Thursday, May 28, 2009

"Both Sides of the Mouth Syndrome" Syndicated

Information Security Resources, an industry-leading "InfoSec" blog, shared the BSMS with their readers.

‘Both Sides of the Mouth’ Security Analysis

May 27, 2009 by ADMIN

By John B. Frank, Marketing Strategist with HomeATM ePayment Solutions

It was nice that Javelin Strategy and Research took the time to write about HomeATM in their analysis of Finovate Startup09, but I’m a little confused about something they say in their report.

Maybe a reader might be able to clarify what they mean, because right now I’ve got a kindova BSMS (Both Sides of the Mouth Syndrome) taste in my - for lack of a better word - mouth.

Why do I say BSMS?

Well, in the first portion of Javelin’s analysis of HomeATM, they say that our Safe-T-PIN device provides (the more secure) card present (vs. the less secure card not present) credit card transaction, and the even more secure PIN Debit transaction.

Here’s their quote:

Launched in April 2009, P2P Safe-T-PIN offers home-based “card present” credit card and PIN debit transactions online using a PCI-certified device attached to a personal computer through a USB port.

Users also could make online purchases by swiping their credit card or debit card and PIN at checkout. The device allows for secure real-time money movement with an option for delayed transactions.

Then, after stating that, the next thing they say is:

There is greater potential for HomeATM as a frequent high-value P2P solution such as a Western Union money transfer than for enabling e-commerce. Many consumers may be hesitant to swipe their ATM cards on hardware attached to their computer because of security concerns.

Therein lies my confusion.

First they state that our PCI certified device allows for “Card Present” and “Online PIN Debit” transactions, along with the statement that our device ALLOWS SECURE REAL TIME MONEY MOVEMENT, and then in their next breath they say that many consumers may be hesitant to use that very same PCI 2.0 Certified PIN Entry Device because of security concerns?

Did they possibly mean to imply that many consumers may be hesitant to swipe their ATM cards on hardware attached to their computer because they don’t want “improved” security?

Someone help me out here! I’m not being sarcastic. I’m being serious. Okay, I admit…I’m being totally sarcastic. But there’s good reason; in fact 117 good reasons. You may have noticed when you first visited the HomeATM site, there was a popup that appeared asking if you would please partake in our survey.

Well, I started the survey yesterday and already have 117 responses, and it doesn’t appear to me that very many consumers may be hesitant to swipe their ATM (or debit or credit) cards on hardware attached to their computer. In fact, 117 said they would prefer to Swipe their Card and 117 said they would prefer NOT to Type in a Username/Password.

Click below to enlarge and read two questions pertaining to whether individuals would prefer to Type or Swipe their Card information at a merchant website or Online bank:

The analysis did go on to say that two of the “differentiators” enjoyed by HomeATM are that we provide “end to end encryption” and that our device is PCI certified, so I’m still left confused by what they meant about many consumers being hesitant because of security concerns… chime in if you know!

HomeATM Differentiators:

• A HomeATM Mobile device will be available for mobile phones with Web access, allowing transactions on the go
• PCI-certified device
• Hardware-based end-to-end encryption
• 100% acceptance with all bank cards

Author’s Note:  Plus our PCI 2.0 Certified PED also “encrypts” the Track 2 data and utilizes DUKPT key management as an additional layer of security.

HomeATM’s Engineering Team Designed and Manufactures the World’s FIRST and ONLY PCI 2.0 PIN Entry Device Specifically Designed for eCommerce. Our device provides “Card Present” rates on credit cards and “True PIN Debit” Interchange on debit cards as well as secure 2FA authentication for online banking sites and live, “real-time” money transfer from P2P, B2B, B2P, P2B and mobile.


Debit Card Transactions Grow 48%, Credit Cards 12.7% - RBI

Consumers prefer debit cards in slowdown
BS Reporter / Mumbai May 29, 2009, 0:28 IST

The number of debit card transactions increased by 48 per cent in financial year 2009, compared to an increase of 12.7 per cent for credit cards in the year. Similarly, debit card volumes grew by 44.6 per cent, whereas credit cards saw a volume growth of 13.7 per cent for the same period, says the Reserve Bank of India’s data.

Sector experts attribute this surge in debit card usage to the ongoing economic slowdown and the cautious attitude towards spending money. Add to this the diminished focus of banks in issuing credit cards.

