By Waqas Rafay Baloch has reported Vulnerability in Edge and Safari Browsers that Allows Address Bar Exploitation. Nowadays the phishing attacks have become increasingly sophisticated and difficult to detect so it is indeed appreciable that security researchers are managing to spot such campaigns in their initial phases. Reportedly, a security researcher from Pakistan Rafay Baloch has discovered […] This is a post from HackRead.com Read the original post: Pakistani hacker reports address bar spoofing flaws in Edge & Safari browser
The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, such as location, customer reputation, and physical attributes of the device. Here’s a look at what’s coming, and the potential security and privacy trade-offs of trusting the carriers to handle online authentication on your behalf.
Tentatively dubbed “Project Verify” and still in the private beta testing phase, the new authentication initiative is being pitched as a way to give consumers both a more streamlined method of proving one’s identity when creating a new account at a given Web site, as well as replacing passwords and one-time codes for logging in to existing accounts at participating sites.
Here’s a promotional and explanatory video about Project Verify produced by the Mobile Authentication Task Force, whose members include AT&T, Sprint, T-Mobile and Verizon:
The mobile companies say Project Verify can improve online authentication because they alone have access to several unique signals and capabilities that can be used to validate each customer and their mobile device(s). This includes knowing the approximate real-time location of the customer; how long they have been a customer and used the device in question; and information about components inside the customer’s phone that are only accessible to the carriers themselves, such as cryptographic signatures tied to the device’s SIM card.
The Task Force currently is working on building its Project Verify app into the software that gets pre-loaded onto mobile devices sold by the four major carriers. The basic idea is that third-party Web sites could let the app (and, by extension, the user’s mobile provider) handle the process of authenticating the user’s identity, at which point the app would interactively log the user in without the need of a username and password.
In another example, participating sites could use Project Verify to supplement or replace existing authentication processes, such as two-factor methods that currently rely on sending the user a one-time passcode via SMS/text messages, which can be intercepted by cybercrooks.
The carriers also are pitching their offering as a way for consumers to pre-populate data fields on a Web site — such as name, address, credit card number and other information typically entered when someone wants to sign up for a new user account at a Web site or make purchases online.
Johannes Jaskolski, general manager for Mobile Authentication Task Force and assistant vice president of identity security at AT&T, said the group is betting that Project Verify will be attractive to online retailers partly because it can help them capture more sign-ups and sales from users who might otherwise balk at having to manually provide lots of data via a mobile device.
“We can be a primary authenticator where, just by authenticating to our app, you can then use that service,” Jaskolski said. “That can be on your mobile, but it could also be on another device. With subscriber consent, we can populate that information and make it much more effortless to sign up for or sign into services online. In other markets, we have found this type of approach reduced [customer] fall-out rates, so it can make third-party businesses more successful in capturing that.”
Jaskolski said customers who take advantage of Project Verify will be able to choose what types of data get shared between their wireless provider and a Web site on a per-site basis, or opt to share certain data elements across the board with sites that leverage the app for authentication and e-commerce.
“Many companies already rely on the mobile device today in their customer authentication flows, but what we’re saying is there’s going to be a better way to do this in a method that is intended from the start to serve authentication use cases,” Jaskolski said. “This is what everyone has been seeking from us already in co-opting other mobile features that were simply never designed for authentication.”
‘A DISMAL TRACK RECORD’
A key question about adoption of this fledgling initiative will be how much trust consumers place with the wireless companies, which have struggled mightily over the past several years to validate that their own customers are who they say they are.
All four major mobile providers currently are struggling to protect customers against scams designed to seize control over a target’s mobile phone number. In an increasingly common scenario, attackers impersonate the customer over the phone or in mobile retail stores in a bid to get the target’s number transferred to a device they control. When successful, these attacks — known as SIM swaps and mobile number port-out scams — allow thieves to intercept one-time authentication codes sent to a customer’s mobile device via text message or automated phone-call.
Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley, said this new solution could make mobile phones and their associated numbers even more of an attractive target for cyber thieves.
Weaver said after he became a victim of a SIM swapping attack a few years back, he was blown away when he learned how simple it was for thieves to impersonate him to his mobile provider.
“SIM swapping is very much in the news now, but it’s been a big problem for at least the last half-decade,” he said. “In my case, someone went into a Verizon store, took over the account, and added themselves as an authorized user under their name — not even under my name — and told the store he needed a replacement phone because his broke. It took me three days to regain control of the account in a way that the person wasn’t able to take it back away from me.”
Weaver said Project Verify could become an extremely useful way for Web sites to onboard new users. But he said he’s skeptical of the idea that the solution would be much of an improvement for multi-factor authentication on third-party Web sites.
“The carriers have a dismal track record of authenticating the user,” he said. “If the carriers were trustworthy, I think this would be unequivocally a good idea. The problem is I don’t trust the carriers.”
It probably doesn’t help that all of the carriers participating in this effort were recently caught selling the real-time location data of their customers’ mobile devices to a host of third-party companies that utterly failed to secure online access to that sensitive data.
On May 10, The New York Times broke the news that a cell phone location tracking company called Securus Technologies had been selling or giving away location data on customers of virtually any major mobile network provider to local police forces across the United States.
A few weeks after the NYT scoop, KrebsOnSecurity broke the story that LocationSmart — a wireless data aggregator — hosted a public demo page on its Web site that would let anyone look up the real-time location data on virtually any U.S. mobile subscriber.
