Friday, October 10, 2008

Credit Card Processors to Ban WEP in 2010

Credit card processors finally get clue, will ban WEP
By Jacqui Cheng

* Related: Study: stores put customer data at risk with poor WiFi security practices

Companies that accept major credit cards will be barred from using WEP for their WiFi security, but not until mid-2010. The rule is part of new security standards defined and released this week by the Payment Card Industry Security Standards Council, which is made up of companies like Visa, MasterCard, American Express, and Discover. The sad thing is that WEP—which can be cracked in as little as two minutes—is still widely used in the old and decrepit point-of-sale systems used by many retailers; the new rules should help move along the long-overdue adoption of tighter security in credit card processing.

As part of the new Data Security Standard (DSS) agreement, retailers that accept credit cards from PCI council members may not implement new wireless payment systems that use WEP after March 31, 2009. For those that already have wireless payment systems in place, they must stop using WEP for security as of June 30, 2010. The council notes that the reason for this change is "to emphasize using strong encryption technologies for wireless technologies, for both authentication and transmission."

WEP's hackability has been widely known since 2001, and has been blamed for the largest incident of consumer data theft in history. TJX, parent company of discount retailers T.J. Maxx and Marshalls, disclosed last year that hackers had stolen data covering over 45 million credit and debit cards over an 18-month period. In addition to pilfering over 45 million—and possibly as many as 200 million—credit card and debit card numbers, the hackers were also able to obtain other personal data from over 450,000 customers. This included driver's license numbers and Social Security numbers.

Although TJX has become the poster-child for consumer data theft over WiFi, it is (by far) not the only company to use insecure wireless technologies. Wireless security manufacturer AirDefense released a report in late 2007 saying that a quarter of the 4,748 retail access points it surveyed across the US had no security whatsoever, while another quarter only used WEP, "one of the weakest protocols for wireless data encryption." Just under half (49 percent) of the surveyed hotspots used WiFi Protected Access (WPA) or WPA 2—much stronger encryption protocols than WEP. The firm observed that the large majority of the stores involved in the survey maintain stronger security of their physical property than their wireless routers, showing that retailers are still slow to take data security seriously.

Banning WEP is a long overdue move, and had the industry been faster to recognize the insecure nature of WEP, the TJX incident may never have happened. It's unfortunate that laggards will have until the middle of 2010 to drop WEP, as it unnecessarily puts customer data at risk for data theft.

Further reading:

* Found via Wi-Fi Net News: New Credit Card Processing Rules Kill off WEP (in 2009)

Reblog this post [with Zemanta]

Shell Offers Cardholders 38 cents per Gallon Savings

Shell cardholders save money on gas

New Shell Platinum MasterCard Holders Save at the Pump and Beyond

Shell Oil Products US has launched its proven "Double Rebate" promotion for new card members of the Shell Platinum MasterCard(R) from Citi for purchases made both at the pump and everywhere MasterCard is accepted between now and January 4, 2009. Consumers who open a new Shell Platinum MasterCard account will be eligible to receive 10% rebates on Shell gasoline purchases, which can mean an average savings of 38 cents per gallon at $3.82 a gallon, and 2% rebates on all other purchases for the first 60 days after receiving their card.

"The 'double rebate' promotion is intended to demonstrate to consumers how they can lower the cost of driving without sacrificing the quality of their fuel. We believe new cardholders will agree the everyday value extends beyond the promotional period," said Carolyn Yapp, Shell US card and payments manager.

This promotion also will benefit Shell-branded wholesalers and retailers by driving more traffic to sites and increasing usage of the Shell Platinum MasterCard, which has a zero transaction fee for site operators. It will be supported with national print and online advertising, local co-op advertising and local store marketing as well as point-of-purchase (POP) materials, including pump toppers, pole signs, building signs and register toppers. In addition to the new credit card promotion, Shell retail sites will continue to feature messaging reinforcing the Shell "Passionate Experts" campaign.

The Shell Platinum MasterCard was the first gasoline rebate program of its kind and since 1992, offering the following everyday benefits to cardholders:

* 5% rebates on Shell gasoline purchases
* 1% rebates on all purchases everywhere else
* Rebates automatically credited to cardholders' statements towards future Shell gasoline purchases
* No annual fee for the first year, waived thereafter with nine or more Shell gasoline purchases a year
* Online account management
* "Lost Wallet Service" and more

Consumers can apply for the Shell Platinum MasterCard online at , via phone at 1-877-MY-SHELL and at Shell-branded stations nationwide. To find locations near you, go to .

Reblog this post [with Zemanta]

Stolen Card Info Plummets to $2.50 in Black Market

Prices for stolen information plummet > Identity > Breaches & Exposures > News > SC Magazine Australia/NZ
Prices for stolen information plummet

By Dan Raywood
Oct 10, 2008 9:48 AM

The black-market price for stolen credit and debit card details has dropped to as little as US $1.50, according to a newspaper investigation.

In an investigation by the Sydney Morning Herald, it was found that that almost anyone on the internet can buy stolen payment card details for as little as US $1.50 (for Australian details), and US $2.50 American and English cardholder information.

For credit card accounts in Britain and the United States, the cybercriminal salesmen claim to be able to bypass some of the latest anti-fraud protection, including Verified by Visa. And free samples of the stolen data are available, although key information is kept hidden to preserve its resale value.

The hackers also offer a surprising level of detail about their victims, such as a customer's bank account number, mother's maiden name, Social Security number, date of birth, driver's license number, as well as answers to security questions.

Yuval Ben-Itzhak, chief technology officer with Finjan, said: “Our research team spotted this not inconsiderable trade in stolen payment card data back in the late spring...At that time, however, the going rate was around US $15 a pop, so the rate has clearly fallen, perhaps because of the glut of this kind of data being sold on the internet.”
Reblog this post [with Zemanta]

Should Companies Interact with Consumers on Social Networks?

Image representing Facebook as depicted in Cru...Image via CrunchBase
Consumers Await on Social Networks - eMarketer
Consumers Await on Social Networks
OCTOBER 10, 2008

Befriended and poked by companies

Nearly six out of 10 Americans who use social media interact with companies on social media Websites, according to a September 2008 study by conducted by Opinion Research Corporation for Cone.

The researchers found 85% of social media users thought companies should interact with their consumers through social media, at least when needed.

“Americans are eager to deepen their brand relationships through social media,” said Mike Hollywood, director of new media at Cone, in a statement. “It isn’t an intrusion into their lives, but rather a welcome channel for discussion.”

Extent that Companies Should Have a Presence in Social Media* According to US Adult Social Media Users, by Gender, September 2008 (% of respondents in each group)

Cone is a brand marketer that counts social networking among its capabilities, so its enthusiasm is understandable. But a growing number of retail e-commerce companies agree, judging by an August 2008 study conducted by Vovici Corporation for Internet Retailer.

Nearly four out of 10 online merchants surveyed used social networks. Of those, nearly one-third said they had a page on Facebook, and more than one-quarter said they used each of MySpace and YouTube.

Social Networking Sites on Which US Online Retailers Maintain a Page, August 2008 (% of respondents)

Reblog this post [with Zemanta]

Disqus for ePayment News