Showing posts with label Credit Card Security. Show all posts

Tuesday, August 12, 2014

Video Footage: ATM Skimming!

Be on the lookout for these four tricks and traps

A Handy Way to Foil ATM Skimmer Scams - Thieves continue to place hidden cameras at ATMs to surreptitiously record customers entering their PINs. The previously reported way to avoid becoming a victim, shielding the keypad with your free hand while you enter the PIN, still works against these hidden cameras.

Thursday, April 10, 2014

Why You Need a Security Strategy and How to Develop One

Some questions we need to address before we embark on an Information Security improvement journey.

Since Edward Snowden's leaks to the press, we now know that there has been systematic, broad and deep surveillance of online activity at a scale that could not previously have been imagined. Beyond simple snooping, the revelations pointed to infiltration of the hardware and software we rely on to secure our communications.

When it comes to policies and strategies, it's hard to go past the tried and tested methods. The best way to make a start is with a SWOT analysis: Strengths, Weaknesses, Opportunities and Threats.

Strengths
Look within your organisation. There are bound to be some really good things happening when it comes to Information Security. For example, you might have a very well-educated workforce that never opens unexpected attachments. Or your IT team is very conscious of the potential threats to your business and has solid systems and processes in place to deal with them.

Weaknesses
Over the last 15 years, the focus of security in enterprises has been on vulnerability tracking and making sure that your systems are protected from external attacks. While that’s still important, it should only be one facet of your total security strategy. Have you considered what happens once someone gets past your firewalls and other blocking mechanisms? Or if the attack starts from within?

Give some consideration in your strategy to dealing with attacks once they are in action. Are your people ready to react once there is a breach? Are they across the latest threats and attack vectors?

Perhaps the most often seen security weakness (in our observation) is that managing compliance with the security policy is seen as an annual project that’s executed in order to keep auditors happy.

If that’s the case in your business, look for ways to alter that culture.

Opportunities
Aside from using security as a way to get lots of shiny new gear into your server racks or to justify new services, getting your Information Security right can be a great chance to re-engage IT with the business. Look for ways to turn the security conversation into an opportunity to change service delivery. It’s also a great way to further the professional development of your staff.

If you have some strong skills in data analytics in the business, you might find you can give them a new challenge by engaging them in threat intelligence.

Employing red/blue team exercises regularly doesn’t just improve your security response but can be a great way to add some excitement to how you manage security.

Review existing systems and processes to find the security issues. You might find it becomes an opportunity to ditch an old legacy system that’s costing lots of time and resources to maintain.

Threats
Over the last year, it's become apparent that the threats of the last decade are really just background noise today. Sure, we need to keep our firewalls locked down and endpoint protection up to date, but what can you do when your hardware is compromised or a nation-state can break through your encryption?

These are real threats today. Stuxnet, discovered in 2010, sabotaged the centrifuges at Iran's Natanz uranium enrichment facility by compromising the industrial control systems that drove them. It is widely believed to have been an attack by one government against another. Today, Snowden's documents tell us that the NSA can intercept a massive array of data, and not just from enemies but from within friendly states.

  • So, when was the last time you reviewed your security policy?
  • Does it take into account new security mitigation techniques?
  • Have you adjusted the skills in your business to manage changing attack methods?
  • Is security a once-a-year audit activity?

Sunday, December 8, 2013

PCI DSS 3.0 – What's New?

Infographic - Summary of the Changes from PCI DSS 2.0 to 3.0

Last month, the PCI Security Standards Council (PCI SSC) officially released the PCI DSS v3.0 compliance standards, but much remains to be done before merchants, service providers and auditors will understand how the new mandates will impact organizations.

Version 3.0 takes effect on January 1, 2014, but organisations already assessed against PCI DSS 2.0 may continue to validate against 2.0 until December 31, 2014, so they must move to the new standard by January 1, 2015. A handful of the new requirements remain best practices until June 30, 2015, after which they become mandatory.

Here’s what has changed:


Sunday, February 3, 2013

New PCI Guidelines for E-Commerce


A new set of card data security guidelines for merchants and payments providers aims to address increasing risks unique to e-commerce environments. On Jan. 31, the Payment Card Industry Security Standards Council issued its PCI DSS E-commerce Guidelines Information Supplement, a set of guidelines for e-commerce security.

The guidelines relate to online infrastructures and how merchants work with third-party providers. Developed by the PCI E-commerce Security Special Interest Group, the 39-page resource includes recommendations about topics ranging from online risks associated with payments gateways to often-overlooked security gaps Web-hosting providers can inadvertently create.

Securing the Payments Chain

The guidance offers a checklist of security recommendations and reminders, such as:
  • Know where cardholder data is located within the merchant's infrastructure and those of the processors and vendors to which they outsource.
  • Regularly test software and applications to detect whether card data or other sensitive information is being stored unintentionally (for example in logs, crash dumps or debug output).
  • Evaluate the risks associated with e-commerce technology.
  • Review the network and database risks posed by outsourcing functions, such as payments processing and Web hosting, to third parties.
  • Use PCI-approved scanning vendors (ASVs) to validate, on a regular basis, that Internet-facing environments comply with the PCI Data Security Standard.
  • Define best practices for online payment application security.
  • Implement security training for internal staff.
  • Establish best practices for consumer awareness.
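
The second item on that checklist, finding card data that has leaked into places it was never meant to be, is the one most merchants can act on immediately. The script below is an added example (it is not part of the PCI guidance and not a vendor tool): it scans text for 13-19 digit runs, keeps only those that pass the Luhn mod-10 check that every branded card number satisfies, and reports them masked to first six / last four. The log lines are constructed for the example.

```python
import re

# 13-19 digits, optionally with a single space or dash between digits, not
# preceded or followed by another digit (so an 8-digit date or a 20-digit
# reference number is not carved into a "card number").
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: weeds out most order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report PANs masked to first six / last four, which PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Return [(line_no, masked_pan), ...] for every Luhn-valid candidate in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((line_no, mask(digits)))
    return hits


# Constructed sample application log for this example (not from a real system).
# Line 1 holds a 13-digit order id, line 4 a 16-digit reference; neither is a
# card number, and both fail Luhn. Lines 2 and 3 hold well-known test PANs.
SAMPLE_LOG = """\
2012-09-22 10:15:01 INFO  order=1234567890123 status=ok
2012-09-22 10:15:02 DEBUG auth request pan=4111111111111111 exp=1214
2012-09-22 10:15:03 DEBUG raw track data: 5500 0000 0000 0004
2012-09-22 10:15:04 INFO  ref=1234567890123456 amount=12.50
"""

if __name__ == "__main__":
    for line_no, pan in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {pan}")
```

Run it over application logs, database dumps and crash files on a schedule; a hit on a server that is supposedly outside the cardholder data environment means the scope diagram is wrong. Luhn filtering removes roughly 90 percent of random digit runs, so the remaining hits are worth a human look rather than being treated as proof.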
Evaluating Third Parties

The guidance reviews how merchants can work with third parties to address those risks and provides a checklist for easy-to-fix vulnerabilities related to: 
  • Online injection flaws;
  • Cross-site scripting, or XSS;
  • Online cross-site request forgery, or CSRF;
  • Buffer or temporary data storage overflows, which result when programs or processes attempt to store more data than they were designed to hold;
  • Weak authentication and/or session credentials; and
  • Application and software misconfigurations.

Tuesday, November 6, 2012

How To Protect From ATM Traps

Avoid Getting Ripped Off at the ATM

Crooks around the globe are using new (and improving) technology to steal your information right at the ATM - and right under your nose. With a variety of devices - from tiny surveillance cameras to look-alike keypads to card readers - these criminals are able to get at your account number, your PIN and really any other kind of details they'd like (even what you look like or the kind of car you drive).

Because these criminals are no dummies, they often target ATMs off the beaten path, in places rarely checked by the network operator or without much traffic or people around. If you must use an ATM in a desolate location, be aware of anything that looks hinky. That scratched up card reader or loose keypad may just be evidence of a planted skimming device. Abandon the machine and try to find another.


ATM Traps


Quite a few financial institutions have built mobile apps designed to help you locate ATMs. Consider downloading one (from the financial institution itself!) if you need to find ATMs in out-of-the-way locations.

Saturday, September 22, 2012

8-Point Data Security Plan for POS Security

Basic Security Steps for Smaller Merchants

To help retailers address some of those common network vulnerabilities, the Petroleum Convenience Alliance for Technology Standards (PCATS), the Coalition of Associations for Retail Data Security (CARDS) and the National Restaurant Association (NRA) are assisting smaller merchants with basic security steps, steps that address risk mitigation rather than compliance with a security standard.

They have developed a list of eight points for POS security. The 8-Point Data Security Plan, as the NRA refers to it, aims to simplify POS security. 

Liz Garner, director of commerce and entrepreneurship at the NRA, says the association is working with organizations like CARDS and PCATS to help restaurants look beyond Payment Card Industry Security standards. "We're trying to educate restaurateurs about security," Garner says. "They just need a simple guide that provides the very basics. PCI is too complex."

Download from here.

Saturday, September 8, 2012

Real video footage of what skimmers "see"

"Handy" way to foil ATM skimming

Source from Krebsonsecurity:

I recently obtained the video footage recorded by that hidden ball camera. The first segment shows the crook installing the skimmer cam at a drive-up ATM early on a Sunday morning. The first customer arrives just seconds after the fraudster drives away, entering his PIN without shielding the keypad and allowing the camera to record his code.

Dozens of customers after him would do the same. One of the customers in the video clip below voices a suspicion that something isn’t quite right about the ATM, but he proceeds to enter his PIN and withdraw cash anyhow. A few seconds later, the hidden camera records him reciting the PIN for his ATM card, and asking his passenger to verify the code.



 

Skimmers can be alarming, but they’re not the only thing that can go wrong at an ATM. It’s a good idea to visit only ATMs that are in well-lit and public areas, and to be aware of your surroundings as you approach the cash machine. If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM.

Monday, June 25, 2012

Recent Survey Reveals Banks Investing More in Emerging Technologies

2012's Top Anti-Fraud Tech Investments


Banks and credit unions say investments in enhanced fraud detection, monitoring systems and customer and member education top their lists for fighting fraud this year.


That's according to BankInfoSecurity's second annual Faces of Fraud survey. A full report on the survey is now available.


More than half of the more than 200 financial institutions that participated in this year's survey say they have increased funding for new fraud technology and personnel.


Top Anti-Fraud Investments


In addition to enhanced detection, monitoring and education, other top anti-fraud investments for banks and credit unions this year include:
  • Improved out-of-band verification;
  • Enhanced controls over account activities;
  • More internal and external audits;
  • Improved vendor management practices;
  • More anti-money-laundering tools;
  • Enhanced dual authorization through different access devices;
  • Improved tracking of high-risk customers and members.
Refer here to download the report.

Saturday, May 5, 2012

VIDEO: 36 websites selling credit card details shut down

Cybercrime is big business these days, in fact it's an industry


Authorities are taking action against those who are turning cybercrime into such a significant underground industry.


So it's not a surprise to find that criminals are embracing ecommerce. Sophos advised that users will be surprised to discover just how professional and legitimate criminal websites can appear.


The UK's Serious Organised Crime Agency (SOCA), working alongside the FBI and the US Department of Justice, has announced that it has seized the domain names of 36 websites used to sell stolen credit card information.


For instance, watch the following video to see footage of a website that was selling stolen credit card details.


Wednesday, February 29, 2012

How to minimize the risk and impact of Identity Fraud?

Tips to minimize the risk of identity fraud

Javelin Strategy & Research recommends that consumers follow a three-step approach to minimize their risk and impact of identity fraud.

Prevention
  1. Keep personal data private - At home, at work and on your mobile devices, secure your personal and financial records in a locked storage device or behind a password. Among 2011 victims who knew how the crime was committed, nine percent said the perpetrator was someone they already knew.

    Avoid mailing checks to pay bills or to deposit funds in your bank account. Use online bill payment over a secure Internet connection (not a public Wi-Fi hotspot) instead, and have payroll checks direct-deposited.

  2. Be social, be responsible - While social networks are popular, be careful about publicly exposing personal information that is typically used for authentication (full birthdate, high school name). This applies to all social networks.

  3. Use mobile devices responsibly - Mobile devices are a treasure trove of information for fraudsters. The "always on" functionality of mobile devices provides fraudsters with new avenues for securing information. Be sure of the applications you download, the data you share over public Wi-Fi and where you leave your devices.

  4. Ask questions - Before providing any information on mobile phones, social media sites or transaction sites, ask who is requesting the information, why they need it and how it will be used. If volunteering information, ask yourself whether you have more to gain or more to lose by sharing personal and unnecessary details.
Detection
  1. Take control - In 2011, 43 percent of fraud was first detected by the victims. By monitoring accounts online at bank and credit card websites, and setting up alerts that can be sent via e-mail and to a mobile device, consumers can more quickly detect if they are a victim of identity fraud and stop it early.

  2. Learn about methods to protect your identity - There is a wide array of services available to consumers who want extra protection and peace of mind. These include credit monitoring, fraud alerts, credit freezes and database scanning.

    Some services can be obtained for a fee and others at no cost. These services can detect potentially fraudulent information from credit reports, public records, and online activity that are difficult to track on your own.
Resolution
  1. Report problems immediately - Work with your bank, credit union or protection services provider to take advantage of resolution services, loss protections and methods to secure your accounts.

    A fast response can enhance the likelihood that losses are reduced, and law enforcement can pursue fraudsters so they experience consequences for their actions.

  2. Take any data breach notification seriously - If you receive a data breach notification, take it very seriously as you are at much higher risk according to the 2012 Identity Fraud Report: Social Media and Mobile Forming the New Fraud Frontier.

    If you receive an offer from your financial institution or retailer for a free monitoring service after a breach, you should take advantage of the offer or closely monitor your accounts directly.

Friday, January 27, 2012

Top Skimming Trends to watch in 2012

2012: Year of the Skimmer

Fraud losses linked to card skimming are quickly hitting epidemic proportions. So what are the top card-skimming trends financial institutions and financial-services providers should be on the lookout for in 2012? Industry experts weigh in to offer their domestic and global perspectives.

The top six trends to watch:
  • ATM attacks;
  • Network hacks;
  • Crime rings aiming for retail;
  • Skimming at self-service points of sale;
  • International fraud migration; and
  • EMV in the U.S.
ATMs: The No. 1 Target

In 2011, debit fraud losses for the first time outpaced losses associated with credit fraud. The reason for tipping of the fraud-loss scales: skimming.

ATM Skimming

ADT Security Solutions in early 2010 estimated financial losses per ATM-skimming incident averaged $30,000. Since then the average loss per incident has jumped by a further $20,000, and it's clear card fraud and skimming are increasing. The industry can expect more fraud losses in 2012 as global crime rings enhance their networks and improve their techniques to exploit lingering magnetic-stripe technology.

ATMs are typically the last to be upgraded from a hardware perspective.

More Network Hacks

Institutions and retailers need to focus more attention on locking down their networks. Now that more networks and systems are connected, as institutions and businesses work to achieve enterprise-level data management, they increase their risk of exposure. If a system is compromised, fraudsters can easily access every server, POS device, ATM, PC and network that's connected to that system.

The widespread deployment and use of common and well-known operating systems, such as Windows, compounds the problem. Fraudsters know how to get in, and with evolving malware, it's getting easier for them to wage successful attacks.

Advances in wireless communications will also pay off for skimming crews in 2012. Network security holes aside, skimming schemes themselves will become easier, as wireless communications and Bluetooth technology have made it increasingly easy for fraudsters to remotely retrieve card data once it's been skimmed, without ever returning to the device.

Crime Rings Aim for Retail

In 2011's skimming breaches at Michaels and Save Mart/Lucky Supermarkets, open communication between the retailers and card issuers kept fraud losses and card compromises in check. Once fraud starts to occur, everyone's job is easier when retailers take a transparent and proactive approach.

Those attacks illustrated how critical it is for retailers to invest in real-time fraud monitoring. The incidents also show that retailers have an incentive to move toward the EMV (Europay, MasterCard, Visa) chip standard. At least 50 percent of card-present fraud is charged back to the merchants, so they are motivated to move to EMV, which would spare them those chargebacks. And the chip provides stronger authentication of the card, so that will help reduce fraud as well.

A Security Soft Spot

As the Lucky's breach and countless others that target self-service payment devices, including pay-at-the-pump fuel terminals, prove, any terminal that accepts credit and debit cards will be targeted by fraudsters. Even ATM vestibule doors, which read debit-card swipes for entry, are compromised with ease.

But despite the fact that EMV and anti-skimming measures have displaced many ATM attacks in European markets, ATM fraud continues there. During the last six months of 2011, Europe saw upticks in low-tech ATM-fraud schemes, such as cash trapping. Cash trapping, as the name suggests, uses a device fitted to the dispenser that prevents bills from being delivered to the customer; the criminal retrieves them later. European ATM deployers are addressing the trend with physical ATM inspections and investments in enhanced tamper-detection technology.

Geo-Blocking and International Backlash

Despite innovative moves to curb card fraud in Europe, skimming remains a global problem. Even as fraud migrates and different global regions progress in their adoption of EMV, losses associated with skimming continue to escalate.

This year will bring more fraud migration and increasing losses, especially in the United States. Part of that migration will be spurred by steps European countries are taking to shut off mag-stripe acceptance as a way to reduce financial losses associated with skimming.

Migrating Fraud

The United States can expect skimming to increase. Why? Fraud will migrate from other parts of the world, where card security is more sophisticated.

Compliance with EMV in western Europe and parts of central and eastern Europe over the last five to 10 years initiated the migration of fraud. Now that EMV is the standard in neighboring Mexico and Canada, hits to U.S. card issuers and acquirers will be substantially higher. Card fraud linked to skimming will be the catalyst.

EMV in the U.S

Movement toward EMV compliance, to address growing card fraud, is not far off for the United States. Visa and MasterCard have both issued soft dates for a U.S. movement toward EMV. MasterCard set an April 2013 deadline for all U.S. ATMs to be EMV compliant; and Visa announced compliance dates of 2013 and 2015 for U.S. merchants.

Last week, Visa provided EMV guidance and suggested EMV adoption best practices for U.S. merchants and card issuers.

Once the liability shift takes effect (starting in 2013 for some channels), responsibility for counterfeit card fraud moves from the EMV card issuer to the acquirer and merchant whenever a chip card is used at a terminal that cannot process a chip transaction. Given that stipulation, 2012 will see an increase in EMV activity.

Monday, January 23, 2012

Insider Scams and Fraud a Growing Trend

Teenager Sentenced for Card Skimming

A 17-year-old was slapped with a 60-day jail sentence after he was busted for skimming credit and debit details while working the drive-thru window at a McDonald's restaurant in Olympia, Wash. This insider scam highlights a card fraud trend the industry needs to watch.

This case highlights just how easy it is for insiders to perpetrate card fraud, especially in a retail environment. Even if we protect the ATMs and POS devices, insider fraud like this will take place due to the ease with which criminals can get their hands on the appropriate devices. This is an industry that clearly needs an elegant and innovative solution (not EMV) that can at least make it an order of magnitude harder for skimmers to succeed.

Transactions Monitored

In the McDonald's incident, the teen's card-fraud scheme was foiled before exceeding $13,000 in losses after transaction monitoring traced the fraud. Detectives connected the dots and linked fraud to the Olympia McDonald's when contacted by the Washington State Employees Credit Union about fraudulent transactions hitting member accounts.

The credit union found one commonality: All of the compromised cards had been used at the same McDonald's. McDonald's management later confirmed the juvenile suspect had worked the drive-thru every time one of the compromised cards had been used.
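
The credit union's reasoning, "every compromised card was used at the same merchant", is a common-point-of-purchase (CPP) analysis, and it is cheap to automate. The script below is an added example, not the credit union's own tooling: it takes a window of card-present transactions plus the set of cards later reported as compromised, and ranks merchants by how much of the victim population they explain (coverage) and how far their fraud rate exceeds the background rate (lift). The transactions and merchant identifiers are constructed for the example.

```python
from collections import defaultdict

# Constructed card-present transactions in the lookback window, as
# (card_id, merchant_id). Not real data.
TRANSACTIONS = [
    ("C1", "MCD-OLYMPIA"), ("C1", "GAS-7"), ("C1", "GROCER-2"),
    ("C2", "MCD-OLYMPIA"), ("C2", "GROCER-2"),
    ("C3", "MCD-OLYMPIA"), ("C3", "GAS-7"),
    ("C4", "MCD-OLYMPIA"),
    ("C5", "GROCER-2"), ("C5", "GAS-7"),
    ("C6", "GROCER-2"),
    ("C7", "MCD-OLYMPIA"), ("C7", "GROCER-2"),
    ("C8", "GAS-7"),
]
# Cards whose holders later reported fraudulent transactions (constructed).
COMPROMISED = {"C1", "C2", "C3", "C4"}


def common_point_of_purchase(transactions, compromised, min_cards=2):
    """Rank merchants by how well they explain the set of compromised cards.

    Returns [(merchant, victims_seen_here, coverage, lift), ...] sorted best first.
      coverage: share of all compromised cards that transacted at the merchant
                (1.0 means every victim shopped there).
      lift:     fraud rate among the merchant's cards divided by the fraud rate
                across all cards (how much worse than background this merchant is).
    """
    cards_at = defaultdict(set)
    for card, merchant in transactions:
        cards_at[merchant].add(card)
    all_cards = {card for card, _ in transactions}
    base_rate = len(compromised & all_cards) / len(all_cards)

    ranked = []
    for merchant, cards in cards_at.items():
        hit = cards & compromised
        if len(hit) < min_cards:
            continue                      # too few victims to say anything
        coverage = len(hit) / len(compromised)
        lift = (len(hit) / len(cards)) / base_rate
        ranked.append((merchant, len(hit), coverage, lift))
    ranked.sort(key=lambda r: (r[2], r[3]), reverse=True)
    return ranked


if __name__ == "__main__":
    for merchant, n, coverage, lift in common_point_of_purchase(TRANSACTIONS, COMPROMISED):
        print(f"{merchant:12s} victims={n} coverage={coverage:.2f} lift={lift:.2f}")
```

In the sample, MCD-OLYMPIA is the only merchant every victim visited and its fraud rate is 1.6 times the background rate, so it floats to the top while the grocer and fuel station, which merely share customers with it, rank below. On real data the lift matters as much as the coverage: a large merchant that everyone uses will score high coverage by accident, but its lift will sit near 1.0.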

The teenager used the stolen card numbers, which he collected with a handheld skimming device, to buy gift cards at retail stores such as Walmart and Toys R Us, according to a news report. With the fraudulently purchased gift cards, he allegedly bought about $13,000 worth of merchandise that he later sold on Craigslist and eBay for profit.

The purchases the teenager made included iPads, computers, video game systems and digital cameras, according to the Thurston County Prosecuting Attorney's Office.

The teen has been in custody since Nov. 16, after his parents refused to post bail. On Monday, he pleaded guilty to two juvenile counts of forgery and two juvenile counts of identity theft. As part of his sentence, the court has asked that he pay restitution to the victims whose cards were compromised.

The investigation is ongoing because other suspects may be involved.

Thursday, November 17, 2011

How Thieves Steal Your Credit Card Data?

Some tips to avoid Identity Theft and stealing of your credit card.

Background

These days, thieves only need a minute, sometimes a second, to pilfer your credit card data.

This year criminals hacked, phished or skimmed their way into the systems of Sony, marketing firm Epsilon, Citibank and even security vendor RSA, among others. In some cases, they only obtained names and email addresses. In the worst cases, they got credit card numbers.

Identity theft and cyber fraud cost Australia a whopping $8.5 billion every year. One in five Australians will be hit and it's getting worse every day.

The most common schemes are simpler than you think. Let's take a look at the most common ways thieves pilfer your credit card information.

Suspect 1: The Waitress At Your Local Cafe

Mode Of Operation:

When it's time to pay, the waitress whisks away your credit card and swipes it through the restaurant's register. Then she pulls out a small device, about the size of an ice cube, from her apron and swipes it through that too.

While you're scraping the last of the chocolate cake from your plate, your credit card information has been stored in the device, known as a skimmer. The waitress returns your card and performs the same magic trick on dozens of credit cards in a week.

Known Whereabouts:

The data-stealing waitress has been known to moonlight as a bartender, sales assistant or at any place where she can take your credit card out of sight.

Suspect 2: The Toy Store Trio

Mode Of Operation:

Sally, Simon and Greg walk into a toy store. Sally and Simon roam the aisles, while Greg waits in line to check out. When Greg is at the register, Simon comes running up to the shop assistant, screaming that his wife has fainted.

As Sally and Simon distract the shop assistant, Greg switches the credit card reader at the register with a modified one of his own.

For the next week, the shop assistant unwittingly collects credit card data on the modified reader until the trio returns, takes back the modified reader and restores the original terminal.

Known Whereabouts:

The trio will hit other retailers and restaurants, but sometimes the threesome will instead be a duo or a solo criminal.

Suspect 3: The Petrol Prowler

Mode Of Operation:

The Petrol Prowler parks her car in front of a petrol station off the highway. It's late. There's no one around except a sleepy shop assistant at the register inside. The Petrol Prowler attaches a skimmer over the credit card reader at the pump. It's a special skimmer: It emits a Bluetooth signal to a laptop close by.

The Petrol Prowler pays, heads off to the motel next door and sets up her laptop to receive the data from the compromised pump over the next several days.

Known Whereabouts:

The Petrol Prowler installs skimmers over ATMs, parking meters, vending machines and any other places with unmanned credit card readers.

Suspect 4: Harry the Hacker and Phishing Phil

Mode Of Operation:

Harry the Hacker installs malware - a type of software that damages or infiltrates a computer or network - onto a legitimate website with low security. The malware instantly downloads onto your computer when you visit the site and allows Harry to access your information. In another scenario, Harry puts malware on public computers and gathers the information you share with that computer.

Phishing Phil uses malware to go after your laptop. He sends emails with attachments that promise dancing kittens or some other bait. When the user opens the attachment, malware instantly downloads onto the computer and leaves confidential information vulnerable.

Phil also sends emails that appear to come from a familiar sender, with a link to a contaminated website that installs malware onto your computer. Some of this malware (keyloggers, a form of spyware) lets Phil capture every keystroke, including the passwords to your financial accounts.

What Happens To Your Information?

Mode Of Operation:

So what happens to these pieces of data when they're in no-good hands? They get sold.

The waitress, trio or Petrol Prowler may be able to sell each swipe for $20 to $40 a pop. Harry the Hacker and Phishing Phil could get $5 to $10 a card and often sell the information on underground carding forums, the eBay of stolen card data.

The person who buys the information verifies it and then sells it to someone who encodes it onto counterfeit cards carrying your account information. The card maker then sells those to other criminals, who buy goods such as stereos or baby formula and resell them to regular consumers.

Identity Theft: How To Avoid It

  1. Set up mobile alerts for your phone if your financial institution provides the feature. That way, you can be aware of unusual activity as quickly as possible.

  2. Regularly monitor your accounts online, so you can identify fraudulent transactions faster.

  3. Avoid public computers. Don't log onto your email if your bank corresponds with you there. One idea is to set up an email account just for your finances and then only check it from safe locations.

  4. Avoid doing business with unfamiliar online vendors. Stick to established merchants and websites.

  5. If your information has been compromised, notify your financial institutions immediately and also inform the police what has happened.

Wednesday, August 17, 2011

PCI Council issues PCI tokenization compliance guidance

PCI tokenization document mirrors the Visa Best Practices for Tokenization

Using tokenization technology to eliminate credit card data can reduce the scope of a Payment Card Industry Data Security Standard assessment, but merchants must be careful to avoid many pitfalls associated with the technology, according to a new report issued today by the PCI Security Standards Council.

The long-awaited PCI DSS Tokenization Guidelines outline how tokens can be used in merchant systems and ways to properly deploy the technology, which substitutes tokens in place of primary account numbers (PANs) to limit the movement of cardholder data in the environment. A properly deployed system in certain merchant environments can “potentially” reduce the merchant’s effort to implement PCI DSS requirements, according to the report.

The tokenization document mirrors the Visa Best Practices for Tokenization report, which was issued last summer. Tokens used within merchant analytical systems and payment applications may not need the same level of protection as the PAN, with one important caveat: a token that can itself be used to initiate a transaction (a "high-value token") is as valuable to an attacker as the PAN and must be protected accordingly.
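
The scope reduction the guidelines describe rests on one property: a token must carry no information from which the PAN can be recovered without the vault. The class below is an added example (it is not the Council's guidance text, nor any vendor's product) of a minimal token vault that has that property. Its design choices are assumptions for the illustration: tokens are random rather than derived from the PAN, they keep the PAN's length and last four digits so existing columns and receipts keep working, they are generated to fail the Luhn check so a data-discovery scan can tell them from real PANs, and detokenization is restricted to named callers.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used here to tell a real PAN from a token."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever holds the PAN, and therefore the only one
    that must stay inside the cardholder data environment. Systems that hold
    just the token can be taken out of PCI DSS scope.

    Assumed design for this example (not prescribed by the PCI guidelines):
      * tokens are random, so nothing can be reversed without the vault;
      * tokens keep the PAN's length and last four digits;
      * tokens always FAIL the Luhn check, so a PAN scanner ignores them;
      * the same PAN always maps to the same token (repeat-customer analytics).
    """

    def __init__(self, detokenize_allowed=("settlement",)):
        self._pan_to_token = {}
        self._token_to_pan = {}          # in production: encrypted, audited storage
        self._allowed = set(detokenize_allowed)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything Luhn-valid (which also guarantees
            # the token can never equal the PAN it replaces).
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only explicitly authorised callers may recover the PAN."""
        if caller not in self._allowed:
            raise PermissionError(f"{caller!r} is not permitted to detokenize")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")   # well-known test PAN
    print("token:", token)
    print("settlement sees:", vault.detokenize(token, "settlement"))
```

The point the guidelines make about scope follows directly: the web front end, the analytics warehouse and the loyalty system only ever see `token`, and the single `detokenize` call site is what an assessor needs to review. What this toy does not cover is where the vault's own mapping lives; in a real deployment that store is encrypted under a key managed per PCI DSS requirement 3, and the vault is the most sensitive system in the environment.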

Sunday, June 19, 2011

Security of Transport Contactless Smart Cards

It is possible to sniff data but what can thieves do with it?

Contactless smart cards have been touted for their speed and convenience. But does the technology make it easier for pickpockets to be contactless, too?

Experts say that although it’s possible for a fraudster to buy a card reader on eBay and use it to scan people’s pockets on a subway, there are numerous protection mechanisms in place to keep stolen data from being used as well as new, emerging encryption standards that will further limit such threats.

The pickpocket issue garnered media attention in December, when a CBS affiliate in Memphis, Tenn., followed a man who was able to read credit card information from unsuspecting passers-by. Using an off-the-shelf contactless reader that he bought online for less than $100 and a mini laptop, the man was able to obtain credit card numbers, expiration dates and some cardholder names.

But that is likely as far as a thief will get, experts say. It is possible to use a contactless reader to pick up information from a card on the subway or in an elevator, but it is unlikely that he could use the information to go on a shopping spree.

That is because the account number and other information obtained from a contactless card is not enough to complete a financial transaction. Unlike magnetic stripe cards, most contactless payment cards use a dynamic element to authenticate each transaction.

Things to look out for:
  • Transaction security - MAC across the transaction and on data (digitally signed)
  • Internal abuse and insider job/attacks
  • Mixed modes (used for many things, loyalty, credit card, door access, etc.)
  • Design issues, e.g. key management (symmetric keys rather than public-key) and weak crypto
Encryption levels can also dictate a card’s vulnerability. If a card’s encryption uses a weak algorithm or no encryption at all, the information may be easily read.

Advanced techniques for extracting a card’s encryption key are possible, but they typically require the physical possession of the card and access to highly specialized equipment.

For unencrypted air interfaces, data can be read by off-the-shelf readers and then programmed into a different physical card. Then an attacker could use the stolen card information to perform transactions that are identical to those performed by the legitimate card. In the case of payment cards, however, this process is complicated by the use of additional security mechanisms such as dCVCs.

Known cases and attacks:
  • HK Octopus cards
  • NETS CashCard

Past demos and examples:
  • Virtual pick-pocketing of contactless cards in Paris, at the Cartes exhibition in 2005
  • YouTube videos
  • ePassport attack demos

Interesting countermeasures

There is actually one way to protect against undesired interrogation of an RFID card. Cardlab has a patented RFID jam switch which distorts the RFID signal when the card is interrogated. The owner simply taps or bends the card to turn off the jammer, and the card is then able to communicate. It is effective, it's cheap, and it gives the consumer the real feeling of security he needs in order to trust the technology.

If it’s a dual-interface government PIV card, the thief could obtain the cardholder’s unique identifier, or CHUID, a number that uniquely identifies an individual within the PIV system, according to experts with Exponent, a Menlo Park, Calif.-based engineering and scientific consulting firm. The remaining chip information would only be accessible via the contact interface, so it is not at risk from such attacks.

Refer here or here to read relevant / further details.

Monday, April 11, 2011

Guidelines to keep your money safe

How to protect your money?

Your card, your PIN and other banking passwords are the key to accessing your money electronically. So it's important that you keep them secret. Following these guidelines will keep your money safe.

Protecting your card

- As soon as you receive your card, sign it on the back using a ball-point pen.
- Carry your card whenever you can, and regularly check that you still have your card.
- Never give your card to someone else, even friends or family.
- Remember to retrieve your card whenever you use it.
- Cut up any expired cards and dispose of the pieces securely.

Loss, theft and other fraud risks

You need to tell your bank immediately, if:

1) your card is lost or stolen,
2) someone else has used your card, or
3) you think someone has discovered your PIN or banking passwords.

If you don't, you may be held responsible for losses that occur as a result of you not telling your bank sooner.

Protecting your PIN or password

- Memorise your PIN or password straight away and destroy any bank letters or correspondence that it's included in.
- If you need to record your PIN or password somewhere, make sure it's disguised and kept well away from your card.
- If you select your own PIN or password, make sure you change it regularly, say every two years.
- Never tell anyone your PIN or password, not your friends, family or retailers.
- Never enter your PIN in an electronic banking terminal that looks suspicious, does not look genuine or looks like it has been modified.
- Make sure no-one watches you as you enter your PIN or password at an ATM, EFTPOS terminal, using Telephone Banking or Online Banking.
- If you do select your own PIN or password, don't choose something that is going to be easy to guess, for example: part of the number printed on your card, an old PIN or password, consecutive numbers, repeated numbers, a numeric pattern, your date of birth, phone number or drivers licence number.
- Tell your bank straight away if your PIN notification arrives damaged in the mail, if your PIN or password changes without you requesting it, or if a PIN or password you've requested or are expecting hasn't turned up.

Safe Usage

- Always check your account statements and contact your bank straight away if there are any transactions you don't recognise regardless of the amount.
- Be careful when providing your card details over the phone or internet.
- Always exercise caution when viewing emails claiming to be from your bank. Your bank would never ask you to click on a link in an email, nor would your bank ask for your account information or login details by email.
- Before travelling provide your bank with your travel itinerary so your bank doesn't unnecessarily interrupt your trip with security questions.
- When travelling, be aware of card security and keep your belongings safe at all times.
- Avoid using ATMs in poorly lit areas.
- Due to your bank security measures, you may experience a delay or inability to perform some transactions in some overseas locations. If this occurs, please contact your bank using the number on the reverse of your card.

Chargebacks

- If an unauthorised transaction or error has been made, in some cases your bank can charge it back to the merchant.
- In order for your bank to reverse the transaction, you need to report the transaction to your bank and provide them the details they need.
- You have 90 days from the date of the transaction to request a chargeback; otherwise your bank may not be able to reverse the transaction.

Wednesday, March 16, 2011

Visa Pushes for Dynamic Authentication

The Answer to Card Fraud?

Visa recently announced the launch of its Technology Innovation Program, designed to exempt eligible merchants from the annual requirement to validate their compliance with the Payment Card Industry Data Security Standard. The program, which takes effect March 31, aims to fuel dynamic data authentication through the continued deployment of EMV chip terminals in all parts of the world except the U.S.

What is 'Dynamic Authentication'?

The concept of dynamic authentication is intended to promote the use of a dynamic variable that will be included as part of each transaction that flows through the payment system. And the notion is that if there is a dynamic variable that accompanies that transaction that changes with every transaction, then that information cannot be used in the future to replay a transaction for fraudulent purposes. So, the notion of dynamic data is very powerful in that, again, each transaction would be unique. EMV chip, in particular, promotes the transmission of dynamic data by generating a cryptographic message that accompanies the transaction, and thereby makes that transaction dynamic.
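The point made here, and in the contactless-card post above (the "dynamic element" and dCVCs that stop sniffed card data from being reused), can be shown with a small model of a transaction cryptogram. The block below is an added example written for this page; it is not Visa's code and not the EMV specification. It assumes a per-card key shared with the issuer (a constructed value), a transaction counter kept by the card, and a terminal nonce, and compares that against a static check of the magnetic-stripe kind where nothing distinguishes a replay.

```python
import hashlib
import hmac

# Constructed demo: a simplified transaction cryptogram, not the EMV specification.
# The card and issuer share a per-card key (here a fixed constructed value) and the
# card keeps an Application Transaction Counter (ATC) that increments on every
# transaction. The cryptogram covers amount, ATC and a terminal nonce, so a captured
# authorisation message cannot be replayed and its amount cannot be altered.

DEMO_CARD_KEY = b"constructed-demo-card-key"  # constructed; real keys are issuer-derived secrets
DEMO_PAN = "4111111111111111"                 # well-known test PAN, not a live account


def cryptogram(key, pan, amount_cents, atc, nonce):
    """MAC over the transaction fields; 8 bytes is plenty for the demo."""
    msg = b"|".join([pan.encode(), str(amount_cents).encode(), atc.to_bytes(2, "big"), nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def authorise(self, amount_cents, terminal_nonce):
        self.atc += 1  # every transaction gets a fresh counter value
        return {
            "pan": self.pan, "amount": amount_cents, "atc": self.atc, "nonce": terminal_nonce,
            "ac": cryptogram(self._key, self.pan, amount_cents, self.atc, terminal_nonce),
        }


class Issuer:
    def __init__(self):
        self.keys = {}      # pan -> card key
        self.last_atc = {}  # pan -> highest counter value seen so far

    def enroll(self, pan, key):
        self.keys[pan] = key
        self.last_atc[pan] = 0

    def verify(self, msg):
        key = self.keys.get(msg["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = cryptogram(key, msg["pan"], msg["amount"], msg["atc"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["ac"]):
            return "DECLINE: bad cryptogram"    # tampered fields, or forged without the key
        if msg["atc"] <= self.last_atc[msg["pan"]]:
            return "DECLINE: replayed counter"  # same cryptogram presented a second time
        self.last_atc[msg["pan"]] = msg["atc"]
        return "APPROVE"


def static_verify(known_pans, msg):
    """Magnetic-stripe style check: static data only, so nothing distinguishes a replay."""
    return "APPROVE" if msg["pan"] in known_pans else "DECLINE: unknown card"


def demo():
    issuer = Issuer()
    card = Card(DEMO_PAN, DEMO_CARD_KEY)
    issuer.enroll(DEMO_PAN, DEMO_CARD_KEY)

    genuine = card.authorise(1500, b"terminal-nonce-1")
    first = issuer.verify(genuine)
    replay = issuer.verify(genuine)            # the same message captured and resent
    tampered = dict(genuine, amount=150000)    # amount changed, cryptogram unchanged
    altered = issuer.verify(tampered)
    # Someone who read the PAN over the air but holds no key cannot produce a valid AC.
    forged = dict(genuine, atc=genuine["atc"] + 1, ac=b"\x00" * 8)
    forgery = issuer.verify(forged)
    static = {"pan": DEMO_PAN, "amount": 1500}
    static_replay = (static_verify({DEMO_PAN}, static), static_verify({DEMO_PAN}, static))
    return {"first": first, "replay": replay, "altered": altered, "forgery": forgery,
            "static_replay": static_replay}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The static check approves the same message twice, which is exactly the replay risk; the counter-and-MAC version approves the first presentation and declines the replay, the altered amount and the key-less forgery. A real issuer also checks the terminal's unpredictable number and tolerates small counter gaps for offline-approved transactions, which the demo leaves out.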

Refer here or here to read more details on this initiative.

Monday, February 28, 2011

New Authentication Guidance

Draft Puts More Responsibility on Banks

A preliminary draft of new online authentication guidance from the Federal Financial Institutions Examination Council puts greater responsibility on the shoulders of financial institutions to enhance their security and prevent fraud.

The FFIEC has yet to formally unveil its long-awaited update to 2005's authentication guidance, but a December 2010 draft document entitled "Interagency Supplement to Authentication in an Internet Banking Environment" was reportedly distributed to the FFIEC's member agencies.

While it's likely that this draft will be amended before the final release of the new guidance, the current document calls for five key areas of improvement:

• Better risk assessments to help institutions understand and respond to emerging threats, including man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;

• Widespread use of multifactor authentication, especially for so-called "high-risk" transactions;

• Layered security controls to detect and effectively respond to suspicious or anomalous activity;

• More effective authentication techniques, including improved device identification and protection, as well as stronger challenge questions;

• Heightened customer education initiatives, particularly for commercial accounts.

Risk Assessments

Risk assessments are addressed first in the draft, leveling some criticism at banking institutions for not being diligent about regular assessments.

The document says risk assessments should include regular reviews of internal systems, analyzing their abilities to:

• Detect and thwart established threats, such as malware;

• Respond to changes related to customer adoption of electronic banking;

• Respond to changes in functionality offered through e-banking;

• Analyze actual incidents of security breaches, identity theft or fraud experienced by the institution;

• Respond to changes in the internal and external threat environment.

Authentication for High-Risk Transactions

The FFIEC's definition of "high-risk transactions" remains unchanged. But the supplement does acknowledge that, since 2005, more consumers and businesses are conducting online transactions.

Layered Security

Layered security includes different controls at different points in a transaction process. If one control or point is compromised, another layer of controls is in place to thwart or detect fraud. Agencies say they expect security programs to include, at minimum:

• Processes designed to detect and effectively respond to suspicious or anomalous activity;

• Enhanced controls for users who are granted administrative privileges to set up users or change system configurations, such as defined users, users' privileges, and application configurations and/or limitations.

Effectiveness of Authentication Techniques

Part of the layered security approach, the draft suggests, should include stronger device identification, which could include use of "one-time" cookies to create a more complex digital fingerprint of the PC by looking at characteristics such as PC configuration, Internet protocol address and geo-location.

Although no device authentication method can mitigate all threats, the supplement says, "the Agencies consider complex device identification to be more secure and preferable to simple device identification."

The need for stronger challenge questions is also noted, as yet another layer institutions can use to authenticate and identify a device and a user.

Customer Education and Awareness

As part of the effort to educate consumer and commercial customers about fraud risks and security measures, the draft states financial institutions should explain what protections are and are not provided under Regulation E. The drafted guidance also suggests banking institutions offer:

• An explanation of under what circumstances and through what means the institution may contact a customer and request the customer's electronic banking credentials;

• A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;

• A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk;

• A listing of institutional contacts for customers' discretionary use in the event they notice suspicious account activity or experience customer information security-related events.

Stronger Fraud Detection

Beyond the supervisory expectations, the draft guidance includes an appendix that discusses the current threat landscape and compensating controls, including anti-malware software for customers, as well as transaction monitoring/anomaly detection software.
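The "Layered Security", "Effectiveness of Authentication Techniques" and "Stronger Fraud Detection" sections above describe controls in words; the block below is an added example, written for this page and not taken from the FFIEC draft or any institution's system, of how those layers fit together. It contrasts simple device identification (trusting a cookie alone) with complex device identification (hashing the cookie together with PC configuration, IP address and geo-location, as the draft suggests), then feeds that into a few constructed anomaly rules whose outcome is allow, step-up to a second factor, or hold for review. The thresholds, attribute names and customer profile are all constructed for the demo.

```python
import hashlib

# Constructed example (not from the FFIEC draft or any bank's system): layered controls
# for an online banking session. Thresholds and sample data are constructed for the demo.


def simple_device_id(attrs):
    """Simple device identification: trust the cookie value alone."""
    return attrs["cookie"]


def complex_device_id(attrs):
    """Complex device identification: hash the cookie together with other observable
    characteristics (PC configuration, IP address, geo-location), so a copied cookie
    presented from a different machine or location no longer matches."""
    fields = ("cookie", "user_agent", "screen", "timezone", "ip", "geo")
    canonical = "|".join(f"{k}={attrs.get(k, '')}" for k in fields)
    return hashlib.sha256(canonical.encode()).hexdigest()


class Profile:
    """What the institution has learned about one customer from past sessions."""
    def __init__(self, device_ids, countries, avg_amount_cents, payees):
        self.device_ids = device_ids
        self.countries = countries
        self.avg_amount_cents = avg_amount_cents
        self.payees = payees


def assess(profile, attrs, txn):
    """Return (decision, reasons). Each rule is one layer; no single rule decides alone."""
    score, reasons = 0, []
    if complex_device_id(attrs) not in profile.device_ids:
        score += 2
        reasons.append("unrecognised device fingerprint")
    if attrs.get("geo") not in profile.countries:
        score += 1
        reasons.append("login from new country")
    if txn["amount_cents"] > 3 * profile.avg_amount_cents:
        score += 1
        reasons.append("amount far above customer average")
    if txn["payee"] not in profile.payees:
        score += 1
        reasons.append("first payment to this payee")
    if score == 0:
        return "allow", reasons
    if score <= 2:
        return "step-up: require second factor", reasons  # multifactor for elevated risk
    return "hold: route to fraud review", reasons         # anomalous enough to stop and call


# Constructed sample data: one enrolled device and a modest customer profile.
ENROLLED_ATTRS = {"cookie": "c0ffee", "user_agent": "Browser/1.0", "screen": "1920x1080",
                  "timezone": "Australia/Sydney", "ip": "203.0.113.10", "geo": "AU"}

PROFILE = Profile(
    device_ids={complex_device_id(ENROLLED_ATTRS)},
    countries={"AU"},
    avg_amount_cents=20000,
    payees={"electricity-co", "landlord"},
)


def demo():
    # 1. The customer's own device paying a usual payee: nothing anomalous.
    usual = assess(PROFILE, ENROLLED_ATTRS, {"amount_cents": 15000, "payee": "landlord"})
    # 2. The cookie was copied out of the customer's browser and presented from elsewhere.
    stolen = dict(ENROLLED_ATTRS, user_agent="Other/2.0", ip="198.51.100.7", geo="XX")
    cookie_match = simple_device_id(stolen) == simple_device_id(ENROLLED_ATTRS)
    fingerprint_match = complex_device_id(stolen) in PROFILE.device_ids
    stolen_cookie = assess(PROFILE, stolen, {"amount_cents": 90000, "payee": "unknown-payee"})
    # 3. Known device, but a large payment to a new payee: step up rather than block.
    new_payee = assess(PROFILE, ENROLLED_ATTRS, {"amount_cents": 70000, "payee": "car-dealer"})
    return {"usual": usual, "cookie_match": cookie_match, "fingerprint_match": fingerprint_match,
            "stolen_cookie": stolen_cookie, "new_payee": new_payee}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The second scenario is the one the draft's "complex versus simple" language is about: the stolen cookie still matches under simple identification, but the fingerprint does not, and the remaining rules push the session to review rather than letting one control carry the whole decision. The third scenario shows why step-up authentication sits between allow and block: a legitimate but unusual payment gets a second factor instead of a declined transaction and a support call.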

Similar Guidance in Australia?

Well - I am not sure if we have something like the Federal Financial Institutions Examination Council (FFIEC) or a similar council in Australia. Until we find the answer to that question, we should start using the guidelines that are available.

Monday, February 21, 2011

Dynamic Authentication - Visa Technology Innovation Program

New Technology Innovation Program is All About Secure Transactions

A move toward EMV can help merchants cut their security compliance costs

That's the message from Visa Inc., which last week announced the launch of the Visa Technology Innovation Program, which is designed to exempt eligible international merchants from annual validations of their compliance with the Payment Card Industry Data Security Standard.

The goal: to encourage merchants to move toward dynamic data authentication, which EMV chip technology makes possible.

In order to qualify for the Technology Innovation Program, international merchants in EMV markets must prove that at least 75 percent of their transactions are EMV chip transactions. They also must validate previous compliance with the PCI-DSS, and they must have no history of cardholder data breaches on their records. The program takes effect March 31.