Sunday, December 6, 2009

iPhone Malware Threat is Serious

  • In essence, this threat is serious. - ComputerWorld

  • It's Hip to Be Square - Huey Lewis and the News

  • Media should be Hip on Security - PIN Payments News

Last week, Jack Dorsey, the Silicon Valley media darling who founded Twitter, introduced Square, which frankly is a toy when compared to HomeATM's PCI 2.x PIN Entry Device (which also hooks up to any phone via the earjack and was introduced a year ago). There was a ton of hype. A lot was written. My favorite headline was that this is the PayPal for mobile phones. Others really thought being able to use their finger to write their signature on the screen was the bomb. (No...just an existing application...see: Write Text on your iPhone with Your Finger.) But Mr. Dorsey is hot stuff right now (thanks to Twitter), and the media would ooh and aah over anything he does because he's the reigning Silicon Valley rock star du jour. So they cover the sizzle...but there's more at stake.

Surprisingly, in this day and age of breaches, hacks, malware and browser vulnerabilities, NOT a lot has been written about the steak, i.e. the security/encryption of the device. I did read that the Square doesn't "store" the credit/debit card numbers. (Well, that's positive, but it doesn't mean "jack.") Unfortunately, in today's sophisticated world, hackers don't need "storage" to obtain card numbers, so serious questions remain about the encryption. They say the information is encrypted, but if that only happens a second or two after you swipe the card, that's "too little, too late." The cardholder data must be encrypted instantaneously inside the Square, not after the Square sends the information to the iPhone. Otherwise a window of opportunity is created for hackers to intercept the data prior to encryption.

Frankly, it's no different than entering it into the phone by keystrokes. Here's an astute observation from an industry exec about the Square:

"All this does is encode the magstripe data to audio for pickup by the application. Then the application works exactly as a web based payment application. So the only difference between this and a merchant typing their customers' card details into a web browser on their iPhone is that they don't have to type the card number. Nothing to see here."

Encrypting the card numbers "AFTER" you type them in is the equivalent of fixing the hole in your boat after it sinks. (So there is something to see there after all.)
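To make the encryption-boundary argument above concrete, here is an added example (my own model, not Square's or HomeATM's code) contrasting the two designs: a dongle that only modulates plaintext track data onto audio and leaves encryption to the app, versus a dongle that encrypts before anything leaves it. The track data is a constructed ISO 7813 Track 2 sample with a test PAN, and AES-GCM with a zero demo key is assumed as a stand-in for whatever cipher and key management a real reader uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"strings"
)

// Constructed Track 2 sample (ISO 7813 layout ;PAN=YYMM...?); the PAN is the 4111... test number, not a real card.
const sampleTrack2 = ";4111111111111111=2512101?"

// seal is AES-GCM with the random nonce prepended. It stands in for whatever the reader
// hardware really uses (e.g. a DUKPT-derived key); the point is where it runs, not which cipher.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Design A (what the post describes): the dongle only turns the track data into audio and the app
// encrypts after demodulating it. Returns what the app held in memory and the ciphertext it sends on.
func plaintextReaderSwipe(appKey []byte, track string) (appHeld string, sent []byte) {
	audio := []byte(track)   // dongle: plaintext -> audio tones (modelled as raw bytes)
	decoded := string(audio) // app: audio -> plaintext, observable by anything in the app's process
	return decoded, seal(appKey, []byte(decoded))
}

// Design B (what the post argues for): the dongle encrypts at the swipe; the app holds no
// key and only relays ciphertext, so what it held and what it sent are the same bytes.
func encryptingReaderSwipe(readerKey []byte, track string) (appHeld string, sent []byte) {
	ct := seal(readerKey, []byte(track)) // dongle: encrypt before anything leaves it
	return string(ct), ct
}

// panExposed reports whether the PAN was visible to the app process during the swipe.
func panExposed(appHeld, pan string) bool {
	return strings.Contains(appHeld, pan)
}
```

In design A the phone app needs the key and holds the PAN in the clear, so its process is inside the PCI boundary; in design B the phone is just a pipe.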

Also, coincidentally, last week there was a report that "jailbroken" iPhones could be breached. Now, in a new report from an iPhone developer, hackers are free to hack even those models that have not been jailbroken. Call this malware program "Genesis" because it's only the beginning; it's time to stop "toying around" with encryption.

"The popular Apple iPhone smartphone may be at risk from a security vulnerability that affects even those models that haven't been hacked, or 'jailbroken,' according to new findings from a Swiss software engineer," Andy Patrizio reports for eSecurityPlanet.

"Nicolas Seriot, an iPhone developer, presented his findings during a conference in Geneva on iPhone privacy. According to his research, malware could exploit a previously unknown hole to access a user's e-mail accounts, Safari, and YouTube searches, keyboard cache content, and the Wi-Fi connection logs," Patrizio reports.

"Most hacks that affect the iPhone are the ones that are unlocked with 'jailbreak' utilities... Evidently, however, even iPhones fresh off the shelf could be vulnerable, according to Seriot, who showed how a malicious application could gather personal data from an iPhone without using private APIs," Patrizio reports.

"Based on his conclusions, a malicious app is free to move around all it wants once inside the system -- reading a user's address book, stealing their phone number, viewing their browser history, and culling other private data from the device," Patrizio reports. "Apple did not respond to requests for comment."

Patrizio reports, "Seriot also said that unlike the transmission methods popular among PC malware, iPhone trojans will make their way to the device by way of the Apple App Store. 'Reviewers can be fooled,' he noted in his presentation."

In his presentation (located here in PDF format), Seriot indicates that he believes portions of the iPhone subsystems are simply not secured. Instead, functions including phone information and the file system can be accessed by making the right calls to variables.

Full article here.

It (the virus) also looks for authentication systems that use SMS, better known as mTANs. mTANs are frequently used by banks that send an SMS message with a password to mobile phones, allowing people to log in to their online accounts, Sophos wrote.

FDIC Issues Warning of New Phishing Scam

Fraudulent correspondence bearing the FDIC's name continues to be mailed, faxed and e-mailed. This correspondence is being used in illegal schemes to collect sensitive personal information, such as bank account numbers, and to steal money and other assets.

The Federal Deposit Insurance Corporation (FDIC) is reminding financial institutions, businesses and consumers that fraudulent correspondence claiming to be from the FDIC continues to be mailed, faxed and e-mailed in the United States and other countries. The correspondence uses various techniques to gain the trust of recipients in hopes they will provide sensitive personal information, including bank account numbers, that can be used to steal money and other assets. Recipients should NOT, under any circumstances, respond to the fraudulent requests. Institutions also are encouraged to inform customers that fraud artists may use the names of the FDIC and other government agencies and to take appropriate precautions.

The criminals, knowing that people trust the FDIC name, have duplicated the official logo and seal in fraudulent letters, forms, certificates and other correspondence. Recent examples have included invoices, bills, transfer forms, guarantees, endorsements, and confirmations of stock and investment purchases. In some cases, recipients were asked to complete fraudulent forms and return them by fax or e-mail. In other cases, recipients were asked to remit funds via check or wire transfer service.

The FDIC rarely sends unsolicited bills or other similar documents to financial institutions, businesses and consumers. In particular, the FDIC does not send unsolicited correspondence asking for sensitive personal information, including bank account information. Anyone receiving such correspondence should contact the FDIC immediately by calling toll-free at 1-877-ASK-FDIC (1-877-275-3342) or by e-mailing to Do not use contact information listed for the FDIC in the correspondence because it is likely to be falsified.

Information about counterfeit items, cyber-fraud incidents and other fraudulent activity may be forwarded to the FDIC's Cyber-Fraud and Financial Crimes Section, 550 17th Street, N.W., Room F-3054, Washington, D.C. 20429, or transmitted electronically to Questions related to fraudulent correspondence, deposit insurance or consumer issues should be submitted to the FDIC using an online form that can be accessed here.
