In the United States, our credit and debit cards still rely on outdated magnetic stripe technology. The magnetic stripe is the black or brown band on the back of your credit or debit card. The stripe stores data, such as your account number, via tiny, iron-based magnetic particles. When you swipe your card through a card reader, the device accesses the data stored on the magnetic stripe. A quick YouTube search yields numerous vendors offering to sell skimming devices, which can be used to steal data from credit cards as they are swiped in an ATM.
EMV, or chip and PIN, cards, on the other hand, are far more secure. These so-called “smart cards” contain embedded microchips and are authenticated using personal identification numbers, or PINs. When a customer uses a smart card to make a purchase, the card is placed into a terminal or a modified card reader, which accesses the card’s microchip and verifies the card’s authenticity. The customer then enters a PIN (typically four digits), which is verified either by the chip itself against the PIN stored on the card (offline PIN) or by the issuer (online PIN).
EMV technology supports four cardholder verification methods: offline PIN, online PIN, signature, or no cardholder verification. This enhanced cardholder verification process is an additional security feature, helping to ensure that the person initiating a transaction is in fact the legitimate cardholder.
Meanwhile, the only way to verify the holder of a regular magstripe credit card is for a cashier to check the customer’s identification, but this occurs irregularly at best and may even promote a false sense of security. In card-not-present transactions, such as online purchases, the CVV2, or card verification value, is the primary verification method, but this number is visibly printed on the card itself and is as easily stolen as an account number or PIN.
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.
The old magnetic stripe technology currently used in credit and debit cards in the United States stores static data, and the equipment to read and copy that data is inexpensive and readily available, making our cards highly vulnerable to fraud. It’s understandable then that credit and debit card fraud is Americans’ primary fear, with 68% of those surveyed describing themselves as extremely or very concerned about the security of their credit or debit card data and 66% as extremely or very concerned about identity theft.
Compare that to the 58% who are extremely or very concerned about terrorism and war, or the 41% who fear the possibility of a serious health epidemic. If a health epidemic actually occurred, that would naturally take precedence over our financial concerns. But for now, we’re mostly worried about our money.
Credit card fraud comes in two different flavors: account takeover and new account fraud. Account takeover occurs when an identity thief gains access to your credit or debit card number through criminal hacking, dumpster diving, ATM skimming, or sometimes even when you hand the card over to pay at a store or restaurant. Technically, account takeover is the most prevalent form of identity theft, though I’ve always been inclined to categorize it as simple credit card fraud.
EMV credit cards—or “chip and PIN” cards—are safer than the magnetic stripe cards still used in the U.S. According to the Smartcard Alliance, “[EMV] transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal using Static Data Authentication (SDA), Dynamic Data Authentication (DDA) or Combined DDA with application cryptogram generation (CDA). EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions.”
In simple terms, an EMV card proves it is genuine with cryptography and signs each transaction with a one-time cryptogram, so data captured from one transaction cannot be replayed to make another. It makes sense, therefore, for smart, forward-thinking banks to encourage EMV migration as soon as possible.
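The dynamic cryptogram the Smartcard Alliance quote describes, modelled as an added Python example (not code from this page, from Gemalto, or from any EMV kit): HMAC-SHA256 stands in for EMV’s 3DES/AES session-key derivation and cryptogram MAC, and the master key, test PAN, amounts, and the Card and Issuer classes are constructed for illustration. The point it shows is why skimmed chip data is useless: the cryptogram covers the terminal’s unpredictable number and the amount, and the issuer refuses a reused transaction counter, whereas a copied magnetic stripe passes the only check a stripe supports.

```python
import hashlib
import hmac
import struct

# Constructed example key and PAN. HMAC-SHA256 below stands in for EMV's
# 3DES/AES key derivation and MAC (an assumption for illustration only).
ISSUER_MASTER_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")
PAN = "4111111111111111"  # constructed test card number


def session_key(master_key: bytes, pan: str, atc: int) -> bytes:
    """Per-transaction key bound to the card's Application Transaction Counter (ATC)."""
    return hmac.new(master_key, pan.encode() + struct.pack(">H", atc),
                    hashlib.sha256).digest()


def cryptogram(key: bytes, amount: int, currency: int,
               unpredictable_number: int, atc: int) -> bytes:
    """MAC over the transaction fields that terminal and issuer both see."""
    msg = struct.pack(">QHIH", amount, currency, unpredictable_number, atc)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Chip side: keeps the master key inside, counts transactions, signs each one."""

    def __init__(self, master_key: bytes, pan: str):
        self._key = master_key
        self.pan = pan
        self.atc = 0

    def generate_arqc(self, amount: int, currency: int, unpredictable_number: int):
        self.atc += 1
        key = session_key(self._key, self.pan, self.atc)
        return self.atc, cryptogram(key, amount, currency, unpredictable_number, self.atc)


class Issuer:
    """Issuer host: recomputes the cryptogram and insists the ATC only moves forward."""

    def __init__(self, master_key: bytes):
        self._key = master_key
        self.last_atc = {}

    def verify(self, pan, amount, currency, unpredictable_number, atc, arqc) -> bool:
        key = session_key(self._key, pan, atc)
        expected = cryptogram(key, amount, currency, unpredictable_number, atc)
        if not hmac.compare_digest(expected, arqc):
            return False  # other terminal's nonce, altered amount, or wrong key
        if atc <= self.last_atc.get(pan, 0):
            return False  # counter already used: an exact replay
        self.last_atc[pan] = atc
        return True


def magstripe_check(stored_track: bytes, presented_track: bytes) -> bool:
    """Static data: a skimmed copy is indistinguishable from the original, every time."""
    return hmac.compare_digest(stored_track, presented_track)


def demo():
    card = Card(ISSUER_MASTER_KEY, PAN)
    issuer = Issuer(ISSUER_MASTER_KEY)

    # Genuine purchase: the terminal picks a fresh unpredictable number, the card signs.
    un_first = 0x1A2B3C4D
    atc, arqc = card.generate_arqc(1999, 840, un_first)
    genuine = issuer.verify(PAN, 1999, 840, un_first, atc, arqc)

    # A skimmer captured (atc, arqc) and presents them at a second terminal,
    # which generates its own unpredictable number: the MAC no longer matches.
    replay_elsewhere = issuer.verify(PAN, 1999, 840, 0x5E6F7081, atc, arqc)

    # Same captured data with the amount changed: the MAC covers the amount.
    tampered = issuer.verify(PAN, 1, 840, un_first, atc, arqc)

    # Exact byte-for-byte replay: the MAC verifies, but the ATC was already used.
    replay_exact = issuer.verify(PAN, 1999, 840, un_first, atc, arqc)

    # By contrast, a copied magnetic stripe passes the only check a stripe supports.
    track = b"4111111111111111=2512101"  # constructed track-2 style data
    skimmed_copy_accepted = magstripe_check(track, bytes(track))

    return genuine, replay_elsewhere, tampered, replay_exact, skimmed_copy_accepted
```

The verify order matters: the MAC is checked before the counter so that a captured cryptogram fails for the right reason at a new terminal (different unpredictable number) and is caught by the ATC check only when every field is replayed exactly.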
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.
Contactless payment is built on NFC, or near field communication, a technology that allows electronic devices to communicate wirelessly over a distance of a few centimetres. In the case of a mobile wallet application, those devices would typically be a mobile phone and a point of sale terminal at a checkout counter. (NFC has other uses beyond credit card transactions: it can integrate with hardware, to unlock a door, for example, or it can activate software.)
Soon enough, using your smartphone as a credit card will be commonplace. By 2015, mobile contactless payments, in which you pay by holding your phone near a payment terminal, are expected to have increased by 1,077%.
Contactless payments are a faster, more convenient alternative to cash when making small purchases at fast food restaurants, convenience stores, and transport terminals. They are also ideal for remote or unattended payment situations, such as vending machines, road tolls, or parking meters. So far, I haven’t seen a report of bad guys exploiting contactless payment systems.
There are five facts you should know about contactless payment:
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.
Frequent fliers accustomed to traveling internationally for business are helping drive demand for EMV cards within the United States. Business travelers who have found it increasingly difficult to use their magnetic stripe cards while abroad are now requesting that American banks provide EMV, or chip and PIN cards, which are used more commonly in Europe and around the world.
“EMV” refers to Europay, MasterCard, and Visa, three financial service corporations that collaborated to establish a global standard for secure, reliable, and consistent credit and debit card transactions. These cards are also called “chip and PIN” cards because they incorporate an embedded microprocessor chip and require a personal identification number for authentication. These security measures make chip and PIN cards far more secure than the magnetic stripe cards that are standard in the United States, since the magnetic stripes containing sensitive financial data are vulnerable to skimming at ATMs and point of sale terminals. In Europe, chip and PIN technology has significantly reduced fraud in transactions where the card is physically present (it cannot help with card-not-present transactions, such as online purchases, where the chip is never read).
JPMorgan Chase began issuing cards with embedded microprocessor chips last year in response to requests from cardholders who are frequent international travelers. And more major card issuers have followed suit by incorporating EMV technology. American Express has announced plans to release chip-based cards in the United States, as part of a “roadmap to advance EMV chip-based contact, contactless and mobile payment for all merchants, processors, and issuers.”
Most of the EMV-based cards offered in the United States are chip-and-signature, rather than chip-and-PIN, due to differences in the way payments are processed. Nevertheless, these advances in card technology are a positive step, so thank you to business travelers for pushing banks to incorporate EMV technology and making overseas travel more convenient and more secure.
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.
Have you ever thought about what would happen if you lost your mobile phone? These days we rely on our mobile phones more than ever. For a lot of us, it can be a nightmare if it’s lost, stolen or hacked, especially since today it has become our most personal computer.
But despite the fact that half of us would rather lose our wallet than our mobile phone, only 4% of us have taken steps to protect our mobile device with security software.
For most of us, our first reaction when we lose our wallet is “I have to cancel my credit cards, get a new license,” and so on. When we lose our phones, we think about the pain and cost of replacing the device. But that’s just the tip of the iceberg.
We don’t realize that our photos, emails, text messages and our apps can be an open door for thieves into our personal information, privacy and financial accounts.
And the time to replace your smartphone and its contents can consume as much as 18 hours of your life.
Mobile devices are on the move, meaning they can more easily be lost or stolen and their screens and keyboards are easier targets for “over the shoulder” browsing.
Below is an infographic that shows why you should protect your smartphone and some tips to protect you and your device.
Take time to protect your mobile device. Here are some tips to keep your mobile safe:
Never leave your phone unattended in a public place.
Put a password on your mobile and set it to auto-lock after a short period of time.
If you use online banking and shopping sites, always log out and don’t select the “remember me” function.
Use mobile security software with anti-theft features: it should back up and restore the information on your phone, locate it remotely, and wipe its data if the device is lost or stolen, in addition to providing antivirus and web and app protection.
Robert Siciliano is an Online Security Evangelist to McAfee.
An employee may pay for their device and its monthly plan, but employees who use their personal devices at work should be required to adhere to a Bring Your Own Device (BYOD) policy that sets the ground rules. If you choose to use your personal device for work purposes at any time for any reason, then your employer will more than likely want control over that device. This means that, as with a company-owned device under a corporate mobile policy, the employer may have the remote capability to monitor activity and, in the event of loss or employee termination, to wipe the data.
The day after you get your new and shiny mobile or tablet, chances are you’ll take it right to work and request the IT department set it up with your email and access to the company network. And as more and more companies agree to this, they are also requiring you to agree to their terms as well.
Expect an acceptable use policy. This is a document, governed by the company’s CIO and others, that basically tells you what you can and can’t do. Read it carefully, because once you sign it, your job will be on the line if you don’t abide by it.
Running in the background will be an application that you will be required to download and install. This app may have a certificate authenticating you and the device to connect to the company network and run company programs.
The installed application should provide the enterprise the ability to essentially remotely control your mobile at some level. I wouldn’t be concerned about this unless of course you’re not abiding by the agreement you signed.
At a minimum, expect the application to be able to locate your mobile via the phone’s GPS if it is lost or stolen, and to enforce an automatic screen lock whether you want one or not (typically you get to choose a timeout of one to five minutes). Mobile security software should also be able to remotely wipe your mobile of all its data. Encryption, antivirus and a firewall are key factors in protecting that data.
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.
Yahoo reported the theft of some 400,000 user names and passwords for its website, acknowledging that hackers took advantage of a security vulnerability in its computer systems.
LinkedIn, the Mountain View, California-based employment and professional networking site with 160 million members, was hacked and suffered a breach exposing some 6 million members’ passwords, and is now involved in a class-action lawsuit.
These sites did something wrong that allowed those passwords to be stolen. However, passwords themselves are too easily compromised. If multi-factor authentication had been used in these cases, the hacks might have been a moot point and the stolen data useless to the thief.
The password problem has two parts. First, we are lazy with passwords; for example, regarding the Yahoo breach, CNET pointed out that:
2,295: The number of times a sequential list of numbers was used, with “123456” by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.
160: The number of times “111111” is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000” is used 71 times.
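The kind of tally CNET produced, as an added Python example (not CNET’s script and not run on the Yahoo data): a constructed list of passwords is sorted into the families named above, sequential digits, reversed sequences, sequences with a few letters tacked on, and repeated digits, so you can see how such counts are derived. The sample list, the family names and the regular expression that allows up to three letters on either side of the digits are all assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample standing in for a leaked password list (not the Yahoo data).
SAMPLE = [
    "123456", "123456", "123456", "1234567890", "654321", "98765",
    "a123456", "111111", "000000", "7777777", "112233",
    "password", "qwerty",
]

# Up to three letters either side of a run of at least four digits.
DIGIT_CORE = re.compile(r"([A-Za-z]{0,3})(\d{4,})([A-Za-z]{0,3})")


def classify(password: str) -> str:
    """Label the digit-pattern families CNET counted, plus 'numeric' and 'other' buckets."""
    m = DIGIT_CORE.fullmatch(password)
    if not m:
        return "other"
    digits = [int(c) for c in m.group(2)]
    padded = bool(m.group(1) or m.group(3))  # letters added around the number
    # Step between neighbouring digits, mod 10 so that 1234567890 still counts.
    steps = [(b - a) % 10 for a, b in zip(digits, digits[1:])]
    if all(s == 1 for s in steps):
        kind = "sequential"            # 123456, 1234567890
    elif all(s == 9 for s in steps):
        kind = "reversed-sequential"   # 654321, 98765
    elif len(set(digits)) == 1:
        kind = "repeated"              # 111111, 000000
    else:
        return "numeric"               # digits only, but no obvious pattern
    return (kind + "+letters") if padded else kind


def tally(passwords):
    """Count each family across a password list."""
    return Counter(classify(p) for p in passwords)


def most_common_password(passwords):
    """The single most reused value and how often it appears."""
    value, count = Counter(passwords).most_common(1)[0]
    return value, count
```

Run on the constructed sample, `tally(SAMPLE)` puts four passwords in the sequential family, two in reversed-sequential, one in sequential-with-letters and three in repeated, with “123456” the most common value; on a real dump the same code gives the figures CNET reported for Yahoo.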
Second, spyware, malware and viruses on a user’s device can easily record passwords, which means the username (often a publicly known email address) and password are easy to obtain from an infected device.
The numerous scams that entice users to cough up sensitive data are a proven con that works often enough to keep hackers hacking.
Multi-factor authentication, which your bank uses, is far better and more secure: it requires a username, a password and “something you have”, a personal security device separate from the PC.
While additional authentication measures might be a burden to some, it’s a blessing to others who recognize the vulnerabilities of their online accounts otherwise.
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.
NFC is an acronym for near field communication, a wireless technology that allows devices to talk to each other. In the case of a mobile wallet application, those devices would be a mobile phone and a point of sale device at a checkout counter.
Visa is testing its payWave contactless payment service over NFC at the Summer Olympics in London. Every athlete will get a Samsung Galaxy SIII phone enabled with near field communication (NFC) along with Visa’s payment app.
NFC can be used in other ways beyond credit card transactions. It can integrate with hardware, such as your car, to unlock a door. It can activate software.
Soon enough, using your phone as a credit card will be commonplace. Mobile contactless payments, in which you pay by holding your phone near the payment reader at the register, are expected to increase by 1,077% by 2015.
All of this is good and well; however, there are security issues with NFC that still need addressing. McAfee researchers point to a technique called “fuzzing the hardware”, which involves feeding corrupt or malformed data to an app to discover vulnerabilities. Once such a vulnerability is found, the attacker must research and develop an exploit to perform various attacks (for example, stealing credit card information, exporting the data to the attacker, or leaking credit card information to any requester). The attacker will then need to find a method to have the victim run the exploit. This entire process costs attackers and criminals time and money, which can be justified in the case of NFC-enabled phones and a multitude of stores with card readers.
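Fuzzing as described above, as an added Python example (not McAfee’s tooling and not any real NFC stack): a constructed toy parser for an NFC Forum NDEF text record, deliberately written without bounds checks, sits beside a hardened version, and a small mutational fuzzer feeds both of them corrupted copies of a seed record and reports which one falls over. The header layout (flag byte, type length, payload length, optional ID length) follows NDEF; the seed record, the mutators, the function names and the planted sloppiness in `parse_naive` are assumptions of this example.

```python
import random
import struct

NDEF_SR = 0x10  # short record: one-byte payload length
NDEF_IL = 0x08  # ID length field present


class NdefError(ValueError):
    """The one exception a hardened parser is allowed to raise on bad input."""


def parse_naive(data: bytes) -> dict:
    """Trusts every length field; the bug class fuzzing is meant to find (constructed)."""
    flags, type_len = data[0], data[1]
    if flags & NDEF_SR:
        payload_len, off = data[2], 3
    else:
        payload_len, off = struct.unpack(">I", data[2:6])[0], 6
    id_len = 0
    if flags & NDEF_IL:
        id_len, off = data[off], off + 1
    rtype = data[off:off + type_len]
    off += type_len + id_len
    payload = data[off:off + payload_len]
    if rtype == b"T":  # NFC Forum text record: status byte, language, text
        status = payload[0]
        lang_len = status & 0x3F
        lang = payload[1:1 + lang_len].decode("ascii")
        text = payload[1 + lang_len:].decode("utf-16" if status & 0x80 else "utf-8")
        return {"lang": lang, "text": text}
    return {"type": rtype}


def parse_hardened(data: bytes) -> dict:
    """Same format; every read is bounds-checked and every failure is NdefError."""
    if len(data) < 3:
        raise NdefError("truncated header")
    flags, type_len = data[0], data[1]
    if flags & NDEF_SR:
        payload_len, off = data[2], 3
    else:
        if len(data) < 6:
            raise NdefError("truncated payload length")
        payload_len, off = struct.unpack(">I", data[2:6])[0], 6
    id_len = 0
    if flags & NDEF_IL:
        if off >= len(data):
            raise NdefError("truncated id length")
        id_len, off = data[off], off + 1
    if off + type_len + id_len + payload_len > len(data):
        raise NdefError("length fields exceed message")
    rtype = data[off:off + type_len]
    off += type_len + id_len
    payload = data[off:off + payload_len]
    if rtype == b"T":
        if not payload:
            raise NdefError("empty text payload")
        status = payload[0]
        lang_len = status & 0x3F
        if 1 + lang_len > len(payload):
            raise NdefError("language code exceeds payload")
        try:
            lang = payload[1:1 + lang_len].decode("ascii")
            text = payload[1 + lang_len:].decode("utf-16" if status & 0x80 else "utf-8")
        except UnicodeDecodeError as exc:
            raise NdefError("bad text encoding") from exc
        return {"lang": lang, "text": text}
    return {"type": rtype}


# Constructed seed: one short text record, "hi" in English.
SEED = bytes([0xD1, 0x01, 0x05, ord("T"), 0x02]) + b"enhi"


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Three cheap mutators: byte overwrite, bit flip, truncation (keeps >= 1 byte)."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        choice = rng.randrange(3)
        if choice == 0:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif choice == 1:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif len(buf) > 1:
            del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)


def fuzz(parser, iterations: int = 500, seed: int = 1) -> dict:
    """Feed mutated records to `parser`; count every exception that is not NdefError."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        try:
            parser(mutate(rng, SEED))
        except NdefError:
            continue  # a rejected input is the parser doing its job
        except Exception as exc:  # anything else is a crash worth a bug report
            name = type(exc).__name__
            crashes[name] = crashes.get(name, 0) + 1
    return crashes
```

Running `fuzz(parse_naive)` turns up IndexError, struct.error and UnicodeDecodeError within a few hundred iterations, while `fuzz(parse_hardened)` returns an empty dictionary; in a native NFC stack those same unchecked reads would be memory-safety bugs, which is the starting point for the exploit-development work described above.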
McAfee discovered exploitable vulnerabilities on Android and iOS phones. If someone has NFC turned on, an attacker within NFC’s range of a few centimetres can pick up the signal to gather private information or payment information on an athlete’s device. It is almost like pickpocketing, but they don’t even have to touch you.
McAfee researcher Jimmy Shah stated that an attacker wishing to target the Samsung Galaxy SIII devices at the summer games can purchase one easily and use the researchers’ data to help find vulnerabilities and eventually develop exploits to steal a victim’s credit card. The large number of readers at the Olympics will provide places where a successful attacker can use stolen credentials to make purchases.
Users can protect themselves by obtaining apps from Google Play, Amazon’s Appstore, or their carrier’s app store, avoiding third-party stores that may have pirated or maliciously modified software. Reviews from other users are also helpful in determining safer apps.
NFC handsets are set to increase to about 80 million next year. Gartner estimates that 50% of smartphones will have NFC capability by 2015. Pay attention to what’s happening in the world of NFC, mobile payment and mobile security, because before you know it, your wallet will be your mobile phone.
Robert Siciliano is an Online Security Evangelist to McAfee.