Wednesday, July 1, 2009

More on the Spider and the Fly

As I stated in an earlier post: Yesterday it was a lot safer to enter (type) your card number into a box at an Internet retailer's checkout cart. Today, not so safe... tomorrow, look out. Here's an article that makes much the same point....

Fraud has evolved and so must consumers

01 July 2009 04:15:00
Arm yourself with the knowledge to prevent becoming a fraud victim

Fraud is changing - and if consumers want to avoid being victims, they need to be alert in new ways.

Motivated by recession and armed with new techniques and sophistication, those who commit fraud with plastic cards are switching tactics and going international.

“Fraudsters are becoming increasingly savvy,”
says Cifas, the UK's fraud prevention service. "The economic slowdown and fraud go hand in hand."

In a document titled Fraud: The Facts 2009, published this month by Apacs, the UK payments association responsible for raising awareness of card fraud in the UK through Card Watch, recent statistics show how fraud trends, and the way fraud is carried out, have changed over the past 12 months.

Apacs said it had found that the methods fraudsters are using to commit their crimes are also changing.


India Rules Banks Liable for Forged Signatures

Should Banks be Liable for Fraudulent Internet Transactions as Well?

I almost couldn't believe my eyes when I read a recent ruling (they called it a landmark judgment) stating that Banks in Maharashtra are now liable for any transactions involving forged signatures. The ruling stated the following:
"cases involving fraudulent signatures highlight a deficiency in the service provided by banks, and adds that the bank will have to compensate the affected party for any loss from such a transaction."  
Wow! Can you imagine if US courts issued a similar mandate? Wouldn't you 100% agree (okay, maybe 81.4%) that logging into online banking with a "username and password" is "a deficiency" in a service provided by banks?

It would seem more blatant if banks had a low cost option available to them which enabled them to utilize two-factor authentication, the same way they ALREADY do for ATM access!  

Considering the fact that they have "already" issued the cards and "already" issued the PINs, it seems to me there is a "glaring deficiency" in "not issuing" the card reader and PIN entry device in order to enable secure 2FA log-in. Especially considering that the cost is less than 5% of a "single" phishing attack.

While I'm on the subject, can you imagine the repercussions if banks were ruled liable for any transaction done via a deficiency involving an internet transaction? (Typing someone else's card numbers into a box on a merchant checkout website is not efficient.)

One of the repercussions is that there would be millions of HomeATM devices out in the street within 6 months of any such ruling. Why wait for courts to decide? Why not do the right thing without government intervention? I would further point out that there are only two types of debit, PIN and Signature. If a web transaction is conducted without a PIN, then what type is left? And how is entering a debit card number into a box any different than forging a signature?

Here's the article, from an Indian site called "Money Control": Banks now liable for transactions using forged signatures

In a landmark judgment by the Maharashtra Consumer Commission, banks will now be held responsible for any transactions using forged signatures. CNBC-TV18's Neha Pandey reports.

Banks in Maharashtra will now have to be more alert in their daily cash transactions. Passing an order in a case involving a forged signature on a financial instrument for the first time, the Maharashtra State Consumer Commission has taken banks to task. The order charges banks of negligence for carrying out a transaction involving such a forgery.

The order says banks will be held responsible for transactions involving forged signatures. The commission says that cases involving fraudulent signatures highlight a deficiency in the service provided by banks, and adds that the bank will have to compensate the affected party for any loss from such a transaction.

This landmark judgement was passed in a case filed against Bank of Baroda, where the bank honored forged cheques worth Rs 1 lakh from a company's account to one of its employees. Experts say that usually such cases go in the bank's favor. The order also instructs the bank to compensate the affected party with the entire amount, along with 9% interest. Wow, talk about a paradigm-shifting moment in time!


Nyce Study on Consumer Internet Purchases

Industry Research - NYCE

2008-2009 Consumer Internet Purchase Study

This primary research study surveyed 2,608 consumers regarding their behaviors and preferences related to Internet purchases. NYCE commissioned Analytica Inc. to perform the study in late 2008 and early 2009. The findings demonstrate that security when shopping online remains a significant concern for many consumers.

The study came to the following conclusions:

To drive consumer Internet purchases, security concerns must be addressed.

  • In fact, it was the top recommendation when consumers were asked what would cause them to be interested in using a system to make Internet purchases.

  • 20.2% of consumers that had never purchased on the Internet and 17.3% of consumers that purchased infrequently said, “make it secure.” They went on to describe the importance of protection from fraud and identity theft and their need to be reassured about the system’s security.

