Comments
Mexaly • December 26, 2024 1:20 PM
Standard defenses. Check through direct third channel contact. We all know that.
The only question is how to teach the masses.
Clive Robinson • December 27, 2024 3:14 AM
@ ALL,
Something else people are not generally aware of with mobile phones but should be…
There is increasing use of “Tap and Go” unauthenticated by user payments.
It’s a “cost saving for the service provider and merchant” dressed up to look like it’s a “convenience for the user” which it’s not.
The “Near Field Communications”(NFC) system behind it is bidirectional in many different ways…
Which means an NFC enabled mobile phone can be both a card reader and impersonate a card to another reader as standard.
However the mobile phone can also be a relay or “man in the middle” to information in the NFC system.
It is now quite common to see “mobile phone cases” that also hold the user’s cards well within the phone’s NFC head range…
The NFC protocols are not exactly “high security” or “high assurance” so at some point somebody is going to write malware to exploit the adjacency of those cards to the NFC head in the mobile phone in various ways.
It’s why “convenience” and “cost saving” by service providers are the enemy of the user’s security. Worse, the service providers are very aware of this and so quite deliberately “externalise” the risk, and thus liability, onto the user where legislation does not stop them.
So the lesson is,
“If users are to be safe from system risks, then the service providers have to carry the risk and be not just liable, but easily so.”
You will now hear screams from lobbyists and the like that,
“Such legislation will stifle innovation.”
It is of course complete nonsense, in fact legislation and regulation actually encourages innovation. As well as encouraging “security thinking and practice” by the service providers. But importantly it also reduces the overall economic cost to a society.
But the legislation is not likely to happen in many places because the “Government” does not want it. Their Treasuries have a problem of the “black economy” of people “not paying taxes” etc. If they can get rid of anonymous payments by the likes of cash and get full traceability on transactions at others expense they will exploit it in every which way they can…
John Freeze • December 27, 2024 3:21 AM
The funny thing is, this only worked because google authenticator is synced “to the cloud”.
This is a feature that Google forced on my authenticator:
One day, after opening the Authenticator app, it would say “please sync your codes to your account”. After clicking on “no thanks” all codes were gone!
So I was left with a blank Authenticator. Only after activating the cloud sync feature did my codes miraculously reappear. And today I learned what that can lead to.
Thank you Google, not
John Freeze • December 27, 2024 3:26 AM
Unrelated to this post, but the Friday Squid Blogging post cannot be commented on.
When I click on the link, I am greeted by redbubble.com with this super scary cookie banner:
“We and our 914 partners process your personal data” and we all know that by “process” they mean “steal, sell and otherwise misuse”
Winter • December 29, 2024 12:12 PM
@Clive
“There is increasing use of “Tap and Go” unauthenticated by user payments.”
The unparalleled BOFH has applied this principle:
BOFH: Printer’s festive bips herald a merry mystery for the Boss’s budget
https://www.theregister.com/2024/12/20/bofh_2024_episode_24/
lurker • December 26, 2024 12:31 PM
How do you protect victims from their own poor OpSec?
Google is in the dock too. The linking of account functions that they think makes it easier for users makes it easier for scammers too.