Recent Rash of Breaches Heightens Need for "Secure" Internet PIN Transactions
HomeATM ePayment Solutions, a leading provider of secure hardware and software solutions, today announced their newest product, Safe-T-PIN™, has been Payments Card Industry (PCI) PIN Entry Device (PED) 2.0 certified.
The Safe-T-PIN point of sale device, manufactured by HomeATM, is the first ever Internet PED to achieve such certification. Safe-T-PIN™ provides safer and more secure two factor authentication for e-commerce transactions and secure log-in.
The pocket-sized Safe-T-PIN™ is a ready to use USB “plug and play” device that requires no user software installation and works with any operating system or browser. The device provides users with the added convenience of swiping their cards versus keying in their numbers (Swipe Don’t Type™), and will work with any bank, card processor, and currency. The significance of this product is that the end to end security of consumer financial transactions on the web is now assured through the use of standard financial industry and military grade encryption combined with dual authentication, and is now available and affordable for consumers worldwide.
HomeATM’s mission from its inception was to design, build and deliver an affordable POS device that brought End-to-End-Encrypted (E2EE) security and thus lower fees to merchants and consumers alike.
The Safe-T-PIN™ also allows authorized secure person-to-person (P2P) money transfers in real-time. “We are proud of our engineering team and extremely excited to provide a cost-effective solution to those who can least afford fraud and risk,” said Ken Mages, CEO.
"The Safe-T-PIN™ exponentially reduces the likelihood of a breach and provides the dual authentication solution that e-tailers and money remittance companies have been seeking in order to fill the current fraud/security void in secure transactions on the web. HomeATM is already in advanced discussions with several Fortune 100 companies and this certification will certainly result in expediting those talks.”
HomeATM owns a global patent for secure Internet PIN based transactions. Leveraging our E2EE PCI 2.0 PED certified solution, a merchant or remitter can move funds from their bank account or open loop/closed loop payment card in real-time. Utilizing HomeATM’s patented solution with a bank issued debit or credit card alleviates the burden for merchants to address fraud issues as HomeATM leverages the issuing bank’s KYC/AML (Know Your Customer/Anti-Money Laundering) protocols. No other payment solution serves P2P, Business-to-Consumer (B2C), Business-to-Business (B2B), and Mobile Payments with the speed, security and cost-effectiveness of HomeATM. HomeATM is EMV ready and already enjoys strategic relationships with Microsoft, Cardinal Commerce and UATP.
For further information please visit: www.HomeATM.net or www.HomeATMblog.com or contact Mitchell Cobrin, COO, mcobrin@HomeATM.net or 514-207-5000
Thursday, March 19, 2009
ATMs At Risk
Targeted attack on ATMs raises the bar -- as well as concerns -- about security of cash machines
By Kelly Jackson Higgins, DarkReading
Cracking automatic teller machines isn't new: ATMs have been rigged with sniffers, spoofed with cloned cards created from successful phishing attacks, and even physically blasted open by explosives. But a new, sophisticated attack that inserted information-stealing malware on ATM machines has raised the bar on just what determined criminals can and will do to steal banking information and money.
The latest ATM hack came to light yesterday after Sophos revealed its discovery of a Trojan that had been specially crafted to steal information from users of Diebold ATM machines. Diebold in January had issued a security update for its Windows-based Opteva ATMs, some of which it said had been physically broken into and infiltrated with the Trojan software in Russia.
"We immediately notified our customers globally of the malware risk and sent a precautionary software update," a Diebold spokesperson says. "We were made aware of the isolated incident in Russia in the January time frame. The criminal gained physical access to the ATMs at site locations, and the malware was installed by someone with high-tech knowledge and expertise."
The attackers (those dogs) were well-versed in the software internals of the ATM machines. "It's fascinating that the hackers went to this extent...they [knew] the API calls and understood how the cash machine works," says Graham Cluley, senior technology consultant at Sophos. "We haven't seen that before.
"This is not something the average hacker on the street would have access to," he adds. "They need physical access to the ATM -- they need to have someone on the inside or involved with the manufacture of these devices to gain access and install the software."
HomeATM doesn't use software. It's Plug and Play. In order to gain access, a fraudster would have to break in to a user's home...but it's tamper-proof, so that wouldn't do them any good either. So, I think it's "safe" to say that, well...HomeATMs are NOT at risk.
It's unclear just how the attackers got such inside access to the machines, but security experts say it represents a whole new attack vector for bank machines, and that this incident may be only scratching the surface. "There could be many other ATMs under this type of malicious and hidden Trojan," says Kim Singletary, director of OEM and compliance solutions for Solidcore Systems.
In its security update to ATM machine customers, Diebold said the attackers had been caught and that an investigation was under way. Once the bad guys obtained access to the internals of the ATM machines, they were able to implant the malware and intercept sensitive data, the company says. The risk of such an attack increases when the Windows administrative password is compromised or if the built-in firewall is disabled, for instance.
The Fraud Practice Releases their Semi Annual Guide on eCommerce Alternative Payments
RED BANK, N.J. --(Business Wire)-- Alternative payments represent only a fraction of e-commerce total sales today but according to Javelin Strategy and Research, an independent consultancy focused solely on the financial services and payment industries, about 1/3 of all online retail transactions ($268 billion) are predicted to be alternative payments by 2013. The explosive growth of alternative payments can be attributed to consumer and regional preferences. In these economic times, it is now more critical than ever that e-merchants understand and offer payment choices based on consumer and regional preferences.
