Tuesday, June 16, 2009

Credit Card Processors Fail To Ensure Security For Consumers

Banks and other financial firms that deal with consumer credit card information are lacking proper security measures despite meeting industry standards, according to an investigative report from the Associated Press on Monday.
When it comes to credit card security details, it is up to the banks and other financial firms to ensure that proper precautions are being taken. However, an AP investigation of security breaches dating to 2005 found that rules are “cursory at best and all but meaningless at worst.”
The group gained most of its data from the Open Security Foundation list-serve. What’s more, processors that comply with official Payment Card Industry (PCI) security standards are still susceptible to hacking activity resulting in credit fraud.

“Credit card providers don't appear to be in a rush to tighten the rules,” according to AP investigators. 

“They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost.”

Editor's Note: Low cost to whom?  Stricter security would take a huge bite out of the profits made from Interchange Fees.  I'd replace "low cost" with "fees."

Here's a Quick Interchange 101 Lesson:

The less secure the payment is, the higher the Interchange Fees (higher fees = higher profits)
The more secure the payment is, the lower the Interchange Rate (lower fees = lower profits)

Do the math.  It doesn't take a rocket scientist to figure out why credit card providers consider "fraud to be a cost of doing business."  That was one of my bullet points (5th paragraph) in yesterday's message (box on left).

Put it this way.  If the "gears of the payment system" were truly built on speed, convenience and low cost, then consider the following (when it comes to paying online for eCommerce transactions):

  • I would argue that it is 14-16 times "faster" to swipe your card "once" vs. "manually entering 14-16 digits" of a payment card, followed by a 6 digit expiration date, and finally, the 3 digit CVV code on the back of the card. (One swipe vs. THREE steps and 23-26 numbers is faster, agreed?)
  • Therefore, by definition, it would be at least 3, if not 23-26 times "more convenient" as well.
  • It may not be 23-26 times lower in cost, but it is about 100 basis points lower cost to the merchant.

So, I'm not buying the "sand on the gears" analogy.  The story continues:

The AP reported on a massive data breach that took place at a supermarket chain. Hackers installed software on Hannaford's servers that stole critical consumer data that was en route to the banks after making purchases. Two major breaches have taken place since then, both of which involved companies that met PCI standards – Heartland Payment Systems and RBS WorldPay Inc.  WorldPay lost more than 1 million Social Security numbers to hackers.

Avivah Litan, a Gartner Inc. analyst, told the AP that retailers and payment processors have invested more than $2 billion in order to meet PCI standards. The industry claims that about 93 percent of large firms and 88 percent of mid-sized firms in the US are compliant with PCI security standards.

Read the Entire Article

On the Net:
PCI Security Standards
Privacy Rights Clearinghouse
PIN Payments Blog

Source: redOrbit Staff & Wire Reports

Atmel, HomeATM Collaborate, Safe-T-PIN Now PCI 2.0 Certified

The Green Sheet 2.0 :: Newswire
San Jose, Calif., June 15, 2009 -- Atmel® Corporation (Nasdaq: ATML) and HomeATM announced today that the recent Payment Card Industry (PCI) 2.0 certification of HomeATM’s Safe-T-PIN™ is the result of an efficient collaboration between the two leaders on their markets. HomeATM’s Safe-T-PIN, powered by Atmel’s AT91SO25 secure microcontroller, is the first ever Internet PIN Entry Device (PED) to achieve such certification.

Atmel’s AT91SO25 dedicated features and Common Criteria EAL4+ security certification were instrumental in obtaining this first PCI 2.0 certification. This product is offered in a compact BGA144 package which brings high security and extended connectivity in a small footprint. Safe-T-PIN provides secure two factor authentication for e-commerce transactions and secure log-in.

Based on the ARM® 32-bit SecureCore™ SC100 CPU core, Atmel’s AT91SO devices are suited for highly secure systems such as card payment terminals. They achieve an outstanding level of integration of a wide array of peripherals. They feature 256 KB of EEPROM, 100 KB of RAM and 32 KB of ROM, cryptography engines to accelerate DES/TDES, AES, SHA-n, RSA, elliptic curves as well as many flexible interfaces such as USB, SPI, UARTs, GPIOs, magnetic stripe and smart card interfaces. All devices are the only ones on the market to be certified Common Criteria EAL4+.

Kenneth Mages, CEO at HomeATM stated, “PCI 2.0 specifications are much more demanding than the previous versions when it comes to protecting a POS system. The choice of Atmel’s AT91SO25 Secure System-On-Chip has been really helpful to speed up and achieve our product certification and to ensure our unique E2EE (end to end encryption).”

