Wednesday, November 25, 2009

Wells Fargo Offers Online Banking Tips for Fraud Prevention to Keep Holidays Happy



SAN FRANCISCO--(BUSINESS WIRE)--To kick off the holiday shopping season, Wells Fargo (NYSE: WFC) is offering tips to help consumers shop safely, whether in person or online.



Before I share it, let me explain the reason for doing so in the first place.  Instead of providing myriad tips on how to protect your sensitive data, there's only one that works.  Don't Type ANYTHING you want to keep private into a box on ANY website.
 



“We want to remind shoppers that there are ways to protect themselves,” said Lisa H. Robinson, senior vice president, Wells Fargo Internet Services Group.  Editor's Note:  Yes there are.  But you won't find a bullet-proof solution from the recommendations below.  I'm not singling out Wells Fargo.  I'm talking Username: Password: here...



“Traditionally, the day after Thanksgiving is one of the busiest shopping days of the year and marks the kick-off of the holiday season.” Customers braving the crowds to shop over the Thanksgiving holiday should remember these tips before heading out the door:

  • Take the paperless route with online banking: The 2009 Identity Fraud Survey Report from Javelin Strategy & Research shows that some thieves still do it the old-fashioned way—by stealing bank or credit card statements from the mailbox. Reduce your risk of stolen mail by picking up mail promptly and switching to online statements.

  • Monitor your activity: Financial institutions such as Wells Fargo use sophisticated systems to track purchasing and transaction habits so irregularities can be flagged. Register for email or mobile alerts so you can stay informed.

According to Forrester Research Inc.'s independent report, “US Online Holiday Retail Forecast, 2009,” analysts expect online retail sales to reach $44.7 billion during the months of November and December 2009, an eight percent increase over 2008. If you’re logging on to shop, keep these tips on hand:






  • Protect your computer from malware: Crooks are getting smarter with phishing and malware scams. Make sure your computer has the most up to date virus prevention and don’t download any attachment or plug-in without ensuring it is from an authorized site. When making purchases, be sure the website address starts with “https://...” The “s” helps ensure that your information will be passed along in a secure manner.



    Well that's easier said than done.  Based on recent reports that "50% of Americans don't even know what phishing is" telling them to protect their computer from malware, which, by the way, should be named Mal-every-ware...because it is...is a tall order.  Especially since some online banking trojans, such as Zeus, evade detection from even the most up-to-date anti-virus programs.  Why not simply "ELIMINATE" the threat of Phishing ENTIRELY.  Swipe, Encrypt, Transmit and there's nothing to phish phor.



    Oh...and that last part about Https?  It should be  htt"bs" because SSL is flawed...(see related articles below)  (or Google SSL Flawed)




  • Don’t believe in offers that seem too good to be true:* No one wants to be cynical during the holidays, but if something seems too good to be true, it probably is. Watch out for email scams or suspicious messages and report any that may pose to be from your financial institution and report those that try to look like your financial institution to your bank or credit card company.



    *Unless you see one that says:  Open an online banking account with Wells Fargo and we'll provide you with a FREE HomeATM PCI 2.x Certified PIN Pad so you can sign on to your online banking session the same trusted way you access cash at an ATM...cause I guarantee the bad guys wouldn't want to send you something that will hurt their ability to steal your hard-earned money.




  • Be careful what you share: Unless you initiated the interaction, do not provide sensitive financial information over the Internet or phone, including Social Security numbers, passwords, personal identification numbers (PINs) or account numbers.




  • Editor's Note:  That's weird.  In order to open a Wells Fargo online banking account you have to "TYPE IN" your "sensitive financial information" into a browser.  (including your Social Security number AND your Card Number)  See Screen Shot below of Wells Fargo online banking log-in page.  To be fair, they did say unless you "initiate" the interaction...although hundreds of security experts would disagree.  What if it was a phishing attack that incorporated a cloned website?  What if your PC had an online banking trojan?  Here's my holiday tip.  Never Type...anything sensitive into the browser space.





    • Editor's Note:  OR...simply tell your bank that you want a PCI 2.x Certified PIN Entry Device so YOU can Swipe your card information instead of the bad guys doing it.  Sure it will cost your bank money, but it will save them more.  Unlike the hundreds of "useless banking promotions" you see now and which cost the bank more than what giving away our device would.  So tell your bank to "bite the bullet" and provide a "bullet proof" solution for online banking security.  Call it HAAS.  (Hardware As A Service)









“Education and awareness are important tools to make sure this really is the most festive time of the year,” said Teddy De Rivera, executive vice president, Wells Fargo Internet Services Group. “Whether customers are shopping online or off, keep the following steps in mind to make sure accounts stay problem-free.”

  • Check your list twice: Review your account activity regularly, especially during big shopping trips. Enroll in mobile banking to check your balance and transactions while on the go, or check your purchase activity online as soon as you get home. Sign up for transaction alerts on your debit or credit card which will notify you of transactions over your threshold.

