Since becoming an Obopay user, I’ve noticed that very recently that they have implemented a multi-factor authentication for transactions initiated from their mobile website.  I needed to pay $2.14 to a friend who picked up a lunch for me yesterday: Monday is $1.00 Maid-Rites :)  When sending the money I received the following (see picture on left) screen, and my phone rang shortly after - requiring me to type in my obopay PIN to complete the transaction.  Very well done!  I know that Chase uses a similar process (out of band verification) for its Internet banking. Authentify is a company that provides a service like this — please leave a comment below if you know of any others.  Also - if you noticed in the picture I’ve updated my Nokia E51 to a Nokia E71 - a very nice phone - (I really missed the QWERTY keyboard)

I picked up a copy of Bruce Schneier’s  "Schneier on Security" this week, I’ve read quite of few of his other books and enjoy how he challenges security practices and conventional wisdom.  The very first book I read from him to help me understand encryption techniques related to payment systems was Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition also known as the cryptography Bible and later Practical Cryptography for a brief refresher. I’ll likely post a review and comment on any payment systems related topics in this book, but I first need to finish my current read: The Snowball: Warren Buffett and the Business of Life.

Scott Fendley writes a good post on Check Fraud and Information Security at the SAN’s Internet Storm Center Handlers Diary after watching Catch Me If You Can which is inspired off of Frank Abagnale Jr.  early life of thievery and deception.

We have developed interfaces to external 3rd party check authorization providers as well as developed a local check authorization module which is a blacklist based on a bad check subscription service, and velocity checking.  But many of Scott’s steps to reduce risk based on his research are not as much based on accepting checks, as much as being the check writer, and are not all logical controls but preventative and detective procedures to reduce risk of check fraud. Some good points here.

Also:

Frank’s Book The Art of the Steal is a good read and add this [SAN's Internet Storm Center Handlers Diary] to your RSS Feeds and regular reading if you are a security manger/analyst.

According to CNet and a few Visa Press Releases:

• Visa and U.S. Bank to Launch Visa Mobile Money Transfer Pilot

• Visa and Nokia Working Together to Deliver Payment Applications for Next Generation Mobile Devices

• Visa to Develop Mobile Payment-Related Services for Android Platform

We see a P2P like money transfer service for card and mobile phone holders:

Under a pilot program with U.S. Bank, which is scheduled to begin by the end of the year, Visa will offer mobile money transfers from one Visa cardholder’s account to another. A U.S. Bank Visa cardholder would use a Web browser on their phone to access funds and transfer it directly to the recipient’s account. The recipient could then withdraw the funds from an ATM machine, or use the money to make purchases.

and working will cell phone manufactures Google Android Platform.

The Visa-Android deal calls for Chase Visa cardholders to use their Android phone for not only transferring money, but also to receive real-time email alerts when transactions happen on their Visa account, receive offers from merchants, and view images on Google maps to find the location of those merchants who are offering the specials. The Google-Visa deal is expected to begin sometime by the end of the year.

and we begin to see the merging between the card and a phone as a contact-less payment vehicle at the point-of-sale.

The Nokia 6212 classic includes integrated Near-Field Communications chipsets (NFC) which lets the mobile device behave like a contactless payment card, where consumers simply wave it within a few inches of a special point of sale reader to complete a Visa transaction. Nokia and Visa first demonstrated NFC technology in December 2005 with the launch of the first large scale NFC trial in the United States at the Phillips Arena in Atlanta.

Andy and I meet with Randy San Nicolas to talk about Card Management in a short minicast.

We reference these diagrams:

Randy’s Blog www.prepaidenterprise.com was inspired by this minicast

Intro & Exit Song: Honcho Graham From Birmingham by Josh Woodward

Standard Podcast [16:30m]: Play Now | Play in Popup | Download

Blogs and email links

Andy’s : www.andyorrock.com

Dave’s : www.paymentsystemsblog.com

Randy’s: www.prepaidenterprise.com
email  : podcast@paymentsystemspodcast.com

I guess it has been almost two years now, that a news story and security researcher blog post, pointed out a vulnerability in certain types of ATM Machines. The vulnerability relates to "PCI requirement #2 - Do not use vendor-supplied defaults for system passwords and other security parameters" with a few brands of ATM machines ( generally the smaller standalone ATM’s you see in convenience stores and sold by ATM ISO’s and their agents ) whose service manuals were accessible online, and ATM operators failing to setup the ATM’s in a secure manner.  I remember googling and finding the default passwords and instructions for these. With the service manual and passwords, a person was able to reprogram the value of the ATM cassettes. telling the ATM Machine that the $5 cassettes had $20’s and doing a withdrawal

Today - Wired notes that the first bust for ATM Reprogramming Scan netted its first two arrests.

It took a high-speed chase and some gunplay, but two men in Lincoln, Nebraska, are the first to face felony charges for using default passcodes to reprogram retail cash machines to dispense free money.

Jordan Eske and Nicolas Foster, both 21, are in Lancaster County Jail pending an October 1st arraignment. They’re each charged with four counts of theft by deception, and one count of computer fraud, for allegedly pulling cash from privately owned ATMs at four stores in the area. The pair allegedly reprogrammed the machines to believe they were loaded with one-dollar bills instead of tens and twenties. A withdrawal of $20 would thus net $380.

Andy and I recently persuaded our new colleague (and resident expert on Issuing, among many other thing) : Randy San Nicolas to start a blog.  Well he did and he wrote his first post.  Check it out at http://prepaidenterprise.typepad.com/ and soon to be:  http://www.prepaidenterprise.com/

We also did a short "mini-cast" on the Payment Systems Podcast on the topic of Issuing Card Program Management, I’ll post that as soon as I can get it produced.

Welcome Randy!

Episode #2 is live - we cover quite a few topics that were started off my a consumer experience went wrong, Also, we do not come in stereo in this one, left channel only, I think it was a configuration mistake on my part.  Enjoy ! and send feedback or comments or questions to podcast@paymentsystemsblog.com

Payment Systems Podcast episode #2
Date: 8/28/2008

Intro & Exit Song: Patiently Dying by elision

1)  Frustrations with Returns
2)  Payment System Transaction types with Return vs. Reversal vs. Void
3)  Return Authorization
4)  Switching non-Payment Transactions
5)  MethCheck
6)  Dave on Customer Services practices
7)  OboPay Experiences - www.obopay.com
9)  Watching the Payment Process - CVV2 experiences - Cvv2 requsted over chat!
10) ATM, Debit & PrePaid Show/Expo
11) VMWare ESXi

 

 Standard Podcast [40:04m]: Play Now | Play in Popup | Download

Blogs and email links

Andy’s : www.andyorrock.com
Dave’s : www.paymentsystemsblog.com
email  : podcast@paymentsystemspodcast.com

While on the "A Perfect Fit: Understanding the PCI Security Standards" Webcast this morning.

There were a few things that I took note of that are worth repeating:

1. PCI Compliance (Fines, Dates, etc) is enforced by Card Associations/Brands and their Acquirers not the PCI Council.
2. There was a neat chart that depicted the relationship between the different standards: