San Francisco Chronicle Cross says cybercriminals are using stolen credit cards to pay cloud service providers to host virtual machines, exploiting these cloud services to operate
The Federal Reserve Bank of Boston has published The 2008 Survey of Consumer Payment Choice From the abstract: This paper presents the 2008 version of the Survey of Consumer Payment Choice (SCPC), a nationally representative survey developed by the Consumer Payments Research Center of the Federal Reserve Bank of Boston and implemented by the RAND Corporation with its American Life Panel. The survey fills a gap in knowledge about the role of consumers in the transformation of payments from paper to electronic by providing a broad‐based assessment of U.S. consumers’ adoption and use of nine payment instruments, including cash. The average consumer has 5.1 of the nine instruments, and uses 4.2 in a typical month. Consumers make 53 percent of their monthly payments with a payment card (credit, debit, and prepaid). More consumers now have debit cards than credit cards, and consumers use debit cards more often than cash, credit cards, or checks individually. Cash, checks, and other paper instruments are still popular and account for 37 percent of consumer payments. Most consumers have used newer electronic payments, such as online banking bill payment, but they account for only 10 percent of consumer payments. Security and ease of use are the characteristics of payment instruments that consumers rate as the most important.
TechCrunch (blog) That's obviously great news for WePay, but also impressive is the company's roster of angels: as of tonight the company can count PayPal cofounder Max ...
Last weekend's big snowstorm helped online sales for the week post a 6% gain, making it the biggest single week in e-retail history, comScore says. Sales for the week ended Dec. 20 totaled $4.803 billion, compared with $4.532 billion during the comparable week last year. For the holiday season, e-retail sales are up 4%.
Through September retailers have paid publishers more than $109 million for U.S. e-book content, compared to $52.4 million for all of 2008. With e-books' strong growth, Forrester predicts overall e-book content revenues will top $500 million next year.
Most consumers are happy with their online shopping experience if they buy online, but it's a different story if they use the web to browse and then attempt to make a purchase in a store, a new study from Forrester finds.
Huffington Post (blog) That means that stimulus money -- your money -- cannot be used by powerful Internet service providers to "manage," throttle or re-route you whenever you
Data Center Knowledge ... has been silent on company accounts on Twitter, which has evolved into one of the most effective channels of outage updates for many service providers
Is it secure? Is it all hype? Is it a game-changer? Paying with Plastic author David Evans gets the dirt on Square from its CEO, Twitter vet Jack Dorsey. Listen to the interview
Eye of Dubai (press release) Western Union, a leading provider of global money transfer services, has launched the Western Union Sulit 24 Hour Service[1] for the United Arab Emirates to
The Gazette (Montreal) Western Union is the market leader, handling $74 billion US in money transfers annually – 17 per cent of the global money-transfer business, said Kristin
Banks are scrambling to find new footing as lawmakers and regulators undermine one of the industry's profit foundations: consumer fees.
Feature Article:
Two-Factor Authentication Security Failing
According to Gartner, it's important that organizations adopt new approaches for combating attacks against the system of two-factor authentication, as per the news published by itbusinessedge.com on December 14, 2009.
Comments Avivah Litan, vice-president and noted security analyst at Gartner, in a newly published study named "Where Strong Authentication Fails and What You Can Do About It", that man-in-the-browser assaults based on Trojans are beating the strong authentication mechanism. This, therefore, demonstrates the possibility of defeating any authentication technique depending on communications through web browsers, Litan contends. EWeek.com published this on December 14, 2009.
As for examples of the two-factor authentication's failure, an instance is cited where malicious software rewrites the transactions that a user transmits to an online-banking site. Evidently, all this takes place in secret so that the user and the bank don't get to know about the altered data.
Significantly, as per Litan, these assaults have been using Trojan Zeus as well as other customized malicious codes.
Moreover, these assaults have repeatedly and successfully targeted several banks along with their clients across the world during 2009. While the chief targets are bank account details, the methods of these attacks are also employed in other sectors as well as applications which hold sensitive and precious data, Litan explains.
Litan further suggests that companies need to employ a three-pronged approach towards fraud prevention so that their consumers as well as accounts could be safeguarded. Mybroadband.co.za published this on December 14, 2009.
In the meantime, Litan recommends the use of fraud detection, which tracks the activity of users' access. The method works by seizing and examining the web-traffic of a user -assuming that the user works on a web-based application -including navigation, login and transactions. Further, it detects anomalies in access patterns such as application access by automated software instead of a human.
One more method recommended is tracking of suspicious transaction values. In this, a particular transaction is compared with the "normal" behavior profile of the concerned user(s). Litan also suggested verification of out-of-band user dealings.
Finally, security should be regularly updated to ward off cyber-crimes, experts said.
The Grocery Trader conducted an interview with Verifone's Marketing Director for Northern Europe, Middle East and Africa (NEMEA) Here is what he had to say:
Operating in over 100 countries worldwide, VeriFone is the global leader in secure electronic payment systems and for the past 30 years has excelled in providing solutions, services and expertise that enable electronic payment transactions and value-added services at the point of purchase. VeriFone’s solutions incorporate existing and emerging technologies, comply with global security standards, and take advantage of the latest connectivity options. Tony Saunders, VeriFone’s Marketing Director for Northern Europe, Middle East and Africa (NEMEA), spoke to The Grocery Trader.
The Grocery Trader - First of all, Tony, to set the scene, what do your different electronic payment technologies do, in non-technical terms?