  • Be aware of your surroundings: Cover the pin pad when you enter your pin number. Do not repeat sensitive financial information where it could be overheard.

  • Ensure you're protected in case of loss or theft: Wells Fargo guarantees that its customers will be covered for 100% of the funds in their Wells Fargo account in the unlikely event that someone you haven’t authorized removes those funds through Wells Fargo Online® or Wells Fargo Business Online®. Customers are responsible for protecting their password and account information and for providing prompt notification of an unauthorized transaction. Customers can visit https://www.wellsfargo.com/privacy_security/online/guarantee for how the guarantee works.

  • Ensure your cards are covered: Wells Fargo cardholders are also protected by the built-in WellsProtect® program, which provides zero liability if a card is ever used without the customer’s permission when promptly reported.

  • Know your credit report: Review your credit report at least once a year, looking for suspicious or unauthorized transactions. You can get a free credit report once a year from each of the three major credit bureaus at the AnnualCreditReport web site.

Wells Fargo’s Fraud Information Center (https://www.wellsfargo.com/privacy_security/fraud/) located on Wells Fargo’s public web site provides fraud prevention tips for all shoppers to learn about fraud and take action to ensure that the New Year starts off right by taking some simple precautions.



Wells Fargo maintains multiple layers of security to protect customers, their accounts and their information. Wells Fargo's layered approach to online security extends beyond a unique username and password, 128-bit encryption for online banking, bill pay, a powerful firewall, technology updates, and continuous surveillance. Wells Fargo uses a combination of front-end and back-end controls (https://www.wellsfargo.com/privacy_security/online/protect), and continuously evolves its security activities in response to the changing environment as well as customer needs.



About Wells Fargo & Company



Wells Fargo & Company is a diversified financial services company with $1.2 trillion in assets, providing banking, insurance, investments, mortgage and consumer finance through more than 10,000 stores and 12,000 ATMs and the Internet (wellsfargo.com) across North America and internationally.






Citibank China Opens Hi-Tech Banking Branch in Shanghai






Shanghai, November 25, 2009 – Citibank (China) Co. Ltd. (“Citibank China”) opened a new high-technology sub-branch in Xintiandi, Shanghai today designed to provide a unique customer service experience among banks in China. The sub-branch was opened at a ceremony attended by Mr. Jonathan Larsen, Citi’s Head of Consumer Banking & Global Cards, Asia Pacific, Mr. Andrew Au, Chief Executive Officer of Citi China, and Mr. Anand Selva, Country Business Manager of Consumer Group, Citibank China.



Mr. Jonathan Larsen said, “The opening of this high-technology sub-branch in Shanghai marks a new era for retail banking in China. We believe it will provide Citibank customers with a superior banking experience, and its opening reflects our intent to be the most innovative, customer-focused international bank in China.”



Mr. Andrew Au said, “Citi is committed to continued investment in our network around China, and this includes deepening our presence in the cities in which we already operate. We are delighted to be opening this world-class sub-branch which is helping to redefine how banks interact with customers in China.”



The Citibank Xintiandi sub-branch has been designed to cater to the changing needs and lifestyles of Citibank customers. Key attributes of the new sub-branch include:
  • Wi-Fi enabled – the sub-branch is the first Citibank outlet to be fully Wi-Fi enabled, allowing customers to go online while inside the outlet using their mobile devices (laptop, cell phone, PDA, etc).

  • Internet kiosks – dedicated and state-of-the-art complimentary kiosks are available for customers to browse the Internet.

  • Touch screens – a number of interactive touch screens are available that enable customers to easily view at their own leisure Citibank’s latest product and service offerings, latest news relating to Citibank, and a range of other information at the touch of a finger.

  • Live interactive video phones – customers seeking additional expert opinion in relation to a particular financial need have the ability to consult with Citibank China specialists at another location on a real time basis using video phones.

  • Wallboard screens and Tablet PCs – wall board screens ensure an uncluttered working environment and a more interactive customer service experience allowing customers to see everything their personal banker sees. In addition, wireless tablet computers provide added convenience, mobility and flexibility during customer interactions.

  • Interactive multimedia – High resolution LCD TV integrated media contents of CBN news, latest Citibank product & service posters and text lively updated via centralized media content management system.

  • Soft phones – the sub-branch uses wireless phones for all staff while providing complimentary use of mobile phones for its customers.



The new sub-branch will also be Citibank’s first retail outlet in China to be submitted for LEED (Leadership in Energy and Environmental Design) certification. LEED is an internationally recognized green building certification system, providing third-party verification that a building was designed and built using strategies aimed at improving performance across all the metrics that matter most: energy savings, water efficiency, CO2 emissions reduction, improved indoor environmental quality, and stewardship of resources and sensitivity to their impacts.



Environmentally-friendly aspects of Citibank’s Xintiandi sub-branch include:

  • Materials: all carpet at the sub-branch is LEED certified and recycled wooden material has been used for interior finish.

