Sidestepping Apple Pay Enrollment Authentication

SAN FRANCISCO–Apple has touted its Apple Pay system as a convenient, simple, and secure alternative to using physical debit or credit cards. But researchers have identified some weaknesses in the enrollment and authentication flow of the system that could have allowed attackers to add stolen cards to their own Apple Pay accounts and use them […]

The Selfie is the New Payment Biometric

Banks, credit card companies, and other financial companies are turning over every rock in an effort to fight fraud, including trying out novel authentication techniques. The latest move in this area is toward facial recognition via smartphones as a way to ensure the person making a purchase is who he claims to be. After decades […]

FDIC Releases Cybersecurity Framework for Banks

The FDIC has released a cybersecurity framework for banks that describes a long list of threats to financial institutions and includes recommendations for how they can defend against those threats. The framework doesn’t contain any surprises or novel threats, but provides a broad outline of the problems banks and other financial institutions face, such as […]

On the Wire Podcast: Vijay Balasubramaniyan

Dennis Fisher talks with Vijay Balasubramaniyan, CEO of Pindrop, about the company’s $75 million funding announcement with investments from Google Capital and Google Ventures, the future direction of the company, and the role that voice authentication and security is playing in the emerging Internet of Things era.

LostPass Allows Easy Phishing to Defeat Password Manager

A security researcher has developed a phishing attack against the LastPass password manager app that is virtually impossible to detect and has the ability to mimic the LastPass login sequence perfectly. The technique takes advantage of several weaknesses in the way that LastPass handles user logout notifications and the resulting authentication sequence. Sean Cassidy, the […]

Serious Yahoo Mail XSS Bug Fixed

Yahoo has fixed a serious cross-site scripting vulnerability in its webmail product that could’ve allowed an attacker to take over a victim’s email account with one malicious email. The bug is a specific kind of cross-site scripting vulnerability known as stored XSS. In order to trigger it, an attacker would only need to send a […]

On the Wire Podcast: Mike Hanley

Mike Hanley is the program manager for research and development in Duo Security’s Labs division, and is a former senior member of the technical staff at the CERT/CC at Carnegie Mellon University. In today’s podcast, Dennis Fisher talks to Mike about the ways in which two-factor authentication is deployed right now, how 2FA use has changed, […]

Hyatt Data Breach Caused by Payment System Malware

A data breach at hundreds of Hyatt hotels that was revealed in December was caused by point-of-sale device malware that stole victims’ payment card information in transactions in hotel restaurants, spas, golf shops, and other locations. The malware was on PoS systems in more than 300 Hyatt hotels around the world, including dozens in the […]

Bankosy Android Trojan Defeats Voice 2FA

Bad guys are always looking for ways to up their game and find ways around the defenses that security companies and users put in their way. To wit, an Android banking Trojan called Bankosy has added a new capability that allows attackers to bypass voice-based two-factor authentication. The malware has been around for a […]