Thursday, December 31, 2009

FBI Warns: Use a Separate Machine for Online Banking

Wow, what a great headline!  Talk about getting that last punch in before the bell sounds.  I didn't expect to hear this news until 2010.  But we got it in while 2009 is still around.  Cool. 

The fact that the FBI and the American Bankers Association effectively admitted the need for a separate/dedicated piece of hardware for online banking is wonderful news! 

Believe me when I tell you that this is the most significant news of the year for a company the likes of HomeATM...of which there is none.

Why?  Because it just so happens that our PCI 2.x Certified PIN Entry Device IS a "separate machine" dedicated to protecting online banking credentials.  Therefore, HomeATM can save everyone the cost of purchasing a dedicated PC for online banking.

For that matter, it also is a separate machine dedicated to encrypting and thus securing ALL  financial transactions conducted over the web, not just online banking sessions. 

So...while I call the announcement "cool," USA Today is calling it an "extraordinary warning."  What exactly is that warning?   It's a version of the same one that the folks at HomeATM have been preaching over the last 18 months.  Unfortunately the FBI and ABA are NOT YET warning people that ALL financial transactions MUST be conducted outside the browser space.  Either they are not privy to the realities, or they are taking the easy way out and saying, go buy another PC or Apple to use "exclusively" for online banking.  I disagree.  If people are still using the browser to bank online,  then we've got a problem.  It WILL NOT to solve the problem.  I've got a perfect acronym for:  SNAFU. 


Problem: Web Browsers Cannot be Trusted.  Period.  End of Story.  (well not really, cause I'm still typing)  Thus, it only makes complete 100% Logical sense that financial transactions must be conducted outside the browser space

:  Use a Separate machine which PREVENTS any financial information from EVER entering the browser "space" by encrypting the cardholder data inside the box,  outside the browser space.  So, while I disagree that a new PC will solve the problem, do I agree on the need for a "separate" machine?  Hell Yeah! 

I not only agree but I've been repeating that advice "week in and weak authentication out" for over a year. 

So, no, it doesn't seem "extraordinary" to me that the FBI and American Bankers Association have jointly issued this warning.  What IS extraordinary, is that retailers lost $191 BILLION to fraud, online banking is dying a slow death, consumers are losing trust in eCommerce and we are STILL Being Told to TYPE card numbers and username/ passwords into boxes located in browsers. 

So, it looks like 2010 is the year of separate machines for online banking.

Maybe the payments industry will realize that they need a separate "dedicated" POS machine designed for all consumer use for all eCommerce activity.  Maybe I can help some people in the payments industry see "the light." 

For starters...Instead of ponying up $800-$1200 for a dedicated separate PC which does NOT encrypt ANYTHING,

How does $25 sound?  Sounds great, but what exactly does $25 get you?  How about ...

  • A dedicated separate machine for online banking.  One which uses existing bank rails, existing bank cards and existing bank issued PINs to authenticate the user.  (Replicating the same trusted process utilized by Banks to dispense cash from ATM's, without the threat of skimminig devices or hidden cameras)   But that's not all this PCI Certified Device does. $800 to $1200 won't buy you that.

  • $25 bucks will afford you military grade 3DES DUKPT End to End Encryption (inside the dedicated machine) at the maghead  meaning that NONE of your cardholder data EVER enters the browser space.

  • That same $25 will provide consumers with a device that enables real-time instant money transfer from ay bankcard to any bankcard, any bank to any bank.   

  • Oh, and that same $25  will save you $775-$1175 off the cost of a dedicated PC, a PC which, by the way cannot do any of the aforementioned.  (ever see a PCI certified PC?)

  • Last, but not least, $25 will provide "consumers" with the same technology that retailers have paid thousands of dollars for, mainly, a Point of Sale Device with a Built-In PIN Pad.   

Just to be clear, so there is NO confusion out there, HomeATM manufactures the ONLY POS device "in the world," designed for eCommerce, with a built-in PCI 2.x Certified PIN Pad providing the consumer with: 

  • Genuine Two Factor Authentication which 100% eliminates the threat posed by phishing.

