
Tag: NFC

LG G6 review: LG’s “personal best” still can’t compare to Samsung

Recommending the G6 is hard when Samsung is building a better version of the same phone.

Huawei Watch 2 hands on—This feels like a last-gen smartwatch

With a small, ugly screen and no digital crown, the Huawei Watch 2 feels old.

No key, no login: G Suite admins can now make FIDO...

Forget 6-digit 2FA codes, just plug in a USB stick!

It’s Android Wear 2.0 launch day—here’s what’s getting updated

Google announces new hardware and updates with the new smartwatch OS.

LG Watch Sport review: Google’s bulky watch breaks free from the...

First Android Wear 2.0 device takes the smartwatch platform in a new direction.

69% off Omaker M4 Portable Bluetooth Shower and Outdoor Speaker with...

The M4 speaker from Omaker is IP54 rated, so its rugged splash, shock and dustproof design makes it ideal for shower and outdoor use.

The latest Bluetooth 4.0 technology helps it pair quickly with your device (tap-to-pair with NFC capable devices) and maintain a long 33-foot connection range.

Crystal clear sound quality and robust bass is realized through a 3W audio driver and passive subwoofer.

The M4 is capable of producing 12 hours of music at 80% volume, up to three times longer than similar-sized portable speakers.
It fully recharges in just 3 hours using an included Micro USB cable.

The unit averages 4.5 out of 5 stars from over 4,800 people on Amazon (read reviews), many of whom report sound quality that rivals more expensive speakers.

Amazon indicates that its list price has been reduced significantly to just $27.99.
See the discounted Omaker M4 speaker now on Amazon.

Better authentication: Go get 'em, FIDO

Only a handful of industry associations accomplish what they set out to do.
In the security realm, I’ve always been a huge fan of the Trusted Computing Group.
It’s one of the few vendor organizations that truly makes computers more secure in a holistic manner. The Fast Identity Online (FIDO) Alliance is another group with lots of vendor participation that’s making headway in computer security.

Formed in 2012, FIDO focuses on strong authentication, moving the online world past less secure password logons and emphasizing safer browsers and security devices when accessing websites, web services, and cloud offerings.
Its mission statement includes the words “open standards,” “interoperable,” and “scalable” — and the organization is actually doing it.

Better, FIDO wants to do this in a way that’s so easy, users actually want to use the methods and devices. All FIDO authentication methods use public/private key cryptography, which makes them highly resistant to credential phishing and man-in-the-middle attacks.

Currently, FIDO has two authentication-specification mechanisms: Universal Authentication Framework (UAF), a “passwordless” method, and Universal Second Factor (U2F), a two-factor authentication (2FA) method.

The latter may involve a password, which need not be complex, because the additional factor supplies the overall strength.

FIDO authentication must be supported by your device or browser, along with the authenticating site or service. With UAF, the user registers their device with the participating site or service and chooses to implement an authentication factor, such as PIN or biometric ID. When connecting to the site or service, or conducting a transaction that requires strong authentication, the device performs local authentication (verifying the PIN or biometric identity) and passes along the success or failure to the remote site or service. With U2F, an additional security device (a cellphone, USB dongle, and so on) is used as the second factor after the password or PIN has been provided. The public/private key cryptography used behind the scenes is very reminiscent of TLS negotiations.

Both the server and the client have a private/public key pair, and they only share the public key with each other to facilitate authentication over a protected transmission method. The web server’s public key is used to send randomly created “challenge” information back and forth between the server and client.

The client’s private key never leaves the client device and can be used only when the user physically interacts with the device. FIDO authentication goes much further than traditional TLS.
It links “registered” devices to their users and those devices to the eventual websites or services.

Traditional TLS only guarantees server authentication to the client. One authentication device can be linked to many (or all) websites and services.

A nice graphical overview of the FIDO authentication process can be found here.

Google Security Keys

Google recently touted the success of its physical, FIDO-enabled “Security Keys” in a new whitepaper.

Google’s Security Keys are supported in the Chrome browser (using JavaScript APIs) and by Google’s online services. Several vendors make the physical, tamperproof Security Keys.

The versions touted in the paper are small, USB-enabled dongles with touch-sensitive capacitors that act as the second factor.

Each dongle has a unique device ID, which is registered to the user on each participating website.

The public cryptography is Elliptic Curve Cryptography (ECC), with 256-bit keys (aka ECDSA_P256) and SHA-256 for signing. Google tested its Security Keys by giving them to more than 50,000 employees and made them an option for Google online service customers.
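The registration and challenge-response exchange described above, as an added example that is not code from the original article, from the FIDO Alliance or from Google: a Go simulation of a U2F-style security key and relying party using ECDSA P-256 and SHA-256, the primitives the passage on Google's Security Keys names. The origin names, the key-handle format and the layout of the signed data are simplified assumptions made for the illustration, not the U2F wire format. The three cases in RunScenario show why binding the browser's origin and a signature counter into what the key signs defeats credential relaying and replay.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a U2F security key: private keys never leave it, and
// it signs only when the user touches it (modelled as a boolean argument).
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> per-site private key
	counter uint32                       // increases on every signature
}

// Register mints a fresh P-256 key pair for one site; the site stores the
// public half and an opaque handle used to look the key up later.
func (a *Authenticator) Register() (handle string, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle = fmt.Sprintf("handle-%d", len(a.keys)+1) // constructed handle format
	a.keys[handle] = priv
	return handle, &priv.PublicKey, nil
}

// signedData is the byte string both sides agree on (a constructed layout, not
// the U2F wire format): SHA256(origin) || big-endian counter || SHA256(challenge).
func signedData(origin string, counter uint32, challenge []byte) []byte {
	o, c := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	return append(append(o[:], byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter)), c[:]...)
}

// Sign answers a challenge. The browser supplies the origin the user is really
// on and it is bound into the signature, which is what stops a look-alike site
// from relaying a valid answer to the genuine service.
func (a *Authenticator) Sign(handle, origin string, challenge []byte, touched bool) (uint32, []byte, error) {
	priv, ok := a.keys[handle]
	if !ok || !touched {
		return 0, nil, errors.New("unknown handle or no user presence")
	}
	a.counter++
	d := sha256.Sum256(signedData(origin, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return a.counter, sig, err
}

// RelyingParty is the web service; it holds only public keys and handles.
type RelyingParty struct {
	Origin  string
	pubs    map[string]*ecdsa.PublicKey // handle -> public key
	lastCtr map[string]uint32           // handle -> highest counter accepted
}

// Verify checks the signature against the service's own origin and insists on
// a strictly increasing counter, which exposes replays and cloned keys.
func (rp *RelyingParty) Verify(handle string, challenge []byte, counter uint32, sig []byte) error {
	pub, ok := rp.pubs[handle]
	if !ok || counter <= rp.lastCtr[handle] {
		return errors.New("unknown handle, or counter did not increase (replay or cloned key)")
	}
	d := sha256.Sum256(signedData(rp.Origin, counter, challenge))
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("bad signature: wrong key or wrong origin")
	}
	rp.lastCtr[handle] = counter
	return nil
}

// RunScenario plays a genuine login, a login relayed through a look-alike
// origin, and a replayed answer, and reports whether each ended as it should.
func RunScenario() (genuineOK, phishRejected, replayRejected bool) {
	key := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bank := &RelyingParty{Origin: "https://bank.example", // constructed origin
		pubs: map[string]*ecdsa.PublicKey{}, lastCtr: map[string]uint32{}}
	handle, pub, _ := key.Register()
	bank.pubs[handle] = pub
	ch := make([]byte, 32) // 1. the browser really is on bank.example
	rand.Read(ch)          // challenges are fresh random bytes, each accepted once
	n, s, _ := key.Sign(handle, bank.Origin, ch, true)
	genuineOK = bank.Verify(handle, ch, n, s) == nil
	ch2 := make([]byte, 32) // 2. a look-alike site relays the bank's challenge
	rand.Read(ch2)
	n2, s2, _ := key.Sign(handle, "https://bank-login.example", ch2, true) // constructed
	phishRejected = bank.Verify(handle, ch2, n2, s2) != nil
	replayRejected = bank.Verify(handle, ch, n, s) != nil // 3. a captured answer is reused
	return
}

func main() {
	g, p, r := RunScenario()
	fmt.Printf("genuine ok=%v  phish rejected=%v  replay rejected=%v\n", g, p, r)
}
```

The detail that carries the phishing resistance is that the origin string in Sign comes from the browser, not from the page: a look-alike domain can forward the real site's challenge, but the answer it obtains is signed over its own origin and fails Verify at the genuine service. The counter check is the second, cheaper control: a replayed answer, or one from a cloned key that has fallen behind, arrives with a counter the service has already seen.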

Google’s results? Zero successful phishing, faster authentication, and lower support costs—can’t beat that.

The only negative was the one-time purchase cost of the devices, although Google says consumers should be able to buy Security Key devices for as little as $6 each.

That’s not bad for greater peace of mind.

FIDO updates

FIDO recently announced the 1.1 version of its specification.
It includes support for Bluetooth Low Energy, smartcards, and near-field communications (NFC).

FIDO authentication can already be used by more than 1.5 billion user accounts, including through Dropbox, GitHub, PayPal, Bank of America, NTT DoCoMo, and Salesforce.
Six of the top 10 mobile handset vendors already support FIDO, at least on some devices; mobile wallet vendors say they will participate as well. The 2.0 version of the FIDO specification is already in the works.

FIDO 2.0 is partitioned into two parts: the Web Authentication Spec, which is now in the W3C Web Authentication working group; and the remaining parts, including remote device authentication—which should allow you, for example, to unlock your workstation with your cellphone. Reducing the use of stolen credentials takes a big bite out of online crime.
I can only hope that the web continues to adopt the FIDO authentication standards as fast as possible.

After years of previous attempts at similar initiatives, this one looks poised for broad success.

Op-ed: Why I’m not giving up on PGP

Neal H. Walfield is a hacker at g10code working on GnuPG.

This op-ed was written for Ars Technica by Walfield, in response to Filippo Valsorda's "I'm giving up on PGP" story that was published on Ars last week.

Every once in a while, a prominent member of the security community publishes an article about how horrible OpenPGP is. Matthew Green wrote one in 2014 and Moxie Marlinspike wrote one in 2015.

The most recent was written by Filippo Valsorda, here on the pages of Ars Technica, which Matthew Green says "sums up the main reason I think PGP is so bad and dangerous." In this article I want to respond to the points that Filippo raises.
In short, Filippo is right about some of the details, but wrong about the big picture.

For the record, I work on GnuPG, the most popular OpenPGP implementation.

Forward secrecy isn't always desirable

Filippo's main complaint has to do with OpenPGP's use of long-term keys.
Specifically, he notes that due to the lack of forward secrecy, the older a key is, the more communication will be exposed by its compromise.

Further, he observes that OpenPGP's trust model includes incentives to not replace long-term keys. First, it's true that OpenPGP doesn't implement forward secrecy (or future secrecy).

But, OpenPGP could be changed to support this. Matthew Green and Ian Miers recently proposed puncturable forward secure encryption, which is a technique to add forward secrecy to OpenPGP-like systems.

But, in reality, approximating forward secrecy has been possible since OpenPGP adopted subkeys decades ago. (An OpenPGP key is actually a collection of keys: a primary key that acts as a long-term, stable identifier, and subkeys that are cryptographically bound to the primary key and are used for encryption, signing, and authentication.) Guidelines on how to approximate forward secrecy were published in 2001 by Ian Brown, Adam Back, and Ben Laurie.

Although their proposal is only for an approximation of forward secrecy, it is significantly simpler than Green and Miers' approach, and it works in practice. As far as I know, Brown et al.'s proposal is not often used. One reason for this is that forward secrecy is not always desired.

For instance, if you encrypt a backup using GnuPG, then your intent is to be able to decrypt it in the future.
If you use forward secrecy, then, by definition, that is not possible; you've thrown away the old decryption key.
In the recent past, I've spoken with a number of GnuPG users including 2U and 1010data.

These two companies told me that they use GnuPG to protect client data.

Again, to access the data in the future, the encryption keys need to be retained, which precludes forward secrecy. This doesn't excuse the lack of forward secrecy when using GnuPG to protect e-mail, which is the use case that Filippo concentrates on.

The reason that forward secrecy hasn't been widely deployed here is that e-mail is usually left on the mail server in order to support multi-device access.
Since mail servers are not usually trusted, the mail needs to be kept encrypted.

The easiest way to accomplish this is to just not strip the encryption layer.
So, again, forward secrecy would render old messages inaccessible, which is often not desired. But, let's assume that you really want something like forward secrecy.

Then following Brown et al.'s approach, you just need to periodically rotate your encryption subkey.
Since your key is identified by the primary key and not the subkey, creating a new subkey does not change your fingerprint or invalidate any signatures, as Filippo states.

And, as long as your communication partners periodically refresh your key, rotating subkeys is completely transparent. Ideally, you'll want to store your primary key on a separate computer or smartcard so that if your computer is compromised, then only the subkeys are compromised.
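The subkey rotation described in the last few paragraphs, as an added example that is not part of the op-ed and not GnuPG's code: a Go model of a primary signing key with bound encryption subkeys. The fingerprint derivation, the binding-signature format and the ECDH session-key derivation are simplified assumptions standing in for OpenPGP's actual formats, and the session key stands in for the encrypted message body. RunRotation checks the four claims the text makes: rotating the encryption subkey leaves the fingerprint unchanged, keeps existing binding signatures valid, makes a message sent to the retired subkey unrecoverable, and leaves new messages readable.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must keeps the walkthrough short: key generation and signing with crypto/rand
// do not fail in practice, so a failure here is treated as fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Subkey is an encryption subkey: an ECDH key pair plus a binding signature made
// by the primary key over the subkey's public bytes (a simplified binding format).
type Subkey struct {
	priv    *ecdh.PrivateKey // nil once the subkey has been retired
	Pub     *ecdh.PublicKey
	Binding []byte
}

// Key is an OpenPGP-style key: one long-term primary signing key plus subkeys.
type Key struct {
	primary *ecdsa.PrivateKey
	Subkeys []*Subkey
}

// Fingerprint covers only the primary public key, so adding or retiring subkeys never changes it.
func (k *Key) Fingerprint() [32]byte {
	return sha256.Sum256(must(k.primary.PublicKey.ECDH()).Bytes()) // hash choice is an assumption
}

// AddSubkey creates a fresh encryption subkey and binds it to the primary key.
func (k *Key) AddSubkey() {
	sub := must(ecdh.P256().GenerateKey(rand.Reader))
	d := sha256.Sum256(sub.PublicKey().Bytes())
	sig := must(ecdsa.SignASN1(rand.Reader, k.primary, d[:]))
	k.Subkeys = append(k.Subkeys, &Subkey{priv: sub, Pub: sub.PublicKey(), Binding: sig})
}

// Rotate destroys the private half of the current subkey and adds a new one; the
// old public half and its binding signature stay, so existing signatures still verify.
func (k *Key) Rotate() {
	k.Subkeys[len(k.Subkeys)-1].priv = nil
	k.AddSubkey()
}

// VerifyBinding checks with the primary public key that a subkey belongs to it.
func (k *Key) VerifyBinding(s *Subkey) bool {
	d := sha256.Sum256(s.Pub.Bytes())
	return ecdsa.VerifyASN1(&k.primary.PublicKey, d[:], s.Binding)
}

// sessionKey derives a message key from an ECDH agreement (SHA-256 of the shared
// secret stands in for a KDF). ECDH is symmetric: the sender calls it with an
// ephemeral private key, the recipient with the subkey's private half, which is
// nil, and so unusable, once the subkey has been rotated away.
func sessionKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	if priv == nil {
		return nil, errors.New("subkey retired: private material destroyed")
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(shared)
	return sum[:], nil
}

// RunRotation sends to the first subkey, rotates, and checks the four claims.
func RunRotation() (fpStable, oldBindingValid, oldUnreadable, newReadable bool) {
	k := &Key{primary: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	k.AddSubkey()
	fp, old := k.Fingerprint(), k.Subkeys[0]
	ephA := must(ecdh.P256().GenerateKey(rand.Reader)) // message one, sent before rotation
	must(sessionKey(ephA, old.Pub))
	k.Rotate()
	cur := k.Subkeys[1]
	fpStable = k.Fingerprint() == fp
	oldBindingValid = k.VerifyBinding(old) && k.VerifyBinding(cur)
	_, err := sessionKey(old.priv, ephA.PublicKey())
	oldUnreadable = err != nil
	ephB := must(ecdh.P256().GenerateKey(rand.Reader)) // message two, sent after rotation
	sent := must(sessionKey(ephB, cur.Pub))
	got, err := sessionKey(cur.priv, ephB.PublicKey())
	newReadable = err == nil && string(sent) == string(got)
	return
}

func main() {
	a, b, c, d := RunRotation()
	fmt.Printf("fingerprint stable=%v old binding valid=%v old message unreadable=%v new message readable=%v\n", a, b, c, d)
}
```

What the model deliberately leaves out is the operational half of the advice: the primary key here sits in the same process as the subkeys, whereas the text's point is that it should live on a separate computer or smartcard, so that a compromise of the working machine exposes only the current subkey and a fresh one can be bound without touching the fingerprint.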

But, even if you don't use an offline computer, and an attacker also compromises your primary key, this approach provides a degree of future secrecy: your attacker will be able to create new subkeys (since she has your primary key), and sign other keys, but she'll probably have to publish them to use them, which you'll eventually notice, and she won't be able to guess any new subkeys using the existing keys.

Physical attacks vs. cyber attacks

So, given that forward secrecy is possible, why isn't it enabled by default? We know from Snowden that when properly implemented, "encryption … really is one of the few things that we can rely on." In other words, when nation states crack encryption, they aren't breaking the actual encryption, they are circumventing it.

That is, they are exploiting vulnerabilities or using national security letters (NSLs) to break into your accounts and devices.

As such, if you really care about protecting your communication, you are much better off storing your encryption keys on a smartcard than storing them on your computer. Given this, it's not clear that forward secrecy is that big of a gain, since smartcards won't export private keys.
So, when Filippo says that he is scared of an evil maid attack and is worried that someone opened his safe with his offline keys while he was away, he's implicitly stating that his threat model includes a physical, targeted attack.

But, while moving to the encrypted messaging app Signal gets him forward secrecy, it means he can't use a smartcard to protect his keys and makes him more vulnerable to a cyber attack, which is significantly easier to conduct than a physical attack.

Another problem that Filippo mentions is that key discovery is hard.
Specifically, he says that key server listings are hard to use.

This is true.

But, key servers are in no way authenticated and should not be treated as authoritative.
Instead, if you need to find someone's key, you should ask that person for their key's fingerprint. Unfortunately, our research suggests that for many GnuPG users, picking up the phone is too difficult. So, after our successful donation campaign two years ago, we used some of the money to develop a new key discovery technique called the Web Key Directory (WKD).

Basically, the WKD provides a canonical way to find a key given an e-mail address via HTTPS.

This is not as good as checking the fingerprint, but since only the mail provider and the user can change the key, it is a significant improvement over the de facto status quo. WKD has already been deployed by Posteo, and other mail providers are in the process of integrating it (consider asking your mail provider to support it). Other people have identified the key discovery issue, too. Micah Lee, for instance, recently published GPG Sync, and the INBOME group and the pretty Easy privacy (p≡p) project are working on opportunistically transferring keys via e-mail.

Signal isn't our saviour

Filippo also mentions the multi-device problem.
It's true that using keys on multiple devices is not easy. Part of the problem is that OpenPGP is not a closed ecosystem like Signal, which makes standardising a secret key exchange protocol much more difficult. Nevertheless, Tankred Hase did some work on private key synchronisation while at whiteout.io.

But, if you are worried about targeted attacks as Filippo is, then keeping your keys on a computer, never mind multiple computers, is not for you.
Instead, you want to keep your keys on a smartcard.
In this case, using your keys from multiple computers is easy: just plug the token in (or use NFC)! This assumes that there is an OpenPGP-capable mail client on your platform of choice.

This is the case for all of the major desktop environments, and there is also an excellent plug-in for K9 on Android called OpenKeychain. (There are also some solutions available for iOS, but I haven't evaluated them.) Even if you are using Signal, the multi-device problem is not completely solved.

Currently, it is possible to use Signal from a desktop and a smartphone or a tablet, but it is not possible to use multiple smartphones or tablets. One essential consideration that Filippo doesn't adequately address is that contacting someone on Signal requires knowing their mobile phone number. Many people don't want to make this information public.
I was recently chatting with Jason Reich, who is the head of OPSEC at BuzzFeed, and he told me that he spends a lot of time teaching reporters how to deal with the death and rape threats that they regularly receive via e-mail.

Based on this, I suspect that many reporters would opt to not publish their phone number even though it would mean missing some stories.
Similarly, while talking to Alex Abdo, a lawyer from the ACLU, I learned that he receives dozens of encrypted e-mails every day, and he is certain that some of those people would not have contacted him or the ACLU if they couldn't remain completely anonymous. Another point that Filippo doesn't cover is the importance of integrity; he focused primarily on confidentiality (i.e., encryption).
I love the fact that messages that I receive from DHL are signed (albeit using S/MIME and not OpenPGP).

This makes detecting phishing attempts trivial.
I wish more businesses would do this. Of course, Signal also provides integrity protection, but I definitely don't want to give all businesses my phone number given their record of protecting my e-mail address. Moreover, most of this type of communication is done using e-mail, not Signal. I want to be absolutely clear that I like Signal. When people ask me how they can secure their communication, I often recommend it.

But, I view Signal as complementary to OpenPGP.

First, e-mail is unlikely to go away any time soon.
Second, Signal doesn't allow transferring arbitrary data including documents.

And, importantly, Signal has its own problems.
In particular, the main Signal network is centralised, not federated like e-mail, the developers actively discourage third-party clients, and you can't choose your own identity.

These decisions are a rejection of a free and open Internet, and pseudonymous communication.

In conclusion, Filippo has raised a number of important points.

But, with respect to long-term OpenPGP keys being fatally flawed and forward secrecy being essential, I think he is wrong and disagree with his compromises in light of his stated threat model.
I agree with him that key discovery is a serious issue.

But, this is something that we've been working to address. Most importantly, Signal cannot replace OpenPGP for many people who use it on a daily basis, and the developers' decision to make Signal a walled garden is problematic.
Signal does complement OpenPGP, though, and I'm glad that it's there.

Neal H. Walfield is a hacker at g10code working on GnuPG. His current project is implementing TOFU for GnuPG.

To avoid conflicts of interest, GnuPG maintenance and development is funded primarily by donations. You can find him on Twitter @nwalfield.
E-mail: neal@gnupg.org OpenPGP: 8F17 7771 18A3 3DDA 9BA4 8E62 AACB 3243 6300 52D9

This post originated on Ars Technica UK

FIDO Authentication Standards Provide Security Efficiency for Google

Google researchers publish a study based on two years of Security Keys usage and determine that improved security, reliability and lower costs are the result. In a new two-year research study, Google researchers have concluded that the use of the FIDO ...

Sorry, iPhone fans – only Fandroids get Barclays’ tap-to-withdraw

It's only a test

Barclays is trialling smartphone cash withdrawals. The UK's first contactless mobile cash service will allow the bank's customers to withdraw up to £100 in-branch, with just a tap of their Android smartphone or contactless debit card.

The technology offers an alternative to traditional cash withdrawals from specially outfitted ATM machines. The service is initially being piloted in the North before rolling out to over 180 Barclays branches in the New Year.
It will be available on more than 600 in-branch machines.

Barclays customers with an Android smartphone or contactless debit card would need to tap their phone/card against the contactless reader before entering their PIN on the machine and withdrawing their cash as normal. The Contactless Cash functionality will only be available on NFC-enabled Android devices that have downloaded the latest version of Barclays Mobile Banking.

The facility is limited to Android smartphones, with iPhone fans left out in the cold.

Apple restricts the use of iPhones' NFC chips to its own Apple Pay facility, and there's no hook-in for third-party apps from banks or anyone else.

Barclays claims Contactless Cash offers increased security because it removes the risk of magnetic card skimming and distraction fraud, since a smartphone never needs to leave a customer's hand.

In a statement, Ashok Vaswani, chief exec of Barclays UK, said: "Our customers now expect to be able to use their smartphone to make their everyday purchases. We want taking out cash to be just as easy. With Contactless Cash customers can quickly and securely take out money with just a tap of their smartphone – a first for the UK."

Cindy Proven, chief strategy and marketing officer at Thales e-Security, cautioned that the security of the system is reliant on making sure customers' smartphones are free of malware. "It's encouraging to see the payments industry continue its commitment to embracing digitalisation to improve efficiency of payments and further reduce the possibility of fraud with ATM withdrawals," Proven said. "However, with risks to mobile payments – such as malware already present on an end-user's device – it is critical that security remains front of mind when developing such innovations."

Loop of Confidence

With the arrival of Apple Pay and Samsung Pay in Russia, many are wondering just how secure these payment systems are, and how popular they are likely to become.

A number of experts have commented on this, basing their opinions on the common stereotypes of Android being insecure and the attacks which currently take place on wireless payments.
In our opinion however, these technologies require a more detailed examination and a separate evaluation of the threats they face.

The conventional approach

Traditional threats associated with the use of bank cards in ATMs and physical stores have already been studied and described in sufficient detail: the magnetic strip can be read using skimmers; modern versions of skimmers are advanced and very inconspicuous; to read EMV chips, dedicated skimmers have been designed that are planted into payment terminals; wireless payment systems (PayPass, PayWave) are potentially vulnerable to contactless, remote card reading attacks. However, the growth in popularity of mobile devices has given rise to a new type of wireless mobile payment: a regular card payment can now be emulated using the smartphone’s built-in NFC antenna.

The functionality is turned on at the request of the user, meaning there’s less risk than carrying around a card that’s constantly ready to make a payment.

Bank clients, in turn, don’t have to take out their wallets when making a payment, and don’t even have to carry their bank cards around with them. The technology for emulating cards on mobile devices (Host Card Emulation, HCE) may have been inexpensive and available to a broad range of device users starting from Android 4.4, but it had several drawbacks: the payment terminal had to support wireless payments; the eSE (embedded Secure Element) chip made the device more expensive, so initially it was incorporated into just a few top-of-the-range devices from major manufacturers; if the manufacturer decided to cut costs on secure data storage, important information ended up being stored by the operating system which could be attacked by malware with root privileges on the device. However, this didn’t go beyond a few proof-of-concept attacks, because there are plenty of other easier ways of attacking mobile banking systems; the developers attempted to mitigate the risks associated with storing important payment information on a mobile device, e.g. by using secure element in the cloud.

This made smartphone-assisted payments unavailable in locations with unstable mobile services; the risks associated with using software-based HCE storage made it highly advisable to introduce extra security measures into banking applications, making their development more complicated. As a result, for many large banks, as well as users, paying with the help of card emulation using a smartphone is little more than a quirky feature used for promos or simply to show off in public.

New technologies

The problems described above have given rise to a number of studies, including some by large international companies, in search of more advanced technologies.

The next step in the evolution of mobile payments was tokenized payment systems proposed by major market players – Apple, Samsung, and Google. Unlike card emulation on the device, these systems are based on exchanging tokens.

A token is a unique transaction ID; the card details are never sent to the payment terminal.

This addresses the problem of payment terminals being compromised by malware or skimmers. Unfortunately, this approach has the same problem: the technology has to be adopted and maintained by the manufacturer of the payment terminal. Several years ago, a startup project called LoopPay attempted to address this problem.

The developers proposed a kit consisting of a regular card reader for a 3.5 mm (1⁄8 in) audio jack and a phone case.

Their know-how was a patented technology for emulating a bank card magnetic strip using a signal generated by their dedicated device.
It has to be said that the creators took an early interest in secure data storage (on a dedicated device rather than on the phone) and protection from using the details of other people’s bank cards (personal data checked by comparing information about the user against information from the bank card’s Track 1 information). Later on, Samsung became interested in LoopPay and acquired the startup.

After some time, the Magnetic Secure Transmission (MST) technology became available, complementing Samsung Pay tokenized payments.

As a result, regular users can use their smartphones to make payments at payment terminals that support new wireless payment technologies and use MST at any type of terminal by just placing their device next to the magnetic strip reader. We have been monitoring this project closely, and can now safely say that this technology is, on the whole, a big step forward in terms of convenience and security, because its developers have addressed lots of relevant risks: secure element is used to reliably store data; activation of payment mode on the phone requires the user to enter a PIN code or use a fingerprint; on Samsung devices, a KNOX security solution and basic antivirus are pre-installed – these two block payment features when malware lands on the device; KNOX Tamper Switch – an object of hate among forum-based “experts” – protects against more serious rootkit malware. KNOX Tamper Switch is a software and hardware appliance that irreversibly blocks the device’s business and payment features during any privilege escalation attacks; payment functionality is only available from new devices for which security updates are available, and on which all vulnerabilities are quickly patched; on some of the Samsung smartphones sold in Russia, Kaspersky Internet Security for Android is pre-installed.

This provides extended protection from viruses and other mobile threats. It should be noted that Samsung Pay, when making payments, uses a virtual card whose number is not available to the user, rather than the actual banking card tied to the user’s account.

This method of payment works just fine when there is no Internet connection.

New old threats

There’s no doubt that the new technology has become an object of interest for security researchers. Potential attacks do exist for it and were presented at the latest BlackHat USA conference.

These attacks may still only be potential threats, but we should still stay alert.

Banks are just planning to introduce biometric authentication on ATMs in 2017, but cybercriminals are already collecting intelligence on which hardware manufacturers are involved, what sort of vulnerabilities exist in the hardware, etc.
In other words, the technology is not even available to the wider public yet, but cybercriminals are already searching for weaknesses. Cybercriminals are also studying Apple and Samsung’s technologies.

To make things worse for Russian users, these technologies only arrive in the Russian market a year after they are launched in Western countries.

(Image: cybercriminals discussing the prospects of exploiting Apple Pay in Russia.)

At the same time, cybersecurity researchers tend to forget about conventional fraud, which mobile vendors are completely unprepared for as they enter a new sphere of business. Wireless payments have made card fraudsters’ lives much easier both in terms of online trade and shopping in regular stores.

They no longer have to use a fake card with stolen card data recorded onto it, and thus run the risk of getting caught at the shop counter – now they can play it much safer by paying for merchandise with a stolen card attached to a top-of-the-range phone. Alternatively, a fraudster can simply buy merchandise and gift cards in an Apple Store.
In spite of all the security measures taken by Apple, the Apple Pay fraud rate in the US was 6% in 2015, or 60 times greater than the 0.1% bank card fraud. Samsung Pay also sacrificed some of the useful anti-fraud features for usability after it purchased the startup; one being that accounts be rigidly attached to the cardholder’s name.

For instance, I added my own bank card to my smartphone, and then added my colleague’s as well; in the original LoopPay solution, this was impossible. To conclude, it’s now safe to say that the new tokenized solutions are indeed more secure and convenient compared to their predecessors. However, there’s still plenty of room for improvement when it comes to security, and that’s very important for the future prospects of the technology.

After all, no one likes to lose money, be it banks or their clients.

Future attack scenarios against ATM authentication systems

A lot has already been said about current cyber threats facing the owners of ATMs. The reason behind the ever-growing number of attacks on these devices is simple: the overall level of security of modern ATMs often makes them the easiest and fastest way for fraudsters to access the bank’s money. Naturally, the banking industry is reacting to these attacks by implementing a range of security measures, but the threat landscape is continually evolving.

In order to prepare banks for what they should expect to see from criminals in the near future, we’ve prepared an overview report of future cyberthreats to ATMs. The report will – we hope – help the industry to better prepare for a new generation of attack tools and techniques. The report comprises two papers in which we analyze all existing methods of authentication used in ATMs and those expected to be used in the near future, including: contactless authentication through NFC, one-time password authentication and biometric authentication systems, as well as potential vectors of attacks using malware, through to network attacks and attacks on hardware components.

We looked into what is going on underground around these technologies and were surprised to discover that there are twelve manufacturers out there that are already offering fake fingerprint scanners, otherwise known as biometric skimmers. There are also at least three other vendors researching devices that will be able to illegally obtain data from palm vein and iris recognition systems.

This is a major trend, because the problem with biometrics is that, unlike passwords or PIN codes which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image. Thus if your data is compromised once, it won’t be safe to use in the future. That is why it is extremely important to keep such data secure and transmit it in a secure way. Biometric data is also recorded in modern passports – called e-passports – and visas. So, if an attacker steals an e-passport, they not only steal the document, but also that person’s biometric data. As a result they steal a person’s identity.

The biometric data can also be accessed by criminals as a result of hacking into a bank’s infrastructure, which is also a major issue: if you lose the biometric database of your clients it won’t be possible to solve this problem just by recalling compromised payment cards. This is an unrecoverable loss and thus it is a kind of threat that the industry has never experienced before.

In general, network-based attacks against ATMs will be a headache for the security personnel of financial organizations in the coming years simply because, based on our penetration testing experience, the network infrastructure of a bank is very often built in a way that a hacker can exploit to gain access and take control of some critical parts of the network, including the network of ATMs. And this situation is not going to change any time soon, due to many reasons, one of which is the sheer size of financial organizations’ networks and the time-consuming and expensive task of upgrading them.

Nevertheless, by publishing this report we’d like to draw attention to the problem of ATM security now and in the near future, and to speed up the development of a truly secure ecosystem around these devices.

Read the full report here
Read the description of attacks here