  • The following response is characteristic of a prevailing attitude: “I would need to know how they are going to keep my information safe,” rather than being satisfied with simply being told that the method is safe.

Editor's Note: That being the case, here's how HomeATM does it. We replicate the brick and mortar experience for online shopping. You swipe your card (we encrypt the Track 2 data) and enter your PIN (which is also instantaneously encrypted), and the transaction is then transmitted 100% end-to-end encrypted all the way to the card brands'/issuers' processing center. There is nothing safer. Guaranteed.


Forecast: Cloudy, with Reigning Hackers

'Mafiaboy': Cloud Computing Will Cause Internet Security Meltdown - DarkReading
Notorious black-hat hacker warns that cloud-based computing will be "extremely dangerous," and explains how he got into hacking at age 15

Jun 30, 2009 | 05:31 PM
By Kelly Jackson Higgins

Reformed black-hat hacker Michael Calce, better known as the 15-year-old "mafiaboy" who, in 2000, took down Websites CNN, Yahoo, E*Trade, Dell, Amazon, and eBay, says widespread adoption of cloud computing is going to make the Internet only more of a hacker haven.

"It will be the fall of the Internet as we know it," Calce said today during a Lumension Security-sponsored Webcast event. "You're basically putting everything in one little's going to be a lot more easy to access," he added, noting that cloud computing will be "extremely dangerous."

"This is not the last you're going to hear of this," he said.

Paul Henry, security and forensics expert for Lumension, says cloud computing, indeed, will open up new avenues of risk. "We haven't even handled the fundamentals of [securing it] in our existing environments," Henry said during an interview after the Webcast. "Now we're going to push it up to the cloud?"


Good News for Swipers, Bad News for Typers

June 2009 web security, spam, viruses and phishing highlights
HelpNet Security posted the following findings and analysis on spam, viruses and phishing and the effect they are having on web security. Good news for swipers, bad news for typers.

Web security: Analysis of web security activity shows that 58.8 percent of all web-based malware intercepted was new in June. MessageLabs Intelligence also identified an average of 1,919 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, an increase of 67 percent since May.

Spam: In June 2009, the global ratio of spam in email traffic from new and previously unknown bad sources was 90.4 percent (1 in 1.1 emails), reflecting no change since May. Spam levels for Q2 2009 averaged 88.7 percent compared with 74.5 percent for Q1 2009.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 269.4 emails (0.37 percent), an increase of 0.06 percent since May. In June, 10.4 percent of email-borne malware contained links to malicious sites, an increase of 3.4 percent since May. Virus levels for Q2 2009 averaged 1 in 297.4 malicious emails compared with 1 in 281.2 in Q1 2009.

Phishing: One in 280.4 emails (0.36 percent) comprised some form of phishing attack, almost no change since May. When judged as a proportion of all email-borne threats such as viruses and Trojans, the number of phishing emails had increased by 6.4 percent to 96.1 percent of all email-borne malware threats intercepted in June. Phishing levels for Q2 2009 averaged 1 in 321.4, compared with 1 in 290.4 for Q1 2009.

Source: June 2009 MessageLabs Intelligence Report

Top 5 Botnets and 5 Steps to Avoid

The Top 5 Botnets and 5 Steps to Prevent Your Computer from bot-icipating.

According to the latest MessageLabs Intelligence Report, botnets are responsible for over 83% of all spam. Here's a list of the Top 5 Botnets... (compiled by Net

Cutwail - 45% of all Spam

The largest and most powerful botnet is responsible for 45% of all spam. With between 1.5 and 2 million active bots, Cutwail was perhaps the largest botnet in history at its peak. "Cutwail's recovery to one-third of its original levels, after only a few hours, highlights the progress spammers have made since the McColo shutdown in November," said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec. "Spammers have learned the importance of having a backup for command and control channels."

Mega-D - 9.3%

Sounding more like a performance-enhancing supplement than a botnet, this was the top botnet at the start of the year, but it has been steadily declining to the point that it is now responsible for only 9.3% of spam. However, it's still one of the hardest working botnets in terms of spam per bot per minute.

Xarvester - 0.2%

Should be called X-Harvester, because although it was one of the major botnets of the year, it has drastically reduced in size and output, and is now responsible for sending out 0.2% of spam.

Donbot - 3.2%

A top 5 botnet in size and output, it's been less active in recent months, sending out 3.2% of spam.

Grum and Rustock - 10%

These newer (but very large) botnets are a wildcard. Combined, they're responsible for over 10% of spam, but their activity is hard to predict: both send spam in bursts, with Rustock often going through periods of zero activity.

Source: June 2009 MessageLabs Intelligence Report.