Consumer rights organization Which? has criticized the online banking systems of some of Britain's biggest lenders, labelling them insecure in a new report released today.
Abbey and Halifax were singled out as particularly poor. Halifax has one of the least secure log-in procedures of the ten online banks we looked at. It asks for three pieces of information to confirm a customer’s identity. "As each entry is typed in full, this makes the information vulnerable" to a simple keylogger, a virus that sits on a computer and tracks every keystroke with the aim of collecting passwords.
The same two banks, along with HSBC and First Direct, were also found to have no visible security controls for money transfers. Which? Computing also found significant differences in how well money transfers appear to be protected. Abbey, First Direct, Halifax and HSBC have no visible security controls for money transfers, so if a banking session is hijacked, a criminal can enter the amount they want to.
Which? also found that users of Abbey, Alliance & Leicester, HSBC and Halifax are not immediately logged out after a session, leaving them vulnerable if they use online banking on a shared computer. Alliance & Leicester and HSBC were rated as 'average', while First Direct, Lloyds TSB, Nationwide, NatWest and RBS were given a 'good' rating.
Barclays was the only one of the 10 banks surveyed to get a rating of 'excellent'. The company requires all its online customers to use a "two-factor authentication" (2FA) system involving a PINsentry device which generates a one-time password for each session.
Tony Dyhouse, director of the government-backed Cyber Security Knowledge Transfer Network, said that banks face a difficult challenge in trying to balance security with convenience.
Editor's Note: PINSentry is a great device for 2FA log-in, but keep in mind it's ONLY function is as an authenticator. By contrast, HomeATM utilizes 2FA for log-in, but it also enables consumers to conduct financial transactions (including money transfers) in real-time with 100% 2FA 3DES DUKKPT End-to-End (Zone 1-5) Encryption.
"Compared with younger consumers, preboomers, who are 63 or older, are more explicit in their reasons for not using online banking - they are comfortable with other channels, such as the branch, and they are worried about the security... HomeATM - http://pindebit.blogspot.com/
Debit cards are fast becoming the payment instrument of choice for U.S. consumers. According to Visa Inc., the value of purchases made using Visa-branded debit cards in 2008 surpassed dollars spent using Visa credit cards for the first time. For many consumers who have made the switch, there may be no turning back.
A Review of the Types and Trends of Data Breaches Involving Financial Institutions
August 28, 2009 - Linda McGlasson, Managing Editor
There have been 356 data breaches so far in 2009, according to the Identity Theft Resource Center (ITRC). And 46 of those breaches have involved financial institutions - up from 34 at this same time last year.
In reviewing these 46 incidents (see interactive timeline w/details of each breach), one finds goods news and bad, according to ITRC executive director Linda Foley.
The good news, Foley says, is that, based on percentages, financial institutions consistently have lower percentages of data breaches than other organizations. "This means they're doing a better job of controlling and protecting their data," she says.
The bad news is when financial institutions - or their third-party service providers -- are breached ... it's big. Example: the Heartland Payment Systems breach, which resulted in the compromise of 130 million credit and debit cards. Financial data -- bank account numbers, social security numbers, and other personal identifying information - is invaluable to hackers, and its loss is costly to consumers.
Atlanta-based startup Moneta raises $4M, to combat Paypal
ATLANTA - Moneta, a startup that says it will challenge PayPal for online payment services, has closed on $4 million in venture funding.
The Atlanta Business Chronicle reported the funding on Friday. One of Moneta’s partners is Delta Airlines.
In 2007, Moneta purchased the retail payments product from CheckFree. The system transfers money directly from the buyer’s checking account to participating merchants with lower fees than those required by charge cards.
CheckFree had offered the program for more than two years. Financial terms were not disclosed. The deal includes all customer accounts for the service. CheckFree also will provide Moneta with payment processing services.
Voltage Security Finishes Record-Setting First Half Highlighted by Diversified End-to-End Data Protection Solutions
Total contract value of deals in the first half grows by over 70%
Palo Alto, California–August 25, 2009–Voltage Security, Inc., (www.voltage.com), the global leader in end-to-end data protection, today announced another record finish to the first half of their fiscal year ended July 31, 2009. The period ended with the highest revenue quarter in the company’s history, a 35% growth over the same period last year. In addition, the company was cash flow positive from operations and profitable for the quarter. Total contract value of deals in the first half grew by over 70%.
The company also announced a 34% increase in total customer count over the past 12 months to reach more than 780 enterprise customers and more than 3,000,000 total licensed users. During the period, several seven figure deals were closed including the largest in the company’s history.
“Our recent success, especially noteworthy given the tough economic climate, reflects three major benefits of our end-to-end data protection approach: we offer a diverse and complete product set that is well aligned to large enterprise environments, provide products that scale the most cost efficiently, and offer customers the most rapidly deployable solutions in the market,” said Sathvik Krishnamurthy, president and CEO of Voltage Security. “We are finding enterprise customers want a holistic approach for data protection versus a piecemeal or point-to-point approach. Ultimately cost efficiencies are strongest when all of the moving parts are designed to work together.”
