Wednesday, December 9, 2009

SPVA Looking for Two Board Members

Election Day

After a successful whirlwind trip to CARTES, we’re settling in but still just as busy on the home front. The SPVA continues to build momentum as new members come onboard, our technical working groups prepare to release their first whitepapers, and…drumroll…it’s time for us to elect two candidates to the SPVA board of directors.

For some quick background, the SPVA board is comprised of five directors. Three seats belong to the founding members (VeriFone, Ingenico and Hypercom), and the other two are open to a representative of our general members and a representative of our associate members.

So who will it be? We have to keep you in suspense until January 6, when the results of the election are made public. Right now, the call for candidates is out, and we’re anticipating strong nominees to emerge over the course of the next few weeks.

I’ll also take this opportunity to mention again that it’s never too late to join SPVA. Take a look at some of the benefits, and if you act quickly, you may be able to run for a 2010 board seat. And if you’re already a member and wondering what else you can do to help (besides voting, of course), I’d ask that you help us spread the word about SPVA. The larger our membership base, the stronger we’ll be.

Our plates are full in 2010, so have your say in our strategic direction, policy formation, administration and all matters regarding SPVA’s work scope and mission.

Don’t forget. Only our members are eligible to run for the board and cast a ballot. And as always, please feel free to contact me if you have any questions.

Good luck to all the candidates…


Top Internet Threats for 2010 - Online Banks Beware

CA Report: Fake Security Software, Search Engines and Social Networks 2009's Top Internet Threats

CA "State of the Internet 2009" Report Analyzes Top Internet Threats; Researchers Predict Online Threats for 2010

ISLANDIA, N.Y., Dec. 9 /PRNewswire-FirstCall/ -- The latest State of the Internet 2009 report issued today by CA, Inc. (Nasdaq: CA) states that the most notable 2009 online threats were rogue/fake security software, major search engines, social networks and Web 2.0 threats. The report, based on data compiled by CA's Global Security Advisor researchers, compiles trends from the first half of 2009. CA security researchers also offer predictions for the top Internet threats for 2010, including an increase in "malvertising" and the potential for another big computer worm outbreak like Conficker.

"Cybercriminals have made a business out of conducting attacks on the most popular online destinations because they promise the highest payoff," said Don DeBolt, director of threat research for CA's Internet Security Business Unit. "Cybercriminals keep up with trends, major events, holidays, and the like, and focus on where they'll get the biggest returns. Search engines, like Google and Yahoo, or social networking sites, like Twitter or Facebook, have the mass appeal to attract these criminals. In addition to Internet security software, the best weapon against today's threats is education, so that consumers know what to look for when they are conducting activities online."

CA researchers tracked the following trends in 2009:

  • Rogue or Fake Security Software: Software that poses as legitimate Internet security software but is actually malware has experienced a significant surge in popularity. In the first half of 2009, CA added detection for 1,186 new variants of Rogue security software, which is a 40% increase compared to the last half of 2008.

  • Search Index Poisoning: Google is a frequent target of online threats. Attackers employ sophisticated search engine optimizations to manipulate search engine rankings and poison users' search results, which direct them to compromised Web sites that can cause malware infections.

  • Social Networks/Web 2.0: Popular online communities, blogs and social media sites, such as YouTube, MySpace, Facebook and Twitter, are highly targeted. Financially motivated organized groups are among the aggressive attackers, creating hundreds of bogus profiles to perform various tasks, including distributing malware, spamming and stealing users' online identities to perpetrate further cybercrime. Win32/Koobface is an example of a worm propagating through social networking sites. It uses the affected user's login credentials to send messages to the user's list of connected friends and family. In 2009, CA ISBU discovered more than 100 components and mutated strains belonging to the Win32/Koobface family.

  • Identity Theft: Attacks targeting online credentials allowed attackers to distribute further cybercriminal activities, such as email address harvesting for Spam bots, sweeping FTP accounts for web infection and attributing to social network worm propagation, like Win32/Koobface. Stealing Trojans accounted for 23% of the most prevalent malware infections in 2009.

  • Cybersquatting and typosquatting: Malicious Web sites that masquerade as legitimate, reputable sites deceive users into undertaking transactions or activities in which they divulge sensitive data.

