Sunday, January 11, 2009

Online Retailers Familiarizing Themselves with Foreign Markets

According to CyberSource, many U.S. online retailers are "overseaing" ways to increase volume from international markets...

With sales in the U.S. slowing for many retailers, many of them are accepting orders from customers in emerging foreign markets including India and China, CyberSource Corp. says in a new study.

One way many retailers are getting more revenue is through international online orders, says Doug Schwegman, director of market and consumer intelligence for CyberSource, a provider of online payments processing and risk management technology and services. The study is based on a survey of 400 online retailers conducted for CyberSource by Mindware Research between Oct. 21 and Nov. 11, 2008. The 400 respondents account for a total of more than $60 billion in 2008 online revenue; 41% of them have annual revenue of $10 million or more, 29% have annual revenue of $25 million or more.

The study found, for example, that about half or more of merchants accept orders from 15 countries outside of the U.S. and Canada. On average, each merchant accepts orders from nine foreign countries.

Most surprising, Schwegman says, is that nearly half, or 49%, of merchants accept orders from India, and that 52% accept orders from China, two markets that may present challenges in shipping and payments. Most payment transactions in these and other foreign markets, however, are handled with common major credit cards including Visa, MasterCard and American Express, he adds.

Also surprising, however, is that few of the surveyed merchants who accept orders from overseas use payment options popular among consumers based in foreign markets. For example, in Germany, where 73% of the surveyed merchants accept orders, only 12% of them accept payments through the bank transfer methods preferred by many local consumers even though CyberSource and other payment services companies can enable U.S. merchants to accept such payments, Schwegman says.

Following are the 15 countries included in the study and the percentage of U.S. merchants that accept orders in each:
  1. U.K., 87%
  2. Germany, 73%
  3. France, 68%
  4. Australia, 68%
  5. Japan, 68%
  6. Spain, 66%
  7. Mexico, 66%
  8. Italy, 65%
  9. Brazil, 55%
  10. Hong Kong, 55%
  11. Singapore, 53%
  12. South Korea, 53%
  13. China, 52%
  14. Taiwan, 50%
  15. India, 49%



ChipPin In

Stanley Opara writes for the Nigerian Punch about his country's transition from magstripe to Chip and PIN. Interswitch is that country's premier transaction switching platform, and it won't be long before the United States stands alone as the only country on the globe yet to commit to EMV.

Nigerian financial market and the chips/PIN revolution
By Stanley Opara
Published: Sunday, 11 Jan 2009

The e-payment industry remains a faction of the techno-driven set-ups, and the impact of this marriage between technology and finance has recorded huge successes as inferred from current statistics and industry analysis.

The truth, therefore, is that e-payment machinery, especially the card technology, is presently enjoying popular patronage, even as its applications in the day to day business activities rest on geometric cruise.

With the penetration deepening by the day, carrying abreast huge transactions, the issue of security and reliability has indeed become an industry subject-matter, with operators, regulators and users really concerned about the way forward.

The move by the Central Bank of Nigeria in this regard, could be described as prompt, and the compelling directive to players to convert technology from the traditional magnetic stripe to chip and PIN/smart card platform, a welcome development.

However, saying the country's card payment industry has come a long way is stating the obvious. Nigeria was among the very first countries that adopted a smartcard payment platform in the 90s with the ValuCard and SmartPAY schemes. These e-purse smart cards could not generate the expected mass adoption due to some technical and strategic challenges. Hence, it was rested in the early 90s. In its place, Nigerian banks decided to adopt cheaper but fraud-prone magnetic stripe cards.

The success of the initiative, powered by InterSwitch, the country's premier transaction switching platform, helped lay a foundation for the e-payment industry in the country and the West African region as a whole.

Today, as a result of this initiative, Nigerian banks have issued over 25 million cards. These cards are being used to process payment transactions on over 11,000 point of sale terminals, 7,000 ATMs and 200 web locations, 50,000 mobile devices...

But in its efforts to follow global best practice and secure global acceptance for cards of Nigeria origin, the CBN has mandated all the banks to convert their payment cards to a smartcard platform by the end of the second quarter of 2009. The CBN shifted the initial September 2008 deadline in order to permit the banks to prepare thoroughly for the expected cutover.

Since major payment card schemes in Europe, Middle East, South America and Africa have been converted to the secured smartcard platform, CBN's position is therefore in line with this global trend.

Experts have maintained that until the introduction of smart card payment system, all face-to-face credit or debit card transactions used a magnetic stripe or mechanical imprint to read and record account data, and a signature for verification, and as worries over the level of fraud associated with magnetic stripe cards heightened in the 1980s, the introduction of extra security measures including on-card photographs and holograms failed to solve the problem.

In the 1990s, card fraud increased. As a result, the payments industry commenced a quest for more secure and authentic replacement for the magnetic stripe.

This search inadvertently led to the mass deployment of the smart cards also known as chip and PIN cards. Specifically, the French developed chip technology, which is also known as smart card technology, and had over the years recorded advancements in processor and circuit technology, allowing the chip to grow in complexity and size with many now holding 100 times the information stored on a magnetic stripe.
continue reading at "The Punch"


Saturday, January 10, 2009

CompuCredit must "Comp You Cash"

$114 million refund in pipeline for subprime credit card users - Action Line - MiamiHerald.com

The Miami Herald is reporting today that CompuCredit was ordered to reverse fees it charged customers they secured with deceptive marketing practices.

Those fees total $110.3 million in reversals and $3.7 million in cash refunds. I suppose that gives a new twist to their "Comp" You Credit branding strategy. Oh, they've got to "comp you cash" if your balance is lower than the amount they've been ordered to compensate.

Here's the story from the Miami Herald...

CompuCredit, a company marketing Visa and MasterCard credit cards to consumers in the subprime credit market, has agreed to reverse fees charged to eligible consumers' accounts to settle allegations that it violated federal law, according to the Federal Trade Commission. It is estimated that the redress program will result in more than $114 million in credits to consumer accounts.

Eligible consumers whose current balances are less than the amount of credits to be applied will receive an estimated $3.7 million in cash refunds.

In a federal court complaint filed in June 2008, the FTC alleged that CompuCredit engaged in deceptive conduct in connection with marketing credit cards. The FTC also alleged that Jefferson Capital Systems, a debt collection company wholly owned by CompuCredit, engaged in deceptive conduct in marketing credit cards as part of its debt collection activities and engaged in abusive practices while collecting debts.

Eligible consumers will be identified from company records and contacted.




Friday, January 9, 2009

Software Breach 92 Times More Likely than Hardware Breach

Yesterday, DTN wrote that Fireman's Fund Insurance is offering SMEs payment card breach insurance. That kinda gives you an idea how serious of a problem these breaches really are.

Remember, software is 92 times more likely to be breached than hardware. (In 400+ breaches, 92% were "software related" (combining POS and Online Shopping Cart software) while only 1% were hardware related). Source: Trustwave (PDF)

Oh, by the way, the 1% of hardware device breaches were the result of tampering, which is highly unlikely, if not virtually impossible, to occur with your own personal swiping device from HomeATM. I sincerely doubt anyone would break into your home and start fiddling with your personal card swiper and leave your big screen HDTV on the wall...don't you?


So which would you rather use if you were shopping online? A software-based application, or a hardware-based solution?


With Breaches Rising, Insurer Offers Card-Compromise Coverage


"Fireman’s Fund Insurance Co. this week unveiled what it says is the first coverage available to small and medium-sized businesses for losses from payment card data breaches. News of the policy came on the same day that a non-profit research organization reported that data breaches increased 47% last year. The idea behind the coverage, according to Brian Gerritsen, product director at Novato, Calif.-based Fireman’s, is to give peace of mind to business owners who are diligent about complying with the Payment Card Industry data-security standard, or PCI, the card networks’ uniform protection rules that all card acceptors are supposed to meet."

Continue reading at Digital Transaction News




TJX Suspect Gets 30 Years


In a follow up to a series of posts I've dubbed "Hacker's 11," The Boston Globe reports that a suspect has been jailed in Turkey for an unrelated (well, related in the sense that he was found guilty of an unrelated cybercrime) case. It is believed to be the harshest sentence ever for a cyber-related crime.

In a separate article, Finextra reports: "Although US authorities filed extradition papers against Yastremskiy, he has now been convicted in Turkey on the separate charges. According to local reports, he pleaded not guilty but was convicted yesterday in a court in the city of Antalya."

Here's the story from the Boston Globe:

Suspect in TJX data theft sentenced in Turkey in unrelated case - The Boston Globe

By Ross Kerber and Musa Kesler, Globe Correspondent | January 9, 2009


ISTANBUL - A Ukrainian man who authorities allege played a key role in the largest data theft on record was sentenced to 30 years in prison in Turkey yesterday in an unrelated case.

US prosecutors have said that Maksym Yastremskiy was instrumental in the sale of credit and debit card numbers stolen from the retailer TJX Cos. of Framingham and other companies. While the sentence may be one of the longest ever handed down in a cybercrime, the conviction could hamper his prosecution in the United States.

He and 10 others were charged last year with (Editor's Note: See Graphic on Right) being part of a ring of thieves from around the world that broke into nine major US retailers' computer systems, stealing customer data and then selling that information. The thieves allegedly hacked into the systems and installed programs to capture data.

Yastremskiy, according to prosecutors, earned more than $11 million from his illicit activities. He has also been charged in another US case, involving theft of data from a Texas restaurant chain.

Court documents indicate that in TJX's case, as many as 100 million card numbers were stolen. Prosecutors alleged the ringleader was Albert Gonzalez of Miami.

A 27-year-old business school graduate, Yastremskiy was arrested in 2007 while on vacation in the Turkish resort of Kemer. His attorney, Ridvan Yildiz, said he was charged with breaking into Turkish bank accounts electronically, to which he pleaded not guilty.

He was sentenced yesterday in Antalya, a city on Turkey's southwestern Mediterranean coast near the resort town.

Before sentencing, Yildiz said, Yastremskiy told the judge: "I am innocent. I didn't do anything to break bank accounts. Somebody else did it, not me. I want to be released from the jail."

Yastremskiy had also argued that a laptop computer found in his hotel room containing bank information belonged to a friend.

Yildiz plans to appeal the sentence to Turkey's highest court, known as the Yargitay.

The 30-year sentence was at the low end of the range of 24 to 72 years sought by prosecutors.

Mark Rasch, a former federal prosecutor and computer-crimes expert in Bethesda, Md., said the sentence was the longest he had ever heard of involving a cybercrime. It would be allowed under US laws only if the offenses had led to death or other extreme consequences, he said.

Yet the heavy sentence could give US prosecutors influence in obtaining Yastremskiy's cooperation against others. "This would be great leverage," Rasch said.

A previous defense attorney for Yastremskiy had said that US officials have sought to extradite him, but that Turkish law prevents that until after he serves his sentence.

Yesterday, US Justice Department officials would only say they continue to seek Yastremskiy's extradition. US prosecutors in Boston have already won several guilty pleas from minor figures in the case.

Ross Kerber can be reached at kerber@globe.com. Kerber reported from Boston. Kesler, a correspondent for the newspaper Milliyet, reported from Istanbul



POS Special Issue from JBF (not me)

The Journal of Business Forecasting (JBF) has published a special Point of Sale Issue. Here's their press release.

Great Neck, N.Y., Jan. 9, 2009 -- As businesses continue to search for better ways to thrive in a volatile economic climate, the IBF offers guidance with a special issue of the Journal of Business Forecasting, which includes 12 articles on demand planning & forecasting with Point-of-Sales (POS) / Syndicated data. This issue has all you need to know about how to keep pace with consumer behaviors and make better decisions with consumption data. Winning companies are the ones leveraging consumption data for forecasting in this economic climate.

Over the past months, the world's current economy has forced change in demand planning and forecasting processes. Consumers continue to be less loyal, more demanding, and more cost conscious. In order to operate efficiently and profitably in this environment, making decisions based on what consumers are doing is extremely valuable. This special issue will give professionals best practices in forecasting & planning with POS/ Syndicated data that can spell survival for retailers who integrate them into their business strategy.

Highlights include the articles by demand planning & forecasting professionals, such as Jeff Brown's article (Consumer Driven Forecasting to Improve Inventory Flow: Brown Shoe Company's Journey) about how the Brown Shoe Company implemented a forecasting process to capture information about consumers' purchases so they could synchronize demand with factory operations. The article by Robin Simon gives the ABC's of POS-based demand planning and forecasting while the article by Larry Lapide from MIT discusses the what, why, and how of POS data. Hugh McCarthy from Nestle explains how to enhance the demand planning process with POS forecasting; Mike Borgos from Osram Sylvania tells how to maximize POS as a source of data and insight; and Richard Shapiro from Jarden Consumer Solutions gives details on how to use POS data in demand planning.

The Journal of Business Forecasting, a leading quarterly publication of the IBF for nearly 30 years, is complimentary with IBF membership. This commemorative Point-of-Sale (POS) and Syndicated Data Winter 2008-2009 issue will hit the shelves in January 2009.

To reserve your copy and download a free sample article from this special issue visit: www.ibf.org/POSPR.cfm

Source: Company press release.





See You Later...


Amazon Cuts Ties with Bill Me Later, still holds equity stake.

On Dec. 31st, 2008, (to no one's surprise) Amazon removed Bill Me Later as a payment option from its website. PayPal purchased Bill Me Later in October for $945 million, and Amazon had invested in them almost a year earlier.


According to The GreenSheet, "Amazon's statement offered no explanations; it simply said, 'Bill Me Later will no longer be accepted as a payment method on Amazon. However, all sales and orders processed with Bill Me Later prior to the sunset date will continue to be processed.'" More than 1,000 online stores, catalogs and travel sites currently offer BML as a payment method, they said.

In December of 2007, Amazon took an equity stake in Bill Me Later, which competed with PayPal's Pay Later service.

The way Bill Me Later works is you enter your birth date and the last four digits of your social security number online, and it does a credit check on you in three seconds to determine whether you are worth the risk. Bill Me Later pays the merchant, and sends you a bill.

I imagine that Amazon will sell its stake in BML but as of yet, no announcement has been made.



Big Show Starts Sunday

What are you doing this Sunday?





Thursday, January 8, 2009

Custom Fraud Possible? Yahmon!


Here's a letter to the editor of the "Jamaica Gleaner" published under the title: "A dangerous practice"

It illustrates how aware consumers are becoming of potentially fraudulent/risky practices. Mr. Cooke knows better than to punch debit/credit card numbers into a computer. So I have two questions:


1. Why isn't the Jamaican Customs Office as aware?

2. What on earth was the agent thinking (drinking) entering a PIN (using a keypad) into a computer? It's high time they put some more energy into preventing this type of behavior...

As the title states...it's a dangerous practice.

The Editor, Sir:


Kindly publish this as an open letter to Director of Customs Danville Walker and Minister of Finance Audley Shaw.


Dear Sirs,


I wish to comment on a practice I encountered at the Customs office at Berth 6 Newport West on January 5. I attended there to clear a barrel of food and clothing sent by my wife's siblings in New York. The process was relatively quick and easy, given past experiences clearing personal effects there in 1999. But when I went to pay the customs duty at the cashier, I was shocked to be asked to hand over my debit card with which I was paying the fee.

Instead of asking me to swipe my debit card in a machine, as is usual, the clerk asked for my card and then entered the number of the card and relevant particulars in the computer, and enquired whether it was a chequing or savings account. She then asked me to enter my PIN and press enter, before handing me back my card.

I remarked to her that this was unusual, (translation: he wasn't "a custom'd" to this?) and that the card was private as it contained personal information that could be retrieved and used by someone fraudulently.


This practice is dangerous and should be stopped as identity theft has become a very prevalent crime in recent years. It should be necessary only to have the customer swipe his card, enter his PIN, and press enter to get confirmation from the card company for the amount required.

I must strongly object to this dangerous practice which can put customers' bank accounts at risk to unscrupulous persons. Please, Mr. Commissioner of Customs and Mr. Minister, review and change this practice for the security of your customs.

I am, etc.,
LLOYD A. COOKE
Royal Flat Box 642 Mandeville PO


Mercator on China's Payment Market


New research report by Mercator Advisory Group.

China's payment card market continued to grow at dazzling speed from an already sizable base over the past two years.


By September 30, 2008, there were 1.73 billion credit and debit cards in circulation, up 18.8% from a year earlier.  By the end of 2008 the number should reach over 1.8 billion, making China by far the largest card market in the world by card numbers.

Even though payment cards' share of China's consumer spending still lags behind major developed card markets such as the U.S. and the U.K., there is tremendous upside potential for payment cards in China with the improving card acceptance environment and the growing consumer spending.

There are important changes in the industry in 2008; however, as the impacts of global economic recession caught up with China, consumer spending has slowed down. Sales and marketing costs have stayed high, the debit card market is quickly approaching saturation and growth has significantly slowed down. The credit card delinquency rate has risen sharply and could double in 2009. Regulators have issued alerts on the rising risks, and issuers are starting to adopt a more cautious approach towards new card issuing and to look at their existing card accounts more carefully. It appears that many credit card issuers might delay, change, or cancel their aggressive market expansion plans and put more focus on improving the performance of existing accounts than they used to.

This may not be a bad thing after all. Terry Xie, Director of Mercator Advisory Group's International Advisory Service and principal analyst on the report, comments, "The economic slowdown might be a disguised blessing to the development of China's credit card industry. There is little question that it would further delay the whole industry from breaking even. Nonetheless it provides an opportunity for Chinese credit card issuers to slow down their pace and re-examine their developments and possibly rethink their growth strategies before the problem becomes too big."


The latest report from Mercator's International Advisory Service provides an overview on the latest developments in China's payment card market. Market growth in card issuing, card acceptance, credit card receivables, and purchase transactions are discussed. Key strategic developments, including the slowing market expansion, changes in issuer strategies, increasing credit risks and card frauds, increasing roles of the Big Four, and the entry of foreign banks such as the Bank of East Asia, HSBC, Standard Chartered, and Citibank in the domestic card markets are also discussed.

Highlights from this report include:

After several years of explosive growth, China's payment card market is moving into a new development stage, in which risk control, profitability and controlled growth become key themes over the next two years.

China's card market continued to grow significantly over the past two years, and the growth is expected to continue through the next two upcoming years, though the pace will slow down.

Issuers will need to better control the increasing credit risks, even at the expense of slowing down their expansion plans.

Card fraud in China is still relatively low thanks to the fact that PINs are required for all POS/ATM transactions on domestic cards. But ID theft, fraudulent cash advances, and counterfeit international cards are rising.

The Big Four state-owned banks will become dominating players in the credit card market, just as they have been in the debit card market.

Foreign banks will seek to play a more important role in the competition in the domestic market. But they will need to find their niche market segments and they still have a long way to go.

Members of Mercator Advisory Group have access to this report as well as the upcoming research for the year ahead, presentations, analyst access and other membership benefits.

Please visit us online at http://www.mercatoradvisorygroup.com/


APACS Overseas Fraud


A spokesman for APACS says overseas fraud using British cards has increased over the last couple of years because scam artists are using them to pay for goods in countries that do not yet use Chip and PIN technology. I wrote about this in early October. (Some People Claim That There's a Woman to Blame)

They are advising cardholders to make sure their bank has up-to-date contact details for them and that they always check their statements against their receipts to detect any suspicious transactions.


"Your card can be used abroad even when you're not. You are getting cards being compromised in the UK and then going abroad without you," the spokesman said.

According to APACS fraud statistics for January to June 2008, plastic card fraud losses were up 14 per cent to £301.7 million in the first six months of last year, of which more than 40 per cent was the result of fraud abroad. Around 40 per cent of the total was due to fraud committed overseas, it said.








Why $4.00 a Gallon is More Appealing to NPS

There's a company that came up with a nifty idea...at least it was nifty  when gas prices skyrocketed and gas station owners saw how credit card usage affected their bottom lines. 

According to a story on CreditCards.com (How to turn your driver's license into a debit card), they have come up with a patent-pending process that allows consumers to use their driver's license (or any card with a magstripe) to bypass the national bank-owned credit/debit card networks (Honor, Star, Interlink and others) and offer debit card processing through the direct deposit Automated Clearing House (ACH) network to gas stations and convenience stores at a fraction of the cost.

I'll bet that National Payment Card is hoping that gas goes back up to $4.00 per gallon, because at that level, (IMHO) this program would have a lot more momentum. Even their website uses the $4.00 per gallon comparison price point.

My viewpoint is that at $1.60 per gallon, it doesn't quite have the stigma it would have at gas price levels we saw last summer.  Nonetheless, to go after a vertical with an ACH Decoupled Debit Platform, that uses any card with a magnetic stripe was/is an innovative approach after the Honor All Cards ruling in 2004, and if gas goes back up to $4.00 per gallon, then I'd look for this idea to be more appealing to petrol owners. 

Still, there's always Europe. (oops, don't know if DLs have magstripes there)... In the US, less than 50% (24 states) use magstripes on the back of their driver's licenses (see map on right; the ones in yellow use magnetic stripes). Still, the ones that do make up 61% of total gas stations in the US according to their website.

Still, I thought it interesting and innovative enough to share on the PIN Debit Payments Blog. Here's some information on the program from their website:

National Payment Card is introducing a next-generation payment mechanism with the designation “Payment Card.” The National Payment Card substantially reduces your cost associated with "bank-networked" debit and credit card processing.

The Payment Card system provides consumers access to funds in their checking accounts so they may pay for fuel at participating locations. Editor's Note: Once again, at $4.00+ a gallon there would be more of a willingness for gas station/convenience store owners to participate, but as of now, only a handful, well, six to be exact...are doing so...

The Payment Card is not a credit or debit card that is linked through the national bank networks such as “Honor, Star, Nice and Interlink." The National Payment Card system can provide connectivity via existing payment processing networks or directly to the National Payment Card host services. Consumer authentication is via PIN at the pump.

How They Do It:
  • The Consumer becomes aware of the program at the station through pump toppers and audio messages.
  • The consumer enrolls in the program via the Internet, telephone or mail. The consumer's checking account information and consumer-selected PIN are the key elements of the enrollment data.
  • At the time of tender, a consumer who chooses the Payment Card as a method of payment will swipe the Payment Card as a credit card. The POS application will prompt for a PIN and the transaction will be sent to National Payment Card for validation.
  • The transactions are processed through the National Payment Card network.
  • National Payment Card then performs an EFT on the accounts, collects the funds and credits the gas station operator’s account within 24 hours. National Payment Card bills once a month for the transaction fees.
  • The entire process is computerized and automated with a solid audit trail. Reports can be sent by e-mail or viewed 24/7 on a secure VeriSign merchant web site.
  • At a predetermined time each day, transactions collected by National Payment Card are batched to the ACH for settlement.
  • The Payment Card is designed to be a traffic builder and loyalty program for your operators by providing consumers an immediate savings benefit while shopping.

30% of Online Retailers Offer AltPay



According to a study conducted by Brulant and relRosetta, 30% of online retailers are offering AltPay methods, up from 24% last February. Bill Me Later had the highest adoption at 21%, followed by PayPal at 19%.

Here's their press release along with their study. The graphic is just a portion. To see the full illustration (PDF), click here.


Online retailers offering more alternative payment methods, new study shows
30% of 100 major online retailers were offering new payment methods as an alternative to credit cards in December 2007, up from 24% in February, according to a study by Brulant, a provider of interactive marketing and web site design services.


The study showed the highest alternative payment adoption rates for the Bill Me Later deferred billing service, at 21%, followed by PayPal at 19% and Google Checkout, 10%. 5% of the companies in the study offered all three of these payment methods.


“One of the most surprising findings is the increase in retailers offering all three alternative payment methods,” says Brulant principal Adam Cohen, noting that none of the same retailers offered all three methods in February 2007. “Today we find 5% adoption of all three at a variety of retailers from Toys ‘R Us to PetSmart to Rite Aid. This reinforces the ‘customer is king’ mentality, as retailers begin to offer a multitude of choices for checkout.”

Brulant also notes that 76% of online retailers surveyed accept private label gift cards as a payment method.

The study found that PayPal scored the largest increase in adoption between February and December 2007, at 217%, while the adoption of Google Checkout doubled. PayPal, a subsidiary of eBay Inc., is a third-party payment service that pays merchants on behalf of consumers, who fund their PayPal account with payment cards or bank accounts. PayPal also offers PayPal Pay Later, a deferred payment system that, like Bill Me Later, lets consumers make payments over time, often as part of a retailer’s promotional plan.

Google Inc.’s Google Checkout lets shoppers pay with their credit and debit cards through a streamlined checkout process. Google has offered merchants free card processing, an offer that ends Jan. 31. After that, online retailers will be able to process $10 in purchases free for every $1 they spend on Google’s AdWords search marketing program. Otherwise, Google will charge 2% of the purchase amount plus 20 cents.


Triple DES for GAS

In an effort to fight an onslaught of card skimming at gas stations, Visa has mandated that all new gas dispensing machines must support Triple DES effective January 1st. For existing machines, Triple DES must be implemented into pay at the pump stations by July 2010.

Last night, when I was on ComputerWorld's site reading about CheckFree's 5 million (or more) customers being put on alert, I also noticed this article announcing Visa mandating Triple DES support on all new fuel dispensing machines. For your convenience, I've included a couple of links, in order to familiarize anyone who's interested in learning more about the Triple Data Encryption Standard.

Here are a couple of paragraphs from a story by ComputerWorld's Jaikumar Vijayan...


Clock Ticking For Gas Stations to Pump Up Security
Starting Jan. 1, Visa Inc. is requiring all new fuel-dispensing machines being installed at gas stations around the U.S. to support the Triple Data Encryption Standard, a mandate that is designed to make it harder for identity thieves to steal debit card data from gas pumps by shielding the personal identification numbers (PIN) of customers.

So-called card-skimming devices placed on gas pumps have been used to compromise payment card data in the past — for example, in 2005 at stations operated by Wal-Mart Stores Inc.'s Sam's Club division. Editor's Note: And hundreds of gas dispensers across the country since then...this blog has covered many of those stories...click here for the complete list.

Visa's new requirement calls on gas retailers to ensure that all new pumps capable of processing debit card purchases are equipped with an encrypting PIN pad, or EPP, that supports Triple DES.

Although Visa is the only credit card company mandating the use of the encryption technology now, the requirement is expected to become part of a broader specification for unattended point-of-sale systems that is being developed by the PCI Security Standards Council, which is responsible for the Payment Card Industry Data Security Standard and other data protection measures.

Gas station owners have until July 1, 2010, to ensure that all of their existing pumps are upgraded to support Triple DES.
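To make concrete what the mandate's "encrypting PIN pad" actually does, here is an added worked example in Go, written for this post; it is not code from ComputerWorld, Visa, or any pump vendor. It builds an ISO 9564 format 0 PIN block (the standard clear-text layout an EPP starts from), encrypts that single 8-byte block with Triple DES under a PIN-encryption key shared with the host, and shows the host side reversing it. The PAN, PIN and key are constructed sample values; in a real pump the key lives inside the pad's secure module and the host side runs inside an HSM, so no application code ever sees the clear PIN.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ISO 9564-1 format 0: the clear 8-byte PIN block is (PIN field) XOR (PAN field).
func allDigits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }
func hexField(s string) ([8]byte, error) {
	var f [8]byte
	b, err := hex.DecodeString(s)
	if err != nil {
		return f, err
	}
	copy(f[:], b)
	return f, nil
}
func xor8(a, b [8]byte) (out [8]byte) {
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return
}

// pinField: format nibble '0', PIN length nibble, PIN digits, then 'F' padding.
func pinField(pin string) ([8]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return [8]byte{}, errors.New("PIN must be 4 to 12 digits")
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	return hexField(s + strings.Repeat("F", 16-len(s)))
}

// panField: '0000' then the rightmost 12 PAN digits with the check digit excluded.
func panField(pan string) ([8]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return [8]byte{}, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1] // drop the Luhn check digit
	return hexField("0000" + body[len(body)-12:])
}

// ClearPINBlock binds the PIN to the account: a block captured for one card
// does not decrypt to a usable PIN for another.
func ClearPINBlock(pin, pan string) ([8]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return pf, err
	}
	af, err := panField(pan)
	if err != nil {
		return af, err
	}
	return xor8(pf, af), nil
}

// tdes runs one 3DES block operation. A double-length key (16 bytes, K1||K2) is
// expanded to K1||K2||K1; crypto/des rejects any key that is not 24 bytes.
func tdes(key []byte, in [8]byte, decrypt bool) ([8]byte, error) {
	var out [8]byte
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return out, err
	}
	if decrypt {
		c.Decrypt(out[:], in[:])
	} else {
		c.Encrypt(out[:], in[:])
	}
	return out, nil
}

// EncryptPINBlock is the pad side; DecryptPINBlock is the host (HSM) side.
func EncryptPINBlock(key []byte, clear [8]byte) ([8]byte, error) { return tdes(key, clear, false) }
func DecryptPINBlock(key []byte, enc [8]byte) ([8]byte, error)   { return tdes(key, enc, true) }

// RecoverPIN strips the PAN field off a decrypted block and reads the PIN out.
func RecoverPIN(clear [8]byte, pan string) (string, error) {
	af, err := panField(pan)
	if err != nil {
		return "", err
	}
	pf := xor8(clear, af)
	h := strings.ToUpper(hex.EncodeToString(pf[:]))
	n := int(pf[0] & 0x0F)
	if h[0] != '0' || n < 4 || n > 12 || !allDigits(h[2:2+n]) {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return h[2 : 2+n], nil
}

func main() {
	// Constructed sample values: made-up PAN, PIN and test key, not real data.
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	pan, pin := "4321987654321098", "1234"
	clear, err := ClearPINBlock(pin, pan)
	if err != nil {
		panic(err)
	}
	enc, _ := EncryptPINBlock(key, clear)
	dec, _ := DecryptPINBlock(key, enc)
	got, _ := RecoverPIN(dec, pan)
	fmt.Printf("clear block %X\nencrypted   %X\nrecovered   %s\n", clear[:], enc[:], got)
}
```

Two things worth noticing: the PAN is XORed into the block, so an encrypted block lifted from one pump cannot simply be replayed for a different card; and because a PIN block is exactly one cipher block there is no chaining mode at all, which is why the key management around the pad (unique keys per device, rotated) matters as much as the algorithm the mandate names.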



Wednesday, January 7, 2009

CheckFree Warns 5 Million Customers After Hack

I received a couple of emails in the last few weeks from CheckFree customers who had read my postings about the Fiserv DNS hack. One such email, from a reader whose name I'll leave out to respect his privacy, expressed concern that there was more to this than CheckFree was letting on. He wrote...

..."It is my belief that there was more to this hack than CheckFree is 'fessing up to (I am writing you because you alluded to how much worse the attack could have been in your blog post). When I spoke with the CheckFree folks, they assured me the only thing that would have happened was I would have been redirected to a blank screen. If the process was different, I would have noticed. Do you have any suggestions as to how I might find others who may have had the experience I had?"

To which I responded:

"First, sorry to hear about your experience with CheckFree. Second, thanks for following the PIN Debit Blog. Unfortunately, I am not aware of any methods to identify other victims of the recent CheckFree hack.


I do agree (with you) that there is probably more than meets the eye, in terms of the fallout of the hack. Some of these sites like CheckFree are a window to hundreds of financial institutions, protected by a single username and password. I'm surprised no one has raised the question of whether or not the financial information — which presumably has to be stored for record keeping purposes — might have been compromised.

If I hear of anything that might be of help to you, I'll certainly forward it. In the meantime, your best bet is to work directly with CheckFree. My understanding is that some malware may have been uploaded to your PC, so stay alert and keep an eye on your personal accounts."

Now it seems that he was right about them not totally "fessing up" because today, CheckFree warned 5 million customers to be on alert.

Here's the story by Robert McMillan of ComputerWorld.

CheckFree Corp. and some of the banks that use its electronic bill payment service are notifying more than 5 million customers that criminals took control of several of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine.

The Dec. 2 attack was widely publicized shortly after it occurred, but in a notice filed with the New Hampshire Attorney General, CheckFree disclosed that it was warning many more customers than previously thought.

That's because CheckFree is not only notifying users of its own CheckFree.com Web site of the breach, it is also working with banks to contact people who tried to pay bills from banks that use the CheckFree bill payment service.

"The 5 million people who were notified about the CheckFree redirection were a combination of two groups," said Melanie Tolley, vice president of communications at CheckFree's parent company, Fiserv Inc., in a statement. "1.) those who we were able to identify who had attempted to pay bills from our client's bill pay sites and minus those who actually completed sessions on our site, and 2.) anyone enrolled in mycheckfree.com."

Tolley wouldn't say what banks were affected by the hack... (continue reading at ComputerWorld)




Got Hacked? Bank on It

In December, I posted twice about Fiserv's CheckFree hack, whereby their domain name was "webjacked." (see: CheckFree Not Hackfree and/or CheckFree Not Hackfree 2)

So, for the third time (but only the first time this year) I'm covering an article written about domain name webjacking...this time from USBanker.


I'm sorry to report that it doesn't look like this will be the last time this year that I'll be talking about webjacking (for lack of an official word). Some observers say they've seen signs that these webjack attacks will become almost as common as a Gulf of Aden pirate attack.

When I wrote in the first post, "Imagine how exponentially more "effective" the "webjacking" would have been if unsuspecting users were "redirected" to what looked to be CheckFree's site vs. a blank page," I was hinting at the fact that it was most likely only a test.

After all, why would someone go through the hassle of bringing CheckFree users to a blank page when they could have brought them to an exact replica of CheckFree's log-in site? That's probably the easiest part to create in the whole scheme. I'm purely speculating here, but maybe they were simply running a test which gave them insight as to how they could take full advantage of the "httbs" in the "https" (prior to "researchers" having "let the cat outta the bag" in Berlin last week).

I mean, who's to say that these "White Hats" (as they are also known) are always beating the "Black Hats" to the starting gate? What if the opposite is true? Maybe these Black Hat guys are light years, well, maybe not light years, but dark years ahead of us?

One thing I am sure of...I'm sure there are a lot more "Max Visions" out there than we are led to believe. Keep in mind that the Max Visions of the world are working at cracking code "full-time." They're hackers, not slackers. On the flip side of the equation, most "White Hats" are hobbyists (they used PlayStation 3s, for chrissakes :), go to MIT (see: Sorry Charlie, You've Been Hacked), while others have full-time jobs (for instance, those very same MIT students who were then hired by the MBTA as a reward for hacking into their system)...see related stories below for more.


Black Hats not only work "full-time" on hacking...and subsequently wreaking havoc on financial institutions and account holders, but there's a bigger picture, beyond just the hack itself. Where do you think a good portion of the money goes? Suffice it to say that, unlike the Chicago White Sox mantra, good guys don't wear black.

That said, let's see what we're up against here...

There are unsafe web browsers, and then there's webjacking, phishing, whaling, wardriving, malware, keylogging, screen capturing, skimming, pharming, spyware, botnets, worms, viruses, DoS attacks, packet sniffers...(you starting to get the picture?) So what is an online shopper to do?

I once again state that the best way to purchase via the internet is with your own personal card swiping device. It could even be used to log on to your online bank. Just swipe and enter your PIN.

Hey...maybe the banks, who are already at huge risk...could mitigate some of that very same risk and, at the same time, keep their customers from getting burnt. I have a toast. Here's to a campaign similar to the one they ran back in the '50s and '60s, only this time...they give away our personal swiping devices. Otherwise, if this continues, which it will, they're toast...

Sorry, kinda got off on a tangent there...here's more on "when hackers take control of a bank domain name," with more instances to follow...I'm sure of it...(said the same thing about skimming last year).

From the American Banker publication, usbanker:


Security experts are warning financial companies of a relatively new type of computer attack in which hackers gain control of a bank's domain name.

The technique gained widespread attention last month when hackers briefly took over the domain names of Fiserv Inc.'s CheckFree bill payment unit, and observers say they have seen signs that this form of attack will be used more widely this year.

The domain name system, or DNS, attack "in late 2008 has started getting a lot of attention from attackers, as opposed to past years, when this area was pretty quiet," Amit Klein, the chief technology officer at Trusteer Ltd. of Tel Aviv, said in an interview.



"The major reason" for the trend, he said, "is that attackers found out that it's much easier to get users to browse to so-called legitimate sites rather than direct users to sites that are obviously not legitimate."

Most phishing attacks involve fake sites that replicate a bank's site but must be hosted elsewhere. In some cases, fraudsters are able to register domain names that include the brand of the site they are imitating, but people who type banks' domain names into the browser each time they visit would typically not be directed to fake sites.

Because consumers are aware of such ways to avoid false sites, "the effect of phishing, at large, is somewhat less than it used to be," which has prompted attackers to seek new methods, Mr. Klein said.

A DNS attack "does take a bit more expertise" than phishing does "but not a lot more," he said, especially since expertise can be bought. "Everything that's very sophisticated today becomes a kit within a year or two … if it's proven successful enough."
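The article describes the attack but not what a bank can watch for. As an added example (not from US Banker, Trusteer, or CheckFree), here is a Go baseline check of the kind a monitoring job could run every few minutes: it compares what public resolvers currently return for the bank's domain (its delegated nameservers, the login host's addresses, the TTL) against a baseline the owner keeps outside DNS. All names, addresses and TTLs below are constructed placeholders; the addresses come from the RFC 5737 documentation ranges.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Baseline is the owner's expectation. It is kept in the monitor's own
// config, not in DNS, so a hijacked zone cannot rewrite what "normal" is.
type Baseline struct {
	NS     []string // nameservers the parent zone should delegate to
	A      []string // addresses the login host should resolve to
	MinTTL int      // lowest TTL the owner ever publishes for that host
}

// Snapshot is one observation gathered from a resolver.
type Snapshot struct {
	NS  []string
	A   []string
	TTL int
}

type Finding struct {
	Severity string // critical, high, medium, low
	Detail   string
}

// norm lowercases names and drops trailing dots so comparisons are stable.
func norm(in []string) []string {
	out := make([]string, 0, len(in))
	for _, s := range in {
		out = append(out, strings.TrimSuffix(strings.ToLower(strings.TrimSpace(s)), "."))
	}
	return out
}

// diff returns baseline entries not observed and observed entries not in the baseline.
func diff(expected, observed []string) (missing, unexpected []string) {
	exp, obs := map[string]bool{}, map[string]bool{}
	for _, e := range expected {
		exp[e] = true
	}
	for _, o := range observed {
		obs[o] = true
		if !exp[o] {
			unexpected = append(unexpected, o)
		}
	}
	for _, e := range expected {
		if !obs[e] {
			missing = append(missing, e)
		}
	}
	sort.Strings(missing)
	sort.Strings(unexpected)
	return
}

// CheckSnapshot compares one observation with the baseline. Unexpected
// nameservers or addresses are the signature of a redirected domain (the
// first means the registrar delegation changed, the second the zone data);
// missing entries and a lowered TTL are weaker signals worth a look.
func CheckSnapshot(b Baseline, s Snapshot) []Finding {
	var f []Finding
	missNS, extraNS := diff(norm(b.NS), norm(s.NS))
	if len(extraNS) > 0 {
		f = append(f, Finding{"critical", "delegation points at unexpected nameservers: " + strings.Join(extraNS, ", ")})
	}
	if len(missNS) > 0 {
		f = append(f, Finding{"high", "expected nameservers absent from delegation: " + strings.Join(missNS, ", ")})
	}
	missA, extraA := diff(norm(b.A), norm(s.A))
	if len(extraA) > 0 {
		f = append(f, Finding{"critical", "host resolves to unexpected address(es): " + strings.Join(extraA, ", ")})
	}
	if len(missA) > 0 {
		f = append(f, Finding{"medium", "expected address(es) no longer returned: " + strings.Join(missA, ", ")})
	}
	if s.TTL < b.MinTTL {
		f = append(f, Finding{"low", fmt.Sprintf("TTL %d is below the published minimum %d", s.TTL, b.MinTTL)})
	}
	return f
}

// Hijacked is the page-someone condition: any critical finding.
func Hijacked(f []Finding) bool {
	for _, x := range f {
		if x.Severity == "critical" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed baseline and observations (placeholder names, RFC 5737 addresses).
	base := Baseline{NS: []string{"ns1.bank-example.test.", "ns2.bank-example.test."},
		A: []string{"192.0.2.10", "192.0.2.11"}, MinTTL: 3600}
	normal := Snapshot{NS: []string{"NS1.bank-example.test", "ns2.bank-example.test"},
		A: []string{"192.0.2.11", "192.0.2.10"}, TTL: 3600}
	redirected := Snapshot{NS: []string{"ns1.hostile-example.test", "ns2.hostile-example.test"},
		A: []string{"198.51.100.7"}, TTL: 300}
	for _, snap := range []Snapshot{normal, redirected} {
		fs := CheckSnapshot(base, snap)
		fmt.Printf("hijacked=%v findings=%d\n", Hijacked(fs), len(fs))
		for _, x := range fs {
			fmt.Printf("  [%s] %s\n", x.Severity, x.Detail)
		}
	}
}
```

Two practical points: the baseline has to live somewhere neither the registrar account nor the DNS provider account can touch, since those are exactly what an attacker takes over; and the job should query several independent resolvers, because a redirect that only some of the world sees is still a redirect.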











Tuesday, January 6, 2009

Anti-Skimming Recommendations from SEPA

I covered card skimming on this blog extensively in 2008. There's a big problem in Europe, which has instituted EMV: magstripes are skimmed there, transferred onto cloned cards, and used in the United States, where EMV is nowhere to be found. SEPA (Single Euro Payments Area) has now released recommendations to fight skimming in Europe.

Here's page one of a three-page PDF.

INTRODUCTION

The growth of skimming fraud is a major driver for the rollout of EMV across the SEPA. This should be completed by 2010 and it has already resulted in dramatic reductions in the use of fraudulently duplicated cards in the countries where it has been introduced. However, it has also resulted in fraudulent transactions migrating to countries where EMV has not yet been implemented or is not planned, often outside the SEPA area. As many such countries have no plans to introduce EMV, cards will continue to have both mag-stripe and chip and therefore there will remain a significant risk of a fraudster skimming a magstripe in an EMV country and using the duplicate card in a non-EMV country or environment.

BACKGROUND

Card skimming involves the capture of a card’s mag-stripe information (which may be debit, credit or ATM only), and matching it with the card’s PIN number in order to produce a duplicate card. This may occur at ATMs, Point of Sale (POS), or indeed any other location where a customer uses their card and PIN.

The mag-stripe information is captured by fitting an additional card-reader over the ATM’s card slot and the PIN is usually obtained by the use of micro cameras, although “shoulder surfing” may also be used. This information is then stored on a chip within the skimming device or, more usually, transmitted immediately to a lap-top PC nearby. Devices are usually attached to ATMs for short periods, e.g. 20 minutes, and the device is usually being observed. For this reason ATMs which are busy and which have ample adjacent parking are particularly attractive to fraudsters.

The duplicate card can then be used in a non-EMV ATM, or if the duplicate card passes visual inspection, Point of Sale (POS). Information on the chip is not captured which means that the card cannot be used in an EMV environment and this normally limits use to locations where EMV has not been introduced. Fraudulent data may be sold on and mixed with other sources of data and the actual card production may be months after the data was captured, although on other occasions duplicate cards have been used less than 24 hours after the attack.

With a duplicate card a bank account can be drained until there are no funds available, or in the case of a credit card, until the credit limit is reached. As ATM usage is subject to daily withdrawal limits, these transactions usually take place close to, or at, the daily limit over a number of days. EAST (European ATM Security Team) reports that the number of cases of skimming remains high across Europe, with over 4501 ATM incidents in 2007, resulting in losses of over €438 million.
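The SEPA text describes two fingerprints of a skimmed card that the issuer, not the cardholder, is in a position to spot: a magstripe read in a non-EMV country while the genuine chip card is being used at home, and ATM withdrawals at or near the daily limit on consecutive days. As an added example in Go (not from the SEPA paper or any issuer's fraud system), here are both checks run over a handful of constructed authorization records; the card tokens, countries, times, amounts and thresholds are all made up for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Auth is one authorization record as an issuer's fraud engine would see it.
type Auth struct {
	Card    string    // issuer-side token, never the PAN
	At      time.Time // UTC
	Country string    // country of the terminal
	Entry   string    // "chip" or "magstripe"
	ATM     bool      // cash withdrawal rather than a purchase
	Amount  float64
}

// Rules holds the thresholds; the values in SampleRules are constructed.
type Rules struct {
	HomeCountry   string        // where the chip card normally lives
	CloneWindow   time.Duration // chip-at-home and magstripe-abroad within this gap
	DailyLimit    float64       // ATM limit per calendar day
	NearLimitFrac float64       // fraction of the limit that counts as "at the limit"
	NearLimitDays int           // consecutive days at the limit before flagging
}

// FlagCloneSuspects applies both checks and returns one line per finding.
func FlagCloneSuspects(auths []Auth, r Rules) []string {
	var out []string
	sort.Slice(auths, func(i, j int) bool { return auths[i].At.Before(auths[j].At) })
	// Check 1: a chip read proves the genuine card was at home, so a magstripe
	// read abroad within the window can only be a duplicate of the stripe.
	for _, a := range auths {
		if a.Entry != "magstripe" || a.Country == r.HomeCountry {
			continue
		}
		for _, h := range auths {
			gap := a.At.Sub(h.At)
			if h.Card == a.Card && h.Entry == "chip" && h.Country == r.HomeCountry &&
				gap <= r.CloneWindow && gap >= -r.CloneWindow {
				out = append(out, fmt.Sprintf("%s: magstripe use in %s at %s within %s of chip use in %s",
					a.Card, a.Country, a.At.Format(time.RFC3339), r.CloneWindow, r.HomeCountry))
				break
			}
		}
	}
	// Check 2: the cash-out pattern the paper describes, withdrawals at or near
	// the daily limit on consecutive days. First sum ATM amounts per card per day.
	perDay := map[string]map[time.Time]float64{}
	for _, a := range auths {
		if !a.ATM {
			continue
		}
		if perDay[a.Card] == nil {
			perDay[a.Card] = map[time.Time]float64{}
		}
		perDay[a.Card][a.At.UTC().Truncate(24*time.Hour)] += a.Amount
	}
	for card, sums := range perDay {
		var days []time.Time
		for d, sum := range sums {
			if sum >= r.NearLimitFrac*r.DailyLimit {
				days = append(days, d)
			}
		}
		sort.Slice(days, func(i, j int) bool { return days[i].Before(days[j]) })
		run := 0
		for i, d := range days {
			run++
			if i == 0 || !d.Equal(days[i-1].Add(24*time.Hour)) {
				run = 1
			}
			if run == r.NearLimitDays {
				out = append(out, fmt.Sprintf("%s: ATM withdrawals at or near the %.0f daily limit on %d consecutive days ending %s",
					card, r.DailyLimit, run, d.Format("2006-01-02")))
			}
		}
	}
	return out
}

// SampleAuths is constructed data: one card used by chip in Germany while a
// magstripe copy withdraws cash in the US on three consecutive evenings.
func SampleAuths() []Auth {
	d := func(day, h, m int) time.Time { return time.Date(2009, time.January, day, h, m, 0, 0, time.UTC) }
	return []Auth{
		{"tok-0001", d(5, 12, 0), "DE", "chip", false, 60},
		{"tok-0001", d(5, 20, 0), "US", "magstripe", true, 480},
		{"tok-0001", d(6, 20, 30), "US", "magstripe", true, 490},
		{"tok-0001", d(7, 19, 45), "US", "magstripe", true, 470},
		{"tok-0002", d(6, 9, 15), "DE", "chip", true, 200}, // ordinary domestic withdrawal
	}
}

var SampleRules = Rules{HomeCountry: "DE", CloneWindow: 24 * time.Hour, DailyLimit: 500, NearLimitFrac: 0.9, NearLimitDays: 3}

func main() {
	for _, f := range FlagCloneSuspects(SampleAuths(), SampleRules) {
		fmt.Println(f)
	}
}
```

With the sample data and a 24-hour window the first check flags only the withdrawal made eight hours after the chip purchase; the two later ones fall outside it and are caught by the second check instead, which is the point of running both: the clone check is precise but needs a recent chip read to anchor on, while the limit-pattern check needs no such anchor but takes a few days to fire.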

PIN Debit Payments Blog