The pattern is starker in a quarter-on-quarter analysis by Venture Infotek, a transaction management company. Debit card transactions showed an increase of 88.6 per cent, against a rise of 34.5 per cent for credit cards for the March. In value terms, daily transactions through debit cards increased by 73.4 per cent vis-à-vis an increase of 24.8 per cent in credit card transactions.

“This shows the Indian consumer is behaving cautiously. Debit cards bring in the discipline of spending only the money you own. Besides, credit is scarce in a recession and credit card companies are wary of extending credit loosely,” said Piyush Khaitan, Managing Director, Venture Infotek.

The total value and volume of point of sale transactions through credit cards in March has declined by 11.9 per cent and 3.9 per cent, respectively, over April 2008, says the RBI data.

It also shows the number of credit cards in circulation has declined from 28.3 million cards in April 2008 to 24.6 million cards in March 2009. Whereas debit cards have registered an increase of 30.9 per cent, to touch 137.4 million in March 2009.

Emerging Bank Markets in the U.S. 2009

Emerging Bank Markets in the United States 2009

Mintel, March 2009, Pages: 56


Since the last survey that we conducted of the unbanked and underbanked markets, two significant developments have taken place: the financial crisis and the election of President Barack Obama. These two events offer both good news and bad news for those looking to market to the underbanked. On the one hand, those distrustful of the banking system are now even more distrustful. On the other hand, as the majority of unbanked and underbanked consumers are immigrants, this poses a possible opportunity.

Due to problems in the banking industry, banking institutions will need to look towards new revenue streams. Though banks are more risk-averse, there is evidence that the underbanked are not necessarily high risk and are actually careful consumers. Given their population growth rates, it is a huge economic opportunity.

This report includes key information about the growing numbers of unbanked and underbanked consumers:

-What are the demographics of the unbanked and underbanked?
-What are the factors that lead to distrust and/or underuse of banks?
-Which segment(s) has the greatest growth rate?
-What are methods to market to the unbanked and underbanked?


US ATMs: Rebuilding the Foundation - Aite Report

A New Report From Aite Group
US Bank ATMs: Rebuilding the Foundation

In order to improve the overall ATM customer experience, banks must first make sure their underlying ATM technology is up-to-date.

Boston, MA, May 28, 2009 – A new report from Aite Group, LLC examines how the ATM channel is expected to evolve through 2010. Based on interviews with bank ATM channel executives at 23 of the top 80 U.S. banks by number of checking accounts, the report prescribes recommendations for banks and vendors participating in the U.S. ATM market.

As banks embrace the potential to add additional features and functionalities to ATMs, they realize that they must first update their underlying technology. In five years, 91% of ATM executives indicate it will be important or extremely important to their bank's strategy to create a differentiated ATM experience through customer personalization. If the foundation is not yet built, banks will not be able to provide the level of personalization their peers are currently starting to implement.

"Many banks are currently using outdated ATM technology, and see themselves as lagging behind the competition when it comes to service at the ATM channel," says Kate Monahan, analyst with Aite Group and author of this report. "Until updates are made, service will continue to suffer at the ATM channel and areas of opportunity for personalization at the ATM, such as marketing to customers on a one-to-one basis, will not be possible."

This 39-page Impact Report contains 31 figures. Clients of Aite Group's Retail Banking service can download the report by clicking on the icon to the right.


Western Union Option to Receive Funds via Online Banking

Press Release Source: Western Union
Western Union Offers Customer Option to Receive Funds via Online Banking at

Service Launched with New Agent, Turkey’s Garanti Bank

ENGLEWOOD, Colo. & ISTANBUL--(BUSINESS WIRE)--The Western Union Company (NYSE: WU - News), a worldwide leader in money transfer services, announced today the launch of a service that allows online banking customers in Turkey to receive money transfers directly into their bank accounts. The service is offered through a new Agent, Garanti Bank, Turkey’s second largest private bank. Online banking customers can also send money from the website at any time to more than 334,000 Western Union® Agent locations in over 200 countries and territories.

The model may be applied further in Turkey and in other markets around the world.

“Western Union continues to drive industry innovation to meet a growing demand for convenient, reliable online services,” said Hikmet Ersek, Executive Vice President and Managing Director for Europe, Middle East, Africa, Asia Pacific. “This is the first time a Western Union customer in Turkey will be able to choose between the traditional method of receiving cash at an Agent location and having funds sent directly into his bank account, without having to go to a physical location or talking to a call center.”

