Friday, January 16, 2009

Largest Drop in Card Balance Payments Ever

According to credit card balance payments saw their largest drop ever, from October to November.  (Guess December's data hasn't arrived yet...) - News - Wallet Squeeze
The amount that consumers pay on their monthly credit card balances dropped like a rock in November to a record low. Generally cardholders, including those who pay the minimum due and those who pay the full balance off each month, pay on average, about 18% to 20% of their monthly outstanding balances.

During October cardholders paid 18.42% of their balances which collapsed to 15.96% in November,
Clearly, the credit squeeze that began in mid-September trickled down much faster than expected. The impact of job losses cannot be understated. In December, the number of unemployed persons increased by 632,000 to 11.1 million and the unemployment rate rose to 7.2%. Since the start of the recession in December 2007, the number of unemployed persons has grown by 3.6 million, and the unemployment rate has risen by 2.3 percentage points.

June 08:    19.54%
July 08:    19.54%
August 08:  19.21%
Sept. 08:   18.57%
Oct. 08:    18.42%
Nov. 08:    15.96%


People Spending More (Time) on the Web

eMarketer reports that the recession may be contributing to increasing usage of the Internet among leisure time activities. 

Of course, by the same token, one could argue that the recession, which has caused many job losses, could "reduce" the percentage of "leisure time" spent online, as people would have an additional 10 hours per day of leisure.

That would equate to needing to spend an additional 3 hours per working day (15 hours per week) online in order to retain the 30% level that US Internet users are now at. When looking at the chart on the right, I'd be interested in hearing theories behind the 72% spike in usage from 2006 to 2007.

Internet Users Spending Even More Time on Web - eMarketer

"According to eMarketer, US adults are not world leaders in spending leisure time online. That distinction goes to Internet users in China, who spent 44% of their leisure time on the Internet in 2008, according to TNS Global. The company found that Americans ranked fifth worldwide, at 30% of leisure time spent online, virtually tied with Italy (31%), Spain and Australia (29% each)."

A related article from "The Guardian" in the U.K. states:

The study also found that many activities which we traditionally did in our spare time are now being done online. Three-quarters of Britons have used the internet for banking in the past month and two-thirds have also paid bills online. Seventy-five per cent of British respondents had read news online in the past month, while 62% had checked the weather. More Britons (55%) had watched a video clip on sites like YouTube than had listened to audio (44%) or participated in an online auction (39%). Social networking sites had been visited by 37% of people, while 32% had downloaded music.

Seven per cent of Britons called themselves bloggers, with 16% saying they had "viewed or contributed" to a blog, compared with 88% of Chinese respondents.

The poll of more than 27,500 people in 16 countries found that housewives in the UK spend 47% of their leisure time on the web, compared with 39% for students and 32% for the unemployed. Globally, the average across all occupations was 29%.

Of the 16 nationalities surveyed, Scandinavians seemed the least inclined to while away their free time in front of the computer - Danes spent an average of 15% of their non-work hours on the net, with Swedes at 18% and Norwegians at 22%.

Arno Hummerston, managing director of TNS Global Interactive, said: "If our leisure time is so precious, then why do we on average spend almost a third of it using the internet? We believe it is because we are making more efficient use of our valuable time, specifically by using the internet - thereby allowing us to fit more into our lives...


Gaza Cease Fire Trojan Shows No Sites Are Safe From Attack

On Monday, in a post entitled "Gaza Strip(s) PC of Financial Data" I talked about a new(s) attack. "Using mainstream news headlines regarding recent events in Gaza, it lures people to a site that appears to be CNN. The bad news is, it isn't. It's a clone, and there is nothing which clearly indicates that you've been duped." It then downloads a trojan which sweeps your hard drive looking for data relating to financial institutions.

In a post earlier this month (E-Commerce and Browsers Don't Mix), I talked about browser weaknesses. With the emergence of these two "new attacks" (the other one being "in-session phishing"; see "Phishing 2.0 - PAN Fried"), not even 15 days into the New Year, it's becoming clearer that financial transactions need to be done outside the browser space.

Last night, I noticed that Gartner's Avivah Litan did an analysis on the Gaza Cease-Fire Trojan.  Based on the title  of her post, (and her bullet point, both of which I outlined in yellow) it's safe to assume that she feels along the same lines as we do, regarding the weaknesses inherent in web browsers. 

Here's her analysis...

Avivah Litan
VP Distinguished Analyst
Potomac, MD USA
Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, identity theft, fraud detection and prevention applications and other areas of information security and risk. She also covers payment systems and financial flows in the business-to-consumer and business-to-business markets.

A new trojan attack shows that seemingly "safe" Web sites can be used in financially targeted attacks. Enterprises need to take a layered approach to these attack vectors, which mostly lie outside their control.

On 7 January 2009, the RSA FraudAction Research Lab discovered a trojan attack, identified as the Cease-Fire Trojan Attack, that used phishing e-mail supposedly offering Al Jazeera video on CNN of the war in Gaza to divert recipients to an imposter news Web site. Recipients who clicked on a "video" link were told they need to update their media players to run the video. When they tried to do so, a "Secure Sockets Layer (SSL) stealer" trojan was downloaded to their desktops.

"The trojan resides in the end user's Web browser, waking up when SSL encryption is invoked via the HTTPS protocol typically used for online financial transactions such as payments and banking. The trojan then tracks the user's keystrokes to steal transaction information."

RSA reports that it shut down the attack, which was staged at a registrar in China, and that it discovered and took down a second wave of attacks — staged on five other domains on 9 January — within four hours. 


Trojans delivered via phishing attacks are certainly not a new phenomenon, and security providers report that the frequency of these attacks is increasing rapidly. This particular attack is significant because it offers a clear demonstration of:
  • A comparatively new type of combined phishing/trojan attack that uses social engineering to prey on sympathies and interests (in this case, promising graphic images of war)
  • An attack using brands (for example, those of news organizations) that attackers rightly believe are less likely to be the targets of phishing attacks than financial service providers and therefore less likely to take proactive action against them
  • Criminals' ability to place programs inside browsers, making it possible to bypass the security protections offered by SSL encryption and by strong authentication techniques going through a user's browser
It is important to note that RSA shut down this attack as a public service, and that there is no guarantee that security providers will perform such services in the future. Enterprises must take action to protect themselves and their customers, clients, partners and other stakeholders against attacks of this type.


Enterprises that store customer information, financial accounts, transaction information or other sensitive data:
  • Recognize that customer account credentials can be compromised and that many criminal attack vectors are outside your domain and your control.
  • Deploy a layered security strategy that includes fraud detection, stronger user authentication and out-of-band transaction verification for high-risk transactions.
  • Deploy browser-based "on demand" desktop security services to your customers, because these can, when used in conjunction with better local browser rules and recognition of high-assurance certificates, help to protect customers accessing your Web sites.

Internet infrastructure and security providers:
  • Consider pooling your resources and launching a joint phishing/malware detection and site-takedown service that can be offered on a pro bono or as-needed basis. This approach would make it possible to quickly block attacks against real or fictitious brands that are detected in the course of normal "cybersurveillance" services, even if no specific financial incentive to do so exists.
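
The out-of-band transaction verification recommended above, as an added example that is not part of the original post or of the Gartner analysis: the server derives a confirmation code from the payee and amount it actually received and shows those details over a second channel, so a change made inside the browser becomes visible to the customer. The field names, risk threshold and account labels are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import secrets

HIGH_RISK_CENTS = 100_000  # assumed policy threshold (1,000.00)

def is_high_risk(txn, known_payees):
    # Assumed policy: large amounts and first-time payees need verification.
    return txn["amount_cents"] >= HIGH_RISK_CENTS or txn["payee"] not in known_payees

def confirmation_code(key, txn, nonce, digits=6):
    # The code is a MAC over the details a browser-resident trojan would
    # alter, so it authorizes this payee and amount and nothing else.
    msg = f'{txn["account"]}|{txn["payee"]}|{txn["amount_cents"]}|{nonce}'.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

def start_verification(key, txn):
    # Runs on the server against the transaction as the server received it.
    nonce = secrets.token_hex(8)
    code = confirmation_code(key, txn, nonce)
    # Sent over a second channel (SMS, voice call, mobile app), not the browser.
    text = f'Pay {txn["amount_cents"] / 100:.2f} to {txn["payee"]}? Code: {code}'
    return nonce, code, text

def confirm(key, txn, nonce, submitted):
    return hmac.compare_digest(confirmation_code(key, txn, nonce), submitted)

def demo():
    key = secrets.token_bytes(32)   # per-customer server secret
    known = {"ACCT-UTILITY"}        # constructed sample data
    intended = {"account": "ACCT-1", "payee": "ACCT-UTILITY", "amount_cents": 5_000}
    tampered = {"account": "ACCT-1", "payee": "ACCT-MULE", "amount_cents": 500_000}
    # The server only ever sees the tampered request, so the out-of-band
    # message names the mule account and the customer can refuse it.
    _, _, text = start_verification(key, tampered)
    # A code the customer approved for the intended payment cannot be
    # reused to authorize the tampered one.
    nonce, good_code, _ = start_verification(key, intended)
    return {
        "intended_high_risk": is_high_risk(intended, known),
        "tampered_high_risk": is_high_risk(tampered, known),
        "message_shows_mule": "ACCT-MULE" in text and "5000.00" in text,
        "genuine_confirms": confirm(key, intended, nonce, good_code),
        "replay_on_tampered": confirm(key, tampered, nonce, good_code),
    }

if __name__ == "__main__":
    print(demo())
```

A keystroke logger can still capture the code as the customer types it into the browser, but the code only verifies against the payee, amount and nonce it was issued for.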
