Consumers love their smartphones, but a substantial number of them don’t love using them to pay for purchases. With Samsung’s introduction of its Galaxy S5 phone last week, the company is betting it can change some of those consumers’ minds on that subject.
Like Apple’s iPhone 5s, the S5 has a fingerprint scanner. Unlike the Apple product, though, the S5’s scanner can be used to pay for things. That’s because Samsung has partnered with PayPal and the FIDO Alliance to allow S5 users to shop with a swipe anywhere PayPal is accepted.
The system not only will test the faith of S5 owners in its fingerprint scanner, but also be a shakedown cruise for FIDO authentication — which, if successful, could offer a viable alternative to pesky passwords.
To do that, though, the Samsung crew will have to overcome some stiff consumer resistance.
For example, when asked about using phones for mobile payments, nearly half of consumers (49 percent) ranked security as their major concern in a survey conducted by Ovum last year.
“We think consumers will be wary and need some convincing due to security concerns,” Ovum Principal Analyst Eden Zoller told TechNewsWorld. “Consumers already worried about the security of established m-payment mechanisms are likely to view a new technology and process with suspicion.”
The Spoof Test
Apple already knows the pitfalls of linking biometrics to buying.
“Apple got panned immediately because its fingerprint sensor could be spoofed,” explained Van L. Baker, Gartner’s research vice president for mobility.
“That’s true, but it’s not meant to be a security vehicle. It’s not meant to be a transaction vehicle,” he pointed out.
“It’s a convenience. You don’t have to use a pass code. You can use your finger instead,” Baker told TechNewsWorld.
“If Samsung is trying to upgrade it to the level of a secure transaction, then we’ll have to wait to see how long it takes for someone to spoof the Samsung platform,” he added. “If it’s spoofable, then I won’t be authorizing any transactions with it.”
Powerful brands have a way of swaying consumers’ sentiments, Ovum’s Zoller pointed out. “Samsung is a hugely popular smartphone brand with global reach, while PayPal is a trusted payments service provider,” he said. “This is a powerful combination.”
Busy Bromium
A nasty malicious advertising attack on YouTube and a flaw in a Microsoft program designed to stop Zero Day attacks on Windows have been uncovered by Bromium.
The YouTube attack was particularly pernicious.
“It was incredibly scary, from what we saw,” Bromium Chief Security Architect Rahul Kashyap told TechNewsWorld.
Google has addressed the problem, but what made it so frightening was that the attackers found a way to infect ads being served up to YouTube pages, and those infections could be passed on to anyone who landed on the pages.
“Everything happened behind the scenes,” Kashyap said. “It was a classic drive-by download exploit.”
Machines that came into contact with infected pages were fed a banking Trojan from the Caphaw family, Bromium’s McEnroe Navaraj said in a company blog post. That type of malware is used to steal bank account information and drain a victim’s bank accounts.
Of late, ad networks have become juicy spoils for hackers.
“These have become high value targets to leverage in an attack because you can infect millions of users with a single click,” said Bromium CSA Kashyap.
Defeating EMET
Zero Day attacks are daunting to malware fighters because the forays exploit flaws that have never been seen before. A valuable weapon for combating Zero Day attacks is Microsoft’s Enhanced Mitigation Toolkit — or it was valuable until Bromium uncovered a way to bypass its scrutiny.
EMET is especially effective at identifying malware that uses a technique called “ROP” (Return Oriented Programming). Most of the in-the-wild malware uncovered in the past year used a variant of ROP techniques, according to Bromium.
What Bromium found was that EMET was good at stopping attacks where there was pre-existing memory corruption, but if it’s running in the same space as some malicious code, EMET can be bypassed.
“We want people to understand the limitations of the tool,” Kashyap said. “If we could do this, then hackers could as well.”
Microsoft has been alerted about those limitations, and it has promised to fix them, as well as add some more weapons in EMET, when it next updates the program.
Breach Diary
- Feb. 24. Blackphone introduces at the Mobile World Congress in Barcelona a US$629 phone that shares the name of the company and guards all its communications with strong encryption and blocks the tracing of Web browsing and Internet searching with the device.
- Feb. 25. University of Indiana notifies state attorney general that names, addresses and Social Security numbers of some 146,000 students and recent graduates from 2011 to 2014 are at risk of disclosure because they were exposed to three Web crawlers gathering information for Internet search engines.
- Feb. 25. Four Minnesota banks sue Target for losses resulting in data breach that compromised personal and payment card information of 110 million of the retailer’s customers last year. Target is facing more than 80 lawsuits nationwide.