Growth Driven by Diversified Product Portfolio
Large enterprise customers are increasingly turning to Voltage to solve their corporate-wide encryption needs which center around securing sensitive and confidential employee and customer data inside applications, databases, emails, files and documents.
Milestones included:
One of the world’s largest telecommunications companies, a Fortune 50 company, licensed the entire product suite including Voltage SecureMail™ and Voltage SecureData™ for enterprise-wide deployment, enabling hundreds of thousands of employees and business partners to send and receive secure email, and protecting private customer data in thousands of applications throughout the organization.
Heartland Payment Systems, a leading payment processor, selected Voltage Security as a partner to develop end-to-end encryption specifically suited to payments processing. Heartland also licensed Voltage SecureMail™ and Voltage SecureFile™ to protect personal information throughout its corporate and extended business network. Click here for more information.
Wells Fargo & Company, one of the nation’s largest banks, announced it had selected and deployed Voltage SecureMail™ to secure email between Wells Fargo team members, customers vendors and extended business partners. Click here for more information
Early Vision Being Realized
Adding to the popularity of Voltage end-to-end data protection solutions is the ease provided by the underlying key management architecture.
“We’ve always understood that the way to make encryption work for large-scale deployments is through simplified key management,” continued Krishnamurthy. “Now, we are seeing our vision reach a tipping point where enterprises have an urgent need to comprehensively protect information, and we offer them a complete family of easy to deploy, scalable, cost-efficient and powerful solutions.”
The flagship Voltage SecureMail™, powered by Voltage Identity-Based Encryption™ (IBE), is consistently selected for the largest enterprise-wide implementations in corporate America with typical deployments in the 50,000 to 500,000 employee range. Voltage SecureData™, by reducing audit scope and ongoing operational cost, is experiencing a rapid increase in demand and quickly establishing itself as the preferred solution for end-to-end encryption and stateless tokenization.
Enterprise Customers Representing a Wide-Variety of Industries
A wide-variety of enterprise customers are increasingly turning to Voltage to protect information throughout their organizations and beyond. A selection of new customers includes:
Fortune 100 global payments and travel company
Fortune 100 provider of property and casualty insurance for auto, home and business
Fortune 200 global media and entertainment company
Fortune 500 provider of financial services to institutional investors
Voltage Standardization Initiatives Continue
Voltage continues to participate in a number of industry standardization initiatives including:
NIST (National Institute of Standards and Technology) is reviewing Feistel Finite Set Encryption Mode (FFSEM), designed to encrypt smaller blocks of data in a manner that preserves the format of data – see the Computer Security Division annual report
PCI Security Standards Council – Voltage is a participating organization and is a strong advocate of end-to-end encryption and tokenization technologies as effective mechanisms for the reduction of audit scope
IEEE– Voltage is involved in developing the P1619.3 key management protocol and the P1363.3 pairing-based public key cryptography standard
ASC X9 – Voltage is participating in the F1, F4 and F6 efforts to protect payment data
IETF – Voltage-contributed RFCs 5048, 5049 and 509 which cover open standards for Identity-Based Encryption and have now been approved.
Most recently, Voltage was one of the few security vendors that participated in the National Cyber Leap Year Summit. This invitation-only event was organized by the White House Office of Science and Technology Policy and the Federal Networking and Information Technology Research and Development Program, and was designed to provide expert advice to the government on the best ways to address today's most pressing cyber-security problems.
About Voltage Security
Voltage Security, Inc., an enterprise security company, is an encryption innovator and global leader in end-to-end data protection. Voltage solutions, based on next generation cryptography, provide end-to-end encryption, tokenization and stateless key management for protecting valuable, regulated and sensitive information based on policy. Voltage products enable reduction in audit scope with rapid implementation and the lowest total cost of ownership in the industry through the use of award-winning cryptographic solutions, including Voltage Identity-Based Encryption™ (IBE) and a new breakthrough innovation: Format-Preserving Encryption™ (FPE). Offerings include Voltage SecureMail™, Voltage SecureData™, Voltage SecureFile™ and the Voltage Security Network™ (VSN), an on-demand managed service for the extended business network.
As a service to the industry and general public, the company maintains the Voltage Data Breach Index and Map which is continuously updated with global data breach information: www.voltage.com/data-breach . The Company has been issued several patents based upon breakthrough research in mathematics and cryptographic systems. Customers include Global 1000 companies in banking, retail, insurance, energy, healthcare and government. To learn more about Voltage customers and sign up for the customer news letter please visit www.voltage.com/customers.
U.K. researcher says vulnerability in Twitter API lets an attacker take over a victim's account -- with a tweet
By Kelly Jackson Higgins - arkReading
A newly exposed cross-site scripting (XSS) vulnerability in Twitter lets an attacker wrest control of a victim's account merely by sending him or her a tweet.
U.K. researcher James Slater reported the serious flaw earlier this week, and now says Twitter's fix in response to his disclosure doesn't actually fix the problem. "It seems they've made a pretty amateurish attempt to fix the issue, completely missing the massive problem staring them in the face," Slater said in his blog.
