Friday, June 5, 2009

Credit Card Fair Fee Act Introduced by House

Updated: D-Day for Visa/MC?

Legislation seeking to tighten rules on so-called "interchange fees" levied by credit card companies could hurt transaction processors like Total System Services Inc. and First Data Corp. if it becomes law, a Morgan Keegan & Co. analyst said in a research note Friday.

The legislation would yield a mixed bag of results for various other players in the credit card industry, with potentially significant effects on payment networks like Visa Inc. and MasterCard Inc. as well as "acquiring banks" like Global Payment Systems Inc., analyst Robert Dodd said.

"While we believe the prospect for interchange regulation is real - though far from certain - we believe the impact on the sector would be mixed, generally positive for acquirers and modestly negative for networks," Dodd wrote.
(Continue reading at Forbes)

Is this the beginning of the end of the "fee ride" given to Visa and MasterCard? 

Has the Dynamic Duo(poly) finally met their match?  

Have Merchants finally seen a "bill" loaded with "Interchange Fees" that they actually like? 

Stay tuned to find out the answers to these and other duo-processing (due processing) questions, as the Federal Government takes on Visa, MasterCard for Round Two. 

First it was the consumers crying foul...

This time it's the merchants who are claiming they have been hacked, oops, let's change that to: this time it's the merchants who "get to go to the line" and shoot their Interchange "Fee Throws."  

They say things happen in threes, so after Visa and MasterCard lose Round Two, Round 3 might involve companies such as HomeATM.  

Why HomeATM?  Because we offer the world's ONLY PCI 2.0 certified terminal with PIN Pad specifically designed for eCommerce use.  Even though our process cannot "get hacked" (because our data is never in the clear), we still "jumped through their (PCI) hoops" and got certified, and thereafter we get "slapped" on the wrist most every time we try to get to the (shopping) "basket" on the web.  We've been told that Visa will NEVER allow PIN Debit on the web...which I find hard to believe, based on the recent gaffes in "card not present" security (or the lack thereof).  Put another way...

Online (PIN) Debit for online shoppers is more secure, yet the duo(poly) pushes credit and "offline" debit transactions because of the higher interchange rates (including the EFT networks pushing the infamous "Card Not Present PIN Debit" solution offered by a competitor). 

  • Higher interchange exists because there is higher risk
  • Lower Interchange exists because there is lower risk
  • Software PIN Debit ("Card Not Present PIN Debit Interchange") does NOT exist!!  

At the "rate" they are going (or should I say at their going rate?), I don't see how the dynamic duo(poly) could argue there's a "free market" when it's obviously nothing but a "fee market."  Of course, we'd prefer to work "with" Visa than against them.  That said, I must say: the ball's in their court...but we've "got game!"

U.S. bill could help merchants cut credit card fees | U.S. | Reuters
Thu Jun 4, 2009 3:53pm EDT

By John Poirier

WASHINGTON (Reuters) - Merchants and retailers would be able to negotiate with banks to reduce costs associated with credit card purchases, according to legislation introduced on Thursday by lawmakers in the U.S. House of Representatives.

The measure, called the Credit Card Fair Fee Act, focuses on the so-called interchange fee that restaurants, service stations and other stores pay banks for credit card-related purchases.

Merchants and some lawmakers have complained that merchants and retailers have been blocked from being able to negotiate a fee structure with credit card networks Visa Inc and MasterCard Inc, whose members are banks.

Visa and MasterCard set the fee structure and control almost three-fourths of the volume of transactions on general purpose cards. American Express Co and Discover Financial Services have their own systems.

Store owners and retailers have also complained that banks collude to set the fee structure and block them from being able to negotiate lower fees, even going as far as calling the practice anti-competitive.

Critics have said those fees are passed on to consumers.

Visa and MasterCard have said merchants and retailers do have the opportunity to negotiate lower fees.

"This legislation will give merchants a seat at the table in the determination of these fees," said House Judiciary Committee Chairman John Conyers in a statement.

"It is not an attempt at regulating the industry and does not mandate any particular outcome. This bill simply enhances competition by allowing merchants to negotiate with the dominant banks for the terms and rates of the fees."

