Wednesday, August 13, 2008

Retail Systems Research Report on eCommerce

Thanks to Susan Kohl, Founder and Partner of ThoughtKey Inc. for bringing this newly released Retail Systems Research report to my attention.

ThoughtKey, Inc. provides advisory and review services for the payment industry including encryption service organizations, financial institutions, independent sales organizations, merchants, processors, and payment vendors. They have developed a platform of services and products to assist their clients in minimizing their risk exposure associated with emerging industry mandates such as:

  • PCI Personal Identification Number (“PIN”)
  • PCI Data Security Standard (“DSS”)
  • PCI PIN Encryption Device (“PED”) and Encrypting Pin PAD (“EPP”)
  • Payment Application Data Security Standard (“PA DSS”)
  • Payment Industry Sponsorship Management
  • FACTA truncation and other banking regulations

To find out more about ThoughtKey, Inc. please visit their site. They come very highly recommended and of course, HomeATM ePayment Solutions is a client.


Here's the report:

BOSTON, MA (PRWEB) August 13, 2008 — According to a new RSR Research report: Playing Well with Others: eCommerce’s Evolving Role in the Customer Experience, released today, retailers are holding back on investing in improving consumers’ online shopping experience while they wait for consumers to figure out what they want that online experience to look like.

Download the Report Here

Survey respondents, while concerned about providing a high quality online experience, are instead investing in foundational capabilities like product information and availability, and taking a cautious approach to next generation eCommerce technologies like Web 2.0 and mobile.

“Given that eCommerce is starting to have a better reputation for customer service than stores, we were surprised to see that the business challenges driving retailers’ strategies today focus more on product-related issues,” says Steve Rowen, Partner at RSR Research and one of the report’s authors. “What’s not surprising, however, is that online pure-play e-tailers are at the forefront of innovation in online shopping.”

RSR’s new publication, Playing Well with Others: eCommerce’s Evolving Role in the Customer Experience, sponsored by Gomez and Microsoft Corp., also finds that some multi-channel retailers are not focused on a multi-channel strategy, but instead are trying to emulate pure-plays in building a “stand-alone” online experience for consumers. Laggards, retailers that under-perform the market in sales, were particularly prone to this issue.

“It appears that the online market is diverging – online pure-plays are trying to differentiate themselves from multi-channel retailers by offering a larger product assortment and a differentiated customer experience in order to battle the cross-channel capabilities that they can’t offer,” says Nikki Baird, Managing Partner at RSR Research and co-author of the report.

“Some multi-channel retailers have recognized that cross-channel offers a real opportunity to provide a high-quality customer experience, but others appear to be blindly copying e-tailer pure-plays in an effort to boost their online presence. It’s a real disadvantage, if you’re primarily a store-based retailer, to ignore the advantages that cross-channel can give you.” According to the report, reviews, promotions, and mobility offer real opportunities for eCommerce, but many retailers are hampered by their existing systems and infrastructure supporting online shopping.

To obtain a complimentary copy of the report, follow this link:

http://www.retailsystemsresearch.com/_document/summary/636

CONTACT:
Steve Rowen 617-337-5228 srowen@rsrresearch.com or
Nikki Baird 303-683-6613 nbaird@rsrresearch.com

About Retail Systems Research

Retail Systems Research (“RSR”) is the only research company run by retailers for the retail industry. RSR provides insight into business and technology challenges facing the extended retail industry, and thought leadership and advice on navigating these challenges for specific companies and the industry at large. To learn more about RSR, visit http://www.rsrresearch.com/.

Tuesday, August 12, 2008

Intel on Intel from Reuters

Intel, the world's biggest computer chipmaker, is comfortable with its forecast for revenue in the current third quarter in spite of the continued macroeconomic woes, its CFO said on Tuesday.  Asked if he was OK with Intel's (NASDAQ: INTC) forecast for third-quarter revenue of $10.0 to $10.6 billion, CFO Stacy Smith told Reuters: "Of course I'm still comfortable with it. It's still my forecast."  Analysts currently expect the company to have third-quarter revenue of $10.3 billion, according to Reuters Estimates.

"It's a very uncertain macro environment," Smith said in an interview. "It's not true just in the United States, it's true in Europe in terms of slowing growth. That being said, what we've seen in the last nine months is our business being pretty normal."

Intel last month reported a 25 percent rise in quarterly profit, helped by strong sales of its microprocessors used in notebook computers and gave a forecast that topped expectations at the time. It continues to do well despite a weak global economic environment, aided by market share gains against its smaller rival Advanced Micro Devices (NYSE: AMD).

Smith also said demand for Intel's low-power, low-cost chip called Atom is off to a good start. It is designed to go into super-slimmed-down notebook PCs, consumer electronics devices and embedded markets such as set-top cable boxes.  "Atom is off to a very, very rapid start, far exceeding our expectations when we started the year," Smith said. "It's the perfect recession product to have in the marketplace.

"It plays very well, in the mobile marketplace, it plays in emerging markets, it plays into people's desire to have a second PC or one for the kids that's low cost yet still capable," Smith said of Atom. "It's off to the races."

Smith also said that he was not unduly concerned about Atom cannibalizing sales of its existing Core chips, but allowed that he would not mind sales of Atom eating a bit into those of its low-cost Celeron processors. "If it's cannibalizing from the Celeron part of the market, I'll take that any day," Smith said.

He said that Intel gets about 2,500 Atom processors per silicon wafer, meaning that its profitability on Atom -- while not as great as on a Core or Xeon chip -- is still quite healthy.

"We'll know kind of in six months how much of this demand [for Atom] is real and how much is customers thinking they're going to win in the market place and double ordering," Smith added. "It seems to be growing the market rather than cannibalizing existing PC sales."

Smith also said that interest among customers that would use Atom in the embedded market has been strong. While it takes longer for Intel to realize revenue from the embedded market because of longer design cycles, once its product has been designed in to a car or cable box, it remains for years.

"They now have a product that's designed much more for their market than what they've had available to them in the past," Smith said of Atom in the embedded market. "They're getting great interest from their own customer base." Smith also said that despite economic uncertainty in markets around the world, Intel's own business continues to hold up well.

Smith said he believes the strength of Intel's product lineup relative to AMD is helping it to weather uncertain economic times, as well as a rapid move to mobile PCs and devices.

"Even in the downturn we're seeing investments in technology continue," Smith said. Intel's shares rose 4 cents to $24.42 in late trading.

Cost Plus World PIN Debit Breach Spreads to Arizona

I've blogged about the Cost Plus World Breach in California. Now it seems that the breach includes their stores in Arizona as well. Detectives have said that the criminals are taking out $500 at a time. Once again, I reiterate that using a HomeATM Wedgie for online purchases is eminently safer and more secure than using one provided by bricks and mortar retailers. Look for more breaches similar to the Cost Plus World one in the near future...

Several stories hit the newswire today regarding the Arizona breach. Here's one of them...

Tucson police Detective Doug Musick said the scam has spread and now includes the Cost Plus store at 5975 E. Broadway.

Tucson Police say the criminals replaced existing counter card PIN pads with their own, then later came back and switched them again, gaining access to consumers' card and PIN information. He explained that the scammers will replace PIN pads left on the counter with their own PIN pad. "Their PIN pad looks the same, but stores the credit card information," Musick said.

"Once the fraudulent PIN pad has been used, the scammers will come back and retrieve it and its stored information."

Information from Cost Plus customers' debit and credit cards has been used to make counterfeit debit cards, he said. "Be very cautious of using PIN pads left out on the counter like that," Musick said. "They can be unplugged and replaced within three seconds."

Shoppers at the Cost Plus World Market on East Broadway in March or April most likely had their credit or debit card information stolen, police said Monday. The problem started in California, where the company reported in July that customer information was taken from eight stores in February, March and April.

Musick said the information retrieved from Tucson customers' debit cards has been used at ATMs in the Phoenix area and in California. He said the scammers are taking out around $500 at a time. Musick said Vantage West Credit Union in Tucson first noticed that its customers' cards were compromised and brought it to the attention of the Tucson Police Department. Police are collecting information for use in a federal case.

Cost Plus customers who have had problems with their checking account are encouraged to discuss them with their banks. Musick said local banks are collecting information about which customers have been compromised and are passing that information on to authorities.

Nordstrom's Chooses First Data

First Data has announced that they have entered into a payment processing agreement with Nordstrom which will run for the next 7 years. Here's the press release:

First Data Corp., a global technology leader in transaction processing and information commerce, announced today it has entered into a new payment processing agreement with Nordstrom fsb, a wholly owned subsidiary of Nordstrom, Inc. and a federally chartered thrift savings bank.

The seven-year agreement calls for First Data to provide card processing, call center and back office automation tools, fraud and risk management, customer analytics as well as e-statements and email alerts for Nordstrom's entire card portfolio including Nordstrom Visa(R), private label credit and debit cards and commercial cards for Nordstrom employees. The portfolio totals about 4.5 million card accounts on file. Financial terms of the agreement were not disclosed.

"We are always looking at ways to improve the experience our customers have with us, even regarding details such as how we process our credit transactions," said Kevin T. Knight, chairman and chief executive officer of Nordstrom fsb, president of Nordstrom Credit, Inc. "We're pleased to partner with First Data, a company that has such a strong reputation for their technological capabilities and expertise, and has a clear understanding of our strategic needs."

"It is a great honor to have earned the confidence of such a renowned retailer," said Ed Labry, president, First Data's U.S. division. "Our strategic view of the payments industry, our ability to offer the full spectrum of industry-leading services and the expertise of our dedicated employees is the value we can bring to Nordstrom."

Nordstrom, Inc. works with First Data's TeleCheck(R) unit for check verification services. The new processing contract with Nordstrom fsb runs through March 2016.

About First Data

First Data is a global technology leader in information commerce. The company processes transaction data of all kinds, harnesses the power of that data and delivers innovations in secure infrastructure, intelligence and insight for its customers. With operations in 37 countries, First Data serves over 5.4 million merchant locations, 2,000 card issuers and their customers. It powers the global economy by making it easy, fast and secure for people and businesses around the world to buy goods and services using virtually any form of payment.  The company's portfolio of services and solutions includes merchant transaction processing services; credit, debit, private-label, gift, payroll and other prepaid card offerings; fraud protection and authentication solutions; electronic check acceptance services through TeleCheck; as well as Internet commerce and mobile payment solutions.

The company's STAR Network offers PIN-secured debit acceptance at 2.1 million ATM and retail locations. Through First Data's centers of excellence, such as security, analytics, customer loyalty and mobile payments, it offers data-driven commerce solutions for customers around the globe. For more information, visit www.firstdata.com.

Forrester Research/eBillMe Webinar on August 26th

eBillme, the alternative payment provider that brings online banking to the eCommerce checkout, has announced that it will host an industry Webinar featuring Forrester Research Retail Analyst, Sucharita Mulpuru, who will discuss the opportunity offered by alternative cash payments for eCommerce checkout, with timely analysis based on the current economic downturn.

The Webinar will discuss the obstacles facing the retail industry and identify solutions to help retailers succeed, despite the economic climate. Topics will include lowering cart abandonment, increasing consumer confidence, and increasing sales though credit card alternative payment options.

"The Webinar, which will be held on Tuesday August 26th, 2008 at 1 PM EST, is an opportunity for merchants and industry executives to receive a leading analyst’s report of the current state of the industry, and to learn about the role of alternative payment options for retailers to capture sales during today’s economic climate."

“Consumers are looking for better ways to manage their spending and limit debt,” says Marwan Forzley, President and CEO of eBillme. “We understand that it is now more important than ever for online merchants to find ways to attract consumers to their checkout. This Webinar will discuss how merchants can use cash-like payment options to gain a competitive edge, reach new customers, increase sales, and build customer loyalty. Sucharita is a leading analyst in the retail space and we are thrilled to have her lead this Webinar and educate participants on this timely topic.”

The Webinar will be hosted on Tuesday August 26th at 1:00 pm EST. It is open to the media, online retailers, and the entire retail industry. To register, please visit:

https://www2.gotomeeting.com/register/633666421

More on the 40 Million Card Data Breach

The graphic from today's story "On the Trail of a Global Crime Ring" in the New York Times provides us with more information regarding the members of the international identity theft ring.

Last week came the announcement that the DoJ had indicted 11 people in the 40 million card T.J. Maxx WarDriving Bust. I found it interesting that, until then, T.J. Maxx had borne the brunt of being the company involved in the hack attack. In reality, there were 11 companies that were breached. (1 for each culprit indicted?) Why then, was T.J. Maxx so independently maligned? Why were the other companies nary mentioned?

According to an article in the Wall Street Journal it's because...


...only four of the chains clearly alerted their customers to breaches. Two others -- Boston Market Corp. and Forever 21 Inc. -- say they never told customers because they never confirmed data were stolen from them.  The other retailers -- OfficeMax Inc., Barnes and Noble Inc., and Sports Authority Inc. -- wouldn't say whether they made consumer disclosures. Computer searches of their Securities and Exchange Commission filings, Web sites, press releases and news archives turned up no evidence of such disclosures.

The other companies allegedly targeted by the ring charged last week were: TJX Cos., BJ's Wholesale Club Inc., shoe retailer DSW Inc., and restaurant chain Dave and Buster's Inc. They each disclosed to customers they were breached shortly after the intrusions were discovered.

The disclosure issue emerged after the government charged 11 men in five countries, including the U.S., Ukraine and China, with orchestrating a high-tech operation to steal credit-card numbers from 2003 to 2008.

After an increasing number of such thefts in recent years, more than 40 states have adopted laws requiring companies to give consumers an early warning when their personal information is stolen. Companies typically have made disclosures by letter, whenever possible, and through public announcements on the Web sites and in press releases to the media. Disclosure allows consumers to act quickly to limit losses -- by canceling their credit cards, changing their passwords or setting up credit-monitoring services. The Federal Trade Commission estimates nearly $50 billion is lost annually as a result of identity theft and credit-card fraud, with part of it absorbed by banks.

"If I were the companies, I would be issuing public disclosures five nanoseconds after the indictments were announced," says Evan Stewart, an adjunct professor at Fordham University School of Law and an electronic-data breach expert. "If not, there could be big checks the companies will have to be writing" to cover consumer litigation, he said.

Dan Clements, chief executive of Affinion Security Center's CardCops unit, which monitors Internet chat-rooms for illegal trafficking of credit and debit cards, says many companies are reluctant to disclose breaches. "Telling the public that they've been breached is embarrassing for them, it makes them suffer a loss of goodwill and in the case of public companies, the stock price goes down."

OfficeMax has denied having any knowledge of a breach. New Jersey authorities who investigated the company in 2005 believed it was one of a number of retailers that were compromised, and last week's indictments describe how the defendants allegedly broke into their networks. Boston Market and Forever 21 say their own investigations couldn't corroborate the government's findings. Federal officials say they stand by the information in the indictments.

The indictments allege that one of the suspects, Christopher Scott, and another man identified only by initials broke into the wireless network of an OfficeMax store in Miami in 2004 and gained access to credit-card data. Mr. Scott, through family members, declined to comment.

Authorities also said they discovered in 2005 that OfficeMax's computer systems had been breached by another group that obtained customer data and used it to make counterfeit credit cards. "We believe the [credit-card] information was coming out of an OfficeMax in North Carolina," said Lt. Tom Cooney, of the Hudson County Prosecutor's office in Jersey City, N.J. "It turned out that a number of the victims" were customers at the same OfficeMax.

Edward DeFazio, a Hudson County prosecutor, says investigators in the joint federal-state probe notified OfficeMax and other retailers that their systems had been breached in a card-theft ring. Fourteen people were arrested in March 2006.

That month, OfficeMax acknowledged in an SEC filing an "ongoing federal investigation involving legitimate debit-card use at various retailers that was later tied to fraudulent transactions outside the U.S." But the filing added that "we have no knowledge of a security breach at OfficeMax."

In a statement following last week's indictments, the Naperville, Ill.-based company said, "it would be inappropriate to express our views relating to an ongoing criminal investigation." It said it has cooperated with authorities in their probe and was "confident in the integrity and security of our systems."

Last week's indictments also describe "attacks on Forever 21," which operates more than 350 clothing stores. Prosecutors allege that sometime this year, Damon Patrick Toey, of Miami, broke into Forever 21's system and shared access with Albert Gonzalez, the group's alleged ringleader, "for the purpose of downloading credit-card information of customers of Forever 21." Lawyers for Mr. Gonzalez declined to comment. Mr. Toey couldn't be reached to comment.

Larry Meyer, spokesman for Forever 21, says that this spring, federal authorities notified the Los Angeles-based retailer that it was among several retailers whose computer systems were "potentially infiltrated" by a crime ring. Authorities "asked us to investigate for a breach," he says.

He says Forever 21 conducted an internal investigation but didn't find a sign of a breach. Therefore, he says, the company didn't notify customers that their credit-card information was potentially at risk. "There was no breach," he says. "There was nothing to tell people." He says Forever 21 believes it is only obligated to make a disclosure if it finds a breach.

He added that as a result of last week's indictments, the company was in discussions with federal authorities.

The indictments also allege that Boston Market, a fast-food chain based in Golden, Colo., was hit by credit-card thieves. Company spokeswoman Angela Proctor acknowledges that the company was notified by federal authorities in 2004 about a potential breach. She says it never disclosed the matter to consumers "because we couldn't find any definite information that we'd been breached."

Ms. Proctor now says it isn't likely the company will inform consumers "because there is no way for us to identify customers who might have been affected." She added, "The consumer always does have an opportunity to report fraudulent activities" to credit-card companies.

Barnes and Noble, the New York-based bookseller, issued a release last week saying it "had not received inquiries from credit card companies or customers about these alleged activities." A company spokeswoman declined to comment further.

Sports Authority, based in Englewood, Colo., didn't return phone calls.

TJX, the Framingham, Mass.-based owner of stores including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright retail chains, says it has spent $202 million in expenses related to the breach, which compromised the cards of millions of its customers. Most of the money is being used to settle lawsuits brought by consumers and banks and to pay settlements with credit-card associations.

Write to Joseph Pereira at joe.pereira@wsj.com and Jennifer Levitz at jennifer.levitz@wsj.com

jetBlue Hopes to Cash In

Here's a press release regarding jetBlue and Western Union teaming up to allow their customers to pay cash for jetBlue tickets online.

Anyway, it sounded like a relatively good way for JetBlue to get their money up front and eliminate interchange fees...until I got to the part whereby they explained that a customer must first go to an ATM...hopefully one without fees, or their bank to withdraw the cash and secondly, jet over (Happy Jetting!) to a Western Union location following their booking. One more important note to consumers considering this payment option...don't forget the Western Union transfer fee! (and you've got to get there before midnight of the following day, so please, hurry!)

Paying With Cash? JetBlue Airways and Western Union Make Flight Purchases Easy and Convenient

NEW YORK, Aug 11, 2008 (PrimeNewswire via COMTEX News Network) -- JetBlue Airways Corporation (Nasdaq:JBLU) and The Western Union Company (NYSE:WU) today announced an agreement that provides customers with an easy cash payment option for purchasing flights when they book their travel reservations via www.jetblue.com or 800-JETBLUE and select the fast, reliable and convenient money transfer service.

Customers can now visit any participating Western Union(r) Agent location following their booking to send a full payment of their JetBlue reservation and Western Union service fee in cash. Through a direct link to the low-fare, high-frills airline's system, Western Union can confirm a JetBlue reservation until midnight the following day.

"We are constantly looking for ways to simplify our booking and payment process and enhance the customer experience," said Don Uselmann, Manager of Business Development for JetBlue Airways. "Our relationship with Western Union is a great example of how we can provide greater flexibility and more options for new customers to choose JetBlue for their travel needs.

Paying with cash has never been easier."  (Editor's Note:  What...say again?)

"Millions of consumers already know how easy it is to pay their bills using Western Union services," said David Shapiro, senior vice president, Western Union Payment Services. "Now JetBlue customers will have the convenience of purchasing their airline travel in cash at the places they already do business every day. What could be simpler than paying for your travel while you purchase groceries or fill up your gas tank?"

Western Union is a leading provider of global money transfer services, providing consumers with fast, reliable and convenient ways to send and receive money around the world via a network of Agent locations in more than 200 countries and territories.

Monday, August 11, 2008

Again, Debit Growth Far Outpaces Credit

U.S. credit card transaction and dollar-volume growth once again played second fiddle to debit. According to the latest financial reports from MasterCard Inc. and Visa Inc., U.S. debit and still-strong international growth kept the networks’ operating earnings in the black during their quarters ended June 30th.

MasterCard’s U.S. debit-purchase transactions, excluding the PIN-based Maestro brand, rose 17.8% to 1.9 billion in the quarter from 1.61 billion in the year earlier period. Over the same period, U.S. debit purchase volume rose 18.6% to $79 billion from $67 billion.

In contrast, U.S. credit and charge card purchase transactions rose only 0.8% to 1.59 billion, and credit/charge purchase volume increased just 2.8% to $142 billion.

In all, MasterCard’s U.S. credit and debit purchase transactions rose 9.4% from the corresponding year-earlier quarter to 3.49 billion. Worldwide, MasterCard’s network processed 5.22 billion transactions on MasterCard, Maestro, and Cirrus cards, up 13.6%. U.S. credit didn’t fare as badly at Visa, yet growth still fell far short of debit. U.S. debit payment transactions rose 15.8% to 4.91 billion from 4.24 billion in the year-earlier quarter.

Debit purchase volume, including that on Visa’s Interlink PIN-based network, hit $193 billion, up 16.3% from $166 billion in fiscal 2007’s second quarter.

On the credit side, U.S. payment transactions posted a 7.2% increase to 2.17 billion from the year-earlier quarter’s 2.02 billion, while payment volume rose 8.1% to $195 billion from $181 billion.

And the Password Is...(Information Card)

Information Cards (protected by a PIN) look to be a logical replacement for passwords.  Microsoft, Google and Oracle are among the founding members.  So what exactly is an Information Card?  Here's a brief overview from the Information Card Foundation (ICF):

Information Cards are the digital, online equivalents of your physical identification credentials such as a drivers license, passport, credit card, club card, business card or a social greeting card. Users control the distribution of their personal information through each Information Card. Information Cards are stored in a user’s own online wallet (called a “selector”) and “handed out” with a mouse click just like a physical ID card.

Information Cards can be issued to users by organizations for general or specific use. Users can also create their own Information Cards as a shortcut to avoid the endless process of filling out web forms. But more importantly, the infrastructure behind the cards allows for trusted sources (a bank, a credit union, a government office, etc.) to verify specific information (“claims”) made by a user. In other words, Information Cards give users the ability to make claims about themselves, verified by qualified 3rd parties, while using the Internet.

Here's an excerpt from an article from yesterday's NY Times, "Goodbye, Passwords. You Aren't a Good Defense," talking more about Information Cards:

Password-based log-ons are susceptible to being compromised in any number of ways. Consider a single threat, that posed by phishers who trick us into clicking to a site designed to mimic a legitimate one in order to harvest our log-on information. Once we’ve been suckered at one site and our password purloined, it can be tried at other sites.

The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see.  In short, we need a log-on system that relies on cryptography, not mnemonics.

As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code. The necessary software for creating information cards is on only about 20 percent of PCs, though that’s up from 10 percent a year ago. Windows Vista machines are equipped by default, but Windows XP, Mac and Linux machines require downloads.  And that’s only half the battle: Web site hosts must also be persuaded to adopt information-card technology for sign-ons.

The author of the NY Times article argues that we won’t make much progress on information cards in the near future because of what he calls "wasted energy and attention devoted to a large distraction, the OpenID initiative". OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.

Support for OpenID is conspicuously limited, however. Each of the big powers supposedly backing OpenID is glad to create an OpenID identity for visitors, which can be used at its site, but it isn’t willing to rely upon the OpenID credentials issued by others. You can’t use Microsoft-issued OpenID at Yahoo, nor Yahoo’s at Microsoft.

Why not? Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised. They do not want to take on the liability for mischief originating at someone else’s site.

Kim Cameron, Microsoft’s chief architect of identity, is an enthusiastic advocate of information cards, which are not only vastly more secure than a password-based security system, but are also customizable, permitting users to limit what information is released to particular sites. “I don’t like Single Sign-On,” Mr. Cameron said. “I don’t believe in Single Sign-On.”

Microsoft and Google are among the six founding companies of the Information Card Foundation, formed to promote adoption of the card technology. The presence of PayPal, which is owned by eBay, in the group is the most significant: PayPal, with its direct access to our checking accounts, will naturally be inclined to be conservative. If it becomes convinced that these cards are more secure than passwords, we should listen.

BUT perhaps information cards in certain situations are convenient to a fault, permitting anyone who happens by a PC that is momentarily unattended in an office setting to click quickly through a sign-on at a Web site holding sensitive information. This need not pose a problem, however.

“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said. The PIN doesn’t return us to the Web password mess: it never leaves our machine and can’t be seen by phishers.

Logging on to a site should entail a cryptographic conversation between machines, saving us from inadvertently giving away the keys.

Sunday, August 10, 2008

Sorry Charlie...You've Been Hacked

There's been a lot of hype regarding contactless RFID cards and their security, or lack thereof. My last post, entitled WarDriving 101, provides a good intro to the following one, which I could've called WarCarting 101.

A federal judge on Saturday granted the Massachusetts Bay Transportation Authority's request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system. For the full restraining order click here.

The undergraduate students had been scheduled to give a presentation Sunday afternoon at the Defcon hacker conference in Las Vegas that they had said would "describe several attacks to completely break the CharlieCard," an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line. They also planned to release card-hacking software they had created, but canceled both the presentation and the release of the software.

U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System." Woodlock granted the MBTA's request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.

The Electronic Frontier Foundation (EFF), which is representing the students, anticipates appealing the ruling, said EFF senior staff attorney Kurt Opsahl, who added that the temporary restraining order is "violating their First Amendment rights"; another EFF attorney said a court order pre-emptively gagging security researchers was "unprecedented." Here's the press release from the Electronic Frontier Foundation, followed by Defcon 16's overview of the scheduled presentation:

The Anatomy of a Subway Hack:
Breaking Crypto RFID's and Magstripes of Ticketing Systems

Zack Anderson Student, MIT
RJ Ryan Student, MIT
Alessandro Chiesa Student, MIT


In this talk we go over weaknesses in common subway fare collection systems. We focus on the Boston T subway, and show how we reverse engineered the data on the magstripe card, we present several attacks to completely break the CharlieCard, a MIFARE Classic smartcard used in many subways around the world, and we discuss physical security problems. We will discuss practical brute force attacks using FPGAs and how to use software-radio to read RFID cards. We survey 'human factors' that lead to weaknesses in the system, and we present a novel method of hacking WiFi: WARCARTING. We will release several open source tools we wrote in the process of researching these attacks. With live demos, we will demonstrate how we broke these systems.

Zack Anderson is studying electrical engineering and computer science at MIT. He is an avid hardware and software hacker, and has built several systems such as an autonomous vehicle for the DARPA Grand Challenge. Zack is especially interested in the security of embedded systems and wireless communications. He has experience building and breaking CDMA cellular systems and RFID. Zack has worked for a security/intelligence firm, and has multiple patents pending. He enjoys building systems as much as he enjoys breaking them.


RJ Ryan is a researcher at MIT. His longtime passion for security has resulted in a number of hacks and projects, including a steganographic cryptography protocol. RJ works on a number of technical projects ranging from computer security to operating systems, distributed computation, compilers, and computer graphics. He enjoys learning how things work, and how to make things work for him.


Alessandro Chiesa is a Junior at MIT double majoring in Theoretical Mathematics and in Electrical Engineering and Computer Science. Born and raised in Varese, Italy, he came to MIT with interests in computational algebraic geometry, machine learning, cryptography, and systems security. He has authored papers such as "Generalizing Regev's Cryptosystem", which proposes a new cryptosystem based on shortest vector problems in cyclotomic fields. He is currently working with Oracle's Database Security group.

Thursday, August 7, 2008

WarDriving 101

Earlier this week the DoJ busted the international hacking ring behind the TJ Maxx data breach. The method used to "break in" was simplistic, a technique called "wardriving." I wanted to learn more about it, so I googled "wardriving" and, jejune as it may be, I thought I'd share the following article from the London Times:

The picture of the BlueTooth WiFi Sniper Gun came from an image search.

The charge sheet for the 11 alleged conspirators in what the US DoJ calls "the largest hacking and identity theft case ever prosecuted" identifies a technique known as wardriving.

Wardriving involves a computer user driving around searching for insecure wireless networks. All the hacker needs to steal credit card and other information from a shop is a standard laptop that picks up the signal from the wireless network in a store.

If the security on the shop's wireless network is weak, the hacker can break in within a matter of seconds in some cases — gaining access to information held by the individual store, such as credit card numbers, as well as other information kept on the company network to which the store is connected.

Wireless networks are now extremely common in retail stores. Restaurants also use wireless terminals so that customers can pay bills with a debit card without leaving their table.

Staff in supermarkets and clothing shops carry wireless handheld devices to scan and manage stock, and many shops now also manage their entire payment systems over such networks — to avoid the hassle of moving jumbles of wires should they wish to change their layout.

Hackers who engage in wardriving will typically search for shops that use outdated security systems — or protocols — to protect their wireless networks. One of the oldest protocols, called Wired Equivalent Privacy (WEP) — which is still widely in use — can be hacked in a matter of seconds, experts said.

Modern protocols, such as Wi-Fi Protected Access (WPA) and WPA2, are more resilient, but can still be successfully hacked if the shop or other outlet has not chosen effective passwords or followed other basic network safety guidelines.
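As an added example (not from the Times article or from any vendor named on this page), here is a short Python audit that rates a retailer's wireless access points against the weaknesses described above: open or WEP networks, first-generation WPA, and WPA2 with a guessable passphrase. The inventory format, store ids and passphrases are constructed for illustration; a real audit would feed it the store's own AP configuration export.

```python
"""Audit a retail wireless inventory for WEP/WPA weaknesses.

Added example, not part of the original article. The inventory
format and every record below are constructed for illustration.
"""
import re

# Constructed sample inventory, one access point per line:
# "store_id,ssid,security_mode,passphrase"
SAMPLE_INVENTORY = """\
store-101,POS-NET,WEP,
store-102,STOCK-SCAN,WPA-TKIP,warehouse1
store-103,POS-NET,WPA2-AES,Pa$$w0rd12345
store-104,GUEST,OPEN,
store-105,POS-NET,WPA2-AES,x7#Lq9!vB2&mZ4kR^tW1
"""

# Constructed mini wordlist; a real audit would load a full dictionary.
WEAK_WORDS = {"password", "warehouse1", "store123", "letmein"}


def passphrase_is_weak(passphrase):
    """True if the passphrase is short, dictionary-like or low-variety."""
    if len(passphrase) < 14 or passphrase.lower() in WEAK_WORDS:
        return True
    classes = sum(bool(re.search(p, passphrase))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes < 3  # need at least three character classes


def rate_access_point(mode, passphrase):
    """Return (severity, reason) for one access point's configuration."""
    mode = mode.upper()
    if mode == "OPEN":
        return ("critical", "no encryption: traffic readable by anyone in range")
    if mode == "WEP":
        return ("critical", "WEP is broken; replace before handling card data")
    if mode.startswith("WPA-"):
        return ("high", "first-generation WPA/TKIP is deprecated; move to WPA2-AES")
    if mode.startswith("WPA2"):
        if passphrase_is_weak(passphrase):
            return ("medium", "WPA2 with a guessable passphrase")
        return ("ok", "WPA2-AES with a strong passphrase")
    return ("unknown", "unrecognized security mode %r" % mode)


def audit_inventory(text):
    """Parse the CSV-like inventory and return one finding dict per AP."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        store, ssid, mode, passphrase = (line.split(",") + [""] * 4)[:4]
        severity, reason = rate_access_point(mode, passphrase)
        findings.append({"store": store, "ssid": ssid, "mode": mode,
                         "severity": severity, "reason": reason})
    return findings


def summarize(findings):
    """Count findings by severity so the worst stores can be fixed first."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for f in results:
        print("%-9s %-10s %-8s %-8s %s" % (f["store"], f["ssid"], f["mode"],
                                           f["severity"], f["reason"]))
    print(summarize(results))
```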

"In some cases you're talking about the equivalent of locking the side gate with a suitcase padlock — it's that insecure," said Paul Vlissidis, a security expert with the Manchester-based company NCC Group.

Once a hacker has stolen the credit card and other information, he or she will typically sell it in online chatrooms where criminals gather to trade such details.

The US charge sheet accuses the alleged hackers of laundering the money using "internet-based currencies" — likely a reference to online payment systems such as e-gold, which facilitate anonymous money transfer.

The main reason that wireless networks used by retail outlets remain weak is the cost of upgrade. "If it's a supermarket that has thousands of those devices to check stock, then you're talking about a massive cost to rip out the old wireless infrastructure," said Paul Cronin, a security tester with the Reading-based company Pentura.

An alliance of credit card companies and banks is working to introduce a new standard that would increase security by requiring stores to satisfy 12 criteria before being allowed to process payments wirelessly.

The Payment Card Industry Data Security Standard (PCI DSS) — which is supported by APACS, the UK payments association — would require stores to use up-to-date encryption, install firewalls, restrict access to information kept on the network and monitor and test their networks regularly.

Wednesday, August 6, 2008

Skimming Threat Strengthens Inherent Value of HomeATM Wedgie

Credit and debit card skimming is becoming all the more commonplace. Fortunately for us, law enforcement is becoming more and more diligent. But will it help? Can they keep up?

I believe these articles provide further insight, if not downright proof, that utilizing a personal swiping device (such as HomeATM's Wedgie) for online transactions is "significantly safer" than swiping a card through a POS device provided by retailers in the physical world.

Another pain at the pump -- credit card skimmers

It's an ongoing problem nationwide -- thieves putting small devices on card readers at gas pumps to steal credit or debit card information. Steve Meissner with Arizona Weights and Measures said it hasn't really been a problem in Arizona. "About a year ago, we did find evidence of a skimmer in one location," Meissner said, adding that he has not seen another case since.

But, he said the state is still vigilant. "We're checking about 22,000 meters a year... Every time we check a fueling device, we open up the meter on the gas pump and look for any evidence of an illegal device like that." Meissner said some devices are easy to spot -- they're external, big and loose. Other times, they're really hard to detect. "There are other devices that are put internally inside the gas pump, which is why we get the key from operators of the gas pump and physically look for anything," he said.

###

Customers and police agencies across the USA are dealing with another pain at the pump, thieves who install hard-to-detect electronic devices at stations to steal credit and debit card data. The skimmed data are used to create cards used at the victims' expense, says James Van Dyke, president and founder of Javelin Strategy and Research, a financial consulting firm that focuses on fraud and identity theft.

Investigations of theft related to skimming devices at gas pumps continue in Arizona, California, Washington, Nevada, Pennsylvania and Delaware, according to various police departments.

Though the most recent cases don't necessarily represent an epidemic, the Secret Service is investigating incidents across the country, says Ed Donovan, spokesman for the agency, which has financial and electronic crimes units. Skimming devices have been used for several years, most often at ATMs. Thieves increasingly target pumps because it's a cheap, easy way to steal credit and debit card information, Van Dyke says.

"Card fraud at gas pumps is a significant problem, and that's because of the unintended nature of the checkout devices," he says. "Essentially, every gas pump is an electronic cash register."

The skimming devices can be installed both inside OR outside the pump. Thieves glue a plastic sleeve, equipped with covered wires that capture data, over the pump's card reader or connect the device directly to the reader inside. The devices are molded and painted to match the machine and are small, making them hard to detect, Van Dyke says. Among recent cases:

• California: San Jose police are investigating a case that began in May, when thieves placed a skimming device at an Arco station, eventually taking more than $200,000 from up to 180 victims, says police department spokesman Jermaine Thomas. The device was on the pump for more than a month, after which the suspects retrieved the machine, Thomas says. "Your normal, average person would not even know that the skimming device is attached," he says.

• Washington: The Pierce County Sheriff's Office is investigating a case where thieves installed a skimming device at an Arco gas pump last August, leaving it there for 11 months and cleaning out at least 120 victims' bank accounts over the July 4th weekend, says sheriff's spokesman Ed Troyer. Reports of fraudulent withdrawals are still pouring in, and the number of victims could reach 250 with a total of $500,000 stolen, he says.

• Pennsylvania: State police recovered four skimming devices installed inside gas pumps at Wawa stations in Delaware, Chester, Montgomery and Bucks counties beginning in April, trooper Christopher Shoap says. He suspects more devices were used at other stations and estimates that several dozen victims have lost tens of thousands of dollars.

• Delaware: The Pennsylvania case is linked to one in Delaware, where police suspect a device was placed and later retrieved at a New Castle Wawa pump, Shoap says. The Secret Service is investigating, says Cpl. Jeff Whitmarsh of the Delaware State Police. The Secret Service would not comment because the investigation is continuing.

• Nevada: The Las Vegas Metropolitan Police Department is investigating two devices placed at gasoline pumps within the past four months, in addition to several cases where devices were placed on ATMs, says Lt. Bob Sebby of the financial crimes unit.

The combined cases total $1 million to $3.5 million stolen from hundreds of victims' accounts, Sebby says. The department is trying to prevent additional identity fraud by asking gas stations to consider placing sticker seals on the pumps that employees can check daily.

"With identity theft, it's not a matter of if you're going to be a victim, it's a matter of when," Sebby says.

###

Meanwhile...on the ATM front:

Police in Montgomery County say they need help from the public in tracking down the suspects who allegedly set up a camera and a skimmer device to record card and PIN numbers from an ATM machine at a Bethesda bank.

Investigators say they were alerted to the scheme on August 2 when a customer told employees of the Bank of America on Rockville Pike he had noticed something suspicious. Police say the man discovered that the light cover of the bank's ATM machine was lying on the counter with a small camera taped to the inside.

Officers say they believe the camera was placed inside the machine to record PIN numbers of customers who used the ATM. Further investigation revealed that a skimmer device had also been placed at the ATM, and it captured the credit and debit card numbers when customers put their cards into the machine.

Detectives say the devices were in place from about 2 p.m. to 6:20 p.m. on Saturday, August 2. Bank of America is in the process of contacting customers whose accounts may have been affected by the scheme.

Related Stories from the past 10 days:

  • Editorial: 'Skimmers' add insults to injuries
  • Crooks steal cash when you pump gas
  • Thieves Skim Cards at Gas Pumps
  • Credit card info 'skimmed' from Phila. area gas pumps
  • 2 sought in debit card skimming thefts (The News Journal)
  • Police Issue Warning About Credit Scammers (CBS 3)
  • Updated: Wawa 'skimming' case (All Around Philly)
  • Suspects sought in skimming
  • Debit skimmers hit Galaxy patrons
  • Tips to spot a skimming device on that debit card reader

High Gas Prices to "Drive" More Shoppers Online

iCongo, Inc., a leading developer of e-business systems and software, today released the results of a consumer survey conducted on their behalf by Harris Interactive(R) that shows the surge in gasoline prices will sharply cut consumers' holiday spending and drive more shoppers online. (pun intended?)

As a result of increasing gasoline prices, nearly 3 in 4 online adults, 73 percent, expect their holiday shopping habits to change in some way, for example, by spending less on gifts (42 percent) and doing more one-stop shopping (40 percent).

Findings show more than one in three online adults (36 percent) are now more likely to shop online rather than in-person as a result of the increasing price of gasoline.

The iCongo survey also shows that nearly nine in ten online adults, 88 percent, currently shop online and, of those, the majority, 96 percent, are more likely to shop online than in-person at a store.  Here's why:
  • 69 percent of online shoppers prefer the ability to shop at any time as a reason they are more likely to shop online;
  • 60 percent said free shipping is a reason they are more likely to shop online; and,
  • 59 percent of online shoppers said lower prices drive them to shop online over in a store.
  • E-retailers frequently offer free or discounted shipping and online-only pricing to drive consumer interest in online shopping.

For full survey results, please email your request to harrispoll@icongo.com.

"Painful gas prices are hitting consumers' pocketbooks and impacting spending habits," said Irwin Kramer, founder and CEO of iCongo. "Our survey shows that 73 percent of all online adults expect their holiday shopping habits to change--a dramatic indication that gas prices are deeply impacting shoppers' attitudes." According to this data, regardless of age, gender, region of the country or income, high gas prices are driving many consumers to shop online.

But...We Need Unfair/Deceptive Practices to Be Profitable, J.P.Morgan?

I got a kick out of this one...let's cut to the Chase...

In May, the Federal Reserve and other regulators proposed steps to end what they called "unfair and deceptive" practices in the credit card industry. The rules aim to protect people from having their interest rates raised arbitrarily. (among other practices)

However, today came this (From JPMorgan Chase):


"The Federal Reserve's proposed rules for credit card lenders could lead the banking industry to lose at least $10.6 billion in interest annually, JPMorgan Chase & Co. said in a letter to regulators, citing a study."


The bank said those industry losses would likely result in a nearly 12 percent increase in annual percentage rates to an average of 16.58 percent! They also said it would result in a $1.1 trillion reduction in total credit lines to consumers; and tighter standards that would stop $11 billion in new accounts from being booked each year.

Editor's Note: Wait...am I getting this right? Is J.P. Morgan really saying, "If the Federal Reserve (in order to prevent our 'arbitrary' interest rate spikes on cards) steps in and attempts to END our 'unfair and deceptive' credit card practices, an interest rate increase will become mandatory"? Are they really saying that they "cannot afford" to do business without deceptive and unfair behavior? Or are they saying, "We'll meet you halfway...we'll get rid of the deception part, but please let us keep 'unfair,' or we stand to lose $10.6 billion in interest fees"?
Wait...there's more:
In a letter sent Monday to the Fed's board of governors, the "Office of Thrift Supervision" and National Credit Union Administration, JPMorgan's Chase Bank subsidiary said the proposed regulation, if finalized, "is likely to have profound effects on Chase's operations and financial results."

The cumulative impact for the participating banks is at least $10.6 billion in annualized interest lost, Chase said in its letter, signed by Associate General Counsel Andrew T. Semmelman.

On Monday, the chairman of the Senate's investigations subcommittee said he supports the Federal Reserve's proposed restrictions on credit card practices -- but that he believes there should be more.
Sen. Carl Levin, D-Mich., wrote in a 13-page letter to the Fed that it should expand its rules to end or restrict such practices as charging interest for debt paid on time; interest on transaction fees; fees levied on consumers paying their bills on time; and billing amounts that force consumers to pay four or five times their original debt.

Back in March, JPMorgan Chase, at the behest of the U.S. government, bought the ailing investment bank Bear Stearns Cos. when it appeared to be near collapse.

Editor's Note: Kind of gives new meaning to the term "conflict of interest," doesn't it? It'll be interesting, to say the least, to watch how this turns out.

Prediction: not good for consumers. Not good for the credit card companies.


Related: Chuck Jaffe writes for MarketWatch:
Cost of Credit Card Reform? Pricey
