With news coming out of Washington that the U.S. economy, as measured by the gross domestic product (GDP), fell by 6.1% for the first quarter of 2009, it looks like the Great Recession isn’t going away anytime soon.
In addition, with unemployment inching up toward 10% and home foreclosures still on the rise, a jump in credit card fraud is the last thing that American consumers need, but that’s exactly what they’re getting.
As Credit and Debit card scam artists are becoming more brazen and more creative, U.S. credit card holders are growing more anxious.
According to a 2009 survey by Unisys Security Index, approximately 75 percent of Americans believe that the global financial crisis increases their risk of identity and related fraud. More than two-thirds surveyed said they are extremely concerned about other people obtaining and using their credit and debit card data, with 90 percent at least somewhat concerned.
Unisys adds that credit and debit card fraud is the top security concern for people, with 68 percent saying they are extremely or very concerned; 66 percent said they are seriously concerned about unauthorized access to or misuse of personal information.
So how can credit card holders protect their cards and their money? (Hint, one of the devices on the left "Stops Hacking"... the other one "Causes It"
Rest assured, both are deadly to hackers.
So how do you protect cardholder data when conducting online transactions? There's only one secure way to do it. Albeit, there's a lot of articles published that recommend the following to conduct secure online transactions: Here's a direct quote from one of them:
"When online, use only secure sites, especially when using your credit card online. Be sure to check the URL of the site’s purchase page as well, which will always read “https” if it is secured."
The fact is, that statement is not even close to being entirely true. "https:// has already been demonstrated to being insecure and subject to hack attacks" And because it's already been compromised, you will never know whether or not your transaction is secure irregardless of whether it reads http:// or "https" Therefore, I'd strongly advise you to "scratch that advice." Simply put...it's httbs://
See the pic on the right? (click to enlarge and take a look at the address)
I blogged about the hole in "https" a while back. I think I called it "httbs" at that time too. Yes, I checked and I did...way back on January 2nd...in a post entitled: Browsers and -Commerce Don't Mix.
As I've stated numerous times on this blog, there is only "one" way to secure your cardholder data when shopping online. Via a hardware device. If you want to protect your cardholder data, then you MUST keep your cardholder data OFF the web. It cannot be typed, it cannot be mouse clicked, it cannot be cut and pasted. It cannot be on the web...period.
In order to do it "outside the browser space: you'll need to Swipe your card in a 3DES end to end encrypted magnetic stripe reader which hopefully, then encrypts ALL the track 2 data. To secure the transaction with another layer, you could add two-factor authentication (2FA) by entering your PIN, which should also be end to end encrypted. To protect your data even more, experts recommend the use of DUKPT key management which assigns a unique key "each" transaction. The value is that if a hacker were to somehow breach their way through all that security, they would only have access to "ONE" transaction.
There's only "ONE" company in the world who manufactures a PCI 2.0 Certified magnetic card reader WITH PIN Entry Device for eCommerce. That'd be HomeATM.
That's it. So...remember, don't type, swipe. If you can see it on your screen, then so can the bad guys.
There's myriad ways for them to do that. Here's a select few: zombies, worms, malware, malicious code, DNS Hijacking, Click Jacking, Key-logging, Memory Scraping, Screen Scraping, Cloned Websites, Data Hijacking, Remote control access, etc. etc. etc. Remember the line from Field of Dreams? If you build it they will come? Here's one to remember for the web: If you type it, they will swipe it.
Question: If your cardholder data is going to be "eventually" swiped anyway, shouldn't you be the one doing the "SwipePIN?"