  • True End to End Encryption, (not a buzzword, we 3DES/DUKPT encrypt the PIN from Zone 1 all the way through Zone 5 which is V/MC themselves)

  • Authentic/Conventional PIN Debit capability capturing the both the PVV and PVKI from the magstripe

  • 100% Replication of Card Present Transactions conducted at Brick and Mortar locations. (otherwise we wouldn't have been PCI Certified would we) which has the potential to eliminate "Card Not Present" Fraud. (etc. etc. etc.)

I will close out this year wondering when people in the financial industry are going to pull their head out of their @$$ and admit that we need to do the same thing for the web as we do in the brick and mortar world, which is swipe the card and enter the PIN.  Maybe it will happen in 2010.  It's good to see we reached an important milestone, (the FBI/American Banker's Association joint warning admitting that a separate hardware device is needed) BEFORE 2009 ended...albeit we just got it in before the bell. 

HomeATM overcame a tremendously huge hurdle.  They were able to design and manufacture a POS device with a built-in PIN Pad that doesn't cost thousands, even hundreds of dollars.  We've got the cost down to the point whereby banks could literally give them away to consumers AND make a return on their investment.  You see, each device earns revenue for the issuing banks.  So every time a consumer swipes their card and/or enters their PIN they make residual income.   Every time a consumer instantly transfers money with our unique "real-time" P2P program, they earn residual income.  Every time a consumer logs in using our device, they save money off losses attributed to phishing. 

So what's the problem?  If you are in the payments industry, you've probably already figured it out.    If you are not in the payments industry, I've got a little secret to share with you.  The problem lies within the picture below.


Cutting processing costs in half might sound like a wonderful solution to the average person, but not in this industry.  It is the problem.  Why you say?  Simple...

The money (savings) would come out of the pockets of banks, the EFT Networks and V/MC, which I call the Cardtels.  So, they feel it is in their best interest to prevent that from happening.   It doesn't matter that PIN Debit is the most popular AND SECURE payment option available.  They (the Cardtels) tried (and did) to keep PIN debit out of retail locations for years, until Constantine and Cannon represented Wal*Mart and other retailers in an anti-trust lawsuit that wound up costing the V/MC $3 plus billion dollars.  That really didn't matter.  They probably earned $4 plus billion during the eight years it took to get to the Supreme Court house steps, the location of which compelled them to settle "out of court."  

  • You see, it doesn't matter that fraud continues to rise at record levels. 

  • It doesn't matter that "Card Not Present transactions" are responsible for more than 50% of all fraud even though it only constitutes about 10% of all transactions.

  • It doesn' matter that people card numbers are being stolen left and right

  • It doesn't matter that retailers lost $191 BILLION dollars to fraud in 2008.

What DOES matter, is that the Cardtels keep their profit.  So even though our device would mean the end of the threats posed by phishing, keystroke logging etc. (both of which are responsible for a huge percentage of identity theft cases) and even though it would significantly reduce the costs of fraud for business cardholders and Internet Retailers, the problem is that a more secure transaction, comes with a price tag.  A lower one.

So...instead of conventional means to making purchases online, which, again is: Swipe your Card, Enter Your PIN, we have seen hundreds of "alternative payment schemes" flood the market.  The kicker is that, ironically, those very same alternative payment schemes have claimed about 30% of the revenue that used to be earned by the Cardtels. 

Our job, in 2010 is to get the Cardtels to see that the device "they certified" can be positioned to take back some of the 30% of revenue lost to alternative payment schemes...schemes, which by the way, ADD to the cost of fraud. 

Suffice it to say that 2010 will be a very interesting year....I look forward to it.  Until then, Happy News Year and thanks to all of you who have visited, followed and told others about the PIN Payments News Blog.  We've had 10 times the hits in 2009 than we did in again, thank you.