  • Water efficiency: water efficiency equipment has been installed to reduce water consumption at the sub-branch.

  • Fresh Air: an additional fresh air system has been installed to improve indoor air quality.

  • Lighting efficiency: through a 15% reduction in lighting power density and using energy efficiency bulbs, power consumption relating to lighting is expected to fall by 40%.

  • Equipment: more than 80% of the equipment used at the sub-branch meets or exceeds the Energy Star standard.

The new Xintiandi outlet is a full service one, providing foreign currency and RMB products and services. Like all other Citibank retail outlets in China, the new outlet offers both Citibank and Citigold services. Customers using the Citibank service, which requires a minimum balance of RMB80,000, will be provided with a choice of a comprehensive range of services to manage their wealth. Services provided include savings, deposits and investment products (including Premium Accounts, Structured Investment Accounts and QDII products); ATM/debit cards; mortgage loans in multiple currencies; insurance products designed to protect, grow and transfer wealth; unsecured personal loans and remittance services. Customers can also conduct their banking at their convenience through the multiple electronic channels such as online banking, mobile banking, 24x7 phone banking and fax banking.



The outlet also features a Citigold Service Center, designed to provide leading wealth management services. The Citigold offering, which requires a minimum balance of RMB500,000, is distinguished by factors that include:
  • Dedicated relationship managers supported by a team of product specialists

  • Personalized banking products and services

  • Access to award winning global research, market outlook, latest financial developments and dedicated information channels

  • Unique proprietary tools such as Citigold Financial Needs Analysis

  • Membership rewards and privileges

  • Citigold customers also benefit from Citi’s global presence with worldwide Citigold VIP recognition, courtesy access to world wide Citigold centers, overseas account opening referral, overseas emergency cash up to USD10,000, overseas Citigold preferential FX rate and fee charge, worldwide toll-free home connection service hotline and Citigold International SOS Healthcare Services, etc.

The Xintiandi outlet houses 12 retail banking professionals including Citigold Relationship Managers and Personal Bankers, trained and certified to provide premium banking services. It is located at Unit F, No. 222, Ma Dang Road, Xintiandi, Shanghai.



Citibank’s high technology sub-branch comes shortly after the launch of its new mobile banking capability in China. The new service, known as Citi Mobile, is the first to be offered by an international bank in China, and allows customers to access online banking services using their mobile phone anytime, anywhere.

100,000 Cards Being Replaced After Car Park Hack in Auckland





More than 100,000 credit cards are being replaced as a result of thieves hacking into payment machines at the Downtown carpark in central Auckland.   Auckland IT consultant Steven Ellis yesterday said service desk staff at ASB Bank told him that his new credit card was one of more than 100,000 Mastercard and Visa cards banks were replacing because of the scam.



Last night, Bankers' Association chief executive Sarah Mehrtens said everyone who used a credit card or debit card at the Auckland City Council-owned carpark would have it replaced.  She said she did not know how many people were affected.



ASB, Westpac Bank - which is investigating the fraud - Mastercard and Visa are refusing to reveal the scale of the problem.









Tony Wai's card details were used fraudulently to buy goods worth $900 in Arizona. Photo / Richard Robinson


 
 

Payments Fraud Reduction Key Driver for Adoption





Smart Card Alliance: News and Information
Smart Card Alliance Study on EMV/Chip in Brazil and Mexico Finds that Payments Fraud Reduction is Top Driver for Adoption



Organizations to host webinar to discuss findings






November 25, 2009





Reducing payments fraud is the top driver for issuers and acquirers to adopt EMV/chip in Brazil and Mexico, according to a new study from the Smart Card Alliance Latin America (SCALA), produced in participation with Visa Inc., available for sale today. Other important findings: respondents are also driven to adopt EMV/chip cards in order to position themselves as innovators and technology leaders, and they all expect to have 100 percent of their credit and debit card portfolios migrated to EMV/chip within one to five years. 



SCALA and Visa commissioned First Annapolis Consulting to survey issuers and acquirers in Brazil and Mexico on the current state of EMV migration and the long-term growth of the EMV market. The resulting report, “EMV Migration Study and Market Analysis on Mexico and Brazil,” is available for purchase by both Smart Card Alliance members and non-members by visiting http://www.smartcardalliance.org/pages/publications-scala-emv-market-study. 



The organizations will host English, Portuguese and Spanish language webinars on the study findings.  The English language webinar will take place on December 1st at 11:00 A.M. eastern standard time, while the Portuguese and Spanish webinars will take place on December 8th at 11:00 A.M. eastern standard time and 12:00 P.M. eastern standard time, respectively.  Registration for the webinars is available at http://www.smartcardalliance.org/pages/publications-scala-emv-market-study.

