Sunday, December 6, 2009

iPhone Malware Threat is Serious


  • In essence, this threat is serious. - ComputerWorld

  • It's Hip to Be Square - Huey Lewis and the News


  • Media should be Hip on Security - PIN Payments News



Last week, Jack Dorsey, the Silicon Valley media darling who founded Twitter, introduced Square, which frankly is a toy when compared to HomeATM's PCI 2.x PIN Entry Device (which also hooks up to any phone via the earjack and was introduced a year ago). There was a ton of hype. A lot was written. My favorite headline was that this is the PayPal for mobile phones. Others really thought being able to use their finger to write their signature on the screen was the bomb. (No...just an existing application...see: Write Text on your iPhone with Your Finger.) But Mr. Dorsey is hot stuff right now (thanks to Twitter), and the media would ooh and aah anything he does because he's the reigning Silicon Valley rock star du jour. So they cover the sizzle...but there's more at stake.



Surprisingly, in this day and age of breaches, hacks, malware and browser vulnerabilities, NOT a lot has been written about the steak...i.e. the security/encryption of the device. I did read that the Square doesn't "store" the credit/debit card numbers. (Well, that's positive, but doesn't mean "jack.") Unfortunately, in today's sophisticated world, hackers don't need "storage" to obtain card numbers, so serious questions remain about the encryption. They say the information is encrypted, but if it's only a second or two after you swipe the card, that's "too little, too late." The cardholder data must be instantaneously encrypted inside the Square, not after the Square sends the information to the iPhone. Otherwise a window of opportunity is created for hackers to intercept the data prior to encryption.





Frankly, it's no different than entering it into the phone by keystrokes. Here's an astute observation from an industry exec about the Square:



"All this does is encode the magstripe data to audio for pickup by the application. Then the application works exactly as a web based payment application. So the only difference between this and a merchant typing their customer's card details into a web browser on their iPhone is that they don't have to type the card number. Nothing to see here."

Encrypting the card numbers "AFTER" you type them in is the equivalent of fixing the hole in your boat after it sinks. (So there is something to see there after all.)
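The boundary this argument turns on can be tested directly. The following is an added example, not code from Square, HomeATM or the original post: it scans whatever crosses from the reader to the phone for readable ISO/IEC 7813 Track 2 data. The sample swipe, framing bytes, key and the `stand_in_encrypt` placeholder are constructed assumptions.

```python
import hashlib
import re

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM + service code + discretionary data?
TRACK2 = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn check, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """First six / last four only, so the report itself never holds a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def cleartext_track2(payload: bytes) -> list:
    """Masked PANs of every Luhn-valid Track 2 record readable in the payload."""
    return [mask(m.group(1).decode()) for m in TRACK2.finditer(payload)
            if luhn_ok(m.group(1).decode())]

def stand_in_encrypt(data: bytes, key: bytes) -> bytes:
    """Placeholder for the reader's cipher (SHA-256 keystream XOR); not a real design."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample: the industry test PAN 4111111111111111, not a real card.
SWIPE = b";4111111111111111=12121010000000000?"
# Case 1: reader hands the decoded stripe to the phone; the app encrypts later.
ENCRYPT_IN_APP = b"\x00\x01" + SWIPE + b"\x00"
# Case 2: reader encrypts before anything leaves it.
ENCRYPT_IN_READER = (b"\x00\x01"
                     + stand_in_encrypt(SWIPE, b"constructed-demo-key") + b"\x00")

if __name__ == "__main__":
    print("encrypt in app   :", cleartext_track2(ENCRYPT_IN_APP))
    print("encrypt in reader:", cleartext_track2(ENCRYPT_IN_READER))
```

A non-empty result for the reader-to-phone payload means the card data exists in the clear on the handset before any application-level encryption runs.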



Also, (coincidentally) last week there was a report that the "jailbroken" iPhones could be breached. Now, in a new report from an iPhone developer, hackers are free to hack even those models that have not been jailbroken. Call this malware program "Genesis" because it's only the beginning...it's time to stop "toying around" with encryption.




"The popular Apple iPhone smartphone may be at risk from a security vulnerability that affects even those models that haven't been hacked, or 'jailbroken,' according to new findings from a Swiss software engineer," Andy Patrizio reports for eSecurityPlanet.

"Nicolas Seriot, an iPhone developer, presented his findings during a conference in Geneva on iPhone privacy. According to his research, malware could exploit a previously unknown hole to access a user's e-mail accounts, Safari, and YouTube searches, keyboard cache content, and the Wi-Fi connection logs," Patrizio reports.





"Most hacks that affect the iPhone are the ones that are unlocked with 'jailbreak' utilities... Evidently, however, even iPhones fresh off the shelf could be vulnerable, according to Seriot, who showed how a malicious application could gather personal data from an iPhone without using private APIs," Patrizio reports.





"Based on his conclusions, a malicious app is free to move around all it wants once inside the system -- reading a user's address book, stealing their phone number, viewing their browser history, and culling other private data from the device," Patrizio reports. "Apple did not respond to requests for comment."





Patrizio reports, "Seriot also said that unlike the transmission methods popular among PC malware, iPhone trojans will make their way to the device by way of the Apple App Store. 'Reviewers can be fooled,' he noted in his presentation."



In his presentation (located here in PDF format), Seriot indicates that he believes portions of the iPhone subsystems are simply not secured. Instead, functions including phone information and the file system can be accessed by making the right calls to variables.





Full article here.

It (the virus) also looks for authentication systems that use SMS, better known as mTANs. mTANs are frequently used by banks that send an SMS message with a password to mobile phones, allowing people to log in to their online accounts, Sophos wrote.




