Thursday, November 23, 2017

Tag: Secure Electronic Transactions (SET)

Mark Zuckerberg wasn't the hackers' only target.

Mark Zuckerberg made headlines this weekend when hackers broke into the Facebook CEO's other social media accounts.

But the T-shirt-wearing billionaire isn't the only one picking up the pieces of an online assault. A number of other verified celebrity Twitter handles were also compromised, including Keith Richards and Tenacious D, the latter of which tweeted Sunday to confirm Jack Black is still alive.

The comedy rock duo of Black and Kyle Gass called the hack a "sick 'prank.'" According to The Verge, other accounts—Katy Perry, Kylie Jenner, the late Ryan Dunn—were also compromised, though any traces of an intrusion have since been deleted from Twitter.
It remains unclear whether any of these hacks are related, but as The Verge pointed out, the high volume and short time frame are "unusual." Celebrities—they're just like you: They don't use strong passwords (or other measures like two-factor authentication and password managers) to thwart would-be attackers. The hack on Zuck's account was carried out by the OurMine Team, which said his password was one of more than 100 million obtained during a 2012 LinkedIn hack.

Though that happened four years ago, an additional set of data from the breach was released last month, prompting more recent hacks. Recent reports suggested the 2012 hacker (who goes by the name "Peace") is selling the stolen account data on the dark Web for five bitcoin (about $2,923). Twitter quickly suspended Zuck's account, and any fake messages posted to Pinterest were scrubbed.

Random Access: Fujifilm X70, Mark Zuckerberg hacked, Steam Machines flopping, shake-up at NEST. Posted by PCMag on Monday, June 6, 2016

Study into financial small print reveals Americans often get a nice surprise

Bank customers worldwide are often in the dark about whether or not they’ll be reimbursed for fraudulent transactions. Customers’ understanding of bank terms and conditions is often sketchy, according to an international study by academics. The researchers found that there is significant variation worldwide, and even within countries, in what customers are expected to do in order to ensure they are refunded in cases of fraud.

Advice given by UK banks is sometimes contradictory. Banking terms and conditions matter, as the researchers point out: Terms and Conditions (T&C) are long, convoluted, and are very rarely actually read by customers. Yet when customers are subject to fraud, the content of the T&Cs, along with national regulations, matter.

The ability to revoke fraudulent payments and reimburse victims of fraud is one of the main selling points of traditional payment systems, but to be reimbursed a fraud victim may need to demonstrate that they have followed security practices set out in their contract with the bank. The eight-person team¹ also studied how well customers understood bank terms and conditions, finding that in most cases banks' terms and conditions were more generous to victims of phishing fraud or card loss than customers might have feared.

The exception to this generally positive picture was how UK customers dealt with card loss. “In general, customers who read terms and conditions are re-assured but there was one notable exception in the UK where after reading the T&C our participants thought it less likely that a victim of card theft would be refunded,” Steven Murdoch, a research fellow at University College London, told El Reg. “Even so, the majority of our sample thought the customer should be refunded, but the bank and Financial Ombudsman Service found the customer to be liable for the fraud and so not entitled to a refund.”

Bank terms and confusions [source: UCL blog post]

The study, which involved an expert analysis of 30 bank contracts across 25 countries, exposed strong regional variations.

Germans found their terms and conditions particularly hard to understand, but Americans assume T&Cs are harsher than they actually are, and tend to be reassured when they actually read them. This confusion is all too easy to understand.
In most cases the contract terms were “too vague to be understood; in some cases they differ by product type, and advice can even be contradictory”. “While many banks allow customers to write PINs down as long as they are disguised and not kept with the card, 20 per cent of banks do not allow PINs to be written down at all, and a handful do not allow PINs to be shared between accounts,” found the researchers. The findings are summarised on the University College London’s Bentham's Gaze blog here. The full paper, International Comparison of Bank Fraud Reimbursement: Customer Perceptions and Contractual Terms (to be published at the Workshop on the Economics of Information Security, later this month) can be found here (pdf). ®

Bootnote

The research team was made up of academics from University College London (UCL) and the University of Cambridge alongside a researcher from the Foundation for Information Policy Research.

Modification almost impossible to catch in post-fab tests, say University of Michigan researchers in report that details proof-of-concept attack

Researchers at the University of Michigan in Ann Arbor have demonstrated how someone could install a virtually undetectable backdoor on a microprocessor during the fabrication process that could be exploited later to gain complete access to systems running the tampered chips. The method, detailed in a technical paper innocuously titled ‘Analog Malicious Hardware’, was presented recently at the IEEE Symposium on Security and Privacy.

The researchers described it as the first fabrication-time processor attack of its kind and the first to demonstrate an analog attack that is substantially smaller and stealthier than a digital attack. The attack involves the addition of a single, booby-trapped logic gate to a chip that is ready for fabrication and the use of an extremely stealthy process for triggering changes in the gate’s functionality so it eventually acts in a malicious manner.

The attack method is virtually undetectable because it involves no significant changes to the chip’s circuitry or design, according to the researchers. A logic gate is sort of an electronic on-off switch consisting of transistors and wires that controls the operations of a chip. Modern microprocessors can have hundreds of millions of logic gates.

The attack demonstrated by the researchers involves the use of a single such gate, with a capacitor inside capable of storing a minute electrical charge.

The gate is designed in such a manner that its function can be flip-flopped—or switched from off to on—when the accumulated charge in the capacitor reaches a certain pre-defined threshold. The Michigan University research paper describes a method where the rogue gate can be placed in such a way on the chip that it can siphon charges from a nearby wire when certain commands are issued. “If the wire toggles infrequently, the capacitor voltage stays near zero volts due to natural charge leakage,” the researchers said in their report. However, when the wire is toggled frequently the capacitor in the rogue gate begins to charge and eventually reaches a voltage threshold that causes the gate to flip to a malicious state. Attackers can craft attack triggers that ensure the modification to a malicious state happens only when a sequence of specific and unlikely events happens.

As a result, even the most diligent post-fabrication tests are unlikely to catch it, the researchers said. The researchers demonstrated the feasibility of building such backdoors in microprocessors by fabricating a chip based on OpenRISC 1200 technology. “Experimental results show that our attacks work, show that our attacks elude activation by a diverse set of benchmarks, and suggest that our attacks evade known defenses,” they noted in the paper. Modern chip design companies can open themselves up to such issues when they use third parties to fabricate their designs, the researchers said.

Attackers can make minute changes to the chip and set it up so the modifications become malicious only when a specific and rare sequence of events happens, thereby evading detection during post-fabrication tests. Yonatan Zunger, head of infrastructure for Google Assistant, described the proof-of-concept as one of the “most demonically clever” computer security attacks in many years. “It's an attack which can be performed by someone who has access to the microchip fabrication facility, and it lets them insert a nearly undetectable backdoor into the chips themselves,” Zunger said in a Google+ post. Among those who might want to attempt such an attack would be state-level actors, he said. “I don't know if I want to guess how many three-letter agencies have already had the same idea, or what fraction of chips in the wild already have such a backdoor in them.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...