Our solutions provide a secure method of taking electronic payments at the point of sale. At a grocery retailer, that can be at the checkout lane, self-service kiosk or pay-at-pump. We provide the hardware - such as PIN pads and contactless readers - together with payment software, and sometimes the back-end software and infrastructure. Individual retailers use our products differently: many take our PIN pads combined with our enterprise software solution, PAYware Merchant, for card authorisation and settlement.
GT - What card processing devices and applications do you supply ‘in the box’, and how do they interface with retailers’ existing EPOS systems?
We offer many kinds of payment solutions. Our most popular PIN pad is the Vx 810, which is available with an optional contactless module. With the Vx 810 we provide an API that talks to a retailer’s POS device. We also have an extensive software solutions portfolio for card acceptance, card management and adding value. These products include PAYware Merchant, PAYware GiftCard, PAYware Prepay and PAYware Link, our payment integration middleware solution.
GT – How do you service the needs of the different kinds of retailer?
We work closely with all of our retail clients to provide customised advice, service and support. When first meeting with a prospect we take a consultative approach, learning from the retailer their key pain points with regard to the payments process and how VeriFone can help. And the relationship doesn’t end with the sale – we meet with our retailers regularly to help them optimise their systems and streamline operations. On staff we have technical experts in petro, security, software, retail, unattended and more! There is someone available to help with any kind of problem.
GT - What proportion of UK payment card transactions involve your technologies?
The total UK POS footprint is 800-850,000 devices, and VeriFone has a majority share of that install base, making us number 1 in UK retail.
GT - What different card payment types do your solutions cover?
We cover debit and credit EMV cards, loyalty cards, pre-paid gift cards, e-top up, contactless cards and fuel cards.
GT - What industry standards are your products and solutions made to?
VeriFone has more PCI (Payment Card Industry) approved products than any other payment technology vendor. Every card accepting system in the UK must also meet Common Criteria, mandated by the UK Cards Association. Again, we have more UKCC approved products than any other vendor. We take security very seriously at VeriFone.
With the deadline for PCI compliance fast approaching, many retailers are struggling to keep up. Being non-PCI compliant can open up a retailer to expensive fines or legal woes if a data breach occurs. To help with this, we recently launched VeriShield Protect in the UK. VeriShield Protect is an end-to-end encryption solution, where cardholder data is encrypted at the exact instant of card acceptance and kept encrypted throughout the entire enterprise. The burden on the retailer is significant; if they don’t have an encrypted solution, they will need additional processes and checks and balances in place to maintain the security of their retail environment. VeriShield Protect mitigates many of these costs and avoids much of the expense of maintaining PCI compliance.
GT - How has VeriShield Protect been received?
We’ve had a lot of interest. VeriShield Protect is the only true end-to-end encryption product available - because we encrypt data at the hardware level, not the application level. Encrypting at the application level is too late, a fraudster could intercept cardholder data as it travels to the POS. VeriShield Protect is also the only commercially deployed solution that meets all of Visa’s best practices for data field encryption. Another valuable USP for us.
GT - Do your technologies stop hackers accessing people’s accounts?
If the merchant allows their database to be accessed, card data can still be stolen, but with VeriShield Protect the card data is encrypted, so it’s completely useless to fraudsters.
GT - Does this extra security slow down the processing of transactions?
The encryption takes just milliseconds, so it doesn’t slow things down. The consumer and the merchant won’t notice any difference.
GT – How long does it take for a retailer to see a return on investment?
Retailers need to weigh up the cost of achieving and maintaining compliance with PCI DSS and addressing breaches, plus the cost to their brand reputation. Security should not be treated lightly. Our fees for VeriShield Protect depend on the size of the retailer, number of transactions and whether they want to retain ownership of their decryption - but for what the retailer gets in return, the costs aren’t onerous.
In the security section of verifone.com there is a calculator based on the US card schemes, showing the cost of a card breach as $150 per card. With some US organisations processing 100 million transactions a month, the costs can be astronomical.
GT - Are you members of the various industry bodies developing card security standards?
Yes we are. We’re the only technology vendor member of the PCI Security Standards Council, alongside the likes of Tesco and RBS. We also work with EMV Co, the major CHIP and PIN industry body, comprising MasterCard, Visa, JCB and Amex, which creates the global CHIP and PIN protocols.
GT - What other market sectors besides retail do you supply electronic payment systems for?
Our systems can be used wherever electronic payments take place. In the hospitality sector we have pay at table solutions that are GPRS, Wi-Fi and Bluetooth enabled. In Africa and the Middle East we have successful prepay installations. In the UK we have gift card installations with our PAYware GiftCard solution. In transportation, our Secura devices are at every London Transport station: you pay for Oyster card top-ups using a VeriFone device. In the US we also offer wireless payment devices for use in taxis, which we plan to bring here. We have unmanned kiosks and payment systems for use in retailers, vending and parking. You can read some of our case studies at: www.verifone.com/about-us/press-room/case-studies.aspx
GT - How long have you been with VeriFone? What does your role involve?
I’ve been here two and a half years, and became Marketing Director in September 2008. I was previously with a competitor, and before that in computer network systems. My role involves communicating the VeriFone brand across Northern Europe, Middle East and Africa. I work with our colleagues in California to bring in new payment platforms. I speak at exhibitions, conferences and seminars in various sectors and demographics, and am personally involved in developing customer solutions.
GT - Which countries are you responsible for?
NEMEA consists of the UK, Ireland, France, the Nordics, Middle East and Africa. In most of these countries we work through our international partner network, or VIPs.
GT - We’re talking in your UK offices in Uxbridge. What operations happen here?
Uxbridge is our NEMEA headquarters. Sales and marketing for the region happens here. We also have development teams on PAYware and payment applications, and front line help desks for Tier 1 and Tier 2 retailers.
