Tuesday, August 4, 2009

The Internet Can be Utilized to Transmit Encrypted Data

But the Web is NOT a Safe Place with which to Conduct Transactions...
Many people use the terms Internet and World Wide Web (aka. the Web) interchangeably, but in fact the two terms are not synonymous. The Internet and the Web are two separate but related things.


How are they Different ?

The term Internet evolved from Inter-Networking.It is a massive super-network of millions of networks built all acrossthe globe. It actually represents the overall network infrastructurecomprising of Fibre optic cables, routers, switches, gateways,computers among other network constituents. Every node(computer) oninternet is accessible by every other node connected to the Internetand that’s how Internet is primarily used for communication andInformation sharing.

There are some well defined Internet protocols for performingseveral purposes such as data transfer, remote access, informationsharing using Internet. ‘World Wide Web’ employs Hyper Text Transfer Protocol(HTTP)to facilitate Information sharing on Internet. In other words, ‘Web’ issimply an Information sharing model, built on top of the internet.

In simpler words
World Wide Web’ (WWW) or simply ‘Web’ is basically a subset of Internet. It represents the largest sub-network on Internet, which employs HTTP protocol and lets us  (and hackers) access information published  (or typed) on a Webpage via a software called a Web browser.

That said, it's just a matter of time before EVERYONE realizes the web is not a safe place to conduct financial transactions.. The same is true for online banking authentication.   When you "type" primary card numbers or passwords, what you type can be accessed by the bad guys...

For those who missed it, I am republishing a post regarding the danger online banks face when it comes to losing customers due to
inadequacies of their authentication and the web itself.

It's just a "matter of time" before EVERYONE realizes that the Web was not built for eCommerce and that if they stay on course, there will be a train wreck the magnitude of which has not been seen.

The banks have another choice...get on board the "gravy train" HomeATM can provide and open up a whole new world (wide web) of security for their customers and enchance their image, their bottom line and their branding strategy all at once.

You don't have to be a "seer" (or read "between the lines") anymore, to realize that the web is broken. You can simply read the headlines.
Websense, in their new research report, pulls no punches when they state:


"The conjunction of technologies and the monetizing of hacking have resulted in a web environment where no websites, legitimate or not can be trusted."

Half of Banking Customers Hit by Card Fraud Change Banks



One in Five Hit by Card Fraud in Past Five Years:
ACI Worldwide Survey

HALF (49%) Would Consider Changing Banks Following Card Fraud...22% "Would" Change Banks!

Editors Note: Wow, if I was a financial institution offering "online banking"that headline would haunt me 24 hours a day until I figured out a wayto either change it or use it to create an opportunity for my onlinebank to flourish.

My first thought would be: "If 50% would consider "changing banks AFTER" they get hit by card fraud/onlinebanking/phishing fraud, how many would consider "changing banks" to"AVOID" getting hit?

And to which competitor would they go?

I'd conclude that if they "left because of insecurity" they would probably "come on board BECAUSE of security."

Soif I wanted to open a portal for dissatisfied online banking customers,I would use a uniquely positioned product to ensure my customerssecurity. I'm thinking Swipe vs. Type here. Then I would think...howmany potential customers could my bank procure by "guaranteeing" onlinesecurity? Research would determine if it was millions or only"Hundreds of Thousands." I think I made my point. If not, thenthere's always this:




"Fraud reduction isone area where financial institutions are able to take decisive andpositive action to reduce losses and enable them to protect their image and retain the trustof their customers."

  • Protect Your Customer...in fact "Enable Them"
  • Protect Your Image...in fact "Enhance It"

Considering the drastic rise in cybercriminal activity, especially activity aimed at financial institutions, I would think that thekey to any online banking branding strategy would be about protectingthe customer from phishing and malware and protecting, better yet,enhancing the financial institutions image. Those two principalsshould drive any strategy.

Sincebanks cannot control whether their customers visit a malware infestedwebsite, they have to find another way to protect both themselves andtheir customers from malware. The "other way" is to require theircustomers to Swipe vs. Type. As I've said in the past, two of thethree steps are already done by the bank. They issue the card, theyissue the PIN, the last remaing issue is a device that reads the cardand the PIN. The best choice is a PCI 2.x certified PIN Entry Devicedesigned for eCommerce use.

It'sthe fastest and familiar way to securely authenticate their user and byeliminating "typing" you eliminate the threats from malware andphishing. These days, it's all about security. The web is NOTsecure. Therefore financial transactions need to be conducted"outside" the browser space.

However,for the sake of argument, let's assume those principals are not adheredto. Assume that banks are willing to take the risk that theirclients' online banking information will get phished, that it's "just acost of doing business." The game has changed. When 50% of consumerssay they might change banks if they (or somebody they know) experiencedcard fraud it's not just about phishing anymore. It becomes a muchmore serious problem.

Iwould think that banks might be less willing to take on the risk thathalf of their customers will jump ship. That very real threat is onethat HomeATM can eliminate as well. We don't operate within thebrowser, we operate without. We simply utilize the Internet as the"conduit" whereby the encrypted cardholder information is channeled. It cannot be unencrypted until it reaches an HSM.

