How’s 2017 treating you so far?
Your first #MobSec5 issue of 2017 includes:
- No card? No problem — fraudulent ATM withdrawals via mobile app
- DNS hijacking via Android malware
- FTC reprimanding IT provider for lax security in router and network-connected camera products
Thanks for reading. Happy New Year, have a good weekend, be good, and stay safe.
P.S. If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.
Android Security Bulletin—January 2017
(Android Open Source Project)
“The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Google devices through an over-the-air (OTA) update.”
On Tuesday, Google published an Android Security Bulletin including two different patch levels for January (2017-01-01 and 2017-01-05). Even so, remember that 73 percent of Android devices remain on woefully out-of-date versions of Android (according to Google data as of December 5, 2016). Manufacturers Blackberry (January 2017 security bulletin) and Samsung (January 2017 security bulletin) followed quickly behind, both issuing their own security updates this week.
Stolen Passwords Fuel Card-less ATM Fraud
(Krebs on Security)
“Some financial institutions are now offering so-called ‘cardless ATM’ transactions that allow customers to withdraw cash using nothing more than their mobile phones. This new technology also creates an avenue for thieves to quickly and quietly convert stolen customer bank account usernames and passwords into cold hard cash.”
Illustrating just one of the challenges banks confront as they embrace mobile technology to better serve their customers, Brian Krebs reports that an attacker stole $2,900 out of a woman’s bank account via a mobile banking app used for “card-less ATM” withdrawals. Using the victim’s online banking username and password, the attacker added a phone number to her account, transferred $2,900 from savings to checking, added a new mobile device to the account, and changed the associated contact e-mail address. Finally, using the card-less ATM mobile app that provides a seven-digit code for entry into an ATM (in lieu of a card), the attacker withdrew $2,900 from the account. A bank spokesperson mentioned that the woman wasn’t the only victim of this scheme and referenced a news story about the arrest of six men in Miami in December 2016. It is unclear whether the bank flagged any of the suspicious account activity and where exactly its authentication mechanisms broke down. The victim claims the bank did not notify her of any of the changes to her account at the time. Banks implement authentication in their mobile apps in different ways. If your bank offers it, enable multi-factor authentication (even SMS-based two-factor authentication is better than nothing). If you develop mobile banking apps, familiarize yourself with FFIEC guidance on mobile payments and app risk.
“The Federal Trade Commission is cracking down on D-Link for selling wireless routers and internet cameras that can easily be hacked, the U.S. regulator claimed on Thursday.”
The Federal Trade Commission’s (FTC’s) complaint against D-Link is just the most recent example of the agency holding companies accountable for privacy and security claims made about their products and services. Among other allegations, the FTC claims that a mobile app provided by D-Link to access routers and connected cameras stores log-in credentials in cleartext on the mobile device (to avoid this yourself, see Implement Secure Data Storage from the NowSecure Secure Mobile Development Best Practices). In 2014 the FTC took action against Snapchat for allegedly misrepresenting its privacy and security practices related to the mobile app. Similarly, in March 2016 the Consumer Financial Protection Bureau reprimanded online payments platform Dwolla for misrepresenting its security practices (and specifically for not testing the security of its applications prior to release). If you develop mobile apps and make claims about their security and privacy, be diligent. As a security consultant stated on the Hacker News website, following best practices in developing your products and validating adherence to those practices goes a long way: “I have never seen a company held liable for any breaches that occurred while they were following best practices.” In a recently completed three-part blog series, NowSecure Director of Mobile Services Katie Strzempka provided tips for launching and managing a mobile app security program that institutes security standards and audits apps against those standards to reduce mobile app security risk.
The Switcher Trojan hacks Wi-Fi routers, switches DNS
(Kaspersky Lab Official Blog)
“Once the malicious app infiltrates the target smartphone connected to a Wi-Fi network, it communicates to a command-and-control (C&C) server and reports that the Trojan has been activated in a particular network.”
This attack involves installing malware on a mobile device and compromising the DNS settings of a Wi-Fi router to serve up fraudulent websites masquerading as legitimate ones. Once installed, when the compromised device connects to a Wi-Fi network, the app communicates with an attacker-controlled server. That server attempts to log into the router with administrator credentials and modify its settings to point the router at a malicious DNS server (DNS servers resolve human-readable domain names to their associated numerical IP addresses). Any other devices using the compromised wireless router, and therefore its DNS settings, can then be directed to a malicious web server that serves up phony web pages. As always, don’t install suspicious Android apps, and download apps only from the Google Play store. In addition, secure the configurations of your Wi-Fi routers (starting with changing any default usernames or passwords).
“Fancy Bear used an Android application infected with X-Agent, a cross-platform remote access toolkit, to reach Android devices that were used for certain features employed by artillery systems in Ukraine.”
Cyberwar for Sale
(The New York Times)
“After a maker of surveillance software was hacked, its leaked documents shed light on a shadowy global industry that has turned email theft into a terrifying — and lucrative — political weapon.”
“In today’s world of medical devices that are connected to a hospital’s network or even a patient’s own Internet service at home, we see significant technological advances in patient care and, at the same time, an increase in the risk of cybersecurity breaches that could affect a device’s performance and functionality.”
What Happened with mHealth Security, Mobile Privacy in 2016?
“Mobile devices are increasing in popularity, and are quickly becoming beneficial tools for healthcare. However, mHealth security measures cannot be ignored, and mobile data must be considered when organizations track where PHI is stored and how it is used.”
“As the dangers of net-connected devices become more apparent, the Federal Trade Commission seeks tools to keep your smart fridge out of a hacker’s control.”
“On the one hand, organizations want to maximize employee performance and increase productivity, innovation and collaboration, all of which are enabled and, indeed, enhanced by mobile technology. On the other, many mobile apps don’t meet corporate standards for data protection and encryption.”
Fiat Chrysler and Google team on Android in-car tech
“Fiat Chrysler and Alphabet are already working together via Waymo, the former Google self-driving car project, and now Google is also teaming with the automaker for in-car system tech, using Android as the base for a new infotainment and connect car platform.”
If you like #MobSec5, subscribe now to receive #MobSec5 and other updates in your inbox.