Bangladesh c.bank says withholding heist probe info from ‘foreign perpetrators’

Bangladesh’s central bank said it is withholding findings of investigations into the cyber theft of $81 million from its account at the Federal Reserve Bank of New York to avoid tipping off the "foreign perpetrators" of the hack. Bangladesh Bank lawyer Ajmalul Hossain was responding to comments by Rizal Commercial Banking Corp. in the Philippines – through which the stolen money was routed before disappearing into Manila’s casino industry – that the central bank in Dhaka was wary of releasing reports that could implicate its own officials.

via https://ift.tt/2bhNPcU

NIST is No Longer Recommending Two-Factor Authentication Using SMS

NIST is no longer recommending two-factor authentication systems that use SMS, because of their many insecurities. In the latest draft of its Digital Authentication Guideline, there’s the line:

[Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.

Posted on August 3, 2016 at 7:11 AM

via https://ift.tt/2asqG7Z

Android Tamer: Virtual platform for Android security professionals

Android Tamer is a free and open source Swiss army knife type of tool for Android security.

Android Tamer

The recently released version 4 moves towards Debian package compatibility. Users are able to obtain or use Android Tamer in multiple formats:

1. Download the OVA directly and use it.
2. Configure Debian 8 machines to use tools from Android Tamer repositories.
3. A Vagrant Image can be used to build Android Tamer and see the process transparently.

More options such as ISO and Docker builds are in the works and should be available soon.

“As with any other open source project, I’m faced with multiple challenges. The highly volatile nature of the upstream projects (frequent updates, no release tags, sudden project abandonment), and the fact that each developer has his/her own idea on how to run a tool, are the main reasons we have more than 60 open bugs related to adding new tools to Android Tamer,” Anant Shrivastava, Leader at Android Tamer, told Help Net Security.

The project is looking for contributors in different areas, including writing documentation and testing and bug reporting, to take everything to the next level.

Future plans

The aim of the project is to become a one-stop location for anything related to Android security. The development team is working on the following:

  • Android Tamer VM: Standard Linux distribution customized for Android security
  • Tools repository: A Debian (and Red Hat in the future) compatible repository of Android security tools
  • Custom Android emulator: specifically customized to help with Android security
  • Android Play Store equivalent for offensive and defensive software that is not available on Google Play.

If you’re at Black Hat USA 2016 in Las Vegas this week, you can see the tool in action at the Arsenal.

Black Hat USA 2016

via https://ift.tt/2b4sy6P

75% of the top 20 US banks are infected with malware

SecurityScorecard released its 2016 Financial Cybersecurity Report, a comprehensive analysis that exposes cybersecurity vulnerabilities across 7,111 global financial institutions including investment banks, asset management firms, and major commercial banks.

Among the report’s findings are the following observations:

  • The US Commercial bank with the lowest security posture is one of the top 10 largest financial service organizations in the US (by revenue).
  • Only one of the top 10 largest banks, Bank of America, received an overall “A” grade.
  • 95 percent of the top 20 US commercial banks (by revenue) have a Network Security grade of “C” or below.
  • 75 percent of the top 20 US commercial banks (by revenue) are infected with malware; malware families discovered within these banks include Ponyloader and Vertexnet.
  • Nearly 1 out of 5 financial institutions use an email service provider with severe security vulnerabilities.
  • The best performing Investment Banks in IT Security include Goldman Sachs, Exchange Bank, BNP Paribas Fortis and Banco Popolare.

Each US financial organization was evaluated based on their overall security hygiene and security reaction time compared to their industry peers. The conclusions and rankings featured in the report are based on data derived from SecurityScorecard’s security rating platform.

The company also analyzed the specific security ratings of Scottrade, Bangladesh Bank, and Charles Schwab, all of which fell victim to data breaches recently. The analysis provides details on the data breaches as part of a holistic view of the financial industry’s vulnerability to attacks.

Additionally, the company found third party vendors and partners that provide essential services to the financial services industry also pose some of the greatest security risks.

“As banks continue to grow through acquisition, legacy IT systems and their vulnerabilities are also acquired. In many cases, they remain in place for years,” said Sam Kassoumeh, a cybersecurity expert with over 10 years’ experience and COO and Co-Founder of SecurityScorecard.

“Despite major financial institutions spending billions of dollars on cybersecurity annually, this report suggests the financial industry may not be spending those dollars as effectively as possible. A greater level of protection is required, which should be a concern for their customers and partners.”

“Financial companies rely on data exchanges with other vendors and may have limited visibility into the cyber risk associated with these transactions. As cybercriminals find new ways to attack, breach, and exploit organizations, threat patterns such as phishing, spear-phishing, and social engineering evolve and become more sophisticated. Financial organizations need solutions that assess vulnerabilities continuously and have the ability to see risks and vulnerabilities before a breach takes place,” said Dr. Luis Vargas, Sr. Data Scientist at SecurityScorecard.

via https://ift.tt/2aDkJ9Q

This ATM Hack Allows Crooks to Steal Money From Chip-and-Pin Cards

Forget about security! It turns out that the Chip-and-PIN cards are just as easy to clone as magnetic stripe cards.

It took researchers just a simple chip and pin hack to withdraw up to $50,000 in cash from an ATM in America in under 15 minutes.

We have been told that EMV (Europay, MasterCard and Visa) chip-equipped cards provide an extra layer of security which makes these cards more secure and harder to clone than the old magnetic stripe cards.

But, it turns out to be just a myth.

A team of security engineers from Rapid7 at the Black Hat USA 2016 conference in Las Vegas demonstrated how small and simple modifications to equipment would be enough for attackers to bypass the Chip-and-PIN protections and enable unauthorized transactions.

The demonstration was part of their presentation titled “Hacking Next-Gen ATMs: From Capture to Washout” [PDF]. The team of researchers was able to show the audience an ATM spitting out hundreds of dollars in cash.

Here’s How the Hack Works

The hack requires two processes to be performed.

First, the criminals need to add a small device known as a Shimmer to a point-of-sale (POS) machine (here, the ATM’s card reader) in order to pull off a man-in-the-middle (MITM) attack against an ATM.

The shimmer sits between the victim’s chip and the card reader in the ATM and can record the data on the chip, including PIN, as the ATM reads it. It then transmits this data to the criminals.

The criminals then use a smartphone to download this stolen data and recreate the victim’s card in an ATM, instructing it to eject cash constantly.

Tod Beardsley, a security research manager for Rapid7, told the BBC that a shimmer is basically a tiny Raspberry Pi-powered device that could be installed quickly on the outside of the ATM without access to the internals of the cash machine.

“It’s really just a card that is capable of impersonating a chip,” Beardsley said. “It’s not cloning.”

The perpetrators would only be able to replicate each card for a few minutes and use it to fraudulently withdraw money, enabling them to take up to $50,000, but Beardsley suggests that a network of hacked chip-and-pin machines could create a constant stream of victims.

Researchers have disclosed full details about the issue in Chip-and-PIN ATMs to banks and major ATM manufacturers and said they hope the institutions (currently unnamed) are examining the issue.

via https://ift.tt/2azMWAP

CuckooDroid – Automated Android Malware Analysis

CuckooDroid is an extension of Cuckoo Sandbox, the open source software for automating the analysis of suspicious files, aimed at Android malware analysis. CuckooDroid brings to Cuckoo the capability to execute and analyze Android applications.

CuckooDroid provides both static and dynamic APK inspection, as well as evasion of certain VM-detection techniques, encryption key extraction, SSL inspection, API call tracing, basic behavioural signatures and many other features.

The framework is highly customizable and extensible – leveraging the power of the large existing Cuckoo community.

Installation

git config --global user.email "you@example.com"
git config --global user.name "Your Name"
git clone --depth=1 https://github.com/cuckoobox/cuckoo.git cuckoo -b 1.2
cd cuckoo
git remote add droid https://github.com/idanr1986/cuckoo-droid
git pull --no-edit -s recursive -X theirs droid master
cat conf-extra/processing.conf >> conf/processing.conf
cat conf-extra/reporting.conf >> conf/reporting.conf
rm -r conf-extra
echo "protobuf" >> requirements.txt
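The two `cat ... >> conf/*.conf` steps above are not idempotent: re-running the installation appends the conf-extra fragments a second time, leaving duplicate [section] blocks in Cuckoo's configuration. The helper below, an added example that is not part of the CuckooDroid project, merges a fragment only when its first [section] header is not already present in the target; the section names in the demo are constructed and do not reproduce the real fragment contents.

```shell
#!/bin/sh
# Added example (not CuckooDroid code): append a conf-extra fragment to a
# Cuckoo conf file only once, keyed on the fragment's first [section] header.

# merge_conf_fragment FRAGMENT TARGET
# Returns 0 when the fragment was appended, 1 when it was already merged.
merge_conf_fragment() {
    fragment="$1"
    target="$2"
    # The first "[section]" line identifies the fragment.
    section=$(sed -n '/^\[/{p;q;}' "$fragment")
    if [ -n "$section" ] && [ -f "$target" ] && grep -qxF -- "$section" "$target"; then
        echo "skip: $section already present in $target" >&2
        return 1
    fi
    cat "$fragment" >> "$target"
    echo "merged: $fragment -> $target" >&2
    return 0
}

# count_sections TARGET SECTION: number of lines in TARGET equal to SECTION.
count_sections() {
    grep -cxF -- "$2" "$1"
}

# Self-contained demo on constructed files: run the merge twice and print how
# many [droidmon] headers the target ends up with (expected: 1).
demo_merge() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf" "$tmp/conf-extra"
    printf '[static]\nenabled = yes\n' > "$tmp/conf/processing.conf"
    printf '[droidmon]\nenabled = yes\n' > "$tmp/conf-extra/processing.conf"
    merge_conf_fragment "$tmp/conf-extra/processing.conf" "$tmp/conf/processing.conf" || true
    merge_conf_fragment "$tmp/conf-extra/processing.conf" "$tmp/conf/processing.conf" || true
    count_sections "$tmp/conf/processing.conf" '[droidmon]'
    rm -rf "$tmp"
}
```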

You can download CuckooDroid here:

cuckoo-droid-master.zip

Or read more here.

via https://ift.tt/2b1edKH

Data Breach — Oracle’s Micros Payment Systems Hacked

The risks associated with data breaches continue to grow, impacting a variety of industries, tech firms, and social networking platforms. In the past few months, over 1 Billion credentials were dumped online as a result of mega breaches in popular social networks.

Now, Oracle is the latest in the list.

Oracle has confirmed that its MICROS division – one of the world’s top three point-of-sale (POS) service providers, which the company acquired in 2014 – has suffered a security breach.

Hackers had infected hundreds of computers at Oracle’s point-of-sale division, infiltrated the support portal used by customers, and potentially accessed sales registers all over the world.

The software giant came to know about the data breach after its staff discovered malicious code on the MICROS customer support portal and certain legacy MICROS systems. Hackers likely installed malware on the troubleshooting portal in order to capture customers’ credentials as they logged in.

These usernames and passwords can then be used to access their accounts and remotely control their MICROS point-of-sales terminals.

In a brief letter sent to MICROS customers, Oracle told businesses to change their MICROS account passwords for the MICROS online support site – particularly passwords that are used by MICROS staff to control on-site payment terminals remotely.

“Oracle Security has detected and addressed malicious code in certain legacy MICROS systems,” said the company. “Oracle’s Corporate network and other cloud and service offerings were not impacted by this code.” 

“Payment card data is encrypted both at rest and in transit in the MICROS hosted environment… Consistent with standard security remediation protocols, Oracle [requires] MICROS customers to change the passwords for all MICROS accounts.”

Citing unknown sources, security news site KrebsOnSecurity reported that the attack possibly came from a Russian crime gang, dubbed the Carbanak Gang, that has been accused of stealing more than $1 Billion from banks and retail stores in past hacks.

The scope of the data breach is still unknown, but anonymous sources familiar with the breach have told Krebs that the hack may have affected up to 700 systems.

Since customers’ payment data is encrypted both at rest and in transit, Oracle said that this information is not at risk.

Oracle acquired MICROS in 2014 in a $5 Billion acquisition deal. Currently, MICROS devices are deployed at over 330,000 point-of-sale terminals (or cash registers) at food and beverage outlets, retail stores, and hotels across 180 countries.

The software giant is still investigating the security breach at its payment terminal division.

Over the past few years, security breaches have hit POS terminals – or “cash registers” – operated by a large number of retailers, food chains, hotels, and other types of merchants. Two of the best-known victims to be hit by POS malware are Target and Home Depot.

POS terminals have emerged as the favorite target for cybercriminal gangs because they offer a cheap and easy way to siphon a vast number of payment cards: breaching a single retailer’s internal network can allow criminals to collect millions of valid payment card numbers in a relatively short amount of time.

via https://ift.tt/2bboGDE

Using VPN in the UAE? You’ll Be Fined Up To $545,000 If You Get Caught!

If you get caught using a VPN (Virtual Private Network) in Abu Dhabi, Dubai or the broader United Arab Emirates (UAE), you could face temporary imprisonment and fines of up to $545,000 (~Dhs2 Million).

Yes, you heard that right.

Online Privacy is one of the biggest challenges in today’s interconnected world. The governments across the world have been found to be using the Internet to track people’s information and conduct mass surveillance.

This is where VPNs and proxy servers come into play.

VPNs and proxy servers are being used by many digital activists and protesters, who are living under the most oppressive regimes, to protect their online activity from prying eyes.

However, using VPN or proxy in the UAE could land you into great difficulty.

The UAE President Sheikh Khalifa bin Zayed Al Nahyan has issued new sovereign laws for combating cyber crimes, which includes a regulation that prohibits anyone, even travelers, in the UAE from using VPNs to secure their web traffic from prying eyes.

According to the laws, anyone using a VPN or proxy server can be imprisoned and fined between $136,000 and $545,000 (Dhs500,000 and Dhs2 Million).

The laws have already been issued by the UAE President and have now been reported to the official government news service WAM.

For those unfamiliar, Virtual Private Network (VPN) securely routes your Internet traffic through a distant connection, protecting your browsing, hiding your location data and accessing restricted resources.

Nowadays, VPNs have become a valuable tool not just for large companies, but also for individuals to dodge content restrictions as well as to counter growing threat of cyber attacks.

The UAE’s top two telecom companies, Etisalat and Du, have banned VoIP — the phone calling features in popular apps like WhatsApp, Viber, Facebook Messenger and SnapChat that deliver voice calls over the Internet for free — from within the Gulf nation.

However, the vast number of UAE residents who have used VPNs and proxies within the UAE for years to bypass the VoIP ban could soon be in difficulty.

Out of two new laws issued last week, one lays out fines for anyone who uses a VPN or proxy server, local news reports. The new law regarding VPNs states:

“Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dhs500,000 and not exceeding Dhs2 million, or either of these two penalties.”

The new move is in favor of telecom companies for whom VoIP ‘over-the-top’ apps have long been a major issue, as consumers no longer need to pay international calling rates to speak to their loved ones.

via https://ift.tt/2ak0fCN