Sunday, August 30, 2009

HomeATM: "Inevitably For Our Own Good"

Here's an excerpt from an article written by Rhodi Mardsen which unequivocally states the reality of what it takes to secure online banking and credit/debit card transactions conducted online. It's the ~~economy~~ typing stupid! Don't Type: Swipe!

HomeATM encrypts the card details so that hackers only find "random gobblygook" and manufactures the "only device" designed for eCommerce to be PCI 2.x Certified. We did it because "it's for your own good." The shift towards everyone using a HomeATM to conduct secure transactions and online banking continues...

There is a worldwide standard (the PCI-DSS) that any companies dealing with cardholder information are obliged to sign up to, but many security experts have pointed out that it's possible to tick all the PCI's boxes and still be insecure. The offence allegedly committed by Gonzalez is as vivid an illustration of that as one can imagine.

For once, this lapse in online security has nothing to do with us, the general public. We're guilty of all manner of stupidity when it comes to our personal financial security – writing down PIN numbers on Post-it notes, using the word "password" as our password (or typing "anything" into online banking sites or merchant checkout) just because we are "instructed to.") – but in this case there's nothing we could have done, save for withdrawing entirely from the 21st century and using cash instead.

So what should these companies be doing to protect us? Graham Cluley, (sounds like he has one...Clu that is) from internet security firm Sophos, has expressed his disbelief that our card details aren't encrypted when they're stored, so that hackers just find random gobbledygook. "If they were properly encrypted," he says, "it would take until the sun burns out for anyone to decode it."

Editor's Note: HomeATM believes that they shouldn't even be stored. This is why HomeATM instantaneously encrypts the card details (including the Track2 data). By doing so the Internet Retailers (IR) never store it, in fact never even handle it. This provides three distinct benefits. 1. It keeps the data safe, 2. instantaneously places the IR within the realm of PCI compliance and 3. protects the IR from significant fines which would be levied against them by V/MC in the event of a breach. Those are three pretty significant benefits...but first, we have to eliminate typing.

But it's not just the companies storing our details that need to shape up. The 130 million stolen credit card numbers would be of no use to anyone if they couldn't be used to buy stuff. Any masterminds wouldn't have been the ones picking a card number and using it to buy soft furnishings on eBay; they'd sell the numbers on to other criminals in blocks of a few thousand. But eventually, someone would pretend to be you and use your money, because it's still disconcertingly easy to do.

Online shopping is a click-happy cinch, but with that convenience comes risk; if you can tap out your 16-digit number, expiry date and a supposed "secret" three-digit number on the back of your card to book a flight to the South of France, so can anyone else.

"We may balk at the idea of carrying around an additional device (of the kind Barclays customers now have to use for online banking) to enter our PIN every time we make a credit card purchase online, but when these kind of measures are inevitably introduced, we'll have to grin and bear it. It's for our own good, after all.

As for the likes of Alberto Gonzalez, they're talented individuals capable of writing sophisticated software that can detect weaknesses in even the strongest computer defences. Indeed, such characters frequently find themselves with job offers in the industry following their release from prison. But after a 35-year stretch, technology is likely to have marched on a bit too far for anyone to catch up. Marched on so far, one would hope, that our money would finally be safe from marauding cybercriminals. Fingers crossed.

^{Source: Independent}

You Say You Want an Evolution?

Fraud Schemes Evolving Payments Instruments

While some of the latest schemes borrow from scams
past, today’s fraud schemes are as sophisticated as banks’ most
advanced payments systems. And stopping them is still a challenge.

By
Maria Bruno-Britz - Bank Tech

Evolving Fraud Schemes Keep Pressure on Evolving Payments Instruments

Retail Payments Risk Forum Collaborates to Fight Payments Fraud

The SEPA Direct Debit Scheme and the Payment Services Directive Pose Challenges and Opportunities

Name a payment method and there is probably some scheme to defraud it.

Since the Chinese introduced paper money,
banks have been concerned about fraud. More than a thousand years
later, payments fraud continues to haunt banks, consumers and
businesses.

"Fraud is still rampant," comments Paul Sussman, VP with First
Manhattan Consulting in New York. "The majority of businesses over $1
million in revenue are going to be exposed to payment fraud, and almost
every bank is being hit by fraud today.

From simple "Dumpster diving" to organized crime rings that rely
on complex computer programming, fraud scams grow in sophistication to
match the evolution of payment forms. "Fraud trends continue to
evolve," notes Douglas Twining, director of fraud services for
Cleveland-based KeyBank ($99 billion in assets)....

click box to continue reading this or other articles...

Saturday, August 29, 2009

FDIC: Online Banking Flawed

Online crime is increasingly hitting small and mid-size companies in the U.S., draining those entities' bank accounts through fraudulent transfers. The problem has gotten so bad that a financial services group recently sent out a warning about the trend, and the Federal Deposit Insurance Corporation (FDIC) issued an alert today.

