As we have pointed out a few times on this blog, these types of problems plaguing banks could be severely reduced, if not completely eliminated, in three simple steps... two of which have already been done.
Authenticating an online banking customer with "username | password" (or "any form of log-in" which a consumer must type/enter) is the fundamental basis of the problem.
Banks issued a card, banks issued a PIN; the last issue they must contend with is for them to issue the card/PIN reader. True two-factor authentication: what you have (card) and what you know (PIN).
Prior to HomeATM breaking the price barrier, a low-cost secure card reader with an integrated PIN Pad did not exist. Therefore, the only other choices banks had for authenticating their customers (besides username | password) were to upgrade their log-in capabilities with OTPs (one-time passwords) and dongles. OTPs can be and have been intercepted, and dongles can ONLY be used as authenticators. Not anymore. With HomeATM's "low cost" terminals, banks are in a position whereby they could give these things away faster than toasters and prevent themselves and their customers from getting burnt by fraudsters.
The added benefit of HomeATM's device is that it is NOT LIMITED to authentication. Our device also provides Zone 1-4 End-to-End-Encryption (for Track 2 data) and full Zone 1-5 E2EE for the PIN during an "online" financial transaction (thereby protecting the cardholder data as well as any $500+ point of sale terminal and $150 PIN Pad). Our device also utilizes existing bank rails, which enables the cardholder to instantly transfer money from any bankcard to any other bankcard. That feature also inherently provides a unique way to pay bills/utilities online.
Apparently, in spite of events like the one reported below becoming more commonplace (see Commonwealth Bank stories over the past week), some banks think they are immune. Unless they utilize an inoculator (such as our SafeTPIN), I can assure them they're not.
MUMBAI: Indian Banks' Association (IBA) website was hacked this morning, leading to panic among bank customers across the country. The IBA warned the public not to share bank account details to the website as demanded by the hackers.
The IBA website has been compromised and there is a bogus message doing rounds asking people to give their ATM Card details online at the bogus link.
The webpage is a copy of IBA's web home page, a top IBA official said. Translation: A "Cloned" Bank Website.
(Never heard of such a thing? Enter "Cloned Website" in the HomeATM Search Bar on the top left sidebar... or check out "Related Articles" below.)
IBA is the national body of Indian banks and has members from public, private and foreign segments. IBA has deployed a special team to examine the matter and will resolve the issue at the earliest, the official said. - PTI
The ACH Network: The Bedrock of Alternative Payments; New Research Report by Mercator Advisory Group
The ACH Network began as a low volume network transmitting large recurring transactions between well-established entities; however changes in rules and business models have brought about significant changes in the nature and volume of ACH activity.
More than 18 billion ACH payments were made in 2007, representing a 12.6% increase from the total number of transactions generated in 2006. Much of the growth in ACH volume can be attributed to fundamental changes in payment methods used by consumers and businesses with the network transforming into a high volume platform of relatively low-value, non-recurring transactions. These transactions are originated from a rapidly expanding number of merchants, aggregators, corporations, and financial institutions.
Alternative payment providers such as Google Checkout, Bill Me Later and of course PayPal leverage the ACH to provide consumers and merchants with a secure and efficient means of payment and in doing so are experiencing phenomenal growth.
Non-financial institutions have been beating the banking industry to the punch of developing unique and cost efficient payment solutions, especially in the e-commerce space. Ironically, alternative payment providers have succeeded using the banking industry’s own infrastructure to capture interchange-like revenues.
However, a new solution has emerged from the National Automated Clearing House Association (NACHA) that could level the playing field for banks to compete against alternative payment providers and push the ACH network in a new direction. NACHA’s recently released Secure Vault Payments (SVP), an e-commerce payment solution, not only enables customers to move payments from their direct deposit accounts to merchants and service providers, but transactions occur with real-time authentication and authorization from the consumer’s bank Web site. The push method ensures merchants and service providers that payments are being made with “good funds”, thus reducing concerns about fraud, chargebacks, and non-sufficient funds.
Although signature debit and credit card usage online has yet to be hugely impacted by alternative payment solutions, in many cases, non-traditional payment providers offer significantly enhanced value propositions including discounts, sales and loyalty tools, and the ability for merchants to cross sell on non-competitive merchant Web sites. These value added services create significant competitive pressures for traditional payment types and are giving alternative payment methods solid traction.
Brent Watters, Senior Analyst of Mercator Advisory Group’s Prepaid Advisory Service and principal analyst on the report, comments, “As alternative payment methods continue to evolve and more players step into the space, the use of traditional payment cards for online transactions will continue to decrease. It is foreseeable that merchants will increasingly promote alternative payments and consumers will become more accepting of new payment types. Mercator believes that in the next five years (2014) 35% of payments made online will be in the form of alternative payments, including prepaid cards, new forms of credit and programs leveraging the ACH.”
