
PayPal vs Apple Pay: How secure is your money?

The name PayPal has become synonymous with the most popular method of Internet payment. Everyone knows of PayPal and many, many people use it. And why not? Having a secure and private method of payment online has been an incredible resource. For many of us, eBay was the online store where we first heard about PayPal, and over the years, eBay and PayPal have had a comfortable relationship. Well, in late 2015 eBay and PayPal will be severing their ties as PayPal moves on from eBay and out on its own.

This leaves PayPal open to join with someone else. Enter Apple Pay. Apple Pay is Apple’s new payment option through its app featured on Apple products like the new iPhone 6 or iPhone 6 Plus. PayPal is not only popular, but also easy to use for its customers. Here’s how it will work: iPhone users will find the PayPal app, locate the store on the app, and sign themselves in. This is done while the user is in the store, ready to make their purchase. It will be that easy. In order for the payment to go through, the iPhone user will be required to aim their phone directly at the point of payment within the store, put their finger on the Touch ID option, and then the transaction will be complete. Basically, point and shoot. A confirmation of a successful transaction will be in the form of a beep and a vibration.

So now let’s talk about the security of paying through PayPal and the Apple Pay app. The security that has been implemented for iPhone users to utilize this paying option is of the highest caliber. The main benefit of this payment option is that you don’t have to show your personal credit card information while in the store and run the risk of having your personal credit and identity breached somehow. That said, both Apple and PayPal had to make sure that your personal credit card and bank information was extremely secure. According to PayPal, the personal information and credit card numbers of its users are “heavily guarded, both physically and electronically.” We trust their word, and they commit to doing whatever it takes to continue to guard this information.

Pay with Touch ID (Source: Apple)

In addition, PayPal’s servers are not directly connected to the Internet, in an effort to prevent hackers from getting to that information. The only eyes that see your personal information and transactions are yours, especially when you receive an email immediately after each purchase or payment through PayPal. This way, you have the ability to keep track of what is going on with your account.

Likewise with Apple Pay, your personal credit card numbers and information are secure and not seen by Apple or the employees in the stores. The way Apple Pay functions is “users take a photo of their credit card and add it to their phone’s Passbook where it is assigned a unique device account number, encrypted and stored in the phone’s Secure Element Chip.” The individual security code and the number of the device you are using will be the two items needed to complete the purchase. According to the company, “Apple will never know what you purchased, and you’ll still get rewards points on the credit cards you use.”

With all of that purchasing power in one place, there is also a protection for you if you lose your iPhone. This protection is the Find my iPhone feature. A misplaced or lost iPhone’s information can be erased completely if it’s not in the owner’s hands, and this way your private information will not be accessed by criminals.

How to enable Apple’s two step verification

Last week’s hack of Hollywood photos was a wake-up call to the general public and the Apple Corporation about being lax with internet security. Apple’s devices can all enable two-factor authentication now, and these steps will show you how it’s done, so you can protect yourself all the more effectively.


First, log into the Apple ID system. You can either go to https://appleid.apple.com or just find the “Manage your Apple ID” listing in your device. If this is the first time you’ve heard of it, you should know that you can also do billing and update contact information from this listing.

Second, find “Password and Security” from the options menu, and answer the security questions that it provides. Then scroll to the “Two-Step Verification” listing and click the “Get Started” link.


Third, Apple will send you an SMS with a verification code to the phone number you’ve assigned on your Apple ID. If your phone number is out of date and needs to be changed, you’ll have to wait 72 hours before being able to change the number—this is another Apple security measure that prevents hackers and other people from immediately locking you out of your own device.

Fourth, after you have the SMS and entered the verification code, you can register an iPad, iPhone, or iPod on which you’ve already used your Apple ID, to enable “Find my iPhone”. Currently these are the only devices you’ll be able to receive future codes with, sent as a special push notification from Apple. Apple may add more devices to the security list in the future. 

Lastly, Apple will generate a unique recovery master key that can be used to unlock your account if you forget your password or don’t have access to any of your devices. Apple strongly recommends you write down the recovery key and store it in a secure place—like a bank deposit box or a gun safe.  

