Tuesday, September 1, 2009

Review: False Layer of Security = Insecurity

This is the "Type" of Security That Will Empty Your Bank Account

Excerpts from the Economic Times
All one needs to do to make an unauthorized transaction from your card is to steal three security details, namely your card number, card expiry date and 3-digit or 4-digit card verification value (CVV) number. But now some banks are requiring a fourth step..."typing" a password. (Why don't they just ask you to type in your social security number? Only you know that, right? LOL) The point is, you can type all you want...it doesn't make it safer; in fact the opposite is true...it just means you have to jump through more hoops to make a purchase. Where's the convenience? (I stopped looking for security long ago.)

Why? Because banks are still instructing you to "type!" your personal information into boxes in a browser. How dangerous is that? Pretty dangerous, based on yesterday's headline from Gartner, which simply states: Online Banking Dangerous! Why? Well, besides keylogging, just click on the box on the left to enlarge and see what has happened to the state of the malware threat from January to July. Besides, it's clear from the paragraphs below that the purpose of this "added layer of non-security" is to provide a false sense of one and to PIN the fraud liability on the consumer!

This is what bankers have to say on the subject:
1. "If the wrong password is entered as part of this extra authentication, the bank informs the e-commerce merchant, and if the merchant still goes ahead with the transaction, it becomes the merchant's liability."

2. "On the other hand, if the password is correct, even if the customer disputes the transaction, it is still the customer's liability."

(Hmmm...interesting. It appears that from now on, fraud is either the merchant's liability or the consumer's. Didn't see a scenario where it was the bank's, did you?) Stumped? Here's what the new security layer implies for you as a cardholder. Editor's Note: It's no accident they wrote "implies" (vs. "provides")...because all it provides is the hacker with a fourth piece of information to prove to the bank that it's not them hacking into the account.
"From the cardholders' perspective, (Editor's Translation: "perception") another layer of protection gives a lot more comfort in terms of security for the online transactions using credit/debit cards. (Reality: another layer of this type of non-protection simply provides another way for hackers to intercept financial data, whether it be via malware (see the malware growth chart above right), keylogging, phishing, XSS, etc.)

Though it will also mean you may have to go through another step to complete your transaction online (the extra step is only there to determine whether the bank holds the merchant or the consumer liable for the fraud), but doing that (from the bank's perspective) is always better than having to deal with fraud and face the risk of losing your hard earned money," says Basant Shroff, associate director, financial services - advisory services, Ernst & Young.
Editor's Note:

This is what I have to say on the subject.

This is such Bullcrap! Adding another false layer of "bullcrap protection" will "only" provide a bullcrap "false sense of security."
Adding another bullcrap step, which they say will get rid of the bullcrap fraud, actually provides hackers with "ANOTHER OPPORTUNITY" to steal your money.

C'mon people! Read between the lines on this one. It's 100% BS. Let me sift through the stink here. Consumers have fears about security, so they are cajoled, no, scratch that, "fooled" into thinking online shopping is more secure because banks added another layer of "Emperor's Clothing."
So, in reality, the only thing they have provided here is yet another step for hackers to steal passwords under the "false pretense" of "enhanced security."

Question: If it's truly safer, then why have they covered their butt by stating that if the password is correct (it doesn't matter if you dispute the transaction)...you are liable! If it were truly secure, then they would assume liability!

Talk about stanky!...open the windows, turn on the fan, spray some air freshener, scratch that, call in the fumigator! This is Smoke and Mirrors, plain and simple.
As per RBI figures, Indian banks lost out on almost Rs 37 crore in 12,959 credit card fraud cases reported last year.

(Editor's note: Hence the introduction of a "third new layer" of authentication designed to shift bank liability to merchants and consumers in a most "shifty" way.)

According to the article, "Some banks, in fact, have gone a step ahead creating the security wall." (Editor's Note: Wait till you read this one. Are you strapped to your chair? Because I almost fell out of mine when I read the following.)
For instance, while generating a 6-digit PIN as an additional security layer at ICICI Bank, you are also asked to type a message, known as a personal assurance message (PAM).

(Editor's Note: Add an S to the beginning of that word and you'll find out how the bad guys will phish your PAM silly.) This PAM is known only to you. (Editor's Note: Are they joking? For how long? Here's for how long. Until you "type" it into a box somewhere....!)
When you type your credit card number on the merchant's website, "IT" will take you (what/who will take me?) to the bank's website to complete the transaction, where you need to "type" in the PIN, explains an ICICI Bank spokesperson.

Editor's Note: This is beyond bullcrap; it borders on insane. What's so hard to understand? It's the stupid typing of passwords, usernames, card numbers, this new "PAM" garbage, etc. that is the root of the problem. So the NEW system now asks you to type even more of your information into boxes and double/quadruple your chances of getting hit by fraud.
Another question: What is this "IT" that takes me to the bank's website? Is "IT" the web browser? Is "IT" an API that simply takes you to another website? There is NO WAY anyone could know whether or not they are being redirected to a legitimate versus a cloned bank website.
This is their idea of the future of ecommerce? To increase risk by creating more steps which require more typing?

Why is that so "puzzling" for supposedly "learned" people to understand that the problem IS the typing? See the blog post entitled: "It's the Typing Stupid."
Suppose that after you "type" your credit card number on the merchant's website, you are "redirected" to a "cloned bank website." Hackers can do this in one of many ways. And how would you know? The cloned website looks authentic. The "https" says it's authentic (for those who think that still means anything). Maybe it will display their EV SSL certificate! Ooops, never mind. Those were exposed last week.
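The redirect question above is exactly where a merchant integration or a browser helper could apply a hard check on where the customer is being sent. The following is an added example, not code from the original post or from HomeATM or ICICI Bank: it compares a sloppy "does the bank's name appear in the URL" test against a strict allowlist check (https only, no embedded credentials, no odd port, exact hostname match). The bank hostnames and the sample URLs are constructed placeholders and are not real.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the bank's real authentication hosts (hypothetical names).
TRUSTED_HOSTS = frozenset({"secure.examplebank.test", "acs.examplebank.test"})


def naive_check(url: str) -> bool:
    """The kind of check a cloned site defeats: the bank's name merely appears somewhere in the URL."""
    return "examplebank" in url.lower()


def is_trusted_redirect(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Accept only an https URL whose host is exactly one of the allowlisted bank hosts."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    # urlsplit exposes embedded credentials separately; a URL like
    # https://secure.examplebank.test@evil.test/ actually points at evil.test.
    if parts.username is not None or parts.password is not None:
        return False
    if parts.port not in (None, 443):
        return False
    host = parts.hostname  # lower-cased, without userinfo or port
    if not host:
        return False
    return host.rstrip(".") in trusted_hosts


# Constructed sample redirect targets: one legitimate, the rest lookalikes or downgrades.
SAMPLE_URLS = [
    "https://secure.examplebank.test/pin",                 # genuine host
    "http://secure.examplebank.test/pin",                  # plaintext downgrade
    "https://secure.examplebank.test.evil.test/pin",       # bank name as a subdomain of evil.test
    "https://secure.examplebank.test@evil.test/pin",       # bank name hidden in the userinfo part
    "https://secure-examplebank.test/pin",                 # hyphenated lookalike
    "https://secure.examplebank.test:8443/pin",            # unexpected port
]


def classify(urls=SAMPLE_URLS) -> dict:
    """Map each URL to (naive verdict, strict verdict) so the two checks can be compared."""
    return {u: (naive_check(u), is_trusted_redirect(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in classify().items():
        print(f"{url:50} naive={naive!s:5} strict={strict}")
```

Only the first URL survives the strict check, while the naive check waves every one of them through. The point for a defender is that the check must run on the parsed hostname, never on the raw string, and must refuse anything that is not https on the standard port.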
Anyway, once you get to the bank website (either one), you follow the bank's instructions and "type" in your PIN. Even if you ARE on the "legitimate" website, hackers can steal whatever you type. If you are on a cloned bank website, guess what happens after you "type" your PIN? Did you say your bank account gets emptied? Correct you are.
Now what? You have to try and get your money back, right? Well, here's the bad news...according to this article, and I quote: "if the password is correct and even if customer disputes the transaction, it is still a customer's liability."

Oh...now I get it. They just shifted the responsibility for the loss from the bank onto the consumer. So, I guess this post is directed at consumers: "If you expect a secure eCommerce transaction, you won't 'type' anything into the browser." It's really not that hard to understand. Is it? If it is, take a look at some of the related articles below.
How Can HomeATM's Technology Help?

HomeATM is proud to offer consumers the immediate availability of our PCI 2.x Certified SafeTPIN, a personal credit/debit card reader that keeps your credit card information and identity completely safe when you're banking or shopping online. Simply plug the SafeTPIN into your computer's USB port (no software or drivers needed), visit your favorite online banking site, swipe your card and enter your PIN exactly like you would at an ATM. There is no safer way to log in to your online banking account. When it comes to shopping, just visit your favorite shopping site and swipe your credit card; the SafeTPIN scrambles and 3DES encrypts the user's track2 data before it reaches the user's computer or the Internet, providing instant protection from malicious software attacks.
HomeATM provides complete End to End Encryption (Zones 1-4) for Track2 data (to the Card Brands). PIN Debit transactions via HomeATM provide 100% "Zone 1 through Zone 5" (including Card Brands) End to End Encryption.

Regarding our PIN Debit transactions...there is not an ePayment method that is safer. Period. The ONLY PCI 2.x PIN Entry Device designed for eCommerce in either hemisphere. With HomeATM's solution, the consumer will NEVER TYPE. HomeATM has a pending patent on assigning PINs to credit cards via our PIN MY Card application.