Google's passkeys, introduced in 2022, have become a popular and secure alternative to traditional passwords, being used over 1 billion times across 400 million-plus Google accounts. These passkeys, which rely on fingerprints, face scans, or PINs for authentication, are faster and more resistant to phishing than passwords. Google plans to integrate passkeys into its Advanced Protection Program, enhancing security for high-risk users. Additionally, third-party password managers like Dashlane and 1Password can now support passkeys, further expanding their use. The technology is supported by major companies like eBay, Uber, PayPal, and Amazon, indicating a shift towards passkey-based authentication as a more secure and efficient method.
#Ontario and #CyberSecurity folks - My friend just got an email thanking her for getting vaccinated, with a link to click to access her vaccine certificate. She hasn't been vaccinated lately, so my alarm bells are ringing.
The link to click goes to the domain awstrack.me, which does not look like a legit domain for this kind of thing. On the other hand, the email is addressed to her personally (i.e. there is a salutation that uses her real name), with a minor capitalization typo that was in the definitely-legit emails she recevied previously. Those previous emails also have a link to click that goes to the TLD awstrack.me.
"awstrack” makes me think Amazon Web Services are involved, but that particular TLD is registered in Luxembourg, if I read the whois entry correctly. Why would our provincial health service be routing sensitive information through a European domain?
I suspected that maybe someone got vaccinated recently, and the OHIP number was entered wrong. But my friend checked the portal, and her last vax recorded was in last year, as expected.
EU plan to force messaging apps to scan for CSAM risks millions of false positives, experts warn.
A controversial push by European Union lawmakers to legally require messaging platforms to scan citizens’ private communications for child sexual abuse material could lead to millions of false positives per day, hundreds of security and privacy experts warned in an open letter Thursday.
Doch auch allein die Titel, Hosts und Themen von zehntausenden Meetings allein enthalten viele Informationen. Diese automatisch zu crawlen und mit OCR zu sortieren/auszuwerten, hätte ein enormes Potential für Spione. 248.000 Bundeswehrangehörige haben einen Webex-Account, monatlich werden rund 45.000 Meetings abgehalten, sagte mir die Bundeswehr auf meine Anfrage. Da kommt einiges an Stoff zusammen. #Cybersecurity#taurus#bundeswehr
WICCON is a not-for-profit, English-speaking, two-day, single-track information security conference, taking place on the 31st of October and the 1st of November in The Netherlands. The speaker line-up is all-women. Workshops are explicitly open to other genders as well.
Well fuck me I changed credit cards a few months ago and forgot to update my Wasabi account for my S3 buckets to backup my NAS. So they suspended the account so I had to make a whole new one, and now just restarted my NAS backup on the Synology box. Well this is probably going to take about a week for the first backup as it’s a couple terabytes.
Your periodic reminder that a Content-Security-Policy that includes cdn.jsdelivr.net is not safe. Any GitHub repo can be loaded via that CDN, so if you find it on a test, prove the point.
🆕 blog! “Bank scammers using genuine push notifications to trick their victims”
You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department. "Yeah, right!" You think. Obvious scam, isn't it?…
You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department.
"Yeah, right!" You think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. They sigh.
"I can assure you I'm calling from Chase bank. I understand you're sceptical. I'll send a push notification through the app so you can see this is a genuine call."
Your phone buzzes. You tap the notification and this pops up on screen:
This is obviously a genuine caller! This is a genuine pop-up, from the genuine app, which is protected by your genuine fingerprint. You tap the "Yes" button.
Why wouldn't you? The caller knows your name and bank and they have sent you an in-app notification. Surely that can only be done by the bank. Right?
Right!
This is a genuine notification. It was sent by the bank.
You proceed to do as the fraud department asks. You give them more details. You move your money into a safe account. You're told you'll hear from them in the morning.
This is reasonably sophisticated, and it is easy to see why people fall for it.
The scammer calls you up. They keep you on the phone while...
The scammer's accomplice calls your bank. They pretend to be you. So...
The bank sends you an in-app alert.
You confirm the alert.
The scammer on the phone to your bank now has control of your account.
Look closer at what that pop is actually asking you to confirm.
We need to check it is you on the phone to us.
It isn't saying "This is us calling you - it is quite the opposite!
This pop-up is a security disaster. It should say something like:
Did you call us?
If someone has called you claiming to be from us hang up now
[Yes, I am calling Chase] - [No, someone called me]
I dare say most people would fall for this. Oh, not you! You're far too clever and sceptical. You'd hang up and call the number on your card. You'd spend a terrifying 30 minute wait on hold to the fraud department, while hoping fraudsters haven't already drained your account.
But even if you were constantly packet sniffing the Internet connection on your phone, you'd see that this was a genuine pop-up from your genuine app. Would that bypass your defences? I reckon so.
Criminals are getting increasingly good at this. Banks are letting down customers by having vaguely worded security pop-up which they know their customers don't read properly.
And, yes, customers can sometimes be a little gullible. But it is hard to be constantly on the defensive.