Archive for the ‘security’ Category

Oct
09
Posted (db) in Design, Development, Mobile, mcommerce, security on October-9-2008

If you have ever used Obopay or even the social networking site Facebook, chances are that you have interacted with these sites through your mobile phone in some manner. Obopay is a little more obvious: you receive text notifications when you send or receive money on your mobile. Facebook sends text messages to your registered mobile phone number for you to validate your account; Obopay also uses multi-factor authentication to validate the user of its website, using either a phone call and a spoken code, or a text with a message and a code that you need to type into a web page. This is called out-of-band authentication, and your bank may have implemented something similar for its Internet banking.


Yesterday, I researched and implemented text notifications when you perform a Reload or Add Money transaction on our issuing platform to your prepaid card, using an interface to an SMS Gateway. Check it out below: I’m using my Nokia E71 here.

Oct
08
Posted (db) in PCI, Payment Terminal, Point of Sale, security on October-8-2008

I received an MSR505c Card Reader/Writer in the mail today. I have a need to create test cards with magstripes for a variety of purposes; the main one is a way to test/demo our issuer-based products from Point-of-Sale (POS) systems and payment terminals.


I thought I’d create a short screencast to show how this works, which is provided below:

Some considerations to note:

It is extremely easy to "clone" a payment card using a device such as this, and the entry point from a cost and availability perspective is low (~$300 range). In a follow-up blog post, I’ll write about MagTek’s MagneSafe and MagnePrint products to detect card cloning at the magstripe level.

Sep
30
Posted (db) in Mobile, security on September-30-2008

Since becoming an Obopay user, I’ve noticed very recently that they have implemented multi-factor authentication for transactions initiated from their mobile website. I needed to pay $2.14 to a friend who picked up lunch for me yesterday: Monday is $1.00 Maid-Rites :) When sending the money I received the following screen (see picture on left), and my phone rang shortly after, requiring me to type in my Obopay PIN to complete the transaction. Very well done! I know that Chase uses a similar process (out-of-band verification) for its Internet banking. Authentify is a company that provides a service like this; please leave a comment below if you know of any others. Also, if you noticed in the picture, I’ve updated my Nokia E51 to a Nokia E71, a very nice phone (I really missed the QWERTY keyboard).
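The out-of-band code flow described in this post and in the October 9 post above (a code texted to the registered phone that must be typed back into the site) as an added example, not code from this blog or from Obopay or Facebook: the server-side issue-and-verify logic a site needs behind such a flow. The `send_sms` gateway call is a hypothetical stub standing in for whatever SMS gateway interface the site uses, and the 6-digit length, 5-minute lifetime and 3-attempt limit are assumed values, not any provider's settings.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6            # assumed values, not any provider's settings
CODE_TTL_SECONDS = 300     # a code is only good for five minutes
MAX_ATTEMPTS = 3           # discard the challenge after three wrong guesses

SMS_OUTBOX = []            # constructed stand-in for the SMS gateway
PENDING = {}               # challenge_id -> challenge state

def send_sms(phone_number, text):
    """Hypothetical stub for the SMS gateway interface; replace with the real call."""
    SMS_OUTBOX.append((phone_number, text))

def issue_challenge(user_id, phone_number, amount_cents, now=None):
    """Mint a fresh code bound to this user and this payment, and text it out of band."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    challenge_id = secrets.token_urlsafe(16)
    PENDING[challenge_id] = {
        "user_id": user_id,
        "amount_cents": amount_cents,
        "code": code,
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts_left": MAX_ATTEMPTS,
    }
    # Naming the amount in the text lets the user spot a request they did not start.
    send_sms(phone_number, f"Code {code} to send ${amount_cents / 100:.2f}. Ignore if this is not you.")
    return challenge_id

def verify_challenge(challenge_id, user_id, amount_cents, submitted_code, now=None):
    """Accept the code once; every failure either burns an attempt or the whole challenge."""
    now = time.time() if now is None else now
    ch = PENDING.get(challenge_id)
    if ch is None:
        return False
    if now > ch["expires_at"] or ch["user_id"] != user_id or ch["amount_cents"] != amount_cents:
        PENDING.pop(challenge_id, None)    # expired, or replayed against a different payment
        return False
    # Constant-time comparison so a wrong guess leaks nothing about which digits matched.
    if not hmac.compare_digest(ch["code"].encode(), submitted_code.encode()):
        ch["attempts_left"] -= 1
        if ch["attempts_left"] <= 0:
            PENDING.pop(challenge_id, None)   # guessing budget exhausted
        return False
    PENDING.pop(challenge_id, None)        # single use: a captured code cannot be replayed
    return True
```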



 
Sep
24
Posted (db) in ATM, Breach, PCI, security on September-24-2008

I guess it has been almost two years now since a news story and a security researcher’s blog post pointed out a vulnerability in certain types of ATM machines. The vulnerability relates to PCI requirement #2, "Do not use vendor-supplied defaults for system passwords and other security parameters", with a few brands of ATM machines (generally the smaller standalone ATMs you see in convenience stores, sold by ATM ISOs and their agents) whose service manuals were accessible online, and ATM operators failing to set up the ATMs in a secure manner. I remember googling and finding the default passwords and instructions for these. With the service manual and passwords, a person was able to reprogram the value of the ATM cassettes, telling the ATM machine that the $5 cassettes held $20s and doing a withdrawal.


Today, Wired notes that the first bust for the ATM reprogramming scam netted its first two arrests.

It took a high-speed chase and some gunplay, but two men in Lincoln, Nebraska, are the first to face felony charges for using default passcodes to reprogram retail cash machines to dispense free money.

Jordan Eske and Nicolas Foster, both 21, are in Lancaster County Jail pending an October 1st arraignment. They’re each charged with four counts of theft by deception, and one count of computer fraud, for allegedly pulling cash from privately owned ATMs at four stores in the area. The pair allegedly reprogrammed the machines to believe they were loaded with one-dollar bills instead of tens and twenties. A withdrawal of $20 would thus net $380.