"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," says a bulletin sent on Aug. 21 to member financial institutions by the Financial Services Information Sharing and Analysis Center, (FS-ISAC). The FS-ISAC is part of the government-private industry umbrella working with the Department of Homeland Security and Treasury Department to share information about critical threats to the country's infrastructure. The member-only alert described the problem and told its members to implement many of the precautions and monitoring currently used to detect consumer bank and credit card fraud.

The FS-ISAC notice -- and subsequent media attention -- in turn prompted the FDIC alert to warn banking institutions about this kind of fraud. The Threat

The FDIC traces the fraud to compromised login credentials on online banking websites. Over the past year, the FDIC says, it has detected an increase in the number of reports and the amount of losses resulting from unauthorized electronic fund transfers (EFTs), such as automated clearing house (ACH) and wire transfers.

Continue Reading at Bank Info Security

Special Alert from the FDIC: (whom I think needs to learn more about our 2FA 3DES DUKPT E2EE PCI 2.x HomeATM)

Special Alerts

SA-147-2009

August 26, 2009

TO:	CHIEF EXECUTIVE OFFICER
SUBJECT:	Fraudulent Electronic Funds Transfers (EFTs)
Summary:	The Federal Deposit Insurance Corporation is aware of an increased number of fraudulent EFT transactions resulting from compromised login credentials.

The
Federal Deposit Insurance Corporation (FDIC) is alerting financial
institutions that provide Web-based payment origination services for
business customers to increased reports of fraudulent EFT transactions
resulting from compromised login credentials. Over the past year, the
FDIC has detected an increase in the number of reports and the amount
of losses resulting from unauthorized EFTs, such as automated clearing
house (ACH) and wire transfers. In most of these cases, the fraudulent
transfers were made from business customers whose online business
banking software credentials were compromised.

Web-based
commercial EFT origination applications are being targeted by malicious
software, including Trojan horse programs, key loggers and other
spoofing techniques, designed to circumvent online authentication
methods. Illicitly obtained credentials can be used to initiate
fraudulent ACH transactions and wire transfers, and take over
commercial accounts.

These types of malicious code, or "crimeware," can
infect business customers' computers when the customer is visiting a
Web site or opening an e-mail attachment.

Some types of crimeware are
difficult to detect because of how they are installed and because they
can lie dormant until the targeted online banking session login is
initiated. These attacks could result in monetary losses to financial
institutions and their business customers if not detected quickly.

Financial
institutions and technology service providers can refer to the
following guidance for additional information on authentication and
information security for high-risk transactions:

FFIEC Guidance Authentication in an Internet Banking Environment

Authentication in an Internet Banking Environment Frequently Asked Questions

FFIEC Information Security Examination Handbook - PDF 866k (PDF Help)

FFIEC Retail Payment Systems Examination Handbook

and

FDIC Guidance on Mitigating Risks from Spyware

Consumers who want to learn more about computer security and online scams can find additional information at http://www.fdic.gov/consumers/consumer/guard/index.html and http://www.onguardonline.gov/topics/overview.aspx.

Businesses and local government agencies can find cyber security resources at http://www.us-cert.gov/.

Information
about cyber-fraud incidents and other fraudulent activity may be
forwarded to the FDIC's Cyber-Fraud and Financial Crimes Section, 550
17th Street, N.W., Room F-4004, Washington, D.C. 20429, or transmitted
electronically to alert@fdic.gov.
Questions related to federal deposit insurance or consumer issues
should be submitted to the FDIC using an online form that can be
accessed at http://www2.fdic.gov/starsmail/index.asp.

For your reference, FDIC Special Alerts may be accessed from the FDIC's website at www.fdic.gov/news/news/SpecialAlert/2009/index.html. To learn how to automatically receive FDIC Special Alerts through e-mail, please visit www.fdic.gov/about/subscriptions/index.html.

Online Banking Insecure...Only 1 Bank Rated Excellent

Online Banking's Innate Security Flaws

Consumer rights organization Which? has criticized the online banking systems of some of Britain's biggest lenders, labelling them insecure in a new report released today.

Abbey and Halifax were singled out as particularly poor. Halifax has one of the least secure log-in procedures of the ten online
banks we looked at. It asks for three pieces of information to confirm
a customer’s identity.

"As each entry is typed in full, this makes the
information vulnerable" to a simple keylogger, a virus that sits on a
computer and tracks every keystroke with the aim of collecting
passwords.

The same two banks, along with HSBC and First Direct, were also found to have no visible security controls for money transfers. Which? Computing also found significant differences in how well money transfers appear to be protected. Abbey, First Direct,
Halifax and HSBC have no visible security controls for money transfers,
so if a banking session is hijacked, a criminal can enter the amount
they want to.

Which? also found that users of Abbey, Alliance & Leicester, HSBC and Halifax are not immediately logged out after a session, leaving them vulnerable if they use online banking on a shared computer. Alliance & Leicester and HSBC were rated as 'average', while First Direct, Lloyds TSB, Nationwide, NatWest and RBS were given a 'good' rating.