GT - Where does VeriFone rank in the league table of payment technology vendors? What sets you apart from other vendors?
We turn over just short of $1bn globally, and are either ranked 1 or 2 in each country we operate in. We’re at the forefront of security development, and lead the way with VeriShield Protect. We offer payment solutions for every sector and market space; whether that’s retail, government, transportation, healthcare, hospitality, financial, petroleum - even e-commerce or telephone order!
GT - When was VeriFone set up? Who owns it now? Are you formally linked to any other IT or financial services companies?
VeriFone was founded in 1981, and is listed on the NYSE under ‘PAY.’ We’re totally independent.
GT - How big is VeriFone in NEMEA? What differentiates the UK from other markets?
The UK stands out as a leader in CHIP and PIN adoption, and the POS environment has seen major changes since we came in. Denmark, Finland and Sweden also follow the PCI standards, but Britain is a more mature market, though people here still use dial-up for a lot of transactions. There are a large number of players here in POS and retail infrastructure.
The UK is the lynchpin to the whole area, and offers the region’s largest revenues. 2008 was a relatively flat year for us, but considering conditions across the world, that’s pretty good! In the UK we’ve grown market share even with many retailers closing and taken share from our competitors.
GT - Where is your global HQ?
Our HQ and our hardware platform development are in San Jose, California. We develop applications regionally for different markets, either ourselves or through partners or resellers.
GT - What are your best selling products and applications for Tier 1 retailers?
We offer Tier 1 retailers PIN pads and PAYware software solutions for their retail environment. Our largest volume product is currently the Secura PIN pad, which is in Tesco, Sainsbury’s and other majors but we are migrating customers to the Vx 810 because of our VX platform. All our core investment is in VX, which also offers a migration platform for contactless cards. The benefit of our extensive partner network is that the Vx 810 has been accepted and certified by all POS integrators, making it basically “plug-and-play” for retailers. Vx 810 will ultimately replace Secura as the main platform in the retail space. Retailers are also very interested in contactless.
In the banking channel our biggest selling products are the Vx 810 DUET countertop solution and the portable Vx 670, our pay at table product.
GT - What are your latest security products for retail environments?
We’re in the process of bringing VeriShield Protect to the EMV environment. One major retail customer is rolling it out in the next four months and we have installations in the US as well. Several major Tier 1 UK retailers are very interested, but it needs to fit in with their timetables: that said, they know they need to be PCI DSS compliant soon, and this offers significant savings in achieving that.
GT - Which UK retailers have adopted your solutions so far? Can you talk about what you do for them?
So far we have thoroughly rolled out Vx 810 with Thorntons and Clinton Cards (see case study on next page), who are early adopters. Other major high street retailers are also interested. The contactless transaction value threshold is £10, which will hopefully change to £15 very soon, making contactless a more desirable proposition for retailer and consumer alike.
GT – How long does it take to put a Vx 810 solution in place?
Switching over all the PIN pads in a retailer’s estate can take 3-6 months: if a particular retailer has no relationship with the POS vendor, you have to start from scratch, and it could take up to a year to develop a spec. We have relationships with so many retailers and POS vendors, the chances are we have a solution already available.
GT – What happens about training?
The integrators or retailers’ own organisations do the training, but we provide user guides and have a help desk and technical support analysts to carry through the implementation process and sort out problems.
GT - What effect has the worldwide recession had on your business?
We addressed our organisational needs within NEMEA before the recession hit. We readjusted our structure and budgets, so we haven’t been impacted: instead, we’ve taken market share. We’ve had to work harder but we’ve been very successful, growing numbers and hitting expectations. We’re in excellent shape.
GT - Does the rise of contactless cards pose a major risk to the security of consumers’ accounts?
Contactless cards don’t pose any additional security risk compared to other types of cards. And VeriShield Protect is available for ironclad cardholder data protection. People were talking about contactless cards a decade ago, and it’s taken far too long to come in. In the UK it is great that Barclaycard has now issued five million contactless credit and debit cards, which helps consumers become more comfortable with the technology.
GT - Where do you see VeriFone going from here?
2010 will be a major year for VeriFone. The UK payment acceptance market won’t grow to any extent, but we will by taking more market share in both the retail and banking space. We will be rolling out contactless technology with a major high street retailer from January. Our PAYware suite of software solutions is gaining traction, and we recently launched a PAYware Partner Program to recruit resellers who will further the reach of our card acceptance, card management and value-added software solutions. Finally, a lot of opportunities we’re working on at the moment will also come to light in 2010, along with some exciting new hardware developments, which will roll out in the second half of the year.
Value-Conscious Consumers Continue to Drive Holiday Spending
ATLANTA, DEC. 23, 2009 – First Data Corporation, a global leader in electronic commerce and payment processing, today released First Data SpendTrend™ transaction data that compares Dec. 1 through Dec. 14, 2009 to the same period last year. SpendTrend tracks same-store consumer spending using credit, signature debit, PIN debit and EBT cards at U.S. merchant locations.
Overall transaction growth remained healthy at 7.9 percent, while the Midwest experienced the highest growth rate of 10.8 percent. Transaction growth for all regions was up from November. Data indicates that consumers continued to focus on value, leading to large transaction increases in petroleum (13.4 percent) and value retailers (14.9 percent).
Same-store sales volume growth increased 6.9 percent year-over-year. This was an improvement over November’s growth rate of 6.2%. Overall transactions for the month showed a growth of 7.9 percent over 2008. Transactions in the month of November 2009 were 8.9 percent higher than the previous year.