 

“With the global payments industry migrating to chip technology for credit and debit cards, it’s important to understand the drivers and best practices for implementation. Mexico and Brazil are ideal markets to study, as they are well on their way to full migration,” said Edgar Betts, associate director, Smart Card Alliance Latin America. “The number of respondents that said fraud reduction is the main driver for adoption was overwhelming; almost all survey respondents claim a marked reduction in overall fraud rates, particularly with domestic counterfeit fraud. We also found it exciting that the respondents see contactless, loyalty programs, and multiple applications as a natural evolution for the cards.”



In addition to the detailed review of the adoption drivers, the report also reviews implementation considerations, migration strategies, business impact and evolution for Brazilian and Mexican issuers and acquirers. The study forecasts the size of the EMV/chip market in Brazil and Mexico through 2015, including chip cards, point-of-sale terminals and transactions.



“Visa has been spearheading the migration to EMV/chip worldwide as a solution to prevent fraud, especially card skimming, but also as a great platform for added services,” said Jurgen Wassmann, head of emerging products and channels for Visa Latin America and the Caribbean. “In the markets where issuers, acquirers, merchants, brand networks, industry groups and the government collaborate, EMV/chip adoption efforts have accelerated the fastest.”



The study reports results from surveys and interviews with 13 issuers and acquirers in Mexico and Brazil, which captured perspectives from a wide variety of organizations that had direct experience with implementing EMV/chip cards. The study addresses these questions and more:



  • What were the key factors influencing the adoption of EMV/chip cards and EMV-compliant merchant terminals for issuers and acquirers in Mexico and Brazil?

  • What challenges were encountered during the EMV/chip migration process?

  • How are organizations leveraging EMV/chip technology to improve performance, introduce new products and services, and capture new market opportunities?

  • What is the "next wave" in the evolution of the EMV market?

  • What is the business impact of EMV/chip adoption for issuers and acquirers?

  • What is the EMV/chip market size in Mexico and Brazil through 2015?

For more information on “EMV Migration Study and Market Analysis on Mexico and Brazil” and webinar from SCALA and Visa, please visit http://www.smartcardalliance.org/pages/publications-scala-emv-market-study.



About the Smart Card Alliance Latin America (SCALA)

The primary mission of the Smart Card Alliance Latin American chapter is in line with the overall goal of the Alliance: to stimulate the understanding, adoption, use and widespread application of smart cards.  The Alliance plans to use specific projects such as bilingual education programs, market research, advocacy, industry relations and open forums to keep Latin American chapter organization members connected to industry leaders and innovative thought.



About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. 



Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought.  The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America.  For more information please visit http://www.smartcardalliance.org.



About Visa Inc.

Visa Inc. operates the world's largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world, and Visa/PLUS is one of the world's largest global ATM networks, offering cash access in local currency in more than 200 countries and territories. For more information, visit www.corporate.visa.com.




About First Annapolis

First Annapolis is a management consulting firm focused on the financial services industry, with specialties in merchant acquiring, electronic commerce, credit card issuing, commercial card and  private label card programs, and mortgage banking.  With over 50 professionals, First Annapolis specializes in advising clients on strategic and tactical matters across all major payment products and services including credit cards, deposit access products, and commercial payment vehicles. First Annapolis brings an unparalleled level of expertise in traditional and emerging payment market segments.  For more information, visit www.firstannapolis.com.






###



Contact: Deb Montner, Montner & Associates, 203-226-9290, dmontner@montner.com






2009 Computer Crime and Security Survey Out Next Week





CSI's Annual Crime and Security Survey will be released December 1st in conjunction with this Webcast. 



Respondents reported significant jumps in the incidences of:


Financial fraud: 19.5 percent, over 12 percent last year (avg: $450,000);

Malware Infection: 64.3 percent, over 50 percent last year;

Denials of Service: 29.2 percent, over 21 percent last year;

Password Sniffing: 17.3 percent, over 9 percent last year; and

Web site Defacement: 13.5 percent, over 6 percent last year.




CSI Computer Crime & Security Survey Webcast

Date: Tuesday, December 1, 2009

Time: 11AM PT/ 2PM ET

Duration: 60-minutes




The CSI Computer Crime & Security Survey is the world's most widely quoted research on computer crime. This webcast, moderated by CSI Director Robert Richardson, will feature survey project leader and CSI senior editor Sara Peters, who will discuss the findings of the 2009 Survey and what they mean.  



Peters will discuss the incidence of unauthorized access, attack sources and types, the financial impact on organizations and actions taken. She will also discuss the economic decisions organizations make regarding computer security, and the way they manage the risk associated with security breaches. The presentation will also present some findings from the premium version of the survey report, generally only available to CSI members.





Featured Speakers







Sara Peters, Senior Editor, CSI


Senior Editor Sara Peters joined the Computer Security Institute in 2005, taking on a security beat that includes both policy issues (like Web vulnerability disclosure legislation and the compliance in the cloud) and technological issues (like virtualization and browser security). Additionally, Sara founded the CSI Working Group on Web Security Research Law and authored the group’s inaugural report.



