Wednesday, October 7, 2009

Malware Economy is Thriving

Last week I did a post entitled:  Game Over: Hackers Win! 

Dennis Fisher, of a security blog by Kaspersky Labs, says it ain't over 'til it's over!

He also says the bad guys are doing great and the good guys aren't...(sounds over to me)


TORONTO -- The legitimate economy may be in rough shape right now, but the same cannot be said for the underground economy. Malware authors and botmasters are thriving, experts say, with some online criminals charging as much as $3,500 for their attack toolkits.

But don't be intimidated by the high price point. That's a premium product. More basic exploit kits can be had for as little as $100. But even at that price, the attackers are doing just fine, thank you.

"The bad guys are doing really great," said Roy Firestein of Digital Defence, speaking in a session on modern crimeware toolkits at the SecTor 2009 conference here. "How are the good guys doing? Not so good."


More On the E-Mail Hijackings

Internet security experts are warning millions of email users not to get caught with their pants down and to change their passwords immediately.

Following an apparently effective scam that harvested thousands of Hotmail login identifications and posted them online, Microsoft and other email providers are telling account holders to be safe and to change their login information as soon as possible.

Password information for Hotmail (Microsoft), Gmail (Google), Yahoo, America Online (AOL), Earthlink and Comcast accounts was also posted in the online listing, which was taken down shortly after it appeared but was certainly up long enough for those with criminal intent to copy the information.

Microsoft, Google and Yahoo said they are working with customers to recover any hijacked accounts.


Google Doodle Bar Code

What's up with the Google Doodle today? It's the Bar Code Logo because today is the 57th anniversary of the Invention of the Bar Code...

In other news, Google is offering advice on "strong passwords". (The Password is: Oxymoron!) Here's a snippet from Information Week:

Passwords remain the primary means of online authentication, despite their shortcomings. (Editor's Note: Read that again!)

By Thomas Claburn InformationWeek

October 7, 2009 03:14 PM

It's National Cybersecurity Awareness Month and Google would like to remind you to choose strong passwords for your online services. Coincidentally, several thousand users of Windows Live Hotmail, along with some users of Gmail and Yahoo Mail, are in need of new passwords.

SANS Internet Storm Center handler Adrien de Beaupré is advising users of Hotmail, Gmail, and Yahoo Mail to change their passwords following the exposure of several thousand Hotmail credentials on a Web site over the weekend. According to Microsoft, the exposure was likely the result of a phishing scam. And reports indicate that some Gmail and Yahoo Mail account information was also revealed.

Anyone who may have entered account information in a phishing site should pick a different password right away.


Zeus Online Banking Trojan Webinar Infected with...Zeus!

According to a story from Brian Krebs, a company produced a webinar on Zeus, the Trojan that steals online banking passwords, and was then targeted by the Zeus keepers:

"On Sept. 1, security industry start-up Silver Tail Systems held an in-depth online seminar for its bank and e-commerce clients that examined the stealth and sophistication of Zeus, a data-stealing Trojan horse program that organized thieves have used in a string of lucrative cyber heists this year.

A week later, Silver Tail learned that Zeus had infiltrated its own network defenses.

Silver Tail founder Laura Mather said she believes her company was targeted by criminals wielding Zeus specifically because of the recent webinar, which spotlighted the myriad ways in which Zeus can defeat online banking security measures. Still, she said the incident shows this family of malware can be a threat to any business - even security companies.

Continue Reading at Brian Krebs Security Fix

The Zeus-themed webinar that Silver Tail believes prompted this attack is long, but well worth a watch for anyone involved in defending networks. The ThreatExpert blog also recently published an excellent (yet far more technical) deep-dive on Zeus."


Operation Phish Fry

According to KTLA: Operation Phish Fry (shouldn't it be Phry?) "netted" a bunch of Egyptian Phishermen. 

"Dozens of people are under arrest in Southern California, Nevada, North Carolina and Egypt in a major crackdown against identity theft.

The FBI has launched "Operation Phish Fry" to bust an identity theft ring that has victimized thousands of people.

Laura Eimiller, an FBI spokeswoman in Los Angeles, says about 100 arrests are expected - many of them in the Los Angeles area. Eimiller says the suspects are accused of running a "phishing" scheme that used computer intrusion and fraud to obtain personal information that allowed them to withdraw money from bank accounts.

"Phishing" scams often involve fake e-mails that direct victims to a bogus Web site where they are asked to update personal information, such as passwords and account numbers.

The LA Times Blog is reporting that 100 have already been arrested and 53 have already been indicted. 