December Transactions
CHANGE
Credit & Signature Debit
+5.1%
PIN Debit
+11.7%
EBT
+26.2%
Total Transactions
+7.9%
Note: Growth reflects same store transactions only.
Value merchants continued to outperform, both in terms of transaction growth, which increased to 14.9 percent, and sales volume growth of 13.5 percent. The average ticket held steady as consumers remained value-oriented through December. Additional data from the SpendTrend mid-December 2009 report can be accessed at www.firstdata.com from the home page dashboard.
James Heary, a "Cisco Security Expert" writes for Network World on his Top 5 Breaches of 2009.
About Cisco Security Expert
Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean AccessCisco Subnet blog community. Contact him. book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's
The number of personal records exposed skyrocketed to 285 million records this year, compared with 35 million in 2008.
1) Conficker - Conficker is the most widespread botnet ever recorded. Sure it isn't a specific breach persay but I just had to make it my number one. It still infects millions of PCs. In fact, according to a report recently released by shadowserver.org, china telecom's chinanet still has over a million infected PCs or about 1% of its total IP address space. Conficker exploited a Microsoft vulnerability described in the Microsoft Security Bulletin MS08-067.
2) Phishing attacks on banking sites - A recent report by Trusteer shows that phishers are making huge bank by phishing banks. The report shows that only a very very few bank customers actually click on a phishing email, in fact it is only 0.000564%. Of these people that do click though 45% of them divulge their personal credentials to the fake phishing site. The report calculates that even though the click rate is super low the scale of users involved makes this a significant loss for our banks. They estimate that banks loose between 2.4 and 9.4 million dollars (per million online bank users) to phishing fraud Annually!
3) Heartland Payment Systems - I'm sure you all know about this one already. It occurred in January 2009 when attackers where able to steal more than 130,000,000 credit card records. Many of the attacks used were basic SQL injection exploits. Just a few days ago Heartland agreed to pay AMEX $3.6 million to settle claims related to the breach. Heartland has set aside $12.6 million more to settle other claims it is anticipating from Visa, Mastercard, etc.
Six Months Later, MasterCard Softens a Controversial PCI Rule
(December 23, 2009) MasterCard Inc. is changing a controversial policy, and pushing back a deadline, that it announced only six months ago regarding enforcement of the Payment Card Industry data-security standard. With the changes, which involve assessing computer systems for PCI compliance, MasterCard could be viewed as responding to valid complaints after first disclosing the planned changes, or it could be viewed has having done a flip-flop. Or both at the same time.
In June, MasterCard adopted a new policy governing whether big merchants can do so-called self-assessments of their PCI compliance. The new policy applied to so-called Level 2 merchants, those submitting 1 million to 6 million total MasterCard and Maestro (PIN-debit) transactions annually, and Level 1 merchants, those submitting more than 6 million transactions. MasterCard previously had let Level 2 merchants to do annual self-assessments for PCI compliance unless they brought in a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council for an on-site assessment. But come Dec. 31, 2010, MasterCard planned to require that all Level 1 and, for the first time, Level 2 merchants, use a QSA for the annual on-site PCI assessment.
That policy generated many complaints from Level 2 merchants, who security experts say would have to pay anywhere from $100,000 to $1 million for a QSA’s services. MasterCard’s policy also diverged from Visa Inc.’s, which lets Level 2 merchants do self-assessments. Many observers also wondered whether there were enough QSAs to go around to handle all the new work from Level 2s.
This month, however, MasterCard pushed back the deadline by six months, to June 30, 2011. And instead of requiring use of a QSA, MasterCard will let Level 2 merchants do the assessments themselves provided they have staff attend merchant-training courses offered by the PCI Council, and each year pass a PCI Council accreditation program. Level 2 merchants are free to use QSAs if they wish. Come June 30, 2011, Level 1 merchants can use an internal auditor provided the audit staff has PCI Council training and annual accreditation. MasterCard also said its definitions of merchant levels now match Visa’s, so, for example, if a merchant is a Level 2 merchant in Visa’s eyes, it’s also one in MasterCard’s eyes.
SOME MERCHANTS claim they can’t do business without credit cards, and can’t discount for cash. That’s why we were interested in your recent article about a Boston merchant who cuts the price of sushi by 55 percent on Sundays for customers who pay cash to avoid the fee of about 2 percent she pays to accept credit cards (“Taking a swipe at card processing fees,"
Is this really about cash discounts or about a practice followed by some sushi vendors who cut prices by half on Sunday to make room for fresh fish on Monday? Dec. 12, Metro, B1).
Says Shawn:
"Merchants’ lobbyists want consumers to believe they will benefit if Congress regulates the fee of about 2 cents on a dollar merchants pay for the benefits they get by accepting credit cards: they outsource their credit risk to the banks that issue the cards and are responsible if customers default; they get protection from fraud and theft; guaranteed payment, and efficient record keeping. Plus higher sales, as consumers aren’t constrained by the amount of cash they have in their wallet.
If merchants don’t pay their fair share, consumers get hurt. Like any other valuable service, electronic payments have a cost. Today, those costs are split between the two key beneficiaries - merchants and cardholders. If merchants get their way and persuade Congress to regulate their share, consumers will pay more. That happened in Australia, where the government regulated these fees. Consumers there now pay more for their cards through higher annual fees, fewer benefits, and sometimes, surcharges when they choose to use their cards. Merchants pocketed the savings, as there is no evidence that they have cut the prices they charge.
SHAWN MILES
Purchase, N.Y.
The writer is head of global public policy for MasterCard.