In response, all of the major mobile companies said they had terminated location data sharing agreements with LocationSmart and several other companies that were buying the information. The carriers each insisted that they only shared this data with customer consent, although it soon emerged that the mobile giants were instead counting on these data aggregators to obtain customer consent before sharing this location data with third parties, a sort of transitive trust relationship that appears to have been completely flawed from the get-go.
AT&T’s Jaskolski said the mobile giants are planning to use their new solution to further protect customers against SIM swaps.
“We are planning to use this as an additional preventative control,” Jaskolski said. “For example, just because you swap in a new SIM, that doesn’t mean the mobile authentication profile we’ve created is ported as well. In this case, porting your sim won’t necessarily port your mobile authentication profile.”
Jaskolski emphasized that Project Verify would not seek to centralize subscriber data into some new giant cross-carrier database.
“We’re not going to be aggregating and centralizing this subscriber data, which will remain with each carrier separately,” he said. “And this is very much a pro-competition solution, because it will be portable by design and is not designed to keep a subscriber stuck to one specific carrier. More importantly, the user will be in control of whatever gets shared with third parties.”
My take? The carriers can make whatever claims they wish about the security and trustworthiness of this new offering, but it’s difficult to gauge the sincerity and accuracy of those claims until the program is broadly available for beta testing and use — which is currently slated for sometime in 2019.
I am not likely to ever take the carriers up on this offer. In fact, I’ve been working hard of late to disconnect my digital life from these mobile providers. And I’m not about to volunteer more information than necessary beyond the bare minimum needed to have wireless service.
As with most things related to cybersecurity and identity online, much will depend on the default settings the carriers decide to stitch into their apps, and more importantly the default settings of third-party Web site apps designed to interact with Project Verify.
Jaskolski said the coalition is hoping to kick off the program next year in collaboration with some major online e-commerce platforms that have expressed interest in the initiative, although he declined to talk specifics on that front. He added that the mobile providers are currently working through exactly what those defaults might look like, but also acknowledged that some of those platforms have expressed an interest in forcing users to opt-out of sharing specific subscriber data elements.
“Users will be able to see exactly what attributes will be shared, and they can say yes or no to those,” he said. “In some cases, the [third-party site] can say here are some things I absolutely need, and here are some things we’d like to have. Those are some of the things we’re working through now.”
By David Balaban Science fiction movies often depict various situations related to cybercriminals’ activity. These can include predicaments where threat actors disrupt the transportation system of a large city or cause power outages in entire regions. In fact, this is beyond science fiction these days – impacting the power grid isn’t that difficult. The only viable way to […] This is a post from HackRead.com Read the original post: Air-conditioned apocalypse: A blackout scenario involving smart climate control devices
By Waqas Zerodium, an infosec and premium zero-day acquisition platform tweeted about the flaw in Tor browser on Monday. The infamous exploit vendor and buyer/seller of popular software vulnerabilities, Zerodium has revealed a critical flaw in Tor browser software. According to a tweet posted by Zerodium, the zero-day vulnerability is present in the NoScript browser plugin and can […] This is a post from HackRead.com Read the original post: Security firm uses Twitter to disclose critical zero-day flaw in Tor Browser
By Waqas Vulnerabilities and security flaws in vehicle security systems aren’t as surprising for us as it is that even the most renowned car manufacturers aren’t able to provide consumers with fool-proof systems. Wired reports that Tesla recently fixed a vulnerability in the security systems of its cars after a group of researchers in Belgium proved that the […] This is a post from HackRead.com Read the original post: Researchers demonstrate how to unlock Tesla wireless key fobs in 2 seconds
By Waqas ProtonMail, a Swiss-based end-to-end email encryption service, has announced the name of one of the attackers involved in the DDoS attack against the company earlier this year. Due to the attack, the email service of ProtonMail stopped responding for a minute several times despite having adequate mitigation measures in place. The identified hacker, a teenager […] This is a post from HackRead.com Read the original post: Teen arrested for DDoS attack on ProtonMail & making fake bomb threats
By Uzair Amir Schneider Electric has released a warning and advisory notice according to which the USB drives shipped with some of the company’s products may be infected with malware. “Schneider Electric is aware that USB removable media shipped with the Conext Combox and Conext Battery Monitor products may have been exposed to malware during manufacturing at a […] This is a post from HackRead.com Read the original post: Schneider Electric Shipped USB Drives Loaded with Malware
By Waqas It is no secret that the US government has always suspected and even accused North Korea was carrying out ransomware attacks using the destructive WannaCry ransomware and for hacking Sony Pictures. But it merely has remained a suspicion so far. However, now the US authorities have found solid evidence of the involvement of North Korean […] This is a post from HackRead.com Read the original post: WannaCry ransomware fame North Korean hacker tracked down by the US
By Waqas Hackers are always looking for new and profitable targets for their own malicious gains. So, it is quite natural that the world’s favorite airline is on their radar. Reportedly, British Airways has become a victim of a “worrying” and “astounding” data breach in which private and financial information of about 380,000 of the airlines’ customers has […] This is a post from HackRead.com Read the original post: British Airways hacked- Private & financial data of 380,000 customers stolen
By Waqas Tor is a browser known to keep the IP addresses of its users private and confidential due to which users can surf the web anonymously. However, according to RiskIQ’s threat researcher Yonathan Klijnsma, it is possible to identify the IP addresses of Tor users. Klijnsma states that misconfigured Dark Web servers are mainly responsible for […] This is a post from HackRead.com Read the original post: Misconfigured Tor sites using SSL certificates exposing public IP addresses
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email firstname.lastname@example.org