Oh...I almost forgot about the article I was referring to when I started a swipe at the Cardtels.  Here's a snippet from the story published by USA Today.  Wired has one too.  Here's the Link: Feds Warn Small Businesses to Use Dedicated PC for Online Banking

FBI Issues Extraordinary Online Banking Warning

A rising swarm of cyber-robberies targeting small firms, local governments, school districts, churches and non-profits has prompted an extraordinary warning.

The American Bankers Association and the FBI are advising small and midsize businesses that conduct financial transactions over the Internet to dedicate a separate PC used exclusively for online banking.

The reason: Cybergangs have inundated the Internet with "banking Trojans" — malicious programs that enable them to surreptitiously access and manipulate online accounts. A dedicated PC that's never used for e-mail or Web browsing is much less likely to encounter a banking Trojan.

And the bad guys are stepping up ways to get them onto PCs at small organizations. They then use the Trojans to manipulate two distinctive, decades-old banking technologies: Automated Clearing House (ACH) transfers and wire transfers.

ACH and wire transfers remain at the financial nerve center of most businesses. ACH transfers typically take two days to complete and are widely used to deposit salaries, pay suppliers and receive payments from customers. Wire transfers usually come into play to move larger sums in near-real time.

"Criminals go where the money is," says Avivah Litan, banking security analyst at Gartner, a technology consulting firm. "The reason they're going here is the controls are antiquated, and a smart program can often get the money out."

Internet-enabled ACH and wire transfer fraud have become so acute that the FBI, which is usually reticent to discuss bank losses or even acknowledge ongoing cases, has gone public about the scale of the attacks to bring attention to the problem. The FBI, the Federal Deposit Insurance Corp. and the Federal Reserve have all issued warnings in the past two months.

The FBI says it has investigated more than 200 cases, mostly in 2008 and 2009, in which cyber-robbers executed fraudulent transfers totaling about $100 million — and successfully made off with $40 million.

The victims are mostly small to midsize organizations using online bank accounts supplied by local community banks and credit unions, FBI analysis shows. "The bad guys are still out there breaking into customers' computers," says Steven Chabinsky, deputy assistant director of the FBI's Cyber Division.

Banking and tech security experts say many more cases of ACH and wire transfer fraud are going unreported mainly because the attacks are new and there are no laws setting forth the rights of online business account holders, the way consumer-rights laws protect accounts held by individuals. The result: Many cases end in civil disputes in which small businesses often lose.

"Our nation's legislators are not doing their job in affording the same protections for business account holders that they do for consumer account holders," says Litan.


U.S. Merchants Lose $191 Billion to Fraud - Lexis Nexus

Retailers are bearing the brunt: New report suggests what they can do to fight back

January 2010

By M.V. Greene -

U.S. merchants are taking some hard punches from retail fraud. In 2008, they incurred losses of $191 billion industry-wide from identify theft, stolen merchandise and lost interest and fees associated with chargebacks, according to a report from LexisNexis Risk Solutions.

Addressing the problem requires aggressive action on the part of the three primary victims of retail fraud: merchants, financial institutions and consumers.

Some key findings of the 2009 LexisNexis True Cost of Fraud Benchmark Study include:

• Total merchant fraud losses are nearly 10 times those incurred by financial institutions.

• Merchant fraud losses are more than 20 times the cost incurred by consumers.

• One in five U.S. merchants experienced an increase in unauthorized transactions associated with identity fraud in 2008.

• Credit card transaction crimes continue to rise sharply, but alternative payments are starting to represent a troubling new source of losses for large merchants.

• Retail merchants need more education and improved industry standards to address the cost of fraud.

LexisNexis Risk Solutions developed the study with Javelin Strategy & Research to examine how U.S. retail fraud affects the interdependency of merchants, financial institutions and consumers across multiple sales channels, says Jim Rice, director of market planning, retail markets, for LexisNexis Risk Solutions.

Merchants absorbing burden

More than half of industry-wide fraud losses in 2008 came from unauthorized transactions and fees and the interest associated with chargebacks.Financial institutions bore about $11 billion in hard losses, and consumers $4.8 billion. The survey attributes the remaining $75 billion to retailers’ additional costs associated with lost and stolen merchandise.  The extent to which retail merchants are absorbing the costs associated with fraud relative to financial institutions and consumers is “striking,” says James Van Dyke, founder and president of Javelin Strategy & Research.

