In a new report titled "The Impact of Online Personal Finance Offering: The Good, the Bad, and the Ugly", TowerGroup analyst George Tubin finds the capabilities of new non-bank online personal finance web sites are of interest but raises concerns about whether the sites have "adequate fraud prevention capabilities to protect both the consumer and the bank from account takeover and identity theft."   » Continue Reading

In a post titled "Attacks on NFC mobile phones demonstrated", Dancho Danchev writes for ZDNet on last week's presentation by Collin Mulliner at the EUSecWest conferece in London.

ING DIRECT has announced that it has partnered with Trusteer to become the first US bank to offer Trusteer’s Rapport consumer Identity Theft protection software free to all of its customers.   » Continue Reading

The latest U.S. results of the Unisys Security Index find that Americans are more concerned than they were seven months ago about national security issues and health epidemics and are increasingly concerned about financial security issues and worries about identity theft.   » Continue Reading

Accenture has announced that it has opened a new facility at its research and development technology lab in Sophia Antipolis, France, dedicated to innovation in the rapidly growing global payments industry. The facility, called the Accenture Payments Innovation Showcase, focuses on original research and development in all facets of the payments business, including mobile communications and other point-of-sale technology, bank-to-corporate connectivity, processing, process models, biometrics, regulation such as the Single Euro Payments Area (SEPA) initiative, and security.   » Continue Reading

Two important new books about security - and payments security in particular - arrived on my desk this week.

The first book - the second edition of Ross Anderson's Security Engineering - provides fascinating insights into all of those things that are often overlooked when designing secure systems. Anderson provides a comprehensive survey of the issues, the nature of successful attacks, with serious recommendations on how to simply do better across a range of security applications. This is a big book - not exactly suited for reading on the beach - but important nonetheless! Rated 4.5 out of 5 stars by Amazon.com reviewers.

The second book - Zero Day Threat by Byron Acohido and Jon Swartz - provides real insights into the threats that attackers are exploiting to gain the necessary information to take over online banking, PayPal, brokerage, and other accounts. If "know your enemy" makes sense to you, then you'll find Zero Day Threat of great interest. Zero Day Threat is 5-star rated by Amazon.com reviewers.

Both of these books have just been added to the first page of the Payments News Bookstore on Amazon.com.

Brian Krebs writes for his Security Fix blog at the Washington Post about changes to the banking code in the UK that stress that online banking customers have the responsibility to keep up-to-date anti-virus, anti-spyware, etc. software installed on their computers - and wonders why more US banks don't make available hardware tokens to secure online access (the way PayPal optionally does).

Nearly 90 percent of Americans say they feel safe online despite the rising tide of spyware, phishing and other badware threatening Internet users, according to a new poll sponsored by StopBadware.org, a consumer protection initiative aimed at combating dangerous software.   » Continue Reading

The Federal Trade Commission has announced that TJX has agreed to settle charges that it engaged in practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. The settlements will require that TJX implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years. Full details available here.   » Continue Reading

Jaikumar Vijayan writes for Computerworld about last week's announcement by Visa of new payment application security mandates. "Basically, they require any company that accepts payment card transactions to ensure that all third-party payment applications they use to store, process or transmit cardholder data comply with a set of minimum security requirements from Visa."

Aite Group has published a new report titled "Mobile Banking Security: The Black Cloud Attached to the Silver Lining" that it says "investigates security vulnerabilities for mobile banking, both now and in the near future, focusing on the methods that are being deployed to mitigate risk over this emerging channel."   » Continue Reading

Taking on an expanded role, the PCI Security Standards Council has announced that it has also assumed responsibility for the PIN Entry Device (PED) Security Requirements that were previously administered under the auspices of JCB, MasterCard International and Visa International.   » Continue Reading

The PULSE EFT Association has launched its annual nationwide effort encouraging consumers to review and practice safety tips when using their ATM/debit cards. New to the network’s ATM/Debit Card Safety Awareness Month campaign this June is an increased focus on privacy and fraud protection.   » Continue Reading

Javelin Strategy & Research has announced new report titled "Mobile Banking Security: The Call for Technology Standards and Proactive Security Messaging" (PDF).   » Continue Reading

Sarah D. Scalet writes for CSO Magazine about the Payment Card Industry - Data Security Standard (PCI-DSS) standard - calling it "corporate America's most ambitious effort yet to prove that it can self-regulate."

