ROAM DATA Payment Industry News Focusing on Mobile Payments

Sunday, October 31, 2010

RSS FEED MOVING

This RSS Feed is moving to feed://mcommerce.roamdata.com/?feed=rss2. Kindly update your reader ASAP. For now, both feeds are active.

miiCard Announces Strategic Relationship with Yodlee to Deliver Digital Passports

Tags: Yodlee

miiCard has announced that it is soft-launching a new digital identity solution for financial services.

Powered by Yodlee, the miiCard Digital Passport enables consumers to prove “they are who they say they are” online, in real time, enabling them to buy financial products completely online for the first time, in a fashion that meets Anti-Money Laundering laws, Know Your Customer regulations and Proceeds of Crime Act standards.
The company hopes to eliminate the "often cumbersome and always time consuming need for offline proof of identity before a financial product can be purchased."

First Data and VeriFone Collaborate on Data Security Solution

Tags: First Data Corp., Verifone

First Data and VeriFone have announced they are working together to offer a VeriFone edition of the First Data® TransArmorSM solution to U.S. multi-lane and petroleum merchants. This will enable businesses using VeriFone’s MX 800 series of devices, Secure PumpPay and the Ruby point-of-sale (POS) solutions to take advantage of a complete security solution combining VeriFone’s VeriShield encryption with tokenization technology from RSA.
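The tokenization half of such a solution is what takes the card number out of the merchant's systems. The block below is an added illustration written for this page, not TransArmor's or RSA's implementation: the `TokenVault` design, the HMAC lookup index, the vault key and the card numbers are all constructed assumptions. It shows the property that makes tokenization reduce PCI scope: the token is random, carries no mathematical relationship to the PAN, can never itself pass as a card number, and is only resolvable inside the vault.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects mistyped PANs before they reach the vault."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Assumed vault design (not TransArmor's): the only place a PAN is stored.

    Lookup is by HMAC(PAN) under a vault-only key, so the same card yields the
    same token (recurring billing, fraud analytics) without the PAN being used
    as a dictionary key and without the token being derivable from the PAN.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_by_index = {}   # HMAC(PAN) -> token
        self._pan_by_token = {}     # token -> PAN

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, minting a fresh random one if unseen."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # Random body + the real last four, so receipts and customer
            # service keep working. Mint until the result fails Luhn, so a
            # token can never be mistaken for (or pass validation as) a PAN.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; a merchant DB dump yields tokens only."""
        return self._pan_by_token[token]


def merchant_order_record(vault: TokenVault, pan: str, amount: str) -> dict:
    """What a merchant system keeps after a swipe: token, last four, amount.
    The PAN is handed to the vault and is not retained by the merchant."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault(b"constructed-vault-key")   # constructed sample key
    print(merchant_order_record(vault, "4111111111111111", "42.00"))
```

The check worth carrying into a real deployment is the last one in `tokenize`: a token that happened to pass Luhn would be indistinguishable from a PAN in log reviews and scope assessments, so the vault refuses to mint one.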


PCI Security Standards Council Releases Version 2.0 of the Security Standard

Tags: PCI Security Standards Council

The PCI Security Standards Council (PCI SSC) has announced version 2.0 of the PCI DSS and PA-DSS standards. Reflecting input from the Council’s global stakeholders, this latest version does not introduce any new major requirements, but does modify the language of the standard in order to clarify the meaning of the requirements and make understanding and adoption easier for merchants.


Ixaris Partners with Apigee to Create API Platform for Payment Application Development

Tags: Prepaid Cards

Ixaris has announced a partnership with Apigee to create an industrial-grade API platform for enterprises and developers creating payment applications on Ixaris Opn (pronounced ‘open’).

Ixaris Opn is a platform that allows developers, businesses and financial institutions to rapidly create payment applications. Unlike similar platforms such as PayPal X, Ixaris Opn allows developers to create and run their own global payment applications using open loop virtual or physical cards under the Visa and MasterCard schemes.

Boston Fed Survey Shows Americans Can Be Choosy About Their Payment Methods

Tags: Credit Cards, Debit Cards, Prepaid Cards

"A sizable and growing minority of American consumers who once possessed a credit card no longer have one," says the Federal Reserve Bank of Boston’s Consumer Payments Research Center. Surveys done over the last two years indicate that the “discard rate,” the percentage of consumers who have abandoned that method of paying for purchases, grew from 14% in 2008 to 16.5% in 2009. In contrast, the discard rate among Americans for prepaid cards was 27.5%. For debit cards it was about 5%.

These figures were announced in the 2008 Survey of Consumer Payment Choice (SCPC), an annual study by the Boston Fed that is available to the public for free.


Chasing the E-Invoicing Dream: New Glenbrook Research Report

Tags: Glenbrook

Companies of all sizes have adopted accounts payable (AP) solutions, yet new IAPP-TAWPI and Glenbrook research reveals that e-invoicing benefits remain elusive. The vast majority of businesses (of all sizes) report that less than 20% of incoming invoices are e-invoices. Benefits realized thus far are modest compared to e-invoicing's potential. Learn more about the findings and purchase the report on Payments Views.


Mobey Forum Reaches Landmark Representing More Than 25% of Banking Customers Globally

Tags: Mobey Forum

Mobey Forum has announced that it has reached the impressive milestone of its members now collectively representing more than 450 million banking customers globally. "The association attributes increasing membership enquiries to the market’s growing desire to deliver mobile financial services to end-users."


Enterprise Data Storage Reaches for the Cloud

Mike Prieto, Vice President and General Manager, Storage Works Division, HP Asia Pacific and Japan in conversation with Geetaj Channana about the ways to curtail information explosion.

Q: What are the three ways of curtailing information explosion in an organisation?

A: In terms of optimisation and data reduction – thin provisioning, deduplication and tiering are the three ways to manage the explosive data. Thin provisioning is the ability of the system to distribute data to a large number of users to be used efficiently.

It is more like a debit system: rather than employees having 1 GB of available storage, they have 100 MB, and as they use that 100 MB they are given more as they require it. The clear benefit of thin provisioning is that it gives you a reduction in disk space.

With de-duplication you reduce the requirement of disk capacity. Tiering enables you to organise the data requirements that you have and push it to various devices. This has the ability to optimise the data that you need in various scenarios. The benefits are in the form of management and automation.

Q: Unstructured data – how do we solve the mess?

A: It is one of the biggest problems in storage. We have various products that specialise in handling unstructured data. They enable you to manage that, together with de-duplication and disk to disk backup.

Q: What according to you are the biggest challenges for storage virtualisation?

A: From my perspective the biggest challenge is around the planning and understanding of what it's going to take to get there. It needs to be well thought out.

The real benefit will be in virtualising an infrastructure end-to-end. You must not treat virtualisation in silos. Most organisations work on the server piece and forget about the rest.

You are going to get the best ROI when you have an end-to-end virtualised infrastructure. That’s where we can really help. We can provide this service to help you virtualise everything. We have IP in all areas including desktops, servers etc. to help organisations get there.

Q: What approaches should be taken while adopting a hybrid model with the cloud for storage?

A: It is a hard question to answer. There is no straight answer to this. You may have to go case by case. You may typically go with a consulting organisation to help you – it will depend on the size of the organisation and the number of data centres they have.

You would want the best returns from the investments that you have made in hardware by virtualising it – this is the underline while planning and assessing the systems.

You would also need to classify the application with the kind of service levels that you need with them. It needs to be well thought out. It leads me back to the question that you asked me about storage virtualisation challenges.

This is one of them – of being able to understand the service levels of applications in the application layer. You must understand which are the mission critical apps, tier 2 apps, etc. before you virtualise.

Q: How have the backup policies changed with the advent of cloud and virtualisation?

A: It is a very good question. I am not sure about India, but in certain countries in the APJ region, I can tell them that it is a risk and an opportunity at the same time. I see customers are still not addressing data processing well enough.

I am seeing customers who have made a significant investment in hardware in SAN technology for example to find out later on that there is no data protection strategy in place in the system. This is a huge risk.

With virtualisation you have the ability, but it is still not enough and you need a good DR strategy in place. It is important that you answer the questions of Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

Some of the first questions that need to be answered are: how critical is your data and how fast do you need it back. The next step is to figure out the technology that you may want to invest in. Virtualisation and cloud add to the choice.

Q: How important is de-duplication? Where should it be on the storage roadmap of the organisation?

A: I think de-duplication has gone from nice to-have to a must-have in an organisation. It is critical in terms of being one of the key pillars of the enterprise converged infrastructure strategy. The four pillars of this strategy are Platform Convergence, Storage Optimisation, Virtualisation and Management.

De-duplication is a key part of storage optimisation. It has become a necessity from being a luxury.

Q: Please tell us more about your Store Once product.

A: There are different technologies today for de-duplication. From a regional branch where you have a single node, to a regional office that has a few nodes to a data centre with many nodes you may need different technologies for de-duplication.

You may have to do the de-duplication process again and once you go from one site to another, depending on the technology. Store Once on the other hand allows you to do de-duplication from one location for all the nodes.

This technology has been developed from the ground up by HP Labs. It is a single software design that reduces complexity end-to-end. It runs on all our disk-to-disk backup products available in the market.

Q: Any final thoughts?

A: I would like to make a couple of key points here. Firstly, we are leading the charge in terms of breaking down the boundaries between server, storage and network. We have got devices now that are purpose-built for Virtual Desktop Infrastructure (VDI).

We are seeing a lot of demand. Though a lot of people are not adopting it they are showing a lot of interest in it. We have recently finished a big installation in Korea.

We are also driving very hard on industry standard hardware. We have a lot of products that are based on the x86 platform, which makes management a lot easier. This helps in bringing the costs down substantially.

Cross-posted from CTO Forum

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

SEPA - Beyond Theory Into Practice

Tags: SEPA

The European Central Bank has published the seventh in a series of progress reports on the Single Euro Payments Area (SEPA) (PDF). The bank reports on progress over the last two years and provides guidance on the way forward in multiple areas -- SEPA Credit Transfer (SCT) and SEPA Direct Debit (SDD), Cards, eSEPA (online payments), security, infrastructure, migration, and governance of retail payments and cash services.


First Data Adds Emerging Payments Support to Compass Platform

Tags: Emerging Payments, First Data Corp.

First Data and CardinalCommerce have announced that online merchants using the First Data Compass platform can seamlessly accept and process emerging payments transactions through services like PayPal Express Checkout. In addition to streamlined processing, merchants are also able to easily combine order management, customer service and reporting of each emerging payment type within their core business.


Zero Trust Security – The Cultural Discussion

There is a great motto on the SR-71 Blackbird flight crew badges, “In God we trust, all others we verify.” 

John Kindervag of Forrester Research has written a paper titled ‘No More Chewy Centers: Introducing The Zero Trust Model Of Information Security’ that takes this motto into the information security realm. 

The premise of this paper is: what if you treat everything on your network, internal or external, as untrusted? This paper is a great read and is worth the cost to obtain a copy.

This concept may sound a bit extreme and, for some, may even seem an odd approach.  But you have to ask yourself, can you really trust all of your users?  And that is exactly the point John is making. 

He points to 26 data security breaches in the first half of 2010 that were the result of “trusted” personnel deliberately or accidentally releasing information. 

John’s advice: if you cannot trust your users, then you need to treat them and their network traffic as untrusted.

As a security professional, this approach sounds appropriate given today’s computing environment.  However, as a former senior IT executive, I have to say it sends chills down my spine. 

For what this approach requires is that you tell your employees that they cannot be trusted. 

If that does not scare the daylights out of you, it will sure scare it out of your human resources executives and probably a few, if not all, of the rest of your senior managers.

Then there is the process of selling such an approach.  And let us face it; it will be quite a sales job to get such an approach sold to senior management. 

To exacerbate this process, surveys of senior managers portray security professionals as being too technical and unable to explain why security is necessary in business terms.

With that sort of disconnect, the concept of Zero Trust is going to be almost impossible for most security professionals to sell to their organizations. 

In my opinion, the only way such an approach will ever be implemented is if it is suggested and driven by senior management, not IT or information security.

Then there is the fact that Zero Trust is not going to totally solve the security problem.  Remember my mantra, security is not perfect. 

Zero Trust is only going to minimize risk, but it is likely to minimize it to the absolute minimum to which it can be reduced.

Senior managers are going to be skeptical about spending the money it will take to get to this level. 

However, for the financial institution and health care industries, the cost will be worth the peace of mind. 

Other industries will likely struggle with justifying the expense.  But in the end, I think this is probably the only route to as secure an environment as one can have.

In a future post, I will discuss the technological ramifications of Zero Trust.

Cross-posted from PCI Guru


Visa Opens World’s Leading Payments Network to Independent Developers

Tags: Authorize.net, CyberSource, Visa

Visa has announced a number of enhancements to the Authorize.Net Developer Center, a resource that enables "independent developers to create applications supporting electronic payments and related services for major payment networks including VisaNet." The Developer Center builds on Authorize.Net’s existing platform, which Visa acquired as part of the purchase of CyberSource earlier this year.

Besides an improved developer program, what's new here is a PCI-friendly card acceptance technique called the Direct Post Method. "Because customer billing data posts directly to Authorize.Net without touching the merchant server, the merchant can retain control over the receipting experience without incurring PCI DSS overhead."
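The mechanism behind a direct-post design is worth seeing end to end, because the scope reduction only holds if the merchant server never handles the card fields and the gateway can still tell that the order it receives is the one the merchant priced. The block below is an added example written for this page, not Authorize.Net's Direct Post Method code or API: the `x_` field names, the `^`-joined HMAC fingerprint, the shared "transaction key" and both URLs are placeholders modelled on the idea. It shows the merchant signing the order fields, the browser form that carries card data straight to the gateway, and the gateway's checks against a customer editing the hidden amount or replaying an old form.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: the field names, the shared "transaction key"
# and the URLs are placeholders modelled on the idea, not Authorize.Net's API.
TRANSACTION_KEY = b"constructed-merchant-gateway-secret"
GATEWAY_URL = "https://gateway.example/direct-post"
RELAY_URL = "https://merchant.example/receipt"


def fingerprint(login: str, sequence: str, timestamp: str, amount: str,
                key: bytes = TRANSACTION_KEY) -> str:
    """HMAC over the order fields the merchant wants the gateway to trust."""
    msg = f"{login}^{sequence}^{timestamp}^{amount}^".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def merchant_build_form(login: str, amount: str, now: float = None) -> tuple:
    """Merchant server: signs the order and emits the form. No card fields
    are read here; the browser posts them straight to the gateway."""
    ts = str(int(time.time() if now is None else now))
    seq = str(secrets.randbelow(10**9))
    signed = {
        "x_login": login,
        "x_amount": amount,
        "x_fp_sequence": seq,
        "x_fp_timestamp": ts,
        "x_fp_hash": fingerprint(login, seq, ts, amount),
        "x_relay_url": RELAY_URL,
    }
    hidden = "\n".join(f'  <input type="hidden" name="{k}" value="{v}">'
                       for k, v in signed.items())
    html = (f'<form method="post" action="{GATEWAY_URL}">\n{hidden}\n'
            '  <input name="x_card_num">\n  <input name="x_exp_date">\n'
            '  <button>Pay</button>\n</form>')
    return html, signed


def gateway_verify(post: dict, now: float = None, max_age: int = 900) -> tuple:
    """Gateway side: the card fields are used for authorization here; the
    signed fields are checked so the customer cannot edit the amount in the
    hidden inputs, and an old form cannot be replayed."""
    for k in ("x_login", "x_amount", "x_fp_sequence", "x_fp_timestamp", "x_fp_hash"):
        if k not in post:
            return False, f"missing {k}"
    try:
        ts = int(post["x_fp_timestamp"])
    except ValueError:
        return False, "bad timestamp"
    current = time.time() if now is None else now
    if abs(current - ts) > max_age:
        return False, "stale fingerprint"
    expected = fingerprint(post["x_login"], post["x_fp_sequence"],
                           post["x_fp_timestamp"], post["x_amount"])
    if not hmac.compare_digest(expected, post["x_fp_hash"]):
        return False, "fingerprint mismatch"
    return True, "ok"


def merchant_holds_card_data(signed_fields: dict) -> bool:
    """True if anything the merchant server produced or stored is card data."""
    return any(k in signed_fields for k in ("x_card_num", "x_exp_date", "x_card_code"))


if __name__ == "__main__":
    html, signed = merchant_build_form("merchant123", "19.99")
    print(html)
    # Simulated browser submission: the card fields join the post only here.
    post = dict(signed, x_card_num="4111111111111111", x_exp_date="1012")
    print(gateway_verify(post))
```

Two details matter in practice: the timestamp window is what stops a captured form from being replayed later, and the relay URL is something the gateway should restrict to the merchant's registered domain rather than trust from the form, since it too is an editable hidden field.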


Mobile Photo Bill Pay

Tags: Bill Payment, Mobile Technology

Mitek has announced a new app that lets users pay bills with their smartphone camera.

After establishing online-bill-payment arrangements as part of their banking account, users of Mobile Photo Bill Pay can initiate e-bill-payment sessions on their smartphones, then simply snap photos of the bills they want to pay, verify the payment information and click on the app's "PAY" button.
The app eliminates the hassle of users setting up information for individual payee accounts because Mitek technology extracts the data from the photo image and automatically provides it to the financial institution's bill-processing system in the required format.

Headline News - October 22, 2010

Tags: Payments News - Headline News

Headline News is compiled by Glenbrook Partners:

Note: Throughout the day, as we spot interesting developments, this post is updated.

How Many Aunt Sally Years Does Your Network Have?

If you've been doing PC tech support for your friends or family, you've probably noticed that for some of them, no matter what you do to protect them, they keep getting infected over and over again.

For some people I support, I removed administrative privileges from their account, installed antivirus and antispyware, made sure Windows Update is active, etc., and still they keep getting infected.

I'm not talking about people downloading illegal games and cracks, I'm talking about the typical Aunt Sally and Uncle Joe: people who only have a basic understanding of computer security and who know nothing about social engineering, drive-by downloads and the latest Acrobat exploit.

When they see a popup saying their computer is infected, they can't tell the difference between a fake message and a real one and they click on the "clean up" button. They are normal people and probably behave the same as those working and browsing on your enterprise network.

On average, the people I know will have their computer infected once a year (at least). If we extrapolate to a corporate network of a thousand computers where the machines are on average three years old, that makes a whopping 3000 "Aunt Sally/Uncle Joe" years of browsing, receiving emails and using untrusted USB sticks.

Hundreds of bots are available for rent in .mil, .gov and other high value domains. Thousands of strategic systems have been infected with the Stuxnet worm.

Are all of them poorly managed corporate systems? I doubt it. But malware keeps getting past protection mostly because of end user behavior.

Is your network differently or better protected? Probably not.

No matter whether these attacks are targeted Advanced Persistent Threats (APT), linked to a cyberwar, or just simple generic Zeus/SpyEye infections, the fact is that malware is installed, is remotely controlled and the organization is not aware of it.

This is not FUD; it's a fact that our flagship product, ECAT, allows us to verify each time it is used to assess a network.

Governments are starting to be aware of this and are looking for ways to control the situation. The corporate world is further behind and seems to wait for tangible proof before taking action.

For most of them, the only thing they need now to get that proof is to simply take a deep look at their systems' integrity.

Let's hope they won't wait too many more "Aunt Sally" years before they do!

Cross-posted from Silicium Security

Smart Grid Deployment and Identity Management

This paper is the author's personal opinions on the role that identity management will play in the utility industry as smart grid evolves across North America.

Utility - Home Energy Controller

One significant portion of smart grid is the interaction between the home energy controller and the utility. 

The home owner may choose to allow the utility to monitor appliance, air conditioner, electric heater and gadget events in the home and potentially to control some of them (e.g. shutting down an air conditioner during a peak load to trim the peak and avoid a grid brownout).

This requires identity management to authenticate the home energy controller and the utility's home management system to each other, potentially every few minutes. Most current deployments put a user ID (uid) and password in place, allowing the application to log on to the local data store in the home.

I believe that this approach is not secure from the customer's perspective since passwords are easily obtainable through a variety of different methods.  I also believe that over the next several years, privacy litigation against utilities will force the utility to adopt a more rigorous method of authenticating to the home.

I foresee the use of digital certificates issued by the utility to the home owner's energy controller, with web services then used to authenticate to the device. This means that utilities must put in place a solid PKI and also deploy access control that is highly available.

Home Owner - Utility Interaction

The home owner will either use software supplied by enterprises like Google or use the utility's own portal software or combinations thereof to communicate with the utility. 

Further, I also foresee that in the future, energy controllers bought in a store will be installed by third parties, who will then help the home owner create their account and interface the controller with the utility.

Further, the home owner will want to assign different authorization rights to family members, allowing them different levels of control over the home energy management system.

Finally, in many families administration rights will be delegated among family members (e.g. elderly people may delegate some or all of their privileges to their caregivers).

All of this requires:

- A robust identity management system to provision the assets and applications to the home owner
- Integration with B2B infrastructure
- Easy log on using things like voice recognition
- Fine-grained authorization
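The delegation and fine-grained authorization requirements above have a concrete shape, and the part that is easy to get wrong is making sure a delegate can never hand out more than they were given. The block below is an added example written for this page, not any utility's or vendor's product: the right names, the `HomeEnergyAccount` model and the family members in the demonstration are constructed. It enforces two rules (a grantor can only delegate rights it holds, and only if its own grant permits re-delegation) and makes revocation cascade, so revoking a caregiver also revokes whoever the caregiver brought in.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Assumed right names for a home energy account (constructed for this example).
ALL_RIGHTS: Set[str] = {
    "view_usage",             # read meter and appliance data
    "set_thermostat",
    "schedule_appliance",
    "allow_utility_control",  # opt the home in to utility-driven load shedding
    "manage_members",
}


@dataclass
class Grant:
    rights: Set[str]
    delegated_by: Optional[str]   # None = held by the account owner
    redelegable: bool = False     # may the holder pass (a subset) on?


class HomeEnergyAccount:
    """Owner holds everything; others hold only what was delegated to them."""

    def __init__(self, owner: str):
        self.owner = owner
        self.grants: Dict[str, Grant] = {owner: Grant(set(ALL_RIGHTS), None, True)}

    def rights_of(self, user: str) -> Set[str]:
        g = self.grants.get(user)
        return set(g.rights) if g else set()

    def authorize(self, user: str, right: str) -> bool:
        """The per-request check the energy management system would run."""
        return right in self.rights_of(user)

    def delegate(self, grantor: str, grantee: str, rights: Iterable[str],
                 redelegable: bool = False) -> None:
        """Two rules keep delegation from escalating privilege:
        1. a grantor can only hand over rights it holds itself, and
        2. only holders whose own grant is marked redelegable may delegate."""
        g = self.grants.get(grantor)
        if g is None or not g.redelegable:
            raise PermissionError(f"{grantor} may not delegate")
        wanted = set(rights)
        unknown = wanted - ALL_RIGHTS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        missing = wanted - g.rights
        if missing:
            raise PermissionError(f"{grantor} does not hold: {sorted(missing)}")
        if grantee in self.grants:
            raise ValueError(f"{grantee} already has a grant; revoke it first")
        self.grants[grantee] = Grant(wanted, grantor, redelegable)

    def revoke(self, user: str) -> None:
        """Revoking a user also revokes every grant that flowed through them."""
        if user == self.owner:
            raise ValueError("the owner cannot be revoked")
        for other, g in list(self.grants.items()):
            if g.delegated_by == user:
                self.revoke(other)
        self.grants.pop(user, None)


if __name__ == "__main__":
    # Constructed scenario: an elderly owner, a caregiver, and the agency's backup.
    acct = HomeEnergyAccount("grandma")
    acct.delegate("grandma", "caregiver", {"view_usage", "set_thermostat"}, redelegable=True)
    acct.delegate("caregiver", "agency_backup", {"view_usage"})
    print(acct.authorize("agency_backup", "view_usage"))        # True
    print(acct.authorize("caregiver", "allow_utility_control"))  # False
    acct.revoke("caregiver")
    print(acct.rights_of("agency_backup"))                      # set()
```

Opting the home in to utility control is modelled as a right (`allow_utility_control`) that stays with the owner unless explicitly delegated, which is the decision the text says the home owner should keep in their own hands.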

Electric Vehicle Management

I foresee several areas where identity management would be important in enabling a smooth customer interaction with the utility. These include:

- Vehicle identity registration systems with the utility, likely involving issuing a digital certificate to the car
- Utility identity federation with credit card companies and energy suppliers (e.g. Chevron, Exxon, Shell, etc.)
- Utility federation with parking garage owners who offer electric vehicle recharging
- Possible federation with electric vehicle manufacturers
- Possible registration of vehicles in an energy saving program, IF it turns out that recharging the batteries of numerous vehicles significantly loads the grid (the jury is still out on this)

SCADA Home/Commercial Electrical Generation Authentication

As home and commercial users begin to generate electricity and want to connect to the grid to sell it back to the utility, I foresee the following:

- The need to identify and register the devices with the utility, which in the future will likely involve installing a digital certificate on the energy generating device or on the device that connects it to the grid
- Authentication of the devices to the grid

"Smart Grid"

As smart transformers, power line monitors and feeder automation devices and software are deployed on the SCADA systems, this will require the following identity management infrastructure:

- Registration of all devices in a central LDAP store from the authoritative sources
- Authentication of the devices by either the HMI in the control room and/or an identity management access control system
- Identity management for personnel and third parties who will be working and interacting with the devices and their software

Operations

I foresee a significant shift in the future to what happens in a utility's operations control centre and its IT operations. The integration of the home and the digitization of the networks using TCP/IP means that:

- Enterprise incident management must now integrate formerly separate IT and SCADA change management systems into one
- Monitoring systems need to be significantly improved from stem to stern (i.e. the home with its appliances and gadgets all the way through to utility corporate and utility SCADA systems)
- Network architecture will need to be significantly upgraded and will require more numerous internal DMZ zones to limit utility risk of someone able to penetrate to the SCADA system
- Security operations must now be moved out of IT and Facilities and into the control room to actively monitor and manage all security to watch for physical and logical penetrations

Operations concern me the most when considering smart grid.  While the software sales people and utility marketing people are making the most of "smart grid", I don't think many utilities have considered the operational impact, organizational reorganization and security requirements required.

Summary

This brief paper outlines, at a high level, the challenges of deploying smart grid for a utility from an identity management and operational perspective. Much state and provincial legislation is forcing utilities to take on home or commercial generated power without thinking through the security, operations and identity implications.

Concurrently, I believe that many senior utility managers are "hopping on board" the smart grid bandwagon without knowing the true infrastructure, operational costs and enterprise reorganization.

What most do not realize is that the digitization of the SCADA network to TCP/IP communication AND the deployment to the home require extremely tight integration between IT and SCADA.

Those utilities that figure this out early will be the winners while those who don't may open themselves, unknowingly, to significant security holes.

About the Author

Guy Huntington is a learned and burned identity management and security consultant.  He has led a utility identity management program, participated in a utility security assessment, integrated physical and logical security and rescued several large Fortune 500 identity projects.  His white papers can be read at http://www.authenticationworld.com/papers.html.  He can be reached at guy@hvl.net or 1-604-861-6804.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.


Federal Reserve Releases Report on College Credit Card Agreements


The U.S. Federal Reserve Board has released a report to Congress on College Credit Card Agreements that contains payment and account information about more than 1,000 agreements between credit card issuers and institutions of higher education or affiliated organizations that provide for the issuance of credit cards to students. The Board also launched an online database with additional information such as the terms of these agreements.

PayPal X Innovate 2010 Developers Conference


At its PayPal X Innovate 2010 developer conference today, PayPal unveiled "new technologies and partnerships that will allow people to change the way they pay – accessing their digital wallets from more devices to shop, browse and pay anytime, anywhere."

PayPal Announcements:

Partner Announcements: Ustream is providing a live video feed from both days of the PayPal X Innovate 2010 conference, including all general conference sessions as well as live interviews from the show floor with executives, speakers, developers and attendees.

Glenbrook's Russ Jones has his reactions from the first day of the conference posted in Payments Views.

Visa Reports Fiscal Fourth Quarter and Full-Year 2010 Financial Results


Visa has announced financial results for its fiscal fourth quarter and full-year 2010, which ended September 30, 2010, with GAAP net operating revenue for the quarter of $2.1 billion, an increase of 13% over the prior year and driven by "strong contributions across all revenue categories, in particular data processing and international transaction revenues." GAAP net operating revenue in the full-year was $8.1 billion, an increase of 17% over the prior year.

Some quarterly highlights:

- Payments volume growth, on a constant dollar basis, for the three months ended June 30, 2010 (on which fiscal fourth quarter service revenue is recognized) was a positive 14% over the prior year at $802 billion.
- Payments volume growth, on a constant dollar basis, for the three months ended September 30, 2010, was a positive 14% over the prior year at $828 billion.
- Cross border volume growth, on a constant dollar basis, was a positive 16% for the three months ended September 30, 2010.
- Total processed transactions, which represent transactions processed by VisaNet, for the three months ended September 30, 2010, totaled 12.1 billion and were a positive 16% increase over the prior year.

A conference call replay, presentation and more detailed operational performance data are available online.

Headline News - October 27, 2010


Headline News is compiled by Glenbrook Partners:

Note: Throughout the day, as we spot interesting developments, this post is updated.

Headline News - October 26, 2010


Headline News is compiled by Glenbrook Partners:

Note: Throughout the day, as we spot interesting developments, this post is updated.

Seven Ways to Combat Scareware

You may have seen this before; it goes like this: a pop-up appears that looks like a window on your PC. Next thing, a scan begins.

It often grabs a screenshot of your “My Computer” window, mimicking your PC's characteristics, then tricks you into clicking on links.

The scan tells you that a virus has infected your PC. And for $49.95 you can download software that magically appears just in time to save the day.

From that point on if you don’t download and install the software, your computer goes kooky and pop-ups will invade you like bedbugs in New York City.

Web pages may be infected or built to distribute scareware. The goal is to trick you into clicking on links and downloading their crappy software.

Information Week reports those behind a new fake antivirus software have added a new social engineering element — live support agents who will try to convince potential victims that their PCs are infected and that payment is the cure.

The rogue software comes equipped with a customer support link leading to a live session with the bad guy.

Real scammers on the other end of the chat offer live remote access support: the victim is instructed by "support" to click a link that initiates remote access to their PC.

Once connected remotely, the scammer can potentially retrieve documents to steal your identity.

Another new twist on the scam involves a popup in the form of a browser with a warning that looks like what your browser may present to you when you visit a page that might have an expired security certificate, malware warning or be a potential phishing site.

The page is usually red with a warning: “Visiting This Site May Harm Your Computer”, then it provides you with a link, button or pop-up that gives you the option of downloading security software or updating your browser's security.

The software is sometimes known as “AntiVirus2010,” “WinFixer,” “WinAntivirus,” “DriveCleaner,” “WinAntispyware,” “AntivirusXP” and “XP Antivirus 2010”, or something like “Security Toolkit”.

These are actually viruses or spyware that infect your PC, or just junk software that does nothing of value.

What makes the scam so believable is there is actual follow through of the purchasing of software that is supposed to protect you. There is a shopping cart, an order form, credit card processing and a download, just like any online software purchase.

Protect yourself:

#1 Use the most updated browser. Whether Internet Explorer 8, Chrome or Firefox, download the latest and greatest. At least download whatever security updates there are for your existing browser.

#2 Usually by default, a pop-up blocker is turned on in new browsers. Keep it on. No pop-ups, no scareware.

#3 If you are using another browser and a pop-up pops up, shut down your browser. If the pop-up won’t let you shut it down, do a Ctrl-Alt-Delete and shut down the browser that way.

#4 Never click links in pop-ups.  If the pop-ups are out of your control, do a hard shutdown before you start clicking links.

#5 Persistence counts. Shutting off this pop-up is often difficult and any buttons you press within this pop-up could mean downloading the exact virus they warned you of.

#6 Employ the most recent versions of anti-virus and keep it set to automatically update your virus definitions.

#7 Never click on links in the body of a “WARNING” webpage that suggests downloading updates for your browser or downloading security software. Just hit the little red X in the upper right corner.

Robert Siciliano, personal security expert to Home Security Source, discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.

Password Management in the Enterprise

Preface: I am not on the payroll for any vendor. This is not a paid endorsement/advertisement. I am simply sharing what I have found in my research in the Enterprise password management space.

Password management is an essential part of every organization’s security program. Even if you have a well implemented single sign on (SSO) solution, your employees will still need to remember and use passwords for new external websites.

The demands we put on our employees to remember more and more passwords, and to make those passwords more and more complex, have become unmanageable.

Consider all the rules we ask our employees to follow:

- Passwords must be at least [X number] characters long
- Must include special characters, capitals, numbers, etc.
- Change your passwords every [X number] of days
- Use a different password for every system
- Do not use a predictable pattern in your passwords
- Don’t write your passwords down anywhere

These demands usually lead to one of two results. Either the users will write passwords down (often in a text or Word document on their computer’s desktop) or they ignore the rules and reuse passwords between systems.

Some of our more technical and security savvy users will go find a tool like Password Safe (or one of the many others like it) which does a wonderful job of giving the users a safe place to put passwords, but is very clunky in an Enterprise environment.

These types of tools do not accommodate passwords that need to be shared between users, and do not allow integration with Active Directory, or role based permissioning. And when an employee leaves the organization, those passwords are lost, potentially leaving the employer in the lurch.

There are several products that attempt to work in this space, but most of them offer SSO type functionality. While there is certainly a place for that in some organizations, it requires a very significant amount of back-end configuration by the IT department. And whenever a new application gets added there needs to be configuration changes to support it.

What I want is a tool that works like Password Safe, allowing users to create and manage all their own passwords with little to no interaction from IT, but still allows centralized management and ease of deployment. After looking through dozens of tools, I have found that Thycotic software’s Secret Server meets all of my needs.

The technology really is pretty simple. The system can tie into Active Directory for authentication and group memberships.

By default, users have their own secure area where they can create as many system passwords (which this system calls “secrets”) as they want. They can either create secrets just for their own use or they can assign permissions to other users or groups in the system.

Secret Server allows users to create auto-launcher links within the secrets. These launchers will open a web browser, SSH or Remote Desktop connection to a system with the username and password pre-populated.

Moreover, the system can be configured so that the password is not even visible if there is a launcher available. I can give you access to sign in with my account without you ever actually knowing my password.

Secret Server can also be used to automatically change passwords on a predetermined schedule. So if you don’t want to have to log into that server every 90 days to change your password, you can tell Secret Server to do it. Then when you need the password you just log in and get it.

Secret Server is not perfect. It’s got a sizable price tag. The UI leaves something to be desired, and some of the administration configuration can use a little work.

But overall it’s a powerful tool that provides users with a real option for saving their passwords in a secure location, eliminating the need to memorize dozens of 8+ character complex passwords.

In a world where security is continually becoming more onerous for our users, this tool can help stem that tide just a little bit.

Cross-posted from Enterprise InfoSec Blog from Robb Reck

Putting the Cyber in Cyber Warfare

Analyzing the security field for a while now, I have seen the naysayer comments about cyber warfare. In a real war, you can’t kill with Denial of Service attacks.  

Or, you can’t shut down the power grid through the internet.

Well, putting all the fluff aside, how would cyber attacks be used in war time?

Right now we just see a lot of cyber espionage, nation states stealing information from other nations. Not that this is a little thing that can just be ignored.

According to Sun-Tzu in the Art of War, “Thus it is said that one who knows the enemy and knows himself will not be endangered in a hundred engagements.”

But what most people don’t realize is that in a military conflict, cyber warfare is just another tool in the tool chest. It will be folded in with other forms of electronic warfare.

On the Military channel a while back they interviewed a Commando Solo pilot.

He mentioned that during Desert Storm, they completely owned Iraq’s communication, radar, SAM and advanced warning systems.

They were able to hide American troop movement by removing them from their systems, and placing fake decoy units into the system.

Electronic warfare specialists coordinated with Special Forces ground troops to subvert every form of Iraqi communication.

An Iraqi officer would pick up the phone and a Special Forces operator would answer.

It got so bad that Iraqis no longer trusted radio and phone communication to troops, so they started hand writing commands and delivering them in vehicles.

The US responded by simply blowing up the vehicles.

Systems do not have to be connected to the internet to be susceptible to cyber warfare. Many modern communication systems run on TCP/IP, the same protocol that the internet uses. 

When TCP/IP was created, security was not a big concern, so phone systems based on TCP/IP are just as susceptible to the same protocol level vulnerabilities as computer systems.

Also, systems not connected to the internet are still vulnerable to cyber warfare if someone walks into the facility and installs a virus or a back door into the system.

Or, if a USB drive infected with SCADA attacking Stuxnet is plugged into a computer inside the isolated network…

The Russians combined cyber warfare tactics with physical warfare during the Russia-Georgia conflict.

When utilities and communication systems go down during a large natural disaster, chaos ensues.

We are one of the most technologically advanced nations in the world, yet look how long it took to get aid to New Orleans during Katrina.

When communication systems and utilities go down during a military conflict the outcome is very deadly indeed.

Cross-posted from Cyber Arms

Electronic Fund Transfer Act Shifts Risk to Banks

Article by Richard L. Santalesa

Just a step below widows and orphans on the sympathy scale, at least when it comes to ripoffs and theft, sit school districts, boards and local municipalities.

And in an era of tight budgets, when school districts are robbed of tax monies from halfway around the world via ACH/wire fraud, state and federal politicians take notice.

After the Duanesburg Central School District in upstate New York, a district with 1,000 students and an annual budget of approximately $15 million, suffered a brazen cybertheft of $3 million in December 2009, which eventually left the school district potentially on the hook for over $400K of unrecovered funds (details about the Duanesburg cybertheft here and here and here), the District approached State officials on the issue (here) and then federal representatives, including Senator Schumer.

While the New York Senate passed S7323/Foley earlier this year, which would have established a "School District Financial Security Task Force" with a mission to "develop guidelines for school districts to protect school district funds deposited with banks and other financial institutions from adverse consequences such as theft and cyber-theft," NY Governor Paterson vetoed the bill, apparently on fiscal grounds.

However, up at the federal level Senator Schumer recently picked up the district's mantle to introduce S.3898, a bill "to amend the Electronic Fund Transfer Act to treat municipalities and school districts as consumers for certain purposes under that Act," as codified at 15 U.S.C. §1693a, and to require the Board of Governors of the Federal Reserve System to issue final rules on defining "municipality" and "school district" for purposes of section 903 [codified at 15 U.S.C. §1693a] of the EFTA.

Boiled down, S.3898 essentially modifies FDIC Regulation E implementing portions of the EFTA to extend the $50 limitation of loss from ACH/wire fraud currently covering individual consumers to school districts and municipalities.

Notably, in a Senate still dominated by 57 Democrats, Senator Schumer stands as S.3898's sole sponsor headed into a lame-duck session of Congress that is likely to see the House, and possibly the Senate, change hands. (InfoLawGroup partner David Navetta recently also commented on S.3898's prospects at BankInfoSecurity.com here.)

The Security Landscape

While dismay and outrage at cyberthefts have built steadily, many felt that a Rubicon of sorts was finally crossed in 2010 as the use and reach of the Zeus Trojan built to a crescendo.

Indeed, the FBI announced less than two weeks ago, on Oct. 1, that it broke a multi-country cybertheft ring that had been using Zeus Botnets in various attempts to steal $220 million from accounts.

Before the FBI disrupted the ring it nevertheless managed to abscond with $70 million. (See FBI Nat'l Press Office, Oct. 1, 2010, "International Cooperation Disrupts Multi-Country Cyber Theft Ring" here; see also "How the Fraud Works", here).

In response, months before Schumer's introduction of S.3898, an alphabet soup of federal and state agencies, including the U.S. Secret Service, Financial Services Information Sharing and Analysis Center (FS-ISAC), New York State Intelligence Center (NYSIC), New York State Police, and New York State Office of Homeland Security, released on March 12, 2010 a Cyber Security Advisory entitled Information and Recommendations Regarding Unauthorized Wire Transfers Relating to Compromised Cyber Networks, available here.

The March 2010 Advisory contains a series of best practices, including enterprise recommendations, user recommendations, financial institution recommendations for users, and financial institution specific recommendations.

The Takeaway

It's still too early to tell whether S.3898 represents a true push by Congress to shift the risk of loss in such ACH/wire fraud scenarios from schools and municipalities onto the banking community, or is merely a warning shot across the bow of the banking industry designed to spur the industry into battening down ACH hatches.

In my view the latter is more probable, at least at this time - given Congress' preoccupation with other fiscal matters, the lame duck session around the corner, and the fact that Senator Schumer's name alone appears as the sole sponsor, despite his individual prominence.

However, the banking industry is certainly taking notice and promising to work towards a satisfactory compromise.

Cross-posted from InfoLawGroup

Glenbrook's Russ Jones at PayPal X Innovate 2010


Glenbrook's Russ Jones will be at PayPal X Innovate 2010 in San Francisco October 26-27. He's speaking in a session entitled "Commercial Payments: Challenges and Opportunities for Developers", and will be posting his reaction to the conference on our sister blog Payments Views. If you are attending PayPal X Innovate and want to say hello, .

Glorifying the Attackers and Prosecuting the Victims

With all the media noise about Stuxnet, cyber war and cyber terror, I propose taking a closer look at how we relate to the players.

Whether uber hackers or PLO terrorists, are we glorifying the attackers at the expense of prosecuting the victims?

In data security I don’t subscribe to utilitarian ethics, which attempts to balance the benefit versus the damage of an act and can lead to the ends justifying the means.

For data security and compliance I recommend the “Ten commandments” approach: if it’s not ethical to steal data then it’s never acceptable to steal data, neither as an employee, contractor, consultant or hacker.

I read a short article by the Chazon Ish (who passed away in 1953 and is well known for both his saintliness and extreme breadth of knowledge).

He speaks about the importance of distinguishing between the attacker and the victim. He explains how we must carefully tread the line of understanding who is the attacker and who is the victim.

Basic morality dictates showing compassion to the victim and harshness to the attacker.

Therefore, how terrible it is when we mistakenly reverse the roles and show compassion to the attackers and penalize the victims!

Translated to the world of security and compliance – we can understand that a basic component of data security in the workplace, is an ethical approach where we maintain a clear identification of who is the malicious attacker and deal with him in an uncompromising and harsh way. 

The vast majority of employees are not malicious attackers and there is no reason to penalize them as long as they comply with the company’s acceptable usage policy.

On the other hand, there is no ethical basis to treat an attacker with compassion.

Like Sun Tzu wrote in “The Art of War”: “When you lay down a law, make sure it is not disobeyed”.

Cross-posted from Israeli Software

Dr. InfoSec's Quotes of the Week (012)

RSA on Patching

"Unlike IT systems, users cannot be patched and will always be vulnerable to manipulation and infection..." -- Uri Rivner, head of new technologies, identity protection and verification at RSA

On the Smart Grid

"The more proliferation there is of intelligent metering and energy usage, the more opportunities there are for attackers..." -- Heath Thompson, CTO at metering company Landis+Gyr

Sykes on Communication

"The security of corporate information will stand or fall by the ability of the organisation’s various functions to communicate clearly and effectively with one another. It takes all teams to sustain a meaningful dialogue, so a change in mindset is needed from all sides..." -- Richard Sykes, PwC Governance Risk and Compliance Leader

On the Need for a Security Collective

"Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk..."  -- Scott Charney, Corporate VP of Trustworthy Computing at Microsoft

On Security Hampering Productivity

"The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity. That said, there are a lot of very, very silly URL blocking and email policies in place out there that *do* impact productivity, *don't* increase security and *do* encourage users to bypass IT systems..."  -- John Pescatore, VP Gartner Inc.

On Stuxnet-like Weapons

"A cyberweapon like Stuxnet threatens nation-states much more than it threatens a non-state actor that could deploy it in the future. In short, like every other major new weapons system introduced since the slingshot, Stuxnet creates new strengths as well as new vulnerabilities for the states that may wield it..."  -- Caroline B. Glick, writing for The Jerusalem Post

Cross-posted from Dr. Infosec

Attacking an Unpatched Windows 2008 Server

Microsoft cannot stress enough the importance of keeping your systems patched. And yet, server systems tend to drift from best practice, for several reasons:

- The patch may fail the application that the server is running
- The patch will require a reboot, which may cause unwanted downtime
- It's simply a hassle

But non-patched systems are a great target for an attacker. Even if the attacker doesn't gain permanent access to the network, he/she can cause a nasty Denial of Service (DoS) on an unpatched server.

Here is the attack scenario

We will use a Windows 2008 target for this demonstration. Win2008 is a good example because even though it was released in 2008, and we now have the R2 version, a lot of companies are just starting to implement it.

The attack is based on two well known vulnerabilities of Win2008 in the SRV2.SYS driver. In Metasploit, these exploits are known as:

- ms_09_050_smb2_negotiate_pidhigh
- ms_09_050_smb2_session_logoff

Both are Denial of Service type of attacks, so we'll use them without a payload.

To use these exploits, just fire up the msfconsole and type:

msf > use auxiliary/dos/windows/smb/ms_09_050_smb2_negotiate_pidhigh
msf auxiliary(ms_09_050_smb2_negotiate_pidhigh) > set rhost (Target IP address)
msf auxiliary(ms_09_050_smb2_negotiate_pidhigh) > exploit

You can do the same with the second exploit.
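As an added defensive example (not from the ShortInfosec post), the following Python parser flags, in captured NetBIOS session frames, the SMBv1 NEGOTIATE request pattern behind the ms_09_050_smb2_negotiate_pidhigh module, so a sensor can spot attempts against servers that have not yet been patched. It assumes that the trigger is a non-zero Process ID High header field in a negotiate that offers an "SMB 2.*" dialect; the sample frames are constructed inline and are only used as parser input.

```python
# Added example (not from the original post): detect the SMB negotiate pattern
# behind Metasploit's ms_09_050_smb2_negotiate_pidhigh in captured traffic.
# Assumption: the trigger is an SMBv1 NEGOTIATE request whose Process ID High
# header field is non-zero while it offers an "SMB 2.*" dialect.
import struct
from dataclasses import dataclass
from typing import List, Optional

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32
# MS-CIFS 2.2.3.1 header: Protocol(4) Command(1) Status(4) Flags(1) Flags2(2)
# PIDHigh(2) SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2)
SMB1_HEADER_FMT = "<4sBIBHH8sHHHHH"


@dataclass
class NegotiateRequest:
    pid_high: int
    pid_low: int
    dialects: List[str]


def parse_smb1_negotiate(frame: bytes) -> Optional[NegotiateRequest]:
    """Parse a NetBIOS-framed SMBv1 NEGOTIATE request; None if the frame is not one."""
    if len(frame) < 4 + SMB1_HEADER_LEN:
        return None
    # NetBIOS session service: 1-byte type (0x00 = session message) + 3-byte length
    nb_type, nb_len = frame[0], int.from_bytes(frame[1:4], "big")
    if nb_type != 0x00 or nb_len != len(frame) - 4:
        return None
    fields = struct.unpack(SMB1_HEADER_FMT, frame[4:4 + SMB1_HEADER_LEN])
    proto, command, pid_high, pid_low = fields[0], fields[1], fields[5], fields[9]
    if proto != SMB1_MAGIC or command != SMB_COM_NEGOTIATE:
        return None
    body = frame[4 + SMB1_HEADER_LEN:]
    # NEGOTIATE request: WordCount (must be 0), ByteCount, then the dialect list
    if len(body) < 3 or body[0] != 0:
        return None
    byte_count = struct.unpack("<H", body[1:3])[0]
    data = body[3:3 + byte_count]
    if len(data) != byte_count:
        return None
    # Each dialect is a 0x02 BufferFormat byte followed by a NUL-terminated string
    dialects: List[str] = []
    pos = 0
    while pos < len(data):
        if data[pos] != 0x02:
            return None
        end = data.find(b"\x00", pos + 1)
        if end == -1:
            return None
        dialects.append(data[pos + 1:end].decode("ascii", "replace"))
        pos = end + 1
    return NegotiateRequest(pid_high, pid_low, dialects)


def is_ms09_050_trigger(frame: bytes) -> bool:
    """True when a negotiate sets PIDHigh while offering SMB2 (the assumed trigger)."""
    req = parse_smb1_negotiate(frame)
    if req is None:
        return False
    return req.pid_high != 0 and any(d.startswith("SMB 2.") for d in req.dialects)


def scan_frames(frames: List[bytes]) -> List[int]:
    """Return the indexes of frames in a capture that match the trigger pattern."""
    return [i for i, f in enumerate(frames) if is_ms09_050_trigger(f)]


def _fixture_negotiate(pid_high: int, dialects: List[str]) -> bytes:
    """Build a constructed test frame (never sent; used only as parser input)."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    hdr = struct.pack(SMB1_HEADER_FMT, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18,
                      0xC853, pid_high, b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    smb = hdr + bytes([0]) + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed sample capture: a normal client negotiate, the suspicious pattern,
# and a PIDHigh-set negotiate that does not offer SMB2 (not flagged).
SAMPLE_FRAMES = [
    _fixture_negotiate(0, ["NT LM 0.12", "SMB 2.002"]),
    _fixture_negotiate(0x0001, ["NT LM 0.12", "SMB 2.002"]),
    _fixture_negotiate(0x0001, ["NT LM 0.12"]),
]

if __name__ == "__main__":
    for idx in scan_frames(SAMPLE_FRAMES):
        print(f"frame {idx}: SMB1 negotiate with non-zero PIDHigh offering SMB2")
```

A hit is a reason to check the target's patch level and to look at the source host, not proof of a successful crash; the session_logoff variant is a different request and is not covered by this check.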

Here is the end result from a Metasploit command line point of view.

And here is the end result from a Windows 2008 Console point of view.

Conclusion

Although this is just a demo type of exploit, it provides an excellent example of what happens to an unpatched server. Imagine that this was the web server running your Web Site.

Now go and patch your systems!

Cross-posted from ShortInfosec

Headline News - October 28, 2010


Headline News is compiled by Glenbrook Partners:

Note: Throughout the day, as we spot interesting developments, this post is updated.

ATMs for sale and Skimming

I started looking on E-bay and found plenty of new and used ATMs ranging from $500-2500 but quickly determined I didn’t want to pay $300 for shipping.

Next was Craigslist, where anyone can rent out an apartment, buy a boat, get an erotic massage and buy an ATM.

I quickly found an ad from a bar north of Boston. They were selling pool tables, Budweiser neon signs and an ATM.

After my hacker played with the manual, got it working and determined it was worth the financial risk, we loaded it on my trailer, paid $750 (down from a grand) and brought it home and put it in my garage.

My hacker comes over to my garage, manual in hand, all giggly, like hackers sometimes do and says “Watch this”.

He punches the master codes to access the machine's data on a device called an EPROM and hundreds of credit and debit card numbers just start falling all over the floor.

A few days later a TV producer friend of mine came over and we devised an evil plan to scam millions of $$ from unsuspecting suckers and then spend the rest of our lives hopping from island to island and buying a villa in Sicily.

But my wife said “NO”. 



VeriFone and RSA to Deliver Integrated End-to-End Encryption / Tokenization Service

Tags » End-to-End Encryption, Verifone

VeriFone and RSA have announced a partnership to market an integrated offering combining their respective end-to-end encryption and tokenization solutions for secure card processing. The new offering, branded VeriShield Total Protect, will provide a consistent, consolidated approach to protecting payment card data end-to-end, both pre- and post-authorization.



AT&T Launches Multi-Partner Direct Mobile Billing Trial

Tags » BOKU, Danal, Zong

BilltoMobile (announcement), BOKU (announcement), and Zong (announcement) are all working with AT&T to provide direct mobile billing payment services to AT&T's wireless subscribers, enabling customers to charge digital content purchases made online directly to their existing wireless service account.

This is the second direct mobile billing agreement with a major carrier that BilltoMobile has announced this year - the company announced a similar integration with Verizon in March - and the first for BOKU and Zong.



On The Frontlines: Cloud Computing in Government

Trezza Media Group released the latest installment of its "On The Frontlines" series of government technology reports.

The "On The Frontlines" Publications are dedicated to showcasing the positive progress and best practices of the Federal Government Agencies and their strategic partners in meeting the goals of their Mission Programs and supporting the men and women who work on the frontlines.

This issue, Cloud Computing in Government, features the Trends and Best Practices on Cloud Computing in Government.

In this special report, you'll be able to read and view:

- Cover Story on Cultivating a "Cloud-First Culture"
- Cloud Drivers with Government Leaders from GSA-OSD & NASA Ames
- An in-depth Interview with Chris Kemp, CTO, NASA
- Viewpoints Column: Economic Gains in the Cloud, Kevin Jackson, NJVC
- Clear Visions of Future Cloud Formations with Subject Matter Experts
- Cloud Computing Resource Center Section

My personal thanks goes out to Mr. Tom Trezza Jr, Mr. Jeff Erlichman and Mr. Jim Flyzik for affording me the opportunity to contribute to this informative publication.

GSA Awards Eleven US Federal IaaS Contracts

According to Federal News Radio, GSA awarded eleven vendor spots in the first Federal cloud infrastructure-as-a-service award.

The winners were:

- Apptis Inc. partnered with Amazon Web Services
- AT&T
- Autonomic Resources partnered with Carpathia, Enomaly and Dell
- CGI Federal
- Computer Literacy World partnered with Electrosoft, XO Communications and Secure Networks
- Computer Technology Consultants partnered with Softlayer, Inc.
- Eyak Tech LLC
- General Dynamics Information Technology partnered with Carpathia
- Insight Public Sector partnered with Microsoft
- Savvis Federal Systems
- Verizon Federal Inc.

Under the BPA, each of the vendors will have to go through the certification and accreditation (C&A) process at the moderate level under the Federal Information Security Management Act (FISMA).

GSA will run the C&A process through the Federal Risk and Authorization Management Program (FedRAMP).

After they complete FedRAMP certification, all of these offerings will be available on the Apps.gov website.

Cross-posted from Cloud Musings


Bank Executive Survey: The Return of Pessimism

Tags » Banking Industry

The vast majority of bank executives are not confident that financial reform will be effective in detecting the broad risks to the financial system and preventing or reducing the threat of future taxpayer-funded bailouts, according to Grant Thornton LLP's 17th Bank Executive Survey, conducted in conjunction with Bank Director magazine.

When asked about the recent Dodd-Frank legislation, most bankers said that the provision that would impact their bank the most was the creation of a consumer protection agency (73%). Bankers also were concerned that interchange fees paid by merchants and retailers to banks that issue debit cards would be set by the Federal Reserve in an amount that is "reasonable and proportional" (71%).


Credit Card Offers Are Needlessly Confusing; New Law Brings Some Improvement

Tags » Credit Cards

A new study by the Center for Responsible Lending (CRL) finds that "credit card offers have grown increasingly complicated since 2000, when Congress required issuers to start disclosing pricing information on credit card offers. But instead of providing clarity to consumers about the true cost of their credit cards, issuers responded to this mandate by adding a confusing array of numbers to their offers."



Facebook Privacy Progress and Pitfalls

Facebook Gets Tough on Email Scams

In a positive move, Facebook filed lawsuits recently against the scammers hitting its site and its users.

The three lawsuits filed name people and a company and accuse them of tricking Facebook users into visiting internet marketing websites.

In one of the scams, they created fake "dislike" buttons that then hijacked the user's account and sometimes their money.

There was also a fake "Facebook Gold Account" offering slick features that really just took users' data and sold it.

A reminder to us all that when something seems too good to be true, it probably is!

Source: "Facebook sues over free gift card, 'dislike' button scams", Robert McMillan, MacWorld, October 21, 2010.

Facebook Breach Raises Questions on Capitol Hill

There are 500 million Facebook users.

The Wall Street Journal reported that your information was being transmitted to marketing firms.

In response, U.S. Representatives Edward Markey (D-Mass) and Joe Barton (R-Texas), sent a letter to Facebook CEO, Mark Zuckerberg.

The WSJ noted an excerpt from that letter which expressed concerns that "third-party applications gathered and transmitted personally identifiable information about Facebook users and those users' friends."

The letter requests that Mr. Zuckerberg provide information such as:

1. how many people were affected,

2. when Facebook knew about it, and

3. permanent changes Facebook will make to prevent further issues.

Source: "More Questions for Facebook", Wall Street Journal, Geoffrey A. Fowler, October 18, 2010.

Facebook Falls Short When it Comes to Child Predators

Fox News did an investigation researching how well Facebook handles and blocks child predators.

Once they completed their research, they showed two Facebook executives the screens they had found, which show that predators are getting through to kids.

The researchers found that by entering "PTHC" which is shorthand for Pre Teen Hard Core, they were shown graphic images.

There is a database of words and terms that has been created by the National Center for Missing and Exploited Children.

This database can be accessed by programs like Facebook to alert them anytime a cybercreep is using terms or words that are clearly linked to child predator activity.

The Fox News research found child pornography as well. Facebook is committed to reviewing and enhancing their filters.

This is a complex issue and you cannot make Facebook the bad guy here.

You are your kid's first line of defense. Be active on your kid's page. Keep their profile secure. Monitor their wall and friends' list.

Source: "Facebook Falls Short In Blocking Pedophiles", Fox News, October 21, 2010.

Cross-posted from Fortalice


Sears Expands Payment Methods to Support Installment Payments

Tags » Merchants Payments Coalition, Sears

Sears has added yet another new payment option to its existing suite of financing solutions, the Sears Monthly Payment Plan. The new plan offers a more controlled form of borrowing for shoppers who want to avoid unexpected finance charges. The basic terms are 48 equal payments on purchases over $750, with APRs as low as 12.99%, subject to credit approval. Financing is provided by GE Money Bank.



Bank Fees Rise to Record Numbers According to Bankrate's 2010 Checking Study

Tags » Banking Industry

A new study released by Bankrate, Inc. shows that the costs of checking account fees have risen again this year to an all-time high. ATM fees leapt 5% from 2009, overdraft fees increased 3%, monthly fees for non-interest accounts increased 40%, and monthly fees for not maintaining a minimum balance on an interest checking account increased almost 4%.



Headline News - October 25, 2010

Tags » Payments News

Headline News is compiled by Glenbrook Partners:

Note: Throughout the day, as we spot interesting developments, this post is updated.