Ali Fuat Erbil, Executive Vice President of Garanti Bank, said: “Garanti Bank is known for its dynamic business approach and commitment to technological innovation. We have achieved many firsts in Turkey and are delighted to be part of using the Internet to bring a new level of convenience and efficiency to our customers.”

The service is aimed at busy people who do not have time to visit an Agent location and is available 24 hours a day, seven days a week. Customers can send and receive funds using their online Garanti Bank accounts by following a few simple steps. The Western Union Money Transfer® service is available at more than 4,000 Agent locations in Turkey through Ziraat Bank, Turkish Post, Finansbank, ING Bank, Denizbank, Fortis, Türkiye Finans and TBank.

About Western Union

The Western Union Company (NYSE: WU - News) is a leader in global money transfer services. Together with its Orlandi Valuta and Vigo branded money transfer services, Western Union provides consumers with fast, reliable and convenient ways to send and receive money around the world, as well as send payments and purchase money orders. It operates through a network of more than 379,000 Agent locations in over 200 countries and territories. Famous for its pioneering telegraph services, the original Western Union dates back to 1851. For more information, visit

About Garanti Bank

Established in 1946, Garanti Bank is Turkey's second largest private bank with assets reaching in excess of $63 billion as a result of its customer centric approach and innovative culture. As a universal bank with leading presence in all business lines, Garanti serves to over 8 million customers in corporate, commercial, SME, and consumer segments offering fully integrated financial services through its 9 financial subsidiaries that include payment systems, pension, leasing, factoring, brokerage and asset management. Committed to its customers, Garanti with over 16,000 employees operates an expanding distribution network comprising more than 730 branches including five foreign branches and four international representative offices, more than 2,600 ATMs, an award-winning call center and an Internet and mobile bank utilizing its state-of-the-art technology. Garanti supports its extensive branch network with centralized operations, exceptional data warehousing and management reporting systems, and the efficient use of alternative delivery channels. Garanti’s wide product variety combined with custom-tailored solutions is a key competitive advantage in its success as Turkey's largest lender providing more than $44 billion in cash and non-cash loans. For more information, please visit


LifeLock Fraud Service Ruled "Illegal"

Judge Rules LifeLock’s Fraud Alert Service Illegal

In a decision that has privacy advocates and others scratching their heads, a federal judge has ruled that LifeLock has been breaking California law for years by placing fraud alerts on its customers’ credit profiles.

The decision is a blow to the burgeoning identity-theft protection industry, and means that companies that experience data breaches may no longer be able to offer victims free subscriptions to such services — a standard damage-control tactic in recent years. Consumers can still place fraud alerts by contacting one of the three U.S. credit reporting agencies directly.

Bo Holland, founder and CEO of Debix, a competitor of LifeLock, called the ruling “dramatic and unexpected.”

“It causes a real shift in the industry,” he told Threat Level.

The pre-trial partial summary judgment comes in a lawsuit filed last year against LifeLock by Experian, one of the nation’s three credit reporting bureaus. Experian claimed LifeLock is trying to “game the system” of fraud alerts to make a profit.

LifeLock, a controversial company that gained notoriety for publishing its CEO’s Social Security number in advertisements, charges $120 a year to consumers to place fraud alerts on their credit profiles, among other services. The company also offers a $1 million guarantee to reimburse the expenses of any customer who suffers losses from identity theft while subscribed to LifeLock.

Continue Reading at WIRED


Stolen Credit Card Data Published in Blog

Stolen credit card data published in blog | The Australian
Blair Speedy | May 29, 2009
Article from: The Australian

VICTORIAN police are investigating a massive identity fraud involving the personal details of thousands of Australians that have been available on an internet blog site for more than a month.

The data, discovered by The Australian, includes thousands of Visa, Mastercard and American Express numbers, including expiry dates, together with home addresses, phone numbers and email addresses.

The list was posted on a free blogging site, where it was copied by search engine Google as part of its routine cataloguing of internet sites on April 21.

Victoria Police Sergeant Dave Spencer said the list appeared to have been collected from a number of sources before being sold to criminals.

"Lists like this come up for sale on the internet, and this is basically the end product of skimming and hacking of ATMs and other point-of-sale systems," Sergeant Spencer said.


80% of Phishing Attacks Use Hijacked Websites

I've blogged about this subject plenty of times over the last year, and my concern is specifically targeted towards the inherent weaknesses in the username/password systems used with online banking. If a consumer is tricked/phished into providing their username/password, then the phisher is successful.