The federal indictment, which is due to be unsealed today, names 53 indicted suspects as well as 47 non-indicted co-conspirators from Egypt, said Laura Eimiller, the FBI spokeswoman.


Aussies Fall Victim To Retail EFT-POS Skim-Scam

Skimmers are usually placed on ATMs, but now it looks like they are moving to point-of-sale terminals. Kind of makes a case for purchasing online from a device you can trust, like your very own HomeATM SLIM!

A GLOBAL crime gang has struck in Perth with a new card skimming fraud phenomenon that fleeces bank accounts from point-of-sale EFTPOS machines.

Fraudsters have stolen hundreds of thousands of dollars from thousands of Perth cardholders in an EFTPOS scam.

Police say they have received "substantial information" regarding machines being used to "skim" credit and debit cards of details - including PIN numbers - throughout the metropolitan area. WA Police today issued a state-wide alert after receiving dozens of complaints reporting missing money after transactions from EFTPOS machines at shops, including fast food outlets, since Monday.

They have revealed few details of the devices or investigation - citing "operational sensitivities" - but say the devices have compromised EFTPOS point-of-sale machines.  Until now, police have only been aware of automatic teller machines skimming scams, whereby criminals obtain bank account and PIN details after fitting secret card-reading devices to ATMs and hidden mobile phone cameras to record bank customers entering their secret PIN number.

Retailers have been asked to contact police if they suspect their EFTPOS machines have been tampered with. People are being advised to check their bank statements to ensure all withdrawals are legitimate and to contact police if they have concerns.

A Perth woman says she has lost $3,500 from her bank account...


Fiserv to Deliver E-bills to Financial Institution Websites for Progress Energy Florida

Fiserv announced today that Progress Energy is extending the use of eBill Distribution to the electric utility's Florida region. The agreement with Progress Energy is an expansion of the existing relationship between Fiserv and the Fortune 500 energy company which serves customers in the Carolinas and Florida. Fiserv already provides eBill Distribution to Progress Energy customers in the Carolinas, as well as walk-in bill payment services in all three states. Now, Progress Energy customers in the Carolinas and Florida can receive their Progress Energy bill at any of the more than 3,000 financial institution websites in the Fiserv network.

Here's their Press Release:

Fiserv to Deliver E-bills to Financial Institution Websites for Progress Energy Florida

- Expansion of e-bill delivery channel allows company to meet more customers online for bill viewing and payment -

Brookfield, Wis., October 7, 2009 -PIN Payments News Blog- Fiserv, Inc. (NASDAQ: FISV), the leading global provider of financial services technology solutions, today announced that Progress Energy is extending the use of eBill Distribution to the electric utility's Florida region. The agreement with Progress Energy is an expansion of the existing relationship between Fiserv and the Fortune 500 energy company which serves customers in the Carolinas and Florida. Fiserv already provides eBill Distribution to Progress Energy customers in the Carolinas, as well as walk-in bill payment services in all three states. Now, Progress Energy customers in the Carolinas and Florida can receive their Progress Energy bill at any of the more than 3,000 financial institution websites in the Fiserv network. According to financial industry analyst firm Javelin Strategy & Research, banks and credit unions represent the fastest-growing channel for viewing and paying bills online, making eBill Distribution a natural complement to offering paperless options at

eBill Distribution from Fiserv enables companies like Progress Energy to offer paperless electronic bills, commonly known as e-bills. E-bills replicate the same information as the traditional paper bill, but are securely delivered to a financial institution or billing company Website instead of a physical mailbox. Customers who receive e-bills can schedule a specific date on which their bill will be paid and take advantage of features such as email reminders.

By eliminating the mailed statement, consumers can take a small, simple step toward the reduction of paper use, thereby preserving the environment. According to a 2009 Fiserv-sponsored study conducted by The Marketing Workshop and Harris Interactive, 58 percent of consumers cite the protection of the environment as a key reason to receive e-bills and turn off the corresponding paper bill.

According to the same study, 41 percent of current online banking users indicated plans to pay more bills online at their financial institution's Web site in the coming months. Progress Energy's commitment to paperless billing can allow the company to capitalize on this trend and provide customers additional billing options. As a testament to this commitment, Progress Energy Carolinas recently collaborated with Fiserv to educate consumers to turn off their paper bills and begin receiving e-bills through their financial institution. This campaign resulted in a 206 percent e-bill adoption rate increase, and encouraged Progress Energy to extend the bank channel e-bill delivery option to its Florida customers.

