Tag Archive for: whatever

Whatever happened to cryptojacking?

A couple of years ago it felt like you couldn’t turn your head in any direction without seeing another headline about cryptomining and – its more evil sibling – cryptojacking.

So, what happened?

Read more in my article on the Tripwire State of Security blog.

Graham Cluley

Whatever you do, don’t give this programmable payment card to your waiter


The makers of the programmable Fuze smart card say it’s powerful enough to be your wallet in one card yet secure enough to be used the same way as traditional payment cards—including trusting it to restaurant servers when paying the bill. But it turns out that convenience comes with a major catch. A flaw makes it possible for anyone with even brief physical control of the card to surreptitiously siphon all data stored on the device.

Fuze representatives said they’re aware of the vulnerability and plan to fix it in an update scheduled for April 19. They also thanked the two researchers who, independent of one another, discovered the vulnerability and privately reported it. So far, however, Fuze officials have yet to fully inform users of the extent of the risk so they can prevent private data stored on the cards from being stolen or tampered with until the critical flaw is repaired.

Faulty assumptions

Mike Ryan, one of the two researchers, said he created attack code that impersonated the Android app that uses a Bluetooth connection to load credit card data onto the smart cards. While the official Fuze app takes care to prevent pairing with cards that have already been set up with another device, Ryan’s rogue app had no such restrictions. As a result, it allowed him to take complete control of a card, including reading, changing, or adding payment card numbers, expiration dates, and card-verification values.


Biz & IT – Ars Technica

Internet Explorer bug leaks whatever you type in the address bar


There’s a bug in the latest version of Internet Explorer that leaks the addresses, search terms, or any other text typed into the address bar.

The bug allows any currently visited website to view any text entered into the address bar as soon as the user hits enter. The technique can expose sensitive information a user didn’t intend to be viewed by remote websites, including the Web address the user is about to visit. The hack can also expose search queries, since IE allows them to be typed into the address bar and then retrieved from Bing or other search services.

The flaw was disclosed Tuesday by security researcher Manuel Caballero. This proof-of-concept site shows the exploit works as described on the latest version of IE.


Biz & IT – Ars Technica

Mo money mo mobile payments… Security risks? Whatever! – The Register


Analysis: A survey on global mobile wallet adoption, published Tuesday, has sparked a lively debate about how banks and fintech might face off in the expanding market for mobile payments. Global payments software firm ACI Worldwide found that security …