RSA has announced "an expanded Payment Card Industry Data Security Standard (PCI DSS) Solution portfolio, a suite of products and services that help enable customers to answer the most challenging IT security technology challenges associated with the PCI DSS. As part of the RSA PCI Solution, RSA also announced a new blueprint for promoting compliance by discovering data and infrastructure, assessing risk, enacting remediation and ensuring sustained controls."   » Continue Reading

Robert Westervelt reports for SearchSecurity.com on comments made by First Data's Chief Information Security Officer Phil Mellinger regarding the Payment Card Industry Data Security Standards (PCI DSS) in which he calls for "an overhaul to eliminate subjectivity and ease restrictions to get more merchants to meet the standard."

Elena Malykhina blogs for Information Week about what banks and their partners are doing to secure mobile banking services.

Javelin Strategy & Research has published a new report on data breaches - examining consumer attitudes and the TJX security issue. The study concludes that "77% of consumers intend to stop shopping at merchants that suffer from data breaches. Retailers and merchants are viewed by 63% of consumers as the least secure when protecting consumer’s data, compared with processors (16%), card networks like Visa or MasterCard (5%) and issuers (5%). When little is known about a data breach, half of all consumers automatically consider the merchants where they shop to be at fault. However, 85% will reward merchants who are perceived as security leaders with increased purchases."   » Continue Reading

Evan Schuman reports for eWeek's Channel Insider on more details about the recent TJX payment card data breach.

Jenn Abelson reports for the Boston Globe on the TJX data breach reported earlier - saying the breach involved "at least 45.7 million credit and debit card numbers" stolen over a period of several years. The data was provided by the company in a 10-K annual report filing with the SEC yesterday.

Diana Ransom writes for the Wall St. Journal about the techniques one should follow to minimize the chances of identity theft by electronic means - especially if you're using a wireless router in your home or business.

VeriFone has launched a new payment security web site at www.secureretailpayments.com. "VeriFone developed this web site to help retailers better understand the confusing set of payment industry standards. The web site includes white papers, links to industry standards, news updates and information about VeriFone products."

Massachusetts Attorney General Martha Coakley has announced that "her office is leading a multi-state civil investigation into the recently disclosed security breach at TJX Companies. The Consumer Protection Division of the Attorney General's Office is investigating the breach, which was disclosed last month by the Framingham-based company, and particularly what security measures the company took to protect consumer information."   » Continue Reading

Joris Evers of CNET News.com interviews RSA president Art Coviello during this week's annual RSA Conference being held in San Francisco. Coviello comments that "if you look at the three biggest Internet banks in the country, they way they have responded to the FFIEC recommendation for having strong authentication in online transactions, each one is using a different type of RSA technology."

Eight data security companies have announced the formation of The Payment Card Industry Security Vendor Alliance – (PCI SVA). According to the group, "PCI SVA will assist members of the payment card industry and the PCI Security Standards Council -- composed of merchants, banks and point-of-sale vendors – in educating the business community on the requirements and business value of the Payment Card Industry (PCI) Data Security Standard, a global benchmark intended to improve security throughout the entire payment card transaction process."   » Continue Reading

Entrust has announced the launch of a new, five dollar one-time-password (OTP) hardware security token along with news that Expedia will become the first company to deploy the new Entrust token.   » Continue Reading

James C. McGrath and Ann Kjos of the Payment Cards Center of the Federal Reserve Bank of Philadelphia have published a conference summary report for a conference held at the bank last September.   » Continue Reading

The Massachusetts Bankers Association said today that "several banks across the Bay State have reported incidents of fraud due to the recently disclosed data breach by the TJX Companies. The fraudulent use of debit and credit card data has thus far been used to make purchases in Florida, Georgia, and Louisiana in the U.S., and Hong Kong and Sweden overseas."   » Continue Reading

