Thursday, April 2, 2009

UATP to Accept UKash

UATP, the low cost travel payment network privately owned by the world's airlines, has been looking for alternative payment solutions to provide the global airline industry with access to the lucrative cash market.

Its deal with Ukash will open up air travel to a huge proportion of the world's population that are currently 'unbanked' or without credit or debit cards, as well as those that choose not to make purchases over the internet due to fears of online fraud and identity theft.

UATP, which works with over 250 airlines, is diversifying its product offering as it looks to attract new consumers and maintain demand for air travel in the difficult current economic climate.

Ukash customers exchange cash for a prepaid voucher containing a unique 19-digit number which is then used to pay online. As an online payment method, Ukash provides those without access to bank accounts with a viable, safe solution for spending their money over the Internet and offers a solution to the problem of credit card fraud.

The secure Ukash voucher number is used to pay online, and as it's prepaid the payment is assured to the merchant. No financial details are exchanged with the merchant, making Ukash increasingly attractive to online consumers concerned about data security.

"Working with UATP to offer Ukash to airlines around the world will bring considerable benefits. Carriers now have the option to accept risk-free payments from consumers in countries with low card penetration whilst reassuring their customers that online payments are safe," adds Ukash CEO Mark Chirnside.

"The growth of low cost carriers is putting air travel within reach of many more people so we're delighted to add Ukash to the range of payment methods we can offer our airline partners," comments Ralph Kaiser, CEO of UATP. "We want to remove the barriers to travellers getting online access to the best range of flights and other travel services so adding payment services like Ukash that are prepaid and preserve financial anonymity is a great move forward."

Consumers from across the world can purchase Ukash vouchers online, on mobile or at more than 275,000 stores globally.

About Ukash(TM)

Ukash(TM) is a globally-recognised e-commerce payment method to enable online purchases using cash, providing freedom from credit and debit card fraud, repudiations and charge-backs, and protecting personal identity.

Ukash(TM) is regulated by the UK Financial Services Authority (FSA) and operates as one of only a small number of Electronic Money Institutions, a status that allows a single maximum online cash payment transaction of up to 500 Sterling pounds/750 euros.

Uniquely numbered Ukash(TM) vouchers are widely available through payment terminals in retail outlets across Europe and South Africa. In the UK, they are also available direct to mobile for Vodafone subscribers and from spring 2009, Ukash vouchers will also be issued online from the company's website in most European territories.

The technology behind Ukash is protected by several patents registered across the Smart Voucher database and functionality and is, as such, protected by Patent Law in all the major economies of the world. Ukash(TM) is a registered trademark of Smart Voucher Ltd.

In 2008, Ukash(TM) established a strategic partnership with South African payments giant Blue Label Telecoms to develop the brand's services.

For more information please visit


Will Hannaford Breach Result in Trial?

Judge to decide if Hannaford data breach should go to trial | Portland Press Herald

The upcoming ruling will determine whether parts or all of the lawsuit against the company will go forward.
By TREVOR MAXWELL, Staff Writer April 2, 2009

PORTLAND — A federal judge said he will decide in the next few days whether supermarket giant Hannaford Bros. is potentially liable for damages because of a data breach that exposed more than 4 million credit and debit card numbers to computer hackers.

Judge D. Brock Hornby heard arguments on Wednesday at U.S. District Court. Attorneys for Hannaford asked the judge to dismiss the lawsuit, which was filed against the Scarborough-based company last year. Attorneys for the plaintiffs said Hornby should certify the case as a class-action suit and let it proceed toward trial.

The upcoming ruling will determine whether parts or all of the suit will go forward.

The case boils down to a couple of central questions: To what extent are merchants responsible for securing the electronic data that gets processed with every noncash purchase, and what should the consequences be when that data is stolen?

"These are fascinating and difficult issues," Hornby said after hearing the arguments Wednesday. "I'll get a written decision out to you as soon as I can."

Between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. The grocery chain operates more than 200 stores under various names in New England, New York and Florida.

More than 4 million card numbers were exposed, and by the time Hannaford publicly announced the breach, on March 17, 2008, about 1,800 fraudulent charges had been made.

Continue Reading at the Portland Press Herald


LinkedIn Users Prefer Online 8 to 1 Over Mobile Banking - NetBanker

By Jim Bruene on 2009/04/01 17:49 Eastern Daylight Time
In a completely unscientific poll of 123 LinkedIn users I conducted about two hours ago, I found they overwhelmingly prefer the online channel over all others when accessing bank transaction data (see notes 1, 2, 3).

I was expecting mobile to be higher. But unless you have a new-generation smartphone and your financial institution supports mobile, it's unlikely to be your first choice. So given that mobile's only been widely available in the United States for about a year, a one-in-ten preference is a strong start. 

I also expected a bit more interest in the other choices: ATM, voice and social network, which only drew 3% of responses in total. Social networks went 0 for 123, showing that it's not yet viewed as a place to review financial data (note 4), at least among LinkedIn users. In a much differently worded poll of Facebook users a year ago, we found that 13% were willing to view their bank balance within the social network.

Q. All else being equal, how would you prefer to access bank transaction data?
Source: Netbanker/Online Banking Report poll of 123 U.S. LinkedIn users who self-selected to respond to poll while logged in to LinkedIn; fielded between 1 and 2pm on 1 April 2009 using in-network polling tool.

1. The question is strictly limited to 75 characters, so I couldn't make it as precise as I would have liked. For instance, I would have liked to add "assuming it's secure" and "your personal" to "transaction data." It's possible some respondents were thinking more about global banking data than their own personal transactions. The poll also displayed "by Jim Bruene, Owner, Online Banking Report" in the lower-left, potentially biasing results.
2. LinkedIn users are given opportunities to respond to polls while logged in to the service. There is no financial benefit to taking the survey, but they do get to see results after taking it.
3. There were significant differences based on demographics; for instance, women were almost twice as likely to select "mobile." And zero men, and 4% of women, chose voice call as the preferred method. But due to the small sample size, these demographic breakdowns don't hold much weight. There also appear to be some mathematical errors in the demographic splits, so I'm not going to cite them further until LinkedIn cleans up its algorithms.
4. An interesting result, given the poll was conducted within a social network among social network users. Actually, "the branch" beat social networks, drawing one "write-in vote" in the poll comments (it was not one of the five choices). 
5. For more info on mobile banking see our latest Online Banking Report on Mobile Banking 2.0 -- iPhone Edition

Black Hat Researcher Hacks Database Servers

New tool to be unleashed at Amsterdam conference uses SQL injection to gain a foothold into the underlying database server

By Kelly Jackson Higgins - DarkReading

A researcher at Black Hat Europe this month will demonstrate a new hack that uses SQL injection as a stepping stone to take control of a database server.

"SQL injection becomes a stepping stone to the real target: the operating system," says Bernardo Damele Assumpcao Guimaraes, an IT security engineer based in London. "I will focus on exploiting SQL injection in a Web application to get control over the underlying OS," in addition to the database software, says the researcher, who goes by the surname Damele.

SQL injection is a popular attack vector in Web applications (Editor's Note: 450,000 Attacks PER DAY!), mainly because it's one of the most common flaws found in these apps. Web application SQL injection attacks typically target client browsers, infecting them when the victim visits a compromised Website. Another SQL injection attack is on the database itself, via a Web application carrying that vulnerability.

But Damele's new hack kicks SQL injection up a notch, using it as a first level of attack to gain control of the database server itself, as well as any systems connected to it. That includes other servers in the same LAN, plus the data in the database itself. His attack goes after MySQL, Microsoft's SQL Server, and PostgreSQL running on Windows or Linux servers. "[This] possible scenario of attack for a SQL injection is the most overlooked and [under]researched," he says.