Highlights from this report include:
The ACH continues to show solid growth and transaction volume will continue to escalate as more alternative payment schemes leverage the network.
The ACH is moving to push versus pull method of payment thus creating direct competition for EFT networks that have been eager to develop a PIN-less debit solution for online transactions.
The ACH’s eCheck services continue to fuel the networks’ transaction volume and penetrate markets currently targeted by debit and credit cards.
NACHA’s Secure Vault Payment (SVP) creates an opportunity for banks to compete in online alternative payments.
Within the next five years (2014), 35% of payments made online will come in the form of alternative payments, including prepaid cards, new forms of credit and programs leveraging the ACH.
Members of Mercator Advisory Group have access to this report as well as the upcoming research for the year ahead, presentations, analyst access and other membership benefits. Please visit us online at http://www.mercatoradvisorygroup.com/.
For more information send email to info@mercatoradvisorygroup.com.
Author Information: ROBERT MISASI, Mercator Advisory Group
By MARIA HALKIAS / The Dallas Morning News, mhalkias@dallasnews.com
7-Eleven Inc. is using its 6,300 U.S. stores to send a message to Washington and the credit card industry.
Starting this week, the Dallas-based convenience store operator hopes to solicit 1 million signatures on petitions calling for Congress to change what the chain says are unfair and excessive credit card transaction fees.
Credit card companies charge retailers a fee for every transaction. The size of the purchase doesn't matter. And retailers have no power to negotiate the fees, they say.
For convenience stores alone, the fees totaled $8.4 billion last year, up 10.5 percent from 2007. That's more than the $5.2 billion the industry made in profit, the National Association of Convenience Stores says. 7-Eleven, which alone paid $160 million to credit card companies last year, is leading the lobbying effort, working with the association, which represents 146,000 stores nationwide. The efforts come as the sweeping credit card rules that Congress passed go into effect in February prohibiting certain fees on consumers.
Petitions are prominently displayed at 7-Eleven checkout counters.
PayPal woos third party developers with Adaptive Payments
PayPal is set to open up its platform to third party developers in a move the firm says will make it easier for them to make money from their ideas.
The new application programming interface (API), called Adaptive Payments, will give developers more flexibility in building apps that move money between PayPal accounts.
The API allows straight payments from customers to the PayPal accounts of receivers such as owners of Web sites or widgets on social networking sites.
It also means developers can build applications for "parallel payments", enabling a sender to make a payment to multiple receivers.
PayPal says this means users can set up a shopping cart that enables buyers to pay for items from several merchants with one payment. The cart would allocate the payment to merchants who actually provided the items.
In addition, "chained payments" will enable a sender to make a single payment to a "primary receiver", who can then keep a part of it and send the rest to "secondary receivers".
The firm says this could be used by companies such as online travel agencies which handle bookings for airfares, hotel reservations and car rentals. The primary receiver allocates their commission with the secondary receivers then getting their share of the payment.
The new API is similar to Amazon's Flexible Payments Service, which was launched in beta in 2007 as part of the e-commerce giant's attempt to muscle in on PayPal's territory.
However, in a blog post responding to TechCrunch, which broke the story, Osama Bedier, VP, platform and emerging technology, PayPal, insists Adaptive Payments is "not an effort to 'crush Amazon's fledgling payment service'".
Dublin - Research and Markets has announced the addition of Javelin Strategy & Research's new report "Understanding How PCI-Compliant Companies Can Be Breached: Security in a Post-Heartland World" to their offering.
The Payment Card Industry Data Security Standard (PCI DSS) raises the high water mark for data security. But there's a persistent myth that PCI compliance equals security. The reality is that PCI is only a baseline, and one that needs to be monitored constantly as the threat landscape changes. In the months following what may be the largest data breach in U.S. history at Heartland Payment Systems, many people are wondering if PCI is effective. In response, the PCI Security Standards Council has released new guidance around risk-based compliance and Qualified Security Assessor (QSA) reviews and remediation. But will these be enough to calm the concerns that merchants have with PCI? This report includes an update of PCI, an overview of emerging technologies, and lessons learned from the Heartland breach. Hashing, tokenization, end-to-end encryption, and Chip and PIN are covered in depth.
Primary Questions
- Does PCI compliance equal security?
- Which are the most common requirements not met by previously PCI-certified firms?
- What has been learned about the Heartland breach?
- How can merchants store PAN data without violating PCI?
- What are the emerging technologies that can help merchants take PAN data out of scope for PCI compliance?
