15.4 C
New York
Saturday, May 11, 2024

Help Might Finally Be on the Way to Fight SIM-Swap Attacks

A WIRED report found that Google geolocation data had been used in 45 investigations and counting of the US Capitol rioters. That includes the use of two geofence warrants that enabled the FBI to pinpoint suspects within the building in a narrow window of time on January 6. It was an extraordinary use of geofencing during an extraordinary time; experts acknowledge that it was likely justified, but they worry about a slippery slope, especially as the use of geofence warrants has exploded in recent years.

In other Google news, Android suffered yet another wave of scam apps. In a campaign that dated back to at least November, hundreds of malicious apps were snuck into Google Play and were collectively downloaded over 10 million devices. The bad apps used various evasive maneuvers to avoid detection and tried to trick users into signing up for a recurring charge. Researchers are unclear how much money the scammers made off with, but given the number of victims it's potentially in the hundreds of millions of dollars.

The internet infrastructure company Cloudflare is getting into email security, with two free, new tools designed to protect enterprise customers from phishing and other email woes. The Senate yelled at Facebook again, this time about teen mental health. And now that you can go passwordless on your Microsoft account, we put together a quick guide for how to enable it.

Dune lends itself to many interpretations, but its most compelling might be as a template for future global conflicts, from Afghanistan to cyberwar. And we looked at why a real-life James Bond probably wouldn't use an iPhone. (Or the Nokia he relies on in the movie, for that matter.)

And there's more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.

The FCC Finally Pays Attention to SIM-Swap Attacks

SIM-swap attacks, in which someone ports your phone number to their device in order to get past two-factor authentication on your most sensitive accounts, have been a scourge for years. They've resulted in cryptocurrency theft, bank accounts being drained, and social media account takeovers. And while there's no simple way to stop them, there are certainly approaches that the US hasn't yet tried. Which is why it's heartening that the FCC finally appears to be paying attention to them; this week the agency said it was planning to push carriers to implement more secure authentication before transferring numbers to a new device. It won't solve the problem entirely—especially since phone company employees have at times actively enabled the attacks—but it's a long overdue start.

Cybersecurity CEO Arrested in Russia on Treason Charges

Russia has continued to crack down on every facet of technology in the country, which this week took a troubling turn. Law enforcement in the country has reportedly arrested Ilya Sachkov, founder and CEO of international cybersecurity firm Group-IB. He's accused of working with “foreign intelligence services” to undermine Russia's national interests; the company has said he is innocent of all charges. Sachkov faces up to 20 years in prison if found guilty.

Researchers Find a Way to Make Big Apple Pay Payments on a Locked iPhone

Security researchers this week demonstrated a flaw in how Visa implements Apple Pay's Express Transit feature that let them make unauthorized contactless payments from a locked iPhone. First, they impersonated a transit system ticket barrier using a cheap piece of radio equipment, to make the iPhone think it was connecting with a legitimate system. Then, they used a so-called relay attack to direct payment messages from the iPhone to a reader under their control, allowing them to make large transactions without the need for any biometric confirmation. It's an issue that would apply primarily to stolen iPhones, and Apple indicated in a statement to the BBC that Visa seems unlikely to fix the flaw given the relative complexity of the attack.

The First Alleged Ransomware Death in the US

We write a lot about ransomware and its various deleterious effects on society. But as attacks continue to escalate—against hospitals in particular—you should take some time to read this Wall Street Journal report about the real human cost. It's a devastating but essential read.

Correction 10/3/21 9:40am ET: This story had incorrectly stated that Group-IB was based in St. Petersburg; it is an international company with headquarters in Singapore.

Related Articles

Latest Articles