Olivier Debelleix, Atmel’s Marketing Manager for Embedded Security commented, “Our AT91SO products for secure systems have been used in many POS applications that have been certified towards previous versions of the PCI standard. HomeATM’s PCI 2.0 certification demonstrates our products help to cope with the increasing demand for embedded security.”

About Atmel

Atmel is a worldwide leader in the design and manufacture of microcontrollers, advanced logic, mixed-signal, nonvolatile memory and radio frequency (RF) components. Leveraging one of the industry's broadest intellectual property (IP) technology portfolios, Atmel is able to provide the electronics industry with complete system solutions focused on consumer, industrial, security, communications, computing and automotive markets.

© 2009 Atmel Corporation. All Rights Reserved. Atmel®, Atmel logo and combinations thereof, and others are registered trademarks or trademarks of Atmel Corporation or its subsidiaries. ARM® and others are registered trademarks or trademarks of ARM Ltd. Other terms and product names may be trademarks of others.

About HomeATM

HomeATM owns a global patent for secure Internet PIN based transactions. Leveraging our E2EE PCI 2.0 PED certified solution, a merchant or remitter can move funds from their bank account or open loop/closed loop payment card in real-time. Utilizing HomeATM's patented solution with a bank issued card alleviates the burden for merchants to address fraud issues as HomeATM leverages the issuing bank's KYC/AML (Know Your Customer/Anti-Money Laundering) protocols. No other payment solution serves Person-to-Person, Business-to-Consumer, Business-to-Business, and Mobile Payments with the speed, security and cost-effectiveness of HomeATM. HomeATM is EMV ready and already enjoys strategic relationships with Cardinal Commerce and UATP.

For further information on Atmel’s Secure System-On-Chip family, go to: http://www.atmel.com/dyn/products/devices.asp?family_id=700 .

For more information about HomeATM’s product, visit www.homeatm.net .

Source: Company press release.

Weak Security = Credit Card Hacks

Weak security enables credit card hacks


Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.

And while you may take steps to protect yourself against identity theft, an Associated Press investigation has found the banks and other companies that handle your information are not being nearly as cautious as they could.

The government leaves it to card companies to design security rules that protect the nation's 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst, according to the AP's analysis of data breaches dating to 2005.

It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you'll spend weeks straightening your mangled credit, though you can't be held liable for unauthorized charges. Even if your transaction isn't hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud.

Continue Reading

Introducing NetPay from Noteworthy Medical Systems

Noteworthy Medical Systems introduces NetPay

Phoenix, June 16, 2009 -- Noteworthy Medical Systems, Inc., a leading provider of connected healthcare technology solutions for the ambulatory sector, announced today the release of NetPay, a web-based application that integrates with NetPracticePM(TM) to enable physicians' offices to collect all patient payments at the point of service when patients are still in the office.

Delinquent and uncollectible patient accounts are an increasing reality in today's healthcare practices. With the changing costs of healthcare, patients are bearing responsibility for more of their healthcare costs, meaning physicians must collect more from their patients. Physicians typically receive payment for services directly from health insurance carriers; this third-party payer model does not address delinquent patient accounts.

Powered by mPay Gateway, NetPay electronically collects deductibles, out-of-pocket patient payments and co-pays before the patient leaves the office. The software captures patient payment authorization at the point of service for automatic and immediate collection of patient balances upon receipt of a remittance advice from the patient's insurance -- typically 30 days later. This occurs without the practice ever sending a bill to the patient. According to John Wallace, senior vice president for mPay Gateway, "NetPay speeds the patient payment and collection process -- saving practices time and money -- by actually preventing the overdue and uncollectible patient accounts that are so costly. We have seen practices cut their patient payment receivables in half using the mPay Gateway product."

Integrating the NetPay application with NetPracticePM simplifies implementation and the time to go live. "We're excited to offer this much-needed functionality to our NetPracticePM clients as part of our NetTools productivity suite," said Dianna Santillanes, product manager for Noteworthy's practice management software. "It integrates seamlessly into NetPracticePM and simplifies the whole payment process. It brings unprecedented benefits to all our customers."

About mPay Gateway, Inc.

mPay Gateway develops financial technology products and services to support healthcare's complex and unique payment environment. mPay Gateway empowers healthcare providers with a single-source payment solution that enables collections from patients regardless of the patient's third party payer affiliation. mPay Gateway is a PCI certified acquiring card processor. For more information, visit www.mpaygateway.com .

About Noteworthy Medical Systems, Inc.

Noteworthy Medical Systems, Inc., is a privately held company founded in 1996 that offers a comprehensive suite of tools to effectively manage and facilitate care in the ambulatory setting. Noteworthy's sophisticated applications support doctors' offices as well as provide the technology to connect physicians, hospitals and healthcare communities for improved care and communication. For more information, call 877.891.8777 or visit www.noteworthymedical.com .