“We weren’t completely surprised that merchants are paying more than half of the share of the cost of unauthorized transactions as compared to financial institutions. But we were very surprised that it was 90-10.”

Identity fraud, defined as the misuse of personal information for financial gain, represented 52 percent of total merchant losses among fraud types, according to the survey, a clear indication that “identity fraud and the exposure of merchants to identity fraud is continuing to increase,” Rice says. “From a trend perspective it is an increasing issue for merchants and has been growing across the board for all varieties of merchants.”

Contributing to the identity fraud conundrum is a shift in the methods consumers use to pay for goods and services. While credit card crimes continue to rise — nearly half of fraudulent transactions for all merchants are linked to credit cards — consumers also are relying on alternative, or “card-not-present,” shopping methods, creating a new source of losses for merchants.

Continue Reading at

Businesses Truly Have Full Liability on Debit Fraud

In the last post I mentioned that many banks have adopted a zero-liability policy for PIN Debit, Signature Debit and CNP  transactions.  Not so if you are a business.  Here's a snippet from story written by Laura Ruane published in Tallahassee's Business Matters regarding the Sanibel-Captiva Islands Chamber of Commerce and their experience with debit card fraud. 

Sanibel & Captiva Islands Chamber of Commerce learns debit card protection lesson

The Sanibel-Captiva Islands Chamber of Commerce lost $32,000 to debit card fraud and the losses were not covered.

Last fall, the islands chamber discovered about $32,000 in unauthorized purchases when its outside accountant did a routine monthly reconciliation of the checking account.  Further inquiry showed that data from the chamber's debit card was "skimmed," and used to create another card. No one knows where or exactly when this occurred; however, small, hard-to-detect skimming devices have been used at gas station pumps, automated teller machines and restaurants.

In the case of the islands chamber, Edison National Bank declined to cover the loss. The chamber has since parted ways with the bank.  Bank policy is to disclose to business applicants that having a debit or credit card in the company's name "is unlike a natural person having a debit card," said Robbie Roepstorff, Edison National president.  That's not to say the bank wouldn't cover a business' credit or debit card-related loss, Roepstorff said: "We never like to say never."  (didn't they just say never twice?  Nevermind...)

Businesses, however, aren't afforded the same protections by law from these losses as are individual consumers."There's an assumption businesses are more sophisticated than consumers, (Editor's Translation:  Consumers are Dummies) and are less likely to need protection," said Nessa Feddis, senior vice president with the American Bankers Association.

Most Debit Cards Now Have Zero Liability

In an article published at, they talk about the shift to Zero-Liability for PIN, Signature and CNP Debit purchases.  Debit surpassed credit usage and now, in an attempt to provide "equal footing" many banks now offer ZL for debit cards as well.  This is a necessary step if banks want to see continued growth with debit card usage, especially online.  Here's their story, published last month:

Debit card users now more protected from fraud, study says

By Andrea Leptinsky


The 25 institutions below all have zero liability policies for debit cards, meaning that consumers are not responsible for any fraudulent charges made on the cards, according to a new Javelin study:

  • Banco Popular

  • Bank of America

  • Bank of the West

  • BB&T

  • Capital One

  • Chase

  • Citi

  • Citizens

  • Comerica

  • Fifth Third

  • Golden One

  • HSBC

  • ING

  • M&I

  • M&T

  • Navy Federal CU

  • PNC

  • Regions

  • Sovereign

  • SunTrust

  • Synovus

  • TD Bank

  • U.S. Bank

  • Wells Fargo

  • Zions

Zero liability policies, introduced a decade ago to protect credit cardholders from fraudulent purchases, have expanded to the point where all 25 of the nation's largest banks and credit unions offer it to debit card users as well.