Continue Reading at Reuters


Windows XP ATM's Can Steal Your PIN

I blogged about this yesterday, (Malware Allows Complete Control Over ATM) but it's still big news today, so here's a refresher excerpt from today's iTWire:

iTWire - Windows XP cash machines can steal your PIN
by Davey Winder | Friday, 05 June 2009

It is bad enough that the bad guys constantly try and phish your financial data via email and fake websites, now cash machines are getting in on the act.

Trustwave SpiderLabs, an outfit that deals with everything from ethical hacking through to incident response and security forensics, is warning that the bank cash machine network is at risk from a malware attack that collects PIN numbers.

The SpiderLabs team reports that it has been able to perform an analysis of the malware, which had been discovered on compromised East European cash machines running Windows XP.

The malware was able to capture the magnetic stripe data from the private memory space of transaction-processing applications that were installed on these compromised ATMs, along with PIN codes for good measure.

Continue Reading


Yet Another Online Banking Threat - Fake Digital Certificates

New Fake Banking Cert Attacks In Play - eWeek Security Watch
Editor's Note: It dawned on me that I could devote this entire blog to stories about how insecure online banking is, but since we can fix it, I'll stay with the HomeATM PIN Payments Blog. Here's yet another serious threat, this time it's fake digital certificates, that HomeATM would eliminate with our PCI 2.0 Certified SafeTPIN device. Swipe Bank Issued Card, Enter Bank Issued PIN, and you're authenticated. And the data is encrypted and is NEVER in the clear. Keep It Simple indeed.


Researchers with security training experts SANS Institute have reported the emergence of a new wave of attacks seeking to take advantage of trust in online banking sites and digital certificate e-banking security programs.

The involved attacks target customers of Bank of America, asking targets to click through from e-mail borne links to URLs where they are asked to upload new digital certs to protect themselves when e-banking.

Of course, once an end user has clicked on one of the links on the phony BoA pages they are instead infected with malware.

As SANS expert G.N. White highlights in a blog post on the topic, technologically savvy users may be even more likely to fall for the campaigns as they specifically target people who are to some extent educated about, and aware of, digital certs and the role they play in protecting e-banking applications.

At the same time, the example White touts in his post actually tips its own hand by warning users not to worry if after clicking on its links they receive any computer warnings about "potential scripting violations."

How industrious.

Continue Reading at eWeek


Should Banks Use Twitter?

Banks using Twitter need to proceed with caution, experts say
By Marcia Savage, Features Editor, Information Security magazine

Editor's Note:  This story is yet another reason why banks should discard the blatantly obsolete username | password login process and replace it with a secure two factor authentication end to end encrypted login.  They are two-thirds of the way there.  They issue a card, they issue a PIN, now they need to issue their online banking customers a card processing terminal which enables their users to Swipe their bank issued card, enter their bank issued PIN and voila, all these potential threats are eliminated.  Since HomeATM designed, patented and manufactures the world's first and only PCI 2.0 certified PIN Entry Device, made specifically for online eCommerce use, the terminal of choice is a no-brainer.   So if banks want to eliminate phishing entirely (no data means no phish), cloned websites, DNS hijacks, the threat spoken about below, etc., then who are they gonna call?  There's no place like HomeATM!  Here's an excerpt from the article on the latest threat faced by online banking:

"Banks are jumping onto the Twitter bandwagon but experts say financial institutions need to consider the fraud risk and other security issues associated with the micro-blogging site and other social networking services.

Bank of America, Wells Fargo and ING DIRECT are among the many financial institutions using Twitter for marketing, customer service, community outreach, and other activities. According to a recent study by William Mills Agency, an Atlanta-based public relations firm serving financial services, financial institutions of all sizes, including community banks and credit unions, are using Twitter to communicate with consumers.

Types of information shared on Twitter by financial institutions include promotions, replies to followers, personal finance tips, links to industry news, community event news, and personal comments on mundane topics like the weather, the study showed. William Mills looked at 1,176 "tweets" posted by 63 financial institutions in March.

However, banks moving into social networking should proceed with caution, said Jacob Jegher, senior analyst in the banking group at Celent, a Boston-based financial research and consulting firm. Jegher wrote earlier this spring about social networking risks for banks.

