Friday, October 23, 2009

Online Banking's Ticking Time Bomb...

A story published today in FierceFinance IT looks at the fact that the bad guys are focusing their efforts on online banking. Here's the article, along with some of my comments on why it's happening and how it can be prevented.

Bottom line.  Based on the fact that online banking customers are instructed to "key in" (type) their online banking credentials, the online banking industry is a ticking time bomb. 

The only explosive growth the online banking community will see (unless they provide genuinely secure authentication procedures) is that of the online banking Trojans...which are designed to completely drain accounts and completely destroy any trust associated with online banking.

October 23, 2009 — 8:53am ET | By Jim Kim

Cyber thieves have been targeting banks in more and more creative ways, usually involving retail customers, but the really big thefts are victimizing small government accounts. A customer of M&T Bank, a small bank with 650 branches in the mid-Atlantic region, was victimized recently to the tune of $479,000. The Cumberland County Redevelopment Authority Staff alerted the bank last month that it couldn't access its online banking site.

Apparently, the issue was a virus that allows for keystroke capture.

Let's "key" in on that for a moment, shall we?  The "Key Word" here being "keystroke capture."  Let me oversimplify this.  What procedure does online banking mandate for online banking customers to log in to their account?  Is it by "keying" (typing) in their username and password?  It is, isn't it?

Consumers type their username and their password (and more often now, in a lame attempt to add an additional layer of security, some banks require their customers to "key" in other information, such as a mother's maiden name, the make of their first car, etc.).

But the fact remains...if the online banking customer has a virus that allows for keystroke capture, then it doesn't matter if banks require their customers to "key in" (type) the answers to 100 questions, does it?  It will ALL BE CAPTURED.  Wouldn't it? Make sense?  It does, doesn't it? 

Back to the story...

"At the time of the incident, the customer was using a bank-issued ACH house token, which was designed to protect against unauthorized access, specifically from keystroke logging fraud attacks. Obviously, it didn't."

Which is why we created our SLIM.  It eliminates typing, and thus keystroke logging (and phishing), by enabling online banking customers to Swipe their Bank Issued Card and Enter their Bank Issued PIN to authenticate themselves.  We utilize "existing bank rails" to authenticate the user.  (If that process sounds familiar, it is because it's the same process used to access cash from an ATM.)  100% seamless transition.

The story continues...

The stolen funds were transferred to accounts set up by the hacker, using names of LLCs and individuals, at 11 domestic financial institutions. So far, more than $100,000 has been recovered.  

Editor's Note:  Guess what.  The SLIM would also "prevent" any stolen funds from being transferred "anywhere" ...until the online banking consumer demonstrated "intent" to "authorize" the transfer by "Swiping their Card" and "Entering their PIN" a second time!  Talk about doubly protecting the consumer.

To review: If somehow (for instance, a pre-existing infection from Zeus, Clampi or the urlZone banking Trojans) the bad guys were able to get into an online banking customer's account, they "WOULD NOT" (let me state that again) "WOULD NOT" be able to transfer funds "ANYWHERE"  (let me state that again) "ANYWHERE"...UNLESS THE BAD GUYS HAD THE CONSUMER'S BANK ISSUED CARD AND THEIR BANK ISSUED PIN.

Therefore, we eliminate keystroke logging, we eliminate phishing, and we eliminate the threat of unauthorized money transfers to money mules.  Sounds elegant and sounds like a great online banking promotion.  Get a free SLIM.  We'll even put your bank's logo on it.  Where can your bank get them? Email me:

The story continues:

In addition, the Washington Post reports that Bullitt County, Kentucky lost $415,000 to criminals using malicious code on the county treasurer's computer. The program diverted the funds via transfer to more than two dozen so-called "money mules." Editor's Note:  Did I mention that our log-in procedure is "Bullitt Proof"!  (Safer than ATM access because there is no threat of skimmers, hidden cameras or "card trapping.")


American Express Profit Down 21% Y2Y


American Express Thursday said its profits had fallen 22 per cent in the third quarter to $632 million dollars compared to the same period last year...a better result than analysts had expected...

NEW YORK, October 22, 2009 -- American Express Company (NYSE: AXP) today reported third-quarter income from continuing operations of $642 million, down 25 percent from $861 million a year ago. Diluted earnings per share from continuing operations were $0.54, down 27 percent from $0.74 a year ago.

The third quarter results included a $180 million ($113 million after-tax) non-recurring benefit associated with the company’s accounting for a net investment in consolidated foreign subsidiaries (discussed in more detail later). Excluding that benefit, adjusted diluted earnings per share from continuing operations were $0.44.

