December 15, 2010

Smart Cards, Smart Phones and a Cashless Society

Smart Phones Help Fight Bank Fraud

As more people carry the devices, technology firms are creating better security checks for bank transactions.

December 9, 2010

Technology Review - A simple phone call or text message could have saved Mark Patterson nearly $350,000. The money was stolen from his company's bank account last year by cybercriminals based in Eastern Europe. Patterson discovered the fraud six days after it had begun, when the bank sent notice that a fraudulent $9,000 transfer to an account in California had failed to complete.

A startup security firm, DUO Security, hopes to offer a better way to secure banking transactions, by routing the information used to confirm a transaction through to a second device: a smart phone. The company has developed apps for a variety of smart phone platforms to create a separate channel between a bank and its customer to verify a transaction. Customers receive the details on their phone and approve transactions with a single touch.

"You push a button on your computer, you receive a notification, and you push a button on your phone, and that is it," says company cofounder Jon Oberheide. "We don't really want to overwhelm the user with options."

Patterson's company was a victim of the Zeus banking Trojan, a money-stealing software program used by cybercriminals to hijack victims' online banking sessions and pay out large amounts of money to intermediaries known as "money mules," who transfer the funds overseas. "It's been a very stressful year and a half," Patterson told attendees at the CyberCrime 2010 Symposium in Portsmouth, New Hampshire, last month.

Defenses against Zeus and other programs like it are few. Criminals routinely test the latest version of their code against antivirus software. Capturing a username and password during an online banking session is simple, which is why banking regulations no longer allow only a single factor (a password) to secure online transactions.

Because the criminals have control over the banking customer's computer, even a second factor--such as another temporary passcode--often fails. Zeus and other Trojans modify bank transactions in real time, sending funds on to money mules but displaying a page that makes it appear that the money is going to a legitimate payee. In fact, any security measure that uses the same communications channel between the PC and the bank can be corrupted by attackers who have compromised the device. DUO Security uses encryption to verify that the communication is going to and from a device that the user has registered.

Allowing the user to actually see the transaction before confirming it is key, says Avivah Litan, a fraud analyst at Gartner.

"We have been advocating transaction verification for a long time," she says. "We call it 'sign what you see.'"

DUO Security is not the first to focus on the phone. Firms such as RSA, Entrust, and PhoneFactor use similar techniques for verifying transactions via a mobile phone. However, many products merely issue a passcode, an approach that is still vulnerable to Trojans. Zeus's developers are known to have circumvented the issuing of a text message passcode on Symbian and BlackBerry devices by using the Trojan to ask victims to install an app on those devices; the malicious app forwards the SMS code to the attackers, who can then complete the transaction.
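
The difference between a passcode and a "sign what you see" approval can be shown in a short Python sketch. It is an added example, not code from DUO Security or any other vendor named above; the HMAC construction, the device key shared at registration, and all function names and transaction values are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

def canonical(txn):
    """Deterministic bytes for a transaction so both sides MAC identical input."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()

def device_approve(device_key, txn_shown, nonce):
    """Phone: MAC exactly the details displayed to the user, plus the bank's nonce."""
    msg = nonce.encode() + b"|" + canonical(txn_shown)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def bank_verify(device_key, txn_to_execute, nonce, approval):
    """Bank: accept only if the approval covers the transaction it will execute."""
    expected = device_approve(device_key, txn_to_execute, nonce)
    return hmac.compare_digest(expected, approval)

def passcode_flow(received, intended):
    """One-time code typed into the PC; it is not bound to payee or amount."""
    code = f"{secrets.randbelow(10**6):06d}"   # bank issues a code
    entered = code                              # user types it while viewing the PC page
    return hmac.compare_digest(code, entered)   # True even if received != intended

def out_of_band_flow(device_key, received, intended):
    """Bank pushes what it *received* to the registered phone for review."""
    nonce = secrets.token_hex(16)
    if received != intended:        # user sees the wrong payee/amount on the phone
        return False                # and declines; no approval is produced
    approval = device_approve(device_key, received, nonce)
    return bank_verify(device_key, received, nonce, approval)

def simulate(tampered):
    device_key = secrets.token_bytes(32)  # assumed: shared at device registration
    intended = {"payee": "Acme Supplies", "account": "1111", "amount_cents": 125000}
    received = dict(intended)
    if tampered:                          # constructed stand-in for an altered request
        received.update(payee="Other Party", account="9999", amount_cents=900000)
    return {"passcode": passcode_flow(received, intended),
            "out_of_band": out_of_band_flow(device_key, received, intended)}

if __name__ == "__main__":
    print("clean   :", simulate(False))
    print("tampered:", simulate(True))
```

In the tampered case the passcode check still passes because the code says nothing about the payee or amount, while the out-of-band approval is tied to the exact transaction and a fresh nonce.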

DUO Security has focused on making the technology simple to integrate with banking websites, requiring the addition of only a few lines of code. Customers don't have to enter in codes, and banks don't have to run specialized hardware in their network or significantly modify their site. The company's hope is that by making it simple enough, a wider audience will adopt the technology.

"We think we can really expand where multifactor [authentication] is offered, where multifactor could be offered [to secure] your Facebook account, your Twitter account," Oberheide says. "These things might seem trivial to you, but you could have that extra protection without the headaches that traditionally go along with multifactor authentication."

Will That be Mobile or Plastic?

August 2, 2010

MobileGive.us - My wife kind of freaked out over the new TV Commercial for Chase Bank. It shows a newlywed couple on their honeymoon…in bed…doing the unthinkable.

They were gleefully opening the cards they had received from their wedding guests and using their mobile phone to take photos of the checks…and instantly depositing them in their bank account electronically. Gasp. What is this world coming to?

Mobile donations and now mobile banking? According to Mercatus LLC, a mobile finance consulting firm, more than half of U.S. consumers, and almost 80 percent of those between the ages of 18 and 34, will use mobile financial services within five years.

But we’re not stopping there. We can now use our mobile phones to make purchases.

Visa and MasterCard are cashing in as people abandon cash and paper checks for cards and electronic payments, which now account for more than half of U.S. consumer purchases, according to the Nilson Report.

Interchange fees on credit and debit cards exceed $40 billion a year and average about 1 percent to 2 percent of every transaction. After all, “Visa is everywhere you want to be,” of course…so is your phone.

So is it any surprise that the phone carriers are looking for another way to get into our pocket? Even if they have to–yikes–hold the competition’s hands to do it. Yes, AT&T and Verizon Wireless are planning a big move into wireless electronic payments, a sector currently dominated by PayPal, Visa, MasterCard and American Express. Bloomberg reports that

“A trial in the Atlanta area would be the carriers’ biggest effort to spur mobile payments in the U.S. and supplant more than 1 billion plastic cards in American wallets.”

The system will allow people to complete their purchases in stores with just a wave of their smartphones. Retailers who pay a small percent of each credit card transaction to Visa or MasterCard may be ready to help the new venture if it will mean a reduction in their fees.

The truth is, cellular carriers need to find more ways to make money in the U.S. as their subscription growth slows. Sprint-Nextel, AT&T, Verizon Wireless and T-Mobile have about 275 million customers among them. Each levies charges on data transfers and video services, but at some point these will cap out as well. And the heated competition among the carriers pushes down prices as customers shop for the least expensive plans.

“Mobile payments are the logical next step for consumers,” said Mark Siegel, a spokesman for Dallas-based AT&T.
