Thursday, June 30, 2011

Fed Eases back limit on Debit Card Swipe Fees

OLBB has been following the Durbin Amendment, which was scheduled to go into effect July 21st and will limit the amount banks can charge retailers for debit card transactions. Yesterday the Fed decided to change the limit from 12 cents to 21 cents (banks are currently charging 44 cents). Some additional incentives would allow the fee to go as high as 24 cents. More importantly, the go-live date was pushed back to Oct 1.

The new date gives the banks time to continue challenging the new law and prevent or soften it further. Since this has a big impact on retailers, banks and consumers, we will continue to follow and post on this as it progresses. For more details, look at our previous posts on this subject in the Archive section of this blog.

Thursday, June 23, 2011

USAA Adds Security Zone Stamp to Help Against Phishing Attacks

Online bank USAA has added a new feature to its email correspondence with its bank customers. The stamp will be located in the upper right corner of every email and will show your first name, last name and the last 4 digits of your account number to help you determine whether an email was legitimately sent from the sender and is not a hoax trying to glean your information or passwords. The stamp looks like the image shown below:


I applaud any bank for continuing to improve online security, even with small changes. USAA states that all bank emails will carry this stamp by August. Adding the stamp makes it harder for the less sophisticated phisher to succeed, which seems to be the intent, while more sophisticated hackers can easily duplicate it. Doing so would require a targeted attack in which the hacker discovers the last 4 digits of your account number, which they could get by gaining access to one of these emails.

Given recent breaches such as the one at the major email provider Epsilon, this is certainly possible. This seems like the perfect time to remind online users of the basic security rules regarding potential phishing emails.

1. Cardinal Rule: Never click on a link from an unsolicited email. If for example USAA sends you an email, you know that you can simply go to USAA.com directly or through an existing bookmark.
2. Remember that a bank or financial institution will never call, email or contact you to ask for your password or other authentication credentials.
3. Keep your antivirus software up to date.
4. Use anti-spyware software.
5. Keep your operating system and Internet browser up to date. If you are still using IE6 you are asking to be hacked.
6. Use a personal firewall on your computer.
7. Do not use public computers, or computers shared with kids who may infect the system with spyware, for sensitive transactions. When in doubt, mobile devices are a good option.

There are other measures that can be taken but these basics are a good start.

Learn more about phishing at this government site

Thursday, June 16, 2011

PayPal Mobile Check Capture Supplements Your Bank's Lack of Features

Do you wish your bank offered the ability to deposit checks by taking a picture of it through your smart phone for that occasional paper check you get a few times a year? You are not alone. While paper check usage is drastically dropping, most people get a few checks a year in the mail or from a personal friend or family member that are a hassle to deposit.

Currently only 9 banks in the US offer this feature and many more banks still don't even have a mobile banking application.

The 9 banks at the time of this writing who offer Mobile Remote Deposit Capture (deposit check with a smartphone) are USAA, Chase, PNC, State Farm, Charles Schwab, Digital Federal Credit Union, Randolph Brooks Federal Credit Union and WV United Credit Union. Some of these banks offer only iPhone while others such as USAA offer Android and Blackberry versions as well.

Fortunately, there is a way to use PayPal to make up for the lack of this feature at your bank and save a trip to the branch or, even worse, having to mail the check. PayPal offers this feature in its mobile app, which can then be linked to your checking account so the funds can be transferred. The PayPal app was first released for iPhone and Blackberry about a year ago, but in May it was finally released for Android, addressing just about all smart phone users except Windows Phone 7. Although the total time to receive the funds may take up to a week, it is acceptable for most scenarios.

To make it work, just download the PayPal mobile app from your mobile platform's app store or marketplace. Then sign up for your PayPal account if you don't already have one and link your bank account to your PayPal account.

Friday, June 10, 2011

2011 Shaping Up to be Bad Year for Online Security Breaches

With the year only half over, it has been a bad start for big security breaches. The latest is Citi, announcing this week that a major breach of customer account information has occurred. We don't yet know the full extent of the damage; it has been reported to affect about 200,000 credit card customers, but apparently Citi waited a month before disclosing the breach to its customers.

The security breaches this year go beyond consumers being compromised and extend deep into our nation's security. This is mainly due to a big breach at RSA Security owned by EMC.

The big breaches have been coming so often that it is easy to forget. Here is a recap so far for 2011:


Reported in Feb - Nasdaq, malware on their network, damage unknown but critical to the exposure of the US economy

March 17 - RSA, even the big security company that plays a role in securing the US government and most of the top companies in the US had its network breached through a phishing email. Information regarding RSA SecurID tokens was compromised. This now calls into question the long-term effectiveness of this defense. Specifically RSA dual factor authentication algorithms may have given attackers a way to defeat the protection. Other breaches summarized below, such as L-3 and Northrop Grumman, were believed to be related to this breach.

April - Epsilon, over 40M email addresses exposed (blogged about on OLBB here)

April 19th - Sony PlayStation Network - personal data and credit card information of tens of millions, shutting Network down for almost a month

May 21 - Lockheed Martin, the biggest provider of information technology to the US government including F-22, F-35 and other weapon systems. Actual damage not disclosed, but critical to the security of the US since it holds many military secrets. China is the main suspect.

May 26 - Northrop Grumman, shuts down its remote access to its network, damage unknown but it was described as a significant and tenacious attack on its information network.

May - L-3 Communications - major attacks due to the RSA Security compromise, details not known

June - Google Gmail, hundreds of emails compromised through a phishing attack, significant because it involved US government officials. China main suspect.

Reported in June but hacked in April or May - Citi, ~200M credit card accounts

Wednesday, June 8, 2011

Senate Rejects Delays on Debit Card Swipe Fees

Today the Senate voted not to delay the "Durbin Amendment" for a year. The caps on debit card interchange fees that banks charge are scheduled to go into effect this July. These fees represent a lot of revenue to big banks, and the caps will likely hurt their stock prices while they scramble to figure out how to recoup the revenue loss with new fees. Smaller banks and credit unions (under 10B) are excluded.

OLBB (Online Banking Blog) has been following and blogging about this issue for some time because it will have a big impact on big banks and payment systems. Whenever you legislate change like this there will be a lot happening from all sides including big banks, community banks, the merchants who benefit and the consumer who will be affected but doesn't really know it yet.

We will continue to follow and provide updates on this.