  • Mac OS X Threats: Security threats have come to the Mac. In 2009, CA ISBU added 15 intelligent signatures detecting Mac OS X threats, the most prevalent being OSX/Jahlav.

"Malware doubled in 2009 and the ability to purchase bots and other malicious programs online is becoming more prevalent," DeBolt continued. "It is a cat and mouse game. Cybercriminals are evolving along with the malware community and are constantly looking for new vulnerabilities to exploit, from online banking to search index poisoning."  While spam and phishing scams are still on the rise, the breakdown for how malware was distributed in 2009 was dominated by the Internet at 78 percent, followed by email (via attachments or phishing) at 17 percent, and finally removable media (such as USB drives, digital photo frames, etc.) with 5 percent.

CA forward looking online security predictions for 2010:

  1. Search engine optimization exploits and malicious advertising (Malvertising) will increase as a means to distribute Malware.

  2. Another big computer worm like Conficker is likely. The increasing popularity of web-based applications and discovery of critical zero-day vulnerabilities, especially for new operating systems such as Windows 7 and Google Chrome, present good opportunities for a new worm outbreak.

  3. Threats to Web 2.0 technologies such as social networks will continue to grow.

  4. Denial-of-Service attacks will increase in popularity as a means to make a political statement. Popular websites like Twitter and Facebook are likely to fall victim once again.

  5. Banking Trojans: These Trojans manifest as banking-related threats orchestrated to steal users' identities for financial gain.

  6. Malware actors will focus on the 64 bit and Apple platform.

About the CA 2009 State of the Internet Security Report

The CA 2009 State of Internet Security report is intended to inform consumers and businesses of the newest and most dangerous Internet threats, forecast trends and provide practical advice for protection. The analysis provided is based on incident information from the CA Global Security Advisor team, submitted by CA customers and consumers from January to June 2009, as well as publicly available information. For the full CA 2009 State of Internet Security report, please visit

The CA Global Security Advisor Team delivers the around-the-clock, dependable security expertise, offering trusted security advice to the world for more than 16 years. Providing a complete threat management resource, CA's Security Advisor Team is staffed by industry-leading researchers and skilled support professionals. CA Global Security Advisor is available at It offers free security alerts, RSS feeds, PC scans and a regular blog updated by the worldwide team of researchers. CA's entire portfolio of threat-related products for home, small and medium businesses, and enterprises are updated and protected by the CA Global Security Advisor team.


CA Internet Security Business Unit (ISBU) is a unit of CA, Inc. dedicated to the development, marketing and support for CA anti-malware products. The products include a full range of enterprise, SMB and home / home office Internet security software. The products are backed by CA's Security Advisor research team and have received major industry certifications. CA ISBU products are also offered by more than 10,000 resellers and OEM partners including leading Internet Service Providers (ISPs) and Independent Software Vendors (ISVs). The products are currently licensed for use on more than 70 million PCs worldwide. For more information, please visit


About CA

CA (Nasdaq: CA), the world's leading independent IT management software company, helps customers optimize IT for better business results. CA's Enterprise IT Management solutions for mainframe and distributed computing enable Lean IT -- empowering organizations to more effectively govern, manage and secure their IT operations. For more information, visit



Copyright © 2009 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. CA does not provide legal advice. Neither this document nor any software product referenced herein shall serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, executive order, etc. (collectively, "Laws")) referenced herein. The reader should consult with competent legal counsel regarding any such Laws. Nothing in this material shall be deemed a warranty, express or implied. This material is not intended to give legal, tax, accounting or other professional advice. If such advice or other expert assistance is required, the services of a competent professional person should be sought.

Press Contact
Jessica Cassady
CA, Inc.
(202) 513-6306


Acculynk Announces Jelly Belly as Newest PaySecure Merchant


Famed Candy Company Provides Online Shoppers the Security of (Alternative/Software) PIN Debit with PaySecure

Editor's Note:  I say alternative/hybrid PIN Debit because a genuine PIN Debit transaction, by Visa/MC rules, REQUIRES that the card be swiped in order to capture the PVV and PVKI located on the magnetic stripe.  Therefore, by definition, there is no such thing as "software" PIN Debit; it is simply an alternative to genuine secure PIN Debit.  (See: Updated: Acculynk: Where's the PIN Offset and PVV)

ATLANTA--(PIN Payments News Blog)--Just in time for the holidays, Acculynk announced today that Jelly Belly Candy Company, maker of gourmet jelly beans, candy corn and 100 other sweets since 1898, now offers PaySecure™. Shoppers can get great deals on last-minute gifts and stocking stuffers at Jelly Belly while enjoying the security and convenience of using their debit card with PaySecure.

