Noutați

TMS Aurelius academic license

In February 2020 we announced the TMS Academic Program. Today we are happy to extend the TMS Academic Program with a new product : TMS Aurelius v5.1. This license can be used with Delphi 10.4.x Sydney. With the Delphi Academic edition students already have an extremely powerful tool in their hands and we want to enrich this with offering our most popular products also free to students with the TMS Academic Program. Getting started : Register for a free TMS Aurelius Academic license with a school or university email address Receive your credentials to login on our website via your student email address Login and download your free TMS Aurelius Academic installer Install the product in the Delphi 10.4.x edition. Enjoy being part of the TMS family with full access to our website, TMS support center, product updates for 1 year and develop great Delphi VCL applications Interesting video’s: TMS Aurelius video’s Available books: IntroducingDelphi ORM: Object Relational Mapping Using TMS Aurelius. Get started with TMS software today and secure your place for the future in the Delphi world! TMS Aurelius is our new addition to the family and we plan to extend this academic program. We are curious to know how the TMS Academic Program helped you so far in achieving exciting software development challenges and we are eager to learn what next TMS products you would wish to see in the academic program.

Read More

How To Build Powerful Data Visualizations Using D3 In JavaScript

D3 is a powerful JavaScript library for creating amazing data visualizations. It helps you to visualize the data on the web easily using HTML tables or SVG. On the other hand, Ext JS is a JavaScript framework for building interactive cross-platform applications. By using D3 with the Ext JS apps, you can build powerful data visualizations, helping organizations and individuals uncover valuable insights effectively. In this article, you will find all the details.   What is D3? D3 stands for Data-Driven Documents. It is an open-source JavaScript library for producing dynamic, readable, and interactive data visualizations in web browsers. It utilizes modern web standards, including SVG, HTML, and CSS.  D3 can bind any arbitrary data to Document Object Model (DOM) and apply data transformation. For example, it can generate an HTML table from an array of numbers. It can use the same data to produce an interactive SVG bar chart. D3 enables you to present information in a visually appealing way. Also, it gives you full control over the data selection process.  Why should you use D3 for data visualization? You should use D3 because it helps you to build any kind of visualization that you want easily. It’s a tool that enables you to present the numbers in a readable form. Also, it helps you to generate reports easily, make comparisons effectively, and understand the pattern deeply.  D3 is a JavaScript library, which utilizes a functional style. So, you can reuse codes and add specific functions easily. As a result, you can create powerful data visualizations conveniently. D3 helps you to create memorable presentations with amazing data visualization. If you are working at a startup, you can convince investors effectively by using properly transformed data that uncover valuable insights.      How to Build Powerful Data Visualizations with D3 and Ext JS D3 can be easily integrated with Ext JS apps to produce amazing data visualizations. It supports different component types, including Hierarchical Components, Heatmap Components, and Custom Components. In this post, you will find the details of integrating the “Sunburst” and “Zoomable Sunburst” components, which fall under “Hierarchical Components,”  in the Ext JS apps. Sunburst  The D3 sunburst component provides a dynamically compelling rendering of hierarchical data. It visualizes tree nodes as concentric wedge sectors, with the root circle in the center. It opens outward for every level of depth in the hierarchy.  To produce the visualization shown above, you have to create the Model by using the following codes: Ext.define(‘KitchenSink.model.Tree’, {    extend: ‘Ext.data.TreeModel’,     fields: [        ‘name’,        ‘path’,        ‘size’,        {            name: ‘leaf’,            calculate: function(data) {                return data.root ? false : !data.children;            }        },        {            name: ‘text’,            calculate: function(data) {                return data.name;            }        }    ],     proxy: {        type: ‘ajax’,        url: ‘data/tree/tree.json’    },     idProperty: ‘path’ }); Next, you have to create the Controller. Ext.define(‘KitchenSink.view.d3.SunburstController’, {    extend: ‘Ext.app.ViewController’,    alias: ‘controller.sunburst’,     […]