Javelin Strategy & Research's 2009 Banking Identity Safety Scorecard says the top financial institutions now all offer the protection to cover PIN, signature, and card-not-present purchases. It's the first time that's happened, and Javelin calls the discovery a "major milestone for the industry" because it finally puts debit cards on equal footing with credit cards when it comes to fraud protection.

"Customers of these institutions can have increased confidence that their debit card purchases will be fully protected from fraud," says Mary Monahan, Managing Partner and Research Director for Javelin.

Exposure to fraud has long been an issue when it comes to debit cards. In the '70s, the federal Truth in Lending Act law was amended to limit an individual's liability for fraudulent charges on a credit card to $50. Beginning about a decade ago, as Internet fraud caused consumers to shy away from using their credit cards, issuers voluntarily expanded the protection to include the first $50, too. zero liability policies were slower to come for debit cards, but the Javelin research indicates they have now caught up.

Additionally, all of the top banks also offer next-day replacement of lost or stolen debit cards.

"Consumers don't just want to be protected by others, they want involvement in protecting their money and identity," said James Van Dyke, president and founder of Javelin. "Inventive criminals continually update their methods, and banks must do the same."

Among some of the additional measures taken by banks to protect your finances:

  • All of the country's top financial institutions are offering anti-phishing e-mail education online, a figure that has doubled over the last year.

  • Banks have finally stopped using Social Security numbers for authentication purposes. Instead, more verifying practices have been put in place to keep track of and protect your identity.

  • Nearly nine out of 10 banks have made available third-party security vendors for online safety for their customers. Banks have teamed with companies such as McAfee and Symantec to make sure their banking services are protected online.

Javelin’s 2009 Banking Identity Safety Scorecard uses Web site research and mystery-shopping methods to score identity fraud protection, detection and resolution capabilities at the nation's largest banks and credit unions. The 25 institutions surveyed represent half of all U.S. consumer checking accounts, Javelin says.

Online Shoppers More Satisfied Than Ever Before

Customer Satisfaction with E-Retail Rebounds, Sets New High for Online Holiday Shopping

Amazon Raises the Bar;,, Most Improved, According to ForeSee Results

ANN ARBOR, Mich.--(BUSINESS WIRE)--Customers of the largest online retailers are more satisfied than ever according to ForeSee Results’ annual report on holiday shoppers. The ForeSee Results E-Retail Satisfaction Index (U.S. Holiday Edition) surged 7 percent to 79 on the Index’s 100-point scale, a new all-time high. Websites for Macy’s, SonyStyle, The Gap, The Home Shopping Network and had the greatest increases in satisfaction year over year, with all five registering increases of 10 percent or more.

“Even in this tough economic climate, e-retail continues to be the bright spot in a dark environment and last year’s declines are proving to be the anomaly,” said Larry Freed, president and CEO of ForeSee Results. “But those gains aren’t necessarily shared across the board. These are the biggest retailers on the web, and they’ve got the ability to invest in the web channel and even meet the price points that consumers are looking for in this economy. Smaller and midsized e-retailers may not be so lucky.”

Amazon scores 87 and leads the pack again, improving 4% since last year and setting a new high-water mark for the Index. Eleven e-retailers scored over 80 (generally considered the threshold for excellence in studies using this methodology), and none scored below 70. Several companies made huge jumps in score, and the most improved among them include (+13% to 79), (+10% to 76) and (+10% to 76).

The annual Top 40 E-Retail Satisfaction Index from ForeSee Results and FGI Research uses the patented methodology of the American Customer Satisfaction Index (ACSI), which was developed at the University of Michigan and is a proven predictor of consumer spending. The study quantifies that a highly satisfied online shopper is 65% more likely to purchase online, 44% more likely to purchase offline, 70% more likely to recommend, and 49% more likely to return than is a dissatisfied shopper.

The report includes an analysis of what website elements would have the most impact on overall satisfaction if improved. For most companies, improving price (either actual prices or consumers’ perceptions of price) topped merchandise and functionality as a customer priority, though priorities differ from company to company.