The attack basically exploits an input validation weakness in a field of the form used for adding third-party Twitter clients, such as TweetDeck and Twitterific. The form doesn't fully vet what can go in that box, Slater said, so an attacker can put JavaScript tags there as well as raw HTML code, for instance. "Whatever I type in that box will appear at the end of my tweets," he blogged in a follow-up post. "Anyone who sees that tweet will then be viewing that code."
IBM's X-Force Trend and Risk Report has "officially" verified what the HomeATM Blog has been messaging for the last 16 months, which is basically that if you are going to conduct a financial transaction, it must be done outside the browser space...because browsers are unsafe. You may had seen yesterday's post concerning the Top 11 eCommerce Paradigm Shifters which put HomeATM in Gear. Combined with today's release of their X-Force Report, you gotta like HomeATM's approach to securing online transactions as we are the only company who does it "outside" the browser space. (using our simple 2FA 3DES DUKPT E2EE. :-)
The IBM X-Force Trend and Risk Report is produced twice per year: once at mid-year and once at year-end. This report provides statistical information about all aspects of threats that affect web security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber criminal activity.
They are intended to help customers, fellow researchers, and the public at large understand the changing nature of the threat landscape and what might be done to mitigate it...like swipe vs. type! The report also reveals what it describes as “an unprecedented state of Web insecurity" as Web client, server, and content threats converge to create an untenable risk landscape.”
IBM’s researchers have clocked a 508% increase in the number of new malicious Web links and a level of veiled Web exploits, especially in PDF files, which is now running at an all time high.
The X-Force report notes an increase in the presence of malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal Web sites, online magazines and mainstream news sites. PDF vulnerabilities disclosed in the first half of 2009 apparently surpassed disclosures from all of 2008.
“No one is to be trusted,” said X-Force Director Kris Lamb. “There is no such thing as safe browsing. We’ve reached a tipping point where every web site should be viewed as suspicious and every user is at risk.”
Editor's Note: Sound like a familiar rant? I'm coming from help when I say: "Don't Type...Swipe!" Want to register to read the report? Here's the Link (PDF) Also...here's IBM"s Press Release:
ARMONK, N.Y.
-
26 Aug 2009:
IBM (NYSE: IBM ) today released results from its X-Force 2009 Mid-Year Trend and Risk Report. The report's findings show an unprecedented state of Web insecurity as Web client, server, and content threats converge to create an untenable risk landscape.
According to the report, there has been a 508 percent increase in the number of new malicious Web links discovered in the first half of 2009. This problem is no longer limited to malicious domains or untrusted Web sites. The X-Force report notes an increase in the presence of malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal Web sites, online magazines and mainstream news sites. The ability to gain access and manipulate data remains the primary consequence of vulnerability exploitations.
The X-Force report also reveals that the level of veiled Web exploits, especially PDF files, are at an all time high, pointing to increased sophistication of attackers. PDF vulnerabilities disclosed in the first half of 2009 surpassed disclosures from all of 2008. From Q1 to Q2 alone, the amount of suspicious, obfuscated or concealed content monitored by the IBM ISS Managed Security Services team nearly doubled.
"The trends highlighted by the report seem to indicate that the web has finally taken on the characteristics of the Wild West where no one is to be trusted," said X-Force Director Kris Lamb. "There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware.
We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk. The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity."
Web security is no longer just a browser or client-side issue; criminals are leveraging insecure Web applications to target the users of legitimate Web sites. The X-Force report found a significant rise in Web application attacks with the intent to steal and manipulate data and take command and control of infected computers. For example, SQL injection attacks - attacks where criminals inject malicious code into legitimate Web sites, usually for the purpose of infecting visitors - rose 50 percent from Q4 2008 to Q1 2009 and then nearly doubled from Q1 to Q2.
"Two of the major themes for the first half of 2009 are the increase in sites hosting malware and the doubling of obfuscated Web attacks," Lamb said. "The trends seem to reveal a fundamental security weakness in the Web ecosystem where interoperability between browsers, plugins, content and server applications dramatically increase the complexity and risk. Criminals are taking advantage of the fact that there is no such thing as a safe browsing environment and are leveraging insecure Web applications to target legitimate Web site users."
The 2009 Midyear X-Force report also finds that:
Vulnerabilities have reached a plateau. There were 3,240 new vulnerabilities discovered in the first half of 2009, an eight percent decrease over the first half of 2008. The rate of vulnerability disclosures in the past few years appears to have reached a high plateau. In 2007, the vulnerability count dropped for the first time, but then in 2008 there was a new record high. The annual disclosure rate appears to be fluctuating between six and seven thousand new disclosures each year.
PDF vulnerabilities have increased. Portable Document Format (PDF) vulnerabilities disclosed in the first half of 2009 already surpassed disclosures from all of 2008.
Trojans account for more than half of all new malware. Continuing the recent trend, in the first half of 2009, Trojans comprised 55 percent of all new malware, a nine percent increase over the first half of 2008. Information-stealing Trojans are the most prevalent malware category.
Phishing has decreased dramatically. Analysts believe that banking Trojans are taking the place of phishing attacks geared toward financial targets. In the first half of 2009, 66 percent of phishing was targeted at the financial industry, down from 90 percent in 2008. Online payment targets make up 31 percent of the share.