The Wall Street Journal ran a front page story that Citigroup, Inc. had been hacked. Citi responded that there was no breach, then PC World reported that it was an "old breach confused as a new breach." Then the WSJ story was attacked as being inaccurate...
In any event, there is a very good reason that U.S. banks have generally been loath to disclose computer attacks. Fear of scaring off customers. It's all about deposits. You get hacked, it's harder to get deposits. Therefore, we will never know the magnitude of losses suffered by financial institutions due to cyber-siphoning. Many say take whatever figure they report and times it by 5. I say times it by 10 and you'd be closer to the real numbers. Either way, we're talking losses of $1B+.
According to the Financial Times Paul Murphy,
"Official statistics in the US suggesting $260m was lost last year in all forms of online crime are a complete joke." It’s a scandal. Why the authorities and the banks allow this cover-up to continue is a mystery.
The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.
The fallout, however, is incredibly muddy and opaque.
Citigroup (C) is strenuously denying that there was any breach at all, let alone any losses; it also said in the original story that the WSJ’s smoking gun — the disappearance of $1 million from a Citibank bank account in Mt Vernon, NY — was “an isolated incident of fraud”.
ABC has weighed in too, deciding that Citigroup and the WSJ are both wrong, and that “the truth here is somewhere in the middle”, whatever that’s supposed to mean.
The Financial Times Paul Murphy has an interesting theory: Citigroup, like every major bank in the Western world, is covering up the fact that online fraud — both sophisticated and unsophisticated — is running at epidemic levels. But it can’t be seen to be singled out as an institution with weak controls, where the public at large might be fearful of depositing their money. So it goes on the denial warpath.
HomeATM Provides the only PCI 2.x PED Solution available. Genuine Two Factor Authentication for online banking sessions. (we replicate ATM Access) We also add a real-time "any bankcard to any bankcard" P2P Instant Transfer. Oh, and a transactional revenue sharing model which provides a return on investment for our PIN Entry Device. All done with Instantaneous Triple DES/DUKPT End to End Encryption.
CBS Reports: If you bank online, be warned that hackers are getting better at stealing money from personal accounts. Last year, Americans filed more than 275,000 complaints about cyber crime. Bob Orr reports.
In a headline that will define 2010, CBS lets us know the intent of hackers. Cash Money. Mark my words. In 2010 Financial Institution's will learn that the browser space is untenable. .
Banks can spend millions on security on "their" IT, but hackers don't need to go after the bank. They can go after the online banking customers.
Malware grew exponentially in 2009. Phishing has become more sophisticated. If phishing is words, and malware is music, then fraudsters will "rock" our world in 2010. (Unless we start conducting transactions "outside the browser space.")
HomeATM has the the symphony for the devil. Please allow me to introduce ourselves, ...we do it "outside the box." It's that "TYPE" of thinking that can solve the problem. Until then, they are stuck on band-aids and the band-aids are stuck on you....
Here's an interesting analysis from "Information LawGroup" on a recent Massachusett's Supreme Court ruling which "slams the door on some financial institutions seeking to recover reissuance costs" after a breach. I've provided a case 'backgrounder" below.
...Massachusetts’s highest court (the Supreme Judicial Court or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out a retailer’s payment card data breach.
The Cumis Insurance Society, Inc. v. B.J. Wholesale Club, Inc. decision (“Supreme Court Decision”) analyzed and ruled upon most of the mainstream legal theories issuing banks have used to attempt to recover card reissuance costs, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter . 93A, section 11). We have previously commented on multipledecisionsinvolving retailer payment card breaches similar to the BJ Wholesale breach and PCI liability in general, including a 3rd Circuit federal appellate decision that allowed issuing banks to proceed forward with a third party beneficiary breach of contract theory.
This blog post dives into and analyzes the Supreme Court Decision, and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather in the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with.
Editor's Note: For those of you who are interested, I've provided a primer on the case below:
Case Background:
Background. We recite the undisputed facts in the summary judgment record, reserving some facts for later discussion. Visa and MasterCard are membership organizations in which issuing and acquiring banks join in order to participate in point of sale transactions using the Visa and MasterCard brands. Issuing banks such as the plaintiff credit unions issue the physical plastic credit cards to cardholders, determine the amount of the authorized credit line available to each cardholder, and approve or decline each transaction when the cardholder presents the credit card to make a purchase.
When a cardholder presents a credit card to a merchant, the merchant transmits the information encoded on the back of the credit card to the acquiring bank. The acquiring bank, in turn, transmits the information to Visa or MasterCard, which submits the request to the appropriate issuer. The issuer then relays its decision to approve or decline the transaction back through the same channels to the merchant. After the transaction is approved, the acquiring bank acquires the merchant's Visa or MasterCard receipt, pays the merchant for the amount of the transaction, and seeks payment from the issuing bank; the issuing bank pays the acquiring bank and debits the cardholder's account. Approximately 16,000 issuers are members of the Visa organization and approximately 20,000 issuers are members of MasterCard. At least 20 million merchants participate in the Visa and MasterCard payment processing systems, but none are members and none contract directly with Visa or MasterCard.
Visa and MasterCard each issue extensive operating regulations that govern the payment processing system and their members' obligations. Every financial institution that becomes a member of the Visa and MasterCard organizations must sign a contract that includes a provision that it will comply with these regulations; acquirers are also contractually obligated to ensure that their merchants comply. Both Visa and MasterCard regulations prohibit merchants and acquirers from storing magnetic stripe data from the back of credit cards, in whole or in part, after a transaction is completed.