The TJX Companies yesterday announced that "it has suffered an unauthorized intrusion into its computer systems that process and store information related to customer transactions."   » Continue Reading

TowerGroup reports that enterprise security today has become an everyday concern from the corner office to the boardroom -- and financial services institutions are finding it increasingly difficult to manage security in-house and asserts that now is the time for financial institutions to consider outsourcing the IT portions of security.   » Continue Reading

The Federal Deposit Insurance Corporation's latest quarterly Supervisory Insights newsletter features an article titled "Incident Response Programs: Don't Get Caught Without One". From the abstract: "A security incident can damage corporate reputations, cause financial losses, and foster identity theft, and banks are increasingly becoming targets for attack because they hold valuable data that, when compromised, allow criminals to steal an individual's identity and drain financial accounts. To mitigate the effects of security breaches, organizations are finding it necessary to develop formal incident response programs (IRPs). This article highlights the importance of IRPs to a bank's information security program and provides information on required content and best practices banks may consider when developing effective response programs."

Thomas J. Smedinghoff writes us with news about a new paper he's written titled "Where We're Headed — New Developments and Trends in the Law of Information Security" that's available online. Smedinghoff is a partner at the law firm of Wildman Harrold, in Chicago, and a member of the firm's Privacy, Data Security, and Information Law Practice. In the paper, he writes that "three legal trends are rapidly shaping the information security landscape for most companies." These include a continuing expansion of the duty to provide security, the emergence of a legal standard for compliance - a definition of "reasonable security", and the imposition of a duty to warn.

Symantec and VeriSign have announced plans to deliver "security solutions to combat the growing threat of consumer identity theft and fraud on the Internet." Symantec plans to offer support for the VeriSign Identity Protection (VIP) Authentication Service, which allows consumers to utilize one-time passwords to protect their online identity.   » Continue Reading

EMC has announced it has completed the acquisition of RSA Security. EMC also announced it has signed a definitive agreement to acquire Network Intelligence, a privately-held company in the security information and event management market. EMC says "the acquisition of RSA and Network Intelligence joins market leaders which together will create the new information security division of EMC."   » Continue Reading

Visa USA and the U.S. Chamber of Commerce have announced their assessment of the five leading causes of data security breaches and offered immediate, specific prevention strategies for each.   » Continue Reading

CSO Magazine has released the results of the 2006 E-Crime Watch survey, revealing a decline in security events, yet an increase in the financial and operational losses caused by such electronic crime incidents.   » Continue Reading

Ross Anderson of the University of Cambridge (UK) Computer Laboratory has made available his book "Security Engineering" (PDFs - by chapter) for download onlline. Anderson's book is an important reference to many aspects of designing and operating secure systems and it's great that he and his publisher are making it available online.

Paul Korzeniowski writes for Investor's Business Daily about "identity-based encryption" - a new approach that simplifies the management of encryption keys by using something like an email address (an identity) as the basis for a public encryption key. Korzeniowski reports that Ferris Research did a cost comparison between the IBE and PKI approaches and found that an IBE system costs one-fourth as much to operate as a traditional PKI-based approach.

From Bank Technology News: "If best practices are indeed what the U.S. banking industry seeks with regard to online security, they'll likely find some of the answers across the pond. The irony is that U.K. banks, whose cultures are inherently more formal and ultra-conservative, are taking a much more open approach to online security and the challenges that they face than U.S. banks."

The Federal Financial Institutions Examination Council (FFIEC) has released an updated Information Security Booklet (PDF), which replaces the booklet issued in December 2002. The Information Security Booklet is one of 12 that, in total, comprise the FFIEC IT Examination Handbook. The FFIEC also released an Executive Summary (PDF) that contains a high-level synopsis of each of the 12 booklets and describes the handbook development and maintenance processes.

It's official, EMC this afternoon announced that it is acquiring RSA Security in an all-cash transaction valued at slightly less than $2.1 billion.   » Continue Reading

Andrew Ross Sorkin and John Markoff report for the New York Times that RSA Security is in the late stages of negotiating a sale of the company - with EMC reported as one of the potential bidders to acquire the company.

