iPhone 6 Will Have NFC: Morgan Stanley

From FinExtra

In a group report, the bank’s Katy Huberty says: “Mobile payments is a major opportunity for Apple to improve user experiences and potentially add a new revenue stream.”

Huberty’s colleague Craig Hettenbach predicts that NFC will be a core part of Apple’s assault on payments, citing the recent patent filings by the company and the emergence of Host Card Emulation, which would let Apple break free from wireless operators.

He also notes that the new mPOS system Apple is rolling out in its stores includes a VeriFone-made iPhone sleeve that is equipped for NFC, and highlights recent reports of a contactless payments agreement with China UnionPay.


eBay Discovers Massive Cyber Security Breach; Will Ask Users to Change Passwords

The company said the breach didn’t affect PayPal.

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.

Ponemon: Cost of Data Breaches Rising

Ponemon Institute:

Throughout the world, companies are finding that data breaches have become as common as a cold but far more expensive to treat. With the exception of Germany, companies had to spend more on their investigations, notification and response when their sensitive and confidential information was lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year.

Read the full report, here.

U.S. Department of Justice Levels Cyber Espionage Charges Against Five Chinese Military Hackers

From CNBC:

The U.S. Justice Department has filed the first-ever criminal charges for cyber economic espionage against a state actor, according to a U.S. government official familiar with the case. The charges name several Chinese government officials, accusing them of using military and intelligence facilities to steal trade secrets from American energy and manufacturing companies.

From DOJ:

We allege that members of unit 61398 conspired to hack into computers of six U.S. victims to steal information that would provide an economic advantage to the victims’ competitors, including Chinese state-owned enterprises.

In the past, when we brought concerns such as these to Chinese government officials, they responded by publicly challenging us to provide hard evidence of their hacking that could stand up in court.

Well today, we are.

For the first time, we are exposing the faces and names behind the keyboards in Shanghai used to steal from American businesses.

Unit 61398 was specifically mentioned in the Mandiant Report last year.

From AP (February 2013):

Unit 61398 of the People’s Liberation Army has been recruiting computer experts for at least a decade. It has made no secret of details of community life such as badminton matches and kindergarten, but its apparent purpose became clear only when a U.S. Internet security firm accused it of conducting a massive hacking campaign against North American targets.

Hackers with the Chinese unit have been active for years, using online handles such as “UglyGorilla,” Virginia-based firm Mandiant said in a report released Tuesday as the U.S. prepared to crack down on countries responsible for cyber espionage. The Mandiant report plus details collected by The Associated Press depict a highly specialized community of Internet warriors working from a blocky white building in Shanghai.

Summary of the Indictment, here.

The Bitcoin Disclosures

Finra. The SEC. And now top regulators in Connecticut and Georgia. All are decrying the risks behind virtual currencies, in particular Bitcoin.

It’s a righteous move, one that is, interestingly enough, being heralded by a group of Bitcoin businesses.

During a public hearing this past week in Chicago hosted by the Conference of State Bank Supervisors, several cryptocurrency entrepreneurs (including executives from CoinX and BitPay) had this to say:

The panelists urged state and federal regulators to provide clear and consistent regulatory expectations and guidance without restricting innovation. The panel commended the Task Force for issuing model consumer guidance to provide more information to consumers considering transacting in virtual currencies.

Read the entire press release, here.

From one of my stories this week:

The state Department of Banking and Finance had a stark warning for Georgians late last month: If you invest or use digital currencies, such as Bitcoin, you are largely on your own.

As a part of the guidance, the department recognized the growing popularity of this new way to pay, as well as its propensity to be abused by cheats and fraudsters.

Regulators can do little to help if you get ripped off.

“At this point, you do realize, right, that’s not an FDIC insured institution?” said Kevin Hagler, commissioner of the Georgia Department of Banking and Finance, in an interview with The Atlanta Journal-Constitution.


LifeLock’s Digital Wallet Not (Completely) Secure: Deleting Software From App Stores

LifeLock recently alerted its customers that its digital wallet — a piece of smartphone software that holds folks’ personal credentials — is not PCI compliant.

That means, according to a consensus in the payments industry, the technology is just not safe for people to use.

As a result, the Arizona company is deleting the software from all of the app stores, Google Play and Amazon included. Separately, LifeLock is also deleting customers’ personal information from its internal servers. Just to be sure.

The payments card industry standard dictates how payment card information should be stored.

From a disclosure:

We have determined the app is not fully compliant with payment card industry (PCI) security standards, and we are taking immediate steps to correct this and ensure the ongoing safety of your personal information.

It’s important for you to know that we have no reason to believe your personal information, including credit card numbers and other data, has been compromised as a result of the PCI compliance issue.

This does not affect [a customer’s] ability to use your credit cards or other information you have uploaded to LifeLock Wallet.

Late last year, LifeLock acquired Lemon Wallet for $42.6 million. (Read the TechCrunch story, here.)

More on payments card standard (from Wikipedia):

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

It’s worth keeping in mind that PCI standards are the bare minimum that every business has to comply with — from the deli on the corner to, yes, even Target before and after its infamous data breach debacle.

The LifeLock snafu also calls into question Lemon Wallet’s founder, Wences Casares, the same dude behind Bitcoin vault Xapo.

Just another reason for top banking regulators, both state and federal, to be concerned.

FTC, LabMD Update
Washington, D.C. (May 15, 2014) – Today, Cause of Action (CoA) is filing an emergency appeal on behalf of LabMD, following a federal judge’s ruling that he lacked jurisdiction even while telling the Federal Trade Commission (FTC) “the public is served by guiding people beforehand rather than beating them up after.”