Newsletters

An academic study presented last week at the USENIX security conference has detailed several vulnerabilities in the modern financial ecosystem that can be exploited by threat actors to add stolen cards to digital wallet apps and conduct transactions with stolen funds without being detected.

The paper—titled "In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping"—is an eye-opener and wake-up call for app makers and banks that they need to improve the security of some of their underlying processes.

The study looked at the services of several major US banks (AMEX, Bank of America, Chase, Citi, Discover, US Bank, etc.) and three of today's top digital wallet providers in Apple, Google, and PayPal.

Recent improvements made to mobile banking apps and mobile operating systems are forcing threat actors to evolve their tactics with new and never-before-seen techniques.

One such example was recently uncovered in Czechia by local authorities, which called on security firm ESET to help with their investigation.

This new technique involves the cloning of a victim's NFC card data and sending it to an attacker, who then abuses it to make payments at PoS terminals or withdraw money from ATMs.

The Australian Government plans to build a digital trust and identity infrastructure spanning the entire economy. The initiative aims to fill a real need as there is no robust way to prove your real-world identity online, despite it being a common and important requirement.  

The Minister for Government Services, Bill Shorten, announced the Trust Exchange or TEx initiative last week. The unstated/apparent hope for the TEx is that it becomes the standard for Australians to prove their identity and confirm personal attributes across government and the private sector. Part of the intent of TEx is that robust verification is done with less sharing of personal information.

"TEx would take all the hassle out of finding dozens of documents to prove who you are when you're doing things like setting up a bank account or buying a mobile phone or even trying to rent a property", Shorten said. "TEx will connect the bank or telco or real estate agent with your digital wallet and you then consent to share only the identity attributes or credentials you choose to."

After making a mess of its comms earlier this year in May, Microsoft has published a more detailed timeline about its plan to enforce multi-factor authentication for all users accessing Azure and other admin portals.

The company says that by October this year, MFA will be required to access the Azure portal, Microsoft Entra admin center, and Intune admin center.

Admins will receive emails and notifications in the Azure Service Health portal to enable MFA for their accounts or face losing access to their paid services.

A security researcher has discovered secret hardware backdoors in RFID key cards manufactured by a major Chinese company.

The backdoors can allow threat actors to clone affected smart cards within minutes and access secure areas.

They impact smart cards manufactured by Chinese company Shanghai Fudan Microelectronics that were built using MIFARE Classic chips from NXP.

A threat actor is hacking and extorting companies that have misconfigured their cloud server infrastructure.

The data extortion campaign has been taking place since earlier this year and involves a large-scale scan of the internet for companies that have exposed their environment variable files.

Also known as .ENV, these files act as a centralized location for storing configuration data by multiple software solutions.

In sharp contrast to events during the 2016 US presidential election campaign, an apparent hack and leak operation targeting the Trump campaign is being treated responsibly by America’s mainstream media. 

For us, 'responsible' behaviour means verifying the documents, assessing the material's newsworthiness, and giving readers context of the potential operation.    

On Saturday, after being approached by news outlet Politico with leaked documents, the Trump campaign claimed it had been hacked in an attempt to interfere with the 2024 election. 

US officials have seized server infrastructure linked to a data extortion group known as Dispossessor and RADAR.

Officials from the DOJ and FBI have seized nine domains and 24 servers linked to the gang's operations.

A criminal complaint was also filed against an individual going by the hacker pseudonym of "Brain," which officials believe is based out of Europe—possibly Poland.

The Trump campaign claims it was hacked by Iran after a trove of sensitive documents were leaked to Politico at the end of July.

The news outlet says it received the documents from an individual using the name Robert and an AOL email address.

The documents allegedly contained vetting materials pertaining to J.D. Vance and Marco Rubio, which were compiled by the Trump team as part of the Vice President nomination process. The documents are allegedly part of a larger collection of files stolen from the campaign.

The US State Department is offering a $10 million reward for any information on six Iranians behind Cyber Av3ngers, an Iranian hacktivist group that has repeatedly attacked critical infrastructure across the US and other countries.

The six were identified as members of an Iranian cyber unit known as the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).

The six were sanctioned by the US Treasury in February this year, but this marks the first time the US has formally linked the six to the Cyber Av3ngers persona.