Visa USA has announced an agreement with Verified Identity Pass, Inc. to offer discounted memberships for Clear, Verified ID's Registered Traveler Program, to select Visa Signature and Visa Traditional Rewards cardholders. According to Visa, "Clear members receive fast access through security checkpoints by verifying their biometric information in specially-designed Clear lines, enabling time-pressed travelers to quickly move through long lines and experience a more hassle-free travel experience."   » Continue Reading

MasterCard has announced it is partnering with the Fraternal Order of Police to deliver a "multifaceted program to educate business owners about how to stop fraud before it happens, protect cardholder data and deliver peace of mind to their customers. The program is aimed at furthering collaboration on data security throughout the payment system and helping merchants keep cardholder data safe and secure."   » Continue Reading

CyberSource has announced the launch of a new service enabling eCommerce merchants to process electronic payments without the risk of storing or even handling sensitive account information. With CyberSource's Payment Data Management, CyberSource, not the merchant, manages sensitive customer information such as credit card numbers and related transaction data. CyberSource handles and stores all payment data on behalf of the merchant in security-certified processing centers that connect directly with the banking network. As a result, consumer payment information is safer, merchant risk decreases, and merchant compliance with card association security rules can become simpler and faster.   » Continue Reading

Barclays has announced it is launching a "new online anti-fraud initiative and becoming the first bank to offer free anti-virus software to its customers. Customers will also be offered an innovative text message service notifying them of new payees on their online account, helping to cut occurrences of fraud attacks."   » Continue Reading

The Cyber Security Industry Alliance (CSIA) has released the results of its semi-annual survey dedicated to measuring the American public's confidence in the security of the nation's digital infrastructure.   » Continue Reading

New Edge Networks has announced it is tightening privacy and security on bankcard transactions through new network interconnections to Chase Paymentech Solutions LLC. The new connections provide end-to-end compliance with Payment Card Industry (PCI) security standards.   » Continue Reading

Joris Evers writes for CNET News.com about an update to the Payment Card Industry (PCI) Data Security Standard, expected this summer based on comments from Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International.

Ed Sutherland reports for InternetNews.com that US consumer concerns about online banking security is slowing the growth of online banking.   » Continue Reading

RSA Security has announced that it has acquired PassMark Security, a privately held company based in Menlo Park, that "delivers robust software-based authentication to millions of users worldwide, through some of the largest consumer-facing financial institutions."   » Continue Reading

In a press release today, Redspin, an independent auditing firm based in Carpinteria, CA, suggests that the recent mandated upgrades of ATMs to support triple DES encryption of PINs has introduced new vulnerabilities into the ATM network environment - because of other changes that were typically made concurrently with the triple DES upgrades.   » Continue Reading

New York Times reporter John Markoff covers recent research by a group of European computer researchers who have demonstrated inserting a software virus into RFID tags.   » Continue Reading

Australia-based Fraud Management Technologies has announced FraudAlert, a new software or hosted solution designed to reduce the rate of increasingly sophisticated online fraud while protecting the convenience and ease of use of online banking and retailing.   » Continue Reading

The Independent Community Bankers of America and Microsoft have announced they are teaming up to help community banks manage the security of their technology infrastructures and battle emerging security risks.   » Continue Reading

Brian Krebs of the Washington Post reports in his Security Fix blog about how various hotel key cards are having their magnetic stripes re-encoded by fraudsters for use as bank cards.

Phishing is already passé among global cybercriminals - according to Tom Zeller Jr.'s article "Cyberthieves Silently Copy as You Type" in Monday's New York Times.   » Continue Reading

The Federal Trade Commission has announced that CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law.   » Continue Reading

Mark Rasch writes for SecurityFocus about a recent lawsuit in Minnesota (PDF) in which a victim who was included in a data breach of a financial service provider's 550,000 customer database sued the company for breach of contract, breach of fiduciary duty and negligence.   » Continue Reading

Joseph Pellicciotti reports for the Northwest Indiana Times on a new presentation available online from the FDIC. Titled "Don't Be an On-line Victim: How to Guard Against Internet Thieves and Electronic Scams", the presentation is designed to educate consumers about the steps they can take to protect themselves from identity theft and what they can do if they've become victims.

