The Bankwatch

Tracking the consumer evolution of financial services

Posts Tagged ‘Security’

The ugly side of globalisation | security breach in Spain impacts German credit cards

Courtesy of Finextra.

More than 100,000 German credit cards have been recalled by banks following a suspected security breach at an unidentified Spanish payment processor.

Written by Colin Henderson

November 19, 2009 at 09:44

Posted in Uncategorized


ATM Fraud Review | European security agency

Here is a clear review of the current state of ATM fraud in Europe. It summarises the methods in some detail (refer below) as well as the overview of chip cards impact on fraud, and those countries that are not fully EMV compliant yet.

EU agency ‘alarmed’ by rise in cash machine fraud | Finextra

In April 2009, a 33-year-old Microsoft employee, who lives in New York City, stopped in the closest Chase bank to get some cash to pay his barber. When he inserted his ATM card in the machine, he noticed a bit of resistance. The screen said the machine was unable to read his card. So he tried again. But a second time, the machine gave him an error message.

He was about to give up and try another machine, when a thought popped into his head. He had heard about devices that fraudsters attach to the outside of card readers on ATM machines and, though it seemed unlikely, wondered if that was the source of his problem. He tried to pull on the green plastic surrounding the card slot and found that it peeled right off. Behind an extra mirror attached to the machine, he also found a hidden camera positioned right over the key pad, to capture the PIN codes as victims type them in.

Written by Colin Henderson

September 7, 2009 at 14:11

Posted in Uncategorized


Indian Banks Adopt a Rule all Banks Need | security alerts

India adopts a new rule for banks [ht Payments News] that should have been voluntarily adopted years ago by all banks everywhere. I have always been a proponent of online alerts, and it makes eminent sense to make "card not present" alerts mandatory.

India’s Mandate re: Stronger Authentication for Card Not Present Use | Payments News

The rules require India’s banks to support two basic capabilities:

  • A system of providing for additional authentication/validation based on information not visible on the cards for all on-line card not present transactions (e.g., Verified by Visa or MasterCard SecureCode)
  • A system that provides "Online Alerts" to the cardholder for all ‘card not present’ transactions of the value of Rs. 5,000 (about US$104) and above

Written by Colin Henderson

August 2, 2009 at 08:37

Posted in Security


“My mom was right to be skeptical” | scam avoidance advice from Google

The headline "How to Steer Clear of Money Scams" on a Google blog caught my attention. It turns out it is incredibly useful information for people to think about while on the web.

How to identify scams and other schemes

Written by Colin Henderson

July 20, 2009 at 16:45

Posted in Security


A security hole every banker must read

Every banker and security expert must read this. The flow here is common knowledge to security experts already, but it really drives home to users how careful they must be about how they approach their password strategies.

The key here is to note how the interconnection takes place between, in this case, Gmail and the secondary address at Hotmail. The former can be secure, yet through innovative ‘social engineering’ the second can open all sorts of doors.

It is worthwhile to take the time to read through and think about your own approach.

The Anatomy Of The Twitter Attack | Techcrunch

Unfortunately for Twitter, Hacker Croll found such a weak point. An employee who has online habits that are probably no different than those of 98% of other web users. It began with the personal Gmail account of this employee. As with most other web applications, the personal edition of Gmail has a password recovery feature that presents a user with a number of challenges to prove their identity so that their password can be reset. It likely wasn’t the first account from a Twitter employee that Hacker Croll had attempted to access – but in the case of this particular account he discovered a kink in the armor that gave him the big first step. On requesting to recover the password, Gmail informed him that an email had been sent to the user’s secondary email account. In an effort to balance usability with security, Gmail offered a hint as to which account the email to reset the password was being sent to, in case the user required a gentle reminder. In this case the obfuscated pointer to the location of the secondary email account was ******@h******.com. The natural best guess was that the secondary email account was hosted at

At Hotmail, Hacker Croll again attempted the password recovery procedure – making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.

