All Top Banking

Showing posts with label Avivah Litan. Show all posts

80% of Phishing Attacks Use Hijacked Websites

Posted by John B. Frank Thursday, May 28, 2009 0 comments

I've blogged about this subject plenty of times over the last year, and my concern is specifically targeted towards the inherent weaknesses in the username/password systems used with online banking. If a consumer is tricked/phished into providing their username/password, then the phisher is successful.

The average phishing attack results in a loss of $350 to a bank.

According to research firm Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks. (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before to five million.)

The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved. (That's $196 to the banks and $154 to the consumers.) "The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner. (Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based.)

Guess what? The HomeATM "SafeTPIN" device would not only eliminate "phishing attacks" but it would also eliminate the threat of "cloned cards," "cloned bank sites," AND provide "True 2FA" for online banking customers.

HomeATM provides a very simple cure to this maliciousness. Use a PCI 2.0 certified SwipePIN device and require online banking users to swipe their bank issued card and enter their bank issued PIN. The data is encrypted and is NEVER in the clear. So, in the event a consumer is tricked into swiping and entering their PIN, as opposed to typing in their log-in credentials, the phisher has nothing.

And nothing is something banks should want phishers to have.

More Than 80% Of Phishing Attacks Use Hijacked, Legitimate Websites - DarkReading
New research from the Anti-Phishing Working Group shows how phishers are better covering their tracks -- and what to do when phishers compromise your Website

May 27, 2009 | 04:23 PM
By Kelly Jackson Higgins
DarkReading

It used to be that researchers could sometimes track a phishing exploit by the notorious cybercrime ring behind it, like the Rock Phish gang, but no more: New research from the Anti-Phishing Working Group (APWG) has found that most phishers are setting up shop on legitimate Websites to be inconspicuous when they steal valuable information from victims.

In the second half of 2008, roughly 57,000 phishing attacks worldwide targeted a specific brand or organization, up from around 47,300 in the first half of 2008, according to a newly released report (PDF) from the APWG. The attacks were waged on 30,454 different domain names, only 5,591 of which were domains the phishers set up themselves. The rest were from legitimate Websites they had hijacked to carry out their exploits.

The average amount of time a phishing site was up: 52 hours, according to the report.


Wyndham Hotel Hack Followup

Posted by John B. Frank Thursday, February 19, 2009 0 comments



Here's a follow-up to the Wyndham Breach

It seems that the criminals not only were able to get guest names, credit card numbers and expiration dates, but they also were able to steal the data from the card's magnetic stripe, Wyndham said. That magnetic stripe information contains Track 1 and Track 2 data including the (CVV) code, "which is critical if the thieves want to make fake credit cards, according to Avivah Litan, an analyst with Gartner Research."

"That's the hot information," she said. "You can sell that information for much more on the black market." CVV codes were also taken in the high-profile Heartland Payment Systems and The TJX Companies credit card thefts.

When fraud is perpetrated using fake cards that include the CVV codes, the banks are responsible for the charges; when they are able to obtain only the card numbers and expiration dates -- for example, online transactions NOT DONE by HomeATM -- then the retailer is responsible for the charges.

"The banking industry is all up in arms whenever bank stripe data is stolen," Litan said.

As posted in "DumbPhoneded," the retailers should be up in arms every time a transaction is conducted without the Track 2 data being swiped. Not only are they paying up to 100 basis points more, but in the face of increased fraud, they could lose their product and lose the money they thought they got for it. Call that a double whammy, no cheese.





Will PIN Debit Become HomeATM's "Signature" Product?

Posted by John B. Frank Wednesday, April 30, 2008 0 comments

Here's an interesting excerpt from American Banker in which they talk about PIN Debit vs. Signature Debit. The setting is restaurants; however, the point is still valiantly made why PIN Debit is the better of the two types and has a strong future as an Internet Payment Mechanism.

Mr. Rasori said VeriFone's research indicates that between 50% and 70% of all meals at sit-down restaurants are paid through signature debit transactions, which are significantly more expensive to the merchant than PIN debit payments.


According to Mr. Luria of Wedbush Morgan, the difference in transaction costs, depending on the restaurant's arrangement with its acquirer, can be "an order of magnitude." The typical transaction fee is 2.5% for a signature debit transaction and 1% for a PIN debit transaction. "These transactions are priced differently because of the risk," he said.

"A 'PIN card-present transaction' is the lowest-risk transaction you can do — that is why it is priced at the lowest level. For a signature debit or credit transaction, there is higher risk and higher pricing."


However, Mr. Rhodes' position assumes that the difference in transaction fees is matched by the difference in risk. Some industry analysts doubt that this is really the case.

Avivah Litan, a vice president with Gartner Inc., said that despite consumers' stated preference for PIN transactions, banks have been creating incentives for signature debit ones. "There are two reasons why banks like signature better," she said. "One is that they generate revenue through higher fees. Second, if a signature is forged, they can charge the amount of the transaction back to the merchant, but if a PIN is stolen, the bank is on the hook."

Mr. Bergeron says that in the long run he is not worried about efforts by banks to push signature debit over PIN debit.
"Banks realize that increasing the size of the overall market is more lucrative than trying to squeeze extra fees out of a fixed market that faces increasing numbers of competitors," Mr. Bergeron said.

"One thing you can be sure of: Banks will always find a way to make money from handling transactions. The biggest issue for them is market share, so the more creative they can be in expanding the use of their cards, or the number of transactions they process, the better off they will be."
