Information Security, SSAE 16, ISO 27001, CISA, Cert-IN
As if withdrawing money from an ATM wasn’t dangerous enough, researchers discovered that Russian-speaking Skimer group forces ATMs to assist them in stealing users’ money. Instead of installing skimmer devices onto an ATM, they could turn the whole ATM into a skimmer itself. Main window of the infected ATM Discovered in 2009, Skimer was the first malicious program to target ATMs, and now, the cybercriminals have resurfaced, reusing the malware.
Read the full article here.
A security researcher could have stolen as much as $25 Billion from one of the India’s biggest banks ‒ Thanks to the bank’s vulnerable mobile application.
Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just a few lines of code.
Being a white hat hacker, Prakash immediately reached out to the bank and alerted it about the critical issues in its mobile app and helped the bank fix them, instead of taking advantage of the security holes to steal money from the bank that has about 25 Billion USD in Deposits.
While analyzing the mobile banking app, Prakash discovered that the app lacks Certificate Pinning, allowing any man-in-the-middle attacker to downgrade SSL connection and capture requests in plain text using fraudulently issued certificates.
Besides this, Prakash also found that the mobile banking app had insecure login session architecture, allowing an attacker to perform critical actions on the behalf of targeted account holder without knowing the login password, like seeing victim’s current account balance and deposits, as well as to add a new beneficiary and making illegal transfers.
If this wasn’t enough, Prakash discovered that the app did not check to see if the given customer ID or Transaction Authorisation PIN (MTPIN) ‒ used for critical controls like transferring funds, creating a new fixed deposit ‒ actually belong to the sender’s account.
This blunder in the mobile banking app could have allowed anyone with the app and an account in the bank to transfer money from someone else’s account.
Read the full article here.
Last year, credit card issuers finally introduced “chip” credit cards to the United States. It’s been a painless process for the most part, but now Walmart is suing Visa over the technology, claiming it’s not secure for customers.
EMV is meant to be more secure, and while it will incorporate PINs in the future, for now, chip-enabled credit and debit cards will work just fine with a signature.
Last year, Walmart tried to require debit card customers to pay the old way: with their PINs. Visa came back and demanded they allow signatures for those cards via the new chip technology. Walmart spokesperson Randy Hargrove explained the issue:
PIN is the only truly secure form of cardholder verification in the marketplace today, and it offers superior security to our customers. Visa has acknowledged in many other countries that chip-and-pin offer greater security. Visa nevertheless has demanded that we allow fraud-prone signature verification for debit transactions in our U.S. stores because Visa stands to make more money processing those transactions.
Walmart’s outrage probably has less to do with security and more to do with money, though. It’s cheaper for Walmart to verify via PIN than signature. According to the Wall Street Journal, signature verification costs about five cents more per transaction. In other words, the new technology encourages customers to use their bank cards as credit instead of debit, which is more expensive for Walmart.
It’s easy to see why Walmart is upset—this new technology is costing them money, and the credit card companies still haven’t rolled out cheaper, more secure PIN technology. Their suggestion that customer security is at risk, however, is a little misleading.
Walmart’s statement suggests Visa puts customers’ security at risk by allowing signatures instead of PINs for debit card transactions. It does kind of suck that we’re still waiting for full blown “chip and PIN” technology, which is supposed to be even more secure, but the new credit cards aren’t any riskier than your old ones.
Read the full article here.
via https://ift.tt/1MXQBSg
A software vulnerability in a WhatsApp browser add-on could allow hackers to take remote control of MILLIONS of computers across the globe, a security firm has warned. WhatsApp Web allows Android, BlackBerry, Windows Phone and most recently iPhone users to continue their WhatsApp conversations within a browser window.
via https://ift.tt/1Q5Udks
Android: If you’re not using the Android Device Manager to help find your lost phone, we highly recommend it. What happens when you actually lose your phone, though? Thanks to a guest mode in the Android app, you can use your friend’s phone to find your own.
The Android Device Manager app allows you to quickly locate, lock, or wipe your other devices. However, you can also use the guest mode to allow someone else to quickly log in and find their device. This makes it much easier to help a friend find their phone, as the only alternative is to log in to their own account from a laptop, which may not be as easily accessible. In any case, if you’re not using ADM to track your phone in case of an emergency, it’s highly recommended you set it up now.https://ift.tt/1SN3RZQ…
Android Device Manager | Google Play Store
via https://ift.tt/1IUhuE4
Stagefright is a critical Android vulnerability that attackers can exploit using specifically prepared Multimedia Messaging Service messages (MMS). What makes the vulnerability particularly troublesome is that it can be exploited passively on devices. All that it takes is to sent a prepared MMS to a device running Android to get system or media privileges on […]
Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader.
The post Find out if your mobile is vulnerable with Stagefright Detector App for Android appeared first on gHacks Technology News.
via https://ift.tt/1NchIXY
Dreamify is a free Android application that transforms photos or images on the device into art. Google revealed Deep Dream, a neural networks research project, back in June 2015, and an unforeseen side effect of that was huge interest in the generated images. People from all over the world wanted to know how they could […]
Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader.
The post Dreamify: transform photos using Google’s Deep Dream algorithm appeared first on gHacks Technology News.
via https://ift.tt/1N3j8Gz
Multiple critical vulnerabilities have existed, some for nearly five years, in PHP File Manager, a web-based file manager used by several high profile corporations.
via https://ift.tt/1D67jN7
Own an Android phone? Beware, Your Android smartphones can be hacked by just a malformed text message.
Security researchers have found that 95% of Android devices running version 2.2 to 5.1 of operating system, which includes Lollipop and KitKat, are vulnerable to a security bug, affecting more than 950 Million Android smartphones and tablets.
Almost all Android smart devices available
via https://ift.tt/1OwPyr2