Source: Company press release

Interchange Wars

Two More Congressional Bills Aim at Interchange Regulation

(Digital Transactions) U.S. Sen. Richard Durbin’s introduction this week of a Senate companion to U.S. Rep. John Conyers Jr.’s Credit Card Fair Fee Act of 2009, along with a little-noticed bill introduced last month in the House, bring to three the number of interchange bills pending in the Democrat-controlled Congress. And while the bill from Conyers, the Michigan Democrat who chairs the House Judiciary Committee, has received most of the publicity (Digital Transactions News, June 8), the bills from Durbin and U.S. Rep. Peter Welch, D-Vt., may represent the more serious threats to the bank card status quo.

The Welch bill, H.R. 2382, would ban the card networks from setting higher interchange rates for premium cards than for non-premium cards. Welch’s bill also would overturn many of the networks’ longstanding rules to prevent merchants from discriminating against card-using customers.

And Durbin’s bill, S. 1212, revives the idea of federal payment-system judges to oversee interchange rate setting between merchants and the card networks. Conyers first proposed payment judges in his original draft last year, and Durbin, the Senate majority whip, followed suit in his chamber. They dropped the idea during the legislative process. Under Durbin’s new bill, the U.S. attorney general and the chairman of the Federal Trade Commission would appoint three judges who would oversee a rate-setting process that would kick in if merchants and networks couldn’t reach voluntary agreements on interchange after three months of negotiation.

Continue Reading at Digital Transactions

Credit Card Issuers Slashing Card Balances

June 16, 2009
Credit Issuers Slashing Card Balances

The banks were bailed out last fall, the automobile companies last winter. For Edward McClelland, a writer in Chicago, deliverance finally arrived a few days ago.

Mr. McClelland’s credit card company was calling yet again, wondering when it could expect the next installment on his delinquent account. He proposed paying half of his $5,486 balance and calling the matter even.

It’s a deal, the account representative immediately said, not even bothering to check with a supervisor.

As they confront unprecedented numbers of troubled customers, credit card companies are increasingly doing something they have historically scorned: settling delinquent accounts for substantially less than the amount owed.

The practice started last fall as the economy worsened. But in recent months, with unemployment topping 9 percent and more people having trouble paying their bills, experts say this approach has risen drastically.

They say many credit card issuers have revised internal guidelines to give front-line employees the power to cut deals with consumers. The workers do not even have to wait for customers to call and ask for a break.

“Now it’s the card company calling you and saying, ‘Let’s talk turkey,’ ” said David Robertson, publisher of the credit industry journal The Nilson Report.

Only a few creditors are willing to confirm the practice. Bank of America and American Express say they decide on a case-by-case basis whether to accept less than the full balance. Other card companies refuse to discuss the subject, but their trade group, the American Bankers Association, acknowledges that settlements are becoming more common.

The shift comes as the financial services industry finds itself losing some of its legendary power. A credit card reform bill that makes it harder to raise rates on existing balances and prevents certain automatic fees flew through Congress and was signed by President Obama in late May.

Borrowers still have a crushing amount of debt to deal with, however.

Revolving credit, a close approximation of credit card debt, totaled $939.6 billion in March. The Federal Reserve reported that 6.5 percent of credit card debt was at least 30 days past due in the first quarter, the highest percentage since it began tracking the number in 1991. The amount being written off was also at peak levels....

Continue Reading at the New York Times

European Retailers Hit Visa with Antitrust Lawsuit

Is House of Cards Falling In on Visa?

Visa Europe Faces Antitrust Complaint From Retailers (Update2) - Bloomberg.com
By Peter Chapman and Matthew Newman

(Bloomberg) -- Visa Europe Ltd., operator of the largest payment-card network in the 27-nation European Union, faces a formal antitrust complaint from EuroCommerce, a group representing retailers.

A transaction fee paid by retailers, which is set by Visa and its member banks, breaks EU antitrust rules, EuroCommerce, whose members include Carrefour SA and Tesco Plc, said in an e-mailed statement today. The so-called interchange fee is paid by the retailer’s bank to the bank that issued the customer’s card.

“The Visa interchange fee procedure is completely unfair,” said Xavier Durieu, secretary general of EuroCommerce, in the statement. “Retailers are forced to pay for a range of services from which they do not benefit. Bank rates are the only services which retailers, even the largest ones, are not able to negotiate.”

Visa Europe already faces charges sent in April by the European Commission, the EU’s antitrust regulator. The company’s fee guidelines may prevent competition among Visa-issuing banks and drive up the costs for businesses accepting credit cards, the commission said. Companies can be fined up to 10 percent of annual sales for antitrust violation.