"Progress Energy is at the forefront of meeting its customers at their point of preference when it comes to viewing and paying bills, and Fiserv is proud to be a partner," said Jardon Bouska, president, Biller Solutions, Fiserv. "Whether it is educating consumers about the benefits of e-bills and serving them through the bank channel or providing access to convenient retail and agent locations for walk-in based payments, we will continue to help Progress Energy leverage billing and payment touch points and ensure positive customer interactions."

Since 2000, Fiserv and Progress Energy together have delivered valuable billing and payment options for Progress Energy customers. In addition to powering Progress Energy's electronic billing and payment channels, Fiserv makes available to all Progress Energy customers the ability to pay bills in-person at more than 16,000 retail agent sites, such as convenience stores, grocery stores, drug stores, and retail shipping and postal stores.

Fiserv offers a robust portfolio for optimizing bill pay touch points to maximize profitability, including electronic and paper bill production and distribution, on-demand and recurring bill payment (via agent, web, IVR and walk-in channels) as well as e-lockbox and remittance processing.

About Fiserv

Fiserv, Inc. (NASDAQ: FISV) is the world leader in information management and e-commerce systems for the financial services industry, driving innovation that transforms banking for financial institutions and their customers. Ranked No. 1 on the FinTech 100 survey of top technology partners to the financial services industry, Fiserv celebrates its 25th year in 2009. More on Fiserv at, and examples of award-winning innovation are listed at

# # #

New Report Out on Bank Overdraft Fees

This report from the folks at Responsible Lending claims that banks have basically engaged in abusive practices in order to maximize overdraft fee revenue.

It also explains why some banks have recently decided to cut back on the amounts they charge for overdraft fees.


Viewer Warning:  If you are a banker, some of the recommendations contained in this report may be disturbing! 

To think that they actually have the temerity to call it Overdraft Protection is amusing.

Responsible Lending Report on Bank Overdraft Fees


Online Banking Fraud in the UK Hits a New High

There is a disturbing trend going on. The hackers steal our usernames and passwords, and banks respond by telling us to "type" more information into a box on their online banking website. I don't get it. There's a website in the U.K. designed to help people fight the fight against online banking fraud called:

Here's what they have to say. 

The three essential steps to protect your computer are:

  • Use anti-virus software and keep it up-to-date on a regular basis.

  • Install and learn how to use a personal firewall.

  • Download the latest security updates (or patches) for your web browser and operating system.

Oh really? As I mentioned yesterday, a report by Trusteer says that Zeus, an online banking Trojan which steals your online banking credentials, bypasses up-to-date anti-virus software 77% of the time. So if you want to feel 23% protected, by all means listen to their advice. Firewalls are like locked windows. Hackers just break the glass to get in. The latest security updates are nothing more than an admission that browsers are not safe. Why would you need weekly "security" updates if the browser was secure in the first place?

There's only one way to authenticate an online banking customer.  Think ATM.  Think dispersal of cash in real time.  Why is that system trusted by banks?  Because the security behind the authentication works.  Why not 100% replicate that process for online banking log-in?  Exactly...why not?

Here's more on the 55% growth in online banking fraud during the first 6 months of the year.  Prediction.  When the report comes out on the growth of online banking for the second 6 months, it will be bigger than the first 6 months. Mark my words...or at least these three words:  Zeus, Clampi, urlZone.

Jeremy Kirk, IDG News Service

Wednesday, October 07, 2009 7:40 AM PDT

Online banking fraud in the U.K. has risen to the highest level in at least three years, according to industry figures released Wednesday.

Online banking fraud increased 55 percent to £39 million (US$62.4 million) in the first six months of the year compared to the same period a year ago, said Financial Fraud Action U.K. (FFA), formerly known as APACS. FFA collects data reported by U.K. financial institutions.

FFA attributed the rise to sophisticated malicious software programs that infect vulnerable consumer computers. FFA also counted 26,000 phishing sites, which are fraudulent Web sites designed to trick people into divulging their log-ins and passwords.

The rise in banking fraud comes as U.K. banks have taken more rigorous measures to combat online fraud. While U.S. banks often only require a log-in and password to get access to online banking, U.K. banks often have several more steps.