In February, 2004, Visa and MasterCard determined that computer thieves had gained access to the computer systems on which BJ's stored credit card transaction data at more than 150 stores, and that the breach had been ongoing since July, 2003. The breach provided the thieves access to the full magnetic stripe data from approximately 9.2 million cardholder accounts, allowing them access to cardholder names, account numbers, account expiration dates, and proprietary Visa and MasterCard security data. It was ultimately determined that the third-party transaction processing software used by BJ's was permanently storing the magnetic stripe data in transaction logs. The agreements between BJ's and Fifth Third contained a requirement that BJ's comply with Visa and MasterCard's regulations, including those prohibiting BJ's from storing any magnetic stripe data after a transaction was completed; the agreements among Fifth Third and Visa and MasterCard required Fifth Third to ensure that its merchants complied with the regulations. BJ's conceded that it was retaining the magnetic stripe data.
Visa and MasterCard notified all their member issuing banks that had issued any of the possibly compromised accounts. In response to this notification, the plaintiff credit unions closed all their potentially compromised accounts, without regard to whether fraudulent charges had been made on a particular account; advised cardholders to destroy their old plastic credit cards; and issued new account numbers and new plastic credit cards to all affected cardholders. Cumis paid the plaintiff credit unions millions of dollars for fraudulent transactions made using the compromised accounts; the plaintiff credit unions and Cumis then commenced this action.
[1] In order to resolve potential customer disputes, merchants are permitted to store the customer's name, credit card number, and the card's expiration date.
[2] In addition, MasterCard reimbursed issuers, including the plaintiff credit unions, $2.4 million for fraudulent transactions.
Offering Chase Checking Account Customers a way to enjoy Disney Perks and Rewards
NEW YORK--(BUSINESS WIRE)--Disney and Chase today announced a new offering in the Chase family of Disney Rewards Visa Cards, the Disney Rewardssm Visa Debit Card. The new card gives Chase checking account customers access to valuable Disney perks and rewards through the control and accountability of a debit card.
The Disney Rewards Debit Card introduces a whole new world of Disney benefits to debit cardholders.”
“This is an excellent new choice for Chase customers who prefer to make purchases with debit cards because of the immediacy and financial control it provides,” said Charlie Scharf, chief executive officer of Retail Financial Services for Chase. “The Disney Rewards Debit Card introduces a whole new world of Disney benefits to debit cardholders.”
With the Disney Rewards Debit Card, benefits start immediately: Cardmember save on Disney merchandise when they use the card and also enjoy Theme Park perks, including:
A Character Meet ‘N’ Greet Photo Opportunity at Walt Disney World® and the Disneyland® Resorts that includes a complimentary 5x7 photo
10% off select merchandise purchases of $50 or more at Disney Store locations and DisneyStore.com, and at select locations at Walt Disney World® and the Disneyland® Resorts
In addition, Cardmembers earn points on qualifying debit card purchases* that they can redeem for Disney Theme Park passes, hotel stays, meals, movies, toys, music, books and much more. Chase customers also choose from four exclusive Disney character design cards: two Mickey Mouse versions, a puppy from “101 Dalmatians,” and a group of several beloved Disney characters.
“If you love Disney, this is the debit card for you. It helps you get more of the Disney you love – and makes your Disney experiences even better – from a personal photo opportunity with characters at our Theme Parks to extra savings while shopping at the Disney Store or at our Theme Parks,” says Jenny Cohen, Senior Vice President of Customer Relationship Management at The Walt Disney Company.
Disney Rewards Debit Card has an annual fee of $25. In their first year, Cardmembers get this value back in the form of 25 bonus Disney Dream Reward DollarsSM after making five qualifying debit card purchases.*
* Qualifying purchases include card purchases made without using a PIN. One Disney Dream Reward Dollar is equal to $1 when redeeming for Disney goods and offerings.
About The Walt Disney Company
The Walt Disney Company, together with its subsidiaries and affiliates, is a leading diversified international family entertainment and media enterprise with five business segments; media networks, parks and resorts, studio entertainment, interactive media and consumer products. Disney is a Dow 30 company, with revenues of over $36 billion in its most recent fiscal year.
About Chase
Chase is the U.S. consumer and commercial banking brand of JPMorgan Chase & Co. (NYSE: JPM), which operates more than 5,100 branches and 14,000 ATMs nationally under the Chase and WaMu brands. Chase has 151 million credit cards issued and serves consumers and small businesses through bank branches, ATMs and mortgage offices as well as through relationships with auto dealerships and schools and universities. It also serves 26,000 commercial banking clients, including corporations, municipalities, financial institutions and not-for-profit entities.
The UK Payments Administration has put together an interactive digital map of the United Kingdom. Their press release follows: To take a look at the different regions and how they compare (or differ) click here.
Latest study shows that where we live shapes how we pay
23 Dec 2009
The Payments Council has created an online, interactive map to demonstrate the varied payment attitudes, preferences and behaviours that can be seen in the different regions across the UK
Payments Council research reveals:
Plastic cards: If you live in the South East you are most likely to have a plastic card (97%), whereas if you live in the West Midlands you are least likely to have one (86%).
Phone or internet banking: If you live in the South East you are most likely to use phone or internet banking (59 per cent), whilst if you are in the North East you are least likely to (46%).
Cash: Adults in East Anglia make the lowest number of cash machine withdrawals (51 per person annually).
Cheque usage: Fewer Scots write cheques* than in any other region (20% compared to the average for Britain of 31%), whilst Londoners depend on cheques the most (39%). The national average of people using cheques regularly fell by 6% between 2008 and 2009.