“We see a good amount of debit volume come through our website, but until PaySecure, we never knew of a payment method that would give consumers the option to enter their PIN to authenticate their online debit card transaction,” said Jason Marrone, Ecommerce Marketing Manager at Jelly Belly. “With PaySecure, our shoppers now have a choice of how they pay with their debit card, and we know from experience that greater payment choice drives additional online sales.”

PaySecure brings the familiarity and convenience of (alternative) PIN debit to the Internet with a software-only service that requires no consumer redirection, enrollment or new passwords. If a consumer’s debit card can be used with a PIN and is in Acculynk’s network of participating issuers, the patented, graphical PaySecure (pop-up) PIN-pad appears right over the merchant checkout for the secure option of PIN entry using the consumer’s mouse. (Editor's Note: If you have JavaScript enabled)

“Current usage is demonstrating that 1 out of every 2 consumers are choosing to enter their PIN with PaySecure when presented the option,” said Ashish Bahl, CEO of Acculynk. “Consumers are telling us that they are excited about the choice to use (software/hybrid) PIN debit with PaySecure, that they like the security we provide and that the payment experience is familiar and convenient.”

The Jelly Belly partnership helps Acculynk meet growing consumer requests for merchants in specific verticals. “The addition of such a well-known candy brand like Jelly Belly helps us cater to consumers looking for a variety of unique gifts for holidays and special occasions,” said Bahl.

Jelly Belly joins Acculynk’s growing list of online merchants, which includes, Ace Hardware Outlet, AirTran, J.J. Buckley and ShoppersChoice. The company has announced partnerships with 6 EFT networks to date. In November, EFT network ACCEL/Exchange announced its commercial roll-out of PaySecure, enabling the Internet PIN debit payment method across its eligible base of issuers.

About Jelly Belly

The family owned candy manufacturer has been in operation since 1898 and is currently run by the fourth, fifth and sixth generations of the candy empire. Known for decades for making Candy Corn, the company came into worldwide prominence with the creation of Jelly Belly® jelly beans after Ronald Reagan was seen eating them on the presidential campaign trail in 1980.  The company currently makes 99 flavors of Jelly Belly beans, the largest selection on the market, plus 100 other gourmet candies including jells, gummies, chocolate-covered treats, and seasonal sweets for the major holidays. Headquartered in Fairfield, Calif., the company's gourmet confectionery delights are sold throughout the US and in over 50 international markets. For more information, visit

About Acculynk

Acculynk is a leading technology provider with a suite of software-only services that secure online transactions. Backed by a powerful encryption and authentication framework protected by a family of issued and pending patents, Acculynk’s services provide greater security, reliability, convenience and return on investment for consumers, merchants, networks, issuers and acquirers. For more information, visit



Danielle Duclos, 678-894-7013

Director of Marketing


Last Day to Register for Alternative Payments 101 - TDG PHENX


Last Day to Register!

To celebrate our new on-demand learning service, all registrants for Alternative Payments 101 will receive
FREE 30 day on-demand access to the webinar,
valid until January 12, 2010!

Why Alternative Payments?

You are a merchant seeking to reach a customer that you don't have access to today: the under-banked

You are a financial institution seeking incremental payments revenue securely through a trusted online banking portal

You want to understand why PayPal has 150 million customers and how it could affect your business or FI

You want to see what former AOL'er Steve Case is up to with Revolution Money

Maybe you want a career in alternative payments...


December 10 2009
Alternative Payments 101

This two-hour session gives participants an introduction to the world of alternative payments (it's no longer about credit or debit anymore, folks...)

We will examine some established and emerging players in the alternative payments space, review current metrics on alternative payments, discuss market predictions and examine the various risks and opportunities these alternative payments pose to the financial institution and payments processor.

This session will even demonstrate some of these payments in action, including:
  • Bill Me Later

  • PayPal

  • Tempo / DebitMan

  • eBillMe

  • Google Checkout

  • NACHA's Secure Vault Payments

  • Green Dot Financial

  • Western Union

  • Amazon Payments

Who should attend?

