
Tuesday, 13 June 2017

WHY AND HOW YOUR PHONE'S FINGERPRINT SECURITY CAN BE HACKED

                     
The bad news is, fingerprints can still be stolen — and unlike a passcode, you can’t change your fingerprint, so a single credential theft creates a lifetime vulnerability. What looks like a security upgrade turns out to be something much more complex.

The vulnerability lies in the fact that fingerprint-based authentication systems feature small sensors that do not capture a user's full fingerprint. Instead, they scan and store partial fingerprints, and many phones allow users to enroll several different fingers in their authentication system.

Identity is confirmed when a user's fingerprint matches any one of the saved partial prints. There could be enough similarities among different people's partial prints that one could create a "MasterPrint."

New findings published Monday by researchers at New York University and Michigan State University suggest that smartphones can easily be fooled by fake fingerprints digitally composed of many common features found in human prints. In computer simulations, the researchers from the universities were able to develop a set of artificial “MasterPrints” that could match real prints similar to those used by phones as much as 65 percent of the time.

The researchers did not test their approach with real phones, and other security experts said the match rate would be significantly lower in real-life conditions. Still, the findings raise troubling questions about the effectiveness of fingerprint security on smartphones.

Full human fingerprints are difficult to falsify, but the finger scanners on phones are so small that they read only partial fingerprints.


When a user sets up fingerprint security on an Apple iPhone or a phone that runs Google’s Android software, the phone typically takes eight to 10 images of a finger to make it easier to make a match. And many users record more than one finger — say, the thumb and forefinger of each hand.

While Google declined to comment, Apple spokesman Ryan James has said that the chance of a false match in the iPhone’s fingerprint system is 1 in 50,000. “Apple had tested various attacks when developing its Touch ID system, and also incorporated other security features to prevent false matches,” he added.

Sources:
https://security.stackexchange.com/questions/144428/how-secure-is-a-fingerprint-sensor-versus-a-standard-password

Tuesday, 30 May 2017

Millions May Have Picked Up Malware at Google Play Store


As many as 40 million Android users might have downloaded apps that were infected with the FalseGuide malware, security research firm Check Point warned on Monday.
The oldest of the infected apps could have been uploaded to Google Play as long ago as last November, having successfully remained hidden for five months, while the newest may have been uploaded as recently as the beginning of this month. The malware has infected nearly 50 guide apps for popular games.

The makers of the FalseGuide malware likely wanted it to masquerade as game guides, which are popular and actually build on the monetary success of their related apps. They require very little development time and are limited in feature implementations. 

Google so far has responded in the only way it can, by removing the infected apps from Google Play. However, given that some of these guides date back to early November, it appears that the company failed to protect its customers.
At this point there may be little users can do except reset their devices and be more cautious of what they download. However, those steps might not be enough to purge the malware.

Another malware named ‘Judy’ was found in over 41 Google Play Store apps. So far, ‘Judy’ has already infected around 8.5 million to 36.5 million Google Play Store users.
Security research firm Check Point discovered the Judy malware first and informed Google of it. Though Google has started removing the infected apps from the Play Store, the malware-affected apps have already reached a count of more than 4.5 million downloads.




So what exactly is ‘Judy’ malware, and how does it work?  

The idea with Judy malware is to create false clicks on ads, and thus boost revenue of these companies. Essentially the Judy malware bypassed Google Play Store’s protection, and the hackers created a “seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store.”

Judy malware is believed to have been created by a South Korean firm named Kiniwini. Essentially an ‘auto-clicking adware’, the malware is aimed at making money for the developers by auto-clicking on ads through the infected devices. The malware's spread is a direct threat to Google’s reputation, as the malware has been able to operate on its Google Play Store undetected for more than a year.


Saturday, 27 May 2017

HACKERS SAY THEY DEMAND $50,000 RANSOM FOR STOLEN DATA

A pair of malicious hackers say they demanded that Bell pay a $50,000 US ransom to prevent stolen customer data from being shared online, according to a person claiming responsibility for the theft.

The breach is the latest in a string of high-profile malicious hacks that have held large corporations' data for ransom. In April, a person or group who went by the name "thedarkoverlord" leaked the latest season of the Netflix TV series Orange Is the New Black, more than a month before its premiere, after the streaming service declined to pay up.

Bell previously told customers that "there is no indication that any financial, password or other sensitive personal information was accessed."
The pair demanded Bell send $50,000 US in bitcoin within 14 days of the email's receipt. In exchange, they claimed they would honour a signed contract promising "video and cryptographical evidence" of the data being "securely deleted."

Some hackers will report vulnerabilities they find to companies — sometimes in exchange for payment, or for altruistic reasons — but try to avoid doing things that might be deemed illegal, such as taking user data. The Bell breach does not appear to be one of those cases, as exodus says their actions were "highly financially motivated."