Tag: password

RSA: Boleto Fraud Ring in Brazil Linked To Billions in Bogus Transactions

RSA, the security division of EMC Corp. said on Wednesday that its researchers uncovered a massive online fraud ring that has infiltrated The Boleto, a popular payment method in Brazil. RSA said in a blog post on Wednesday that a coordinated investigation a “Boleto malware or ‘Bolware’ fraud ring that may have compromised 495,753 Boletos transactions over a two-year period. The value of the transactions is estimated at $3.75 billion USD, or $8.57 Brazilian Reals.  The Boleto is a popular and regulated electronic payment system that is the second most popular form of payment in the country, after credit cards. According to RSA, the malware in question allows attackers to carry out man-in-the-browser attacks that modify transaction details on an infected client system so that funds are directed into mule banking accounts controlled by the fraudsters. RSA researchers discovered 8,095 fraudulent Boleto ID numbers tied to 495,753 compromised transactions. The Bolware botnet is […]

This Week In Security: Poking Holes In Two Factor Authentication

It was another busy week in the security world. There was big news on the legal front, as The U.S. Supreme Court took steps to protect the data stored on mobile devices from warrantless searches by police. (That’s good news.) But the week also plenty of concerning stories about the security of data stored on mobile phones, tablets and the like. One of the stories that gained a lot of attention was DUO Security’s report on a flaw in PayPal’s two factor authentication feature that could expose the accounts of  security-conscious PayPal users. As The Security Ledger reported, DUO researcher Zach Lanier discovered a flaw in mobile APIs published by PayPal that would allow anyone with a valid PayPal user name and password to sidestep two-factor authentication when accessing PayPal accounts that had that option enabled. After DUO went public with information on the flaw, PayPal disabled two factor authentication […]

Paypal Disables Two Factor From Mobile

In the wake of a disclosure, yesterday, that a secure log-in feature was vulnerable to hacking, PayPal has suspended the ability of customers who elect to use the feature to log in to PayPal using the company’s mobile application. In a blog post on Wednesday, PayPal Director of Global Initiatives Anuj Nayar said that the company took the step of disabling mobile application log ins after the researcher, Zach Lanier of DUO Security, published his findings in a blog post yesterday. As reported by The Security Ledger, researcher Zach Lanier of DUO Labs discovered that a PayPal mobile API (application program interface) for its Security Key two-factor authentication technology contains a vulnerability that would allow even a non-technical hacker to bypass the second factor when accessing a Paypal customer’s account. The problem comes up when trying to access a Paypal account protected using two-factor authentication using a PayPal mobile application – […]

Researchers Sidestep Paypal Two-Factor Authentication

Researchers at DUO Security claim to have found a way of bypassing a two factor authentication feature that secures logins to Paypal.com, eBay’s online payment service. The vulnerability could allow an attacker who has stolen a Paypal customer’s user name and password to gain access to the account, even though the customer had enabled the more secure two-factor authentication option. DUO described the problem in a blog post early Wednesday. According to researcher Zach Lanier, Paypal has published an API (application program interface) for its Security Key two-factor authentication technology that contains a vulnerability that would allow even a non-technical hacker to bypass the second factor when accessing a Paypal customer’s account. An attacker only needs a victim’s PayPal username and password in order to access a two-factor protected account and send money. “The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified,” the company wrote in […]

Update: Another IPMI Mishap? Researcher Claims Supermicro Devices Vulnerable

There’s more bad news for companies that rely on the Intelligent Platform Management Interface (IPMI) to manage servers and other hardware in their IT environments. Specifically: researcher Zachary Wikholm over at Cari.net has published evidence of what he says is a head-slapping vulnerability affecting devices that use IPMI Base Management Controllers (BMCs) made by the firm SuperMicro. According to Wikholm, servers equipped with Supermicro BMCs store a password file, PSBlock, in plain text and – making matters worse- leave it open to the world on port 49152. “You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” he wrote. Baseboard Management Controllers (BMCs) are small, embedded systems attached to a system’s motherboard that manage IPMI communications. Wikholm says that Supermicro has fixed the problem in the latest version of its IPMI firmware. However, companies are often reluctant to flash […]