Phisherscan't phish if consumers don't type. If online banking consumers aregoing to switch banks anyway, why not have a strategy to "swipe them"off their feet?

Ihave to seriously ask...when will a bank "connect the dots" and offertheir customers the only PCI 2.x and TG-3 certified personal e-bankinglog-in device in two hemispheres. It is a no brainer. Guarantee theirsecurity.

What is the guarantee? That your customers data is safe and therefore your customer is safe.

Ourdevice would render phishing useless by requiring secure 2FA login(swipe card/enter PIN) With our device it doesn't matter what malwareis on the computer, it wouldn't be able to steal username/password databecause that data is NOT typed in anymore. It might very well still beon the PC, but it's no longer used for logging in. Typing has beeneliminated and without typing, the bad guys can't steal your customer'scard numbers. Eliminate typing and you also eliminate the threat of keyloggers, cloned bank websites, counterfeit cards AND losing yourvaluable customer to a competitor.


Twofactor 3DES DUKPT End to End Encrypted PCI 2.x and TG-3 CertifiedMilitary Grade security... used for securing online banking log-in,money transfers, conducting more secure online transactions and thusenhancing your bank's image...all for $12 a pop? Yeah...So get aheadof your competition by simply connecting the dots! Your almostthere...2 outta 3 ain't bad, but 3 outta 3 is better.

NEW YORK, July 28, 2009 (GLOBE NEWSWIRE) -- ACI Worldwide, Inc.(Nasdaq:ACIW), a leading international provider of electronic paymentssoftware and solutions, today announced that its global card fraudsurvey revealed that 18 percent of consumers questioned have beenvictims of credit or debit card fraud in the past five years.

Theresearch, of more than 2,400 consumers across eight countries, alsofound that if an individual or someone they knew was hit by card fraud,22 percent would change financial institutions, and a further 27percent would consider changing financial institutions.

In the light of these findings, and the continued commitment byfinancial institutions around the world to protect their customers fromcard fraud, ACI Worldwide has launched its Guide to "Stopping CardFraud in its Tracks," with contributions from Nationwide BuildingSociety, to provide advice to fraud managers in banks to help combatcard fraud and protect their customers.



Editor's Note: In the US andUK 27% or 1 in 4 people have been toasted by card fraud. Replace thetoaster with a PCI 2.x certified PED. And give them away! Cause youcare! The money will come! In fact, last time I checked (in April)the American Bankers Association said:


Banksthat demonstrate a keen understanding of customer needs and put forthcapabilities that align with them can differentiate themselves fromcompetitors, command higher pricing, and become the provider of choice for deposit-rich market segments. Successful banks will develop programs that demonstrate industryunderstanding, critical product capability, and communicate commitment.”


The survey highlights some wide variations in fraud trends aroundthe world. In the US and UK, 27 percent of respondents have been hit bycard fraud in the past five years, compared to only seven percent inDubai, eight percent in Germany and 15 percent in Australia, China andSingapore.

When it comes to customer attitudes to card fraud, a fifthof the respondents said they are not confident their financialinstitution can protect them, with this number rising to over a thirdin China.

What's more, almost half of respondents said that they would changebanks, or at least consider it, if they or someone they knew was hit bycard fraud.


Editor's Note: Okay, nowif I'm in the banking industry and I read this, I wouldn't be hauntedanymore. I would be excited. Because I would see a HUGE opportunityto capitalize on these consumer behavioral attitudes. If Half wouldchange banks (even if it was just someone they knew who was hit by cardfraud) that means I have the opportunity to "lure" them to my financialinstitution.

Did I just say lure? I did. You can "Phish" for online banking customers by eliminating...phishing.

HomeATM'sOnline Banking program would would keep banking customers safe andsecure and attract dissatisfied customers who leave their banks. It'ssimply a branding strategy. You brand your bank as the most secureonline banking system available. And you secure it with a PCI 2.x andTG-3 certified system. And you "give them away" with a smile on yourface. Because it empowers you, protects your customers, enhances yourimage and will make you money!

Pete Corrie, head of financial crime at Nationwide Building Society,comments: "The number of card payments globally has increaseddrastically over the past few years and, consequently, the wholeindustry has seen associated fraud levels go up.

David Nussenbaum, vice president and product line manager at ACIWorldwide, adds: "The international research we have conducted showsthat although card fraud trends vary around the world, it is still apersistent problem for banks. In order to protect themselves and theircustomers against potential fraudulent attacks, financial institutionsare looking for ways to implement effective anti-fraud strategies,while maintaining efficiency and keeping costs to a minimum. We believethat our Guide will provide some useful and practical advice."

The ACI Worldwide research on card fraud was conducted during July2009 in Australia, Brazil, China, Dubai, Germany, Singapore, the UK andthe USA surveying a total of 2,408 respondents. To download the ACIWorldwide Guide to 'Stopping card fraud in its tracks', go to www.aciworldwide.com/stopcardfraud.