When considering alternative payment options, more often than not, merchants are limiting their discussion to ACH, PayPal, Amazon and Google Checkout. In fact, there are a number of payment options and a rapidly growing number of service providers offering them. The Fraud Practice's Guide to Alternate Payments identifies 8 categories of alternative payment solutions with over 100 service providers offering their services globally. The categories include credit card payments, ACH & bank payments, payment aggregators, credit-term providers, cash alternative providers, advertising/promotional providers, mobile payment providers and invoicing payment providers.
Not all alternative payment options will produce the same results. Determining the right alternative payment options for your company means evaluating payment options based on regional support, consumer preference, customer base and return on investment (ROI).
Regional Support: There is no one payment option that is equally effective in all regions worldwide. Credit cards are accepted worldwide but while they have dominated the US and Western European eCommerce markets, they have not shown the same dominance in emerging markets such as Africa, South America, Asia and Eastern Europe. In Germany credit cards are present and used, but they are not the preferred payment method.
In these markets a merchant needs to support other payment options otherwise they will be limiting their potential customer base to only a small fraction of the overall population.
Customer Base: The best alternative payment option has little value if the supported customer base isn't large enough to warrant the effort to integrate and support it. Evaluating a customer base should be done on two levels, potential and current. Consider China: 93% of the 1.3 billion person population has access to direct debit, while according to China Daily there were just over 100 million credit cards in circulation in China as of June 2008.
Return on Investment (ROI): The reasons why a merchant may implement alternative payments vary from access to markets, cost reduction, easier supportability to consumer preference. In a majority of cases, merchants are able to show a favorable ROI on integrating alternative payments in a timeframe that is more tactical than strategic. This is primarily attributed to increased sales from new consumer populations, lower costs than traditional credit cards and better fraud protection.
The Fraud Practice has created the Guide to Alternate Payments (http://www.fraudpractice.com/altpay.html) to help merchants, service providers and financial institutions make more informed decisions on which alternative payment solutions and providers they should be considering. A Guide to Alternative Payments is a prepared research document, 60 pages in length, intended for organizations looking to gain an understanding on eCommerce alternative payment options. The Guide also includes easy-to-understand reference tables on regional service providers (over 100 service providers), preferences and capabilities. Readers should expect to gain:
- An introduction to the types of solution options available and the service providers that offer them
- An in-depth understanding of the market dynamics, vertical market preferences, regional preferences and reasons to implement these services
- A discussion on emerging markets where alternative payments are flourishing
- A general introduction to the capabilities and services provided by the major players in each of the 8 solution option groups
Merchants may also consult The Fraud Library, which contains valuable information for merchants seeking information on fraud prevention techniques and eCommerce payments.
About The Fraud Practice
The Fraud Practice (http://www.fraudpractice.com) is a privately held US LLC based in Red Bank, New Jersey. The Fraud Practice provides consulting services on eCommerce payments, fraud prevention and credit granting. Businesses throughout the world rely on The Fraud Practice to help them build and manage their fraud and risk prevention strategies. Utilizing best practices and leveraging key partnerships, our team of industry and technical experts offer customers a single source for learning how to design, deploy, review and integrate fraud prevention practices in their business processes and solutions.
David Montague is the founder and President of The Fraud Practice and has spent the last fourteen years working in the eCommerce space, and is well respected for his business knowledge and thought leadership. His background includes an in-depth application of innovative solutions for preventing business to business and business to consumer e-commerce fraud. Prior to founding The Fraud Practice he held positions as the Director of Risk Solutions at CyberSource Inc. and National Principal at IBM Global Services.
Official 2008 card fraud figures show chip and PIN continuing to drive fraudsters online or to those cards not yet reliant on PIN protection to authorise payments.
ITPro.com By Miya Knights, 19 Mar 2009 at 14:07
The main driver for growth in card fraud is on those transactions without chip and PIN protection, the main UK payment industry body, Apacs said today, as it released its fraud figures for 2008.
Card-not-present (CNP) fraud losses increased by 13 per cent over the last year to now account for 54 per cent of all card fraud losses. This also amounts to a rise in CNP fraud of 243 per cent between 2001 to 2008.
Editor's Note: In addition to providing e-consumers with the ability to transact in a dually-authenticated manner, (What they have/Card, What they Know/PIN) HomeATM also reduces fraud by transforming CNP transactions into Card Present (CP) transactions. The end result? CP transactions cost less to process, PIN costs less to process. Why? Because they are MORE SECURE! How Secure? PCI 2.0 PED secure!
But Apacs said this reflected the growing popularity of shopping online, which relies on CNP payments, and providing a lucrative alternative to criminals forced to look for alternatives with the adoption of chip and PIN.
It added that tackling CNP fraud was an industry priority, as it continues to encourage cardholder and retailer take-up of secure online payment systems that help prevent online shopping fraud, such as MasterCard SecureCode and Verified by Visa.
Overall, card fraud losses total £609.9 million, online banking fraud losses £52.5 million and cheque fraud losses £41.9 million.
Online banking fraud losses grew 132 per cent on 2007 levels, due mainly to an increase in phishing, Apacs said. At the same time, online banking customers without sufficient security protection are increasingly being targeted by malware attacks.