Prior to her work in information security, she served as associate director of communications at Princeton University's School of Engineering and Applied Science, writing and editing their quarterly magazine. She began her reporting career in a small newspaper chain after graduating from Rutgers University with a B.A. degree in journalism.





Robert Richardson, Director, CSI

Robert Richardson has served as Director at CSI since 2003, having worked IT in various capacities for twenty years. He's given keynote presentations on three continents, often speaking about the CSI Computer Crime and Security Survey.



Prior to CSI, Richardson served as Senior Editor of CMP's Communications Convergence magazine for two years and has contributed to magazines and Web publications such as Ziff-Davis Internet Computing, BYTE, Network Magazine, and Small Business Computing. Based outside Philadelphia, he occasionally serves as an adjunct teacher of computer science at Swarthmore College.

VeriSign to Present at Two Tech Conferences

SOURCE: VeriSign, Inc.

Nov 24, 2009 16:15 ET

VeriSign to Present at the Credit Suisse Annual Technology Conference and the Barclays Capital Global Technology Conference

MOUNTAIN VIEW, CA--(Marketwire - November 24, 2009) - VeriSign, Inc. (NASDAQ: VRSN), the trusted provider of Internet infrastructure services, announced that Mark McLaughlin, president and chief executive officer, will speak at the Credit Suisse 2009 Annual Technology Conference in Phoenix on Tuesday, December 1 at 9:00 a.m. (MST). Additionally, Brian Robins, chief financial officer, will speak at the Barclays Capital 2009 Global Technology Conference in San Francisco on Tuesday, December 8 at 4:30 p.m. (PST). During the presentations, recent company performance and business initiatives will be discussed. Both presentations will be available via live webcast at http://investor.verisign.com. Replays of both webcasts will also be available at http://investor.verisign.com after the events for a limited period of time.



About VeriSign

VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, VeriSign helps companies and consumers all over the world engage in communications and commerce with confidence. Additional news and information about the company is available at www.verisign.com.

Nobody Knows About This





By Diane Bartz and Jim Finkle via Reuters

Cyber breaches are a closely kept secret

WASHINGTON (Reuters) - Cybercriminals regularly breach computer security systems, stealing millions of dollars and credit card numbers in cases that companies keep secret, said the FBI's top Internet crimes investigator on Tuesday.



For every break-in like the highly publicized attacks against TJX Co (TJX.N) and Heartland Payment (HPY.N), where hacker rings stole millions of credit card numbers, there are many more that never make the news.



"Of the thousands of cases that we've investigated, the public knows about a handful," said Shawn Henry, assistant director for the Federal Bureau of Investigation's Cyber Division. "There are million-dollar cases that nobody knows about."




Companies that are victims of cybercrime are reluctant to come forward out of fear the publicity will hurt their reputations, scare away customers and hurt profits. Sometimes they don't report the crimes to the FBI at all. In other cases they wait so long that it is tough to track down evidence.



"Keeping your head in the sand on filing a report means that the bad guys are out there hitting the next guy, and the next guy after that," Henry said.



He said the cybercrime problem has gotten bigger over the past three years because hackers have changed their attack methods as companies have tightened up security.



"It's absolutely gotten bigger, yes, absolutely," he said.





That is because the Internet is rapidly growing as a tool for commerce. As it does, consumers and companies alike are exposing valuable data such as business plans, credit card numbers, banking information and Social Security numbers.



"There are hundreds of billions of dollars that traverse the Internet," he said.



DESPERATELY SEEKING EASIER TARGETS



Cybercriminals are now looking beyond large companies, which in the past 10 years have bolstered security on their networks using products from software companies including Symantec Corp (SYMC.O), McAfee Inc (MFE.N) and Trend Micro Inc (4704.T). Cisco Systems Inc (CSCO.O), International Business Machines Corp (IBM.N) and Websense Inc (WBSN.O) also sell products to protect computer networks.



Instead criminals are attacking small and medium-sized companies that don't have the inclination, money or expertise to prevent cybercrime.



They also target corporate executives and other wealthy public figures who it is relatively easy to pursue using public records. The FBI pursues such cases, though they are rarely made public.





On November 4, the FBI warned of major fraud cases involving the theft of online banking credentials belonging to small and medium-sized businesses, local governments and school districts.



In this case, as in others, people hired through work-at-home schemes were used to move the money overseas.



A similar approach was used in a scheme that defrauded the Royal Bank of Scotland's (RBS.L) RBS WorldPay of more than $9 million. A group, which included people from Estonia, Russia and Moldova, has been indicted for compromising the data encryption used by RBS WorldPay, one of the leading payment processing businesses globally.



The ring was accused of hacking data for payroll debit cards, which enable employees to withdraw their salaries from automated teller machines. More than $9 million was withdrawn in less than 12 hours from more than 2,100 ATMs around the world, the Justice Department has said.



