Tuesday, September 8, 2009

Smart Card Alliance Executive Director Unhappy with Online Banking Security

In today's Smart Card Newsletter, issued by the Smart Card Alliance,  Randy Vanderhoof, Executive Director of the Smart Card Alliance, had the following to say about online banking fraud:  





Payment fraud resulting from massive data breaches was in the news again this month and one specific type of payment fraud–online banking fraud–got a little too close to home for me personally...



The Smart Card Alliance fell victim to such fraud this month. Our online banking account was breached by someone who created a valid account relationship with the Alliance’s business checking account and began making large, unauthorized ACH withdrawals from our account.



What was most shocking was how inept the bank’s (I won’t mention any names, but it is one of the BIG ones) internal business processes were in responding to the fraud, locking down the account, and putting on additional controls after the fraud was reported. What I was told was that I could set up manual controls to limit ACH deposits and withdrawals to only authorized accounts, but that I needed to upgrade our account to a “stronger” type of account.  It took 10 business days just to have an ACH blocking feature turned on!


I was also told that the bank can provide me with a smart card–not to securely log in and authenticate myself to my account in place of my current user name and password, but rather to have the chip generate a dynamic one-time password (OTP) each time I authorize a transaction.



For authentication, I would still have to type the password into my desktop computer, which just might be infected with a key logger connected to Twitter-like instant messaging that can capture my account information "and the OTP" as I type and log in as me without me even knowing it. (Such a “man-in-the-middle” attack was recently revealed in this NY Times article).


I am on a mission now: to find out how our bank account got hacked, why all online personal and business checking accounts are vulnerable–at least in this bank–and why no one is doing anything about it.


An Open Letter to Mr. Vanderhoof:

Randy,

HomeATM agrees that typing your password into your desktop computer is a futile way to prevent hackers from obtaining your sensitive data, and HomeATM IS trying to do something about it. We are in the midst of speaking with several national banks in order to demonstrate that consumers need to authenticate themselves the same way they do at an ATM machine.

I am aware that, as Executive Director of the Smart Card Alliance, you would probably be more interested in our EMV version (which we have, should you know anyone in Europe who might be interested), but until EMV is prevalent in the United States, we are offering banks the opportunity to offer their customers our PCI 2.x Certified PIN Entry Device, the only one of its kind. It would provide users with the security and protection of a two-factor (what you have/card and what you know/PIN) 3DES DUKPT TRUE "End to End Encrypted" log-in. (Most are End-to-Almost-End Encrypted.) HomeATM provides true Zone 1 through Zone 5 encryption for the PIN. (The track2 data is encrypted through Zones 1-4.)



Our device would also provide consumers with the means to conduct "card present" transactions in a "card not present" fraud-infested world (wide web) and enable the bank to offer a real time (not ACH) P2P Money Transfer option as well as "real time" online bill payments.



Maybe the Citizens Bank lawsuit, which I blogged about earlier today, will open their eyes to the risk they are not only exposing their customers to, but the risks they are exposing themselves to as well!

Feel free to drop me a line anytime if you'd like to discuss further!


John B. Frank






















Online Fraud Shows No Signs of Letting Up

Card Not Present Fraud is the biggest culprit. 



HomeATM provides a low cost, 2FA 3DES E2EE PCI 2.x Certified Solution which allows Internet Retailers and Consumers to level the playing field by eliminating the "card not present" environment. 





If an online consumer was instructed to "swipe their card", thereby capturing the data on the magnetic stripe, it would be, by definition, a "card present" transaction.



Therefore, our device would eliminate "card not present" fraud by "morphing" the "card not present" environment into a "card present" environment.  Yes? 



You might say that HomeATM changes the way card information is swiped. 



The way it is done now, the card details are "swiped by the fraudsters."   Does it not make more sense for the online shopper to "swipe" their own card details? Then again, we could ignore all the red flags and just keep on typing!





No let up by fraudsters as online card spend soars | Response Source

Fraud prevention specialists reveal Britain’s top UK card fraud hotspots



Many of Britain’s high street shops may have been affected by the economic downturn, but millions of consumers have been more than happy to spend their money online and through mail order with their favorite retailers. However, once again the dark side of card usage is revealed as fraud specialists, the 3rd Man, unveil the extent of criminal card activity and in particular the worst places in Britain for attempted card fraud.
An analysis of the 3rd Man’s comprehensive and detailed records shows that between August 2008 and August 2009, shoppers spent an estimated £46 billion using their cards in ‘card not present’ transactions, the term used to describe purchasing when, for example, a customer is buying online or by phone. Of this figure, fraudsters have tried their best to relieve retailers of more than half a billion pounds worth of goods.


“Although Britain has been in a serious recession, it appears that many consumers have been happy to spend their money over the Internet, which is good news,” says Andrew Goodwill, fraud specialist with the 3rd Man.



“However, fraudsters show no signs of giving up. They know that online shopping has become big business and they try every scam imaginable to dupe retailers. More and more honest people are using their cards to buy over the Internet, but unfortunately more and more fraudsters are also upping their game.” 