URL spam is still number one, but image-based spam is making a comeback. After nearing extinction in 2008, image-based spam made a comeback in the first half of 2009, yet it still makes up less than 10 percent of all spam.
Nearly half of all vulnerabilities remain unpatched. Similar to the end of 2008, nearly half (49 percent) of all vulnerabilities disclosed in the first half of 2009 had no vendor-supplied patch at the end of the period.
Translation: Do Not Type...Swipe!
The X-Force research team has been cataloguing, analyzing and researching vulnerability disclosures since 1997. With more than 43,000 security vulnerabilities catalogued, it has the largest vulnerability database in the world. This unique database helps X-Force researchers to understand the dynamics that make up vulnerability discovery and disclosure.
IBM is one of the world's leading providers of risk and security solutions. Clients around the world partner with IBM to help reduce the complexities of security and strategically manage risk. IBM's experience and range of risk and security solutions -- from dedicated research, software, hardware, services and global Business Partner value -- are unsurpassed, helping clients secure business operations and implement company-wide, integrated risk management programs.
Finextra: Over eight million Brits have handed over their Chip and PIN details to someone else in the last year, with a quarter of these falling victim to fraud, according to a survey for insurance firm LV=.
An online poll of 3002 people shows 20% have given out their card and PIN number - 85% of these in the past year - to someone else to make a purchase on their behalf or get money from a cash machine.
By far the worst offenders are younger people with over one in three of the under 35s admitting they have asked someone else to use one of their cards. The most common location for 'borrowed' cards to be used is at a cash machine.
"Credit card companies should be federally regulated"
OTTAWA, Aug 26 (Reuters) - Canada's banking regulator should license and approve all financial instruments available to investors in the country, even if they originate in the United States, a new report recommended on Wednesday.
The report by two economists at the Canadian Centre for Policy Alternatives, a left-leaning think tank, also urged the rapid creation of a single securities regulator in Canada to make sure officials can properly monitor markets and detect risky behavior or excesses before they get out of control.
A single financial markets watchdog, replacing the 13 regional regulators now in place, is a key ambition of Finance Minister Jim Flaherty and would bring under federal jurisdiction the "shadow" banking sector. That unregulated sector once accounted for nearly half of all Canadian borrowing and includes non-bank lenders as well as hedge funds and securitized debt vehicles.
Aug. 26 (Bloomberg) -- Redecard SA and Cia. Brasileira de Meios de Pagamento, Brazil’s biggest debit- and credit-card payment processing companies, fell the most in at least two weeks after a newspaper reported the companies may face increased competition from state-controlled lenders. Redecard, the processor of Mastercard Inc. payments, lost 1.7 percent to 26.25 reais in Sao Paulo trading for the biggest decline since Aug. 12. VisaNet, as the processor of Visa Inc. payments is known, slid 3.3 percent, the most since Aug. 6, to 16.81 reais.
Federally controlled banks Banco do Brasil SA and Caixa Economica Federal will “soon” start offering credit cards under their own brand as part of a government effort to increase competition, Brasilia-based Correio Braziliense newspaper reported today without saying where it obtained the information.
“The report adds to concern that these companies will face more competition in the future,” said Mariana Taddeo, an analyst with Link Investimentos in Sao Paulo.
I read an article at Internet Retailer.com and it got me going as to why I believe it's a great time to be the only company in the world with a PCI 2.x certified PIN Entry Device! Here's an excerpt, followed by my Top 11 List...
The web outgrew total revenue and store sales for Gap Inc. in the second quarter. But the most telling statistic in Q2 about the overall importance of e-commerce to Gap is the fact that the Internet now accounts for a significantly larger share of total sales than it did just one year ago. In the quarter ended Aug. 1,
Web sales areup 17.3% from $224 million to $191 million in the second quarter of 2008.
Comparable-store sales decreased 8%.
The web’s percentage of total sales for Gap is 25% larger than one year ago
Net income declined 0.4% to $228 million from $229 million.
“Building upon two years of work improving our economic model, we’re now putting further emphasis on changing the trajectory of our top line performance,” says Gap CEO Glenn Murphy. For the first half of the year:
E-commerce revenue increased 15%to $491 million from $427 million.
Total sales declined 7.4% to $6.37 billion from $6.88 billion.
The web’s percentage of total sales for Gap is 24% larger than one year ago.
Net income declined 7.3% to $443 million from $478 million.
Okay...that is what instigated this post. There have certainly been some interesting developments over the course of the last two years. Let's take a look at my "Top 11 List" as it relates to an eCommerce payments platform:
Debit has surpassed credit in both the number of transactions and volume.
PIN Debit is the preferred of the two debits, online and offline. (PIN and Signature)
The "GAP" between eCommerce and Bricks and Mortar is lessening.
Consumers have the fear of god, (I guess I shouldn't give hackers that much credit) instilled in them to the degree that over half have serious reservations and one-third won't even risk shopping online.
So when you add it all up what does this all mean? It means that the Paradigm Shift...feel free to call it the "perfect storm"...has begun to brew and gain momentum.
Why not make "everybody" happy and solve all 11 problems at once. The main culprit of CNP Fraud is the Web Browser. So why not eliminate the CNP environment by eliminating typing and mandating swiping just as they do in the brick and mortar world?
