As the name implies, "Browsers" are for "browsing" ...when you're done and it comes time to make that online purchase...it should be done "outside the browser."
I posted earlier this year (Browsers and E-Commerce Don't Mix - January 2nd 2009) that researchers disclosed that a key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability.
They demonstrated how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss.
They also said it was unlikely to affect most Internet users in the "near future" because taking advantage of the vulnerability requires discovering some techniques that "are not expected to be made public."
Oh really...? Well that's good news! Oops! Wanna watch the video on YouTube? It's embedded at the end of this post...
Researcher demonstrates SSL attack
By Tom Espiner ZDNet.co.uk
Posted on ZDNet News: Feb 20, 2009
A security researcher has demonstrated a way to hijack Secure Sockets Layer (SSL) sessions to intercept login data.
Moxie Marlinspike, who spoke at the Black Hat security conference on Wednesday, explained how to subvert an SSL session by performing a man-in-the-middle attack. The anarchist researcher explained in a YouTube video that the attack uses a tool developed called SSLstrip, which exploits the interface between http and https sessions.
"SSLstrip man-in-the-middles all of the potential SSL connections on the network, specifically attacking the bridge between http and https," Marlinspike said in the video. (embedded at the end of this post)
Secure Sockets Layer, and its successor Transport Layer Security, are cryptographic protocols used to encrypt communications over TCP/IP networks. SSL and TLS are often used by banks and other organizations to secure web transactions.
The attack relies on users not directly calling up an SSL session by typing a URL into a browser. Most users initiate sessions by clicking on a button. These buttons are located on unencrypted http pages, and clicking on them will take users to encrypted https pages to log in.
"That opens up all kinds of avenues for ways that you might intercept [details]," Marlinspike said. In his Black Hat presentation, he claimed to have gathered details on 117 email accounts, seven PayPal logins and 16 credit card numbers, within a 24 hour period.
SSLstrip works by watching http traffic, then by acting as a proxy when a user attempts to initiate an https session. While the user believes the secure session has been initiated, and SSLstrip has connected to the secure server via https, all traffic between the user and SSLstrip is http. This means "disastrous warnings" displayed by browsers are avoided, as to the browser the session appears normal. Login details can then be harvested.
Marlinspike said that an https padlock logo can be spoofed in the URL bar, to further lull the user into a false sense of security.
While SSL is generally accepted as being secure, security researchers have claimed SSL communications can be intercepted. In August last year, researcher Mike Perry said he had been in discussions with Google regarding an exploit he planned to release, which would allow a hacker to intercept a user's communications with supposedly secure websites over an unsecured Wi-Fi network.
This article was originally posted on ZDNet.co.uk.
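A defender's check for the exposure the article describes, as an added example that is not part of the original post or the ZDNet article: it scans a page served over http for links and forms that hand the user off to https (the bridge SSLstrip rewrites) and evaluates the Strict-Transport-Security response header, a later browser mechanism the post does not mention. The sample page, the bank.example host and the 180-day minimum max-age are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an unencrypted landing page whose login button jumps to https.
SAMPLE_PAGE_URL = "http://bank.example/"
SAMPLE_HTML = """
<html><body>
  <a href="https://bank.example/login">Secure Login</a>
  <a href="/about">About us</a>
  <form action="https://bank.example/session" method="post">
    <input name="user"><input type="password" name="pw">
  </form>
  <form action="/search"><input name="q"></form>
</body></html>
"""

# Assumed policy threshold (not from the post): require at least 180 days.
MIN_MAX_AGE = 180 * 24 * 3600


class _BridgeParser(HTMLParser):
    """Collects links and forms whose safety depends on an unauthenticated page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []
        self._form = None  # state of the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._record("link", a["href"], False)
        elif tag == "form":
            self._form = {"target": a.get("action") or "", "password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self._record("form", self._form["target"], self._form["password"])
            self._form = None

    def _record(self, kind, target, has_password):
        absolute = urljoin(self.base_url, target)
        scheme = urlsplit(absolute).scheme
        if scheme == "https":
            # The https target is only as trustworthy as the http page naming it:
            # anyone on the path can rewrite it before the browser sees it.
            self.findings.append((kind, absolute, "bridge"))
        elif scheme == "http" and has_password:
            # A password field that posts over http needs no rewriting at all.
            self.findings.append((kind, absolute, "cleartext-credentials"))


def find_https_bridges(page_url, html):
    """Return (kind, url, issue) tuples for a page that was fetched over http."""
    if urlsplit(page_url).scheme != "http":
        return []  # a page already delivered over https is not the bridge
    parser = _BridgeParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def evaluate_hsts(headers):
    """Return (ok, reason) for the headers of a response received over https.

    Browsers ignore Strict-Transport-Security on plain http responses, so only
    pass headers captured from the https origin.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "missing"
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return False, "invalid max-age"
    if int(max_age) < MIN_MAX_AGE:
        return False, "max-age too short"  # max-age=0 tells the browser to forget the policy
    return True, "ok"


if __name__ == "__main__":
    for finding in find_https_bridges(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
    print(evaluate_hsts({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

A site that passes the header check still leaves a first-visit window on plain http unless the browser already knows the host is https-only.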
Friday, February 20, 2009
Researcher Demos SSL Attack (Still Can't Hack the PIN)
Citi Replacing Cards After Breach...but How Many?

According to the Press Association, Citigroup has started sending replacement credit cards to its customers, apparently in response to a massive security breach at Heartland Payment Systems.
"Heartland Payment Systems revealed that its system used to process Visa, MasterCard, American Express and Discover Card transactions was breached late last year. The Princeton, New Jersey, company said the breach did not involve personal identification numbers (PINs)"
(Editor's Note: Translation: They didn't get the PINs. What if banks and V/MC had pushed the more secure "PIN Debit" instead of pushing the less secure "signature debit"? Sure, their excessive profits derived from higher interchange fees and the milking of $17 Billion dollars off consumers from overdraft charges were nice, but now it's kinda biting them in the *ss. I guess there is a price to pay when self-interests are given priority over what's best in the long run. What's best in the long run is securing payments...so at the end of the day, this dilemma has been exacerbated by their own self-serving modus operandi.)
Earlier this week I posted that for every $100 of PIN-based transactions there was 1.09 cents of fraud. Signature debit comes in at 5.4 cents.
It will be interesting to see how drastically those numbers shift after the final tally on how much this breach winds up costing. Don't expect anything too drastic however...it wouldn't be in V/MC's best interest if those numbers become any more disparate.
Prediction 1: The new signature debit fraud numbers WILL NOT include costs associated with replacing cards and monitoring accounts...only the actual amounts of fraud committed using the breached card numbers. They want to keep these numbers as low as possible.
Prediction 2: The PIN debit fraud numbers will always include every single penny derived from skimming, tampering, the use of cameras, people foolish enough to provide their PINs to scam artists, and if they could, they'd include ATM Bombs. V/MC will manipulate the data in order to skew these numbers to appear as high as possible, to keep people from questioning their mindset in pushing SigDebit over PINDebit.
Predilection 101: Visa and MasterCard will continue to push whatever makes them the most money.
Prediction 3: Because of their aforementioned predilection, V/MC will be involved in yet another Antitrust lawsuit, drag it on for as long as possible, and settle for about a third of what they wrongfully profited while they dragged it out over the years on the morning the case is scheduled to begin. OR...they will see the light of day and determine that their strategy won't hold up in the long term, and having learned from past mistakes, work with the other EFT networks (Visa owns Interlink/MC owns Maestro) and empower PIN Debit instead of fraudsters. Flip a coin.
So...how many cards will Citi have to replace? Citibank has not revealed how many of its customers are involved; however, Citi has more than 150 million credit card accounts worldwide.
Meanwhile...the growing number of banks across the US that have said their customers were involved in the Heartland breach and have issued new cards to consumers has climbed to 440+. The rest are still monitoring their systems for unusual activity to detect fraud.
Please take a moment to participate in our poll.
You will be able to view results after voting.
HomeATM Plans On Participating in FinovateStartup09
HomeATM has committed to attend Finovate Startup '09
and plans on participating as one of the presenting companies as well.
Developing...
To learn more about Finovate Startup '09 and Finovate '09 you may visit either
www.Finovate.com or Netbanker.com
HomeATM in the News

MONTREAL FIRM PLANS TO TEST HOME-USE CARD READER
Heightened attention to data breaches tied to point-of-sale software and online shopping carts is bolstering a security-engineering company's argument that the use of PINs on the Internet can be done securely only using a payment card terminal that (easily) attaches to consumers' personal computers. (in milliseconds)
HomeATM ePayment Solutions, which is based in Montreal, is close to piloting a personal card-swipe device and PIN pad that consumers plug directly into a PC's USB port. The system requires no installation or software. When consumers check out at a participating merchant's Web site, the site prompts them to use the device to swipe their card and enter their PIN to complete a transaction. If a retailer conducts a successful pilot, the hardware will provide peace of mind for the consumer while turning card-not-present interchange rates to cheaper card-present rates for merchants, contends Kenneth Mages, HomeATM chairman and CEO. The company has an agreement with a major electronic funds network to begin the pilot, but first HomeATM wants to secure participation from a large, Tier 1 merchant, Mages says. Tier 1, or Level 1, merchants process more than 6 million transactions per year. The company is considering several merchants, including a major U.S.-based airline, which Mages declined to name. The device, called SafeTPIN, received Payment Card Industry Data Security Standard certification two weeks ago.
Editor's Note: The headline can be a little misleading. We don't "PLAN TO TEST" the device. We tested it already. Rigorously! But, in order to prove our results were objective, it was thoroughly tested by a fully accredited outside resource. This from the Witham Laboratories website:
One of only eight in the world…
Among our many certifications, Witham Laboratories is the only organization in the Asia-Pacific region accredited by the PCI to test PIN Entry Devices (PEDs) - we are one of only eight organizations in the world with this accreditation.
So, do we plan to pilot the device...yes. Do we plan on testing it? Done.
For more information on the accreditation process, visit Witham Labs.
For more information visit: www.HomeATM.net
Thursday, February 19, 2009
Please Take This Poll

If you have a moment, our Chairman and CEO, Ken Mages, would be interested in hearing your opinion. After you vote you will be given the results.
Would you use a personal swiping device if it 100% protected your ID/Card Data?
Click Here to take the Poll
Thank you in advance for taking the time to share your valued opinion and for visiting the HomeATM PIN Debit Payments Blog!
John B. Frank
HomeATM ePayment Solutions
Also, feel free to leave your comments on this post!
HomeATM Slider Now Compatible with Your Blackberry!
Yesterday, in a post I sarcastically dubbed "DumbPhoneded" I talked about security vs. convenience and a new McAfee report showing mobile device manufacturers are seeing more malware attacks than ever before. Here are some excerpts from DarkReading's Smartphone Threats Intensify
- Security threats were bound to catch up with the proliferation of smartphones across the enterprise...
- Experts have long warned that smartphones...could become the new weakest link in the enterprise...
- But they are [typically] completely bypassing the IT infrastructure." They are also bypassing security, he says, putting sensitive data at risk...
- McAfee's report, which is based on a survey of 30-plus mobile device manufacturers from around the world, found these vendors are getting hit with more malware attacks than ever before. As a result, they are spending more money on recovering from them.
- Around 48 percent said their devices accounted for data loss problems, up from around 27 percent in 2007. (Editor's Note: You mean like my card information, and other personal data?)
Of course, as this blog has been consistently stating, if you want security in your transactions, it CANNOT be done in a browser environment and that especially includes phones. Think of the highly publicized Caylee Anthony case. Her mother's every single phone call, every single text...(even pinged her locations) to PINpoint her whereabouts on certain days and certain times. If they can do it, don't think for a moment the hackers can't.
In fact, they are "wizards" at it.
So should you ever be in the market for a "guaranteed" secure/end-to-end encrypted financial transaction (send or receive: direct payment, person 2 person, bill pay, you name it) using existing bank rails, there's no place like HomeATM.
P.S. Our Smart Phone Personal Swiping Device is network agnostic. CDMA or GSM and will secure transactions via phone to PC, phone to merchant, phone to phone, etc.
For more information, feel free to contact me and I'll make sure you get through to the necessary channels.
The Rising Threat of Alternative Payment Channels - Report
The graph on the left is from a previously released Celent Report and shows that PIN Debit has the highest Customer Value Proposition and only slightly trails "Invoicing" in Merchant Value Proposition. Of course, when you add our Email-based P2P application, HomeATM looks like it's sitting pretty.
Here's an overview from the latest report.
Alternative Payment Channels
By: Ray Cain
Published: 20 February 2009
Cost: £1297
There is a growing awareness of the importance of payments in the retail banking business. The transaction account is at the core of the customer relationship and payment services play a critical role in customer acquisition and retention. Payments are also an important source and driver of revenue. At the same time banks' traditional role in retail payments is coming under growing threat from a plethora of alternative payment providers. This is being driven by a need for payment mechanisms that are faster, more convenient, and more secure, and that meet the needs of new transaction channels and emerging market segments, along with a confluence of regulatory factors and market conditions.
In many respects banks are in a strong position to compete. They already have an installed base of customers who rely on them for payment services. They are trusted as repositories of funds and financial intermediaries. And network externalities pose a formidable barrier to new entrants. At the same time alternative players establishing themselves in market niches consistent with the classic model of disruptive innovation are looking to expand from there into the mainstream payments space.
Report Content
- Alternative payments – background to the threat
- Drivers of alternative payments
- Alternative payments - serving niche markets
- Micropayments
- The un(der)banked
- Alternative POS networks
- Enhancing point-of-sale payments
- Enhancing online payments
- Enhancing payments with promotions
- Integrating payments with the shopping process
Who should read this?
- CEOs, heads of retail banking, strategic planners, e-channels, IT and marketing managers of financial institutions
- CEOs, strategic planners, marketing managers of alternative payments providers
- Consultants, analysts and industry observers
What are they looking for?
- To understand alternative payments and the potential threat they pose to banks’ position in retail payments, initiatives underway and solutions available to allow banks to respond to this threat.
- To understand the current state of the industry and what alternative payments mean to banks.
- To deepen their understanding of the potential impact of alternative payments on the financial services industry and the industry’s response.
About the author:
Ray Cain is a researcher specialising in banking and finance. He holds a post-graduate Diploma in banking and a Master of Management in banking from Massey University in New Zealand. He is also studying for a PhD in economics at the University of Fribourg in Switzerland. During his working career, he has held management and consulting roles in economic development projects in Indonesia and Serbia.
Wyndham Hotel Hack Followup
Here's a follow-up to the Wyndham Breach
It seems that the criminals not only were able to get guest names, credit card numbers and expiration dates, but they also were able to steal the data from the card's magnetic stripe, Wyndham said. That magnetic stripe information contains Track 1 and Track 2 data including the (CVV) code, "which is critical if the thieves want to make fake credit cards, according to Avivah Litan, an analyst with Gartner Research."
"That's the hot information," she said. "You can sell that information for much more on the black market." CVV codes were also taken in the high-profile Heartland Payment Systems and The TJX Companies credit card thefts.
When fraud is perpetrated using fake cards that include the CVV codes, the banks are responsible for the charges;
When they are able to obtain only the card numbers and expiration dates -- for example, online transactions NOT DONE by HomeATM -- then the retailer is responsible for the charges.
"The banking industry is all up in arms whenever bank stripe data is stolen," Litan said.
As posted in "DumbPhoneded" the retailers should be up in arms every time a transaction is conducted without the Track 2 data being swiped. Not only are they paying up to 100 basis points more, but in the face of increased fraud, they could lose their product and lose the money they thought they got for it. Call that a double whammy, no cheese.
Wednesday, February 18, 2009
Dumbphoneded...
Well, in an article published by Kelly Jackson Higgins of DarkReading.com, (Smartphone Risks Intensifying) quoting research from McAfee, you might want to wait until they figure out how to make those Smartphones more secure.
I say we tackle the Internet payment problems first, then move on to mobile.
M-Payment supporters cite convenience as the thrust behind the interest in mobile payment.
Convenience may be nice but it's way overrated. Anyone who argues that convenience is the number one driving force behind the popularity of a payment methodology simply doesn't get it. Security is the key and convenience arrives at the expense of security. (How convenient is airport check-in and boarding post 911? Yeah, quite the "departure" from convenience, is it not?) Allow me to provide another analogy.
Would it not be of the "utmost" convenience for you and your family to get in and out of your house, (along with your relatives and/or neighbors who want to come and pay you a visit) if you always left the front and back doors of your house unlocked? Sure it would.
Then why don't we do it?
It's because that very same convenience comes at the expense of security which in turn, would also be likely to attract malicious characters.
On the flipside, if you always locked your door, you may occasionally be "inconvenienced" by having to fumble around in your coat-pocket or purse, looking for (those damn) keys. 110% inconvenienced if you've ever lived in the US/Midwest in January, I might add.
But we go through these same insanely inconvenient motions everyday anyway. Why? Because it's worth it to us to have the peace of mind in knowing that it's safe. Why should it be any different with securing payments? Don't the bad guys want to get into our house to steal our money? Don't we use money to make payments?
(BTW, I know we used to leave our doors unlocked back in the "Leave it to Beaver" days, but sadly, even prior to "Beavis & Butthead" becoming the number 1 movie in America {which marked the day I started locking my doors, heh heh heh...}, it became a much different world out there.
We threw convenience out the window and not only started locking our doors, but also the very window we threw convenience out of...along with locking our garages, our bicycles, blah blah blah...etc. etc. etc.)
So, convenience is not really the core issue. Risk and security are.
So the question begs to be asked: When will retailers understand that because fraud is rising exponentially (a trillion last year) and because it's them who are always the ones getting stuck with the bill, maybe it's time to stop complaining about Interchange and time to "implement change." I would argue that it's time to "take charge" and stand up and fight. Instead of being responsible for chargebacks and fraud, take responsibility and implement and push a more secure (thus lower interchange) payment method. (such as the one afforded by HomeATM? You betcha!)
Face it, consumers only want convenience in the face of zero liability.
V/MC knows that, which is why they have implemented their so-called "zero liability" programs...to make consumers feel like they have no risk of exposure.
Heck, if my auto insurance had a zero liability program, I'd never take my keys out of and never lock the door to my car. Wouldn't it be nice if you never had to look for your car keys or worry about losing or leaving them somewhere? They'd always be right where you left them, right where they need to be...in the ignition. If that isn't convenient, I don't know what is. So why don't we do it if it's "all about convenience?" Because it's not. It's all about safety, security and protection.
The bottom line is, if you ask anyone who has had their purse, wallet or ID stolen, it's a very time consuming, aggravating and frustrating effort to deal with all the financial institutions, credit bureaus etc. to right the ship. Not one would say they found the process to be anything but "inconvenient." So one could argue that there are some "untruths that lie" beneath the zero-liability programs pushed by V/MC. Imagine that.
Even worse, on the flip-side, (of zero liability), it's the merchants who are almost certainly always at risk. We'll call that program the "100% Full Liability Merchant Left Holding the Bag Program." They're the ones liable for fraud, chargebacks, thefts, etc. It's no secret that V/MC has them by the bollocks because they can't afford to NOT take credit cards. Or can they?
With the decline in credit card usage and the rise in debit card usage, now may be the perfect time to make a move and switch over to a more secure payment mechanism. What is a more secure payment mechanism?
For one, Card Present is more secure than Card Not Present. That's the singular purpose of HomeATM's personal swiping device...to facilitate card present transactions. Wait, there's a dual purpose to our "slider" as we take it a step further in order to provide "dual authentication." Therefore, we have incorporated a PIN Entry Device into our "slider." Why? To make it more convenient for people who want a secure transaction.
According to this months issue of Card and Payments,
Through HomeATM, online retailers now have a choice. A choice whereby they can increase security, reduce risk, hence interchange fees, virtually eliminate chargebacks and increase their bottom line...all in one fell swoop.
In these times of both fraud and economic frugality, you'd think, now more than ever, retailers would demand security over convenience. Transactions don't have to be "inconvenient," they just should NEVER be insecure.
Let's use HomeATM as an example...just how "inconvenient" is it to swipe a card into our Slider versus type in a 14 or 16 digit number, an expiration date and a CVV? Most would agree that it's actually "more convenient" to "swipe vs. type." One thing is certain...with HomeATM's E2EE, it's about a million times more secure.
Anywho, I almost forgot...here's the article questioning the security behind smartphones...and always remember...hackers are smart too. They figured out the insecurity behind web browsers, amounting, by at least one account, to $1,000,000,000,000 (one-trillion) dollars in losses due to cybercriminal activity. That was in 1 (one) year.
Maybe we should secure the Internet with PIN before we start worrying about transacting with mobile phones. HomeATM feels it has already accomplished that task, having engineered a patented process that utilizes existing bank rails and provides end to end encrypted (E2EE) internet transactions.
But did you know that HomeATM has also engineered and is testing a secure SmartPhone PIN based E2EE mobile transaction platform? More on that later.
Let's get this Internet payments mess fixed first...
Smartphone Threats Intensify - DarkReading
Enterprise data at risk, according to new McAfee report, which shows mobile device manufacturers seeing more malware attacks than ever before. (Editor's Note: Oh yeah? Wait til Next Year!)
By Kelly Jackson Higgins - DarkReading
Security threats were bound to catch up with the proliferation of smartphones across the enterprise. More than half of mobile device-makers said their products experienced malware, voice-, or text spam attacks last year, according to a newly published report from McAfee.
Experts have long warned that smartphones, such as Windows Mobile and iPhone handsets, could become the new weakest link in the enterprise, with more users relying on them for accessing corporate email, surfing the Web, and other applications. "[Users] want to do everything on them," says Stewart Allen, a Toronto-based independent consultant. "But they are [typically] completely bypassing the IT infrastructure." They are also bypassing security, he says, putting sensitive data at risk.
McAfee's report, which is based on a survey of 30-plus mobile device manufacturers from around the world, found these vendors are getting hit with more malware attacks than ever before. As a result, they are spending more money on recovering from them.
Nearly 55 percent said network or service-capacity problems have ensued due to mobile security incidents -- up from 25 percent in 2007. Around half said third-party application/content problems had plagued their devices last year, up from around 25 percent in 2007. Around 48 percent said their devices accounted for data loss problems, up from around 27 percent in 2007.
1 in 8 UK firms lose 5% of Revenue to Fraud
Computer Business Review
Business left to fight online fraud
By Kevin White
Lacks government coordination: security vendors
Businesses are largely being left on their own to counter financial fraud, security companies have agreed.
In a newly issued study CyberSource has said its findings highlighted online retailers’ frustration at the lack of coordination and government support in the fight against fraud.
It concluded that merchants continue to bear the increasing burden of fraud.
In the absence of any recommendation in the report for the creation of a centralised anti-fraud body to coordinate efforts across the financial and enforcement industries, Yuval Ben-Itzhak, CTO at secure web gateway supplier Finjan Inc, said it is clear that companies are on their own.
Although technology can significantly mitigate the risk of a company’s systems being breached, it appears that as many as one in eight online UK firms are losing more than 5% of their revenues to fraud...this illustrates the phenomenal cost that card fraud is costing UK organizations...
V/MC to Slash Expenses, Increase Prices
Reuters is reporting that Visa and MasterCard are slashing expenses and increasing prices.
NEW YORK (Reuters) - As cash-strapped U.S. consumers think twice before buying a coffee or a newspaper, and banks fight for survival, Visa Inc and MasterCard Inc are cutting costs to sustain earnings.
In their latest quarterly results, the world's largest payment networks beat expectations by slashing expenses and increasing prices.
That contrasts with previous periods when the companies could rely more for growth on people switching to electronic payments from cash for an increasing number of transactions.
That trend had Mastercard and Visa in the sweet spot of the credit and debt card industry -- getting paid each time a transaction took place on their branded cards while not having to deal with the risks of consumers defaulting that are faced by the credit card issuers.
Rising defaults have led to mounting charges for the issuers, such as Citigroup Inc or Bank of America Corp, which are major clients of Visa and Mastercard. American Express is both an issuer and a payments company.
Governments around the world have bailed out many of the battered banks, making it more difficult for the credit card-payment networks to raise the prices they charge them for transactions.
"Most likely, the bottom line will benefit from cost cuts (rather) than growth in volumes," said Michael Kon, an analyst at Morningstar.
"The companies have not been run very tightly and there is room to cut," said Standard & Poor's analyst Stuart Plesser.
The article goes on to say that Visa, which slashed expenses as part of a restructuring plan to integrate the former U.S., Canada and international operations into one company, has accelerated the pace and expects to finish that plan -- which will save $300 million in 2009 -- a year earlier than expected.
Editor's Note: I didn't see where they stated they'll increase prices, however, that usually happens in April anyway when new Interchange Rates come out. It'll be interesting to see what happens this year when the new rates are released. Regardless, if you'd like to save up to 100 basis points off of Interchange, you can make the switch to HomeATM's E2EE Internet PIN Debit platform.
Prepaid Not Good Solution to Combat Fraud
Yesterday I touched upon an article in the Telegraph.co.uk about whether or not Prepaid Cards could keep fraudsters at bay. She wondered if prepaid cards were the solution to rampant fraud. In that post, which I entitled "Can Prepaid Cards Be Loaded by Hackers?" I stated that I didn't think so, because it is much easier to produce a $50.00 counterfeit prepaid card than to produce a counterfeit $50 bill. Therefore I imagined that hackers have probably got a close eye on the prepaid industry.
As it turns out, only one day later, there's a report that prepaid Visa gift cards are being targeted by the bad guys. Here's that video report from KTEN.
Visa Gift Cards Turned into Phony Credit Cards
Tales from Encrypt
Last week I posted about a company named Voltage Security who announced that their SecureData program now provides end-to-end-encryption or E2EE. (I also made mention of the fact HomeATM has provided E2EE since January of '07, so it's been a buzz word for us at HATM for quite a while now)
Yesterday Voltage Security announced that Wells Fargo has agreed to implement Voltage SecureMail™, their Identity Based Encryption email solution. That's not only a "good get" for Voltage, but it probably paves the way to "securing" other Financial Institutions as clients. Watch out for Zombies!
Voltage Security Protects Email at Wells Fargo
Palo Alto, CA -- Voltage Security, the global leader in information encryption, today announced that Wells Fargo & Company, (NYSE: WFC), has selected and deployed Voltage SecureMail™ to secure email communications between Wells Fargo team members, customers, vendors and extended business partners.
Voltage SecureMail was selected and deployed by Wells Fargo because of the following:
1. Ease of adoption by team members, and customers.
2. Lowest total cost of ownership; there are no directories, certificates, or duplicate systems to manage.
3. Ease of Integration with the pre-existing messaging environment.
“We see secure communications as a mission critical part of our overall business strategy and a valued service to enable our customers to interact with the bank,” said Steve Ellis, executive vice president of Wells Fargo’s Wholesale Services Group. “With Voltage, our team members, customers, and business partners can interact online in a secure simple manner,” said Ellis.
“Wells Fargo’s deployment of Voltage SecureMail has quickly grown to be one of the largest use cases of secure email in the world,” said Sathvik Krishnamurthy, president and CEO of Voltage Security, Inc. “Voltage SecureMail, powered by Identity-Based Encryption (IBE), is the only solution that scales to this level across very large, complex extended business networks,” continued Krishnamurthy.
In the past, secure email systems at the financial services company went largely unused because of inherent complexities in the user experience. Voltage provided a solution that is essentially invisible to internal team members and extremely easy to use for external recipients.
About Voltage Security
Voltage Security, Inc., an enterprise security company, is the global leader in information encryption. Voltage solutions, based on next generation cryptography, provide encryption that just works for protecting valuable, regulated and sensitive information persistently and based on policy. Voltage delivers power, simplicity and the lowest total cost of ownership in the industry through the use of award-winning Voltage Identity-Based Encryption™ (IBE) and a new breakthrough innovation: Format-Preserving Encryption (FPE). Voltage Security offerings include Voltage SecureMail™, Voltage SecureData™ and the Voltage Security Network™ (VSN), an on-demand managed service for the extended business network.
Voltage Security is the number one OEM provider of email encryption technology in the world with OEMs that include Microsoft, Proofpoint, Secure Computing, Sendmail, Canon, Code Green Networks and NTT Communications. The Company has been issued several patents based upon breakthrough research in mathematics and cryptographic systems. Customers include Global 1000 companies in banking, retail, insurance, energy, healthcare and government, such as American Board of Family Medicine, Diebold, Integro Insurance Brokers, NTT Communications, SafeAuto Insurance, Winterthur Life UK Ltd. and XL Global Services. For more information please visit http://www.voltage.com.
###
Source: Press Release
Tuesday, February 17, 2009
How To Hack an ATM Part II
Sydney gets hit again by explosive ATM raiders
(Melbourne, Australia) Herald Sun:
ATM raiders have blown up another ATM in Sydney, the third attack in less than a week.
Police said the ATM was extensively damaged, but it was not known if any cash had been taken. A spate of ATM blasts across New South Wales and Queensland has prompted the formation of a special police task force.
UATP and Alternative Payments - DTN
UATP Keeps Its Eye on Alternative Payments—and Hotels
(February 17, 2009)
Universal Air Travel Plan Inc. is still in growth mode despite some weakness in its core corporate travel business, thanks in part to an ongoing alternative online-payments initiative that started in 2005. Now the specialty payment processor is looking to sign hotels as merchants.
Processing volumes rose about 20% last year for Washington, D.C.-based UATP. “In 2007 we broke the $10 billion mark; in 2008 we were at $12 billion,” president and chief executive officer Ralph Kaiser tells Digital Transactions News by e-mail. “Our profitability is not public, but suffice it to say 2007 was a good year and 2008 was even better.”
UATP has 19 airline shareholder-owners worldwide. Thirteen issue its card, and its brand is accepted by nearly 250. Online payment systems are an increasingly important part of the mix as UATP seeks to offer airlines new product offerings beyond its core corporate travel card, especially ones that cost the carriers less to accept than general-purpose credit cards (Digital Transactions News, Aug. 20, 2008). Already accepted or planned payment brands usable through UATP include PayPal Inc., Bill Me Later Inc. (recently acquired by PayPal parent company eBay Inc.), Moneta Corp., the PIN-based specialists HomeATM and Acculynk Inc., and prepaid cards through Ceridian Corp.’s Stored Value Solutions....
Continue Reading at Digital Transactions
A Billion Internet Users
FEBRUARY 17, 2009
Growing and growing and growing and...
The moment when the Internet passed 1 million users is veiled in history. The truth is, whenever it happened, no one was counting—or even had the means to do so. But according to the “Internet Growth Survey” from MIT, there were 1 million hosts (defined as either a computer or IP address) in 1995.
At the time, it was estimated that the Internet was doubling in size every year, so there would be over 1 billion users in 2005.
That timeline proved overly optimistic. But according to the comScore World Metrix audience measurement service, the Internet surpassed 1 billion visitors in December 2008.
“Surpassing 1 billion global users is a significant landmark in the history of the Internet,” said Magid Abraham, comScore CEO, in a statement. “It is a monument to the increasingly unified global community in which we live and reminds us that the world truly is becoming more flat.”
comScore got to a billion users without counting access from Internet cafes, mobile phones or PDAs.
By contrast, eMarketer employs a slightly broader audience definition—access by anyone of any age from any location—to estimate that there were 1.172 billion Internet users worldwide in 2008.
Either way you count, one thing few prognosticators foresaw in 1995 was that the US would have only the second-largest online population when the Internet hit the billion-user mark. China ranks No. 1.
The Web still has plenty of room to grow.
“China has taken the lead in the number of Internet users worldwide, and today only about 20% of its residents are online,” said Lisa E. Phillips, eMarketer senior analyst. “While China will continue to lead the world in Internet users, look for India to eventually overtake the US, Japan and Germany.”
“The second billion will be online before we know it,” said Mr. Abraham, “and the third billion will arrive even faster than that.”
The Cost of PCI Compliance - Element Payment Services Blog
In a great informational post on the PCI DSS Compliance Blog, published by Element Payment Services, they talk about the cost of PCI compliance.
I had the pleasure of working with Sean Kramer, the founder and CEO of Element Payment Services, when he was with Concord EFS. We jointly provided an innovative payments package/solution for U.S. FoodService members. I am happy to see (but not surprised by) the growth enjoyed by Element. It couldn't happen to a nicer guy! Congrats to Sean and his team, including Roy Bricker who previously worked at Pay By Touch.
Here's their post:
PCI DSS Compliance Blog: Cost of PCI Compliance
Cost of PCI Compliance
“What does it cost to be PCI compliant?” is a common question from business owners and software providers facing compliance requirements. Several estimates have been generated by industry leaders on PCI compliance costs.
For Merchants (Complying with PCI DSS)
IT security firms Solidcore Systems, Emagined Security and Fortrex Technologies have identified three main categories of PCI compliance costs:
• Upgrading payment systems and security infrastructure,
• Verifying compliance (assessments), and
• Sustaining compliance.
New components that might have to be installed to upgrade payment systems and security infrastructure include additional firewalls, upgraded anti-virus and anti-spyware software, secure wireless systems, data encryption technologies and file-integrity monitoring software.
Compliance assessments include the PCI Self-Assessment Questionnaire (PCI SAQ) for Level 2, 3 and 4 merchants and an on-site audit for Level 1 merchants.
In 2008, IT research giant Gartner reported that merchant spending to protect cardholder data and become PCI compliant increased nearly fivefold during the previous 18 months. Among the Level 1 retailers Gartner surveyed, an average of $2.7 million was spent to become PCI compliant, excluding the costs of PCI assessment services. That number compares with an average of $568,000 reported by Level 1 merchants in a fall 2006 Gartner survey. Level 1 merchants spent an average of $237,000 on PCI security assessments.
Level 2 merchants reported spending $1.1 million on PCI compliance (compared to $267,000 in fall 2006) and an average of $135,000 on assessment. Level 3 merchants, those processing between 20,000 and one million transactions per year, spent an average of $155,000, excluding security assessment. Gartner did not discuss Level 4 merchants in the report.
For Software Developers (Complying with PA-DSS)
To achieve PA-DSS compliance, software providers must undergo the lengthy and costly process of validating their application. This involves a security audit from a PA-DSS Qualified Security Assessor (QSA) and the development time and expense to bring the application into compliance. These PA-DSS certification costs can range from tens to hundreds of thousands of dollars.
Additionally, software providers are required to pay $1,250 annually per software application to have their solution listed as a validated PA-DSS-compliant solution.
The Element Payment Services site is located at: www.elementps.com
Can Prepaid Cards Be Loaded by Hackers?
"More than half of the population are so worried about becoming a victim of fraud that they refuse to shop online. The research, conducted by CyberSource, a company specialising in electronic payments, said that one in three respondents knew someone who had been the victim of fraud.
But for these reluctant shoppers, a prepaid card might just be the answer.
A prepaid card looks just like a normal credit or debit card, and enables you to buy products and services wherever these cards are accepted.
The main difference is that you can only spend the balance that has been preloaded onto it. This means there is no risk of running into debt as it has no credit or overdraft facility and crucially, the card has none of your personal bank details attached to it.
In the beginning prepaid cards were used by parents to manage their children's spending habits and the market has typically been dominated by Mastercard and Maestro. But now a number of rival cards have appeared, targeting everyone from overseas travellers, nervous online shoppers to new mothers.
Andrew Hagger, spokesman for Moneynet.co.uk, said: "Prepaid credit cards allow such people to be part of the modern day 'plastic culture' which allows you to take advantage of online shopping discounts as well as access to hugely popular sites such as eBay."
For those shoppers who are hesitant about spending on the web, this type of card could help reduce the potential for fraudsters to steal your personal details.
Mr Harrison said: "The risk with a credit card is that the fraudsters will be able to max out your card, where a prepaid card is almost like a pay-as-you-go mobile phone. The only money that can be stolen, is the money you have loaded on.
"And unlike a debit card, a prepaid card does not have any link to your bank account or address, so the chance of fraud is next to none."
Editor's Note: The problem the UK is having is with cloning/counterfeit cards. I would imagine that hackers have their eye on the prepaid market as it is readily more easy to counterfeit $50 cards than $50 bills.
How do prepaid cards work?
Money – typically up to £5,000 – can be loaded on to a prepaid card by cash at a bank, Post Office, at Pay zone or PayPoint terminals, bank transfer, through your employer or even by another credit card. Editor's Note: or even by a hacker using a stolen credit/debit card!