  • Senior management

  • Product managers

  • e-Commerce management

  • Financial institution executives

  • Operations management

  • Card processing professionals

1:30 - 3:30PM Eastern

$159 per line

How does it work?

Register online shop -- we accept all cards and PayPal.

One day prior to the session, you will receive an email with a webinar hyperlink, dial-in instructions and information on how to download the presentation the day of the webinar. 

If you are planning on having multiple locations dialing in and participating, you will need to register them separately -- a webinar link is valid for one workstation and one dial-in access.
Any questions, don't hesitate to email us at or tweet us @tdgphenix or call at 615-373-5486

Keystroke Logging Eliminated by HomeATM

In an article written for Compare and Save they talk about Keystroke Logging, the practice whereby a hacker uses malware to monitor their victim's computers in real time and records each keystroke. 

Comes in handy for as long as we keep on typing our supposedly "sensitive" information into boxes at websites.  For instance, type in your credit card number and the keystroke logger has it.  Type in your expiration date...ditto.  Type in your 3 digit CVV and voilà, you hand it to the hackers. 

They have their fingers in everything and we use ours to literally provide it for them on a silver platter. 

So, why are we typing when that's the problem?  I've said it before and I'll say it again.  If someone is going to "swipe" your credit card/debit card numbers should you be the one doing the swiping? 

They also talk about site spoofing (cloned websites).  Again, HomeATM protects the consumer (and the merchant) from site spoofing because they wouldn't be "typing" anything into a cloned website's box.  The bad guys would get 3DES DUKPT encrypted gobbledygook.  They want to see the numbers...not what they would get if we started swiping our own card details.  It's only a matter of time...before everyone realizes how very simple this idea is.  In fact, it's so simple, we moved away from writing our numbers into boxes on a piece of paper at a retail store to swiping our card in a credit card terminal in 1978.  So why did we go back in time for the web?  I love the idea that HomeATM has the only PCI 2.x certified PIN Pad designed for eCommerce use in the world.  In time, so will everyone else!  In the meantime, watch what happens this Christmas season.  The hackers have waited all year for this.  For them, it's the most wonderful time of the year.

Here's the short article from Compare and Save....

'Keystroke logging' targets credit card customers

08 December 2009 12:27:23

Swipe Don't Type and Keystroke Logging is Stopped Dead in its Tracks as there's nothing to Log

Advanced computer hacking techniques used for credit card fraud have been exposed by a new report.

Tech website said that sophisticated financial fraudsters are attempting to capture customers' personal data ahead of the busy Christmas online shopping period.

'Keystroke logging', where a hacker can use malware to monitor their victims' computers in real time, was identified as a common gateway for fraud.

Card criminals are also setting up convincing-looking transaction screens which duplicate the look of well-known shopping websites in order to extract account numbers and passwords from users.

This technique is known as 'site spoofing'.

Figures from IMRG and Capgemini suggest that yesterday (December 7th) was the biggest online shopping day of the year so far. According to the report, sales during the busiest hour for transactions (13:00 to 14:00) were 21% higher than the equivalent hour in 2008.



Almost Half of US Banks Leave Customers Unprotected

From Finextra: 

US banks failing to protect online customer interaction - Javelin

Nearly half of large US banks are leaving themselves unprotected against hijacking of online customer data, according to Javelin Strategy & Research.

Javelin analyzed the home and log-in page security at the top 24 US financial institutions, for SSL/TLS or EV-SSL encryption, which it says are critical for guarding against compromise by insertion of incorrect links or information. 

Editor's Note:  Technically, SSL is lame and EV-SSL can be compromised, but not using it is essentially the same as allowing hackers an inside view to authentication credentials.  This is NOT acceptable.  It's time to two factor authenticate without the typing.  It's time to require online banking log-in by swiping the existing card and entering the existing PIN using existing bank rails.  Banks trust it to disperse cash in non face-to-face authentication at an ATM.  HomeATM replicates that process.  Swipe Card, Enter PIN.

The research shows that 46% of the firms have an opportunity to more fully protect "contact us", "help", or other interaction pages against criminal hijacking.

Furthermore, one in five sites uses easy-to-guess authentication information such as date-of-birth, e-mail addresses, and ZIP codes while just one in four requires users to choose a new password longer than six digits.

Continue Reading at Finextra