Henry said that it was relatively inexpensive to pull together a cybercrime organization.



Some groups consist of a core of just about a dozen people -- including strategists, hackers and programmers -- who can get started with a budget of a few thousand dollars to set themselves up with computers and broadband access.



When they are ready to launch an attack, they might hire hundreds more people who help them launder the money. Known as "money mules," these people are often found through "work-at-home" schemes, where they are hired to cash checks for a few thousand dollars, keep a percentage and send the rest back to the core group.



"I think that there are people who are ignorant completely and others who have their head in the sand," said Henry.



Editor's Note:  I respectfully agree!






Tuesday, November 24, 2009

Online Banking Doomed Unless We Start Swiping vs. Typing!



PC World has an excellent article regarding Online Banking Trojans which are becoming increasingly more sophisticated.  As regular followers of this blog are well aware, I've long proclaimed that HomeATM can virtually "ELIMINATE" the threats posed by phishing.  When it comes to online banking trojans, they are simply data mining programs.  

What data would there be to mine if online banking customers were empowered with the same technology used to access cash at an ATM...i.e. Swipe their bank issued card and enter their bank issued PIN with a PCI 2.x certified PIN Pad?  The short answer is that we instantaneously encrypt the log-in session using 3DES/DUKPT encryption.  As the data NEVER enters the browser, there's nothing to "browse."  Encrypted data is useless.  The only problems ATM users experience are related to skimming devices and hidden cameras, neither of which is a threat to a HomeATM user who logs on to their online banking session in the safety and privacy of their own home. 

What they "don't" talk about is that the online banking community uses SSL to secure the session and there are flaws in SSL which have the industry scrambling to put a band-aid on.  Later with the band-aids.  It's time to revamp the whole system.  In Europe, they are increasingly using hardware devices to authenticate the online banking session.  (see related article below, Todos delivers 20 Millionth eBanking Security Product)





Oh...and don't forget what the Editor in Chief of Bank Technology News recently proclaimed: 
Online Banking is Dead - Bank Technology News Editor-In-Chief



Here's the article from PC World: 

Criminals today can hijack active online banking sessions, and new Trojan horses can fake the account balance to prevent victims from seeing that they're being defrauded.



Traditionally, such malware stole usernames and passwords for specific banks; but the criminal had to access the compromised account manually to withdraw funds. To stop those attacks, financial services developed authentication methods such as device ID, geolocation, and challenging questions. Unfortunately, criminals facing those obstacles have gotten smarter, too. One Trojan horse, URLzone, is so advanced that security vendor Finjan sees it as a next-generation program.

Greater Sophistication

Banking attacks today are much stealthier and occur in real time. (Translation: One-Time Passwords are at risk) Unlike keyloggers, which merely record your keystrokes, URLzone lets crooks log in, supply the required authentication, and hijack the session by spoofing the bank pages. The assaults are known as man-in-the-middle attacks because the victim and the attacker access the account at the same time, and a victim may not even notice anything out of the ordinary with their account.



According to Finjan, a sophisticated URLzone process lets criminals preset the percentage to take from a victim's bank account; that way, the activity won't trip a financial institution's built-in fraud alerts. Last August, Finjan documented a URLzone-based theft of $17,500 per day over 22 days from several German bank account holders, many of whom had no idea it was happening.



But URLzone goes a step further than most bank botnets or Trojan horses, the RSA antifraud team says. Criminals using bank Trojan horses typically grab the money and transfer it from a victim's account to various "mules"--people who take a cut for themselves and transfer the rest of the money overseas, often in the form of goods shipped to foreign addresses.



URLzone also seems to detect when it is being watched: When the researchers at RSA tried to document how URLzone works, the malware transferred money to fake mules (often legitimate parties), thus thwarting the investigation.


Silentbanker and Zeus

Silentbanker, which appeared three years ago, was one of the first malware programs to employ a phishing site. When victims visited the crooks' fake banking site, Silentbanker installed malware on their PCs without triggering any alarm. Silentbanker also took screenshots of bank accounts, redirected users from legitimate sites, and altered HTML pages.



Zeus (also known as Prg Banking Trojan and Zbot) is a banking botnet that targets commercial banking accounts. According to security vendor SecureWorks, Zeus often focuses on a specific bank. It was one of the first banking Trojan horses to defeat authentication processes by waiting until after a victim had logged in to an account successfully. It then impersonates the bank and unobtrusively injects a request for a Social Security number or other personal information.



Zeus uses traditional e-mail phishing methods to infect PCs whether or not the person enters banking credentials. One recent Zeus-related attack posed as e-mail from the IRS. Unlike previous banking Trojan horses, however, the Zeus infection is very hard to detect because each victim receives a slightly different version of it.

