Thursday, September 24, 2009

Black Market Values You...But For How Much?

What Are You Worth On The Black Market?

September 24, 2009 by ADMIN

From The CCCNews Team

Ever wondered how much your online identity is worth to a cyber criminal? A new tool from Symantec Corp. will perform the calculation for you.

The Norton Online Risk Calculator, unveiled within a microsite to coincide with the launch of Norton 2010, calculates your net worth on the black market by asking a few questions about your personal Internet use.

It takes a few minutes to answer the questions, after which you get three results: how much your online assets are worth, how much your online identity would sell for on the black market, and your risk of becoming a victim of identity theft.

The main point isn’t to promote software or instill fear, but to spread awareness on cyber crime, said Marian Merritt, Internet security advocate for Symantec.

IT pros can use the consumer-oriented tool to educate employees in their office, as well as advocate Internet security to their family and friends. “IT is in that unique position of bridging both worlds,” said Merritt.

It’s unlikely the average consumer would read an Internet Security Threat Report, she added, but a simply illustrated example might get the same point across. “It’s shocking how little value criminals place on your credit card,” she said.

IT pros themselves might also benefit from a refresher on cyber crime. “Sometimes those who think they know the most can be even more at risk than others who admit they don’t know much and therefore are very cautious,” said Merritt.

Even those who consider themselves experts in IT tend to take shortcuts when it comes to online security because they think they aren’t at risk, their information isn’t really that valuable or they don’t realize how much work it takes to recover a stolen identity, she explained.

IT pros might be familiar with concepts of the underground criminal economy and may even know a self-proclaimed hacker or two, but they may not realize the extent to which cyber crime has grown over the past several years, she said.

Cyber crime is now larger than the international drug trade, Merritt pointed out. Nearly 10 million people have reported identity theft in the U.S. over the last 12 months and one in four households have already been victimized, she said.

Not only is the rate of growth surprising, but so is how easy it is for criminals with no technical skills to convert themselves into cyber criminal businesses overnight, she said. Build-your-own botnet kits and spam engine systems trade on the black market for about $500, Merritt pointed out.

Cyber crime is well reported in the IT space, but the message doesn’t often reach the general public, according to Merritt. “You turn on the news and they are talking about capturing drug dealers going across the border, but they rarely show a hacker in handcuffs,” she said.

Michael Calce, who did make popular news headlines back in 2000 for a series of DDoS attacks that brought down major Web sites including Yahoo, eBay and Amazon, is one exception. His 56-charge conviction gained further notoriety due to the fact that he was only 15 years old at the time.

The former hacker is now making an effort to rebuild his reputation as a “white hat” and is spreading the message on cyber crime and Internet security. The Internet is broken, threats are exploding and the IT community needs to join forces to fix it, warned Calce at the IT360 conference last April.

In a post-conference interview, Calce summed up his main message for those who were unable to attend the event. “We’re trying to get a message across that we need to do something about this. Government agencies need to step in, us — the white hat community — need to step up our game because this is a very serious issue that is starting to explode,” he said.

One of the main problems, according to Calce, is that the Internet was never intended to become a commercial tool. “We have to rebuild certain protocols and basically get a new concept of how the Internet should be with computer security in mind. There’s a serious lack of fundamental securities when it comes to the Internet,” he said.

Calce’s message also addressed consumers. Individual Internet users are increasingly becoming targets, he pointed out. “It’s people putting their lives online that is starting to make the difference … when you put that into perspective, that everybody’s life is now online, you can see that they’re becoming targets, whereas ten years ago this wasn’t really the case,” he said.

The best practice for the non-techie is to constantly update software and do some reading, according to Calce. “People are always on Google anyways — type up Internet security, see what you can figure out. It can definitely be beneficial to your future because the way technology is headed, sooner or later, everybody is going to need to know the fundamentals of security,” he said.

Calce suggested average Internet users look at security as a whole. “You may be attempted by hackers, you may be logged by your ISP, you may be this, you may be that … there’s so many factors to factor in. The fact is, you have to expect the worst-case scenario,” he said.

Mistakes Internet users continue to make include forgetting to renew their security software subscriptions, not keeping operating system patches up to date and failing to use the latest version of their Internet browser, Merritt pointed out.

Users may also believe they have a comprehensive Internet security package, when in fact, all they are using is anti-virus software without firewall and intrusion protection, said Merritt. Children are easy targets and further increase the risk, especially through their use of peer-to-peer networks.

But even users who do everything right can find their personal information compromised. The biggest security hole problems that lead to this generalized risk for consumers are massive data breaches that occur at institutions like banks, universities, major retailers and credit card institutions, said Merritt.

The best protection against this further threat is to sign up for a credit card monitoring service and regularly review your credit report, Merritt suggested. Institutions may or may not be required to notify consumers about a breach, she pointed out.

Symantec is introducing real-time, reputation-based security technologies in its latest lineup of Norton consumer products. The new protection model, available in Norton Internet Security 2010 and Norton AntiVirus 2010, is called Quorum.

The addition of Quorum allows Norton to detect 80 per cent of the threats within that one per cent that previously remained undetected, according to Lana Knop, principal product manager for Symantec. The new Norton packages, available online and through retailers in the U.S. on Sept. 9, are coming to Canadian retail locations by the end of September.

One in five users who go online will become a victim of some form of cyber crime, she pointed out. Knop put it into perspective by comparing the rates to street crime.

“Every four and a half minutes, a crime is committed on the streets of Los Angeles. Every three minutes, a crime is committed on the streets of Washington, D.C. In New York, a crime is committed every two minutes … every three seconds, a crime is committed on the net,” she said.

Control Computer Crimes News provides a complete view of the information security world. We empower our readers to gain all the relevant information they need to safeguard their organizations and homes and to meet business goals. CCCNews provides IT security professionals a forum where they can learn from their peers’ experiences, analysts’ findings, and vendors’ knowledge to gain from others’ expertise.

has 3 distinguished publications: The CCCNews Newsletter - published 3 times a week since June 2005. Total number of issues 700+, subscribed by 85000+ constituents. Visit to view past issues. CCCNews Magazine - started in June 2009 for all Information Security related issues including news, analysis, events, education, security tips, and much more. The first issue was downloaded by over 102000 people in first week. Finally, there is the CCCNews Website ( is a comprehensive website/portal for IT Security related topics.

Senator Withdraws Internet Gambling Health Care Funding Idea

A US Senator decided to drop ("not gamble on") a thoughtful plan to fund health care through taxing Internet gambling, as lawmakers linked to vested gaming interests objected to linking the two proposals.

As quickly as the hopeful concept was introduced, it vanished (all bets are off) Tuesday as Senator Ron Wyden dropped his amendment funding health care subsidies from revenues collected by regulating Internet gambling (it wasn't in the cards). Wyden's proposal last week to use tax money from online gaming to help pay (chip in) for low-income family health costs had brought encouragement to two causes, as online casino supporters and health care advocates felt Wyden had tied together two causes dear to the US public.

But Wyden's representatives told The Hill that Wyden decided to pull the attachment, as he did not want to increase any controversy already facing the health care package.

Continue Reading at Online Casino Advisory

Tips to Reduce Chance of Online Business Banking Fraud

Los Altos, Calif., Sept. 24, 2009 -PIN Payments News Blog- Guardian Analytics, a provider of fraud prevention software for the financial services industry, is advising businesses on the risks of Internet banking, and how they can protect their companies from becoming a victim of online banking fraud.

The need for businesses to examine their online business banking practices has never been more important.

In August alone, the FDIC, NACHA - The Electronic Payments Association, and the Financial Services Information Sharing and Analysis Center (FS-ISAC) all published alerts warning about rising Internet threats to businesses. Analyst firm Gartner issued a report on the issue in August, and last week the Senate Committee on Homeland Security and Governmental Affairs held a special hearing to discuss cybercriminals targeting small- and medium-sized businesses. Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., have also started drafting legislation to address this as well as other cyber security issues, and are working to bring public and private organizations together to spearhead the initiative.

"In the last several weeks, business banking fraud has become a dominant discussion point in the financial and security industries," said Avivah Litan, VP and distinguished analyst at Gartner. "With cybercriminals circumventing strong authentication and using sophisticated reconnaissance on accounts during the attacks, increased fraud awareness has never been more important."

Terry Austin, Guardian Analytics CEO, provides the following advice to entrepreneurs to protect their companies against online banking fraud:

  1. Be aware of your financial rights: If your business becomes the victim of online business banking fraud, you have fewer rights than you do as an individual. Regulation E of the Federal Electronic Funds Transfer Act requires banks to reimburse consumer fraud victims within 10 days of a fraud report, but it does not protect businesses the same way it protects individual accounts. Ask your bank what their policies are on protecting business accounts.

  2. Ask your bank to increase investment in protection technologies: Your bank's online account platform is only as secure as the technology behind it. Ask your bank if they have a proactive online banking fraud monitoring system in place to detect suspicious account activity and how they are responding to the recent alerts. Despite increased regulations, many financial institutions still have not implemented the technologies beyond authentication that are necessary to fight today's sophisticated threats.

  3. Update your anti-malware software and firewalls: Not keeping your anti-malware and firewalls updated is a huge risk for anyone, and even more so when it could jeopardize your business's entire financial health. Still, know that your business can fall victim even with updated computer security protection.

  4. Monitor for irregularities and missing funds: It is imperative for any business to always be on the lookout for anything abnormal occurring in its account/s. Many banks offer transaction alerts so customers can be notified of important account activity, so ask your bank about this

  5. Educate your financial managers on the threats: Forward the latest advisories on to whoever manages your online business banking accounts. If anyone needs to know about the threats, it is the person closest to your online banking account/s, whether that is the CEO, CFO, or


About Guardian Analytics

Headquartered in Los Altos, Calif., Guardian Analytics is focused on the prevention of online account fraud. The company's real-time risk management approach to fraud detection, forensics and risk monitoring is built on strong analytics and predictive models of individual behavior. Leading financial services institutions rely on Guardian Analytics to protect individual account assets and the integrity of their online channels. Founded in 2005, Guardian Analytics is privately held with venture funding from Foundation Capital. For more information, please visit .

Source: Company press release.

Useless Bank Promos

Banks often give out cash or gifts for joining with them and trying out their  online banking, checking or savings accounts. 

Here's a list of a few of them...none of which protect the integrity of their consumers' online banking credentials. Why not give them something

With the increasing threats to online banking credentials, it's time to start giving away something that not only protects their customers, but protects the bank, eliminates phishing and eliminates the myriad threats ranging from A(ccount takeover) to Z(eus) ...and all threats in between. If it's good enough to be trusted to instantly dispense is surely good enough to authenticate the online banking customer.

There's only one device that can authenticate log-in without compromising the user's online banking credentials. That device is a personal SwipePIN device from HomeATM.

It works the same way as accessing cash at an ATM. Swipe the card, enter the PIN. Only difference is since it's done in the privacy of one's own Home...I sincerely doubt there would be any skimming devices to capture the Track 1 and Track 2 data. Probably not any hidden cameras to record the PIN strokes either.

Easy as 1:2:3!  Banks Issue Card.  Banks Issue PIN.  Banks Issue Card/PIN Reader.  The fact that we manufacture the only PCI 2.x Certified PIN Entry Device designed for eCommerce authentication /financial transactions on the planet is rather exciting. 
After all...if your online banking credentials are going to be swiped, shouldn't you be the one doing the SwipePIN?

Here's some of the offers I grabbed from Bro!

Bank of America $100 Checking Account Promotion

Get $100 free when you open a checking account at Bank of America.

Amboy Direct $50 eSavings Account Promotion

Get $50 when you open an eSavings account at Amboy Direct.

Flagstar $100 Checking Account Bonus

Get $100 when you open a checking account at Flagstar Bank.

ING Direct $50 Checking Account Bonus

Get $50 when you open a checking account at ING Direct.

Comerica Bank $230 Checking Account Promotion

Get $230 when you open a checking account at Comerica Bank.

WT Direct $150 Savings Account Bonus

Get $150 when you open a savings account at WT Direct.

Free Sharp LCD TV Bonus at Irwin Union Bank for a CD

Get a Sharp LCD TV free when you open an 11 month CD at Irwin Union Bank.

Chase Free $100 Business Checking Promotion

Get $100 free when you open a business checking account at Chase Bank.

PNC Bank Virtual Wallet Free $75 Promotion

Get $75 free when you open a Virtual Wallet account at PNC Bank.

Harleysville National Bank Free $75 Checking Account Bonus

Get $75 free when you open a checking account at Harleysville National Bank.

WT Direct Free $75 Savings Account Promotion

Get $75 free when you open a savings account at WT Direct.

Chase Bank Checking Account Free $100 Promotion

Get $100 free when you open a checking account at Chase Bank.

WaMu Free $100 Checking Account Promotion

Get $100 free when you open a checking account at WaMu.

Umpqua Bank Free $120 Bank Account Promotion

Get $120 free when you set up automatic transfers at Umpqua Bank.

American Eagle Credit Union $100 Checking Bonus

Get $100 when you open a checking account at American Eagle Credit Union.

Bank of the West $100 Checking Account Bonus

Get $100 when you open a checking account at Bank of the West.

Investors Savings Bank Free $100 Checking Account Bonus

Get $100 when you open a checking account at Investors Savings Bank with direct deposit.

PNC and National City Free $75 Checking Account Bonus

Get $75 when you open a checking account at PNC or National City.

Lockheed Federal Credit Union Free $150 Checking Account Bonus

Get up to $150 when you open a checking account at Lockheed Federal Credit Union.

USAA Bank Free $100 Checking Account Promotion

Get up to $100 when you open a checking account at USAA Bank.

WesBanco Free $100 Checking Account Promotion

Get up to $100 when you open a checking account at WesBanco.

HomeStreet Bank Free $215 Checking Account Promotion

Get up to $215 when you open a checking account at HomeStreet Bank.

Bank of America Free $75 Checking Account Promotion

Get $75 when current BofA credit card customers open a checking account.

SECU Credit Union Free $150 Checking Account Promotion

Get $150 when you open a checking account at SECU Credit Union.

Neighborhood Credit Union Free $100 Checking Account Promotion in Dallas Texas

Get $100 when you open a bank account at Neighborhood Credit Union.

FBOP Banks Free $160 Checking Account Promotion

Get $160 in gift cards when you open a checking account at FBOP Banks.

National Bank of Kansas City $50 Free Checking Account Promotion

Get a $50 Lowe’s gift card when you open a checking account at National Bank of Kansas City.

Best Bank Deals April 2009

The best rates on savings accounts and CDs for April 2009.

Key Bank Free GPS Checking Account Bonus

Get a Garmin GPS system free when you open a checking account at Key Bank.

PNC Bank and National City Free $75 Checking Account Bonus

Get $70 free when you open a checking account at PNC Bank or National City.

Marquette Bank Free $75 Checking Bonus in Chicago

Get $75 free when you open a checking account at Marquette Bank.

Dollar Bank Free $100 Checking Account Bonus

Get $100 free when you open a checking account at Dollar Bank.

Compass Bank Free $100 Checking Account Bonus

Get $100 free when you open a checking account at Compass Bank.

HSBC Bank Free $75 Checking Account Bonus

Get $75 free when you open a checking account at HSBC Bank.

M&T Bank Free $100 Checking Account Bonus

Get $100 free when you open a checking account at M&T Bank.

WaMu and Chase Free $100 President’s Day Checking Account Bonus

Get $100 free when you open a checking account at Chase or WaMu this President’s Day.

Discover Bank Free $50 CD Bonus

Get $50 free when you open a CD at Discover Bank.

Sterling Savings Bank Free $101 Checking Account Bonus for West Coast

Get $101 free when you open a checking account at Sterling Savings Bank.

Tower Federal Credit Union Free $125 Checking Account Promotion in Maryland

Get $125 free when you open a checking account at Tower Federal Credit Union.

Bryn Mawr Trust Company Free Apple 8 GB iPod Touch Checking Account Bonus in Pennsylvania

Get a free Apple 8 GB iPod Touch when you open a checking account at Bryn Mawr Trust Company.

Provident Bank Free $123 Checking Account Bonus

Get $123 when you open a checking account at Provident Bank.

Sun National Bank Free $100 Checking Account Bonus in New Jersey

Get $100 when you open a checking account at Sun National Bank.

FirstBank Free iPod Shuffle Checking Account Bonus

Get a free iPod shuffle when you open a checking account at FirstBank.

Metropolitan National Bank Free $200 Checking Account Bonus

Get $200 when you open a Checking account at Metropolitan National Bank.

HSBC Bank Free PowerCost Monitor Checking Account Bonus

Get a free PowerCost Monitor when you open a Checking Plus account at HSBC Bank.

Sovereign Bank Free $100 Checking Account Bonus

Get $100 when you open a checking account at Sovereign Bank.

Bank of America Free $50 Checking Account Bonus

Get $50 when you open a checking account at Bank of America.

Compass Bank Free $150 Checking Account Bonus

Get $150 when you open a checking account at Compass Bank.

Signal Financial FCU Free $101 Checking Account Bonus in Washington DC

Get $101 when you open a checking account with direct deposit at Signal Financial FCU.

Wainright Bank Free $200 Checking Account Savings Bond Bonus

Get a $200 US Savings Bond when you open a checking account with direct deposit at Wainright Bank.

PNC Bank Free $75 Checking Account Bonus

Get $75 when you open a checking account with PNC Bank.

TD Ameritrade Free $100 Savings Bonus by Suze Orman

Suze Orman and TD Ameritrade are offering a $100 bonus when you fund a new TD Ameritrade Savings account.

Wells Fargo Introduces Mobile Banking Money Transfer...Be Careful!

Wells Fargo & Co. has launched a service ...application ...that allows customers to transfer money to each other. Here's how it works! You "type" in your username and password, then simply cross your fingers that either Zeus or Clampi (Online Banking Trojans) are not present on your computer. Then you "type" in your buddy's "bank account number" and he crosses his fingers for the same reason. Finally you make a transfer and cross your fingers that you don't lose $1000 a day thereafter! Customers can transfer up to $1,000 daily! (Subsequent transfers can be made from mobile devices by logging onto and following the prompts, or by going online.) Oh phun!

First Clampi...then Zeus...

"The best strategy to defend against Clampi is to use separate machines for Web surfing and funds transfer," said Joe Stewart, one of the world's foremost authorities on botnets and targeted attacks. "It's too dangerous to do transactions on the same machine you do for Web surfing," he says. "You can't have any crossover between them."

Editor's Note:  The HomeATM which plugs into your USB port in milliseconds IS a separate machine.  Ask your bank to give you one free so you don't have to buy another computer...

More from Wells Fargo: “More and more Americans are using mobile devices for banking, and we want to be there for our customers where and when they need us... (Editor's Quip: How about being there for them when they Log-In?) — whether they are waiting in line at a store or traveling by bus,” Arah Erickson, vice president and head of retail mobile banking, said in a statement. The bank doesn’t charge for the service but mobile carriers’ text messaging and web-access charges may apply...yeah and the hackers usually cost you some dough as well.

Wells Fargo (NYSE: WFC) is based in San Francisco...Zeus and Clampi reside in personal computers. And yes, I'm being and have been playfully sardonic. Let's see what Zeus has to say...

There is an online banking Trojan out there that is bypassing up-to-date anti-virus programs as much as 77% of the time, according to security company Trusteer. The Zeus Trojan is also known as Zbot, WSNPOEM, NTOS and PRG. It is the most prevalent financial malware on the web, Trusteer says. (Editor's Note: Others say it's Clampi)

According to Trusteer: "When we set out to measure the efficiency of anti-virus products in the wild against Zeus, we had no idea what kind of results we would get," said Amit Klein, CTO of Trusteer and head of the company’s research organization. "The findings, that up-to-date anti-virus programs were only effective at blocking Zeus infections 23 percent of the time, are disturbing.

This is bad news for consumers and banks, since the vast majority of Zeus infections are going unnoticed."

(Editor's Note:  Hence "crossing of the fingers") 

About Zeus

Zeus is a financial malware. It infects consumer PCs, waits for them to type their username and password when they log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time. Yes..."real time" meaning OTPs (one-time-passcodes) are even problematic as the bad guys get them the same time you do and can log-in and cash out.

Additionally, it may inject HTML into the pages rendered by the browser, so that its own content is displayed together with (or instead of) the genuine pages from the bank’s web server. Thus, it is able to ask the user to divulge more personal information, such as payment card number and PIN, one time passwords and TANs, etc. Translation: Zeus can modify web pages from the genuine bank's servers in the user's browser. Of course, if you didn't type it...they couldn't swipe it!
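To make the HTML-injection behaviour concrete from the defender's side, here is an added example (not from the original post or the Trusteer report): a check a bank could run over a serialized snapshot of its login page as rendered in the customer's browser, flagging form fields the genuine page never serves. The allowlist, function names and both sample pages are constructed assumptions, and malware in the browser can also tamper with whatever reports the snapshot, so this is one signal among several.

```javascript
// Added example. All names and sample pages below are constructed.

// Fields the genuine login form serves (assumed allowlist for this example).
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "csrf_token"]);

// Name tokens for the data the post says injected content asks for:
// payment card number, PIN, one-time passwords and TANs.
const SENSITIVE_TOKENS = new Set(["card", "pin", "otp", "tan"]);

// Input types that are controls rather than data fields.
const BUTTON_TYPES = new Set(["submit", "button", "reset", "image"]);

// Pull name/type out of every <input>, <select> and <textarea> in an HTML
// snapshot. Regex parsing is enough for this sketch; it does not handle a
// ">" inside an attribute value, so production code should use a real parser.
function extractFormFields(html) {
  const fields = [];
  const tagRe = /<(input|select|textarea)\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2] || attr[3] || attr[4] || "";
    }
    fields.push({
      tag: tag[1].toLowerCase(),
      name: attrs.name || attrs.id || "",
      type: (attrs.type || "").toLowerCase(),
    });
  }
  return fields;
}

// True when a field name contains a token such as "card" or "pin".
// Splitting on separators and camelCase avoids matching "tan" in "instance".
function isSensitiveName(name) {
  const tokens = name
    .replace(/([a-z0-9])([A-Z])/g, "$1_$2")
    .toLowerCase()
    .split(/[^a-z0-9]+/);
  return tokens.some((t) => SENSITIVE_TOKENS.has(t));
}

// Return every data field in the snapshot that the genuine page does not serve.
function findInjectedFields(html, expected = EXPECTED_LOGIN_FIELDS) {
  return extractFormFields(html)
    .filter((f) => !(f.tag === "input" && BUTTON_TYPES.has(f.type)))
    .filter((f) => !expected.has(f.name))
    .map((f) => ({
      name: f.name || "(unnamed)",
      type: f.type || f.tag,
      sensitive: isSensitiveName(f.name),
    }));
}

// Constructed sample: the login form as the bank's server sends it.
const GENUINE_PAGE = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed-value">
  <input type="submit" value="Log in">
</form>`;

// Constructed sample: the same form after extra fields were added in the browser.
const TAMPERED_PAGE = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed-value">
  <p>For your security, please confirm:</p>
  <input type="text" name="card_number">
  <input type='password' name='atm_pin'>
  <input type=text name=otp>
  <input type="submit" value="Log in">
</form>`;

console.log("genuine:", findInjectedFields(GENUINE_PAGE));
console.log("tampered:", findInjectedFields(TAMPERED_PAGE));
```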

Oh...and if you are adamant about making sure you stay up to date with the latest Anti-Virus Software, take a graphic look at how much that helps!

Full report is here (PDF)

Aegenis Founder, Chris Mark Talks about PCI Compliance in Shift4 Video

Las Vegas, Sept. 24, 2009 -PIN Payments News Blog- Shift4 Corporation, a leading developer of enterprise payment solutions, today announced the release of a video interview with Chris Mark of The Aegenis Group on YouTube at , which vets the security of Shift4's 4Go with SafeSwipe™ solution with the DOLLARS ON THE NET™ payment service for fast, reliable and secure electronic transaction processing.

"PCI compliance is a bear. In my mind, simply by using 4Go they have reduced the need for PCI compliance and many, if not all the requirements. I know how painful PCI compliance and achieving compliance can be; 4Go removes that pain. So 4Go, in a lot of respects, makes the process more efficient, more effective, certainly makes it less painful and removes much of the risk," stated Chris Mark, CEO and co-Founder of The Aegenis Group.

As a recognized leader in training and consulting around data security in the Payments industry, The Aegenis Group has more experience training on the Payment Card Industry Data Security Standards (PCI DSS) than any company in the world. Contracted with PCI SSC as worldwide trainer of Qualified Security Assessors (QSA), The Aegenis Group trained over 1,300 QSAs in 2007 and contracted with major Payment Card Brands to train all major acquirers and merchants.

According to Chris Mark, financial institutions like banks and acquirers can also benefit from Shift4's 4Go security solution: "When we talk about PCI compliance, the acquirers have to rely upon their merchants to not only validate compliance once, but they have to have confidence that merchant is in a state of compliance in perpetuity. The challenge we know that is not the case, it is extraordinarily hard to maintain a secure environment in perpetuity. Shift4's 4Go solution removes the risk to the acquirer. If the merchant does not have the data, there simply will not be a data compromise; the acquirer will never be fined. So in my mind, the best risk mitigation strategy for an acquirer is to gently lead their merchants to a solution like 4Go."

Shift4's 4Go with SafeSwipe is Payment Application Best Practices (PABP) certified and Payment Application Data Security Standard (PA-DSS) validated. Shift4 Corporation received validation from the Payment Card Industry Security Standards Council™ for compliance of 4Go and Enhanced Micros Drivers with the Payment Application Data Security Standard. PA-DSS is a PCI Council-managed program that can help software vendors develop secure payment applications and ensure their payment applications are compliant with PCI DSS. Shift4's 4Go and enhanced interface drivers for Micros 3700, 8700 and 9700 Point-of-Sale (POS) systems are PABP validated and grandfathered under the PA-DSS.

"Shift4 appreciates the kind words from Chris Mark in acknowledgement of the Real Security benefit of our 4Go technology. As a world-renowned leader in the payment security, The Aegenis Group continues to educate businesses raising security awareness which helps merchants protect their brands. We are certainly proud of all of our security products including 4Go, i4Go and Tokenization, which together go a long way to reducing the burden of compliance and to simplifying PCI," said Dave Oder, President and CEO, Shift4 Corporation.

Used with Shift4's DOLLARS ON THE NET payment service, 4Go SafeSwipe removes all useable personal credit card data at the POS terminal, in back-office data storage and during all data transport. 4Go SafeSwipe technology is the first solution of its kind in the payment processing industry. It works by securely encrypting transaction data at the point of sale -- replacing any potentially useful data with "faux data" that cannot be used by anyone outside the system. Any logs that may have been left on inadvertently, any logs that traditionally log cardholder data or any logs associated with unsupported legacy systems are protected by this faux data, which means useable data is never retained in the POS device or the merchant's system.

To view the entire Chris Mark interview visit YouTube at .

About The Aegenis Group

The Aegenis Group is comprised of a suite of business units all dedicated to increasing the security of the payments infrastructure; Aegenis Consulting, Aegenis Publishing, and the Society of Payment Security Professionals. Aegenis Consulting specializes in strategic consulting, training, and market development assistance for companies in and around the payment card industry. Aegenis Publishing proudly offers eLearning courses and is the publisher of Secure Payments, the quarterly publication of the Society of Payment Security Professionals. The Aegenis Group also founded and manages the Society of Payment Security Professionals, a community whose objective is to provide individuals and organizations involved in payment security with the opportunity to share information and access education and certification opportunities. Society members come from a variety of businesses including card brands, merchants, acquirers, issuers, ISOs, and more. For more information about The Aegenis Group, please contact us at

About Shift4 Corporation

Shift4®, a leading developer of secure financial transaction processing software and services, provides web-based, real-time enterprise payment solutions for leaders in the hospitality, retail, food services, auto rental and eCommerce markets. Through connectivity to most major processors, DOLLARS ON THE NET provides both high-speed and low-cost authorizations and settlements for credit, debit, check, private label and gift card transactions. DOLLARS ON THE NET also includes the ability to access, review and edit transactions prior to settlement, as well as a searchable, 24-month archive of transactions for reporting and chargeback defense. For more information, please contact our sales department at (800) 265-5795 or visit .

Source: Company press release.

Does Weak Online Banking Log-In Make the Bank Liable for Losses Incurred when Fraud Occurs?

I felt compelled to share this article from Kelly Jackson Higgins. As followers of this blog are aware, I believe it is a no-brainer that banks should utilize the HomeATM device to authenticate online banking sessions. Banks give away grills, toasters, space heaters, radios, DVD players, oscillators, $100 (the list goes on and on) to get customers to enroll in their more profitable online banking programs, and none of the aforementioned does anything to protect their customers. HomeATM's device would not only protect them, but as this article hypothesizes, might wind up protecting the banks.

It doesn't matter who wins or loses this case.  What matters is that there IS a loser.  The way banks do it now,  the only winners are the bad guys...

Couple's Lawsuit Against Bank Over Breach To Move Forward

Case raises questions about banks' liability in breach of customers' online accounts

Sep 23, 2009 | 03:27 PM By Kelly Jackson Higgins


A U.S. District Court ruling in a lawsuit against a bank over a hacked online account has raised thorny questions about who's ultimately responsible for the breach of a customer's account.

An Illinois district court denied Citizens Financial Bank's request to dismiss a lawsuit that charges the bank was negligent in protecting a couple's bank account after their user name and password were stolen and used to pilfer $26,000 from their account.

The ruling lets the couple, Marsha and Michael Shames-Yeakel, continue with their lawsuit, mostly based on their allegations that the bank failed to properly secure their account.

The bank has held the couple responsible for the money that was stolen after an attacker used their online banking credentials to secure a loan on the account, first depositing it in the couple's business bank account, then wiring it to a bank in Hawaii, and then to a bank in Austria. By the time the couple reported the fraud to Citizens Financial, there was no way to retrieve the money from the Austrian bank, which refused to return it.

Experts are split over whether the couple has a chance of winning the case. But either way, the lawsuit has raised the thorny question of whether a bank should be held liable if a customer's account is breached.

In the court opinion (PDF) obtained by Wired, the couple maintains that Illinois-based Citizens Financial Bank "failed to guard access to Plaintiff's account with adequate security features at the time of the theft," with only a user name and password rather than a more secure multifactor authentication method. They argued the bank should have offered them token authentication.

The court document says the bank stood by its online banking disclaimer that exempts the bank from any liability: "We will have no liability to you for any unauthorized payment or transfer including wire transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice."

But whether the lawsuit holding the bank responsible for the couple's loss will stand up in court is unclear. John Pescatore, vice president and distinguished analyst at Gartner, says he doesn't expect the couple to win the case. "I don't see that this has much chance of succeeding. The real issue is the user's responsibility to protect their passwords, just as it is the car driver's responsibility to protect the car keys. If you leave the keys in the ignition and someone steals your car, suing the car manufacturer for negligence isn't going to work," Pescatore says.

And the argument that the bank should have offered two-factor authentication is moot, he says, because regulation from the Federal Financial Institutions Examination Council (FFIEC) only calls for "risk-based authentication" and doesn't specify it as two-factor authentication. (Editor's Note:  That is strictly a legal defense, not a common sense one)

Plus, consumers for the most part have resisted tokens and stronger authentication, while banks for the most part have avoided forcing the issue and "eaten" losses from account breaches, Pescatore says. (Editor's Note: Maybe back in 2006 they may have resisted, but I'd bet my bottom dollar that today it would be welcome) In fact, in a PIN Payments News Blog survey, almost 75 out of 100 people said they would "PREFER IT."

"It's not going to be simple to prove negligence of the bank," he says. "And if they [the attackers] got their banking passwords, they probably got a lot of [their] other passwords, too."

Bruce Schneier, meanwhile, argues that the customer should not be held responsible for this type of bank account breach. "The banks don't want to be liable," Schneier says. "But it makes no sense that the customer should be responsible for [banking] fraud...The only way to improve security is for the person with the ability to mitigate it [like a bank] to take responsibility for this. Even if it's the customer's fault, the bank should be liable."

Schneier, who also blogged about the case yesterday, says banks should have to follow the same type of rules as credit-card companies when it comes to customer losses from a breach.

The ruling, meanwhile, did grant the bank's motion for a summary judgment on other charges by the couple, including one that sued the bank for reporting the couple's account as delinquent and for leaving out information in its reports.

And a similar lawsuit was filed late last week by Sanford, Maine-based Patco Construction against Ocean Bank after the company's bank account there was pillaged by cybercriminals earlier this year for $588,000, according to a report by The Washington Post. The company alleges that the bank didn't do enough to protect its account.

Gemalto Sets Up Payment Card Personalization Facility in Indonesia

Aiming to service Indonesian banks, better protect their payment card customers and introduce new value-adding applications and services

Amsterdam, The Netherlands and Jakarta, Indonesia - Sept. 24, 2009 - PIN Payments News Blog: Gemalto, the world leader in digital security, today announced that it will inaugurate its first personalization center in Indonesia before the end of the year. The new facility will enable Gemalto to locally support financial institutions in their EMV migration. Gemalto will act as an end-to-end service provider, from card manufacturing through to fulfillment. Value-added services include inventory management and express card personalization with same day shipment. The personalization center achieved MasterCard and Visa certifications in less than six months.

Drawing on its 20 years of local presence, Gemalto has been playing an integral role in the Indonesian financial industry. Gemalto will utilize its global infrastructure, common to all Gemalto personalization centers worldwide, to provide local banks with a one-stop shop for their EMV migration program. The facility is ideally suited to meet further market requirements by developing applications for mobile contactless payment and online banking.

Tan Teck Lee, President, Gemalto Asia, remarked: "We are dedicated to providing more secure and more convenient financial payment solutions to our customers in Indonesia and the region. This new facility will also allow us to assist in the deployment of advanced capabilities such as secure online banking and mobile NFC services for instance."

In addition to providing direct, local support for business continuity plans, it will allow Gemalto to offer faster and more cost-effective ways of delivering its world-renowned smart payment solutions and services. The center also reinforces existing relationships with local partners by providing a greater range of diversified services at even closer proximity.

About Gemalto

Gemalto (Euronext NL 0000400653 GTO) is the world leader in digital security with 2008 annual revenues of €1.68 billion, and 10,000 employees operating out of 75 offices, research and service centers in 40 countries.

Gemalto is at the heart of our evolving digital society. The freedom to communicate, travel, shop, bank, entertain, and work—anytime, anywhere—has become an integral part of what people want and expect, in ways that are convenient, enjoyable and secure.

Gemalto delivers on the growing demands of billions of people worldwide for mobile connectivity, identity and data protection, credit card safety, health and transportation services, e-government and national security. We do this by supplying to governments, wireless operators, banks and enterprises a wide range of secure personal devices, such as subscriber identification modules (SIM), Universal Identity Circuit Cards (UICC) in mobile phones, smart banking cards, smart card access badges, electronic passports, and USB tokens for online identity protection. To complete the solution we also provide software, systems and services to help our customers achieve their goals.

As the use of Gemalto's software and secure devices increases with the number of people interacting in the digital and wireless world, the company is poised to thrive over the coming years.

For more information please visit

Merchant Services Firm Launches $150 Million Acquisition Plan

AmericaOne CEO to Direct New Company

San Jose, California, September 23, 2009 – PIN Payments News Blog – A team of veteran merchant services executives backed by over $150 million in private funding is setting out to expand a new company by acquiring independent sales organizations that provide payment card processing services in the U.S. and Canadian markets and the merchant card processing portfolios of financial institutions.

International Payments Corporation (IPC), the new San Jose-based company, is directed by David McMackin, a 15-year merchant services professional and President and CEO of AmericaOne Merchant Services, Incorporated.

“While some merchant services acquirers are sitting on the sidelines in today’s uncertain economy, IPC has a planned series of acquisitions well underway,” says McMackin. “IPC is  targeting medium-sized merchant services companies that provide credit, debit and other transaction processing services for merchants and will announce its first acquisition soon.”

IPC and its private equity partners believe the current economic environment provides unique expansion opportunities for companies that have the capital and can successfully engage and deploy it. In addition to purchasing card portfolios from its target acquisitions, IPC will be partnering with select merchant services companies by providing growth capital and sharing its proprietary technologies and techniques that have proven to increase account sales and merchant retention. The plan is designed to help keep talented owners and executives from the acquired companies onboard by partnering with them and sharing the future growth and profits of the company.

Over the last fifteen years, McMackin has been developing and implementing proprietary systems for managing merchant services businesses. IPC’s new acquisitions will benefit from innovative sales training, management and support tools designed to be easily integrated and scalable to fit any size business. These tools will facilitate growth while maintaining very low attrition rates.

Company Contact

Steven Lipp

International Payments Corporation


International Payments Corporation (IPC) is a national merchant services company that delivers secure, scalable and reliable payment processing solutions to small- and middle-market businesses, large corporations, governments, financial institutions and independent sales organizations. IPC processes electronic payments between buyers and sellers, utilizing virtually any payment device or form of electronic payment, including credit and debit cards, checks, and gift cards. IPC currently provides service in the United States with more than 20 partner/regional sales teams. For more information, visit

Female Online Buyers More Likely to Cut Back Spending - eMarketer

Women More Cautious About Spending

Female online buyers have become more likely than males to cut back on their spending because of economic pessimism. Almost one-half expect to spend less online.

BofA and JPMorgan Chase to Reduce Overdraft Fees (Wells Fargo too)

Kudos to JPMorgan who also announced it will end the practice of maximizing penalties by processing the largest purchase a customer makes first, draining accounts faster and creating the potential for multiple fees on smaller purchases.  

Update: Wells Fargo joins in Cutting Overdraft Fees - NYTimes

Banks' retreat on overdraft fees won't stave off legislation - MarketWatch

By Marshall Eckblad

NEW YORK (MarketWatch) -- The bank industry's signs of retreat on account fees may not satisfy Washington lawmakers, some of whom say they're pushing ahead with broad restrictions on fee policies at banks.

Bank of America Corp. (BAC) and JPMorgan Chase & Co. (JPM), the two largest U.S. banks by assets, said this week they are reducing overdraft fees. Some regional banks, including Toronto-Dominion Bank (TD), PNC Financial Services Group Inc. (PNC) and Fifth Third Bancorp (FITB), are also planning to change some of the ways they charge fees.

House Financial Services Committee Chairman Barney Frank (D-Mass.) said in an interview that he supports the moves by Bank of America and JPMorgan Chase. But Frank said he will still push forward with legislation requiring changes in overdraft policies at banks. The Federal Reserve is also considering strict curbs on overdraft fees that could be finalized later this year.

The policy change by the two giant banks "confirms that it's doable," Frank said. "No one else will be able to argue that it's too burdensome."

A spokeswoman from Senate Banking Committee Chairman Christopher Dodd's office (D-Conn.) said the senator is still moving forward with legislation.

Rolling back fees poses a high-stakes dilemma for banks.

The industry earned $39.5 billion from service charges on deposits last year, according to data from the Federal Deposit Insurance Corp. Fees for everything from ATM usage to balance transfers accounted for about 25% of the industry's total revenue, and are welcome as banks wrestle with losses from the nationwide housing depression and severe U.S. recession.

JPMorgan Chase "Bold"ly Goes Where No V/MC Issuer Has Gone Before...

On Wednesday, J.P. Morgan Chase & Co.'s Chase Card Services plans to formally launch four cards aimed at small-business owners, including a charge card that would require customers to pay in full every month. From Reuters:

NEW YORK, Sept 23 (Reuters) - JPMorgan Chase & Co (JPM.N), the second-largest U.S. bank, launched a charge card for small businesses on Wednesday, entering a market long dominated by American Express Co (AXP.N).

In addition, the bank launched three new credit cards for small businesses -- offering rewards, cash back and large credit limits. The new cards come at a time when small businesses have experienced great difficulty obtaining new credit.

Unlike credit cards, charge cards have to be paid in full at the end of every month, reducing the risk of defaults at a moment when credit card losses are at record highs in the United States.  The new charge card, called Ink Bold (is the TH silent?) is the first charge card from JPMorgan Chase or from any other Visa Inc (V.N) or MasterCard Inc (MA.N) issuer.

Visa and MasterCard Each Fined $2.6 Million by Hungary's GVH

BUDAPEST (Dow Jones)--Hungary's competition authority, the GVH, ruled that Visa (V.N), MasterCard (MA.N) and the country's top commercial banks formed an illegal bank card interchange-fee cartel, it said on Thursday and levied a combined 1.91-billion-forint ($10.42 million) fine on MasterCard (MA), Visa Inc. (V) and seven commercial banks for setting commission rates and thus limiting competition.

The agreement between the bank card companies and the commercial banks struck in 1996 led to a unified charge retailers paid on bank card use, the GVH said in a statement. "This commission rate is one of the most important factors of competition among the banks providing point-of-sale bank card terminals," the GVH added.

Visa and MasterCard were fined HUF477 million each, (about $2.6 million) and the banks are to pay a HUF954-million fine in total.

The seven banks fined are:

  • OTP Bank Nyrt. (OTP.BU), Hungary's biggest bank by market share

  • Budapest Bank Zrt., owned by GE Money Bank, part of General Electric (GE)

  • MKB Bank Zrt., majority owned by Germany's Bayerische Landesbank AG

  • CIB Bank Zrt., owned by Italy's Sanpaolo Intesa (IMI

  • Erste Bank Zrt., the local arm of Austria's Erste Bank AG (EBS.VI)

  • K&H Bank Zrt., part of Belgium's KBC Group NV (KBC.BT)

  • ING Bank Zrt., the local unit of Netherlands-based ING Bank NV.

"We concluded that the financial institutions under investigation, by creating a uniform interchange-fee structure, ... and by maintaining and supporting such a fee structure, inhibited competition," Toth said. "Therefore competition between the two card firms and the card-accepting banks was distorted and limited," Toth said.

The GVH imposed a total fine of HUF 968 m on seven banks as follows:

  • Budapest Bank, a unit of General Electric via GE Money Bank, HUF 188 m

  • OTP Bank, the country's largest lender, HUF 281 m

  • MKB Bank, majority owned by Germany's Bayerische Landesbank AG, HUF 84 m

  • CIB Bank, a unit of Italy's Intesa Sanpaolo, HUF 91 m

  • Erste Bank, HUF 107 m

  • K&H Bank, a subsidiary of Belgium's KBC, HUF 127 m

  • ING Bank, HUF 90 m

The competition authority distributed fines based on the interchange fees received by the banks between 2004 and 2007 and also their market share in 1996 and presently.

Authority's Web site:

The responsibilities of the Authority

The Hungarian Competition Authority (Gazdasági Versenyhivatal - GVH; its English name used in the early years of operation was Office of Economic Competition) was established by Act LXXXVI of 1990 on the prohibition of unfair market practices, and started its operation on 1 January 1991. The enactment of the prohibition of anticompetitive behaviour and the setting up of the authority was motivated by the will of protecting the freedom and fairness of competition.

The Competition Act currently in force is Act LVII of 1996 on the prohibition of unfair and restrictive market practices. The Act entered into force on 1 January 1997. Besides the provisions on competition, the Act determines the legal status of the Authority and regulates its basic structure and operation, as well as the procedures it conducts. With Hungary's accession to the European Union, the GVH became a member of the European Competition Network, which consists of the national competition authorities of the EU Member States and the DG Competition of the European Commission. Since then, the GVH has been required to apply EC competition law under certain conditions.

The task of the GVH in relation to the fairness and freedom of competition is to enforce the competition rules for the benefit of the public in a way that increases long-term consumer welfare and competitiveness at the same time. Furthermore, it promotes competition in general and, where no competition exists on the market, the GVH endeavours to create competition and promotes appropriate state regulation to be put in place.

The activities of the GVH in connection with the safeguarding of competition rest on the following three pillars: 1) competition supervision proceedings - the enforcement of the national and the Community competition law; 2) competition advocacy - the GVH tries to influence state decisions; 3) competition culture - the objective of the GVH is to contribute to the development of competition culture by the dissemination of knowledge about competition policy, in order to raise public awareness of competition issues, and by the promotion of the development of competition-related legal and economic activities of public interest.

Beyond the safeguarding of competition, the GVH fulfils other law enforcement tasks provided by other legal acts such as the Trade Act.