Read More

Canary in a Coal Mine: Detecting Cyberattacks Early

Published April 15, 2021 WRITTEN BY MICHAEL SOLOMON Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments. Many catastrophic events are obvious, with their effects immediately visible — but not all. Fire, flood, tornadoes and earthquakes are all examples of events that can cause a substantial impact to business operation and do not require any effort to detect. Everyone can see what causes the damage. Cyberattacks can be very different. While some cyberattacks, such as Denial of Service (DoS) attacks, cause interruptions that are immediate and visible, many other attacks are not so obvious. For example, an attack that extracts sensitive customer information likely will not raise alarms and can occur without anyone realizing what happened. Since the first step in responding to a security incident is to identify that an incident has occurred, identification becomes important to survival.  A recent IBM breach report states that companies that are victims of a cyberattack take an average of 207 days to identify the breach. And it takes, on average, an additional 73 days to contain it. Think about that: On average, victims of cyberattacks only realize they have been attacked after half the year has passed. Since many cybercriminals plunder their victims repeatedly after the initial breach, losses can accumulate the longer an attacker goes undetected. A key indicator of how much damage a cyberattack may cause is how soon that attack is detected and stopped. Early breach identification is the single most important action to reduce the blast radius and increase the likelihood of surviving the attack. Let’s look at some ways companies can place controls that provide an early alert of cyberattack activity. Like the canaries coal miners used to carry with them, an early warning of danger can help avert disaster. Manage cybersecurity risk Encountering business interruptions is not a new phenomenon. There are many ways an organization can run over operational “speed bumps” that reduce or completely block its ability to carry out its core business functions. These speed bumps are often referred to as risk. Risk is the probability that something will occur that has either a positive or negative effect. Most risk is perceived as something that may cause loss, but risk can have a positive result, such as finishing a project early. We will only cover negative risk in this article. A proven way to minimize the negative effects of realized risk is to develop plans to handle the risks that can cause the most damage. Of course, that is easier said than done. Ignoring risk is dangerous. But managing it well can be the difference between surviving and succumbing to a realized risk such as a cyberattack. The quality of your plans is directly related to your probability of success. Business Impact Analysis The first plan you will need to combat cyberattacks is a Business Impact Analysis (BIA). A BIA summarizes your business processes and identifies the functions that must be operational for your organization to stay in business. These core functions are called Critical Business Functions (CBFs). Once you have identified your CBFs, you know what you must protect. If any CBF gets interrupted, your business process […]