Clampi

Clampi, a bank botnet similar to Zeus, lay dormant for years but recently became quite active. According to Joe Stewart, director of malware research for SecureWorks, Clampi captures username and password information for about 4500 financial sites. It relays this information to its command and control servers; criminals can use the data immediately to steal funds or purchase goods, or save it for later use. The Washington Post has collected stories from several victims of the Clampi botnet.



Clampi defeats user authentication by waiting for the victim to log in to a bank account. It then displays a screen stating that the bank server is temporarily down for maintenance. When the victim moves on, the crooks surreptitiously hijack the still-active bank session and transfer money out of the account.  Editor's Note:  If people would STOP TYPING their usernames and passwords to log in and replace the authentication with a Card Swipe and PIN Entry (which ensures you are on the genuine online banking website) then this threat would be eliminated as well.



Defending Your Data

Since most of these malware infections occur when victims respond to a phishing e-mail (which we eliminate) or surf to a compromised site, SecureWorks' Stewart recommends confining your banking activities to one dedicated machine that you use only to check your balances or pay bills.



Good News People!  The HomeATM PCI 2.x Certified PIN Entry Device IS A SEPARATE AND DEDICATED MACHINE which online banking customers can use to:






1. Log In (Genuine Two Factor Authentication)


2. Check Balances

3. Pay Bills

4. Conduct Real-Time Money Transfers



5. Conduct Secure Online Transactions with Credit and Debit Cards.



Alternatively, you can use a free OS, such as Ubuntu Linux, that boots from a CD or a thumbdrive. Before doing any online banking, boot Ubuntu and use the included Firefox browser to access your bank site.



Editor's Note:  That seems like a tremendously huge pain in the ass.  I thought the financial industry was focusing on "convenience."  Besides...as reported last week on this blog... 50% of Americans don't even know what phishing is, so what percentage are going to know how to use or boot up with an Ubuntu thumbdrive?   I would venture a guess that close to 100% of Americans know how to swipe their card and enter their PIN.



Most banking Trojan horses run on Windows, so temporarily using a non-Windows OS defeats them, as does (TEMPORARILY) banking via mobile phone.  (I say temporarily, because when hackers set their sights on mobile banking, smart phones use browsers, which is the root of the problem in the first place.  Think outside the browser...think encryption "inside the box.")






The key step, however, is to keep your antivirus software current; most security programs will detect the new banking Trojan horses.  Editor's Note:  Even if you have the most up to date Anti-Virus programs installed, Zeus bypasses detection 77% of the time.  So...that ain't happening.





There is an online banking Trojan out there that is bypassing up-to-date anti-virus programs as much as 77% of the time, according to security company Trusteer. The Zeus Trojan is also known as Zbot, WSNPOEM, NTOS and PRG. It is the most prevalent financial malware on the web, Trusteer says. (Editor's Note:  Others say it's Clampi.)



According to Trusteer: "When we set out to measure the efficiency of anti-virus products in the wild against Zeus, we had no idea what kind of results we would get," said Amit Klein, CTO of Trusteer and head of the company’s research organization.



"The findings, that up-to-date anti-virus programs were only effective at blocking Zeus infections 23 percent of the time, are disturbing. This is bad news for consumers and banks, since the vast majority of Zeus infections are going unnoticed."







Ignify Becomes First and Only Mid-Market eCommerce Platform to Achieve PCI Compliance for the PA-DSS Standard



LOS ANGELES - (BUSINESS WIRE) - Ignify, a global provider of eCommerce, ERP and CRM solutions and services, today announced that Ignify eCommerce 4.0 (the company's flagship platform) which has been deployed in hundreds of large online storefronts has become the industry's first and only mid-market eCommerce solution to achieve PCI Security Standards Council (PCI) compliance for the Payment Application Data Security Standard (PA-DSS). This achievement ensures Ignify eCommerce customers the highest level of protection against fraud and data theft by passing PCI's strict standards against storing sensitive data including magnetic stripe, CVV2, or PIN numbers for online transactions.



"We are very pleased and proud to have earned PCI's compliance for data security," said Pankaj Kumar, chief technology officer for Ignify. "Fraud remains the number one security concern for online retailers as techniques for misappropriating secured customer data become ever more sophisticated. Ignify's ability to conduct online transactions without ever needing to store sensitive information like credit card or PIN numbers offers our retail partners and the customers they serve a strong sense of comfort."



PCI's PA-DSS standard is the organization's managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.



"From its inception, Ignify eCommerce has been designed with data security as a top priority and this acknowledgement from the PCI Security Standards Council reflects our continued commitment to our customers," added Ignify's Director of eCommerce Operations, Ranjit Goray.



Ignify eCommerce 4.0 is an end-to-end online storefront and business commerce platform. This leading solution offers several refined features including: advanced heuristic fraud detection, real-time reporting and Google analytics, and a unique marketing & promotions module allowing administrators and marketing staff to deliver promotions, edit coupons and mark discounts all on-the-fly from a simple easy to understand dashboard. In addition, Ignify eCommerce 4.0 is the leading online web store and e-commerce solution for Microsoft Dynamics ERP and has been deployed at over 200 sites including: McDonalds Corporation, Aerosoles, Giant Bicycles and the Atlanta Falcons and Dallas Cowboys NFL teams among many others.



