Tuesday, July 28, 2009
Researchers Try to Stalk Botnets Used by Hackers
By JOHN MARKOFF - NY Times
Researchers at Sandia National Laboratories in Livermore, Calif., are creating what is in effect a vast digital petri dish able to hold one million operating systems at once in an effort to study the behavior of rogue programs known as botnets.
Botnets are used extensively by malicious computer hackers to steal computing power from Internet-connected computers. The hackers harness the stolen resources into a scattered but powerful computer that can be used to send spam, execute phishing scams or steal digital information. These remote-controlled “distributed computers” are difficult to observe and track.
Botnets may take over parts of tens of thousands or in some cases even millions of computers, making them among the world’s most powerful computers for some applications.
“When a forest is on fire you can fly over it, but with a cyberattack you have no clear idea of what it looks like,” said Ron Minnich, a Sandia scientist who specializes in computer security. “It’s an extremely difficult task to get a global picture.”
To stalk the botnets, Mr. Minnich and his colleague Don Rudish have converted a Dell supercomputer to simulate a mini-Internet of one million computers.
The researchers said they hoped to be able to infect their digital petri dish with a botnet in October and then gather data on how the system behaves. One of the challenges will be in tricking the botnet components into believing they are running in the open Internet.
Continue Reading at NY Times
RSA® Conference Survey Reveals Disparity Between Security Needs and Technology Purchases
Email and Mobile Security Top the List of Threats, but Spending is Earmarked Elsewhere
RSA Conference 2010
SAN MATEO, Calif.--(AllPayNews.com)--RSA® Conference (www.rsaconference.com), the world’s leading information security conferences and expositions, today released the results of a recent survey of security professionals regarding the critical security threats and infrastructure issues they currently face, including those exacerbated by the current economic climate. The study, “What Security Issues Are You Currently Facing?,” includes responses from nearly 150 C-level executives and professionals charged with directing, managing and engineering security infrastructures within their respective organizations.
The study indicates that even though practitioners are most concerned about email phishing and securing mobile devices, technologies addressing these needs are at risk of being cut from IT budgets. Seventy-two percent of respondents indicated a rise in email-borne malware and phishing attempts since Fall 2008, with 57% stating they have seen an increase in Web-borne malware. Concerns about zero-day attacks and rogue employees as a result of layoffs were cited by 28% and 26% of survey respondents, respectively.
When asked about the top security and organizational challenges they expect to face in the next 12 months, 57% of respondents cited budgetary constraints; 44% cited employee education as a major concern and 40% called out lost or stolen devices.
The survey also asked what technology investments will likely be bypassed or curtailed due to spending freezes and budget cuts. Given the above information, however, the survey illustrates that even though employees are seeing increases in email- and Web-borne malware and phishing, IT budgets are not being sufficiently allocated to defend against these issues.
Specifically, the survey demonstrates that even though 72% of respondents have seen a rise in email-borne malware and phishing, 8% still plan on cutting money that would previously be earmarked to attempt to mitigate those risks. Even more alarming is that 40% of respondents admitted that securing lost or stolen devices – like the iPhone or Blackberry – is a top concern in the coming year, yet 15% of those surveyed will be reducing spending in this area.
“It is very disconcerting to see that while the trends and the experience of security professionals point to web and email-borne malware as the biggest threat, companies are cutting messaging and web security budgets,” said Andreas Antonopoulos, Senior Vice President and Founding Partner at Nemertes Research. “Companies tend to focus too much on the spectacular attacks (zero-day and organized crime) versus the mundane but extremely costly attacks (phishing and malware). Security controls should be driven by risk/reward calculations that soberly evaluate the impact on the business, rather than sensationalist media reports. Security professionals know where the real threats are but often find it difficult to quantify and explain the risks to senior management.”
In an attempt to uncover the impact of the recent Facebook and Twitter phishing attacks that have received extensive media coverage over the last several months, RSA Conference asked respondents how their organizations were affected. The survey found that while 84% of respondents allow the use of these tools, only a mere 3% were seriously affected by the attacks. Conversely, 73% said that their organization was not impacted at all and 24% indicated they were somewhat affected.