Continue Reading at Bloomberg News

Metavante Becomes First European Processor to Offer MasterCard rePower

LONDON - (Business Wire) Metavante Technologies Limited, one of Europe’s leading providers of prepaid and debit card outsourcing, today announced the first live implementation of MasterCard® rePower™, the point-of-sale reload service for MasterCard® and Maestro® prepaid cards in Europe. The announcement was made today at the Prepaid 09 Conference and Expo in London, sponsored in part by MasterCard and Metavante.

MasterCard rePower leverages the extensive MasterCard merchant infrastructure through its acquiring partners to deliver a European network of top-up locations for prepaid MasterCard and Maestro cards. Metavante has been working closely with MasterCard and will be the first processor in Europe to complete the implementation which will service Advanced Payment Solutions’ (APS) range of prepaid card programmes. A leading European prepaid card provider, APS outsources the processing of all of its card programmes to Metavante.

Speaking about the implementation, Rich Wagner, chief executive officer of APS said, “We have been a processing customer of Metavante since launch and are delighted with their ability to move quickly to bring new products and services to market. MasterCard rePower will make it quick and easy for our customers to top up their prepaid cards.”

Commenting on the implementation, John Yeomans, president of Metavante Technologies Limited said, “This is a major step forward for the prepaid card industry. One of the most significant hurdles for any issuer in providing customers with high utility prepaid products is the provision of widely available reload points. MasterCard rePower allows our card issuers and programme managers to do just that, and the return on investment of their card programmes is likely to improve as a result.”

Yeomans continued, “The implementation of MasterCard rePower is yet another demonstration of the leading role we play in the prepaid market. MasterCard rePower is the latest in a long line of technology and service innovations that we have rolled out for the benefit of our card issuers and programme managers and their cardholders.”

About APS

Advanced Payment Solutions Ltd (APS) is a leading European prepaid card (http://www.mycashplus.co.uk/) provider and employs one of the most experienced prepaid card teams in the industry. APS’ primary offer is the cashplus prepaid Gold MasterCard®, a personalised, embossed, Chip and PIN prepaid MasterCard card. Find out more about APS at www.apsgroup.com.

About MasterCard Worldwide

MasterCard Worldwide advances global commerce by providing a critical economic link among financial institutions, businesses, cardholders and merchants worldwide. As a franchisor, processor and advisor, MasterCard develops and markets payment solutions, processes approximately 21 billion transactions each year, and provides industry-leading analysis and consulting services to financial-institution customers and merchants. Powered by the MasterCard Worldwide Network and through its family of brands, including MasterCard®, Maestro® and Cirrus®, MasterCard serves consumers and businesses in more than 210 countries and territories. For more information go to www.mastercard.com.

About Metavante Technologies Limited

Metavante Technologies Limited (www.metavantetechnologiesltd.com) is a leading European debit and prepaid card payments processor. Providing both licenced processing software and fully outsourced processing solutions, Metavante Technologies Limited has clients in over 30 markets across the EMEA region. On 10 January 2008 Metavante Technologies Limited, formerly Nomad, was acquired by Metavante Technologies, Inc. (NYSE:MV), the U.S.-based parent company of Metavante Corporation (www.metavante.com). Metavante Corporation delivers banking and payments technologies to approximately 8000 financial services firms and businesses worldwide. Metavante products and services drive account processing for deposit, loan and trust systems, image-based and conventional cheque processing, electronic presentment and payment, outsourcing and payment network solutions including the NYCE Network, a leading U.S. ATM/PIN debit network.

Metavante Technologies Limited is a subsidiary of Metavante Corporation, which is the principal subsidiary of Metavante Technologies, Inc. Metavante and NYCE are registered trademarks of Metavante Corporation.

All other trademarks are the property of their respective owners.

NFL Doesn't Want Your Bets

NFL Doesn't Want Your Bets - WSJ.com
Some of the National Football League's founders were gamblers. The league draws more wagers in the U.S. than any other sport. It recently authorized its teams to sell their logos to state lotteries. But when it comes to letting states expand sports betting, the NFL has made its position clear: Not now, not ever.

The NFL, which says it will earn $8 billion in revenue this year, is threatening to file a lawsuit against the state of Delaware, where the supreme court unanimously concluded last month that parlays -- bets on the outcome of two or more events -- are constitutional, opening the door, as early as this fall, for the state to host what would be the first legal sports books outside of Nevada.

Experts on gambling say the decision could have a domino effect. Last month, New Jersey Gov. Jon Corzine threw his weight behind a federal lawsuit that could pave the way for legalized sports betting in Atlantic City and a spokesman for Pennsylvania Gov. Edward Rendell says he's following the suit with "keen interest."