Methodology
This report is based on data collected online from a random-sample panel of 2,339 respondents in September 2008. The survey targeted respondents based on representative proportions of gender, age and income compared to the overall U.S. online population. Overall margin of sampling error is 2.03% at the 95% confidence level, for 2008. The report was also based on interviews with executives from the PCI Council, Heartland, and eight security vendors.
Companies Mentioned:
- Merchant Bank
- PCI Security Standards Council
- Trustware
- Merrick Bank
- Princeton Payments Solutions
- U.S. Department of Veterans Affairs
- Micheals
- Qualys
- Veracode
- National Retail Association
- RBS WorldPay
- VeriSign
- NT Objectives
- Securosis
- Verizon
- nuBridges
- Shift4
- Visa
- Ounce Labs
- T-Mobile
- WhiteHat Security
- Payments Software Company
- The Cadence Group
- Paymetrics
- TJX
For more information visit http://www.researchandmarkets.com/research/3113c7/understanding_how
Hackers using Active X flaw for remote code execution
Published: 07-July-2009
By Kevin White
Security researchers warn on Video ActiveX Control vulnerability
Potential cybercriminals have been found to be inserting a data-stealing Trojan onto PCs left vulnerable by a flaw in the Microsoft Video ActiveX Control, security experts have warned today.
The discovery, which was made yesterday by researchers in China and since confirmed by several authoritative security software vendors, enables remote code execution on targeted machines.
Finjan CTO Yuval Ben-Itzhak told us, “It stands as a zero-day attack until a patch is issued or a workaround is made, and it basically means that a hacker could take control of a remote PC by someone visiting a compromised web site.”
Some popular European music download and gaming sites are among those he said had already been compromised. “It is low volume at present, but we expect to see it increase in the coming weeks,” he said.
(Editor's Note: Low in volume? Was that a pun considering it's music downloads that put users at risk?) Continue Reading at CBR
Indian E-Commerce Braces For Changes In Credit Card Verification Norms
By Nikhil Pahwa ⋅ July 6, 2009
The e-commerce industry in India needs to brace for the coming of a lull in transactions, which owes its origin to a notification from the Reserve Bank of India.
According to the notification, in order to enhance the security of online card transactions, it will become mandatory from August 1st 2009 onwards, to provide:
1. A system of providing for additional authentication/validation based on information not visible on the cards for all on-line card not present transactions except IVR transactions. (Editor's Note: How about making the "card present" by swiping the magnetic stripe and encrypting it through Zones 1-4, then entering the PIN and encrypting it through Zones 1-5?)
2. A system of “Online Alerts” to the cardholder for all “card not present” transactions of the value of Rs. 5,000/ and above.
Implications
Travel Portal Cleartrip recently set up a page to help its users register at various bank sites for Verified by Visa and Mastercard Secure verification norms which banks in India are adopting in order to comply with point 1 mentioned above.
Hrush Bhatt, co-founder, Cleartrip, told MediaNama that for completing transactions, merchants will have to re-direct consumers to bank sites, which will require the additional password for verification of payment. For methods that involve redirection, payment failures are around 10 times more.
Bhatt said that though the RBI circular is correct in spirit, the manner in which it is being implemented is going to cause disruption for customers and merchants. Cleartrip is gearing up for at least a 2-3 week disruption, “when people won’t know what this stuff is. Hopefully, after that people will enroll.” ICICI Bank is planning to mandate usage of these additional passwords on July 20th, while the rest are expected to switch between July 20th and August 1st, except American Express. “AmEx already has billing address verification in their API,” he said.
Bhatt added that this also puts Indian online companies at a disadvantage to international ones, because “International companies do not have this extra hoop to jump through. Any (Indian) company that wants to serve an international audience is also at a disadvantage.” This is because international customers will not be able to use sites from Indian merchants unless they have the additional password.
Alternatives & Why Banks Went For Additional Passwords
“Last date we heard, less than 8% of the world is enrolled in any of these programs,” Bhatt said, referring to Verified by Visa and Mastercard Secure. “In the US, merchants are provided with a variety of fraud control measures like billing address verification, date of birth verification; obviously, the banks have this information.” Bhatt said that the biggest processors of transactions online - Amazon and iTunes - do not support the additional password.
“There could be other ways, but the banks have chosen to go with the method that involved the least amount of work for them.
The existing gateways and the APIs don’t process these fields right now, so they will have to reverse integrate with wherever that information sits in their system to ensure that an additional field is provided to the gateways.”
Editor's Note: Why mess with all that when it doesn't solve the problem anyway? Additional passwords are not needed. Encrypted True 2FA is needed. If anyone can tell me a better way to authenticate the user than swiping their own card in the safety of their own home, followed by entering their PIN, (besides using EMV and entering PIN) and transmitting the encrypted data safely with a derived unique key per transaction (DUKPT) I'd love to hear about it. In my opinion, redirecting will only create another link in the chain and another way for fraudsters to find the Gap in that system.