Editor's Note:  Time to "up OUR game" or these "jokers" will continue to steal our identities, cash, and peace of mind.  Eliminate Typing, Start Swiping and "Card Not Present" fraud will be eliminated. It's really not that difficult to grasp the concept...is it?  







Metavante Shareholders Approve FIS Merger

On Friday, I posted a press release announcing that the Department of Justice cleared the way for an FIS/Metavante merger. See: FIS and Metavante Receive DoJ Clearance to Proceed with Merger



Last July, I posted that Fidelity National Information Services was holding a special shareholder meeting to vote on the merger (see: Fidelity and Metavante to Hold Special Shareholder Meetings). Apparently, Metavante was waiting on the DoJ clearance to hold and announce the results of its shareholders' vote. RTTNews reports the vote was overwhelmingly "for"...



(RTTNews) - Banking and payment solutions provider Metavante Technologies, Inc., said Friday that its shareholders overwhelmingly approved the proposed merger with Fidelity National Information Services, Inc. (FIS) at a special shareholder meeting.



Earlier on April 1, Fidelity, also a banking and payment technologies provider, had agreed to acquire rival Metavante in an all stock deal valued at about $2.95 billion. The deal had the approval of the board of both the companies. The Milwaukee, Wisconsin - based company and FIS are targeting an October 1, 2009, completion date for the merger, subject to customary closing conditions. The transaction is expected to be accretive to adjusted earnings per share in fiscal 2010.



The combination is expected to create a company with a pro forma enterprise value of $10 billion and the world's largest provider of comprehensive integrated payment and financial core processing services. The deal is expected to achieve cost synergies of about $260 million and increased long-term organic revenue growth for Fidelity.



Metavante Technologies, spun-off from Marshall & Ilsley Corp. (MI) in November 2007, has been offering processing services to about 8,000 financial institutions of all sizes for more than 40 years. Services include outsourced deposit, loan, and trust account processing, check processing, electronic funds transfer, commercial treasury services, and health care payment services.



Related:

Jul 27, 2009
FIS will hold a special meeting of its shareholders to vote on the issuance of FIS common stock in connection with the merger of Metavante into a wholly owned subsidiary of FIS, and to vote on the issuance of approximately 16 million ...


Friday, September 4, 2009

FIS and Metavante Receive DoJ Clearance to Proceed with Merger



Fidelity National Information Services, Inc. and Metavante Technologies, Inc., Receive Department of Justice Clearance to Proceed with Planned Merger









Biometrics Firm Partners with InterSwitch in Nigeria



LUND, Sweden - (September 8, 2009 PIN Payments Blog) Precise Biometrics has entered into a strategic partnership with Interswitch -- one of the leading African financial solution providers based in Nigeria. The aim is to supply fingerprint recognition with Precise Match-on-Card(TM) to bank applications. The partnership is already engaged in a first project, which will provide license sales at a minimum of EUR200,000 in 2009.



The partnership between Precise Biometrics and Interswitch aims at building and promoting biometric Match-on-Card solutions for the bank segment in Africa. The solutions will initially target Nigeria, which is the largest populated country on the continent with more than 150 million inhabitants.



Nigeria recently decided to replace magstripe bank cards with more secure chip cards, so called smart cards, in order to gradually eliminate fraud related to less secure magstripe cards. The new cards comply with the EMV (Europay, Mastercard, VISA) standard used in the bank industry and the government deadline to replace all magstripe cards with chip-based smart cards is December 31, 2009.



To enable banks to migrate faster, Interswitch has introduced the Verve card into the market. The Verve card has both international and local security features, and through Interswitch's partnership with Precise Biometrics, it also includes fingerprint recognition and Match-on-Card features. These features are used to control a cardholder's physical presence at the moment of a transaction. With fingerprint recognition and Match-on-Card, banks, governments and organizations increase security internally as well as for customers through personal verification and KYE (Know Your Employee).



Mitchell Elegbe, Managing Director and Chief Executive Officer of Interswitch states: "We are pleased to enter into this partnership, as Precise Biometrics is the leading provider of biometric Match-on-Card solutions. We believe that our joint efforts and technological know-how will have great commercial potential in the West African region. The capabilities, security and reliability of the Match-on-Card solution gives us a positive differentiation from biometric solutions that are relying on databases or external servers."



Thomas Marschall, CEO at Precise Biometrics comments: "We are very pleased to have come to an agreement with Interswitch, which will place Precise Biometrics in a prime position to capture the rising biometric opportunities within the financial sector of West Africa. While the strength of the partnership is documented by already being engaged in a project which will provide income for 2009, we have substantial commercial expectations for the partnership in 2010 and onwards."



Precise Biometrics is a market-leading provider of solutions for fingerprint recognition to prove people's identities. With top-of-the-line expertise in fingerprint verification, Precise Biometrics offers fast, accurate and secure authentication of a person.



Its core product, Precise Match-on-Card(TM), adds value to ID, SIM, enterprise and bank cards as well as systems for access control to buildings, computers and networks. Precise Biometrics serves business and government organizations throughout the world and its technology is licensed to close to 100 million users.