Written by Colin Henderson

July 19, 2009 at 23:29

Posted in Security


6 years is too long for elimination of mag strip debit cards

We were just hit today with a case of fraud that affected my family personally, and it just validates my view that the security of our payments networks is a problem being swept under the carpet.  Every day, all banks contact thousands of customers to cancel their debit card because it was or may have been compromised.  This is a well kept secret, and has not made mainstream press yet.

In our situation we actually were the card compromised, and I know enough about the card usage to narrow down the location of the compromise, which is why this one worries me.  The compromise took place at a merchant, either a restaurant or a sporting goods store.  No ATM was involved so the compromise had to be a parasite POS terminal.

In our case the criminals used an ATM to withdraw cash shortly afterwards.  Incidentally, thanks to our bank for picking up on this event within a few hours and dealing with it.

Chip migration offers hope, but only after the mag stripe is eliminated, and that is another 6 years off, even though chip cards are already being issued in 2009.  The entire POS terminal fleet in Canada could be replaced quickly if there was a will to do so.

Chip Migration plans | EMV Canada

Interac Association has established migration dates for cards and terminals. Complete card and ABM conversion is required by the end of 2012; complete point of sale (POS) conversion is required by the end of 2015. After 2015, Interac debit magnetic stripe transactions will no longer be accepted at devices in Canada.

and this from Interac

The chip transition timeline

Every Acquirer (or payment service provider) has its own timetable in place for providing chip terminals. In order to ensure a smooth transition, Interac Association has implemented final conversion deadlines that work within merchants’ normal business cycles, so that merchants will be able to transition to chip within the set timeline and with minimum impact.

  • Interac chip cards and terminals are already being rolled out across Canada.
  • Complete migration to chip technology will take several years and the timetable for the introduction of chip will vary from one financial institution, and one service provider to another.
  • All Automated Banking Machines (ABM), point-of-sale (POS) terminals and banking cards across Canada will be upgraded.
  • Magnetic stripe debit card transactions will no longer be accepted at ABMs after December 31, 2012.
  • Magnetic stripe transactions will no longer be accepted at POS after December 31, 2015.
  • Chip cards will continue to carry the magnetic stripe, not only to facilitate the chip transition period, but also to allow cardholders to use their debit cards in other countries that do not use chip technology.

Relevance to Bankwatch:

Chip cards are coming, but the timeline is unacceptably long, out of a desire to keep the costs of merchants, acquirers and issuers down.

In Japan, debit has never taken off.  On the other hand Suica and Pasmo are very popular, and are expanding beyond their original use for train service into convenience stores and other small-purchase locations.  That includes beer, other alcohol, magazines and movie rentals.

The idea of leaving thousands of dollars in full view with a 4 digit number as the only key is insanity.


Suica is successful because it is handy, being a wireless swipe, and low risk, with only small amounts stored.

Chip will introduce the security of a non-copyable card (we hope), but the 6 year wait in Canada is going to be an unfortunate inconvenience for the thousands that are compromised and have to replace their cards.

Research by Nobuyo Henderson

Written by Colin Henderson

June 20, 2009 at 20:35

Tower Group are right – US financial services firms have lost the battle to protect the personal information of customers

This is a sufficiently provocative headline that I can hardly ignore.

Financial institutions have lost battle to protect customer data – TowerGroup | Finextra

US financial services firms have lost the battle to protect the personal information of customers and must now assume that all their clients’ data has been, or will be, compromised, according to TowerGroup.

First of all, I agree with the headline.  The battle is largely lost; I would go further, and hesitantly admit what few bankers will, that control over customer information never really existed.  Why do I say that?

Consider how banks have evolved, which is one account type at a time, one service at a time.  Each of those was managed by a disparate computer system, and as new products were added, new systems were added. This problem has only been magnified by bank consolidations, which added even more disparate systems.

The result is that Joe Customer has ‘files’ located within different systems, each with its own address and personal information.  In fact he is often Joe C. Customer, or J.T. Customer, in those other systems.  Government regulation that forestalled the use of Social Insurance/National Insurance numbers as identifiers forestalled any common macro identifier for Joe.  The result is that the bank is not sure whether Joe is the same person in each system or not.  Similar addresses are a clue but hardly definitive.  I will have more to write on this later.