Delaware Gov. Jack Markell, who announced the plan in March, says the games could bring in as much as $55 million in tax revenue and would help cover the state's projected $800-million budget shortfall for the fiscal year that begins July 1. The governor says he has received several letters from NFL Commissioner Roger Goodell as well as a surprise visit from an NFL representative, who met him in a hallway at the capitol last month and, he says, "urged me not to go forward with this."

The league is considering filing a lawsuit, depending on which types of sports betting Delaware decides to offer.

Continue Reading at The Wall Street Journal

Strong Authentication focus of Cartes 2009

ContactlessNews | Strong authentication focus of Cartes 2009

CARTES & IDentification 2009 is turning the spotlight on strong authentication. Exhibitors will present solutions for meeting today’s security needs in the field of the Trusted Internet. The theme of the fight against cybercrime will also be addressed.

The IDentification trade show will be held alongside CARTES and will bring together players offering solutions and technologies related to biometrics, securing of documents and transactions, authentication, physical and logical access control, cryptography, RFID, as well as electronic government procedures.

Following on from the United States, Russia is the focus of CARTES & IDentification in 2009. Use of cards has become more widespread over recent years and deployment of equipment at point of sale is accelerating. The Russian exhibitors present will demonstrate the sector’s dynamism.

The conference will also look at contactless payments becoming a reality in France. The interest and enthusiasm generated by NFC over recent years has concentrated on the possibility of transferring credit and debit cards to mobile phones to make contactless payments. However, the complexity of setting up standardized and secure NFC systems, as well as the need for the various players to agree on the service model, has delayed a wide-scale launch of contactless payment in France. 

PULSE: How to Fight Financial Fraud and IDT

PULSE’s Awareness Month Equips Consumers to Fight Financial Fraud and Identity Theft

June is PULSE ATM & Debit Card Safety Awareness Month

HOUSTON--(BUSINESS WIRE)--As a follow-up to its ATM and debit card safety tips released earlier this month, today PULSE made available recommendations to combat financial fraud and identity theft.

Even in today’s increasingly digital world, where electronic transactions and online banking are commonplace, many individuals continue to utilize paper statements and documents in connection with financial services. Both formats can provide avenues for criminals to take advantage of unknowing consumers.

“Debit and other electronic payments have become a part of our everyday lives, but it is still a good idea for consumers to take precautions with their payment cards, financial statements and other private information,” said Steve Sievert, PULSE senior vice president. “By adopting these practices, consumers have a better chance of avoiding financial fraud and identity theft.”

Important steps that can help you prevent or minimize fraud losses, and reduce your chances of being a victim of identity theft, include:

  • Monitor your accounts frequently for suspected fraudulent or unauthorized activity.
  • Shred all financial documents and records before disposing of them.
  • Never use your PIN as a password.
  • Destroy unused or expired debit, ATM and credit cards.
  • Remove mail promptly from your mailbox.
  • Match receipts to monthly billing statements.
  • Memorize PINs, passwords and Social Security numbers.
  • Use longer, more complex passwords and PINs, and change them periodically.
  • Sign all debit and credit cards immediately upon receipt.
  • Notify account providers of address changes in advance.
  • Immediately report a lost or stolen card and any unauthorized activity on any account.

PULSE assists financial institutions in protecting debit cardholders by providing safety materials and statement inserts, and by sponsoring the debit awareness site, www.DebitFacts.org. The site features a new video about ATM safety precautions, in recognition of ATM & Debit Card Safety Awareness month, and provides further details about how you can maximize the value of your debit card, keep your finances safe and secure, and manage your money for every stage of life.

For additional information on protecting your debit card and your financial information, visit www.pulsenetwork.com/safety. To follow DebitFacts.org on Twitter, visit www.twitter.com/debitfacts.


PULSE is one of the nation’s leading ATM/debit networks, currently serving more than 4,500 banks, credit unions and savings institutions across the country. PULSE is owned by Discover Financial Services (NYSE:DFS). The network links cardholders with more than 289,000 ATMs, as well as POS terminals at retail locations nationwide. The company is also a valued resource for industry research related to electronic payments and is committed to providing its participants with education on evolving products, services and trends in the payments industry. For more information, visit www.pulsenetwork.com.

Is Cell Phone Safest Way to Bank Online? In a word, No!

Safest Way to Bank Online? Your Cell Phone
Here's an article which essentially says, everybody knows how to steal information from PC users, but cell-phones aren't breached as much, so your chances are better if you use a cell phone for online banking.  I had to chuckle and couldn't help but think that the equivalent of what they are saying is thus:

"When you leave your keys in your ignition, the likelihood of your car being stolen is higher than if you put them in your glove compartment...so put them there."  The statement may be true, but putting your keys in your glove compartment probably isn't a good idea either.

At the end of the day, if you type, the bad guys can swipe.  So convincing me to use my cell phone for online banking is, well, a hard cell.