Impact On WAP?
Bhatt wonders how this will work on WAP, because this additional layer of security involves a redirection to the bank sites: Do mobile browsers support those redirects?
Fraud, like water, finds the path of least resistance. As more and more countries migrate to Chip and PIN, more and more criminals migrate to the web, where security is somewhere between lax and non-existent. This article talks about the fact that countries that have initiated Chip and PIN must do so across the board... including ATMs. For the record, HomeATM's PCI 2.0 Certified PIN Entry Device is EMV (Chip and PIN) ready...
Bank delays exposing Aussies to credit card fraud
Marissa Calligeros, July 7, 2009 - 2:05PM
New security-enhanced credit cards fitted with anti-skimming microchips are useless in the fight against credit card fraud because Australia's banks have been too slow to introduce ATMs and EFTPOS machines capable of reading them, experts say.
Former cybercrime consultant to Britain's MI5 security intelligence service Fraser Smith said banks were lulling consumers into a false sense of security with the introduction of chip and PIN enabled credit cards because the technology to make them fully effective - while available - had not been fully rolled out.
Chip and PIN cards are designed to reduce the risk of card skimming and require a "PIN pad" terminal, or a modified swipe-card reader, which accesses the security chip on the card. While several thousand of the new machines are believed to be in circulation already, the Australian Banking Association says it could be up to two years before the majority of ATMs and EFTPOS machines in Australia are upgraded to include the chip readers.
Queensland fraud investigators fear the lag is exposing already vulnerable bank customers even further. "It is a mistake," Mr Smith said of the delay, at a meeting of the Asia/Pacific Group on Money Laundering in Brisbane today. "If you're going to go (with chip and PIN) go the whole way."
Chip and PIN technology was introduced across-the-board in the UK in 2006, but Australia, like Canada and the United States, still relies on magnetic strip technology, whereby credit cards are swiped through ATM and EFTPOS machines.
Queensland Detective Superintendent Brian Hay of the Fraud and Corporate Crime Group said Australians were becoming increasingly vulnerable to international banking scams as a result.
"Whilst we still rely upon magnetic strip data and the rest of the world migrates to chip and PIN, it's going to become a bigger problem here," he said.
"It's like fish in a pond... as that pond dries up those fish are going to become more concentrated. "In Australia we are going to have a higher concentration of cyber-based criminals around the world migrating to Australia to exploit our vulnerabilities. "We will not be fully secure until all our point of sale terminals are chip compliant."
A First: PCI Compliance Mandated for State's Merchants
Should individual states mandate that businesses comply with the Payment Card Industry's Data Security Standard (PCI DSS)? The answer is "yes," according to Nevada, which has passed a new law that, as of next year, requires businesses to comply with PCI when collecting or transmitting payment card information.
As states rush to adopt or strengthen privacy legislation, Nevada's move is seen by some observers as a potential "game-changer." But they question whether states should be in the business of mandating compliance with an industry standard.
Editor's Note: More good news for HomeATM, as our PCI 2.0 Certified Safe-T-PIN instantaneously encrypts Track 2 data for transmissions between Zones 1-4 of the end-to-end-encryption process, and the Safe-T-PIN's integrated PIN Pad instantaneously encrypts the PIN for Zones 1-5. HomeATM does all that for about half the cost of other Point of Sale Terminals that encrypt Track 2 data (and we include the PIN Pad!). I'll have more on this "game-changing" historic law tomorrow.
For example...how will this law affect online merchants who have their corporate offices in Nevada?
Online scams targeting the financial sector are on the rise in Africa as more people access online banking services and mobile banking.
Phishing attacks are mainly occurring in South Africa, where online banking is common, while mobile money theft is common in other parts of Africa where Internet penetration is still low. As a result of the increase, South Africa's Absa bank, the largest in Sub-Saharan Africa, announced Tuesday that its Internet banking customers can download security software to curb cybersecurity attacks.
A phishing attack aimed at Absa customers features a plain, yet clever unsolicited message instructing them to follow a link and confirm their account information as a way for criminals to obtain passwords and user IDs. Continue Reading at PC World
I blogged a warning about this last week, but here's more information on the Michael Jackson death probe spam. Your online banking credentials are at risk... (unless, of course, your bank utilizes the HomeATM PCI 2.0 Certified Safe-T-PIN for two-factor authentication (2FA) log-in, in which case your bank numbers and password wouldn't be on your PC for the MJ malware to mal). Bank issues card, bank issues PIN, bank issues Safe-T-PIN, and you swipe your card, enter your PIN and it's all instantaneously encrypted, including the Track 2 data. We make the MJ malware threat not scary...