Editor's Note:  More steps are futile.  I've got a business associate that says banks understand the security risks, but I disagree and what follows is proof that they just don't get it!  Here's an exercise in futility by NatWest:

For example, NatWest -- owned by the Royal Bank of Scotland Group -- requires customers to "type" (enter) their birth date plus "type" (enter) a unique four digit code. During the second step, a person is prompted to "type" (enter) some digits of a separate four-digit PIN (Personal Identification Number), which is not the same as the person's ATM card. Then, the Web site asks the user to "type" (enter) "another password", but only specific parts of it, such as the second, fourth and seventh letter. NatWest asks for a different combination every time. If you fail to log in successfully, the account can't be accessed online.

Nonetheless, most bank security measures are defeatable if a person falls victim to a phishing scam and sends a fraudster their authentication credentials. Editor's Note: When consumers type, the information they type is fair game to the hackers. It doesn't matter if you instruct the consumer to type the 4th letter of every 5th word in War and Peace or every 7th letter of every 14th word in Genesis. Typing is the problem.


SPVA Announces New President

Former Technology Executive to Lead Secure POS Vendor Alliance

New president Steven Hughes provides more than a decade of experience to rapidly-growing global payment security organization

ATLANTA – October 7, 2009 – The Secure POS Vendor Alliance (SPVA), a non-profit business organization founded by Hypercom (NYSE: HYC), Ingenico S.A. (EURONEXT: ING) and VeriFone (NYSE: PAY) is pleased to announce that it has named Steven Hughes, formerly executive director for the Oracle Applications Users Group (OAUG), as its president. In his new role, Hughes will focus on strategic direction, membership development and act as liaison among the three founding board members. Hughes leads a newly-installed team of SPVA staff who will service SPVA’s growing membership base.

“Steven brings valuable skills and a track record of success in global membership expansion and retention,” said Christophe Dolique, SPVA Chairman and EVP, Global Marketing & Transaction Services at Ingenico. “At this stage of SPVA’s development, I could not think of a better individual to manage our efforts to focus the card payments industry on compliance.”

The SPVA launched in April 2009 to foster widespread compliance of existing security standards to protect cardholder information and defend merchants and acquirers against security breach. Its aim is to simplify compliance efforts, diminish the chaos and confusion often associated with standardization and reduce costs for all stakeholders. Hughes was selected by the SPVA board due to his success in growing the OAUG into one of the largest independent user groups in the world, among other accomplishments.

“I look forward to growing the SPVA into the premier organization for facilitating a common understanding and acceptance of various security requirements and standards,” said Steven Hughes, SPVA president. “With the strong leadership team already in place, I am confident this objective can be attained.”

SPVA has experienced rapid growth since its launch at the ETA show in Las Vegas with prominent industry leaders joining, including Atos Worldline, Heartland Payment Systems, Moneris Solutions, Radiant Systems, Inc. and Witham Laboratories. Membership is open to all vendors that develop secure POS payment systems or have products or solutions that interact with secure POS payment devices such as retailers, acquirers and banks.

To learn more about the SPVA, visit


About Secure POS Vendor Alliance

The Secure POS Vendor Alliance (SPVA) is a non-profit organization that works with the multiple stakeholders of the payment value chain. Its aim is to develop an end-to-end security framework and to enhance security elements of payment solutions which protect cardholder information and defend merchants and acquirers against security breaches, while helping reduce fraud and lowering risk for all electronic payment stakeholders.

About Hypercom

Global payment technology leader Hypercom Corporation delivers a full suite of high security, end-to-end electronic payment products and services. The Company's solutions address the high security electronic transaction needs of banks and other financial institutions, processors, large scale retailers, smaller merchants, quick service restaurants, and users in the transportation, petroleum, healthcare, prepaid, unattended and many other markets. Hypercom solutions enable businesses in more than 100 countries to securely expand their revenues and profits. Hypercom is a founding member of the Secure POS Vendor Alliance (SPVA) and is the second largest provider of electronic payment solutions and services in Western Europe and third largest provider globally.

About Ingenico

Ingenico is the world’s leading provider of payment solutions, with over 15 million terminals deployed in more than 125 countries. Its 2,500 employees worldwide support retailers, banks and service providers to optimize and secure their electronic payments solutions, develop their offer of services and increase their point of sales revenue. Ingenico generated pro-forma revenue of €780M in 2008.

About VeriFone Holdings, Inc.

VeriFone Holdings, Inc. (“VeriFone”), a global leader in secure electronic payment technologies, provides expertise, solutions and services for today with a migration strategy for tomorrow. VeriFone delivers solutions that add value to the point of sale, resulting in improved merchant retention and the generation of new sources of revenue for its partners and customers. VeriFone solutions are specifically designed to meet the needs of vertical markets including financial, retail, petroleum, government and healthcare.
