Hello and welcome to another week of mobile security news that matters!
This week’s #MobSec5 includes:
- More people affected by Equifax data breach
- Researchers find popular health apps that send login credentials in the clear, among other alarming security and compliance issues
- Fraudulent versions of mobile banking apps continue to fool 1 in 3 consumers
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
Equifax’s massive 2017 data breach keeps getting worse
(The Washington Post)
“Another 2.4 million people have now been affected by the incident, the credit agency says.”
Mobile health applications have security risks
“A new report suggests that many types of mobile health applications are putting the personal data of millions of users at risk, due to security vulnerabilities.”
A study recently done by Universitat Rovira i Virgili analyzed some of the most popular health apps on Google Play and found some alarming security practices. “Lack of encryption, use of GET instead of POST requests for sensitive data transmission, and insecure programming practices, are some of the major security and privacy open issues for developers to solve when building m-health apps.” At NowSecure, we’ve worked with some of the most advanced security teams to ensure these kinds of issues don’t get released into the wild. We’ve accumulated this wisdom into an ebook with more than 50 best practices. Get Secure Mobile Development Best Practices Here
“On Thursday the four major national U.S. carriers — AT&T, T-Mobile, Sprint, and Verizon — revealed plans for a new authentication platform that could add an extra layer of security for people using apps on Apple’s iPhone and other mobile devices.”
“Russian military spies hacked several hundred computers used by authorities at the 2018 Winter Olympic Games in South Korea, according to U.S. intelligence.”
“Sources say iPhone X and iPhone 8 can already be unlocked via Israeli company Cellebrite, one of America’s favorite contractors.”
“On Wednesday, a 1.3Tbps DDoS attack pummeled GitHub for 15-20 minutes. Here’s how it stayed online.”
“Bugcrowd and HackerOne both launched in 2012 and both companies are competing in the growing bug bounty market to pay a network of white hat hackers to bang on client software to find vulnerabilities.”
“More specifically, nefarious individuals can use Android’s backup mechanisms to save a user’s private key file on an unsecured device. This is made possible due to a lackluster attitude by the Jaxx developers regarding the ‘Android allowBackup’ feature, which has been left enabled since day one.”
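The allowBackup behaviour described above comes down to one manifest attribute. The snippet below is an added example, not code from the Jaxx app or from the article: it shows the weak setting (which is also the default when the attribute is omitted) next to the hardened one. The package name, label and activity name are placeholders.

```xml
<!-- AndroidManifest.xml (constructed example; package and class names are placeholders) -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">

    <!-- Weak setting: android:allowBackup="true" (the default if the attribute is
         omitted) lets app-private storage, including any key files kept there,
         be exported from a device with "adb backup". -->
    <!-- <application android:allowBackup="true" android:label="Wallet"> -->

    <!-- Hardened setting: opt the app out of system and adb backups entirely. -->
    <application
        android:label="Wallet"
        android:allowBackup="false">

        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```

To verify what actually shipped rather than what the source says, inspect the compiled manifest of the release APK (for example with `aapt dump xmltree app.apk AndroidManifest.xml` and look for the allowBackup attribute); build variants and merged library manifests can change the final value. On Android 12 and later the separate `android:dataExtractionRules` attribute additionally controls which files are included in cloud and device-to-device transfers, so a wallet app should review both.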
Consumers Falling for Fake Mobile Banking Apps
“More than one in three consumers are fooled by fraudulent versions of banking apps.”
PayPal’s Venmo must be more transparent with users, FTC says
“Under the settlement, Venmo cannot misrepresent restrictions on the use of its service, what privacy controls its users have, or the extent of security it provides to users, the FTC announced Tuesday.”
“Phishing campaigns are evolving continuously, but there are still some basic measures that can safeguard your information.”
How to Fight Mobile Number Port-out Scams
(Krebs on Security)
“T-Mobile, AT&T and other mobile carriers are reminding customers to take advantage of free services that can block identity thieves from easily ‘porting’ your mobile number out to another provider, which allows crooks to intercept your calls and messages while your phone goes dark. Tips for minimizing the risk of number porting fraud are available below for customers of all four major mobile providers, including Sprint and Verizon.”
If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now.