Read More

Automate Access To Current And Historical Currency Exchange Rates Via API

{     “success”: true,     “timestamp”: 1618443847,     “base”: “EUR”,     “date”: “2021-04-14”,     “rates”: {         “AED”: 4.401602,         “AFN”: 92.987438,         “ALL”: 123.189782,         “AMD”: 622.325441,         “ANG”: 2.150997,         “AOA”: 771.454377,         “ARS”: 111.049893,         “AUD”: 1.550998,         “AWG”: 2.156941,         “AZN”: 2.046165,         “BAM”: 1.960773,         “BBD”: 2.419639,         “BDT”: 101.557685,         “BGN”: 1.956108,         “BHD”: 0.4518,         “BIF”: 2355.859391,         “BMD”: 1.198301,         “BND”: 1.602747,         “BOB”: 8.262446,         “BRL”: 6.775187,         “BSD”: 1.198391,         “BTC”: 1.9067596e–5,         “BTN”: 90.06308,         “BWP”: 13.096988,         “BYN”: 3.135003,         “BYR”: 23486.695865,         “BZD”: 2.415529,         “CAD”: 1.499979,         “CDF”: 2391.808752,         “CHF”: 1.105916,         “CLF”: 0.030816,         “CLP”: 850.318038,         “CNY”: 7.824422,         “COP”: 4381.9464,         “CRC”: 734.603479,         “CUC”: 1.198301,         “CUP”: 31.754971,         “CVE”: 110.932648,         “CZK”: 25.94405,         “DJF”: 212.962255,         “DKK”: 7.437344,         “DOP”: 68.255016,         “DZD”: 158.571629,         “EGP”: 18.777483,         “ERN”: 17.976802,         “ETB”: 49.55004,         “EUR”: 1,         “FJD”: 2.452563,         “FKP”: 0.870416,         “GBP”: 0.869667,         “GEL”: 4.140164,         “GGP”: 0.870416,         “GHS”: 6.926206,         “GIP”: 0.870416,         “GMD”: 61.113259,         “GNF”: 11983.008607,         “GTQ”: 9.248383,         “GYD”: 250.707366,         “HKD”: 9.305333,         “HNL”: 28.903569,         “HRK”: 7.57158,         “HTG”: 97.906362,         “HUF”: 358.507893,         “IDR”: 17515.083611,         “ILS”: 3.931206,         “IMP”: 0.870416,         “INR”: 89.904135,         “IQD”: 1751.316633,         “IRR”: 50454.456016,         “ISK”: 151.714206,         “JEP”: 0.870416,         “JMD”: 179.460912,         “JOD”: 0.849552,         “JPY”: 130.510579,         “KES”: 127.98481,         “KGS”: 101.611855,         “KHR”: 4847.126741,         “KMF”: 492.801162,         “KPW”: 1078.470959,         “KRW”: 1338.046775,         “KWD”: 0.361276,         “KYD”: 0.998693,         “KZT”: 516.331626,         “LAK”: 11287.993862,         “LBP”: 1825.846885,         “LKR”: 241.461698,         “LRD”: 206.832071,         “LSL”: 17.555151,         “LTL”: 3.538271,         “LVL”: 0.72484,         “LYD”: 5.410369,         “MAD”: 10.702619,         “MDL”: 21.535088,         “MGA”: 4535.568261,         “MKD”: 61.636388,         “MMK”: 1689.632611,         “MNT”: 3415.939059,         “MOP”: 9.586206,         “MRO”: 427.793183,         “MUR”: 49.357594,         “MVR”: 18.514034,         “MWK”: 943.661381,         “MXN”: 24.066602,         “MYR”: 4.947184,         “MZN”: 73.899259,         “NAD”: 17.5549,         “NGN”: 455.949342,         “NIO”: 42.036495,         “NOK”: 10.054341,         “NPR”: 144.100848,         “NZD”: 1.677843,         “OMR”: 0.461273,         “PAB”: 1.198391,         “PEN”: 4.348335,         “PGK”: 4.229665,         “PHP”: 58.092767,         “PKR”: 183.160095,         “PLN”: 4.554208,         “PYG”: 7547.686137,         “QAR”: 4.363013,         “RON”: 4.926575,         “RSD”: 117.877158,         “RUB”: 91.127306,         “RWF”: 1171.339041,         “SAR”: 4.494591,         “SBD”: 9.559982,         “SCR”: 18.14974,         “SDG”: 455.955933,         “SEK”: 10.143077,         “SGD”: 1.600804,         “SHP”: 0.870416,         “SLL”: 12252.625895,         “SOS”: 699.807988,         “SRD”: 16.960723,         “STD”: 24839.742882,         “SVC”: 10.486172,         “SYP”: 1506.944044,         “SZL”: 17.554312,         “THB”: 37.538567,         “TJS”: 13.664046,         “TMT”: 4.206036,         “TND”: 3.287535,         “TOP”: 2.735603,         “TRY”: 9.677839,         “TTD”: 8.146733,         “TWD”: 33.952055,         “TZS”: 2778.859514,         “UAH”: 33.497945,         “UGX”: 4315.378685,         “USD”: 1.198301,         “UYU”: 52.971442,         “UZS”: 12589.347994,         “VEF”: 256232928513.0559,         “VND”: 27655.584381,         “VUV”: 131.260508,         “WST”: 3.033771,         “XAF”: 657.576278,         “XAG”: 0.047174,         “XAU”: 0.00069,         “XCD”: 3.238468,         “XDR”: 0.841171,         “XOF”: 660.854586,         “XPF”: 120.009287,         “YER”: 299.994695,         “ZAR”: 17.244269,         “ZMK”: 10786.147736,         “ZMW”: 26.585877,         “ZWL”: 385.853094     } }