Washington: Beware of any emails regarding the investigation into King of Pop Michael Jackson's death, for they may be spam messages that infect computers with a virus able to steal bank account numbers and passwords.
Experts at the University of Alabama at Birmingham (UAB) have revealed that they began tracking the celebrity-focused spam early on June 30.
"We've been tracking the cyber criminals behind this spam and the associated virus for many weeks, but it is just today that they have shifted their strategy by embedding their virus into an e-mail that claims to link you to a Web site that will reveal Michael Jackson's killer," said Gary Warner, UAB's director of research in computer forensics.
"The spam related to this virus has taken many forms, including e-cards, shipment tracking links and, most recently, a fake update to Microsoft Outlook, but with the high interest in Michael Jackson's death the cyber criminals decided to change their delivery method to capitalize on that," he added.
The message in the Jackson virus spam reads "Michael Jackson was killed ... but who killed Michael Jackson." Warner said that anyone who clicks on the message won't find an answer to the question. "If you click on that e-mail and go to the page the cyber criminals have linked to the message, your computer is immediately infected with malware," he said. He warned that the malware is capable of stealing bank account information and passwords from computer hard drives.
The virus also will redirect certain Google searches performed on an infected computer, meaning the malware inserts links to other virus-infected pages into the top positions of search results. That, according to Warner, means that search results that unsuspecting users would otherwise think valid are actually portals to other virus programs and malware.
OfficialWire: Multilevel Marketing (MLM) Payouts Made Easy With CredoCard.com
CredoCard.com specializes in branded and co-branded debit card programs, white label programs, software and payment integration programs, and turnkey payment solutions
Published on July 06, 2009 by CredoCard.com Press Office
(OfficialWire) VIENNA, AUSTRIA
CredoCard.com specializes in branded and cobranded debit card programs, white label programs, software and payment integration programs, and turnkey payment solutions. We offer the co-branded services to our client base in following regions:
1. Africa
2. North America
3. South America
4. Asia
5. Caribbean
6. Latin America
7. Middle East
8. European Union
9. Europe
We have an extensive range of service for Multilevel Marketing Companies (MLM). Our cobranded card programs are made through self-issuance, straight partnership or the transition of a private label portfolio.
Co-branded debit cards from Credocard lead to stronger brand attachment and customer loyalty. Cobranding signifies placing the MasterCard or Visa Card logo on a simple debit card or credit card. Hence, the card gets a double identity or two brands. This gives your MLM Company a higher recognition, as Visa and MasterCard are well-known names in the credit card sector.
The Credocard holders enjoy a galore of benefits as listed below:
1. The cobranded debit cards allow easy cash outs from ATMs.
2. A cardholder does not require a bank account or credit checks to accept the payment worldwide.
3. Credocard holders enjoy a global acceptance, as they are partners with well-known names like MasterCard and Visa Card. These names are extremely popular with the brand loyal customers.
4. The cardholder can have easy access to the funds transferred on their card at ATMs, shops or restaurants.
Multilevel marketing is very popular with people seeking flexible businesses or part-time businesses. It is a type of business where a distributor network is needed to build the business. In this business model, the payouts occur at more than one level. Direct deposits to a bank account or mailing a commission check is comparatively simple. But a distributor abroad, who may not have a bank account, has to wait longer to cash their checks.
Electronic fund transfer services made available are faster and less expensive as compared to the traditional methods of checks and wire transfers. But, the most efficient way to transfer funds is through cobranded debit cards offered by Credocard.
MLM companies can benefit highly from the services of www.credocard.com. Some of the services being offered are:
1. With a Credocard, your MLM Company can get a global recognition, as we are associated with names like MasterCard and Visa Card, who are market leaders in the credit card segment.
2. By incorporating our cobranded payment cards into your payout process, you can reduce the cost and hassle of international payments.
3. You can instantly transfer the funds to the card accounts, saving on your precious time and money.
Credocard strategic partners include MasterCard, Visa, ID Data, Metavante and Comodo Group. We have partnership agreements with more than 500 worldwide mobile networks, which offer both mobile payment options and SMS services. Our turnkey solutions include unlimited upgrades for all software and services needed to operate a business platform.
You can get in touch with us for more information on payroll solutions through our co-branded debit card programs, specially designed for MLM clients. Please log on to our web site credocard.com for more information or you may talk to us directly on phone to work out on your specific requirement related to MLM services.
About Credocard Ltd.
Credocard is the industry leader for software and payment integration platforms, turnkey solutions, white label programs and co-branded debit card programs. For more information on our programs please visit www.credocard.com
On July 3rd, the ZDNet Blogs reported that eyewonder.com, a digital advertising provider, has infected some popular sites via what they call a "malvertising" campaign. Here's an excerpt:
Is the EyeWonder attack a typical malvertising campaign where malicious content is pushed on legitimate sites through the ad network, or did their web site actually get compromised in the ongoing Cold Fusion web sites compromise attack?
