Showing posts with the label Spoofing. Show all posts

Iris Scan to Validate Mobile Payments

Nowadays everyone is using mobile payment systems like Apple Pay and Samsung Pay. Payment systems like these use biometric scans. New biometric scan technologies beyond fingerprint scanning can boost the adoption rate of smartphone purchases. These technologies include palm vein sensors and sensors that assess a person’s typing pattern or behavior.



Iris has developed a new technology that will help to authenticate online purchases. While SMS (Short Message Service) is an option, banks want stronger security for conducting transactions. That’s where Iris comes in: it developed a multi-modal scan that provides voice and behavioral scans and facial integration, which might help with online purchases.

Smartphone vendors and payment software developers need to consider the new biometric technologies and the multi-modal scan approach to provide concrete security. Tiffany Huang, an analyst at Lux Research, said, “Biometrics is needed to improve mobile payment usage and it’s hard to see one biometric usage winning in the medium-to-far-term”.

A US Federal Revenue survey of around 2000 people showed that 75% didn’t use mobile payments because they find it more convenient to pay in cash or use their credit cards, while 59% don’t feel safe using mobile payments because of privacy and security concerns.

The new palm vein sensor is smart enough to prevent spoofing, but such sensors are rare because of their size: they require a large piece of hardware to read the palm vein pattern. Huang said, “Palm veins are 100 times more unique than fingerprints and can't be easily spoofed because the veins are below the surface of the skin”.

The fingerprint scan sensors used in iPhones for Apple Pay and in Galaxy phones for Samsung Pay are mature, have been in use for years, and their hardware is relatively cheap. But capacitive sensors can be spoofed easily by duplicating a fingerprint pattern.

This is the main reason that encouraged Iris to develop new technology for the payment industry that ensures security at its best without being spoofed. No doubt it requires some serious hardware that may be costly, but cost is not reason enough to put your customers at risk.


~ Wednesday, 20 July 2016 0 comments

Hackers are now the biggest threat in securing U.S. borders

GPS spoofing and jamming have been considered a real threat for a long time. They were first discovered by the Dr. Humphreys research team in 2013, when they presented their work in front of the world. Since then we had believed that the latest drone models were not vulnerable to spoofing, but last week's revelations from Timothy Bennett have proved us all wrong.


According to Timothy Bennett, hackers backed by drug lords are spoofing and jamming US drones to avoid surveillance. US borders are now secured by drones that provide complete surveillance to Homeland Security. But the drug mafia in the US has now found a way to bypass this surveillance, which can be a big threat to national security in the long run.

This news opened a new debate among US officials who are trying to secure their borders at all costs. Bennett opened Pandora's box last week when he said, “The bad guys on the border have lots of money. And, what they are putting money into is spoofing and jamming of GPSs, so we are doing funding to look at small UAS that we can counter this”.

But the question now is: are those small UAS (drones) secure enough to avoid spoofing or jamming? Yes, it's possible if the GPS signals are encrypted; only then can a drone be secure from commands from an outside source.
It's not surprising that the drug mafia is using hackers to get its products past US borders. But this should be alarming for any US citizen: if those drugs can come into the US without being traced, how long will it take for organizations like ISIS to follow the same route and, with the help of hackers, exploit the weaknesses of US borders to fulfill their goals?

We all know that technology is now essential for the security of any country. But that same technology can be used against them, if it's vulnerable. 

~ Wednesday, 30 December 2015 0 comments

SMS Spoofing Tutorial- SET Backtrack 5

Mobile communication is now everywhere. Mobile hacking seems difficult, and normal users, students and ethical hackers usually don't go into the mobile hacking field. Mobile hacking is a very general term that covers attacks from the physical layer to the application layer of the OSI model. Spoofing is not a new attack, and you must have heard about IP spoofing, DNS spoofing and SMS spoofing.

