Monday, August 25, 2008

Online Travel Numbers Grow

This year US travel sales booked online will reach $105 billion, up 12% from 2007, according to eMarketer. According to the graphic (illustrated at left), growth will continue.

eMarketer forecasts that US online leisure and unmanaged business travel sales (including airline, hotel, rental car, vacation package, intercity rail and cruise) will reach $105 billion. Furthermore, from 2007 to 2012, sales will increase at an 11.6% average annual rate. Even though online travel sales are growing, fewer travelers are booking their trips online.

"The fact that fewer travelers are booking online is not due to economic concerns—online travel bookers are an affluent demographic—it is caused by frustrations related to the planning and booking capabilities of online travel agencies," says Jeff Grau, senior analyst at eMarketer and author of the new report, US Online Travel: Planning and Booking. "This, in turn, is spurring a renewed appreciation for the expertise and personalized services offered by traditional travel agents."

In other words, online travel sites are steering customers back to offline travel agents—a complete turnaround of what has been happening in the category for the last decade.

"Not so long ago industry observers cast traditional travel agents as has-beens," says Mr. Grau. "Perhaps this has helped them to focus on what they do best: provide travel expertise and personalized service." Customer dissatisfaction with online travel agencies (OTAs) stems specifically from unfriendly booking engines and navigation tools. With few points of differentiation, OTAs have a hard time building customer loyalty and have driven travelers right into the open arms of traditional travel agencies—and new online competitors. "Mired in old technology, the OTAs have failed to keep pace with a newer and more innovative breed of travel Websites built around user-generated content," says Mr. Grau. Online travel communities are emerging to carry the torch of innovation.

"In addition, a new breed of matchmaking travel sites is bringing traditional travel agency talent online," says Mr. Grau. "Sites like Zicasso and Tripology help travelers to exotic locales find travel agents tailored to their interests and needs."

World's Largest Hotel Chain Hacked - 8 Million at Risk

Eight million people at risk of ID fraud after credit card details are stolen by hotel chain hackers

Security breach: A Best Western Hotel in Amsterdam

Up to eight million people are at risk of ID fraud after a hacker breached the security system of the world's largest hotel chain. An Indian hacker broke into the IT system of Best Western Hotel Group and stole personal details of everyone who has stayed there in the past 12 months. The details, which included home addresses, phone numbers, place of employment and credit card details, were sold on through an underground network controlled by the Russian Mafia.

The information is thought to be worth up to £2.8 billion. Experts say that if it falls into the wrong hands it could spark a 'major crimewave'. 'They've pulled off a masterstroke here,' said security expert Jacques Erasmus, an ex-hacker who now works for the computer security firm Prevx.

He added: 'There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that's been stolen in the Best Western raid makes this particularly rare. The Russian gangs who specialise in this will have been exploiting the information from the moment it became available. In the wrong hands, there's enough data there to spark a major European crimewave.'

Best Western became aware of the theft on Thursday night. It instantly disabled the log-in account from which the information was stolen, but not before the details of millions of people had been removed. Tim Wade, head of marketing for Best Western in Britain, said it was 'unlikely' the thieves got details of every booking in Europe because of the way their system worked. He added: 'We are investigating further and working with our credit card partners to ensure the interests of our guests are protected.' Last night a statement on the Best Western website said it did not believe British customers had been affected.

Fraud Takes A Toll on Bay Area

Fraud has taken its toll on the public transportation industry, which has seen a flurry of activity regarding recent hacks on its RFID-based card programs.

First there was the Oyster Card hack in London, followed by the Massachusetts Bay Transportation Authority's "Charlie Card," which was hacked by 3 MIT students ("Sorry Charlie... You've Been Hacked!"). Now it appears that the RFID-based FasTrak, I-Pass and E-Z Pass tollway systems are easily hackable as well.

Here's a story published in MIT's Technology Review:

Drivers using the automated FasTrak toll system on roads and bridges in California's Bay Area could be vulnerable to fraud, according to a computer security firm in Oakland, CA. Despite previous reassurances about the security of the system, Nate Lawson of Root Labs claims that the unique identity numbers used to identify the FasTrak wireless transponders carried in cars can be copied or overwritten with relative ease.

This means that fraudsters could clone transponders, says Lawson, by copying the ID of another driver onto their device. As a result, they could travel for free while others unwittingly foot the bill. "It's trivial to clone a device," Lawson says. "In fact, I have several clones with my own ID already."

Lawson says that this also raises the possibility of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. The toll system's logs would appear to show the perpetrator driving at another location when the crime was being committed, he says.

So far, the security flaws have only been verified in the FasTrak system, but other toll systems, like E-Z Pass and I-Pass, need to be looked at too, argues Lawson. "Every modern system requires a public security review to be sure there aren't different but related problems," he says. Indeed, in recent weeks, researchers announced flaws in another wireless identification system: the Mifare Classic chip, which is used by commuters on transport systems in many cities, including Boston and London. However, last week, the Massachusetts Bay Transportation Authority (MBTA) filed a lawsuit to prevent students at MIT from presenting an analysis of Boston's subway system.

The Bay Area Metropolitan Transport Commission (MTC), which oversees the FasTrak toll system, maintains that it is secure but says it is looking into Lawson's claims. "MTC is in contact with vendors who manufacture FasTrak lane equipment and devices to identify potential risks and corrective actions," says MTC spokesman Randy Rentschler. "We are also improving system monitoring in order to detect potentially fraudulent activity."

In the past, authorities have insisted that the FasTrak system uses encryption to secure data and that no personal details are stored on the device--just two unique, randomly assigned ID numbers. One of these is used to register the device when a customer purchases it, while the other acts as a unique identifier to let radio receivers at tolls detect cars as they pass by.

But when Lawson opened up a transponder, he found that there was no security protecting these IDs. The device uses two antennas, one to detect a request signal from the toll reader and another to transmit its ID so that it can be read, he says.

By copying the IDs of the readers, it was possible to activate the transponder to transmit its ID. This trick doesn't have to be carried out on the highway, Lawson notes, but could be achieved by walking through a parking lot and discreetly interrogating transponders.

What's more, despite previous claims that the devices are read only, Lawson found that IDs are actually stored on rewritable flash memory. "FasTrak is probably not aware of this, which is why I tried to get in touch with them," he says. It is possible to send messages to the device to overwrite someone's ID, either wiping it or replacing it with another ID, says Lawson.

"Access to a tag number does not provide the ability to access any other information," says MTC's Rentschler. "We also believe that significant effort would need to be invested in cloning tags." He adds, "If any fraudulent toll activity is detected on a customer's account, the existing toll-enforcement system can be used to identify and track down the perpetrator."
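MTC's answer to cloning is monitoring and the existing toll-enforcement system. The following is an added example of what such monitoring can look like on the back end, not MTC's, FasTrak's or any vendor's code: an impossible-travel check over toll-plaza read logs that flags a tag ID read at two plazas closer in time than a car could physically drive between them. The plaza names and positions, the speed threshold and the log lines are all constructed for this example.

```python
"""Impossible-travel check over toll-plaza read logs.

Added illustration only; not MTC's, FasTrak's or any vendor's code. The
plaza names, their positions, the speed threshold and the log lines are all
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical plaza positions in road-kilometres along one corridor, so the
# distance between two plazas is just the difference of their positions.
PLAZA_KM = {"BayBridge": 0.0, "SanMateo": 30.0, "Carquinez": 45.0, "Dumbarton": 55.0}

# Fastest plausible ground speed between plazas (km/h). A tag ID whose two
# consecutive reads imply something faster was read from two devices.
MAX_SPEED_KMH = 160.0

# Constructed sample log, one read per line: timestamp,plaza,tag_id
SAMPLE_LOG = """\
2008-08-21T08:00:00,BayBridge,TAG1001
2008-08-21T08:02:00,SanMateo,TAG1001
2008-08-21T08:05:00,BayBridge,TAG2002
2008-08-21T08:40:00,SanMateo,TAG2002
2008-08-21T09:00:00,Carquinez,TAG3003
2008-08-21T09:01:00,Dumbarton,TAG3003
"""


def parse_log(text):
    """Parse the CSV-style log into (datetime, plaza, tag_id) tuples."""
    reads = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, plaza, tag = line.strip().split(",")
        reads.append((datetime.fromisoformat(ts), plaza, tag))
    return reads


def find_impossible_travel(reads, max_speed_kmh=MAX_SPEED_KMH):
    """Return (tag_id, plaza_from, plaza_to, implied_kmh) for each pair of
    consecutive reads of one tag that implies a speed above the threshold."""
    by_tag = defaultdict(list)
    for ts, plaza, tag in reads:
        by_tag[tag].append((ts, plaza))
    alerts = []
    for tag in sorted(by_tag):
        events = sorted(by_tag[tag])
        for (t1, p1), (t2, p2) in zip(events, events[1:]):
            km = abs(PLAZA_KM[p2] - PLAZA_KM[p1])
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours == 0:
                # Two different plazas in the same second: certainly two devices.
                if km > 0:
                    alerts.append((tag, p1, p2, float("inf")))
                continue
            kmh = km / hours
            if kmh > max_speed_kmh:
                alerts.append((tag, p1, p2, round(kmh, 1)))
    return alerts


if __name__ == "__main__":
    for tag, p1, p2, kmh in find_impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"ALERT {tag}: {p1} -> {p2} implies {kmh} km/h")
```

On the sample data TAG1001 (30 km in two minutes) and TAG3003 (10 km in one minute) are flagged while TAG2002 is not. The check only fires when a copied ID is reused alongside the genuine one, which is exactly the limitation Lawson raises: an ID used once and discarded leaves nothing for this rule to correlate.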

Lawson says that using each stolen ID just once would make it difficult to track down a fraudster. A better solution, he believes, would be to require toll readers and transponders to carry out some form of secure authentication. But this would require changes by MTC. As an alternative, Lawson is working on a privacy kit to let drivers turn their transponders on and off so that they are only vulnerable for a brief period as they pass a toll.
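The contrast Lawson draws, a transponder that simply answers with a stored ID versus one that authenticates to the reader, is shown below as an added example; it is not FasTrak, MTC or Root Labs code. HMAC-SHA256 over a fresh 16-byte reader challenge, a 32-byte per-tag key and a back-end key store on the reader side are assumptions made to illustrate "some form of secure authentication", not a description of any deployed toll system.

```python
"""A static ID answers any reader; a keyed challenge-response does not.

Added illustration of the "secure authentication" Lawson recommends; not
FasTrak, MTC or Root Labs code. HMAC-SHA256, the 16-byte challenge, the
32-byte per-tag key and the reader's key store are all assumptions made for
this example, not a description of any deployed toll system.
"""
import hashlib
import hmac
import secrets


class StaticIdTag:
    """Transponder as described in the article: any read request gets the ID."""

    def __init__(self, tag_id):
        self.tag_id = tag_id

    def respond(self, _challenge=None):
        return self.tag_id


class AuthTag:
    """Transponder holding a per-tag secret. It proves possession of the key
    by MACing the reader's fresh challenge; the key itself never goes over
    the air, so a read yields nothing that can be copied onto another device."""

    def __init__(self, tag_id, key):
        self.tag_id = tag_id
        self._key = key

    def respond(self, challenge):
        mac = hmac.new(self._key, challenge + self.tag_id.encode(), hashlib.sha256).digest()
        return self.tag_id, mac


class Reader:
    def __init__(self, key_db):
        self.key_db = key_db  # assumed back-end store: tag_id -> secret key

    def read_static(self, tag):
        # Accepts whatever ID comes back; nothing ties it to one device.
        return tag.respond()

    def read_authenticated(self, tag):
        challenge = secrets.token_bytes(16)  # fresh random challenge per read
        tag_id, mac = tag.respond(challenge)
        key = self.key_db.get(tag_id)
        if key is None:
            return None
        expected = hmac.new(key, challenge + tag_id.encode(), hashlib.sha256).digest()
        return tag_id if hmac.compare_digest(mac, expected) else None


def static_protocol_accepts_copied_id():
    """With a bare ID, a second device carrying the same ID is indistinguishable."""
    reader = Reader({})
    genuine = StaticIdTag("TAG1001")
    copied = StaticIdTag(reader.read_static(genuine))  # ID taken from one read
    return reader.read_static(copied) == reader.read_static(genuine)


def auth_protocol_rejects_copied_id():
    """A device that knows only the ID (no key) fails the MAC check."""
    key = secrets.token_bytes(32)
    reader = Reader({"TAG1001": key})
    genuine = AuthTag("TAG1001", key)
    id_only = AuthTag("TAG1001", b"\x00" * 32)  # has the ID, not the key
    return (reader.read_authenticated(genuine) == "TAG1001"
            and reader.read_authenticated(id_only) is None)


def replayed_response_fails():
    """Replaying a response recorded under an earlier challenge fails too,
    because each read uses a new random challenge."""
    key = secrets.token_bytes(32)
    reader = Reader({"TAG1001": key})
    recorded = AuthTag("TAG1001", key).respond(b"\x11" * 16)

    class Recording:
        def respond(self, _challenge):
            return recorded

    return reader.read_authenticated(Recording()) is None


if __name__ == "__main__":
    print("static ID accepted from copy:", static_protocol_accepts_copied_id())
    print("auth rejects ID-only device:", auth_protocol_rejects_copied_id())
    print("auth rejects replayed response:", replayed_response_fails())
```

The model makes Lawson's point concrete: the reader side has to generate challenges, hold or look up per-tag keys and verify MACs, and every transponder needs a secret provisioned into it, which is why the fix cannot be retrofitted by drivers and requires changes by MTC.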

There is another way, he says. "It's probably in the user's best interest to just leave it at home." This is because FasTrak uses license-plate recognition as a backup.

Ross Anderson, a professor of security engineering at Cambridge University, in the U.K., says that "very many embedded systems are totally open to tampering by anyone who can be bothered to spend some time studying them."  Competent use of encryption is the exception rather than the norm, Anderson adds, and the situation is unlikely to change soon. "One industry after another is embracing digital technology, and none of them realize that they need computer security expertise until it's too late and they get attacked," he says.

Bruce Schneier, chief security technology officer at BT, based in Mountain View, CA, says that it is too easy for companies to get away with lousy computer security. "Honestly, the best way is for the transportation companies to sue the manufacturers," he says. "Then they'll think twice about selling shoddy products in the future."

Sepa Clarifies Sepa Cards Framework with new Q&A

European Payment Council clears up Sepa for Cards confusion

The European Commission and the European Central Bank have welcomed a document published by the banking industry-backed European Payment Council that paves the way for a competitive single market for card payment card schemes by 2010.

The document, which takes the form of a Q&A, clarifies key aspects of compliance with the Sepa Cards Framework (SCF) for payment card schemes and banks, as well as the conditions for geographical coverage of card schemes within the Euro zone.

In particular, it rules that any national card scheme can be deemed to be compliant with the SCF if the cards it issues are technically and commercially capable of being accepted everywhere in the Sepa territory. Earlier interpretations of the Framework appeared to imply that a card scheme could only be deemed SCF-compliant if it covered all 31 Member states.

The ECB and Commission had expressed fears that such an interpretation would create a "de facto monopoly" for Mastercard's Maestro debit card system and had been encouraging banks to set up an alternative scheme in competition.

The ECB had become particularly concerned about moves by some banking associations to ditch domestic schemes in favour of internationally-accepted programmes by MasterCard and Visa.

The new guidance from the EPC clarifies the situation and makes it clear that the Sepa provisions for cards will allow many - possibly national and regional - schemes to develop into 'SCF compliant' schemes.  Nonetheless, the Commission warns that work is still needed by the EPC to develop a full set of technical standards allowing any card to be used, for payments in euro, potentially anywhere in the Sepa area.

"This is a precondition for the expansion of existing domestic debit card schemes across the Sepa countries, for the emergence of (a) new European card scheme(s), for pan-European processing and certification, and for market consolidation," says the Commission in a statement.

"More competition would be very welcome," the Commission continues. "The success of new initiatives will depend crucially on banks not simply selling the national debit card scheme to the existing schemes."

The European Payment Council's Q&A.

Gartner's Avivah Litan on PCI Version 1.2

In an article published in ComputerWorld last week, Avivah Litan, distinguished analyst at Gartner, shared her thoughts on the summary of changes in PCI 1.2.

Here they are:

The new version is a "definite improvement" on the existing PCI standard, said Avivah Litan, an analyst at Gartner Inc. But, she added, the PCI council appears to have missed a chance to introduce some other long-needed changes. 

According to Litan, one of the biggest issues with the PCI standard is that it makes very little distinction between networks belonging to large companies that process large volumes of card transactions and those belonging to businesses with much smaller transaction volumes. In large, complex network environments, it's often hard to say what exactly is covered by PCI and what isn't, she said. The standard, Litan claimed, allows for too much interpretation and leaves it entirely to PCI assessors to determine the scope of what needs to be protected.

Moreover, the standard is targeted primarily at e-commerce systems and isn't always clear on how the requirements should be applied in highly distributed brick-and-mortar environments, Litan said. For instance, many retailers continue to connect servers at each of their stores to systems in other locations but thus far, at least, the PCI standard has provided little guidance on that risky practice.

Litan said there also is considerable ambiguity surrounding the requirements for third-party service providers, such as call centers that might be processing cardholder data on behalf of retailers. "What are your obligations," she asked, "if you are taking in card numbers and phone numbers and entering them into systems that are not yours?"

Another key missing element is guidance on how end-to-end encryption of cardholder data would affect a company's compliance obligations, Litan said.

To Litan, the new version of the standard would have been an ideal opportunity for the PCI council to have incorporated language clarifying such issues. "The questions that come up every day are not addressed at all by this upgrade," she said. "This is just really more of tinkering around the edges."
