[SecurityRatty] tag: payment

Credit Card Protections Abroad

Fri, 10 Oct 2008 06:59:08 +0000

When you pay by credit card in a restaurant, have you ever wondered what they do with your card when they take it from you to collect payment? Although you may trust the restaurant, there’s still the possibility the waiters can write your credit card and verification number down and sell the info later.

Apparently in the UK and other European areas, this is not the case. Ira Winkler at the RSA blog recently wrote about an experience traveling and noticing other credit card customs and security -

If you are at a restaurant and pay with a credit card, they bring over a system and swipe your card in front of you. Additionally, all the credit card readers I came in contact with assumed that credit cards were smart cards with readable chips. This adds another level of security, and PINs were required as well. When I was in The Netherlands a few months ago, I couldn’t even use my American credit card on the ticket machines for their train system.

With all of the credit card fraud going on, I wonder when the US will finally get its act together and follow the European credit card security measures.

Read the full article here.

"Catch Me, Yes YOU Can": Realized Threats at the Corner Store

Thu, 09 Oct 2008 20:00:00 +0000

just returned from the Payment Card Industry's 2008 Members Council Meeting in Orlando, Florida. We had a blast despite the mood being somewhat dampened as a result of the uncertainty of the global financial markets (heartfelt thanks to those wise souls who've been living outside of their means and taking undue personal and commercial financial risk...). Anyhew, I met so many interesting people from both merchants and from the card brands like Visa, MasterCard, American Express, Discover & JCB International Co., Ltd.

A Diverse Portfolio of Fake Security Software - Part Eight

Tue, 07 Oct 2008 03:21:00 +0000

In the spirit of "taking a bite out of cybercrime", here are the latest fake security software domains, typosquatted and already acquiring traffic through a dozen of malware campaigns redirecting to most of them :

antivirus-scanner-online.com (67.205.75.14)

archivepacker.com (78.157.142.111)
winpacker.com
xh-codec.net

securedownloadcenter.com (89.18.189.44)
winupdates-server.com
browserssecuritypage.com
megatradetds0.com

quickscanpc.com (78.159.118.144)
clickchecker6.com

gensoftdownload.com (91.203.93.25)

online-av-scan2008.com (66.232.105.232)
anothersoftportal09.com
bigfreesoftarchive.com
celebs-on-video-08.com
celebs-on-video-2008.com
cleansoftportal2009.com
hot-p0rntube.com
hot-porn-tube-2008.com
hot-porn-tube2008.com
hot-porn-tube2009.com
justdomain08.com
new-porntube-2008.com
online-av-scan2008.com

s0ftvvarep0rtal.com
s0ftvvareportal.com
s0ftvvareportal08.com
s0ftwarep0rtal08.com
softportalforfun.com
softportalforfun08.com
softportalforfun2008.com
softvvareportal.com
softvvareportal08.com
softvvareportal2008.com
trustedsoftportal06.com
trustedsoftportal2008.com

antivirus-online-08.com (89.187.48.155; 218.106.90.227)
anti-virus-xp.com
anti-virus-xp.net
anti-virusxp2008.net
antimalware09.com
antivirxp.net
av-xp08.net
av-xp2008.com
av-xp2008.net
avx08.net
axp2008.com
e-antiviruspro.com
eantivirus-payment.com
ekerberos.com
online-security-systems.com
xpprotector.com
youpornzztube.com

sp-preventer.com (92.241.163.32)
spypreventers.com

u-a-v-2008.com (92.241.163.31)
uav2008.com

power-avcc.com (92.62.101.57)
power-avc.com
pvrantivirus.com

m-s-a-v-c.com (92.62.101.55)
ms-avcc.com
ms-avc.com

wav2008.com (92.241.163.30)
wiav2009.com
win-av.com
windows-av.com
windowsav.com

You know the drill.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Credit-card security standard issued after much debate

Tue, 30 Sep 2008 20:00:00 +0000

The Payment Card Industry Security Standards Council, the organization that sets technical requirements for processing credit- and debit-cards, today issued revised security rules, while also indicating next year it will focus on new guidelines for end-to-end encryption, payment machines and virtualization.