In one attack demo, Damele will show how to exploit a buffer overflow flaw in the database software by injecting valid SQL code. He has a few other attacks up his sleeve for Black Hat, too: "I will demonstrate other possible techniques to exploit other Windows design flaws to escalate privileges via a SQL injection," he says. "The idea is to take advantage of some of the design weaknesses of the database management system, and combine it with [weaknesses] in the programming development of the Web app to execute arbitrary code, upload binary infection files, and carry out also buffer overflow exploitation."  

Editor's Note: Again I have to ask...when people's PINs are eventually obtained due to inherent weaknesses in ALL software, who has the liability? 'Cause it's going to be one helluva'n expensive breach...who pays the bill?

The consumers? No, they just get to go through two weeks of hell...

The merchants? They'll lose their cost of goods bought with the fake transactions, but, I don't think that hackers will be wasting their time buying goods when they can go straight to the ATM and get CASH. 

If they go straight to the ATMs, the banks lose the cash, but then do they go after the EFT Networks to get it back? It'll be one mell of a hess when it (or, I suppose in "fairness" I should say) "if" it happens...

Continue "DarkReading"


Well This Makes Me Feel Better

Battling against online fraud is an "escalating war," according to Katherine Hutchinson, senior director of global risk management for PayPal.

Every time companies set up a new roadblock to combat the problem, the fraudsters eventually find a way to work around the new obstacle. The arms race then ratchets up again over some other weakness in credit card payments.

At the Web 2.0 Expo Internet conference yesterday in San Francisco, Hutchinson painted a bleak portrait of the combat.

Boiler rooms filled with fraudsters who try to gain access to credit card numbers using a variety of means from phishing e-mails to computer keystroke monitoring to software that guesses credit card numbers, (Editor's Note: OR PINS) sometimes accurately, sometimes not, zombies, malware, bots, viruses, remote takeovers, DNS Hijacking, the list goes on and on...and on.

Hutchinson had a few interesting points to share about fraud rates, based on the countries where the transactions originate.

Lowest risk:
1. Austria
2. New Zealand
3. Taiwan
4. Norway
5. Spain

Highest risk:
1. Ukraine
2. Yugoslavia (curious, since the country doesn't exist anymore)
3. Lithuania
4. Egypt
5. Romania 

Posted By: Verne Kopytoff | April 01 2009 at 03:11 PM


Payment Industry Swallows Its Own Tail

The following post, "Payment Card Industry Swallows Its Own Tail," is courtesy of Anthony Freed - Financial Editor of Information Security Resources. I've gotten to know Anthony a little bit via the blogging community and have come to enjoy his unique style of writing. (He's a REAL journalist...while I'm aware of the fact that I'm just a third rate blogger...okay...I digress...fourth-rate! And to those who would disagree I would simply ask... c'mon be nice...fifth-rate is a little harsh on me, is it not? :-) Anyway..., Mr. Freed wrote an article (which I'm sure you'll be able to find posted at a multitude of respected websites today) on the recent House of Representatives Committee hearings on payment card security. Personally...I abide by the belief that the Payment Card Industry Security Council does exponentially more good than bad, and after having personally met Bob Russo, I have no doubt he is on a mission to fully protect payment card data. He's got a tough job. There are a multitude of hackers, and they work 24/7/365...(unless it's leap year). Coincidentally, the only time I've ever posted the picture (above left) was the last post (On to the Next Breach) I covered from Anthony. Based on the title of THIS POST...I had to use the same graphic. Here's Anthony's article...

Payment Card Industry Swallows Its Own Tail

By Anthony M. Freed, Financial Editor

PCI DSS, the self-regulatory set of guidelines that the payment card industry and retail merchants use to encourage financial information security, may well have entered its death throes Tuesday, as evidenced by revealing testimony during the House of Representatives’ Committee on Homeland Security hearings.

Why the dire prognosis?

Anyone who has been following the cascade of security failures plaguing the payment card industry in the last year, punctuated by the still-shrouded breaches at RBS WorldPay (RBS) and Heartland Payment Systems (HPY), has to acknowledge that there are major problems with security that need to be addressed pronto.

