Wednesday, August 19, 2009

Finovate Startup '09 Demo

Credit Card Scam Raises New Web Security Fears

Alleged credit card scam raises new web security fears

Editor's Note: Browsers Are an Open Book

Everything is relative.  What's new for some is old news for others.  But again, I am gratified that these new "web security" fears are being raised.  We are and have been on the record stating that the web is NOT a safe place to conduct financial transactions...and recent events are pushing others over to our way of thinking. 

Maybe the publicity over this recent indictment will be the straw that breaks the camel's back.  Maybe it will be the meteoric rise in malware threats.  (Threats have increased from 125,000 unique pieces of malware in 2006 to 1.5 million in 2008 and 1.2 million MORE in the first half of 2009 alone.)

Maybe it will be the realization that when consumers "type" hackers "swipe".  Maybe a giant phishing attack like the recent one on CommonWealth Bank will do it.  Certainly no one can argue that when you combine all the threats "web security" clearly has severe flaws.  Our "goal" is to make that as clear as the credit/debit card data that travels through it.  HomeATM doesn't make the argument to "swipe" vs. "type" BECAUSE we created our PCI 2.x Certified Swiping Device.  We CREATED the device because we knew that when people "type" hackers "swipe."

In order to "secure" transactions done via the web, they must be conducted "outside" the realm of the open book known as browsers...

The data must be "instantaneously" encrypted and must be transmitted in its encrypted form via the "Internet" (not the web) which simply serves as a conduit.   Typing is the "cause"; hacking is the "effect."

Consider how a "phishing" attack would be successful if consumers didn't type their username / password or credit/debit card number into a box?  DES DUKPT (derived unique key per transaction) encrypted data  would be useless to them. 
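To make the "useless to them" claim concrete, here is an added example that is not from the original post and not HomeATM's device code. It is also not ANSI X9.24 DUKPT itself: it keeps the property the post relies on (each swipe leaves the device under a key that exists only for that swipe, which the device then forgets, while the host can re-derive it from a base key that it alone holds), but it swaps the standard's TDES key registers for an HMAC-SHA256 ratchet and a toy HMAC counter-mode stream so that it runs on the Python standard library alone. The device serial, the derivation labels and the track-2 test string are constructed for the example.

```python
"""Unique key per transaction, in the spirit of the DUKPT scheme the post names.

Added illustration only: NOT ANSI X9.24 DUKPT and not any vendor's firmware.
HMAC-SHA256 replaces the TDES-based derivation of the standard, and a toy
HMAC counter-mode stream replaces the block cipher.  Standard library only.
"""
import hashlib
import hmac

NEXT_LABEL = b"next-chain-key"   # assumed domain-separation labels, not from X9.24
TXN_LABEL = b"transaction-key"


def derive(key: bytes, label: bytes, counter: int) -> bytes:
    """One-way derivation step: the output does not reveal `key`."""
    return hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256 (illustration only)."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


class SwipeDevice:
    """Holds only the *current* chain key plus a monotonic transaction counter."""

    def __init__(self, serial: bytes, initial_key: bytes):
        self.serial = serial
        self._chain_key = initial_key    # injected at manufacture, never exported
        self.counter = 0

    def swipe(self, track2: bytes) -> dict:
        self.counter += 1
        txn_key = derive(self._chain_key, TXN_LABEL, self.counter)
        # Ratchet forward and drop the old chain key: dumping the device later
        # yields nothing that decrypts swipes that have already left it.
        self._chain_key = derive(self._chain_key, NEXT_LABEL, self.counter)
        nonce = self.serial + self.counter.to_bytes(4, "big")
        ct = xor_stream(txn_key[:16], nonce, track2)
        tag = hmac.new(txn_key[16:], nonce + ct, hashlib.sha256).digest()
        return {"serial": self.serial, "counter": self.counter, "ct": ct, "tag": tag}


class Host:
    """Knows each device's initial key and re-derives the per-swipe key on demand."""

    def __init__(self, initial_keys: dict):
        self._initial = initial_keys
        self._last_seen = {}   # serial -> highest counter accepted (replay check)

    def decrypt(self, msg: dict) -> bytes:
        serial, ctr = msg["serial"], msg["counter"]
        if ctr <= self._last_seen.get(serial, 0):
            raise ValueError("replayed or out-of-order transaction")
        chain = self._initial[serial]
        for i in range(1, ctr):   # linear walk; X9.24 uses a key tree to bound this
            chain = derive(chain, NEXT_LABEL, i)
        txn_key = derive(chain, TXN_LABEL, ctr)
        nonce = serial + ctr.to_bytes(4, "big")
        expected = hmac.new(txn_key[16:], nonce + msg["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            raise ValueError("authentication tag mismatch")
        self._last_seen[serial] = ctr
        return xor_stream(txn_key[:16], nonce, msg["ct"])


def run_scenario(initial_key: bytes, track2: bytes) -> dict:
    """Two genuine swipes, then a replay and a tampered message; returns what the host saw."""
    serial = b"DEVICE-0001"                       # constructed serial number
    device = SwipeDevice(serial, initial_key)
    host = Host({serial: initial_key})
    first, second = device.swipe(track2), device.swipe(track2)
    result = {
        "same_card_different_ciphertext": first["ct"] != second["ct"],
        "first_decrypts": host.decrypt(first) == track2,
        "second_decrypts": host.decrypt(second) == track2,
    }
    try:
        host.decrypt(first)                        # a phisher re-sends a captured swipe
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    tampered = dict(device.swipe(track2))
    tampered["ct"] = bytes([tampered["ct"][0] ^ 0x01]) + tampered["ct"][1:]
    try:
        host.decrypt(tampered)
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    return result


if __name__ == "__main__":
    # Constructed track-2 data built around the public Visa test PAN 4111111111111111.
    print(run_scenario(bytes(range(32)), b";4111111111111111=1512101?"))
```

What the scenario shows: the same card swiped twice produces unrelated ciphertexts, so a phisher who captures one message holds nothing that decrypts without the base key, cannot replay it (the counter has moved on), and cannot alter it (the tag fails). Two caveats a practitioner would add: the host here walks the key chain linearly, whereas X9.24 uses a derivation tree so any transaction key is reachable in a bounded number of steps, and real DUKPT hosts tolerate some out-of-order arrival that this strict counter check would reject.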

If consumers were mandated to "swipe" vs. "type" there would be no more "phish" in the sea!   Online banking would eliminate phishing completely if they mandated secure two-factor authenticated log-in by replicating the procedure already required for ATM withdrawals.

Again, it is gratifying to see headlines like the one above.  It's only a matter of time before "everyone" realizes "typing" needs to be eliminated.  Browsers are an open book...

An excerpt from an article published by the Guardian:

US companies and law enforcement agencies are facing fresh questions today about the ease with which hackers can penetrate their defenses and make off with vital data about consumers, following the arrest and charging of a Miami man for what is allegedly the biggest credit card scam in history.

Albert Gonzalez, a 28-year-old former informant for the US secret service who helped the authorities track hackers, was charged with conspiring to steal the details of 130 million credit cards. The charge sheet detailed a complex history of online skulduggery in which Gonzalez used three internet aliases: segvec, soupnazi and j4guar17, each marking different stages in his life.

The alleged fraud was perpetrated through devices that could penetrate computer networks, steal card data and send it to servers in the US and Europe, prosecutors say. The acting US attorney general, Ralph Marra, praised the investigators "in tracking down cutting edge hacking schemes committed by hackers working together across the globe"...

Security firms join working group to fight web threats


Prominent web security companies are joining together to share information and resources to fight the growing threat of malware on the web. Assembled under the IEEE Standards Association, the working group is called the Industry Connections Security Group (ICSG).

Technologies, McAfee, Microsoft, Sophos, Symantec and Trend Micro are the initial members of ICSG, which will seek to engage security vendors, banks, internet service providers, educational institutions and government agencies to promote better security on the web.

The group will develop, document and promote proposals for enhancing security, toward the goal of producing consensus approaches and perhaps fueling new IEEE standards.

"We've seen a whole ecosystem develop around threats to computer security," said Jeff Green, ICSG chair and senior vice president of McAfee Avert Labs.

Green said the security industry has fragmented itself among various siloed efforts designed to solve very specific problems, such as phishing and spyware. ICSG would seek to more comprehensively address the security problems. Threats have increased from 125,000 unique pieces of malware in 2006 to 1.5 million in 2008 and 1.2 million in the first half of 2009 alone, according to McAfee.


Breach Security Labs Releases Bi-Annual Web Hacking Report


An analysis of recent web hacking incidents performed by Breach Security Labs shows that Web 2.0 sites are becoming a premier target for hackers. Based on analysis of recent ‘web hacking incidents of importance,’ Breach Security Labs found that:

• The first half of 2009 showed a steep rise in attacks against Web 2.0 sites. This is the most targeted vertical market with 19% of the incidents.

• Organizations have not implemented proper web application logging mechanisms and thus are unable to conduct proper incident response to identify and correct vulnerabilities. This resulted in the number 2 “Unknown” attack category.

• Attack vectors exploiting Web 2.0 features such as user-contributed content were commonly employed: Authentication abuse was the 2nd most active attack vector, accounting for 11% of the attacks, and Cross Site Request Forgery (CSRF) rose to number 5 with 5% of the reported attacks.

• Defacements, which combined both Planting of Malware and standard overt changes, remains the most common outcome of web attacks (28%), while Leakage of sensitive information came in 2nd with 26% and Disinformation came in 3rd with 19%, mostly due to the hacking of celebrity online identities.


The web hacking incident database (WHID) is a project dedicated to maintaining a list of web application-related security incidents.

The WHID’s purpose is to serve as a tool for raising awareness of the web application security problem and provide information for statistical analysis of web application security incidents.

Unlike other resources covering website security, which focus on the technical aspect of the incident, the WHID focuses on the impact of the attack. To be included in WHID an incident must be publicly reported, be associated with web application security vulnerabilities and have an identified outcome.

Breach Security Labs is a WHID project contributor.

For further information about the Web Hacking Incidents Database refer to


Social Networks Number One Target for Hackers

Social Networks Number One Web Attack Target

Dark Reading - Kelly Jackson Higgins - 17 hours ago

... and social networking sites, according to a new report that logs actual attacks on Web applications. The Web Hacking Incidents Database (WHID) -- which ...

Facebook and Twitter Becoming Top Targets for Hackers

BrickHouse Security Blog - Jimmy Bosch - 6 hours ago

Recent studies conducted by Breach Security showed that social networking sites were responsible for at least 19% of internet hack attacks in 2009. ...

7-Eleven Statement Regarding 2007 Credit Card Breach

That hundreds of millions of card numbers could be stolen illustrates the flaws in a payment system built more for "speed" and "convenience" than security, an Associated Press investigation found this year.  Although banks and retailers eat the costs of most fraud, consumers bear them indirectly in the form of higher prices.

7-Eleven Statement Regarding 2007 Credit Card Fraud

7-Eleven, Inc. has learned that federal authorities in New Jersey have indicted individuals for the theft of credit and debit card numbers in a computer hacking scheme targeting multiple retailers in a number of separate incidents over the last several years.

The company became aware in late 2007 that a security breach had occurred. The affected transactions were limited to customers’ use of certain ATMs, owned and operated by a third party, located in 7-Eleven stores over a 12-day period from October 28, 2007, through November 8, 2007. Steps were immediately taken to contain the security breach and prevent any recurrence.

Upon being notified of the breach, the card companies in accordance with their standard fraud response procedures then alerted the issuing financial institutions regarding the security breach. Each financial institution made its own decision about what appropriate actions to take, including the issuance of new cards or putting card numbers on alert for fraud. These remedial measures were taken in late 2007 and early 2008.

7-Eleven would like to thank the federal authorities for their diligence in pursuing the perpetrators of these crimes. Because this matter is pending, we are not providing further details.

About 7 Eleven, Inc.
7 Eleven, Inc. is the premier name and largest chain in the convenience retailing industry. Based in Dallas, Texas, 7-Eleven operates, franchises or licenses approximately 7,800 7-Eleven® stores in North America. Globally, 7-Eleven operates, franchises or licenses more than 36,400 stores in 15 countries. During 2008, 7-Eleven stores worldwide generated total sales of more than $53.7 billion. For 15 consecutive years 7-Eleven has been listed among Hispanic Magazine’s Hispanic Corporate Top 100 Companies that provide the most opportunities to Hispanics. 7-Eleven is franchising its stores in the U.S., and is expanding through organic growth, acquisitions, and its Business Conversion Program. Find out more online at

Margaret Chabris
7-Eleven, Inc.


PaySafeCard Partners with William Hill

paysafecard seals partnership with William Hill

  • Online cash solution has linked up with one of the UK’s largest bookmakers

  • paysafecard provides William Hill’s customer base with a safe and easy way to pay online

London/Vienna 19th August 2009

Alternative payment method provider paysafecard is now live with William Hill, one of the UK’s most popular bookmakers. paysafecard provides secure and guaranteed alternative payment options for William Hill’s online customers.

“We are delighted to have William Hill as a partner,” says David Hunter, CEO paysafecard UK. “The cooperation is an important step for expansion in the UK and throughout Europe.”

Founded in 1934, William Hill is one of the most established names in the gambling industry with 2,300 shops in the UK and Ireland. Based in Gibraltar, William Hill Online serves customers from over 175 countries, offering six languages and 11 different currencies.

The paysafecard voucher enables web-shoppers to make purchases on the Internet in a matter of seconds, without disclosing bank details. Having recently launched in Argentina, paysafecard now operates in 20 countries worldwide.

About paysafecard:

Over the past nine years, paysafecard have established themselves as Europe’s favourite safe and easy-to-use alternative prepaid payment method for e-commerce. It is available in 20 countries worldwide. The smart payment solution is designed for users who don’t have a credit or debit card or who don’t want to use their credit card for online purchases and other micro payments on the Internet. Users simply authorize a payment by entering a PIN code, similar to the system used with prepaid phone cards. Thousands of e-businesses are benefiting from new customers by offering this safe and uncomplicated payment solution. paysafecard is available in £10, £25, £50 and £75 e-vouchers at more than 230,000 outlets across Europe and South America. In March 2009 the group was awarded ‘Best Prepaid Company outside the USA’ by the global prepaid industry publication For more information, please visit

Where can you use paysafecard?

paysafecard is welcomed at over 2,700 web shops in the UK and Europe. These include the largest bingo & betting sites and lottery organisers, telecoms, games and music download companies.

Here's how it works:

1. To pay in a webshop, all you need to do is enter your 16-digit PIN code in the payment window. If you need to pay larger amounts, you can easily combine up to ten paysafecards – just enter the PIN code for each card as you need it.
2. Next, click on "Pay", click "OK" to confirm, and the job's done.

Incidentally, you can opt to protect your paysafecard with a secret password which will then have to be entered whenever you make a payment.

More On the "Soup Nazi" (Video)

Soup Nazi Strikes Again...But He's Been Imprisoned Since March 2008

Forrester Looks at Best & Worst Bank Brand Building Web Sites

Best And Worst Of Financial Services Brand Building Web Sites, 2009: Banks

This is the fourth document in the "Best And Worst Of Financial Services Brand Building Web Sites, 2009" series.

Harley Manning, Richard Gans, Rachel Zinser

Executive Summary (This is a document excerpt)

The banking industry features some of the most recognizable brand names in the US, like Bank of America, SunTrust Bank, U.S. Bank, and Wells Fargo. But how good are the brand experiences offered by major banks' Web sites? To find out, we graded the sites of four top brands on how well they communicate their Brand Image and deliver value to consumers (Brand Action). Only one site — Wells Fargo — passed both of our brand tests. To improve the brand experience, banks need to use clear, unambiguous category names, legible fonts, and consistent elements of visual design.


Radisson Latest to be Breached


The Radisson Hotel chain is the latest American retail company to announce it has suffered a significant breach of its computer systems resulting in the compromise of credit and debit card data.  This couldn't have been Gonzalez the "soup nazi" because he was already in custody at the time of this breach.  Here's the "Open Letter" informing Guests that their credit and debit card numbers were breached 9 months ago...



August 19, 2009

To Radisson® Hotels & Resorts guests:

Radisson values your business and respects the privacy of your information, which is why we wish to inform you that between November 2008 and May 2009,

This unauthorized access was in violation of both civil and criminal laws. Radisson has been coordinating with federal law enforcement to assist in the investigation of this incident. While the number of potentially affected hotels involved in this incident is limited, the data accessed may have included guest information such as the name printed on a guest’s credit card or debit card, a credit or debit card number, and/or a card expiration date.

We recommend that you review your account statements and credit reports closely. To the extent there is any suspected unauthorized card activity, it should be reported to the bank that issued your credit card, as well as proper law enforcement authorities, your state attorney general’s office, or the Federal Trade Commission.

Please also visit our website for instructions on how to receive free credit monitoring for one year.

Radisson values guest privacy and deeply regrets this incident occurred. Working with law enforcement and forensic investigators, Radisson is conducting a thorough review of the potentially affected computer systems, and has implemented additional security measures designed to prevent a recurrence of such an attack and to protect the privacy of Radisson’s valued guests. The company also is working closely with major credit card suppliers and law enforcement to ensure the incident is properly addressed.

For further assistance regarding this incident, please visit Radisson online or call (866) 584-9255 between 7 a.m. – 11 p.m. CST daily. Radisson is focused on delivering guest satisfaction and value for our guests and is committed to doing everything we can to resolve this issue expediently and thoroughly to reinforce your confidence.

Vice President & Chief Operating Officer

Radisson Hotels & Resorts


Ghosts in the Machine: Future Threat

I thought this to be an interesting article and wanted to share some excerpts.  I've blogged about hardware tampering in the past, (see "Terminal Disease Boosts Fraud") and made mention that one of the benefits of using our tamper-proof PCI 2.x certified device in the privacy of one's own home is the peace of mind in knowing that your PIN number is NOT going to be captured by a rogue PIN Pad...

Anyway, this threat is nowhere near the threat created by "typing" vs. "swiping."  

Until the big brains in the financial industry stop being so stubborn and come to terms with how dumb typing credit/debit numbers into a box on a website is, (and call for the "elimination" of typing)  I wouldn't worry too much about this threat.  It's so much easier to use a malicious "soft"ware approach than start tampering with "hard"ware.

Ghosts in the Machine: Attacks May Come From Inside Computers

Information Management Online, August 19, 2009

Shane Kite

The next wave of hacking into computers and stealing data will not be requests or code coming from remote points across the Web, security experts are warning.

Instead, the most sophisticated Trojan Horses appearing on Wall Street financial systems may be threaded into the silicon of integrated circuits by design, their malicious instructions baked right into the tiny physical aspects and intricate mapping of the chip itself, according to scientists and academics working with the National Institute of Standards and Technology, the White House and the Financial Services Information Sharing and Analysis Center in Dulles, Va.

Detecting such malware after a chip is fabricated will be extremely difficult, if not impossible, these experts say, because the microchips that run servers have millions to billions of transistors in them. Adding a few hundred or even just tens of transistors can compromise an integrated circuit, serve attackers' purposes and escape notice.

According to the Cyberspace Policy Review released by the White House in May, "documented examples exist of unambiguous, deliberate subversions" of the IT supply chain. While counterfeit products have created "the most visible" problems to date for hardware, the global nature of IT manufacturing has made subversion of computers and networks through supply chain sabotage via subtle hardware or software manipulations, more feasible.

Law enforcement in Europe uncovered a scam late last year whereby criminals had rigged credit card readers installed at Tesco and other retail outlets there with what was essentially a tiny cell phone that was capturing all the PINs from customers who used their cards on the readers in stores and sending the data through Pakistan, though its ultimate destination remains unknown. Criminals often choose nations with porous security or limited digital forensics practices to route their booty.

"What was interesting about this is that some portion of it really was a supply chain corruption," said Scott Borg, director and chief economist (CEO) at the U.S. Cyber Consequences Unit (US-CCU), an independent, non-profit research institute. Borg's work on securing IT supply chains was cited in the president's cyber policy review.

Borg takes pains, however, to emphasize that the threat of hardware tampering occurring in the private sector remains relatively low. "Malicious software is so much easier and cheaper to distribute," he says.

Plus, the risk is huge. "There's a serious danger that the whole world would stop buying electronics from your country if it was shown that the supply chain was compromised. The main danger here is hardware bargain hunting."


Fast Facts On World's Most Famous Hacker

In an article written by Claire Suddath at Time Magazine, they profile "Master Hacker" Albert Gonzalez.  Here are their "fast facts:"

Fast Facts:

  • The 28-year-old lives in Miami, Fla.

  • Has operated under the Internet handles "Segvec," "Soupnazi," and "J4guar"

  • Charged with hacking into retail and card processing computers to steal 130 million credit and debit card numbers between 2006 and 2008. The compromised companies include Heartland Payment Systems, 7-Eleven, two unnamed national retailers and Hannaford Brothers, a regional supermarket chain

  • Gonzalez had previously been indicted — once in May 2008 and again in August of the same year — for allegedly stealing 40 million credit and debit cards from companies including OfficeMax, TJ Maxx, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW and Dave & Buster's

  • Arrested in New Jersey in 2003 while working as an administrator on Shadowcrew, an underground 4,000-member website on which hackers swapped stolen credit card information

  • After his arrest, he began working with Secret Service agents on something called "Operation Firewall," in which Gonzalez — operating under the handle "CumbaJohny" — convinced Shadowcrew members to join his virtual private network (VPN) that was secretly monitored by federal agents. In October 2004, 28 hackers were arrested through the operation, although federal agents claim Gonzalez tipped off some of the suspects, helping them to sidestep authorities

  • After the sting, Gonzalez changed his nickname to "Segvec" and moved to Miami, where he allegedly started a new identity theft ring called "Operation Get Rich or Die Tryin'"

  • According to the Aug. 17 indictment, Gonzalez teamed up with two Russian programmers to hack into corporate computer networks and install "malware," or malicious software, that allowed them to steal data

  • Heartland Payment Systems, which processes credit-card data for over 250,000 businesses, accounts for most of the 130 million numbers cited in the New Jersey indictment. The company has so far spent $12.6 million in legal costs and fines associated with the security breach

  • The government is seeking forfeiture of Gonzalez's Miami condo, his BMW, a firearm, a currency counter and nearly $1.7 million in cash

  • Gonzalez's lawyer, Rene Palomino Jr., has so far refused interview requests regarding the matter and has issued no comment

Quotes about:

"I always thought he was Russian."

— An unnamed member of the underground identity theft community, saying that no one realized that 'CumbaJohny' and 'Segvec' were the same person. (Aug. 5, 2008)

"This guy worked very, very hard at something he was very good at."

— Assistant U.S. Attorney Erez Liebermann of the Justice Department's New Jersey branch (Newsday, Aug. 17, 2009)

"He's here on U.S. soil. That was his big flaw. If he were anywhere else, he's not going to jail."

— Dan Clements, president of CardCops, which tracks stolen credit-card data online. (The New York Times, Aug. 18, 2009)


ONO! Huge Security Hole on the Web

Trusteer Warns of Huge Security Hole on the Web

80 Percent of Web Users are Vulnerable to Attacks that Exploit Flaw in Adobe Flash and Acrobat Software

NEW YORK-- Trusteer, the customer protection company for online businesses, reported today that two weeks after Adobe released a critical patch for Flash and Acrobat Reader, nearly 80 percent of Internet users are still vulnerable to attacks that exploit these vulnerabilities. These findings are based on more than 2.5 million users of the Rapport browser security service. This may be the biggest security hole on the Internet today, since 99 percent of Internet users are using Flash in their browsers.

A report released today by Trusteer found that among the 2.5 million Internet banking users in North America and Europe protected by its Rapport security service, 98.8 percent have Flash active in their browser. From this sample, 80 percent were running outdated and unpatched versions of Flash, while 84 percent were running a vulnerable version of Acrobat. The full report is available at

From a security avoidance standpoint, Flash and Acrobat are the ultimate platforms for distributing malware. Targeting vulnerabilities in these applications is extremely efficient since it enables criminals to target 99 percent of Internet users. By comparison, targeting vulnerabilities in Internet Explorer only reaches approximately 65 percent of Internet users, while Firefox-based attacks reach only 30 percent.

“Adobe is facing some major security challenges and one of its biggest hurdles is its software update mechanism. For some reason, it is not effective enough in distributing security patches to the field,” said Mickey Boodaei, CEO of Trusteer. “Given the lack of attention this situation has received to date, it appears that few people understand the magnitude of the problem. We recommend that all enterprises and individuals install the latest Flash and Acrobat updates immediately.”

About Rapport

Rapport from Trusteer is a lightweight browser plug-in plus security service that acts like a vault inside the browser and prevents redirection of user information to fraudulent websites. It protects personally identifiable information (PII) and Web pages from unauthorized access and theft while users are accessing sensitive Web sites. Trusteer also offers in-the-cloud reporting services where unauthorized access attempts detected by Rapport are analyzed by fraud experts who provide actionable intelligence to financial institutions.

About Trusteer

Trusteer enables online businesses to secure communications with their customers over the Internet and protect PII from a user's keyboard into the company's Web site. Trusteer's flagship product, Rapport, allows online banks, brokerages, healthcare providers, and retailers to protect their customers from identity theft and financial fraud. Unlike conventional approaches to Web security, Rapport protects users' PII even if their computer is infected with malware including Trojans and keyloggers, or is victimized by pharming or phishing attacks. Trusteer is a privately held corporation led by former executives from Cyota/RSA Security, Imperva, and NetScreen/Juniper. For more information visit

Marc Gendron PR
Marc Gendron, 781-237-0341


Malware Aimed at Stealing Bank Log-In Credentials Growing

More on "Typing" is the Cause...Hacking is the Effect. 

You cannot create large-scale secure transaction systems "on the web"...they must be done "outside the web" and outside the realm of the browser space.  Continue with the SNAFU "type" systems currently in place and hackers will continue to breach consumers' account numbers and bank log-in details.

According to data compiled by PandaLabs, the number of users affected by malware designed for identity theft has increased 600% so far this year with respect to the same period in 2008. Most of these are Trojans, but there are also many examples of phishing, worms, spyware, etc.

Just as an example, PandaLabs receives nearly 37,000 samples of new viruses, worms, Trojans and other types of Internet threats every day. Of these, 71% are Trojans, mostly aimed at stealing bank details or credit card numbers as well as passwords for other commercial services.

Between January and July 2009 we received 11 million new threats, some 8 million of which were Trojans. This is in clear contrast, for example, to the average of 51% of new Trojans that we received at PandaLabs in 2007.

Hackers have also been busy exploring new channels for propagating threats as well as new sources of revenue. With malware samples, which previously targeted -almost exclusively- users’ online banking information by getting them to enter their user name and password in a spoof bank website, potential victims are now taken to any platform or online site in which their bank details may be stored or where they might have to enter them.

Continue Reading at Help Net Security News


MasterCard vs. Visa: Dueling Compliance Philosophies

MasterCard vs. Visa: Dueling Compliance Philosophies

Written by David Taylor

August 18th, 2009

Columnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.

People don’t seem to “get” MasterCard. For most of the last 4 years, MasterCard has been criticized for their apparent willingness to let Visa play the “bad guy” who issues fines to acquiring banks (and, through them, to merchants), who extends the PCI standards to application vendors (through PABP, now PA-DSS) and who generally takes the heat for PCI.

Now MasterCard is taking what can only be called a “get tough” policy, issuing larger fines and, most significantly, forcing both Level 1 and Level 2 merchants to use assessors rather than take on the task of self-assessment. But still, merchants, banks, processors and service providers aren’t happy with MasterCard. They just can’t seem to get a break. After numerous conversations with companies on the receiving end of MasterCard’s “get tough” efforts, I think there are some philosophical issues that need to be highlighted...

Continue Reading at