Hype Alert: Internet Shopping Carts Are Secure

Fri, 26 Sep 2008 11:00:00 +0000

My blog reader fed me a nugget today that set off my hype monitor, specifically a post entitled Internet Shopping Carts are Secure.
OMG...really?
To be fair, I realize the author is speaking from the eCommerce perspective, rather than that of an information security practitioner, but here's where the trouble begins:
"Shopping cart service providers have developed secure ecommerce shopping cart solutions for any business owner looking to enhance their current online store, or create a new one. Some ecommerce shopping cart solution providers are even receiving PABP (Payment Application Best Practice) certification which supports PCI compliance requirements for all businesses accepting credit card payments online."
This may be true in part, but it is by no means an all-inclusive claim. Shopping carts continue to be sieve-like, even when apparently reviewed per PCI standards.
Allow me to elaborate.
We'll kick off our hype eliminating effort with a simple Google dork: inurl:"cart.cfm" (picking on ColdFusion again, but man, they make it easy)
GM Parts Direct: Your Shopping Cart jumped right out at me for a number of reasons.
First, I sensed XSS vulns lurking like a Geiger counter senses radiation. Sound effect for edification. :-)
Second, the page contained one of the growing number of aforementioned conversion-driving website security seals.

Tick, tick, click...the Gieger counter is getting louder.
Trustwave claims that the site operator "is enrolled in Trustwave's Trusted Commerce™ program to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) mandated by all the major credit card associations including: American Express, Diners Club, Discover, JCB, MasterCard Worldwide, Visa, Inc. and Visa Europe."
Methinks that Trustwave's Trusted Commerce program is missing a few fundamental security checks. Remember, XSS in PCI regulated sites, according to the PCI DSS, indicates that a site is not compliant (see section 6.5.4) if vulnerable to XSS.
Uh-oh.

All it takes is a fake login page, as opposed to our friends at XSSED.com, and...well, you get the point.
Simply, this is one of an endless number of shopping cart not secure, and not PCI compliant. For shame. You need only browse the Holisticinfosec.org Advisories page to find multiple ecommerce platforms and shopping carts that are missing the mark. Trust me, these are a fraction of the problem.
ecommerce<>security
ecommerce<>SDL
ecommerce<>PCI
website security seal<>security
Sigh.

Visa to develop e-payment applications for Android, Nokia phones

Fri, 26 Sep 2008 00:00:00 +0000

Consumers will receive what Visa calls 'near real-time' notification of purchase activity, based on parameters they set up.

Forever 21 discloses card data theft

Mon, 22 Sep 2008 00:00:00 +0000

Almost 99,000 payment cards used by customers at discount retailer Forever 21 may have been compromised between 2004 and 2007, the company disclosed last week.

Almost 99,000 Credit Cards Compromised In Data Theft In Forever 21 Retail Stores

Thu, 18 Sep 2008 15:20:19 +0000

Payment cards used by customers of several Forever 21 Inc. retail stores may have been compromised in a series of data thefts dating back to August 2004. Forever 21, a discount retailer company based in Los Angeles, have been notified by the U.S. Department of Justice in Boston on Aug. 5. There was no explanation [...]

Achieve PCI Compliance with Novell Sentinel"

Thu, 18 Sep 2008 09:00:00 +0000

(Source: Novell) Security trends and hacking techniques are continually changing, and the Payment Card Industry Data Security Standard (PCI-DSS) continues to evolve. To stay ahead of these trends and prove compliance, your organization needs a powerful solution for collecting and monitoring user activity.

Retail security: Knee-jerk standards compliance isnt enough

Wed, 17 Sep 2008 20:00:00 +0000

NEW YORK -- Businesses certified to be compliant with the Payment Card Industry Data Security Standards (PCI DSS) keep suffering data breaches, but the problem may be more with the way businesses address the requirements than with the PCI standard, experts told an Interop http://www.networkworld.com/news/2008/091808-interop-people-security-threat.html gathering.