But the greatest threat to the survival of PCI DSS (Payment Card Industry Data Security Standard) may not be the ever-evolving tactics of the criminal hackers intent on a “big score,” but instead the dysfunctional nature of the relationships between the very parties the standards are meant to serve.

The squabbling and finger pointing displayed during the first quarter of 2009 within the industry itself has resulted in nothing less than a public relations nightmare in my opinion, as major card brands, processors, and merchants each seek to deflect responsibility onto the others.

Someone on the sidelines, intently watching the game, would have to wonder what the heck these people are thinking.
First, RBS WorldPay and Heartland maintain that because they had been PCI DSS compliant at some point before their systems were breached, they can essentially shrug off any culpability for the security lapses, offering only the caveat that they are doing the best they can with what they have.

Almost simultaneously, the PCI Security Standards Council was staunchly asserting that no company that suffers a breach can be considered PCI compliant - regardless of their being listed as in good standing with the council at the time of the breach.  From
Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says.
Visa (V) echoed this sentiment in an interview with
“We’ve never seen anyone who was breached that was PCI compliant,” Phillips says without specifically naming - or excluding — Heartland. “The breaches that we have seen have involved a key area of non-compliance.”
To add to the confusion, Visa issued statements that RBS WorldPay and Heartland had been belatedly removed from the PCI Compliant list, in what has been widely considered to be merely legal maneuvering to effectively shield themselves from culpability while blocking the only alibi the processors have.
“It’s all legal maneuvering by Visa,” says Gartner security analyst Avivah Litan in an interview with “This is PCI enforcement as usual: They’re making the rules up as they go.”
This was apparently seen as an opportunity by some Heartland competitors to move in on some of Heartland’s clients, with reports of merchants being warned by other processors that they may be violating PCI compliance by continuing to do business with Heartland, and prompting Heartland to respond with threats of lawsuits.

Then, during Tuesday’s Congressional hearings, representatives of the merchant community, long thought to bear the brunt of security protocol “cram-downs” by the issuing brands, threw their hat into the ring in what now amounts to an industry free-for-all.  From
Michael Jones, the chief information officer at the retail company Michael’s, testified that the PCI rules were “expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement.”
Now bear in mind, all of these factions are supposed to be on the same team, and all are supposed to be working in unison to continue the evolution of ever more secure systems to thwart the increasingly resourceful criminal hackers.
Is it any wonder that the future of PCI DSS is in question?

And what could possibly be worse than an entire industry at each other's throats in the midst of the biggest security problems they have faced to date?

Well, they could make enough of a brouhaha that they attract the attention of lawmakers, as they have succeeded in doing; lawmakers who have regularly demonstrated their intention of late to force industries of all stripes to cede to their “better judgment.”  Also from
“I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”
This means that the PCI Security Council, keepers of the PCI DSS flame, have their work cut out for them if they want to remain the chief regulating body for PCI security. Maybe they left these issues to simmer on the back burner for too long, and maybe someone will be looking for a scapegoat.

It’s all uphill now.

During a phone call in early March with Lib de Veyra, VP of emerging technologies at JCB International and recently named Chair of the PCI Security Council, I expressed my concern over the state of relations between the various elements that make up the payment card industry.

I likened the public displays of policy incongruity and the tendency for all interested parties to respond to news of security lapses by rushing to throw each other under the bus, to that of the image of a snake swallowing its own tail.
I expressed concern by offering my opinion that the biggest threat to PCI DSS does not come from the endless supply of criminal hackers the industry will certainly face in perpetuity, but instead comes from the fractured portrait of an industry in crisis, and its inability to effectively manage itself.

That was one long month ago, and the opportunity to avert the creation of a new regulatory body to oversee PCI may have already come and gone, which is most unfortunate for everyone concerned.
PCI DSS is not broken, but the collective will to make it an effective standard for security just might be.

Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to
