Thursday, January 8, 2009

Why $4.00 a Gallon is More Appealing to NPS

There's a company that came up with a nifty idea...at least it was nifty when gas prices skyrocketed and gas station owners saw how credit card usage affected their bottom lines.

According to a story on CreditCards.com (How to turn your driver's license into a debit card), they have come up with a patent-pending process that allows consumers to use their driver's license (or any card with a magstripe) to bypass the national bank-owned credit/debit card networks (Honor, Star, Interlink and others) and offers debit card processing through the direct deposit Automated Clearing House (ACH) network to gas stations and convenience stores at a fraction of the cost.

I'll bet that National Payment Card is hoping that gas goes back up to $4.00 per gallon, because at that level (IMHO) this program would have a lot more momentum. Even their website uses the $4.00 per gallon comparison price point.

My viewpoint is that at $1.60 per gallon, it doesn't quite have the stigma it would have at the gas price levels we saw last summer. Nonetheless, going after a vertical with an ACH Decoupled Debit Platform that uses any card with a magnetic stripe was, and is, an innovative approach after the Honor All Cards ruling in 2004, and if gas goes back up to $4.00 per gallon, I'd look for this idea to be more appealing to gas station owners.

Still, there's always Europe (oops, I don't know if DLs have magstripes there)... In the US, fewer than half of the states (24) use magstripes on the back of their driver's licenses (see the map on the right; the ones in yellow use magnetic stripes). Still, the ones that do make up 61% of total gas stations in the US, according to their website.

Still, I thought it interesting and innovative enough to share on the PIN Debit Payments Blog.  Here's some information on the program from their website:
National Payment Card is introducing a next-generation payment mechanism with the designation “Payment Card.” The National Payment Card substantially reduces your cost associated with "bank-networked" debit and credit card processing.
The Payment Card system provides consumers access to funds in their checking accounts so they may pay for fuel at participating locations. Editor's Note: Once again, at $4.00+ a gallon there would be more willingness among gas station/convenience store owners to participate, but as of now only a handful, well, six to be exact, are doing so...

The Payment Card is not a credit or debit card that is linked through the national bank networks such as “Honor, Star, Nice and Interlink." The National Payment Card system can provide connectivity via existing payment processing networks or directly to the National Payment Card host services. Consumer authentication is via PIN at the pump.

How They Do It:
  • The Consumer becomes aware of the program at the station through pump toppers and audio messages.
  • The consumer enrolls in the program via the Internet, telephone or mail. The consumer's checking account information and consumer-selected PIN are the key elements of the enrollment data.
  • At the time of tender, a consumer who chooses the Payment Card as a method of payment will swipe the Payment Card as a credit card. The POS application will prompt for a PIN and the transaction will be sent to National Payment Card for validation.
  • The transactions are processed through the National Payment Card network.
  • National Payment Card then performs an EFT on the accounts, collects the funds and credits the gas station operator’s account within 24 hours. National Payment Card bills once a month for the transaction fees.
  • The entire process is computerized and automated with a solid audit trail. Reports can be sent by e-mail or viewed 24/7 on a secure VeriSign merchant web site.
  • At a predetermined time each day, transactions collected by National Payment Card are batched to the ACH for settlement.
  • The Payment Card is designed to be a traffic builder and loyalty program for your operators by providing consumers an immediate savings benefit while shopping.

30% of Online Retailers Offer AltPay



According to a study conducted by Brulant and relRosetta, 30% of online retailers are offering AltPay methods, up from 24% last February.  Bill Me Later had the highest adoption at 21% followed by PayPal at 19%. 

Here's their press release along with their study. The graphic is just a portion; to see the full illustration (PDF), click here.


Online retailers offering more alternative payment methods, new study shows
30% of 100 major online retailers were offering new payment methods as an alternative to credit cards in December 2007, up from 24% in February, according to a study by Brulant, a provider of interactive marketing and web site design services.


The study showed the highest alternative payment adoption rates for the Bill Me Later deferred billing service, at 21%, followed by PayPal at 19% and Google Checkout, 10%. 5% of the companies in the study offered all three of these payment methods.


“One of the most surprising findings is the increase in retailers offering all three alternative payment methods,” says Brulant principal Adam Cohen, noting that none of the same retailers offered all three methods in February 2007. “Today we find 5% adoption of all three at a variety of retailers from Toys ‘R Us to PetSmart to Rite Aid. This reinforces the ‘customer is king’ mentality, as retailers begin to offer a multitude of choices for checkout.”

Brulant also notes that 76% of online retailers surveyed accept private label gift cards as a payment method.

The study found that PayPal scored the largest increase in adoption between February and December 2007, at 217%, while the adoption of Google Checkout doubled. PayPal, a subsidiary of eBay Inc., is a third-party payment service that pays merchants on behalf of consumers, who fund their PayPal account with payment cards or bank accounts. PayPal also offers PayPal Pay Later, a deferred payment system that, like Bill Me Later, lets consumers make payments over time, often as part of a retailer’s promotional plan.

Google Inc.’s Google Checkout lets shoppers pay with their credit and debit cards through a streamlined checkout process. Google has offered merchants free card processing, an offer that ends Jan. 31. After that, online retailers will be able to process $10 in purchases free for every $1 they spend on Google’s AdWords search marketing program. Otherwise, Google will charge 2% of the purchase amount plus 20 cents.


Triple DES for GAS

In an effort to fight an onslaught of card skimming at gas stations, Visa has mandated that all new gas dispensing machines must support Triple DES effective January 1st. For existing machines, Triple DES must be implemented in pay-at-the-pump stations by July 2010.

Last night, when I was on ComputerWorld's site reading about CheckFree's 5 million (or more) customers put on alert, I also noticed this article announcing Visa mandating Triple DES support on all new fuel dispensing machines. For your convenience, I've included a couple of links for anyone who's interested in learning more about the Triple Data Encryption Standard.

Here are a couple of paragraphs from a story by ComputerWorld's Jaikumar Vijayan...


Clock Ticking For Gas Stations to Pump Up Security
Starting Jan. 1, Visa Inc. is requiring all new fuel-dispensing machines being installed at gas stations around the U.S. to support the Triple Data Encryption Standard, a mandate that is designed to make it harder for identity thieves to steal debit card data from gas pumps by shielding the personal identification numbers (PIN) of customers.

So-called card-skimming devices placed on gas pumps have been used to compromise payment card data in the past — for example, in 2005 at stations operated by Wal-mart Stores Inc.'s Sam's Club division. Editor's Note: And hundreds of gas dispensers across the country since then...this blog has covered many of those stories; click here for the complete list.

Visa's new requirement calls on gas retailers to ensure that all new pumps capable of processing debit card purchases are equipped with an encrypting PIN pad, or EPP, that supports Triple DES.

Although Visa is the only credit card company mandating the use of the encryption technology now, the requirement is expected to become part of a broader specification for unattended point-of-sale systems that is being developed by the PCI Security Standards Council, which is responsible for the Payment Card Industry Data Security Standard and other data protection measures.

Gas station owners have until July 1, 2010, to ensure that all of their existing pumps are upgraded to support Triple DES.
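As an added illustration of what the encrypting PIN pad (EPP) in the Visa mandate actually does (this is example code written for this post, not from the ComputerWorld article, Visa or any pump vendor), the Go program below builds an ISO 9564 format 0 PIN block and encrypts it under a two-key Triple DES key, so that only ciphertext leaves the pad. The PAN, PIN and key are constructed sample values; the format 0 layout and the K1||K2||K1 key expansion are standard, while the key loading and rotation a real EPP performs are left out.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample values for this example; none come from the article.
// The PAN is a made-up test number and the key a demo double-length key.
const (
	samplePAN    = "4000123456789010"
	samplePIN    = "1234"
	sampleKeyHex = "0123456789ABCDEFFEDCBA9876543210"
)

// isoPINBlock builds an ISO 9564-1 format 0 clear PIN block: the PIN field
// (control nibble 0, PIN length, digits, F padding) XORed with the PAN field
// (0000 + the 12 PAN digits before the check digit), binding PIN to card.
func isoPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 {
		return nil, errors.New("PIN must be 4 to 12 digits, PAN at least 13")
	}
	for _, c := range pin + pan {
		if c < '0' || c > '9' {
			return nil, errors.New("PIN and PAN must be numeric")
		}
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	p, _ := hex.DecodeString(pinField) // validated above, cannot fail
	q, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	block := make([]byte, 8)
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// newTDES expands a double-length key K1||K2 to the K1||K2||K1 layout that
// crypto/des expects and refuses a single-length DES key outright.
func newTDES(key []byte) (cipher.Block, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	} else if len(key) != 24 {
		return nil, errors.New("Triple DES key must be 16 or 24 bytes")
	}
	return des.NewTripleDESCipher(key)
}

// tdesPINBlock applies Triple DES to one 8-byte block: encrypting is what
// the EPP does before the PIN leaves the pad; decrypt=true is the host side.
func tdesPINBlock(block, key []byte, decrypt bool) ([]byte, error) {
	c, err := newTDES(key)
	if err != nil {
		return nil, err
	}
	if len(block) != c.BlockSize() {
		return nil, errors.New("PIN block must be exactly 8 bytes")
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, block)
	} else {
		c.Encrypt(out, block)
	}
	return out, nil
}

// pinFromBlock removes the PAN field from a clear format 0 block and returns
// the PIN digits, refusing a wrong control nibble or PIN length.
func pinFromBlock(block []byte, pan string) (string, error) {
	if len(block) != 8 || len(pan) < 13 {
		return "", errors.New("bad block or PAN")
	}
	q, err := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	if err != nil {
		return "", err
	}
	p := make([]byte, 8)
	for i := range p {
		p[i] = block[i] ^ q[i]
	}
	n := int(p[0] & 0x0F)
	if p[0]>>4 != 0 || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return strings.ToUpper(hex.EncodeToString(p))[2 : 2+n], nil
}

func main() {
	key, _ := hex.DecodeString(sampleKeyHex)
	clear, _ := isoPINBlock(samplePIN, samplePAN)
	enc, _ := tdesPINBlock(clear, key, false)
	dec, _ := tdesPINBlock(enc, key, true)
	pin, _ := pinFromBlock(dec, samplePAN)
	fmt.Printf("clear %X\nencrypted %X\nrecovered PIN %s\n", clear, enc, pin)
}
```

Because the PAN is folded into the block, a skimmer that records the encrypted block from one card learns nothing it can replay against another card with the same PIN.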

Wednesday, January 7, 2009

CheckFree Warns 5 Million Customers After Hack

I received a couple of emails in the last few weeks from CheckFree customers who had read my postings about the Fiserv DNS hack. One such email, whose author's name I'll leave out to respect his privacy, expressed concern that there was more to this than CheckFree was letting on. He wrote...

..."It is my belief that there was more to this hack than CheckFree is 'fessing up to (I am writing you because you alluded to how much worse the attack could have been in your blog post). When I spoke with the CheckFree folks, they assured me the only thing that would have happened was I would have been redirected to a blank screen. If the process was different, I would have noticed. Do you have any suggestions as to how I might find others who may have had the experience I had?"

To which I responded:

"First, sorry to hear about your experience with CheckFree. Second, thanks for following the PIN Debit Blog. Unfortunately, I am not aware of any methods to identify other victims of the recent CheckFree hack.


I do agree (with you) that there is probably more than meets the eye, in terms of the fallout of the hack. Some of these sites like CheckFree are a window to hundreds of financial institutions, protected by a single username and password. I'm surprised no one has raised the question of whether or not the financial information — which presumably has to be stored for record keeping purposes — might have been compromised.

If I hear of anything that might be of help to you, I'll certainly forward it. In the meantime, your best bet is to work directly with CheckFree. My understanding is that some malware may have been uploaded to your PC, so stay alert and keep an eye on your personal accounts..."

Now it seems that he was right about them not totally "fessing up" because today, CheckFree warned 5 million customers to be on alert.

Here's the story by Robert McMillan of ComputerWorld.

CheckFree Corp. and some of the banks that use its electronic bill payment service are notifying more than 5 million customers that criminals took control of several of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine.

The Dec. 2 attack was widely publicized shortly after it occurred, but in a notice filed with the New Hampshire Attorney General, CheckFree disclosed that it was warning many more customers than previously thought.

That's because CheckFree is not only notifying users of its own CheckFree.com Web site of the breach, it is also working with banks to contact people who tried to pay bills from banks that use the CheckFree bill payment service.

"The 5 million people who were notified about the CheckFree redirection were a combination of two groups," said Melanie Tolley, vice president of communications at CheckFree's parent company, Fiserv Inc., in a statement. "1.) those who we were able to identify who had attempted to pay bills from our client's bill pay sites and minus those who actually completed sessions on our site, and 2.) anyone enrolled in mycheckfree.com."

Tolley wouldn't say what banks were affected by the hack... (continue reading at ComputerWorld)

Got Hacked? Bank on It

In December, I posted twice about Fiserv's CheckFree Hack whereby their domain name was "webjacked." (see: CheckFree Not Hackfree and/or CheckFree Not Hackfree 2)

So, for the third time (but only the first time this year) I'm covering an article written about domain name webjacking...this time from USBanker.


I'm sorry to report that it doesn't look like this will be the last time this year, for lack of an official word, I'll be talking about webjacking. Some observers say they've seen signs that these webjack attacks will become almost as common as a Gulf of Aden pirate attack.

When I wrote in the first post, "Imagine how exponentially more 'effective' the 'webjacking' would have been if unsuspecting users were 'redirected' to what looked to be CheckFree's site vs. a blank page," I was hinting at the fact that it was most likely only a test.

After all, why would someone go through the hassle of bringing CheckFree users to a blank page when they could have brought them to an exact replica of CheckFree's log-in site? That's probably the easiest part to create in the whole scheme. I'm purely speculating here, but maybe they were simply running a test which gave them insight as to how they could take full advantage of the "httbs" in the "https" (prior to "researchers" having "let the cat outta the bag" in Berlin last week).

I mean, who's to say that these "White Hats" (as they are also known) are always beating the "Black Hats" to the starting gate? What if the opposite is true? Maybe these Black Hat guys are light years, well maybe not light years, but dark years ahead of us?

One thing I am sure of...I'm sure there are a lot more "Max Visions" out there than we are led to believe. Keep in mind that the Max Visions of the world are working at cracking code "full-time." They're hackers, not slackers. On the flip side of the equation, most "White Hats" are hobbyists (they used PlayStation 3s, for chrissakes :) or go to MIT (see: Sorry Charlie, You've Been Hacked), while others have full-time jobs (for instance, those very same MIT students who were then hired by the MBTA as a reward for hacking into their system)...see related stories below for more.


Black Hats not only work "full-time" on hacking, and subsequently wreaking havoc on financial institutions and account holders, but there's a bigger picture beyond just the hack itself. Where do you think a good portion of the money goes? Suffice it to say that, unlike the Chicago White Sox mantra, good guys don't wear black.

That said, let's see what we're up against here...

There are unsafe web browsers, and then there's webjacking, phishing, whaling, wardriving, malware, keylogging, screen capturing, skimming, pharming, spyware, botnets, worms, viruses, DoS attacks, packet sniffers...(you starting to get the picture?) So what is an online shopper to do?

I once again state that the best way to purchase via the internet is with your own personal card swiping device. It could even be used to log on to your online bank. Just swipe and enter your PIN.

Hey...maybe the banks, who are already at huge risk, could mitigate some of that very same risk and at the same time keep their customers from getting burnt. I have a toast. Here's to a campaign similar to the one they ran back in the 50's and 60's, only this time...they give away our personal swiping devices. Otherwise, if this continues, which it will, they're toast...

Sorry, kinda got off on a tangent there...here's more on "when hackers take control of a bank domain name" with more instances to follow...I'm sure of it...(said the same thing about skimming last year)

From the American Banker publication US Banker:


Security experts are warning financial companies of a relatively new type of computer attack in which hackers gain control of a bank's domain name.

The technique gained widespread attention last month when hackers briefly took over the domain names of Fiserv Inc.'s CheckFree bill payment unit, and observers say they have seen signs that this form of attack will be used more widely this year.

The domain name system, or DNS, attack "in late 2008 has started getting a lot of attention from attackers, as opposed to past years, when this area was pretty quiet," Amit Klein, the chief technology officer at Trusteer Ltd. of Tel Aviv, said in an interview.



"The major reason" for the trend, he said, "is that attackers found out that it's much easier to get users to browse to so-called legitimate sites rather than direct users to sites that are obviously not legitimate."

Most phishing attacks involve fake sites that replicate a bank's site but must be hosted elsewhere. In some cases, fraudsters are able to register domain names that include the brand of the site they are imitating, but people who type banks' domain names into the browser each time they visit would typically not be directed to fake sites.

Because consumers are aware of such ways to avoid false sites, "the effect of phishing, at large, is somewhat less than it used to be," which has prompted attackers to seek new methods, Mr. Klein said.

A DNS attack "does take a bit more expertise" than phishing does "but not a lot more," he said, especially since expertise can be bought. "Everything that's very sophisticated today becomes a kit within a year or two … if it's proven successful enough."


Tuesday, January 6, 2009

Anti-Skimming Recommendations from SEPA

I've covered card skimming on this blog extensively in 2008. There's a big problem in Europe, where EMV has been instituted: the magstripe gets skimmed there, transferred onto cloned cards, and used in the United States, where EMV is nowhere to be found. SEPA (Single Euro Payments Area) has now released recommendations to fight skimming in Europe.

Here's page one of a three-page PDF. Click here to open the PDF file in full.

INTRODUCTION

The growth of skimming fraud is a major driver for the rollout of EMV across the SEPA. This should be completed by 2010 and it has already resulted in dramatic reductions in the use of fraudulently duplicated cards in the countries where it has been introduced. However, it has also resulted in fraudulent transactions migrating to countries where EMV has not yet been implemented or is not planned, often outside the SEPA area. As many such countries have no plans to introduce EMV, cards will continue to have both mag-stripe and chip and therefore there will remain a significant risk of a fraudster skimming a magstripe in an EMV country and using the duplicate card in a non-EMV country or environment.

BACKGROUND

Card skimming involves the capture of a card’s mag-stripe information (which may be debit, credit or ATM only), and matching it with the card’s PIN number in order to produce a duplicate card. This may occur at ATMs, Point of Sale (POS), or indeed any other location where a customer uses their card and PIN.

The mag-stripe information is captured by fitting an additional card-reader over the ATM’s card slot and the PIN is usually obtained by the use of micro cameras, although “shoulder surfing,” may also be used. This information is then stored on a chip within the skimming device or more usually transmitted immediately to a lap-top PC nearby. Devices are usually attached to ATMs for short periods e.g. 20 minutes and the device is usually being observed. For this reason ATMs which are busy and which have ample adjacent parking are particularly attractive to fraudsters.

The duplicate card can then be used in a non-EMV ATM, or if the duplicate card passes visual inspection, Point of Sale (POS). Information on the chip is not captured which means that the card cannot be used in an EMV environment and this normally limits use to locations where EMV has not been introduced. Fraudulent data may be sold on and mixed with other sources of data and the actual card production may be months after the data was captured, although on other occasions duplicate cards have been used less than 24 hours after the attack.

With a duplicate card a bank account can be drained until there are no funds available, or in the case of a credit card, until the credit limit is reached. As ATM usage is subject to daily withdrawal limits, these transactions usually take place close to, or at the daily limit over a number of days. EAST (European ATM Security Team), reports that the number of cases of skimming remains high across Europe with over 4501 ATM incidents in 2007, resulting in losses of over €438 million.


Twitter Outwitted


First there was Facebook, and now Twitter users have been lured into a phishing scheme causing some users to give up their Twitter username and password to a site "masquerading" as Twitter.com. (This is what easily could have happened to CheckFree users instead of them being brought to a blank page...and what will happen more and more in the not so distant future. This may be a drill, to test the waters.) I predict it will happen frequently in 2009, and I predict there will be a post on the subject tomorrow morning...adorned with the same graphic that's on the laptop on the right...

The phishing links arrived as direct messages, usually saying something like “hey! check out this funny blog about you….” If you clicked on the provided link your browser was redirected to the URL twitter.access-logins.com, which looks just like the main Twitter login page, but steals your credentials. 

With a main domain name of access-logins, this phishing scheme is not what you’d call subtle, but if you’re worried you might have been duped, the Twitter blog suggests changing your Twitter password. It appears that all the scammers did with the captured login info is send more direct messages, furthering the scam. If you’ve been suckered, Twitter will reset your password for you.

While Twitter did a good job of containing the problem, the suggestion that you not give out your “secret info” is a bit ironic since that’s the only way you can access Twitter through third-party sites and apps.

News of the attack led many a savvy Twitter user to gripe about the service’s lack of OAuth support, but, while OAuth would allow third party sites to access your Twitter account without giving up your password, it wouldn’t completely stop phishing attacks.

But OAuth would have one huge benefit that could lessen phishing attacks on Twitter: it would get users out of the habit of giving their Twitter username/password to any cool new site that pops up without thinking about the potential side effects — like the fact that you just gave an unknown party complete access to your account...

Read more at wired.com



The Glitch That Stole Christmas?

ONE-THIRD OF ONLINE SHOPPERS ENCOUNTERED GLITCHES THIS HOLIDAY SEASON, NEW GUIDANCE SURVEY REVEALS

Some 64 Percent Shopped Online Without Incident -- While 37 Percent of Those Online Didn’t Shop the Web at All

Source: Guidance/Synovate Survey




MARINA DEL REY, Calif. - In what may have been the most closely-watched holiday shopping season in the short history of the online medium, some 36 percent of online shoppers ran into roadblocks en route to buying that gift – ranging from molasses-like website response to fruitless efforts to check out, to outright system crashes.

That’s the principal finding of a new nationwide survey from Guidance, conducted through December 23. In association with Chicago market researcher Synovate, Guidance asked 1,000 online consumers, “When you think of online shopping this holiday season, which of the following have you had issues with?”

The findings come amid a dramatically weakened economy, declining brick-and-mortar retail sales, a shortened holiday shopping season – due to a late Thanksgiving – and uncertainty about whether online shoppers would pick up the slack.

The Guidance/Synovate survey revealed that 64 percent of shoppers completed their purchases incident-free. At the same time, 37 percent of those online skipped Internet shopping altogether, a small percentage of whom reported doing so because of problems in the past. Of those who reported trouble this year, 13 percent said they had to abandon a very slow website while they were trying to shop, 8 percent said a website froze or crashed altogether, 7 percent could not complete a purchase on their first attempt, 6 percent tried to access a website that was down temporarily and 4 percent said a purchase they thought they had completed actually didn’t go through.


According to the survey, online shopping hassles affect the overall degree to which people will shop online. Across nearly every demographic breakdown -- other than race -- the group least likely to say their online shopping was incident-free was also the group least likely to shop online.


Crash-Free Commerce

“While online shoppers may have escaped the ferocious winter weather, a significant number didn’t elude the issues that tend to afflict overburdened, under-engineered eCommerce sites,” said Jason Meugniot, Guidance CEO and Owner. “Ideally, every shopping cart that is not abandoned by the shopper should be converted – and every one that doesn’t sends a message to the consumer. Uptime, speed and reliability ought to be prerequisites of the online shopping experience. Still, I’m heartened by the success that many online shoppers enjoyed, especially since deep discounts, special offers and free shipping/returns made online shopping a better value than ever this season.”

Among the survey’s major findings:


  • Women were more likely to say their purchases were completed without incident (44 percent, compared with 36 percent of men).
  • Respondents at both ends of the age spectrum seemed to have more problems than their counterparts overall: just 35 percent of both the 18-24 and the 65+ age groups said their shopping was incident-free, versus 40 percent of the overall sample. Respondents 25-54 were most likely to say their online shopping was incident-free: 44.5 percent of those 25-34, 46.5 percent of those 35-44, and 40 percent of those 45-54.
  • That might explain why the youngest and oldest also were the least likely to shop online: nearly half of both groups (45 percent of those 18-24, and 48 percent of those 65+) said they didn’t shop online at all this holiday season. The group most active online were those between the ages of 35 and 44: just one-quarter of them (26 percent) did not shop online.
  • Those with higher incomes had an easier time of it: just 27.5 percent of those who earn less than $25,000 per year said they didn’t encounter problems, compared with 46 percent of those who earn more than $75,000.
  • Weather wasn’t the only thing bedeviling those in the nation’s midsection. Respondents in the Midwest were far more likely to experience problems: only 29 percent reported no problems, compared with 44 percent for those in both the Northeast and the South, and 42.5 percent of those in the West. Respondents in the Midwest were also least likely to shop online: nearly half (46 percent) said they didn’t shop online, while just 30.5 percent of those in the Northeast agreed.
Guidance has been designing, developing, hosting and managing eCommerce websites for clients since 1995.

“Keeping an eCommerce website up and running smoothly requires more than simply lining up enough servers,” said Meugniot. “Retailers need application support for the database, the eCommerce apps and the website itself – and a partner that understands how everything works together. Finding an experienced and reliable hosting and managed services provider is vital, to make sure retailers capture every transaction and keep customers coming back for more.”

The Guidance/Synovate survey has a margin of error of +/- 3 percent. For a full copy of the survey results and a graphic presentation of top-line data, email info@edgecommunicationsinc.com.


About Guidance
Since 1993, Guidance (www.guidance.com) has helped companies seize opportunities and solve problems through the innovative and practical use of technology. Guidance designs, builds and maintains eCommerce websites for retailers that are pure-play online or multi-channel – creating captivating experiences so consumers will buy more, come back often and value greater engagement with the retailer. Guidance's systems facilitate $500 million in online sales every year. Members of the Guidance team are seasoned professionals, passionately committed to providing technical leadership and powering ingenuity. Key clients include Foot Locker, GEARYS Beverly Hills, Relax the Back, Salvation Army, and many others. Guidance is based in Marina del Rey, Calif.



Encrypted Email for Donors/Client Info

Does the "e" in e-mail now stand for "encrypted"?

Michele Donohue writes for The NonProfitTimes about a new Nevada (and Massachusetts) state law requiring encryption of email transmissions of personal information, including donors' credit/debit card information...

States Push To Encrypt Donor/Client Info
Michele Donohue

Fred Schultz, CEO and founder of the Foundation for Positively Kids (FPK) in Las Vegas, deals with a lot of confidential information in his program for medically-dependent children. The organization stores names, addresses, medication, family information and donor credit card information.

A good portion of that information arrived via email. That system now must be overhauled to accommodate a new Nevada law that requires personal information transmissions to be encrypted.

“We are trying to take care of sick and dying kids -- why do I have to worry about a new Nevada encryption law?” Schultz asked rhetorically.

Nevada is not alone. A data security measure became law on January 1 in Massachusetts and it is being talked about in several other states. FPK’s information technology (IT) support implemented a new program that would require recipients to have a password to access sensitive emails. “It’s the law, and whether it has teeth behind it or not, there has to be an effort made by nonprofits large and small to try to abide by what the new statute would be,” he said.

The Nevada law, which falls under Nevada’s Miscellaneous Trade Regulations and Prohibited Acts, states that personal information cannot be transferred through electronic transmission outside a secure system unless it’s encrypted.

Both Nevada and Massachusetts define personal information as: “a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: (1) Social security number, (2) Driver’s license number or identification card number, and (3) Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.”

The Nevada statute holds organizations financially accountable for security breaches, which could include civil suits from affected parties... (continue reading at NonProfitTimes)

Barclay Up the Wrong Tree?

From what I've read, the jury's still out on whether NFC is secure. WEP wasn't. We'll see. Barclaycard is smart...they're playing both sides: everything remains the same with their IC debit cards, except for the addition of an embedded NFC chip. If Near Field Communication is proven secure by then, Barclays will be ready by 2011. Will NFC be?

Barclays Goes Contactless on Debit Cards

Barclays customers will soon be able to pay their way with the wave of a card as the bank is set to be the first in the UK to roll-out contactless VISA debit cards to its customers.

From March, most Barclays debit cards that are issued or reissued will have contactless technology built in as standard. More than three million customers are expected to be using contactless debit cards by the end of the year.

The cards use contactless technology to enable transactions of £10 or less to be paid for by holding the card up to a special reader, without the need to enter a PIN or insert the card into a terminal. The transaction is debited directly from the customer's current account in the same way that a standard card transaction is. The cards will still have chip and PIN which will be used for purchases and for ATM transactions. Periodically the card will prompt for the PIN to be entered to verify the customer's identity.
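The press release describes a control rather than a mechanism: no PIN below the £10 limit, chip and PIN above it, and a "periodic" PIN prompt that re-verifies the cardholder. The model below is an added illustration of how such a rule is typically enforced on the card with offline counters; it is not Barclays or Visa code. The £10 limit comes from the release, while the two counters and their thresholds (five transactions, £30 cumulative) are assumed values for illustration.

```python
"""Model of the cardholder-verification rule the Barclays release describes:
contactless without a PIN below a per-transaction limit, with the card
"periodically" demanding the PIN. Added illustration, not Barclays or Visa
code. The £10 limit is from the release; the two counters and their
thresholds are assumed for illustration."""

CONTACTLESS_LIMIT_PENCE = 1000        # £10, per the press release
MAX_NO_PIN_TRANSACTIONS = 5           # assumed threshold
MAX_NO_PIN_CUMULATIVE_PENCE = 3000    # assumed threshold (£30)


class ContactlessCard:
    """Tracks the offline counters that decide when a PIN must be entered."""

    def __init__(self):
        self.no_pin_count = 0      # contactless transactions since last PIN
        self.no_pin_total = 0      # pence spent contactless since last PIN

    def _counters_exhausted(self):
        return (self.no_pin_count >= MAX_NO_PIN_TRANSACTIONS
                or self.no_pin_total >= MAX_NO_PIN_CUMULATIVE_PENCE)

    def authorize(self, amount_pence, contactless, pin_entered=False):
        """Return "approved" or "pin_required". A successful PIN entry resets
        the no-PIN counters, as a chip-and-PIN transaction would."""
        if pin_entered:
            self.no_pin_count = 0
            self.no_pin_total = 0
            return "approved"
        if not contactless:                # chip inserted: always PIN
            return "pin_required"
        if amount_pence > CONTACTLESS_LIMIT_PENCE or self._counters_exhausted():
            return "pin_required"
        self.no_pin_count += 1
        self.no_pin_total += amount_pence
        return "approved"


def run_sequence(amounts, contactless=True):
    """Drive a fresh card through a list of amounts (pence) and return the
    list of decisions; shows where the periodic PIN prompt lands."""
    card = ContactlessCard()
    return [card.authorize(a, contactless) for a in amounts]


if __name__ == "__main__":
    print(run_sequence([500] * 6))     # five approved, then PIN required
    print(run_sequence([1000] * 4))    # cumulative limit trips on the fourth
```

The point of the two counters is that a lost card cannot be drained by many small taps: the number and total value of no-PIN transactions are both capped, and only a successful PIN verification resets them.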

Mark Parsons, Managing Director of Current Accounts for Barclays, said: "Barclays has long been a pioneer in banking. We were the first to launch the debit card in 1987 and now we are the first to give our customers the latest incarnation - the contactless debit card. This gives people a new way to pay for things that is quick, secure and convenient and we are confident that it is going to be really popular with customers."

Over 8000 retailers already accept contactless payments with more installing the technology every week. Barclaycard was the first to introduce contactless technology on credit cards in the UK in September 2007 with the launch of Barclaycard OnePulse, the three-in-one Oyster, credit and contactless card.

For more information on Barclays contactless debit cards go to barclays.co.uk/contactless. To search for outlets which accept contactless payments visit the Visa website at visapaywave.co.uk

Source: Press Release


E-Commerce Not Safe in Web Browser Followup

SSL Crisis Averted -- For Now - DarkReading
Last Friday, I posted about a "serious vulnerability" within ALL web browsers: that a "key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability." (see my post "E-Commerce and Browsers Don't Mix")

Yesterday, Dark Reading said the SSL crisis has been "possibly" (there's no way of knowing)  averted...for now anyway.  (as a die-hard Cub fan, I cannot resist the temptation to add the famous "Wait til next year" mantra. Wait...since last week, this week IS next year...)

Anyway, here's a portion of that article.  To read it in its entirety, click the link at the bottom of this post...


SSL Crisis Averted -- For Now

VeriSign quickly fixes vulnerable SSL digital certificates at risk of newly revealed hack, but experts say there's no way to know for sure if phony certificates exist from previous attacks 

Jan 05, 2009 | 02:55 PM
By Kelly Jackson Higgins - DarkReading

It took VeriSign only four hours to close a hole that had left customers of some of its digital certificates vulnerable to a new attack revealed by researchers just before the new year. White-hat hackers exploited a known weakness in the algorithm in some digital certificates that allowed them to impersonate secure Websites.

While the attack was considered deadly due to its transparency and ability to mimic a secure Website, the good news is that it was isolated to only a minority of digital certificates that use the older and less secure MD5 algorithm. According to Netcraft, about 15 percent of all digital certificates in December were signed with MD5.  (Editor's Note:  The bad news is that 15 percent of all digital certificates were signed with MD5)

The researchers demonstrated at the 25th Chaos Communication Congress in Berlin last week how they were able to purchase a legitimate certificate from RapidSSL, which is part of VeriSign, and then forge a phony trusted certificate authority.

Story continued at Dark Reading
  (but before you go...here's an additional snippet)

End of (threat) story? Not exactly. Although researcher Alexander Sotirov admits it's unlikely the attack has been performed before, he and other researchers say there's still no way to know for sure: "Even though it's unlikely, the theory behind our attack has been published since 2007, and it is possible that somebody else has been able to implement it. In this case, any one of the certificates issued by RapidSSL since 2007 could have been malicious, but there is no way to detect which one," he says.
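Sotirov's point is that there is no way to tell which RapidSSL certificate, if any, was used to mint a rogue CA, so the practical defence is on the relying side: stop trusting MD5 signatures at all. The script below is an added example, not code from DarkReading, VeriSign or the researchers, of the audit a site operator could run over its own certificates: it parses just enough DER to pull the outer signatureAlgorithm OID out of an X.509 certificate and flags MD2/MD5. The OID-to-name table holds the standard PKCS#1 values; the "certificate" it builds to exercise itself is constructed and has a dummy tbsCertificate, so it is only a stand-in for the real structure.

```python
"""Flag X.509 certificates signed with MD5 (the weakness the DarkReading
story discusses). Added example; not code from the article or from VeriSign.
The DER helpers here are minimal and handle only what this check needs."""
import base64

# Signature-algorithm OIDs from PKCS#1 (standard values, not page-specific).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIGNATURES = {"md2WithRSAEncryption", "md5WithRSAEncryption"}


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Turn the raw bytes of an OBJECT IDENTIFIER into dotted form."""
    parts = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # last base-128 digit of this arc
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def pem_to_der(pem_text):
    """Strip the BEGIN/END lines and base64-decode the certificate body."""
    lines = [l.strip() for l in pem_text.strip().splitlines()
             if not l.strip().startswith("-----")]
    return base64.b64decode("".join(lines))


def signature_algorithm(cert_der):
    """Return the OID of the outer signatureAlgorithm of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert_body, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert_body, 0)             # tbsCertificate (skipped)
    _, alg_id, _ = read_tlv(cert_body, pos)           # AlgorithmIdentifier
    oid_tag, oid_body, _ = read_tlv(alg_id, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def audit_certificate(cert_der):
    """Return (algorithm_name, is_weak) for one DER-encoded certificate."""
    name = SIGNATURE_OIDS.get(signature_algorithm(cert_der), "unknown")
    return name, name in WEAK_SIGNATURES


# --- Constructed test data: a DER encoder just big enough to build samples ---
def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        digits = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            digits.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += digits
    return tlv(0x06, bytes(out))


def make_sample_cert(sig_oid):
    """Constructed stand-in for a certificate: the tbsCertificate is a dummy
    SEQUENCE, which is enough to exercise the outer-structure parsing."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                       # placeholder TBS
    alg_id = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))  # OID + NULL params
    signature = tlv(0x03, b"\x00" + b"\x00" * 16)             # BIT STRING
    return tlv(0x30, tbs + alg_id + signature)


def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(audit_certificate(pem_to_der(to_pem(make_sample_cert(oid)))))
```

On a real deployment, feed pem_to_der the certificate files from the server and its intermediates; a weak algorithm anywhere in the chain, not only on the leaf, is what matters, because the forged CA in the Berlin demonstration sat above the leaf.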


Monday, January 5, 2009

Global Smart Card Outlook


Smart card applications make transactions safer

New Delhi, India, Jan. 05, 2009 -- RNCOS in its new research report "Global Smart Card Market Outlook" says that the financial/retail sector is expected to continue to represent the largest application area for the global smart card industry. And the shipment of smart cards in financial/retail/loyalty is estimated to increase by 15% in the current year.

According to the report, the rising applications of smart cards in diverse sectors are due to the high security they provide. Consequently, smart cards are being widely used in financial applications such as payment cards and ATM or banking cards.

With robust growth in the global financial market, particularly in the Asia-Pacific region, the opportunities for the global smart card industry have increased tremendously, says the report. Rising number of fraudulent cases has highlighted the risks associated with using magnetic stripe cards for transactions. Moreover, the growth opportunities for smart cards have further increased by the decision taken by Visa and MasterCard to use Europay, MasterCard and Visa (EMV) specification worldwide.

Besides, the banking sector represents an area of tremendous opportunities for smart card industry because its functionalities, such as value-added services and enhanced consumer benefits, have made smart card viable and the safest option for end users. Thus, the demand for smart cards is expected to grow at an unprecedented rate.

"Global Smart Card Market Outlook" provides in-depth and comprehensive information on the growing marketplace for smart cards at the global and national level. It contains thorough analysis along with statistical data on the present market trends, emerging markets and future growth prospects for the smart card industry.

Apart from this, the report contains statistical information on value, shipments and applications of smart cards at the global and national level that helps clients to identify critical opportunities for growth of the smart card industry. It helps clients to evaluate key factors driving growth in the industry and future avenues. The study also provides forecast on the number of mobile subscribers and smart card shipment by region.

Source: Company press release


Mob Implicated in Credit Card Scheme

Armenian Mob Imiplicated (sic) in Credit Card Scheme - beaconcast.com
Don't know if they spelled it wrong or if because they were illegal immigrants, they added the "Imi in plicated", but nonetheless, here's a snippet from Beaconcast on an Armenian Mob Ring in Alpharetta, GA.

It all started around late August when four alleged Russian gang members of Armenian descent, all of them likely near the bottom of the crime mob totem pole, descended on Alpharetta from Glendale, Ca. to set up crime operations. All four entered the country illegally. No one knows exactly how the four made their way into the U.S. But like the millions of other foreigners who are in America illegally, they did...
Once established, the suspects engineered an elaborate credit card fraud scheme they perpetrated on unsuspecting late night BP customers. This involved changing out the electronic credit card swipe machine when no one was around and replacing the BP supplied one with their own version by simply unplugging BP’s and plugging in their counterfeit replica. This bogus machine would do everything the BP device did, like send the funds to the BP clearing bank, print out a BP receipt and balance BP’s cash register. What it also did was capture the name of the card user, the credit card number and electronically encode the metallic stripping.

Each time a customer would buy something in the store with a credit or debit card, Khalatyan caught the information in his fraudulent machine. The suspect would ask the customer if it was a debit. If so, the user would then enter his or her PIN in the device, and Khalatyan would capture that too by using a small hidden camera...

continue reading at Beaconcast


Macy's Multiple Debits = Multiple Questions?


Evan Schuman (and Fred J. Aun) wrote an interesting story regarding the recent "multiple debits" charged to 8000 Macy's debit card customers.  Like the recent RBS breach, (see: Mother of All Hacks Coming?) it was "quietly" announced (purposefully?) during the busy holiday season when many reporters are on holiday.  Unlike the RBS breach, and to Macy's credit...er...debit, they didn't wait 2 months (see below) to announce it.  Here's the story from StorefrontBackTalk.com

Questions Surround Some 8,000 Macy's Debit Cards That Got Charged Repeatedly
When Macy's distributed a very cryptic statement on Dec. 23 that "some" debit card customers had seen "multiple" debits for single transactions, it went virtually unnoticed.

Much of that had to do with the very quiet way Macy's shared that knowledge, by E-mailing it to a handful of reporters, many of whom were on vacation. Unlike the typical way Macy's—and others—make statements, there was no statement issued to any of the major news release wires nor was it placed on their own news release page. It was ideally handled if someone wanted to say that they "announced" something but have no one know about it.

Continue Reading at StorefrontBackTalk


In a related story, BTN came down on RBS for waiting two months before announcing that 1.5 million of its customers were breached.
"The institution discovered the breach shortly after Halloween, yet apparently waited almost two months—an eternity in ID theft time—before making a public announcement.  That has some people scratching their heads. “Two months? That’s enough time for someone to go out and apply for a loan under your name, to get a credit card, to mess up your credit. The way to build trust in relationships is with communication,” says Jacob Jegher, an analyst at Celent."


Skim Through this Card Skimming Article

In addition to the fact that E-Commerce is outpacing bricks and mortar in several sectors, (see previous story) there is a mounting problem with bricks and mortar POS devices.  They've been tampered with, they've had skimmers attached to them, or they've been replaced with clones and then taken back filled with credit/debit card numbers. 

I am adamant in my beliefs that the safest transaction is online debit for online shopping.  You swipe your own device outside the browser space and because you're left to your own devices, they are not in danger of being tampered with.  So swipe your own card, with your own device...in your own home...and your card information will remain your own...

Here's a story about a Buffalo man, who is to be sentenced shortly.  I'm curious to see how much time he'll do.

According to today's Buffalo News, a local skimmer was convicted and is scheduled to be sentenced 1/22.  It'll be interesting to see how long this skimmer will be a "jail bird". 

If you'd like to read the "entire" article, click the headline below.  Otherwise you can "skim" through Dan Herbeck's report below:

Skimmers prey on credit card users


By Dan Herbeck
NEWS STAFF REPORTER

Skimmer fraud is a growing international problem, according to police, and it all starts with a process that is so routine that it happens millions of times every single day at businesses all over the world.

A customer walks into a store or restaurant, makes a purchase and hands a credit card to a cashier. The cashier then swipes the card through an electronic device that reads the information on the card.

Usually the purchase is approved, but sometimes a dishonest cashier also swipes the card through a small, illegal, hand-held device called a skimmer.

This device — no bigger than a pager — steals information from the card and activates a form of identity theft that causes headaches for consumers and, in recent years, has cost credit card companies billions of dollars.

Fraud experts say these scams occur every day — often on a much bigger scale — in businesses all over the world. Some of the skimming operations are run by organized crime.

“Credit card scams and shady waiters can easily turn customers into identity theft victims,” said Dawn Handschuh of CreditFYI.com, an online educational forum on personal finance issues.

“Credit card skimming occurs when someone swipes the magnetic stripe on a customer’s credit card to get the account number with a device small enough to hide in a pocket or hand. It takes about two seconds.”

Skimmers usually cost a few hundred dollars and can be purchased over the Internet, police said. Some Web sites even offer information on how to make such a device.

In Europe, a growing number of restaurants are fighting this form of fraud by using small portable devices that allow consumers to pay their bill at their table. A limited number of restaurants in the United States have begun using them.

“Industry and law enforcement sources estimate credit card fraud losses exceed a billion dollars annually. And it’s no wonder why, when thousands of skimmed credit card numbers can be sold and e-mailed anywhere around the globe in seconds,” the Consumer Affairs office of the State of Georgia said in a recent advisory on skimming.


Skimming affects every consumer because fraudulent credit transactions are sometimes charged back to the merchant who accepted the card. The merchant ultimately winds up raising prices to make up for the losses, the Georgia office said.

Authorities also warn about a second form of skimming that does not require the participation of dishonest cashiers. Some skimming rings have learned how to install skimming devices on automated teller machines, gasoline pumps and other legitimate devices that read credit cards or banking cards.

According to federal prosecutors in Orange County, Calif., a man pleaded guilty in 2007 after agents learned that he put illegal skimming devices on gas pumps at several gas stations in the region.  The man admitted that he obtained credit card and debit card information from 90 customers and then used the information to steal $186,000 from his victims’ accounts.



E-Commerce Outperforms Bricks-and-Mortar Across Many Sectors


"eCommerce continues to grow," says JPMorgan analyst Imran Khan, who pointed out in a research note that while U.S. retail sales grew just 2 percent in the first nine months of 2008, eCommerce grew by 8 percent.

Meanwhile...comScore, a leader in measuring the digital world, today released online spending data by category for the online holiday shopping season, which showed that trends in online spending outperformed offline in several key product categories. The study compared comScore e-commerce data to overall (online and offline) consumer spending data published by MasterCard Advisors' SpendingPulse Unit for the period of Nov. 1 -- Dec. 24 vs. year ago.

"For an online holiday shopping season that recorded a disappointing 3-percent decline in sales, a positive note is that e-commerce trends outperformed overall consumer spending in several product categories, which is to say that e-commerce continued to capture an increasing share of consumers' wallet," said comScore chairman Gian Fulgoni.

"Clearly, 2008 was an extremely challenging time for many retailers, and the beginning of 2009 may not be much better. But when the consumer economy eventually does rebound, e-commerce is poised to benefit from its emergence as an important consumer sales channel."


Wealthiest Households Spent More Online this Holiday Season

comScore also analyzed non-travel e-commerce spending by household income segment for the holiday shopping season, revealing that growth in online spending only occurred (up 7 percent) within households making at least $100,000 in annual income, while lower income segments logged significant declines in spending. Those households earning less than $50,000 per year appear to be the most affected by the current economic environment, with their online spending declining by 13 percent versus year ago.

Source: Company press release.


MC inC: "MasterCard inControl" of Orbiscom




After RBS implemented a commercial application called "MC inC" (MasterCard inControl), a collaboration between Orbiscom and MasterCard, MasterCard has decided to purchase the company.

Deal enhances MasterCard's ability to deliver advanced and customizable payments solutions for today's demanding marketplace
PURCHASE, N.Y., Jan. 5 /PRNewswire-FirstCall/--

MasterCard Incorporated (NYSE: MA) announced today the acquisition of Orbiscom Ltd., a Dublin, Ireland-based leading payments solutions software provider for major financial institutions. The purchase price is approximately $100 million, a portion of which is contingent upon the future performance of Orbiscom's business.
The acquisition builds on the companies' existing partnership that created MasterCard inControl, an innovative platform featuring an array of advanced authorization, transaction routing and alert controls designed to assist financial institutions in creating new and enhanced payment offerings.

In 2008, Royal Bank of Scotland became the first financial institution to implement MasterCard inControl for its commercial card customers.

Click the following link to read the entire press release: MasterCard Acquires Orbiscom to Accelerate Development of Innovative Payment Solutions | MasterCard®