“We rely on the real world experiences of security practitioners to develop the educational programming and the agenda at RSA Conference,” said Sandra Toms LaPedis, Area Vice President and General Manager of RSA Conference. “This survey not only serves as a benchmark for the industry and a vehicle to learn from one another, but also provides insight into the issues that may become the content focus of RSA Conference 2010.”
For more information and to see additional survey results, please go to: https://365.rsaconference.com/blogs/rsa_conference_blog.
About RSA Conference
RSA Conference helps drive the global information security agenda with annual events in the U.S., Europe and Japan. Throughout its 19-year history, RSA Conference consistently attracts the world’s best and brightest in the field, creating opportunities to learn about information security’s most important issues through face-to-face and online interactions with peers, luminaries and emerging and established companies. As information security professionals work to stay ahead of ever-changing security threats and trends, they turn to RSA Conference for a 360-degree view of the industry. RSA Conference seeks to arm participants with the knowledge they need to remain at the forefront of the information security business. More information on events, online programming and the most up-to-date news pertaining to the information security industry can be found at www.rsaconference.com.
RSA and the RSA Conference logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. All other marks are trademarks of their respective companies.
Alex Kirschner, 415-591-8421
Are PIN debits coming soon to e-commerce transactions?
by Neil Moncrief on July 28, 2009
In a blog post written by Neil Moncrief of CreekFinancial, he writes about PIN Debit for eCommerce transactions. He makes a couple of key points, which I have emboldened in red. The one point he misses out on is the difference between "perceived" security and "authentic" security. I'm sure you've heard the term "perception is reality," but I can guarantee you that "perceived" security and reality can be, and in this case are, completely disparate.
Every so often, I’ll have an e-commerce client ask me “Will I ever be able to accept PIN-based debits online?” Although many companies have tried to devise a solution, I never seriously believed it would happen.
After all, how could a consumer enter a 4-digit PIN from a personal computer and still meet the high encryption standards required for Payment Card Industry (PCI) compliance? (Editor's Note: They Cannot)
Nevertheless, the topic is resurfacing again, and online PIN debits may finally be just around the bend.
The primary reason e-commerce merchants want to accept PIN debits is the savings. As I explained in this article I posted several months ago, brick-and-mortar merchants with high-dollar average sales can save considerable amounts by requesting PIN numbers from customers.
But the PCI rules requiring that the debit card be swiped through a magnetic card reader and that the PIN number be encrypted have kept online merchants from participating. (Editor's Question: What has changed?)
In her June 2009 article for Transaction Trends magazine, Julie Ritzer Ross profiles software and hardware developers that are on the leading edge of finding a workable solution. PaySecure, from Atlanta-based Acculynk, is currently being tested by some of the largest players in the debit network business: ACCEL, NYCE, and Pulse. PaySecure’s software will place a floating “keypad” on a shopper’s screen, receive the PIN, scramble and encrypt it, and then pass it along to the appropriate network.
Hardware developer HomeATM ePayment Solutions recently introduced Safe-T-PIN, a small and inexpensive USB PCI 2.x certified card reader with integrated PIN Pad that allows consumers to swipe their own credit cards (and securely enter their PIN) while shopping online.
Editor's Note: HomeATM's system does not need to be "tested" since it 100% replicates the existing PIN Debit transaction done in the brick and mortar world. In fact it has been "tested" by the Payment Council Industry, (Visa, MasterCard, Discover, AMEX and JCB) and is PCI 2.x certified. HomeATM also recently went through a TG-3 audit and has been told they will receive their certification imminently. After going through both the PCI 2.x certification process and a TG-3 PIN Audit, HomeATM becomes the first and only eCommerce payments company in either hemisphere to be certified by one or the other...and we have BOTH.
When this technology finally does make its way into the homes of America’s shoppers, it will be a day for merchants to celebrate. It’s rare that something comes along that benefits business owners more than consumers or credit card companies. And with the struggles of the past year, it’s about time merchants caught a break!
Read the Entire Article at the Creek Financial Blog
Aite Report Says There Is No Easy Cure for Threats to Card Security
Editor's Note: The three biggest problems according to this article (and the facts) are as follows: 1. Malware, 2. Card Cloning and 3. CNP Transactions. The web is the most dangerous place to conduct transactions and we do it by "typing" our card numbers into a box. Think about it. How stupid is that?