For more information, please visit www.precisebiometrics.com or see a presentation at www.precisebiometrics.com/movie.aspx.



For the full version of the press release please click on the link below http://hugin.info/131387/R/1337790/318917.pdf



For more information, contact:



Precise Biometrics AB

Thomas Marschall, CEO

+46 46 31 11 10

+46 734 35 11 10

Email: thomas.marschall@precisebiometrics.com

Don't Say I Didn't Warn You on Dangers of Online Banking!



I've been blogging about the dangers of online banking for quite a while now. So as more and more people fall victim to phishing attacks, keylogging, DNS hijacking, SQL injections, cloned bank websites, etc., you can't say I didn't warn you...



Today I found a "mainstream" article (The Telegraph UK) that sums up my beliefs...specifically..."Don't Type...Swipe!"



Here are some excerpts:



Viruses, spyware, key loggers – the James Bond style vocabulary of the computer hacker is enough to make us paranoid about losing all the money in our bank accounts when we log on to online banking to pay the gas bill.


And it's not just an irrational fear. Take one acquaintance of mine. She's hardly computer illiterate – a web designer with programming skills, she keeps her antivirus and other security software up to date religiously. Yet this didn't stop someone hacking into her account and sending himself most of the money she had at the time. A quick look at the online forums confirms that she's by no means the only one to fall for this particular scam.



So is online banking secure? I've spoken to a couple of experts in computer security. Both were happy to bank online themselves, they told me, although they take rigorous precautions to keep the hackers out. But they're experts: what about the rest of us? We don't want to spend our lives keeping up with the latest online threats.

After all, the criminals have economies of scale on their side – they can put a lot of effort into perfecting their malicious software because, once it's ready, they can use the internet to get it onto the PCs of hundreds of thousands of people. So there's a huge underworld industry out there, all busily working out new ways to bypass our firewalls and get at our passwords.



My experts told me that the man in the street can bank safely online, but only if certain conditions are met.
Firstly, if your bank has given you a card reader – a gadget you connect to your computer and insert your bank card into – you are safe.



If you don't have a card reader, look at how you enter your password.



Do you just type it in?
That's a gift to the scammers – a simple piece of spyware software called a key logger can record the password and send it off to the fraudsters over the internet.





Fortunately, the banks are getting wise to this. Many have developed websites that make you enter your details using mouse clicks. Although in principle it's possible to write malicious software that tracks this too, it's a lot more work than a simple key logger.

Editor's Note: A little more work won't stop them. Besides, as more banks go to this method, more hackers will dedicate their time to developing a mouse click logging program...especially when people start mouse clicking their PINs, as PINs are the "holy grail" for hackers.



If you don't have a card reader and you use the keyboard to enter your whole password, you are depending entirely on your security software – and the hackers only have to be lucky once.



Personally, after seeing what happened to my friend the web designer, I wouldn't take this risk. She got her money back in the end, but only after days of worry and frantic phone calls. And the banks are becoming more and more reluctant to bail out those who have failed to take online security seriously.



When it comes to internet banking, a little paranoia is no bad thing.



Online Banking Fraud Doubled in 2008

How safe is your internet banking? | Dan Hyde, This is Money

Banks love to promote their internet banking's security, but just how safe is it? Find out why Halifax and Abbey customers are most at risk



How safe is your internet banking? Online banking fraud nearly doubled in 2008.




A worrying £52.5m was stolen by sinister hackers tracking the movements of their prey, affecting one in four of all those banking online.  Some customers are still falling foul of 'phishing' schemes – emails that pretend to be from a bank and then direct customers to bogus websites where their passwords are stolen.  But more careful online bank customers are also suffering at the hands of underground hacking technology.





'Keylogging' – whereby a virus tracks every stroke of a password as it is entered – can breach the best of defences on personal computers, and is largely held responsible for the rise in online fraud.
For the ordinary web user, extra-thick internet firewalls and up-to-date anti-virus software is about as much as can be done to fend off this aggressive software.  But improving technology has helped the hackers past these barriers and, to make matters worse, many users still forget or disregard important steps like regular computer checks.



That means the onus falls on the banks to protect their vulnerable customers from internet keylogging rogues – and some are better at it than others.  Expert-led research at Which? Computing magazine showed that Halifax and Abbey internet customers are exposed to the greatest risk of having money stolen from their accounts, while Barclays led the way with its anti-fraud password controls.



Security loopholes - including password entry methods that are dangerously exposed to keyloggers, and unprotected money transfers once a user is logged in - had Abbey and Halifax firmly at bottom of the online security pile.



Barclays, meanwhile, excelled by using both its PINsentry device to generate a random password every time a user logs on, and by asking for more login information than other banks.



Some banks have also begun to use apparatus such as drop-down menus, making keylogging impossible, but this has not yet found its way onto either Abbey or Halifax's sites.



Of course, the flipside is that the once ultra-convenient days of internet banking with just a password are gone for many, replaced by carrying a card machine with keypad round and having to fill in a run of details for each transaction.









