Monday, March 23, 2009

Make the "Hack You" Link...

You've heard of the F-Bomb, the H-Bomb and the F-Word.  With the recent rash of Hacks (Heartland, RBS WorldPay and more coming) there's a new one...I call it the H-Word.  It's Black Hat slang for Hack You!

Heartland knows what it feels like when a Black Hat says "Hack You!"  Suffice it to say their stock symbol might be HPY, but shareholders are not.  Why?  Again...two words.  Hack You!  So what's the safer approach to protecting your Online Debit (PIN) number?

A PCI 2.0 PED "certified" approach...or a soft(ware is the PVV?) approach?  What's more readily hackable?  Hardware or Software.  It's not "hard" to make the "Hack-You"-Lynk...

Although the answer is an obvious one, never underestimate the impact of good marketing prowess.  The EFT Networks may have fallen for a good sales pitch Hook, Line and Sinker, but they should know better.  They'll know soon enough...why a software only approach to protecting a consumer's PIN is soft.  My biggest concern is a breach, not competition.  I don't want to see people's PINs hacked because it will affect the industry as a whole, and we are part of that industry.  The writing is SO CLEARLY on the wall.  I'd like to see it encrypted...

Since data is what's at stake here, we'll provide some.  

What follows are some excerpts from a paper called "Breaking VISA PIN" written by Luis Padilla Visdómine.  If you're not a techie, you'll have to read it a little bit more slowly in order for it to properly digest.  In the meantime, here's the meat and potatoes:  A software approach WILL BE HACKED, PERIOD, END OF STORY, GUARANTEED.  Many prominent industry insiders agree.  HomeATM's CEO guarantees it will happen within 30 days of it going live.  If it takes 60 or 90 days, don't hold it against him...he's only trying to help.


There's only one way to prevent a Black Hat attack resulting in the H-Word.  You've got to fight fire with fire...in this case, with "another" H-Word...HomeATM.  (bet you thought I was going to say Hardware, didn't you?...)

HomeATM reached the summit or PINNACLE of security with its recent PCI 2.0 certification.  What does this mean?

It means that HomeATM's "SAFE-T-PIN" solution encrypts the entire transaction, beginning to end, which should thus remove participating merchants from the scope of the PCI DSS as NO CARDHOLDER DATA is transmitted during the transaction.  What does THAT mean?

Considering the fact that PCI DSS compliance is a costly process, that fact alone should result in considerable interest.  Instead of paying tens of thousands, in some cases hundreds of thousands of dollars, an e-merchant could employ HomeATM's payment platform and be in like Flynn.

Additionally, since the HomeATM SAFE-T-PIN provides a "card present" environment, interchange morphs from the significantly higher "Card NOT Present" rates into a significantly lower "Card Present" rate.  But we're not done yet.  In addition to our solution removing our clients from the PCI DSS scope and lowering interchange to Card Present rates, we ALSO further reduce interchange by providing a true PIN based transaction.

PIN based transactions, because of their inherent dual-authentication processing (What you have/Card and What you Know/PIN) enjoy a reduced interchange rate on top of the CP rate.  In effect, HomeATM could save giant e-tailers tens of millions of dollars on Interchange.  "Annually!"

On the flip side, considering that a "software" approach requires the card holder to "type" their PAN (Primary Account Number) into a browser, e-tailers will still have to pay a "card not present" rate.  So even if it isn't H'd in the first 90 days, Internet Retailers would still be paying a higher rate in return for the convenience of not having good security.  But since the Internet Retailer is the one who is going to be liable when it is dot.hacked, they'll quickly learn they've been had. 

Here are the excerpts:  To read his entire paper, click here


VISA PVV algorithm


One of the most common PIN algorithms is the VISA PIN Verification Value (PVV). The customer is given a PIN and a magnetic stripe card. Encoded in the magnetic stripe is a four digit number, called the PVV. This number is a cryptographic signature of the PIN and other data related to the card. When a user enters his/her PIN, the ATM reads the magnetic stripe, encrypts and sends all this information to a central computer.

There a trial PVV is computed using the customer-entered PIN and the card information with a cryptographic algorithm. The trial PVV is compared with the PVV stored in the card; if they match, the central computer returns to the ATM authorization for the transaction.


Preparing the attack

A brute force attack consists of encrypting a TSP with known PVV using all possible encrypting keys and comparing each obtained PVV with the known PVV. When a match is found we have a candidate key. But how many keys do we have to try? As we said above the key is 64 bits long, which would mean we have to try 2^64 keys. However this is not true. Actually only 56 bits are effective in DES keys because one bit (the least significant) out of each octet was historically reserved as a checksum for the others; in practice those 8 bits (one for each of the 8 octets) are ignored.

Therefore the DES key space consists of 2^56 keys. If we try all these keys, will we find one and only one match, corresponding to the bank secret key? Certainly not. We will obtain many matching keys. This is because the PVV is only a small part (one fourth) of the DES output. Furthermore the PVV is degenerate because some of the digits (those between 0 and 5 after the last, seen from left to right, digit between 6 and 9) may come from a decimal digit or from a decimalized hexadecimal digit of the DES output. Thus many keys will produce a DES output which yields the same matching PVV.

The attack

Once we know we need five TSP-PVV pairs, how do we get them? Of course we need at least one card with known PIN, and due to the nature of the PVV algorithm, that's the only thing we need. With other PIN systems, such as IBM, we would need five cards; however this is not necessary with the VISA PVV algorithm. We just have to read the magnetic stripe and then change the PIN four times, reading the card after each change.

It is necessary to read the magnetic stripe of the card to get the PVV and the encrypting key selector. You can buy a commercial magnetic stripe reader or make one yourself following the instructions you can find in the previous page and links therein. Once you have a reader see this description of standard magnetic tracks to find out how to get the PVV from the data read. In that document the PVV field in tracks 1 and 2 is said to be five characters long, but actually the true PVV consists of the last four digits. The first of the five digits is the key selector. I have only seen cards with a value of 1 in this digit, which is consistent with the standard and with the secret key never being compromised (and therefore they did not need to move to another key changing the selector).

I did a simple C program, getpvvkey.c, to perform the attack. It consists of a loop to try all possible keys to encrypt the first TSP, if the derived PVV matches the true PVV a new TSP is tried, and so on until there is a mismatch, in which case the key is discarded and a new one is tried, or the five derived PVVs match the corresponding true PVVs, in which case we can assume we got the bank secret key, however the loop goes on until it exhausts the key space. This is done to assure we find the true key because there is a chance (although very low) the first key found is a false positive.

It is expected the program would take a very long time to finish and to minimize the risks of a power cut, computer hang out, etc. it does checkpoints into the file getpvvkey.dat from time to time (the exact time depends on the speed of the computer, it's around one hour for the fastest computers now in use). For the same reason if a positive key is found it is written on the file getpvvkey.key. The program only displays one message at the beginning, the starting position taken from the checkpoint file if any, after that nothing more is displayed.

The DES algorithm is a key point in the program, it is therefore very important to optimize its speed. I tested several implementations: libdes, SSLeay, openssl, cryptlib, nss, libgcrypt, catacomb, libtomcrypt, cryptopp, ufc-crypt.

The DES functions of the first four are based on the same code by Eric Young, and that is the one which performed best (it includes optimized C and x86 assembler code). Thus I chose libdes, which was the original implementation, and condensed all relevant code in the files encrypt.c (C version) and x86encrypt.s (x86 assembler version). The code is slightly modified to achieve some enhancements in a brute force attack: the initial permutation is a fixed common step in each TSP encryption and therefore can be made just one time at the beginning. Another improvement is that I wrote a completely new setkey function (I called it nextkey) which is optimal for a brute force loop.

To get the program working you just have to type in the corresponding place five TSPs and their PVVs and then compile it. I have tested it only on UNIX platforms, using the makefile Makegetpvvkey to compile (use the command "make -f Makegetpvvkey"). It may compile on other systems but you may need to fix some things. Be sure that the definition of the type long64 corresponds to a 64 bit integer. In principle there is no dependence on the endianness of the processor. I have successfully compiled and run it on Pentium-Linux, Alpha-Tru64, Mips-Irix and Sparc-Solaris. If you do not have and do not want to install Linux (you don't know what you are missing ;-) you still have the choice to run Linux on CD and use my program, see my page running Linux without installing it.
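Added example (mine, not code from the paper or from this blog) illustrating two points from the "VISA PVV algorithm" and "Preparing the attack" excerpts above: the decimalisation rule that turns a DES output into a 4-digit PVV, and a defender's estimate of how many wrong keys still match a given number of TSP/PVV pairs, which is why the paper needs five pairs and why a 56-bit DES key leaves so little margin. It assumes DES outputs behave like uniformly random 64-bit blocks and implements neither DES nor any key search.

```python
"""Added example (not from "Breaking VISA PIN" or this blog): VISA PVV
decimalisation plus a key-space / false-positive estimate for a 56-bit key.
Assumption: DES outputs are modelled as uniformly random 64-bit blocks."""
import random
from collections import Counter

DES_EFFECTIVE_KEY_BITS = 56  # 64-bit key, 8 parity bits ignored (see text)


def decimalize(des_output_hex: str) -> str:
    """Derive the 4-digit PVV from the 16 hex digits of a DES output.

    First pass: collect decimal digits 0-9 left to right.
    Second pass (only if fewer than four were found): collect hex digits
    A-F, mapping A->0 ... F->5, and append them.  The first four collected
    digits are the PVV.  This is the degeneracy the paper refers to: a
    PVV digit in 0-5 may come from either pass.
    """
    if len(des_output_hex) != 16 or any(
        c not in "0123456789abcdefABCDEF" for c in des_output_hex
    ):
        raise ValueError("expected 16 hex digits")
    text = des_output_hex.upper()
    digits = [c for c in text if c in "0123456789"]
    if len(digits) < 4:
        digits += [str(ord(c) - ord("A")) for c in text if c in "ABCDEF"]
    return "".join(digits[:4])


def pvv_collision_probability(samples: int = 200_000, seed: int = 1) -> float:
    """Estimate P(two independent random DES outputs decimalise to the same
    PVV), i.e. the sum over v of p(v)^2, by sampling random 64-bit blocks.
    Because the first pass almost always yields four decimal digits, the
    result sits only slightly above the ideal 1/10^4 = 1e-4."""
    rng = random.Random(seed)  # seeded so the estimate is reproducible
    counts = Counter(
        decimalize(f"{rng.getrandbits(64):016X}") for _ in range(samples)
    )
    return sum((n / samples) ** 2 for n in counts.values())


def expected_false_positive_keys(num_pairs: int, match_prob: float = 1e-4) -> float:
    """Expected number of wrong keys that still match all num_pairs TSP/PVV
    pairs if every one of the 2^56 keys were tried: 2^56 * match_prob^num_pairs."""
    return 2 ** DES_EFFECTIVE_KEY_BITS * match_prob ** num_pairs


def pairs_needed(max_false_positives: float, match_prob: float = 1e-4) -> int:
    """Smallest number of TSP/PVV pairs for which the expected count of
    false-positive keys drops below max_false_positives."""
    n = 1
    while expected_false_positive_keys(n, match_prob) >= max_false_positives:
        n += 1
    return n


if __name__ == "__main__":
    # Constructed sample outputs, not real DES results.
    print("PVV of ABCDEF1234567890 :", decimalize("ABCDEF1234567890"))
    print("PVV of ABCDEFABCDEFABC1 :", decimalize("ABCDEFABCDEFABC1"))
    p = pvv_collision_probability()
    print(f"estimated PVV collision probability: {p:.3e}")
    for n in range(1, 7):
        fp = expected_false_positive_keys(n, p)
        print(f"{n} pair(s): ~{fp:.3g} false-positive keys")
    print("pairs needed for < 0.01 expected false positives:", pairs_needed(0.01, p))
```

With one pair roughly 7e12 wrong keys survive, with four about seven, and only the fifth pair pushes the expectation below one, matching the paper's choice of five pairs.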

E-Tailers Missed Out on $21 Billion



$21 Billion might not cover the bonuses at AIG but it's still a mighty big number...HomeATM can help bring those numbers back up by properly "securing" the transaction with their PCI 2.0 PED SAFE-T-PIN, the very first PCI certified PIN Entry Device designed for use on the web.

Javelin Strategy & Research in its latest research has stated that the volume of online sales has decreased by $21 billion in 2008.

According to survey results only 45% are satisfied with the quality of the merchandise sold online and the time of shipping whereas 37% of consumers complained of late shipments and 28% of online customers found that the quality of the goods they received is below their expectations.

19% of Internet users said that they have cut their online spending and 12% of consumers stated that they stopped using online shopping services due to online fraudsters.

To motivate online shoppers the retailers use various strategies. So, according to Javelin Strategy & Research the sellers assure users in safety of their personal information (83%), (Editor's Note: how do they do that if  the information isn't properly protected in the first place?) and by guaranteeing price (79%), quality expectations (80%) and reimbursement.

Among other top promises are a zero liability against identity theft (81%) and stronger security at the store website (80%).

Source: eBillme blog


Sunday, March 22, 2009

HomeATM at the (Security) Summit!

HomeATM CEO, Ken Mages and I, just returned from Salt Lake City, where we attended the ProPay Data Security Summit. 

On Wednesday, March 18th, after ProPay CEO Gary Goodrich completed his opening remarks, he introduced PCI Security Standards Council General Manager Bob Russo.

We had been informed by our PCI Testing Lab representative (Witham Labs) that the PCI SSC would probably "officially list" our Safe-T-PIN (the T stands for Transaction) device later that morning.
 
Ironically, Bob Russo was a featured speaker at the event.  While he was addressing attendees, I refreshed my laptop's screen to see that, indeed, HomeATM had been added to the distinguished list of PCI 2.0 PED Devices on the PCI SSC website.  My first thought was, how ironic is that?  Two plus years in the making, and we get certified while the GM for PCI SSC is 50 feet away talking about the importance of such certification.  But all irony aside, the fact remains that:

For the first time in the history of the PCI Security Standard Council's existence, a PIN Entry Device designed for e-Commerce, achieved PCI 2.0 certification.  That device is HomeATM's SAFE-T-PIN, which provides consumers and merchants with an unmatched level of 3DES DUKPT "fully beginning to end encrypted" security on Web Transactions.


In order to duly record the moment, I "pinned down" (yeah...pun intended) PCI SSC's Bob Russo and asked if he would participate in a picture with Ken Mages, HomeATM's CEO.  Bob kindly obliged, and pictured above is the resulting photo...forever capturing this historic milestone in e-payments history!

So, what does this all mean?  The security benefits of a PCI 2.0 PED certified device CANNOT be overstated.  Tomorrow I will publish a review of the Safe-T-PIN device, conducted by The Society of Secure Payment Professionals. 

About the PCI Security Standards Council 

The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including: the Data Security Standard (DSS), Payment Application Data Security Standard (PA-DSS), and PIN Entry Device (PED) Requirements.

All of the five founding members have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs and ASVs certified by the PCI Security Standards Council as being qualified to validate compliance to the PCI DSS.

A Limited Liability Corporation (LLC) chartered in Delaware, USA, the PCI Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

All five payment brands share equally in the council's governance, have equal input to the PCI Security Standards Council and share responsibility for carrying out the work of the organization. Other industry stakeholders are encouraged to join the group and review proposed additions or modifications to the standards.
 
Executive Committee - PCI SSC
  • Seana Pitt, Vice President, Merchant Policy & Data Quality, American Express
  • Suzanne Smits, Vice President, Network Services, Discover Financial Services
  • Lib de Veyra, Vice President, Emerging Technologies, JCB International
  • Bruce Rutherford, Group Head, Fraud Management Solutions, MasterCard Worldwide
  • Lance Johnson, Senior Vice President, International Risk Management, Visa Inc.
From Digital Transaction News, earlier today:

Online PIN debit continues to move from concept to reality in the early months of 2009.  HomeATM ePayment Solutions announced its PIN pad and point-of-sale device, the Safe-T-PIN, has achieved certification under the Payment Card Industry PIN Entry Device (PED) 2.0 standard.

The device, which attaches via a USB connection to PCs to allow consumers to make PIN debit transactions on Web sites and to do person-to-person money transfers online, is the first of its kind to win PED 2.0 certification.


Editor's Note: To learn more about a software based solution, which is NOT PCI certified (and never CAN be) click any of the related articles below...



PIN Entry Devices

To gain approval by the PCI Security Standards Council, PIN entry devices must comply with the requirements and guidelines specified in the following documents. Vendors preferring to complete forms electronically should download the appropriate documents.

Listing of PCI Security Standards Council Approved PIN Entry Devices

Payment Card Industry Resources

  • Testing and Approval Program Guide (PDF)
  • Security Requirements
  • Evaluation Vendor Questionnaires
  • FAQs
    • General Frequently Asked Questions (PDF)
    • Technical Frequently Asked Questions** (PDF)
    • Technical Frequently Asked Questions 2.0** (PDF)
  • Derived Test Requirements
  • Payment Card Industry (PCI) Recognized Laboratories
  • PED Announcements

For questions please contact pciped@pcisecuritystandards.org.

India's ICICI Selling ATM/POS Networks?


Finextra: ICICI considers spinning off ATM and POS networks - report


TSYS and First Data Interested

According to finextra.com, India's ICICI Bank is looking into spinning off its network of ATMs and payment terminals to a separate company and has sounded out technology vendors about joining the new entity.

According to the Economic Times, Visa, Total System Services and First Data are among those to have expressed interest in participating in the new business, managing ICICI's network of 4000 cash machines and 200,000 POS terminals.

Developing...


11% of US Adults Use Twitter - Pew

According to a recent report from the Pew Internet & American Life Project, some 11 percent of the U.S. adult population had used Twitter or similar micro-blog personal update services by December 2008.

This represents a 22-percent, one-month leap in usage from November 2008.

If you'd like to follow this blog on Twitter,
click below:


"Overall, Twitter users engage with news and own technology at the same rates as other Internet users, but the ways in which they use the technology -- to communicate, gather and share information -- reveals their affinity for mobile, untethered and social opportunities for interaction," the Pew project said in a release.

A look at the demographic profile of Twitter users as a whole reveals some additional details about who uses Twitter and how they communicate and consume information.

As noted above, Twitter users are overwhelmingly young. However, unlike the majority of other applications with a similarly large percentage of youth...

Twitter use is not dominated by the youngest of young adults.  Indeed, the median age of a Twitter user is 31.

In comparison, the median age of a MySpace user is 27, a Facebook user is 26 and a LinkedIn user is 40.7.

Twitter users are slightly more racially and ethnically diverse than is the full U.S. population, most likely because they are younger – and younger Americans are a more ethnically and racially diverse group than is the full population.

Twitter users are also slightly more likely to live in urban areas, with 35% of Twitter users living in urban areas (compared to 29% of all internet users) and just 9% of Twitterers and status updaters living in rural areas, compared to 17% of internet users.

"Twitter and similar services have been most avidly embraced by young adults," Pew said. "Nearly one in five (19%) of online adults ages 18 and 24 have ever used Twitter and its ilk, as have 20% of online adults 25 to 34. Use of these services drops off steadily after age 35 with 10% of 35 to 44 year-olds and 5% of 45 to 54 year-olds using Twitter. The decline is even more stark among older Internet users; 4% of 55-64 year-olds and 2% of those 65 and older use Twitter."

To view the report, click any of the links below:

The iChart above was created by Practical E-Commerce

Twitter and status updating


Friday, March 20, 2009

Heartland Annual Report Shows Breach Effects




Digital Transaction News

Breach-Related Woes Continue to Pile up for Beleaguered Heartland

The breach-related troubles just keep piling on for merchant acquirer Heartland Payment Systems Inc., according to the acquirer’s annual report filed on Monday with the U.S. Securities and Exchange Commission. In the filing, Heartland revealed the data breach it sustained last year is under investigation not only by the U.S. Department of Justice, the SEC, the Federal Trade Commission, and the Office of the Comptroller of the Currency, but also by the Federal Financial Institutions Examination Council, attorneys general of several states, including Louisiana, the Canadian Privacy Commission, and other government officials.

Negative publicity from the breach, which Heartland disclosed Jan. 20, also could cause an increase in merchant attrition, according to Heartland’s filing. During 2008, 2007, and 2006, Heartland experienced average annual attrition of 17.3%, 12.6% and 11.1%, respectively. Major causes of attrition included business closures, transfers of merchants’ accounts to competitors, account closures initiated by Heartland due to heightened credit risks, or contract breaches by merchants.

Continue Reading at Digital Transactions


StoreFront BackTalk on Duplicate Debit Debacle





Duplicate Debit Debacle Hits Best Buy, Macys. Who’s Next?


Written by Evan Schuman and Fred J. Aun
March 18th, 2009

Following a December glitch at Macys that saw 8,000 customers double- and triple-charged for debit transactions comes word of an eerily similar triple charge glitch at Best Buy this month.

In both cases, the retailers initially painted the problems as isolated incidents. In both cases, the retailers thought initial debit card swipes didn’t work and asked the customer to try again, sometimes twice more. And in both cases, the banks removed money from the consumer’s bank account equivalent to two and three times the price of the product.

Could these be coincidences? Might they indeed be isolated debit card incidents? Absolutely. But this also might be an initial heads up that the debit card system relied on by major retailers today has inherent flaws. What happened, with both Macys and Best Buy, with software specifically designed to look for and prevent these kinds of multiple identical charges? What about the systems at the card processors and the banks?

The most frightening part about debit card transactions today is that they subject retailers to a debit double whammy. Debit transactions are exponentially more delicate—and more prone to glitching—than their credit card counterparts. At the same time, an error with a debit transaction can deliver an order of magnitude more damage, potentially cleaning out a customer’s bank account and causing them to unknowingly bounce checks to everyone they’re trying to pay. Few IT glitches have the potential to get a loyal customer in trouble with the police, but debit card glitches have that distinction.

Continue Reading at StoreFront BackTalk


Thursday, March 19, 2009

HomeATM Receives First Ever Internet PCI 2.0 PED Certification

Recent Rash of Breaches Heightens Need for "Secure" Internet PIN Transactions

HomeATM ePayment Solutions, a leading provider of secure hardware and software solutions, today announced their newest product, Safe-T-PIN™, has been Payment Card Industry (PCI) PIN Entry Device (PED) 2.0 certified.

The Safe-T-PIN point of sale device, manufactured by HomeATM, is the first ever Internet PED to achieve such certification.  Safe-T-PIN™ provides safer and more secure two factor authentication for e-commerce transactions and secure log-in.

The pocket-sized Safe-T-PIN™ is a ready to use USB "plug and play" device that requires no user software installation and works with any operating system or browser.  The device provides users with the added convenience of swiping their cards versus keying in their numbers (Swipe Don’t Type™), and will work with any bank, card processor, and currency.

The significance of this product is that the end to end security of consumer financial transactions on the web is now assured through the use of standard financial industry and military grade encryption combined with dual authentication, and is now available and affordable for consumers worldwide.

HomeATM’s mission from its inception was to design, build and deliver an affordable POS device that brought End-to-End-Encrypted (E2EE) security and thus lower fees to merchants and consumers alike.

The Safe-T-PIN™ also allows authorized secure person-to-person (P2P) money transfers in real-time.  “We are proud of our engineering team and extremely excited to provide a cost-effective solution to those who can least afford fraud and risk,” said Ken Mages, CEO.

"The Safe-T-PIN™ exponentially reduces the likelihood of a breach and provides the dual authentication solution that e-tailers and money remittance companies have been seeking in order to fill the current fraud/security void in secure transactions on the web.  HomeATM is already in advanced discussions with several Fortune 100 companies and this certification will certainly result in expediting those talks.”

About HomeATM

HomeATM owns a global patent for secure Internet PIN based transactions.  Leveraging our E2EE PCI 2.0 PED certified solution, a merchant or remitter can move funds from their bank account or open loop/closed loop payment card in real-time.  Utilizing HomeATM’s patented solution with a bank issued debit or credit card alleviates the burden for merchants to address fraud issues as HomeATM leverages the issuing bank’s KYC/AML (Know Your Customer/Anti-Money Laundering) protocols.  No other payment solution serves P2P, Business-to-Consumer (B2C), Business-to-Business (B2B), and Mobile Payments with the speed, security and cost-effectiveness of HomeATM.  HomeATM is EMV ready and already enjoys strategic relationships with Microsoft, Cardinal Commerce and UATP.

For further information please visit: www.HomeATM.net or www.HomeATMblog.com
or contact Mitchell Cobrin, COO, mcobrin@HomeATM.net or 514-207-5000


ATM's At Risk...HomeATM's Not...



ATMs At Risk


Targeted attack on ATMs raises the bar -- as well as concerns -- about security of cash machines


By Kelly Jackson Higgins  DarkReading

Cracking automatic teller machines isn't new: ATMs have been rigged with sniffers, spoofed with cloned cards created from successful phishing attacks, and even physically blasted open by explosives. But a new, sophisticated attack that inserted information-stealing malware on ATM machines has raised the bar on just what determined criminals can and will do to steal banking information and money.

The latest ATM hack came to light yesterday after Sophos revealed its discovery of a Trojan that had been specially crafted to steal information from users of Diebold ATM machines. Diebold in January had issued a security update for its Windows-based Opteva ATMs, some of which it said had been physically broken into and infiltrated with the Trojan software in Russia.

"We immediately notified our customers globally of the malware risk and sent a precautionary software update," a Diebold spokesperson says. "We were made aware of the isolated incident in Russia in the January time frame. The criminal gained physical access to the ATMs at site locations, and the malware was installed by someone with high-tech knowledge and expertise. "

The attackers (those dogs) were well-versed in the software internals of the ATM machines. "It's fascinating that the hackers went to this extent...they [knew] the API calls and understood how the cash machine works," says Graham Cluley, senior technology consultant at Sophos. "We haven't seen that before.

"This is not something the average hacker on the street would have access to," he adds. "They need physical access to the ATM -- they need to have someone on the inside or involved with the manufacture of these devices to gain access and install the software. "

HomeATM doesn't use software.  It's Plug and Play.  In order to gain access, a fraudster would have to break-in to a user's home...but it's tamper-proof, so that wouldn't do them any good either.  So, I think it's "safe" to say that,  well...HomeATM's are NOT at risk.

It's unclear just how the attackers got such inside access to the machines, but security experts say it represents a whole new attack vector for bank machines, and that this incident may be only scratching the surface. "There could be many other ATMs under this type of malicious and hidden Trojan," says Kim Singletary, director of OEM and compliance solutions for Solidcore Systems.

In its security update to ATM machine customers, Diebold said the attackers had been caught and that an investigation was under way. Once the bad guys obtained access to the internals of the ATM machines, they were able to implant the malware and intercept sensitive data, the company says. The risk of such an attack increases when the Windows administrative password is compromised or if the built-in firewall is disabled, for instance.

Continue Reading at DarkReading


Semi Annual Guide on eCommerce Alternative Payments


The Fraud Practice Releases their Semi Annual Guide on eCommerce Alternative Payments


RED BANK, N.J. --(Business Wire)-- Alternative payments represent only a fraction of e-commerce total sales today but according to Javelin Strategy and Research, an independent consultancy focused solely on the financial services and payment industries, about 1/3 of all online retail transactions ($268 billion) are predicted to be alternative payments by 2013. The explosive growth of alternative payments can be attributed to consumer and regional preferences. In these economic times, it is now more critical than ever that e-merchants understand and offer payment choices based on consumer and regional preferences.

When considering alternative payment options, more often than not, merchants are limiting their discussion to ACH, PayPal, Amazon and Google Checkout. In fact, there are a number of payment options and a rapidly growing number of service providers offering them. The Fraud Practice's Guide to Alternate Payments identifies 8 categories of alternative payment solutions with over 100 service providers offering their services globally. The categories include credit card payments, ACH & bank payments, payment aggregators, credit-term providers, cash alternative providers, advertising/promotional providers, mobile payment providers and invoicing payment providers.

Not all alternative payment options will produce the same results. Determining the right alternative payment options for your company means evaluating payment options based on regional support, consumer preference, customer base and return on investment (ROI).

Regional Support: There is no one payment option that is equally effective in all regions worldwide. Credit cards are accepted worldwide but while they have dominated the US and Western European eCommerce markets, they have not shown the same dominance in emerging markets such as Africa, South America, Asia and Eastern Europe. In Germany credit cards are present and used, but they are not the preferred payment method.

In these markets a merchant needs to support other payment options otherwise they will be limiting their potential customer base to only a small fraction of the overall population.

Customer Base: The best alternative payment option has little value if the supported customer base isn't large enough to warrant the effort to integrate and support it. Evaluating a customer base should be done on two levels, potential and current. Consider China, 93% of the 1.3 billion person population has access to direct debit while according to China Daily there were just over 100 million credit cards in circulation in China as of June 2008.

Return on Investment (ROI): The reasons why a merchant may implement alternative payments vary from access to markets, cost reduction, easier supportability to consumer preference. In a majority of cases, merchants are able to show a favorable ROI on integrating alternative payments in a timeframe that is more tactical than strategic. This is primarily attributed to increased sales from new consumer populations, lower costs than traditional credit cards and better fraud protection.

The Fraud Practice has created the Guide to Alternate Payments (http://www.fraudpractice.com/altpay.html) to help merchants, service providers and financial institutions make more informed decisions on which alternative payment solutions and providers they should be considering. A Guide to Alternative Payments is a prepared research document, 60 pages in length, intended for organizations looking to gain an understanding of eCommerce alternative payment options. The Guide also includes easy-to-understand reference tables on regional service providers (over 100 service providers), preferences and capabilities. Readers should expect to gain:

- An introduction to the types of solution options available and the service providers that offer them
- An in-depth understanding of the market dynamics, vertical market preferences, regional preferences and reasons to implement these services
- A discussion on emerging markets where alternative payments are flourishing
- A general introduction to the capabilities and services provided by the major players in each of the 8 solution option groups

Merchants may also consult The Fraud Library, which contains valuable information for merchants seeking information on fraud prevention techniques and eCommerce payments.

About The Fraud Practice

The Fraud Practice (http://www.fraudpractice.com) is a privately held US LLC based in Red Bank, New Jersey. The Fraud Practice provides consulting services on eCommerce payments, fraud prevention and credit granting. Businesses throughout the world rely on The Fraud Practice to help them build and manage their fraud and risk prevention strategies. Utilizing best practices and leveraging key partnerships, our team of industry and technical experts offer customers a single source for learning how to design, deploy, review and integrate fraud prevention practices in their business processes and solutions.

David Montague is the founder and President of The Fraud Practice and has spent the last fourteen years working in the eCommerce space, and is well respected for his business knowledge and thought leadership. His background includes an in-depth application of innovative solutions for preventing business to business and business to consumer e-commerce fraud. Prior to founding The Fraud Practice he held positions as the Director of Risk Solutions at CyberSource Inc. and National Principal at IBM Global Services.


Card Not Present Fraud up 13%...HomeATM Can Help!

Official 2008 card fraud figures show chip and PIN continuing to drive fraudsters online or to those cards not yet reliant on PIN protection to authorise payments.

ITPro.com By Miya Knights, 19 Mar 2009 at 14:07

The main driver for growth in card fraud is on those transactions without chip and PIN protection, the main UK payment industry body, Apacs said today, as it released its fraud figures for 2008.

Card-not-present (CNP) fraud losses increased by 13 per cent over the last year to now account for 54 per cent of all card fraud losses. This amounts to a rise in CNP fraud of 243 per cent between 2001 and 2008.

Editor's Note: In addition to providing e-consumers with the ability to transact in a dually-authenticated manner (what they have: the card; what they know: the PIN), HomeATM also reduces fraud by transforming CNP transactions into Card Present (CP) transactions. The end result? CP transactions cost less to process, and PIN costs less to process. Why? Because they are MORE SECURE! How secure? PCI 2.0 PED secure!


But Apacs said this reflected the growing popularity of shopping online, which relies on CNP payments, and providing a lucrative alternative to criminals forced to look for alternatives with the adoption of chip and PIN.

It added that tackling CNP fraud was an industry priority, as it continues to encourage cardholder and retailer take-up of secure online payment systems that help prevent online shopping fraud, such as MasterCard SecureCode and Verified by Visa.

Overall, card fraud losses total £609.9 million, online banking fraud losses £52.5 million and cheque fraud losses £41.9 million.

Online banking fraud losses grew 132 per cent on 2007 levels, due mainly to an increase in phishing, Apacs said. At the same time, online banking customers without sufficient security protection are increasingly being targeted by malware attacks.


Wednesday, March 18, 2009

HomeATM "Officially" PCI PED 2.0 Certified

Here I sit at the 2009 Data Security Summit and Bob Russo, General Manager for the Payment Card Industry Security Standards Council, is speaking.  While he's speaking, I get notified that HomeATM's SafeTPIN Personal Swiping Device has been officially PCI PED 2.0 Certified.  Coincidence?  I think not.  Try many, many man hours of hard work by the engineering department at HomeATM.  But, still...it's kind of cool that as I listen to him speak about the importance of PCI, we get our certification.  We agree Bob!

HomeATM is proud and honored to forever own the distinction as being the very first Online PIN Debit Solution to be PCI 2.0 certified.  More on this later...want to get back to Bob Russo's presentation.

Irony abounds...at the 2009 Security Summit, as we are certified as reaching the summit of security.


The SafeTPIN listing can be viewed on the PCI Security Standards Council's approved PED list at:

https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html?mn=&dv=&pv=3

Dutch Biometric Initiative Cracked

Dutch payment by fingerprint initiative stopped

Dutch supermarket chain Albert Heijn has decided not to follow up on a trial with payment via fingerprint. The trial was conducted in an Albert Heijn branch in the town of Breukelen, near Amsterdam, where 580 participants were able to pay for their daily groceries using their finger print instead of cash or debit cards.

The trial, which lasted 6 months, was the first of its kind in the Netherlands, where more than half of all supermarket transactions are completed using a debit card. During the first weeks of the trial, experts already pointed out a number of security issues arising from the use of the fingerprint payment method. A security expert managed to pay using someone else’s finger print.

Albert Heijn has currently decided not to follow up on the trial, citing ‘security issues and vulnerability to fraud’. The participants however were enthusiastic about the payment method and applauded the fact that they could complete their purchases without needing their debit cards, cash or loyalty cards.


Researcher cracks fingerprint payment system

Security expert beats supermarket chain's payment system with fingerprint made out of rubber
Within weeks after its introduction, a security researcher has cracked the Tip2Pay fingerprint payment system for Dutch supermarket chain Albert Heijn. The researcher succeeded at paying for groceries by using a copied fingerprint.

The Tip2Pay system allows consumers to pay for their groceries through a fingerprint reader. Albert Heijn is the largest chain of grocery stores in the Netherlands and the namesake of Ahold, a global supermarket group with stores in Europe and the US that had annual sales of US$70.4 billion in fiscal 2006.

Security researcher Ton van der Putte, a retired employee of ATOS Origin who specializes in biometric security, successfully crafted a copy of a fingerprint out of rubber that was accepted by the Tip2Pay system. Staff members for the grocery store failed to detect the fraud. The method is easy to copy: typically a fingerprint left on a glass suffices to create a usable copy.

The hack hardly comes as a surprise. Security experts at the time of launch cautioned that the technology used by the store was insecure.  Albert Heijn, however, didn't seem too worried. The store in public comments has brushed away any security concerns.

Van der Putte has a long track record in biometric security. Since 1990 he has undertaken several experiments demonstrating that secure authentication through fingerprints requires additional security measures.

The Chaos Computer Club in 2004 also demonstrated that a stand-alone fingerprint can be easily copied. The club wrote a how-to guide with instructions on how to create a copy. Also, a system similar to the technology deployed by Albert Heijn was hacked last year in Germany.

BioXS, a firm specializing in biometric security, cautions that Albert Heijn's system was poorly designed.

The company worries that the failed experiment will wrongfully damage public trust in biometrics.

A spokesperson for Albert Heijn argues that the hack doesn't demonstrate a genuine security threat, because a registered user of the payment system voluntarily provided his fingerprint to the hacker. The company argues that therefore the hack compares to cloning an ATM (automated teller machine) card.

A company spokesperson told Webwereld, an IDG affiliate, that customers at no time will be at risk. The system has a daily spending limit and will compensate consumers if fraud is detected. Tip2Pay for now is run as a test. Albert Heijn expects to deploy additional security measures in case of a large-scale roll-out.

