Wednesday, September 23, 2009

Zeus and Clampi Steal Online Banking Credentials



Earlier I posted about Clampi, an online banking Trojan. Many have called it "The Big One." In fact here is a quote:



"We weren't all that worried about Storm, and we weren't all that worried about Conficker, This one you need to worry about." "The best strategy to defend against Clampi is to use separate machines for Web surfing and funds transfer"



- Joe Stewart, one of the world's foremost authorities on botnets and targeted attacks.



Now the PIN Payments News Blog has learned that there's another "online banking" Trojan, called Zeus. According to SearchSecurity.com,



A Trojan that steals online banking credentials is proving to be a particularly insidious and successful piece of malware, according to security experts.




Zeus is the "biggest banking Trojan out there," Laura Mather, co-founder and vice president of marketing at Palo Alto, Calif.-based fraud prevention company Silver Tail Systems said during a recent company webcast. "It's the nastiest, most sophisticated Trojan I've ever seen. It's a money-stealing machine."



FYI: How could it be that Clampi is the "big one" after reading what we both just read about Zeus? Is it "greek" to you as well?



The Zeus Trojan has a capability that allows criminals to add fields to the form, such as fields for additional authentication information for a bank website; those credentials are sent back to the criminal, she said. Fraudsters also can alter the display to fool users into thinking all their money is still in their account.



The way Zeus alters a form on a genuine bank website as it's displayed on the victim's computer -- instead of showing an entirely fake banking website -- is one of its most powerful features and sets it apart from other banking Trojans, said Richard Wang, manager of the U.S. research labs at Sophos Plc.




One new Zeus Trojan functionality allows criminals to quickly use stolen credentials, and in some cases, circumvent two-factor authentication. In studying several Zeus variants, researchers at RSA, the security division of Hopkinton, Mass.-based EMC, recently discovered that some criminals were using the Jabber instant messaging open protocol in order to receive stolen information as soon as it was collected from infected computers.



Editor's Translation: One-Time Passwords (OTPs) are received by the bad guys at the same time they are received by the intended recipient, thus OTPs are no longer secure...




"Real-time notification can further online criminals' goals in some cases when certain variations of man-in-the-middle (MITM) or man-in-the-browser (MITB) attacks are launched," RSA researchers wrote. "With such attacks, the online criminal may be acting in real-time as their intended victim logs in to his or her account."



Read the Article in its Entirety at Search Financial Security.com
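One defensive check that follows from the form-field injection described above, shown as an added example (it is not code from the article or from any vendor quoted in it): compare the form the bank's server sent with the form the customer's browser actually rendered, and flag submitted parameters the server never asked for. The sample HTML, the field names and the idea that the bank can obtain a snapshot of the rendered form (for instance from its own page-integrity script) are assumptions; the parameter check also assumes the injected fields sit inside the genuine form and so reach the bank's server.

```python
from html.parser import HTMLParser

# Constructed sample: the login form exactly as the bank's server sent it.
SERVED = """
<form id="login" action="/auth" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input type="submit" value="Sign in">
</form>
"""

# Constructed sample: the same form as captured from the customer's browser,
# carrying two extra fields that the server never sent.
RENDERED = """
<form id="login" action="/auth" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="atm_pin" type="password">
  <input name="mothers_maiden_name">
  <input type="submit" value="Sign in">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collect (form id, field name, field type) for every form control."""

    def __init__(self):
        super().__init__()
        self._form = ""
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = a.get("id") or a.get("name") or ""
        elif tag in ("input", "select", "textarea"):
            name = a.get("name") or a.get("id") or ""
            default_type = "text" if tag == "input" else tag
            ftype = (a.get("type") or default_type).lower()
            self.fields.add((self._form, name, ftype))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = ""


def form_fields(html):
    """Return the set of form controls found in an HTML document."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def injected_fields(served_html, rendered_html):
    """Controls present in the rendered page but absent from what was served."""
    return sorted(form_fields(rendered_html) - form_fields(served_html))


def unexpected_params(served_html, posted):
    """Names in a submitted request that the served form never contained."""
    expected = {name for _, name, _ in form_fields(served_html) if name}
    return sorted(set(posted) - expected)


if __name__ == "__main__":
    for form, name, ftype in injected_fields(SERVED, RENDERED):
        print(f"ALERT form={form!r} unexpected field {name!r} (type {ftype})")
    # Constructed request body, as parsed by the web application.
    posted = {"username": "alice", "password": "x", "atm_pin": "0000"}
    print("unexpected POST parameters:", unexpected_params(SERVED, posted))
```

A clean result from either check does not prove the browser is uninfected, since a Trojan that sends the extra fields only to its own server leaves the bank's request unchanged.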





Google Search Real-Time Search Results Hack






Google’s “real-time hack”



The tech world is abuzz with the news that there is a not-so secret URL hack to change a normal Google search string into a near-live search.  Trouble is, the reports all seem to rely on users being able to access a ‘search options’ link on the Google homepage, and then limit searches to the past day. Once you’ve done that you can start tweaking the web address to narrow down your search window.



However, on your behalf, and thanks to a useful post on ReadWriteWeb, Freelance Unbound tracked down the relevant URL, and here it is:

DISCLAIMER: The PIN PAYMENTS NEWS BLOG has tested the link and although it seems to be fine, remember, it's a link in a browser. If you have any doubts, don't try it!



http://www.google.com/search?hl=en&tbo=1&tbs=qdr:n1,sbd:1&amp



(Editor's Note: I didn't/won't provide the direct link...you will need to copy and paste if you want to try at your own risk!). The article continues....



The crucial timing bit is the qdr:n1. The “n” specifies minutes – the “1”, fairly obviously, specifies 1 of them.

Change this to “s” to switch to seconds. Change the number directly after it to specify how many minutes or seconds you require. For a longer search, change the “n” to “d” for days. Then all you have to do is add your search string directly after the last “=” sign. If you’re looking for Freelance Unbound, you’d add freelance+unbound to the end of the URL…




NACHA to Rewrite Mobile Payments Rulebook

Finextra: Nacha to rewrite rule book for mobile payments

US electronic payment association Nacha is proposing amending its rules to cater for an expected surge in mobile payments processed over the national ACH network.



The proposed rule change would expand the definition of Internet-Initiated Entries (WEB) to include ACH debits authorised and/or initiated via mobile networks.



Nacha says the changes would clarify the entry classification standard for mobile payment processing over the ACH network and provide a framework for basic risk management and security procedures.








Capital One Wins Significant Interchange Tax Victory

Capital One Wins ‘Significant’ Tax Victory on Fees (Update3)

By Ryan J. Donmoyer and Peter Eichenbaum



(Bloomberg) -- Capital One Financial Corp. won a decade-long battle to defer paying taxes on a portion of its transaction income, a decision that affects an estimated $48 billion in fees U.S. credit-card issuers collect each year.



A U.S. Tax Court ruled yesterday that the bank’s income from interchange fees that merchants pay on customer purchases should be regarded as interest subject to tax-deferral rules. The Internal Revenue Service argued the fees are taxable upon receipt.



“This is a significant victory for the industry and a crushing, albeit predictable, defeat for the IRS,” said Robert Willens, founder of Robert Willens LLC, which advises investors on accounting and tax rules. “It’s always better to defer income for tax purposes for obvious reasons. The company has the use of the money it would otherwise pay out in taxes for a longer time.”



Capital One, the third-biggest issuer of Visa Inc. credit cards, is challenging $318 million in taxes and penalties assessed by the IRS for tax years 1995-1999. The verdict may wipe out part of the bank’s liability, although the IRS can appeal.  

“We’re pleased with the decision; however, it’s premature to discuss any details resulting from this ruling,” Tatiana Stead, a spokeswoman for McLean, Virginia-based Capital One, said in an e-mailed statement.  IRS spokesman Dean Patterson declined to comment.


Fiserve 2 ServeFi(ve) Credit Union Platforms





Brookfield, Wis., Sept. 23, 2009 -PIN Payments News Blog- Fiserv, Inc. (NASDAQ: FISV), the leading global provider of financial services technology solutions and the largest provider of business-driven technology solutions for credit unions, announced today that it has signed five new credit union clients to contracts for its Portico™, OnCU® and CubicsPlus® account processing solutions.



In addition to choosing an account processing solution from Fiserv, representatives from the five credit unions said they look forward to streamlining workflows and driving efficiencies by leveraging a wide range of value-added Fiserv solutions such as Card Services, Virtual Branch® Internet banking, Wisdom™ accounting tools and other best-of-breed products that are integrated with the account processing solutions to create enterprise-wide platforms for growth.



“Our newest clients repeatedly cite our wide range of products and services and the positive experiences of our longer-term clients as key factors in their decision to join the Fiserv family. This feedback is a clear indication that the Fiserv 2.0 initiative is a success for the company and the clients. It is also a signal that our strong commitment to client service is evident to our clients, and our delivery and execution remain the best in the business,” said Jeff Givens, senior vice president and national sales manager, Credit Union Solutions at Fiserv.



Reinforcing the Fiserv core competency in processing services among other areas of expertise, the company’s newest credit union clients include:



Conservation Employees Credit Union with $67 million in assets in Jefferson City, Mo., selected the Portico account processing solution to serve its 6,520 members. Conservation Employees will implement the full suite of Portico modules, including Contact Manager; Cross Sell and Tracking. In addition, the credit union will be adding Loancierge™ loan origination, eFichency℠ document imaging, Wisdom: ALM with Investments; Wisdom: 5300 Call Report Assistant; credit card processing; and Virtual Branch for Internet banking and electronic statements.



Firefighters Credit Union, Indianapolis, Ind., also chose the Portico account processing system as well as Virtual Branch for Internet Banking and bill payment; online ATM and debit card processing; Cross Sell and Tracking for Portico; and Statement Processing from Fiserv. Greater Indianapolis, with $51 million in assets and nearly 7,000 members, wanted to experience continued credit union growth without requiring staff growth and determined that the Fiserv solutions offered the automation and efficiency-boosting tools necessary to achieve their goals.



Memorial Employees Federal Credit Union in Hollywood, Fla., also selected Portico, citing the strength of Fiserv and the fact that the company’s offerings provide the best overall solutions package. The credit union, with $38 million in assets and 8,000 members, was looking to streamline office efficiency, especially imaging and loan processing, when it chose Portico. In addition to the Portico account processing platform, Memorial Employees chose eFichency document imaging; Virtual Branch for Internet banking and electronic statements; and Wisdom.



Organized Labor Credit Union in Modesto, Cal., chose the CubicsPlus account processing solution. With more than $19 million in assets, the credit union wanted to provide its 4,355 members with a solution that was “under one umbrella.” In addition to giving the credit union capacity to process debit cards online, in real-time, the credit union’s investment in Fiserv included Virtual Branch Internet banking and the Wisdom: ALM and 5300 Call Report Assistant modules.



Electric Federal Credit Union in San Jose, Calif., chose the OnCU account processing system from Fiserv. In addition to a full range of OnCU-related modules and services—including audio response and Web design, Electric Federal will be offering its 1,300 members Virtual Branch Internet Banking and Card Services from Fiserv. Ease of use, the reputation of Fiserv, price competitiveness and good references from OnCU clients were cited in the $11 million financial institution’s final choice.



About Fiserv




Fiserv, Inc. (NASDAQ: FISV) is the leading global provider of information management and electronic commerce systems for the financial services industry, driving innovation that transforms experiences for financial institutions and their customers. Ranked No. 1 on the FinTech 100 survey of top technology partners to the financial services industry, Fiserv celebrates its 25th year in 2009. For more information, visit www.fiserv.com .



Source: Company press release.

Bill Me Later Coming to eBay - PayPal Blog

Bill Me Later Coming Soon to eBay and Offered through PayPal at Merchant Sites


Hi everybody. Sam Shrauger here, PayPal’s vice president of global product strategy.  As Scott Thompson said in his post after eBay acquired Bill Me Later, the opportunity that eBay, PayPal and Bill Me Later have together is nothing short of tremendous. I’m excited to tell you that in the coming weeks we’ll be introducing Bill Me Later on eBay, as well as on other merchant sites through PayPal, beginning with a launch for a limited number of buyers and sellers in the U.S.



Bill Me Later on eBay: Qualified PayPal customers will be able to use Bill Me Later during eBay checkout. For select sellers, PayPal will automatically add Bill Me Later as a way to pay. Sellers included in the initial rollout will be notified via email by PayPal.



Bill Me Later through PayPal: Qualified PayPal customers will also be able to use Bill Me Later at thousands of their favorite merchants. After selecting PayPal at checkout, buyers will see Bill Me Later as a fast and secure way to pay, with the added benefit of deferred billing.



Continue Reading Sam's Post at the PayPal Blog

Bankcard Industry Lobbies Congress to Leave Interchange Fees Alone

Summary

The primary story here is not the card industry's standard defense of bankcard interchange fees. It is that Visa and industry trade associations are responding to the clear and present danger that an angry Congress is going to side with merchants by enacting a law to limit interchange fees. Their defense of the fee is that polling of consumers shows a wide majority in favor of charging merchants for accepting cards. But it doesn't address whether current fees are too high and unfairly applied.

Analysis

If Congress enacts a law, the bankcard networks and their issuers could lose billions in revenues, thus forcing higher APRs on cardholders.  It also holds the risk of increasing the industry's exposure in the interchange antitrust lawsuit in Brooklyn.  In effect, a potentially very costly double whammy.  The industry has the better argument vis-a-vis new legislation.  Namely, that price controls invariably backfire, and in this case will screw not only consumers but merchants in lost sales.  Their argument that merchants will pocket any reductions in interchange fees will probably fall on deaf ears, as there is no way to prove it.  Their argument that current interchange practices are fair probably will also fail in Congress.  It's an argument that hasn't succeeded anywhere else around the world.  The latest proof of this is the networks' settlement of the issue in New Zealand in favor of the merchant position.  In the EU, the EC has all but decided that the bankcard industry is a cartel involved in price fixing.  Congress is hearing the same defense that hasn't persuaded foreign governments anywhere.  Visa and MasterCard set interchange fees that they charge to merchant banks, knowing the fees will be passed on to merchants and paid through network settlement systems to issuers.  The fees are nonnegotiable and V & MC don't receive a cent of them.  All they do is collect it for issuers.  In effect, the fee is an issuer fee -- a fee charged by banks.  And nowadays nobody likes banks.  Bottom line: interchange legislation in some disturbing form will happen next year, unless the bankcard industry settles the Brooklyn lawsuit in a way that resolves the issue for years to come.  Put another way, the industry can best prevent legislation via self reform -- a negotiated deal with its adversaries in court.

Raiffeisen Bank Romania orders 190,000 Todos Smart Card Readers





Raiffeisen Bank has selected leading eBanking security vendor Todos AB to provide their online customers with the latest in security technology. The choice fell on smartcard reader Todos A200 for more trustworthy and user-friendly eBanking in Romania.



PRLog (Press Release)
Sep 23, 2009 – GOTHENBURG, SWEDEN - SEPTEMBER 23 - Raiffeisen Bank Romania has ordered 190,000 Todos A200 smartcard readers. The bank's objective is to increase security for its online customers and, as a result, increase their trust and confidence in eBanking with Todos's advanced technology.



Raiffeisen Bank is one of the country's leading banks with more than two million customers. It is a subsidiary of the Austrian Raiffeisen International Bank-Holding AG, which in turn is a fully consolidated subsidiary of Vienna-based Raiffeisen Zentralbank Österreich AG (RZB). RZB operates one of the largest banking networks in CEE, covering 17 Central and Eastern European markets through subsidiary banks, leasing companies and other financial services firms. The group's nearly 62,000 employees service 14.9 million customers via more than 3,200 business outlets.



This is Todos's first order from Raiffeisen Bank Romania, although Todos supplied a sister company, Tatra banka in Slovakia, with the same technology. This gave Raiffeisen a template for their own system and great confidence in Todos's abilities.



Todos A200 - Raiffeisen Bank Romania edition

Raiffeisen Bank wanted to roll out an authentication solution very quickly and Todos was able to deploy a solution within weeks. Despite the speed of the process, Todos still managed to customize the devices with Romanian manuals, menus and the bank's logo.



"Todos's technology brings a new level of trust and security to Raiffeisen Bank Romania," says Bo Emanuelsson, Todos's Sales Director EMEA. "We are very excited to add them as a new client and we look forward to a long and happy relationship with the Raiffeisen network."



"Todos was a natural choice for us considering their impressive work with Tatra banka, amongst others," says Iulian Dascalescu, Procurement Director at Raiffeisen Romania. "This brings a new level of security to Romanian eBanking."

# # #

Todos helps banks create trusted, secure relationships with their customers online. Founded in 1987, Todos designs, develops and supports online security. We have delivered over 18m products to 100+ financial institutions. When trust matters, trust Todos.


Companies Struggling with PCI Compliance



Redwood Shores, Calif. and Traverse City, Mich. – September 23, 2009 – PIN Payments News Blog:  Imperva and the Ponemon Institute today announced the findings of a survey across more than 500 U.S. and multinational IT security practitioners showing that, despite the Payment Card Industry’s (PCI) Data Security Standard (DSS), companies still struggle with data security, putting consumers at continued risk for identity theft. In fact, 71% of companies surveyed admit to not making data security a top strategic initiative, and 55% admit to only securing credit card information and not sensitive information such as Social Security numbers, driver’s license numbers, and bank account details.



However, the survey also found that companies taking a strategic approach to PCI compliance have fewer data breaches. Based on these findings, Imperva is making specific recommendations to consumers, businesses and the PCI DSS Council to improve the safety of consumers’ personal information.



The PCI DSS standard was put into effect to provide security guidelines to all businesses that handle credit card information to better protect consumers. Since it was enacted in June 2005, the number of data breaches and amount of credit card fraud has continued to rise.



According to the survey of more than 500 U.S. and multinational IT security practitioners at companies with an average of $5.6 billion in annual revenue:

  • 71% of respondents do not treat PCI as a strategic initiative, yet 79 percent have experienced a data breach involving the loss or theft of credit card information.

  • 55% of respondents focus only on credit card data protection and do not attempt to secure sensitive information such as Social Security numbers, driver’s license numbers, bank account details and other data about people and families.

  • 60% of respondents don’t think they have sufficient resources to comply with PCI and bring about a necessary level of cardholder security.

“Nobody is in business to be compliant. But there is a silver lining to this survey: if you protect consumers as required by the PCI DSS standard, there is an incredible opportunity to improve your overall security posture,” said Shlomo Kramer, Imperva’s CEO.



“Security departments are using PCI compliance as leverage to gain more budget, but these resources are not always translating into greater security for sensitive customer data,” said Larry Ponemon, chairman and founder, Ponemon Institute. “The results of our study indicate that while some companies have figured out how to convert PCI standards into an overall security mandate—many more have not.”

Smaller businesses struggle the most

The survey found that only 28% of smaller companies (501-1000 employees) comply with PCI as opposed to 70% of larger companies (75,000 or more employees).



“Companies devote 35% of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies,” explained Amichai Shulman, Imperva’s CTO. “This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs.”



“The PCI Security Standards and the card brands must update the PCI-DSS so that it’s risk-based, depending on the system configuration of the complying company. The ‘one size fits all’ approach of the current standard imposes unreasonable requirements on many companies that have simple networks, or have implemented security technologies that aren’t included in the PCI standards, but provide equal or greater levels of protection,” said Avivah Litan, Vice President and Distinguished Analyst with Gartner Research in a May 2009 report, “Moving Beyond PCI at Visa’s Global Security Summit.”

Companies that take a strategic approach to PCI compliance have fewer data breaches

The PCI DSS standard has the potential to make a powerful impact to corporate IT security initiatives. The survey shows that 27% of companies believe that PCI-DSS compliance is positively contributing to their organizations’ security posture and are taking a strategic approach to compliance. In fact, companies that were fully PCI compliant had fewer breaches than those that were not compliant. However, the majority (73%) of respondents have achieved PCI compliance using a basic, checklist approach.

Imperva’s recommendations to consumers, businesses and the PCI DSS Council

To coincide with the October 31st deadline for input on changing PCI-DSS standards, Imperva is providing recommendations to consumers, businesses and the PCI DSS Council.

For PCI-DSS Council

  • Have a compliance logo for consumers. Today, companies can’t articulate their security efforts to consumers, and consumers are not aware of the compliance status of the retailers they do business with. As a consequence, companies cannot leverage their investment in PCI compliance to gain competitive advantage.

  • Modify compliance needs for larger and smaller companies. Smaller companies need to have a modified standard that takes into account different environments and security needs.

Consumer recommendations

  • Look for PCI compliant companies—In general, companies that were compliant suffered fewer breaches. Although compliance doesn’t guarantee perfect security, it helps the odds.



Business recommendations


  • Use PCI to bring about a broader, more effective security program.

  • Use PCI as a way to get senior management aware of and involved in IT security. PCI creates a business case that is tightly coupled to information security.

  • Assign a clear champion who owns and drives PCI as well as security that is strongly empowered to direct numerous teams for support. Without a clear champion, security—and compliance—will suffer.





For more information



Listen to Imperva’s Chief Security Strategist Brian Contos interview Dr. Larry Ponemon in a podcast or download the transcript.



About The Ponemon Institute



The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries. Visit the Ponemon Institute at www.ponemon.org.

About Imperva



Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit www.imperva.com.

# # #

Voltage Security First to Combine Encryption, Tokenization and Data Masking in Single Platform to Reduce PCI Audit Scope

Provides Widest Set of Data Protection Options With Most Rapid Deployment

LAS VEGAS, NV--(Marketwire - September 23, 2009) - PCI SSC 2009 Community Meeting -- Voltage Security, Inc. (www.voltage.com), the global leader in end-to-end data protection, today announced it has extended Voltage SecureData™ by adding tokenization and data masking capabilities to the existing encryption functionality, enabling the end-to-end protection of data, such as credit card numbers, in applications and databases. These additions make Voltage SecureData the most comprehensive end-to-end data protection solution available, giving customers the widest choice of protection options to simplify implementation, reduce PCI audit scope and lower costs.







Now, when combined with Voltage SecureMail and Voltage SecureFile, all supported by Voltage's common stateless key management approach, these solutions together form the first true end-to-end data protection platform with a single developer interface, common policy framework and centralized stateless key management.



"The addition of tokenization and data-masking allows customers to significantly reduce the likelihood of an expensive data breach while lowering overall PCI compliance costs, without adding to their IT administrative burden," said Mark Bower, vice president of product management at Voltage Security. "Voltage can now meet the most common use cases for online and offline data protection, with true stateless key management. This is something no other tokenization or encryption solution can do."

Voltage Data Breach Index





According to a recent Mercator Advisory Group Report, enterprises now spend, on average, more than $6.65 million to recover from a single data breach.(1) "A data breach could kill a company," notes Mercator principal analyst George Peabody, "but tokenization and encryption are two technologies that enable a merchant to mitigate the risk of breach."



Voltage SecureData now includes encryption, tokenization, data de-identification and masking for protection for all types of structured and unstructured data. This includes primary account numbers (PANs), Social Security Numbers (SSNs), national insurance numbers, driver's license numbers, birth dates, files, images and other types of sensitive and private information. And, as part of the Voltage End-to-End Data Protection platform, all of these capabilities are supported by a unified architecture that offers a single developer interface, centralized administration for system configuration, policy management and key management.



Examples of how customers can harness the power of Voltage SecureData include:

  • End-to-end encryption of sensitive card data for authorization and settlement within payment systems

  • Encryption and/or tokenization of card data stored in databases and used by business applications, such as resolving charge-backs, or for post-settlement processes

  • Data masking and data de-identification for test and outsourced environments -- including packaged applications like Oracle E-Business Suite, PeopleSoft, Siebel, J.D. Edwards and Baan, reducing risk of inadvertent exposure of sensitive information

Voltage customers enjoy these benefits and more:

  • Reduced PCI audit scope, costs and impact. Voltage SecureData provides production-ready data protection in 60 days or less.

  • Avoidance of brand-damaging, costly breaches. Enterprises can move beyond compliance to provide data protection across mainframes, open systems, embedded devices, and mobile platforms

  • Lowered IT administration burden and overhead. Unlike traditional data protection solutions, Voltage SecureData supports existing infrastructure, IT processes and policies and requires very little administration time.



Tokenization




Tokenization protects against data breaches by replacing primary account numbers (PANs) and other sensitive data with a different value, a "token." The PANs and matching tokens are stored in an encrypted database, and the organization uses the token, instead of the PAN, to process and record transactions within its own systems. If hackers gain access to those systems, they only receive meaningless tokens and are unable to sell or use customer information.



In addition to improving data security, tokenization helps to limit the scope of a merchant's PCI audit and outsource liability in the event of a data breach -- an appealing combination to cost-conscious merchants, according to the Mercator Advisory Group. Recently, the amount of regulation related to data protection has risen dramatically, with 44 states passing breach notification laws, the Fair and Accurate Credit Transactions Act (FACTA) and new privacy stipulations within the Health Information Technology for Economic and Clinical Health Act (HITECH). Analysts have reported that the amount large merchants have had to spend to achieve PCI compliance has increased dramatically over time.



One of the biggest contributors to those rising costs is the expense of PCI audits. However, when an application or database uses tokens instead of actual account numbers, that system generally falls outside of the scope of a PCI audit. As a result, organizations that use Voltage SecureData tokenization capabilities can reduce the size and expense of their audits.
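The token-for-PAN substitution described in this section, as an added example that is not Voltage's code or product API: a minimal vault that issues random tokens, and an order table that only ever holds tokens. The class and function names are hypothetical, the in-memory dictionaries stand in for the encrypted database the text mentions, and keeping the last four digits and forcing tokens to fail the Luhn check are design choices of this sketch, not claims about the product.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only component that ever sees real PANs."""

    def __init__(self, index_key=None):
        self._index_key = index_key or secrets.token_bytes(32)
        self._pan_by_token = {}    # stand-in for the encrypted PAN/token database
        self._token_by_index = {}  # HMAC(PAN) -> token, so one PAN maps to one token

    def tokenize(self, pan):
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 ASCII digits")
        if not luhn_valid(pan):
            raise ValueError("PAN fails the Luhn check")
        index = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if index in self._token_by_index:
            return self._token_by_index[index]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # same length, last four kept for receipts
            # Reject collisions and anything that could pass as a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[index] = token
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]


def record_order(vault, orders, order_id, pan, amount_cents):
    """Business system: stores the token, never the PAN."""
    orders.append({"order": order_id, "card": vault.tokenize(pan),
                   "amount_cents": amount_cents})


if __name__ == "__main__":
    vault, orders = TokenVault(), []
    # Constructed sample data: well-known test card numbers, not real accounts.
    record_order(vault, orders, "A-1001", "4111111111111111", 2599)
    record_order(vault, orders, "A-1002", "5555555555554444", 1200)
    record_order(vault, orders, "A-1003", "4111111111111111", 800)
    for row in orders:  # what an intruder reading the order table would see
        print(row)
    print("settlement lookup:", vault.detokenize(orders[0]["card"]))
```

The order table can then be handled as token data, while the vault and its index key remain the systems that need full protection.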



Data Masking



In order to achieve full PCI compliance, organizations must protect data in every system that uses credit card data. That means companies must address quality assurance, test, application development, and outsourced systems -- not just production systems.



Voltage SecureData, which already provides dynamic data protection for production systems, now also provides the widest range of data masking and data de-identification options for non-production data and outsourced environments while preserving geographic and statistical relationships in the data. In addition, customers can take advantage of application metadata and automated masking rules for packaged applications such as Oracle E-Business Suite, PeopleSoft, Siebel, JD Edwards and Baan.



Voltage SecureData Masking is powered by Solix Technologies, Inc. (www.solix.com), a leading provider of enterprise data management solutions used by large enterprise customers to manage business critical data.



Technology Innovations for End-to-End Data Protection




Several technological innovations make it possible for most customers to deploy secure data end-to-end in just weeks. First, Voltage Format-Preserving Encryption (FPE) enables data values to be encrypted while retaining their original length and format. In other words, a 16-digit credit card number is replaced with an encrypted value of the same length and structure, and, as a result, organizations do not need to make time-consuming modifications to applications or database schema. Second, Voltage Identity-Based Encryption (IBE) uses simple common identities, such as an email address, as public keys, eliminating the need to store and manage keys, dramatically reducing administrative burden.



Pricing & Availability



Voltage SecureData Tokenization and Data Masking solutions are available in October with starter kits for production applications from $65K.



About Voltage Security



Voltage Security, Inc., an enterprise security company, is an encryption innovator and global leader in end-to-end data protection. Voltage solutions, based on next generation cryptography, provide end-to-end encryption, tokenization, masking and stateless key management for protecting valuable, regulated and sensitive information based on policy. Voltage products enable reduction in audit scope with rapid implementation and the lowest total cost of ownership in the industry through the use of award-winning cryptographic solutions, including Voltage Identity-Based Encryption™ (IBE) and a new breakthrough innovation: Format-Preserving Encryption™ (FPE). Offerings include Voltage SecureMail™, Voltage SecureData™, Voltage SecureFile™ and the Voltage Security Network™ (VSN), an on-demand managed service for the extended business network.



As a service to the industry and general public, the company maintains the Voltage Data Breach Index and Map, which is continuously updated with global data breach information: www.voltage.com/data-breach. The Company has been issued several patents based upon breakthrough research in mathematics and cryptographic systems. Customers include Global 1000 companies in banking, retail, insurance, energy, healthcare and government. To learn more about Voltage customers and sign up for the customer newsletter, please visit www.voltage.com/customers.



Voltage Identity-Based Encryption, Voltage Format-Preserving Encryption, Voltage SecureMail, Voltage SecureFile, Voltage SecureData and the Voltage Security Network (VSN), are registered trademarks of Voltage Security, Inc. All other trademarks are property of their respective owners.



(1) George Peabody, Mercator Advisory Group: "Merchant Security, Tokenization and the Fairy tale of Outsourcing PCI," March 2009.


First Data and RSA Team on Tokenization





First Data and RSA Team Up To Provide Layered Security That Protects Merchant Card Data and Brand Equity

First Data® Secure Transaction Management℠ Service Leverages Encryption and Tokenization Technology from EMC’s Security Division to Reduce Risk and Cost Associated with Processing Card Data and PCI Compliance

Atlanta, GA and Bedford, MA - First Data, a global leader in electronic commerce and payment processing services, and RSA, The Security Division of EMC (NYSE: EMC) have teamed up to provide a new service called First Data® Secure Transaction Management℠, which is engineered to enable merchants to secure payment card data and remove it from their environment while allowing access when needed. The new First Data Secure Transaction Management service, offered exclusively by First Data and powered by the RSA SafeProxy™ architecture, is designed to dramatically reduce the cost and complexity of complying with the Payment Card Industry Data Security Standard (PCI DSS).



By using the First Data Secure Transaction Management service, payment card data is encrypted at the time it is captured by the merchant's existing point-of-sale application and remains encrypted until it is securely delivered to the First Data authorization switch where decryption occurs. Once authorized through the switch, the card number is replaced by a "token" value that cannot be linked back to the original card data, but otherwise behaves like a card number. This enables the merchant to eliminate card numbers from various business applications without the need for costly application or point-of-sale hardware modifications. When needed, merchants can access the original card number through a secure vault that First Data maintains for controlled authorized look-ups. This outsourced service helps merchants to reduce the risks associated with the loss of cardholder data, avoid fines, and help prevent the loss of brand equity and trust.



"The increasing need for data protection and the growing complexity of PCI DSS compliance are driving merchants to evolve their business strategies for securing customers' sensitive information," said Robert Vamosi, security/risk & fraud analyst for Javelin Strategy & Research. "Organizations that can employ a layered approach to data security, one that capitalizes on the inherent advantages of encryption, tokenization and other technologies, will be well positioned to protect card data and reduce the scope of PCI compliance."



The First Data Secure Transaction Management service is powered by the RSA SafeProxy™ architecture, which employs a unique combination of tokenization, advanced encryption and public-key technologies that are engineered to provide merchants with the capability to eliminate credit card data from their environments without loss of business functionality or massive rewrites of applications.



"Payment card data protection and PCI compliance are some of the most significant challenges that our merchant customers face today. Addressing these challenges is both complex and costly," said Michael Capellas, chairman and chief executive officer of First Data. "The simplicity of integrating encryption with tokenization through the First Data Secure Transaction Management service dramatically redefines how merchants of all kinds manage and protect their customer payment data."



"To comply with the PCI DSS and reduce risk, organizations need security controls built into their infrastructure, and not bolted on," said Art Coviello, executive vice president, EMC Corporation and president, RSA, The Security Division of EMC. "Rather than addressing security risks by deploying disparate point controls throughout their infrastructure, First Data Secure Transaction Management provides organizations with a simplified and scalable solution that helps radically reduce management complexity and costs."

About First Data
First Data powers the global economy by making it easy, fast and secure for people and businesses to buy goods and services using virtually any form of electronic payment. Whether the choice of payment is a gift card, a credit or debit card or a check, First Data securely processes the transaction and harnesses the power of the data to deliver intelligence and insight for millions of merchant locations and thousands of card issuers in 36 countries. For more information, visit www.firstdata.com.

About RSA
RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle - no matter where it moves, who accesses it or how it is used.



RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.



Supporting Resources:

Michael Capellas and Art Coviello Discuss New Alliance


SpiderLabs to Deliver Briefings at SecTor





Members of Trustwave's SpiderLabs to Deliver Briefings at SecTor



CHICAGO (September 23, 2009) -PIN Payments News Blog- Security experts from Trustwave, the leading provider of on-demand data security and payment card industry compliance management solutions to businesses and organizations throughout the world, will deliver several briefings at SecTor in Toronto, October 5-7, 2009. The presentations will be delivered by members of SpiderLabs, the advanced security team at Trustwave responsible for incident response and forensics, penetration testing and application security.



Nicholas J. Percoco and Jibran Ilyas will present "Malware Freakshow," which will review the intricate details of three very interesting types of malware found during real-life forensic investigations. Ranging from simple to very complex, the malware discovered during these investigations is advanced software written by very skilled developers.



Trustwave's SpiderLabs has found that skilled malware developers are shifting their attack vectors from broad attacks compromising as many targets as possible to targeted attacks against specific point-of-sale (POS) systems and specific environments. Despite the varying degrees of difficulty to implement the malware, the end result of each attack is the theft of confidential data leading to significant fraud and business loss for the organizations where it was found. These new malware attack vectors are now categorized as cybercrime and the complexity in their propagation, control channels and data exporting properties will be discussed and demonstrated during the presentation.



Jon Rose, from Trustwave's SpiderLabs, will present "Deblaze – A Remote Method Enumeration Tool for Flex Servers," which will examine Flex technology and its inherent security risks.



As the Web evolves, Flex technologies provide businesses with faster, better and sleeker Internet applications. Flex is being deployed with increasing regularity without proper understanding of the security risks involved during implementation. As these new types of Internet applications gain a larger base within businesses, attackers also shift their focus towards subverting these technologies for financial gain.



Trustwave's SpiderLabs, one of the few groups with working knowledge and experience testing Flex technologies, has developed a testing tool called Deblaze. Deblaze ensures that the proper controls are in place to prevent unauthorized access to application functionality and data. This talk demonstrates how to use Deblaze, discusses the emerging security risks posed to Flex servers, and covers mitigation techniques.



SpiderLabs' Chris Pogue will present "Sniper Forensics – Changing the Landscape of Modern Forensics and Incident Response," which will look at live analysis tools and techniques to target only the systems that are part of a breach.



Rather than imaging tens of hundreds of terabytes after a breach and loading those images onto forensic software, live analysis tools and techniques allow incident responders to gather and review volatile data and RAM dumps using proven theories to target only the systems that are part of the compromise.



By using sound logic and data reduction based on forensic evidence extracted from live analysis, incident responders can introduce accuracy and efficiency into their casework at a level not available through any other means. Pogue will share tips, tools and techniques, and provide real-world examples of how live analysis can help change the landscape of modern forensic investigations, reduce the time spent on cases and increase accuracy.



"The experience and expertise of our advanced security team will teach attendees how to maintain an effective security posture against a multitude of different threats and how to properly respond to each," says Robert J. McCullen, chairman and CEO of Trustwave. "It's clear that attackers aren't slowing down; by sharing our findings businesses will understand the effectiveness of a layered security approach to protect their organization and the data it stores."

About Trustwave

Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper® compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations—ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers—manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com/.


Trustwave Accredited in MasterCard's Point of Sale Terminal Security



Chicago, Sept. 22, 2009 -PIN Payments News Blog- Trustwave, the leading provider of on-demand data security and payment card industry compliance management solutions to businesses and organizations throughout the world, has been certified to perform compliance evaluations against MasterCard’s Point of Sale Terminal Security (PTS) program. Trustwave is one of a few approved laboratories worldwide.



MasterCard’s PTS program is applicable to the hardware portion of the Point-of-Sale (POS) terminal and applies to applications that transmit card data across an open Internet Protocol (IP) or wireless connection. Payment terminal manufacturers seeking PTS compliance validation engage a firm such as Trustwave to perform an evaluation similar to that of a penetration test to verify that the POS conforms to standards set forth by MasterCard.



The objective of the security evaluation program for IP-enabled POS devices is to ensure the necessary level of protection for transaction and cardholder data at merchants that use equipment that supports the TCP/IP protocol suite. The security evaluation verifies that POS devices meet relevant requirements in terms of confidentiality, integrity and communicating parties’ authentication. This security program complements existing security programs at MasterCard that already address merchants or POS terminals, like the Payment Card Industry Data Security Standard (PCI DSS) and PCI PIN Entry Devices (PED).



“Protecting the payment application landscape from malicious attacks is just one aspect of credit card security to which merchants must adhere,” says Robert J. McCullen, chairman and CEO of Trustwave. “Trustwave had to pass a skills test and secure its testing lab in order to gain approval to perform evaluations on compliance. We are very proud to have been certified by MasterCard and are happy to offer it as a service to our customers.”



About Trustwave

Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today’s challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper® compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations—ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers—manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com .



Source: Company press release.


U.S. Largest Credit Unions




America's Largest Credit Unions

Ranked by total assets and how many members.



In total assets, these top 50 credit unions account for $228 billion of the $825 billion in U.S. credit unions. In members, the top 50 account for 19 million of the 90 million memberships.



Credit unions have become a major force on the financial landscape of America. Until recently, many members looked to credit unions just for auto loans. Now a much wider range of financial needs is being met, including mortgages, refinancing, credit cards, online bill payments, ATM services, and more. Expansion to underserved parts of the community is having an impact. Credit union employment now exceeds 258,000!



Top 50 by Assets

1. Navy Federal Federal Credit Union

Merrifield, VA. $36.4 billion in assets.
2. State Employees Credit Union

Raleigh, NC. $16.7 billion in assets.
3. Pentagon Federal Credit Union

Alexandria, VA. $13.0 billion in assets.
4. Boeing Employees Credit Union

Tukwila, WA. $8.6 billion in assets.
5. Schoolsfirst Federal Credit Union

Santa Ana, CA. $7.8 billion in assets.
6. The Golden 1 Credit Union

Sacramento, CA. $6.0 billion in assets.
7. Alliant Credit Union

Chicago, IL. $5.9 billion in assets.
8. Suncoast Schools Federal Credit Union

Tampa, FL. $5.9 billion in assets.
9. American Airlines Federal Credit Union

Ft. Worth, TX. $5.3 billion in assets.
10. Security Service Federal Credit Union

San Antonio, TX. $5.1 billion in assets.
11. America First Federal Credit Union

Ogden, UT. $4.6 billion in assets.
12. San Diego County Credit Union

San Diego, CA. $4.5 billion in assets.
13. Digital Federal Credit Union

Marlborough, MA. $4.5 billion in assets.
14. Kinecta Federal Credit Union

Manhattan Beach, CA. $4.2 billion in assets.
15. Patelco Credit Union

San Francisco, CA. $4.1 billion in assets.
16. Star One Credit Union

Sunnyvale, CA. $4.1 billion in assets.
17. Alaska USA Federal Credit Union

Anchorage, AK. $3.8 billion in assets.
18. Citizens Equity First Credit Union

Peoria, IL. $3.8 billion in assets.
19. Vystar Credit Union

Jacksonville, FL. $3.7 billion in assets.
20. ESL Federal Credit Union

Rochester, NY. $3.6 billion in assets.
21. Pennsylvania State Employees Credit Union

Harrisburg, PA. $3.3 billion in assets.
22. Wescom Central Credit Union

Pasadena, CA. $3.2 billion in assets.
23. Bethpage Federal Credit Union

Bethpage, NY. $3.2 billion in assets.
24. Desert Schools Federal Credit Union

Phoenix, AZ. $3.2 billion in assets.
25. State Farm Federal Credit Union

Bloomington, IL. $3.2 billion in assets.
26. Randolph-Brooks Federal Credit Union

Live Oak, TX. $3.1 billion in assets.
27. Police & Fire Federal Credit Union

Philadelphia, PA. $2.9 billion in assets.
28. Delta Community Credit Union

Atlanta, GA. $2.9 billion in assets.
29. Lockheed Federal Credit Union

Burbank, CA. $2.8 billion in assets.
30. Mountain America Federal Credit Union

West Jordan, UT. $2.8 billion in assets.
31. United Nations Federal Credit Union

Long Island Cit, NY. $2.8 billion in assets.
32. San Antonio Federal Credit Union

San Antonio, TX. $2.7 billion in assets.
33. Teachers Federal Credit Union

Farmingville, NY. $2.7 billion in assets.
34. Ent Federal Credit Union

Colorado Springs, CO. $2.6 billion in assets.
35. Bank Fund Staff Federal Credit Union

Washington, DC. $2.6 billion in assets.
36. Onpoint Community Credit Union

Portland, OR. $2.6 billion in assets.
37. Hudson Valley Federal Credit Union

Poughkeepsie, NY. $2.5 billion in assets.
38. Redstone Federal Credit Union

Huntsville, AL. $2.4 billion in assets.
39. Addison Avenue Federal Credit Union

Palo Alto, CA. $2.2 billion in assets.
40. Visions Federal Credit Union

Endicott, NY. $2.2 billion in assets.
41. Dfcu Financial Federal Credit Union

Dearborn, MI. $2.1 billion in assets.
42. Coastal Federal Credit Union

Raleigh, NC. $2.1 billion in assets.
43. Eastman Credit Union

Kingsport, TN. $2.0 billion in assets.
44. Wings Financial Federal Credit Union

Apple Valley, MN. $2.0 billion in assets.
45. Bellco Credit Union

Greenwood Village, CO. $2.0 billion in assets.
46. First Technology Credit Union

Beaverton, OR. $1.9 billion in assets.
47. GTE Federal Credit Union

Tampa, FL. $1.9 billion in assets.
48. Mission Federal Credit Union

San Diego, CA. $1.9 billion in assets.
49. State Employees of Maryland Credit Union

Linthicum, MD. $1.9 billion in assets.
50. Teachers Credit Union

South Bend, IN. $1.9 billion in assets.

Top 50 by Membership

1. Navy Federal Federal Credit Union

Merrifield, VA. 3,194,292 members.
2. State Employees Credit Union

Raleigh, NC. 1,498,062 members.
3. Pentagon Federal Credit Union

Alexandria, VA. 864,803 members.
4. The Golden 1 Credit Union

Sacramento, CA. 694,836 members.
5. Security Service Federal Credit Union

San Antonio, TX. 681,353 members.
6. Boeing Employees Credit Union

Tukwila, WA. 588,755 members.
7. America First Federal Credit Union

Ogden, UT. 484,291 members.
8. Suncoast Schools Federal Credit Union

Tampa, FL. 471,441 members.
9. Schoolsfirst Federal Credit Union

Santa Ana, CA. 400,721 members.
10. Digital Federal Credit Union

Marlborough, MA. 370,309 members.
11. Desert Schools Federal Credit Union

Phoenix, AZ. 364,261 members.
12. Pennsylvania State Employees Credit Union

Harrisburg, PA. 350,812 members.
13. Alaska USA Federal Credit Union

Anchorage, AK. 348,933 members.
14. Vystar Credit Union

Jacksonville, FL. 347,123 members.
15. Wescom Central Credit Union

Pasadena, CA. 340,620 members.
16. Mountain America Federal Credit Union

West Jordan, UT. 319,361 members.
17. Redstone Federal Credit Union

Huntsville, AL. 304,825 members.
18. Municipal Credit Union

New York, NY. 301,068 members.
19. ESL Federal Credit Union

Rochester, NY. 298,288 members.
20. Patelco Credit Union

San Francisco, CA. 297,626 members.
21. GECU Credit Union

El Paso, TX. 281,983 members.
22. Randolph-Brooks Federal Credit Union

Live Oak, TX. 278,971 members.
23. Citizens Equity First Credit Union

Peoria, IL. 261,360 members.
24. Teachers Credit Union

South Bend, IN. 254,871 members.
25. San Antonio Federal Credit Union

San Antonio, TX. 248,548 members.
26. State Employees of Maryland Credit Union

Linthicum, MD. 245,115 members.
27. Alliant Credit Union

Chicago, IL. 234,003 members.
28. Kinecta Federal Credit Union

Manhattan Beach, CA. 228,439 members.
29. Arizona Federal Credit Union

Phoenix, AZ. 224,865 members.
30. Hudson Valley Federal Credit Union

Poughkeepsie, NY. 214,769 members.
31. American Airlines Federal Credit Union

Ft. Worth, TX. 212,362 members.
32. Eastern Financial Florida Credit Union

Miramar, FL. 206,744 members.
33. GTE Federal Credit Union

Tampa, FL. 203,376 members.
34. San Diego County Credit Union

San Diego, CA. 201,254 members.
35. Tinker Federal Credit Union

Tinker Afb, OK. 196,717 members.
36. Ent Federal Credit Union

Colorado Springs, CO. 193,449 members.
37. Keesler Federal Credit Union

Biloxi, MS. 191,474 members.
38. Onpoint Community Credit Union

Portland, OR. 191,006 members.
39. Teachers Federal Credit Union

Farmingville, NY. 189,227 members.
40. Coastal Federal Credit Union

Raleigh, NC. 187,790 members.
41. Kern Schools Federal Credit Union

Bakersfield, CA. 187,385 members.
42. Bellco Credit Union

Greenwood Village, CO. 186,978 members.
43. Grow Financial Federal Credit Union

Tampa, FL. 186,348 members.
44. Virginia Credit Union, Inc. Credit Union

Richmond, VA. 185,718 members.
45. Community America Credit Union

Kansas City, MO. 184,042 members.
46. Founders Federal Credit Union

Lancaster, SC. 183,968 members.
47. Delta Community Credit Union

Atlanta, GA. 181,259 members.
48. Truliant Federal Credit Union

Winston-Salem, NC. 181,191 members.
49. Wright-Patt Credit Union

Fairborn, OH. 172,822 members.
50. North Carolina Local Government Federal Credit Union

Raleigh, NC. 170,523 members.


* Based on December, 2008 data.

Largest U.S. Banks

United States' Largest Banks

The following list shows the largest banks in the U.S., as of May 30, 2008.

The assets are listed in millions of dollars.

Rank. Name (city, state): Consolidated assets

1. Citigroup (New York, N.Y.): $2,199,848
2. Bank of America Corp. (Charlotte, N.C.): 1,743,478
3. J. P. Morgan Chase & Company (Columbus, Ohio): 1,642,862
4. Wachovia Corp. (Charlotte, N.C.): 808,575
5. Taunus Corp. (New York, N.Y.): 750,323
6. Wells Fargo & Company (San Francisco, Calif.): 595,221
7. HSBC North America Inc. (Prospect Heights, Ill.): 493,010
8. U.S. Bancorp (Minneapolis, Minn.): 241,781
9. Bank of the New York Mellon Corp. (New York, N.Y.): 205,151
10. Suntrust, Inc. (Atlanta, Ga.): 178,986
11. Citizens Financial Group, Inc. (Providence, R.I.): 161,759
12. National City Bank (Cleveland, Ohio): 155,046
13. State Street Corp. (Boston, MA): 154,478
14. Capital One Financial Corp. (McLean, Va.): 150,608
15. Regions Financial Corp. (Birmingham, Ala.): 144,251
16. PNC Financial Services Group, Inc. (Pittsburgh, Pa.): 140,026
17. BB&T Corp. (Winston-Salem, N.C.): 136,417
18. TD Bank North, INC. (Portland, Maine): 118,171
19. Fifth Third Bankcorp (Cincinnati, Ohio): 111,396
20. Keycorp (Cleveland, Ohio): 101,596
21. Northern Trust Corp. (Chicago, Ill.): 77,480
22. Bancwest Corp. (Honolulu, Hawaii): 74,808
23. Harris Financial Corp. (Wilmington, Del.): 69,172
24. Comerica Incorporated (Dallas, Tex.): 67,167
25. M&T Bank Corp. (Buffalo, N.Y.): 66,085
26. Marshall & Ilsley Corp. (Milwaukee, Wis.): 63,432
27. BBVA USA Bancshares, Inc. (The Woodlands, Tex.): 59,953
28. Unionbancal Corporation (San Francisco, Calif.): 57,933
29. Huntington Bancshares, Inc. (Columbus, Ohio): 55,985
30. Zions Bancorporation (Salt Lake City, Utah): 53,597

Source: Federal Reserve System, National Information Center.
