Walmart Sues Visa Over Chip-and-PIN Security
In what may be a sign of things to come, Walmart, the world’s largest retailer, has filed a lawsuit against Visa USA over the payment card brand’s refusal to allow consumers to use PINs, rather than signatures, to verify their identities during transactions with chip cards. The suit, filed this week in New York State […]
As Chip-and-PIN Emerges, Attackers Favor Credential Theft and Online Fraud
The move to chip-and-PIN technology in the United States last year was supposed to be a security win, making in-store transactions more reliable and resistant to fraud. But the adoption rate for the technology hasn’t been as high as expected, and experts and analysts say that criminals are simply shifting their focus to other tactics such […]
Researchers Find Serious Flaws in Samsung SmartThings Platform
Researchers at the University of Michigan have identified a set of vulnerabilities in Samsung’s SmartThings platform that allowed them to remotely unlock doors, set off smoke alarms, and perform other unwanted actions through the use of overprivileged apps. SmartThings is a platform designed to support the use of a variety of connected devices in a […]
Researchers Find Private Slack Tokens Posted on GitHub
Developers building bots for Slack are including their personal access tokens in code posted on GitHub, researchers have found, a problem that could give anyone who finds the tokens access to internal Slack conversations and files. Slack is a team communications app used in many organizations to share information, files, and other data. Developers can […]
Office 365 Bug Could’ve Allowed Attackers to Login to Virtually Any Account
Security researchers in January discovered a critical vulnerability in the SAML implementation in Microsoft’s Office 365 service that could allow an attacker to log in to a victim’s account and gain full access to email, contacts, and other sensitive data. The vulnerability was present in Office 365 for an unknown amount of time, and there […]
Verizon DBIR Shows Focus on Credential Theft in Breaches
Attackers are continuing to refine their tactics and develop new tools, but in a lot of cases they still rely on tried-and-true methods such as phishing, social engineering, malware, keyloggers, and credential theft to achieve their goals. The 2016 Verizon Data Breach Incident Report shows that these tactics and tools are still among the most-used by […]
Massive Bank of Bangladesh Attack Hit SWIFT Payment System
Attackers who pulled off the massive bank fraud at the Bangladesh Bank in February did so by using custom malware and attack tools that were able to monitor the internal messages that conduct financial transactions, delete certain messages, and then insert others to send money to accounts they control, researchers say. The tools targeted the SWIFT […]
GitLab Fixes Authentication Bypass Flaw
GitLab has patched a serious authentication vulnerability that enabled any user to take over another user’s account with two-factor authentication enabled. The vulnerability was a result of the way that GitLab’s authentication flow produced one-time passwords for accounts with 2FA enabled. An attacker who knows a victim’s username and can capture network traffic could sign in […]
Bill Requiring Phone Crypto Backdoors Dies in California Assembly
A California bill that would require backdoors in phone encryption has died in the state assembly after failing to gain enough support to move out of committee. The bill, proposed in January, would have required that device manufacturers have the capability of decrypting and unlocking any phone sold in California after Jan. 1, 2017. A […]