Court Allows Suit Against Bank Based on Poor Online Banking Log-In



I was working on a post I decided to entitle "Don't Say I Didn't Warn You" (upcoming) when this came across the wires. The PIN Payments Blog will follow this case closely as the ruling will set a precedent, as all rulings do. This could be a game-changing ruling when it comes to how banks provide authentication. As I've stated for the past 18 months, Don't Type...Swipe! This case could result in banks being subjected to the risk, as opposed to their customers, which might provide more motivation for them to take the extra steps necessary to securely authenticate their online banking customers with a 2FA 3DES DUKPT E2EE PCI 2.x Certified approach.





This was first reported by David Johnson's Digital Media Lawyer Blog, which spoke a little about the largest precedential impact.





"The aspect of the case that may have the largest precedential impact was its decision on the plaintiffs' negligence cause of action. (Fn1) A major basis for their negligence claim was the theory that financial institutions have a common law duty to protect their members' or customers' confidential information against identity theft. While the Court could not find controlling State precedent on point (Indiana law applied), it noted that Indiana courts have held that a bank has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest. The Court then stated, 'If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts.'"

Editor's Note: If Citizens loses this case..."citizens everywhere win"....as banks will be forced to increase the security of online banking. There is no safer way to authenticate the user than to utilize the same trusted security banks use to dispense cash at ATMs. HomeATM provides the only 2FA 3DES DUKPT E2EE PCI 2.x Certified Solution in two hemispheres. The average phishing attack is $352 and that hasn't yet got the banks moving. Maybe the threat of losing $100k+ every time one of their online customers falls victim to fraud caused by weak authentication will motivate them to invest $12.00 or so, and protect themselves AND their customers. We'll keep ya posted!





Finextra: Court allows suit against bank for poor online security







The plaintiffs claim that by only requiring user names and passwords to authenticate customers at log in, Citizens failed to maintain state-of-the-art security standards.  


A US couple who had thousands of dollars stolen from their online account have been given the go-ahead by a court to sue their bank for failing to provide adequate security.





In 2007 Marsha and Michael Shames-Yeakel fell victim to an ID thief who gained access to their Citizens Financial Bank online account and stole $26,500 from a home equity credit line.  The money was transferred, via a bank in Hawaii, to a financial institution in Austria. The Austrian bank refused to return the funds, prompting Citizens to inform the couple that they would be liable for the loss.



The Shames-Yeakels refused to pay, leading the bank to report their account as delinquent to the national credit bureaus and threaten to foreclose on their residence. In response, the couple sued the bank on several grounds, claiming violations of the Electronic Funds Transfer Act and the Fair Credit Reporting Act, in the northern district of Illinois. They also accused the bank of negligence under state law for failing to adequately protect their online accounts.

"In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access." - US District Judge Rebecca Pallmeyer





The Judge also states: "If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."













Does Western Union Limitation Apply to B2B Payments?

Western Union to compete in the international B2B payments space
Commercial Payments International is reporting that Western Union is getting ready to compete in the B2B payments space. I'm wondering out loud if the same P2P limitations outlined in the previous post apply to B2B transfers?


With its acquisition of international B2B (business-to-business) payments provider Custom House, Western Union has placed itself firmly as a competitor in the international B2B payments space. Custom House processes payments originating in seven countries for payout in 120 countries.

This acquisition introduces Western Union to a new market – cross-border payments for small- to medium-sized enterprises (SMEs). The SME segment has become an increasingly important focus for payments providers in recent times as they develop products designed to serve the needs of this previously underserved market.

Western Union estimates that the SME cross-border payments market generates global revenue at least as great as the consumer-to-consumer money transfer market.

Currently, Custom House enables more than 40,000 clients to make payments in over 150 currencies. Its clients range from businesses with a need to pay international staff to firms that want to pay vendors and merchants.



Western Union Limitation Causing Big Problems



US Meltdown Crippling Western Union Money Transfers



7News in Belize is reporting on a little known Western Union limitation.  Namely, what goes out, had to have come in the day before.  This is causing a big problem for people wanting to send money transfers.  In fact, reports say if you don't get there and put in your send request by 8:15 AM, you are out of luck for that particular day....



Have you tried to send money via Western Union recently? If you have, then you’ll know that unless you start lining up, like an hour before the office opens, it’s almost impossible to send money. But why is this? Is it an oppressive monetary policy, low reserves or could it be what the growth economists like to call, “exogenous shocks?” Well, according to the Governor of the Central Bank Glenford Ysaguirre it’s the third: outside factors.

You see, in any one day, Western Union can only send out as much money as it got the day before – and since the US financial meltdown, remittances, meaning money sent from the states, has declined sharply. So, in any one day, all the Western Union agencies across the country only receive something in the range of one hundred thousand US dollars. So that becomes the quota for the following day, meaning the limit of what they can wire out. Spread that $100,000 across 37 agencies countrywide, and it’s not much, meaning that if you get to a Western Union office by 8:15, you’re probably already too late!


It’s a big change; in the past no one had ever heard of a cap on the amount of money that can be sent out; you could visit the office anytime during regular working hours and breezily send the money. But things have changed and it’s been the roughest on those who depend on the service for its convenience and speed. But the Governor of the Central Bank told Jacqueline Godwin today that there’s nothing the bank can do.