Barclays was the only one of the 10 banks surveyed to get a rating of 'excellent'. The company requires all its online customers to use a "two-factor authentication" (2FA) system involving a PINsentry device which generates a one-time password for each session.

Tony Dyhouse, director of the government-backed Cyber Security Knowledge Transfer Network, said that banks face a difficult challenge in trying to balance security with convenience.

Editor's Note: PINSentry is a great device for 2FA log-in, but keep in mind it's ONLY function is as an authenticator. By contrast, HomeATM utilizes 2FA for log-in, but it also enables consumers to conduct financial transactions (including money transfers) in real-time with 100% 2FA 3DES DUKKPT End-to-End (Zone 1-5) Encryption.

Which? would you rater have at your bank?

41% of Americans Say No to Online Banking Citing Security Fears15 Jun 2009 by jfrank@homeatm.net (John B. Frank)

"Compared with younger consumers, preboomers, who are 63 or older, are more explicit in their reasons for not using online banking - they are comfortable with other channels, such as the branch, and they are worried about the security ...
HomeATM - http://pindebit.blogspot.com/

Friday, August 28, 2009

Debit Gets a Boost

Financially strapped boost payment alternatives

Debit cards are fast becoming the payment instrument of choice for U.S. consumers. According to Visa Inc., the value of purchases made using Visa-branded debit cards in 2008 surpassed dollars spent using Visa credit cards for the first time. For many consumers who have made the switch, there may be no turning back.

Read entire story

Bank Info Security Reviews Financial Institution Breaches

A Review of the Types and Trends of Data Breaches Involving Financial Institutions

August 28, 2009 - Linda McGlasson, Managing Editor

There have been 356 data breaches so far in 2009, according to the Identity Theft Resource Center (ITRC). And 46 of those breaches have involved financial institutions - up from 34 at this same time last year.

In reviewing these 46 incidents (see interactive timeline w/details of each breach), one finds goods news and bad, according to ITRC executive director Linda Foley.

The good news, Foley says, is that, based on percentages,
financial institutions consistently have lower percentages of data
breaches than other organizations. "This means they're doing a better
job of controlling and protecting their data," she says.

The bad news is when financial institutions - or their
third-party service providers -- are breached ... it's big. Example:
the Heartland Payment Systems
breach, which resulted in the compromise of 130 million credit and
debit cards. Financial data -- bank account numbers, social security
numbers, and other personal identifying information - is invaluable to
hackers, and its loss is costly to consumers.

Continue Reading at Bank Info Security

Moneta Raises $4 Million...to Combat PayPal

Atlanta-based startup Moneta raises $4M, to combat Paypal

ATLANTA - Moneta, a startup that says it will challenge PayPal for online payment services, has closed on $4 million in venture funding.

The Atlanta Business Chronicle reported the funding on Friday. One of Moneta’s partners is Delta Airlines.

In 2007, Moneta purchased the retail payments product from CheckFree. The system transfers money directly from the buyer’s checking account to participating merchants with lower fees than those required by charge cards.

CheckFree had offered the program for more than two years. Financial terms were not disclosed. The deal includes all customer accounts for the service. CheckFree also will provide Moneta with payment processing services.

Voltage Security Bolts to Record Setting First Half

Voltage Security Finishes Record-Setting First Half Highlighted by Diversified End-to-End Data Protection Solutions

Total contract value of deals in the first half grows by over 70%

Palo Alto, California–August 25, 2009–Voltage Security, Inc., (www.voltage.com), the global leader in end-to-end data protection, today announced another record finish to the first half of their fiscal year ended July 31, 2009. The period ended with the highest revenue quarter in the company’s history, a 35% growth over the same period last year. In addition, the company was cash flow positive from operations and profitable for the quarter. Total contract value of deals in the first half grew by over 70%.

The company also announced a 34% increase in total customer count over the past 12 months to reach more than 780 enterprise customers and more than 3,000,000 total licensed users. During the period, several seven figure deals were closed including the largest in the company’s history.

“Our recent success, especially noteworthy given the tough economic climate, reflects three major benefits of our end-to-end data protection approach: we offer a diverse and complete product set that is well aligned to large enterprise environments, provide products that scale the most cost efficiently, and offer customers the most rapidly deployable solutions in the market,” said Sathvik Krishnamurthy, president and CEO of Voltage Security. “We are finding enterprise customers want a holistic approach for data protection versus a piecemeal or point-to-point approach. Ultimately cost efficiencies are strongest when all of the moving parts are designed to work together.”

Growth Driven by Diversified Product Portfolio

Large enterprise customers are increasingly turning to Voltage to solve their corporate-wide encryption needs which center around securing sensitive and confidential employee and customer data inside applications, databases, emails, files and documents.