Therefore, now is a really good time to offer the world the "only" PCI 2.x end-to-end 3DES DUKPT encrypted Pin Entry Device in two hemispheres. By the way, our device, it could be argued, removes Internet Retailers from the scope of PCI Compliance because the data is neither stored nor handled when the card is swiped.
It's also beneficial for HomeATM to own a globally patented PIN Debit platform which not only lowers risk and virtually eliminates chargebacks but is preferred by both merchants and consumers alike.
Imagine the demand if that very same platform were to significantly lower Internet Retailers Interchange Fees...especially if the cost of the device was so inconsequential that it provided a return on investment as quickly as the first transaction.
I would be great if that same platform eliminated the threat of phishing, cloned cards, cloned bank websites, DNS Hijacking and to a large extent malware. (what would the malware steal if there wasn't any card holder/financial information data?)
Having removed those threats, I guess the only "threat" to HomeATM's solution is...the dreaded Software PIN debit :-) I still don't quite understand, especially in light of the recent exposes' on inherent weaknesses within the browser space, how software PIN debit has gained the momentum it has, but I will say that Acculynk has done a wonderful job marketing their solution. (In fairness to HomeATM, they have a lot less pushback as they don't have to move molecules. (hardware) Then again, I don't consider that to be an encumbrance...I consider hardware to be an advantage.
For the sake of argument, let's give the software approach the benefit of the doubt. Let's assume that hackers are too dumbfounded by mouse clicking technology to figure out how to crack a floating PIN Pad, they aren't handicapped when it comes to stealing credit and debit card numbers...
The only way to prevent that from happening is for people stop typing. So the obvious question is: If typing is eliminated...thus the required first step for a software PIN debit application is eliminated as well... what initiates the popup...oops, floating...PIN Pad at the checkout on a merchants website? Hmmmm.....
Let us assume the elimination of typing "isn'tin the stars" (contrary to the picture I have envisioned in my mind and pictured on the right) for another couple years. That would mean that Internet Retailers would have to choose between a software and a hardware approach to Internet PIN Debit.
Aside from the aforementioned fact that hackers have proven they can steal credit and debit card numbers at their whim, why do I believe that HomeATM has the advantage?
One "very big" reason is that we provide the PCI compliance by removing the merchant from the scope of said compliance. That fact alone would save Internet Retailers not only a pocketbook of cash, but eliminate more headaches than 10 cases of Excedrin.
More importantly, the fact that Internet Merchants would be PCI compliant would potentially save their business from an involuntary insolvency caused by exorbitant fines levied by MasterCard or Visa in the event of a non-compliance breach.
Considering that 85% of businesses suffered a breach in the last 12 months (see 2009 Ponemon Report) that possibility poses a real threat.
Another HomeATM advantage is there is no arguing the fact that our transaction methodology is immensely more secure. In fact "security" is why we have the only PCI 2.x Certified PED specifically designed for eCommerce. (in the world)
But, maybe our biggest advantage is that when you "swipe" the magnetic stripe, the Track2 data is captured...which is a requisite for a Card Present environment.
HomeATM takes it one-step further and immediately encrypts the Track2 data providing another layer of security. (the fact that our PED does that is now referred to as an "encryption enabled" Point of Sale Device)
HomeATM Worst Case Scenario - "Card Present" Internet PIN Debit
In my humble opinion, the "worst" case scenario, is that we create a Card Present "Internet" PIN Debit" environment. (although I would argue that we 100% replicate a brick and mortar PIN Debit transaction...for instance, one conducted at the Gas Pump, or at a Kiosk.) But we would encourage MasterCard or Visa to create a Win (V/MC) Win (Internet Retailers) Win (consumers) "Card Present Internet PIN Debit" classification for Interchange. Card Not Present Fraud has reached epic levels and shows no signs of letting up.
Software's Best Case Scenario: "Card NOT Present" Internet PIN Debit
On the other hand, Internet Retailers who decide to risk offering a "type and click" format, which does not capture the Track2 data could only hope for a "best case scenario" classification of "Card Not Present" Internet PIN Debit. By definition, (Visa and MasterCard's) if the magnetic stripe data is never captured, then it creates a "Card Not Present" environment, thus transaction.
The fact that "CNP Fraud is at it's all-time high and is expected to continue to grow" bodes well for a Card Present Solution. But, nevermind that...Simply ask "anyone" in the brick and mortar space if they prefer "card present" Interchange over "card not present" Interchange and you'll learn why HomeATM has a distinct advantage over a software, CNP solution. We replicate a brick and mortar PIN Debit transaction whereas "software PIN debit" does not exist. (anywhere in the payments ecosystem). We are simply taking a "conventional approach" to securing card holder data for web transactions. Software PIN debit is just another "alternative payment" system.
