Tuesday, December 1, 2009

2009 Banking Identity Safety Scorecard: Banks Achieve Milestones in Prevention and Debit Card Guarantees but Fall Short in Alert Offerings





Research and Markets



Javelin’s 2009 Banking Identity Safety Scorecard ranks banks and credit unions on their customer-facing identity fraud Prevention, Detection and Resolution™ capabilities. Leveraging the nation’s most comprehensive study on identity fraud, Javelin updates the Prevention, Detection and Resolution™ criteria each year to show specific ways that individual financial institutions (FIs) can increase customer safety and loyalty through enacting comprehensive security measures and by partnering with account holders to fight identity fraud. Javelin uses a combination of mystery-shopper calls (averaging 6.2 per institution) and extensive website research to score the leading 25 U.S. FIs by gross annual deposit volume against relevant Prevention, Detection, and Resolution™ criteria; collectively this study represents approximately 50% of the U.S. market in 2009 by dollar value of deposits, according to the FDIC.



Financial institutions made significant strides in prevention, jumping 27 percentage points from last year, and also slightly improved in detection and resolution capabilities. With six new banks entering the top ten in overall rankings this year and seven new banks leading the pack in prevention, smaller banks have raised the bar in prevention, the most weighted safety area of the identity safety scorecard.



Primary Questions



  • How can banks and credit unions benchmark their efforts to battle against a $48 billion U.S. identity fraud problem?

  • Which financial institutions rank highest against Javelin’s customer-facing Prevention, Detection and Resolution™ criteria?

  • What type of account protection capabilities should banks and credit unions implement to increase customer safety through Prevention, Detection and Resolution™?

  • Within the U.S. banking industry, where is banking safety the strongest and where is it most vulnerable?

  • Which customer safety features will most differentiate financial institutions in the future?

  • Which key recommendations should banks prioritize to ensure customer safety?



Methodology





This study measures FIs based on customer-involved ID fraud capabilities that were selected based on Javelin’s annual Identity Fraud Survey Report, other consumer surveys that assess consumer propensity to adopt particular safety features, and ongoing dialog with industry experts. This report used phone-based mystery shopper investigations, as well as Javelin’s review of websites from the 25 selected financial institutions chosen for inclusion in the survey. Javelin selected these methods to ensure accurate findings that address all facets of customer security. The data was collected during August, September and October 2009.



Using the mystery shopper approach, researchers called each bank or credit union’s customer service representative (CSR) in online banking, mobile banking, fraud prevention, and general customer service, requesting an experienced specialist. Researchers explained that they were consumers concerned about identity theft and had several specific questions about the FI’s identity theft prevention, detection, and resolution capabilities. In some cases, numerous customer service representatives were required to complete the survey, and whenever Javelin’s research specialists had reason to doubt the knowledge of a CSR the call was terminated and the process was repeated. The total quantity of required CSRs (on a per-FI basis) was recorded, along with the CSR’s name or employee number, when available, as well as the date and time of the call.



The required number of calls ranged from 4 to 7, with the average being just over six calls (6.2) to ensure reliable results. For an FI to receive credit for having a security feature the service must satisfy specific criteria; the service must be provided without a fee, except for selected criteria (credit reports and monitoring, partnerships with security vendors, and next-day replacement of debit card). In cases where a service is not provided to all of the FI’s customers, credit is given if the service is provided to the majority of the customer base with a personal banking relationship.

FIs were scored according to their Prevention, Detection and Resolution™ capabilities.



The prevention category was weighted more heavily than detection and, in turn, more heavily than resolution, due to the greater potential cost savings associated with stopping fraud before it happens.1 Future versions of this report will build upon this research incorporating new capabilities and technologies as they become available.



Prevention:



FIs had the potential of scoring 45 points for prevention-related features, earning points for the following criteria: anti-phishing e-mail policies online, the prohibition of the use of the full Social Security number via phone, Internet, or mail transactions, the option to turn off paper statements, partnering with security vendors, the existence of multi-factor online and telephone authentication, mutual online authentication process online, having an extended validation certificate online at the user homepage (EV SSL), mobile banking access, review and release of suspicious transactions via online and mobile channels, offering offline-only authentication for new accounts, mobile banking access without online banking sign-up, security education and tips for online and offline activities, vishing education, and offering user-defined limits (UDLAPS) on transaction size, card-not-present, and overseas transactions.



New scoring criteria for the 2009 prevention category included being able to enroll in mobile banking without online banking sign-up and providing a password manager (e.g., Trusteer or IDVault). Providing a password manager is a critical component for customer security because it prevents users from entering their login or password credentials at a fraudulent site.



Points were given for security information regarding online and offline activities that was readily accessible on the FI website. The preventative, educational tips must have been fairly easy to find and in a convenient place to keep consumers informed, thus keeping security top-of-mind. The same goes for partnering with security vendors – the link or information to do so must have been in a prominent location on the website.



Detection:



FIs surveyed had the potential of scoring 35 points for services that help customers detect identity theft and fraud. FIs earned points for offering the ability to order and pay for credit reports, credit monitoring services through the website, and for SMS and e-mail alerts. Account-related alerts included transaction size, online (CNP) purchases, overseas transactions, balance level alerts, online transfers, wire transfers, adding a new bill payments payee, new account setup, and statement notification. E-mail alerts that notify users of changes to their personal information included changes to PINs, login passwords, physical addresses, e-mail addresses, and phone numbers, as well as the addition or subtraction of registered users.



Both SMS and e-mail notifications protect the safety of accountholders and give consumers warning about potential fraudulent activity, thereby assisting financial institutions, issuers, and consumers in the fight to reduce costs by mitigating fraud.



With half of all fraud being discovered by the fraud victims themselves (51%)2 and the cost of fraud equalling $48 billion in losses,3 it is critical to empower consumers to self-detect and self-monitor their accounts. This year, credit monitoring services and the ability to order and/or pay for credit reports were separated into two different categories, allowing FIs to receive more points for credit detection. Javelin recommends that customers review their credit information regularly, ensuring that all the accounts listed are their own.4 The importance of credit monitoring and being able to access credit information prompted the separation and increased scoring opportunities by FIs in this area.



Resolution:



FIs had the potential to earn 20 points for identity theft resolution capabilities. FIs earned points for offering 24-hour, seven-day-a-week account suspension, providing immediate access to funds not compromised by an identity fraud attack, providing a dedicated resolution team (or outsourcing to ITAC), access to identity theft assistance online and over the phone, a 48-hour follow-up policy from CSRs, a zero-liability policy for funds lost to fraud by online banking, wire transfers, checks, and debit card transactions (by signature, PIN, or online), for next-day availability of stolen funds (provisional credit), and for providing a data breach resolution plan. No scoring criteria were modified or added this year.



Other Surveys Incorporated:



Consumer data from Javelin’s annual Identity Fraud Survey was also used in this report. The survey is conducted each year using computer-assisted telephone interviewing (CATI) via random-digit dialling (RDD). The total number of respondents was 4,784 in 2008; 5,075 in 2007; 5,006 in 2006; 5,003 in 2005; 5,004 in 2004; and 4,000 in 2003. The survey targeted respondents based on representative proportions of gender, age, and income compared to all U.S. adult consumers. For questions answered by all 4,784 respondents, the maximum margin of sampling error is +/- 1.4% at the 95% confidence level.



For questions answered by all 487 identity fraud victims, the maximum margin of sampling error is +/- 4.4% at the 95% confidence level. For questions answered by a proportion of all identity fraud victims, the maximum margin of sampling error varies and is greater than +/- 4.4% at the 95% confidence level. Additionally, data was taken from a report on data breaches published in 2008. The report collected data from an online survey of a random-sample panel of 441 data breach victims in May 2008. The overall margin of sampling error is ±4.67 percentage points at the 95% confidence level.



Data was also taken from a Javelin report on personal finance management published in June 2009. This report used data from a survey collected from executives with each of the seven online-banking platform vendors.



Additional information was solicited during interviews with executives from the vendors, banks and credit unions and web-based start-ups. To evaluate products, Javelin asked each vendor to answer nearly 125 questions that delved into the availability of specific features and functionality.



The report also included data collected online from a random-sample panel of 2,714 respondents in March 2008 from Javelin’s report on mobile banking security standards. The survey targeted respondents based on representative proportions of gender, age and income compared to the overall U.S. online population. Overall margin of sampling error is ±1.88 percentage points at the 95% confidence level.



Finally, data was taken from the 2008 Financial Alerts Forecast, which was based on data collected online from several different surveys:



  • A random-sample panel of 2,350 respondents in March 2008. The overall margin of sampling error is ±2.86 percentage points at the 95% confidence level.

  • A random-sample panel of 3,367 respondents from August 2008. The overall margin of sampling error is ±1.70 percentage points at the 95% confidence level.

The surveys targeted respondents based on representative proportions of gender, age and income compared to the overall U.S. online population. Secondary data from public sources such as the U.S. Census Bureau and the Bureau of Labour Statistics was incorporated into the forecast.




Ordering: Order Online - http://www.researchandmarkets.com/reports/1134411/










More on Radiant Systems Breach and Analysis from Gartner





Last week I blogged about seven restaurants filing a lawsuit against Radiant Systems after the recent breach. (Radiant Systems Sued Over Data Breach - Million$ $ought)



Here's some more on the subject:  The overview below is from Wired and the analysis is from Avivah Litan, distinguished analyst at Gartner...

"Seven restaurants have sued the maker of a bank card-processing system for failing to secure the product from a Romanian hacker who breached their systems.



The restaurants, located in Louisiana and Mississippi, have filed a class-action suit against Georgia-based Radiant Systems for producing a point-of-sale (POS) system that they say was not compliant with payment card industry security standards and resulted in an undetermined number of customers having their debit and credit card numbers stolen.



The suit alleges that the system stored all of the data embedded on the bank card magnetic stripe after the transaction was completed — a violation of industry security standards that made the systems a high-risk target for hackers. Also named in the suit is Computer World, a Louisiana-based retailer, which sold and maintained Radiant’s Aloha POS system."
Continue Reading at Wired



Meanwhile,  Gartner has published an analysis of the Radiant Systems/ComputerWorld breach and ramifications thereof:



Lawsuit Highlights the Hidden Risks of PCI 'Compliance'

A lawsuit serves as a reminder that card-accepting businesses can be held liable for Payment Card Industry security compliance failures, even when they have been told their vendors or service providers are fully compliant.




News Analysis

Event

On 23 November 2009, a law firm representing seven restaurants in Louisiana and Mississippi announced that it has filed a class-action lawsuit against Radiant Systems, an Alpharetta, Georgia-based maker of point-of-sale (POS) systems, and Computer World Inc., a Scott, Louisiana-based POS system distributor. The suit alleges that Radiant Systems and Computer World sold the restaurants Aloha POS systems that were incorrectly described as compliant with Payment Card Industry (PCI) related security standards, despite having been informed by Visa that they were not. The suit further alleges that these systems and related poor business practices contributed to major data security breaches that resulted in multiple cases of identity theft and some of the restaurants being fined by credit-card issuers or required to submit to forensic audits.

Analysis

Gartner is not a law firm, and makes no judgment as to the merits of this or any other lawsuit. However, these allegations — whether or not they are ultimately upheld in court — point to serious, long-standing problems with the PCI compliance process. Card brands such as Visa and MasterCard typically send alerts about noncompliant products or services to their member banks, not to card-accepting businesses and other direct purchasers of these technologies. For this reason, it is unfair for the card brands and processing companies to penalize end users who are unaware of problems with the technology. POS system purchasers — particularly small businesses — cannot be expected to be experts in the credit card processing certification process, especially when they don’t necessarily have access to the communications surrounding the process.

Merchants are ultimately responsible for validating vendors' and service providers' claims, but the card brands should implement proactive awareness programs when they know that vulnerable payment technologies are in active use. They should also provide standard contract language that card-accepting businesses can insert into contracts with vendors or service providers to ensure that their products or services are compliant with PCI-DSS or PA-DSS, and that forces the vendors or service providers to assume liability for breaches resulting from deficiencies in their hardware, software or processes.

Recommendations

Card-accepting businesses:

Card brands:

  • Communicate alerts directly and proactively to card-accepting companies, and issue guidance to these companies on how to manage contracts and liability issues with technology and service suppliers.

Recommended Reading

"Where Does End-to-End Encryption for PCI End?" — U.S. payment processors are introducing proprietary end-to-end encryption services to their retailer customers in an attempt to strengthen security for card data in transit. By Avivah Litan



"Using Tokenization to Reduce PCI Compliance Requirements"
— “Tokenization” of cardholder data can be used to reduce the scope of PCI compliance audits, but the available products and services are still limited and immature. By Avivah Litan and John Pescatore



(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)

Veritec to Offer Consumers Secure Prepaid Debit Cards Issued from Kiosks



This Program Provides Secure Prepaid Cards to Consumers in Retail and Other Locations



GOLDEN VALLEY, Minn.--(BUSINESS WIRE)--Veritec, Inc. (OTCBB: VRTC.OB), a developer of mobile banking debit card solutions and a pioneer and developer of proprietary two-dimensional matrix technology, today announced that its subsidiary, Veritec Financial Systems, Inc. (“VTFS”), entered into a memorandum of agreement with Cities in Touch (“CIT”) of Hot Springs, Arkansas to integrate VTFS’ mobile banking software platform with CIT’s ATM and debit card issuing kiosk systems.



VTFS markets and sells prepaid card programs and provides back-end prepaid card processing services on behalf of Security First Bank to card sponsoring organizations. VTFS markets its prepaid card programs under its MTC and Blinx On-Off brands. In addition to serving as an ATM machine, CIT’s kiosk systems enable consumers to securely cash checks, pay bills, transfer money and obtain pay day loans. By integrating VTFS’ and CIT’s respective systems, consumers will benefit by being issued secure reloadable debit cards that may be used at most ATM machines and when making retail purchases. VTFS’ debit cards are more secure than cash in that consumers will be able to turn their debit cards “on” and “off” with their mobile phones.



“Veritec is very pleased to enter into this agreement with Cities in Touch,” said Van Tran, Executive Chair of Veritec. “CIT provides convenient as well as special and important services to members of our community, and Veritec is able to help these consumers by providing a reloadable and highly secure financial product that is a better and safer alternative to cash.”



“Veritec’s prepaid card products and services will enable CIT to be in a position to offer new and exciting products and services to its customers,” said Randy Dodd, President of CIT. “It has also provided CIT with a service that helps us reduce the need for keeping a significant amount of cash in our kiosks and this helps make CIT’s operations and the kiosk owners’ operations more secure.”



The parties expect to conclude the terms of a definitive agreement during the month of December, 2009.



About Veritec, Inc., VTFS and Security First Bank



Veritec, Inc. is a pioneer and developer of proprietary two-dimensional matrix technology. The company’s portfolio of products includes its proprietary VeriCode® and VSCode® 2D matrix symbology solutions, BioID - VSCode® multi-purpose card solutions, and suite of products known as PhoneCodes™ for delivering electronic tickets, coupons and gift cards to mobile devices (www.veritecinc.com). Veritec Financial Systems, Inc. is a wholly owned subsidiary of Veritec, Inc. VTFS develops and licenses mobile banking debit, gift and prepaid card solutions and serves as a third party processor to banks for debit card transactions on the company’s mobile banking platform (www.vtfs.com). Security First Bank of Fresno, California is a California commercial bank authorized to engage in the commercial banking business. Deposits are insured by the FDIC up to the applicable limits of the law (www.securityfirstfresno.com).



About Cities in Touch



Established in 1996, Cities in Touch is a Hot Springs, Arkansas company. CIT’s goal is to furnish a state of the art kiosk which houses an ATM and provides bill payment, wire transfers, check cashing, payday advance, prepaid phone, wireless PIN, wireless recharge, prepaid debit cards and advertising, all in one unit that can be installed in a user friendly atmosphere, offering all of these services through the technology of a touch screen monitor. CIT’s ability to provide information through public access terminals offers resources for people everywhere, anytime. We customize ads, logos, animations and graphics. CIT is, in effect, a partner with the merchant for the full term of an agreement and therefore has a financial interest in the success of every Kiosk/ATM terminal. Our software has been designed in-house and allows us to write plug-ins to adapt to most environments. We pride ourselves in being a total turn-key company with the ability to build our own enclosures and provide the hardware, software and other peripherals that can take a project from start to finish (www.citiesintouch.com).




ATM, Debit & Prepaid Forum Sessions Available for Purchase

17th Annual ATM, Debit & Prepaid Forum



Rewind ATM, Debit & Prepaid Forum 2009





“The topics this year were very diverse and covered many relevant topics. I didn’t want to miss any sessions.”

Jill Weber, ATM Network Manager, Citizens Bank



On October 18-20, 2009, more than 650 payment industry players gathered in Las Vegas for the 17th Annual ATM, Debit & Prepaid Forum. We are sorry that you were not able to attend this year.  Based on feedback from conference attendees, the quality of information presented by speakers, the level of detail, the industry expertise, the depth and breadth of information was unparalleled!




Here’s your chance to access twenty-two sessions* from the 17th Annual ATM, Debit & Prepaid Forum in webcast format. The webcasts of 22 conference sessions are available for purchase for only $99.











Click here for a preview of the session webcast:

KEYNOTE ADDRESS:

Creating a Framework for Payments Innovation




Dominic Venturo, Chief Innovation Officer

Retail Payment Solutions,
U.S. Bank





These webcasts provide you with audio, and the accompanying session slides, plus the interactive Q&A at the end of the sessions.





*Only sessions with speaker authorization are available for purchase. Individual sessions are not available for purchase. All 22 sessions are sold as one webcast package for $99.

Cardinal Commerce Hires New Executive



MENTOR, Ohio, Dec. 1, 2009 (GLOBE NEWSWIRE) - CardinalCommerce, the worldwide leading enabler of payment brands, today announced the hiring of Charles R. Vojtas, an IT veteran with front line retail eCommerce and mobile Commerce experience. Vojtas will serve as CardinalCommerce's Vice President of Design and Development.



Charles Vojtas brings over 13 years of Information Technology experience and expertise and has held key positions including Manager of Corporate Development and Director, Development at Footlocker.com/Eastbay. His hands-on experience within the eCommerce retail world in design and development, quality control, mobile commerce implementations and overall eCommerce strategy have allowed him to successfully establish a proven track record of success in the direct to consumer marketplace.



Mr. Vojtas will be responsible for managing the ongoing development of Cardinal's product suite including: Cardinal Centinel(R), the worldwide leading technology which enables over 25 eCommerce payment brands through one integration; Cardinal MAX, the mobile platform allowing merchants to expand into mobile commerce, banking, marketing, and payments; and 2IDENTIFI, authentication solutions for financial institutions.



All Cardinal platforms have experienced significant growth in 2009.



"The experience and knowledge that Mr. Vojtas brings to his role is timely with the current and expected growth all of our products and services," said Michael A. Keresman, III, Chief Executive Officer, CardinalCommerce. "We welcome Mr. Vojtas on board and look to strengthen all of our offerings as a result."



Charles Vojtas stated: "First, I'm truly grateful to have worked for a company like footlocker.com/Eastbay.



"I learned Customers demand security, payment options, and portability. Now, at Cardinal, I recognize the tremendous growth potential for our eCommerce and mobile commerce platforms with CardinalCommerce solutions delivering on all three, providing easily integrated tools to answer these demands. I am particularly excited about the opportunity I will have to engage companies directly, partnering with them to integrate these solutions, and seeing the benefit it will bring to their platforms and to their Customers."



About CardinalCommerce




CardinalCommerce Corporation is the global leader in enabling authenticated payments, secure transactions, and alternative payment brands for both eCommerce and mobile commerce.



Cardinal Centinel(R)* enables payment brands such as Verified by Visa, MasterCard(R) SecureCode, Amazon Payments, Bill Me Later(R), ClickandBuy(R), Cred-Ex(R), Ebates, eBillme, eLayaway, Google Checkout, Green Dot(R) MoneyPak(R), JCB J/Secure, Mazooma, Moneta(R), MyECheck, NACHA(R) Secure Vault Payments (SVP), OneTouch Online Purchasing, paysafecard, PayPal, RevolutionCard, SafetyPay, TeleCheck(R), Ukash, and more to a network of thousands of merchants and merchant service providers.



Our mobile commerce platform, Cardinal MAX, makes it simple for retailers to sell and market products through the mobile channel. Cardinal's proprietary and easily deployable technology provides consumers, merchants, credit/debit card issuers, and processors the ability to conduct authenticated Internet, wireless and mobile transactions safely and securely. Our bank authentication platform, 2IDENTIFI, offers authentication solutions for financial institutions and processors.



Headquartered in Cleveland, Ohio, with facilities in the United States, Europe, and Africa, Cardinal services a worldwide Customer base. For more information, visit www.cardinalcommerce.com




Tiger Woods Car Accident Exploited by Hackers



Cybercriminals plant poisoned webpages which install malicious Trojan horse

Here's the Warning from Sophos:



IT security and data protection firm Sophos is warning computer users keen to read the latest developments in the story about the Tiger Woods car accident that they may be walking straight into a trap set by hackers.



Sophos discovered that hackers were not slow to take advantage of the breaking news story, and by early Saturday morning had created webpages which claimed to contain video footage related to the incident, but that were really designed to spread dangerous malware.



By using content related to the top golfer's mysterious car accident and his alleged relationship with New York party girl Rachel Uchitel, the cybercriminals have made their attack timely and ensured that it will feature high up in search engine results, increasing the chances of unsuspecting victims visiting the site.



"The Tiger Woods story has been one of the top news stories around the world this weekend, and search engine statistics show that many people have been hunting for developments via the web. Hackers don't waste any time jumping on the coat-tails of a hot news story like this, in their attempt to infect as many computer users as possible," said Graham Cluley, senior technology consultant at Sophos. "Foolhardy internet users who believe they are about to watch video footage related to Tiger Woods's current troubles may find the website is trying to surreptitiously install a Trojan horse onto their computer, handing control over to cybercriminals."



Sophos notes that if computer users do visit the poisoned webpages, a malicious Trojan horse known as Troj/Proxy-JN can be installed on their computers, allowing hackers to relay spam via the victim's PC without their knowledge.



"This is a threat both for home users and companies. Many people may return from the weekend and use their office PCs to find out the latest news this morning - only to have their computers silently infected," continued Cluley.





More information about this threat, including images of an infected webpage, is available on Graham Cluley's blog



Leading Keynote Speakers Highlight MRC’s 2010 e-Commerce Payments and Risk Conference







Bill Kurtis, Wayne Best and Bob Carr to Address Global Electronic Commerce Leaders



(Seattle, WA—December 1, 2009) The Merchant Risk Council (MRC) is excited to announce the Keynote Speakers for the MRC’s 2010 Annual e-Commerce Payments and Risk Conference at the Wynn Las Vegas Resort on March 16-18, 2010.



Wayne Best, economist from Visa, Inc. will deliver the opening keynote address, while Bob Carr, founder and CEO of Heartland Payment Systems and Bill Kurtis, investigative reporter and television personality, provide the conference’s closing keynote speeches.



“We are thrilled to have Wayne, Bob and Bill join us in Las Vegas for our annual conference,” said Tom Donlea, MRC Executive Director. “These speakers, as well as the other scheduled conference presenters, will give our attendees a panoramic view of the issues that most affect e-Commerce security and profitability.”



The 2010 Annual Conference and MRC Platinum Meeting will include more than 50 speakers and panelists, 40 unique sessions, and more than 45 payment and risk industry exhibitors – all delivering unique and valuable insight and information on the growth, diversity and risks associated with global online payment trends and strategies, managing and reducing chargebacks, identifying global cyber threats, and utilizing the newest fraud prevention tools.



“The electronic commerce industry is becoming increasingly diverse,” said MRC Board Chairman, Tom Sullivan, Sr. Director, Global Payments & Risk, Expedia, Inc. “There are so many new players providing products and services that are fundamentally changing how the world communicates and does business.” Sullivan adds, “The MRC conference has evolved into the premier annual event, where a wide variety of e-Commerce and multi-channel merchants share payments, security and fraud best practices.”



Over the past decade, the MRC has evolved from a select group of merchants, networking about online fraud prevention, into the world’s foremost organization dedicated to educating the industry on issues relating to e-Commerce risk and payments. The 2010 Annual Conference unites the world’s top internet and multi-channel merchants, credit card brands, electronic payment processors and providers, risk management providers, law enforcement agencies and various consultants and educators in discussing how to make shopping on the internet easier, safer and more efficient for all involved.



Those scheduled to participate in the 2010 Annual e-Commerce Payments and Risk Exhibit Hall include: Accertify, American Express, Bill Me Later, Chase Paymentech, ClearCommerce, CyberSource, Digital River, Discover, Ethoca, Experian, 41st Parameter, GlobalCollect, iovation, JCB, Kount, LexisNexis, Litle & Co., Quova, Retail Decisions, RSA, Trustwave, Verifi and Vindicia.



For registration or exhibition information for this conference, or to receive MRC membership information, please visit the MRC’s website at www.merchantriskcouncil.org.



About the Merchant Risk Council



The Merchant Risk Council (MRC) is a merchant-led trade association focused on electronic commerce risk and payments globally. The MRC leads industry networking, education, benchmarking and advocacy programs to make electronic commerce more efficient, safe and profitable.



Today, with the power of its member-base, the MRC is the leading trade association for managing payments, preventing online fraud and promoting secure e-Commerce. The MRC is dedicated to working with e-Commerce and multi-channel merchants, payment processors, credit card issuers, credit card companies, alternative payment providers, risk management experts, and law enforcement to make the Internet a safer and more profitable place to conduct business.



The MRC Board of Directors and Advisors includes: Accertify, Apple, Chase Paymentech, CyberSource Corporation, Dell Inc., Discover, Expedia Inc., Gap Inc. Direct, GlobalCollect, Linden Lab, Microsoft, Neiman Marcus Direct, PayPal, Trustwave, Visa Inc. and Wal-Mart.



The MRC is headquartered in Seattle, Washington.



CLICK HERE for Information and Registration for the MRC's 2010 Annual e-Commerce Payments and Risk Conference

March 16-18, 2010 at Wynn Las Vegas




# # #





Fiserv Believes Visa Cardholders are a Vertical Market



Fiserv, Inc. now offers the new vertical-format Visa card - an innovative design option that displays all card information vertically rather than horizontally. According to Fiserv, this "breakthrough look" supposedly captures cardholder interest and provides a new way to showcase an issuer's logo. Newer, but not new. (see Garanti's version below right)



Fiserv Takes an Innovative Turn on Visa Cards

New vertical format captures cardholder attention




Brookfield, Wis., December 1, 2009 - Fiserv, Inc. (NASDAQ: FISV), the leading global provider of financial services technology solutions, now offers the new vertical-format Visa(R) card - an innovative design option that displays all card information vertically rather than horizontally. This breakthrough look captures cardholder interest and provides a new way to showcase an issuer's logo.



"Fiserv is continually innovating to deliver product and service enhancements that help clients differentiate their card offerings and grow transaction volumes," said Jorge Diaz, division president, Output Solutions, Fiserv. "Our clients are looking for creative ideas that stimulate card activation rates. Vertical cards have visual uniqueness to attract cardholders and encourage increased usage."



The vertical cards are one of several innovations from Fiserv. Others include:

  • The Card Collection(TM) is an exclusive offering of 78 card designs that reflect a broad range of lifestyle themes, money motifs and regional images. Pay-as-you-go ordering eliminates inventory carrying expense and risk of obsolescence.

  • MyCardCreation(SM) makes it simple and affordable for cardholders to create cards with their own pictures on them.

  • Contactless Cards can speed up checkout and maximize convenience by enabling a cardholder to simply hold the card near a terminal or tap the terminal instead of swiping the card.

"The key to increasing transaction revenue is giving cardholders the kinds of cards they'll reach to use over and over," said Diaz. "Fiserv continues to add equipment, processes and technology to provide innovative solutions - like the exciting new vertical cards - to please cardholders and help our clients achieve their card program goals."



Output Solutions from Fiserv is a leading provider of business-critical communications to the financial services, healthcare, telecommunications, investment services and retail markets. Fiserv offers the industry's most complete and secure card-production services, including design, production, embossing, personalization and encoding capabilities. Reinforcing the company's core competency in payments, Output Solutions was ranked first in the last three Madison Advisors Print Industry Best Practices Studies, when measuring the business practices associated with the manufacturing and delivery of personalized documents such as statements, transaction confirmation and checks for print/mail and electronic delivery.



About Fiserv

Fiserv, Inc. (NASDAQ: FISV) is the leading global provider of information management and electronic commerce systems for the financial services industry, driving innovation that transforms experiences for financial institutions and their customers. Ranked No. 1 on the FinTech 100 survey of top technology partners to the financial services industry, Fiserv celebrates its 25th year in 2009. For more information, visit www.fiserv.com.








Chase Bank phish

Today the top phishing scam that we are seeing in the UAB Spam Data Mine is attacking Chase Bank customers. It's part of the old Avalanche phishing scheme that has lately been seen primarily spreading Zbot trojans.



(Update: Scroll to bottom - Chase spam now replaced with "Ally Bank" spam)



The attack starts with an email similar to this one:







The attack actually began late on November 28th, when we saw 1,030 copies of the phishing email with these website names used:






The attack continued throughout the 29th (the UAB Spam Data Mine saw 11,320 copies on the 29th), adding many more website addresses:






The attack is still spamming like crazy this morning (we had 3,000+ copies as of 8 AM), but there have been no new domain names added, yet . . .
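The hostnames in this campaign put the bank's own hostname in the leftmost labels of a domain registered under an unrelated suffix. The following added example (not part of the original post) flags that pattern; the embedded suffix set, the watch list and the sample hostnames are assumptions constructed for illustration.

```python
# Added example (not from the original post): flag hostnames that carry a
# protected brand domain in their subdomain labels but are registered elsewhere.

# Assumption: a small embedded suffix set; production code should load the
# full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org.uk", "me.uk",
                   "im", "co.im", "com.im", "net.im", "org.im"}
PROTECTED = {"chase.com"}  # assumed watch list of brand domains


def registrable_domain(host):
    """Return public suffix plus one label, or None if it cannot be determined."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i else None
    return None


def embedded_brand(host):
    """Return the brand domain imitated in the subdomain labels, else None."""
    reg = registrable_domain(host)
    if reg is None or reg in PROTECTED:
        return None  # unknown suffix, or genuinely under the brand's own domain
    sub = host.lower().rstrip(".")[: -len(reg)].rstrip(".")
    for brand in sorted(PROTECTED):
        # Compare whole labels so "purchase.com" never matches "chase.com".
        if f".{brand}." in f".{sub}.":
            return brand
    return None


# Constructed sample hostnames (reserved example names, not indicators).
SAMPLE_HOSTS = [
    "chaseonline.chase.com.example.co.uk",   # brand labels, foreign registrant
    "chaseonline.chase.com.example.org.im",
    "chaseonline.chase.com",                 # genuinely under chase.com
    "purchase.com.example.me.uk",            # partial-label lookalike only
    "www.example.co.uk",
]


def flag_hosts(hosts):
    """Map each suspicious host to (imitated brand, actual registrable domain)."""
    return {h: (embedded_brand(h), registrable_domain(h))
            for h in hosts if embedded_brand(h)}


if __name__ == "__main__":
    for host, (brand, reg) in flag_hosts(SAMPLE_HOSTS).items():
        print(f"{host}: shows {brand}, registered under {reg}")
```

Reporting the registrable domain alongside the imitated brand gives the value to block or report to the registrar, since the leading labels are chosen by whoever controls that domain.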



The website is a series of progressively more complicated questions which the phisher uses not just to steal your money, but to gain deep insight into your identity. Here is the series of questions:



















For some reason today the phisher has decided that if he uses thousands of unique subject lines we're not going to realize it's all the same phish.



We've counted 666 possible subject lines so far (coincidence?) with a large number of possible variants to these. For each of the below, there are also variants of the subject line which have:



message id: RND

message ref: RND



where the RND is a random number. The message ID or message ref can be enclosed in square brackets [], angle brackets <>, or parentheses ().



There is also a variant of each followed by "- Ref No. RND", as well as a version ending in a period and a version ending in an exclamation point.
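Because every variant is a fixed base subject plus one of these decorations, stripping the decorations collapses thousands of unique subjects back to a handful of keys. This is an added example, not code from the original post; the base subject wording and sample lines are constructed, and accepting brackets around either the whole token or only the number is an assumption.

```python
import re
from collections import Counter

# Added example (not from the original post). Optional opening/closing bracket:
# [], <> or (). Whether brackets wrap the whole token or only the number is an
# assumption, so both placements are accepted.
OPEN, CLOSE = r"[\[<(]?", r"[\]>)]?"
MSG_TOKEN = re.compile(
    rf"{OPEN}\s*message\s+(?:id|ref)\s*:\s*{OPEN}\s*\d+\s*{CLOSE}\s*{CLOSE}", re.I)
REF_SUFFIX = re.compile(r"\s*-\s*Ref\s+No\.\s*\d+", re.I)


def canonical_subject(subject):
    """Strip the randomised decorations and return a stable clustering key."""
    s = MSG_TOKEN.sub(" ", subject)          # "message id: RND" / "message ref: RND"
    s = REF_SUFFIX.sub(" ", s)               # "- Ref No. RND"
    s = re.sub(r"\s+", " ", s).strip()       # collapse leftover whitespace
    return s.rstrip(".! ").lower()           # trailing period / exclamation point


def cluster(subjects):
    """Count how many raw subject lines fall under each canonical key."""
    return Counter(canonical_subject(s) for s in subjects)


# Constructed sample subjects; the base wording is hypothetical.
SAMPLE_SUBJECTS = [
    "Important account notice",
    "Important account notice.",
    "Important account notice!",
    "Important account notice [message id: 48213]",
    "Important account notice <message ref: 7731>",
    "Important account notice (message id: 90)!",
    "Important account notice - Ref No. 55120",
    "Important account notice message ref: [1002].",
    "Your statement is ready",               # unrelated mail, must stay separate
]

if __name__ == "__main__":
    for key, count in cluster(SAMPLE_SUBJECTS).most_common():
        print(f"{count:3d}  {key}")
```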





An email sample:









Followed by the webpage series:












