
Report: Apple wants to let you exchange money with your friends

First-party money transfer service would compete with Paypal, Google, and more.

My first (belated) payment with Apple Pay: Wow, this really does...

I would have tried Apple Pay sooner, but my bank didn't support it until recently. Now that I have it, I'm a believer.

Sorry, iPhone fans – only Fandroids get Barclays’ tap-to-withdraw

It's only a test

Barclays is trialling smartphone cash withdrawals. The UK's first contactless mobile cash service will allow the bank's customers to withdraw up to £100 in-branch, with just a tap of their Android smartphone or contactless debit card.

The technology offers an alternative to traditional cash withdrawals from specially outfitted ATM machines. The service is initially being piloted in the North before rolling out to over 180 Barclays branches in the New Year.
It will be available on more than 600 in-branch machines.

Barclays customers with an Android smartphone or contactless debit card would need to tap their phone/card against the contactless reader before entering their PIN on the machine and withdrawing their cash as normal. The Contactless Cash functionality will only be available on NFC-enabled Android devices that have downloaded the latest version of Barclays Mobile Banking.

The facility is limited to Android smartphones, with iPhone fans left out in the cold.

Apple restricts the use of iPhones' NFC chips to its own Apple Pay facility and there's no hook for third-party apps from banks or anyone else. Barclays claims Contactless Cash offers increased security because it removes the risk of magnetic card skimming and distraction fraud, since a smartphone never needs to leave a customer's hand.

In a statement, Ashok Vaswani, chief exec of Barclays UK, said: "Our customers now expect to be able to use their smartphone to make their everyday purchases. We want taking out cash to be just as easy. With Contactless Cash customers can quickly and securely take out money with just a tap of their smartphone – a first for the UK."

Cindy Proven, chief strategy and marketing officer at Thales e-Security, cautioned that the security of the system is reliant on making sure customers' smartphones are free of malware. "It's encouraging to see the payments industry continue its commitment to embracing digitalisation to improve efficiency of payments and further reduce the possibility of fraud with ATM withdrawals," Proven said. "However, with risks to mobile payments – such as malware already present on an end-user's device – it is critical that security remains front of mind when developing such innovations." ®

Kaspersky Lab Black Friday Threat Overview 2016

Introduction

The Internet has changed forever how people shop.

By 2018, around one in five of the world’s population will shop online; with ever more people doing so on a mobile device rather than a computer.
In fact, it is estimated that by the end of 2017, 60% of e-commerce will come from smartphones.

That’s millions of people enthusiastically browsing and buying while at home, at work, in restaurants, airports, and railway stations, walking down the street, standing in stores, and on holiday, often outside the protective reach of a secure, private wireless network. Regardless of the device used, every interaction and transaction will generate a cloud of data that brands will want to capture in order to deliver ever more targeted and personalized offers. Unfortunately, others are waiting to seize consumers’ information too – through insecure public Wi-Fi networks, phishing emails and infected websites, among others.

They are the cybercriminals, and they don’t have a consumer’s or even a brand’s best interests at heart. The risks facing retailers and online shoppers peak during the busiest shopping days of the year: the late November Thanksgiving weekend that runs from Black Friday through to Cyber Monday, and all through December to Christmas and the New Year. As the number and speed of transactions increase, so do the cyberthreats.
In this overview, Kaspersky Lab reveals the reality in terms of the top cyber-attacks targeting consumers and retailers during this remarkable buying period. To put this data in context, it is worth looking back over the last few years to see how the landscape has evolved, focusing in particular on Black Friday and Cyber Monday. In 2013, the concepts of Black Friday and Cyber Monday were already well established in North America and starting to gain momentum elsewhere. In the US alone, Cyber Monday saw online sales grow by 21% on 2012, raking in sales of $2.27 billion.

Black Friday achieved $1.93 billion worth of transactions, but won out on average sales value. 17% of total sales were undertaken on mobile – a 55% increase on 2012.
In the UK, online sales rose by a slightly more modest 16% in November, with over $600 million believed to have been spent online on Cyber Monday alone. This was also the year when US retailer Target discovered that the credit card details of around 40 million customers were breached between 27 November and 15 December, apparently through hacked in-store point-of-sale systems. In 2014, the year of the now infamous Sony Entertainment hack, the records set in 2013 were all broken. Thanksgiving Day 2014 in the US marked the moment when more mobile devices (52%) than computers were used (48%) for browsing online; and Black Friday online sales were up 21% compared to the same day in 2013 – with around one in three (30%) orders placed using a mobile device.

Adobe estimates overall online sales in the US of $2.4 billion on Black Friday, $1.3 billion on Thanksgiving Day and $2.7 billion on Cyber-Monday.
In the UK, online sales peaked during the week of Black Friday: sales surged by 44% compared to the previous week, and were up a staggering 135% on the same week in 2013. Mobile sales rose by 83%. And the records were all broken again in 2015. In the US, Cyber Monday 2015 was the largest online sales day ever. Online consumers spent a record $3.07 billion – and $8.03 billion across the four-day Thanksgiving weekend.
IBM analysis shows that, overall, online sales were up by a quarter (26%) on 2014, with 40% of sales now coming from mobile devices. The big consumer hacks of the season involved malware targeting point-of-sales systems in hotels, including Hyatt, Starwood and Hilton worldwide. 2016 looks set to break records all over again, and criminals will probably try even harder to take advantage of all the noise and activity to steal credentials to financial accounts or even to grab the money directly.

This overview will cover the types of cyberthreats that buyers, sellers and providers of payment systems may face over the coming weeks.
Methodology and Key Findings

The overview is based on information gathered from Kaspersky Lab malware and phishing detection systems (number of attacks or number of attacked users), and also from the analysis of events and conversations happening on the hacker underground – multiple internet forums where users allegedly involved in financial fraud operations tend to gather.

The overview covers Q4 in 2013, 2014, 2015 and partly (in some cases) 2016.

Even though, officially, the “Black Friday” sales period ends with Cyber Monday, right after the Thanksgiving holidays, just a few days later another “high” sales period begins: the so-called pre-Christmas period, which is also one of the most profitable times of the year for retailers. We count October as a high sales period as well, because so-called “Black Friday” sales campaigns often start prior to the actual sales days (Halloween sales are a good example), and – what is more important – cybercriminals tend to start preparations in advance of day X. The overview also contains a list of actions that could be implemented by regular users, business owners and owners of payment infrastructure in order to prevent fraud during the high retail season.

Key Findings:

- The share of financial phishing during the high sales season is 9 percentage points higher than during other times of the year.
- The share of phishing attacks against online shops and payment systems during the period is usually higher than phishing against banks.
- Criminals are trying to connect their malicious campaigns, such as spreading financial malware and phishing pages, to particular dates: Black Friday, Cyber Monday, and the pre- and post-Christmas days.
- Underground vendors of skimmers and dummy plastic cards are already experiencing an increase in sales.
- Kaspersky Lab researchers expect blackmailing DDoS-attacks against online retailers during the holidays.

More about these findings can be found in the overview.

Phishing

Among cybercriminals, phishing is one of the most popular ways to steal payment card details and credentials to online banking accounts.

A phishing scheme is relatively easy to set up (the fraudster doesn’t even need to know how to write malware; only basic web development and design skills are required), yet it is effective because it is mostly based on social engineering techniques.

During the holiday period, users are eager to find the best goods at the best price and they are expecting to see offers of this kind while surfing the web.

Cybercriminals know about that and try to exploit this feature as much as possible.

Share of financial phishing in overall volume of attacks

As statistics from the previous years show, financial phishing usually accounts for no less than a quarter of all phishing attacks registered in a year.

For example, in 2013, it was 31.45% of all registered phishing attacks, in 2014 – 28.74%, in 2015 – 34.33%.

The current year is not yet over, but judging by the quarterly statistics the trend is the same.

[Figure: Share of financial phishing in overall number of phishing attacks, 2013 – 2016]

And at the same time things are significantly different when it comes to what we call the holiday sales period.

As expected, the share of financial phishing at this time is noticeably higher than the typical yearly result.

[Figure: Share of financial phishing in different periods in comparison to the holiday period]

Although in 2013 the number of financial phishing attacks during the high sales period was only 0.5 percentage points higher than the total result for the same year, in 2014 and 2015 we detected a clear difference of around 9 p.p. in favour of attacks during the holidays. Of course these data are not enough to talk about a strong tendency; nevertheless, the chances are high that this year this difference will emerge again.

Types of financial phishing

At Kaspersky Lab we distinguish between three major types of financial phishing: Banking, E-payment and E-shopping.

They are all types of phishing pages that imitate the corresponding legitimate services dealing with financial transactions.

Based on what we have observed in Q4 in 2014 and 2015, during the “Holiday” period the split between different types of financial phishing is different to the result for the full year. For example, in 2013, shares of phishing attacks during the year and during the last “Holiday” quarter weren’t very different – less than 1 percentage point. However, within the financial category the differences were much more visible. That year the share of e-shop phishing in Q4 increased by more than 1 percentage point to 7.8%.

And the share of phishing against users of popular payment systems more than doubled compared to the rest of the year – 5.46% against 2.74%.

At the same time, the share of phishing against users of online banking was lower than during the year: 18.76% against 22.2%. The situation was repeated the next year, but with more visible amplitude.
Shopping phishing during the holiday season was 5.32 p.p. higher than the full year result.

And the payment systems’ phishing was 2.78 p.p. higher.

                           2013                  2014                  2015
                           Full year   Q4        Full year   Q4        Full year   Q4
Financial phishing total   31.45%      32.02%    28.73%      38.49%    34.33%      43.38%
E-shop                      6.51%       7.80%     7.32%      12.63%     9.08%      12.29%
E-banks                    22.20%      18.76%    16.27%      17.94%    17.45%      18.90%
E-payments                  2.74%       5.46%     5.14%       7.92%     7.08%      12.19%

The change in shares of different types of financial phishing in 2013-2015

These differences are accompanied by attacks against particular targets.
In 2014, Kaspersky Lab researchers conducted a small investigation into the dynamics of attacks during Black Friday and discovered that the number of attempts to load phishing pages, detected and blocked by users of Kaspersky Lab products, was actually growing. Here are the timeline graphs for several targets that are traditionally most often used by phishing scammers. The dynamics of detections of attempts to load phishing pages mentioning the American Express brand show very similar behaviour in 2014 and 2015.

[Figure: Dynamics of phishing attacks using the American Express brand in the week of Black Friday, 2014 and 2015. Example of timeline of attacks against a particular target]

And when it comes to other brands connected to online money and shopping the situation is repeated.

Though the growth of attacks in 2015 happened after Black Friday and peaked on Cyber Monday.

[Figure: Dynamics of phishing attacks using the Visa brand on Black Friday, 2014 and 2015. Example of timeline of attacks against a particular target]

Last but not least, phishing attacks that utilize online shopping brands also obviously have a connection to specific days, such as Black Friday.

[Figure: Dynamics of phishing attacks using the Wal Mart brand on Black Friday, 2014 and 2015. Example of timeline of attacks against a particular target]

Spikes in the number of detections are also typical for the Christmas and New Year period – basically they’re the second highest period in the whole quarter.

Further in this overview we will show that attack peaks are typical features not only for phishing, but for financial malware attacks as well.

Examples of “Holiday” Phishing

In most cases cybercriminals don’t bother themselves with inventing anything special. Instead they just copy pages of legitimate shops, internet banking and payment systems. As can be seen in the picture below, the phishing copies of the Amazon shop quite precisely resemble the original website.

[Figure: Example of a fake Amazon e-shop]

This is also true for sites of payment systems and banks.

Below are pictures of phishing sites imitating Visa and American Express data submission forms.

Along with some others, these two brands are traditionally among the top of those faked by phishers.

[Figure: Example of a fake Visa payment form]

[Figure: Example of a fake American Express payment form]

Sometimes criminals create whole fake web-shops simply to collect victims’ credit card data.

[Figure: Example of 100% fake internet shop]

They attract victims with extremely low prices for goods from famous brands.

And then – when the victim has chosen the item they like and proceeds to the payment page – they simply steal their financial credentials.

[Figure: Example of 100% fake internet shop, part 2, the payment page]

Another way in which criminals exploit the hot sales period is by creating allegedly legitimate websites that are selling gift cards and coupons that – if they’re real – can be monetized in legitimate internet shops. However, criminals sell phony coupons, not real ones.

The only purpose of these websites is to collect card credentials.

An example of such a website is displayed in the picture below.

[Figure: Example of a fake shop selling phony coupons]

And of course criminals exploit the brand of Black Friday itself and they start their preparations way in advance. While preparing this overview Kaspersky Lab researchers came across a number of fake websites which have the words Black Friday in the name and the content of which offers outstanding discounts on expensive goods.

[Figure: Example of a fake Black Friday themed shop]

In all, Kaspersky Lab security specialists expect that in 2016 the trends which emerged in previous years (higher than average percentage of financial phishing, topical Black Friday scams, etc.) will continue their development, as phishing remains one of the main sources of credit card data for criminals and is still one of the easiest ways to set up a fraud scheme.

Financial malware

For years, banking trojans were one of the most dangerous cyberthreats out there. Unlike usual spyware, which hunts for any type of credentials and in most cases is not very sophisticated, banking trojans are aimed specifically at users of internet banking and remote banking systems.

Criminals tend to invest a lot of resources in the development of such malware and also develop different sophisticated techniques to avoid detection by AV products and spread the malware as effectively as possible.

The most famous examples of banking malware are: ZeuS, SpyEye, Carberp, Citadel, Emotet, Lurk and others. In previous years Kaspersky Lab experts have prepared two reports covering the global financial malware landscape, in 2013 and in 2014.

And since then multiple things have changed: first of all the number of users attacked with banking malware has started to decrease. Most likely this is due to the fact that criminals have largely switched their attention from clients of banks to the banks themselves, because a sophisticated attack against a bank can bring much more profit than an attack against a regular user.

Another reason is the rise of encryption ransomware, which has proven itself a relatively effective way of getting money illegally. What hasn’t changed a lot is the attention of criminals to the high sales season.

[Figure: The change in the number of attacks and attacked users from November to December 2015]

According to Kaspersky Lab telemetry, during the holiday season of 2015, 261,000 users were attacked with banking malware. That’s significantly less than in the same period a year ago, when 307,600 users were attacked. However, 2015 showed the fairly obvious interest that criminals have in Black Friday, Cyber Monday and Christmas.
In October the number was 61,674 users, in November – 81,038, and in December – 154,324 attacked users.

A year before, in 2014, 101,300 users were hit in October, 164,000 in November and 102,900 in December. The pattern is obvious.

[Figure: The dynamics of attacks with help of financial malware from November 20 to December 3 2015 (Black Friday through Cyber Monday)]

As can be seen on the graph above, the number of attacked users started to grow from November 22nd and peaked on November 26th, the day before Black Friday 2015.

The next visible peak happened on November 30th, which was the day of Cyber Monday that year.

These two peaks were noticeably the biggest since the beginning of the period.

[Figure: The dynamics of attacks with financial malware in the Christmas period 2015]

The next big rise in the number of attacks and attacked users happened on 24th of December, right before Christmas, followed by a huge two-day spike detected on 28th and 29th, not long before New Year’s Eve. In 2014, the spikes of attacks in the holiday season weren’t that obvious, but it was still clear enough that the Black Friday period is of interest: a visible rise in attacks started on November 24th and peaked on November 27th, which was again the day before Black Friday.

After that another spike was registered on 1st December, which was the day of Cyber Monday.

[Figure: The dynamics of attacks with financial malware from November 20 to December 3 2015 (Black Friday through Cyber Monday)]

Christmas 2014 also showed a correlation between holiday dates and attacks: on 24th and on 28th of December.

[Figure: The dynamics of attacks with financial malware in the Christmas period 2014]

Almost the same spikes appear when it comes to mobile malware. Most of the detections on the graphs below were generated by a few families of malware: Faketoken, Svpeng, Marcher and Acecard.

These four are the main threats when it comes to mobile banking on Android, and the criminals behind them obviously used the holidays to actively propagate these malicious programs.
It was especially visible in 2014:

[Figure: The dynamics of attacks with mobile financial malware in the Black Friday through Cyber Monday 2014 period]

2015 was significantly calmer in terms of the number of detections, but certain spikes were still in place.

[Figure: The dynamics of attacks with mobile financial malware on Black Friday through Cyber Monday in 2015]

POS malware

Another dangerous type of malware which we have already seen and are expecting to see during this season is POS malware – the type of financial malware which infects the OS of point-of-sale terminals and then steals the credentials of the credit cards processed by these devices.
So far, due to the specific nature of the devices that this type of malware tends to attack, we don’t yet have relevant statistics on the number of detections during the holiday period. However we can estimate the threat by counting the number of families which our experts added in recent years.
In 2013 only 4 families were added to our collection, but the 2013 Target breach inspired many criminals to attempt to reproduce the “success” of those who hacked the famous retailer, and the next year 12 more families of POS-malware were added. 2015 was the hottest year in terms of POS malware with 14 new families. 2016 is fairly calm so far: 6 new families were added to our collection since the beginning of the year.
In total there are at least 36 families of malware capable of stealing data from POS terminals out there in the wild.

The number is even bigger than the number of banking malware families, 30 of which are now in the Kaspersky Lab collection.

Expect new attacks

The motivation behind attacks that are tied to concrete dates is clear: cybercriminals assume that users are more likely to be working with their financial accounts online on these days than on any other day.

Therefore they tend to increase their hacking efforts to raise their own chances of stealing money. Judging by the dynamics of attacks on “holiday” dates in 2014 and 2015, Kaspersky Lab expects that in 2016 the situation may be repeated.

News from the Underground

While online shoppers are drawing up their wish-lists for the upcoming sales, retailers are preparing their stores for a massive rise in visitors, and financial infrastructure owners – banks and payment systems – are getting ready for a huge increase in the number and value of transactions, criminals are also preparing for the season.

For this report Kaspersky Lab experts have conducted some research into events and discussions taking place on several secret, invitation-only underground forums, where users allegedly involved in different types of financial fraud tend to gather and discuss things.

More about Cyber Monday

Based on the results of the research, we can say that underground cybercriminals, at least on East European fora, are more excited about Cyber Monday than about Black Friday.

This may be because Cyber Monday is more about online sales.

There will be a lot of online advertising of special deals and it will be easier for them to hide phishing scams inside the stream of legitimate offers. Also, from a logistics perspective, Cyber Monday is more convenient than Black Friday, which is more about offline sales.

Criminals don’t have to deal with physical access to ATMs in order to set up, and later collect a skimmer.
Instead they could use a phishing or malware attack in order to collect credentials and then monetize them in a number of ways. That said, ATM skimming attacks will happen during Black Friday and will continue through other holidays: Christmas and New Year.

[Figure: Example of an online advertisement for skimmers on one of the hacker forums]

Based on information from last year, during December 2015 more than 500 skimmers were sold on an East European black market, while the “usual” sale rate is 25 – 30 devices per month.

These devices come packed with everything necessary for successful data-stealing, like fake PIN-pads, hidden cameras etc.

The vast majority (around 96.5%) of skimmers mimic the products of four popular vendors, and the rest 3.5% are skimmers that replicate custom models. As a result of the 2015 holiday fraud campaign, criminals experienced certain problems with the cashing out of compromised cards.

Based on conversations on the corresponding web resources, the cash-out projects (groups that undertake the cash-out for other criminals) were heavily overloaded so the cash-out orders took three months to complete.

This was due to a large number of stolen credentials waiting to be cashed-out.

According to Kaspersky Lab data, during December 2015 criminals were able to collect approximately 10 times as many credentials as during a non-holiday period.

Basically this equates to the total number of card details they are usually able to steal during the rest of the year.

[Figure: Example of an advertisement by an online shop selling stolen credit card credentials]

Information on several forums suggests that, in 2016, a month prior to the start of Black Friday, vendors of skimmers were already experiencing an increase in sales, alongside vendors of blank cards that will later be used to clone stolen cards.

Also, some vendors are offering new generations of POS skimmers which are attached to legitimate POS’s. Unlike earlier skimmers, the new generation is placed inside the card reader, which makes them much harder to spot with the naked eye. Another interesting trend is that many criminals are avoiding starting their campaigns with malware, choosing instead phishing attacks because they consider them to be more efficient and safe.

Besides that they are actively utilizing schemes that involve direct contact with the victim.
In these attacks the fraudsters will call the victim, seemingly on behalf of a bank, and try to find out their credit card credentials with help of psychological tricks. Kaspersky Lab experts also expect that more cases of cash-out through Apple Pay and Samsung Pay payment systems will happen during this holiday season.

The recent increase in the list of countries where the systems are supported has brought a certain inspiration to criminal community.

The ability to attach a card to an Apple ID and then use it to pay for real goods creates a relatively convenient way to cash out for so-called “stuffers” – criminals who specialize in cashing out through buying goods from internet and physical shops – as well as for virtual carders – criminals who monetize stolen credentials through virtual goods.

Another rather interesting conclusion made by Kaspersky Lab researchers during their research of the cybercriminal underground is that fraudsters expect a lot of profit from attacks during the holiday period, especially the pre- and post-Christmas to New Year period, not only due to the high number of buyers seeking to spend money, but also because (based on their experience, which they share on forums) in this period the anti-fraud departments of banks are weakened.

Due to many employees going on vacation around these dates, banks suffer from a lack of personnel, and it is theoretically easier for criminals to hide fraudulent operations in the stream of legitimate ones.

[Figure: Example of a fraudster’s website selling a DDoS-attack service]

Other types of criminal groups – such as those specializing in DDoS attacks – will most likely try to attack online shops for the purpose of blackmail.

That is a well-known tactic which they use against small and medium retail organizations.

By setting up a DDoS attack they would block access to the attacked store and, until the owner pays a ransom, they would keep it blocked. Not wanting to lose money because of the unavailability of the store the owners will often pay the criminals.

This is likely to happen in the coming holiday season.

Conclusion and advice

The main purpose of this paper is to raise awareness of the threats that may ruin the upcoming holiday season for regular users and shoppers, owners of online stores and owners of financial infrastructure.

Both Kaspersky Lab telemetry and the analysis of conversations happening on the underground suggest that cybercriminals will pay special attention to the upcoming high sales season.

But this doesn’t mean that the holidays are already doomed. If prepared, each legitimate party in this process – buyers, sellers and financial services providers – will end up in profit.

All they have to do is to follow some simple advice.

For regular users

- Do not click on any links received from unknown people or on suspicious links sent by your friends on social networking sites or via e-mail. They can be malicious: created to download malware to your device or to lead to phishing webpages aimed at harvesting user credentials.
- Do not download, open or store unfamiliar files on your device; they can be malicious.
- Do not use unreliable (public) Wi-Fi networks to make online payments, as hotspots can be easily hacked in order to listen to user traffic and to steal confidential information.
- Do not enter your credit card details on unfamiliar or suspicious sites, to avoid passing them into cybercriminals’ hands.
- Always double-check the webpage is genuine before entering any of your credentials or confidential information (at least take a look at the URL). Fake websites may look just like the real ones.
- Only use sites which run with a secure connection (the address of the site should begin with HTTPS:// rather than HTTP://) to hinder theft of information transmitted.
- Don’t tell anybody your one-time password or PIN code, not even a bank representative. Cybercriminals can use this data to steal your money.
- Install a security solution on your device with built-in technologies designed to prevent financial fraud. For example, Safe Money technology in Kaspersky Lab’s solutions creates a secure environment for financial transactions on all levels.
- And don’t forget about the same rules when using your mobile device for financial transactions, because cybercriminals and fraudsters target them too.

For retailers

- Keep your e-commerce platform up-to-date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals.
- Pay attention to the personal information used for registration. Fraudsters tend to hide their identities, but lack of creativity can serve as an indication of fraud. A John Smith whose email address reads as 21192fjdj@xmail.com is likely to be a criminal. Check again and request more details from customers if needed. Adding a captcha might be an effective measure against this.
- Restrict the number of attempted transactions. Criminals usually make multiple attempts to enter correct card numbers for one purchase. Use captcha and increased time intervals for attempts to re-enter card numbers.
- Use two-factor authentication (Verified by Visa, MasterCard SecureCode, etc.). It will dramatically drop the number of cases of illegal card usage.
- Be careful with suspicious orders. Several unrelated high-value items for more than $500 and extra payment for fast shipping to another country can be a sign of a criminal hurrying to resell as soon as possible. In such cases it is recommended to contact the customer on the phone and confirm the order.
- Use a tailored security solution to protect your point-of-sale terminals from malware attacks and make sure your POS terminals run the latest version of software.
- Criminals may attempt to DDoS the website of your shop for blackmail purposes. Make sure that your IT security team is prepared for such attacks or, if you don’t have one, ask your hosting provider if it is possible to purchase a DDoS-protection service from them.
- Educate your clients on possible cyberthreats they may encounter while shopping online and offline.

For financial organizations

- Introduce an enterprise-wide fraud prevention strategy with special sections on ATM and internet banking security. Logical security, physical security of ATMs and fraud prevention measures should be addressed together, as attacks are becoming more complex.
- Conduct annual security audits and penetration tests. It is better to let professionals find vulnerabilities than wait until they are found by cybercriminals.
- Choose a multi-layered approach and techniques against fraud. Training employees to spot suspicious transactions should be combined with the implementation of dedicated fraud prevention solutions. Financial security software based on innovative technologies helps to detect and fight fraudulent activity beyond human control.
- Do not leave self-protection to customers. It is hardly possible to educate all customers – and it is always better to create a multi-layer security architecture that will provide all the services with the necessary level of security.
- Remember that insiders are usually involved in half or more of cybersecurity incidents. Use security approaches that allow for the detection of suspicious and potentially dangerous activity inside your infrastructure.
- Make sure that your anti-fraud department is fully staffed during the holiday period.

Loop of Confidence

With the arrival of Apple Pay and Samsung Pay in Russia, many are wondering just how secure these payment systems are, and how popular they are likely to become.

A number of experts have commented on this, basing their opinions on the common stereotype that Android is insecure and on the attacks currently seen against wireless payments. In our opinion, however, these technologies deserve a more detailed examination and a separate evaluation of the threats they face.

The conventional approach

The traditional threats associated with using bank cards in ATMs and physical stores have already been studied and described in sufficient detail:

the magnetic stripe can be read using skimmers, and modern skimmers are advanced and very inconspicuous;

to read EMV chips, dedicated skimmers have been designed that are planted inside payment terminals;

wireless payment systems (PayPass, payWave) are potentially vulnerable to contactless, remote card-reading attacks.

However, the growth in popularity of mobile devices has given rise to a new type of wireless mobile payment: a regular card payment can now be emulated using the smartphone's built-in NFC antenna.

The functionality is turned on at the request of the user, meaning there’s less risk than carrying around a card that’s constantly ready to make a payment.

Bank clients, in turn, don't have to take out their wallets when making a payment, and don't even have to carry their bank cards with them. The technology for emulating cards on mobile devices (Host Card Emulation, HCE) has been inexpensive and available to a broad range of users since Android 4.4, but it has several drawbacks:

the payment terminal has to support wireless payments;

an embedded Secure Element (eSE) chip makes the device more expensive, so initially it was only built into a few top-of-the-range devices from major manufacturers;

where the manufacturer cut costs on secure storage, the card credentials ended up being held by the operating system, which can be attacked by malware with root privileges on the device (this never went beyond a few proof-of-concept attacks, because there are plenty of easier ways to attack mobile banking systems);

the developers tried to mitigate the risks of storing payment credentials on the device, for example by keeping the secure element in the cloud, which made smartphone payments unavailable wherever mobile coverage is unstable;

the risks of software-based HCE storage made it highly advisable to build extra security measures into banking applications, complicating their development.

As a result, for many large banks, as well as for users, paying by card emulation on a smartphone remained little more than a quirky feature used for promotions or simply to show off in public.

New technologies

The problems described above gave rise to a number of studies, including some by large international companies, in search of more advanced technologies.

The next step in the evolution of mobile payments was the tokenized payment systems proposed by the major market players: Apple, Samsung and Google. Unlike card emulation on the device, these systems never present the real card number to the merchant.

The card is enrolled with a token service provider, which issues the device a token (a surrogate card number bound to that device) and a key. Each payment carries the token together with a one-time cryptogram computed on the device for that transaction, so the real card details are never sent to the payment terminal, and a captured token and cryptogram cannot simply be replayed.
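A simplified model of the token exchange, as an added example that is not code from the original article or from Apple, Samsung or Google: the token service provider enrolls a card and hands the device a surrogate token and a key; each payment carries the token, the amount, a counter and an HMAC-SHA256 cryptogram over them; the terminal and acquirer only ever see the token. The vault, the HMAC construction, the 8-byte cryptogram, the 16-digit token format and the strictly increasing counter are assumptions chosen for illustration; real EMV payment tokenization uses scheme-specific cryptogram algorithms and an application transaction counter inside the secure element.

```python
"""Simplified model of tokenized payments (added example, not from the article).

Assumptions, chosen for illustration: tokens are 16-digit surrogates
beginning with 99; the cryptogram is the first 8 bytes of HMAC-SHA256
over token|amount|counter; the counter must strictly increase. Real EMV
tokenization uses scheme-specific cryptogram algorithms and an ATC.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def compute_cryptogram(key: bytes, token: str, amount: int, counter: int) -> bytes:
    """One-time cryptogram binding this token to this amount and counter."""
    message = f"{token}|{amount}|{counter}".encode()
    return hmac.new(key, message, hashlib.sha256).digest()[:8]


@dataclass
class TokenRecord:
    pan: str            # the real card number, held only by the TSP
    device_key: bytes   # shared with exactly one device
    last_counter: int = 0


class TokenServiceProvider:
    """Maps tokens back to PANs and verifies cryptograms (the 'vault')."""

    def __init__(self):
        self._vault = {}

    def enroll(self, pan: str):
        """Issue a device-specific token and key for a card."""
        token = "99" + "".join(secrets.choice("0123456789") for _ in range(14))
        key = secrets.token_bytes(32)
        self._vault[token] = TokenRecord(pan=pan, device_key=key)
        return token, key

    def verify(self, token, amount, counter, cryptogram):
        """Return (accepted, detail) for a transaction presented by the acquirer."""
        record = self._vault.get(token)
        if record is None:
            return False, "unknown token"
        if counter <= record.last_counter:
            return False, "replayed or stale counter"
        expected = compute_cryptogram(record.device_key, token, amount, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        record.last_counter = counter
        # Only here is the real PAN used, for issuer authorization.
        return True, "authorized on card ending " + record.pan[-4:]


class DeviceWallet:
    """What the phone stores: the token and key, never the real PAN."""

    def __init__(self, token, key):
        self.token = token
        self._key = key
        self._counter = 0

    def pay(self, amount):
        """Build the data the NFC terminal receives for one payment."""
        self._counter += 1
        return {
            "token": self.token,
            "amount": amount,
            "counter": self._counter,
            "cryptogram": compute_cryptogram(self._key, self.token, amount, self._counter),
        }


def run_scenario(pan="4111111111111111"):
    """Enroll a constructed test-range card and exercise the checks."""
    tsp = TokenServiceProvider()
    token, key = tsp.enroll(pan)
    wallet = DeviceWallet(token, key)

    first = wallet.pay(1999)                       # legitimate 19.99 payment
    # A skimmer or malware on the terminal captures `first` and replays it...
    replay = dict(first)
    # ...or edits the amount and bumps the counter; without the key the
    # cryptogram no longer matches.
    tampered = dict(first, amount=99999, counter=first["counter"] + 1)
    second = wallet.pay(500)                       # next real payment

    return {
        "pan_leaves_device": pan in first.values(),
        "first": tsp.verify(**first)[0],
        "replay": tsp.verify(**replay)[1],
        "tampered": tsp.verify(**tampered)[1],
        "second": tsp.verify(**second)[0],
    }
```

`run_scenario()` shows the property the text relies on: everything a compromised terminal can capture is a token and a cryptogram, and neither replaying that capture nor altering the amount gets past the token service provider, while the next genuine payment from the device still goes through.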

Tokenization thus limits the damage when a payment terminal is compromised by malware or a skimmer. Unfortunately, the approach has the same limitation as card emulation: the terminal has to support the technology, so it has to be adopted and maintained by the payment terminal manufacturer. Several years ago, a startup called LoopPay set out to address this problem.

The developers proposed a kit consisting of a regular card reader that plugs into the 3.5 mm (1/8 in) audio jack and a phone case.

Their know-how was a patented technique for emulating a bank card's magnetic stripe using a signal generated by their dedicated device. It has to be said that the creators took an early interest in secure data storage (on the dedicated device rather than on the phone) and in preventing the use of other people's card details: the user's personal data was checked against the cardholder information in the card's Track 1 data. Later on, Samsung became interested in LoopPay and acquired the startup.
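The Track 1 ownership check described above, as an added example that is not LoopPay's or Samsung's code: the stripe's Track 1 record is parsed into PAN, cardholder name and expiry, the PAN is validated with the Luhn check digit, and the surname and first name on the card are compared with the registered account holder, so a card that belongs to someone else is refused at enrollment. The record layout is the standard format-B Track 1 layout; the assumption that the reader has already stripped the trailing LRC, the name normalization and the sample records (test-range PANs, constructed names) are choices made for this illustration.

```python
"""Check that a magnetic-stripe card belongs to the registered user.

Added example; not LoopPay's or Samsung's code. Track 1 (format B) is
parsed as %B<PAN>^<SURNAME/FIRST NAMES.TITLE>^<YYMM><service code>
<discretionary data>?; the LRC that follows the end sentinel on the
stripe is assumed to have been stripped by the reader. Sample records
below are constructed with test-range PANs and are not real cards.
"""
import re
from dataclasses import dataclass

TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<service>\d{3})(?P<disc>[^?]*)\?$"
)


@dataclass
class Track1:
    pan: str
    surname: str
    first_names: str
    exp_year: int
    exp_month: int
    service_code: str


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; rejects mistyped or random PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def parse_track1(data: str) -> Track1:
    """Split a format-B Track 1 record into its fields."""
    m = TRACK1_RE.match(data)
    if not m:
        raise ValueError("not a format-B Track 1 record")
    surname, _, rest = m.group("name").partition("/")
    first_names = rest.split(".")[0]          # drop a title such as ".MR"
    exp = m.group("exp")
    return Track1(
        pan=m.group("pan"),
        surname=surname.strip(),
        first_names=first_names.strip(),
        exp_year=2000 + int(exp[:2]),
        exp_month=int(exp[2:]),
        service_code=m.group("service"),
    )


def _name_tokens(name: str) -> set:
    """Upper-cased name parts, split on spaces, hyphens and apostrophes."""
    return {t for t in re.split(r"[\s\-']+", name.upper()) if t}


def verify_ownership(track1_data: str, account_holder: str, today: tuple):
    """Return (accepted, reason) for a stripe read against the account holder.

    `today` is (year, month) so the expiry check is deterministic."""
    try:
        card = parse_track1(track1_data)
    except ValueError as exc:
        return False, str(exc)
    if not luhn_ok(card.pan):
        return False, "PAN fails Luhn check"
    if (card.exp_year, card.exp_month) < today:
        return False, "card expired"
    holder = _name_tokens(account_holder)
    if not _name_tokens(card.surname) <= holder:
        return False, "surname does not match account holder"
    if not (_name_tokens(card.first_names) & holder):
        return False, "first name does not match account holder"
    return True, "ok"


# Constructed sample reads using test-range PANs; not real cards.
OWN_CARD = "%B4111111111111111^DOE/JOHN A.MR^25121011234500000000?"
COLLEAGUE_CARD = "%B5555555555554444^SMITH/JANE^24011010000000000000?"
```

With an account registered to "John A. Doe", `verify_ownership(OWN_CARD, ...)` is accepted while `COLLEAGUE_CARD` is refused on the surname, which is exactly the binding the text says LoopPay enforced and Samsung Pay later relaxed. The name comparison is deliberately loose (token overlap rather than exact match) because stripe names are truncated and title-suffixed; a stricter policy would also compare the issuer BIN against the bank the user registered with.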

After some time, Magnetic Secure Transmission (MST) became available, complementing Samsung Pay's tokenized payments.

As a result, regular users can pay with their smartphones at terminals that support the new wireless payment technologies, and use MST at any other terminal simply by holding the device next to the magnetic stripe reader. We have been monitoring this project closely, and can now safely say that the technology is, on the whole, a big step forward in both convenience and security, because its developers have addressed many relevant risks:

a secure element is used to store the payment data reliably;

activating payment mode on the phone requires the user to enter a PIN code or use a fingerprint;

Samsung devices ship with the KNOX security solution and a basic antivirus pre-installed, and these block the payment features when malware lands on the device;

the KNOX Tamper Switch, an object of hate among forum-based "experts", protects against more serious rootkit malware: it is a software and hardware mechanism that irreversibly disables the device's business and payment features during any privilege escalation attack;

payment functionality is only available on new devices for which security updates are available and on which vulnerabilities are quickly patched;

on some of the Samsung smartphones sold in Russia, Kaspersky Internet Security for Android is pre-installed, providing extended protection from viruses and other mobile threats.

It should be noted that when making payments, Samsung Pay uses a virtual card number that is not available to the user, rather than the actual number of the card tied to the user's account. This method of payment works just fine when there is no Internet connection.

New old threats

There's no doubt that the new technology has become an object of interest for security researchers. Potential attacks against it do exist and were presented at the latest Black Hat USA conference.

These attacks may still only be potential threats, but we should still stay alert.

Banks are just planning to introduce biometric authentication on ATMs in 2017, but cybercriminals are already collecting intelligence on which hardware manufacturers are involved, what sort of vulnerabilities exist in the hardware, etc.
In other words, the technology is not even available to the wider public yet, but cybercriminals are already searching for weaknesses. Cybercriminals are also studying Apple and Samsung’s technologies.

To make things worse for Russian users, these technologies only reach the Russian market about a year after they launch in Western countries.

[Screenshot: cybercriminals discussing the prospects of exploiting Apple Pay in Russia]

At the same time, security researchers tend to forget about conventional fraud, for which mobile vendors are completely unprepared as they enter a new line of business. Wireless payments have made card fraudsters' lives much easier, both in online trade and in regular stores.

They no longer have to use a counterfeit card with stolen card data written onto it, and thus run the risk of getting caught at the checkout; now they can play it much safer by paying for merchandise with a stolen card enrolled in a top-of-the-range phone. Alternatively, a fraudster can simply buy merchandise and gift cards in an Apple Store.
In spite of all the security measures taken by Apple, the Apple Pay fraud rate in the US was 6% in 2015, or 60 times the 0.1% rate for conventional bank card fraud. Samsung Pay also sacrificed some of LoopPay's useful anti-fraud features for usability after the acquisition, one being the strict binding of an account to the cardholder's name.

For instance, I added my own bank card to my smartphone, and then added my colleague's as well; in the original LoopPay solution, this was impossible.

To conclude, it's now safe to say that the new tokenized solutions are indeed more secure and convenient than their predecessors. However, there is still plenty of room for improvement when it comes to security, and that matters a great deal for the technology's future prospects.

After all, no one likes to lose money, be it banks or their clients.

Europe loves to pay by bonk* – survey

Mobile payments going gangbusters, beams Visa

Consumers' use of a mobile device, whether a smartphone, tablet or wearable, to make payments has tripled over the past year, according to a Visa-backed survey. The number of Europeans regularly using a mobile device for payments has tripled from 18 per cent to 54 per cent since 2015, according to the results of an online poll of 36,000 consumers in 19 European countries. Uptake is strong both in developing markets such as Turkey, where mobile has leapfrogged traditional payment methods, and in tech-savvy markets such as the Nordics.

In the UK, over two-fifths (43 per cent) purchase high-value items such as holidays and electronics on a mobile device, as well as using their mobiles for regular transactions such as paying household bills (42 per cent) and buying bus or train tickets (41 per cent). More than half the Brits surveyed (58 per cent) used contactless cards this year, up from 20 per cent in 2015. Meanwhile mobile banking activity is increasing across all age groups, according to Visa.

The launch of Apple Pay and Android Pay in Europe is helping to push the pay-by-mobile trend, which Kevin Jenkins, UK & Ireland managing director at Visa, described as the "future of digital payments". Infosec experts struck a much more cautious note.

Mark James, security specialist at ESET, commented: "It's no surprise that mobile payments are now becoming more widely used and now we have integrated biometric authentication into our phones it definitely makes it a lot safer for the end user to utilise that technology to their advantage."

"Using a mobile device is so easy, from getting the payment card on to the phone through to actually making the payment and much like credit cards, often too easy," James added. "Phone manufacturers want your device to be the very centre of your digital life; it interacts with us throughout the day and often is used to wake us first thing in the morning. It makes sense that our finances will also be controlled and managed from these devices and we will definitely see more and more companies making it easy for us to pay on mobile devices. But let's not forget security; it is very important to understand the risks of using your phone for payments, boarding passes and everything else we do." ®

* Tap (mobile phone) to pay. The phrase "pay by bonk" was coined by former Reg mobile supremo Bill Ray back in 2012...

Download watchOS 3.0 - 3.1.3 Information

watchOS 3.1.3
This update includes improvements and bug fixes.
For information on the security content of Apple software updates, please visit this website: https://support.apple.com/kb/HT201222

watchOS 3.1.1
This update includes improvements and bug fixes.
Fixes an issue that could prevent contact names from appearing in the Messages app and notifications
Fixes an issue that could impact ability to respond to notifications
Resolves an issue where the Stocks complication may not update on the watch face
Fixes an issue that may prevent the Activity rings from displaying on the Activity watch faces
Fixes an issue that prevented the dials on an analog watch face from appearing after changing the temperature unit in the Weather app
Resolves an issue that could cause the Maps app to stay launched after navigation has ended
Resolves an issue where the incorrect date could be displayed in the Calendar app month view
For information on the security content of Apple software updates, please visit this website: https://support.apple.com/kb/HT201222

watchOS 3.1
This update includes improvements and bug fixes.
New option to replay bubble and full screen effects in Messages
Messages effects can play with Reduce Motion enabled
Fixes an issue that could cause the notification for Timer complete to be delivered twice
Resolves an issue that could prevent Apple Watch Series 2 from fully charging
Resolves an issue where Activity rings may disappear from the watch face
Fixes an issue that prevented Force Touch options from appearing in some third-party apps
For information on the security content of Apple software updates, please visit this website: https://support.apple.com/kb/HT201222

watchOS 3.0
This update includes support for pairing multiple watches to one iPhone, Maps improvements and new language support. This release also includes additional improvements and bug fixes.

Performance and Navigation
Press the side button to access your favorite apps in the Dock
Apps in the Dock launch instantly with already updated information
Add up to 10 apps in the Dock, control music from Now Playing or launch your most recently used app
Swipe edge-to-edge to quickly switch your watch face
Swipe up from the bottom of your watch face to access important settings in Control Center

Watch faces
New Minnie Mouse, Activity, and Numerals watch faces
Complications now available on Photo, Photo Album, Timelapse, and Motion
New complications including Workout, Music, and Messages
New Face Gallery in the Apple Watch app on iPhone to add and customize watch faces
Discover and add third party complications in the Face Gallery

Activity
Ability to share and compare your Activity rings
Rank alphabetically, or by progress towards Move goal, Exercise goal, steps or today's workouts
Automatic notifications when a friend completes their rings, finishes a workout, or earns an achievement
Customized smart replies for encouragement or smack talk
New Sharing tab in the Activity app on iPhone to view history

Workout
Quick Start for most commonly used workouts
Multiple metric view, customizable for each workout type
New gestures for pause, resume, and marking segments
Labels for "Other" workouts to keep track of Yoga, Pilates, Cross Training, and more
Auto-pause for running workouts
Siri support for pause, resume, and end workouts
Route maps with speed indicators for outdoor workouts

Wheelchair use
Activity rings optimized for wheelchair users
Accounts for varying speeds, terrains, and pushing techniques
Pushes contribute to all-day calorie goals
Time to roll notification and roll ring
New Outdoor Run Pace and Outdoor Walk Pace workouts

Breathe
New Breathe app to take a moment in your day for short deep breathing sessions
Calming visualization and haptic cues guide you while you inhale and exhale
Adjust session length and breaths per minute
Summary upon completion including heart rate
Time to breathe reminders
Weekly summary

Communication
Expressive Messaging
Full-screen effects to celebrate special moments
Tapback for quick replies to messages, links, and photos
Handwritten messages animate like ink on paper
Send recent built-in or third-party stickers
View secret messages with invisible ink
Scribble
Write words on the display and Apple Watch will convert the handwriting to text
Use the Digital Crown to scroll through predicted options
Available in English (US), Traditional Chinese, and Simplified Chinese
Reply options available in the Messages and Mail notification, including Digital Touch, emoji, and smart replies
New emoji, including gender diverse options to existing characters, single parent family variations, rainbow flag, and redesigns of popular emoji

Emergency SOS
Press and continue to hold the side button to call emergency services
Automatically notify SOS contacts and share your location
Display your Medical ID with information about medications, allergies, and medical conditions
Adjusts the emergency number to your current location

Home
New Home app to control HomeKit enabled accessories
Enable scenes created on your iPhone to control groups of accessories with just a tap
Control favorite accessories from your wrist, even remotely with Apple TV or iPad
Support for IP cameras to see live video in rich notifications and accessory controls

Other improvements
New Reminders app for managing scheduled reminders, grocery lists, and more
New Find My Friends app for viewing location of friends and family
Pay with Apple Pay within third party apps
Delete events and switch calendars in Calendar app
Support for FaceTime Audio calls directly from Apple Watch
Search for Settings in Apple Watch app on iPhone
Camera app controls for Flash, Live Photos, HDR, Zoom, Burst, and Front or Rear facing
Siri support for Spanish (Chile), Chinese (Cantonese - China), English (Ireland), English (South Africa)

Some features may not be available for all countries or all areas. For information on the security content of this update, please visit this website: http://support.apple.com/kb/HT1222

Download iOS 10.0 - iOS 10.2.1 Information

iOS 10.2
iOS 10.2 introduces new features including the TV app (US Only), a new and unified experience for accessing your TV shows and movies across multiple video apps. Emoji have been beautifully redesigned to reveal even more detail and over 100 new emoji have been added including new faces, food, animals, sports, and professions. This update also includes stability improvements and bug fixes.

TV
Use Up Next to see the movies and shows you're currently watching and pick up where you left off
Get recommendations for new movies and TV shows in Watch Now
Discover new apps and the latest iTunes releases in the Store
Access the Library for your iTunes purchases and rentals

Emoji
Beautifully redesigned emoji that reveal even more detail
Over 100 new emoji including new faces, food, animals, sports, and professions

Photos
Improves stabilization and delivers faster frame rate for Live Photos
Improves accuracy of groupings of similar photos of the same person in the People album
Fixes an issue where Memories might generate a memory from photos of screenshots, whiteboards or receipts
Fixes an issue where the camera would stay zoomed in after switching back from the Camera Roll on iPhone 7 Plus
Additional support for RAW digital cameras

Messages
Adds new love and celebration full screen effects in Messages
Fixes an issue that sometimes prevented the keyboard from displaying in Messages

Music
Swipe up the Now Playing screen to more easily access Shuffle, Repeat and Up Next
Choose how to sort Playlists, Albums, and Songs in Library

News
Stories you've saved for later now appear in the new Saved section
The best paid stories from channels you subscribe to will now appear in a dedicated section in For You
It's now easier than ever to get to the next story, just swipe left or tap Next Story while reading

Mail
Fixes an issue that caused the Move sheet to persist after filing a Mail message
Addresses an issue with long press activating copy and paste in Mail
Fixes an issue in which the wrong message would be selected after deleting a Mail conversation

Accessibility
Adds BraillePen14 support to VoiceOver
Fixes an issue where the braille table could switch unexpectedly with VoiceOver
Fixes an issue where sometimes Siri enhanced voices were unavailable to VoiceOver
Fixes an issue where VoiceOver users could not re-order items in lists
Fixes an issue where Switch Control was sometimes unable to delete Voicemails

Other improvements and fixes
Adds notification support for HomeKit accessories including window coverings, occupancy, motion, door/window, smoke, carbon monoxide, and water leak sensors
Adds notification support for HomeKit accessories when software updates are available to HomeKit accessories
Improves Bluetooth performance and connectivity with 3rd party accessories
Fixes an issue that could cause FaceTime participants to appear out of focus
Fixes an issue that could cause FaceTime calls to appear with incorrect aspect ratio and orientation
Fixes an issue that prevented some Visual Voicemail from completing playback
Fixes a Safari Reader issue that could cause articles to open as empty pages
Fixes an issue that could cause Safari to quit unexpectedly after marking an item as read in Reading List

For information on the security content of Apple software updates, please visit this website: https://support.apple.com/HT201222

iOS 10.1.1
This update fixes bugs including an issue where Health data could not be viewed for some users.
For information on the security content of Apple software updates, please visit this website: https://support.apple.com/kb/HT201222

iOS 10.1
This update includes Portrait Camera for iPhone 7 Plus (beta), transit directions for Japan, stability improvements and bug fixes.

Camera and Photos
Introduces Portrait Camera for iPhone 7 Plus that creates a depth effect that keeps your subject sharp while creating a beautifully blurred background (beta)
People names in the Photos app are saved in iCloud backups
Improved the display of wide color gamut photos in the grid views of the Photos app
Fixes an issue where opening the Camera app would show a blurred or flashing screen for some users
Fixes an issue that caused Photos to quit for some users when turning on iCloud Photo Library

Maps
Transit support for every major train, subway, ferry, and national bus line, as well as local bus systems for Tokyo, Osaka, and Nagoya
Sign-based transit navigation including layouts of all underground structures and walkways that connect large transit stations
Transit fare comparison when viewing alternative transit routes

Messages
New option to replay bubble and full screen effects
Messages effects can play with Reduce Motion enabled
Fixes an issue that could lead to contact names appearing incorrectly in Messages
Addresses an issue where Messages could open to a white screen
Addresses an issue that could prevent the report junk option from displaying with unknown senders
Fixes an issue where videos captured and sent in the Messages app could be missing audio

Apple Watch
Adds distance and average pace to workout summaries in the Activity app for outdoor wheelchair run pace and outdoor wheelchair walk pace
Fixes issues that may have prevented Music playlists from syncing to Apple Watch
Addresses an issue that was preventing invitations and data to appear in Activity Sharing
Fixes an issue that was allowing Activity Sharing to update over cellular when manually disabled
Resolves an issue that was causing some third-party apps to crash when inputting text

Other improvements and fixes
Improves Bluetooth connectivity with 3rd party accessories
Improves AirPlay Mirroring performance when waking a device from sleep
Fixes an issue where playback would not work for iTunes purchased content when the "Show iTunes Purchases" setting is turned off
Fixes an issue where certain selfie apps and face filters used with the FaceTime HD Camera on iPhone 7 and iPhone 7 Plus did not display a live preview
Fixes an issue in Health where individual strokes are converted to separate characters when using the Chinese handwriting keyboard
Improves performance of sharing websites from Safari to Messages
Fixes an issue in Safari that caused web previews in tab view to not display correctly
Fixes an issue that caused certain Mail messages to be reformatted with very small text
Fixes an issue that caused some HTML email to be formatted incorrectly
Fixes an issue that in some cases caused the search field to disappear in Mail
Fixes an issue that could prevent Today View Widgets from updating when launched
Fixes an issue where Weather widget sometimes failed to load data
Fixes an issue on iPhone 7 where Home Button click settings would not appear in search results
Fixes an issue that prevented spam alert extensions from blocking calls
Resolves an issue that could prevent alarm sounds from going off
Fixes an issue where audio playback via Bluetooth would cause the Taptic engine to stop providing feedback for some users
Resolves an issue preventing some users from restoring from iCloud Backup

For information on the security content of this update, please visit this website: https://support.apple.com/HT201222

iOS 10.0.3
iOS 10.0.3 fixes bugs including an issue where some users could temporarily lose cellular connectivity.
For information on the security content of this update, please visit this website: https://support.apple.com/kb/HT201222

iOS 10.0.2
iOS 10.0.2 fixes bugs and improves the stability of your iPhone or iPad. This update:
Addresses an issue that could prevent headphone audio controls from temporarily not working
Resolves an issue that caused Photos to quit for some users when turning on iCloud Photo Library
Fixes an issue that prevented enabling some app extensions
For information on the security content of this update, please visit this website: https://support.apple.com/kb/HT201222

iOS 10.0 - iOS 10.0.1

Messages
Expressive Messaging
Bubble effects let you send messages loudly, gently, slam or with invisible ink
Full-screen effects to celebrate special moments
Tapback for quick replies to messages, links, and photos
Handwritten messages animate like ink on paper
Digital Touch lets you send sketches, taps, and heartbeats
Tap to replace can emojify your text with just a tap
Rich links show a preview of web pages you share
iMessage apps
New App Store for iMessage
Use the power of apps in Messages to share and collaborate with friends
Download stickers to send and place on text bubbles and photos

Siri
Siri now works with the following types of apps
Messaging apps to send, search and read back text messages
VoIP apps to place phone calls
Photos apps to search for images and photos
Ride service apps to book rides
Payment apps to make personal payments
Fitness apps to start, stop, and pause workouts
CarPlay automaker apps to adjust climate, radio, seat, and personal settings

Maps
All new look
Proactive suggestions for places you're likely to go next, based on your routine or appointments in Calendar
Improved search with new callout design, clustered results and category filters
Home, work, favorite locations, and locations from upcoming Calendar events are displayed on the map
Displays where your car is parked via CarPlay or Bluetooth
Weather for the currently viewed area
Extensions
Make a reservation within Maps using extensions from participating reservations apps
Book a ride to a destination within Maps using extensions from participating ride service apps
Turn-by-turn navigation improvements
Search along route for gas stations, food, and coffee shops
Automatic view adjustment of the road ahead
Use pan and zoom during navigation
Option to avoid tolls and highways

Photos
Advanced face recognition designed with deep learning to automatically group similar faces together
Object and scene recognition to intelligently search for photos by what's in them using advanced computer vision that scans your library locally on device
Places album to see all your photos, videos and Live Photos on a map
Memories
Intelligently highlights forgotten events, trips, and people, and presents them in a beautiful collection
Memory movies automatically edited with theme music, titles, and cinematic transitions
Related memories make it easy to rediscover even more photos in your collection, based on location, time, people, scenes and objects
Easily share with family and friends
Brilliance control applies region-specific adjustments to brightness, highlights and contrast

Home
New Home app to securely manage and control HomeKit enabled accessories
Scenes to control groups of accessories with just a tap
Rich Notifications with quick actions to control accessories
Optionally share home access with family and friends
Remote access and automation of accessories with Apple TV or iPad

Apple Music
An all-new design for Apple Music brings greater clarity and simplicity to every aspect of the experience
Navigate your Library with an improved menu and see all of the Downloaded Music that you can play on your device while offline
See recommendations in For You that highlight mixes, playlists, albums, and Connect posts—selected for you based on the music and artists you love
Visit Browse to more easily see exclusive releases, find curated playlists, and discover the most important new releases—picked by our editors each week
Listen to Radio more easily—clearly see what's live on Beats 1, hear your favorite shows on-demand, or choose a curated station for any genre of music
Play music with an improved Now Playing experience—swipe up to view available lyrics and quickly see or edit songs that are coming up next

Apple News
An all-new design in For You adds bold typography, vibrant color, and distinct sections that make it easier to find stories on specific topics
See the most important stories of the day within Top Stories—updated by our editors throughout the day
Find the most popular stories right now within Trending Stories—selected based on what others are reading
See all of your stories grouped into easy-to-understand sections on the topics you follow or read
Discover the best and most interesting stories of the week within Featured Stories—selected by our editors
Share stories more easily—just tap the icon on any story to send it to a friend right from For You
Receive breaking news notifications from some of your most trusted sources
Subscribe to your favorite magazines and newspapers directly in News
New personalized Today View widget lets you keep up with the latest stories throughout the day

Experience
Raise to Wake automatically wakes the screen as you raise your iPhone
Rich notifications that support real time information, audio, photos and videos
Today view is redesigned and supports all new widgets for apps like Weather, Up Next, Maps, Stocks and more
Control Center is redesigned with easier to access controls including dedicated cards for music playback and Home
Expanded use of 3D Touch
Lock screen notifications to support an expanded view and access to quick actions
New quick actions for built in apps like Weather, Stocks, Reminders, Health, Home, FaceTime, iCloud Drive and Settings
Home Screen widgets
Control Center for access to quick actions for Flashlight, Timer, Calculator and Camera
Clear all in Notification Center

QuickType
New emoji, including gender diverse options to existing characters, single parent family variations, rainbow flag and beautiful redesigns of popular emoji
Contextual predictions for current location, recent addresses, contact information and calendar availability using deep neural network technology
Emoji predictions
Calendar events are intelligently populated using deep learning technology with information from your conversations in Mail and Messages
Multi-lingual typing now lets you type in two languages at once without having to switch keyboards
Rest & Type on iPad intelligently adapts to your unique typing patterns
Predictive typing now uses deep neural network technology for greater prediction accuracy

Phone
Voicemail transcription (beta)
Spam call alerts with spam call identification apps
Support for third party VoIP apps receiving calls on the Lock screen, including support for Call Waiting, Mute and Do Not Disturb

Other improvements
Apple Pay in Safari
View two pages at once using Split View in Safari on iPad
Notes collaboration lets you invite people to work on your notes together
Markup support in Messages, Photos and PDFs stored in Notes
Bedtime Alarm in the Clock app lets you set a regular sleep schedule and receive bedtime reminders
Health adds support for health records and organ donation (US Only)
Stabilization support for Live Photos for improved camera capture
Live Filters support when capturing Live Photos
iCloud Drive now supports Desktop and Documents folders from macOS
Live search results in Spotlight for Chinese and Japanese
Siri support for Spanish (Chile), Chinese (Cantonese - China), English (Ireland), English (South Africa)
Ling Wai and Kaiti Black document fonts for Chinese
Yu Kyokasho and Toppan Bunkyu fonts for Japanese
New definition dictionaries in Traditional Chinese and Danish and bilingual dictionaries in Dutch and Italian
New keyboard for Spanish (Latin America)

Accessibility
Magnifier now uses the camera on your iPhone or iPad like a digital magnifying glass for real-life objects
New range of display color filters to support different forms of color blindness or other vision challenges
VoiceOver adds a Pronunciation Editor to customize the way words are pronounced, additional voices, and support for multiple audio sources
Additional text highlighting options in Speak Screen and Speak Selection, as well as the ability to speak keyboard letters and predictive typing suggestions to support multi-modal learning
Switch control now lets you control iOS, macOS and tvOS all from the same iPhone or iPad, so you don't need to configure switches for the secondary device
Software TTY allows you to place and receive TTY calls without the need for traditional hardware teletypewriter accessories

Some features may not be available for all countries or all areas, for more information visit: http://www.apple.com/ios/feature-availability and http://www.apple.com/ios/whats-new
For information on the security content of this update, please visit this website: http://support.apple.com/kb/HT1222

US sends nastygram to European Union over alleged Apple tax dodging

Image: Snow White, Disney Films

Apple's battle with the European Union’s competition watchdog has been backed by the US government, which on Wednesday waded into the complaint over the iPhone maker's tax arrangements. The US treasury warned in a white paper that Brussels' ongoing investigation into Apple’s tax deal with Ireland could “create an unfortunate international tax policy precedent.” On Thursday, the European Commission responded that there was “no bias” against US companies. After two years of investigations, antitrust chief Margrethe Vestager is expected to issue a decision on allegations of tax dodging by Apple in the autumn. The commission is considering whether the company used so-called “transfer pricing arrangements” to move profits around in order to avoid tax.
Ireland is implicated in letting Apple pay a tiny amount of tax.

Technically, this means that it may have benefited from illegal state aid. “Tax rulings may involve state aid within the meaning of EU rules if they are used to provide selective advantages to a specific company or group of companies,” the commission states. But the US treasury warned that Vestager's office was in danger of overstepping its bounds “beyond enforcement of competition and state aid law under the TFEU [Treaty on the Functioning of the EU] into that of a supra-national tax authority.” It said it was considering “potential responses should the commission continue its present course,” adding: “a strongly preferred and mutually beneficial outcome would be a return to the system and practice of international tax cooperation that has long fostered cross-border investment between the United States and EU member states.” Vestager has already ordered the payment of more than €20 million in back taxes from Starbucks and Fiat Chrysler over similar tax deals with the Netherlands and Luxembourg, and Ireland could be instructed to reclaim up to tens of billions of dollars from Apple. The US government's bean counters are worried about the crackdown, however: There is the possibility that any repayments ordered by the commission will be considered foreign income taxes that are creditable against US taxes owed by the companies in the United States.
If so, the companies’ US tax liability would be reduced. To the extent that such foreign taxes are imposed on income that should not have been attributable to the relevant member state, that outcome is deeply troubling, as it would effectively constitute a transfer of revenue to the EU from the US government and its taxpayers. Put another way, the US treasury appears to be saying: "we get to tax our multinationals, not the EU." Apple CEO Tim Cook has always denied any wrongdoing. The commission has also been pursuing a similar investigation against Amazon in Luxembourg and has warned that other cases may be on the way. “A substantial number of additional cases against US companies may lead to a growing chilling effect on US-EU cross-border investment,” the treasury hit back. On Thursday, the commission's spokesperson, Alexander Winterstein, said that it had taken note of the white paper, before drily saying that EU state aid rules have been in place for years. “With regard to the insinuation of bias, let me repeat what commissioner Vestager has been saying, which is that EU law and competition rules apply indiscriminately to all companies operating in Europe, whether they are big companies or small companies, whether they are companies that are European or companies from outside Europe.

There is absolutely no trace of a bias here,” he added. This post originated on Ars Technica UK

An ATM hack and a PIN-pad hack show chip cards aren’t...

Image: We've come a long way since this was the norm. (Credit: eBay)

Security researchers are eager to poke holes in the chip-embedded credit and debit cards that have arrived in Americans' mailboxes over the last year and a half. Although the cards have been in use for a decade around the world, more brains trying to break things are bound to come up with new and inventive hacks. And at last week's Black Hat security conference in Las Vegas, two presentations demonstrated potential threats to the security of chip cards. The first involved fooling point-of-sale (POS) systems into thinking that a chip card is a magnetic stripe card with no chip, and the second involved stealing the temporary, dynamic number generated by a chip card and using it in a very brief window of time to request money from a hacked ATM.

Double trouble

Chip card technology—often called EMV for EuroPay, MasterCard, and Visa for the three companies that developed the chip card standard—is supposed to offer significant security benefits over the old magnetic stripe card system. Magnetic stripe cards have a static card number written into their magnetic stripe, and if a POS system is infected with malware, as was the case in the infamous Target and Home Depot hacks, then a malicious actor can take those card numbers and make counterfeit purchases with them. An EMV card, by contrast, uses a chip to transmit a dynamic number that changes with each purchase. That makes it a lot harder to steal a card number and reuse it elsewhere. But that doesn’t mean it’s impossible. Late last year, security researcher Samy Kamkar demonstrated that he could calculate a replacement American Express card number based on the previous card number, replicate the credit card’s magnetic stripe information on a programmable chip, and use it to make purchases around town, much like the now-defunct Coin card.
Kamkar was even able to do this with chip cards—the magnetic stripe on the back of every card has two tracks of data that tell card readers information like cardholder name, the card’s number, its expiration date, etc. Track 2 data will tell a card reader if the card has a chip and needs to be dipped—otherwise it can be swiped. Kamkar’s solution was to alter the Track 2 data and spoof the card reader to tell it that the card only has a magnetic stripe, no chip, thus bypassing the entry of a dynamic number. Last week at BlackHat, two researchers from NCR Corporation, which makes ATM and card reader hardware, performed a similar hack (PDF) that allowed an EMV card to be read as a magnetic stripe card with a static number. The researchers, Nir Valtman and Patrick Watson, showed that if a malicious actor can take control of the information flowing from an external PIN pad (i.e., a card reader not connected to an ATM), then that person can present a duplicate card with altered Track 2 data telling the POS system that the PIN pad has received a card that doesn’t have a chip in it, even if it does. Aaron Gould, a spokesperson for NCR, told Ars via e-mail, “There are only a few scenarios in which the altered copy [of the chip card] would work.” If the transaction happens online, which most in the US do these days (PDF), the issuer will know if its card should be a chip card or not and could deny a transaction from a mag stripe card. But if the transaction happens offline—which does still occur, leaving the POS to queue transactions until they can be transferred to the issuer—then this hack has the potential to work. Valtman and Watson have clarified that altering Track 2 data to spoof a PIN pad and POS to think that they’re receiving information from a mag stripe card instead of a chip card isn’t really breaking how EMV works as much as it’s relying on an already-broken mag stripe system and an inconsistent rollout of EMV. 
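As an added example (not code from the article, NCR or EMVCo), this is the issuer-side check the article alludes to: parse the Track 2 data the acquirer forwards, decode the service code that says whether a chip should be present, and compare it against the issuer's own record of the card before approving a swipe. The card file, the PANs (standard test numbers) and the entry-mode labels are constructed for the example; a real issuer host has far more context than this.

```python
"""Issuer-side sanity check for magnetic-stripe (Track 2) fallback transactions.

Added example, not part of the Ars article or NCR's research. The point it
illustrates: an issuer knows whether a given card was issued with a chip, so a
counterfeit whose Track 2 data says "no chip" can be flagged before approval,
online or when an offline (store-and-forward) batch finally reaches the issuer.
All PANs and card-file records below are constructed test data.
"""
from dataclasses import dataclass

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMMSSS<discretionary data>?
# The three-digit service code (SSS) follows the expiry date. Its first digit
# tells the terminal, among other things, whether a chip is present:
# 2 or 6 means "integrated circuit card, use the chip where possible".
CHIP_PRESENT_FIRST_DIGITS = {"2", "6"}


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def claims_chip(self) -> bool:
        """What the presented stripe says about chip presence."""
        return self.service_code[0] in CHIP_PRESENT_FIRST_DIGITS


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check-digit validation for a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Parse a Track 2 string, with or without start/end sentinels."""
    s = raw.strip()
    if s.startswith(";"):
        s = s[1:]
    if "?" in s:
        s = s[: s.index("?")]  # drop end sentinel and any trailing LRC
    if "=" not in s:
        raise ValueError("Track 2 field separator '=' missing")
    pan, rest = s.split("=", 1)
    if not (pan.isdigit() and 12 <= len(pan) <= 19):
        raise ValueError("PAN must be 12-19 digits")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry (YYMM) and 3-digit service code required")
    return Track2(pan=pan, expiry_yymm=rest[:4],
                  service_code=rest[4:7], discretionary=rest[7:])


# Constructed issuer card file: the service code encoded on the genuine card.
ISSUER_CARD_FILE = {
    "4111111111111111": "201",  # issued as a chip card (first digit 2)
    "5555555555554444": "101",  # issued as magstripe-only (first digit 1)
}


def fallback_decision(raw_track2: str, entry_mode: str,
                      card_file=ISSUER_CARD_FILE) -> str:
    """Return 'approve', 'decline' or 'refer' for a Track 2 transaction.

    entry_mode is the POS entry mode reported by the acquirer (constructed
    labels): 'chip' for an EMV read, 'magstripe' for a plain swipe,
    'fallback' for a swipe after a failed chip read.
    """
    try:
        t2 = parse_track2(raw_track2)
    except ValueError:
        return "decline"  # malformed data
    if not luhn_ok(t2.pan):
        return "decline"
    issued_code = card_file.get(t2.pan)
    if issued_code is None:
        return "decline"  # unknown PAN
    issued_chip = issued_code[0] in CHIP_PRESENT_FIRST_DIGITS
    if t2.service_code != issued_code:
        # The presented stripe disagrees with what was issued: a counterfeit
        # that rewrites the service code to hide the chip trips this first.
        return "decline"
    if entry_mode == "magstripe" and issued_chip:
        # A chip card swiped with no chip attempt at all looks exactly like
        # the downgrade the article describes.
        return "decline"
    if entry_mode == "fallback" and issued_chip:
        return "refer"  # tolerated by some issuers, but worth a second look
    return "approve"
```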
A spokesperson for EMVCo, the member-owned consortium that manages EMV specifications and their rollout, said in a statement that Valtman and Watson’s attack “relies on magstripe information and not the EMV chip. It is EMVCo’s view that when the full payment process is taken into account, suitable protection exists to mitigate against this type of attack, such as ensuring that information read from a chip card is not sufficient to create a valid magstripe card.” In other words, to make and use a duplicate EMV card for fraud, hackers would have to find a way to get magnetic stripe information corresponding to that card in the first place, because just scraping dynamic numbers from EMV chips won’t be enough to reconstruct magnetic stripe data. Valtman and Watson also demoed other ways that they could take advantage of card holders at a checkout terminal. They showed that if the security between the PIN pad and the POS is weak, they could compromise the traffic passing between them to prompt card holders to reenter their PINs so that man-in-the-middle attackers could snap them up or even prompt unsuspecting cardholders to enter their CVV (found on the back of the card and used for fraudulent purchases online) into the compromised PIN pad. “At a high level, some PIN pads are not properly authenticating that it is receiving instructions from the real POS instead of from an attacker,” Gould said to Ars. This takes advantage of the level of confusion that has been baked into the payment process since chip cards were introduced in the US. Customers are becoming accustomed to getting odd demands from the PIN pad—should I insert the card or swipe? Will I need to enter a PIN or will I be asked for a signature? If you complete any step wrong, the card reader will prompt you to try again. Imagine a card reader prompting you to re-enter a PIN. Would you think anything of it? Or if a card reader asked you for your CVV. 
Surely that would seem more suspicious, but if your kids are crying and the line behind you is growing and the new card reader is prompting you to input your CVV or you can’t pay with that card, would you just do it or would you ask to see a manager? For many people, the answer would likely be the former. To remedy this, Valtman and Watson recommended that traffic from PIN pads to POS systems be encrypted (a self-serving if rational conclusion, as their company NCR develops hardware and software to address such issues). According to the blog PYMNTS, "Terminal makers Ingenico and Verifone both affirm that they offer point-to-point encryption, but also note that retailers and their partners must choose to turn it on." In some cases, retailers have to pay extra to encrypt traffic from the card reader to the POS. Valtman and Watson also suggested that a more secure way to interact with card readers would be to use a mobile payment platform like Android Pay or Apple Pay, due to their reliance on tokenization (which disguises a true card number) and the fact that they can transmit a unique Track 2 code for each transaction.

A more difficult hack, a more dangerous hack

While the previous hacks don’t really break EMV as much as they fall back on the weaknesses of magnetic stripe technology, researchers at security firm Rapid7 demonstrated a hack that really does undermine the protections that EMV confers. Much like Valtman and Watson’s hack, Rapid7 also exploited the card reader. It placed a shim between the card reader and a demo POS, reading the dynamic card number that the chip generates for that transaction and transmitting the number instantaneously to a hacker at a remote location. That stolen randomized chip card number expires quickly, so hackers have to work fast. The Rapid7 researchers demonstrated their hack on a compromised ATM, although a hacker could use the stolen number to make a one-time purchase on a smartphone, for instance.
On the ATM demo, the researchers broke open an ATM and fed it the skimmed number, programming it to request money with the number. The hack is certainly more complicated than the malware that stole numbers from Target and Home Depot—it requires physical access to a card reader and, to recreate the ATM hack, unfettered access to an ATM (which is not always a huge limitation, especially in countries where ATM hacking is more prevalent, as this study on ATM hacks showed us). But the short window of time that hackers have to make any purchases or money requests also limits the amount of damage they could do. In a statement, EMVCo’s spokesperson responded to this hack saying that “it is EMVCo’s view that an attack of this nature would be extremely difficult and risky to deploy in the real world and is not practically scalable. Even if such an attack were to occur, when the full payment process is taken into account, various countermeasures are available to mitigate against this type of attack.” Still, demonstrating that such an attack could happen means a more creative and advanced way to carry out such an attack may still be out there. Certainly, we saw a similarly creative and successful EMV hack years ago in France, when a crime ring stole EMV cards and doctored them with custom chips that accepted any PIN at a register. Here in the US, we may just be scraping the surface of possible ways to break EMV. Listing image by eBay

IT threat evolution in Q2 2016. Overview

Download the full report (PDF)

Targeted attacks and malware campaigns

Cha-ching! Skimming off the cream

Earlier in the year, as part of an incident response investigation, we uncovered a new version of the Skimer ATM malware.

The malware, which first surfaced in 2009, has been re-designed.
So too have the tactics of the cybercriminals using it.

The new ATM infector has been targeting ATMs around the world, including the UAE, France, the United States, Russia, Macau, China, the Philippines, Spain, Germany, Georgia, Poland, Brazil and the Czech Republic. Rather than the well-established method of fitting a fake card-reader to the ATM, the attackers take control over the whole ATM.

They start by installing the Skimer malware on the ATM – either through physical access or by compromising the bank’s internal network.

The malware infects the ATM’s core – the part of the device responsible for interaction with the wider bank infrastructure, card processing and dispensing of cash.
In contrast to a traditional card skimmer, there are no physical signs that the ATM is infected, leaving the attackers free to capture data from cards used at the ATM (including a customer’s bank account number and PIN) or steal cash directly. The cybercriminal ‘wakes up’ the infected ATM by inserting a card that contains specific records on the magnetic stripe.

After reading the card, Skimer is able to execute a hard-coded command, or receive commands through a special menu activated by the card.

The Skimer user interface appears on the display only after the card is ejected and only if the cybercriminal enters the correct session key within 60 seconds.

The menu offers 21 different options, including dispensing money, collecting details of cards that have been inserted in the ATM, self-deletion and performing updates.

The cybercriminal can save card details on the chip of their card, or print the details it has collected.
The attackers are careful to avoid attracting attention. Rather than take money directly from the ATM – which would be noticed immediately – they wait (sometimes for several months) before taking action.
In most cases, they collect data from skimmed cards in order to create cloned cards later.

They use the cloned cards in other, non-infected ATMs, casually withdrawing money from the accounts of the victims in a way that can’t be linked back to the compromised ATM. Kaspersky Lab has several recommendations to help banks protect themselves.

They should carry out regular anti-virus scans; employ whitelisting technologies; apply a good device management policy; make use of full disk encryption; password protect the BIOS of ATMs; enforce hard disk booting and isolate the ATM network from the rest of the bank infrastructure.

The magnetic strip of the card used by the cybercriminals to activate the malware contains nine hard-coded numbers.

Banks may be able to proactively look for these numbers within their processing systems: so we have shared this information, along with other Indicators of Compromise (IoCs). In April, one of our experts provided an in-depth examination of ATM jackpotting and offered some insights into what should be done to secure these devices.

New attacks, old exploit

In recent months we have been tracking a wave of cyber-espionage attacks conducted by different APT groups across the Asia-Pacific and Far East regions.

They all share one common feature: they exploit the CVE-2015-2545 vulnerability.

This flaw enables an attacker to execute arbitrary code using a specially crafted EPS image file.
It uses PostScript and can evade the Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods built into Windows.

The Platinum, APT16, EvilPost and SPIVY groups were already known to use this exploit. More recently, it has also been used by the Danti group. Danti, first identified in February 2016 and still active, is highly focused on diplomatic bodies.

The group predominantly targets Indian government organizations, but data from the Kaspersky Security Network (KSN) indicates that it has also infected targets in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines. The exploit is delivered using spear-phishing e-mails spoofed to look as though they have been sent by high-ranking Indian government officials. When the victim clicks on the attached DOCX file, the Danti backdoor is installed, allowing the attackers to capture sensitive data. The origin of the Danti group is unclear, but we suspect that it might be connected to the NetTraveler and DragonOK groups: it’s thought that Chinese-speaking hackers are behind these attacks. Kaspersky Lab has also seen another campaign that makes use of the CVE-2015-2545 vulnerability: we’ve called this SVCMONDR after the Trojan that is downloaded once the attackers get a foothold in the victim’s computer.

This Trojan is different to the one used by the Danti group, but it shares some common features with Danti and with APT16 – the latter is a cyber-espionage group believed to be of Chinese origin. One of the most striking aspects of these attacks is that they are successfully making use of a vulnerability that was patched by Microsoft in September 2015.
In November, we predicted that APT campaigns would invest less effort in developing sophisticated tools and make greater use of off-the-shelf malware to achieve their goals.

This is a case in point: using a known vulnerability, rather than developing a zero-day exploit.

This underlines the need for companies to pay more attention to patch management to secure their IT infrastructure.

New attack, new exploit

Of course, there will always be APT groups that seek to take advantage of zero-day exploits.
In June, we reported on a cyber-espionage campaign – code-named ‘Operation Daybreak’ and launched by a group named ScarCruft – that uses a previously unknown Adobe Flash Player exploit (CVE-2016-1010).

This group is relatively new and has so far managed to stay under the radar. We think the group might have previously deployed another zero-day exploit (CVE-2016-0147) that was patched in April. The group have targeted a range of organizations in Russia, Nepal, South Korea, China, India, Kuwait and Romania.

These include an Asian law enforcement agency, one of the world’s largest trading companies, a mobile advertising and app monetization company in the United States, individuals linked to the International Association of Athletics Federations and a restaurant located in one of Dubai’s top shopping centres.

The attacks started in March 2016: since some of them are very recent, we believe that the group is still active. The exact method used to infect victims is unclear, but we think that the attackers use spear-phishing e-mails that point to a hacked website hosting the exploit.

The site performs a couple of browser checks before redirecting victims to a server controlled by the hackers in Poland.

The exploitation process consists of three Flash objects.

The one that triggers the vulnerability in Adobe Flash Player is located in the second SWF file delivered to the victim.

At the end of the exploitation chain, the server sends a legitimate PDF file, called ‘china.pdf’, to the victim: this seems to be written in Korean. The attackers use a number of interesting methods to evade detection, including exploiting a bug in the Windows Dynamic Data Exchange (DDE) component in order to bypass security solutions – a method not seen before.

This flaw has been reported to Microsoft. Flash Player exploits are becoming rare, because in most cases they need to be coupled with a sandbox bypass exploit – this makes them tricky to do. Moreover, although Adobe is planning to drop Flash support soon, it continues to implement new mitigations to make exploitation of Flash Player increasingly difficult. Nevertheless, resourceful groups such as ScarCruft will continue to try and find zero-day exploits to target high-profile victims. While there’s no such thing as 100 per cent security, the key is to increase security defences to the point that it becomes so expensive for an attacker to breach them that they give up or choose an alternative target.

The best defence against targeted attacks is a multi-layered approach that combines traditional anti-virus technologies with patch management, host-based intrusion prevention and a default-deny whitelisting strategy.

According to a study by the Australian Signals Directorate, 85 per cent of targeted attacks analysed could have been stopped by employing four simple mitigation strategies: application whitelisting, updating applications, updating operating systems and restricting administrative privileges. Kaspersky Lab products detect the Flash exploit as ‘HEUR:Exploit.SWF.Agent.gen’.

The attack is also blocked proactively by our Automatic Exploit Prevention (AEP) component.

The payloads are detected as ‘HEUR:Trojan.Win32.ScarCruft.gen’.

XDedic: APT-as-a-Service

Kaspersky Lab recently investigated an active cybercriminal trading platform called xDedic, an online black market for hacked server credentials around the world – all available through the Remote Desktop Protocol (RDP). We initially thought that this market extended to 70,000 servers, but new data suggests that the XDedic market is much wider – including credentials for 176,000 servers. XDedic includes a search engine, enabling potential buyers to find almost anything – from government and corporate networks – for as little as $8 per server.

This low price provides ‘customers’ with access to data on such servers and their use as a bridgehead for further targeted attacks. The owners of the ‘xdedic[.]biz’ domain claim that they have no relation to those selling access to hacked servers – they are simply selling a secure trading platform for others.

The XDedic forum has a separate sub-domain, ‘partner[.]xdedic[.]biz’, for the site’s ‘partners’ – that is, those selling hacked servers.

The Xdedic owners have developed a tool that automatically collects information about the system, including websites available, software installed and more.

They also provide other tools to their partners, including a patch for RDP servers to support multiple logins for the same user and proxy installers. The existence of underground markets is not new.

But we are seeing a greater level of specialisation.

And while the model adopted by the XDedic owners isn’t something that can be replicated easily, we think it’s likely that other specialized markets will appear in the future. Data from KSN helped us identify several files that were downloaded from the XDedic partner portal: Kaspersky Lab products detect these files as malicious. We have also blacklisted the URLs of control servers used for gathering information about the infected systems. Our detailed report on XDedic contains more information on hosts and network-based IoCs.

Lurking around the Russian Internet

Sometimes our researchers find malware that is particular about where it infects. On the closed message boards used by Russian cybercriminals, for example, you sometimes see the advice ‘Don’t work with RU’ – offered by experienced criminals to the younger generation: i.e. don’t infect Russian computers, don’t steal money from Russians and don’t use them to launder money.

There are two good reasons for this.

First, online banking is not as common as it is in the west.
Second, victims outside Russia are unlikely to lodge a complaint with the Russian police – assuming, of course, that they even know that Russian cybercriminals are behind the malware that has infected them. But there are exceptions to every rule. One of these is the Lurk banking Trojan that has been used to steal money from victims in Russia for several years.

The cybercriminals behind Lurk are interested in telecommunications companies, mass media and news aggregators and financial institutions.

The first provide them with the means to transfer traffic to the attackers’ servers.

The news sites provide them with a way to infect a large number of victims in their ‘target audience’ – i.e. the financial sector.

The Trojan’s targets appear to include Russia’s four largest banks. The primary method used to spread the Lurk Trojan is drive-by download, using the Angler exploit pack: the attackers place a link on compromised websites that leads to a landing page containing the exploit.

Exploits (including zero-days) are typically implemented in Angler before being used in other exploit packs, making it particularly dangerous.

The attackers also distribute code through legitimate websites, where infected files are served to visitors from the .RU zone, but others receive clean files.

The attackers use one infected computer in a corporate network as a bridgehead to spread across the organization.

They use the legitimate PsExec utility to distribute the malware to other computers; and then use a mini-dropper to execute the Trojan’s main module on the additional computers. There are a number of interesting features of the Lurk Trojan. One distinct feature, that we discussed soon after it first appeared, is that it is ‘file-less’ malware, i.e. it exists only in RAM and doesn’t write its code to the hard drive. The Trojan is also set apart because it is highly targeted.

The authors do their best to ensure that they infect victims that are of interest to them without catching the attention of analysts or researchers.

The incidents known to us suggest Lurk is successful at what it was designed for: we regularly receive reports of thefts from online banking systems; and forensic investigations after the incidents reveal traces of Lurk on the affected computers.

Malware stories

Cybercriminals get ready for Rio

Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events, so it’s no surprise that we’ve seen an increase in cybercriminal activity related to the forthcoming Olympic Games in Brazil. We’ve seen an increase in spam e-mails.

The spammers try to cash in on people’s desire to watch the games live, sending out messages informing the recipient that they have won a (fake) lottery (supposedly organized by the International Olympic Committee and the Brazilian government): all they need to do to claim their tickets is to reply to the e-mail and provide some personal details. Some messages point to fake websites, like this one offering direct sale of tickets without the need to make an application to the official lottery: These fake ticketing sites are very convincing.
Some fraudsters go the extra mile by obtaining legitimate SSL certificates to provide a secure connection between the victim’s browser and the site – displaying ‘https’ in the browser address bar to lure victims into a false sense of security.

The scammers inform their victims that they will receive their tickets two or three weeks before the event, so the victim doesn’t become suspicious until it’s too late and their card details have been used by the cybercriminals. Kaspersky Lab is constantly detecting and blocking new malicious domains, many of which include ‘rio’ or ‘rio2016’ in the title. It’s too late to buy tickets through official channels, so the best way to see the games is to watch on TV or online. We advise everyone to beware of malicious streaming websites – probably the last-ditch attempt by cybercriminals to scam people out of their money. Cybercriminals also take advantage of our desire to stay connected wherever we go – to share our pictures, to update our social network accounts, to find out the latest news or to locate the best places to eat, shop or stay. Unfortunately, mobile roaming charges can be very high, so often people look for the nearest Wi-Fi access point.

This is dangerous, because data sent and received over an open Wi-Fi network can be intercepted.
So passwords, PINs and other sensitive data can be stolen easily. On top of this, cybercriminals also install fake access points, configured to direct all traffic through a host that can be used to control it – even functioning as a ‘man-in-the-middle’ device that is able to intercept and read encrypted traffic. To gauge the extent of the problem, we drove by three major Rio 2016 locations and passively monitored the available Wi-Fi networks that visitors are most likely to try and use during their stay – the Brazilian Olympic Committee building, the Olympic Park and the Maracana, Maracanazinho and Engenhao stadiums. We were able to find around 4,500 unique access points. Most are suitable for multimedia streaming.

But around a quarter of them are configured with weak encryption protocols: this means that attackers can use them to sniff the data of unsuspecting visitors that connect to them. To reduce your exposure, we would recommend any traveller (not just those who plan to visit Rio!) to use a VPN connection, so that data from your device travels to the Internet through an encrypted data channel.

Be careful though.
Some VPNs are vulnerable to DNS leak attacks – meaning that, although your immediate sensitive data is sent via the VPN, your DNS requests are sent in plain text to the DNS servers set by the access point hardware.

This would allow an attacker to see what you’re browsing and, if they have access to the compromised Wi-Fi network, define malicious DNS servers – i.e. letting them redirect you from a legitimate site (your bank, for example) to a malicious site.
If your VPN provider doesn’t support its own DNS servers, consider an alternative provider or a DNSCrypt service. There’s one other thing that we need if we want to stay connected – electricity: we need to keep our mobile devices charged.

Today you can find charging-points in shopping centres, airports and even taxis.

Typically they provide connectors for leading phone models, as well as a USB connector that a visitor can use with their own cable.
Some also provide a traditional power supply that can be used with a phone charger. But remember that you don’t know what’s connected to the other end of the USB connector.
If an attacker compromises the charging-point, they can execute commands that allow them to obtain information about your device, including the model, IMEI number, phone number and more: information they can use to run a device-specific attack that would then enable them to infect the device. You can find more information about the data that’s transmitted when you connect a device using USB and how an attacker could use it to compromise a mobile device. This doesn’t mean that you shouldn’t charge your device when you’re away from home.

But you should take steps to protect yourself.
It’s always best to use your own charger, rather than using charging cables at a public charging-point or buying one from an unknown source. You should also use a power outlet, instead of a USB socket. Cybercriminals also continue to exploit established ways to make money.

This includes using ATM skimmers to steal credit card data.

The most basic skimmers install a card reader and a camera to record the victim’s PIN.

The best way to protect yourself from this is to cover the keypad as you enter your PIN. However, sometimes cybercriminals replace the whole ATM, including the keypad and screen, in which case the typed password is stored on the fake ATM system.
So it’s also important to check the ATM before you insert your card.

Check to see if the green light on the card reader is on: typically, they replace the card reader with a version where there is no light, or it’s switched off.

Also check the machine to see if there is anything suspicious, such as missing or broken parts. Card cloning is another problem facing visitors to Rio 2016. While chip-and-PIN makes life harder for cybercriminals, it’s possible for them to exploit flaws in the EMV transaction implementation.
It’s difficult to protect yourself against this type of attack, because usually the point-of-sale is modified in order to save the data – to be collected later by the cybercriminals.
Sometimes they don’t need physical access to extract the stolen data, as they collect it via Bluetooth. However, there are some steps you can take to reduce your exposure to this type of attack.
Sign up for SMS notifications of card transactions from your bank, if they provide this service. Never give your card to the retailer: if they can’t bring the machine to you, go to the machine.
If the device looks suspicious, use a different payment method.

Before typing your PIN, make sure you’re on the card payment screen and ensure that your PIN isn’t going to be displayed on the screen.

Ransomware: backup or pay up?

Towards the end of last year, we predicted that ransomware would gain ground on banking Trojans – for the attackers, ransomware is easily monetized and involves a low cost per victim.
So it’s no surprise that ransomware attacks are increasing. Kaspersky Lab products blocked 2,315,931 ransomware attacks between April 2015 and April 2016 – that’s an increase of 17.7 per cent on the previous year.

The number of cryptors (as distinct from blockers) increased from 131,111 in 2014-15 to 718,536 in 2015-16. Last year, 31.6 per cent of all ransomware attacks were cryptors. You can find further information, including an overview of the development of ransomware, in our KSN Report: PC ransomware in 2014-16.

Most ransomware attacks are directed at consumers – 6.8 per cent of attacks in 2014-15 and 13.13 per cent in 2015-16 targeted the corporate sector. However, the figures are different for cryptors: throughout the 24 months covered by the report, around 20 per cent of cryptor attacks targeted the corporate sector.

Hardly a month goes by without reports of ransomware attacks in the media – including recent reports of a hospital and online casino falling victim to ransomware attacks. Yet while public awareness of the problem is growing, it’s clear that consumers and organizations alike are not doing enough to combat the threat; and cybercriminals are capitalizing on this – this is clearly reflected in the number of attacks we’re seeing.

It’s important to reduce your exposure to ransomware (and we’ve outlined important steps you can take here and here). However, there’s no such thing as 100 per cent security, so it’s also important to mitigate the risk.
In particular, it’s vital to ensure that you have a backup, to avoid facing a situation where the only choices are to pay the cybercriminals or lose your data.
It’s never advisable to pay the ransom. Not only does this validate the cybercriminals’ business model, but there’s no guarantee that they will decrypt your data once you’ve paid them – as one organization discovered recently to its cost.
If you do find yourself in a situation where your files are encrypted and you don’t have a backup, ask if your anti-malware vendor is able to help. Kaspersky Lab, for example, is able to help recover data encrypted by some ransomware.

Mobile malware

Displaying adverts remains one of the main methods of monetization for detected mobile objects.

Trojan.AndroidOS.Iop.c became the most popular mobile Trojan in Q2 2016, accounting for more than 10% of all detected mobile malware encountered by our users during the reporting period.
It displays adverts and installs, usually secretly, various programs using superuser privileges.
Such activity quickly renders the infected device virtually unusable due to the amount of adverts and new applications on it.

Because this Trojan can gain superuser privileges, it is very difficult to delete the programs that it installs. In our report IT threat evolution in Q1 2016 we wrote about the Trojan-Banker.AndroidOS.Asacub family of banking malware. Representatives of this family have an unusual technique for bypassing the security mechanisms used by operating systems – they overlay the regular system window requesting device administrator privileges with their own window containing buttons.

The Trojan thereby conceals the fact that it is gaining elevated privileges in the system, and tricks the user into approving these privileges.
In Q2 2016, Asacub introduced yet another method for deceiving users: the Trojan acquired SMS messenger functionality and started offering its services in place of the device’s standard SMS app.

[Figure: Dialog window of Trojan-Banker.AndroidOS.Asacub.i asking for the rights to be the main SMS application]

This allows the Trojan to bypass system constraints first introduced in Android 4.4 as well as delete or hide incoming SMSs from the user. Back in October 2015, we wrote about representatives of the Trojan-PSW.AndroidOS.MyVk family that steal passwords from user accounts on the VK.com social network.

This quarter, those responsible for distributing Trojans from this family introduced a new approach for bypassing Google Play security mechanisms that involved first publishing an app containing useful functionality with no malicious code.

Then, at least once, they updated it with a new version of the application – still without any malicious code.
It was more than a month after the initial publication that the attackers eventually added malicious code to an update.

As a result, thousands of users downloaded Trojan-PSW.AndroidOS.MyVk.i.

Data breaches

Personal information is a valuable commodity, so it’s no surprise that cybercriminals target online providers, looking for ways to bulk-steal data in a single attack. We’ve become accustomed to the steady stream of security breaches reported in the media.

This quarter has been no exception, with reported attacks on beautifulpeople.com, the nulled.io hacker forum (underlining the fact that it’s not just legitimate systems that are targeted), kiddicare, Tumblr and others. Some of these attacks resulted in the theft of huge amounts of data, highlighting the fact that many companies are failing to take adequate steps to defend themselves.
It’s not simply a matter of defending the corporate perimeter.

There’s no such thing as 100 per cent security, so it’s not possible to guarantee that systems can’t be breached.

But any organization that holds personal data has a duty of care to secure it effectively.

This includes hashing and salting customer passwords and encrypting other sensitive data. Consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard.

As an alternative, people can use a password manager application to handle all this for them automatically. Unfortunately, all too often people use easy-to-guess passwords and re-use the same password for multiple online accounts – so that if the password for one is compromised, all the victim’s online IDs are vulnerable.

This issue was highlighted publicly in May 2016 when a hacker known as ‘Peace’ attempted to sell 117 million LinkedIn e-mails and passwords that had been stolen some years earlier. More than one million of the stolen passwords were ‘123456’! Many online providers offer two-factor authentication – i.e. requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings.
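To make the two recommendations above concrete, here is an added example (not code from the original article) that checks a password against the stated policy and stores it with a per-user salt using only Python's standard library, so that two customers who both chose ‘123456’ do not end up with the same stored hash. The sample passwords are constructed.

```python
# Added example: password policy check and salted password storage.
import hashlib
import hmac
import os
import string

ITERATIONS = 600_000  # PBKDF2 work factor; raise as hardware gets faster


def meets_policy(password: str, min_len: int = 15) -> bool:
    """At least min_len characters, mixing letters, digits and symbols."""
    has_letter = any(c in string.ascii_letters for c in password)
    has_digit = any(c in string.digits for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return len(password) >= min_len and has_letter and has_digit and has_symbol


def unsalted_hash(password: str) -> str:
    """How a breached database looks without salt: equal passwords, equal hashes,
    so one cracked hash unlocks every account that reused that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: bytes = b"") -> tuple:
    """Random per-user salt plus PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    weak = "123456"  # the most common password in the LinkedIn dump
    print("policy ok:", meets_policy(weak))
    print("same unsalted hash:", unsalted_hash(weak) == unsalted_hash(weak))
    a, b = make_record(weak), make_record(weak)
    print("same salted digest:", a[1] == b[1])
```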

Two-factor authentication certainly enhances security – if people choose to take advantage of it. Several companies are hoping to replace passwords altogether.

Apple allows fingerprint authorization for iTunes purchases and payments using Apple Pay.
Samsung has said it will introduce fingerprint, voice and iris recognition for Samsung Pay.

Amazon has announced ‘selfie-pay’. MasterCard and HSBC have announced the introduction of facial and voice recognition to authorize transactions.

The chief benefit, of course, is that it replaces something that customers have to remember (a password) with something they have – with no opportunity to short-circuit the process (as they do when they choose a weak password). Biometrics are seen by many as the way forward. However, they are not a security panacea.

Biometrics can be spoofed, as we’ve discussed before (here, here and here); and biometric data can be stolen.
In the end, multi-factor authentication is essential – combining something you know, something you have and something you are.

Statistics

Apple says banks can’t touch iPhone NFC without harming security

Australian banks complain Apple Pay is unfair without even reading T&Cs

Apple has argued that allowing banks to use iPhones' NFC chips independently of Apple Pay would compromise the phones' security. The argument has been aired in Apple's response to the four Australian banks who have requested permission to negotiate with Apple as a bloc rather than join Apple Pay.

The banks want their own apps to be able to use iPhones' wireless payment parts and to get a slice of the cut Apple takes on each Apple Pay transaction, and asked regulator the Australian Competition and Consumer Commission (ACCC) if they could negotiate as a bloc. The ACCC has now posted Apple's submission in reply, a letter (PDF) in which it argues that giving access to iPhones' NFC would harm consumers by jeopardising security. Apple staffer Marj Demmer says that “Apple upholds very high standards of security” by building “hardware, software and services … in a deeply integrated manner so we can provide the highest possible security. Providing simple access to the NFC antenna by banking applications would fundamentally diminish the high level of security Apple aims to have on our devices.” The letter also points out that one of the four banks in the bloc argues that Apple Pay's conditions are onerous, but does so without having signed the confidentiality agreement Apple requires before it will explain the finer points of the service. The main argument Apple advances is that the four banks want to get their hands on the iPhone's NFC to preserve their credit card businesses.

Australian credit card interest rates often near 20 per cent, despite home lending rates currently being below five per cent. Demmer therefore accuses the banks of being motivated by a desire “to maintain complete control over their customers … to blunt Apple's entry into the Australian market.” The submission says Apple is already talking to several other local banks and that the four who wish to negotiate together are only doing so to hold up the introduction of Apple Pay.

Demmer also swipes at the four applicants' argument that without access to the NFC they'd be forced to accept Apple's conditions, a notion she says hasn't bothered the 3,000 banks worldwide who happily signed up for Apple Pay. The ACCC will consider the submissions and issue a draft decision shortly.

The regulator sometimes makes odd decisions regarding matters technological, so The Register will keep an eye on the case. ®