Here's an excerpt from the article:

So you want to bank safely online? Then ditch your computer and make the transaction via your cell phone instead.

Using a mobile handset for this most sensitive online act might sound counterintuitive, given that phones are prone to being lost or stolen, but your cell phone might actually be safer than your computer for paying bills or checking your statement online.

Some phone malware does exist, and examples tend to make headlines due to their novelty. But the main threats to online security, such as keyloggers, Trojan horses, and other data-stealing software, don't exist for phones--yet.

Editor's Note:  If some phone malware already exists, do you really believe that when the "masses" start using phones to online bank the hackers won't focus on ways to breach that technology?  If keyloggers can steal PII (personal identification information) because users "TYPE" using a keyboard, don't you think they can do the same when you "pick n peck" information into your phone's handset?  Let's be realistic here.  What's the common denominator between a PC and a phone?  If you said they both use web browsers, then you'll understand why data needs to be entered and encrypted "outside" the browser space.  HomeATM has a device that does exactly that for the PC and HomeATM has also engineered a device that will do it for smart phones.

"The risk of being infected on a mobile phone is tiny in comparison [with a PC]," notes the security firm Sophos in its annual threat report.

Cell phones dodge malware because they run many different operating systems. 
Security experts agree that crooks stand to steal much more by investing their time in writing a new Windows virus that is capable of infecting millions of PCs than in constructing a Trojan horse that can target only a certain type of phone.  (Editor's Note:  Watch how quickly that will change as people trade in the cell phones for "Smartphones."  By the way, the prediction is that Smartphone sales worldwide will surge.  See chart on left.)  In fairness, the article does go on to point out that it's only speaking about "for now." Not the future...

Android Danger

But that may change. Google is hard at work on its Android phone OS, and iPhones make their way into more and more pockets and purses daily. So while phone OS consolidation holds great promise for better apps and services, it could also make phones more of a target (for hackers).

The fact that little mobile malware exists does not mean that cell phones are completely safe, of course. Banking and payment systems require passwords and/or PINs, so someone can't just pick up your phone and start transferring money out of your account. (Editor's Note:  Unless they obtained the PAN and the PIN via phishing, smishing or some yet to be developed hack.) But there's still plenty of personal information that someone could obtain through your phone.

Phishing--the other big threat to online financial security--may be even more dangerous for phones than for computers.
If you read e-mail on a smart phone, you'll see phishing messages. And whereas on the desktop both Internet Explorer and Firefox employ built-in antiphishing protections, mobile browsers do not.

"You don't have all the antiphishing toolbars" for a mobile browser, says Dave Jevans, chairman of the Anti-Phishing Working Group. Also, some rare attacks twist the traditional phishing message to target mobile phones. Dubbed "smishing" or "vishing" for their use of SMS messages or VoIP systems, such scams may send a phone a text message containing a warning about a credit card account. If you call the number included in the message, an automated VoIP system prompts you to enter your credit card number, for example.

If mobile banking and personal payments catch on, phone-specific risks with malware and phishing may go up as well.
(Editor's Note:  "may go up?") "The expectation is that we will see more malicious applications on devices," says Samir Kumar, group product planner for mobile communications business with Microsoft. But for now, he says, the greatest danger arises when phones are lost or stolen.

Read the Complete Item Here, read how we secure smart phones for financial transactions below:
Attach and Swipe One-Time, Your Smartphone is Forever Enabled as a Secure Payments Device!

Financial Services Have Lost Battle Over PII (Personally Identifiable Information)

Can Financial Institutions win the war?  Yes...If they arm their users with "weapons of mass phishduction."  PII is out...but PIN is SAFE at Home.
NEEDHAM, Mass., June 16 /PRNewswire/ -- A new research report by TowerGroup declares that the financial services industry has lost the battle to protect consumers' personally identifiable information (PII) data. TowerGroup's George Tubin points out that in light of the loss or theft of hundreds of millions of data records containing PII, the financial services industry must consider the ramifications of past, present and future data losses.

The report indicates that despite significant US media attention, increased state legislative demands, negative customer reaction and substantial costs associated with consumer data loss, millions of customer data records continue to be lost or stolen every month.

Financial institutions must now assume that all of their clients' and prospects' personal information has been compromised or will be. Over 100 data breach incidents containing millions of data records were reported in just the first four months of 2009.

Recent instances include hackers accessing a Federal Aviation Administration system and the theft of laptops from the Dezonia Group. Compromised PII has a crippling impact on businesses and consumers.

"While greater access to customer data is key for businesses to improve customer relationship management and business processes, there will always be repercussions, including the possibility of personal data landing in the hands of the wrong parties," said George Tubin, Senior Research Director for Financial Information Security at TowerGroup. "However, while the battle to protect data has been lost so far, TowerGroup firmly believes that the war can be won."

