Tag Archives: banking

Apple Pay thoughts and security

The big Apple event on Tuesday wasn’t that big a deal in my opinion. The iPhone 6 was expected, although not in 2 editions, but that is the least Apple had to do to catch up with Android. Apple Watch? Meh … sleek industrial design and interesting software options, but ultimately I still think that smart watches in general have limited use.

A couple of reasons why:

  • short battery life – until you start using one of these, you won’t realise what an issue that is (my current Seiko is going on for 4 years now on the same battery; 1 day on a charge for smart watches is a problem)
  • you don’t get any health info while your watch is on charge because you can’t wear it at the same time as charging
  • security – smart watches can be hacked; do you really want your health and personal info out there for all to see? And how do the vendors handle your privacy and security?
  • you still need a phone to use in conjunction with most smart watches – no phone? limited usefulness …

So onto the main crux of this article: Apple’s new NFC-based payment system. What’s new? Pretty much nothing that hasn’t been done before – think Google Wallet. They have some good integration with Touch ID on the iPhone and the on-board security chip, along with agreements with a number of American banks and the 3 main payment networks, AMEX, Mastercard and Visa. The only benefit Apple brings to the table is a large user base, as well as a knack for popularizing systems like this. And that is it.

With Apple stepping into the NFC payments game we will see a large increase in the number of people using it. This of course will lead to security and privacy concerns, not only about potential vulnerabilities in the technology itself and how criminals can exploit them, but also about how users may fail to secure their devices, and therefore their electronic wallets, properly. Some banks are even putting transaction limits in place as a form of risk analysis/protection.

Although the recent iCloud hack of celebrities’ nude photos wasn’t entirely Apple’s fault, this episode goes to show how far end users and vendors have to go to understand personal security and privacy properly. And that’s the crux of the matter. We’ll also have to see how country-specific consumer-rights, privacy and other laws affect a global product like this.

But security is always a primary concern. And while Apple has promised fixes to iCloud and iOS in the coming period, the perception of Apple’s security is not good, and their track record is similarly poor.

Anyone can spend $1500 on Elcomsoft’s iOS Forensic Toolkit or $79 on the Phone Password Breaker and proceed to literally pull an iPhone apart, getting access to pretty much every single piece of data you’ve ever put on there. There are also cheaper ($0) hacks out there involving an iPhone and iTunes running on a Windows machine. Scary stuff when you’re storing potentially vital personal data on your phone.

So what else can we say about Apple Pay? There are some more practical issues:

  • battery life of your phone will suffer with NFC switched on all the time (I can’t see people turning it on and off when required)
  • there is a much wider attack surface with NFC switched on all the time, potentially leading to a security nightmare
  • the payment industry is actually moving away from NFC towards biometrics
  • many US retailers and banks have cited the high cost of NFC-enabled payment equipment as a reason for not going all in

So, while I think Apple could be moderately successful with something like this, there are significant issues to be worked out in the practical implementation. We’ll see …

ZeuS banking trojan now into SMS

New versions of the ZeuS trojan are starting to target the SMS-TAN system, which is used to send transaction numbers (TANs) to clients’ cell phones to authenticate that person for an online transaction. The developers of ZeuS now use a multi-stage attack to get the trojan onto the phone. The most important step is still infecting a Windows PC. Then, victims are shown a specially crafted web site that masquerades as a security update for the victim’s cell phone.

Victims are asked to enter their cell phone number so they can receive a link to the download in a text message. The PC infected with the trojan then promptly sends a text message containing a link to what appears to be a new security certificate. Users are then asked to download and install the certificate on their mobile phones, which requires an Internet connection on the phone.

This effectively compromises every stage of internet banking at this point in time, the starting point being MS Windows. There is only one solution for this:

Do NOT use a Windows PC for online banking.

ProPublica and This American Life team up to expose investment bankers and hedge fund managers

A fascinating look into the financial crash in America and worldwide:

http://www.thisamericanlife.org/sites/all/play_music/play_full.php?play=405

For seven months a team of investigative journalists from ProPublica looked into a story for us, the inside story of one company that made hundreds of millions of dollars for itself while worsening the financial crisis for the rest of us.

A hedge fund named Magnetar comes up with an elaborate plan to make money. It sponsors the creation of complicated and ultimately toxic financial securities… while at the same time betting against the very securities it helped create. Planet Money’s Alex Blumberg teams up with two investigative reporters from ProPublica, Jake Bernstein and Jesse Eisinger, to tell the story. Jake and Jesse pored through thousands of pages of documents and interviewed dozens of Wall Street insiders. We bring you the result: a tale of intrigue and questionable behavior, which parallels quite closely the plot of a Mel Brooks musical.