Glenford Ysaguirre, Governor - Central Bank of Belize

“There is some misinformation out there that the Central Bank has something to do with it because we are restricting Western Union. But no, those are conditions on their licenses from the time the licenses were issued. So it is not some new condition that has gone into place; it has always been there. It is just that in the past the remittances were sufficient to cover the outgoing demand. A condition of their license is that they can only sell foreign exchange to the extent that they receive. So their outgoing remittances cannot be more than their incoming. That is to protect and preserve the reserve position of the country.”



Jacqueline Godwin, “So for example if they receive twenty thousand dollars for that day, they cannot give out more than twenty thousand dollars?”



Glenford Ysaguirre, “Yes that is the condition. So I guess with the economic downturn remittances coming from the States actually is on a decline and so they are restricted or limited by that and have to adjust the outgoing remittances to the same magnitude.



The Central Bank is not here to source US dollars for Western Union remittances. The commercial banks source their own US dollars and they source that through investments coming in from customers or from proceeds from export earnings that goes into the commercial banks and that is also available to the public through the commercial banks. So if Western Union do not have, people have the option of going to a commercial bank and purchasing US dollars based on availability.”

Anecdotal reports are that things have gotten so bad in the States that in some cases Belizeans are subsidizing their Belizean American relatives. Ysaguirre says that retired Belizeans living in the States are also drawing down on their savings in Belize. In the meantime, he’d urge those frustrated with the Western Union cash flow constriction to try using the banks since they have greater sources of foreign exchange.








Web Browsers Exploited by XSS Attacks

Tech Insight: XSS Exposed

Pervasive Web application vulnerability is often misunderstood -- with dangerous consequences
By John Sawyer DarkReading - A Special Analysis for Dark Reading

SQL injection has been getting most of the attention lately, but the average SQL injection attack isn't nearly as sophisticated and difficult to pull off as a well-crafted cross-site scripting (XSS) attack:

XSS affects all victims of a vulnerable Website, stealing their credentials, exploiting their Web browsers, and taking action on behalf of them without their knowledge.



XSS has been the reigning champion of Web application vulnerabilities in the sheer number of applications that house this vulnerability. Like SQL injection, XSS is a flaw caused by a lack of validation of user input. But instead of attacking the Web application or database server directly, the XSS attack hits the Web app's victims and executes malicious code in the victims' Web browsers.

















Monday, September 7, 2009

11 Charged in Minnesota Cloned Card Scheme





Nearly a Dozen Charged in Counterfeit Credit Card Scheme in Minnesota



KSTP TV - Minneapolis, Minnesota



Prosecutors have charged eleven people in an elaborate, counterfeit credit card scheme. Eight of them are in custody. Federal investigators are still looking for the other three defendants.



According to the criminal complaint, between July 2008 and April 2009 the group is accused of purchasing the personal information of Capital One Bank customers from an online source in the Ukraine, who illegally profited from the sale.



It says the group then used the information to create counterfeit credit card accounts, withdrawing more than $652,205.49 from more than 170 ATMs throughout the Twin Cities.



Investigators say in some instances, the stolen money was converted into cashier checks and used to purchase vehicle parts or vehicles with salvaged titles. Those vehicles were then shipped to Nigeria, where un-named co-conspirators sold them at an inflated price.



Investigators say the defendants recruited Nigerian residents living in Minneapolis to buy pre-determined cars at auto auctions. They were given money to buy the cars and allowed to keep whatever was left over.  They are also accused of getting some of the same people to create bank accounts so they could deposit high-dollar fraudulent checks and then withdraw the cash the following day.



The defendants are each charged with one count of bank fraud and one count of access device fraud.  If convicted, the defendants face up to 30 years in prison on the bank fraud count and 10 years on each access device fraud count.



In related news, Finextra is reporting that European security agency Enisa is calling on banks and law enforcement agencies in EU member states to raise awareness of cash machine safety issues following an alarming 149% rise in ATM attacks in 2008.



More on this story: http://www.finextra.com/fullstory.asp?id=20448

Nigeria's InterSwitch Selects Gemalto





Nigeria’s InterSwitch Selects Gemalto’s Complete Strong Authentication Solution to Secure their e-Payment Services



Scalable solution offers security and convenience to all banking customers

Amsterdam, The Netherlands, September 7, 2009 – Gemalto, the world leader in digital security, today announced that InterSwitch is deploying its complete Ezio strong authentication solution to secure their e-payment services in Nigeria. InterSwitch is a leading provider of secure electronic payment solutions in Nigeria and comprises 25 member banks. Gemalto supplied its Ezio Strong Authentication Server and acted as server integration partner. The company also delivers EMV card readers and unconnected tokens, all customized with InterSwitch’s visual corporate identity. With Gemalto’s scalable solution, InterSwitch enables banking customers to perform secure e-transactions either using their EMV card and reader or a token.
Ezio enables InterSwitch member banks to enhance security for e-commerce by replacing static passwords with strong authentication. Users can pay their bills and taxes or buy airline tickets in a more secure and convenient manner, by authenticating themselves with a One-Time-Password using the device. They can also access online banking services, such as fund transfer, with increased security.
“We launched our EMV migration program with Gemalto and the company has proven a reliable partner,” commented Mitchell Elegbe, Managing Director, InterSwitch. “This success contributed to creating a strong business relationship and this is why we selected Gemalto for our strong authentication program”.
“Gemalto is proud to supply InterSwitch with an easy-to-use, end-to-end solution that enables users to buy and sell over the Internet, confident that their personal details are private and protected,” added Jacques Seneca, executive vice president of the Security Business Unit for Gemalto. “With our scalable solution, users get the device that is perfectly tailored to their needs.”

