It turns out that stealing someone’s Google Wallet funds isn’t that much more difficult than stealing that person’s actual wallet, according to a few recently publicized exploits. I think these types of vulnerabilities threaten to kill the adoption of NFC before it is even fully born, said the Yankee Group’s Carl D. Howe. All forms of mobile payment rely on being able to trust the payment system.
Mobile shopping received a setback last week when security researchers discovered flaws in Google (Nasdaq: GOOG) Wallet that could potentially expose its PIN to enterprising hackers.
When Google introduced its wallet, it bragged that the product was protected because transaction data was stored in a secure element in Wallet-enabled phones. What researchers at a security outfit called zVelo discovered, though, was that the PIN for the wallet was stored outside the secure element, where it could be cracked with a brute force attack.
Once you have a user’s PIN, you can access anything that the Google Wallet application can do, even stuff that is stored properly in the secure element, which is where the PIN should be stored, zVelo researcher Joshua Rubin told TechNewsWorld.
Google just chose not to use the secure element for the PIN, which doesn’t make a whole lot of sense, he added.
Fortunately for owners of Android phones with Google Wallet, the zVelo attack requires a phone to be rooted, that is, modified to give its user greater access to its administrative workings.
When you root a phone, you make it less secure and allow miscreants to perform mischief on it, as zVelo was able to do, according to Google.
To date, there's no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN, Google spokesperson Nate Tyler told TechNewsWorld.
We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone, he added.
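The storage weakness described above comes down to a secret with only 10,000 possible values being kept where anyone with root access can read it. The following Python example is added here to illustrate that point; it is not zVelo's tool or Google's code. The record layout (a SHA-256 hash over a salt and the PIN) and the three-try lockout of the secure-element stand-in are assumptions for the illustration, since the article does not describe Google Wallet's actual storage format.

```python
import hashlib
import hmac
import itertools
import secrets

PIN_ALPHABET = "0123456789"


def make_pin_record(pin, salt=None):
    """Build a PIN record of the kind an app might keep in ordinary app storage.

    Assumed layout (not Google Wallet's real format): hex salt plus the hex
    SHA-256 of salt || PIN. Anyone who can read app data on a rooted phone
    gets both fields and can test guesses offline.
    """
    salt = salt if salt is not None else secrets.token_bytes(8)
    digest = hashlib.sha256(salt + pin.encode()).hexdigest()
    return {"salt": salt.hex(), "hash": digest}


def brute_force_pin(record, length=4):
    """Offline attack: hash every possible PIN until one matches the stored digest.

    A 4-digit PIN has 10,000 candidates, so this finishes in milliseconds; the
    salt stops precomputed tables but does nothing against a keyspace this small.
    """
    salt = bytes.fromhex(record["salt"])
    target = record["hash"]
    for digits in itertools.product(PIN_ALPHABET, repeat=length):
        candidate = "".join(digits)
        if hashlib.sha256(salt + candidate.encode()).hexdigest() == target:
            return candidate
    return None


class SecureElementPin:
    """Stand-in for PIN verification inside a secure element.

    The PIN never leaves the element: callers get a yes/no answer only, and a
    retry counter locks the element after MAX_ATTEMPTS wrong guesses. The
    counter value is an assumption chosen for the example.
    """

    MAX_ATTEMPTS = 3

    def __init__(self, pin):
        self._pin = pin
        self._remaining = self.MAX_ATTEMPTS

    def verify(self, candidate):
        if self._remaining == 0:
            raise PermissionError("PIN locked: retry counter exhausted")
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self._remaining = self.MAX_ATTEMPTS  # correct guess resets the counter
            return True
        self._remaining -= 1
        return False


def brute_force_secure_element(se, length=4):
    """Online attack against the secure-element model.

    Returns (pin, attempts) on success or (None, attempts) once the element
    locks; the attacker gets at most MAX_ATTEMPTS guesses at the keyspace.
    """
    attempts = 0
    for digits in itertools.product(PIN_ALPHABET, repeat=length):
        candidate = "".join(digits)
        try:
            ok = se.verify(candidate)
        except PermissionError:
            return None, attempts
        attempts += 1
        if ok:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample PIN; the salt is fixed so the run is reproducible.
    record = make_pin_record("7391", salt=bytes.fromhex("0011223344556677"))
    print("offline crack of app-storage record:", brute_force_pin(record))
    print("online attack on secure element:", brute_force_secure_element(SecureElementPin("7391")))
```

Running the block shows the contrast the zVelo researcher is making: the offline loop recovers the PIN from the readable record almost instantly, while the secure-element model stops the same attacker after three guesses. Rooting matters only because it is what lets an attacker read the record in the first place.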
No Rooting, No Problem? No Dice
That’s fine for a rooted phone, but it doesn’t address another vulnerability publicized in the wallet later in the week.
A blogger known as The Smartphone Champ explained that if a criminal clears the application settings for Google Wallet on a phone, then accesses the app, it will ask for a new password, which the thief can simply fill in.
Meanwhile, the wallet will automatically tie the prepaid credit card in the device to the wallet with the new password, which allows the bandit to shop with your phone and charge their purchases on your card.
Google doesn’t have a fix for that problem yet, Tyler noted. He recommended that anyone who loses a phone with a wallet on it should call Google support (855-492-5538) and cancel their prepaid card.
It remains to be seen how this flap will affect consumers' perceptions about the wallet in particular and mobile shopping in general.
I think these types of vulnerabilities threaten to kill the adoption of NFC [technology used in Google Wallet] before it is even fully born, Carl D. Howe, data research vice president for the Yankee Group, told TechNewsWorld.
All forms of mobile payment rely on being able to trust the payment system, he continued. If consumers lose that trust, then they just won't use mobile payments.
The root-less hack is a pernicious one, he asserted, and we perceive it as a serious threat.
I believe that Google will have to address this vulnerability or face consumers who will become more skeptical that they can trust Google, he added.
Customer Records Prime Target
Customer records were in the crosshairs of cybercriminals more than ever in 2011, according to Trustwave. The overwhelming majority of attacks (89 percent) were focused on obtaining personally identifiable information, credit card data and other customer data.
The report, based on Trustwave investigations in 2011 of more than 300 data breaches and the performance of more than 2,000 penetration tests around the world, also found that the food and beverage industry made up almost half (44 percent) of the company's probes during the period and that a third of them involved industries with franchise models.
Trustwave researchers also found that the most common password used by global businesses was Password1 because it satisfies the default Microsoft (Nasdaq: MSFT) Active Directory complexity setting.
DDoS Attacks on IPv6
The first attacks on the new Internet numbering system, IPv6, were observed in 2011, noted a report released last week by Arbor Networks. This marks a significant milestone in the arms race between attackers and defenders, the report stated, and confirms that network operators must have sufficient visibility and mitigation capabilities to protect IPv6-enabled properties.
While this is the first example of pronounced IPv6 DDoS attacks, IPv6 security incidents remain rare, it added. This is a clear indication that even as IPv6 deployments continue to grow, IPv6 is not yet economically or culturally significant enough to warrant serious attention from the Internet criminal underground.
Breach Diary
-> Feb. 6: Anonymous posts to the Internet portions of code for Symantec’s (Nasdaq: SYMC) pcAnywhere program after failing to extort US$50,000 from the company in exchange for not making the code public.
-> Feb. 8: Cyberanarchists SwaggSec breach servers of Foxconn, which assembles 40 percent of consumer electronics in the world, and posts contact details of a number of the company’s global sales managers, user names and IP addresses, as well as a list of its email users and clients’ purchases.
-> Feb. 8: A hacker who calls himself Neon Seven and claims affiliation with the ZCompany Hacking Crew posts to the Web more than 200 credit card numbers stolen from U.S. and Israeli sources in retaliation for Israel’s treatment of Palestinians.
-> Feb. 8: Website of Nigerian National Assembly breached by @OccupyAllSt and the passwords to the accounts of 19 senators posted to the Internet.
-> Feb. 9: Boston Police Department website, offline for six days after breach by Anonymous, returns to service. Attack was inspired by the department’s treatment of the Occupy Boston movement.
Security Calendar
-> Feb. 23: Eddie Lazarus Reflects on a Dramatic Tenure as FCC Chief of Staff. 10 to 11:30 a.m. at Information Technology and Innovation Foundation, Washington, D.C.