Thursday, July 30, 2009

Security Researchers: Online Transactions Aren't Safe


If you think you are seeing a pattern over the last two days, about how insecure the internet is, especially when it comes to financial transactions, then you'll also notice that the Paradigm Shift I've been talking about is starting to take shape. 

It's becoming increasingly clear. 

  • Internet Security Broken
  • No Website is Safe
  • Online Transactions aren't safe
  • Use the Internet for browsing, use another device for payments.  
Read more about those bullet points in the related articles section below.  In the meantime, there's only one "another device" in the world designed for online transactions that is PCI 2.x certified.  I think it's the one HomeATM built.  Yup, it is!    Does that mean we can fix web security?  We can when it comes to transactions.  Here's yet another article proving our methodology:

Security researchers: Online transactions aren’t as safe as we thought

Internet security is busted, said researchers at the Black Hat conference in Las Vegas today.


If this sounds familiar it’s because just a year ago, Dan Kaminsky (pictured left) found a flaw in the Internet’s address book, the Domain Name System, where hackers could fool DNS servers into redirecting traffic to bogus sites. The tech industry pulled together quickly to patch the hole and minimize the vulnerability.

The same thing happened here, as Kaminsky rounded up a coalition of companies to deal with a weakness in X.509, a cryptographic system used to create digital certificates. The digital certificates are the way that a web site can verify the identity of a unique user who is visiting the site and wants to do a transaction. It’s a lot like using a passport photo to identify someone standing in front of you. Everyone from Amazon.com to Microsoft uses it in so-called digital handshakes that precede e-commerce transactions.

When Kaminsky walked into the standing-room only auditorium where he talked about the flaws in X.509, he got a lot of applause. You would never know that a day earlier his own personal web site, Doxpara.com, got hacked.

But Kaminsky held the crowd spellbound as he elaborated in great technical detail. Then he got started describing what he called the “crisis of authentication.” He showed that by altering a line in a digital certificate, hackers could fool users into believing that a site is legitimate when it really isn’t.

Businesses have invested hundreds of millions of dollars in the public key infrastructure system that was developed in the 1990s. Now Kaminsky, as well as grad student Len Sassaman (second from right), says we need to reboot the system. Tim Callan (pictured far right), a vice president at Internet infrastructure authority VeriSign, pretty much agreed.

Continue Reading
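The article above says a tampered certificate can let a site pass for one it is not. The check that decides this on the relying party's side is whether the hostname it connected to matches a name the certificate was actually issued for, and a lax matcher is where tampering pays off. The following is an added example, not code from the article or from any of the companies named in it: a strict matcher for the certificate's DNS names that accepts only exact matches or a wildcard confined to the leftmost label, and refuses any certificate entry that is not a well-formed DNS name instead of matching it partially. The certificate names and hostnames below are constructed for the example.

```python
import re

# A DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_well_formed_dns_name(name: str) -> bool:
    """Reject anything that is not a plain DNS name (empty labels, stray
    characters, over-long names). Such entries are never partially matched."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def name_matches(pattern: str, hostname: str) -> bool:
    """Strict comparison of one certificate name against the hostname that was
    connected to: exact (case-insensitive) match, or a wildcard that replaces
    only the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not is_well_formed_dns_name(hostname):
        return False
    if pattern.startswith("*."):
        parent = pattern[2:]
        # The fixed part must itself be a valid name with at least two labels,
        # so "*.example.com" is allowed but "*.com" is not.
        if not is_well_formed_dns_name(parent) or "." not in parent:
            return False
        first, sep, rest = hostname.partition(".")
        return sep == "." and rest == parent
    return is_well_formed_dns_name(pattern) and pattern == hostname


def certificate_covers(san_dns_names, hostname: str) -> bool:
    """True only if some subjectAltName DNS entry matches the hostname.
    A certificate with no well-formed matching entry is not accepted."""
    return any(name_matches(p, hostname) for p in san_dns_names)


if __name__ == "__main__":
    # Constructed sample: the names a hypothetical certificate was issued for.
    issued_for = ["www.example.com", "*.api.example.com"]
    for host in ["www.example.com", "v1.api.example.com", "a.b.api.example.com", "evil.test"]:
        print(f"{host:24s} -> {certificate_covers(issued_for, host)}")
```

The point of `is_well_formed_dns_name` is that an entry in the certificate either matches in full or counts for nothing; there is no prefix comparison, no stopping early at an unexpected character, and no wildcard that spans more than one label. Real TLS libraries perform this check for you, and the example exists to show what "the name matches" has to mean before a certificate is trusted for a host.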

RELATED

Separate Machines Needed for Web Surfing and Transactions
A renowned researcher has stated our case: "The best strategy to defend against Clampi is to use separate machines for Web surfing and funds transfer" - Joe Stewart, one of the world's foremost...
Jul-30 - 2009 | More ->

No Websites, Legitimate or Not Can Be Trusted
Websense: This Past Month in Web Threats. STATE OF THE THREAT ABSTRACT: The conjunction of technologies and the monetizing of hacking have resulted in a web environment where no websites,...
Jul-30 - 2009 | More ->


Down on Main Street

Pain on Main Street: A First-Ever Drop in Card-Based Same-Store Sales

(July 30, 2009) As the recession continues to batter merchants of all sizes, small and medium-size retailers are getting hit especially hard, and as a result so are the acquirers that process their card transactions. Indeed, in a development apparently never seen before, same-store sales on Visa and MasterCard for these Main Street merchants were down fully 4.9% in the January through May period, according to research released this week by First Annapolis Consulting. By contrast, same-store sales for these same merchants had climbed modestly, by 1.5%, last year.

To get a picture of the current state of merchant acquiring, First Annapolis surveyed 17 acquirers (nine bank acquirers and eight non-bank processors) that account for more than half of all U.S. card-based payments. Besides the overall decline it discovered, the firm said 17 acquirers reported same-store sales plummeting by more than 10%. Overall, bank acquirers reported a steeper drop in same-store sales than did the non-banks.

“To put this into perspective, card-based payments have never registered same-store growth declines overall, even in past recessions,” the Linthicum, Md.-based consulting and research firm said in a statement announcing its results...

Continue Reading at Digital Transactions


Malware Numbers Intensify: 92k into 30 Million

PandaLabs announced a multi-year study that examines the proliferation of rogueware into the overall cybercriminal economy.

Click the graphic on the left and prepare to be shocked and amazed.  In 2006 there were less than 740,000 malware samples.  By the end of 2008 there were 15 million.  By the end of June 2009, there were 30 million.  I'm thinking Swiping vs. Typing here.

The report reviews the various forms of rogueware that have been created, and displays how this new class of malware has become an instrumental player in the overall cybercriminal economy.


The study also provides in-depth analysis on the increasingly sophisticated social engineering techniques used by cybercriminals to distribute rogueware via Facebook, MySpace, Twitter and Google.

PandaLabs predicts that it will record more than 637,000 new rogueware samples by the end of Q3 2009, a tenfold increase in less than a year.

Approximately 35 million computers are newly infected with rogueware each month...

Cybercriminals Earn $34 million dollars per month on rogueware
Background: The History of Malware Growth

Malware has rapidly increased in volume and sophistication over the past several years. The graph below illustrates the malware landscape from 2003 to 2006, over which the total number of malware samples doubled every year:

Barely five years ago, just 92,000 total malware strains existed; by the end of 2008, there were approximately 15 million. At the conclusion of this study in July 2009, PandaLabs detected more than 30 million malware samples in existence.

The reason behind this vast increase in malware is clear: money. In 2003, banking Trojans quietly emerged on the scene. These malicious codes, designed to steal online banking credentials, now rank among the most common forms of malware. Every day, we see new variants that have evolved technologically in order to evade the security measures banks have implemented.
Click either Graphic to Enlarge and Read

Separate Machines Needed for Web Surfing and Transactions

A renowned researcher has stated our case:

"The best strategy to defend against Clampi
is to use separate machines for Web surfing and funds transfer"


- Joe Stewart, one of the world's foremost authorities on botnets and targeted attacks.


"Using Windows, it's too dangerous to do transactions on the same machine you do for Web surfing," he says. "You can't have any crossover between them."

Editor's Note:  Looks to me like the message we've been trying to get out for 15 months is finally getting out.  When one of the world's foremost authorities on web security says the only way to protect against Clampi is to use two separate machines, we agree 100%.  After all, it was HomeATM who has stated unequivocally since day one that people should use "separate machines" for Web surfing and financial transactions. That's why we created ours.  The fact that it is PCI 2.x and TG-3 certified only strengthens the case for using it.    You surf the web on one machine (the PC) and conduct financial transactions on another (our SafeTPIN device).

DarkReading

LAS VEGAS -- BLACK HAT USA 2009 -- A security researcher has discovered a Trojan that is designed to extract account data from as many as 4,600 of the world's most popular and wealthy businesses.

In "one of the largest and most professional thieving operations on the Internet," a Trojan called Clampi (also known as Ligats, Ilomo, or Rscan) has spread across Microsoft networks in a worm-like fashion, and may already have infected hundreds of thousands of corporate and home PC users, according to SecureWorks researcher Joe Stewart, one of the world's foremost authorities on botnets and targeted attacks.

"We weren't all that worried about Storm, and we weren't all that worried about Conficker," Stewart says. "This one you need to worry about."



The Trojan uses PsExec -- a popular, lightweight Telnet replacement tool that lets one system execute processes on other systems -- and a sophisticated process of encryption and packing to hide its origins and targets. So far, Stewart says, the Trojan appears to be targeting 4,600 Websites, of which he has identified approximately 1,400 in 70 countries.

Those 1,400 sites include some of the most popular and financially lucrative companies in the world. "This thing is like the Dun & Bradstreet of the underground hacking world," Stewart says. "It's attacking the sites with the most users and the most money." Among the industries being targeted are banks, credit card companies, stock brokerages, insurance, retail, advertising networks, and utilities.


Clampi is operated by a "serious and sophisticated organized crime group from Eastern Europe" and already has been implicated in numerous high-dollar thefts from banking institutions, Stewart says. "This attack is not being sold underground," he says. "You can't buy a Clampi kit like you can for other Trojans."

Clampi generally can avoid detection by antivirus software, and it even has the ability to discover which AV software a PC is using and take steps to avoid it, Stewart says. Enterprises currently can block Clampi with an intrusion prevention system, but Stewart says he doesn't expect that defense to last very long before the Trojan adapts.

The best strategy to defend against Clampi -- and other attacks that use a similar approach -- is to use separate machines for Web surfing and funds transfer, Stewart says. "Using Windows, it's too dangerous to do transactions on the same machine you do for Web surfing," he says. "You can't have any crossover between them." 


Read the Entire Article at Dark Reading
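The article above describes Clampi spreading across Windows networks using PsExec to execute processes on other machines. One thing a defender can watch for is the trace that PsExec-style remote execution leaves: PsExec installs a service (named PSEXESVC, with the binary PSEXESVC.exe) on the target host, and Windows records every service installation in the System log as Event ID 7045. The following is an added example written for this post, not code from SecureWorks, Dark Reading or any tool the article names. It parses a constructed CSV export of such events (the column layout is an assumption of this example, not a Windows format), flags PsExec service installs, and groups installs that land on several distinct hosts within a short window, which is the worm-like pattern worth triaging first.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export of Windows System event logs (not a real capture).
# Event ID 7045 = "A service was installed in the system". PsExec installs a
# service named PSEXESVC on the remote host before running the requested command.
SAMPLE_LOG = """\
timestamp,host,event_id,service_name,image_path
2009-07-30 09:01:12,WS-101,7045,PSEXESVC,%SystemRoot%\\PSEXESVC.exe
2009-07-30 09:01:15,WS-102,7045,PSEXESVC,%SystemRoot%\\PSEXESVC.exe
2009-07-30 09:01:19,WS-103,7045,PSEXESVC,%SystemRoot%\\PSEXESVC.exe
2009-07-30 09:03:40,WS-104,7045,BackupAgent,C:\\Program Files\\Backup\\agent.exe
2009-07-30 09:05:02,WS-105,7036,Spooler,
2009-07-30 14:22:08,WS-110,7045,PSEXESVC,%SystemRoot%\\PSEXESVC.exe
"""

PSEXEC_SERVICE = "psexesvc"
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_events(text):
    """Parse the CSV export into a list of dicts, adding a datetime under 'ts'."""
    events = list(csv.DictReader(io.StringIO(text)))
    for ev in events:
        ev["ts"] = datetime.strptime(ev["timestamp"], TIME_FMT)
    return events


def is_psexec_install(ev):
    """A service-install event whose service name or dropped binary is PsExec's.
    Both are checked so that a renamed service still trips on the image path."""
    if ev["event_id"] != "7045":
        return False
    name = ev["service_name"].strip().lower()
    image = ev["image_path"].strip().lower().replace("/", "\\")
    return name == PSEXEC_SERVICE or image.endswith("\\psexesvc.exe")


def psexec_installs(events):
    return [ev for ev in events if is_psexec_install(ev)]


def spread_clusters(events, window=timedelta(minutes=5), min_hosts=3):
    """Group PsExec installs that occur within `window` of the first install in
    the group, and return the sorted host lists of groups touching at least
    `min_hosts` distinct machines: one operator running PsExec by hand rarely
    reaches many hosts within seconds, a spreading infection does."""
    installs = sorted(psexec_installs(events), key=lambda ev: ev["ts"])
    clusters, current = [], []
    for ev in installs:
        if current and ev["ts"] - current[0]["ts"] > window:
            clusters.append(current)
            current = []
        current.append(ev)
    if current:
        clusters.append(current)
    host_sets = [sorted({ev["host"] for ev in c}) for c in clusters]
    return [hosts for hosts in host_sets if len(hosts) >= min_hosts]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(len(psexec_installs(evs)), "PsExec service installs found")
    for hosts in spread_clusters(evs):
        print("burst of installs across:", ", ".join(hosts))
```

PsExec is also a legitimate administration tool, so a single hit is a lead to reconcile against change records rather than an alert on its own; the burst across many hosts is what separates an administrator's afternoon from the propagation the article describes. A Trojan that carries its own renamed copy of the tool would not match these strings, which is why the host-level grouping, not the service name, is the durable part of the check.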

MasterCard Shares Rise after Reporting Strong Earnings

NEW YORK (Reuters) - MasterCard Inc, the world's second-largest credit card network, reported better-than-expected quarterly earnings Thursday as it raised fees charged to banks and cut expenses, sending its shares up 7 percent.

"It is a question of cost control," said Robert Dodd, an analyst at Morgan, Keegan & Co. "Marketing and advertising expenses were much lower than I expected."

The company's larger rival, Visa Inc, also reported better-than-expected quarterly earnings on Wednesday, helped by lower expenses.

But MasterCard Chief Financial Executive Robert Selander said the downturn in consumer spending would make it difficult for the company to meet its target of average annual revenue growth of 12 percent to 15 percent in the period 2009-2011.

"We don't expect the economic slowdown across the world will improve until sometime next year," Selander said in a conference call with analysts.

MasterCard's second-quarter net income was $349 million, or $2.67 per share, compared with a loss of $747 million, or $5.70 per share, a year earlier.  

Excluding special items, earnings were $2.67 a share, topping analysts' average forecast of $2.43, according to Reuters Estimates.

Expenses declined 13 percent to $722 million, excluding special items, as the company trimmed advertising and marketing spending by 36 percent and reduced personnel and administrative costs.  Continued...


No Websites, Legitimate or Not Can Be Trusted

Websense:  This Past Month in Web Threats

STATE OF THE THREAT ABSTRACT:


The conjunction of technologies and the monetizing of hacking have resulted in a web environment where no websites, legitimate or not, can be trusted.


Is Logging In with Username/Password "Careless and Negligent?"

I had to bring you an excerpt from a story in today's AsiaOne Business entitled "Credit Card Stolen? Mind the Pitfalls."   I especially liked the quote from the bank that did not want to be named.  (enlarged below)

BANKS in Singapore are standing by their policy of holding customers responsible for transactions made on their lost or stolen cards if they do not report the missing card in time.  Consumers who cry foul may have no leg to stand on, as the policy is stated in the fine print on the contract they have signed.

A check with seven banks and two credit card companies has found that those who hold Singapore-issued cards are liable for any unauthorized transaction made before the loss is reported.

Some, like DBS Bank and Citibank, will at most review cases individually.

One bank that did not want to be named told The Straits Times it was unfair for banks to take the blame and shoulder the cost when cardholders themselves in most cases are careless or negligent. There may also be fraud involved.

So let me get this straight.   The consumer should take the blame because they are careless and negligent.  I wonder when banks will consider typing a "username and password" into a box on their online banking website "careless and negligent."  I wonder when banks will consider using a credit/debit card for an online purchase, by typing their card number into a box on a website "careless and negligent."  

Viruses, Malware and Botnet Zombies at an all time high


Editor's Note: Financial transactions CANNOT be done on the web because the "wicked web" hackers have weaved has made it unsafe.  HomeATM is "hands down" doin' it right, by doin' it outside the browser.

You would think the information below would alarm people.  You would think the information below would paint a picture that the web is not safe.  You would think that.  Wouldn't you? 



The conjunction of technologies and the monetizing of hacking have resulted in a web environment where no websites, legitimate or not, can be trusted.
Spam volumes have increased 141 percent since March, continuing the longest streak of increasing spam volumes ever, according to McAfee's Q2 Threats Report. The report also highlights the dramatic expansion of botnets and the threat from Auto-Run malware.

  • The number of viruses sent over email has increased by 300 per cent in the last three months, according to Network Box. 
Analysis of Internet threats in July 2009 shows the number of viruses is at its highest so far this year, peaking at around 12 viruses per customer per hour.

More than 14 million computers have been enslaved by cybercriminal botnets, a 16 percent increase over last quarter’s rise. The report confirmed McAfee’s first quarter prediction that the surge in botnet growth would send spam levels to new heights, surpassing their previous peak in October 2008 before the takedown of the spam-hosting ISP McColo.

  • McAfee researchers also found that, over the course of 30 days, Auto-Run malware had infected more than 27 million files. 
Auto-Run malware, which exploits Windows’ Auto-Run capabilities, does not require any user clicks to activate, and is most often spread through portable USB and storage devices. The rate of detection surpasses even that of the infamous Conficker worm by 400 percent, making Auto-Run the number one piece of malware detected around the world.


Botnets (also called zombie armies or drone armies) are networks of compromised computers infected with viruses or malware to turn them into “zombies” or “robots” – computers that can be controlled without the owners’ knowledge. Criminals use the collective computing power and connected bandwidth of these externally-controlled networks for malicious purposes and criminal activities, including, inter alia, generation of spam e-mails, launching of Distributed Denial of Service (DDoS) attacks, alteration or destruction of data, and identity theft.

  • Fourteen million additional computers have been turned into botnets this quarter.
  • That averages to more than 150,000 computers infected every day, or 20 percent of the personal computers bought daily (Source: Gartner 2009).
As the number of bots continues to grow, malware writers have begun to offer malicious software as a service to those who control botnets. By exchanging or selling resources, cybercriminals distribute new malware to wider audiences instantaneously. Programs like Zeus - an easy-to-use Trojan creation tool - continue to make the creation and management of malware even easier.
I hate having to "type cast"...but anyone and everyone who types their card numbers into a box on a website will have those numbers swiped.

If Your Card Data is Going to Be Swiped, Shouldn't You be Doing the Swiping?


Visa 3Q Net Up 73% On IPO Gain; Volume Drops 5%

Article - WSJ.com
BOSTON (Dow Jones)--Visa Inc.'s (V) fiscal third-quarter profit soared 73% from a year ago, as investment income and reduced expenses offset a slowdown in consumer spending.

In 4 p.m. New York Stock Exchange composite trading on Wednesday, the company's shares were at $66.78.On the heels of the results, investors pushed the stock down to $66 in after-hours trading.

The San Francisco-based company also reiterated its view that net revenue growth this year will be in the high single digits and at the lower end of the 11% to 15% range in 2010. The company said it expected earnings per share to grow at more than 20% through 2010 and predicted annual free cash flow of over $1 billion during this period.

Visa reported net income in the third quarter of $729 million, or 97 cents a class A common share, compared with $422 million, or 51 cents per class A common share, a year earlier. Excluding a one-time gain related to the sale of an equity stake through an initial public offering, net income totaled $507 million, or 67 cents per class A common share.

Its results beat analysts' estimates of net income of 64 cents a class A common share, according to Thomson Reuters.

Continue Reading at Wall Street Journal