About Gemalto

Gemalto (Euronext NL 0000400653 GTO) is the world leader in digital security with 2008 annual revenues of €1.68 billion, and 10,000 employees operating out of 75 offices, research and service centers in 40 countries.
Gemalto is at the heart of our evolving digital society. The freedom to communicate, travel, shop, bank, entertain, and work—anytime, anywhere—has become an integral part of what people want and expect, in ways that are convenient, enjoyable and secure.
Gemalto delivers on the growing demands of billions of people worldwide for mobile connectivity, identity and data protection, credit card safety, health and transportation services, e-government and national security. We do this by supplying to governments, wireless operators, banks and enterprises a wide range of secure personal devices, such as subscriber identification modules (SIM) in mobile phones, smart banking cards, smart card access badges, electronic passports, and USB tokens for online identity protection. To complete the solution we also provide software, systems and services to help our customers achieve their goals.
As the use of Gemalto’s software and secure devices increases with the number of people interacting in the digital and wireless world, the company is poised to thrive over the coming years.


For more information please visit www.gemalto.com.

Saturday, September 5, 2009

The Truth Hurts (the Bottom Line)

The Star Tribune ran a story yesterday about a regional bank in Minneapolis (TCF) which is handing out pre-addressed postcards to their customers to send in to Congress opposing the reduction of Interchange Fees for retailers. They insist that consumer pricing will go up if the bill passes.



This is a bad move. They are flirting with disaster. The disaster they are flirting with is two-fold. One, if I'm a business owner who is unhappy with Interchange, I go to another bank. Interchange represented 22% of TCF Bank's revenue last quarter. TCF cannot exactly be considered a non-biased entity. Fees would increase, but it would be the banks who would increase their fees to make up for the fees lost to a lower interchange.



As a consumer, it's the following quote from TCF spokesman Jason Korstange which would have enticed me to go to another banking institution with my business. 

"We're taking all the risk associated with whether or not these people have the money on these cards," said TCF spokesman Jason Korstange.

Say what, Jason? Obviously you are speaking about TCF debit cards, as credit cards don't "have money on them." So what exactly is the risk that TCF is taking? Let's analyze: There are two types of debit transactions: PIN and Signature. Certainly there is no risk if it is a PIN Debit transaction, because if there is no money, the transaction is declined. No money, no transaction, no risk.



Therefore it must be a "Signature Debit" transaction of which he speaks. So let's investigate "all the risk." If it is a Signature Debit transaction and there is no money in the account, it "used to be" declined. However, banks such as TCF realized that they could derive $38 billion in overdraft charges by intentionally approving a non-sufficiently funded debit transaction and charging a $35 overdraft fee. As the NY Times so aptly put it:



"Not many people would knowingly pay more than $35 for a cup of coffee. But far too many people are getting saddled — with no warning — with outsized bills for minor purchases, under a euphemistically labeled "overdraft protection program" that most major banks have adopted over the last 10 years.  Before that, most banks would simply have rejected debit transactions, without a fee, when the card holder’s account was empty. Now, they approve the purchase and tack on a hefty penalty for each transaction."

Of the two types of debit transactions (PIN vs. Signature), one is 15 times more likely to result in a fraudulent transaction. It's no coincidence that it happens to be the same one banks attach rewards to in order to attract more users/customers. Now why on earth would they want to attract more people to use a card that is 15 times more likely to result in a fraudulent transaction? Two reasons: Higher Interchange Fees and Overdraft Charges. Interchange represented 22% of TCF Bank's revenue last quarter; it would be interesting to find out how much "overdraft charges" earned TCF.



So where's the risk associated with whether "these people" (sounds rather condescending) have money on these cards?  You can fool some of the people some of the time...but you're not even close with this one.  The only risk I see is that you will lose customers by insulting their intelligence.



Here's a snippet from Chris Serres of the Star Tribune, in Minneapolis:


Sep. 5--If you walk into a TCF Financial Corp. branch these days, there's a good chance you'll be encouraged to sign up for a cause dear to the bank's bottom line.



In an unusual move, the Wayzata-based regional bank late last month began handing out thousands of postcards to its customers. The cards urge members of Congress to oppose legislation that could reduce the billions of dollars in so-called interchange fees that retailers pay to banks.