Milestones included:

One of the world’s largest telecommunications companies,
a Fortune 50 company, licensed the entire product suite including
Voltage SecureMail™ and Voltage SecureData™ for enterprise-wide
deployment, enabling hundreds of thousands of employees and business
partners to send and receive secure email, and protecting private
customer data in thousands of applications throughout the organization.

Heartland Payment Systems,
a leading payment processor, selected Voltage Security as a partner to
develop end-to-end encryption specifically suited to payments
processing. Heartland also licensed Voltage SecureMail™ and Voltage
SecureFile™ to protect personal information throughout its corporate
and extended business network. Click here for more information.

Wells Fargo & Company,
one of the nation’s largest banks, announced it had selected and
deployed Voltage SecureMail™ to secure email between Wells Fargo team
members, customers vendors and extended business partners. Click here for more information

Early Vision Being Realized

Adding to the popularity of Voltage end-to-end data protection solutions is the ease provided by the underlying key management architecture.

“We’ve always understood that the way to make encryption work for large-scale deployments is through simplified key management,” continued Krishnamurthy. “Now, we are seeing our vision reach a tipping point where enterprises have an urgent need to comprehensively protect information, and we offer them a complete family of easy to deploy, scalable, cost-efficient and powerful solutions.”

The flagship Voltage SecureMail™, powered by Voltage Identity-Based Encryption™ (IBE), is consistently selected for the largest enterprise-wide implementations in corporate America with typical deployments in the 50,000 to 500,000 employee range. Voltage SecureData™, by reducing audit scope and ongoing operational cost, is experiencing a rapid increase in demand and quickly establishing itself as the preferred solution for end-to-end encryption and stateless tokenization.

Enterprise Customers Representing a Wide-Variety of Industries

A wide-variety of enterprise customers are increasingly turning to Voltage to protect information throughout their organizations and beyond. A selection of new customers includes:

Fortune 100 global payments and travel company

Fortune 100 provider of property and casualty insurance for auto, home and business

Fortune 200 global media and entertainment company

Fortune 500 provider of financial services to institutional investors

Voltage Standardization Initiatives Continue

Voltage continues to participate in a number of industry standardization initiatives including:

NIST
(National Institute of Standards and Technology) is reviewing Feistel
Finite Set Encryption Mode (FFSEM), designed to encrypt smaller blocks
of data in a manner that preserves the format of data – see the
Computer Security Division annual report

PCI
Security Standards Council – Voltage is a participating organization
and is a strong advocate of end-to-end encryption and tokenization
technologies as effective mechanisms for the reduction of audit scope

IEEE–
Voltage is involved in developing the P1619.3 key management protocol
and the P1363.3 pairing-based public key cryptography standard

ASC X9 – Voltage is participating in the F1, F4 and F6 efforts to protect payment data

IETF
– Voltage-contributed RFCs 5048, 5049 and 509 which cover open
standards for Identity-Based Encryption and have now been approved.

Most
recently, Voltage was one of the few security vendors that participated
in the National Cyber Leap Year Summit. This invitation-only event was
organized by the White House Office of Science and Technology Policy
and the Federal Networking and Information Technology Research and
Development Program, and was designed to provide expert advice to the
government on the best ways to address today's most pressing
cyber-security problems.

About Voltage Security

Voltage Security, Inc., an enterprise security company, is an encryption innovator and global leader in end-to-end data protection. Voltage solutions, based on next generation cryptography, provide end-to-end encryption, tokenization and stateless key management for protecting valuable, regulated and sensitive information based on policy. Voltage products enable reduction in audit scope with rapid implementation and the lowest total cost of ownership in the industry through the use of award-winning cryptographic solutions, including Voltage Identity-Based Encryption™ (IBE) and a new breakthrough innovation: Format-Preserving Encryption™ (FPE). Offerings include Voltage SecureMail™, Voltage SecureData™, Voltage SecureFile™ and the Voltage Security Network™ (VSN), an on-demand managed service for the extended business network.

As a service to the industry and general public, the company maintains the Voltage Data Breach Index and Map which is continuously updated with global data breach information: www.voltage.com/data-breach . The Company has been issued several patents based upon breakthrough research in mathematics and cryptographic systems. Customers include Global 1000 companies in banking, retail, insurance, energy, healthcare and government. To learn more about Voltage customers and sign up for the customer news letter please visit www.voltage.com/customers.

###

Attack of the Tweets: Major Twitter Flaw Exposed

U.K. researcher says vulnerability in Twitter API lets an attacker take over a victim's account -- with a tweet

By Kelly Jackson Higgins - arkReading

A newly exposed cross-site scripting (XSS) vulnerability in Twitter
lets an attacker wrest control of a victim's account merely by sending
him or her a tweet.

U.K. researcher James Slater reported the serious flaw earlier this
week, and now says Twitter's fix in response to his disclosure doesn't
actually fix the problem. "It seems they've made a pretty amateurish
attempt to fix the issue, completely missing the massive problem
staring them in the face," Slater said in his blog.