The average phishing attack results in a loss of $350 to a bank.

According to research firm Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks. (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before to five million.)

The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved. (That's $196 to the banks and $154 to the consumers) "The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner. (Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based)

Guess what? The HomeATM "SafeTPIN" device would not only eliminate "phishing attacks" but it would also eliminate the threat of "cloned cards," "cloned bank sites", AND provide "True 2FA" for online banking customers.

HomeATM provides a very simple cure to this maliciousness. Use a PCI 2.0 certified SwipePIN device and require online banking users to swipe their bank issued card and enter their bank issued PIN. The data is encrypted and is NEVER in the clear. So, in the event a consumer is tricked into swiping and entering their PIN, as opposed to typing in their log-in credentials, the phisher has nothing.

And nothing is something banks should want phishers to have.

More Than 80% Of Phishing Attacks Use Hijacked, Legitimate Websites - DarkReading

New research from the Anti-Phishing Working Group shows how phishers are better covering their tracks -- and what to do when phishers compromise your Website

May 27, 2009 | 04:23 PM
By Kelly Jackson Higgins

It used to be that researchers could sometimes track a phishing exploit by the notorious cybercrime ring behind it, like the Rock Phish gang, but no more: New research from the Anti-Phishing Working Group (APWG) has found that most phishers are setting up shop on legitimate Websites to be inconspicuous when they steal valuable information from victims.

In the second half of 2008, roughly 57,000 phishing attacks worldwide targeted a specific brand or organization, up from around 47,300 in the first half of 2008, according to a newly released report (PDF) from the APWG. The attacks were waged on 30,454 different domain names, only 5,591 of which were domains the phishers set up themselves. The rest were from legitimate Websites they had hijacked to carry out their exploits.

The average amount of time a phishing site was up: 52 hours, according to the report.

Continue Reading at Dark Reading


Gartner Says Expect Jump in Mobile Payments Users

Jump in mobile payments users this year - Gartner
The number of people around the world making payments using their mobile phones is set to soar from 43.1 million in 2008 to 73.4 million this year, a 70% rise, according to analyst house Gartner.

By 2012, the company predicts the number of people making m-payments will hit 190 million - more than three per cent of total mobile users - as it becomes "mainstream."

However, security concerns, an inadequate 'ecosystem' and undefined areas in banking regulations remain challenges for the technology.

Continue Reading at Finextra


New Worm Could Attack 1000's of Twitter Users

Twittercut website spreads malicious links as page views rapidly increase

Dan Raywood | May 27, 2009
A new worm that could attack thousands of Twitter users has been detected.

PC Tools has detected a new scam that claims to drastically increase a user's Twitter followers by using a website called Twittercut. It takes advantage of the current trend of amassing Twitter followers in order to capture users' Twitter account details and self-propagate.

Twitter users may see a tweet in their stream that reads ‘OMG I just got over 1000 followers today from’. Once they click on this, the link takes them to a fraudulent Twitter website requesting their login and password details. It then sends out this tweet to all of their followers and directs users to a dating website, with the aggregate number of views resulting in affiliate revenue.

Continue Reading at SC Magazine


Use PIN Debit at Gas Stations

I wrote about this last June, but it's making news again, so I thought I'd throw out a reminder. Use your PIN when you purchase gas; otherwise, gas stations can put up to a $150 hold on your checking account, resulting in overdraft charges.

Here's a video from KATV 7 in Little Rock, Arkansas. 

ACH Network Should Compete with Debit Card Networks Says KC Fed Chief

Kansas City Fed Chief Espouses ACH for Debit Card Processing
(May 27, 2009) The Federal Reserve Banks should adapt the automated clearing house network to compete directly with private-sector networks for debit card processing, the head of the Federal Reserve Bank of Kansas City said this week. “The Federal Reserve could enhance competition in payment card markets by positioning ACH services as an alternative to debit card payment networks,” said Thomas R. Hoenig, president of the Kansas City Fed, in remarks delivered on Monday at a retail-banking conference held by the European Central Bank in Frankfurt, Germany.

Hoenig said he isn’t proposing the Fed issue cards or run its own card network. But he said the U.S. national banking regulator could “add enhancements” to the ACH that would allow the nearly ubiquitous network, which reaches virtually every bank in the U.S., “to become an alternative to running transactions over card networks.” He pointed to decoupled debit cards, in which banks issue debit cards that link to deposits held at other banks, as an example of the sort of adaptation he favors.

Continue Reading at