Daniel Wolfe writes for Bank Technology News and asks whether Facebook should promote their own proprietary payment...
American Banker | Monday, July 6, 2009 by Daniel Wolfe
Could Facebook credits become the currency of the Internet?
Facebook Inc.'s popular social networking site already has a small toehold in payments through its virtual gift shop, and is reportedly trying to expand the system.
The company claims more than 200 million active users worldwide who trade gossip and keep in touch with friends through its Web site, and analysts said this vast audience might welcome a way to interact commercially as well.
However, they warn that Facebook's efforts to promote an alternative currency may be unnecessary and that demand for a Facebook payments system will likely be minimal unless there is a corresponding market for products or services available through the site.
Offering more payments services through Facebook could be popular with users, "but the recipient would have to see value in Facebook credits," said Bruce Cundiff, a director of payments research and consulting for Javelin Strategy and Research of Pleasanton, Calif. "That's the big issue: are they valuable when they're no longer dollars?"
People can use credit cards now to purchase 10 credits for a dollar through the site's virtual gift shop, and can spend the credits on inexpensive digital novelties such as playful icons sent to one another's Facebook pages, including images of birthday cakes, balloons and sock monkeys — the electronic equivalent of a greeting card.
In recent months the Palo Alto, Calif., company has also opened up its payments system to eight software developers that offer games, calendar tools and other simple applications; (fluff)Friends, for example, lets people buy gifts for digital pets.
Facebook did not respond to numerous attempts to contact the company, and it has said little to date about its payments strategy.
LONDON (Reuters) - A deadline is needed to ensure full switchover to a single pan-EU system of bank payments and help industry and public authorities plan ahead, a top European Central Bank official said on Monday.
The European Union's executive European Commission has launched a public consultation on whether such an end date is needed and, if so, when it should be.
The EU has adopted a law to introduce a single euro payments area (Sepa) so that consumers can send and receive payments in euros and use their payment cards anywhere in the 27-nation bloc, all from one bank account.
The aim is to exploit the single currency to boost competition and choice in services to bring down prices for the EU's 495 million consumers. National payments systems would be shut down with transactions moved to the new Sepa system.
The introduction of direct debit under Sepa was on track for November 2009, she said, but there was still not enough competition in cross-border cards where MasterCard (MA.N) and Visa Europe dominate. "Competition concerns are an on-going concern," she said.
Here's an interesting story from Vanguard regarding the battle for supremacy between the two biggest card companies in Nigeria. (search the HomeATM blog for more on Interswitch)
Valucard, Interswitch in Battle for Supremacy - Finance Jul 6, 2009 By Babajide Komolafe
The wave of competition caught up with the two card giants in Nigeria last week as they make claims of superiority over each other's products, Babajide Komolafe writes.
The market was taken by surprise last week when the two card giants, Valucard and Interswitch, traded claims of authenticity of their cards opening in what could be better described as an exercise in perfect de-marketing.
The whole exercise was to enable one of them gain an upper hand in an intense competition for the market for chip and PIN, Europay, MasterCard and Visa (EMV) compliant payment cards in the country.
Valucard had last week dismissed Interswitch’s Verve cards claim to be EMV compliant, saying its Visa and VPay cards are the only EMV compliant cards in the country. Interswitch, in a swift reaction, said Valucard's claim is a lie and unnecessary de-marketing. It said the truth is that its Verve card is an EMV compliant card with more features than any other in the world. Interestingly, both Valucard and Interswitch are owned by consortia of banks, with some banks belonging to both consortia.
EMV is an international e-payment standard developed by Europay, MasterCard and Visa to maximize e-payment security by replacing the current, fraud-prone magnetic stripe cards with EMV chip and PIN cards.
It represents the latest in payment card technology. Unlike the magnetic stripe card that can be cloned by fraudsters, chip and PIN (EMV) cards cannot be cloned; as a result, they are considered safer and more secure.
Against this background the Central Bank of Nigeria (CBN) directed banks to stop issuing magnetic stripe cards and migrate to chip and PIN (EMV) cards on or before April 30th this year.
Consequently, last year Interswitch Nigeria Limited, the sole switching company to Nigerian banks with the largest payment cards issued on its Nigeria Debit Card Scheme, developed and introduced the Verve card, which is a chip and PIN (EMV) compliant card. The card was introduced to replace the 28 million magnetic stripe cards on its network.
Already about six million Verve cards have been issued while 12 banks have ordered for Verve cards. The banks are Intercontinental Bank, Nigeria International Bank, Skye Bank, Bank PHB, Oceanic Bank, Ecobank, First City Monumental Bank (FCMB), First Bank, Stanbic IBTC, Unity Bank, Zenith Bank and United Bank for Africa (UBA).