The attack basically exploits an input validation weakness in a field
of the form used for adding third-party Twitter clients, such as
TweetDeck and Twitterific. The form doesn't fully vet what can go in
that box, Slater said, so an attacker can put JavaScript tags there as
well as raw HTML code, for instance. "Whatever I type in that box will
appear at the end of my tweets," he blogged in a follow-up post. "Anyone who sees that tweet will then be viewing that code."

Continue "Dark Reading"

Thursday, August 27, 2009

IBM: Unprecedented State of Web Insecurity - No Such Thing as Safe Browsing

IBM's X-Force Trend and Risk Report has "officially" verified what the HomeATM Blog has been messaging for the last 16 months, which is basically that if you are going to conduct a financial transaction, it must be done outside the browser space...because browsers are unsafe. You may had seen yesterday's post concerning the Top 11 eCommerce Paradigm Shifters which put HomeATM in Gear. Combined with today's release of their X-Force Report, you gotta like HomeATM's approach to securing online transactions as we are the only company who does it "outside" the browser space. (using our simple 2FA 3DES DUKPT E2EE. :-)

The IBM
X-Force Trend and Risk Report is produced twice per year: once at
mid-year and once at year-end. This report provides statistical
information about all aspects of threats that affect web security,
including software vulnerabilities and public exploitation, malware,
spam, phishing, web-based threats, and general cyber criminal activity.

They are intended to help customers, fellow researchers, and the public
at large understand the changing nature of the threat landscape and
what might be done to mitigate it...like swipe vs. type!

The report also reveals what it describes as “an unprecedented state of Web insecurity" as Web client, server, and content threats converge to create an untenable risk landscape.”

IBM’s researchers have clocked a 508% increase in the number of new malicious Web links and a level of veiled Web exploits, especially in PDF files, which is now running at an all time high.

The X-Force report notes an increase in the presence of malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal Web sites, online magazines and mainstream news sites. PDF vulnerabilities disclosed in the first half of 2009 apparently surpassed disclosures from all of 2008.

“No one is to be trusted,” said X-Force Director Kris Lamb. “There is no such thing as safe browsing. We’ve reached a tipping point where every web site should be viewed as suspicious and every user is at risk.”

Editor's Note: Sound like a familiar rant? I'm coming from help when I say: "Don't Type...Swipe!" Want to register to read the report? Here's the Link (PDF) Also...here's IBM"s Press Release:

ARMONK, N.Y.

-

26 Aug 2009:

IBM (NYSE: IBM
) today released results from its X-Force 2009 Mid-Year Trend and Risk
Report. The report's findings show an unprecedented state of Web
insecurity as Web client, server, and content threats converge to
create an untenable risk landscape.

According
to the report, there has been a 508 percent increase in the number of
new malicious Web links discovered in the first half of 2009. This
problem is no longer limited to malicious domains or untrusted Web
sites. The X-Force report notes an increase in the presence of
malicious content on trusted sites, including popular search engines,
blogs, bulletin boards, personal Web sites, online magazines and
mainstream news sites. The ability to gain access and manipulate data
remains the primary consequence of vulnerability exploitations.

The X-Force report also reveals that the level of veiled Web
exploits, especially PDF files, are at an all time high, pointing to
increased sophistication of attackers. PDF vulnerabilities disclosed in
the first half of 2009 surpassed disclosures from all of 2008. From Q1
to Q2 alone, the amount of suspicious, obfuscated or concealed content
monitored by the IBM ISS Managed Security Services team nearly doubled.

"The trends highlighted by the report seem to indicate that the
web has finally taken on the characteristics of the Wild West
where no one is to be trusted," said X-Force Director Kris Lamb. "There
is no such thing as safe browsing today and it is no longer the case
that only the red light district sites are responsible for malware.

We've reached a tipping point where every Web site should be viewed as
suspicious and every user is at risk. The threat convergence of the Web
ecosystem is creating a perfect storm of criminal activity."

Web security is no longer just a browser or client-side issue;
criminals are leveraging insecure Web applications to target the users
of legitimate Web sites. The X-Force report found a significant rise in
Web application attacks with the intent to steal and manipulate data
and take command and control of infected computers. For example, SQL
injection attacks - attacks where criminals inject malicious code into
legitimate Web sites, usually for the purpose of infecting visitors -
rose 50 percent from Q4 2008 to Q1 2009 and then nearly doubled from Q1
to Q2.

"Two of the major themes for the first half of 2009 are the increase
in sites hosting malware and the doubling of obfuscated Web attacks,"
Lamb said. "The trends seem to reveal a fundamental security weakness
in the Web ecosystem where interoperability between browsers, plugins,
content and server applications dramatically increase the complexity
and risk. Criminals are taking advantage of the fact that there is no
such thing as a safe browsing environment and are leveraging insecure
Web applications to target legitimate Web site users."