Let's return to the Tower piece in Finextra:

Meanwhile, companies should assume that traditional account information such as name, address, date of birth and account balance are useless as authentication factors. Instead they should consider using knowledge-based authentication and one-time passwords delivered via SMS.

Relevance to Bankwatch:

In other words, the very information that banks do not fully control nor understand in the context of customer identification is the same information that cannot be relied on any more.  The conundrum is that this is the only information that banks have in place to rely upon.  This is hardly a recipe for success nor customer loyalty, and it is small wonder that customers accept and promote the use of disaggregated financial services, spreading themselves between institutions as their own personal risk mitigation strategy.

Banks are very focussed on transaction security, using chip cards, two factor authentication and the like, but this does nothing for information security.  The bank that can ever crack this nut by offering complete information security, such that Joe in our example can feel confident about his financial information not being compromised, might just give itself a leadership edge.

Written by Colin Henderson

June 17, 2009 at 08:40

Posted in Security


Should the Fed be the 14th payment network, and how would that solve the problems?

President Kohn of the Kansas City Fed speaks at the ECB/De Nederlandsche Bank Conference in Frankfurt.  He argues for greater control by the Fed over the payments system.  While his outline of problems makes sense, they also describe the failure of the current system and the lack of foresight from the existing controls, and it's unclear that the proposed solution from them will have any impact other than exacerbating those problems.  The problems he describes are real and, more importantly, consumer facing.  They are also imho problems that large banks could address given their scale and the opportunity for customer loyalty.  I am thinking of BofA and Wells specifically, but that is for another post.

The Future of Retail Banking and Payments – President Thomas H. Hoenig

In light of the trend toward greater industry concentration and the existence of important payments system externalities, the Federal Reserve should play a larger and more active role in electronic retail payments if it wants to promote the efficiency and integrity of the payments system.

There are two broad categories of problems that he identifies with the payments networks:

  1. lack of competitiveness: In 2007 81% of the payments volume went over three networks, compared to 46% just a few years earlier.  In addition, the number of networks is down from 43 to 14.
  2. integrity of the system(s): He sees single points of failure and the prominence of non-banks as issues of concern.  The variety of systems introduces externalities that undermine the entire system.  His example is the continued use of the mag stripe and the security implications of not shifting to chip cards as the rest of the world has done.

On that last point I would add that holding on to the mag stripe is influencing the rest of the world with counterproductive results.  For example, in Canada banks are issuing cards with both stripe and chip, which makes no sense.  So long as the stripe exists, the flaws associated with the stripe exist.  But the sheer size of the American market pressures the issuers to continue with the stripe for the foreseeable future.

Then he makes this statement:

Historically, the Federal Reserve’s role in both checks and ACH reflects a preference to operate within the market rather than as a pure regulator. We are well aware that industries can – and do – quickly develop methods to exploit any regulatory loopholes and avoid the intended outcome. By competing with the private sector on a level playing field, the Federal Reserve can encourage efficiency and integrity from an “on the ground” position.

That statement reads to me as a rationalisation of inaction and continuation of the status quo.  His conclusion is that the best form of regulation, and the solution to the aforementioned problems, is to compete with the other networks.

Thus, in my view, the Federal Reserve’s future role in retail payments should be built around its current position in ACH. For example, in its operator role, the Federal Reserve could augment its ACH products and services, with the aim of enhancing competition and safety within the ACH industry.

… … …

Finally, the Federal Reserve could enhance competition in payment card markets by positioning ACH services as an alternative to debit card payment networks.

It certainly is a strategy, and we can debate whether government ought to be engaged in payments systems directly, as regulators, or not at all.  All I know is that consumers (and banks) will suffer from the real problems he identified at the outset, and it's not at all clear that the Fed's 14th network will address those problems at all.  This reads as a recipe for disaster in American payments.  For example, the very issue he outlined of underinvestment in security and integrity will only be accentuated as the other 13 networks work to compete with the Fed and protect profits.  Expect continued data leakages, network outages, and identity theft.

Written by Colin Henderson

May 26, 2009 at 10:59