Along with the postcards -- pre-addressed to members of Congress -- TCF bank tellers are handing out a signed letter from the bank's CEO Bill Cooper, warning that consumers will end up footing the bill if retailers are able to avoid the fees. "If this legislation passes," Cooper warns, "your costs will go up."



Historically, the topic of interchange fees hasn't aroused much passion among consumers. Many people don't even realize that every time they swipe their plastic, stores pay an average of 1.8 percent of the purchase amount to the bank that issued the credit or debit card.



But with nearly $50 billion in fees at stake, companies on both sides of the debate are getting creative in an effort to influence Congress. 7-Eleven, home of the Slurpee, has been circulating placards of its own in support of the legislation and has a goal of collecting more than 1 million signatures. Though TCF has no such goals, the bank reportedly gathered 10,000 signed postcards in its branches within a week.



Three bills on the fees



There are currently three pieces of legislation related to interchange fees winding their way through Congress. None of them would eliminate the fees entirely but, taken together, they could severely limit the amount banks collect. A bill introduced earlier this summer would enable retailers to join together to negotiate with Visa and MasterCard, the credit card networks that set the interchange fees.



The income from interchange fees has grown dramatically in recent years as consumers use their plastic to pay for a much wider variety of items. Retailers also claim the card networks have raised their fees on certain cards. Last year, retailers paid $48 billion in interchange fees, up from $16.6 billion in 2001, according to the National Retail Federation.



The banks argue that such fees are necessary, because they incur significant risk when offering credit and debit cards. The banks also provide a service by ensuring the money flows to the retailer immediately with each card transaction. "We're taking all the risk associated with whether or not these people have the money on these cards," said TCF spokesman Jason Korstange.



A spokeswoman for the Electronic Payments Coalition, a trade group that has been leading the campaign against the legislation, said she is unaware of any financial institution other than TCF gathering signatures on the issue.



One reason is that TCF relies more on fee income than many of its rivals. TCF's interchange revenue from customer card transactions represented 22 percent of its revenue in the most recent quarter. That translates into about $25 million for the quarter.




Friday, September 4, 2009

FIS and Metavante Receive DoJ Clearance to Proceed with Merger



Fidelity National Information Services, Inc. and Metavante Technologies, Inc., Receive Department of Justice Clearance to Proceed with Planned Merger
  • Press Release

  • Source: Fidelity National Information Services, Inc.

  • PIN Payments Blog


JACKSONVILLE, Fla. and MILWAUKEE, Sept. 3 /PRNewswire-FirstCall/ -- Fidelity National Information Services, Inc. (NYSE: FIS) and Metavante Technologies, Inc. (NYSE: MV) today announced that the companies have received clearance from the U.S. Department of Justice to complete their proposed merger without conditions. Completion of the merger remains subject to receipt of FIS and Metavante shareholder approvals, and other customary closing conditions.





FIS will hold a special meeting of its shareholders on September 4, 2009 to vote on the issuance of FIS common stock in connection with the merger of Metavante into a wholly owned subsidiary of FIS, and to vote on the issuance of approximately 16 million shares of FIS common stock to affiliates of Thomas H. Lee Partners, L.P. and Fidelity National Financial, Inc. in connection with the equity investments in FIS to be made by those parties coincidentally with the completion of the merger. FIS shareholders of record as of June 29, 2009, will be entitled to vote at the special meeting. Metavante will also hold a special meeting of its shareholders on September 4, 2009 to vote on the approval of the merger agreement. Metavante shareholders of record as of June 29, 2009, will be entitled to vote at the special meeting.



FIS and Metavante expect the merger to close during the fourth quarter of 2009.



About Fidelity National Information Services, Inc.



Fidelity National Information Services, Inc. (NYSE: FIS), a member of the S&P 500 Index, is a leading provider of core processing for financial institutions; card issuer and transaction processing services; and outsourcing services to financial institutions and retailers. FIS has processing and technology relationships with 40 of the top 50 global banks, including nine of the top 10. FIS is a member of the S&P 500 Index and has been ranked the number one banking technology provider in the world by American Banker and the research firm Financial Insights in the annual FinTech 100 rankings. Headquartered in Jacksonville, Fla., FIS maintains a strong global presence, serving more than 14,000 financial institutions in more than 90 countries worldwide. For more information on FIS, please visit www.fidelityinfoservices.com.



About Metavante



Metavante Technologies, Inc. (NYSE: MV) is the parent company of Metavante Corporation. Metavante Corporation delivers banking and payments technologies to approximately 8,000 financial services firms and businesses worldwide. Metavante products and services drive account processing for deposit, loan and trust systems, image-based and conventional check processing, electronic funds transfer, consumer healthcare payments, electronic presentment and payment, outsourcing, and payment network solutions including the NYCE Network, a leading ATM/PIN debit network. Metavante (www.metavante.com) is headquartered in Milwaukee. Metavante and NYCE are registered trademarks of Metavante Corporation, which is the principal subsidiary of Metavante Technologies, Inc.