TowerGroup recommends the following guidelines for financial services institutions to curb the use of compromised PII to commit financial fraud:

  • Assume that traditional account information such as a client or prospect's name, social security number, address, telephone number, date of birth and account balance are useless as authentication factors. Instead, consider using knowledge-based authentication and one-time passwords delivered via Short Messaging Service (SMS).  Editor's Note:  How about a 2FA (two-factor-authentication) device enabling users to swipe their card (something they have) and enter their PIN (something they know) mirroring ATM use access?
  • Implement an integrated, cross-channel fraud prevention strategy that detects and diagnoses possible use of fraudulently obtained PII in real time and across all business practices.
  • Continually evaluate and evolve fraud prevention approaches because smart fraudsters constantly change their means and tactics for breaking security systems and stealing data.

TowerGroup recommends that, concurrently, government regulators implement meaningful data breach prevention requirements and penalties that compel businesses to actually protect data. Until legislative and regulatory bodies implement these penalties, data loss incidents will persist and worsen. Highly effective and usable data loss prevention practices and technologies are readily available to all businesses but are grossly underutilized.

The TowerGroup Research Note titled "Protecting Personal Information: We Lost the Battle, Can We Win the War?," is available to members of the press for review. To request a copy of or to arrange an interview with Mr. Tubin, please contact Lisette Kwong at 212-642-7753 or lisette.kwong@edelman.com.

The research report may also be purchased online at the TowerGroup Store via credit card by using this link: http://store.towergroup.com/index.asp?PageAction=VIEWPROD&ProdID=656.

About TowerGroup: TowerGroup is the leading research and advisory services firm focused exclusively on the financial services industry. A respected source for trusted information and advice, TowerGroup brings many of the world's leading financial institutions, technology companies, and professional services firms a deeper understanding of the business and technology issues impacting their organizations. Headquartered near Boston in Needham, Massachusetts, and with offices in North America and Europe, TowerGroup serves a global client base.

Visit www.towergroup.com for more information.
Lisette Kwong
Edelman for TowerGroup

SOURCE TowerGroup

Online Bill Payment Households to Increase to 63 Million - Forrester

US Electronic Bill Payment And Presentment Forecast, 2009 To 2014
Preparing For The Rise Of The Biller-Direct Generation - Forrester Research

This is the first document in the "2009 US Online Banking And Bill Payment Forecast" series.

by Edward Kountz
with Vikram Sehgal, Benjamin Ensor, Courtney Tincher

Executive Summary (This is a document excerpt)

Between 2009 and 2014, the total number of US online bill payment households will increase from 48 million to 63 million. Despite the early gains of direct billers, Forrester believes that bill consolidators like banks have a slight advantage in a maturing market. Nevertheless, bank eBusiness executives must secure this edge through cultivation of solid bill payment relationships with young affluents and other young adults, who are significantly more likely than the average online user to pay via billers' sites. eBusiness executives must also invest in tools supporting the shift from a focus on adoption alone to one that encourages activation and repeat usage.
By 2012, consolidators’ share of the online bill payment market will surpass direct billing by merchants for the first time, according to Forrester.

Here's their press release:
Jun 16, 2009, 8:00 a.m. EST

Forrester Forecast: 63 Million US Households To Pay Bills Online By 2014

Banks Must Cultivate Relationships With Young, Affluent Consumers To Retain Market Lead

CAMBRIDGE, Mass., Jun 16, 2009 (BUSINESS WIRE) -- The number of US households paying bills online will grow from 48 million this year to 63 million by 2014, according to a new forecast by Forrester Research Inc. The 5.4 percent compound annual growth rate reflects a maturing market where growth rates will shrink in the years ahead, but it also reflects a market that is not yet saturated. The top-line, five-year forecast is available to Forrester RoleView(TM) clients; subscribers to Forrester's ForecastView receive more detailed forecast data.

Forrester sees a shift in the online bill payment market as more consumers turn to banks and bill payment consolidators like Yodlee and Corillian because of several factors, including: the convenience of having multiple bills aggregated at a single Web site, the elimination of bill payment fees, and innovative marketing efforts to drive adoption. By 2012, consolidators' share of the online bill payment market will surpass direct billing by merchants for the first time.

Young consumers -- especially young affluent consumers -- will be a key battleground among financial services firms as the market matures. To date, this generation has shown less of an interest than older consumers to use aggregators such as banks for their online bill payment.

"eBusiness executives at banks need to work to establish earlier and stronger bill payment relationships with young affluents and other young adults," said Forrester Senior Analyst Edward Kountz. "To strengthen their position and better support these customers, banks need to add more payment options, deploy online and mobile alerts with greater visibility, and continue to hammer home the message that online bill payment is free."