Oh...last point. HomeATM is EMV (Smart Card/Chip and PIN) ready. There's no such thing as a software Chip and PIN. Then again, I guess I could argue that there's no such thing as a software PIN Debit solution either as both require swiping vs. typing. Add to that fact that our device would also provide secure 2FA 3DES DUKPT E2EE secure online banking log-in and there's a value-added component to the mass distribution of our devices. Especially considering the inherent flaws in online banking authentication. (see related story below)
SQL Injection attack still spreading - 84000 and counting
by Steve Ragan - Aug 26 2009, 21:10
The automated SQL Injection (SQLi) attacks that gained attention late last week are spreading, and according to the researchers that discovered the attack, they are related to similar SQLi attacks in China. ScanSafe, who discovered the attacks, thinks these attacks may be regionally targeted.
The original report from ScanSafe looked only at the domain, which is injected via a malicious Iframe into a legitimate site by using various automated SQLi methods. At the time of the first report on Friday, the count was just under 55,000 sites. On Wednesday, the number of sites swelled to just over 84,000. Adding to this is the discovery of similar SQLi attacks taking place in China, leading ScanSafe to speculate that the attacks may be regional.
The Malware served in the attacks reported by ScanSafe on Friday are a nasty cocktail of code, including backdoor related Malware, keylogging Malware, various Trojans and more...
Nokia Enters Increasingly Crowded Mobile Money Market
Teams with Obopay targets unbanked people in developing countries.
Nokia is getting ready to launch Nokia Money, which will offer basic financial services on mobile phones, it said on Wednesday.
It will enable consumers to send money, pay for goods, services and bills, and recharge their prepaid SIM cards, according to Nokia.
Some Nokia phones will have the necessary client pre-installed, but users will also be able download and install the client on Nokia phones and devices from other vendors, said to Nokia spokesman Mark Durrant.
It is also building a network of agents, where consumers will be able to deposit or withdraw cash from their accounts.
Nokia has previously been a proponent of using NFC (Near Field Communication) -- a wireless communication technology with a range of a few inches -- for contactless payments.
Nokia Money lets users send funds to another person just by using their mobile phone number. It can also be used to buy goods and services from merchants, pay utility bills and top up pre-paid SIM cards. Read More at PC World
Visa Hires Oliver Jenkyn as Global Head of Strategy and Corporate Development
San Francisco, Aug. 26, 2009--Visa Inc. (NYSE:V) today announced the appointment of Oliver Jenkyn as Visa Inc.'s Global Head of Strategy and Corporate Development. In this role, Jenkyn is responsible for developing and managing the company's corporate strategy across the 170 countries where Visa Inc. does business. Jenkyn succeeds Rupert Keeley, following Keeley's recent appointment to Group President of Visa's Asia Pacific and CEMEA regions. Jenkyn reports to Joe Saunders, Chairman and CEO of Visa Inc, and is a member of the company's Operating Committee.
"Oliver has been a trusted advisor to Visa for several years, including important contributions to our global restructuring and IPO," said Joseph W. Saunders, Chairman and CEO of Visa Inc.
Jenkyn joins Visa from McKinsey & Company's San Francisco office, where as Partner he was a leader in the firm's North American Payments and Retail Banking practices. While Jenkyn has extensive global experience across the financial services industry, he developed a specialty in payments including all aspects of the card business (issuing, acquiring, processing), ACH, check processing and cash management.
Prior to McKinsey, Jenkyn worked with Bain & Company's private equity group.
Jenkyn graduated summa cum laude from McGill University in Montreal with a bachelor's degree in economics. He also earned master's degrees in business and finance from Harvard University and Queens University.
About Visa Inc.
Visa Inc. operates the world's largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world, and Visa/PLUS is one of the world's largest global ATM networks, offering cash access in local currency in more than 170 countries. For more information, visit www.corporate.visa.com .
The Analyzer’ Pleads Guilty in $10 Million Bank-Hacking Case
By Kim Zetter | Wired
Ehud Tenenbaum, aka “The Analyzer,” quietly pleaded guilty in New York last week to a single count of bank-card fraud for his role in a sophisticated computer-hacking scheme that federal officials say scored $10 million from U.S. banks.
Editor's Tongue in Cheek Note: Now that both "The Analyzer" and "The Soup Nazi" are in Federal custody, it looks like the threat is over! Man, those two guys sure wreaked havoc. Good thing we caught them! Now I look forward to typing my credit and debit card numbers into boxes on merchant websites and pick and pecking my username: and my 7 digit password: (1 of them is a number to make it harder!) into boxes at online banks with the peace of mind in knowing that these two bad guys have been caught! Here's more on E.T. from Wired:
The Israeli hacker was arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks. But before Canadian authorities could prosecute him, U.S. officials filed an extradition request to bring him to the States. (I think they whisked him here)
Prosecutors alleged in an extradition affidavit that Tenenbaum hacked into two U.S. banks, a credit- and debit-card distribution company and a payment processor, in what they called a global “cash-out” conspiracy. But he was only charged with one count of conspiracy to commit access-device fraud and one count of access-device fraud.
Tenenbaum is set to be sentenced Nov. 19, and he faces a maximum of 15 years in prison. Prosecutors declined to comment on the case or describe the details of his plea agreement. The second count in the indictment, charging conspiracy, appears to have been dropped.
“The Analyzer”, is currently in Canadian custody on charges relating to a fraud which netted US$1.47 million from Direct Cash Management in Calgary, a firm that sells pre-paid debit cards. Editor's Note: "He allegedly used SQL injection...