The 2009 Midyear X-Force report also finds that:

Vulnerabilities have reached a plateau. There
were 3,240 new vulnerabilities discovered in the first half of 2009, an
eight percent decrease over the first half of 2008. The rate of
vulnerability disclosures in the past few years appears to have reached
a high plateau. In 2007, the vulnerability count dropped for the first
time, but then in 2008 there was a new record high. The annual
disclosure rate appears to be fluctuating between six and seven
thousand new disclosures each year.

PDF vulnerabilities have increased. Portable
Document Format (PDF) vulnerabilities disclosed in the first half of
2009 already surpassed disclosures from all of 2008.

Trojans account for more than half of all new malware.
Continuing the recent trend, in the first half of 2009, Trojans
comprised 55 percent of all new malware, a nine percent increase over
the first half of 2008. Information-stealing Trojans are the most
prevalent malware category.

Phishing has decreased dramatically. Analysts
believe that banking Trojans are taking the place of phishing attacks
geared toward financial targets. In the first half of 2009, 66 percent
of phishing was targeted at the financial industry, down from 90
percent in 2008. Online payment targets make up 31 percent of the share.

URL spam is still number one, but image-based spam is making a comeback.
After nearing extinction in 2008, image-based spam made a comeback in
the first half of 2009, yet it still makes up less than 10 percent of
all spam.

Nearly half of all vulnerabilities remain unpatched.
Similar to the end of 2008, nearly half (49 percent) of all
vulnerabilities disclosed in the first half of 2009 had no
vendor-supplied patch at the end of the period.

Translation: Do Not Type...Swipe!

The X-Force research team has been cataloguing, analyzing and
researching vulnerability disclosures since 1997. With more than 43,000
security vulnerabilities catalogued, it has the largest vulnerability
database in the world. This unique database helps X-Force researchers
to understand the dynamics that make up vulnerability discovery and
disclosure.

IBM is one of the world's leading providers of risk and security
solutions. Clients around the world partner with IBM to help reduce the
complexities of security and strategically manage risk. IBM's
experience and range of risk and security solutions -- from dedicated
research, software, hardware, services and global Business Partner
value -- are unsurpassed, helping clients secure business operations
and implement company-wide, integrated risk management programs.

For more security trends and predictions from IBM, including graphical representations of security statistics, download the 2009 IBM X-Force Mid-Year Trend and Risk Report today.

About IBM

For more information about IBM, visit www.ibm.com...nuff said.

Survey Says! 8 Million Brits Share PIN Numbers

Eight million Brits share PIN numbers - survey

Finextra: Over eight million Brits have handed over their Chip and PIN details to someone else in the last year, with a quarter of these falling victim to fraud, according to a survey for insurance firm LV=.

An online poll of 3002 people shows 20% have given out their card and PIN number - 85% of these in the past year - to someone else to make a purchase on their behalf or get money from a cash machine.

By far the worst offenders are younger people with over one in three of the under 35s admitting they have asked someone else to use one of their cards. The most common location for 'borrowed' cards to be used is at a cash machine.

Continue Reading at Finextra

Canadian Think Tank: Credit Card Companies Should be Federally Regulated

Canada urged to expand financial regulatory powers | Markets | Markets News | Reuters

"Credit card companies should be federally regulated"

OTTAWA, Aug 26 (Reuters) - Canada's banking regulator should license and approve all financial instruments available to investors in the country, even if they originate in the United States, a new report recommended on Wednesday.

The report by two economists at the Canadian Centre for Policy Alternatives, a left-leaning think tank, also urged the rapid creation of a single securities regulator in Canada to make sure officials can properly monitor markets and detect risky behavior or excesses before they get out of control.

A single financial markets watchdog, replacing the 13 regional regulators now in place, is a key ambition of Finance Minister Jim Flaherty and would bring under federal jurisdiction the "shadow" banking sector. That unregulated sector once accounted for nearly half of all Canadian borrowing and includes non-bank lenders as well as hedge funds and securitized debt vehicles.

Continue Reading at Reuters

Canadian Centre for Policy Alternatives, Jim Flaherty

VisaNet, Redecard Shares Fall on Brazil Competition Concern

Aug. 26 (Bloomberg) -- Redecard SA and Cia. Brasileira de Meios de Pagamento, Brazil’s biggest debit- and credit-card payment processing companies, fell the most in at least two weeks after a newspaper reported the companies may face increased competition from state-controlled lenders.

Redecard, the processor of Mastercard Inc. payments, lost 1.7 percent to 26.25 reais in Sao Paulo trading for the biggest decline since Aug. 12. VisaNet, as the processor of Visa Inc. payments is known, slid 3.3 percent, the most since Aug. 6, to 16.81 reais.

Federally controlled banks Banco do Brasil SA and Caixa Economica Federal will “soon” start offering credit cards under their own brand as part of a government effort to increase competition, Brasilia-based Correio Braziliense newspaper reported today without saying where it obtained the information.