7/29/2009 - Credit Union Times
By Marc Rapport
"There’s no vaccine against card data security breaches in the United States, and the prognosis for this persisting ailment shows there is no fast cure, according to a recent report, which also said it would cost an estimated $100 billion to fix card security in the U.S.
What was that line Clinton used to win the presidency? "It's the economy, stupid!" Well, here's my version...It's the "typing," stupid! Can I get any more simplistic? Yes, I can name that tune in three words: "Swipe...Don't Type!"
That’s according to a new report released by research and advisory firm Aite Group. The report, “Card Data Security: In Search of a Technology Solution,” which is based on survey responses from 29 individuals (most of whom head up risk management for North American issuing banks or payment processors), focused on what the respondents thought were today’s biggest card security problems, the responsibilities of stakeholders and possible card security solutions.
In fact, there is NO DIFFERENCE between taking cash out of an ATM (Swipe Your Card, Enter Your PIN) and what HomeATM does. The banks seem to trust that the consumer is present when they authorize the spitting out of $20 bills. Want to take security one step further? HomeATM has already engineered and has available an EMV version of our PCI 2.x Certified SafeTPIN.
What did surveyors find as the most viable remedies for card security issues? One promising solution, a shift from magnetic stripe cards to EMV architecture (the use of smart cards), may never come to fruition.
The report stated that a decision to make the use of smart cards a standard practice is five to seven years away–or may never take place at all.
Editor's Note: So why even try? We lost. Fraud is a part of the cost of doing business, right? It's that same mentality that caused the problem in the first place. Want to get rid of fraud? Get rid of signature debit and make the switch to PIN debit.
“With the deeply entrenched magnetic stripe infrastructure in the United States, and the cost and effort involved in transitioning stakeholders to chip and PIN infrastructure, this may be the case,” Aite Group’s Nick Holland said of the survey participants’ predictions that standardized EMV architecture may never be a reality in the U.S.
However, out of the three biggest threats to card security–malware, counterfeit card fraud and CNP fraud–counterfeit card fraud is the only problem that an EMV architecture shift could solve. There are other promising solutions to all three problem areas, the report said."
Editor's Note: Yeah, there is. For example, 1. Malware won't affect transactions that are immediately encrypted when they are swiped. What was that line Clinton used? It's the "economy," stupid. Well, here's my version...It's the "typing," stupid.
2. A counterfeit (cloned) card won't work if you require two factor authentication for web purchases. Swipe (what you have) your card and Enter (what you know) your PIN. For those who argue that credit cards don't have PINs? Our patent pending "PIN Your Card" technology can assign PINs to credit cards.
3. CNP fraud would be eliminated by morphing the "Card Not Present" environment (i.e. the Internet) into a card present one. There is no difference between a consumer swiping their own card in the safety of their home vs. swiping their card at an unattended kiosk or gas pump.
Card Data Security: In Search of a Technology Solution
While EMV architecture could mitigate card fraud, it does not address all security concerns and is not likely to be implemented in the near-term.
Boston, MA, July 2009 – A new report from Aite Group, LLC reveals stakeholder perceptions of current card data security issues, an overview of their responsibilities and a look at what is required to fix card data security. Based on in-person interviews conducted by Aite Group with 29 heads of risk management and other bank executives, the report provides insights from key decision-makers in the card payments risk and security realm.
There is no arguing that card data security is a major concern to stakeholders, and one that urgently needs to be addressed, but the EMV route is not a given for the United States. While many agree that switching the industry to EMV smartcard architecture would go a long way in mitigating card fraud, few see the transition occurring within the next few years, if at all.
"Survey respondents believe the greatest threats to the card industry are malware, counterfeit card fraud and CNP fraud," says Nick Holland, senior analyst with Aite Group and author of this report. "Since a move to EMV architecture would only address counterfeit card fraud, Aite Group recommends the establishment of a pan-network panel to study card security issues and identify alternative technologies to reduce vulnerabilities."