Reblog this post [with Zemanta]

Researchers Insecure BIOS Rootkit' Pre-loaded in 60% of Laptops


via ZDNet

LAS VEGAS — A popular laptop theft-recovery service that ships on notebooks made by HP, Dell, Lenovo, Toshiba, Gateway, Asus and Panasonic is actually a dangerous BIOS rootkit that can be hijacked and controlled by malicious hackers.

The service — called Computrace LoJack for Laptops— contains design vulnerabilities and a lack of strong authentication that can lead to “a complete and persistent compromise of an affected system,” according to Black Hat conference presentation by researchers Alfredo Ortega and Anibal Sacco from Core Security Technologies.

Computrace LoJack for Laptops, which is is pre-installed on about 60 percent of all new laptops, is a software agent that lives in the BIOS and periodically calls home to a central authority for instructions in case a laptop is stolen. The call-home mechanism allows the central authority to instruct the BIOS agent to
wipe all information as a security measure, or to track the whereabouts of
the system.

For it to be an effective theft-recover service, Ortega and Sacco explained that it has to be stealthy, must have complete control of the system and must be highly persistent to survive a hard disk wipe or operating system reinstall.

“This is a rootkit. It might be legitimate rootkit, but it’s a dangerous rootkit,” Sacco declared. The research team stumbled upon the rootkit-like technology in the course of their work on BIOS-based malware attacks. At last year’s CanSecWest security conference, the duo demonstrate methods for infecting the BIOS with persistent code that survive reboots and reflashing attempts.

[ SEE: Researchers demo BIOS attack that survives hard-disk wipe ]


Reblog this post [with Zemanta]

Typing vs. Swiping is Tantamount to Swimming in Shark Infested Waters

Malware Statistics for July - NetSecurity.org

Cybercriminals arefocusing on finding new vulnerabilities in the most popular softwarewith the aim of exploiting them to achieve their goal – infectingcomputers with one or, more often than not, several malicious programs.Secondly, cybercriminals attempt to hide their activity so that iteither passes unnoticed, or seem to be resulting in minimal damage tothe infected machine.

"All this makes surfing the Internet without a fully-patched operatingsystem or an up-to-date antivirus solution tantamount to swimming inshark-infested waters – and this applies to even the most experiencedusers."

Graphic Depicts Countries where most attempts to infect computers via the web were recorded:



Reblog this post [with Zemanta]

PayPal's Black Monday

Evan Schuman writes about yesterday' "worldwide" PayPal outage in StorefrontBacktalk. 

PayPal Outage Monday Points Out Centralized Processing Weakness
Written by Evan Schuman

August 4th, 2009

Forsomewhere between one and five hours on Monday (Aug. 3), e-tailexecutives get a harsh reminder from EBay how they are all potentiallyone coding error away from millions in lost revenue.

EBay’s PayPal group went dark worldwide for all users for an hour Monday, starting at about 1:30 PM (New York time). Many users were unable to make purchases for a much longer period, until the final users were restored by about 6:30 PM.

The Wall Street Journal quoted EBay spokesperson Anuj Nayar as saying that the cause of the outage was an “internal network hardware issue” and that EBay was “looking into how to address our affected merchants.”...

Melissa Hathaway Logs Off as Cyber-Security Tsar/Czar


According to CBR Online, President Obama has lost the acting cyber tsar he appointed just six months ago to head his new White House office of cybersecurity.  According to media reports in the US press this morning, Melissa Hathaway has resigned for personal reasons. The top cybersecurity aide apparently plans to return to the private sector.

Breaking the story, The Wall Steet Journal noted that ‘the resignationhighlights the difficulty the White House has had following through onits cybersecurity effort.’ This is despite US intelligence officialsgrowing increasingly concerned about Chinese and Russian cyberspiessurveilling American infrastructure and military networks.

Hathaway was a former consultant at Booz Allen Hamilton. She came in as a cyber coordination executive for the director of national intelligence.  It was widely expected that she would eventually be named as Assistant to the President for Cyberspace, a position recommended when the Center for Strategic and International Studies commission said Obama needed create a National Office for Cyberspace, headed by a direct report.

Hathaway has chaired the National Cyber Study Group (NCSG), a senior-level inter-agency body and is recognized as being instrumental in developing the Comprehensive National Cybersecurity Initiative (CNCI).

Reportedly Hathaway had become dismayed by the slow pace of the appointment process and had not felt empowered enough to drive through some of the changes she had expected to have been made.

Read the Full Article



Reblog this post [with Zemanta]

Heartland's Q2 Shows Effects of Breach


Heartland swings to Q2 net loss as cost of data breach mounts

Last year's data breach (Editor's Note: Technically it was this year, since they announced during Obama's inauguration last January) at Heartland Payment Systems continues to prove costly, with the vendor incurring related pre-tax expenses of $19.4 million in the second quarter, contributing to a net loss for the three months.

The $19.4 million in various expenses, accruals and reserves comes on top of $12.6 million in costs in the first quarter attributable to the massive data breach, which saw malicious software in the firm's processing system potentially compromising the card data of millions of people.

Of the $32 million for the six months, $22.1 million, relates to fines imposed by the card brands in April 2009 against the company and its sponsor banks and a settlement offer made.

Continue Reading at Finextra

Reblog this post [with Zemanta]

Disqus for ePayment News