“The report adds to concern that these companies will face more competition in the future,” said Mariana Taddeo, an analyst with Link Investimentos in Sao Paulo.

Continue Reading

Redecard, VisaNet, Brasil, Brazil, Reais, Banco do Brasil, Caixa Economica Federal

Wednesday, August 26, 2009

Top 11 eCommerce Paradigm Shifters Put HomeATM in Gear

I read an article at Internet Retailer.com and it got me
going as to why I believe it's a great time to be the only company in the world
with a PCI 2.x certified PIN Entry Device!
Here's an excerpt, followed by my Top 11 List...

The web accounts
for a bigger slice of the sales pie at Gap

The web outgrew total
revenue and store sales for Gap Inc. in the second quarter. But the most
telling statistic in Q2 about the overall importance of e-commerce to Gap is the
fact that the Internet now accounts for a significantly larger share of total
sales than it did just one year ago.

In the quarter ended Aug. 1,

Gap, No. 25 in the Internet Retailer Top 500 Guide,
reported:

Web sales are up
17.3% from $224
million to $191 million in the second quarter of 2008.

Comparable-store sales decreased 8%.

The web’s percentage of total
sales for Gap is 25% larger than one year ago

Net income declined 0.4% to $228 million from $229 million.

“Building upon two years of work
improving our economic model, we’re now putting further emphasis on changing the
trajectory of our top line performance,” says Gap CEO Glenn Murphy.

For the first half
of the year:

E-commerce revenue increased
15% to $491 million from $427 million.

Total sales declined 7.4% to $6.37
billion from $6.88 billion.

The web’s percentage of total
sales for Gap is 24% larger than one year ago.

Net income declined 7.3% to $443 million from $478 million.

Okay...that is what instigated this post. There have
certainly been some interesting developments over the course of the last two
years. Let's take a look at my "Top 11 List" as it relates to an eCommerce
payments platform:

Debit
has surpassed credit in both the number of transactions and volume.

PIN Debit is the preferred of the two debits, online
and offline. (PIN and Signature)

The "GAP" between eCommerce and Bricks and Mortar is
lessening.

Consumers have the fear of god, (I guess I shouldn't
give hackers that much credit) instilled in them to the degree that over half
have serious reservations and one-third won't even risk shopping online .

Brick and Mortar merchants are clamoring for lower Interchange Fees,

PCI "certification" and "compliance" are at top of
the news forefront,

End-to-End Encryption, a term not heard prior to the
Heartland Breach, is fast becoming a buzzword...

Phishing, Keylogging and Malware are at an all-time high

"Card NOT Present" Fraud is at an all-time high ...AND GROWING

Recent reports state that no website is
safe...and, number 11:

Banks are "worried" for the first
time. (The Password is "2FA E2EE Security")

So when you add it all up what does this all mean?
It means that the Paradigm Shift...feel free to call it the "perfect
storm"...has begun to brew and gain momentum.

Why not make "everybody" happy and solve all 11 problems at once. The main culprit of CNP Fraud is the Web Browser. So why not eliminate the CNP environment by eliminating typing and mandating swiping just as they do in the brick and mortar world?

Therefore, now is a really
good time to offer the world the "only" PCI 2.x end-to-end 3DES DUKPT encrypted Pin
Entry Device in two hemispheres. By the way, our device, it could be argued,
removes Internet Retailers from the scope of PCI
Compliance because the data is neither stored nor handled when the card is
swiped.

It's also beneficial for
HomeATM to own a globally patented PIN Debit platform which not only lowers risk
and virtually eliminates chargebacks but is preferred by both merchants and
consumers alike.

Imagine the demand if that very same platform were to significantly
lower Internet Retailers Interchange Fees...especially if
the cost of the device was so inconsequential that it provided a return on
investment as quickly as the first transaction.

I would be great if that
same platform eliminated the threat of phishing, cloned cards, cloned bank
websites, DNS Hijacking and to a large extent malware. (what would the malware
steal if there wasn't any card holder/financial information data?)

Having removed those threats, I guess the only "threat" to HomeATM's
solution is...the dreaded Software PIN debit :-) I still don't quite
understand, especially in light of the recent exposes' on inherent weaknesses within the browser space, how software PIN debit has
gained the momentum it has, but I will say that Acculynk has done a wonderful
job marketing their solution. (In fairness to HomeATM, they have a lot less
pushback as they don't have to move molecules. (hardware) Then again, I don't
consider that to be an encumbrance...I consider hardware to be an advantage.

For the sake of argument, let's give the software approach the benefit
of the doubt. Let's assume that hackers are too dumbfounded by mouse clicking
technology to figure out how to crack a floating PIN Pad, they aren't handicapped when it comes to stealing credit and debit card numbers...

In my humble opinion, the problem (SNAFU) with software
PIN Debit is that in order for
it to work, consumers must still "type" their Primary Account Number (PAN) into
a box on a merchant checkout and...I think that
hackers have already
proved beyond a shadow of a doubt that they can easily hack the PAN.