Now a general warning: If you manage to forget your password, throw away your recovery master key AND lose access to all of your “trusted” devices, you will not be able to log in to the Apple ID system, period. No exceptions. Apple Corporation will officially not be able to help you, but a customer service representative can recommend replacement devices for you to buy.

Anyway, when you’ve finished your verification process, you’ll be asked for a code when you try to go online. Apple will be installing more two-step verification for more tasks, like restoring backups on a new device, later this year.

Apple updating security for iCloud

After last week’s mass release of nude photos from multiple Hollywood actresses, Apple Inc. announced new security measures to keep user accounts safe.

In an interview with the Wall Street Journal, Chief Executive Tim Cook said hackers were able to brute force into the actresses’ phones by correctly guessing security questions and opening their passwords.

None of the passwords were leaked directly from the company’s servers, he claimed.

Cook says Apple will now alert users through email notifications and allow them to take action immediately when someone moves iCloud data to a new device, logs into an account for the first time, or when changing a password. Apple will start notifying members of the changes in two weeks.

Cook admitted Apple should have done more to make people aware of the dangers of hacking.

“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” Cook said. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

Apple will also increase two-factor authentication, which requires an Apple user to have both a main password and either a separate four-digit one-time code or a long access key purchased with the system in order to unlock the device.

With the feature turned on, these steps will be needed to sign into an iTunes account from another device. Two-factor authentication will also be used for iCloud accounts.

Cook claimed that most users don’t have two-factor authentication, so Apple will encourage people to download the newest version of iOS and activate it. If the celebrities already had the system in place, hackers wouldn’t have had an opportunity to guess the correct answers to security questions, Cook said.

Outside security experts criticized Apple for making the previous security too easy to hack by requiring only answers to security questions.

“There’s a well-understood tension between usability and security,” said security researcher Ashkan Soltani to the Wall Street Journal. “More often than not, Apple chooses to err on the side of usability to make it easier for the user that gets locked out from their kid’s baby photos than to employ strong protections for the high-risk individuals.”

The new notifications will only notify users after their devices have been hacked, Soltani claimed.

The company is trying to salvage its reputation ahead of a new product launch announcement next week. Apple is cooperating with federal law enforcement to investigate and prosecute the hackers. The company did not release information on how many users were affected.

Emergency update for Flash released by Adobe

Can we please live in a world where Flash becomes obsolete? Wasn’t that the whole point of iOS? Are there really websites out there that still use this broken and buggy web software? Apparently there are, or so it seems. Adobe has found and patched several zero-day exploits over the last couple of months, and they just announced that they’ve found and patched another one. Every time they do this they have to release an “Emergency” update for Flash which has to be installed. It’s getting a little tedious.

More Problems for Flash on the Mac

According to fireeye.com:

This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit sociocultural issues. The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.

This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems. Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term.

The exploit affects all of the latest versions of the Flash plugin, including those in use on the Mac. It allowed hackers to execute malicious code by taking control of the virtual function table pointer object. Whatever that means.

Apple Was Smart

The good news here is that Macs don’t come with Flash installed automatically anymore. In order to get Flash, users have to go out and get it themselves. This will save a lot of computers. The problem with all of these “Emergency” patches is that non-technologically inclined people will either ignore the warning, or will get tired of the warnings that seem to come every few days. That could lead to a state of ambivalence, which would be bad for everyone.

If you’re running Flash, but don’t really use it all that much, the best thing you can do is get rid of it altogether. If you need Flash, then make sure you have auto-update turned on, so that you’re always up to date.

If you’re the tech support person for someone like your parents, you should help them avoid Flash at all costs, and if you can’t, make sure they are always up to date.

Conclusion

Hackers are never going to stop trying to ruin our computers and steal our money. The issue isn’t that Flash is terrible, or that it takes up every machine resource known to man, but that it is a hacker-magnet. It has so many holes in it you might as well call it a sponge.

Flash can’t die soon enough. Not only is HTML5 more reliable and more stable, it will also solve a lot of these zero-day exploits, which seem to pop up over and over again.

You can find more info on this exploit on Adobe’s security page.