The biggest threat, he said, is fraudsters pretending they are a particular bank on Twitter or Facebook in order to steal online banking credentials. For example, a fraudster posing as a bank on Twitter could respond to a customer's question about an account problem by asking for account passwords, Social Security numbers, and other sensitive information. Unsuspecting customers, thinking they're on a legitimate bank Twitter page, could be duped.

"I see that as a huge risk – the social engineering of information out of people," Jegher said. "All it takes is a couple pieces of information and the fraudster can start piecing things together."

Continue Reading (registration required)


That Was Stupid! $10k If You Can Hack This...Oops!

Startup: We'll give you $10,000 if you can hack into our CEO's email.  Oops!  Already?

June 2nd:

A newly launched startup called StrongWebMail is aiming to add a new layer of secure authentication for its customers - phone verification prior to logging in and alert services for potential email compromises.

The company is in fact so confident in its approach that it's currently offering a $10,000 reward to the person who breaks into the CEO's email. To make things even easier, they have in fact provided his user name and password (CEO at; Mustang85).

The catch? Aspiring participants would have to figure out a way to intercept the 3 digit PIN sent over SMS/phone call required for logging in:

“ is offering $10,000 to the first person that breaks into our CEO's email account…and to make things easier, we're giving you his username and password.  There's just one catch: to access a email account, the account's owner must receive a verification call on his pre-registered phone number. So even though you have our CEO's username and password, you still have some work to do because you don't have access to his telephone.”

48 Hours Later... Oops!
June 4th:

A Webmail service that touts itself as hack-proof and offered $10,000 to anyone who could break into the CEO’s e-mail has lost the challenge.

A trio of hackers successfully compromised the e-mail using a persistent cross-site scripting (XSS) vulnerability and are now claiming the bounty.

[ SEE: Email service provider: 'Hack into our CEO's email, win $10k' ]

The hacking team of Aviv Raff, Lance James and Mike Bailey set up the attack by sending an e-mail to the company's CEO Darren Berkovitz.  When he opened the e-mail, the team exploited an XSS flaw to take control of the account.

They were able to follow the contest rules and record a calendar entry for one of Berkovitz's tasks that's due on June 26. Robert McMillan reports that Berkovitz confirmed the authenticity of the calendar entry but StrongWebmail has not yet confirmed the compromise or paid the promised bounty.

The researchers are not sharing details of the vulnerability.  However, James has been posting screenshots of StrongWebmail’s XSS problems on Twitter.

Nightline: Billions Snatched in Credit Card Theft

Nightline produced a story on Credit Card theft, which ran the night before last.  The story told of the billions of dollars stolen by fraudsters, but in my humble opinion, they left an important part of the story by the wayside.  

When fraudsters attack, who gets hurt the most?  Here's a quick excerpt from their story, followed by exactly what I mean by "who gets hurt the most."

Thieves Snatch Billions in Credit Card Identity Theft Scams - ABC News

'Nightline' Tracks Hackers in Underground Identity Theft Chatrooms; How to Protect Yourself


For years, crimes have followed the same age old mantra: wrong place at the wrong time. For someone to commit a crime against someone else, they had to be physically in the same area. But that's no longer the case; it's now easier than ever to be the victim of a crime, particularly identity theft, without even realizing it.

Identity thieves snatch tens of billions of dollars a year through credit card fraud, either outright, or by selling your card information to other crooks across the globe. The perpetrators come from a loosely organized international underworld working beyond the reach of the law and without limits.

"They can sit in an apartment in Kiev ... and steal your identity and you're going to be in a world of hurt," said Dan Clements, founder of Card Cops, a company that has been tracking hackers who buy and sell people's identities. "They blatantly ... trade credit cards. They trade social security numbers. They trade debit card pin numbers."

Card Cops has been tracking hackers' activity for a decade. Crooks from all over the world meet in Internet chat rooms, in what almost looks like an underground stock market. "Credit cards are commodity items," Clements said. "They can go for as little as $2 or $3 for a regular credit card. If you have a platinum card, it may be for $10 or $20. It's big business. They make a lot of money. There are people here that claim to make $20,000 to $30,000 a month selling these resources in these chat rooms."