The only way to prevent
that from happening is for people stop typing. So the obvious question is: If
typing is eliminated...thus the required first step for a software PIN debit
application is eliminated as well... what initiates the popup...oops,
floating...PIN Pad at the checkout on a merchants website? Hmmmm.....

Let us assume the elimination of typing "isn't in the
stars" (contrary to the picture I have envisioned in my mind and pictured
on the right) for another couple years. That would mean that Internet Retailers
would have to choose between a software and a hardware approach to Internet PIN
Debit.

Aside from the aforementioned fact that hackers have proven they
can steal credit and debit card numbers at their whim, why do I believe that
HomeATM has the advantage?

One "very big" reason is that we provide the PCI
compliance by removing the merchant from the scope of said compliance. That
fact alone would save Internet Retailers not only a pocketbook of cash, but
eliminate more headaches than 10 cases of Excedrin.

More importantly,
the fact that Internet Merchants would be PCI compliant would potentially save
their business from an involuntary insolvency caused by exorbitant fines levied
by MasterCard or Visa in the event of a non-compliance breach.

Considering that 85% of businesses suffered a breach in the last 12
months (see 2009 Ponemon Report) that
possibility poses a real threat.

Another HomeATM advantage is there is
no arguing the fact that our transaction methodology is immensely more secure.
In fact "security" is why we have the only PCI 2.x Certified PED specifically
designed for eCommerce. (in the world)

But, maybe our biggest
advantage is that when you "swipe" the magnetic stripe, the Track2 data is
captured...which is a requisite for a Card Present environment.

HomeATM
takes it one-step further and immediately encrypts the Track2 data providing
another layer of security. (the fact that our PED does that is now referred to
as an "encryption enabled" Point of Sale Device)

HomeATM Worst Case Scenario - "Card Present" Internet PIN
Debit

In my humble opinion, the
"worst" case scenario, is that we
create a Card Present "Internet" PIN
Debit" environment. (although I would argue that we 100% replicate a brick and
mortar PIN Debit transaction...for instance, one conducted at the Gas Pump, or
at a Kiosk.) But we would encourage MasterCard or Visa
to create a Win (V/MC) Win (Internet Retailers) Win (consumers) "Card Present Internet PIN Debit"
classification for Interchange. Card Not Present Fraud has reached epic levels and shows no signs of letting up.

Software's Best
Case Scenario: "Card NOT Present" Internet PIN Debit

On the other hand, Internet Retailers who
decide to risk offering a "type and click" format, which does not capture
the Track2 data could only hope for a "best case scenario" classification of "Card
Not Present" Internet PIN Debit. By definition, (Visa and MasterCard's) if the
magnetic stripe data is never captured, then it creates a "Card Not Present"
environment, thus transaction.

The fact that "CNP Fraud is at it's
all-time high and is expected to continue to grow" bodes well for a Card Present
Solution. But, nevermind that...Simply ask "anyone" in the brick and
mortar space if they prefer "card present" Interchange over "card not present"
Interchange and you'll learn why HomeATM has a distinct advantage over a
software, CNP solution. We replicate a brick and mortar PIN
Debit transaction whereas "software PIN debit" does not exist. (anywhere in the
payments ecosystem). We are simply taking a "conventional approach" to
securing card holder data for web transactions. Software PIN debit is just
another "alternative payment" system.

Oh...last point. HomeATM is EMV
(Smart Card/Chip and PIN) ready. There's no such thing as a software Chip and
PIN. Then again, I guess I could argue that there's no such thing as a software
PIN Debit solution either as both require swiping vs. typing. Add to that fact that our device would also provide secure 2FA 3DES DUKPT E2EE secure online banking log-in and there's a value-added component to the mass distribution of our devices. Especially considering the inherent flaws in online banking authentication. (see related story below)

SQL Injection (SQLi) Attacks Spread to 84,000 Website (and Counting)

SQL Injection attack still spreading - 84000 and counting

by Steve Ragan - Aug 26 2009, 21:10

The automated SQL Injection (SQLi) attacks that gained attention late
last week are spreading, and according to the researchers that
discovered the attack, they are related to similar SQLi attacks in
China. ScanSafe, who discovered the attacks, thinks these attacks may
be regionally targeted.

The original report from ScanSafe looked only at the domain,
which is injected via a malicious Iframe into a legitimate site by
using various automated SQLi methods. At the time of the first report
on Friday, the count was just under 55,000 sites. On Wednesday, the
number of sites swelled to just over 84,000. Adding to this is the
discovery of similar SQLi attacks taking place in China, leading
ScanSafe to speculate that the attacks may be regional.

The Malware served in the attacks reported by ScanSafe on Friday are
a nasty cocktail of code, including backdoor related Malware,
keylogging Malware, various Trojans and more...

Continue Reading at The Tech Herald