About Ignify



Ignify is a privately-held ISO 9001 certified company focused on the mid-market and enterprise business space for ERP, CRM and eCommerce implementations. The company provides design, consulting and implementation services for ERP, CRM initiatives for mid-market and enterprise businesses. Ignify is a Top-tier Microsoft Gold Certified partner ranked in both the Microsoft Dynamics Inner Circle and the Microsoft Dynamics Presidents Club in 2009. Ignify offers a comprehensive set of Business to Business (B2B) and Business to Consumer (B2C) eCommerce solutions for increasing online sales while lowering overall operation costs. Ignify has offices in Los Angeles, Silicon Valley, Nashville, Chicago, Toronto, Manila, Pune and Bangalore.



For more information, visit www.ignify.com or call 888-446-4395.

Visa/MasterCard Telemarketing Scam Uncovered





Hey there PIN Payments News Blog readers...Just a heads up for everyone regarding the latest in Visa fraud. Royal Bank received this communication about the newest scam. This one is pretty slick since they provide YOU with all the information, except the one piece they want.



Note, the callers do not ask for your card number; they already have it!
  Probably because you "typed" it into a box on some website...(couldn't resist :-)




Anyway, this information is worth reading. By understanding how the VISA & MasterCard telephone Credit Card Scam works, you’ll be better prepared to protect yourself. One of our employees was called on Wednesday from ‘VISA’, and I was called on Thursday from ‘MasterCard’.




The scam works like this:





Person calling says – ‘This is (name), and I’m calling from the Security and Fraud Department at VISA. My Badge number is 12460. Your card has been flagged for an unusual purchase pattern, and I’m calling to verify. This would be on your VISA card which was issued by (name of bank). Did you purchase an Anti-Telemarketing Device for $497.99 from a marketing company based in Arizona?’ When you say ‘No’, the caller continues with, ‘Then we will be issuing a credit to your account. This is a company we have been watching and the charges range from $297 to $497, just under the $500 purchase pattern that flags most cards. Before your next statement, the credit will be sent to (gives you your address), is that correct?’ You say ‘yes’.



The caller continues – ‘I will be starting a Fraud Investigation. If you have any questions, you should call the 1-800 number listed on the back of your card (1-800-VISA) and ask for Security. You will need to refer to this Control Number.’ The caller then gives you a 6-digit number. ‘Do you need me to read it again?’





Here’s the IMPORTANT part on how the scam works – The caller then says, ‘I need to verify you are in possession of your card’. He’ll ask you to ‘turn your card over and look for some numbers’. There are 7 numbers; the first 4 are part of your card number, the last 3 are the Security Numbers that verify you are the possessor of the card. These are the numbers you sometimes use to make Internet purchases to prove you have the card. The caller will ask you to read the last 3 numbers to him. After you tell the caller the 3 numbers, he’ll say, ‘That is correct, I just needed to verify that the card has not been lost or stolen, and that you still have your card. Do you have any other questions?’



After you say no, the caller then thanks you and states, ‘Don’t hesitate to call back if you do’, and hangs up. You actually say very little, and they never ask for or tell you the card number. But after we were called on Wednesday, we called back within 20 minutes to ask a question. Are we glad we did! The REAL VISA Security Department told us it was a scam and in the last 15 minutes a new purchase of $497.99 was charged to our card. We made a real fraud report and closed the VISA account. VISA is reissuing us a new number. What the scammers want is the 3-digit PIN number on the back of the card. Don’t give it to them. Instead, tell them you’ll call VISA or Master Card directly for verification of their conversation.



The real VISA told us that they will never ask for anything on the card as they already know the information since they issued the card! If you give the scammers your 3 Digit PIN Number, you think you’re receiving a credit; however, by the time you get your statement you’ll see charges for purchases you didn’t make, and by then it’s almost too late and/or more difficult to actually file a fraud report.



What makes this more remarkable is that on Thursday, I got a call from a ‘Jason Richardson of MasterCard’ with a word-for-word repeat of the VISA Scam. This time I didn’t let him finish. I hung up! We filed a police report, as instructed by VISA. The police said they are taking several of these reports daily! They also urged us to tell everybody we know that this scam is happening. I dealt with a similar situation this morning, with the caller telling me that $3,097 had been charged to my account for plane tickets to Spain, and so on through the above routine.



It appears that this is a very active scam, and evidently quite successful.

Pass this on to all your family and friends



Niki Laxamana

Detective Constable (99739)

Toronto Police Service Fraud Squad – Corporate Section

40 College Street, 3rd Floor

Toronto, Ontario Canada M5G 2J3

B: (416) 808-7344 F: (416) 808-7302