- Feb. 25. Apple patches security flaw in OS X Mavericks that could allow hijacking of SSL traffic between a Mac and the Internet.
- Feb. 26. Target reports quarterly profit drop to $520 million from $961 million a year ago. Most of the decline was attributed to weak performance by its Canadian stores, but the company also noted that transactions during the holiday season dropped 5.5 percent, primarily due to a massive data breach.
- Feb. 26. Secunia releases vulnerability review for 2014 finding the total number of vulnerabilities in software increased 32 percent from 2012 to 2013. The vendor with the largest increase in vuls, the report said, was IBM — to 4,181 in 2013 from 772 in 2012, a jump of 442 percent.
- Feb. 26. UK energy companies are being denied insurance to cover cyberattacks because carriers are finding companies’ cyberdefenses inadequate, BBC reports.
- Feb. 26. Tor developers may have free instant messaging software that protects the identity of its users ready by the end of March, The Daily Dot reports.
- Feb. 27. Google reportedly patches flaws in its Maps product that allowed hacker Bryan Seely to plant fake listings on the service, including phony numbers for the FBI and Secret Service from which he recorded citizens’ calls to the agencies.
- Feb. 28. Nearly half (48 percent) of the 341 security professionals participating in a Thycotic Software survey felt the NSA overstepped its boundaries in its surveillance of U.S. citizens, according to results released at the RSA Conference in San Francisco.
Upcoming Security Events
- March 3-8. Cyber Guardian 2014. Sheraton Inner Harbor hotel, Baltimore, Md. Sponsored by SANS. Courses range from $4,895-$5,095.
- March 4-5. 3rd Annual Oil & Gas Security 2014 Summit. Sofitel Dubai Jumeirah Beach Hotel, Dubai. Registration: Pounds 1,645 plus VAT.
- March 6. Leveraging Emerging Technologies in the Security Clearance Process. 7:30-9:30 a.m. ET. Rotunda, Ronald Reagan Building, 1300 Pennsylvania Ave, NW, Washington, DC. Breakfast sponsored by Intelligence and National Security Alliance (INSA) and Nextgov. Free with registration.
- March 5-10. DFIRCON 2014. Monterey Marriott, Monterey, Calif. Sponsored by SANS. Courses range from $4,845-$5,095.
- March 10-11. BSides Vancouver 2014. Best Western Plus Chateau Granville, Vancouver, BC. Free.
- March 12-23. ICS Security Summit. Contemporary Hotel, Lake Buena Vista, Fla. Sponsored by SANS. Cources range from $1,700-$4,595.
- March 18. Cybersecurity: Collaborate, Comply, Conquer. Virtual conference sponsored by ISACA. Free with registration.
- March 20-21. Suits and Spooks Singapore. Mandarin Oriental, 5 Raffles Ave., Marina Square, Singapore, and ITU-IMPACT Headquarters and Global Response Center, Cyberjaya, Malaysia. Registration: Singapore and Malaysia, by Jan. 19, $415; after Jan. 19, $575. Singapore only, by Jan. 19, $275; after Jan. 19, $395.
- March 20-12. BSides Austin. WinGate Williamson Conference Center, Round Rock, Texas. $10 per day; students free.
- March 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- March 29-30. BSides Mumbai.Mumbai World Trade Centre, Cuffe Parade, Mumbai. 5,000 Indian rupees.
- March 25-28. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.
- April 1-2. SecureCloud 2014. Amsterdam RAI Convention Centre, Amsterdam, Netherlands. Registration (includes VAT): Through Feb. 14, 665.50 euros, government; 847 euros, business; After Feb. 14, 786.50 euros, government; 1,089 euros, business.
- April 5-14. SANS 2014. Walt Disney World Dolphin Resort, Orlando, Fla. Job-based long courses: $3,145-$5,095. Skill-based short courses: $575-$3,950.
- April 8. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- April 8-9. IT Security Entrepreneurs’ Forum. Computer History Museum, 1401 North Shoreline Boulevard, Mountain View, Calif. April 8 workshops and April 9 forum and reception, $595. Forum and reception only, $495. Government employees, free. Students, $195.
- April 11-12. Women in Cybersecurity Conference. Nashville, Tenn.
- April 17-18. Suits and Spooks San Francisco. Fort Mason in the Firehouse, San Francisco. Registration: Through March 10, $380. After March 10, $575.
- April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
- June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: thru June 2, $1,795; thru July 26, $2,195; after July 26, $2,595.
- Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
- Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
- Oct. 29-31. RSA Conference Europe. Amsterdam RAI, Amsterdam. Registration: thru Oct. 27, 1,095 euros plus VAT; after Oct. 27, 1,295 euros plus VAT.