Payment, Mobile, and Online Security Mashup

March 1, 2009
  • ThreatMETRIX Online Fraud Control and Chargeback Protection USA
    ThreatMETRIX monitors online profiles of users to determine the risk of a sensitive transaction. Their risk profiling works even if the user's browser has disabled cookies or JavaScript. The service also consults a reputation network to determine whether the presented user has been flagged by other web services, firewall logs, or honeypots. This looks very similar to some of the services offered by RSA.
  • Silver Tail Systems: Protects Websites from Logic Attacks
    “Online criminals don’t need to break into your website, VPN or secure networks to defraud you or your customers. They can use the front door – exploiting legitimate business logic or business logic flaws of the website itself”. Silver Tail has two products. The forensics product monitors your site and raises alerts when it identifies suspicious behavior (deviations from the norm). It also provides a search tool that allows administrators to investigate that behavior. The rules engine provides a mechanism that allows administrators to restrict navigation flow on the site for specified users.
  • NCore Systems
    NCore Systems provides enterprise-class delivery channel solutions to banks within the ASEAN region, fusing applications, security and middleware technology into a single integrated platform. The company builds complete virtual financial destinations that let financial institutions ‘reach out and touch’ their customers through web-based and mobile technology. Basically, they provide online banking and a software-based mobile banking second-factor authentication.
  • Aradiom: Mobile framework, Security Token
    Aradiom provides a security token application that can serve as a second factor for online sites. The Aradiom SolidPass can be used to generate one-time passwords, challenge codes, and security questions. SolidPass also supports Transaction Data Signing (TDS): the enterprise issues a challenge, and SolidPass computes a response from that challenge together with the transaction details, so the user authenticates the specific transaction rather than just the session.
  • Acculynk: Software Pin Capture
    Acculynk provides a solution that allows online shoppers to pay for products with PIN debit using a software PIN capture control. You enter your PIN on an on-screen PIN pad whose digit layout scrambles after each digit is entered, so a recorded click position does not map to a fixed digit. The biggest advantage is the reduction in charges to the merchant: in many cases, PIN debit purchases cost less than credit purchases.
  • Atmel Products – Security & Smart Card ICs – Secure RFID: CryptoRF
    CryptoRF adds 64-bit-key cryptographic security to RF devices. Atmel says CryptoRF product labels, tags, and cards are virtually impossible to copy. Rather than using passwords that are easily captured during contactless transactions, CryptoRF devices use authentication keys, session encryption keys and a random number to generate a unique identity, or “cryptogram”, for each transaction. The host reader and the CryptoRF device must each be able to reproduce the other’s cryptogram before any data can be read or written. Uniquely, CryptoRF devices allow two completely independent users, each with its own separate authentication key, to access the same section of memory. This feature is useful for applications such as cards used in cash transactions.
  • TazTag mobile identity
    The TazCard is a new multi-purpose device in a slim credit card format (6 mm in thickness). It’s like a personal safe with a large touch screen, a fingerprint sensor and various communication interfaces (NFC, USB, ZigBee). TazCard interfaces with a range of security applications such as access control, ticketing, couponing and payment. If required, a Java Software Development Kit makes possible the addition of further customized applications. I really like the fingerprint technology. Also, all data exchanges require approval, so the card will not exchange information unless the user is authenticated (with a fingerprint) and authorizes the data exchange. I think NFC payment adoption would accelerate dramatically if fingerprint technology were introduced in phones at the same time NFC chips were introduced.
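Two of the items above, SolidPass Transaction Data Signing and CryptoRF’s mutual cryptogram check, are both shared-secret challenge/response patterns. The following is an added illustration of those patterns, not Aradiom’s or Atmel’s code; HMAC-SHA256 stands in for their proprietary algorithms, and the key values, field layout and 8-digit truncation are assumptions made for the example.

```python
"""Added example: (1) transaction data signing, where the response is bound
to the challenge AND the transaction details, so a tampered payee or amount
invalidates the code; (2) mutual authentication between a reader and a tag,
where each side proves knowledge of the shared key by answering the other's
random nonce, then both derive the same session key.
Not vendor code; HMAC-SHA256 replaces the proprietary primitives."""
import hashlib
import hmac
import os


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# ---- 1. transaction data signing (OCRA-style challenge + transaction fields) ----
def canonical_tx(amount: str, payee: str) -> bytes:
    # Fixed field order and a separator that cannot appear in the fields,
    # so "amount=1|payee=0" cannot be confused with another transaction.
    return f"amount={amount}|payee={payee}".encode()


def sign_transaction(token_secret: bytes, challenge: bytes,
                     amount: str, payee: str, digits: int = 8) -> str:
    """What the token computes and the user types back to the bank."""
    mac = _prf(token_secret, challenge + b"\x00" + canonical_tx(amount, payee))
    offset = mac[-1] & 0x0F                      # HOTP-style dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_transaction(token_secret: bytes, challenge: bytes,
                       amount: str, payee: str, response: str) -> bool:
    """Bank side: recompute over the details it is about to execute."""
    expected = sign_transaction(token_secret, challenge, amount, payee, len(response))
    return hmac.compare_digest(expected, response)


# ---- 2. mutual authentication with a derived session key ----
def tag_respond(tag_key: bytes, reader_nonce: bytes):
    """Tag answers the reader's nonce with its own nonce and a proof."""
    tag_nonce = os.urandom(8)
    proof = _prf(tag_key, b"tag" + reader_nonce + tag_nonce)
    return tag_nonce, proof


def reader_verify_and_respond(reader_key: bytes, reader_nonce: bytes,
                              tag_nonce: bytes, tag_proof: bytes):
    """Reader checks the tag's proof, then proves itself; None = reject."""
    if not hmac.compare_digest(_prf(reader_key, b"tag" + reader_nonce + tag_nonce), tag_proof):
        return None
    reader_proof = _prf(reader_key, b"reader" + tag_nonce + reader_nonce)
    session_key = _prf(reader_key, b"session" + reader_nonce + tag_nonce)
    return reader_proof, session_key


def tag_verify(tag_key: bytes, reader_nonce: bytes, tag_nonce: bytes, reader_proof: bytes):
    """Tag checks the reader before allowing any memory access; None = reject."""
    if not hmac.compare_digest(_prf(tag_key, b"reader" + tag_nonce + reader_nonce), reader_proof):
        return None
    return _prf(tag_key, b"session" + reader_nonce + tag_nonce)


def run_mutual_auth(tag_key: bytes, reader_key: bytes) -> bool:
    """Full exchange; True only if both sides accept and share a session key."""
    reader_nonce = os.urandom(8)
    tag_nonce, tag_proof = tag_respond(tag_key, reader_nonce)
    result = reader_verify_and_respond(reader_key, reader_nonce, tag_nonce, tag_proof)
    if result is None:
        return False
    reader_proof, reader_session = result
    tag_session = tag_verify(tag_key, reader_nonce, tag_nonce, reader_proof)
    return tag_session is not None and hmac.compare_digest(tag_session, reader_session)


if __name__ == "__main__":
    secret, challenge = b"token-seed-assumed", b"48213907"
    code = sign_transaction(secret, challenge, "100.00", "ACME Corp")
    print("code", code, "ok", verify_transaction(secret, challenge, "100.00", "ACME Corp", code))
    print("altered payee accepted?", verify_transaction(secret, challenge, "100.00", "Mule", code))
    print("mutual auth, matching keys:", run_mutual_auth(b"k" * 16, b"k" * 16))
    print("mutual auth, wrong reader key:", run_mutual_auth(b"k" * 16, b"x" * 16))
```

The point of binding the code to `canonical_tx` is the trojan scenario from the earlier posts: malware that rewrites the payee in the browser cannot reuse a code the user computed for the original payee. Both nonces feed the session key so neither side can force a repeat of an old session.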

How Safe is Mint?

February 26, 2009

Mint owes much of its success to the ease with which it lets you set up access to your various bank accounts. The technology behind Mint – normally referred to as account aggregation – is not new. Earlier this decade, account aggregation was the next big thing in internet banking.

Many banks and service providers rushed to add aggregation to their internet banking offerings. The problem was that customers were never too keen on account aggregation. One of the main adoption inhibitors was customers’ reluctance to supply their usernames and passwords for their other financial institutions. Adoption remained low, and many banks dropped aggregation features altogether.

Apparently Mint is the pill that helps people overcome their password-sharing inhibitions. Mint’s concoction of PFM tools and account aggregation is so useful that close to 700,000 people are willing to trust it with their internet banking credentials for their various accounts. Technically, Mint does not store user credentials. Here is the explanation they give.

“We connect securely to your financial institutions using one or more online financial service providers. Your online banking credentials are stored only with these institutions enabling Mint to automatically and securely update your transactions and saving you from updating, syncing or uploading financial information manually.”

Mint offloads your user credentials to one or more of its partners. Mint lists some very impressive data and data center security features. The problem is that the listed security features apply to Mint’s data center, not its partners’ data centers.

Mint does not advertise the identity of its account aggregation partner, but Yodlee, a well-known account aggregation company, lists Mint as one of its customers. I think it’s pretty safe to assume that Yodlee provides some of the account aggregation features for Mint. Thus, there is a good chance that Yodlee is storing your username and password. That’s not necessarily bad. After all, Yodlee is a trusted partner of many large financial institutions. However, there is a strong possibility that the way Yodlee stores your passwords is not as safe as the way your internet banking site stores your passwords.

Your internet banking site probably stores a hashed version of your password. A password hash is a one-way function, not encryption: the bank can check a login attempt by hashing it again and comparing, but nothing in its database can be turned back into your password. The main benefit is that even if a hacker steals the hashes from your bank’s database and knows exactly which hashing algorithm was used (the algorithm is not a secret), they cannot unscramble your password; the best they can do is guess candidate passwords and hash each one, which a per-user salt and a deliberately slow hash such as PBKDF2 or bcrypt make expensive. Your password is pretty safe, provided it is not one of the guesses.

The nature of account aggregation prevents Yodlee from storing hashed passwords: to log in to your bank on your behalf it has to present the password itself, so it must keep a reversible copy. They probably encrypt your passwords in their database, but if a hacker ever got hold of both the encryption key and the database content, they could recover your internet banking passwords.
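To make the difference between the two storage models concrete, here is an added example (not Mint’s or Yodlee’s code) using only the Python standard library. The bank side stores a salted PBKDF2 hash and can only verify; the aggregator side stores a reversible, authenticated ciphertext under a master key and can recover the plaintext. The iteration count, key sizes and record layout are assumptions, and the HMAC-based keystream is a stand-in chosen so the block runs without third-party packages; a real deployment would use an AEAD such as AES-GCM from a vetted library.

```python
"""Added example: what a bank can store (one-way hash) versus what an
aggregator must store (reversible encryption), and what a thief gets in
each case. Not vendor code. Stdlib only; the keystream cipher below is an
illustration, not a recommendation."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # assumption; tune to your cost budget


# ---- bank side: salted, slow, one-way ----
def bank_store(password: str) -> dict:
    """The bank keeps salt + hash. Nothing here yields the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def bank_verify(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def dictionary_attack(record: dict, wordlist) -> Optional[str]:
    """All a thief with the database AND the public algorithm can do: guess.
    The salt forces one PBKDF2 run per guess per user; the iteration count
    sets how slow each guess is. Weak passwords still fall."""
    for guess in wordlist:
        if bank_verify(record, guess):
            return guess
    return None


# ---- aggregator side: must get the plaintext back to log in for you ----
def new_master_key() -> bytes:
    # In practice this lives in an HSM/KMS, never in the same database.
    return os.urandom(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-derived keystream (illustrative).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aggregator_store(master_key: bytes, password: str) -> dict:
    """Encrypt-then-MAC; the record is useless without the master key."""
    nonce = os.urandom(16)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(master_key, nonce, len(pt))))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def aggregator_recover(master_key: bytes, record: dict) -> str:
    """With the key the plaintext comes straight back: the breach scenario
    in the text is 'database + key', not 'database + algorithm'."""
    expected = hmac.new(master_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("record tampered with or wrong key")
    ks = _keystream(master_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()


if __name__ == "__main__":
    weak = bank_store("password1")                   # constructed sample
    print("bank verify:", bank_verify(weak, "password1"))
    print("guessed from stolen hash:", dictionary_attack(weak, ["123456", "password1"]))
    key = new_master_key()
    rec = aggregator_store(key, "correct horse battery staple")
    print("aggregator recovers:", aggregator_recover(key, rec))
```

The asymmetry is the whole argument of the post: a stolen bank database still costs the attacker a guessing campaign per user, while a stolen aggregator database plus its key hands over working bank logins. Keeping the master key out of the database (and rotating it) is what turns the aggregator breach back into a two-stage problem.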

Is the difference in password encryption and storage significant? Probably not. I track five accounts in Mint, and I don’t worry too much about my login credentials being stolen. The possibility of a keylogger being placed on my computer is probably much greater than the possibility of a Mint/Yodlee data center breach.

I feel comfortable supplying Mint/Yodlee with my passwords for my various banks because I know that, in the event of a data breach, they have more to lose than I do. Whereas I might have to go through the hassle of changing passwords and canceling cards, Mint and Yodlee would have to go through the hassle of closing up shop and hiring good bankruptcy lawyers.

Delicious Money Mashup: Enterprise web2.0, + Thrive…

February 7, 2009
  • MoBank © The wherever you go bank
    MoBank is a mobile focused bank in the UK. It will be interesting to see how this works. I imagine that they will rely primarily on interchange and premium services that they sell on top of their regular services. I think in the US this concept would work on college campuses. Community banks, and especially credit unions should consider similar initiatives.  Financial institutions could create mobile brands the same way many of them have created online only brands.
  • NACHA Group Close to Proposals for Mobile Payments on the ACH
    It looks like NACHA will be formalizing something that has already been happening anyway: mobile ACH transfers. PayPal allows you to send P2P payments via your mobile device (text messages or mobile app/site). If you do not have stored funds with PayPal, they pull money from your bank account via ACH. It seems like there is an opportunity for banks to take advantage of any new NACHA guidelines for mobile ACH. It will be interesting to see what NACHA comes up with. Given the wide reach of NACHA and the participation level of banks, the potential is huge.
  • Security experts warn of online banking Trojan
    These types of threats are still present even with the mandated implementation of two-factor authentication. It seems this is a man-in-the-browser variant of the man-in-the-middle attack: malware on the client intercepts information on its way to or from your computer, after you have authenticated. This could allow the criminal to take over your session and conduct transactions on your behalf. This is a problem for online banking sites because it is difficult to stop these intrusions: they are the result of something on the client’s computer, not on the online banking site, so the second factor is presented by the victim and then abused. One way banks could help would be to offer antivirus software or even hardware (e.g., USB keys) that runs the browser session from a “vault” walled off from the operating system.
  • Web 2.0 and the Enterprise: A Symbiotic Relationship
    This presentation lists five reasons why the relationship between the enterprise and web 2.0 sites is symbiotic. 1. “The Facebook Effect”: work and personal lives continue to blur. 2. People share with each other if they trust each other. Obviously the workplace fosters that trust and is conducive to sharing ideas online. 3. Big ideas and little ideas matter. It is much easier to gather and manage little ideas via social networking. 4. Social graphs serve as a bridge. Social graphs allow you to combine aspects of different social sites: LinkedIn can be used in the enterprise, and I can share these Delicious posts on Facebook. 5. The enterprise is changing. Some companies are letting their engineers comment in forums. A broader group of employees is engaging with customers via social tools such as blogging, Twitter, and forums. Although my five reasons would probably be a little different from the author’s, I agree that social collaboration tools could greatly improve productivity in the workplace. How many times have you worked for weeks on a project only to find out that someone else in the organization is doing something very similar and much of your work overlaps? Web 2.0 could solve those types of problems, and it could create an environment where new ideas are shared more freely and efficiently.
  • Acquires Thrive
    Thrive is a financial transaction aggregator in the mould of Mint and Wesabe. owns several real estate and lending related sites including It will be interesting to see how they combine the services of their different sites, particularly how they combine the services of LendingTree with Thrive. As I mentioned in a previous post, adding lending, account opening, bill payment, and transfer services is probably the next step for sites like Mint and Wesabe.