In a spoofing attack, an attacker poses as a source or desired address. Having previously discussed DNS spoofing using Ettercap, this time we will discuss SMS spoofing with the Social Engineering Toolkit on Backtrack 5.

What Is SMS Spoofing?

Short message service (SMS) is now available on mobile phones; you, I and everyone else use SMS for communication. SMS spoofing means setting who the message appears to come from by replacing the originating mobile number (Sender ID) with alphanumeric text or another number (Wikipedia).
I will discuss most of the theoretical aspects here, such as how to perform SMS spoofing, how SMS spoofing works, and many other questions.

SMS Spoofing Tutorial


The Social Engineering Toolkit contains an SMS spoofing attack vector that can be used to perform SMS spoofing. Requirements for this tutorial:
  • Operating system (Backtrack 5 for this tutorial)
  • SET (Social Engineering Toolkit)
  • A brain (important)
I will use Backtrack 5 to perform SMS spoofing; however, you can use Ubuntu, Gnacktrack, Backbox, another Linux distribution or another OS.
  • On the SET menu, select number 7, the SMS spoofing attack vector.
  • In the second step, select “1. Perform a SMS Spoofing Attack”.
  • In the third step, choose between mass SMS spoofing and a single SMS; in this case I select 1.
  • In the fourth step, enter the receiver's number; make sure to include the country code.
  • In the next step, select “1. Pre-Defined Template”.
  • In this step, choose a template (choose whichever you want).
  • If you have an Android emulator, that's wonderful, but you can also use some paid services. So it's up to you: select one and then send your message.


Note: If you want to learn more about Linux and Windows based penetration testing, you might want to subscribe to our RSS feed and email subscription or become our Facebook fan! You will get all the latest updates at both places.

~ Saturday, 15 October 2011 0 comments

DNS Spoofing- Ettercap Backtrack5 Tutorial

A spoofing attack is unlike a sniffing attack; there is a small difference between spoofing and sniffing. Sniffing is the act of capturing or viewing the incoming and outgoing packets on a network, while spoofing is the act of forging one's source address. In a spoofing attack, an attacker poses as a source or desired address. This is basically done by using some tricks.


Spoofing is a very general term that covers attacks like DNS spoofing, IP spoofing and others.

What Is DNS Spoofing?

DNS spoofing is an attack that can be categorized as a man-in-the-middle attack (MITM). Besides DNS spoofing, MITM attacks include:
  • ARP poisoning
  • Sessions hijacking
  • SSL hijacking
  • DNS Spoofing
Each attack has its own importance, but it is very difficult to discuss all of them in a single article; I will post some more articles related to MITM.
DNS spoofing is an attack in which an attacker forces the victim to enter his credentials into a fake website. The term fake does not mean that the website is a phishing page while. To understand DNS spoofing, refer to these pictures.

In normal communication, a user sends requests to the real DNS server; if an attacker spoofs the DNS server, the attack is called a man-in-the-middle attack.



Now the question is how to perform a DNS spoofing attack. Spoofing is very similar to sniffing, and sniffing tools can be used to perform spoofing attacks. For this article I will use Ettercap.

What Is Ettercap?

According to official website “Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks”.
It supports multiple operating systems: it can run on Windows, Linux, BSD and Mac.

DNS Spoofing Tutorial With Ettercap-Backtrack5

If you want to learn more background theory, you can ask questions in the comment box. This section will teach you how to perform a spoofing (man-in-the-middle) attack.
Requirements:
  • An operating system (Linux, Windows etc.)
  • Ettercap
  • SET
I am using Backtrack 5 for this tutorial; you can use some other OS. The Social Engineering Toolkit is not strictly necessary, but as discussed in the earlier SET tutorial on hacking Windows using a fake IP, you can use it to spoof your IP into a website. So this is a slightly advanced tutorial.




It is recommended to use DNS spoofing attack with Social engineering toolkit attack to make the job done effectively.


~ Friday, 26 August 2011 0 comments