Jailed international hacker and cyber criminal “The Analyzer,” (See Analyze This...More on "Hack You!") who awaits extradition to the US from Canada to face charges related to cyber crimes committed in 2008, is now also a suspect in ...
“There are also new reports that 'The Analyzer', who was arrested last year in Canada for stealing $1.5 million from Canadian banks, also allegedly hacked two US banks, a credit card and debit card firm, and a payment processor firm. ...
Tenenbaum, 29, also known as "The Analyzer," gained notoriety 10 years ago when he broke into computer networks of NASA, the Pentagon and the Knesset, the legislative branch of the Israeli government. At the time, he was celebrated in ...
Thales extends support to MasterCard Advanced Authentication for Chip
New solution secures online transactions executed with new and existing EMV cards
Thales, leader in information systems and communications security, announces that SafeSign, the company’s identity management and authentication solution, has successfully completed MasterCard evaluation for its Advanced Authentication for Chip. MasterCard Advanced Authentication for Chip is the latest extension to EMV, the international card-based authentication solution. Building on their long-standing relationship, Thales and MasterCard continue to work together to help banks fight online fraud and ensure maximum consumer confidence in online transactions by supporting both newly issued and existing EMV cards.
MasterCard Advanced Authentication for Chip allows two-factor authentication on EMV cards already issued that do not necessarily have offline PIN capabilities or have not been personalized according to the MasterCard Chip Authentication Program™ (CAP). This allows issuers to provide strong authentication to their cardholders without the need to re-issue their cards. This solution has been driven by regional demand, especially from the Asia Pacific Region and Latin America, where there are hundreds of millions of cardholders who need to be able to use their existing EMV cards to protect their online transactions. Thales has long supported MasterCard CAP with its SafeSign, HSM 8000 and payShield solutions.
According to Art Kranzley, Chief Emerging Technology Officer at MasterCard, “Today, consumers still don’t feel safe when buying online or using e-banking facilities which is why it is important that we create the conditions needed for banks to be able to allay these fears. Thales and MasterCard have already delivered strong authentication solutions in the past, now with Advanced Authentication we are best placed to support banks in continuing fighting Card Not Present fraud and building confidence for online customers.”
The new Advanced Authentication for Chip is operated by the cardholder inserting an EMV card into a Personal Card Reader (PCR). Once inserted, the PCR will perform specific card checks. If the card does not support offline PIN, the Advanced Authentication for Chip reader provides the option for a one-time password (OTP), challenge and response (C/R) or transaction data signing (TDS) which can be used for online user authentication and transaction signing. Otherwise the cardholder will first be prompted to introduce the PIN. This also means that Advanced Authentication for Chip is compatible with MasterCard CAP. SafeSign verifies and validates the OTP, C/R and TDS in order to effectively authenticate the user and provide additional security for online transactions.
“Thales has collaborated extensively with MasterCard to provide user authentication solutions and online transaction signing for CAP. We have now added support for EMV cards that have been issued without CAP personalization or an offline PIN”, says Franck Greverie, Vice President, Managing Director for the information security activities of Thales. “Our support for Advanced Authentication for Chip demonstrates our continued commitment to work with MasterCard to enable our customers to make online and Card Not Present transactions safer for EMV card holders and dramatically reduce fraud.”
SafeSign is Thales’s identity management and authentication solution that helps protect financial institutions and their customers against online fraud, enabling them to concentrate on delivering new products and services. Unlike other solutions, SafeSign supports a wide range of authentication technology including EMV/CAP, OATH tokens, mobile phones, smartcards and digital signature technologies. This approach allows SafeSign customers to maintain maximum flexibility in the selection of authentication that they deploy to meet their current and future needs.
About MasterCard Worldwide MasterCard Worldwide advances global commerce by providing a critical economic link among financial institutions, businesses, cardholders and merchants worldwide. As a franchisor, processor and advisor, MasterCard develops and markets payment solutions, processes approximately 21 billion transactions each year, and provides industry-leading analysis and consulting services to financial-institution customers and merchants. Powered by the MasterCard Worldwide Network and through its family of brands, including MasterCard®, Maestro® and Cirrus®, MasterCard serves consumers and businesses in more than 210 countries and territories. www.mastercard.com
Notes to editor Thales is one of the world leaders in the provision of Information and Communication Systems Security solutions for government, defence, critical infrastructure operators, enterprises and the finance industry. Thales’s unique position in the market is due to its end-to-end security offering spanning the entire value chain in the security domain. The comprehensive offering includes architecture design, security and encryption product development, evaluation and certification preparation and through-life management services.
Thales has forty years of unrivalled track record in protecting information from Sensitive But Unclassified up to Top Secret and a comprehensive portfolio of security products and services, which includes network security products, application security products and secured telephony products.
