looked at 1,176 "tweets" posted by 63 financial institutions in March.

However, banks moving into social networking should proceed with caution, said Jacob Jegher, senior analyst in the banking group at Celent, a Boston-based financial research and consulting firm. Jegher wrote earlier this spring about social networking risks for banks.

The biggest threat, he said, is fraudsters pretending they are a particular bank on Twitter or Facebook in order to steal online banking credentials. For example, a fraudster posing as a bank on Twitter could respond to a customer's question about an account problem by asking for account passwords, Social Security numbers, and other sensitive information. Unsuspecting customers, thinking they're on a legitimate bank Twitter page, could be duped.

"I see that as a huge risk – the social engineering of information out of people," Jegher said. "All it takes is a couple pieces of information and the fraudster can start piecing things together."

Continue Reading at SearchFinancialSecurity.com
(registration required)




That Was Stupid! $10k If You Can Hack This...Ooops!

Startup: We'll give you $10,000 if you can hack into our CEO's email.  Oops!  Already?

June 2nd:


A newly launched startup called StrongWebMail is aiming to add a new layer of secure authentication for its customers - phone verification prior to logging in and alert services for potential email compromises.


The company is in fact so confident in its approach that it’s currently offering a $10,000 reward to the person who breaks into the CEO’s email. To make things even easier, they have in fact provided his user name and password (CEO at StrongWebmail.com; Mustang85).

The catch? Aspiring participants would have to figure out a way to intercept the 3 digit PIN sent over SMS/phone call required for logging in:

“StrongWebmail.com is offering $10,000 to the first person that breaks into our CEO’s email account…and to make things easier, we’re giving you his username and password.  There’s just one catch: to access a StrongWebmail.com email account, the account’s owner must receive a verification call on his pre-registered phone number. So even though you have our CEO’s username and password, you still have some work to do because you don’t have access to his telephone.”

48 Hours Later... Ooops!
June 4th:

A Webmail service that touts itself as hack-proof and offered $10,000 to anyone who could break into the CEO’s e-mail has lost the challenge.

A trio of hackers successfully compromised the e-mail using a persistent cross-site scripting (XSS) vulnerability and are now claiming the bounty.


[ SEE: Email service provider: 'Hack into our CEO's email, win $10k' ]


The hacking team of Aviv Raff, Lance James and Mike Bailey set up the attack by sending an e-mail to the company’s CEO Darren Berkovitz.   When he opened the e-mail, the team exploited an XSS flaw to take control of the account.

They were able to follow the contest rules and record a calendar entry for one of Berkovitz’s tasks that’s due on June 26. Robert McMillan reports that Berkovitz confirmed the authenticity of the calendar entry but StrongWebmail has not yet confirmed the compromise or paid the promised bounty.

The researchers are not sharing details of the vulnerability.  However, James has been posting screenshots of StrongWebmail’s XSS problems on Twitter.
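The lesson in the story above is that a second factor checked only at login protects the login, not the session: once the owner is in, script that a webmail client renders out of an untrusted message runs with the owner's rights. The JavaScript below is an added illustration, not StrongWebmail's code; the user record, the renderers, the check and the sample message are all constructed for this example. It puts a vulnerable message renderer beside one that HTML-encodes untrusted fields and replays the login-then-open-mail sequence through each.

```javascript
// Added illustration (not StrongWebmail's code): a phone-verified login does
// nothing against stored XSS, because the script runs inside the session that
// the login already created. All names, records and mail below are constructed.

// --- Login with a second factor --------------------------------------------
// Hypothetical user record: password plus the PIN delivered by phone call/SMS.
const USER = { name: "ceo", password: "constructed-password", phonePin: "482" };

// A session is issued only when the password AND the phone PIN both match.
function login(name, password, phonePin) {
  if (name !== USER.name || password !== USER.password) return null;
  if (phonePin !== USER.phonePin) return null; // second factor enforced here
  return { user: name, authenticated: true };  // everything after this is trusted
}

// --- Rendering mail inside that session ------------------------------------
// Vulnerable renderer: subject and body are interpolated into HTML unchanged,
// so markup written by a stranger becomes part of the page the victim views.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><h2>${msg.subject}</h2><p>${msg.body}</p></div>`;
}

// Output encoding: every character that can open a tag, attribute or entity
// is replaced by its entity, so the same data is displayed as text, never run.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: identical layout, untrusted fields encoded on output.
function renderMessageSafe(msg) {
  return `<div class="msg"><h2>${escapeHtml(msg.subject)}</h2><p>${escapeHtml(msg.body)}</p></div>`;
}

// Regression check for a renderer (a heuristic, not a parser): does the
// produced HTML contain a script element or an on* event-handler attribute?
function hasActiveContent(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Constructed inbound message. Sending it needs no credentials at all; the
// script body is a harmless marker standing in for whatever a real one did.
const SAMPLE_MAIL = {
  from: "stranger@example.invalid",
  subject: "Re: the bounty",
  body: "Hi! <script>/* would run as the logged-in user */</script>",
};

// Replays the shape of the challenge: the owner passes both factors, then
// opens the mail. Which renderer is in use decides whether foreign script
// ends up executing in the authenticated session.
function simulate(render) {
  const session = login("ceo", "constructed-password", "482");
  if (!session) return { loggedIn: false, scriptRuns: false };
  const html = render(SAMPLE_MAIL);
  return { loggedIn: true, scriptRuns: hasActiveContent(html) };
}
```

With the constructed data, simulate(renderMessageUnsafe) reports loggedIn: true and scriptRuns: true, while simulate(renderMessageSafe) reports loggedIn: true and scriptRuns: false; the phone PIN was satisfied in both runs.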

Nightline: Billions Snatched in Credit Card Theft

Nightline produced a story on Credit Card theft, which ran the night before last.  The story told of the billions of dollars stolen by fraudsters, but in my humble opinion, they left an important part of the story by the wayside.  

When fraudsters attack, who gets hurt the most...  Here's a quick excerpt from their story, followed by exactly what I mean by "who gets hurt the most."

Thieves Snatch Billions in Credit Card Identity Theft Scams - ABC News


'Nightline' Tracks Hackers in Underground Identity Theft Chatrooms; How to Protect Yourself

By ELISABETH LEAMY


Foryears, crimes have followed the same age old mantra: wrong place at thewrong time. For someone to commit a crime against someone else, theyhad to be physically in the same area. But that's no longer the case;it's now easier than ever to be victim of a crime, particularlyidentity theft, without even realizing it.

Identity thieves snatch tens of billions of dollars a year through credit card fraud, either outright, or by selling your card information to other crooks across the globe. The perpetrators come from a loosely organized international underworld working beyond the reach of the law and without limits.

"They can sit in an apartment in Kiev ... and steal your identity and you're going to be in a world of hurt," said Dan Clements, founder of Card Cops, a company that has been tracking hackers who buy and sell people's identities. "They blatantly ... trade credit cards. They trade social security numbers. They trade debit card pin numbers."

Card Cops has been tracking hackers' activity for a decade. Crooks from all over the world meet in Internet chat rooms, in what almost looks like an underground stock market. "Credit cards are commodity items," Clements said. "They can go for as little as $2 or $3 for a regular credit card. If you have a platinum card, it may be for $10 or $20. It's big business. They make a lot of money. There are people here that claim to make $20,000 to $30,000 a month selling these resources in these chat rooms."

The chat rooms operate like a commodity floor, where information is openly traded, and the hackers who carry out identity theft usually live in another part of the world. "It's a global market," Clements said. "It's like a bazaar where you can buy anything at any time." The Card Cops should know: They entered the business of protecting consumers and merchants from identity theft because many of them were scammed themselves when they worked together at another Internet company.

To help understand how fast a thief can siphon money from an account, ABC News experimentally opened a Visa account. It only took 15 minutes before a hacker got hungry.

"We had a hit from a retailer in Massachusetts," said Clements. The culprit used the credit card number to buy Dominos Pizza. "So there is your charge for $39.76. It looks like some kid might have found the card in this chat room and decided to buy his buddies pizzas."

Continue Reading at ABC News


Editor's Note: Regarding that $39.76. Somebody lost 40 bucks. Who was it? ABC News didn't take the hit...they are protected by the "Zero Liability" program...introduced by Visa...who also didn't take the hit. Oh, and the bank that issued the card? They didn't take the hit either.

That leaves...Dominos, who got screwed out of not only their $39.76 (and as much as I'd prefer not to call this the "domino effect," it is what it is), but they also got screwed out of the cost of the cheese, the sauce, the sausage, the onion, the mushroom, the pizza box, the labor and payroll involved in making the pizza, the gas to deliver the pizza, etc.

At the end of the day, they lost $40 plus an additional $20+ bucks.  So it's easily a $60 hit. 

There are several groups that have stood up to fight high interchange fees, but here's a suggestion. Rather than bitch and moan about Interchange, start doing a little b&m'ing about the fact that Visa is pushing a less secure product (signature debit has up to a 15 times higher fraud rate than PIN Debit) which, not coincidentally, also carries a higher interchange fee. Why would Visa's Signature product be the less secure of the two types (PIN & SIG) of debit products?

I would make it a point to ensure that argument was all over the House Bill introduced yesterday.  (Credit Card Fair Act Introduced by House)

So the Big Question is simply this: If Visa stands to "lose nothing" and Visa stands to "make more money" by pushing a "less secure" (Signature Debit) payment product, why on earth would they be interested in pushing a more secure (PIN Debit) payment product?

The short answer is "they wouldn't." 

So then the next Big Question becomes: Why is PIN Debit outpacing Signature Debit by a nearly four to one margin? Have the merchants finally realized that there are virtually no chargebacks involved with PIN Debit and that Interchange Rates are significantly lower? Or have consumers become more savvy? You tell me. I'd love to hear your comments.


PIN Debit Growth Nearly 4 Times Higher than Signature Debit

Amid Recession, PIN Debit Growth Far Outpaces Signature

Editor's Note:  I don't see the connection between the recession and PIN Debit usage at all.  In fact, quite the opposite.  Think about it.  Visa and MasterCard attach rewards to "signature" debit, therefore, in a recession, you would think that consumers would want the rewards and SIGNATURE would be outpacing PIN.

Sure, I see the debit over credit recession connection, but cannot digest the PIN over Signature in a recession propaganda.  Now, had the article made the argument that consumers are becoming more wary, (is undesensitized a word?) about payments security, and thus are choosing PIN over SIG, I'd have to wholeheartedly agree.

But, according to research released yesterday by the Pulse EFT Network, PIN Debit grew at nearly four times the rate of signature debit between July and December, which is when the recession kicked in. Here's a blurb from DTN...

This, from John Stewart's Digital Transactions:

"While the recession is making an impact on consumer spending generally, PIN debit card usage is faring considerably better than that of signature debit.

PIN debit transactions by consumers grew 15% between July and December, the period during which the economic downturn began making itself felt, nearly four times the rate of growth for debit transactions secured with a signature, according to research released on Thursday by the Pulse electronic funds transfer network.

The study, conducted for the Houston-based network by consulting firm Oliver Wyman Group, also found that fraud rates on debit card transactions are falling; that usage of debit cards for bill payments, including online PIN-less payments, is registering significant numbers; and that awareness of a wide range of alternative-payment methods is very high among bank card executives. Also, the study shows steadily rising adoption by banks of mobile-banking technology."

Continue Reading at Digital Transactions