Read More

Creating custom File Dialogs: ShellBrowser Delphi Components

No doubt, the VCL FileDialogs offer a multitude of configuration options that cover most standard use cases. But sometimes this might not be enough and you want to create a specialized custom dialog with a different layout, additional controls (e.g. for import/export dialogs) or different looks. Rebuilding the dialog from scratch, including all the file system related components, will however in most cases not be a feasible alternative. At this point, the ShellBrowser Components can fill the gap quite comfortably: All the Win32 shell related functionality is wrapped into easy-to-use components so you can concentrate on your special use case. You can obtain a trial version of the ShellBrowser Components via Embarcadero’s GetIt Package Manager or using the link at the end of this article. After installation, you will find the ShellBrowser components in the “JAM Software” section of the component palette. The Windows Explorer style The quickest way is using a “TJamExplorerBrowser” component as the main building block of the dialog. Similar to the FileDialog components of VCL, ExplorerBrowser is built around a Windows COM object, representing a configurable file system browser which shares most parts with the Windows File Explorer. Using the “VisiblePanes” property, you can configure what parts of the control you want to show (the folder view on the right side cannot be hidden). Other design time options for the control include setting the path or “Special Folder” – a collection of named locations, including file system folders (e.g. SF_DOWNLOADS) and virtual folders (SF_DRIVES), as well as different filtering and view settings. To make the dialog complete, we’ll add two more typical file dialog components, the “TJamOpenSaveComboBox” for the file name to be opened or saved, and the “TJamFilterCombo” for specifying file extension filters which can be applied. Keeping controls in sync There is no need to write code to synchronize the components! This can be done using a “TJamShellLink”. You can simply drop an instance from the component palette and assign it as the “ShellLink” property of the ShellBrowser controls that should be synchronized. Let me show you in this small example: All ShellBrowser controls on the form use the same ShellLink. TJamShellLink synchronizes selected paths, files and filters among attached controls. The ShellLink can be used to restrict navigational access to an allowed range of folders, too. In the example below, it will apply the filter that is set in the TJamFilterCombo to ExplorerBrowser, set the text of the “TJamOpenSaveComboBox” to the file name that is selected in ExplorerBrowser and navigate to the path that the user types in the TJamOpenSaveComboBox in ExplorerBrowser. Using the ExplorerBrowser as the main file system component in this example has the benefit that – being a Windows control – it looks and behaves exactly like Windows Explorer. The drawback is that not all details of appearance or behavior can be accessed or modified. E.g. there is no way to filter the visible root nodes of the navigation tree; ExplorerBrowser also does not support VCL Styles or any other form of dark theme. Even more control: TJamShellTree and TJamShellList As an alternative approach, the ExplorerBrowser component can be replaced by various other ShellBrowser controls, such as the TJamShellList, TJamShellTree and TJamShellBreadCrumbBar. These are not based on a Windows COM object, but replicate its look and behavior as closely as […]

Read More

Delphi Provides Better Enterprise Source Code Protection Than WPF And Electron

How do Delphi, WPF .NET Framework, and Electron perform compared to each other, and what’s the best way to make an objective comparison? Embarcadero commissioned a whitepaper to investigate the differences between Delphi, WPF .NET Framework and Electron for building Windows desktop applications. The benchmark application – a Windows 10 Calculator clone – was recreated in each framework by three Delphi Most Valuable Professionals (MVPs) volunteers, one expert freelance WPF developer, and one expert Electron freelance developer. In this blog post, we are going to explore the IP Security metric, which is part of the Functionality comparison used in the whitepaper. What is IP Security in a deployable application? How secure is the intellectual property of the source code in a deployable project? After businesses invest resources into their projects, they face the challenge of putting their product into the hands of the public while protecting the code and techniques that produce revenue. This qualitative metric evaluates the ability of a user to access source code via decompilation.  Intellectual property protection is fundamentally important to long-term business plans. If a product solves a new problem or utilizes a novel technique, the developers should understand how their choice of framework affects IP vulnerability. Delphi programs compile into platform-native machine code rather than intermediate code. Decompilation using free tools can recover the GUI form but only yields assembly code for the logic. IP security is more tenuous in WPF. Decompiling executable and library files with free tools results in recognizable C# business logic and nearly recognizable XAML text. Finally, Electron has the most significant problem – it gives away source code with each installation by default. Electron application code can be recovered with a simple text editor – a function of how the framework is structured – but can be somewhat obfuscated using third-3rd party tools. Available decompiler tools and their results when applied to each framework’s calculator application are listed below. The goal of this decompilation exercise was to determine the feasibility of retrieving both the UI and the original code from each framework’s calculator application using open-source or free tools. The frameworks assessed were Delphi VCL, Delphi FMX, WPF (C#), and Electron (with Angular). When the Delphi VCL and FMX calculators were decompiled, all UI elements were successfully extracted and the logic code was presented as assembly. This exercise did not extract function and procedure structure, but it may be possible. Decompiling the WPF calculator yielded the UI elements and mostly recognizable C# code. WPF .NET Framework applications use a known MSIL (Microsoft Intermediate Language) format that is easy to disassemble and decompile. Dependent assemblies can easily be extracted. Resources can easily be extracted. .NET Reflection can be used to extract information about a .NET assembly. The entire contents can be extracted including the classes, methods, code, and resources from an assembly. An advanced decompiler can reconstruct almost the exact structure of your code including for/while loops, if statements, and try catch blocks. Literal strings can easily be extracted. Finally, calls to methods and properties to external assemblies can be extracted. The UI elements and JavaScript code of the Electron calculator are easily exposed using a standard text editor. The Typescript code was transpiled into JavaScript and could not be recovered. Overall, Electron’s packaging provided a very limited level of obfuscation. Let’s take a […]