The Forrester report "US Electronic Bill Payment And Presentment Forecast, 2009 To 2014" is currently available to Forrester clients and can be purchased directly at http://www.forrester.com/go?docid=54120.

About ForecastView

ForecastView is a syndicated subscription service that provides access to up to 40 forecasts across North America and Western Europe. Clients receive detailed forecast data and important market metrics that they will not get through research reports alone. In addition, they also have unlimited Inquiries with a forecast analyst. Forrester analysts employ a unique methodology that includes deep, consumer demand-side data along with supply-side metrics from proprietary company and industry sources. ForecastView forecasts provide insights into the development of online, mobile, and emerging technology markets. More information about ForecastView is available at http://www.forrester.com/consumerdata/forecastview.

About Forrester Research

Forrester Research, Inc. is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 19 key roles at major companies providing proprietary research, consumer insight, consulting, events, and peer-to-peer executive programs. For more than 25 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit www.forrester.com.

(C) 2009, Forrester Research, Inc. All rights reserved. Forrester is a trademark of Forrester Research, Inc.

HomeATM Press Release

HomeATM 1 of 9 companies selected by Finovate Audience to Demonstrate Financial Innovations


Swipe Don't Type!

PRLog (Press Release)
Jun 16, 2009 – (PIN Payments News Blog) HomeATM Showcases its Person to Person Money Remittance at FinovateStartup09


HomeATM ePayment Solutions conducted a live, on-stage demonstration of its real time person-to-person (P2P) money transfer product at the FinovateStartup09 conference in San Francisco.  HomeATM was one of 9 companies selected by the audience to present at the FinovateStartup 09 conference, which showcases demonstrations of technology innovation in banking and financial services.

HomeATM's on-stage demo was actually a real time money transfer using HomeATM's PCI 2.0 certified SafeTPIN PIN Entry Device.  The live onstage demonstration was conducted by HomeATM COO, Mitch Cobrin and John B. Frank.  To see the live demonstration online, please visit: http://HomeATMBlog.com where it is located in the left sidebar.

“HomeATM transactions are simple, fast and easy for purchases millions of consumers make every day,” said John B. Frank, VP of Sales for the company.  “We were honored to be selected by the audience and excited to present our technology to the banking community attending FinovateStartup 09.”

HomeATM provides consumers, online retailers and financial institutions with the most secure way to conduct e-Commerce transactions available.  Our SafeTPIN is the world's first and only PCI 2.0 certified PIN Entry Device designed specifically for eCommerce use," said Frank.

In addition to real-time money transfers, HomeATM's SafeTPIN PIN Entry Device 100% replicates the 2FA (two-factor authentication) process utilized by ATM's.  "Banks issue the card, banks issue the PIN, now banks have the opportunity to issue a PCI 2.0 Certified Card Reader and PIN Entry Device.

"With our 2FA fob, consumers swipe their card, (something they have) and enter their PIN (something they know) and there is not a more secure way to log-in to online banking websites," Frank continued. "Banks will be happy to know that HomeATM has created a product with a price point that affords banks to give away our device as a promotional item."  "It completely eliminates the threats created by phishing, cloned websites and DNS hijacking, among other threats," said Frank.

The cardholder data is instantaneously encrypted inside our device and the PIN is end-to-end encrypted, thus the data is never in the clear, preventing phishing completely.  "If consumers don't type, phishers can't swipe," Frank continued, "It really is as simple as that."

Banks distributing HomeATM's SafeTPIN receive recurring revenue from HomeATM transactions.

FinovateStartup is organized by Online Financial Innovation, a bank technology research firm based in Seattle, Washington.  Select companies have seven minutes on stage for a demonstration of their best products or services. Categories include: money transfer, alternative payments, mobile banking, bank/lending platforms, person-to-person (P2P) lending, bill payment, B-to-B financial services, financial security, Web 2.0 investing, online PIN debit and next-generation online banking platforms.

About HomeATM

HomeATM engineered and now manufactures the "first and only" PCI 2.0 Certified PIN Entry Device specifically designed for eCommerce.  It provides users with secure two-factor authentication (2FA) for secure log-in and enables the user to securely purchase goods online by swiping their credit card or debit card and entering their PIN. HomeATM uses 3DES end-to-end encryption and utilizes DUKPT key management to protect the cardholder's valuable data.  By swiping, instead of typing card information, consumers are protected from imminent dangers lurking on the web, including, but not limited to: malicious code, key-loggers, screen-scrapers, bots, malware, etc. HomeATM also provides real-time money transfers with its proprietary application.  For more information, please visit The HomeATM Blog at: http://PINDebit.blogspot.com

# # #
