Security News

TrickBot Mobile App Bypasses 2-Factor Authentication for Net Banking Services
2020-03-25 08:53

The malware authors behind the TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions. The name TrickMo is a direct reference to a similar kind of Android banking malware called ZitMo that was developed by the Zeus cybercriminal gang in 2011 to defeat SMS-based two-factor authentication.

Passwords still dominant authentication method, top cause of data breaches
2020-03-09 03:30

Passwords remain the dominant method of authentication and top cause of data breaches, according to MobileIron. "The digital workplace is driving transformation within organizations of all sizes as employees are increasingly accessing business apps and data from locations outside of their offices and homes," said Steve Brasen, research director of endpoint and identity management at EMA. "At the same time, mobile threats are increasing. More than 60 percent of respondents indicated their organization had experienced a security breach in just the last year. Organizations need to implement context-aware security and passwordless authentication to dynamically adapt to modern threats while removing the friction that is inhibiting end user productivity."

NordVPN quietly plugged vuln where an HTTP POST request without authentication would return detailed customer data
2020-03-06 13:21

The patched flaw was made public in early February on the HackerOne bug bounty platform and was forwarded to The Register by concerned reader Matt, who told us: "Note that this is regardless of whether the users had set strong passwords and otherwise wouldn't be vulnerable to credential-stuffing attacks." Professor Alan Woodward of the University of Surrey told The Register that while the vuln was bad, it would require an extra step to enumerate user IDs before the attack would work at scale.

Fraud alert: Voice authentication platform analyzes 1,380 data points per call
2020-02-29 01:46

What can you learn from analyzing more than 2 billion phone calls per year? Everything you need to measure to detect fraud and authenticate genuine users. Preventing call center fraud is the most common use case for the platform, but Balasubramaniyan also sees a growing need for voice authentication, spanning everything from home automation systems to corporate fraud.

Is Conditional Access the Right Approach to Authentication? It Depends.
2020-02-26 10:36

So how do you know what's going to make authentication more secure and efficient for your organization while also shifting the burden off users? Risk-based authentication is increasingly the answer - but it's more nuanced than that. At its most basic, a risk-based approach may mean simply adopting static risk-based policies that support conditional access.

Users still engaging in risky password, authentication practices
2020-02-24 06:00

IT security practitioners are aware of good habits when it comes to strong authentication and password management, yet often fail to implement them due to poor usability or inconvenience, according to Yubico and Ponemon Institute. The conclusion is that IT security practitioners and individuals are both engaging in risky password and authentication practices, yet expectation and reality are often misaligned when it comes to the implementation of usable and desirable security solutions.

Amazon's Ring Mandates Two-Factor Authentication
2020-02-19 15:03

Amazon's Ring is mandating the use of two-factor authentication for all users, a move designed to help stop creepy takeovers of the web-connected home security cameras. Ring users have had the option to use two-factor authentication, but now it will be mandatory, writes Ring President Leila Rouhi in a blog post.

Ring Makes 2-Factor Authentication Mandatory Following Recent Hacks
2020-02-19 14:23

Following several recent reports of hackers gaining access to people's internet-connected Ring doorbell and security cameras, Amazon yesterday announced that it is making the two-factor authentication security feature mandatory for all Ring users. Until now, enabling two-factor authentication on Ring devices was optional; it definitely would have prevented most Ring hacks, but of course, many never bothered to enable it.

OpenSSH now supports FIDO U2F security keys for 2-factor authentication
2020-02-17 17:18

FIDO protocol-based hardware security devices are stronger, fool-proof mechanisms for authentication because they enable public-key cryptography to protect against advanced malware, phishing, and man-in-the-middle attacks. "In OpenSSH, FIDO devices are supported by new public key types 'ecdsa-sk' and 'ed25519-sk', along with corresponding certificate types," the OpenSSH 8.2 release notes say.