Closing out our week's series: "Online Banking is Weak Week" I am providing an online banking log-in example:   But first:



UPDATED: Breaking News: from SC Magazine: A PERFECT way to end the weak! (sic)






Opinion: Take no chances with card security > E-Commerce Security ...





Card companies should be re-investigating secure alternatives, such as PC-based {Chip and} PIN Terminals, where customers securely authorize transactions using their own computers, similar to...("exactly like" HomeATM'S Slim.)

Remember..."Please Enter" translates into "Please Type"  For the record, I am not picking on either bank exemplified below. ALL banks have weak authentication. I only chose Fifth Third because of Bank Technology News article entitled: Is the Genie Out?



















Internet Banking Log In





Here's what you will need to Log In to our Internet Banking and Bill Payment system:



A Fifth Third Bank account with Jeanie® Card access. To access your accounts, please use your card number or social security number as your ID and your associated PIN (Personal Identification Number) as your password.



To learn about Fifth Third's easy-to-use Internet Banking system, please view our online demo.


















 Internet Banking

Internet Banking Help 

















 1)

Enter your ID: 



Please use your Jeanie Card number as your ID.



Forgot your ID?



 2)

Enter your password: 



Please enter your ATM PIN or Internet Banking password.



Forgot your password?





Secure Form 









 For Internet access to all

 your business services

Log In to Fifth Third Direct

 Log In to Fifth Third DirectSM























Then there's the thousands of banks that ask for a simple "username: password" authentication. (now that I think about it, as bad as that is, it's better than "entering"/TYPING!" your ATM PIN or social security number into a box) In this particular example, from Wells Fargo's Online Banking site, they do have a link explaining how to "Improve your Online Safety Skills."



Of course, online banking trojans, such as URLZone, Zeus or Clampi do not really care how skilled you are...heck they really don't even care if you've got the most up-to-date malware programs installed on your computer.



I could go on and on and online banking security is weak, but if the Genie is out and if username and password authentication is useless, and if online banking Trojans are proliferating like bunnies, and if consumers are suing banks for having their online banking log-in credentials stolen and if analysts are saying:


"Multi-factor authentication, as defined under the FFIEC isn't sufficient to meet the environment in" Tom Wills - Javelin Research





Then again, I don't think it takes a rocket scientist, to figure out the not only Houston has, but we all have a problem.



You'll hear the SSL and EV SSL arguments, but they are moot points. There are ways around them. Plain and Simple. If it's done within the browser, you're information is cooked.




Nothing that goes through the browser can be relied upon" Avivah Litan - Gartner

The good news for banks and consumers is that we have a solution available that is ready to go.  The timing really couldn't be better for banks.  Rather than having to come up with something (like another band-aid) to fight the onslaught of malware (5 million new ones cropped up in July, August and September and URLZone cropped up October 1st) the engineers at HomeATM foresaw the events that are currently transpiring...(the web is not safe for eCommerce) and spent the last 7 plus years developing a "outside the net, but inside the box" encryption mechanism, got it patented, and then go the manufacturing cost down to the level where banks could give 'em away. 



But HomeATM wasn't done.  They spent the 18 months getting it PCI 2.x Certified.  Then they got it TG-3 certified.  Still not done.  They also developed a real-time P2P Money Transfer which works with ANY bankcard.  Consumer to Consumer, Account to Account and even a Consumer to Business (online bill pay) application that would work in "real-time".  



  • How big is that?  I invite you to conduct a "real-time bill pay" search on Google.  If you throw out "encyclopedia.com's" 2 results, there are only 10. (11 now, because I just posted about it)




  • By contrast , conduct a google search on "Bill Pay" and you get over 2.1 million. 




  • Now take it a step further.  Google "Online Real-Time Bill Pay" and you will get ZERO results. (1 now, because I just posted about it)  whereas "online bill pay" gets you 962,000. 

Bank of America is running a promotion right now, which states they will give you, the online banking customer $25...hey...(looks like they bumped it to $35 since I posted about it for using their "online bill pay" feature.  You know what that means?  It means, by definition, that they can afford to give away the HomeATM Slim (and save $10)





  • Once equipped with our SLIM, consumers would have no worries/fears about online banking because they would be replicating the same procedure utilized to withdraw cash at an ATM.  (and there would be no skimmer or hidden camera threat) 




  • Once equipped with our device, it would mean that the threat of losing a customer to a competing bank (see 49% of Consumers Worldwide Would Switch Banks if Victim of Card Fraud) would be vastly reduced.




  • It would also mean the chances of customer acquisition from banks with weak (i.e. current) authentication would be vastly enhanced.  (I hope I'm not going to fast for you here...good, then I'll continue...)  




  • It would enable banking customers to conduct real time P2P money transfers

  • It would enable the bank's customers to conduct real time A2A and C2B money transfers


  • It would also mean that customers would be enabled to conduct a more secure "card present" transaction on the web. 

Based on the fact that the web is currently a 100% "card not present" environment, that is a tremendously huge breakthrough in the fight against cybercrime...  Why? Here's two reasons:



CNP Fraud is not only the driving force behind the dramatic rise in credit and debit card fraud. It is also the leading cause of fraud...not only in the UK or China, but the US as well.



Card Not Present Fraud causes MORE than HALF of all card fraud losses in the U.K. yet CNP transactions probably made up less than 10% of all card transactions.










HomeATM's device would eliminate "card not present" fraud by providing customers with a PCI 2.x certified device enabling "card present" transactions to be conducted on the Internet. 


Question:  What happens when "Card Not Present" transactions are replaced with Card Present" ones?  

Answer? " Card Not Present" Fraud is eliminated...Right? 






So what are we waiting for? A 10,000% Increase in Online Banking Trojans? Want more? Take a look at the related articles section below. ALL from THIS week.  (Including Breaking News from SC Magazine:  Again: 







Opinion: Take no chances with card security > E-Commerce Security ...

Card companies should be re-investigating secure alternatives, such as PC-based Chip and PIN terminals, where customers securely authorize transactions using their own computers...

Shoot me an email and I'll show you how your financial institution can get a leg up on your competitors for less money than you are currently spending on acquisition promotions that do NOTHING to protect either your customer or yourself.

As always, feel free to leave any comments, questions or criticisms in the comment form below. (click the title of this post to bring it up if it is not there.)

Enjoy your weekend!




John B. Frank












Reblog this post [with Zemanta]

Posted by John B. Frank Friday, October 2, 2009

0 comments

Payments Industry News Blog

Search the PIN Debit Blog by Subject

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers