GS Logo
The Green Sheet, Inc

Please Login

Banner Ad
Skyscraper Ad

Friday, September 22, 2017

SEC uncovers massive breach

H ackers exploited a software vulnerability to access the Security and Exchange Commission's corporate filing system in 2016, according to a Sept. 20, 2017, disclosure by the SEC. The agency discovered the intrusion during a security assessment authorized by SEC Chairman Jay Clayton, the commission stated.

The story, initially reported by Wall Street Journal reporter Dave Michaels, rapidly spread across news channels, igniting fierce commentary among security analysts, who questioned why the SEC failed to patch a known vulnerability in its Edgar filing system. This latest criminal intrusion doesn't impinge on the payments chain in the same manner that the recent, massive Equifax breach has potential to do, but the questions it raises illuminate the need to implement significantly improved data security practices and technology across the board, some experts noted.

"While we await greater detail about what layer and component of the application stack was exploited, it furthers the point that strengthening application security is critical. In this case, a vulnerable piece of software was used to exfiltrate sensitive and ephemerally private information," said Kunal Anand, Chief Technology Officer and co-founder at Prevoty. "On the heels of the now historical Equifax breach, two burning questions are top of mind: 1) was the vulnerable software component previously known and did Edgar fail to patch it? and 2) why wasn't this information encrypted, or was it encrypted and did attackers compromise sensitive keys?"

Brad Keller, Senior Director 3rd Party Strategy at Prevalent Inc., called the Edgar breach a classic case of criminals targeting a system used by numerous companies. "It's a simple business proposition – why expand resources to hack into one company's data base when, through the relatively same level of effort, you can gain access to dozens (or in the case of Edgar tens of thousands) of corporate financial records," he stated. "While the SEC is not a vendor in the classic sense, the analogy to why criminals target vendors for the higher 'return on hack', is very clear."

Penetrate once, compromise many

Jeff Hill, Prevalent Director of Product Management, said the SEC hack took a page from an exploit reported in August 2015, involving an international hacking group that intercepted a corporate wire service and made millions off insider trades.

"The Edgar episode is also tantalizing efficient for bad actors: penetrate once, compromise many," Hill noted. "Rather than hacking multiple public companies to illicitly gather valuable insider information, the Edgar perpetrators could parlay a single breach into a potential monetizable data bonanza."

Gabriel Gumbs, Vice President of Product Strategy at Stealthbits Technologies, said the hackers gained access to Business Wire, PR Newswire and Marketwired, and used the wire services to trade ahead of more than 800 financial releases, which resulted in more than $30 million in fraudulent stock market transactions. "Other financially motivated hackers were clearly paying attention, as the SEC hack targeted the same type of information," he added. "Protecting information that will be made public but has to remain private for some period of time is very difficult to govern."

Gumbs urged publicly traded companies to implement private data governance programs with dynamic access rights to protect classified information prior to public disclosure. "This is not an area most organizations have shown competence in, and for any publicly traded company it is an area that they must be proficient in, but until then, expect this will not be the last such insider trading hack," he added.

SEC's five-point protection plan

Clayton implemented a five-point security assessment in May 2017, intended to identify and patch vulnerabilities in the SEC's data collection, risk management, supervision of regulated entities, coordination with other regulators and pursuit and enforcement of cyber threat actors that seek to harm investors and markets. Forensic analysts have yet to determine whether the internal assessment or criminal behavior alerted the SEC to the year-old data breach.

Hill suggested the SEC hack, like the 2015 breach, was exposed by anomalous insider trading behavior rather than traditional security methods, which he called, "a particularly disconcerting reality for the SEC's security professionals, if in fact that's the case."

In an SEC statement about the intrusion, Clayton said, "I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important. Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself. Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery."

Apple's Face ID faces uphill challenge
Thursday, September 21, 2017

A pple iOS user reaction to the new Face ID authentication system built into the iPhone X has been mixed. Face ID, unveiled Sept. 12, 2017, requires users to look at the screen to unlock the phone, access secure apps and enable Apple Pay. Despite Apple's claims that "all saved facial information is protected by the secure enclave" and that "processing is done on-device and not in the cloud to protect user privacy," many are skeptical of using facial recognition for identification purposes.

According to a survey conducted by Juniper Research Ltd., of the U.S. iOS users it surveyed, more than 40 percent said they are unlikely to use facial recognition as a payment security technology. By contrast, among contactless payment users overall, a majority considered fingerprint and voice recognition technologies more appealing, with 74 percent and 62 percent, respectively, likely to use these technologies.