The chat rooms operate like a commodity floor, where information is openly traded, and the hackers who carry out identity theft usually live in another part of the world.  "It's a global market," Clements said. "It's like a bazaar where you can buy anything at any time."  The Card Cops should know: They entered the business of protecting consumers and merchants from identity theft because many of them were scammed themselves when they worked together at another Internet company.

To help understand how fast a thief can siphon money from an account, ABC News experimentally opened a Visa account. It only took 15 minutes before a hacker got hungry.

"We had a hit from a retailer in Massachusetts," said Clements. The culprit used the credit card number to buy Dominos Pizza. "So there is your charge for $39.76. It looks like some kid might have found the card in this chat room and decided to buy his buddies pizzas."

Continue Reading at ABC News

Editor's Note:  Regarding that $39.76.  Somebody lost $40 bucks.  Who was it?  ABC News didn't take the hit...they are protected by the "Zero Liability" program...introduced by Visa...who also didn't take the hit.  Oh, and the bank that issued the card?  They didn't take the hit either. 

That leaves...Domino's, who got screwed out of not only their $39.76 (and as much as I'd prefer not to call this the "domino effect," it is what it is), but also the cost of the cheese, the sauce, the sausage, the onion, the mushroom, the pizza box, the labor and payroll involved in making the pizza, the gas to deliver the pizza, etc. 

At the end of the day, they lost $40 plus an additional $20+ bucks.  So it's easily a $60 hit. 

There are several groups that have stood up to fight high interchange fees, but here's a suggestion.  Rather than bitch and moan about Interchange, start doing a little b&m'ing about the fact that Visa is pushing a less secure product (signature debit has up to a 15 times higher fraud rate than PIN Debit) which, not coincidentally, also carries a higher interchange fee.  Why would Visa's Signature product be the less secure of the two types (PIN & SIG) of debit products?  

I would make it a point to ensure that argument was all over the House Bill introduced yesterday.  (Credit Card Fair Fee Act Introduced by House)

So the Big Question is simply this:  If Visa stands to "lose nothing" and Visa stands to "make more money" by pushing a "less secure" (Signature Debit) payment product, why on earth would they be interested in pushing a more secure (PIN Debit) payment product? 

The short answer is "they wouldn't." 

So then the next Big Question becomes: Why is PIN Debit outpacing Signature Debit by a nearly four to one margin?  Have the merchants finally realized that there are virtually no chargebacks involved with PIN Debit and Interchange Rates are significantly lower?  Or have consumers become more savvy?  You tell me.  I'd love to hear your comments.      


PIN Debit Growth Nearly 4 Times Higher than Signature Debit

Amid Recession, PIN Debit Growth Far Outpaces Signature

Editor's Note:  I don't see the connection between the recession and PIN Debit usage at all.  In fact, quite the opposite.  Think about it.  Visa and MasterCard attach rewards to "signature" debit, therefore, in a recession, you would think that consumers would want the rewards and SIGNATURE would be outpacing PIN.

Sure, I see the debit over credit recession connection, but cannot digest the PIN over Signature in a recession propaganda.  Now, had the article made the argument that consumers are becoming more wary, (is undesensitized a word?) about payments security, and thus are choosing PIN over SIG, I'd have to wholeheartedly agree.

But, according to research released yesterday by the Pulse EFT Network, PIN Debit grew at nearly four times the rate of signature debit between July and December, which is when the recession kicked in.  Here's a blurb from DTN...

This, from John Stewart's Digital Transactions:
"While the recession is making an impact on consumer spending generally, PIN debit card usage is faring considerably better than that of signature debit.

PIN debit transactions by consumers grew 15% between July and December, the period during which the economic downturn began making itself felt, nearly four times the rate of growth for debit transactions secured with a signature, according to research released on Thursday by the Pulse electronic funds transfer network.

The study, conducted for the Houston-based network by consulting firm Oliver Wyman Group, also found that fraud rates on debit card transactions are falling; that usage of debit cards for bill payments, including online PIN-less payments, is registering significant numbers; and that awareness of a wide range of alternative-payment methods is very high among bank card executives. Also, the study shows steadily rising adoption by banks of mobile-banking technology."

Continue Reading at Digital Transactions