Valucard however was the first to introduce EMV compliant cards. In 2004 following its partnership with Visa International, the company introduced Visa and VPay cards which are EMV compliant. The company in a statement last week however warned that the banking public should disregard any payment card claiming to be EMV compliant.
07/06/09 06:54 AM via The Buffalo News CREDIT Weak security opens door to hackers By Jordan Robertson | ASSOCIATED PRESS
Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.
Editor's Note: The sensitive data of which they speak is the Track 2 data, and if the Track 2 data is encrypted, the above threat does not apply. Which is why HomeATM's devices have been engineered to "instantaneously encrypt" the Track 2 data, providing the industry with our unique end-to-end encryption methodology (Zones 1-4) and eradicating the threat spoken of in this story...
And while you may take steps to protect yourself against identity theft, an Associated Press investigation has found the banks and other companies that handle your information are not being nearly as cautious as they could.
The government leaves it to card companies to design security rules that protect the nation’s 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst, according to the analysis of data breaches dating to 2005.
It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you’ll spend weeks straightening your mangled credit, though you can’t be held liable for unauthorized charges. Even if your transaction isn’t hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud.
More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse. Meanwhile, many others likely have been breached and didn’t detect it. Even the companies that had the payment industry’s top rating for computer security, a seal of approval known as PCI compliance, have fallen victim to huge heists.
Companies that are not compliant with the PCI standards—including one in 10 of the medium-sized and large retailers in the United States—face fines but are left free to process credit and debit card payments. Most retailers don’t have to endure security audits, but can evaluate themselves.
Credit card providers don’t appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost.
That is of little consolation to consumers who bet on the industry’s payment security and lost.
It took four months for Pamela LaMotte, 46, of Colchester, Vt., to fix the damage after two of her credit card accounts were tapped by hack-
LaMotte, who was unemployed at the time, says she had to borrow money from her mother and boyfriend to pay $500 in overdraft and late fees—which were eventually refunded—while the banks investigated.
“Maybe somebody who doesn’t live paycheck to paycheck, it wouldn’t matter to them too much, but for me it screwed me up in a major way,” she said. LaMotte says she pays more by cash and check now.
It all happened at a supermarket chain that met the PCI standards. Someone installed malicious software on Hannaford’s servers that snatched customer data while it was being sent to the banks for approval.
Since then, hackers plundered two companies that process payments and had PCI certification. Heartland Payment Systems lost card numbers, expiration dates and other data for potentially hundreds of millions of shoppers. RBS WorldPay Inc. got taken for more than 1 million Social Security numbers—a golden ticket to hackers that enables all kinds of fraud.
In the past, each credit card company had its own security rules, a system that was chaotic for stores.
In 2006, the big card brands—Visa, MasterCard, American Express, Discover and JCB International—formed the Payment Card Industry Security Standards Council and created uniform security rules for merchants.
Avivah Litan, a Gartner Inc. analyst, says retailers and payment processors have spent more than $2 billion on security upgrades to comply with PCI. And the payment industry touts the fact that 93 percent of big retailers in the U.S., and 88 percent of medium-sized ones, are compliant with the PCI rules.
Computer security experts say the PCI guidelines are superficial, including requirements that stores run antivirus software and install computer firewalls. Those steps are designed to keep hackers out and customer data in. Yet tests that simulate hacker attacks are required just once a year, and businesses can run the tests themselves.
“It’s like going to a doctor and getting your blood pressure read, and if your blood pressure’s good you get a clean bill of health,” said Tom Kellermann, a former senior member of the World Bank’s Treasury security team and now vice president of security awareness for Core Security Technologies, which audited Google’s Internet payment processing system.
“PCI compliance can cost just a couple hundred bucks,” said Jeremiah Grossman, founder of WhiteHat Security Inc., a Web security firm. “If that’s the case, all the incentives are in the wrong direction. The merchants are inclined to go with the cheapest certification they need.”
For some inspectors, the certification course takes just one weekend and ends in an open-book exam.
Security experts say there are several steps the payment industry could take to make sure customer information doesn’t leak out of networks.
Banks could scramble the data that travels over payment networks, so it would be meaningless to anyone not authorized to see it.
Another possibility: Some security professionals think the banks and credit card companies should start their own PCI inspection arms to make sure the audits are done properly. Banks say they have stepped up oversight of the inspections, doing their own checks of questionable PCI assessment jobs. But taking control of the whole process is far-fetched: nobody wants the liability.