Overconfidence in fingerprints

However, mounting evidence suggests that confidence in fingerprint ID security could be premature. Researchers at the New York University Tandon School of Engineering and Michigan State University College of Engineering found that partial similarities between fingerprints could render fingerprint ID systems in today's mobile devices susceptible to fraud.

"The vulnerability lies in the fact that fingerprint-based authentication systems feature small sensors that do not capture a user's full fingerprint," university researchers noted.

"Instead, they scan and store partial fingerprints, and many phones allow users to enroll several different fingers in their authentication system. Identity is confirmed when a user's fingerprint matches any one of the saved partial prints."

Researchers hypothesized that based on similarities among different people's partial prints a "MasterPrint" could be created. Michigan State University Professor of Computer Science and Engineering Arun Ross said, "As fingerprint sensors become smaller in size, it is imperative for the resolution of the sensors to be significantly improved in order for them to capture additional fingerprint features. If resolution is not improved, the distinctiveness of a user's fingerprint will be inevitably compromised."

Security a major concern

The Juniper survey also found that 32 percent of those who do not use contractless mobile payment methods were concerned about transaction security; only 14 percent within the contactless-payment user group expressed such concerns. Along similar lines, 10 percent of mobile banking users voiced doubts about transaction security, while among nonusers, 30 percent had reservations about security.

"Transaction security is a key barrier for mobile financial services adoption," said James Moar, Senior Analyst at Juniper. "Addressing these concerns will bring many consumers to the point where they will consider using such services."

According to Juniper, the number of U.S. contactless payment users grew by just 2 percent year-over-year, with a majority of deployments stemming from smartphone original equipment manufacturers (OEMs) such as Apple Pay, Samsung Pay and Android Pay. Among those surveyed, 73 percent of OEM-Pay users expected to increase usage compared with 39 percent of nonusers expected to start using mobile contactless payments.

For more information about the Consumer Attitudes to Mobile Banking & Contactless Payments: US survey report, visit

NFC Forum boosts interoperability, quality, differentiation, metrics
Wednesday, September 20, 2017

F ollowing its mission to advance the use of near field communication (NFC) by developing specifications, ensuring interoperability and educating the market, the NFC Forum just added an NFC tag and reader certification to its global Certification Program. This addition means that tag/inlay, NFC reader and handset manufacturers will now be able to test and verify the performance and interoperability of all key components in the NFC ecosystem.

This program is designed for companies who put a premium on customer experience and want to ensure that their NFC-enabled devices function the way they want when they want, the NFC Forum stated, adding that the top four reasons to certify with this program are interoperability, quality assurance, product differentiation and useful metrics.

"We are excited about the next wave of product innovation this program will usher in," the Forum said. "Certification will help ensure that NFC tags, readers and handsets provide consistent, compelling and connected user experiences."

Faster, less costly implementations

The program is designed to shorten the adoption process, lower adoption costs and simplify product implementations. "NFC Forum Certification demonstrates to customers, consumers and partners that a company values product quality and improving the customer experience," said Paula Hunter, NFC Forum Executive Director. "Certification also helps ensure a product embedded with NFC can work with the 36 billion IoT devices predicted to be in use by 2020 by creating a simple, easy way for businesses and consumers to be connected."

Dr. Joerg Schmidt, Business Development Manager for NFC, Transportation and Standardization, at Infineon, added, "The NFC Forum Certification Program will help organizations to innovate and create products that offer consistent, compelling and connected user experiences across the entire NFC ecosystem of handsets, readers and tags. The certification program will drive industry-wide interoperability with other devices ensuring that products do what customers want, when they want it."

Six steps to certify

Certification involves six steps, as follows:

  1. Join: Become a member of the NFC Forum to enjoy membership benefits and start the Certification process, if your organization is not already a member.
  2. Prepare: Familiarize yourself with the NFC Forum Certification Policy and Device Requirements.
  3. Test: Determine which Authorized Test Lab meets your test your product(s) testing needs and schedule your testing.
  4. Report: Once testing at an Authorized Test Lab is complete, pay certification fees and agree to the NFC Forum Terms and Conditions during checkout.
  5. Apply: Assemble the package of all required certification documents, create an account, and submit your documentation online to the NFC Forum.
  6. Promote: Once certified, it's recommended that you add the Certification Mark to your site, product (if appropriate), packaging and collateral (according to the NFC Forum Certification Mark Guidelines). The mark may be used upon acceptance of the NFC Forum Certification Mark License Agreement and a one-time fee per registered organization. Also, be sure to share your product certification news with your customers.

"Worldwide, a growing number of touchpoints based on NFC tags enrich the daily life of consumers," stated Dr. Michael Jahnich, Director Contactless Test Solutions at Comprion. "Compliance of NFC tags is essential to ensure the highest level of interoperability of tags, smartphones, and readers, and to offer a satisfying user experience. The NFC Forum Tag Certification Program establishes tag compliance and helps tag vendors and solution providers to deliver consistent, global connectivity across all applications and environments."

For an overview of the program, visit

1-click checkout now out of Amazon's control
Wednesday, September 20, 2017

A mazon Inc.'s 1-click purchase patent expired Sept. 11, 2017, following a successful, 20-year run. Awarded in 1997, when Amazon was selling books online, it enabled consumers to purchase items with a single click, using stored billing, shipping and payment credentials. Retail analysts say the 1-click concept revolutionized online retail and boosted ecommerce spending. Casey Gannon, Vice President of Marketing at Shopgate Inc., expects to see 1-click checkouts broadly implemented across the retail ecosystem in the wake of the patent's expiration.

"With the expiration of Amazon's 1-click buying patent, retailers are left with a significant opportunity to leverage similar technologies, a functionality that can help reduce cart abandonment," Gannon noted. "For mobile users in particular, cart abandonment is one of the most prevalent challenges retailers face."

Miya Knight, Global Retail Technology Director at PlanetRetail RNG, stated, "While shipping, taxes and delivery impact conversion online, shopping cart abandonment costs retailers millions in lost revenue. Therefore, anything that can reduce friction at the point of checkout should be prioritized by retailers." Knight further noted the 1-click patent gave Amazon a competitive advantage; like Gannon, she expects to see competitors implement similar 1-click ordering schemes.

Consumer brand optimization

In addition to speeding checkouts and improving online conversion rates with 1-click ordering, Amazon built a global marketplace that provides consumer brands and retailers with actionable metrics and consumer data. Salt Lake City-based One Click Retail helps leading consumer brands leverage Amazon's advanced algorithms to increase sales through targeted campaigns.

The company expanded on Amazon's marketing principles in a report titled 4 Ps of a successful holiday eCommerce plan: Products, Price, Promotions and Placement, published Sept. 11, 2017. Following are several highlights from the research:

1-click mobile payments

The Amazon Mobile Payments Service launched 1-click mobile payments in October 2009, with a branded mobile app for Apple, Android and Windows mobile devices, along with an application programming interface library for mobile app developers. The solution was designed to provide the same peace of mind and convenience as the online shopping experience to tens of millions of customers, the company stated.

"We're pleased to make it easier for our Amazon Payments developers and merchants to extend mobile payment options and the ease of 1-Click checkout to their customers," said Howard Gefen, Director of Amazon Mobile Payments in an Oct. 5, 2009, statement. "Amazon customers can now also make purchases on third party sites without needing to set up separate payment accounts—they simply use the payment information in their existing Amazon accounts."

Gannon expects more ecommerce merchants to offer 1-click checkout options on the mobile web. "Timeliness is the single most vital aspect of the decision-making process, and mobile retailers should adopt one-click checkout processes, as well as leverage deep links, social login, and other streamlined payment options to most effectively capture the mobile user in the right moment – the exact moment they're browsing," she said.

Four women in payments receive 2017 Wnet Awards
Tuesday, September 19, 2017

W omen's Network in Electronic Transactions (Wnet) just revealed the 2017 Wnet Awards winners. The organization was founded in 2005 to inspire and empower women in the payments industry. The annual awards recognize volunteers who are doing outstanding work to help further those goals.

"Wnet is proud of the accomplishments of all of our members, said Gloria Colgan, Wnet President and President of Velco Payments. "We also rely in the volunteerism of our members to keep Wnet on the cutting edge of providing real member value. We are grateful for the contributions of this year’s award winners."

And the winners are

This year, four women were recognized, as follows:

"Volunteers are the lifeblood of Wnet, and we are all made stronger by the contributions of time and talent of Dawn, Christina, Megan and Theresa, as well as many other Wnet members," said Lisl Cutterer, Wnet’s Executive Director.

For more information about Wnet, please visit

View prior breaking news

Spotlight Innovators:

North American Bancard | Harbortouch | USAePay | IRISCRM.COM | Humboldt Merchant Services