Domain: banktech.com
Stories and comments across the archive that link to banktech.com.
Comments · 7
-
Links on how to scam chip and pin
EMV is hacked not because EMV is theoretically secure but the implementations of it are botched. Predictable unpredictable numbers, transactions not testing cypher validity or the incrementing number are hacks in widespread use right now. The easiest hack of all is to move the card number from europe to any country that does not yet use EMV. all the EMV cards work in those countries by reverting to just mag stripe signature cards. yeah you could implement geo-locking but once again, they haven't done the implementation right. Chip and pin on ATM cards is also being exploited by card snatchers in false facia of ATM machines (they video your pin, then physically steal the card unlike the mag stripe which don't have to be physcially inserted all the way into the machine to work).
http://krebsonsecurity.com/201...
http://www.telegraph.co.uk/new...
http://krebsonsecurity.com/201...
-
Re:why even use ActiveX?Excerpt from "Korean Bank Rolls Out Online Service," October 10, 2001, Bank Systems & Technology http://www.banktech.com/showArticle.jhtml?article
I D=14701736Internet banking applications for consumers typically use Secure Sockets Layer, or SSL. Instead of SSL, mandatory Korean government standards call for Internet banking applications to use the 128-bit SEED security protocol announced in 1999. "At that time, ITAR International Traffic in Arms Regulations was restrictive and DES Data Encryption Standard was not reliable for security," said Joo-won Jung, senior researcher at INITECH, Seoul, South Korea. "So SEED was developed and used as Korea's mandatory cipher."
Guess they're going to have to dust off those Java implementations. -Ivan
SEED (not an acronym) typically operates through an ActiveX plug-in for Internet Explorer, the predominant browser software. Although Java and Netscape implementations of SEED exist, [Korean] banks prefer to secure their sites with ActiveX. -
2006 compliance
Citibank just recently starting offering Digipass tokens to its business customers and I believe may have extended the program to all of its online banking customers to meet 2006 compliance. 2 factor authentication seems to be more prevalent in Europe as US banks have been slow to add this measure of security, which is why the FFIEC issued a mandatory compliance. Now with a deadline looming, US banks, especially those using tokens as their 2 factor method like E*Trade and Citibank, may be sent back to the drawing board. Although no method is foolproof, bad publicity alone may make these banks add further measures to ensure online security.
-
Re:Diabold makes ATMs as wellHere is what I found:
Bank of America has completed the task of outsourcing the servicing of its ATM network, signing a seven-year deal with Diebold to take over the maintenance of 10,000 machines. The agreement covers maintenance service in the western United States, plus existing contracts previously awarded to Diebold in the eastern United States.
I guess machines were made (hopefully) by somebody else, Diabold is doing only maintainance. On the other hand, who knows what kind of maintainance they will do -
Re:Hmmm...
Actually, no, they don't pay for it. The merchants that were defrauded pay for it
You're right that banks don't directly cover the costs of all fraudulent transactions. In some cases (usually "card not present" transactions), it's the merchants. But to say that banks aren't paying for credit card fraud is just wrong.
Bank and credit card fraud rose 20% last year, costing British banks £505m
[US] Banks lost $788 million to credit-card fraud in 2004. And $822 million in 2003.
This is an expensive problem for banks; they have large incentives to solve it.
-
Re:Untested? Perhaps
Signing a contract with a handwritten signature has a stronger legal standing than other means of indicating acceptance. There had to be a special law passed to make digital signatures equivalent to handwritten ones in the US.
Note that a core requirement for a digital signature to be strongly valid is that a record is made of the transaction- both parties know not just when the transaction occured, but also who the other party was. That is not the case with shrinkwrap or typical click-thru. -
Re:If you want it open...then open must be.....
...understood. Notice the use of "proprietary" and "open" below.
excerpted from:
http://www.banktech.com/story/coverStory/BNK200208 07S0018
"That, in turn, has been facilitated by a move away from proprietary OS/2-based platforms and toward open Windows NT- and IP-based platforms. Almost all legacy ATMs run on OS/2, explained Dove's Hayes. "IBM is withdrawing support of OS/2. The industry is moving to Windows NT as the new standard for ATMs."