Thursday, May 21, 2009

Comparing Apples to...Let's Just Say "The Real Deal"

The HomeATM Blog has spent considerable time in its efforts to "attempt" to educate readers about payments security (and/or the lack thereof). Here's a quick rant on mobile phone security.

iCan't help but cringe (the first time iLaughed) every time I see that iPhone commercial, you know the one that shows somebody entering their credit card iNformation iNto an iPhone.  Are they freaking iNuts? iDon'tGetiT.

Here's why:  When you do that you are entering your valuable credit card iNformation iNto a "BROWSER."  Any guesses as to why they call iT a browser?  iF anyone said: "Because hackers can browse for iNformation on iT" congrats!  So here's my beef: "Where's the Security?"

iUnderstand the hoopla and the fact that there iS a rush to market for applications that enable mobile phones as payment devices, but we (hopefully) already have learned that web browsers ARE NOT SAFE.  Question: What does a mobile phone use?  Yup.  So what iS the only logical conclusion you can come to?  Yup.

Have we learned NOTHING from the errors of our ways?  You don't type your PAN (Primary Account Number) iNto a web browser or iT can be seen by anyone who wants to see iT. 

Case in Point: 
A recent study by an American security company found that 93 per cent of mobile devices in the US lack data loss protection and other systems to prevent a data leak. - Source: Credant Technologies 11/18/08

So why on earth have we "graduated" (we shoulda been held back) to typing our number iNto a phone.  The security on a phone iS certainly less formidable than Web security.   Slow down people...Haste makes Waste.  Do iT Right. 

As iN the case of the web, payments need to be done "outside the browser" and they need to be done securely.  That said, here iS an example of a "secure" mobile payments application...

1. Plug in the world's first and only PCI 2.0 Certified 3DES, Protected by DUKPT end to end encrypted PIN Entry Device
2. Swipe your credit or debit card (and thus your PAN & Track 2 data on the magstripe) ONE-TIME!
3. Enter your PIN (if applicable) ONE-TIME!   (Repeat with any credit/debit card you'd like to enable in your iWallet) 

The result?  Your sensitive PAN and PIN (and your Track 2 data) is "instantaneously" encrypted "outside the browser space" and henceforth protected by the aforementioned "military grade" encryption.  The cardholder data is NOT decrypted until it arrives safely into a secure HSM (hardware security module) at our processing NOC (Network Operations Center).

Your phone is now "safely and securely" forever enabled as a payments device and your PAN, your Track 2 data and your PIN are NEVER in the you are.  Simply pass along the HomeATM PCI 2.0 Certified PED to a friend or family member and they can also "securely enable" their phone as a payments device.

But NEVER type your PAN into a browser unless you want to "share the wealth."  We say it is eminently more intelligent to "share the HomeATM PIN Entry Device" in order to enable friends and family to safely transact on their mobile phone. In a related (rush to market) story, Intuit, the maker of QuickBooks software for small businesses, is announcing a new service called Intuit GoPayment (where does it Go?) that will put credit-card processing technology into most cell phones, paving the way for electricians, tow-truck drivers or any other mobile workers who normally depend on sending a bill, collecting a check or sticking to a cash-only model to collect immediate payment.  (Yeah, electricians, tow-truck drivers, pizza delivery drivers, etc. could also be enabled with our "Don't Go/Stay Secure Payment" application as well.)

But the system does more than just allow mobile workers to collect payment. It also allows users to tap back into their Quickbooks accounts to input different types of information, such as invoicing or estimate information and synchronize it with the Quickbooks data back at the home office.  Yeah, that sounds safe too!


Hacked! Key Bank Technology Used to Secure Internet Transactions...

This is BIG news folks.  Game Changing.  Only the tip of the Iceberg though.  We can't be using web browsers for financial transactions (internet or mobile) because it's too dang hackable.  As the article states, money transfer, unsafe, One-Time-Passwords (OTP's) unsafe, Internet Transactions, unsafe, Mobile Phones, unsafe, browsers, unsafe.  As I said, this is BIG news and it all bodes well for HomeATM's theory that financial transactions need to be encrypted outside the browser space...and the only way to do that is with a hardware device.  Period.  It doesn't hurt that HomeATM owns the patent and the world's ONLY PCI 2.0 Certified PED designed for eCommerce!  Here's some background...

I was working on a post I think I'll call "Comparing Apples to "Let's Just Say" The Real Deal" and I saw this (as I said) "GAME CHANGING" news come across the wires.  Since it related directly to the post I was writing, I thought I'd take a time out and post this one first in order to create a perfect segue.

Think there is such a thing as a secure transaction done "over" the internet?  Think mobile phones are secure for financial transactions?  Think again.  Think Different!

Financial Transactions must be done (and ENCRYPTED) "outside the browser space!" PERIOD.  Here's an excerpt from an article released less than 30 minutes ago by PC World:

Investigators Replicate Nokia 1100 Online Banking Hack - Business Center - PC World

A Nokia 1100 mobile phone has been used to break into someone's online bank account, affirming why criminals are willing to pay thousands of euros for the device.  See my post: I'll Give You $10k for Your Nokia 1100

Using special software written by hackers, certain models of the 1100 can be reprogrammed to use someone else's phone number and receive their SMS (Short Message Service) messages, said Max Becker, CTO of Ultrascan Knowledge Process Outsourcing, a subsidiary of fraud investigation firm Ultrascan.

The Nokia 1100 hack is powerful since it undermines a key technology relied on by banks to secure transactions done over the Internet.

Banks in countries such as Germany and Holland send a one-time password called an mTAN (mobile Transaction Authentication Number) to a person's phone in order to allow, for example, the transfer of money to another account.

Since the Nokia 1100 can be reprogrammed to respond to someone else's number, it means cybercriminals can also obtain the mTAN by SMS. (Editor's Note: OTP's are overrated!)

Cybercriminals must already have a person's login and password for a banking site, "but that's easy" since millions of computers worldwide contain malicious software that can record keystrokes.

Editor's Note:  Well, a publication besides the PIN Payments News Blog that states getting a person's login and password for a banking site is easy.  It took a that it's done, I say: "That Was Easy!"  Need I say more about why HomeATM engineered the world's first and only PCI 2.0 certified PED designed to conduct financial transactions "outside the browser space" (for any web enabled device...including mobile phones)?  I think I do.  You the end of the day when the smoke clears, you'll see it how we see it.

Continue Reading at PC World


Hearing on Heartland Class Action Lawsuits Next Week

Banking / Finance News
Source: Bankinfosecurity
Complete item:

A federal judicial panel will hear arguments next week on whether to consolidate the class action lawsuits brought against Heartland Payment Systems (HPY) by financial institutions. The Judicial Panel on Multidistrict Litigation in Louisville, KY will hear the arguments next Wednesday, according to Benjamin Johns, one of the lawyers representing the class action suit from the law firm of Chimicles Tikellis, Haverford, PA.

"These cases tend to be long and drawn out - there have been multiple class action suits filed in New Jersey and in Texas," says Johns. Two class action suits have been filed by Chimicles Tikellis, (New Jersey Filing PDF) (First Bankers Trust PDF), and a third class action suit was also filed in Texas against Heartland by Lone Star National Bank, Pharr, TX. (Lone Star Filing PDF)

As first reported on Jan. 20, Heartland, the sixth-largest payments processor in the U.S., revealed that its processing systems were breached in 2008, exposing an undetermined number of consumers to potential fraud.

Since then, a growing number of banking institutions have stepped forward to announce that their customers were among those affected by the breach.

About the Lawsuits

Johns says that generally multiple class action suits are consolidated and heard in one court. "Nothing of substance has happened before this," he says. "The court, once it hears the argument, will take anywhere from a month or two to release its ruling on where the suit will be heard."

Motions have been made to hear the case in Florida, Texas and New Jersey US district courts, says Johns.

There are three types of class action suits being brought against Heartland: the financial institutions' class action suits; consumer cases; and also some securities fraud class action suits have been filed by Heartland's investors. Johns says there are a total of 30 suits filed against Heartland in various federal courts.

There are five banks and credit unions named as plaintiffs in the New Jersey filing: Amalgamated Bank, New York, NY; Matadors Community Credit Union, Chatsworth, CA; GECU, El Paso, TX; MidFlorida Federal Credit Union, Lakeland, FL; and Farmers State Bank, Marcus, IA. All the institutions say they have had to re-issue "substantial" numbers of credit and debit cards because of the Heartland breach. Johns says thus far no other financial institutions have been named to the suit, but that doesn't mean others won't be joining.

"We've talked to a lot of banks and credit unions and gathering their information," Johns says. "Once the cases are consolidated we'll be making a determination of who will be added to consolidated complaint."



PCI Looks Into Cloud Security

Credit card council looks into cloud security

Cloud Security Alert by Tim Greene, Network World

Cloud security is enough of a potential problem that it’s being investigated by the group that sets standards for protecting credit card data.

The Payment Card Industry (PCI) Council has set up a task force to examine cloud computing services to figure out what unique exposure credit card data faces if stores, restaurants, hotels and the like relegate their card information to a provider.

The council, which has issued data security standards that businesses that process credit card transactions must follow in order to be PCI compliant, is looking more closely at cloud computing because its members are using the technology more.

“As a result, the Council is evaluating various options to address more formally, with our participating organizations, how cloud computing applies to the current requirements of the PCI Data Security Standard and where we take the DSS in the future,” the council says in an e-mail reply to questions about its plans.

The PCI council has ongoing revision cycles of its standard in order to keep personally identifiable data as private as possible and minimize the number of data breaches. The council is also taking a closer look at virtualization as a possible threat vector that should be separately addressed by the standard, although the council says the current standard might cover it.

Continue Reading at Network World

Barclays Employee Sentenced for Stealing £455,000 from Lloyds Chairman

Source: Finextra: Barclays worker jailed for stealing £455,000 from Lloyds chairman

I guess that's smarter than stealing from the chairman of your organization?  According to Finextra, a Barclays worker has been sentenced to three years in prison for helping to steal £455,000 from the account of Victor Blank, chairman of rival bank Lloyds.

According to press reports, Anthony Webster, 23, worked as a client executive at Barclays Premier Bank in Moorgate, London in 2007 when Blank's account was raided. 

Southwark Crown Court was told that he acted as the inside man for an organised crime gang, which stole the money from Blank's savings account through bogus transfer requests, with forged signatures, sent by fax.  The money has not been recovered, with some of it sent overseas.

Continue Reading at Finextra

Personal Finance Startup Rudder Exposes Customers Data

Source: Finextra
Complete item:

Houston-based personal financial management start-up Rudder has inadvertently exposed the private account details of hundreds of individuals to other users of the site.

Daily account updates sent to two percent of Rudder's active users also provided a direct link through to the accounts of hundreds of other subscribers, where visitors could view balance updates and transaction information relating to personal bank accounts, credit cards and bill payments.

Rudder says that in total 732 accounts were compromised, but that no bank user names, passwords, addresses or other personal identity-based information were exposed.

In a statement posted on its site, Rudder says: "This issue was not the result of a data breach, but due to a software issue in our program that generates emails. It is important to know that Rudder has "read only" access to your account balances and transactions and we do not store account credentials like user names, passwords, or your personal information like name, address or social security number."

As a precautionary measure, the company says it will be offering a free identity-theft service to all compromised Rudder members.

Finextra verdict: Competitors such as Mint and Wesabe might be rubbing their hands with glee at the prospect of picking off defecting Rudder subscribers, but this security lapse reflects badly on the entire sector. Mint for one has recently been talking about charging commercial third parties for access to aggregated anonymous consumer spending data. Like Rudder, Mint doesn't store names or account numbers - and there's no danger of individual account compromise - but subscribers might revolt at the idea that details of their personal spending habits are being sold on to the private sector.



National Archives Breach Exposes SS#'s from Clinton Administration

Data Breach with National Implications ~ DogReader
The National Archives is privy to a wide range of sensitive information. It is the nation’s official record keeper. Now the National Archives has had a security breach that has far reaching, national implications:

“The National Archives lost a computer hard drive containing massive amounts of sensitive data from the Clinton administration, including Social Security numbers, addresses, and Secret Service and White House operating procedures, congressional officials said Tuesday.”

link: Sensitive data missing from National Archives

This security breach goes beyond the possibility of identity theft. Among the data could be sensitive data that foreign nations would covet. One wonders whether security procedures included data encryption so that the hard drive data had additional security.

The amount and nature of the data remains undetermined to a point. There is a question as to whether this hard drive was “accidentally” misplaced. Surely the security protocols and procedures at the National Archives are stringent enough that hard drives just don’t become lost in the system somewhere.

Catherine Forsythe


Obama Eager to Sign Credit Card Bill

Obama ready to sign credit card bill: White House | Reuters

WASHINGTON (Reuters) - President Barack Obama looks forward to quickly signing a credit card reform bill passed on Wednesday by Congress, the White House said.

"Obviously this has been something the president has championed," White House spokesman Robert Gibbs said, adding the bill contains "important" protections for consumers.


Credit Card Holders "Be Wary of SMiShing"

Credit card holders 'should be wary of "SMiShing" threat'
Smishing, where fraudsters use text messages to target victims rather than the internet, is on the rise, according to one group. 

Credit card holders are being warned by the fraud prevention squad Cifas to watch out for the fraud method.  The smishing trend comes as banks and other financial services providers increasingly contact customers by text message.

HM Revenue and Customs (HMRC) has also warned that fraudulent text messages have been sent to victims asking for financial information.  Similarly, this was because HMRC has been using text messages to contact people, a fact which fraudsters have exploited.

According to UK payments industry association Apacs, fraud where the card is not present amounted to £328.4 million in 2008. This is an increase of 13% since the previous year.

Richard Hurley, Cifas communications manager, said: "While the rest of us are reining in our behaviour as a result of the recession, the increase in facility takeover and online frauds demonstrates clearly that fraudsters are simply redirecting their efforts."

More on SMiShing (from Wikipedia)

Similar to phishing, smishing uses cell phone text messages to deliver the "bait" to get you to divulge your personal information. The "hook" (the method used to actually "capture" your information) in the text message may be a web site URL, however it has become more common to see a phone number that connects to an automated voice response system.

The smishing message usually contains something that wants your "immediate attention", some examples include "We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order on this URL: www.?????.com."; "(Name of popular online bank) is confirming that you have purchased a $1500 computer from (name of popular computer company). Visit www.?????.com if you did not make this online purchase"; and "(Name of a financial institution): Your account has been suspended. Call ###.###.#### immediately to reactivate". The "hook" will be a legitimate looking web site that asks you to "confirm" (enter) your personal financial information, such as your credit/debit card number, CVV code (on the back of your credit card), your ATM card PIN, SSN, email address, and other personal information. If the "hook" is a phone number, it normally directs to a legitimate sounding automated voice response system, similar to the voice response systems used by many financial institutions, which will ask for the same personal information.

This is an example of a (complete) smishing message in current circulation: "Notice - this is an automated message from (a local credit union), your ATM card has been suspended. To reactivate call urgent at 866-###-####."

In many cases, the smishing message will show that it came from "5000" instead of displaying an actual phone number. This usually indicates that the SMS message was sent via email to the cell phone, and not sent from another cell phone.

This information is then used to create duplicate credit/debit/ATM cards. There are documented cases where information entered on a fraudulent web site (used in a phishing, smishing, or vishing attack) was used to create a credit or debit card that was used halfway around the world, within 30 minutes.
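The indicators the excerpt above lists (pressure language, a URL or callback-number "hook", a financial-institution theme, and a "5000"/email-gateway originator) can be scored on the receiving side; the following is an added example, not code from the original post or from Wikipedia. The sample messages, sender IDs and 555 numbers are constructed, and the keyword lists and threshold are assumptions that would need tuning against real traffic, since banks also legitimately contact customers by SMS.

```python
import re
from dataclasses import dataclass, field

# Assumed indicator lists, drawn from the message patterns described in the excerpt.
URGENCY = ("immediately", "urgent", "suspended", "will be charged",
           "unless you cancel", "confirm", "reactivate")
FINANCIAL = ("bank", "credit union", "atm card", "account", "paypal", "purchase")
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)
# North American style callback number, e.g. 866-555-0100 (digit groups 3-3-4).
PHONE_RE = re.compile(r"\b(?:1[-.\s]?)?\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_sms(sender: str, body: str) -> Verdict:
    """Return an additive indicator score and the reasons that contributed."""
    text = body.lower()
    verdict = Verdict(0)
    if any(k in text for k in URGENCY):
        verdict.score += 2
        verdict.reasons.append("urgency/pressure language")
    if any(k in text for k in FINANCIAL):
        verdict.score += 1
        verdict.reasons.append("financial-institution theme")
    if URL_RE.search(body):
        verdict.score += 2
        verdict.reasons.append("web hook (URL)")
    if PHONE_RE.search(body):
        verdict.score += 2
        verdict.reasons.append("phone hook (callback number)")
    # "5000" or an e-mail address as originator: sent through an email-to-SMS gateway.
    if sender.strip() == "5000" or "@" in sender:
        verdict.score += 2
        verdict.reasons.append("email-to-SMS gateway originator")
    return verdict


def is_suspicious(sender: str, body: str, threshold: int = 4) -> bool:
    """Assumed threshold: a hook plus any pressure wording is enough to flag."""
    return score_sms(sender, body).score >= threshold


# Constructed samples (not real traffic); 555 numbers are reserved for fiction.
SAMPLES = {
    "suspended_card": ("5000", "Notice - this is an automated message from Example "
                       "Credit Union, your ATM card has been suspended. To reactivate "
                       "call urgent at 866-555-0100."),
    "dating_charge": ("+15555550123", "We're confirming you've signed up for our dating "
                      "service. You will be charged $2/day unless you cancel your order "
                      "on this URL: www.example.com."),
    "legit_otp": ("EXAMPLEBANK", "Example Bank: your one-time code is 482913. "
                  "Do not share it with anyone."),
    "courier": ("+15555550188", "Your parcel has been delivered. "
                "Track it at www.example-courier.com"),
}


def classify_samples() -> dict:
    """Score every constructed sample; returns name -> (score, flagged)."""
    return {name: (score_sms(s, b).score, is_suspicious(s, b))
            for name, (s, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (score, flagged) in classify_samples().items():
        print(f"{name:15} score={score} flagged={flagged} "
              f"reasons={score_sms(*SAMPLES[name]).reasons}")
```

The legitimate one-time-code alert scores low because it carries no hook and no pressure wording, which is the distinction a mail-filter style rule should preserve.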


Bank Mistakenly Deposits $10M & NZ Couple Go on the Run

A bank in New Zealand mistakenly deposited NZ$10m (£3.85m) – 1,000 times the requested amount – into a NZ couple's business bank account.

The temptation to not be honest apparently was too much. After withdrawing NZ$6m the couple disappeared from a service station they ran in Rotorua, about 150 miles south of Auckland.  Media in the country suggested they may have fled to Korea or China, and police have asked Interpol for help.

The bank, Westpac, which has reportedly recovered NZ$4m, said it was "pursuing vigorous criminal and civil action to recover the sum of money stolen".  The New Zealand Herald reported a bank spokesman as saying human error was responsible for the mistake and that the bank was reviewing its procedures. The paper named the couple as Leo Gao and his girlfriend Cara Young.

Continue Reading at "The Guardian"


Scammers Use iTunes to Drain Bank Accounts

Source: myfoxny
Complete item:

It's a huge scam that's so sneaky you may not even know you've been hit till it's too late. Victims across the country are complaining they've been left holding the bag for iTunes charges they never made. They blame cyber-scammers who use financial information and iTunes as a weapon to drain their accounts. It's a widespread scam that's unfolding across the country but it's still unclear how it's being pulled off.

But ultimately scammers use iTunes to funnel cash from a victim's bank account, PayPal or credit card.

"I panicked, I was absolutely freaking out!" says Kimberly Pullis, from Naples, Maine, who discovered mysterious charges popping up in her iTunes account that she says she didn't make.

Daniel Buergo of Long Beach, Calif., says he spotted mysterious charges too that immediately posted to his bank account, "It makes me feel pretty down and out, upset, disgusted, of course you don't feel safe."

The high-tech scam has claimed victims from New York to California. At the heart of it all is Apple's wildly popular iTunes. Victims say it starts with an unexpected e-mail for purchases they never made. That's how Rachel Katz from Manhattan found out, "I got two emails thanking me for my purchase."

But by the time victims get the e-mail receipt it's usually too late. The receipts appear to be legitimate, and come from Apple, generated by the user's iTunes account. The receipts show purchases for iTunes electronic gift certificates and charges that hit checking accounts, credit cards or PayPal depending on what the user has linked to his or her iTunes account.

Many alleged victims say they've been nailed with $100 worth of charges, usually in the form of two electronic iTunes gift certificates valued at $50 each. But on blogs and complaint boards, some victims say they've been hit for much more. In some postings, victims claim fraudulent charges in the hundreds and even thousands of dollars.

"In this economy a hundred dollars to some people is a huge amount of money," says Kimberly Pullis, who says she had a hundred bucks sucked right out of the PayPal account she has registered with iTunes.

But Rachel Katz's case in New York City seems to be the most unusual; she says the gift certificates charged to her iTunes account were billed to a total stranger's PayPal account. She only found out about it after the fact when what appears to be a legitimate iTunes receipt popped up in her inbox. She makes an interesting analogy about the alleged fraud: "They just had a party in my house, they paid the bill for their own liquor, and I only know it happened because I got an invitation to the party after it was over."

When Kimberly Pullis searched for other victims she found tons of people with new postings generated almost daily.

"I have read online Web site after Web site, blog after blog, where it has happened to thousands of people, out thousands of dollars," she says. If the postings popping up online are legitimate victims, then the scammers are making out like cyber bandits, racking up quite a bill on the backs of innocent victims.

Victims tell Fox 5 News that they either find it impossible or have a whole lot of trouble getting the charges removed. Kimberly Pullis says she tried fighting the charges with Apple, but customer service told her to deal with PayPal. She says PayPal tells her the charges appear to be valid, deal with Apple.

In Daniel Buergo's case, he disputed the charges with his bank, but he says his bank is pointing at Apple and in the middle of it all, Daniel is getting nowhere. He says what he learned from his bank is making it difficult to fight the mysterious charges.

"I found out that having my banking or credit card information in iTunes actually gives them authorization for future purchases," he says.

As of today, Daniel says his bank has offered to temporarily remove the charges while it investigates, but warns they may be put back if the fraud cannot be proven. The problem is Daniel is not sure how to prove the fraud, and he says Apple isn't helping.

Victims say they are stuck between endless finger pointing: Apple customer service reps blame the financial institution and identity theft, and the financial institution customer service rep blames Apple. When Kimberly Pullis finally gave up on the customer service reps at Apple and PayPal, she says she decided she might as well just use the gift codes that she supposedly bought. But when she tried to redeem them she was in for another shocker.