“It’s no surprise that price is priority this year. It’s a reflection of these difficult economic times,” said Kevin Ertell, Vice President of Retail Strategy at ForeSee Results. “But simply cutting prices isn’t necessarily a business model for success, so prioritizing website improvements that customers value most is an absolute necessity.”

Company Name  








AGGREGATE SATISFACTION   74   79   5   6.1% Inc.   84   87   3   3.6%
Netflix Inc.   84   86   2   2.4%
QVC Inc.   79   83   4   5.1%
Apple Inc.   78   82   4   5.1%
Cabela’s Inc.   NA   82   NA   NA
Avon Products Inc.   77   81   4   5.2%
J.C. Penney Co. Inc.   76   81   5   6.6%   78   81   3   3.8%
L.L. Bean Inc.   78   80   2   2.6%
Systemax Inc.   77   80   3   3.9%
Victoria’s Secret Direct   76   80   4   5.3%
Costco Wholesale Corp.   72   79   7   9.7%
Dell Inc.   73   79   6   8.2%
Macy’s Group Inc.   70   79   9   12.9%
Musician’s Friend Inc.   NA   79   NA   NA
Nordstrom Inc.   74   79   5   6.8%   78   79   1   1.3%
Williams-Sonoma Inc.   74   79   5   6.8% Inc.   75   79   4   5.3% Inc.   72   78   6   8.3%
HP Home & Home Office Store   76   78   2   2.6%
Target Corp.   75   78   3   4.0%
Best Buy Co.   73   77   4   5.5%
Blockbuster Inc.   72   77   5   6.9%
Office Depot Inc.   72   77   5   6.9%   70   77   7   10.0%
Staples Inc.   77   77   0   0.0% Inc.   70   76   6   8.6%
Gap Inc. Direct   69   76   7   10.1%
HSN   69   76   7   10.1% Inc.   69   76   7   10.1%
OfficeMax Inc.   70   75   5   7.1%
Redcats USA   73   75   2   2.7%
Sears Holdings Corp.   70   75   5   7.1%
Toys ’R’ Us Inc.   NA   75   NA   NA
Circuit City Stores Inc.   69   73   4   5.8%
The Neiman Marcus Group Inc.   69   73   4   5.8%





To download the free report, visit

About the ForeSee Results E-Retail Satisfaction Index (US Holiday Edition)

The fifth annual holiday online satisfaction report is based on a survey of over 10,000 visitors to the top 40 e-retail websites according to sales revenue as reported by Internet Retailer’s Top 500 Guide. Survey responses were collected by FGI Research’s Smart Panel. The study measured satisfaction among shoppers who visited the site, regardless of whether or not they ultimately executed a purchase online, which provides insight into the performance of retail websites as research and purchase channels. ForeSee Results used the methodology of the University of Michigan’s American Customer Satisfaction Index (ACSI) to determine the scores. The ACSI is the national standard for customer satisfaction and has been proven to have a direct link with stock prices and other measures of financial performance.

About ForeSee Results

As the leader in online customer satisfaction measurement, ForeSee Results captures and analyzes online voice of customer data to help organizations increase sales, loyalty, recommendations and website value. Using the methodology of the University of Michigan’s American Customer Satisfaction Index (ACSI), ForeSee Results identifies the improvements to websites and other online initiatives with the greatest ROI. With over 40 million survey responses collected to date and benchmarks across dozens of industries, ForeSee Results offers unparalleled expertise in customer satisfaction measurement and management. ForeSee Results works with more than 110 retail clients in the United States alone.

ForeSee Results (, a privately held company, is headquartered in Ann Arbor, Michigan and has offices in London and Vancouver.

About FGI Research

FGI Research is a leading provider of market research and information solutions that improve the speed, accuracy and impact of business decisions. By combining proven research methods, trusted online sample, and advanced analytics and communications, FGI delivers to end users and marketing research firms immediate and actionable information to decision makers throughout their respective enterprises. FGI offers a premier suite of online research solutions under the SmartPanel™ family of specialty and proprietary custom research panels. For additional information, visit

Disqus for ePayment News