Anita Ramasastry

Heartbreak over Heartland: Why Prosecution for Data Breaches Isn't Enough

By ANITA RAMASASTRY

Friday, September 4, 2009






Debit card users often feel safe because their cards are PIN-protected. But recent events show that, like credit cards, debit cards can be compromised, when the databases of large retail merchants or card processors are hacked. (Editor's Note: Clarification...she's talking about the PAN (Primary Account Number), not the PIN. Like credit cards, "Signature Debit" cards can be easily hacked. All you need is the PAN. The PIN provides an additional layer of security, which is why Signature Debit cards are 15 times more likely to be fraudulent than PIN Debit cards.)




In late August, the U.S. Department of Justice issued indictments in what is, to date, the largest data breach in the United States – with over 130 million credit and debit card numbers compromised. (Editor's Note: When PINs get hacked, there will be an exponentially greater fuss.) Albert Gonzalez, 28, of Miami, Florida, and two unnamed co-conspirators allegedly used intricate hacking techniques to break past computer firewalls and gain access to this confidential information, as well as to intercept packets of data that were being transmitted in real time.



When a credit or debit card is used, the card numbers are stored  (Editor's Note:  Therein lies the problem...if merchants didn't "store it" or "handle it" as is the case with a HomeATM transaction, the hackers have nothing to hack) so that the information can be transmitted back to your bank for withdrawal of funds or billing to your statement. Companies are required by various regulations and industry rules to have security measures that will safeguard sensitive customer data. However, hackers can and will try to outsmart the best security measures. (Outsmart this:  With no data stored or handled, what can hackers hope to achieve?)



In this column, I will discuss the recent security breach and some of its implications and costs. While the arrest of the alleged hacker is important, it remains to be seen whether this action will be an effective deterrent to others. Moreover, after-the-fact arrests are not enough: There needs to be a renewed focus on security standards within the card industry. (Editor's Note: When it comes to eCommerce, fraud is exponentially worse. Card NOT Present fraud is the leader. So, if you want to eliminate Card NOT Present fraud, you must eliminate the "Card NOT Present" environment. How do you do that? It's simple: Swipe vs. Type and voilà! You've got yourself a "Card Present" transaction. Make sense? You bet it does.)



The Recent Indictment




In late August, the Acting U.S. Attorney for New Jersey announced an indictment against Gonzalez and his two unidentified co-conspirators. The three are charged with a scheme involving five corporate data breaches, including the single largest reported data breach in U.S. history. The scheme is believed to constitute the largest hacking and identity theft case Justice has ever prosecuted.



According to the indictment, 130 million credit and debit card numbers, together with account information, were stolen from Heartland Payment Systems, Inc., based in Princeton, N.J.; 7-Eleven, Inc.; Hannaford Brothers Co., which operates grocery stores in Maine and Massachusetts; and two other, unidentified corporations.



Between October 2006 and May 2008, Gonzalez is alleged to have acted with his two coconspirators to select large corporations, and identify security vulnerabilities, both by in-person observation and by online investigation. For example, according to the indictment, Gonzalez and an individual identified only as "P.T." would visit the retail locations of their potential victim companies, seeking to identify the type of checkout machines and card readers they used.



The indictment alleges that, after this reconnaissance was completed, the three conspirators would upload information to servers – which served as hacking platforms – that were located in New Jersey and several foreign countries. The three conspirators allegedly used the servers first to store information critical to their hacking schemes, and then to launch their attacks. Through these attacks, the indictment alleges, they installed "sniffers" that conducted real-time interception of credit and debit card data being processed by the corporate victims' servers.



As noted above, the results were staggering: Reportedly, more than 130 million card numbers were stolen.



Is Our Data Secure? (Editor's Answer: Not until it is no longer stored or handled, and is end-to-end encrypted during transmission.)





We have a strong legal structure that kicks in after an infraction; both federal regulations and card industry rules provide consumers with great protections if someone steals their card or card numbers. (Editor's Note:  I would  eliminate the word "great")



But it is still a headache (I would replace "headache" with "extremely inconvenient")  for the consumer to report false charges and get them erased, make sure money fraudulently transferred from bank accounts is replaced, and procure replacement cards. Moreover, such breaches are costly to companies and banks, and the costs get passed on to cardholders in the form of higher fees, interest rates and the like.


That raises a pressing question: Can more be done to prevent this kind of hacking activity?

Editor's Note:  In a word, YES.




Tim Hortons Adds MasterCard PayPass for U.S. Stores

Following the announcement that Whataburger has added MasterCard PayPass at its U.S. locations, MasterCard Worldwide has announced that Tim Hortons is now accepting MasterCard PayPass at its more than 400 U.S. locations.
In addition to accepting traditional magnetic-stripe cards, Tim Hortons now enables its U.S. customers to make their purchases by simply tapping their MasterCard PayPass card or device at checkout, for faster transactions, greater payment flexibility and less time spent waiting in line.



Tim Hortons first began accepting MasterCard PayPass in many of its 3,000 stores in Canada.
With MasterCard PayPass, Tim Hortons customers simply tap their PayPass-enabled MasterCard card or device on a PayPass-accepting reader at check-out.



MasterCard PayPass also does not require customers to sign receipts for purchases under $25, further speeding up the transaction.



Continue Reading at QSRWeb