Net income totaled $640 million for the quarter, down 21 percent from $815 million a year ago. Diluted per-share net income of $0.53 was down 24 percent from $0.70 a year ago. Excluding the non-recurring benefit mentioned above, adjusted diluted per-share net income was $0.43.(2)

  • Consolidated revenues net of interest expense declined 16 percent to $6.0 billion, down from $7.2 billion a year ago.

  • Consolidated provisions for losses totaled $1.2 billion, down 13 percent from $1.4 billion a year ago.

  • Consolidated expenses totaled $3.9 billion, down 17 percent from $4.7 billion a year ago, reflecting in part the results of the company’s reengineering initiatives.

At the end of the quarter, the company’s tier-one risk based capital ratio was 9.7 percent. Its tier-one common risk based ratio was 9.7 percent, which compared favorably to the regulatory benchmark(3) of 4 percent.

The company's return on average equity (ROE) was 11.7 percent, down from 27.8 percent a year ago. Return on average common equity (ROCE), was 10.4 percent, down from 27.6 percent a year ago.

“Our results showed further progress in navigating through the most difficult economic environment in decades,” said Kenneth I. Chenault, chairman and chief executive officer.


    Visa Inc. Reschedules Fiscal Fourth Quarter and Full-Year 2009 Financial Results


    SAN FRANCISCO, Oct. 22 /PRNewswire-FirstCall/ -- Visa Inc. (NYSE: V) will report its fiscal fourth quarter and full-year 2009 financial results on Tuesday, October 27, 2009. The results will be included in a press release, with accompanying financial information, which will be released shortly after the close of the market. The results will also be posted on the Visa Investor Relations website.

    Visa's executive management team will then host a live audio webcast beginning at 5:00 p.m. Eastern Time (2:00 p.m. Pacific Time) to discuss the financial results and business highlights. This is a time change from what was previously announced by the Company.

    All interested parties are invited to listen to the live webcast at A replay of the webcast will be available on the Visa Investor Relations website for 30 days.

    About Visa: Visa operates the world's largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world and Visa/PLUS is one of the world's largest global ATM networks, offering cash access in local currency in more than 170 countries. For more information, visit

    Victoria Hyde-Dunn, Investor Relations
    Visa Inc.
    Tel: +1 415 932 2213

    Will Valentine, Media Relations
    Visa Inc.
    Tel: +1 415 932 2564

    SOURCE Visa Inc.

    $336 Million Credit Card Fee Settlement Approved by US Judge

    * Overcharges alleged on foreign currency transactions

    * Class-action lawsuit began eight years ago

    * "Astonishing" 10.1 million claims filed, judge says

    By Jonathan Stempel NEW YORK, Oct 22 (Reuters) - In a victory for credit cardholders who travel internationally, a U.S. federal judge gave final approval on Thursday to a $336 million settlement of a lawsuit accusing banks and credit card groups of conspiring to overcharge consumers on foreign currency transactions.

    The class-action settlement won preliminary approval in November 2006. It covered holders of U.S.-issued MasterCard or Visa credit cards or debit cards and Diners Club credit cards who made foreign transactions between 1996 and 2006 and also required card companies to improve their fee disclosures.

    Judge William Pauley of the U.S. District Court in Manhattan called the settlement of the eight-year-old lawsuit "fair and reasonable." Final approval was delayed while the details of the claims procedure were worked out.

    "An astonishing 10,075,834 claims were filed," Pauley wrote.

    Visa Inc (V.N) and MasterCard Inc (MA.N), which run the largest card networks, were among the defendants. Visa spokesman Will Valentine declined to comment. MasterCard and a lawyer for the cardholders did not immediately return requests for comment.

    Bank defendants in the case included Bank of America Corp (BAC.N), Citigroup Inc (C.N), HSBC Holdings (HSBA.L) (HBC.N) and JPMorgan Chase & Co (JPM.N).

    Credit card companies often assess fees of about 3 percent when they convert transactions made in non-U.S. currencies into dollars. Lawyers for the cardholders have said the actual cost of such conversions is about one-quarter of one percent.

    Pauley wrote that, while the cardholders believed that $1.1 billion of fees were at issue, there was a strong chance they could recover little or nothing had they gone to trial.

    He also said the improved disclosures make it easier to compare conversion fees.

    "This settlement includes significant changes in the practices by the major banks, which cannot be ignored," he wrote in his 44-page order.

    The accord comes as Congress considers whether card reforms slated to take effect in February should be implemented sooner. Many consumer groups have complained that the industry is jacking up rates and fees in advance of the changes.

    The case is In re Currency Conversion Fee Antitrust Litigation, U.S. District Court, Southern District of New York, No. MDL-1409. (Reporting by Jonathan Stempel; editing by Andre Grenon)