Acculynk has gotten Shazam to agree to a pilot for their Card Not Present PIN Debit application. Kudos to them. I must say that they have had a less arduous path than HomeATM because we replicate the brick and mortar "true" PIN Debit experience. You know, the one where you swipe your card and enter your PIN. You know...how you do it when you are at an ATM. It is our belief that a hardware device is "required" and we've had to undertake the arduous task of engineering and designing a low-cost consumer-based Point of Sale device and getting it PCI 2.x certified.
Why did we have to do that? Because PIN Debit technology doesn't exist when the card is not swiped. A TRUE PIN Debit transaction MUST be swiped. Case in point, see if you can find a "Card Not Present" PIN Debit rate at either Visa or MasterCard's website.
Can't find it? Then it is an alternative payment. It's a variant of PIN Debit. The part that personally makes me uncomfortable is that Acculynk's system requires you to do business on the web by "typing" your card number into a box.
Until you "type" your number into a box, their technology won't know if it's a debit card so that the "pop-up" er..."floating" PIN Pad can appear on your screen. I've talked about the risks inherent with that in the past, so I won't go into it, but suffice it to say, that we at HomeATM thank Acculynk for their hard work in making specific inroads towards getting alternative PIN Debit on the web. It lays the foundation for the day financial institutions, merchants, etc. understand that "there is no substitute" for PIN Debit.
SHAZAM to Pilot Internet PIN Debit Technology
EFT network will partner with Acculynk to test Internet PIN debit service
DES MOINES, Iowa--(BUSINESS WIRE)--SHAZAM, an innovator of electronic funds transfer (EFT) services for 33 years, has agreed to test Acculynk’s PaySecure Internet PIN debit service. SHAZAM will conduct a pilot program where interested SHAZAM financial institutions can participate in testing the latest in Internet PIN debit technology. The pilot program will help gauge consumer acceptance of using a debit card with a PIN when making online purchases.
“We are always seeking new and innovative ways for our community financial institutions to effectively compete in the market,” said Mike Hollinger, President and CEO of SHAZAM.
With the PaySecure software, consumers enter their PIN on a graphical PIN-pad at the merchant checkout, and only need their existing debit card and PIN to complete the transaction. (Editor's Note: They don't necessarily "need" their card, they just "need a card number"...which is then, once again, "typed" into a box on a merchant's website.) There are no hardware devices, passwords, enrollment, or redirection to another website for payment. (See "Both Sides of the Mouth Syndrome" or "It's the Typing, Stupid!")
“PaySecure is one of those rare emerging payment methods that satisfy the needs of consumers, merchants, and financial institutions,” said Ashish Bahl, CEO of Acculynk. “PaySecure helps issuers retain and grow their debit revenue stream, merchants decrease transaction processing expenses, and consumers reduce signature-based debit card fraud. We are pleased that SHAZAM recognizes the value PaySecure brings and has chosen to pilot our service.”
SHAZAM is the fifth EFT network to publicly announce an agreement with Acculynk. “Interest in PaySecure has only increased as consumer payment preferences shift to debit,” said Bahl. “External market factors have made our value proposition even more compelling, particularly to financial institutions, networks, and merchants seeking a way to leverage this growth in debit card usage.”
“As we’ve done for 33 years, SHAZAM will evaluate and support emerging technology that makes sense for community financial institutions,” stated Hollinger. “Their needs continue to be our primary focus.”
The SHAZAM network was founded in 1976 and is one of the last remaining member-owned and -controlled EFT networks and processors in the industry. SHAZAM provides EFT services to more than 1,500 community financial institutions in 30 states. SHAZAM offers ATM processing, Visa® debit and Debit MasterCard® national debit products, card authorization services, merchant processing, automated clearing house (ACH) services, and information security solutions. SHAZAM is endorsed by 15 community financial institution trade organizations and bankers' banks. For more information, visit http://www.shazam.net/.
Acculynk secures online transactions with a suite of software-only services that are backed by a powerful encryption and authentication framework protected by a family of issued and pending patents. Acculynk’s services provide greater security, reliability, convenience and return on investment for consumers, merchants, networks, issuers and acquirers. For more information, visit http://www.acculynk.com.