5 Things To Know About Contactless Payment

Contactless payment usually relies on NFC, or near field communication, a short-range wireless technology that lets two electronic devices communicate when they are held a few centimeters apart. In the case of a mobile wallet application, those devices would typically be a mobile phone and a point of sale terminal at a checkout counter. (NFC has other uses beyond card transactions: it can integrate with hardware, to unlock a door for example, or it can activate software.)

Soon enough, using your smartphone as a credit card will be commonplace. By 2015, mobile contactless payments, in which you pay by holding your phone near a payment terminal, are expected to have increased by 1,077%.

Contactless payments are a faster, more convenient alternative to cash when making small purchases at fast food restaurants, convenience stores, and transport terminals. They are also ideal for remote or unattended payment situations, such as vending machines, road tolls, or parking meters. So far, I haven’t seen a report of bad guys exploiting contactless payment systems.

There are five facts you should know about contactless payment:

  1. Tens of millions of people use contactless technology every day—in passports, identity cards, and transit fare cards for secure, fast, convenient transactions.
  2. These transactions are protected by multiple layers of security, which protect both retailers and consumers.
  3. Some of these security features are incorporated within a card’s microprocessor chip, while others are part of the same networks that protect traditional credit and debit card transactions.
  4. Regardless of your payment method, it is still essential that you check your bank statements regularly for unauthorized transactions.
  5. While contactless payment has been deployed in numerous settings, it is not yet available everywhere. So, assuming that you prefer not to carry large sums of cash, you’ll still need to carry a traditional credit card or, if you are traveling outside of the U.S., an EMV card.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Travel Smart With EMV Technology

Frequent fliers accustomed to traveling internationally for business are helping drive demand for EMV cards within the United States. Business travelers who have found it increasingly difficult to use their magnetic stripe cards while abroad are now requesting that American banks provide EMV, or chip and PIN cards, which are used more commonly in Europe and around the world.

“EMV” refers to Europay, MasterCard, and Visa, the three companies that collaborated to establish a global standard for secure, reliable, and consistent chip-based credit and debit card transactions. These cards are often called “chip and PIN” cards because they carry an embedded microprocessor chip and, in the usual European deployment, require a personal identification number to authorize a purchase. The chip makes these cards far harder to counterfeit than the magnetic stripe cards that are standard in the United States: the data on a magnetic stripe is static and can be copied by a skimmer at an ATM or point of sale terminal, whereas the chip produces a unique cryptogram for each transaction that cannot be replayed from a copy. In Europe, chip and PIN has significantly reduced counterfeit-card fraud in transactions where the card is physically present; it does nothing for online and phone (card-not-present) purchases, where no chip is read.

JPMorgan Chase began issuing cards with embedded microprocessor chips last year in response to requests from cardholders who are frequent international travelers. And more major card issuers have followed suit by incorporating EMV technology. American Express has announced plans to release chip-based cards in the United States, as part of a “roadmap to advance EMV chip-based contact, contactless and mobile payment for all merchants, processors, and issuers.”

Most of the EMV-based cards offered in the United States are chip-and-signature rather than chip-and-PIN, owing to differences in how U.S. issuers process and verify payments. Nevertheless, these advances in card technology are a positive step, so thank you to business travelers for pushing banks to incorporate EMV technology and making overseas travel more convenient and more secure.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

What Are The Risks Of A Lost Or Stolen Mobile Device?

Have you ever thought about what would happen if you lost your mobile phone? These days we rely on our mobile phones more than ever. For a lot of us, it can be a nightmare if it’s lost, stolen or hacked, especially since today it has become our most personal computer.

But despite the fact that half of us would rather lose our wallet than our mobile phone, only 4% of us have taken steps to protect our mobile device with security software.

For most of us, our first reaction when we lose our wallet is “I have to cancel my credit cards, get a new license,” etc. When we lose our phones, we think about the pain and cost of replacing the device. But that’s just the tip of the iceberg.

We don’t realize that our photos, emails, text messages and our apps can be an open door for thieves into our personal information, privacy and financial accounts.

And the time to replace your smartphone and its contents can consume as much as 18 hours of your life.

Mobile devices are on the move, meaning they can more easily be lost or stolen and their screens and keyboards are easier targets for “over the shoulder” browsing.

Below is an infographic that shows why you should protect your smartphone and some tips to protect you and your device.


Take time to protect your mobile device. Here are some tips to keep your mobile safe:

Never leave your phone unattended in a public place

Put a password on your mobile and set it to auto-lock after a certain period of time.

If you use online banking and shopping sites, always log out and don’t select the “remember me” function

Use mobile security software with anti-theft features: backup and restore of the information on your phone, the ability to locate it remotely, and a remote wipe of its data if it is lost or stolen, as well as antivirus and web and app protection.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices YouTube. (Disclosures)

Phishers Use Olympic Lottery Scams For Summer Games

Fishing, of course, is the sport of tossing a baited hook into the water and then patiently waiting for a fish to bite.

Phishing is similar. The cybercrook sends out spam email and waits for a victim to take the bait. A phisher can send thousands of phishing emails a day, and eventually some people will get hooked.

Phishing is a multi-billion dollar business. Unlike the ongoing depletion of the ocean’s fisheries, there are still plenty of people out there to phish. Today, many victims in developing nations like India and China have only recently gotten broadband Internet access, and are considered fresh meat by the bad guys.

Phishers follow a similar editorial calendar as newspaper and magazine editors, coordinating their attacks around holidays and the change in seasons. They capitalize on significant events and natural disasters, such as Hurricane Katrina, the Japanese Tsunami and the swine flu. On their radar right now is the 2012 Olympics.

Francois Paget, Senior Threat Researcher at McAfee, discovered numerous emails combining lottery scams and the Olympics. Like chocolate and peanut butter, these two topics go great together.

“These mails inform the recipients that they have won a substantial amount of money. After contacting the lottery manager, the victims of these rip-offs will be asked to pay “processing fees” or “transfer charges” so that the winnings can be distributed. In some cases, the organizers ask for a copy of the winner’s passport, national ID, or driver’s license. With that personal information compromised, future identity theft activities are guaranteed.”

Awareness is the best way to avoid being scammed. Knowing what the bad guys are doing to hook their victims, and learning how not to get caught, is your best protection. Here’s a video that explains what phishing is and how to tell whether an email is a phishing attempt. You should also be aware of phishing when reading email on your mobile phone. For more information about mobile phishing, read this.

Invest in security software that includes antivirus, anti-spyware, anti-phishing and a firewall.

Never click links in the body of an email unless you are 100% sure it’s legit

Don’t go snooping around your spam folders opening emails that look suspect.

When in doubt, delete. Like mom said, if it’s too good to be true, it is.

Robert Siciliano is an Online Security Expert to McAfee. See him discussing identity theft on YouTube.(Disclosures)

Understanding Your BYOD Policy

An employee may pay for a device and its monthly plan, but employees who use personal devices at work should still be required to adhere to a Bring Your Own Device (BYOD) policy that sets the ground rules. If you choose to use your personal device for work purposes at any time, for any reason, your employer will more than likely want some control over that device. As with a company-owned mobile, the employer may have remote capabilities to monitor activity and, in the event of loss or employee termination, wipe the data.

The day after you get your new and shiny mobile or tablet, chances are you’ll take it right to work and request the IT department set it up with your email and access to the company network. And as more and more companies agree to this, they are also requiring you to agree to their terms as well.

Expect an acceptable use policy. This is a document, governed by the company’s CIO and others, that tells you what you can and can’t do. Read it carefully, because once you sign it, your job is on the line if you don’t abide by it.

Running in the background will be an application that you will be required to download and install. This app may carry a certificate that authenticates you and the device to the company network and lets you run company programs.

The installed application should provide the enterprise the ability to essentially remotely control your mobile at some level. I wouldn’t be concerned about this unless of course you’re not abiding by the agreement you signed.

At a minimum, expect the application to be able to locate your mobile via its GPS if it is lost or stolen, lock the phone whether you want it to or not (the auto-lock timeout is typically something you set between one and five minutes), and remotely wipe all of its data. Encryption, antivirus and a firewall are also key to protecting the data on the device.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Yahoo! Hacked: 15 Tips To Better Password Security

In light of the Yahoo Voices hack, in which 450,000 passwords were exposed, it’s time again to tell the world what it is doing wrong when it comes to passwords. CNET pointed out that:

2,295: The number of times a sequential list of numbers was used, with “123456” by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.

160: The number of times “111111” is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000” is used 71 times.

Protect your information by creating a secure password that makes sense to you, but not to others.

Most people don’t realize that there are a number of common techniques used to crack passwords, and plenty more ways we make our accounts vulnerable by choosing simple and widely used passwords.

Common Ways Hacks Happen

Dictionary attacks: Avoid consecutive keyboard combinations such as qwerty or asdfg. Don’t use dictionary words, slang terms, common misspellings, or words spelled backward. These attacks rely on software that automatically tries common words, and simple variations of them (reversed, capitalized, a digit or year appended), against stolen password hashes or a login form. With a tool like John the Ripper and a good wordlist, cracking such passwords is almost effortless.

Cracking security questions: Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research. When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin’s Yahoo account was hacked in 2008.

Simple passwords: Don’t use personal information such as your name, age, birth date, child’s name, pet’s name, or favorite color/song. When 32 million passwords were exposed in the 2009 RockYou breach, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices were “111111,” “princess,” “qwerty,” and “abc123.”

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Social engineering: Social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.
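As an added example, not code from the original post: a miniature dictionary attack in Python against a constructed set of unsalted SHA-1 password hashes (the storage format is an assumption for the demo; several leaks of this era were unsalted SHA-1 or plaintext). The mangling rules are a simplified imitation of the rule-based candidate generation that John the Ripper and similar tools apply to each wordlist entry; the wordlist and the user records are constructed. It shows why “123456”, a reversed number run, a capitalized name with a digit appended, and a backwards dictionary word all fall immediately, while the sentence-style passwords the post recommends survive this wordlist.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the weak storage format this demo assumes the site used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed "leaked" account table: username -> password hash. A real dump
# contains only the right-hand column; the cracker has to recover the left.
LEAKED = {
    "alice": sha1_hex("123456"),
    "bob":   sha1_hex("654321"),         # sequential run, reversed
    "carol": sha1_hex("Princess1"),      # common word, capitalized, digit appended
    "dave":  sha1_hex("drowssap"),       # dictionary word spelled backward
    "erin":  sha1_hex("qwerty2012"),     # keyboard row plus the current year
    "frank": sha1_hex("Iam:)2b29!"),     # sentence-derived password
    "grace": sha1_hex("2B-or-Not_2b?"),  # phrase-derived password
}

# Constructed wordlist; real ones (RockYou and the like) run to millions of entries.
WORDLIST = [
    "password", "123456", "12345", "111111", "000000", "qwerty", "asdfg",
    "princess", "abc123", "letmein", "monkey", "dragon", "london", "olympics",
]


def mangle(word: str):
    """Yield variants of one wordlist entry, imitating cracking-tool rules:
    case changes, reversal, common suffixes and simple leetspeak."""
    seen = set()
    bases = [word, word.capitalize(), word.upper(), word[::-1]]
    forms = list(bases)
    for base in bases:
        for suffix in ("1", "12", "123", "!", "2012"):
            forms.append(base + suffix)
    forms.append(word.translate(str.maketrans("aeios", "43105")))
    for form in forms:
        if form not in seen:
            seen.add(form)
            yield form


def crack(leaked: dict, wordlist: list):
    """Return ({user: recovered_password}, candidates_tried).
    The hashes are indexed once, so each candidate costs one hash plus a
    dictionary lookup no matter how many accounts are in the dump."""
    by_hash = {}
    for user, digest in leaked.items():
        by_hash.setdefault(digest, []).append(user)
    found, tried = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            for user in by_hash.get(sha1_hex(candidate), ()):
                found[user] = candidate
    return found, tried


if __name__ == "__main__":
    found, tried = crack(LEAKED, WORDLIST)
    print(f"{len(found)}/{len(LEAKED)} accounts cracked after {tried} candidates")
    for user, pw in sorted(found.items()):
        print(f"  {user}: {pw}")
    for user in sorted(set(LEAKED) - set(found)):
        print(f"  {user}: not recovered by wordlist + rules")
```

Five of the seven constructed accounts fall to fourteen words and a handful of rules; salting would not have saved them (it only stops one candidate from being checked against every account at once), because the passwords themselves are in every cracker's first pass.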

Tips to Make Your Passwords Secure

Make sure you use different passwords for each of your accounts.

Be sure no one watches when you enter your password.

Always log off if you leave your device and anyone is around—it only takes a moment for someone to steal or change the password.

Use comprehensive security software and keep it up to date to avoid keyloggers (keystroke loggers) and other malware.

Avoid entering passwords on computers you don’t control (like computers at an Internet café or library)—they may have malware that steals your passwords.

Avoid entering passwords over unsecured Wi-Fi connections (like at the airport or coffee shop): unless the site uses HTTPS for the whole session, anyone on the same network can read your password and data.

Don’t tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.

Depending on the sensitivity of the information being protected, you should change your passwords periodically, and avoid reusing a password for at least one year.

Use at least eight characters, mixing lowercase and uppercase letters, numbers, and symbols. Longer is better.

Strong passwords are easy to remember but hard to guess. Iam:)2b29! — This has 10 characters and says “I am happy to be 29!” I wish.

Use the keyboard as a palette to create shapes. %tgbHU8*- Follow that on the keyboard: it’s a V, starting from any of the top keys. To change these periodically, you can slide them across the keyboard. Use a W if you are feeling adventurous. One caveat: cracking tools include keyboard-walk generators, so a shape on its own is weaker than it looks; combine it with a word or phrase rather than relying on the shape alone.

Have fun with known short codes or sentences or phrases. 2B-or-Not_2b? —This one says “To be or not to be?”

It’s okay to write down your passwords, just keep them away from your computer and mixed in with other numbers and letters so it’s not apparent that it’s a password.

You can also write a “tip sheet” which will give you a clue to remember your password, but doesn’t actually contain your password on it. For example, in the example above, your “tip sheet” might read “To be, or not to be?”

Check your password strength. If the site you are signing up for offers a password strength analyzer, pay attention to it and heed its advice.

In the end, it’s the public’s responsibility to protect themselves. This disclosure means that everyone exposed now has to change their password. The rule of thumb is to change your passwords periodically, say every six months. It’s a cliché, but true: passwords need to be strong, and a dictionary or slang term is not strong no matter how creative it feels. Let the keyboard be your palette and be creative.

Robert Siciliano is an Online Security Expert to McAfee. See him discussing identity theft on YouTube. (Disclosures)

Is A Password Enough? A Closer Look at Authentication

Yahoo reported the theft of some 400,000 user names and passwords for one of its services, acknowledging that hackers took advantage of a security vulnerability in its systems.

LinkedIn, the Mountain View, California-based professional networking site with 160 million members, was also breached: more than 6 million of its members’ password hashes were posted online, and the company now faces a class-action lawsuit.

These sites did something wrong that allowed the passwords to be stolen (the Yahoo passwords were reportedly stored unhashed, and LinkedIn’s hashes were unsalted, which made them quick to crack). But passwords on their own are too easy to compromise no matter how they are stored. Had multi-factor authentication been in place, a stolen password would have been of far less use to the thief, since logging in would still require the second factor.

The password problem has two parts. First, we are lazy with passwords. Regarding the Yahoo breach, CNET pointed out that:

2,295: The number of times a sequential list of numbers was used, with “123456” by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.

160: The number of times “111111” is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000” is used 71 times.

Second, spyware, malware and viruses on a user’s device can easily record passwords as they are typed, which means the username (often a publicly known email address) and password are easy to obtain from an infected device.

The numerous scams that entice users to hand over sensitive data are a proven con, and they work often enough to keep hackers hacking.

Multi-factor authentication, which many banks use, is far more secure: it requires a username and password plus “something you have”, such as a personal security device separate from the PC that produces a one-time code. A password captured from an infected machine or a breached database is not enough on its own.

While additional authentication measures might be a burden to some, it’s a blessing to others who recognize the vulnerabilities of their online accounts otherwise.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures


NFC at the Summer Games Could Be Exploited

NFC is an acronym for near field communication, a wireless technology that allows devices to talk to each other. In the case of a mobile wallet application, those devices would be a mobile phone and a point of sale device at a checkout counter.

Visa is testing its payWave contactless payment service at the Summer Olympics in London. Every athlete will get a Samsung Galaxy S III phone enabled with near field communication (NFC) along with Visa’s payment app.

NFC can be used in other ways beyond credit card transactions. It can integrate with hardware, such as your car, to unlock a door. It can activate software.

Soon enough, using your phone as a credit card will be commonplace. Mobile contactless payments, in which you pay by holding your phone near the payment reader at the register, are expected to increase by 1,077% by 2015.

All of this is well and good, but there are security issues with NFC that still need addressing. McAfee researchers point to a technique called fuzzing, which involves feeding corrupt or malformed data to an app (or to the NFC software beneath it) to discover vulnerabilities. Once such a vulnerability is found, the attacker must research and develop an exploit to perform various attacks (steal credit card information, export the data to the attacker, leak card details to any requester). The attacker then needs a way to get the victim’s phone to process the malicious input. This entire process costs attackers time and money, which can be justified by a large population of NFC-enabled phones and a multitude of stores with contactless readers.
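As an added example, not McAfee’s research or any code from the original post: a small NFC-style fuzzing harness in Python. NFC phones and tags exchange NDEF (NFC Data Exchange Format) messages, a format the post does not name, so the parser below is my own minimal NDEF reader, written as an assumption about what an app on the receiving end has to process. The harness mutates valid records (bit flips, boundary bytes, truncation, and clearing the short-record flag so a one-byte length is read as four bytes) and counts whether the parser cleanly rejects the input or crashes with an unexpected exception, which is the “feed corrupt data, find a bug” step the paragraph describes. The sample messages are constructed.

```python
import random

TNF_NAMES = {0: "empty", 1: "well-known", 2: "media", 3: "absolute-uri",
             4: "external", 5: "unknown", 6: "unchanged"}
# First entries of the NFC Forum URI prefix table; codes outside it are rejected.
URI_PREFIX = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
              0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


def _read(buf: bytes, pos: int, n: int):
    """Bounds-checked slice: every length field is validated before it is trusted."""
    if n < 0 or pos + n > len(buf):
        raise ValueError(f"truncated: need {n} byte(s) at offset {pos}, have {len(buf) - pos}")
    return buf[pos:pos + n], pos + n


def parse_ndef(buf: bytes) -> list:
    """Parse an NDEF message into record dicts. Malformed input raises ValueError only."""
    records, pos, first = [], 0, True
    while True:
        hdr, pos = _read(buf, pos, 1)
        flags = hdr[0]
        mb, me, cf = flags & 0x80, flags & 0x40, flags & 0x20
        sr, il, tnf = flags & 0x10, flags & 0x08, flags & 0x07
        if bool(mb) != first:
            raise ValueError("MB flag must be set on the first record only")
        if cf:
            raise ValueError("chunked records not supported")
        if tnf not in TNF_NAMES or tnf == 6:
            raise ValueError(f"invalid TNF {tnf}")
        type_len_b, pos = _read(buf, pos, 1)
        type_len = type_len_b[0]
        plen_b, pos = _read(buf, pos, 1 if sr else 4)  # SR flag selects the length width
        payload_len = int.from_bytes(plen_b, "big")
        id_len = 0
        if il:
            id_len_b, pos = _read(buf, pos, 1)
            id_len = id_len_b[0]
        if tnf == 0 and (type_len or payload_len or id_len):
            raise ValueError("empty record with non-empty fields")
        if tnf == 5 and type_len:
            raise ValueError("unknown-type record must have no type")
        rtype, pos = _read(buf, pos, type_len)
        rid, pos = _read(buf, pos, id_len)
        payload, pos = _read(buf, pos, payload_len)
        rec = {"tnf": TNF_NAMES[tnf], "type": rtype, "id": rid, "payload": payload}
        if tnf == 1 and rtype == b"U":
            if not payload or payload[0] not in URI_PREFIX:
                raise ValueError("bad URI record")
            rec["text"] = URI_PREFIX[payload[0]] + payload[1:].decode("utf-8")
        elif tnf == 1 and rtype == b"T":
            if not payload:
                raise ValueError("bad Text record")
            lang_len = payload[0] & 0x3F
            if 1 + lang_len > len(payload):
                raise ValueError("language code overruns payload")
            enc = "utf-16" if payload[0] & 0x80 else "utf-8"
            rec["lang"] = payload[1:1 + lang_len].decode("ascii")
            rec["text"] = payload[1 + lang_len:].decode(enc)  # UnicodeDecodeError is a ValueError
        records.append(rec)
        first = False
        if me:
            break
    if pos != len(buf):
        raise ValueError(f"{len(buf) - pos} trailing byte(s) after the ME record")
    return records


# Constructed sample messages: header, type length, payload length, type, payload.
SAMPLE_URI = b"\xd1\x01\x0cU\x01example.com"                                 # http://www.example.com
SAMPLE_TEXT = b"\xd1\x01\x08T\x02enHello"                                    # "Hello", lang "en"
SAMPLE_TWO = b"\x91\x01\x0cU\x01example.com" + b"\x51\x01\x08T\x02enHello"   # MB on first, ME on last


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random corruption to a valid message."""
    out = bytearray(data)
    kind = rng.randrange(4)
    if kind == 0:                                   # flip one bit
        i = rng.randrange(len(out)); out[i] ^= 1 << rng.randrange(8)
    elif kind == 1:                                 # boundary value
        i = rng.randrange(len(out)); out[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    elif kind == 2:                                 # truncate
        out = out[:rng.randrange(len(out))]
    else:                                           # clear SR: one-byte length read as four
        out[0] &= 0xEF
    return bytes(out)


def fuzz(seeds: list, iterations: int = 2000, seed: int = 1):
    """Return ({'ok', 'rejected', 'crash'} counts, [(input, error), ...] for crashes)."""
    rng = random.Random(seed)
    stats, crashes = {"ok": 0, "rejected": 0, "crash": 0}, []
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            parse_ndef(case)
            stats["ok"] += 1
        except ValueError:                          # clean rejection
            stats["rejected"] += 1
        except Exception as exc:                    # anything else is a parser bug to triage
            stats["crash"] += 1
            crashes.append((case, repr(exc)))
    return stats, crashes


if __name__ == "__main__":
    print(parse_ndef(SAMPLE_URI)[0]["text"])
    print(fuzz([SAMPLE_URI, SAMPLE_TEXT, SAMPLE_TWO])[0])
```

The interesting line for a real target is the `crash` bucket: an NFC stack written in C that does what `_read` does without the bounds check turns the same length-field mutations into out-of-bounds reads or writes, which is the class of bug an attacker then spends the “time and money” above turning into an exploit.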

McAfee reported exploitable vulnerabilities on Android and iOS phones. If NFC is turned on, an attacker within range (NFC works over a few centimeters, so within touching distance of the handset) could interact with the device to gather private or payment information from an athlete’s phone. It is almost like pickpocketing, but they don’t even have to touch you.

McAfee researcher Jimmy Shah stated an attacker wishing to target the Samsung Galaxy SIII devices at the summer games can purchase one easily and use the researcher’s data to help find vulnerabilities and eventually develop exploits to steal a victim’s credit card. The large number of readers at the Olympics will provide places where a successful attacker can use stolen credentials to make purchases.

Users can protect themselves by obtaining apps from Google Play, Amazon’s Appstore, or their carrier’s app store, avoiding third-party stores that may carry pirated or maliciously modified software. Reviews from other users are also helpful in judging which apps are safer.

NFC handsets are expected to reach about 80 million next year, and Gartner estimates that 50% of smartphones will have NFC capability by 2015. Pay attention to what’s happening in NFC, mobile payment and mobile security, because before you know it, your wallet will be your mobile phone.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

ID Thief Gets 5 Years for Stealing Identities of More Than 50 People

In California, an identity thief was recently sentenced to five years in prison for committing what appears to be classic new account fraud. The thief reportedly used a victim’s identity to open a mailbox at a shipping store in Modesto, which he often used to have fraudulently issued credit cards and other financial and identity information mailed.

Typically, new account fraud refers to financial identity theft in which the victim’s personally identifying information, generally a Social Security number, is used to open new accounts on the strength of the victim’s name and good credit standing, which are then used to obtain products and services.

Since a thief typically provides an alternate mailing address, such as the shipping store mailbox used in this particular case, the victim never receives the bills accumulating in his or her name, and may remain entirely unaware of the accounts’ existence until the debts have gone unpaid long enough to prompt creditors to track down the victim.

This thief used victims’ information to create fake drivers licenses with his photo, which helped make the scam stick when he was asked for ID when using fraudulently obtained credit cards.

There are technologies that help credit issuers detect and stop new account fraud by providing real-time intelligence on the device being used to apply for credit online. This technology, called device reputation by iovation Inc., not only alerts businesses when velocity thresholds have been met (too many applications from one device in a short time), it also exposes whether financial fraud, identity theft and other frauds have been attempted from the device or from computers associated with it.

Credit issuers can set up and customize their own business rules; iovation analyzes each application against them and returns an allow, deny, or review recommendation for the transaction, along with an explanation of the factors involved.

By identifying new account fraud in real time, credit issuers can save millions of dollars in fraud losses annually. In one case, a Fortune 100 company used iovation to identify 43,000 fraudulent credit applications and save themselves $8 million in fraud loss over two years.
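As an added example, not iovation’s product or code from the original post: a toy version of the device-velocity rules the paragraphs above describe, in Python over a constructed application log. Each application carries a device identifier (what a device-reputation service derives from browser and hardware fingerprints; here simply a string), and the rules flag a device that submits too many applications, or applications under too many different identities, inside a 24-hour window, or that was previously tied to confirmed fraud. The thresholds, the log and the allow/review/deny wording are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application log, in arrival order. "ident" stands in for the
# applicant's SSN/name (only the last four digits would appear in a real log).
APPLICATIONS = [
    {"ts": "2012-07-01T09:00:00", "device": "dev-A", "ident": "1234"},
    {"ts": "2012-07-01T10:00:00", "device": "dev-B", "ident": "1111"},
    {"ts": "2012-07-01T10:05:00", "device": "dev-B", "ident": "2222"},
    {"ts": "2012-07-01T10:10:00", "device": "dev-B", "ident": "3333"},  # third identity
    {"ts": "2012-07-01T11:00:00", "device": "dev-C", "ident": "4444"},
    {"ts": "2012-07-01T11:10:00", "device": "dev-C", "ident": "4444"},
    {"ts": "2012-07-01T11:20:00", "device": "dev-C", "ident": "4444"},
    {"ts": "2012-07-01T11:30:00", "device": "dev-C", "ident": "4444"},  # fourth application
    {"ts": "2012-07-01T12:00:00", "device": "dev-F", "ident": "5555"},  # known bad device
    {"ts": "2012-07-03T09:00:00", "device": "dev-A", "ident": "1234"},  # earlier one is outside window
]
KNOWN_FRAUD_DEVICES = {"dev-F"}   # devices tied to confirmed fraud elsewhere (constructed)

WINDOW = timedelta(hours=24)
MAX_APPS_PER_WINDOW = 3           # more than this from one device -> review
MAX_IDENTITIES_PER_WINDOW = 2     # more than this many identities from one device -> deny


def decide(app: dict, recent: list, fraud_devices: set):
    """Return (decision, reasons) for one application. `recent` holds this
    device's applications inside the window and already includes `app`."""
    if app["device"] in fraud_devices:
        return "deny", ["device previously linked to confirmed fraud"]
    identities = {a["ident"] for a in recent}
    if len(identities) > MAX_IDENTITIES_PER_WINDOW:
        return "deny", [f"{len(identities)} identities from one device in 24h"]
    if len(recent) > MAX_APPS_PER_WINDOW:
        return "review", [f"{len(recent)} applications from one device in 24h"]
    return "allow", []


def score_log(applications: list, fraud_devices: set = KNOWN_FRAUD_DEVICES,
              window: timedelta = WINDOW) -> list:
    """Evaluate applications in arrival order; returns [(device, decision, reasons)]."""
    history = defaultdict(list)   # device -> applications seen so far
    results = []
    for raw in applications:
        app = dict(raw, ts=datetime.fromisoformat(raw["ts"]))
        history[app["device"]].append(app)
        recent = [a for a in history[app["device"]] if app["ts"] - a["ts"] <= window]
        decision, reasons = decide(app, recent, fraud_devices)
        results.append((app["device"], decision, reasons))
    return results


if __name__ == "__main__":
    for device, decision, reasons in score_log(APPLICATIONS):
        print(f"{device}: {decision:<6} {'; '.join(reasons)}")
```

Note that the device identifier is the whole game: the thief in the story above changed names, addresses and card accounts freely, but kept applying from the same hardware, which is what a per-device window catches and a per-identity check never would.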

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)

Will The Rise Of Tablets Affect Security Measures In The Workplace?

With unit sales of smartphones and tablets eclipsing those of desktop and notebook PCs, cybercriminals will continue setting their sights on mobile, and increased mobile Internet use will continue exacerbating security and data breach issues in the workplace.

The issue of “BYOD”, or Bring Your Own Device, is plaguing IT managers everywhere. While your company’s IT staff has a relative hold on the work laptops and desktops, and even some of the mobiles, they quickly lose control when you bring your new Android phone and connect it to the corporate network. Now they have to worry whether that last app you downloaded will infect the network when you plug your device into a company PC to sync or update something.

A study by ESET/Harris Interactive found that fewer than 10% of people who use their own tablets for work enable auto-lock; people were more security-savvy about their smartphones, with 25% using auto-lock.

McAfee Labs™ points out that today’s tablets are more powerful than notebooks were just a few years ago. Although their lack of physical keyboards makes them unsuitable for many tasks (editing text, programming, and design), they are very suitable for browsing the Web, which today is a primary source of malware.

Tablets differ from mobile phones mainly in screen size; they share the same software, operating systems, and processors, so their security concerns are nearly identical. About the only difference is that some tablets accept USB devices, which increases their attack surface.

And because, like our mobile phones, tablets are portable and among our most personal computing devices, you need to take steps to protect them. Many of the best practices you use on your computer transfer to your tablet.

To help ensure that your tablet is protected, you should:

  • Always password protect your device and set it to auto-lock after a certain period of time to increase your mobile security
  • Never leave your tablet unattended in a public place
  • Don’t click on links on emails and text messages from people you don’t know
  • Even if you know the company or person, use a browser to search for a link or use the company’s official app to navigate to the site
  • Always double-check the web address of a site when searching on your tablet or phone.
  • If you use online banking and shopping sites, always log out and don’t select the “remember me” function
  • Before downloading a third-party app, check other users’ reviews to see if it is safe, and read the app’s privacy policy to make sure that it is not sharing your personal information

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures