16th April 09 Revelations that hackers have discovered a method of cracking PINs from payment cards as they travel from an ATM to a banking computer are the direct result of sloppy security practices, says Credant Technologies, the military grade encryption specialist.


"The report, from Verizon Business, claims to show that criminal fraudsters are intercepting the weakest links in the multi-hop network path between one bank's ATM and the home network of the card being used," said Michael Callahan, Credant's senior vice president.


"The fraudsters appear to have realised that each HSM (hardware security module) at each 'stop' on the transaction authorisation route has to decrypt the PIN and its associated card data string and then re-encrypt the data stream using its own algorithms for next leg," he added. 


According to Callahan, because ATM-to-bank-computer routes typically traverse several network hops, especially in North America, this gives the fraudsters a chance to take advantage of weaker HSM security at a smaller bank.


What many people overlook, he says, is that the branding of various ATMs - Cirrus, Visa, MasterCard etc - is just that, a brand, and the convoluted path a card authorisation and transaction request can make is hidden from the cardholder's view.


All is not lost, he explained, as it is perfectly possible for a bank - or group of banks - to encrypt the PIN and other security data at the ATM end of the link, and then further encrypt the data string for each leg of its journey, as required by the banking network.


This means, he says, that if the origin data is encrypted to a very high level, when the data is decrypted at its destination HSM, it can be further decrypted before being handed on to the relevant bank computers.


"Double levels of encryption are nothing new in high-level security circles. It's a shame that the banks appear to have overlooked this issue when designing their ATM networks," he said. "There is nothing to stop banks adding military grade encryption as an underlay to their existing HSM-based network encryption system and so ensuring their cardholders are safe from this new type of hacking exploit," he added.
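As an added illustration, not part of the Credant release or the Verizon report it discusses: the Python below models the per-hop zone-key PIN translation described above and the end-to-end "underlay" Callahan proposes. It uses the ISO 9564 format 0 PIN block layout (PIN field XOR PAN field), but substitutes a small SHA-256-based Feistel cipher for the TDEA a real HSM uses so that it runs with the standard library only; the three-hop route, the key names and the sample PAN and PIN are constructed. The caveat a practitioner would add: in a correctly operated HSM the clear PIN block exists only inside the module during translation, so the exposure the article describes arises where that boundary or the zone keys themselves are poorly protected, which is exactly what a second, end-to-end layer guards against.

```python
import hashlib
from typing import Optional, Tuple

BLOCK = 8  # an ISO 9564 PIN block is 64 bits

# Stand-in cipher (ASSUMPTION): real PIN blocks are encrypted with TDEA inside
# the HSM. To stay standard-library-only this uses a 4-round Feistel network
# with a SHA-256 round function. It is a toy for illustration, not TDEA.
def _round(half: bytes, key: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(right, key, rnd))
    return right + left  # undo the final swap

def decrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = right, _xor(left, _round(right, key, rnd))
    return right + left

# ISO 9564 format 0: PIN field XOR PAN field.
def _pan_field(pan: str) -> bytes:
    # 0000 followed by the rightmost 12 PAN digits, excluding the check digit
    return bytes.fromhex("0000" + pan[-13:-1])

def iso0_pin_block(pin: str, pan: str) -> bytes:
    # control nibble 0, PIN length nibble, PIN digits, padded with F to 16 nibbles
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return _xor(bytes.fromhex(pin_field), _pan_field(pan))

def pin_from_block(block: bytes, pan: str) -> Optional[str]:
    """Decode a clear format-0 block; None if it does not parse as one."""
    field = _xor(block, _pan_field(pan)).hex().upper()
    length = int(field[1], 16)
    if field[0] != "0" or not 4 <= length <= 12:
        return None
    pin = field[2:2 + length]
    return pin if pin.isdigit() and set(field[2 + length:]) <= {"F"} else None

def hsm_translate(block_in: bytes, key_in: bytes, key_out: bytes) -> Tuple[bytes, bytes]:
    """What each switch does per hop: decrypt under the incoming zone key and
    re-encrypt under the outgoing one. The clear block is returned as well to
    show what is exposed if this step, or its keys, is compromised."""
    clear = decrypt_block(key_in, block_in)
    return encrypt_block(key_out, clear), clear

def demo() -> dict:
    # Constructed sample data and zone keys for a three-hop route
    pan, pin = "4000001234567899", "1234"
    k_atm_acq = b"zpk-atm-to-acquirer"
    k_acq_sw = b"zpk-acquirer-to-switch"
    k_sw_iss = b"zpk-switch-to-issuer"
    k_e2e = b"underlay-key-atm-owner-and-issuer-only"  # assumption: never given to the switches

    # Case 1: one layer of zone encryption, translated at every hop.
    blk = encrypt_block(k_atm_acq, iso0_pin_block(pin, pan))
    blk, _ = hsm_translate(blk, k_atm_acq, k_acq_sw)
    blk, seen_at_switch = hsm_translate(blk, k_acq_sw, k_sw_iss)
    single_layer_leak = pin_from_block(seen_at_switch, pan)

    # Case 2: the same route, with an end-to-end layer applied first.
    inner = encrypt_block(k_e2e, iso0_pin_block(pin, pan))
    blk2 = encrypt_block(k_atm_acq, inner)
    blk2, _ = hsm_translate(blk2, k_atm_acq, k_acq_sw)
    blk2, seen2 = hsm_translate(blk2, k_acq_sw, k_sw_iss)
    double_layer_leak = pin_from_block(seen2, pan)
    issuer_pin = pin_from_block(decrypt_block(k_e2e, decrypt_block(k_sw_iss, blk2)), pan)

    return {
        "single_layer_leak": single_layer_leak,  # the switch hop recovers the PIN
        "double_layer_leak": double_layer_leak,  # no PIN: the switch sees inner ciphertext only
        "issuer_recovers": issuer_pin,           # the issuer, holding both keys, still does
    }

if __name__ == "__main__":
    print(demo())
```

The translation at each intermediate hop still succeeds in case 2, because the switch only ever re-keys the outer layer; what changes is that the block it briefly holds in clear is itself ciphertext under a key it never receives, so a weak hop yields nothing usable.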

For more on the weakest link in the ATM chain story: http://tinyurl.com/c8uag9

For more on Credant: http://www.credant.com or contact Yvonne on 020 71832 832


ENDS

Read more: PIN cracker situation a result of weak security practices says Credant

Pitney Bowes Business Insight has launched a new-generation software solution – MapInfo Crime Profiler™ - that introduces new crime analysis efficiencies and capabilities for hard-pressed police forces across the country.

Windsor, 16 April 2009 – In recent years, crime analysis and mapping has become an essential tool for effective law enforcement – not only to aid detection rates, but also to support operational efficiency and effectiveness, management reporting and other enterprise-wide tasks. MapInfo Crime Profiler™ automates much of the statistical legwork that sits behind crime analysis and visualisation, allowing users to perform sophisticated analyses more quickly and easily through an intuitive dashboard interface. MapInfo Crime Profiler™ is expected to play a major role in helping improve policing effectiveness in the UK. Three UK police forces have already invested in the solution.
Read more: Pitney Bowes Business Insight launches fully automated crime analysis and visualisation solution

15 April 09 The fact that Twitter has been hit by as many as four worms over the Easter weekend highlights the need to include the code audit and security process in the software development cycle, says Fortify Software, the application vulnerability specialist.

"Media reports have made much about the author of what appears to be the first generation of Twitter worms, but they appear to have missed the point that these are actually basic cross-site scripting (XSS) security problems," said Barmak Meftah, Fortify Software's senior vice president of products and technology.

Read more: Multiple Twitter worms shows need to incorporate security into program code development

The Majority of Organisations expect to increase spending on Information Security

London, UK 14th April 2009 - A survey by Infosecurity Europe has found that spending on information security is likely to increase, according to 55% of the 1,010 respondents asked, while 34% expected their spending to remain the same as last year. Only 8% expect minor reductions of less than 5% of last year's spending and 2% expect significant reductions of more than 5%. This contrasts sharply with overall IT spending: 36% of respondents expect minor reductions from last year's IT spending and a third expect major reductions. A fifth expect overall IT spending to be higher than last year and 10% expect it to be the same.

Read more: IT Security Gets a Boost as Survey Shows Spending Up

9th April 09 - Fortify, the application vulnerability specialist, says that research from Gartner - which predicts a surge in Software-as-a-Service (SaaS) email over the next three years - may be a little off the mark, once companies realise the IT security implications of email outsourcing.

"There is nothing intrinsically wrong with SaaS-driven email, but companies need to be very careful to verify the service they are using has the required security technology and processes to meet regulatory compliance issues, as well as the infrastructure required to meet the needs of any organization," said Rob Rachwald, Fortify's Director of Marketing.
Read more: Fortify says email SaaS predictions may be wide of the mark