
Sites Turn to Audio Fingerprinting to Track Users

Researchers from Princeton University, conducting a privacy survey of the top one million web sites, discovered a variety of tracking and identification techniques in use, including a novel tactic that uses audio signals to fingerprint machines and browsers. The Princeton study measured a slew of different stateful and stateless tracking techniques, with the goal of measuring […]

Walmart Sues Visa Over Chip-and-PIN Security

In what may be a sign of things to come, Walmart, the world’s largest retailer, has filed a lawsuit against Visa USA over the payment card brand’s refusal to allow consumers to use PINs, rather than signatures, to verify their identities during transactions with chip cards. The suit, filed this week in New York State […]

Researchers Find Private Slack Tokens Posted on GitHub

Developers building bots for Slack are including their personal access tokens in code posted on GitHub, researchers have found, a problem that could give anyone who finds the tokens access to internal Slack conversations and files. Slack is a team communications app used in many organizations to share information, files, and other data. Developers can […]

GitLab Fixes Authentication Bypass Flaw

GitLab has patched a serious authentication vulnerability that enabled any user to take over another user’s account with two-factor authentication enabled. The vulnerability was a result of the way that GitLab’s authentication flow produced one-time passwords for accounts with 2FA enabled. An attacker who knows a victim’s username and can capture network traffic could sign in […]

Facebook Releases Account Kit SDK for Authentication Without Passwords

Facebook has released a new SDK called Account Kit that enables app developers and site owners to provide a login experience without passwords. The new system, which the company announced at its developers’ conference yesterday, uses Facebook’s own infrastructure to perform authentication via SMS and email. Account Kit doesn’t require that users have a Facebook […]

New Florida Law Exempts Agencies From Reporting Some Breach Details

Florida’s governor has signed a bill that allows state agencies not to release details of data breaches and security audits if that information would “facilitate the unauthorized access, modification, disclosure or destruction of data”. The new law, which went into effect on Friday, requires that agencies still release details of breaches to a group of state law […]

Sidestepping Apple Pay Enrollment Authentication

SAN FRANCISCO–Apple has touted its Apple Pay system as a convenient, simple, and secure alternative to using physical debit or credit cards. But researchers have identified some weaknesses in the enrollment and authentication flow of the system that could have allowed attackers to add stolen cards to their own Apple Pay accounts and use them […]

The Selfie is the New Payment Biometric

Banks, credit card companies, and other financial companies are turning over every rock in an effort to fight fraud, including trying out novel authentication techniques. The latest move in this area is toward facial recognition via smartphones as a way to ensure the person making a purchase is who he claims to be. After decades […]

UVA Hit With Another Data Breach

A mistake by an employee who clicked on a link in a phishing email and unwittingly granted access to an attacker has resulted in a data breach at the University of Virginia that dates back to late 2014 and exposed personal information of about 1,400 people. The breach allowed attackers to get access to some […]