Samsung may have come up with a winning mobile-payments combination in
its new Galaxy S5 smartphone. Its fingerprint scanner could be used for
authentication, with PayPal as the trusted service provider. Consumers
aren't likely to jump to use a new payment method without being sold on
its reliability, but strong brand names together with stronger built-in
security could do the job.
Consumers love their smartphones, but a
substantial number of them don't love using them to pay for purchases.
With Samsung's introduction of its Galaxy S5 phone last week, the
company is betting it can change some of those consumers' minds on that
subject.
Like Apple's iPhone 5s, the S5 has a fingerprint scanner. Unlike the
Apple product, though, the S5's scanner can be used to pay for things.
That's because Samsung has partnered with PayPal and the FIDO Alliance
to allow S5 users to shop with a swipe anywhere PayPal is accepted.
The system will not only test the faith of S5 owners in its fingerprint scanner, but also serve as a shakedown cruise for FIDO authentication -- which, if successful, could offer a viable alternative to pesky passwords.
To do that, though, the Samsung crew will have to overcome some stiff consumer resistance.
For example, when asked about using phones for mobile payments, nearly half of consumers (49 percent) ranked security as their major concern in a survey conducted by Ovum last year.
"We think consumers will be wary and need some convincing due to security concerns," Ovum Principal Analyst Eden Zoller told TechNewsWorld. "Consumers already worried about the security of established m-payment mechanisms are likely to view a new technology and process with suspicion."
The Spoof Test
Apple already knows the pitfalls of linking biometrics to buying.
"Apple got panned immediately because its fingerprint sensor could be spoofed," explained Van L. Baker, Gartner's research vice president for mobility.
"That's true, but it's not meant to be a security vehicle. It's not meant to be a transaction vehicle," he pointed out.
"It's a convenience. You don't have to use a pass code. You can use your finger instead," Baker told TechNewsWorld.
"If Samsung is trying to upgrade it to the level of a secure transaction, then we'll have to wait to see how long it takes for someone to spoof the Samsung platform," he added. "If it's spoofable, then I won't be authorizing any transactions with it."
Powerful brands have a way of swaying consumers' sentiments, Ovum's Zoller pointed out. "Samsung is a hugely popular smartphone brand with global reach, while PayPal is a trusted payments service provider," he said. "This is a powerful combination."
Busy Bromium
A nasty malicious advertising attack on YouTube and a flaw in a Microsoft program designed to stop Zero Day attacks on Windows have been uncovered by Bromium.
The YouTube attack was particularly pernicious.
"It was incredibly scary, from what we saw," Bromium Chief Security Architect Rahul Kashyap told TechNewsWorld.
Google has addressed the problem, but what made it so frightening was that the attackers found a way to infect ads being served up to YouTube pages, and those infections could be passed on to anyone who landed on the pages.
"Everything happened behind the scenes," Kashyap said. "It was a classic drive-by download exploit."
Machines that came into contact with infected pages were fed a banking Trojan from the Caphaw family, Bromium's McEnroe Navaraj said in a company blog post. That type of malware is used to steal bank account information and drain a victim's bank accounts.
Of late, ad networks have become juicy spoils for hackers.
"These have become high value targets to leverage in an attack because you can infect millions of users with a single click," said Bromium CSA Kashyap.
Defeating EMET
Zero Day attacks are daunting to malware fighters because the forays exploit flaws that have never been seen before. A valuable weapon for combating Zero Day attacks is Microsoft's Enhanced Mitigation Toolkit -- or it was valuable until Bromium uncovered a way to bypass its scrutiny.
EMET is especially effective at identifying malware that uses a technique called "ROP" (Return Oriented Programming). Most of the in-the-wild malware uncovered in the past year used a variant of ROP techniques, according to Bromium.
What Bromium found was that EMET was good at stopping attacks where there was pre-existing memory corruption, but if it's running in the same space as some malicious code, EMET can be bypassed.
"We want people to understand the limitations of the tool," Kashyap said. "If we could do this, then hackers could as well."
Microsoft has been alerted about those limitations, and it has promised to fix them, as well as add some more weapons in EMET, when it next updates the program.










