Is Lack of Security Holding Back Mobile Wallets?

Yet the uptake of mobile wallets to pay for offline goods is significantly lower – Javelin Strategy Research found that mobile POS (Point of Sale) proximity payments made up just 0.01 percent of total retail volume.

So people will use a mobile device to shop at Amazon, but not to pay for items right in front of them. Is the lack of security holding back the adoption of mobile wallets?

Apple’s Apple Pay is now pre-installed on iPhone 6 and 6+ devices, and is accepted in 220,000 stores and by dozens of major banks. Lagging behind, Google Wallet is accepted by 158 of the top online retailers as well as scores of offline merchants such as coffee houses and grocery stores (source: Internet Retailer). Softcard (Isis Wallet) rolled out a pilot in mid-2012 that attracted even fewer users. All three of these mobile wallet solutions use the NFC (Near Field Communication) chip in the mobile device to communicate with the POS system that accepts payment. Security is obviously compromised if the phone is stolen, but hackers can also intercept the NFC transmission and capture the wallet information without even touching the device.

To add an extra layer of security, mobile wallet designers are requiring some type of additional authentication to complete a payment transaction. One of the secure authentication methods that is gaining traction is biometric authentication — like a fingerprint reader. Biometric identification techniques also include facial recognition, voice recognition, and the most sci-fi of all, eye-scan recognition. Biometric identification is by its nature unique and difficult to copy or steal — unlike knowledge-based identification such as passwords and PIN codes.

Although biometric authentication technology has been available for many years, it took the launch of Apple iPhone’s fingerprint reader in 2013 to bring the technology mainstream. Now other mobile device makers including HTC and Samsung are including fingerprint readers as well. Uniform standards are beginning to take shape in order to allow a payments ecosystem to form around these authentication methods and to bring down the costs for merchants to accept them.

If mobile payment methods are made sufficiently secure, mobile wallets may ultimately find adoption far beyond purchases at the café. A secure (and easy) authentication method for mobile wallets would allow them to be used for electronic ticketing like bus fares and parking garages, for larger purchases like home furnishings, and even for official government IDs like driver’s licenses and passports.

Solving the security challenge will allow mobile wallets and mobile payment apps to finally flourish.

The post Is Lack of Security Holding Back Mobile Wallets? appeared first on Avira Blog.

ST15-001: IRS and US-CERT Caution Users: Prepare for Heightened Phishing Risk This Tax Season

Original release date: January 30, 2015


Overview

Throughout the year, scam artists pose as legitimate entities—such as the Internal Revenue Service (IRS), other government agencies, and financial institutions—in an attempt to defraud taxpayers. They employ sophisticated phishing campaigns to lure users to malicious sites or entice them to activate malware in infected email attachments. To protect sensitive data, credentials, and payment information, US-CERT and the IRS recommend taxpayers prepare for heightened risk this tax season and remain vigilant year-round.

Remain alert

Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. In many successful incidents, recipients are fooled into believing the phishing communication is from someone they trust. An actor may take advantage of knowledge gained from research and earlier attempts to masquerade as a legitimate source, including the look and feel of authentic communications. These targeted messages can trick any user into taking action that may compromise enterprise security.

Spot common elements of the phishing lifecycle

  1. A Lure: enticing email content.
  2. A Hook: an email-based exploit.
    • Email with embedded malicious content that is executed as a side effect of opening the email
    • Email with malicious attachments that are activated as a side effect of opening an attachment
    • Email with “clickable” URLs: the body of the email includes a link, which displays as a recognized, legitimate website, though the actual URL redirects the user to malicious content
  3. A Catch: a transaction conducted by an actor following a successful attempt.
    • Unexplainable charges
    • Unexplainable password changes

Understand how the IRS communicates electronically with taxpayers

  • The IRS does not initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.
  • This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
  • The official website of the IRS is www.irs.gov.

Take action to avoid becoming a victim

If you believe you might have revealed sensitive information about your organization or access credentials, report it to the appropriate contacts within the organization, including network administrators. They can be alert for any suspicious or unusual activity.

Watch for any unexplainable charges to your financial accounts. If you believe your accounts may be compromised, contact your financial institution immediately and close those accounts.

If you believe you might have revealed sensitive account information, immediately change the passwords you might have revealed. If you used the same password for multiple accounts, make sure to change the password for each account and do not use that password in the future.

Report suspicious phishing communications

  • Email: If you read an email claiming to be from the IRS, do not reply or click on attachments and/or links. Forward the email as-is to [email protected], then delete the original email.
  • Website: If you find a website that claims to be the IRS and suspect it is fraudulent, send the URL of the suspicious site to [email protected] with subject line, “Suspicious website”.
  • Text Message: If you receive a suspicious text message, do not reply or click on attachments and/or links. Forward the text as-is to 202-552-1226 (standard text rates apply), and then delete the original message (if you clicked on links in SMS and entered confidential information, visit the IRS’ identity protection page).

If you are a victim of any of the above scams involving IRS impersonation, please report to [email protected], file a report with the Treasury Inspector General for Tax Administration (TIGTA), the Federal Trade Commission (FTC), and the police.

Additional Resources

For more information on phishing, other suspicious IRS-related communications including phone or fax scams, or additional guidance released by Treasury/IRS and DHS/US-CERT, visit:

To report a cybersecurity incident, vulnerability, or phishing attempt, visit US-CERT.gov/report.


Author: US-CERT and IRS



Registration open for Rooted CON 2015

Posted by omarbv on Jan 30

Hello,

As expected, now you can buy your ticket for Rooted CON 2015, from 5th
to 7th March in Madrid (Spain).
As in the previous edition, all talks will be in Spanish and English,
with live translation.

Some talks were announced last week:

Abel Valero – Dismantling Webex
Adrián Villa – Bypassing DRM Protections at Content Delivery Networks
Alejandro Ramos – Red and Blue: two teams with two flavors
Andrzej Dereszowski – Turla:…