Taking a broad North-South** view, more Southerners hold plastic cards (95%) compared to their northern neighbours (91%); when it comes to cash withdrawals there isn’t a significant North South divide - Northerners and Southerners tend to make a similar number of cash withdrawals, both in terms of volume (59 and 58 respectively) and value (£3,855 and £3,920 respectively). There are however, more cheque users in the South as 35% of adults regularly use cheques for spontaneous payments, compared to 27% in the North.
Sandra Quinn, director of communications, says:
"This research, on the whole, confirms long standing trends; increasing reliance on debit cards and phone or internet banking and a noticeable decline in use of cheques. That said, while there are clear nationwide trends there are also parts of the country which stand out in comparison to the national statistics, for example the proportion of adults in the North East using internet or phone banking, which at 46 per cent is 7 per cent below the national average.
“Payment Regions brings together these regional variations and offers a fascinating insight into how our payment habits compare with those of our neighbours. It also demonstrates how as a nation our payment habits have evolved to take advantage of new technology and to meet the needs of our ever more demanding lifestyles."
If you don't follow Dark Reading... and have a passing interest on how financial transactions conducted via a browser are subject to myriad threats from cybercriminals...you should.
Whether they are reporting on that next "next gen" banking trojan or writing about that critical flaw in SSL encryption, used by top banks use to secure their online banking sessions, they are on top of their game.
Today they came out with their Coolest Hacks of 2009. Here's their introduction and the list, which links back to the Dark Reading site where you can sign up for their newsletter, should you be so inclined.
DarkReading |By Kelly Jackson Higgins
Hackers are always probing for ways to crack new technology, even elements so personal you would never imagine they could be hacked -- like, well, your face. Extreme hacks that hit close to home and we can see in the mirror remind us of just how much technology has infiltrated the everyday, and how fragile it ultimately can be at the hands of the bad guys.
This year saw some creative and unusual hacks that gamed biometric facial identities, weaponized iPod Touches, dug up actual missile defense data on a second-hand hard drive, replaced application updates with malware in midstream, and even found a way to silence a teenager's frenzy of text messaging. And don't get us started on a phony Bill Gates "LinkedIN" e-vite that landed in multiple corporate emailboxes unscathed.
These are among the hacks we have selected as nine of the coolest hacks covered here at Dark Reading in 2009 -- sometimes off-the-wall and in-your-face (pun intended) vulnerabilities that were exposed and exploited by creative and imaginative researchers who are all about staying one step ahead of the bad guys, and maybe having a little fun along the way.
So kick back, relax (if you can), and take a look back at the more offbeat yet profound hacks of the year.
Acquisition to Strengthen SafeNet’s Cyber Security Strategy with new technology and professional consulting services
BALTIMORE--(BUSINESS WIRE)--SafeNet, Inc., a global leader in information security, today announced that it has completed the acquisition of Assured Decisions, LLC, a leading provider of professional consulting services to the government’s cyber security community. Assured Decisions will become part of SafeNet’s Cyber Security group.
“The unique expertise brought to SafeNet by Assured Decisions enables us to expand our solutions that protect the data within the U.S. Government’s cyber space,” said Chris Fedde, SafeNet’s president and chief operating officer. “Assured Decision’s expertise will be leveraged throughout SafeNet’s customer base; in addition their product line complements SafeNet’s solutions for government and commercial customers already purchasing data protection products like Authentication, Hardware Security Modules (HSM), File and Database Encryption, and High Speed Encryptors. Combined these products provide data centric solutions within the enterprise, after it leaves the enterprise and as it is distributed.”
Assured Decisions has been a leader in providing professional consulting services including engineering secure solutions that protect electronic information systems and facilitate secure information sharing since 2001. The company’s MDeX solution is used by organizations with high assurance information transfer requirements to quickly and securely exchange information between departments, agencies and allies thereby protecting national security.
“We are pleased to be joining SafeNet, an industry leader in information security,” said Edward Sheehan, Managing Member and President, Assured Decisions. “Organizations continue to invest in information flow control, data sharing and ubiquitous data protection. SafeNet’s plans to expand our MDeX solution through other parts of the government community and global industries that need to share and route information in an assured and controlled manner is another step in protecting overall national security.”
About SafeNet, Inc.
SafeNet is a global leader in information security, founded more than 25 years ago. The Company protects identities, transactions, communications, data and software licensing through a full spectrum of encryption technologies, including hardware, software, and chips. More than 25,000 corporate and government customers in 100 countries including UBS, Nokia, Fujitsu, Hitachi, Bank of America, Adobe, Cisco, Microsoft, Samsung, Texas Instruments, the U.S. Departments of Defense and Homeland Security, the U.S. Internal Revenue Service, trust their security needs to SafeNet. In 2007, SafeNet was acquired by Vector Capital, a $2 billion private equity firm specializing in the technology sector. For more information, visit www.safenet-inc.com.
Editor's Note: SafeNet is a registered trademark of SafeNet, Inc. All other trademarks are the property of their respective owners.
PYMNTS.com published an interview with Jack Dorsey regarding his "Square" this morning.
When buzz began bubbling up around Square about a month ago, the industry took notice. Many charged that was due mainly in part because the driving force behind Square was the co-founder of Twitter, Jack Dorsey. Many industry insiders, like MagTek CEO Mimi Hart, raised security concerns around where the consumer's data was encrypted.
PYMNTS.com asked "Paying with Plastic" author and industry expert David S. Evans to speak with Dorsey about why Square is "what's next" in payments.
PYMNTS.com Exclusive Interview with Twitter Vet Jack Dorsey on Square
BOSTON--(BUSINESS WIRE)--PYMNTS.com just published an interview with Twitter Co-Founder, Jack Dorsey on his recent launch of Square. Dorsey highlighted that the device is just a small component of what Square is about. He and his “Square-mates” want to redesign the payments experience and innovate the process of establishing merchant accounts.
