An article written two years ago (August 17th, 2007) blasted online banking log-in procedures, and still nothing has changed...even though it recommended true two-factor authentication as a solution well before fraud got as bad as it is today...



Banks are still using the "type" of authentication that hackers love.  What type is that?  You know what the Hellvetica I'm talking about.  The kind you use when you don't swipe!



I thought it might be interesting to "revisit" what was said two years ago in order to demonstrate that online banking has not progressed, while hackers unarguably have.

"A new financial services requirement calling for two-factor authentication should make online banking secure, but one researcher says it's actually making things worse.  At this year's DefCon gathering in Las Vegas, security researcher Brendan O'Connor outlined several scenarios in which online banking has gotten worse, rather than better. Under Federal Financial Institutions Examination Council (FFIEC) guidelines that went into effect at the end of last year, banks are required to provide some form of multifactor authentication of their customers.


That typically means asking the user to provide something you have (an ATM card), something you know (a PIN) (Editor's Note: where did "typically" go when it comes to online banking/online shopping? Sounds like a "swipe" vs. "type" argument to me...), or something you are (a fingerprint scan). (Editor's Note: Been there, done that.)


However, O'Connor found that the new authentication implementations were no better than the traditional user-name and password that were required prior to last year. (Which, BTW, is why I always use "username" and "password" in my rants against typing.)


O'Connor also shared some insight into why, with all these new protections in place, so many phishing sites are still operational today.



FFIEC--what?




Nearly two years ago, the Federal Financial Institutions Examination Council (FFIEC) recommended guidance on authentication for online banking. According to their Web site "The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), and to make recommendations to promote uniformity in the supervision of financial institutions." O'Connor, who isn't an expert on compliance, said that failure to pass an FFIEC audit could make it hard for banks to acquire smaller banks or institutions.
"The guidance specifically says that transaction fraud and identity theft are a problem, and it places the blame squarely on authentication," said O'Connor. He pointed to the "three strikes--you're out" rule with most Web applications. Guess the wrong password and you're locked out until you get on the phone to someone. "Attackers aren't getting in by guessing, they're getting in by stealing the credentials or tricking the end-user into giving away the credentials." So adding more credentials won't make sites more secure. (Editor's Note: EXACTLY! A user can "type" in 20 credentials and if a keylogger gets hold of them, or they have malicious code on their computer, or they type them into a counterfeit bank website, they are screwed. So authentication isn't the problem. Typing is!)







"The [FFIEC] guidance specifically says that transaction fraud and identity theft are a problem, and it places the blame squarely on authentication. I disagree with the entire premise." -- Brendan O'Connor



Editor's Note: Hear, hear. It's the "type" of "authentication" that creates the problem. More specifically...consumers "typing" authentication instead of "swiping" to authenticate their online banking session!
The trouble with credentials

Choosing the answer to a security question isn't two-factor authentication; it's one factor--it's choosing something that only you know. But is it? O'Connor said it depends on the question. If it's public record data, then an attacker might also know the value of your mortgage or the year you graduated from college. If it's personal information, then pick a good question to answer. O'Connor mentioned Paris Hilton's choice of "What is the name of your pet?" Everyone knows that.



Then there are the oblivious choices, such as "What's your favorite city?" "If your user ID is CubsFan123," said O'Connor, "it's probably Chicago." Likewise, he said if your user ID is NYCgal576 then the answer to "Where did you go to high school?" is probably New York City. 



Editor's Note: Duh!  Ya think?  So, what can we do?  How about encrypting the data so that hackers just find random gobbledygook. "If they were properly encrypted, it would take until the sun burns out for anyone to decode it."





Read "two year old" article in full at CNET






Posted by John B. Frank Monday, August 31, 2009 0 comments

Security still a concern for e-commerce in RP



Smart beefs up security in payment service
By Alexander Villafania - INQUIRER.net



MANILA, Philippines – Buying items online or through mobile phones is still a relatively low activity in the Philippines, even when there is gradual growth in Internet and mobile users.



At present, according to Nielsen Philippines, there are about 20 million Internet Users in the Philippines, mostly in urban areas. Another 70 million are mobile phone users.



While there is huge potential in both the online and mobile world, fraud and identity theft remain barriers to the growth of both e-commerce and m-commerce.



Even in countries such as the US, many people are still apprehensive about buying online, much less using their mobile phones to make purchases.



A report by US-based ABI Research showed that over 70 percent of those interviewed about mobile transactions are still concerned about security.








From ABI Research: Mobile Money Security: Challenges and Solutions

The security of the mobile channel is perhaps the greatest impediment to the exponential growth of mobile money services worldwide. Consumer perception is that mobile is not safe for personal financial services.



All three mobile delivery options -- SMS, mobile Internet, and downloadable applications -- pose security risks. For mobile money services to fulfil their potential, mobile money service providers must find the proper balance of security and convenience for consumers. What are mobile money vendors and mobile money service providers doing to ensure security? This Brief details specific actions being taken today by leading mobile money service providers and vendors, and makes recommendations for specific actions that need to be taken to ensure security.

Posted by John B. Frank 0 comments

Travel agents fighting United Air fee plan

Bloomberg News



Aug. 31 -- U.S. travel agents are asking Congress to prevent United Airlines from forcing some to pay credit-card processing fees on ticket purchases, saying it may raise costs for travel businesses and millions of customers.



United said in June it was making the change because of transaction expenses that have risen to several hundred million dollars annually. United had planned to begin levying the fees last month, and extended the start date by 60 days.



Some agents will have to absorb the costs when customers buy with Visa Inc., MasterCard Inc., American Express Co. and other cards. Ten states including California and New York bar agents from passing along to consumers the card surcharges, which are usually 2 percent to 3.5 percent of the purchase price, said Paul Ruden of the American Society of Travel Agents.



ASTA wrote to the Congressional sponsors of pending legislation to reauthorize the Federal Aviation Administration on the subject of so-called "back-to-gate" time limits for delayed passenger flights. In the letter, ASTA requested that Congress establish a clearly-defined time limit beyond which passengers who have been subjected to lengthy on-board tarmac delays must be permitted to return to the gate and exit the delayed aircraft. The legislation was reported out of a key Senate Committee last week, and is slated for a vote in both chambers of Congress later this fall.


In the letter, ASTA said:



In the face of continuing delays and the evident lack of concrete efforts on the part of the airlines to create a meaningful solution thereto, and absent a robust reporting mechanism that would compel airlines and airports to report back to the Department of Transportation on their actual progress in implementing the recommendations in the Task Force's [National Task Force to Develop Model Contingency Plans to Deal with Lengthy Airline On-Board Ground Delays (Tarmac Delay Task Force)] final report, we see little hope for real progress in this area without further action from Congress. 


Therefore, we respectfully ask that you establish a clear standard for the airlines to follow. A Congressionally-defined standard will not in itself solve the inexorable problem of chronic flight delays, but it will surely represent an improvement over the current system, in which people are trapped on planes without adequate supplies for hours on end. 




On Nov. 12, 2008, the Tarmac Delay Task Force, on which ASTA held a seat, concluded nearly a year of debate about how to deal with inevitable major flight delays that strand passengers on aircraft for periods up to eight or even 10 hours. Among the Task Force's recommendations was that each airline be permitted to establish its own time limit at each airport for deplaning passengers who have been subjected to lengthy delays. In addition, the Task Force recommended that delayed passengers be provided with "regular and timely information" concerning the reason for such delays.


See full Letter to U.S. Congress

See full Letter to the U.S. Senate



ABOUT ASTA


ASTA's (American Society of Travel Agents) mission is to facilitate the business of selling travel through effective representation, shared knowledge and the enhancement of professionalism. ASTA seeks a retail travel marketplace that is profitable, growing and a rewarding place to work, invest and do business.


Posted by John B. Frank 0 comments

The shifting of consumer behavioral attitude towards a "more secure transaction" such as the ones provided by HomeATM's 2FA 3DES DUKPT E2EE solution is gaining momentum. In fact, 44% of consumers are less likely to trust a Web Merchant with their personal data than just one year ago. It's only a matter of time before "everyone" realizes that financial transactions must be conducted "outside the browser space."



Here's a snippet from Network World:



Network World - Consumers are increasingly interested in doing business with companies they know and trust while avoiding the criminal elements that stalk the Internet.



In fact, 60% of online shoppers abandon their carts at some point during their shopping experience, mostly due to fear of identity theft (Sherpa Marketing Study, 2006), and almost half (44%) say they're less likely than they were just a year ago to trust a Web merchant with personal data (Yankee Group Study, 2008). As the climate of trust erodes, consumers are more sensitive than ever.


Continue Reading (Don't Be Insecure)


Posted by John B. Frank 0 comments


HomeATM: "Inevitably For Our Own Good"


Here's an excerpt from an article written by Rhodri Marsden which unequivocally states the reality of what it takes to secure online banking and credit/debit card transactions conducted online. It's the economy typing stupid! Don't Type: Swipe!



HomeATM encrypts the card details so that hackers only find "random gobbledygook" and manufactures the "only device" designed for eCommerce to be PCI 2.x Certified. We did it because "it's for your own good." The shift towards everyone using a HomeATM to conduct secure transactions and online banking continues...




There is a worldwide standard (the PCI-DSS) that any companies dealing with cardholder information are obliged to sign up to, but many security experts have pointed out that it's possible to tick all the PCI's boxes and still be insecure. The offence allegedly committed by Gonzalez is as vivid an illustration of that as one can imagine.



For once, this lapse in online security has nothing to do with us, the general public. We're guilty of all manner of stupidity when it comes to our personal financial security – writing down PIN numbers on Post-it notes, using the word "password" as our password (or typing "anything" into online banking sites or merchant checkouts just because we are "instructed to") – but in this case there's nothing we could have done, save for withdrawing entirely from the 21st century and using cash instead.

So what should these companies be doing to protect us? Graham Cluley (sounds like he has one...Clu, that is) from internet security firm Sophos has expressed his disbelief that our card details aren't encrypted when they're stored, so that hackers just find random gobbledygook. "If they were properly encrypted," he says, "it would take until the sun burns out for anyone to decode it."

Editor's Note: HomeATM believes that they shouldn't even be stored. This is why HomeATM instantaneously encrypts the card details (including the Track 2 data). By doing so, the Internet Retailers (IR) never store it; in fact, they never even handle it. This provides three distinct benefits: 1. it keeps the data safe, 2. it instantaneously places the IR within the realm of PCI compliance, and 3. it protects the IR from significant fines which would be levied against them by V/MC in the event of a breach. Those are three pretty significant benefits...but first, we have to eliminate typing.


But it's not just the companies storing our details that need to shape up. The 130 million stolen credit card numbers would be of no use to anyone if they couldn't be used to buy stuff. Any masterminds wouldn't have been the ones picking a card number and using it to buy soft furnishings on eBay; they'd sell the numbers on to other criminals in blocks of a few thousand. But eventually, someone would pretend to be you and use your money, because it's still disconcertingly easy to do.



Online shopping is a click-happy cinch, but with that convenience comes risk; if you can tap out your 16-digit number, expiry date and a supposed "secret" three-digit number on the back of your card to book a flight to the South of France, so can anyone else.
We may balk at the idea of carrying around an additional device (of the kind Barclays customers now have to use for online banking) to enter our PIN every time we make a credit card purchase online, but when these kinds of measures are inevitably introduced, we'll have to grin and bear it. It's for our own good, after all.

As for the likes of Albert Gonzalez, they're talented individuals capable of writing sophisticated software that can detect weaknesses in even the strongest computer defences. Indeed, such characters frequently find themselves with job offers in the industry following their release from prison. But after a 35-year stretch, technology is likely to have marched on a bit too far for anyone to catch up. Marched on so far, one would hope, that our money would finally be safe from marauding cybercriminals. Fingers crossed.
Source: Independent


Posted by John B. Frank 0 comments

Credit-card companies track your purchases to make sure you and they aren't scammed


Sunday,  August 30, 2009 3:42 AM
THE COLUMBUS DISPATCH



At noon, you use your credit card to pay for gas at a station in Columbus. An hour later, your card has been used to buy a $1,500 computer -- at a store in Moscow.



Before the charge is approved, a sophisticated computer-monitoring system thousands of miles away raises a red flag, denies the charge and keeps you from becoming the victim of a crime -- all in a matter of seconds.
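The Columbus-then-Moscow scenario above is what fraud teams call an "impossible travel" check: the implied speed between two authorizations on the same card is physically impossible, so the second one is declined before it settles. The Python below is an added example, not text from the Dispatch article and not any issuer's or network's real monitoring system; it runs that rule, plus a simple velocity rule, over constructed authorization records. The thresholds (1,000 km/h and three approvals within ten minutes), the card references, and the coordinates are assumptions chosen for the demonstration.

```python
# Added example (not from the Dispatch article or any card issuer): an
# "impossible travel" and velocity screen over constructed authorizations.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Auth:
    card_ref: str      # constructed token standing in for a card number
    ts: datetime       # time the authorization request arrived
    city: str
    lat: float
    lon: float
    amount_usd: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


# Assumed thresholds: nothing legitimate moves faster than an airliner, and
# a burst of approvals within a few minutes is treated as card testing.
MAX_SPEED_KMH = 1000.0
BURST_WINDOW = timedelta(minutes=10)
BURST_LIMIT = 3


class Monitor:
    """Keeps the approved authorizations per card and scores new ones."""

    def __init__(self, max_speed_kmh: float = MAX_SPEED_KMH,
                 burst_window: timedelta = BURST_WINDOW,
                 burst_limit: int = BURST_LIMIT) -> None:
        self.max_speed_kmh = max_speed_kmh
        self.burst_window = burst_window
        self.burst_limit = burst_limit
        self._approved: Dict[str, List[Auth]] = {}

    def decide(self, auth: Auth) -> Tuple[str, str]:
        """Return ("APPROVE" | "DENY", reason) for one authorization."""
        history = self._approved.setdefault(auth.card_ref, [])
        if history:
            last = history[-1]
            km = haversine_km(last.lat, last.lon, auth.lat, auth.lon)
            hours = (auth.ts - last.ts).total_seconds() / 3600.0
            # Ignore tiny distances (same city); otherwise check implied speed.
            if km > 1.0 and (hours <= 0 or km / hours > self.max_speed_kmh):
                return ("DENY", f"impossible travel: {km:.0f} km from "
                                f"{last.city} in {hours * 60:.0f} min")
        recent = [a for a in history if auth.ts - a.ts <= self.burst_window]
        if len(recent) >= self.burst_limit:
            minutes = int(self.burst_window.total_seconds() // 60)
            return ("DENY", f"velocity: {len(recent)} approvals in {minutes} min")
        # Only approved authorizations become the card's location history, so a
        # denied attempt cannot move the cardholder's "last seen" point.
        history.append(auth)
        return ("APPROVE", "ok")


# Constructed sample: the article's Columbus-then-Moscow pattern on card-A and
# a rapid-fire burst of small charges on card-B.
SAMPLE_AUTHS = [
    Auth("card-A", datetime(2009, 8, 30, 12, 0), "Columbus, OH", 39.96, -83.00, 40.00),
    Auth("card-A", datetime(2009, 8, 30, 13, 0), "Moscow", 55.76, 37.62, 1500.00),
    Auth("card-A", datetime(2009, 8, 30, 14, 0), "Columbus, OH", 39.96, -83.00, 62.50),
    Auth("card-B", datetime(2009, 8, 30, 9, 0), "Dublin, OH", 40.10, -83.11, 20.00),
    Auth("card-B", datetime(2009, 8, 30, 9, 2), "Dublin, OH", 40.10, -83.11, 20.00),
    Auth("card-B", datetime(2009, 8, 30, 9, 4), "Dublin, OH", 40.10, -83.11, 20.00),
    Auth("card-B", datetime(2009, 8, 30, 9, 6), "Dublin, OH", 40.10, -83.11, 20.00),
]


def screen(auths: List[Auth] = SAMPLE_AUTHS) -> List[Tuple[str, str, str, str]]:
    """Process authorizations in arrival order; return (card, city, decision, reason)."""
    monitor = Monitor()
    results = []
    for auth in sorted(auths, key=lambda a: a.ts):
        decision, reason = monitor.decide(auth)
        results.append((auth.card_ref, auth.city, decision, reason))
    return results


if __name__ == "__main__":
    for card, city, decision, reason in screen():
        print(f"{card:7} {city:13} {decision:8} {reason}")
```

Two design points matter more than the arithmetic: a denied authorization is never written into the card's history, so a fraudulent attempt cannot "teleport" the cardholder and cause their next genuine purchase to be declined, and the Moscow charge is caught against the last approved Columbus purchase rather than against the previous request, whatever its outcome.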



Such technology used behind the scenes to thwart criminals has become the norm in the ever-evolving, techno-savvy and secretive world of credit- and debit-card security.  It's a world filled with sophisticated and well-organized bad guys determined to steal your identity and card information -- and equally determined card issuers and networks bent on stopping them.



The card industry includes financial institutions such as Huntington and JPMorgan Chase, which issue credit and debit cards that are serviced by electronic payment networks. The two biggest are Visa and MasterCard.  Discover and American Express also issue and service credit cards.



At stake in their combined fight against criminals is billions of dollars. Identity theft netted crooks about $48 billion in 2008 in the United States, a 16 percent increase over 2007, according to Javelin Strategy & Research.





Of this total, about $22 billion was realized from fraud connected to existing cards.



Most cardholders have zero liability for fraudulent activity, so the fraud is likely to cost them mainly time and inconvenience. Editor's Note: So that balance between security and convenience is what again?...and whose convenience? It seems to me that if $22 billion worth of fraud creates "monetary loss" and "time and inconvenience" for consumers, we need to re-evaluate that balance. Yes? That's without considering the fact that consumer privacy is past tense now that every purchase is "tracked." Why not process (E2EE) transactions the "right" way instead?





Instead, the card industry and merchants are on the hook for all those billions, which is quite an incentive to limit their losses. The card industry doesn't like to discuss the details of how fraudulent card activity is monitored and detected.  "If they became public, they wouldn't be effective. It would only aid the fraudsters," said American Express spokeswoman Lisa Gonzalez.



Continue Reading at Columbus Dispatch

Posted by John B. Frank 0 comments

ARA concerned at RBA review of interchange regulation > Inside Retailing

Eftpos interchange fees cannot be consistent with debit card fees according to the Australian Retailers Association.



The ARA and the Australian Payment Merchants Forum (AMPF) say they are concerned at a Reserve Bank of Australia proposal to subject Eftpos interchange fees to the same regulation as Visa and MasterCard's debit cards.



Chairman of the AMPF and ARA executive director, Russell Zimmerman, said interchange fees were typically paid by merchants to card issuers to fund the costs of cardholder benefits. But the RBA's suggestion would increase the cost of Eftpos transactions for all Australian retailers.



"Currently, Visa and MasterCard interchange fees are regulated to be an average of 12c per transaction but it's difficult to understand why card issuers should receive 12 cents for each Eftpos transaction.



"Debit cards are a mature product and the cost of processing transactions using Eftpos is minimal. In fact in New Zealand, whose banking market is dominated by the major Australian banks, debit card payments at retailers do not attract any interchange fee.



"Consumers, who use less costly payment instruments, including Eftpos cards, effectively subsidise consumers paying with more costly payment instruments like scheme-branded credit and debit cards. The RBA's latest proposal will price every debit card payment at the highest existing rate," Zimmerman said.




Posted by John B. Frank 0 comments

VisaNet Says Brazil Antitrust Agency Suspends Exclusivity Ban - Bloomberg.com

VisaNet Says Brazil Antitrust Agency Suspends Exclusivity Ban

By Laura Price



(Bloomberg) -- Cia. Brasileira de Meios de Pagamento, the credit-card payment processor known as VisaNet, said Brazil’s antitrust regulator suspended a ban on exclusivity imposed by the Justice Ministry.



SDE, as the antitrust arm of the Justice Ministry is known, started a probe against VisaNet, Visa International Service Association and Visa do Brasil Empreendimentos Ltda on Aug. 6. The antitrust unit said VisaNet created exclusivity by requiring businesses to use it to be able to accept cards carrying the Visa logo.



Cade, as the antitrust regulator is known, suspended the preventive measure taken earlier this month by SDE until Cade judges the case for possible anti-competitive practices, VisaNet said in a statement to Brazil’s securities regulator late yesterday. Cade is due to judge the case on Sept. 16, VisaNet said.


Posted by John B. Frank 0 comments

Momentum Payment Systems Announces Mobile Payment Processing with New iPhone Application


Merchants of Momentum Payment Systems can now process credit and debit card transactions through its secure network by employing an iPhone, iPod Touch or T-Mobile G1 over Wifi or 3G wireless connections.



Addison, TX (PRWEB) August 31, 2009 -- Momentum Payment Systems, www.MomentumPayments.com, a leader in the electronic payment processing industry, proudly announces the Momentum Payment Systems iPhone Mobile Application.



Small business merchants, independent contractors and mobile merchants now have the ability to utilize Momentum's payment processing solutions without the need for hardware processing equipment or a dedicated internet line.



The application is currently available through Momentum's sales team and is set up via a one-time installation process through a web browser. Upon installation the application icon is available on the home screen of the device for convenient future use.





With the application, merchants can type the card information into the phone and the credit and debit card transactions are processed as "card-not-present" or "offline-debit" payments.



Receipts can currently be emailed to the cardholder however future enhancement plans include the ability for the merchant to print a receipt instantly.



"We've always been dedicated to creating customized payment processing solutions to fit the needs of each business," said Vice President of Operations Robel Sebany. "We've always wanted to provide our merchants with access to a payment processing option as portable as their business and with the growing technological advancements of these mobile devices it is a great opportunity to reach that goal."



About Momentum Payment Systems



Momentum Payment Systems, LLC is a fast growing merchant acquirer that specializes in providing small and medium-sized businesses throughout the United States with comprehensive electronic transaction processing solutions. Momentum distributes and installs point-of-sale equipment and offers traditional credit and debit card processing services as well as processing for ATM cards, gift and loyalty cards, prepaid cards, EBT, checks and e-commerce solutions. Momentum also proudly offers 24 hour technical support.

For further information, please visit Momentum Payment Systems online at www.MomentumPayments.com




Posted by John B. Frank 0 comments






From BitPipe.com and SearchSecurity.com:

The State of Cybercrime: Today's Real Cybercriminals

sponsored by TippingPoint

Premiered: 28 Aug 2009
Language: English
ABSTRACT:



The Internet is a rough neighborhood. How well is your organization policing your part of the Internet? Online fraud is pervasive and those that are behind online fraud are using sophisticated techniques to target financial and personal information.



This videocast provides an overview of current trends affecting organizations, what enables online fraud, what are some of the barriers, and suggestions for what organizations should do to combat the problem.



Key points of emphasis include:


  • How new threats and emerging trends in online fraud affect many organizations.

  • How to establish an effective Network Neighborhood Watch Program at your company.

  • How policy and globalization issues combat online fraud and steps you can take to protect your organization.





Speaker: Jerry Dixon

Director of Analysis, Team Cymru
Jerry Dixon is currently the director of analysis for Team Cymru; he also serves as InfraGard's vice president for Government Relations. He is the former executive director of the National Cyber Security Division (NCSD) & US-CERT, of the Department of Homeland Security.



During his time at Homeland, Dixon led the national effort to protect America's cyber infrastructure and identify cyber threats.



Dixon also served as the deputy director of operations for the U.S. Computer Emergency Readiness Team (US-CERT).



Dixon was instrumental in creating US-CERT, which serves America as the 24x7x365 cyber watch, warning, and incident response center that protects the cyber infrastructure by coordinating defense against and response to cyber attacks. He led the initial development of US-CERT's capabilities for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities across federal, state, local government agencies, and private sector organizations, making it Homeland Security's primary element of cyber preparedness and response.

Posted by John B. Frank 0 comments

The PIN Payments News Blog is now also available on Zimbio under the Wikizine: ePayments News

Or, continue to read the advertisement-free version here at:

www.HomeATMBlog.com

or

www.PINDebit.blogspot.com

Posted by John B. Frank Sunday, August 30, 2009 0 comments



Evolving Fraud Schemes Keep Pressure on Evolving Payments Instruments







While some of the latest schemes borrow from scams past, today's fraud schemes are as sophisticated as banks' most advanced payments systems. And stopping them is still a challenge.




By Maria Bruno-Britz - Bank Tech





Related articles in "Payments: Facing the Challenges": Evolving Fraud Schemes Keep Pressure on Evolving Payments Instruments; Retail Payments Risk Forum Collaborates to Fight Payments Fraud; The SEPA Direct Debit Scheme and the Payment Services Directive Pose Challenges and Opportunities.

Name a payment method and there is probably some scheme to defraud it.



Since the Chinese introduced paper money, banks have been concerned about fraud. More than a thousand years later, payments fraud continues to haunt banks, consumers and businesses.


"Fraud is still rampant," comments Paul Sussman, VP with First Manhattan Consulting in New York. "The majority of businesses over $1 million in revenue are going to be exposed to payment fraud, and almost every bank is being hit by fraud today."



From simple "Dumpster diving" to organized crime rings that rely on complex computer programming, fraud scams grow in sophistication to match the evolution of payment forms. "Fraud trends continue to evolve," notes Douglas Twining, director of fraud services for Cleveland-based KeyBank ($99 billion in assets)....



Continue reading at Bank Tech







Posted by John B. Frank



Online crime is increasingly hitting small and mid-size companies in the U.S., draining those entities' bank accounts through fraudulent transfers. The problem has gotten so bad that a financial services group recently sent out a warning about the trend, and the Federal Deposit Insurance Corporation (FDIC) issued an alert today.

"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," says a bulletin sent on Aug. 21 to member financial institutions by the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is part of the government-private industry umbrella working with the Department of Homeland Security and Treasury Department to share information about critical threats to the country's infrastructure. The member-only alert described the problem and told its members to implement many of the precautions and monitoring currently used to detect consumer bank and credit card fraud.



The FS-ISAC notice -- and subsequent media attention -- in turn prompted the FDIC alert to warn banking institutions about this kind of fraud.

The Threat



The FDIC traces the fraud to compromised login credentials on online banking websites. Over the past year, the FDIC says, it has detected an increase in the number of reports and the amount of losses resulting from unauthorized electronic fund transfers (EFTs), such as automated clearing house (ACH) and wire transfers.



Continue Reading at Bank Info Security
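The bulletin quoted above tells banks to apply the monitoring they already run on consumer card and account activity to business EFT origination. As an added illustration of what that looks like in practice (this is not code from FS-ISAC, the FDIC or Bank Info Security), the following is a minimal rule-based screen over constructed ACH/wire origination records. Each origination is scored against the customer's established profile (known IPs, device fingerprints, beneficiaries, typical amount, usual hours) and against a 24-hour burst of payments to never-before-seen accounts, and high-scoring items are held for out-of-band confirmation. The point it makes is the one the FDIC makes: a session using valid credentials is not necessarily the customer. Field names, weights, thresholds and every record are assumptions.

```python
"""Rule-based screen for business EFT originations (ACH/wire).

Added example; not code from FS-ISAC, the FDIC or Bank Info Security.
Field names, weights, thresholds and all records are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Origination:
    tx_id: str
    customer: str
    amount: float
    beneficiary: str        # destination account identifier (tokenised in practice)
    session_ip: str         # IP of the online-banking session that submitted it
    device_id: str          # browser/device fingerprint of that session
    submitted_at: datetime


@dataclass
class CustomerProfile:
    known_ips: set[str]
    known_devices: set[str]
    known_beneficiaries: set[str]
    typical_max_amount: float                 # e.g. 95th percentile of the last 12 months
    business_hours: tuple[int, int] = (7, 19)  # local hours the customer normally originates in


def score_origination(tx: Origination, profile: CustomerProfile,
                      history: list[Origination]) -> tuple[int, list[str]]:
    """Return (risk points, reasons). Points are additive; the weights are assumptions."""
    points, reasons = 0, []
    if tx.session_ip not in profile.known_ips:
        points += 2; reasons.append("session from an IP never seen for this customer")
    if tx.device_id not in profile.known_devices:
        points += 2; reasons.append("unrecognised device fingerprint")
    if tx.beneficiary not in profile.known_beneficiaries:
        points += 2; reasons.append("first payment to this beneficiary")
    if tx.amount > profile.typical_max_amount:
        points += 2; reasons.append("amount above the customer's typical maximum")
    start, end = profile.business_hours
    if not start <= tx.submitted_at.hour < end:
        points += 1; reasons.append("submitted outside the customer's usual hours")
    # Burst detection: several payments to new accounts in a short window is the
    # pattern that follows a credential compromise, even when each amount looks modest.
    window = tx.submitted_at - timedelta(hours=24)
    burst = [h for h in history
             if h.customer == tx.customer
             and window <= h.submitted_at <= tx.submitted_at
             and h.beneficiary not in profile.known_beneficiaries]
    if len(burst) >= 2:
        points += 3; reasons.append(f"{len(burst) + 1} payments to new beneficiaries within 24h")
    return points, reasons


def decide(points: int) -> str:
    """HOLD = do not release; confirm with the customer out of band, i.e. by a
    pre-registered phone number, never through the same online session."""
    if points >= 6:
        return "HOLD"
    if points >= 3:
        return "REVIEW"
    return "RELEASE"


def screen_batch(batch: list[Origination],
                 profile: CustomerProfile) -> dict[str, tuple[str, int, list[str]]]:
    """Screen originations in submission order, each against the ones before it."""
    history: list[Origination] = []
    results: dict[str, tuple[str, int, list[str]]] = {}
    for tx in sorted(batch, key=lambda t: t.submitted_at):
        points, reasons = score_origination(tx, profile, history)
        results[tx.tx_id] = (decide(points), points, reasons)
        history.append(tx)
    return results


# Constructed sample: one routine supplier payment, then three night-time payments
# to new accounts from an unknown device and IP, as seen after a credential theft.
PROFILE = CustomerProfile(
    known_ips={"203.0.113.10"},
    known_devices={"dev-acme-01"},
    known_beneficiaries={"payroll-provider", "supplier-a"},
    typical_max_amount=12_000.0,
)
SAMPLE = [
    Origination("T1", "acme", 4_500.0, "supplier-a", "203.0.113.10", "dev-acme-01", datetime(2009, 8, 24, 10, 5)),
    Origination("T2", "acme", 9_800.0, "acct-7731", "198.51.100.77", "dev-unknown", datetime(2009, 8, 25, 2, 15)),
    Origination("T3", "acme", 9_650.0, "acct-4410", "198.51.100.77", "dev-unknown", datetime(2009, 8, 25, 2, 21)),
    Origination("T4", "acme", 9_900.0, "acct-9023", "198.51.100.77", "dev-unknown", datetime(2009, 8, 25, 2, 27)),
]

if __name__ == "__main__":
    for tx_id, (decision, points, reasons) in screen_batch(SAMPLE, PROFILE).items():
        print(f"{tx_id}: {decision} ({points}) {'; '.join(reasons) or 'no findings'}")
```

In the sample, T1 releases with no findings while T2 through T4 are held: each is under the customer's usual maximum, so an amount-only rule would pass them, and it is the combination of unknown device, unknown IP, new beneficiary and night-time submission that trips the screen, with the burst rule adding weight by the third payment. Real weights would be tuned against the bank's own loss data, and the HOLD path matters as much as the score: confirmation must go over a channel the crimeware on the customer's PC does not control.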



Special Alert from the FDIC:  (which I think needs to learn more about our 2FA 3DES DUKPT E2EE PCI 2.x HomeATM)

Special Alerts

SA-147-2009

August 26, 2009
TO: CHIEF EXECUTIVE OFFICER
SUBJECT: Fraudulent Electronic Funds Transfers (EFTs)
Summary: The Federal Deposit Insurance Corporation is aware of an increased number of fraudulent EFT transactions resulting from compromised login credentials.






The Federal Deposit Insurance Corporation (FDIC) is alerting financial institutions that provide Web-based payment origination services for business customers to increased reports of fraudulent EFT transactions resulting from compromised login credentials. Over the past year, the FDIC has detected an increase in the number of reports and the amount of losses resulting from unauthorized EFTs, such as automated clearing house (ACH) and wire transfers. In most of these cases, the fraudulent transfers were made from business customers whose online business banking software credentials were compromised.



Web-based commercial EFT origination applications are being targeted by malicious software, including Trojan horse programs, key loggers and other spoofing techniques, designed to circumvent online authentication methods. Illicitly obtained credentials can be used to initiate fraudulent ACH transactions and wire transfers, and take over commercial accounts.


These types of malicious code, or "crimeware," can infect business customers' computers when the customer is visiting a Web site or opening an e-mail attachment.

Some types of crimeware are difficult to detect because of how they are installed and because they can lie dormant until the targeted online banking session login is initiated. These attacks could result in monetary losses to financial institutions and their business customers if not detected quickly.



Financial institutions and technology service providers can refer to the following guidance for additional information on authentication and information security for high-risk transactions:





FFIEC Guidance Authentication in an Internet Banking Environment

Authentication in an Internet Banking Environment Frequently Asked Questions

FFIEC Information Security Examination Handbook - PDF 866k (PDF Help)

FFIEC Retail Payment Systems Examination Handbook

and

FDIC Guidance on Mitigating Risks from Spyware

Consumers who want to learn more about computer security and online scams can find additional information at http://www.fdic.gov/consumers/consumer/guard/index.html and http://www.onguardonline.gov/topics/overview.aspx.


Businesses and local government agencies can find cyber security resources at http://www.us-cert.gov/.


Information about cyber-fraud incidents and other fraudulent activity may be forwarded to the FDIC's Cyber-Fraud and Financial Crimes Section, 550 17th Street, N.W., Room F-4004, Washington, D.C. 20429, or transmitted electronically to alert@fdic.gov.

Questions related to federal deposit insurance or consumer issues should be submitted to the FDIC using an online form that can be accessed at http://www2.fdic.gov/starsmail/index.asp.


For your reference, FDIC Special Alerts may be accessed from the FDIC's website at www.fdic.gov/news/news/SpecialAlert/2009/index.html. To learn how to automatically receive FDIC Special Alerts through e-mail, please visit www.fdic.gov/about/subscriptions/index.html.

Posted by John B. Frank Saturday, August 29, 2009



Online Banking's Innate Security Flaws

Consumer rights organization Which? has criticized the online banking systems of some of Britain's biggest lenders, labelling them insecure in a new report released today.



Abbey and Halifax were singled out as particularly poor. "Halifax has one of the least secure log-in procedures of the ten online banks we looked at. It asks for three pieces of information to confirm a customer's identity. As each entry is typed in full, this makes the information vulnerable" to a simple keylogger, a virus that sits on a computer and tracks every keystroke with the aim of collecting passwords.






Which? Computing also found significant differences in how well money transfers appear to be protected. Abbey, First Direct, Halifax and HSBC have no visible security controls for money transfers, so if a banking session is hijacked, a criminal can enter the amount they want to.



Which? also found that users of Abbey, Alliance & Leicester, HSBC and Halifax are not immediately logged out after a session, leaving them vulnerable if they use online banking on a shared computer.  Alliance & Leicester and HSBC were rated as 'average', while First Direct, Lloyds TSB, Nationwide, NatWest and RBS were given a 'good' rating.




Barclays was the only one of the 10 banks surveyed to get a rating of 'excellent'. The company requires all its online customers to use a "two-factor authentication" (2FA) system involving a PINsentry device which generates a one-time password for each session.

Tony Dyhouse, director of the government-backed Cyber Security Knowledge Transfer Network, said that banks face a difficult challenge in trying to balance security with convenience.


Editor's Note:  PINsentry is a great device for 2FA log-in, but keep in mind its ONLY function is as an authenticator.  By contrast, HomeATM utilizes 2FA for log-in, but it also enables consumers to conduct financial transactions (including money transfers) in real-time with 100% 2FA 3DES DUKPT End-to-End (Zone 1-5) Encryption.




Which? would you rather have at your bank?
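The two findings in the Which? report, that a credential typed in full is captured whole by a keylogger whereas a per-session one-time password is not reusable, and that a hijacked session can still carry a transfer of any amount, can be demonstrated in a few lines. The following is an added illustration, not code from Which?, Barclays or HomeATM: it plays a keylogger that records one login and then replays it against three login schemes (full password, "enter characters 2, 5 and 7" partial challenge, and a token-generated one-time password), and finishes with a code bound to the transfer details, which is one way a "security control for money transfers" can work and is not any bank's actual scheme. The password, the challenge positions and the transfer details are constructed; the one-time code is HOTP (RFC 4226) computed with the RFC's published test secret.

```python
"""Keylogger replay against three login schemes, plus a transfer-bound code.

Added example; not code from Which?, Barclays or HomeATM. Password, challenge
positions and transfer details are constructed; the one-time password is HOTP
(RFC 4226) using the RFC's own test secret so the values are checkable.
"""
from __future__ import annotations

import hashlib
import hmac
import struct


# ---- Scheme 1: a password typed in full (what the report criticises) --------
class FullPasswordLogin:
    def __init__(self, password: str) -> None:
        self._password = password

    def verify(self, typed: str) -> bool:
        return hmac.compare_digest(typed, self._password)


# ---- Scheme 2: partial-character challenge ("characters 2, 5 and 7") --------
class PartialPasswordLogin:
    def __init__(self, password: str) -> None:
        self._password = password

    def verify(self, positions: list[int], typed: str) -> bool:
        expected = "".join(self._password[p] for p in positions)
        return hmac.compare_digest(typed, expected)


def learned_from_capture(known: dict[int, str], positions: list[int], typed: str) -> dict[int, str]:
    """Attacker side: merge one keylogged (positions, keystrokes) pair into what is known."""
    merged = dict(known)
    merged.update(zip(positions, typed))
    return merged


def attacker_can_answer(known: dict[int, str], positions: list[int]) -> bool:
    return all(p in known for p in positions)


# ---- Scheme 3: one-time password from a token (HOTP, RFC 4226) -------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenLogin:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self.counter = 0          # server-side moving factor

    def verify(self, typed: str) -> bool:
        ok = hmac.compare_digest(typed, hotp(self._secret, self.counter))
        if ok:
            self.counter += 1     # consumed: the same code never verifies again
        return ok


# ---- Replay experiment: the keylogger saw exactly one login -----------------
PASSWORD = "correcthorse"                  # constructed
RFC4226_SECRET = b"12345678901234567890"   # RFC 4226 test secret


def replay_full_password() -> bool:
    server = FullPasswordLogin(PASSWORD)
    captured = PASSWORD                    # every character was typed, so all was logged
    server.verify(captured)                # the victim's own login
    return server.verify(captured)         # attacker replays the keystrokes


def replay_partial_password(first_challenge: list[int], second_challenge: list[int]) -> bool:
    server = PartialPasswordLogin(PASSWORD)
    typed = "".join(PASSWORD[p] for p in first_challenge)
    server.verify(first_challenge, typed)  # the victim's login, keylogged
    known = learned_from_capture({}, first_challenge, typed)
    if not attacker_can_answer(known, second_challenge):
        return False                       # a fresh challenge asks for unseen positions
    return server.verify(second_challenge, "".join(known[p] for p in second_challenge))


def replay_token() -> bool:
    server = TokenLogin(RFC4226_SECRET)
    captured = hotp(RFC4226_SECRET, 0)     # the code the victim typed this session
    server.verify(captured)
    return server.verify(captured)         # server now expects counter 1


# ---- Beyond login: binding the code to the transfer itself ------------------
# Once a session is hijacked, a login-only token cannot stop the criminal from
# entering "the amount they want to".  If the code is derived from the
# beneficiary and amount, a tampered transfer no longer verifies.  Illustration
# only, not any bank's scheme.
def transfer_code(secret: bytes, counter: int, beneficiary: str, amount_pence: int) -> str:
    bound = hmac.new(secret, f"{beneficiary}|{amount_pence}".encode(), hashlib.sha256).digest()
    return hotp(bound, counter)


def tampered_transfer_verifies() -> bool:
    customer_code = transfer_code(RFC4226_SECRET, 0, "GB-SUPPLIER-ACCT", 25_000)   # what the customer keyed
    bank_expected = transfer_code(RFC4226_SECRET, 0, "GB-UNKNOWN-ACCT", 999_900)   # what the hijacker submitted
    return hmac.compare_digest(customer_code, bank_expected)


if __name__ == "__main__":
    print("full password replay succeeds:   ", replay_full_password())
    print("partial, same positions asked:    ", replay_partial_password([1, 4, 6], [1, 4, 6]))
    print("partial, new position asked:      ", replay_partial_password([1, 4, 6], [0, 4, 6]))
    print("token code replay succeeds:       ", replay_token())
    print("tampered transfer verifies:       ", tampered_transfer_verifies())
```

The partial-character scheme only delays the attacker: every captured login adds positions to the attacker's map, and crimeware that sits on the machine for weeks (the FDIC alert above notes it can lie dormant across sessions) eventually learns enough to answer any challenge. The token code resists replay outright, but nothing in the login step protects the transfer that follows it; the last function shows the shape of the control the report found missing, where the code the customer enters changes if the beneficiary or amount does.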



Related post: 41% of Americans Say No to Online Banking Citing Security Fears (15 Jun 2009, John B. Frank, http://pindebit.blogspot.com/): "Compared with younger consumers, preboomers, who are 63 or older, are more explicit in their reasons for not using online banking - they are comfortable with other channels, such as the branch, and they are worried about the security ..."

Posted by John B. Frank

Financially strapped boost payment alternatives

Debit cards are fast becoming the payment instrument of choice for U.S. consumers. According to Visa Inc., the value of purchases made using Visa-branded debit cards in 2008 surpassed dollars spent using Visa credit cards for the first time. For many consumers who have made the switch, there may be no turning back.

Read entire story

Posted by John B. Frank Friday, August 28, 2009


A Review of the Types and Trends of Data Breaches Involving Financial Institutions

August 28, 2009 - Linda McGlasson, Managing Editor




There have been 356 data breaches so far in 2009, according to the Identity Theft Resource Center (ITRC). And 46 of those breaches have involved financial institutions - up from 34 at this same time last year.



In reviewing these 46 incidents (see interactive timeline w/details of each breach), one finds good news and bad, according to ITRC executive director Linda Foley.




The good news, Foley says, is that, based on percentages, financial institutions consistently have lower percentages of data breaches than other organizations. "This means they're doing a better job of controlling and protecting their data," she says.



The bad news is when financial institutions - or their third-party service providers -- are breached ... it's big. Example: the Heartland Payment Systems breach, which resulted in the compromise of 130 million credit and debit cards. Financial data -- bank account numbers, social security numbers, and other personal identifying information - is invaluable to hackers, and its loss is costly to consumers.


Continue Reading at Bank Info Security

Posted by John B. Frank

Payments Industry News Blog