Read More

Incredible Real-Time Mobile App Is Built With Delphi

The OCEASet™ real-time mobile application is the companion tool for configuring the OCEABridge™ Bluetooth®/Cloud gateway. OCEABridge™ is a gateway device that provides a transparent link between customer’s local Emerald™ or Atlas™ dataloggers and the OCEASOFT Cloud service via the Internet. Readings are taken in real-time by dataloggers and are captured wirelessly and automatically by OCEABridge™.  The readings are forwarded to the Cloud for monitoring and reporting. What kind of real-time data can be captured? According to OCEASoft’s website the apps provide: Wireless data logger communication with Bluetooth Configurable data logging start time Definable high and low limits, with delays Fast access to readings, events, and alarms Automatic data transfer to OCEASOFT’s secure OCEACloud platform Values displayed in °C or °F, in GMT or local time Generates e-mail with mission report and attached CSV file with all information Download complete reports in PDF, XLS, and CSV format The apps are written using RAD Studio’s Delphi with the Firemonkey cross-platform capabilities and this means they’re available on both iOS and Android. Website OCEASet iOS App Store ‎OCEASet on the App Store (apple.com) Google Play OCEASet Screenshot Gallery Reduce development time and get to market faster with RAD Studio, Delphi, or C++Builder. Design. Code. Compile. Deploy.Start Free Trial   Upgrade Today    Free Delphi Community Edition   Free C++Builder Community Edition

Read More

Introducing TMS WEB Core for Visual Studio Code 1.3

We are on the verge of rolling out the first beta of the next milestone of our TMS WEB Core for Visual Studio Code product. This is the version v1.3 and along all TMS WEB Core framework enhancements that will come in TMS WEB Core for Delphi 1.7, the new release v1.3 will introduce the major new feature that is package support. Learn all about in in our upcoming free webinar! Package support comes to TMS WEB Core for Visual Studio Code Package support is what will enable software developers to install packages containing component code for install of components for design-time use. While it is perfectly possible to use custom components with the current release of TMS WEB Core for Visual Studio Code, it was restricted to use these components at runtime. So, developers had to create and instantiate classes of components in code. With the new release, we will bring the RAD experience also for custom components. You write your custom component, add its source code to a package and then compile and install the package in the IDE. After this step, the registered component classes are added on the tool palette and can be dragged on the form designer and can be customized visually by changing properties via the object inspector. Our architect of TMS WEB Core for Visual Studio Code created this video for you to explain this: FNC comes to TMS WEB Core for Visual Studio Code Yes, the exciting news is not just that you can now add custom components for design-time use in TMS WEB Core for Visual Studio Code, but also that the entire range of TMS FNC components becomes available for use with TMS WEB Core for Visual Studio. We lost count of the total number of FNC components but this must meanwhile be approaching 300 or perhaps more. So yes, you will be able to install into TMS WEB Core for Visual Studio Code and use all of these components for creating classic web client applications, PWA’s (Progressive Web Applications) or Electron based cross-platform desktop apps* for Windows, macOS and Linux. And of course, you will be able to develop these applications from a Windows, macOS or Linux machine as the Visual Studio Code IDE is at home on these operating systems and so will be our FNC components. Opening, compiling & installing the package from the IDE List, add & remove component packages in the IDE Components on the tool palette and use the FNC components on the designer * Note that our Miletus technology for creating cross-platform desktop apps that will come in TMS WEB Core for Delphi 1.7, is scheduled for TMS WEB Core for Visual Studio Code v1.4 and will at that point also offer Windows, macOS and Linux support for and from these three operating systems. Join our upcoming free webinar Interested in learning all about the new version v1.3? We have a free webinar coming up for you via our platform TMS Web Academy (built with TMS WEB Core for Visual Studio Code by the way) and we have as host our chief architect José Leon Serna assisted by Bruno Fierens. Register now for this free webinar and be first to learn everything about component creation from TMS WEB Core for Visual Studio Code.