PYMNTS.com is a joint venture between Business Wire, a Berkshire Hathaway Company, and Market Platform Dynamics. It provides a platform for industry professionals to share content related to their latest company and product developments, to tap into the collective commentary and analysis from experts, bloggers and industry pundits, and to interact with industry thought leaders on topics of critical importance to the future of the sector.
MPD is a management consulting firm that ignites catalyst businesses by leveraging new technologies, business models and pricing strategies. MPD has a wealth of experience within industries that are characterized by complex platform-centered ecosystems, including payments, mobile/telecoms, digital and advertising-supported media, and software-based businesses.
MPD works with both incumbents and new entrants, offering a unique lens into the dynamics that shape the competitive playing field. In addition to traditional consulting-based services, MPD’s Catalyst Ventures provides intellectual and human capital to new firms. MPD’s experts include economists, econometricians, product development specialists, and strategic marketers who apply cutting-edge business theory and statistical methods to the practical problems of building and growing a profitable catalyst business. MPD is headquartered in Cambridge, MA, and has offices in London and Hong Kong.
Business Wire, a Berkshire Hathaway company, is utilized by tens of thousands of member companies and organizations worldwide to functionally enhance and communicate investor relations and public relations content to target audiences. As a recognized disclosure service in the United States, Canada and a dozen European countries, Business Wire facilitates the simultaneous flow of market-moving press releases from corporations to financial markets and their audiences, including regulatory authorities, media, investors, financial information systems and consumer news services. Business Wire also handles XBRL tagging, document formatting and regulatory filing into EDGAR, SEDAR, FSA and other systems.
Founded in 1961, Business Wire has dual headquarters in San Francisco and New York, with 30 bureaus in cities including Los Angeles, Chicago, Boston, Miami, Paris, Frankfurt, London, Brussels, Tokyo, Toronto and Sydney and reciprocal offices throughout the world. Business Wire's patented NX data platform supports XML, XHTML and XBRL code that enhances news release interactivity, social media sharing and search engine optimization. More information about Business Wire and its services is located on its website at www.BusinessWire.com.
Online banking executives are optimistic about their budgets for 2010, with half of those surveyed anticipating significant budget increases.
Boston, MA, – A new report from Aite Group, LLC assesses financial institutions' development priorities for the online channel in 2010. The report, which is based on Aite Group interviews with senior online channel executives from 20 of the 100 largest U.S. banks, reveals that executives are optimistic about their budgets for 2010. Among the banks surveyed, half anticipate budget increases more than 15% higher than 2009 budgets.
The year ahead looks to be a good one for investment into and strategic focus on banks' online channels. Driving this renewed focus is a stronger commitment from senior management, according to interviewees. Banks will pursue different online strategies. Some will pinpoint online sales and marketing, while others will focus on online service or improving the customer experience. One theme cuts across all the strategies: channel integration. Many online channel executives stressed the need to improve their bank's ability to integrate sales, service and the customer experience across channels.
"Despite the attention that the online channel has received and its promise to revolutionize traditional banking, many banks have never truly embraced it as a primary channel for customer interactions and transactions," says Ron Shevlin, senior analyst with Aite Group and author of this report. "The tide is finally turning. The combination of two forces - banks waking up to the reality of consumer behavior, and the ascent of a younger group of managers with a more accepting view of technology - is finally helping to bring about this change."
This 24-page Impact Report contains 16 figures and one table. Clients of Aite Group's Retail Banking service can download the report by clicking on the icon to the right.
Research In Motion Ltd. said late Tuesday its technicians are working to resolve e-mail messaging delays on its Blackberry smart phones in North and South America.
Phone calling and texting services appeared to be functional, but users in the Americas have been unable to send or receive e-mail messages. Would-be users tweeted their frustration on social networking site Twitter. Some said they also could not connect to the Internet.
Waterloo, Ontario-based Research in Motion Ltd. said in a statement it apologizes for any inconvenience experienced by customers.
It marks the second time in less than a week that BlackBerry users in North America have had to deal with e-mail outages on their Blackberry devices. Research In Motion said last Thursday that technicians had isolated and resolved the issue and were investigating the cause. RIM didn't say how many users were affected or how long that outage lasted.
RIM apologizes for any inconvenience experienced by customers," an e-mailed statement read. This, of course, comes on the heels of similar short-lived ...
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_u4gug10dVQy60TvPIf11gJ1mk8QwwwpzsrKVqA19MobJbEm0QVWyjhayBQK5p4r70vujR-7QVc-yVVzTsKkakBDDnaB4PZrNXU4YIlKjRoREhc7770kMIMvWkCNiE4ExRbbBrs8Xd4JtXtUPaL3tHA=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vo6bZL_wJzhepRuMf3bcJdWLNria1DWD2PcCKienNXLmKp8ocHQJJDUPCexSMzvA_bgA6WSnkB1-OqeLE58ppTFwDn_ubyYPFdC1PUMFo_hK6s1H8GFEWgzmv-2Y20T6P_YPsgSEhuIfJ5wQ27c4I=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uErt7w-P40d07xYFnw88VDm6vtFOdMa2oyBQ8qemEBCOTCC2Cyqe5ZwDGp87JFdFllXwAvF85h6iqXTnG1-yKpgDxL6JIOduzB16kNn7WL4ZtUWz0er5zzt48uai_Ak0i3ccDrFmIoeJVZxX0fKzuZ=s0-d)
