Page 1


July/August 2012 Volume 21 • Number 7

Smart Card & Identity News Smart Cards, SIM, Payment, Biometrics, NFC and RFID

www.smartcard.co.uk

©2012 Smart Card News Ltd., Rustington, England. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, optical, recording or otherwise, without the prior permission of the publishers.

Continued on page 4….

This last month has seen more attacks on the terminals that are used to make electronic payments and on the mobile phone devices that can be used to do just about anything, including electronic payments. In the case of EMV POS terminals and ATMs, a Cambridge University team (Mike Bond, Omar Choudary, Steven Murdoch, Sergei Skorobogatov and Ross Anderson) has published its results on flaws in the implementation of unpredictable numbers (i.e. numbers that can’t be pre-determined by an observer, such as a random number sequence) as part of the authentication protocol, which could lead to unauthorised payments. In the case of mobile phones, which are increasingly being used to both make and receive electronic payments, Charlie Miller from Accuvant Labs has demonstrated weaknesses in the implementation of the NFC software stack in mobile phones that may even allow the hacker to take control of the phone.

More Problems With EMV Terminal (in)Security and How to Control Somebody else’s Phone via NFC

6 • Competitive landscape shifts as EPOS market continues recovery

12 • Tackling the Geolocation Cookie Imperative

9 • When Users, Admins and Applications go to War

5 • RTA NOL Card Wins Best Prepaid Card

Page 2

Smart Card & Identity News Published monthly by Smart Card News Ltd

Head Office: Smart Card News, Gratwicke House, 10 East Street, Littlehampton, West Sussex, BN17 6AW
Telephone: +44 (0)1903 734677
Website: www.smartcard.co.uk
Email: [email protected]

Researcher – Patsy Everett
Technical Researcher – Dr David Everett
Production Team – John Owen, Lesley Dann, Adam Noyce
Contributors to this Issue – RBR London, Paul Kenyon, Ramsés Gallego
Photographic Images – Dreamstime.com
Printers – Hastings Printing Company Limited, UK
ISSN – 1755-1021

Disclaimer

Smart Card News Ltd shall not be liable for inaccuracies in its published text. We would like to make it clear that views expressed in the articles are those of the individual authors and in no way reflect our views on a particular issue. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means – including photocopying – without prior written permission from Smart Card News Ltd.

© Smart Card News Ltd

Our Comments

Editorial

Patsy Everett

Dear Subscribers, As you get older you start to think more about the meaning of life cycles and how much attention we give to the birth of a new project and how little attention we pay to objects as they reach what should be their expiry date.

What do you do when your phone or tablet gets old? Do you put it into a cupboard, or perhaps it gets handed down through the family in some sort of pecking order? How about all the information that is stored on the device: contact lists and probably even user names and passwords, even if vaguely disguised. It’s so easy: we always talk about securely getting secret information onto a device in the first place, but we never discuss how to get it off when we have finished with it. Information security specialists with ISO 27001 in hand may well be up to speed, but I don’t think that’s got as far as the average user. How many people do you know that consciously attend to the termination of old devices? Of course it does extend into industry; we often hear of computers being scrapped with a wealth of information still left on the hard disk. But the mobile phone is worse: very few people actually think about the value of the data they have stored on their device, and if you worry about phones you should probably be paranoid about what people store on their tablets. To start, just imagine I had your phone in my possession for 24 hours and I could read and copy anything stored on the phone or SIM card. Still not worried? Then also assume that I can run any program on the device that currently exists and also probably take advantage of user names and passwords that are pre-stored by the app to stop you having to keep entering the authentication data. Now you should be starting to get worried. Those that remember the early PCs that often worked entirely off floppy disks will also remember the famous Norton Utilities, guaranteed to recover lost data on your disk drive. The reason it worked, of course, is that when you delete a file in any computer system it doesn’t actually remove the data; it just sets a flag to tell the operating system that this memory can be re-used. If you actually want to delete data you have got to overwrite it in such a way that there is no residual trace.

Would you believe it, but this is actually quite difficult to do. How many people do you know that run programs to delete the contents of memory or a disk drive? Such programs have to write patterns of 1’s and 0’s many times to remove all trace of the data. Anything less and clever programs can recover the data.

Smart Card & Identity News • July/August 2012

Page 3

Contents

Regular Features
Lead Story - More Problems With EMV Terminal (in)Security . . . . . . . . . 1
Events Diary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
World News In Brief . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5, 8, 10, 14

Industry Articles
Competitive landscape shifts as EPOS market continues recovery . . . . . . . 6
When Users, Admins and Applications go to War . . . . . . . . . . . . . . . . . . . 9
Tackling the Geolocation Cookie Imperative . . . . . . . . . . . . . . . . . . . . . 12

The PC market is of course quite mature and there are programs designed specifically to remove all trace of stored data (I would be suspicious of the free ones), but on a mobile phone you may find it more difficult. Our lead article this month has been looking at problems of software implementation in both POS terminals and mobile phones. But actually the problem is far worse than we have so far described. Malware is really a big problem on mobile phones, particularly Android, which has about 60% of the market. The thing is that there is no simple solution; there is no silver bullet that can just magically fix the malware problem. The problem is likely to continue for some time, and yet more and more people are relying on their mobile phone for the management of sensitive data. We often talk amongst friends at the dinner table and I can tell you that none of our security friends use their mobile phones for making payments or doing electronic banking. This may not be the world according to Visa and Mastercard, but we have a gap and I’m just holding off until somebody finds a way of fixing it! Patsy.

Events Diary

Source: www.smartcard.co.uk/calendar/

September 2012

25-26 – Cards & Payments - Paris, France - http://www.efma.com/index.php/networking/conferences/overview/EN/2/45/1-IPLBJ

October 2012

02-04 - Prepaid Summit: Europe 2012 - Prague, Czech Republic - http://www.vrl-financial-news.com/cards--payments/cards-international/events/prepaid-summit-europe-2012.aspx

02-03 - ATM Security 2012 - London, UK - http://www.rbrlondon.com/atmsecurity

04-05 - Cards & Payments Summit Europe 2012 - London, UK - http://www.commercialpaymentsinternational.com/events/detail/the-commercial-cards-payments-summit-europe-2012/

10-11 - Mobile Payments - Copthorne Tara Hotel, London, UK - http://www.smi-online.co.uk/events/overview.asp?is=8&ref=4069

Page 4

…. Continued from page 1

The thing is, which of these is more important to the security fraternity, or more particularly the payments industry? Both pieces of work are pretty smart, but which one, either, both or none might actually lead to serious security breaches? I still can’t believe that people don’t get it: in the world of smart cards, or more precisely the secure chip or element, the security of the chip has never really been the big problem; it’s the terminals, and that includes mobile phones, that cause the real problems. So often people explain to me how it’s the cryptography: whatever you do, don’t use Triple DES or 1024 bit RSA; if it hasn’t got 4096 bits it just can’t be long enough. I’ve never forgotten the story told to me by a famous mathematician who many years ago posted an innocuous blog (yes, blogs have been around for ages in the academic world) explaining tongue in cheek his difficulty in writing a program to factorise numbers. He published a 512 bit number (carefully chosen as the product of two large primes; there’s the clue, this happened in the late 70’s, a little after RSA was first published) in the blog and asked if somebody would mind factorising the number for him. Of course nobody succeeded, but a surprisingly large number had a go! I feel the same way about security hardened integrated circuit chips: no back bedroom buddy is going to read out the contents of memory on his PC, but many seem to imagine they can. Now I appreciate there are specialised reverse engineering laboratories and universities that may be able to reverse engineer the chip, and even aggregated shared computing resources that might be able to factorise large numbers, but these are not the sort of attacks that are really going to damage a modern commercial system unless you can be sure you can defraud the system without getting caught.

I really can’t imagine Cambridge University doing that, because they are making a totally different point, more about the fact that you don’t get perfection in information systems and that the service providers, in this case the banks, shouldn’t make such claims. But make mistakes in the terminal protocol and/or implementation and now you move into the world of the back bedroom hackers, which is a much more likely attack surface.

The Cambridge University attack is based on the observation that many ATMs implement a poor calculation of Unpredictable Numbers (UNs), which are used in the EMV protocol as evidence of freshness, i.e. that the transaction is happening now and wasn’t pre-calculated earlier. In particular, what they have demonstrated is that if you can collect from a genuine card a set of ARQC messages (the Authorisation Request Cryptogram, sent from card to Issuer and cryptographically protected by a secret key held in the card and shared with the Issuer) with enough UNs to match one that will be generated by the ATM, then you can fool the system with a fake card. So for example if the target ATM only generates 4 UNs you would just need to pre-collect 4 ARQC messages from a genuine card. This data collection does of course require the user to go to a bogus POS terminal, where the terminal sets about collecting all these ARQC messages without the customer becoming suspicious. In addition, when collecting these ARQC messages it will be necessary to pre-set the core parameters such as the amount of the transaction and the date. All this information is then loaded into the fake card, which will set out to fool the system by playing one of these pre-stored ARQC messages. Note it is not a replay attack, because as far as the Issuer is concerned these messages have never been previously used. The ARQC does also include an Application Transaction Counter (ATC), which increments every transaction, or more precisely every time the terminal does a Generate AC request to the card to get the ARQC. However, the Issuer is only likely to detect a repeated transaction counter; for operational reasons he will have to allow some gaps in the transaction counter sequence.

It is not really in doubt that this form of attack is possible, and arguably the ATM manufacturers have been careless in their implementation of the protocol, or at the very least the certification test conditions are inadequate. However, the claim in the paper from the Cambridge team that ‘We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit’ is, to say the least, misleading. A more realistic statement would be that ‘it is possible that EMV cards could be cloned, but this is the least likely of the possible error scenarios’. However, where I would agree with the Cambridge team is over the software integrity of the POS terminals. This is not only difficult to achieve but is difficult to measure, and even more difficult to maintain in any form of uncontrolled environment. You might argue that a mobile phone falls into this category rather neatly.
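The Issuer-side view of the attack just described, as an added example that is not code from the article or from the Cambridge team: a cryptogram the genuine card computed earlier verifies correctly at the Issuer, so the only signals left are the ATC policy and how many distinct UNs a terminal actually produces in its authorisation traffic. HMAC-SHA256 stands in for the EMV 3DES MAC, and the keys, thresholds and transaction data are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_ATC_GAP = 5        # assumed operational tolerance for skipped ATC values
UN_WINDOW = 50         # assumed number of authorisations per terminal before judging UN quality
MIN_DISTINCT_UN = 16   # assumed threshold: fewer distinct UNs in a window is suspicious


def arqc(card_key: bytes, amount: int, date: str, atc: int, un: int) -> bytes:
    """Stand-in for the card's cryptogram over the core transaction data.
    Real EMV uses a session key and a 3DES CBC-MAC, but the structure is the same:
    the cryptogram binds amount, date, ATC and the terminal's UN to the card's key."""
    data = (amount.to_bytes(6, "big") + date.encode("ascii")
            + atc.to_bytes(2, "big") + un.to_bytes(4, "big"))
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


class Issuer:
    """Minimal Issuer host: verifies cryptograms, enforces the ATC policy, watches UN diversity."""

    def __init__(self, card_keys: dict):
        self.card_keys = card_keys              # PAN -> key shared with the card
        self.last_atc = {}                      # PAN -> last ATC accepted
        self.terminal_uns = defaultdict(list)   # terminal id -> UNs seen in its authorisations

    def authorise(self, pan, terminal_id, amount, date, atc, un, cryptogram):
        """Return (decision, warnings). Declines only on a bad cryptogram or a non-increasing
        ATC; everything else is a warning handed to fraud monitoring."""
        expected = arqc(self.card_keys[pan], amount, date, atc, un)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE", ["cryptogram mismatch"]
        warnings = []
        prev = self.last_atc.get(pan)
        if prev is not None:
            if atc <= prev:
                return "DECLINE", ["ATC repeated or decreased"]
            if atc - prev > MAX_ATC_GAP:
                warnings.append("ATC gap beyond tolerance")
        self.last_atc[pan] = atc
        seen = self.terminal_uns[terminal_id]
        seen.append(un)
        if len(seen) >= UN_WINDOW and len(set(seen[-UN_WINDOW:])) < MIN_DISTINCT_UN:
            warnings.append("low UN diversity at terminal")
        return "APPROVE", warnings


def run_genuine_transactions(issuer, pan, terminal_id, un_source, n=UN_WINDOW):
    """Drive n genuine card transactions through one terminal whose i-th UN is
    un_source(i); return every warning the Issuer raised along the way."""
    raised = []
    for i in range(n):
        atc, un = i + 1, un_source(i)
        cryptogram = arqc(issuer.card_keys[pan], 1000, "120731", atc, un)
        _, warnings = issuer.authorise(pan, terminal_id, 1000, "120731", atc, un, cryptogram)
        raised.extend(warnings)
    return raised


def weak_un(i):
    """A terminal that only ever produces four UNs (the article's example)."""
    return (0x11111111, 0x22222222, 0x33333333, 0x44444444)[i % 4]


def good_un(i):
    """Deterministic stand-in for a terminal whose UNs do not repeat (bijective mod 2**32)."""
    return (i * 0x9E3779B1) & 0xFFFFFFFF


def demo():
    issuer = Issuer({"4111": b"constructed-card-key-A", "4222": b"constructed-card-key-B"})
    weak = run_genuine_transactions(issuer, "4111", "ATM-weak", weak_un)
    good = run_genuine_transactions(issuer, "4222", "ATM-good", good_un)
    # A cryptogram the genuine card computed earlier (ATC 60, with one of the weak terminal's
    # four UNs): the Issuer has never seen it, so cryptographically it is as good as any other.
    # Only the ATC gap and the terminal's UN pattern give the Issuer anything to act on.
    earlier = arqc(b"constructed-card-key-A", 1000, "120731", 60, 0x22222222)
    decision, warnings = issuer.authorise("4111", "ATM-weak", 1000, "120731", 60, 0x22222222, earlier)
    return {"weak_terminal_warnings": sorted(set(weak)), "good_terminal_warnings": good,
            "precomputed_decision": decision, "precomputed_warnings": warnings}


if __name__ == "__main__":
    print(demo())
```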

Page 5

World News In Brief

RTA NOL Card Wins Best Prepaid Card

The Unified Card (NOL) of the Roads & Transport Authority (RTA) has recently won the Best Prepaid Card in the Middle East Award as part of the Middle East Smart Card Awards, which is the Middle East's only exclusive award programme for banks, payment systems and smart cards.

Mattar Al Tayer, Chairman of the Board & Executive Director of RTA, expressed his delight to see NOL Card, feted with this coveted Award, finishing ahead of other competitive cards from banks and leading financial institutions in the region.

"NOL card is both safe and difficult to counterfeit as it is aligned with approved international standards. The design of the card, which is made by several manufacturers, has been tailored to meet future requirements of the electronic payment systems and account for the possibility of adding a variety of uses that go beyond using mass transit systems."

FIME Opens NFC Mobile Test Laboratory in Seoul

FIME announced its expansion in Asia with the opening of its NFC mobile test laboratory in Seoul, South Korea. The rapid growth of the NFC mobile market in South Korea and an increase in FIME's Korean customer-base are the key driving factors behind FIME's decision to open its Seoul laboratory. FIME will work with mobile device manufacturers and network operators to provide integration testing and certification services, ensuring that NFC-enabled handsets are fully interoperable and compliant with industry standards and EMV payment specifications prior to market release.

Pascal Le Ray, General Manager, commented: "With 20 million Koreans predicted to own an NFC-enabled handset by the end of this year, it is evident that South Korea is quickly becoming a global leader in the development and deployment of NFC mobile technology."

The beauty of the Black Hat conference is that the researchers actually demonstrate what you always thought was possible, and quite often things you didn’t imagine were possible. This year in Las Vegas has been no exception, and perhaps of particular interest to us is some work undertaken by Charlie Miller of Accuvant Labs on the vulnerability of NFC implementations in mobile phones, using Android (Android 2.3.3) and MeeGo (1.2 Harmattan PR1.2) as example OSs. Charlie describes how to fuzz (don’t you love this word) the NFC software protocol stack for the Samsung Nexus S and the Nokia N9. Then he goes on to describe how he can see, for these devices, what software is built on top of the NFC stack. It turns out that through NFC, using technologies like Android Beam or NDEF content sharing, one can force some phones to parse images, videos, contacts, office documents, and even open up web pages in the browser, all without user interaction. In some cases it is even possible to completely take control of the phone via NFC, including stealing photos and contacts, even sending text messages and making phone calls. He concludes that the next time you present your phone to pay for your cab, be aware you might have just gotten owned.

This to me is a far more serious statement about software integrity. Every day we are using mobile phones and are integrating them into our way of life, including electronic banking and payments. If you can’t trust the software then you have a problem. I suspect your first reaction is to assume that the correctness of the software comes by default and that you only need to worry about malware. The problem is in fact far more inherent, particularly when you can’t trust the core platform built by those who try to get it right long before the hackers try to take over. History is full of problems with software, right the way back to the compilers which produce the code that actually runs on the target device. All ideas of code walkthroughs and Common Criteria evaluations are important, but there is absolutely no proof of software correctness. Next time you use your phone just think of all that code, all from different sources, in which you have no real participation. It is a subject we will come back to, but let Charlie at least alert you to a problem that is not going to be solved any time soon. The answer for those that are impatient is in the question ‘in any system, what can you actually trust?’ Dr David Everett, SCN Technical Researcher.
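The two failure modes above are malformed NDEF input reaching a parser that does not check its length fields, and content records being acted on with no user involvement. As an added example (not Charlie Miller's code, nor any handset vendor's NFC stack), here is a length-checked NDEF message parser with a handling policy that refuses to open URIs, Smart Posters or media records without the user's confirmation; the policy, the identifier-code subset and the sample message are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# NFC Forum URI record identifier codes (subset); the first payload byte selects a prefix.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://", 0x04: "https://"}


@dataclass
class Record:
    tnf: int        # Type Name Format, the low three header bits
    type: bytes
    id: bytes
    payload: bytes


class _Cursor:
    """Byte reader that refuses to read past the end of the message."""

    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def take(self, n: int) -> bytes:
        if self.off + n > len(self.data):
            raise ValueError(f"truncated: need {n} bytes at offset {self.off}, "
                             f"have {len(self.data) - self.off}")
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk


def parse_ndef(message: bytes):
    """Parse an NDEF message into records, rejecting chunked, truncated or mis-flagged input."""
    cur, records, ended = _Cursor(message), [], False
    while cur.off < len(message) and not ended:
        hdr = cur.take(1)[0]
        mb, me, cf, sr, il = (bool(hdr & m) for m in (0x80, 0x40, 0x20, 0x10, 0x08))
        tnf = hdr & 0x07
        if mb != (not records):
            raise ValueError("MB flag inconsistent with record position")
        if cf:
            raise ValueError("chunked records not accepted")
        if tnf == 7:
            raise ValueError("reserved TNF value")
        type_len = cur.take(1)[0]
        payload_len = cur.take(1)[0] if sr else int.from_bytes(cur.take(4), "big")
        id_len = cur.take(1)[0] if il else 0
        if tnf in (0, 5, 6) and type_len:
            raise ValueError("type field not permitted for this TNF")
        # Field order per the NDEF record layout: type, id, payload, each bounded by its length.
        records.append(Record(tnf, cur.take(type_len), cur.take(id_len), cur.take(payload_len)))
        ended = me
    if not ended or cur.off != len(message):
        raise ValueError("ME flag missing or trailing bytes after last record")
    return records


def decode_uri(rec: Record) -> str:
    """Expand a well-known 'U' record into its URI string."""
    if rec.tnf != 1 or rec.type != b"U" or not rec.payload:
        raise ValueError("not a URI record")
    prefix = URI_PREFIXES.get(rec.payload[0])
    if prefix is None:
        raise ValueError("unsupported URI identifier code")
    return prefix + rec.payload[1:].decode("utf-8")


def handling_policy(rec: Record) -> str:
    """Assumed policy: anything that would launch the browser or a media/document parser
    needs an explicit user confirmation; only plain text records are shown automatically."""
    if rec.tnf == 1 and rec.type == b"T":
        return "show"
    if rec.tnf == 1 and rec.type in (b"U", b"Sp"):
        return "confirm"      # URI or Smart Poster: would open a web page
    if rec.tnf in (2, 3, 4):
        return "confirm"      # MIME media, absolute URI or external type: would invoke a handler
    return "ignore"


def triage(message: bytes):
    """Parse a received message and return the action decided for each record."""
    return [handling_policy(rec) for rec in parse_ndef(message)]


# Constructed sample: one short URI record (MB, ME, SR set, TNF well-known) for the newsletter's site.
SAMPLE_URI_MESSAGE = bytes([0xD1, 0x01, 0x10]) + b"U" + b"\x01smartcard.co.uk"

if __name__ == "__main__":
    for rec in parse_ndef(SAMPLE_URI_MESSAGE):
        print(decode_uri(rec), "->", handling_policy(rec))
```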

Page 6

Competitive landscape shifts as EPOS market continues recovery

By RBR London

A total of 1.68 million programmable electronic point-of-sale (EPOS) terminals were shipped to retailers and hospitality operators around the world in 2011, according to new research by London-based strategic research and consulting firm RBR (www.rbrlondon.com/retail). By the end of the year, almost 11.2 million terminals were in operation. Shipment activity during the year surpassed the level seen in 2008 – the last year before the full impact of the global economic crisis was seen – but was still below the 2007 record of 1.72 million units.

Global progress obscures regional variation

North America is once again the world’s largest EPOS region; shipments rose 17% in 2011 to 503,000 as the economy recovered and companies gradually resumed their expansion and replacement programmes. Activity remains below pre-crisis levels, however. Asia-Pacific is now the second largest region. Growth of just 6% in 2011 was partly due to a decline in the Japanese market, which had a difficult year following the tsunami and nuclear accident in March. Asia-Pacific is however the only region where shipments have grown in each of the last three years. Western Europe was the only region to shrink, with shipments down 5% as the region’s economy deteriorated, and customers wary of replacing existing units and generating little new business. The performance was disappointing across the region, with only three countries seeing any growth. The other regions – Latin America, central and eastern Europe (CEE) and the Middle East and Africa (MEA) – all grew by more than 20%, yet together they represented just 16% of global shipments.

Programmable EPOS Shipment Growth 2010-2011, by Region (chart)

Western Europe: -5%
Central & Eastern Europe: 23%
North America: 17%
Latin America: 29%
Asia-Pacific: 6%
Middle East & Africa: 41%

Source: Global EPOS and Self-Checkout 2012 (RBR)

Page 7

M&A activity among vendors reshapes competitive landscape

IBM is by a wide margin the world’s largest supplier of programmable EPOS terminals. In 2011, the company accounted for 20% of global shipments. In April 2012, Japan’s Toshiba TEC announced that it would buy IBM’s Retail Store Solutions division – the company’s point-of-sale hardware, software and services business. At a worldwide level, Toshiba TEC itself had a 5% share of EPOS shipments in 2011 – although the majority of its sales were to clients in its home market – giving the combined entity a quarter of the global market. NCR moved up to second place in 2011 with a share of 11%, thanks to its acquisition of Radiant Systems, whose EPOS hardware is used mostly in the hospitality and leisure segments. HP and Wincor Nixdorf were close behind in third and fourth place respectively.

Suppliers’ Shares of Programmable EPOS Shipments Worldwide, 2011 (chart)

IBM 20%
NCR 11%
HP 10%
Wincor Nixdorf 9%
Toshiba TEC 5%
Posiflex 4%
Micros 3%
DigiPoS 3%
Others 35%

Source: Global EPOS and Self-Checkout 2012 (RBR)

Mobile technology to complement, rather than replace, fixed EPOS

At a global level, EPOS shipment numbers are expected to increase by 7% in 2012 – slightly slower growth than in 2011, reflecting the challenging economic backdrop. In the longer term, new technologies represent the major threat to growth. Mobility is currently the hottest topic in retail, and it will affect almost every aspect of the industry, including EPOS. Recent years have seen deployments of mobile EPOS technology for various purposes, including queue-busting at peak times in large-format stores, providing a better one-to-one service in speciality retail and enhancing at-seat service in restaurants and bars. In most cases, new devices are being used in addition to existing EPOS terminals, rather than instead of them. Nevertheless, a more substantial shift away from fixed EPOS will be seen in high-touch retail, for example in fashion. Initially, the biggest deployments will be in North America: fixed EPOS shipments to the US general merchandise segment are forecast to start falling in 2014. Between 2011 and 2017, the global installed base of programmable EPOS terminals is forecast to increase by a CAGR of 4%. In the fast-growing economies of Latin America, CEE, Asia-Pacific and MEA, retailers and hospitality operators – both international and domestic – have ambitious expansion plans. With them comes a boom in the usage of EPOS technology, with growth averaging 10% per annum in these markets.

RBR is a strategic research and consulting firm with three decades of experience. It specialises in the areas of cards, payments and automation in the banking, retail and hospitality sectors. Based in London, RBR serves clients across more than 100 countries worldwide through premium research reports, consulting, newsletters and events.

Page 8

World News In Brief

Fujitsu Launches New Chip for High-Frequency RFID Tags

Fujitsu Semiconductor Limited announced the MB89R112, a chip for high-frequency RFID tags that includes 9 KB of FRAM storage. The FerVID Family uses ferro-electric memory, or FRAM, for fast write speeds, high-frequency rewritability, radiation tolerance, and low-power operation.

Fujitsu Semiconductor has responded to this need with the MB89R112 chip for RFID tags, which includes an SPI serial interface and 9 KB of memory capacity, an amount not found in any competing product for the HF band. The MB89R112 is designed as a near-field passive RFID chip that complies with the industry standard ISO/IEC 15693. The product was made available in sample quantities in August.

NFC Keychain for iPhones and Android Devices from China RFID

China RFID (DAILY RFID) has released its latest NFC tag-03 in keychain form, to be read with iPhones and Android devices. This NFC keychain is easily carried and brings NFC services such as mobile payment and loyalty services.

The NFC keychain can help to deploy any kind of near field communication service, such as mobile payment, mobile ticketing and loyalty services, and it is intended to secure the information exchange and payment processes. This ISO 14443 tag supports encryption, and reads and writes are password protected.

Heartland Payment Systems CSO Named Information Security Executive of the Decade

John South, chief security officer at Heartland Payment Systems has won the inaugural Information Security Executive (ISE) of the Decade Central Award from T.E.N. -- Tech Exec Networks, Inc., a national technology and information security executive networking and relationship-marketing firm. The recipient of the ISE Central 2011 Award, South was selected from six previous ISE Award winners in honour of achieving the highest distinction in advancing the security industry in the region.

South was honoured for his industry stewardship, including his leadership of industry organisations to fight cybercrime. He currently serves on the Board of Directors of the Financial Services Information Sharing and Analysis Centre (FS-ISAC), the only industry forum for collaboration on critical security threats facing the financial services sector. He also serves on the Board of Advisors of the Payment Card Industry Security Standards Council (PCI SSC) to help strengthen security standards and protect cardholder data against threats worldwide.

MasterCard and Deutsche Telekom Unite in European Partnership on Mobile Payments

MasterCard and Deutsche Telekom have announced a European partnership to enable consumers to use their mobile phones as a convenient and secure way to pay.

The first consumer roll-out will take place in Poland later this year. Also this year German consumers will be introduced to mobile payments, initially in a trial with mobile phone tags and cards, continuing into the first half of next year with a mobile wallet service which will also be open to other issuing banks and partners. Deutsche Telekom will issue the MasterCard products via its subsidiary company ClickandBuy, the owner of an e-money licence. Products will also be launched in other European markets.

The fact that the mobile wallet will be realized in the environment of the SIM card of the smartphones brings considerable benefits to the consumer: not only is the payment transaction secure, but the consumer has continuous and complete transparency and control because each transaction is confirmed via a text message.

Skrill Agrees to Buy paysafecard.com

Skrill, a European online payment provider and majority owned by Investcorp, has announced that an agreement has been reached for the 100% acquisition of paysafecard.com Wertkarten AG, an Austrian provider of prepaid vouchers that enable consumers to shop online. This strategic acquisition will transform Skrill's offering for both merchants and end-users by combining a digital wallet service with prepaid solutions available in 31 countries. The acquisition, which is subject to regulatory approvals being obtained.

Page 9

When Users, Admins and Applications go to War

By Paul Kenyon, COO, Avecto

Poor privilege management damages productivity. But do organizations even know it is happening? When the power of administrators managing Windows application privileges crashes head-on into the needs of employees, the results are rarely pretty but, paradoxically, almost always hidden from sight.

It’s not over-dramatic to describe the arena in which this to and fro plays out as a silent ‘battlefield’ that can be described using one of two scenarios. The first is not as universal as in the past but there will still be many organizations, especially small enterprises, in which it will still hold sway; a standard user asks to access a local or network application that requires admin-level privileges (legacy applications often assume such permissions as an uncomplicated demand) and is given it without question. With these privileges granted that user has just armed his or herself with a huge amount of power, both for good and ill, which looks uncomplicated until the user strays beyond his or her level of competence. The potential for users to generate security problems by installing, removing or fiddling with applications as they please is now accepted as risky in ways that require far less explanation than would have been the case even half a decade ago. Nevertheless, while the world has moved on from the insecure mindset of old this has ended up creating a problem almost as significant as the one being solved; controlling risk by locking down applications, and shutting off privilege escalation completely using Windows 7 and Vista User Account Control (UAC). Under this second scenario, networks don’t grind to a halt – application privileges aren’t required for all interactions - but there is now growing evidence that they slow down in ways that admins don’t always see, or perhaps care to see. Network users are now interrupted with occasional UAC application dialogs for which they have no authorization, blocking their work and productivity to an extent that is difficult to estimate in terms of its harm to business. 
The issue is surprisingly little discussed, since employees are rarely asked for their views on using company networks and privilege escalation is pretty abstract for most workers, but privilege management vendor Avecto made an interesting start with a recent survey examining the usually hidden effects of over-restricting and mismanaging privileges. The questionnaire of 1,000 UK employees found a hidden toll on employee and company alike: almost one in five believed they had missed a deadline at some point because they were denied full access to an application, and over a quarter were convinced IT departments were not giving them the application access they needed to do their jobs.

As to the support burden, 17 percent said they had called IT to request admin rights around three to five times a year, which probably underestimates the problem, because many employees call IT only as a last resort and prefer to suffer in silence. One in twenty reported contacting IT up to an energy-sapping ten times a year.

Admin rights are invariably withheld for security reasons, and you can see why. An astonishing 16 percent said they would be tempted to do the dirty on a former employer by using admin credentials to access sensitive data. Former employees coming in through the back door is no urban myth either: more than one in five said they knew people in their organization who had attempted to breach IT security policies, most likely by downloading and installing non-approved applications or by copying and removing company data.

“We always knew that there would be a significant impact on businesses if they mismanage user admin rights

Paul Kenyon

Page 10: Smart Card & Identity News More Problems With EMV Terminal ... July-A… · the target ATM only generates 4 UNs you would just need to pre-collect 4 ARQC messages from a genuine card.

Smart Card & Identity News • July/August 2012


World News In Brief

Mozilla Gains Global Support for a Firefox Mobile OS

Industry support is growing behind Mozilla's plans to launch a new fully open mobile ecosystem based on HTML5. The operating system, which Mozilla has confirmed will use its Firefox brand, will power the launch of smartphones built entirely to open Web standards, where all of the device's capabilities can be developed as HTML5 applications.

Mapping to key Firefox footprints around the globe, leading operators Deutsche Telekom, Etisalat, Smart, Sprint, Telecom Italia, Telefonica and Telenor are backing the open Firefox OS as an exciting new entrant to the smartphone marketplace. They have also identified the potential of the technology to deliver compelling smartphone experiences at attainable prices.

Device manufacturers TCL Communication Technology (under the Alcatel One Touch brand) and ZTE announced their intentions to manufacture the first devices to feature the new Firefox OS, using Snapdragon processors from Qualcomm Incorporated, the leader in smartphone platforms. The first Firefox OS powered devices are expected to launch commercially in Brazil in early 2013 through Telefonica's commercial brand, Vivo.

through security breaches, people accessing data after they leave, or expensive help desk calls. This survey also reveals the impact on individuals”, commented Avecto chief operating officer Paul Kenyon after reading the results.

If these experiences are as common as they appear to be, it paints a depressing picture of network life in many organizations. Employees are stymied by inscrutable rules that probably haven't been explained to them, which encourage them either to suffer in productivity-damaging silence or to find risky ways around the controls. Admins, meanwhile, can be oblivious to the issue while still fielding an inconvenient number of admin support requests. Money and time are wasted while, conversely, money is not being made.

Admins need security and certainty about what users can and can't do; employees need speed, simplicity and, above all, as few interruptions to their workflow as possible. Can these apparently conflicting needs be reconciled? As already alluded to, the problem lies at the heart of Windows (and of every established desktop operating system): users are divided into 'standard' or 'admin' accounts, and that division decides which applications, tasks and scripts can be run and under what circumstances. One solution is to manage this through a privilege management layer that bolts into Windows Active Directory and assigns privileges to applications, rather than to users, according to defined security policies and the principle of least privilege. With this, admins can transform the way network users relate to applications. Employees can be allowed to run chosen apps without interruption and without being handed unlimited admin rights in the process, and can even be offered the possibility of requesting applications on demand. Users receive only the minimum privileges they need, and application whitelisting can stop unmanaged, unknown applications from running at all.

If this offers a way out, admins should still heed the warning buried inside Avecto's employee survey results. Simply designing application policies from an admin's perspective risks miscalculating how employees actually use and access applications. To dodge this pitfall, a good privilege management system must also have a research or 'discovery' mode that provides data on how applications and users actually interact. Application policies should be built after studying the way applications are really used (and perhaps abused), not from an idealistic template based on deceptive generalizations. Privilege management used to be seen as just another optional management layer, but its benefits are finally being appreciated as core to the usability, productivity and security of Windows applications. Employees and the administrators who support them should be able to see applications as allies in a shared battle, not the site of a fruitless civil war.
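The 'discovery' data the article calls for can be approximated with what Windows already records. The script below is an added PowerShell example written for this page, not Avecto's product code: it reads Security log event 4688 (process creation), whose TokenElevationType field says whether a process was given a full administrator token through UAC, and aggregates elevated launches per user and executable so an application policy can be built from observed behaviour rather than guesswork. It assumes Windows 7 or later with "Audit Process Creation" turned on and, for the live query, read access to the Security log; the records it runs on here are constructed samples, not a real capture.

```powershell
# Added example, not Avecto's code: a minimal "discovery mode" built from Security log
# event 4688 (process creation). Every 4688 record carries TokenElevationType:
#   %%1936  Type 1, default token (UAC disabled, or the built-in Administrator account)
#   %%1937  Type 2, full administrator token obtained through a UAC elevation
#   %%1938  Type 3, limited token (what a standard user normally runs with)
# Counting %%1937 per (user, executable) shows which applications really run elevated and
# who asks for it, which is the data the article says policies should be built from.
# Assumes Windows 7 or later with "Audit Process Creation" enabled and, for the live
# query, read access to the Security log (Administrators or Event Log Readers).

$ElevationNames = @{
    '%%1936' = 'Default (UAC off or built-in Administrator)'
    '%%1937' = 'Full (elevated through UAC)'
    '%%1938' = 'Limited (standard user token)'
}

function ConvertFrom-ProcessCreationEvent {
    # Flatten one 4688 event into who launched what, with which kind of token.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        User      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process   = $data['NewProcessName']
        Elevation = $ElevationNames[$data['TokenElevationType']]
        Elevated  = ($data['TokenElevationType'] -eq '%%1937')
    }
}

function Get-ElevationReport {
    # For every (user, executable) pair, count launches that ran with a full admin token.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        Where-Object { $_.Elevated } |
        Group-Object User, Process |
        ForEach-Object {
            [pscustomobject]@{
                User       = $_.Group[0].User
                Process    = $_.Group[0].Process
                Elevations = $_.Count
            }
        } |
        Sort-Object Elevations -Descending
}

function Get-LiveProcessCreationEvents {
    # Read real 4688 records from the local Security log and flatten them.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-ProcessCreationEvent -EventXml ([xml]$_.ToXml()) }
}

function New-SampleEventXml {
    # Constructed 4688-shaped record (sample data, not a real capture), trimmed to the
    # fields the functions above read.
    param($Domain, $User, $Process, $TokenType)
    '<Event><EventData>' +
    "<Data Name='SubjectDomainName'>$Domain</Data>" +
    "<Data Name='SubjectUserName'>$User</Data>" +
    "<Data Name='NewProcessName'>$Process</Data>" +
    "<Data Name='TokenElevationType'>$TokenType</Data>" +
    '</EventData></Event>'
}

# Sample set: alice elevates a legacy app twice, bob runs the same app with a limited
# token (so it never reaches the report), and an admin elevates mmc once.
$samples = @(
    (New-SampleEventXml 'CORP' 'alice'   'C:\Program Files\LegacyApp\legacy.exe' '%%1937'),
    (New-SampleEventXml 'CORP' 'alice'   'C:\Program Files\LegacyApp\legacy.exe' '%%1937'),
    (New-SampleEventXml 'CORP' 'bob'     'C:\Program Files\LegacyApp\legacy.exe' '%%1938'),
    (New-SampleEventXml 'CORP' 'itadmin' 'C:\Windows\System32\mmc.exe'            '%%1937')
)
$events = foreach ($s in $samples) { ConvertFrom-ProcessCreationEvent -EventXml ([xml]$s) }
Get-ElevationReport -Events $events | Format-Table -AutoSize

# Against a real machine, swap the sample set for the live log:
#   Get-ElevationReport -Events (Get-LiveProcessCreationEvents) | Format-Table -AutoSize
```

Two caveats for anyone using this as a stand-in for a vendor's discovery mode. First, 4688 records processes that actually started: a standard user whose elevation prompt was refused (or who had no admin credentials to type) never creates an elevated process, so the friction the survey describes does not show up here, only the successful elevations do. Second, the report tells you which executables genuinely run with an administrator token and how widely, which is exactly the evidence needed to decide whether an application deserves a per-application rule under least privilege or whether it should be left to prompt.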


Ingenico and Chase Paymentech Bring EMV, NFC and POS Payment Options to U.S. Customers

Ingenico announced today that Chase Paymentech has selected Ingenico's new generation Telium iCT250 point-of-sale (POS) terminal for sale to merchants in the United States.

With the Telium iCT250, Chase Paymentech merchants can securely accept transactions presented by EMV chip card, NFC-enabled mobile phones, contactless cards, and traditional magnetic stripe cards.

Both companies closely collaborated to conclude the Class A certification of Ingenico's iCT250 hardware and application on Chase Paymentech Solution's Tampa (PNS) processing platform using their proprietary UTF message format.

The new Telium-based iCT250 terminal, available in the U.S. and Canada, was designed to meet the requirements of Visa's Technology Innovation Program (TIP) and the key elements outlined in MasterCard's EMV roadmap for the U.S. The terminal's clear backlit colour graphic display and backlit keypad allow easy transaction reading in any lighting conditions and clear signage to promote the merchant's brand.

Atmel Next-Generation LF RFID Transponder Provides

Atmel Corporation announced the production availability of a low-frequency (LF) RFID transponder device, the Atmel ATA5577M1330C-PP. Ideal for applications in building access control systems, industrial automation, consumer and industrial segments, and as tokens, key fobs or transponders, this new device offers designers the ability to develop more flexible, high-performance tag devices.

The new device provides a broad range of data rates from RF/2 to RF/128 (64 kbit/s down to 1 kbit/s at 125 kHz), a choice of modulation schemes (ASK, FSK and PSK) and a variety of coding schemes (Manchester, Bi-phase and NRZ). The Atmel-patented digital Analogue Front End (AFE) register enables the chip's analogue front-end circuitry to be adapted to the transponder and reader system for maximum performance. The ATA5577M1330C-PP is the only device on the market where the analogue behaviour can be tuned in a closed and sealed transponder for increased performance. By eliminating the need to open the transponder for tuning, the on-chip AFE register significantly simplifies the design and production process.

Survey Discovers Some Companies Lose 75% of their Security Devices

Millions of pounds are being wasted every year recovering and replacing lost physical authentication tokens, as IT professionals admit the ongoing management costs are huge because users frequently lose them. Those are the findings of a survey recently conducted by SecurEnvoy among 300 IT security professionals in London, which found that a staggering 12% of companies waste 'months' every year recovering and replacing lost physical security tokens.

An additional 10% revealed they waste weeks every year in management time chasing and replacing physical tokens, 13% lose days while a lucky 16% were able to contain this to a matter of hours.

Tokens are clearly being lost frequently. Looking at a typical 12-month period, it was galling to find that 7% of companies were losing tokens at a shockingly high rate of between 51% and 75%, 14% at between 26% and 50%, 13% at between 11% and 25%, and 32% of companies recorded a loss rate of 10%. You really do have to admire the commitment of the 3% of respondents who confessed that between 76% and 100% of all physical tokens in their organisation were being lost every year! When you consider that each token has an overhead cost averaging GBP 50, that's a lot of money to write off.

Anderson Zaks Gains Approval to Provide a 'Transaction Ready' Payment Service with Next Generation PIN Pads

Anderson Zaks has announced its new payment solution working with next generation PINpads that incorporate contactless payment facilities. The company has combined its PCI DSS compliant RedCard managed service with Ingenico's IPP 300 range of encrypted PINpad terminals to offer a service that is 'type approved' for all acquirers (banks). This fully integrated solution will enable merchants to quickly install a secure payment solution that is compliant with regulatory requirements, without formal accreditation.


Tackling the Geolocation Cookie Imperative

By Ramsés Gallego, CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT, Six Sigma Black Belt Certified, international vice president of ISACA

Ramsés Gallego discusses the new EU cookie legislation and the effect this will have on companies that provide location-based services.

If you are involved in designing, maintaining or managing a web site, then you should have noticed a new EU-wide amendment to the law as it relates to web browser cookies and consent. While much has been written about the failure of many portals to adhere to the new cookie rules—which became law in the EU member states at the end of May—the reality is that all EU sites, no matter how large or small, will eventually have to adhere to the new rules.

Some sites will be better placed to amend their cookie administration than others, but my observations suggest that the new rules will be a potentially major headache for those portals that make use of location-based (geolocation) information on their visitors. In a nutshell, the EU rules mandate that placing cookies onto the user's device requires the user's consent unless the cookies are "strictly necessary" for a service the user has requested. It appears that this exception will be narrowly interpreted by the Information Commissioner's Office (ICO) in the UK, allowing, for example, short-lived cookies that let Internet users shop online easily and quickly. The UK's ICO has issued some helpful guidance notes centring on the need for sites to perform a cookie audit, a user-impact assessment and an action plan.

Geolocation and the New Legislation

Geolocation is a discipline that is firmly on the modern Internet-savvy business agenda, as it can bring tremendous marketing rewards to the site concerned in the form of geo-marketing activities, targeted messages and so on. The introduction of the new cookie legislation presents a number of risks to portals that use geolocation. These risks can potentially outweigh the rewards, because the site has to handle a lot of data on the user "in the clear", including location, time and web-browsing habits. Organisations therefore need to be cautious when embracing mobility and all the features that come with it, include mobile devices within their corporate security strategy and integrate the devices within the business asset management programme. The issue here is that a growing number of mobile devices have corporate information stored on them and are used for enterprise activities. The new EU cookie directive obliges service providers to explicitly indicate that the browsing session on a given set of Web pages is being tracked/recorded.
This directive is here to stay and its implications and resulting implementations pose difficulties from a security perspective. Many of the ways a business will implement the required advisories will involve the use of intrusive messages that advise users about the privacy policy—and some sites will not let further browsing take place until the user has explicitly accepted the required conditions. This necessary approach will be difficult for businesses that strive for user-friendly experiences on the web to accept. However, implementing the EU cookie directive on a secure and effective basis is needed, as the data involved are both high-risk and personal. Sensitive data that could be leaked typically include information on gender, age and other attributes that could allow your “digital persona” to fall into the wrong hands, including Internet marketers.

Ramsés Gallego


This leads us neatly into the privacy aspect of the new legislation. As a result of the Internet, we have few barriers and few secrets. Many think it is now cool to post where we are, what we are doing, with whom, when and even why. In fact, according to an April 2012 survey conducted by global IT association ISACA, 32% of individuals in the US are using location-based services more now than they did 12 months ago (worryingly, 43% don't read the agreements associated with location-based apps, so most aren't sure what information they are providing to organisations). Clearly, organisations need to address how they gather location-based information and what they do with it. This business security process is about defining a security posture around the classification of information, data collection practices and so on that can identify a person's present location, and, equally important, past and future locations. Organisations must clearly indicate the methods of collection, the retention policies, and when, and how, the information will be destroyed.

The costs of not complying

Failing to comply with the new EU cookie directive will certainly have ramifications in cost, as well as legal and reputational consequences. And, whilst the financial implications can leave a big impact, the cost of reputational damage is likely to be far greater. The concept of privacy, when dealing with personal information, centres on the individual's trust in an organisation and its information systems. It is that trust that allows us, as individuals, to make a judgement call on whether we are happy to release the kind of information that we do to that organisation. Unfortunately, we have recently seen several examples of recognised brands suffering data/information breaches.
Based on the fallout from these breaches, it should be clear to any manager that companies must communicate the technical and organisational mechanisms they have in place to protect user information, such as encryption, processes and procedures.

How to comply with the directive

Businesses using geolocation applications and methods of data collection have a responsibility to behave ethically and to protect consumers' information and rights. And, whilst there are clear differences in how the US, Europe and other regions of the world treat the explicit consent of their Internet users, businesses around the world should provide opportunities to opt in: not by default, but with explicit consent from the user. Companies also need to include geolocation data as one of the priorities within their audit governance strategy. The definition of governance, by the way, is "setting strategic direction, and achieving corporate goals, ascertaining that risks are managed and that resources are used responsibly." The governance of geolocation data should be addressed using these facets of the definition. ISACA can assist greatly in the planning process that is central to the task of meeting the EU cookie directive's governance requirements. Earlier this year, the association released the COBIT 5 framework (available as a free download at www.isaca.org/cobit). COBIT 5 is created for business and IT professionals. Its guidance helps enterprises to bridge the gap between IT control requirements, technical issues and business risks. Just this month, ISACA published COBIT 5 for Information Security, which provides additional guidance on the enablers within the COBIT framework and equips security professionals with the knowledge they need to use COBIT for more effective delivery of business value.
The bottom line is that, if properly governed, geolocation is a tool that can be very effective for both consumers and businesses, and the EU cookie directive will, in the end, protect both of these parties.


World News In Brief

American Express Announces U.S. EMV Roadmap

American Express announced its network roadmap to advance EMV chip-based contact, contactless and mobile payments for all merchants, processors and issuers of American Express-branded cards in the U.S.

American Express will work alongside other industry participants to drive interoperability across the U.S. and other countries and support chip-based technology for chip and PIN, chip and Signature, contactless and mobile transactions.

American Express plans to begin issuing EMV-compliant cards in the U.S. in the latter half of 2012 and by April 2013, processors must be able to support American Express EMV chip-based contact, contactless and mobile transactions.

Bootable USB Flash Drive Allows Secure Remote Working

Cryptzone announces the release of AppGate MOVE (My Own Virtual Environment), a USB flash drive that provides a portable and robust way to access information and applications securely from virtually any computer. As the secure bootable USB works independently of the host device's operating system, the risk from malware infection is eradicated.

Working in combination with an AppGate Security Server, this USB flash drive is a bootable device that contains a full operating system, the AppGate client, a web browser, a Microsoft-compatible office suite, an email client and other applications required to complete daily tasks. MOVE does not rely on, or use, the operating system on the host computer, and it executes in a secure and trusted environment regardless of the host's configuration. In addition, MOVE includes an encrypted partition for user data, so it does not use the local PC's hard drive, meaning no trace or residue is left when the session to the AppGate server is closed.

Jamie Bodley-Scott, Account Director for Systems Integrators at Cryptzone, says: "With more organisations offering occasional home working, MOVE is a perfect low-cost option, providing trusted access to corporate information from an untrusted computer at home or in a public space. MOVE allows people to work securely because the configuration of the PC is irrelevant and untouched. This is important from a security policy viewpoint."

Kerry Brown, Whitfield Diffie and Steve Marshall Join Cryptomathic's Technical Advisory Board

e-Security solutions provider Cryptomathic has appointed industry experts Kerry Brown, Whitfield Diffie and Steve Marshall to its new Technical Advisory Board. Brown, a serial entrepreneur, inventor and partner of Cryptomathic, Diffie, a world-renowned cryptographer and security specialist, and Marshall, former Chair of the UK Cards Association Card Security Group and security expert at Barclays, bring a wealth of expertise to provide guidance that will further advance Cryptomathic's cutting-edge security technology.

With over 25 years' experience, Cryptomathic is a leading provider of security solutions to businesses across a wide range of industry sectors including finance, technology, digital rights management, and government.

Peter Landrock, Executive Chairman and Co-founder of Cryptomathic, comments: "Cryptomathic is dedicated to embracing innovation and investing in the future of the security industry. The renowned experience and knowledge of these individuals across a range of markets and regions will be invaluable as we continue to deliver the next generation of security solutions and retain our role as a market innovator. Their decision to team up with Cryptomathic demonstrates their recognition and appreciation of our company and its values."

ICO Shows its Teeth

Organisations are learning the hard way about the consequences of mishandling people's information, and others need to heed the lessons, the Information Commissioner, Christopher Graham, warned at the launch of the ICO's 2011/12 annual report.

The Commissioner's comments came as the ICO imposed a civil monetary penalty (CMP) of GBP 150,000 on the consumer lender, Welcome Financial Services Limited (WFSL), after the loss of more than half a million customers' details.


Information Commissioner, Christopher Graham, said: "Over the past year the ICO has bared its teeth and has taken effective action to punish organisations many of which have shown a cavalier attitude to looking after people's personal information.

"This year we have seen some truly shocking examples, with sensitive personal information, including health records and court documents, being lost or misplaced, causing considerable distress to those concerned. This is not acceptable and today's penalty shows just how much information can be lost if organisations don't keep people's details secure."

Today's penalty was issued after WFSL's Shopacheck business lost two back-up tapes which contained the names, addresses and telephone numbers of their customers in November last year. The tapes have never been recovered.

Twenty Percent of Australians Hit by Identity Theft

An Australian Debt Study report conducted by Veda reveals that 20% of Australians have either had their identities stolen or personal / financial details accessed illegally.

"Identity crime is a thriving industry in Australia, with the Australian Bureau of Statistics estimating the cost of personal fraud to consumers at $1.4 billion a year. Whilst credit card fraud is a common form of identity crime, many people do not realise that with only a small amount of personal data, an identity thief could take out a second mortgage on a house, or open up a new line of personal credit and purchase items in their name or under a false identity," Matthew Strassberg, a Veda senior advisor, told the Sydney Morning Herald.

Slow Start for New Travel Smartcard

The new Leap travel smartcard in Ireland is experiencing a low take up six months after it was introduced at a cost of more than Euro 55 million.

Figures obtained by the Irish Independent reveal that "just 6% of all 500,000 daily Dublin Bus journeys, 7% of the 90,000 Luas trips and 10% of the 100,000 work day journeys on Irish Rail Dart and commuter services are made with the prepaid card, according to National Transport Authority".

Direct to Bill to Drive Mobile Content Monetisation

Telefonica Digital today unveiled plans to leverage the billing relationships it has with its customers globally to help drive the monetisation of mobile content. Telefonica sees the ability to pay for digital goods and services via a mobile phone bill as a key way of driving downloads of paid for content, particularly in developing markets where credit card penetration is low.

Through its Digital unit, Telefonica now has global framework agreements in place to offer direct to bill payments with Facebook, Google, Microsoft and Research In Motion (RIM). It has started to roll out the capability in Europe and plans to have it live in 14 of its operating businesses globally by year end.

Direct to bill offers a simple and convenient way for customers to purchase goods, particularly virtual goods, via their mobile phone. Whether they are buying an app, mobile game or making an in-app purchase, direct to bill enables the customer to simply charge the payment to their phone bill or prepaid credit, avoiding the need to use a credit card.

Global Smart Card Market to Hit $7.3 Billion by 2017

A new report from Companies and Markets (http://www.companiesandmarkets.com), Smart Card Technologies and Global Markets - Market Research Report, shows the smart card market growing at an amazing pace.

In 2011, 6.2 billion smart cards were shipped. It is estimated that smart card shipments are forecast to reach 6.8 billion in 2012 and 11.1 billion in 2017, increasing at a compound annual growth rate (CAGR) of 10.3% from 2012 to 2017. In dollar figures, the smart card market was at $4.7 billion in 2011. It is expected to reach nearly $5.1 billion in 2012 and $7.3 billion in 2017, at a CAGR of 7.4%.

This study is an extensive collection and analysis of market data that defines and explains how the smart card industry is developing and what its prospects are in the long term (2012 to 2017). The study includes the market findings of smart card projects implemented worldwide and also encompasses smart card usage and its acceptance by the public.


Gemalto Machine Identification Module First to Achieve ISO/TS 16949

Gemalto's new automotive-grade Machine Identification Module (MIM) is the first to achieve the highest level of ISO/TS 16949 certification for state-of-the-art production processes plus a suite of assurances for superior quality products. Gemalto's auto-grade MIM is used by mobile operators, automotive manufacturers and original equipment manufacturers to identify individual vehicles, encrypt M2M communications and ensure secure global connectivity for applications such as smart vehicle systems, eCall emergency solutions and vehicle telematics.

With ISO/TS 16949 certification, Gemalto auto-grade MIMs can be tracked and traced during vehicle production, installation and throughout lifetime driving for up to 15 years. Gemalto provides the ability to quickly identify specific MIMs within 48 hours. These highly robust qualities are crucial to proper risk management in the automotive industry where vehicles and critical components are often warranted for life.

Aussie-first Innovations Make Banking Simpler

The Commonwealth Bank has made it possible for more Australians to embrace mobile banking on more devices, unveiling a number of new innovations to its industry-leading and world-first social payments app CommBank Kaching.

CommBank Kaching is now available on Google Android powered smartphones while Apple iPhones get an Australian first - Bump payments that allow money to be exchanged or a payment to be made by tapping two phones together. Commonwealth Bank also announced it will launch CommBank Kaching for Facebook later this year, making it possible for customers to do all their banking without ever leaving Facebook.

"We're making banking simpler and more convenient. As promised, we're giving Android users access to Kaching which will particularly appeal to the youth market who are using Android more and more," said Andy Lark, Chief Marketing and Online Officer, Commonwealth Bank.

Telefonica and Visa Europe Form Strategic Relationship

Telefonica Digital and Visa Europe announce they have agreed a wide ranging strategic partnership to drive new business opportunities within mobile commerce across Telefonica's European footprint. The agreement will see both companies co-invest in the development of innovative products and services in areas such as mobile wallet, contactless payments (NFC), acquirer services for mobile point of sale, and merchant offers.

Telefonica is committed to striking wide-ranging, open partnerships with a range of companies in order to develop the best possible mobile commerce services. In addition to Visa Europe, it has recently formed partnerships with Sybase and Giesecke and Devrient.

Ingenico Starts Local Production of Payment Terminals for the Russian Federation

Ingenico has announced the start of its production of payment terminals based on the Telium 2 platform in a Russian factory.

The decision has been made after an in-depth analysis of the Russian payment market in terms of volume potential and structure, combined with an economic study of the benefits of manufacturing in the Russian Federation.

The Ingenico terminals will be produced at the Jabil factory, located in the Tver Region, near Moscow. The factory is equipped with the latest modern and high-tech production lines, enabling the manufacture of up to 500,000 units from the Ingenico product range. The flexibility of the manufacturing architecture allows for quick adjustments according to current market requirements - both in quantitative terms, and in the range of configurations.

Vigitrust Announces Master European Reseller Agreement with Verizon

To help its European customers achieve PCI DSS (Payment Card Industry Data Security Standard) compliance, VigiTrust has teamed with Verizon to expand its IT Security & Compliance offering to include QSA (Qualified Security Assessor) services. Vigitrust will now offer its customers Verizon's full portfolio of QSA services, including PCI DSS security project initiation, compliance remediation, compliance validation and certification as well as compliance project management and maintenance.

The Verizon 2012 Data Breach Investigations Report found that 96% of the breach victims investigated were not PCI DSS compliant when they were last assessed (or were never actually assessed or validated). The importance of PCI DSS compliance is therefore clear - but Vigitrust also believes that for best security practice, gap analysis, remediation work & QSA assessments should be completed independently, to prevent a QSA from evaluating their own work. By teaming with Verizon, Vigitrust is able to offer its customers a single interface to both best security practice, and full service assessment.

Morpho's new eco-friendly 100% paper SIM

Morpho (Safran group) has announced that its new environmentally-friendly SIM card, SIMply Green, is a paper card made entirely of wood fibres (conforming to EN 13432 and using FSC-certified wood). The smart card is biodegradable, compostable and recyclable, reflecting the commitment of Morpho, and of most of its customers, to supporting environmental protection.

The new cards have successfully passed extensive testing for milling, punching and embedding to prove that their eco-friendly material does not compromise the expected functionality of a SIM. Optical personalisation of the card is possible with dark backgrounds. SIMply Green is compatible with all handsets available on the market.

The first volumes of SIMply Green have already been delivered to a well-known European mobile network operator.

NanoMarkets Sees Thin-film/Printed Battery Powered Products Surpassing $6.5 billion by 2016

Industry analyst firm NanoMarkets' latest report, titled "Thin-Film and Printed Battery Markets - 2012", claims that by 2016 the value of products shipped that are powered by thin-film/printed batteries will reach $6.5 billion.

Smartcards present a compelling market for thin-film and printed battery firms, as both Bank of America and eBay now offer powered smartcards that have the ability to significantly reduce today's massive monetary losses due to credit card fraud. This sector is dominated by Solicore for now, but NanoMarkets fully expects to see other firms making a strong play for the market. By 2016, the value of smartcard products containing thin-film and printed batteries will be around $960 million.

White Paper Reveals the Hidden Controls Holding Back Mobile Wallet Development

Mobey Forum's latest white paper 'Mobile Wallet: The Hidden Controls' takes a step into the future and considers the external forces that will dictate how consumers and merchants engage with mobile wallet technology during their day-to-day activities. The paper defines and analyses a series of 'hidden control points', which map the commercial battlegrounds where stakeholders will vie to influence both acceptance and adoption of mobile wallet technology.

Amir Tabakovic, Head of Market Development at PostFinance and Chair of the Mobey Forum Mobile Wallet Task Force comments: "As the first wave of mobile wallet solutions start to appear, the market's attention remains fixed on mobile wallet apps and the devices where they reside. We think this is unbalanced - the mobile wallet ecosystem is highly complex and its component parts are interdependent. The market's failure to adequately consider the external forces influencing the mobile wallet is preventing the technology from fulfilling its full potential."

The paper will be of interest to merchants, banks and financial institutions, mobile network operators, handset manufacturers and operating system providers. To download the 'Mobile Wallet: The Hidden Controls' white paper without charge, visit www.mobeyforum.org.

GlobalPlatform Welcomes Diebold as Latest Member

GlobalPlatform has announced Diebold, Incorporated as its latest Observer Member. Diebold has a particular focus on advances in mobile financial services.


Man in the Mobile Attacks Single Out Android

Trusteer reported the first SPITMO (short for SpyEye in the mobile) attack targeting banking customers on the Android platform. Recently Trusteer discovered the first Tatanga-based man in the mobile (MITMO) attack as well as new SPITMO configurations which are targeting Android mobile banking users in Germany, the Netherlands, Portugal and Spain. With nearly 60% of the market and a reputation for weak app security, it's no surprise that Android has become the preferred target for financial malware.

Like previous attacks, both the SPITMO and Tatanga MITMO variants target Windows users on the web and use a web injection in the desktop browser to lure them into installing a fake security application on their phones. The fraudsters claim this application is required by the bank as a new layer of protection, and that 15 million bank customers around the world are already using it.

In most attacks, if the victim is using an operating system other than Android the malware informs the user that no further action is required. However, for all Android users, the desktop component of the MITMO attack requests the victim's phone number and notifies them that a link for downloading the security application has been sent (via SMS) to their mobile device. The user is directed to install the fake application from this link and enter the activation code provided by the malware. Certain attacks also request that BlackBerry users download the application, but it does not actually install on these devices.

Once installed, the mobile malware captures all SMS traffic, including transaction authorisation codes sent by the bank to the victim via SMS, and forwards them to the fraudsters. This enables the criminals to initiate fraudulent transfers and capture the security codes needed to bypass SMS-based out-of-band authorisation systems used by many European banks.

Intel and ASML Reach Agreements to Accelerate Key Next-Generation Semiconductor Manufacturing Technologies

Intel Corporation today announced it has entered into a series of agreements with ASML Holding N.V. intended to accelerate the development of 450-millimeter (mm) wafer technology and extreme ultra-violet (EUV) lithography totalling Euro 3.3 billion (approximately $4.1 billion). The objective is to shorten the schedule for deploying the lithography equipment supporting these technologies by as much as two years, resulting in significant cost savings and other productivity improvements for semiconductor manufacturers.

UBPS to Acquire and Consolidate Three Business Payment Companies

Universal Business Payment Solutions Acquisition Corporation (UBPS) has announced that it has entered into definitive agreements to acquire Electronic Merchant Systems, Jet Pay LLC and AD Computer Corporation.

UBPS will acquire the three companies in a transaction valued at approximately $179 Million. If approved by regulators and the company's stockholders, the business combination is expected to close early in the fourth quarter of this year.

Smart Card Alliance Launches 'EMV Connection'

Payments industry stakeholders now have a website dedicated entirely to helping with the United States' upcoming move to EMV chip technology - EMV Connection. The site, launched by the Smart Card Alliance, provides up-to-date information on the status of EMV migration, along with tutorials and educational resources that will assist with migration.

"Now that the payment brands have announced their roadmaps to accelerate EMV adoption in the United States, we've taken the initiative to develop a dedicated website where industry participants can get information about the fundamentals of EMV, and how the migration from magnetic stripe cards to EMV chip technology is progressing in the United States," said Randy Vanderhoof, executive director of the Smart Card Alliance.

The EMV Connection site is laid out so that all major EMV stakeholders (issuers, merchants, payment processors/acquirers and consumers) can easily find valuable information such as frequently asked questions, white papers, videos, slideshows, and links to other EMV resources that will best help them travel their own unique EMV migration path.


Oberthur Technologies to Open Service Centre in Canada

Oberthur Technologies announces it has finalised plans to open a secure service centre in Ottawa, Ontario, Canada. The 1,400 m² facility will enable the personalisation of secure devices and documents (including magnetic stripe and EMV cards as well as SIM cards and identification credentials) for customers throughout Canada.

"Oberthur Technologies' proven global ability to meet customer needs in the payment, telecom and ID markets coupled with the booming Canadian demand in these key segments are at the centre of our decision to open a facility in Canada," said Martin Ferenczi, Managing Director of the Americas Region at Oberthur Technologies.

ISACA Combines Two World-Renowned Conferences into One Event

With many organisations facing increased monetary and time pressures, ISACA has responded by combining two of its major conferences. The three-day, inaugural event, taking place 10-12 September in Munich, Germany, will unite its European Computer Audit, Control and Security (CACS) and its Information Security and Risk Management (ISRM) conferences in one convenient setting.

The highly interactive event will give attendees the opportunity to discuss today's IT-related topics with speakers and peers. Sessions include: Audit Practices That Make an Impact, Improving IT Audit Performance, Securing Data, Solving IT and Business Issues, and IT Risk and Exposure Management. Delegates will be able to select the sessions most appropriate to their needs from lively sessions, interactive panel discussions, hands-on participation and case studies from a variety of industries. The event will also include sessions at the end of each day, where speakers will review the day's topics and answer questions.

Smartcard News Subscription

Smart Card & Identity News is an independent international newsletter. Our key industry topics are smartcards, biometrics, cryptography, identity management, RFID, mobile and payments. Within these industries we cover technological advances, security breaches, new products, personnel changes, contracts and company take-overs. We also include opinion pieces and technical tutorials from the industry's leading experts. To subscribe please contact us on +44 (0)1903 734677 or email [email protected]; subscriptions can also be purchased on Amazon by searching for "Smart Card & Identity News".

CRI and Discretix Sign Developer Agreement for DPA Countermeasures

Cryptography Research, Inc. (CRI) and Discretix announce they have entered into an agreement enabling Discretix to develop products incorporating Differential Power Analysis (DPA) countermeasures for use by licensees of CRI's DPA patents. Discretix is a provider of field-proven content protection and embedded security solutions for mobile applications.

"Discretix CryptoCell with DPA countermeasures is a certification-ready semiconductor IP platform for the secure element market. Including DPA countermeasures into this product and other enhanced Discretix offerings will help our customers achieve the required certifications at minimal cost and effort," said Asaf Shen, VP marketing, IP products of Discretix.

DPA is a form of attack that involves monitoring the fluctuating electrical power consumption of a target device and then using statistical methods to derive cryptographic keys and other secret information from that device. Strong DPA countermeasures are important for securing mobile devices, bank cards, pay television systems, secure identity products, secure storage media, anti-tamper products and other electronic systems and components. Many of the world's leading security standards require that devices be protected against DPA and related attacks.
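To make the paragraph concrete, and to show why masking is the countermeasure the agreement is about, here is an added simulation that is not code from the newsletter, CRI or Discretix: a constructed 4-bit S-box (PRESENT's, used only as a small bijection) keyed by XOR leaks the Hamming weight of its output plus Gaussian noise, and correlation-based DPA is run over the constructed traces with and without Boolean masking; the key, trace count, noise level and seed are all assumptions.

```python
import math
import random

# Added example, not the newsletter's or CRI/Discretix code. A toy 4-bit
# S-box (PRESENT's, used only as a small bijection) keyed by XOR leaks the
# Hamming weight of its output plus Gaussian noise; all values constructed.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(v):
    """Hamming weight: the usual power model (bits set on a data bus)."""
    return bin(v).count("1")

def simulate_traces(key, n, sigma, masked, seed=2012):
    """Return n constructed (plaintext nibble, leaky sample) pairs."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n):
        pt = rng.randrange(16)
        inter = SBOX[pt ^ key]
        if masked:
            # Boolean masking: the device only handles inter ^ m with a fresh
            # random m, so one sample's distribution no longer depends on inter.
            inter ^= rng.randrange(16)
        traces.append((pt, hw(inter) + rng.gauss(0.0, sigma)))
    return traces

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0

def dpa_scores(traces):
    """Correlation DPA: per key guess, correlate predicted HW with samples."""
    samples = [s for _, s in traces]
    return {g: pearson([hw(SBOX[pt ^ g]) for pt, _ in traces], samples)
            for g in range(16)}

def best_guess(scores):
    # HW leakage correlates positively with the model, so rank signed.
    return max(scores, key=scores.get)

if __name__ == "__main__":
    plain = dpa_scores(simulate_traces(0x9, 2000, 0.5, masked=False))
    masked = dpa_scores(simulate_traces(0x9, 2000, 0.5, masked=True))
    print("unmasked: best guess 0x%x, corr %.2f" % (best_guess(plain), plain[0x9]))
    print("masked: largest |corr| %.2f" % max(abs(c) for c in masked.values()))
```

On the unmasked device the correct key stands out with a correlation close to 0.9 while every wrong guess stays below 0.5; on the masked device every guess sits near zero, which is the first-order resistance a countermeasure has to deliver.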

HID Global Ships Over 150 Million eID Solutions

HID Global has announced the company has shipped over 150 million high-technology eID (electronic ID) solutions to governments for citizen IDs around the world. The company's management team and employees, along with local political and business officials, are celebrating this milestone in a special ceremony in Ireland.