About Thales Thales is a global technology leader for the Aerospace, Space, Defence, Security and Transportation markets. In 2008, the company generated revenues of 12.7 billion euros with 68,000 employees in 50 countries. With its 25,000 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers as local partners. www.thalesgroup.com
Tony Dyhouse, director of the government-backed Cyber Security Knowledge Transfer Network, said that banks face a difficult challenge in trying to balance security with convenience.![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_t7UpUmmxbUhjpSucU3qI47tnEwdHy3chuHMZqXmftd3Cnpu9DIVQuaLKLI6ryNQrrKmahRWsAtJ6R52fYldXwxiQNaT2FQY6AK4MmiXy1YiRNpEuP0dAayQ7l6jp97fWObyBmfzhnVPJsimhfV7Y_C=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_t88A2FKE2oqwgGXIOrtJ_ltahl5z4AaoSthHg23-goG_OilW62dvWLGwsvAWggfX6CS2NDHTBjug2doWdtldIL-cq0uDntUAWnsEJxZZpY5XZw7P6RVAd7bhRunO_tnjPg1hHTwyeHEcd8gxjQIE-r=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tCygwqHKak1wGCmKe-eLwgSX1K7zVoo6sJUQmISSPcH-1NOvFSNciyip1FH-nktsDNqZxTGHVQp-zJHSPQRo5uWYvOwVAie-lqW_8vBfxU0NofuZAzmbZWnAiDtWCCOjKUezITKjGWTIO6RdftQZqP=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uds4GBQHNIZMv3_j3ObfQ4_lxj26GziSiIxzWotbYmkd68xu0V-WwZ7uMbFCbVXIODyIp0tuNM_h158SU1v9c8FgMBlvexDmkGqs8vCDY00JPXqzXtAXLiCFsaoP9ZOCqM0icMi_RFEPeJf6-oh-Q5=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_ufPovKhzI_K1W2_WJp3O94yu4j3yzgSAOMxacVbbmcBOP-m4gxHdQW3UbaZskYJJTFBTgqyHBvycGh7f2Di676wGTn6jnR0FyDnErZ8saJpyNwGlCPG1iprUdne5_-sHgsgoCwyVo7LGByBt1bXWYB=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_s4aaq3Kw10Y-qf5QlCrwgnVVFVLw6jBCFAhBH3jZTIiac1M7Qxq4oeibmPptYuERxpzniaqxwEZS_3iamXq6TUbPbNvs7lMsMYcksEBRf6s5v1gnetrAevgu_MgjHEvEe1WgdqWvsTVq8heI3wVgE=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uODjtD7ijtsYTG4biISSQaWE5G1GLyuJn61dP56veK2ph5rlkbUJxt29cr92Nem-36VcbM_QgS1g5OGU0UqBehpnAqwNC3plGBJGBvN8QcigFR-dIQcO-IcRx6LGw4-fnfFqr2odeUIRy_Y1a4rCRe=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tUqBfH9FF04PeaP_CzQHHErE2T5eG_xBQgudFhXNHLe52LGy2GAnqzggLIORRbBZG-jnxxD7kOgF4Mha5gNa1NFre9AhJAKSGdPIJ7GgMaPN8r07MrUam-zCJlwp1XDwAD9ndmK7yvA5hIaciYQisg=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vbG4V5kkMsdpNZxA5oWS4LV_JKaToWyc0Nzgez7Y-KUrAQgNDXDpvT7c3mkr2vU0c5PKZJtzDuR6ON9FM2_k1u_vXdsRVj5a1UtHFnez0hP27SaUusHNmIBhqdPBpnMQxj9-4-U5g5SOuMky-NcaQv=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_v1p7NzQV_AujjbsAGzE0C15GHaTugYac-A7_LIgUwWVZCZUTpAMCHIj_izjKrqRo9ZP90CnBAoi1AhU57RxDYoJ6eAZ6ciRNW9qbyvUcjVA9d-1cIlhteMlSh3NWAE3Nf_1reEV1_slLxnpi1s64eQ=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sEWdOoqB3pm_usCcftesmoTTu3uqRQ8vtVkUqHPh-fj7C4VQlckGhGltgSdWt1ZZlXRIKC2Zh5b2bWRBu0Yt7-UKPBhOKV6xdy0o8k5xZvd0Rm6sTlGeDZMdWvELlGAxskO_IlQpDq3jNR--Axddsi=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tZuyAh0NDYjwmQQkZHeNjQ13pRlya5GDmg5a_4dGg7eh2ccPTq07PjwXbwZUlRUgRTBoX33mtmAR2dL7-xyhmMl6og-59x29Li99LDN8hwpd6g81zl_bCQkZG2Wd4ajn1Q1GL7VPnB43QoDWnq_51M=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sVyqzMe9aeTPY2ZGM9IvFLYqST_4Tm45kHtau3fe2wgnjMiZ9EERsJ5rCF5pnKiIEPyYOS6OG4zMtBIhnNorHO7XpsnYk4oZsgE_r6Jx3G9iLHfvmDQqnPXhrk3VDdR5PwyKMUCJ1ETztdmwRI4BAy=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_s5fmdNjaRdsmpJtp1EAcEnHT-xi85LeFlJEd8p4evPYObQDtLjHpxw4earNltUZMXm_ikx-KS83IahgibXoMDDO5iJd2qn64A1Y8OUqhCF17yyyMfrT46ctxTahJ2Xhuy46THQyIx2eBRw_QEcKwEV=s0-d)