LONDON, July PRNewswire/ -- NTT Europe Online is providing a bespoke hosting platform for a new mobile banking service, MoBank, which launches on 6th July 2009. MoBank - the brainchild of ex First Direct and Egg bankers, Steve Townend and Dominic Keen - is a brand new service that works with your existing bank account to let you buy and pay for items using your mobile phone.
At launch, consumers will be able to buy all sorts of things using MoBank, such as cinema tickets, clothes, music, books, flowers, gifts and tickets; and check the balance on their card from their phone. Soon, it will include extra convenient banking features such as money transfers, bill payments and budget trackers.
MoBank will initially be available on the iPhone, with plans to roll it out to Java, Google and Blackberry phones later in the year.
With a proven history of working with security-critical online financial services, NTT Europe Online's managed hosting platform is built to deliver maximum performance to MoBank users. With multi-tiered firewall protection, anti-virus and intrusion-prevention technology, the platform is fully compliant with the Payment Card Industry Data Security Standard (PCI DSS) to protect users' sensitive personal data. NTT Europe Online's managed hosting services also meet the ISO27001 Information Security Standard, allowing MoBank to guarantee the reliability and availability of the service.
Dominic Keen of MoBank said: "The Internet has revolutionised how we shop and manage our money. The next step is to take this to mobile phones. MoBank has been designed to make people's lives easier and save them time by providing banking services on the move.
"A secure hosting platform is extremely important. We worked closely with NTT Europe Online to provide this, ensuring it was scalable and capable of delivering high performance levels. The technical backing we receive from NTT Europe Online is critical in helping us achieve our goals."
Damien Skendrovic of NTT Europe Online comments: "We're delighted to be working with MoBank and their application shows us just how exciting and useful mobile technology can be. A service such as this has to have the right technological foundations to make it succeed. In MoBank's case, its hosting platform needs to meet the levels of security required by any financial service as well as the specific demands of mobile data applications. We're convinced that MoBank will be a huge success."
MoBank is already attracting interest: in 2008, it won a Red Herring 100 award for the best startups in the world; and it won the Oxford University Saïd Business School Venture Competition in 2008.
About NTT Europe Online
NTT Europe Online provides managed hosting, security and application management services to businesses globally. These services provide the reliability, availability, security and scalability needed to underpin business success online.
NTT Europe Online is certified to ISO27001 for Information Security Management and, as part of NTT Communications, has the global reach and scale to support businesses of all sizes. NTT Communications is the global data and IP services arm of the Fortune Global 500 telecom leader, Nippon Telegraph & Telephone Corporation (NTT). For further information visit http://www.ntteuropeonline.com
About MoBank:
MoBank - http://www.mobank.co.uk - is a new mobile banking service started by ex-First Direct and Egg bankers, Steve Townend and Dominic Keen. MoBank works with your existing bank account to let you buy and pay for stuff using your mobile phone. In 2008, it won a Red Herring 100 award for the best startups in the world; and it won the Oxford University Saïd Business School Venture Fund Competition 2008.
NationalCreditReport.com Recommends Credit Monitoring in the Event of a Breach and Reporting Online and Offline Fraud Activity
Data breach at Cornell puts 45,000 at risk of identity theft. Be sure to safeguard all credit.
Delray Beach, FL - June 25, 2009 - NationalCreditReport.com™ (the "Company"), a leading provider of free credit reports and credit monitoring services, recommends that all consumers, especially those whose identities have been compromised in a data breach, utilize a credit monitoring service to help protect themselves from identity theft. Also, the Company highly recommends reporting any offline and online fraud activity.
Earlier this week, Cornell University announced that more than 45,000 people associated with the university had their names and Social Security numbers exposed after a laptop was stolen. Cornell has said it will provide credit monitoring and other identity theft protection services to those involved.
Credit monitoring is an automated service that reduces the threat of identity theft by updating consumers of changes and inquiries made to their credit files.
NationalCreditReport.com's Safeguard Credit™ monitoring alerts the subscriber within 24 hours of any major changes made to their credit file, and does not affect the subscriber's credit or credit score.
"The computer theft at Cornell demonstrates the vulnerability of consumers' information and the need for protective services such as credit monitoring, especially in the event of a breach," said Allison Tomek, NationalCreditReport.com's Vice President of Investor Relations and Corporate Communications. "Our Safeguard Credit service sends email alerts when potentially fraudulent items, or any significant changes, are made to a credit report, like the opening of a fraudulent credit card. Our identity security services, which encompass credit monitoring, help give consumers peace of mind."
About NationalCreditReport.com: Since 2004, NationalCreditReport.com has specialized in providing identity theft protection services, which encompass credit monitoring and credit reporting, to help protect consumers from identity theft. The Company encourages consumers to utilize its credit monitoring service, especially in the event of a data breach and encourages the reporting of any fraud activity online and offline.