J - Smart Card News

July/August 2012
Volume 21 • Number 7
Smart Card & Identity News
Smart Cards, SIM, Payment, Biometrics, NFC and RFID
www.smartcard.co.uk
More Problems With EMV Terminal (in)Security and How to Control Somebody else’s Phone via NFC

This last month has seen more attacks on the terminals that are used to make electronic payments and on mobile phone devices that can be used to do just about anything, including electronic payments.

In the case of EMV POS terminals and ATMs, a Cambridge University team (Mike Bond, Omar Choudary, Steven Murdoch, Sergei Skorobogatov and Ross Anderson) has published its results on flaws in the implementation of unpredictable numbers (i.e. values that cannot be pre-determined by an observer, such as a random number sequence) used as part of the authentication protocol, flaws which could lead to unauthorised payments.

In the case of mobile phones, which are increasingly being used both to make and to receive electronic payments, Charlie Miller from Accuvant Labs has demonstrated weaknesses in the implementation of the NFC software stack in mobile phones that may even allow the hacker to take control of the phone.

Continued on page 4….

Also in this issue:
5 • RTA NOL Card Wins Best Prepaid Card
6 • Competitive landscape shifts as EPOS market continues recovery
9 • When Users, Admins and Applications go to War
12 • Tackling the Geolocation Cookie Imperative
©2012 Smart Card News Ltd., Rustington, England. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means, electronic, mechanical, optical, recording or otherwise, without the prior permission of the publishers.
Smart Card & Identity News
Published monthly by Smart Card News Ltd
Patsy Everett
Head Office: Smart Card News, Gratwicke House, 10 East Street, Littlehampton, West Sussex, BN17 6AW
Telephone: +44 (0)1903 734677
Website: www.smartcard.co.uk
Email: [email protected]
Editorial
Researcher – Patsy Everett
Technical Researcher – Dr David Everett
Production Team – John Owen, Lesley Dann, Adam Noyce
Contributors to this Issue – RBR London, Paul Kenyon, Ramsés Gallego
Photographic Images – Dreamstime.com
Printers – Hastings Printing Company Limited, UK
ISSN – 1755-1021
Disclaimer
Smart Card News Ltd shall not be liable for inaccuracies in its published text. We would like to make it clear that views expressed in the articles are those of the individual authors and in no way reflect our views on a particular issue.
All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means – including photocopying – without prior written permission from Smart Card News Ltd.

Our Comments
Dear Subscribers,
As you get older you start to think more about the meaning of life cycles and how much attention we give to the birth of a new project and how little attention we pay to objects as they reach what should be their expiry date.
What do you do when your phone or tablet gets old? Do you put it into a cupboard, or perhaps it gets handed down through the family in some sort of pecking order? How about all the information that is stored on the device, contact lists and probably even user names and passwords, even if vaguely disguised?

It's so easy; we always talk about securely getting secret information onto a device in the first place but we never discuss how to get it off when we have finished with it. Information security specialists with ISO 27001 in hand may well be up to speed but I don't think that's got as far as the average user. How many people do you know that consciously attend to the termination of old devices? Of course it does extend into industry; we often hear of computers being scrapped with a wealth of information still left on the hard disk. But the mobile phone is worse: very few people actually think about the value of the data they have stored on their device, and if you worry about phones you should probably be paranoid about what people store on their tablets.

To start, just imagine I had your phone in my possession for 24 hours and I could read and copy anything stored on the phone or SIM card. Still not worried? Then also assume that I can run any program on the device that currently exists and also probably take advantage of user names and passwords that are pre-stored by the app to stop you having to keep entering the authentication data. Now you should be starting to get worried.

Those that remember the early PCs that often worked entirely off floppy disks will also remember the famous Norton Utilities, guaranteed to recover lost data on your disk drive. The reason it worked, of course, is that when you delete a file in any computer system it doesn’t actually remove the data; it just sets a flag to tell the operating system that this memory can be re-used. If you actually want to delete data you have got to overwrite it in such a way that there is no residual trace. Would you believe it, but this is actually quite difficult to do.

How many people do you know that run programs to delete the contents of memory or disk drive? Such programs have to write patterns of 1’s and 0’s many times to remove all trace of the data. Anything less and clever programs can recover the data.
The PC market is of course quite mature and there are programs designed specifically to remove all trace of stored data (I would be suspicious of the free ones), but on a mobile phone you may find it more difficult.

Our lead article this month has been looking at problems of software implementation in both POS terminals and mobile phones. But actually the problem is far worse than we have so far described. Malware is really a big problem on mobile phones, particularly Android, which has about 60% of the market.

The thing is that there is no simple solution; there is no silver bullet that can just magically fix the malware problem. The problem is likely to continue for some time, and yet more and more people are relying on their mobile phone for the management of sensitive data. We often talk amongst friends at the dinner table and I can tell you that none of our security friends use their mobile phones for making payments or doing electronic banking. This may not be the world according to Visa and Mastercard, but we have a gap and I’m just holding off until somebody finds a way of fixing it!

Patsy.
Contents
Regular Features
Lead Story - More Problems With EMV Terminal (in)Security. . . . . . . . . . . 1
Events Diary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
World News In Brief . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5, 8, 10, 14
Industry Articles
Competitive landscape shifts as EPOS market continues recovery . . . . . . . . 6
When Users, Admins and Applications go to War . . . . . . . . . . . . . . . . . . . . . 9
Tackling the Geolocation Cookie Imperative . . . . . . . . . . . . . . . . . . . . . . . . 12
Events Diary
September 2012
25-26 – Cards & Payments - Paris, France http://www.efma.com/index.php/networking/conferences/overview/EN/2/45/1-IPLBJ
October 2012
02-04 - Prepaid Summit: Europe 2012 - Prague, Czech Republic - http://www.vrl-financialnews.com/cards--payments/cards-international/events/prepaid-summit-europe-2012.aspx
02-03 - ATM Security 2012 - London, UK - http://www.rbrlondon.com/atmsecurity
04-05 - Cards & Payments Summit Europe 2012 - London, UK http://www.commercialpaymentsinternational.com/events/detail/the-commercial-cardspayments-summit-europe-2012/
10-11 - Mobile Payments - Copthorne Tara Hotel, London, UK - http://www.smionline.co.uk/events/overview.asp?is=8&ref=4069
Source: www.smartcard.co.uk/calendar/
…. Continued from page 1
The thing is, which of these is more important to the security fraternity or, more particularly, the payments industry? Both pieces of work are pretty smart, but which one, either, both or none might actually lead to serious security breaches?

I still can’t believe that people don’t get it: in the world of smart cards, or more precisely the secure chip or element, the security of the chip has never really been the big problem; it’s the terminals, and that includes mobile phones, that cause the real problems. So often people explain to me how it’s the cryptography: whatever you do, don’t use Triple DES or 1024-bit RSA; if it hasn’t got 4096 bits it just can’t be long enough. I’ve never forgotten the story told to me by a famous mathematician who many years ago posted an innocuous blog (yes, blogs have been around for ages in the academic world) explaining, tongue in cheek, his difficulty in writing a program to factorise numbers. He published a 512-bit number (carefully chosen as the product of two large primes; there’s the clue, this happened in the late 70’s, a little after RSA was first published) in the blog and asked if somebody would mind factorising the number for him. Of course nobody succeeded, but a surprisingly large number had a go!

I feel the same way about security-hardened integrated circuit chips: no back-bedroom buddy is going to read out the contents of memory on his PC, but many seem to imagine they can. Now I appreciate there are specialised reverse engineering laboratories and universities that may be able to reverse engineer the chip, and even aggregated shared computing resources that might be able to factorise large numbers, but these are not the sort of attacks that are really going to damage a modern commercial system unless you can be sure you can defraud the system without getting caught. I really can’t imagine Cambridge University doing that, because they are making a totally different point, more about the fact that you don’t get perfection in information systems and that the service providers, in this case the banks, shouldn’t make such claims. But make mistakes in the terminal protocol and/or implementation and now you move into the world of the back-bedroom hackers, which is a much more likely attack surface.
The Cambridge University attack is based on the observation that many ATMs implement a poor calculation of Unpredictable Numbers (UNs), which are used in the EMV protocol as evidence of freshness, i.e. that the transaction is happening now and wasn’t pre-calculated earlier. In particular, what they have demonstrated is that if you can collect from a genuine card a set of ARQC messages (the Authorisation request message from the card to the Issuer, cryptographically protected by a secret key held in the card and shared with the Issuer) covering enough UNs to match one that will be generated by the ATM, then you can fool the system with a fake card. So, for example, if the target ATM only generates 4 UNs you would just need to pre-collect 4 ARQC messages from a genuine card. This data collection does of course require the user to go to a bogus POS terminal, where the terminal sets about collecting all these ARQC messages without the customer becoming suspicious.

In addition, when collecting these ARQC messages it is necessary to pre-set the core parameters, such as the amount of the transaction and the date. All this information is then loaded into the fake card, which sets out to fool the system by playing one of these pre-stored ARQC messages. Note that it is not a replay attack, because as far as the Issuer is concerned these messages have never been previously used. The ARQC does also include an Application Transaction Counter (ATC), which increments every transaction, or more precisely every time the terminal issues a Generate AC request to the card to obtain the ARQC. However, the Issuer is only likely to detect a repeated transaction counter; for operational reasons he will have to allow some gaps in the transaction counter sequence.
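As an added illustration (not code from the newsletter or from the Cambridge paper), the following Python models the freshness mechanism just described from the defender’s side: a toy ARQC as a keyed MAC over amount, date, UN and ATC, a terminal-side audit of how many distinct UNs a generator really produces, and an issuer-side ATC check that rejects repeats but tolerates small gaps. The MAC construction, field widths, the four-value pool and the thresholds are assumptions for illustration, not the EMV specification.

```python
import hashlib
import hmac
import secrets
from itertools import islice
from typing import Iterator


def weak_un_generator(pool=(0x00000001, 0x00000002, 0x00000003, 0x00000004)) -> Iterator[int]:
    """Constructed model of the faulty ATM in the text: it cycles through a
    fixed pool of four 'unpredictable' numbers instead of drawing fresh ones."""
    i = 0
    while True:
        yield pool[i % len(pool)]
        i += 1


def strong_un_generator() -> Iterator[int]:
    """A generator drawing fresh 32-bit values from the OS CSPRNG."""
    while True:
        yield secrets.randbits(32)


def build_arqc(session_key: bytes, amount: int, date: str, un: int, atc: int) -> bytes:
    """Card side: a MAC over the transaction data the issuer will re-check.
    Assumed layout: amount 6 bytes, date 'YYMMDD' as 3 BCD bytes, UN 4 bytes,
    ATC 2 bytes; cryptogram = first 8 bytes of HMAC-SHA256 (not EMV's DES MAC)."""
    data = (amount.to_bytes(6, "big") + bytes.fromhex(date)
            + un.to_bytes(4, "big") + atc.to_bytes(2, "big"))
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]


def issuer_verify(session_key: bytes, amount: int, date: str, un: int, atc: int,
                  cryptogram: bytes) -> bool:
    """Issuer side: recompute the MAC and compare in constant time.
    This says nothing about WHEN the cryptogram was produced: a cryptogram
    computed earlier for the same (amount, date, UN, ATC) verifies just as
    well, which is why UN quality and ATC monitoring matter."""
    expected = build_arqc(session_key, amount, date, un, atc)
    return hmac.compare_digest(expected, cryptogram)


def audit_un_generator(samples: list, min_distinct_fraction: float = 0.9) -> dict:
    """Terminal-side self-audit: how many distinct UNs appear in a sample?
    A tiny pool is exactly the pre-condition described in the text.
    The 0.9 acceptance threshold is an assumed value."""
    distinct = len(set(samples))
    fraction = distinct / len(samples)
    return {"samples": len(samples), "distinct": distinct,
            "fraction": round(fraction, 3),
            "verdict": "ok" if fraction >= min_distinct_fraction else "weak"}


def atc_check(last_seen_atc: int, new_atc: int, max_gap: int = 10) -> str:
    """Issuer-side ATC policy: a repeated or backwards counter is rejected;
    a forward jump larger than max_gap (assumed value) is flagged for review
    rather than rejected, reflecting the 'some gaps' tolerance the text
    describes (aborted or offline transactions consume ATCs too)."""
    if new_atc <= last_seen_atc:
        return "reject"
    if new_atc - last_seen_atc > max_gap:
        return "review"
    return "accept"


def demo() -> dict:
    """Run the checks on constructed data and return the results."""
    key = b"constructed-session-key-00000000"  # constructed; not a real key
    # A genuine transaction verifies ...
    crypt = build_arqc(key, 2500, "120815", 0x1A2B3C4D, 17)
    genuine_ok = issuer_verify(key, 2500, "120815", 0x1A2B3C4D, 17, crypt)
    # ... and the same cryptogram presented with a different amount does not.
    tampered_ok = issuer_verify(key, 9900, "120815", 0x1A2B3C4D, 17, crypt)
    weak = audit_un_generator(list(islice(weak_un_generator(), 100)))
    strong = audit_un_generator(list(islice(strong_un_generator(), 100)))
    return {"genuine_ok": genuine_ok, "tampered_ok": tampered_ok,
            "weak_audit": weak, "strong_audit": strong,
            "atc": [atc_check(17, 17), atc_check(17, 18),
                    atc_check(17, 23), atc_check(17, 40)]}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```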
It is not really in doubt that this form of attack is possible, and arguably the ATM manufacturers have been careless in their implementation of the protocol, or at the very least the certification test conditions are inadequate. However, the claim in the paper from the Cambridge team that ‘We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit’ is, to say the least, misleading. A more realistic statement would be that ‘it is possible that EMV cards could be cloned but it is the least likely of the possible error scenarios’. However, where I would agree with the Cambridge team is over the software integrity of the POS terminals. This is not only difficult to achieve but is difficult to measure and even more difficult to maintain in any form of uncontrolled environment. You might argue that a mobile phone falls into this category rather neatly.
The beauty of the Blackhat conference is that the researchers actually demonstrate what you always thought was possible, and quite often things you didn’t imagine were possible. This year in Las Vegas has been no exception, and perhaps of particular interest to us is some work undertaken by Charlie Miller of Accuvant Labs on the vulnerability of NFC implementations in mobile phones, using Android (Android 2.3.3) and MeeGo (1.2 Harmattan PR1.2) OSs as examples.

Charlie describes how to fuzz (don’t you love this word) the NFC software protocol stack for the Samsung Nexus S and the Nokia N9. Then he goes on to describe how he can see, for these devices, what software is built on top of the NFC stack. It turns out that through NFC, using technologies like Android Beam or NDEF content sharing, one can force some phones to parse images, videos, contacts and office documents, and even open up web pages in the browser, all without user interaction. In some cases, it is even possible to completely take control of the phone via NFC, including stealing photos and contacts, even sending text messages and making phone calls. He concludes that the next time you present your phone to pay for your cab, be aware you might have just gotten owned.

This to me is a far more serious statement about software integrity. Every day we are using mobile phones and are integrating them into our way of life, including electronic banking and payments. If you can’t trust the software then you have a problem. I suspect your first reaction is to assume that the correctness of the software comes by default and that you only need to worry about malware. The problem is in fact far more inherent, particularly when you can’t trust the core platform built by those who try to get it right long before the hackers try to take over.

History is full of problems with software, right the way back to the compilers which produce the code that actually runs on the target device. All ideas of code walk-throughs and Common Criteria evaluations are important, but there is absolutely no proof of software correctness. Next time you use your phone just think of all that code, all from different sources in which you have no real participation. It is a subject we will come back to, but let Charlie at least alert you to a problem that is not going to be solved any time real soon. The answer for those that are impatient is in the question ‘in any system what can you actually trust’?
Dr David Everett, SCN Technical Researcher.
World News In Brief

RTA NOL Card Wins Best Prepaid Card
The Unified Card (NOL) of the Roads & Transport Authority (RTA) has recently won the Best Prepaid Card in the Middle East Award as part of the Middle East Smart Card Awards, which is the Middle East's only exclusive award program for banks, payment systems and smart cards.
Mattar Al Tayer, Chairman of the Board & Executive Director of RTA, expressed his delight to see NOL Card feted with this coveted Award, finishing ahead of other competitive cards from banks and leading financial institutions in the region.
"NOL card is both safe and difficult to counterfeit as it is aligned with approved international standards. The design of the card, which is made by several manufacturers, has been tailored to meet future requirements of the electronic payment systems and account for the possibility of adding a variety of uses that go beyond using mass transit systems."

FIME Opens NFC Mobile Test Laboratory in Seoul
FIME announced its expansion in Asia with the opening of its NFC mobile test laboratory in Seoul, South Korea. The rapid growth of the NFC mobile market in South Korea and an increase in FIME's Korean customer base are the key driving factors behind FIME's decision to open its Seoul laboratory. FIME will work with mobile device manufacturers and network operators to provide integration testing and certification services, ensuring that NFC-enabled handsets are fully interoperable and compliant with industry standards and EMV payment specifications prior to market release.
Pascal Le Ray, General Manager, commented: "With 20 million Koreans predicted to own an NFC-enabled handset by the end of this year, it is evident that South Korea is quickly becoming a global leader in the development and deployment of NFC mobile technology."
Competitive landscape shifts as EPOS market
continues recovery
By RBR London
A total of 1.68 million programmable electronic point-of-sale (EPOS) terminals were shipped to retailers and
hospitality operators around the world in 2011, according to new research by London-based strategic research
and consulting firm RBR (www.rbrlondon.com/retail). By the end of the year, almost 11.2 million terminals
were in operation.
Shipment activity during the year surpassed the level seen in 2008 – the last year before the full impact of the
global economic crisis was seen – but was still below the 2007 record of 1.72 million units.
Global progress obscures regional variation
North America is once again the world’s largest EPOS region; shipments rose 17% in 2011 to 503,000 as the
economy recovered and companies gradually resumed their expansion and replacement programmes. Activity
remains below pre-crisis levels, however.
Asia-Pacific is now the second largest region. Growth of just 6% in 2011 was partly due to a decline in the
Japanese market, which had a difficult year following the tsunami and nuclear accident in March. Asia-Pacific
is however the only region where shipments have grown in each of the last three years.
Western Europe was the only region to shrink, with shipments down 5% as the region’s economy
deteriorated, and customers wary of replacing existing units and generating little new business. The
performance was disappointing across the region, with only three countries seeing any growth.
The other regions – Latin America, central and eastern Europe (CEE) and the Middle East and Africa (MEA)
– all grew by more than 20%, yet together they represented just 16% of global shipments.
[Figure: Programmable EPOS Shipment Growth 2010-2011, by Region. Bar chart, vertical axis -10% to 50%; regions shown: Western Europe, Central & Eastern Europe, North America, Latin America, Asia-Pacific, Middle East & Africa; bar values shown: 41%, 29%, 23%, 17%, 6%, -5% (of these, North America 17%, Asia-Pacific 6% and Western Europe -5% are confirmed in the text above).]
Source: Global EPOS and Self-Checkout 2012 (RBR)
M&A activity among vendors reshapes competitive landscape
IBM is by a wide margin the world’s largest supplier of programmable EPOS terminals. In 2011, the
company accounted for 20% of global shipments.
In April 2012, Japan’s Toshiba TEC announced that it would buy IBM’s Retail Store Solutions division –
the company’s point-of-sale hardware, software and services business. At a worldwide level, Toshiba TEC
itself had a 5% share of EPOS shipments in 2011 – although the majority of its sales were to clients in its
home market – giving the combined entity a quarter of the global market.
NCR moved up to second place in 2011 with a share of 11%, thanks to its acquisition of Radiant Systems,
whose EPOS hardware is used mostly in the hospitality and leisure segments. HP and Wincor Nixdorf were
close behind in third and fourth place respectively.
[Figure: Suppliers’ Shares of Programmable EPOS Shipments Worldwide, 2011. Pie chart with segments: IBM 20%, Others 35%, NCR 11%, HP 10%, Wincor Nixdorf 9%, Toshiba TEC 5%, and DigiPoS, Micros and Posiflex at 3-4% each.]
Source: Global EPOS and Self-Checkout 2012 (RBR)
Mobile technology to complement, rather than replace, fixed EPOS
At a global level, EPOS shipment numbers are expected to increase by 7% in 2012 – slightly slower growth
than in 2011, reflecting the challenging economic backdrop. In the longer term, new technologies represent
the major threat to growth. Mobility is currently the hottest topic in retail, and it will affect almost every
aspect of the industry, including EPOS. Recent years have seen deployments of mobile EPOS technology
for various purposes, including queue-busting at peak times in large-format stores, providing a better one-to-one service in speciality retail and enhancing at-seat service in restaurants and bars.
In most cases, new devices are being used in addition to existing EPOS terminals, rather than instead of
them. Nevertheless, a more substantial shift away from fixed EPOS will be seen in high-touch retail, for
example in fashion. Initially, the biggest deployments will be in North America: fixed EPOS shipments to
the US general merchandise segment are forecast to start falling in 2014.
Between 2011 and 2017, the global installed base of programmable EPOS terminals is forecast to increase
by a CAGR of 4%. In the fast-growing economies of Latin America, CEE, Asia-Pacific and MEA, retailers
and hospitality operators – both international and domestic – have ambitious expansion plans. With them
comes a boom in the usage of EPOS technology, with growth averaging 10% per annum in these markets.
RBR is a strategic research and consulting firm with three decades of experience. It specialises in the areas of
cards, payments and automation in the banking, retail and hospitality sectors. Based in London, RBR serves
clients across more than 100 countries worldwide through premium research reports, consulting, newsletters
and events.
World News In Brief
Fujitsu Launches New Chip for
High-Frequency RFID Tags
Fujitsu Semiconductor Limited announced the
MB89R112, a chip for high-frequency RFID tags
that includes 9 KB of FRAM storage. The FerVID
Family uses ferro-electric memory, or FRAM, for
fast write speeds, high-frequency rewritability,
radiation tolerance, and low-power operation.
Fujitsu Semiconductor has responded to this need
with the MB89R112 chip for RFID tags, which
includes a serial interface SPI and 9 KB of memory
capacity, an amount not found in any competing
product for the HF band. The MB89R112 is
designed as a near-field passive RFID that complies
with the industry standard ISO/IEC 15693. The
product was made available in sample quantities in
August.
NFC Keychain for iPhones and Android Devices from China RFID
China RFID (DAILY RFID) has released its latest NFC tag-03 in a keychain form, to be read with iPhones and Android devices. The NFC keychain is easily carried and supports NFC payment services such as mobile payment and loyalty services.
The NFC keychain can help to deploy any kind of near field communication service, such as mobile payment, mobile ticketing and loyalty services, and it is intended to secure the information exchange and payment processes. This ISO 14443 tag supports encryption, and its read and write operations are password protected.
Heartland Payment Systems CSO
Named Information Security
Executive of the Decade
John South, chief security officer at Heartland
Payment Systems has won the inaugural
Information Security Executive (ISE) of the Decade
Central Award from T.E.N. -- Tech Exec
Networks, Inc., a national technology and
information security executive networking and
relationship-marketing firm. The recipient of the
ISE Central 2011 Award, South was selected from
six previous ISE Award winners in honour of
achieving the highest distinction in advancing the
security industry in the region.
South was honoured for his industry stewardship,
including his leadership of industry organisations to
fight cybercrime. He currently serves on the Board
of Directors of the Financial Services Information
Sharing and Analysis Centre (FS-ISAC), the only
industry forum for collaboration on critical security
threats facing the financial services sector. He also
serves on the Board of Advisors of the Payment
Card Industry Security Standards Council (PCI
SSC) to help strengthen security standards and
protect cardholder data against threats worldwide.
MasterCard and Deutsche Telekom
Unite in European Partnership on
Mobile Payments
MasterCard and Deutsche Telekom announce a
European partnership to enable consumers to use
their mobile phones as a convenient and secure way
to pay.
The first consumer roll-out will take place in Poland
later this year. Also this year German consumers
will be introduced to mobile payments, initially in a
trial with mobile phone tags and cards, continuing
into the first half of next year with a mobile wallet
service which will also be open to other issuing
banks and partners. Deutsche Telekom will issue
the MasterCard products via its subsidiary company
ClickandBuy, the owner of an e-money licence.
Products will also be launched in other European
markets.
The fact that the mobile wallet will be realized in
the environment of the SIM card of the
smartphones brings considerable benefits to the
consumer: not only is the payment transaction
secure, but the consumer has continuous and
complete transparency and control because each
transaction is confirmed via a text message.
Skrill Agrees to Buy paysafecard.com
Skrill, a European online payment provider and
majority owned by Investcorp, has announced that
an agreement has been reached for the 100%
acquisition of paysafecard.com Wertkarten AG, an
Austrian provider of prepaid vouchers that enable
consumers to shop online. This strategic acquisition
will transform Skrill's offering for both merchants
and end-users by combining a digital wallet service
with prepaid solutions available in 31 countries. The
acquisition is subject to regulatory approvals being obtained.
When Users, Admins and Applications
go to War
By Paul Kenyon, COO, Avecto
Poor privilege management damages productivity. But do organizations
even know it is happening?
When the power of administrators managing Windows application privileges crashes
head-on into the needs of employees, the results are rarely pretty but, paradoxically,
almost always hidden from sight.
It’s not over-dramatic to describe the arena in which this to and fro plays out as a silent ‘battlefield’ that can be
described using one of two scenarios.
The first is not as universal as in the past, but there will still be many organizations, especially small enterprises, in which it holds sway: a standard user asks to access a local or network application that requires admin-level privileges (legacy applications often assume such permissions as an uncomplicated demand) and is given it without question.
With these privileges granted, that user has just armed him or herself with a huge amount of power, both for good and ill, which looks uncomplicated until the user strays beyond his or her level of competence.
The potential for users to generate security problems by installing, removing or fiddling with applications as they
please is now accepted as risky in ways that require far less explanation than would have been the case even half
a decade ago. Nevertheless, while the world has moved on from the insecure mindset of old this has ended up
creating a problem almost as significant as the one being solved; controlling risk by locking down applications,
and shutting off privilege escalation completely using Windows 7 and Vista User Account Control (UAC).
Under this second scenario, networks don’t grind to a halt – application privileges aren’t required for all
interactions - but there is now growing evidence that they slow down in ways that admins don’t always see, or
perhaps care to see. Network users are now interrupted with occasional UAC application dialogs for which they
have no authorization, blocking their work and productivity to an extent that is difficult to estimate in terms of
its harm to business.
The issue is surprisingly little discussed – employees are rarely asked for their views on using company networks
and privilege escalation is pretty abstract for most workers – but privilege management vendor Avecto made an
interesting start with a recent survey examining the usually mysterious effects of over-restricting and
mismanaging privileges.
The questionnaire of 1,000 UK employees discovered a hidden toll on both employee and company alike, with
almost one in five people believing they had missed a deadline at some point as a result of being denied full
access to an application, and over a quarter convinced IT departments were not giving them the access to the
applications necessary to do their jobs.
As to the support burden, 17 percent said they had called IT to request admin rights around three to five times
per year, which probably represents an underestimate of the problem – many employees will only call IT as a last
resort, preferring to suffer in silence. One in twenty mentioned contacting IT up to an energy-sapping 10 times a
year.
Admin rights are invariably withheld for security reasons and you can see why. An astonishing 16 percent said
they would be tempted to do the dirty on former employers by using admin credentials to access sensitive data.
Former employees attempting to come through the back door is no urban myth either; more than one in five
said they knew people in their organization who had attempted to breach IT security policies, most likely by
downloading and installing non-approved applications or copying and removing company data.
“We always knew that there would be a significant impact on businesses if they mismanage user admin rights through security breaches, people accessing data after they leave, or expensive help desk calls. This survey also reveals the impact on individuals”, commented Avecto chief operating officer Paul Kenyon after reading the results.
If these experiences are as common as they appear to be, it paints a depressing picture of network life in many
organizations. Employees are stymied by inscrutable rules that probably haven’t been explained and which
encourage them either to suffer in productivity-damaging silence or find risky ways around the controls. Admins,
meanwhile, can be oblivious to the issue while still fielding an inconvenient level of admin support requests.
Money and time is wasted while, conversely, money is not being made.
Admins need security and certainty about what users can and can’t do; employees need speed, simplicity and
above all as few interruptions to their workflow as possible. Can these apparently conflicting needs be
reconciled?
As already alluded to, the problem lies at the heart of Windows (and all established desktop operating systems), whereby users are divided into either ‘standard’ or ‘admin’ accounts which define which applications, tasks and scripts can be run and under what circumstances.
A solution is to manage this through a privilege management layer that bolts into Windows Active Directory,
assigning privileges to applications based on defined security policies and ‘least privilege’. With this admins can
transform the way network users relate to applications. Employees can be allowed to run chosen apps without
interruption, without being given unlimited admin rights as part of this process, and even offered the possibility
of requesting applications on-demand. Users are given only the minimum privileges they need and whitelisting
can be used to lock down unmanaged alien applications from running at all.
If this offers a way out, admins should still heed the hidden warning that lies buried inside Avecto’s employee
survey results. Simply designing application policies from an admin perspective risks miscalculating how
employees actually use and access applications.
To dodge this pitfall, a good privilege management system must also have a research or ‘discovery’ mode able to
provide data on how applications and users are interacting with one another. It is essential to build application
policies after studying the way applications are actually used (and perhaps abused) rather than from an idealistic
template based on deceptive generalizations.
Privilege management used to be seen as just another optional management layer but its benefits are finally
starting to be appreciated as core to the usability, productivity and security of Windows applications. Employees
and the administrators supporting them should be able to see applications as allies in a battle not the site of a
fruitless civil war.
World News In Brief
Mozilla Gains Global Support for a
Firefox Mobile OS
Industry support is growing behind Mozilla's plans
to launch a new fully open mobile ecosystem based
on HTML5. The operating system, which Mozilla
has confirmed will use its Firefox brand, will power
the launch of smartphones built entirely to open
Web standards, where all of the device's capabilities
can be developed as HTML5 applications.
Mapping to key Firefox footprints around the
globe, leading operators Deutsche Telekom,
Etisalat, Smart, Sprint, Telecom Italia, Telefonica
and Telenor are backing the open Firefox OS as an
exciting new entrant to the smartphone
marketplace. They have also identified the potential
of the technology to deliver compelling smartphone
experiences at attainable prices.
Device manufacturers TCL Communication
Technology (under the Alcatel One Touch brand)
and ZTE announced their intentions to
manufacture the first devices to feature the new
Firefox OS, using Snapdragon processors from
Qualcomm Incorporated, the leader in smartphone
platforms. The first Firefox OS powered devices are
expected to launch commercially in Brazil in early
2013 through Telefonica's commercial brand, Vivo.
Ingenico and Chase Paymentech
Bring EMV, NFC and POS Payment
Options to U.S. Customers
Ingenico announced today that Chase Paymentech
has selected Ingenico's new generation Telium
iCT250 point-of-sale (POS) terminal for sale to
merchants in the United States.
With the Telium iCT250, Chase Paymentech
merchants can securely accept transactions
presented by EMV chip card, NFC-enabled mobile
phones, contactless cards, and traditional magnetic
stripe cards.
Both companies closely collaborated to conclude
the Class A certification of Ingenico's iCT250
hardware and application on Chase Paymentech
Solution's Tampa (PNS) processing platform using
their proprietary UTF message format.
The new Telium-based iCT250 terminal, available in
the U.S. and Canada, was designed to meet the
requirements of Visa's Technology Innovation
Program (TIP) and the key elements outlined in
MasterCard's EMV Roadmap in the U.S. The
terminal's clear backlit graphic display on a colour
screen and backlit keypad allow easy transaction
reading in any lighting conditions and clear signage
to promote the merchant's brand.
Atmel Next-Generation LF RFID
Transponder Provides
Atmel Corporation announced the production
availability of a low-frequency (LF) RFID
transponder device, the Atmel ATA5577M1330C-PP. Ideal for applications in building access control
systems, industrial automation, consumer and
industrial segments, and as tokens, key fobs or
transponders, this new device offers designers the
ability to develop more flexible, high-performance
tag devices.
The new device provides a broad range of data rates
from RF/2 to RF/128 (64kBit/s to 1kBit/s at
125kHz), modulation and a variety of coding
schemes including ASK, FSK, PSK, Manchester,
Bi-phase and NRZ. The Atmel-patented digital
Analogue Frontend Register (AFE) enables the
chip's analogue front end circuitry to adapt to the
transponder and reader system for maximum
performance. The ATA5577M1330C-PP is the only
device on the market where the analogue behaviour
can be tuned in a closed and sealed transponder for
increased performance. By eliminating the need to
open the transponder for tuning, the on-chip AFE
register helps simplify the design and production
process significantly.
Survey Discovers Some Companies
Lose 75% of their Security Devices
Millions of pounds are being wasted every year
recovering and replacing lost physical
authentication tokens, as IT professionals admit the
on-going management costs are huge because users
frequently lose them. Those are the findings of a survey
recently conducted by SecurEnvoy, which found that
a staggering 12% of companies waste 'months'
every year recovering and replacing lost physical
security tokens. The survey was conducted amongst
300 IT security professionals in London.
An additional 10% revealed they waste weeks every
year in management time chasing and replacing
physical tokens, 13% lose days while a lucky 16%
were able to contain this to a matter of hours.
Tokens are clearly being lost often. Looking at a
typical 12 month period, it was galling
to find that 7% of companies were losing tokens at
a shockingly high rate of between 51% and 75%,
14% at between 26% and 50%, 13% at between 11%
and 25%, and 32% of companies recorded 10% of
tokens lost. You really do have to admire the
commitment of the 3% of respondents who
confessed that between 76% and 100% of all
physical tokens in their organisation were being lost
every year! When you consider that each token has an
overhead cost - averaged at GBP 50 per token -
that's a lot of money to write off.
Anderson Zaks Gains Approval to
Provide a 'Transaction Ready'
Payment Service with Next
Generation PIN Pads
Anderson Zaks has announced its new payment
solution working with next generation PINpads that
incorporate contactless payment facilities. The
company has combined its PCI DSS compliant
RedCard managed service with Ingenico's IPP 300
range of encrypted PINpad terminals to offer a
service that is 'type approved' for all acquirers
(banks). This fully integrated solution will enable
merchants to quickly install a secure payment
solution that is compliant with regulatory
requirements, without formal accreditation.
Tackling the Geolocation Cookie Imperative
By Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT, Six Sigma Black
Belt Certified, international vice president of ISACA
Ramsés Gallego discusses the new EU cookie legislation and the effect this will
have on companies that provide location-based services.
If you are involved in designing, maintaining or managing a web site, then you should
have noticed a new EU-wide amendment to the law as it relates to web browser cookies
and consent.
While much has been written about the failure of many portals to adhere to the new
cookie rules—which became law in the EU member states at the end of May—the
reality is that all EU sites, no matter how large or small, will eventually have to adhere to
the new rules.
Some sites will be better placed to amend their cookie administration than others, but my observations suggest
that the new rules will be a potentially major headache for those portals that make use of location-based
(geolocation) information on their visitors.
In a nutshell, the EU rules mandate that the placement of cookies onto the user's device requires consent from a
user unless they are "strictly necessary" for a service requested by the user. It appears that an exception to the
rule will be narrowly interpreted by the Information Commissioner's Office (ICO) in the UK, allowing short-lived cookies, for example, that permit Internet users to shop online easily and quickly.
The UK's ICO has issued some helpful guidance notes centering on the need for sites to perform a cookie audit,
a user-impact assessment and an action plan.
Geolocation and the New Legislation
Geolocation is a discipline that is firmly on the modern Internet-savvy business agenda, as it can bring
tremendous marketing rewards to the site concerned, in the form of geo-marketing activities, targeted-messages,
and so on. The introduction of the new cookie legislation presents a number of risks to portals that use
geolocation. These risks can potentially outweigh the rewards because the site is required to interpret a lot of the
data on the user “in the clear”, including location, time and web-browsing habits.
Therefore, organisations need to be cautious when embracing mobility and all the features that come with it, and
include mobile devices within their corporate security strategy and integrate the devices within the business asset
management programme.
The issue here is that a growing number of mobile devices have corporate information stored on them and are
used for enterprise activities.
The new EU cookie directive obliges service providers to explicitly indicate that the browsing session on a given
set of Web pages is being tracked/recorded.
This directive is here to stay and its implications and resulting implementations pose difficulties from a security
perspective. Many of the ways a business will implement the required advisories will involve the use of intrusive
messages that advise users about the privacy policy—and some sites will not let further browsing take place until
the user has explicitly accepted the required conditions. This necessary approach will be difficult for businesses
that strive for user-friendly experiences on the web to accept.
However, implementing the EU cookie directive on a secure and effective basis is needed, as the data involved
are both high-risk and personal. Sensitive data that could be leaked typically include information on gender, age
and other attributes that could allow your “digital persona” to fall into the wrong hands, including Internet
marketers.
This leads us neatly into the privacy aspect of the new legislation. As a result of the Internet, we have few
barriers and few secrets. Many think that it is now cool to post where we are, what we are doing, with whom,
when and even why. In fact, according to an April 2012 survey conducted by global IT association ISACA,
32% of individuals in the US are using location-based services more now than they did 12 months ago
(worryingly, 43% don’t read the agreements associated with location-based apps, so most aren’t sure of the
information they’re providing to organisations).
Clearly, organisations need to address how they are gathering location-based information and what they do
with it. This business security process is about defining a security posture around classification of information,
data collection practices, etc., that can identify a person's present location—and equally important, past and
future locations. Organisations must clearly indicate the methods of collection, the retention policies, and
when—and how—the information will be destroyed.
The costs of not complying
Failing to comply with the new EU cookie directive will certainly have ramifications such as cost, as well as
legal and reputational consequences. And, whilst the financial implications can leave a big impact, the cost of
reputational damage is likely to be far greater. The concept of privacy, when dealing with personal information,
centres on the individual's trust in an organisation and its information systems. It is that trust that allows us—
as individuals—to make a judgement call on whether we are happy to release the kind of information that we
do to that organisation.
Unfortunately, we have seen several examples recently with recognised brands suffering data/information
breaches. Based on the fallout from these breaches, it should be clear to any manager that companies must
communicate the technical and organisational mechanisms they have in place to protect user information—
such as encryption, processes and procedures.
How to comply with the directive
Businesses using geolocation applications and methods of data collection have a responsibility to behave
ethically and protect the consumers’ information and rights. And, whilst there are clear differences in how the
US, Europe and other regions of the world treat the explicit consent of their Internet user, businesses around
the world should provide opportunities to opt-in—not by default, but with an explicit consent from the user.
Companies also need to include geolocation data as one of the priorities within their audit governance strategy.
The definition of governance, by the way, is "setting strategic direction, and achieving corporate goals,
ascertaining that risks are managed and that resources are used responsibly." The governance of geolocation
data should be addressed using these facets of the definition.
ISACA can assist greatly in the planning process that is central to the task of meeting the EU cookie directive’s
governance requirements. Earlier this year, the association released the COBIT 5 framework (available as a free
download at www.isaca.org/cobit.) COBIT 5 is created for business and IT professionals. Its guidance helps
enterprises to bridge the gap between IT control requirements, technical issues and business risks. Just this
month, ISACA published COBIT 5 for Information Security, which provides additional guidance on the
enablers within the COBIT framework and equips security professionals with the knowledge they need to use
COBIT for more effective delivery of business value.
The bottom line is that, if properly governed, geolocation is a tool that can be very effective for both
consumers and businesses, and the EU cookie directive will, in the end, protect both of these parties.
World News In Brief
American Express Announces U.S.
EMV Roadmap
American Express announced its network roadmap
to advance EMV chip-based contact, contactless
and mobile payments for all merchants, processors
and issuers of American Express-branded cards in
the U.S.
American Express will work alongside other
industry participants to drive interoperability across
the U.S. and other countries and support chip-based technology for chip and PIN, chip and
signature, contactless and mobile transactions.
American Express plans to begin issuing EMV-compliant cards in the U.S. in the latter half of 2012,
and by April 2013 processors must be able to
support American Express EMV chip-based
contact, contactless and mobile transactions.
Bootable USB Flash Drive Allows
Secure Remote Working
Cryptzone announces the release of AppGate
MOVE (My Own Virtual Environment), a USB
flash drive that provides a portable and robust way
to access information and applications securely
from virtually any computer. As the secure bootable
USB works independently of the host device's
operating system, the risk from malware infection is
eradicated.
Working in combination with an AppGate Security
Server, this USB flash drive is a bootable device that
contains a full operating system, the AppGate
client, a web browser, a Microsoft compatible
Office Suite email client, and other applications
required to complete daily tasks. MOVE does not
rely on, or use the operating system on the
computer, and it executes in a secure and trusted
environment regardless of the configuration. In
addition, MOVE includes an encrypted partition for
user data, so it does not use local PC hard drive
meaning no trace or residue is left when the session
to the AppGate server is closed.
Jamie Bodley-Scott, Account Director for Systems
Integrators at Cryptzone, says "With more
organisations offering occasional home working,
MOVE is a perfect low-cost option, providing
trusted access to corporate information from an
untrusted computer at home or in a public space.
MOVE allows people to work securely because the
configuration of the PC is irrelevant and untouched.
This is important from a security policy viewpoint."
Kerry Brown, Whitfield Diffie and
Steve Marshall Join Cryptomathic's
Technical Advisory Board
e-Security solutions provider Cryptomathic has
appointed industry experts Kerry Brown, Whitfield
Diffie and Steve Marshall to its new Technical
Advisory Board. The selection of Brown, a serial
entrepreneur, inventor and partner of
Cryptomathic; Diffie, a world-renowned
cryptographer and security specialist; and Marshall,
former Chair of the UK Cards Association Card
Security Group and security expert at Barclays,
delivers a wealth of expertise to provide guidance
that will further advance Cryptomathic's cutting-edge security technology.
With over 25 years' experience, Cryptomathic is a
leading provider of security solutions to businesses
across a wide range of industry sectors including
finance, technology, digital rights management, and
government.
Peter Landrock, Executive Chairman and Co-founder of Cryptomathic, comments:
"Cryptomathic is dedicated to embracing
innovation and investing in the future of the
security industry. The renowned experience and
knowledge of these individuals across a range of
markets and regions will be invaluable as we
continue to deliver the next generation of security
solutions and retain our role as a market innovator.
Their decision to team up with Cryptomathic
demonstrates their recognition and appreciation of
our company and its values."
ICO Shows its Teeth
Organisations are learning the hard way about the
consequences of mishandling people's information,
and others need to heed the lessons, the
Information Commissioner, Christopher Graham,
warned at the launch of the ICO's 2011/12 annual
report.
The Commissioner's comments came as the ICO
imposed a civil monetary penalty (CMP) of GBP
150,000 on the consumer lender, Welcome
Financial Services Limited (WFSL), after the loss of
more than half a million customers' details.
Information Commissioner, Christopher Graham,
said: "Over the past year the ICO has bared its
teeth and has taken effective action to punish
organisations many of which have shown a cavalier
attitude to looking after people's personal
information.
"This year we have seen some truly shocking
examples, with sensitive personal information,
including health records and court documents,
being lost or misplaced, causing considerable
distress to those concerned. This is not acceptable
and today's penalty shows just how much
information can be lost if organisations don't keep
people's details secure.
Today's penalty was issued after WFSL's
Shopacheck business lost two back-up tapes which
contained the names, addresses and telephone
numbers of their customers in November last year.
The tapes have never been recovered.
Twenty Percent of Australians Hit by
Identity Theft
An Australian Debt Study report conducted by
Veda reveals that 20% of Australians have either
had their identities stolen or personal / financial
details accessed illegally.
"Identity crime is a thriving industry in Australia,
with the Australian Bureau of Statistics estimating
the cost of personal fraud to consumers at $1.4
billion dollars a year. Whilst credit card fraud is a
common form of identity crime, many people do
not realise that with only a small amount of
personal data, an identity thief could take out a
second mortgage on a house, or open up a new line
of personal credit and purchase items in their name
or under a false identity," Matthew Strassberg, a
Veda senior advisor told the Sydney Morning
Herald.
Slow Start for New Travel Smartcard
The new Leap travel smartcard in Ireland is
experiencing a low take up six months after it was
introduced at a cost of more than Euro 55 million.
Figures obtained by the Irish Independent reveal
that "just 6% of all 500,000 daily Dublin Bus
journeys, 7% of the 90,000 Luas trips and 10% of
the 100,000 work day journeys on Irish Rail Dart
and commuter services are made with the prepaid
card, according to National Transport Authority".
Direct to Bill to Drive Mobile
Content Monetisation
Telefonica Digital today unveiled plans to leverage
the billing relationships it has with its customers
globally to help drive the monetisation of mobile
content. Telefonica sees the ability to pay for digital
goods and services via a mobile phone bill as a key
way of driving downloads of paid for content,
particularly in developing markets where credit card
penetration is low.
Through its Digital unit, Telefonica now has global
framework agreements in place to offer direct to bill
payments with Facebook, Google, Microsoft and
Research In Motion (RIM). It has started to roll out
the capability in Europe and plans to have it live in
14 of its operating businesses globally by year end.
Direct to bill offers a simple and convenient way
for customers to purchase goods, particularly virtual
goods, via their mobile phone. Whether they are
buying an app, mobile game or making an in-app
purchase, direct to bill enables the customer to
simply charge the payment to their phone bill or
prepaid credit, avoiding the need to use a credit
card.
Global Smart Card Market to Hit $7.3
Billion by 2017
A new report from Companies and Markets
(http://www.companiesandmarkets.com) - Smart
Card Technologies and Global Markets - Market
Research Report - shows the smart card market is
growing at an amazing pace.
In 2011, 6.2 billion smart cards were shipped. It is
estimated that smart card shipments are forecast to
reach 6.8 billion in 2012 and 11.1 billion in 2017,
increasing at a compound annual growth rate
(CAGR) of 10.3% from 2012 to 2017. In dollar
figures, the smart card market was at $4.7 billion in
2011. It is expected to reach nearly $5.1 billion in
2012 and $7.3 billion in 2017, at a CAGR of 7.4%.
This study is an extensive collection and analysis of
market data that defines and explains how the smart
card industry is developing and what its prospects
are in the long term (2012 to 2017). The study
includes the market findings of smart card projects
implemented worldwide and also encompasses
smart card usage and its acceptance by the public.
Gemalto Machine Identification
Module First to Achieve ISO/TS
16949
Gemalto's new automotive-grade Machine
Identification Module (MIM) is the first to achieve
the highest level of ISO/TS 16949 certification for state-of-the-art production processes, plus a suite of
assurances for superior quality products. Gemalto's
auto-grade MIM is used by mobile operators,
automotive manufacturers and original equipment
manufacturers to identify individual vehicles,
encrypt M2M communications and ensure secure
global connectivity for applications such as smart
vehicle systems, eCall emergency solutions and
vehicle telematics.
With ISO/TS 16949 certification, Gemalto auto-grade MIMs can be tracked and traced during
vehicle production, installation and throughout
lifetime driving for up to 15 years. Gemalto
provides the ability to quickly identify specific
MIMs within 48 hours. These highly robust
qualities are crucial to proper risk management in
the automotive industry where vehicles and critical
components are often warranted for life.
Aussie-first Innovations Make
Banking Simpler
The Commonwealth Bank has made it possible for
more Australians to embrace mobile banking on
more devices, unveiling a number of new
innovations to its industry-leading and world-first
social payments app CommBank Kaching.
CommBank Kaching is now available on Google
Android powered smartphones while Apple
iPhones get an Australian first - Bump payments
that allow money to be exchanged or a payment to
be made by tapping two phones together.
Commonwealth Bank also announced it will launch
CommBank Kaching for Facebook later this year,
making it possible for customers to do all their
banking without ever leaving Facebook.
"We're making banking simpler and more
convenient. As promised, we're giving Android
users access to Kaching which will particularly
appeal to the youth market who are using Android
more and more," said Andy Lark, Chief Marketing
and Online Officer, Commonwealth Bank.
Telefonica and Visa Europe Form
Strategic Relationship
Telefonica Digital and Visa Europe announce they
have agreed a wide-ranging strategic partnership to
drive new business opportunities within mobile
commerce across Telefonica's European footprint.
The agreement will see both companies co-invest in
the development of innovative products and
services in areas such as mobile wallet, contactless
payments (NFC), acquirer services for mobile point
of sale, and merchant offers.
Telefonica is committed to striking wide-ranging,
open partnerships with a range of companies in
order to develop the best possible mobile
commerce services. In addition to Visa Europe, it
has recently formed partnerships with Sybase and
Giesecke and Devrient.
Ingenico Starts Local Production of
Payment Terminals for the Russian
Federation
Ingenico has announced the start of its production
of payment terminals based on the Telium 2
platform in a Russian factory.
The decision has been made after an in-depth
analysis of the Russian payment market in terms of
volume potential and structure, combined with an
economic study of the benefits of manufacturing in
the Russian Federation.
The Ingenico terminals will be produced at the Jabil
factory, located in the Tver Region, near Moscow.
The factory is equipped with the latest modern and
high-tech production lines, enabling the
manufacture of up to 500,000 units from the
Ingenico product range. The flexibility of the
manufacturing architecture allows for quick
adjustments according to current market
requirements - both in quantitative terms, and in the
range of configurations.
Vigitrust Announces Master
European Reseller Agreement with
Verizon
To help its European customers achieve PCI DSS
(Payment Cardholder Information Data Security
Standard) compliance, VigiTrust has teamed with
Verizon to expand its IT Security & Compliance
offering to include QSA (Qualified Security
Assessor) services. Vigitrust will now offer its
customers Verizon's full portfolio of QSA services,
including PCI DSS security project initiation,
compliance remediation, compliance validation and
certification as well as compliance project
management and maintenance.
The Verizon 2012 Data Breach Investigations
Report found that 96% of the breach victims
investigated were not PCI DSS compliant when
they were last assessed (or were never actually
assessed or validated). The importance of PCI DSS
compliance is therefore clear - but Vigitrust also
believes that for best security practice, gap analysis,
remediation work & QSA assessments should be
completed independently, to prevent a QSA from
evaluating their own work. By teaming with
Verizon, Vigitrust is able to offer its customers a
single interface to both best security practice, and
full service assessment.
Morpho's new eco-friendly 100%
paper SIM
Morpho (Safran group) has announced that its new
environmentally-friendly SIM card SIMply Green, is
a paper card made entirely of wood fibres
(conforming with EN 13432 and FSC-certified
wood). The smart card is biodegradable,
compostable and recyclable, reflecting the
commitment of Morpho - and most of its
customers - to supporting environmental
protection.
The new cards have successfully passed extensive
testing for milling, punching and embedding to
prove that their eco-friendly material does not
compromise the expected functionality of a SIM.
Optical personalisation of the card is possible with
dark backgrounds. SIMply Green is compatible
with all handsets available on the market.
The first volumes of SIMply Green have already
been delivered to a well-known European mobile
network operator.
NanoMarkets Sees Thin-film/Printed Battery Powered
Products Surpassing $6.5 billion by
2016
Industry analyst firm NanoMarkets' latest report,
titled "Thin-Film and Printed Battery Markets 2012", claims that by 2016, the value of products
shipped that are powered by thin-film/printed
batteries will reach $6.5 billion.
Smartcards present a compelling market for thin-film and printed battery firms as both Bank of
America and e-Bay now offer powered smartcards
that have the ability to significantly reduce today's
massive monetary losses due to credit card fraud.
This sector is dominated by Solicore for now but
NanoMarkets fully expects to see other firms
making a strong play for the market. By 2016, the
value of smartcard products containing thin-film
and printed batteries will be around $960 million.
White Paper Reveals the Hidden
Controls Holding Back Mobile
Wallet Development
Mobey Forum's latest white paper 'Mobile Wallet:
The Hidden Controls' takes a step into the future
and considers the external forces that will dictate
how consumers and merchants engage with mobile
wallet technology during their day-to-day activities.
The paper defines and analyses a series of 'hidden
control points', which map the commercial
battlegrounds where stakeholders will vie to
influence both acceptance and adoption of mobile
wallet technology.
Amir Tabakovic, Head of Market Development at
PostFinance and Chair of the Mobey Forum Mobile
Wallet Task Force comments: "As the first wave of
mobile wallet solutions start to appear, the market's
attention remains fixed on mobile wallet apps and
the devices where they reside. We think this is
unbalanced - the mobile wallet ecosystem is highly
complex and its component parts are
interdependent. The market's failure to adequately
consider the external forces influencing the mobile
wallet is preventing the technology from fulfilling
its full potential."
The paper will be of interest to merchants, banks
and financial institutions, mobile network operators,
handset manufacturers and operating system
providers. To download the 'Mobile Wallet: The
Hidden Controls' white paper without charge, visit
www.mobeyforum.org.
GlobalPlatform Welcomes Diebold as
Latest Member
GlobalPlatform has announced Diebold,
Incorporated as its latest Observer Member.
Diebold has a particular focus on advances in
mobile financial services.
UBPS to Acquire and Consolidate
Three Business Payment Companies
Universal Business Payment Solutions Acquisition
Corporation (UBPS) has announced that it has
entered into definitive agreements to acquire
Electronic Merchant Systems, Jet Pay LLC and AD
Computer Corporation.
UBPS will acquire the three companies in a
transaction valued at approximately $179 million. If
approved by the regulators and the company's
stockholders the business combination is expected
to close early in the fourth quarter of this year.
Smart Card Alliance Launches 'EMV
Connection'
Payments industry stakeholders now have a website
dedicated entirely to helping with the United States'
upcoming move to EMV chip technology - EMV
Connection. The site, launched by the Smart Card
Alliance, provides up-to-date information on the
status of EMV migration, along with tutorials and
educational resources that will assist with migration.
"Now that the payment brands have announced
their roadmaps to accelerate EMV adoption in the
United States, we've taken the initiative to develop a
dedicated website where industry participants can
get information about the fundamentals of EMV,
and how the migration from magnetic stripe cards
to EMV chip technology is progressing in the
United States," said Randy Vanderhoof, executive
director of the Smart Card Alliance.
The EMV Connection site is laid out so that all
major EMV stakeholders (issuers, merchants,
payment processors/acquirers and consumers) can
easily find valuable information such as frequently
asked questions, white papers, videos, slideshows,
and links to other EMV resources that will best
help them travel their own unique EMV migration
path.
Man in the Mobile Attacks Single out
Android
Trusteer reported the first SPITMO (short for
SpyEye in the mobile) attack targeting banking
customers on the Android platform. Recently
Trusteer discovered the first Tatanga-based man in
the mobile (MITMO) attack as well as new
SPITMO configurations which are targeting
Android mobile banking users in Germany, the
Netherlands, Portugal and Spain. With nearly 60%
of the market and a reputation for weak app
security, it's no surprise that Android has become
the preferred target for financial malware.
Like previous attacks, both the SPITMO and
Tatanga MITMO variants target Windows users on
the web and use a web injection in the desktop
browser to lure them into installing a fake security
application on their phones. The fraudsters claim
this application is required by the bank as a new
layer of protection, and that 15 million bank
customers around the world are already using it.
In most attacks, if the victim is using an operating
system other than Android the malware informs the
user that no further action is required. However, for
all Android users, the desktop component of the
MITMO attack requests the victim's phone number
and notifies them that a link for downloading the
security application has been sent (via SMS) to their
mobile device. The user is directed to install the
fake application from this link and enter the
activation code provided by the malware. Certain
attacks also request that BlackBerry users download
the application, but it does not actually install on
these devices.
Once installed, the mobile malware captures all
SMS traffic, including transaction authorisation
codes sent by the bank to the victim via SMS, and
forwards them to the fraudsters. This enables the
criminals to initiate fraudulent transfers and capture
the security codes needed to bypass SMS-based
out-of-band authorisation systems used by many
European banks.
Intel and ASML Reach Agreements
to Accelerate Key Next-Generation
Semiconductor Manufacturing
Technologies
Intel Corporation today announced it has entered
into a series of agreements with ASML Holding
N.V. intended to accelerate the development of
450-millimeter (mm) wafer technology and extreme
ultra-violet (EUV) lithography totalling Euro 3.3
billion (approximately $4.1 billion). The objective is
to shorten the schedule for deploying the
lithography equipment supporting these
technologies by as much as two years, resulting in
significant cost savings and other productivity
improvements for semiconductor manufacturers.
Oberthur Technologies to Open
Service Centre in Canada
Oberthur Technologies announces it has finalised
plans to open a secure service centre in Ottawa,
Ontario, Canada. The 1,400 m² facility will enable
the personalisation of secure devices and
documents (including magnetic stripe and EMV
cards as well as SIM cards and identification
credentials) for customers throughout Canada.
"Oberthur Technologies' proven global ability to
meet customer needs in the payment, telecom and
ID markets coupled with the booming Canadian
demand in these key segments are at the centre of
our decision to open a facility in Canada," said
Martin Ferenczi, Managing Director of the
Americas Region at Oberthur Technologies.
ISACA Combines Two World-renowned Conferences into One
Event
With many organisations facing increased monetary
and time pressures, ISACA has responded by
combining two of its major conferences. The three-day, inaugural event, taking place 10-12 September
in Munich, Germany, will unite its European
Computer Audit, Control and Security (CACS) and
its Information Security and Risk Management
(ISRM) conferences in one convenient setting.
The highly interactive event will provide attendees
the opportunity to interact with speakers and peers
to discuss today's IT-related topics. Sessions
include: Audit Practices That Make an Impact,
Improving IT Audit Performance, Securing Data,
Solving IT and Business Issues, and IT Risk and
Exposure Management. Delegates will be able to
select the most appropriate sessions to address their
needs in lively sessions, interactive panel
discussions, hands-on participation and case studies
from a variety of industries. The event also will
include sessions at the end of each day, where
speakers will review the day's topics and answer
questions.
CRI and Discretix Sign Developer
Agreement for DPA
Countermeasures
Cryptography Research, Inc. (CRI) and Discretix
announce they have entered into an agreement
enabling Discretix to develop products
incorporating Differential Power Analysis (DPA)
countermeasures for use by licensees of CRI's DPA
patents. Discretix is a provider of field-proven
content protection and embedded security solutions
for mobile applications.
"Discretix CryptoCell with DPA countermeasures is
a certification-ready semiconductor IP platform for
the secure element market. Including DPA
countermeasures into this product and other
enhanced Discretix offerings will help our
customers achieve the required certifications at
minimal cost and effort," said Asaf Shen, VP
marketing, IP products of Discretix.
DPA is a form of attack that involves monitoring
the fluctuating electrical power consumption of a
target device and then using statistical methods to
derive cryptographic keys and other secret
information from that device. Strong DPA
countermeasures are important for securing mobile
devices, bank cards, pay television systems, secure
identity products, secure storage media, anti-tamper
products and other electronic systems and
components. Many of the world's leading security
standards require that devices be protected against
DPA and related attacks.
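The mechanism described above, as an added example that is not from the article, CRI or Discretix: a Python simulation of a device whose power draw leaks the Hamming weight of an AES S-box output, a first-order difference-of-means DPA run over those simulated traces to recover the key byte, and the same analysis run against a Boolean-masked S-box output to show what a countermeasure buys. The leakage model, noise level, key byte, trace count and the one-sample-per-trace simplification are constructed assumptions, not measurements of any real device.

```python
"""Added example (not the newsletter's or any vendor's code): simulated first-order
DPA against an unprotected AES S-box lookup, then against a masked one.
Assumed: Hamming-weight leakage plus Gaussian noise, one sample per trace."""
import random


def gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def build_aes_sbox():
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s, v = inv, inv
        for _ in range(4):               # s = inv ^ rot1 ^ rot2 ^ rot3 ^ rot4 ^ 0x63
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox[x] = s ^ 0x63
    return sbox


SBOX = build_aes_sbox()


def hamming_weight(b):
    return bin(b).count("1")


def simulate_traces(key_byte, n_traces, masked, seed=1, noise_sigma=1.0):
    """Constructed traces: one power sample taken when the S-box output is written.
    Unprotected device leaks HW(S[p ^ k]); masked device leaks HW(S[p ^ k] ^ m)
    with a fresh random mask m per trace (Boolean masking of the S-box output)."""
    rng = random.Random(seed)
    plaintexts, samples = [], []
    for _ in range(n_traces):
        p = rng.randrange(256)
        s = SBOX[p ^ key_byte]
        if masked:
            s ^= rng.randrange(256)      # mask never leaves the device
        plaintexts.append(p)
        samples.append(hamming_weight(s) + rng.gauss(0, noise_sigma))
    return plaintexts, samples


def dpa_difference_of_means(plaintexts, samples, bit=0):
    """Kocher-style first-order DPA: for each key guess, split the traces by the
    predicted S-box output bit and measure the gap between the two partitions'
    mean power. The correct guess sorts traces consistently with the real leak,
    so only it produces a large gap. Returns (best_guess, {guess: |gap|})."""
    scores = {}
    for guess in range(256):
        sum1 = sum0 = 0.0
        n1 = n0 = 0
        for p, x in zip(plaintexts, samples):
            if (SBOX[p ^ guess] >> bit) & 1:
                sum1 += x
                n1 += 1
            else:
                sum0 += x
                n0 += 1
        scores[guess] = abs(sum1 / n1 - sum0 / n0) if n1 and n0 else 0.0
    best = max(scores, key=scores.get)
    return best, scores


def run_demo(key_byte=0x2B, n_traces=3000):
    """Returns (unprotected_guess, unprotected_peak, masked_peak)."""
    pts, tr = simulate_traces(key_byte, n_traces, masked=False)
    g_u, sc_u = dpa_difference_of_means(pts, tr)
    pts, tr = simulate_traces(key_byte, n_traces, masked=True)
    g_m, sc_m = dpa_difference_of_means(pts, tr)
    return g_u, sc_u[g_u], sc_m[g_m]


if __name__ == "__main__":
    g, peak_u, peak_m = run_demo()
    print(f"unprotected: recovered key byte 0x{g:02X}, DoM peak {peak_u:.2f}")
    print(f"masked:      largest DoM peak only {peak_m:.2f} (no usable leak)")
```

In the unprotected run the gap for the true key byte sits near 1.0 (the leaked bit contributes one unit of Hamming weight) while every wrong guess stays well below it; in the masked run the random mask decorrelates the leak from any key-dependent prediction, so every guess's gap collapses to noise. This is the property certification schemes test for, and why a second-order analysis (combining samples) is the next thing an evaluator would try against masking.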
HID Global Ships Over 150 Million
eID Solutions
HID Global has announced that it has
shipped over 150 million high-technology eID
(electronic ID) solutions to governments for citizen
IDs around the world. The company's management
team and employees, along with local political and
business officials, are celebrating this milestone in a
special ceremony in Ireland.
Smartcard News Subscription
Smart Card & Identity News is an independent
international newsletter. Our key industry topics are
smartcards, biometrics, cryptography, identity
management, RFID, mobile and payments.
Within these industries we cover technological
advances, security breaches, new products, personnel
changes, contracts and company take-overs. We also
include opinion pieces and technical tutorials from
the industry's leading experts.
To subscribe please contact us on +44 (0)1903
734677 or email [email protected]. Subscriptions
can also be purchased on Amazon by searching for
"Smart Card & Identity News".