Security News

The mobile app of U.S. pharmaceutical retailer Walgreens inadvertently disclosed personal messages to other customers due to an internal application error, revealing some health-related information. Walgreens filed a copy of the data breach notification it has sent to affected customers with California's Office of the Attorney General, which makes those notifications public.

Pharmacy store chain Walgreens has started informing some users of its mobile application that their personal and health-related information may have been seen by other customers. The Walgreens mobile application allows users to shop, refill their prescriptions, get pill reminders, consult a doctor or pharmacist via a live chat feature, print photos in stores, obtain rewards, and store coupons.

The percentage of companies admitting to suffering a mobile-related compromise has grown despite a higher percentage of organizations deciding not to sacrifice the security of mobile and IoT devices to meet business targets, Verizon has revealed in its third annual Mobile Security Index report, which is based on a survey of 876 professionals responsible for the buying, managing and security of mobile and IoT devices, as well as input from security and management companies such as Lookout, VMWare and Wandera. The report also shows that attackers hit businesses big and small, and operating in diverse industries, and that those that had sacrificed mobile security in the past year were 2x as likely to suffer a compromise.

It enables Intune users to connect from managed mobile apps to data sources of their choice via a micro VPN. The growth in demand for, and usage of enterprise mobile applications is undeniable, with the enterprise mobile application development market expected to grow at a CAGR of 15.65% by 2025. Enterprises continue to struggle with secure access from the managed mobile apps to their sensitive data, stored on premises or in their private clouds, that increasingly power critical business outcomes and cost-effectively driving end-user adoption of mobile apps.

The impersonation attack - named "IMPersonation Attacks in 4G NeTworks" - exploits the mutual authentication method used by the mobile phone and the network's base station to verify their respective identities to manipulate data packets in transit. The man-in-the-middle attack allows a hacker to impersonate a user towards the network and vice versa.

Researchers have found a way to impersonate mobile devices on 4G and 5G mobile networks, and are calling on operators and standards bodies to fix the flaw that caused it. Research into the vulnerability, conducted by academics at Ruhr Universität Bochum and New York University Abu Dhabi, is called Impersonation Attacks in 4G Networks, although deployment requirements for 5G networks mean that it could work on those newer systems too.

A group of researchers at Ruhr-Universität Bochum and NYU Abu Dhabi have discovered a new attack on 4G and 5G mobile networks that can be used to impersonate users. In IMP4GT attack, the researchers explain in a whitepaper, the impersonation can be conducted on either the uplink direction or the downlink direction.

Samsung has admitted that what it calls a "Small number" of users could indeed read other people's personal data following last week's unexplained Find my Mobile notification. Several Register readers wrote in to tell us that, after last Thursday's mystery push notification, they found strangers' personal data displayed to them.

Exploiting a vulnerability in the mobile communication standard LTE, researchers at Ruhr-Universität Bochum can impersonate mobile phone users. David Rupprecht and Dr. Katharina Kohls from the Chair of System Security developed attacks to exploit security gaps in the mobile phone standard LTE. "An attacker can book services, for example stream shows, but the owner of the attacked phone would have to pay for them," illustrates Professor Thorsten Holz from Horst Görtz Institute for IT Security, who discovered the vulnerability together with David Rupprecht, Dr. Katharina Kohls and Professor Christina Pöpper.

Cybercriminals targeted mobile banking users by sending malicious SMS messages to their smartphones as part of a phishing campaign to steal account holders' information, including usernames and passwords, according to the cybersecurity firm Lookout. More than 3,900 mobile banking app users of several Canadian and American banks fell victim to the SMS phishing attacks, which started in June 2019 and apparently recently ended, researchers at Lookout say in their new report.