ID Analytics and PassMark Security have announced a partnership to bring the power of authentication and identity risk scoring to online banking and e-commerce. The combined offering will help more companies determine the risk associated with each log-in and safeguard legitimate customers from identity fraud while transacting online.   » Continue Reading

Microsoft's Bill Gates keynoted today's RSA Conference by focusing on Microsoft's vision for a more secure online future. Included in that future is a "trust ecosystem" that engenders trust and accountability between people and businesses online.   » Continue Reading

Peter Pollack writes for Ars Technica on his views of the newly announced VeriSign VIP service - both pro and con.   » Continue Reading

VeriSign has announced the launch of VeriSign Identity Protection (VIP), a program designed to "help provide identity protection for consumers who conduct business online." VeriSign said that VIP is supported by several online companies including PayPal, eBay and Yahoo!. In addition, SanDisk has announced plans to support VIP by manufacturing and distributing OATH compliant USB mass-storage and trusted flash devices and Motorola plans to enable this technology on consumer mobile devices.   » Continue Reading

Bill Husted writes from tomorrow's Atlanta Journal-Constitution about what a difference a year has made to suburban Atlanta-based ChoicePoint.   » Continue Reading

Svea Herbst-Bayliss reports for Reuters on the credit card security breach by the Boston Globe that was reported earlier this week.   » Continue Reading

Tracey Vispoli, vice president, Chubb & Son, cautioned bankers about the potential costs associated with a security breach at a recent American Bankers Association conference.

"For many financial institutions, a network security breach involving the release of confidential customer information is not a matter of if, but when. It's time for financial institutions to further tighten their data security controls and to prepare for the potentially significant financial cost of this risk."

Robert Guth reports for the Wall St. Journal on a new banking industry initiative called the Financial Institution Shared Assessments Program expected to be announced today to guard customers against security breaches.

Eric Dash reports for the New York Times on the "vastly different approaches" being taken by Visa and MasterCard in marketing their security initiatives to consumers and merchants.   » Continue Reading

Unisys has announced their view of the top trends affecting the banking industry in 2006.   » Continue Reading

RSA Security has announced that Japan Net Bank and Sumitomo Mitsui Banking Corporation have selected RSA SecurID strong authentication tokens to better protect online banking customers in Japan. Japan Net Bank will be the first to deliver two-factor authentication tokens to over one million online banking customers.   » Continue Reading

The Federal Trade Commission has announced that ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle FTC charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws.   » Continue Reading

Visa International has released the results of new global survey of consumer attitudes concluding that the theft or loss of personal and financial information is the No. 1 concern of consumers worldwide (64 percent). A media backgrounder on the survey results (PDF) is available online.   » Continue Reading

Eric Dash reports for the New York Times on efforts by Visa and MasterCard to create a private group that would set new industrywide security standards.

Javelin Strategy & Research has released its second annual Online Banking Safety Scorecard which ranks 28 banks on their consumer-facing online identity fraud prevention, detection and resolution capabilities with respect to how well the banks protect consumers and allow consumers to protect themselves.   » Continue Reading

MasterCard has announced several new merchant-related initiatives: incentives for merchants to adopt MasterCard SecureCode payer authentication, free network vulnerability scans of merchant systems, and new education for merchants on security and data protection issues. MasterCard has also launched a new merchant website focused on security at www.mastercardsecurity.com.

Forrester's Martha Bennett has written a new research report titled "Online Banking Security: Give Customers More Control And Reassurance" saying that banks are failing to take into account the customer's needs with their approaches to online banking security practices.   » Continue Reading

Patrik Jonsson writes for the Christian Science Monitor about the potential risks to customer and bank data associated with banks offshoring certain jobs.   » Continue Reading

Simson Garfinkel writes for CSO Magazine on techniques to securely protect data - and let you sleep at night.

All of the following approaches protect the data in the database against both outside attackers and malicious insiders. That's because these tactics work by either eliminating or scrambling sensitive information so that it no longer poses a security risk.