Read More

Securing Cloud Access in Applications

Published March 31, 2021 WRITTEN BY ED TITTEL. Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel As applications become increasingly cloud-based – or even, cloud-native – more and more such code is sending data to and from cloud-based stores, both public and private. This makes the methods and controls that such applications use to access the cloud of particular interest. It also keeps the onus on application owners to protect and preserve application data, particularly when it involves information subject to compliance and regulatory requirements. That brings a host of other concerns into play that range from preserving privacy and confidentiality to the “right to be forgotten” (a GDPR requirement that obliges organizations to dispose of data about any registered individuals within 30 days of request for same, or face fines and penalties). Pass the Data, But Not the Buck Indeed, organizations must realize and own up to their responsibility for data, even when it leaves their hands and goes into the cloud. At best, the cloud service provider will assume a “shared responsibility” for an organization’s data once it hits their servers or data stores. But always, the organization that acquires (and presumably controls and protects) such data remains legally responsible for its privacy, confidentiality, and disclosures of breach, theft, or unwanted access or disclosure. Thus, organizations that use cloud platforms should thoroughly understand the provider’s security capabilities, and any data protection (such as encryption, access control and audit, and so forth) that the provider offers, and what responsibility and liability it assumes for data and applications that run within its systems. Best Security Practices for Cloud Access For cloud-consuming organizations, that’s just the beginning. Best security practices also insist that organizations implement the following principles where access to cloud applications, data, configurations, and resource consumption are concerned: Apply the Principle of Least Privilege (PLP): all access should be set to “deny” by default and only so much access allowed for authorized parties as they need to use an application (ordinary users) or administer the organization’s cloud environments and settings (and all admin level access should be logged, and routinely audited, especially use of privilege, account management, configuration and set-up of applications and data stores, and so forth). Use strong authentication, 2FA or better: Ideally, all access to cloud-based applications and data should require jumping demanding hurdles before access requests get granted. At a minimum, ordinary users should be required to use two-factor authentication (2FA: cellphone or email confirmation of one-time pads). Higher-level access, should probably use multi-factor authentication that includes something beyond 2FA, such as a certificate, smart token device, biometric data (fingerprint, facial scan, and so on), or be tied to a specific admin workstation’s MAC address. Encryption for data in motion and at rest: By default, organizations should turn on and use the strongest encryption they can employ without unduly affecting data access and/or application performance. Data should also be encrypted wherever it’s stored, both at endpoints when used on the client side, and in data stores when in use by an application or truly at idle rest (active or multi-tiered storage repositories). […]

Read More

Getting Ahead of Payment Card Security Threats

Published April 08, 2021 WRITTEN BY MICHAEL SOLOMON Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments. Payment card attacks are nothing new. Cybercriminals have been targeting payment cards for more than a decade. However, there is a disturbing trend of cybercriminals discovering and leveraging novel ways to steal payment cards credentials during online transactions. Online merchants have long espoused techniques that make online commerce safe, but that assurance is under a new level of attack. Recent advances in payment card attack sophistication up the game for cybersecurity professionals. Protecting online commerce is always challenging, but it can be rewarding and effective. Let’s look at a few ways to stay at least one step ahead of emerging payment card threats. Understanding payment card threats Using someone else’s payment card to steal funds is an attack that has existed as long as payment cards. In the beginning, merchants would use a mechanical device to make an impression of the raised payment card numbers into a set of carbon-copied transaction records. The customer would sign the record and take one copy. A second copy would stay with the merchant, and a third copy would go to a payment processor to settle the payment. The early process was simple, and when the device that created payment card impressions would fail, vigorously rubbing a pen or pencil body over the card would transfer the image to the transaction record. In those days, if you could grab a payment card number and forge the owner’s signature, you could create fraudulent transactions. When online transactions started to become more prevalent, signatures became less important; all cybercriminals needed were elements of a payment card holder’s basic information, such as card number, name and billing address. Intercepting credit card numbers wasn’t very difficult, since encryption wasn’t the norm prior to the early 2000s. But it didn’t take long for the payment card industry to recognize the growing threat to transactions. Several of the biggest payment card industry vendors, including Visa, MasterCard, American Express, JCB International and Discover, joined forces to develop the Payment Card Industry Data Security Standard (PCI DSS). One of the many requirements of the PCI DSS is that all transmissions involving payment card data (and subsequent storage) must be encrypted. PCI DSS increased security and upped the ante for payment card attacks, so the cybercriminals upped their game as well. Now we see a wide range of attacks that focus on intercepting, or skimming, payment card numbers and related data prior to any encryption efforts. The general idea for today’s attacks is to find creative ways to push the attack closer to the point of payment card number acquisition. In the physical world, this led to portable and stealthy physical card skimmers. Card skimmers work by replacing a valid card reader with a device that reads the credit card data and then sends it to an attacker’s preferred repository. Sophisticated skimmers pass the data through to the intended destination to remain undetected for as long as possible. As small battery-powered skimmers became popular, unscrupulous servers at some restaurants began skimming cards with pocket skimmers before processing payment cards properly. (Of […]

Read More