Daily Archives: September 18, 2018

SN 681: The Browser Extension Ecosystem

This week we prepare for the first ever Presidential Alert unblockable nationwide text message, we examine Chrome's temporary "www" removal reversal, check out Comodo's somewhat unsavory marketing, discuss a forthcoming solution to BGP hijacking, examine California's forthcoming IoT legislation, deal with the return of Cold Boot attacks, choose not to click on a link that promptly crashes any Safari OS, congratulate Twitter on adding some auditing, check in on the Mirai Botnet's steady evolution, look at the past year's explosion in DDoS number and size, note another new annoyance brought to us by Windows 10... Then we take a look at the state of the quietly evolving web browser extension ecosystem.

We invite you to read our show notes.

Hosts: Steve Gibson and Jason Howell

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.


Risky Business #514 — New NSO Group report released and another State Department email breach. Drink!

This edition of the show features Adam Boileau and Patrick Gray discussing the week’s security news:

  • Citizen Lab drops NSO Group report
  • “Weaponised Stuxnet” claims are idiotic
  • Another State Department email breach! Drink!
  • Dutch foil planned attack against Swiss Novichok lab
  • Mirai botnet authors working for FBI
  • US telcos want to be consumer auth brokers
  • US fails to extradite “Mr Bitcoin”
  • Much, much more

This week’s show is brought to you by Remediant. They make a just-in-time access solution for privileged account management (PAM), and we’re doing something a little different in this week’s sponsor interview.

Paul Lanzi of Remediant will be along, but so will Harry Perper of MITRE corporation. Harry’s pay-cheques say MITRE, but he’s been working on a NIST project. The National Cybersecurity Center of Excellence (NCCoE) at NIST has been working on a project to provide guidance on the secure usage and management of privileged accounts. The so-called 1800-18 document is a practical guide and reference architecture for privileged account management and we’ll talk to both Harry and Paul about that after the news.

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Cyber Sleuths Find Traces of Infamous iPhone and Android Spyware ‘Pegasus’ in 45 Countries - Motherboard
HIDE AND SEEK: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries - The Citizen Lab
iOS Security Guide iOS 12 September 2018
US military given more authority to launch preventative cyberattacks - CNNPolitics
People Are Recklessly Speculating That the Massachusetts Gas Explosions Were a Stuxnet-Related Hack - Motherboard
State Department email breach exposed employees' personal information - POLITICO
Novichok poisoning: Russians expelled from Switzerland
The Mirai Botnet Architects Are Now Fighting Crime With the FBI | WIRED
U.S. Mobile Giants Want to be Your Online Identity — Krebs on Security
Senior Google Scientist Resigns Over “Forfeiture of Our Values” in China
Google Plans to Launch Censored Search Engine in China, Leaked Documents Reveal
Google's prototype Chinese search engine links searches to phone numbers | Technology | The Guardian
Vijay Boyapati on Twitter: "When I worked at Google, as an engineer on Google News, I was asked to write code to censor news articles in China (circa 2006). I refused and they took me off the project and put someone else on it. Doesn't surprise me Google is back at it. "Don't be Evil" is a Google myth.… https://t.co/1geUCURHay"
US loses extradition battle with Russia for Bitcoin kingpin | ZDNet
US lawmakers introduce bill to fight cybersecurity workforce shortage | ZDNet
Ransomware attack blacks out screens at Bristol Airport | ZDNet
Security flaw can leak Intel ME encryption keys | ZDNet
Nasty piece of CSS code crashes and restarts iPhones | ZDNet
New cold boot attack affects 'nearly all modern computers' | ZDNet
Uproar after Adobe winds down Magento rewards-based bug bounty program | ZDNet
Jason Woosley on Twitter: "The demise of #BugBounty at @Magento has been greatly exaggerated. Yesterday we announced the transition of this program to the @Adobe @HackerOne system. We failed to mention that we will continue to pay out for this incredibly valuable work. Hack on!"
Proofpoint: One month out from deadline, half of agency domains are DMARC compliant
Cloudflare’s new ‘one-click’ DNSSEC setup will make it far more difficult to spoof websites | TechCrunch
Facebook pilots new political campaign security tools — just 50 days before Election Day | TechCrunch
Facebook Broadens Its Bug Bounty to Include Third-Party Apps | WIRED
Google remotely changed the settings on a bunch of phones running Android 9 Pie - The Verge
Zero day in popular video surveillance technology goes public, unpatched
Privileged Account Management | NCCoE
fs-pam-project-description-draft.pdf

Microsoft and Imperva Collaboration Bolsters Data Compliance and Security Capabilities

This article explains how Imperva SecureSphere V13.2 has leveraged the latest Microsoft EventHub enhancements to help customers maintain compliance and security controls as regulated or sensitive data is migrated to Azure SQL database instances.

Database as a Service Benefits

Platform as a Service (PaaS) database offerings such as Azure SQL are rapidly becoming a popular option for organizations deploying databases in the cloud.

One of the benefits of Azure SQL, which is essentially a Relational Database as a Service (RDaaS), is that all of the database infrastructure administrative tasks and maintenance are taken care of by Microsoft – and this is proving to be a very compelling value proposition to many Imperva customers.

Security is a Shared Service

What you should remember with any data migration to a cloud service, is that while hardware and software platform maintenance is no longer your burden, you still retain the responsibility for security and regulatory compliance.  Cloud vendors generally implement their services in a Shared Security Model.  Microsoft explains this in a whitepaper you can read here.

To paraphrase in the extreme, Microsoft takes responsibility for the security of the cloud, while customers have responsibility for security in the cloud.

This means Microsoft provides the services and tools (such as firewalls) to secure the infrastructure (such as networking and compute machines), while you are responsible for application and database security.

Though this discussion is about how it works with Azure SQL, the table below from the Microsoft paper referenced above shows the shared responsibility progression across all of their cloud offerings.

Figure 1:  Shared responsibility model from the Microsoft Whitepaper Shared Responsibilities for Cloud Computing

Brief Description of How Continuous Azure SQL Monitoring Works

SecureSphere applies multiple services in the oversight of data hosted by Azure SQL.  The Services include but are not limited to the following:

  • Database vulnerability assessment
  • Sensitive data discovery and classification
  • User activity monitoring and audit data consolidation
  • Audit data analytics
  • Reporting

The vulnerability assessment and data discovery are done by scanning engines that have some kind of service account access to database interfaces.  The activity monitoring is done by a customizable policy engine, pre-populated with compliance and security rules for common compliance and security requirements such as separation of duties – but fully customizable for company or industry-specific requirements.

With Azure SQL, SecureSphere monitoring and audit activity leverages the Microsoft EventHub service.  Recent enhancements to EventHub, on which Microsoft and Imperva collaborated, provide a streaming interface to database log records that Imperva SecureSphere ingests, analyzes with its policy engine (and other advanced user behavior analytics), and then takes appropriate action to prioritize, flag, notify, or alert security analysts or database administrators about the issues.

Figure 2:  Database monitoring event flow for a critical security alert

Benefits of Imperva SecureSphere for Azure SQL Customers

A key benefit that a solution such as SecureSphere Database Activity Monitoring (DAM) provides is integrating the oversight of Azure SQL into a broad oversight lifecycle for all enterprise databases. With SecureSphere, here are some things you can do to ensure the security of your data in the cloud:

  • Secure Hybrid enterprise database environments: While many organizations now pursue a “cloud first” policy of locating new applications in the cloud, few are in a position to move all existing databases out of the data center, so they usually maintain a hybrid database estate – which SecureSphere easily supports.
  • Continuously monitor cloud database services: You can migrate data to the cloud without losing visibility and control. SecureSphere covers dozens of on-premises relational database types, mainframe databases, and big data platforms.  It supports Azure SQL and other RDaaS too – enabling you to always know who is accessing your data and what they are doing with it.
  • Standardize and automate security, risk management, and compliance practices: SecureSphere implements a common policy for oversight and security across all on-premises and cloud databases.  If SecureSphere detects that a serious policy violation has occurred, such as unauthorized user activity,  it can immediately alert you.  All database log records are consolidated and made available to a central management console to streamline audit discovery and produce detailed reports for regulations such as SOX, PCI DSS and more.
  • Continuously assess database vulnerabilities: SecureSphere Discovery and Assessment streamlines vulnerability assessment at the data layer. It provides a comprehensive list of over 1500 tests and assessment policies for scanning platform, software, and configuration vulnerabilities. The vulnerability assessment process, which can be fully customized, uses industry best practices such as DISA STIG and CIS benchmarks.

It’s critically important that organizations extend traditional database compliance and security controls as they migrate data to new database architectures such as Azure SQL. Imperva SecureSphere V13.2 provides a platform to incorporate oversight of Azure SQL instances into broad enterprise compliance and security processes that include both cloud and on-premises data assets.

The post Microsoft and Imperva Collaboration Bolsters Data Compliance and Security Capabilities appeared first on Blog.

CVE-2018-17111 (coinlancer)

The onlyOwner modifier of a smart contract implementation for Coinlancer (CL), an Ethereum ERC20 token, has a potential access control vulnerability. All contract users can access functions that use this onlyOwner modifier, because the comparison between msg.sender and owner is incorrect.

CVE-2018-17071 (lucky9io)

The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by eth.getStorageAt function. Also, attackers can purchase a ticket at a low price by directly calling the fallback function with small msg.value, because the developer set the currency unit incorrectly. Therefore, it allows attackers to always win and get rewards.

CVE-2018-11071 (isilon_onefs, isilonsd_edge)

Dell EMC Isilon OneFS versions 7.1.1.x, 7.2.1.x, 8.0.0.x, 8.0.1.x, 8.1.0.x and 8.1.x prior to 8.1.2 and Dell EMC IsilonSD Edge versions 8.0.0.x, 8.0.1.x, 8.1.0.x and 8.1.x prior to 8.1.2 contain a remote process crash vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to crash the isi_drive_d process by sending specially crafted input data to the affected system. This process will then be restarted.

CVE-2018-11084 (garden-runc)

Cloud Foundry Garden-runC release, versions prior to 1.16.1, prevents deletion of some app environments based on file attributes. A remote authenticated malicious user may create and delete apps with crafted file attributes to cause a denial of service for new app instances or scaling up of existing apps.

CVE-2018-13982 (smarty)

Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is prone to a path traversal vulnerability due to insufficient template code sanitization. This allows attackers controlling the executed template code to bypass the trusted directory security restriction and read arbitrary files.

Drone Assassins, Security Shaming, and Zero-Day – Hack Naked News #189

Drone assassins are cheap, deadly, and at your local store, State Department shamed, MS-ISAC releases advisory on PHP vulnerabilities, a nasty piece of CSS code, a Zero-Day bug in CCTV surveillance cameras, and FreeBSD has its own TCP-queue-of-death bug! Jason Wood's expert commentary on The Effectiveness of Publicly Shaming Bad Security!

Full Show Notes: https://wiki.securityweekly.com/HNNEp... Visit http://hacknaked.tv to get all the latest episodes!

CVE-2018-17178 (botvac_d3_connected_firmware, botvac_d4_connected_firmware, botvac_d5_connected_firmware, botvac_d6_connected_firmware, botvac_d7_connected_firmware)

An issue was discovered on Neato Botvac Connected 2.2.0 devices. They execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. Commands like forward, back, arc-left, arc-right, pivot-left, and pivot-right are executed even though the web socket replies with { "message" : "invalid authorization header" }. Without an active session, commands are still interpreted, but (except for eco-on and eco-off) have no effect, since without active driving, a driving direction does not change anything.

CVE-2018-17177 (botvac_85_firmware, botvac_d3_connected_firmware, botvac_d4_connected_firmware, botvac_d5_connected_firmware, botvac_d6_connected_firmware, botvac_d7_connected_firmware)

An issue was discovered on Neato Botvac Connected 2.2.0 and Botvac 85 1.2.1 devices. Static encryption is used for the copying of so-called "black box" logs (event logs and core dumps) to a USB stick. These logs are RC4-encrypted with a 9-character password of *^JEd4W!I that is obfuscated by hiding it within a custom /bin/rc4_crypt binary.

CVE-2018-17175 (marshmallow)

In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only").
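The failure mode described above, reduced to a self-contained Python model. This is an added example, not marshmallow's code: the `dump_*` functions, the `ROLE_FIELDS` table and the sample record are constructed for illustration, and the audit helper shows a check that catches the leak in a test suite.

```python
"""Simplified model of the empty-"only" pitfall; not marshmallow's code."""

# Constructed sample record (assumption for illustration).
USER_RECORD = {
    "id": 7,
    "email": "a@example.test",
    "password_hash": "constructed-value",
    "is_admin": False,
}

# Hypothetical role table: each role maps to the value passed as "only".
ROLE_FIELDS = {
    "admin": None,               # None: no filter, every field is exposed
    "support": ["id", "email"],
    "anonymous": [],             # empty list: intended to expose nothing
}


def dump_truthiness(record, only=None):
    """Buggy pattern: a truthiness test cannot tell [] from None."""
    if only:
        return {k: v for k, v in record.items() if k in only}
    return dict(record)          # reached for [] as well as for None


def dump_explicit(record, only=None):
    """Hardened pattern: only None means 'no filter'."""
    if only is None:
        return dict(record)
    allowed = set(only)
    unknown = allowed - set(record)
    if unknown:
        raise ValueError(f"unknown fields requested: {sorted(unknown)}")
    return {k: v for k, v in record.items() if k in allowed}


def exposed_fields(dump, role):
    """Field names a given role receives from a given dump function."""
    return sorted(dump(USER_RECORD, only=ROLE_FIELDS[role]))


def audit_roles(dump):
    """Return {role: leaked_fields} for roles that get more than their allow-list."""
    leaks = {}
    for role, only in ROLE_FIELDS.items():
        if only is None:
            continue             # unfiltered by design
        extra = set(dump(USER_RECORD, only=only)) - set(only)
        if extra:
            leaks[role] = sorted(extra)
    return leaks


if __name__ == "__main__":
    for name, fn in (("truthiness", dump_truthiness), ("explicit", dump_explicit)):
        print(name, "anonymous sees:", exposed_fields(fn, "anonymous"))
        print(name, "audit:", audit_roles(fn))
```

Running an audit like this against every role that computes its field list dynamically catches the regression regardless of which library version is installed.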

State Department email breach leaks employees’ personal data

The latest government data breach affected State Department employee emails. On September 7th, workers were notified that their personally identifiable information was obtained by an unnamed actor, according to a recent report from Politico. It apparently impacted "less than one percent" of employees and direct victims of the breach were alerted at the time. Apparently, this didn't affect classified information, so at least there's that.

Via: TechCrunch

Source: Politico

CVE-2018-11786 (karaf)

In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory; it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with ssh access to the Karaf process to read and write a large number of files as the Karaf process user.

CVE-2018-11787 (karaf)

In Apache Karaf versions prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. An optional bundle that some applications use is the Pax Web Extender Whiteboard; it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured, giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall the Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised.

Firewalls and the Need for Speed

I was looking for resources on campus network design and found these slides (pdf) from a 2011 Network Startup Resource Center presentation. These two caught my attention:



This bothered me, so I Tweeted about it.

This started some discussion, and prompted me to see what NSRC suggests for architecture these days. You can find the latest, from April 2018, here. Here is the bottom line for their suggested architecture:






What do you think of this architecture?

My Tweet has attracted some attention from the high speed network researcher community, some of whom assume I must be a junior security apprentice who equates "firewall" with "security." Long-time blog readers will laugh at that, like I did. So what was my problem with the original recommendation, and what problems do I have (if any) with the 2018 version?

First, let's be clear that I have always differentiated between visibility and control. A firewall is a poor visibility tool, but it is a control tool. It controls inbound or outbound activity according to its ability to perform in-line traffic inspection. This inline inspection comes at a cost, which is the major concern of those responding to my Tweet.

Notice how the presentation author thinks about firewalls. In the slides above, from the 2018 version, he says "firewalls don't protect users from getting viruses" because "clicked links while browsing" and "email attachments" are "both encrypted and firewalls won't help." Therefore, "since firewalls don't really protect users from viruses, let's focus on protecting critical server assets," because "some campuses can't develop the political backing to remove firewalls for the majority of the campus."

The author is arguing that firewalls are an inbound control mechanism, and they are ill-suited for the most prevalent threat vectors for users, in his opinion: "viruses," delivered via email attachment, or "clicked links."

Mail administrators can protect users from many malicious attachments. Desktop anti-virus can protect users from many malicious downloads delivered via "clicked links." If that is your worldview, of course firewalls are not important.

His argument for firewalls protecting servers is, implicitly, that servers may offer services that should not be exposed to the Internet. Rather than disabling those services, or limiting access via identity or local address restrictions, he says a firewall can provide that inbound control.

These arguments completely miss the point that firewalls are, in my opinion, more effective as an outbound control mechanism. For example, a firewall helps restrict adversary access to his victims when they reach outbound to establish post-exploitation command and control. This relies on the firewall identifying the attempted C2 as being malicious. To the extent intruders encrypt their C2 (and sites fail to inspect it) or use covert mechanisms (e.g., C2 over Twitter), firewalls will be less effective.

The previous argument assumes admins rely on the firewall to identify and block malicious outbound activity. Admins might alternatively identify the activity themselves, and direct the firewall to block outbound activity from designated compromised assets or to designated adversary infrastructure.

As some Twitter responders said, it's possible to do some or all of this without using a stateful firewall. I'm aware of the cool tricks one can play with routing to control traffic. Ken Meyers and I wrote about some of these approaches in 2005 in my book Extrusion Detection. See chapter 5, "Layer 3 Network Access Control."

Implementing these non-firewall-based security choices requires a high degree of diligence, which requires visibility. I did not see this emphasized in the NSRC presentation. For example:


These are fine goals, but I don't equate "manageability" with visibility or security. I don't think "problems and viruses" captures the magnitude of the threat to research networks.

The core of the reaction to my original Tweet is that I don't appreciate the need for speed in research networks. I understand that. However, I can't understand the requirement for "full bandwidth, un-filtered access to the Internet." That is a recipe for disaster.

On the other hand, if you define partner specific networks, and allow essentially site-to-site connectivity with exquisite network security monitoring methods and operations, then I do not have a problem with eliminating firewalls from the architecture. I do have a problem with unrestricted access to adversary infrastructure.

I understand that security doesn't exist to serve itself. Security exists to enable an organizational mission. Security must be a partner in network architecture design. It would be better to emphasize enhanced monitoring for the networks discussed above, and think carefully about enabling speed without restrictions. The NSRC resources on the science DMZ merit consideration in this case.

CVE-2018-7991 (mate10_firmware)

Huawei smartphones Mate10 with versions earlier than ALP-AL00B 8.0.0.110(C00) have a Factory Reset Protection (FRP) bypass vulnerability. The system does not sufficiently verify the permission; an attacker uses a data cable to connect the smartphone to the computer and then performs some specific operations. A successful exploit could allow the attacker to bypass the FRP protection to access the system setting page.

CVE-2018-14642 (undertow)

An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.

CVE-2018-14641 (linux_kernel)

A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel from 4.19-rc1 to 4.19-rc3 inclusive, which can cause a later system crash in ip_do_fragment(). With certain non-default, but non-rare, configuration of a victim host, an attacker can trigger this crash remotely, thus leading to a remote denial-of-service.

Convergence is the Key to Future-Proofing Security

I published a new article today on the Oracle Security blog that looks at the benefits of convergence in the security space as the IT landscape grows more disparate and distributed.

Security professionals have too many overlapping products under management and it's challenging to get quick and complete answers across hybrid, distributed environments. It's challenging to fully automate detection and response. There is too much confusion about where to get answers, not enough talent to cover the skills requirement, and significant hesitation to put the right solutions in place because there's already been so much investment.

Here are a couple of excerpts:
Here’s the good news: Security solutions are evolving toward cloud, toward built-in intelligence via Machine Learning, and toward unified, integrated-by-design platforms. This approach eliminates the issues of product overlap because each component is designed to leverage the others. It reduces the burden related to maintaining skills because fewer skills are needed and the system is more autonomous. And, it promotes immediate and automated response as opposed to indecision. While there may not be a single platform to replace all 50 or 100 of your disparate security products today, platforms are emerging that can address core security functions while simplifying ownership and providing open integration points to seamlessly share security intelligence across functions.
 ...
 Forward-looking security platforms will leverage hybrid cloud architecture to address hybrid cloud environments. They’re autonomous systems that operate without relying on human maintenance, patching, and monitoring. They leverage risk intelligence from across the numerous available sources. And then they rationalize that data and use Machine Learning to generate better security intelligence and feed that improved intelligence back to the decision points. And they leverage built-in integration points and orchestration functionality to automate response when appropriate.
Click to read the full article: Convergence is the Key to Future-Proofing Security

Mobile and Digital Payments: Worth the Risk?

Thanks in part to the convenience that our mobile devices provide for us, much of the world operates now on instant gratification. From accessing information on the web to doing work –and now sending and receiving digital payments– our devices and applications support us while we’re on the go. Whether we’re paying a friend for dinner, our roommate for rent, or otherwise, many of us use peer-to-peer (P2P) mobile and digital payment apps rather than cash to settle our bills.

P2P mobile and digital payment apps like Cash App, PayPal, Venmo, and Zelle have changed the way we transfer money; today it’s faster, simpler, and easier than ever. In fact, they’re so popular that it’s estimated that in 2018, $700 billion will be transferred in this manner. With so much money being sent and received in this way, the ease of transfer begs the question, how secure are these apps?

While some have turned to using cryptocurrency and blockchain to curtail the known dangers of traditional mobile payment apps, recent cryptojacking incidents have proven that even this new technology is not foolproof when it comes to cybersecurity and the determination of cybercriminals. And while the convenience of digital payments can’t be denied, we seem to be prioritizing ease of use over security. Let’s take a look at how digital payments work, as well as their security implications.

How Digital Payments Work

P2P apps like Venmo, Cash App, and others essentially all work in the same way.  Functioning as a digital wallet, users link the app to their bank accounts or credit and debit cards. Then the app adds or subtracts money based on when users receive or send a payment. From there, users can “cash out” their balance to their preferred digital property, such as the account attached to a card or bank account.

P2P Money Transfer Apps and Cybersecurity Concerns

On the surface, digital money transfers may seem harmless, when in fact, they could lead to a headache of unforeseen cybersecurity concerns. The good news is that most money transfer apps will reimburse you for fraudulent charges. However, if someone has physical access to your phone and you don’t keep it locked, they can send money to themselves or others and you won’t get that money back.

Aside from the obvious concern of losing your phone, if you use an unsecured network to transfer money, it’s easier for someone to launch a phishing attack to gain access to your data. That’s because some payment apps will send request links from other users to download the app on their device. These links can be manipulated by cybercriminals and often contain just a letter or number off so that these changes go unnoticed by day-to-day users. When clicked on, a user can be redirected to a web page and presented with malware or a virus and might be prompted to download it, giving an unfriendly host access to your financial information. Thankfully, leveraging your data plan or a VPN rather than an unsecured or public Wi-Fi network can help create an extra layer of protection, making it more difficult for cybercriminals to access your sensitive data.

Lastly, there are often unforeseen holes in software that provide backdoor access to your financial information. Meticulously updating the software on your mobile device can help patch up known security issues, also making it easier to protect your data.

Tips to Stay Safe While Using Peer-to-Peer Money Transfer Apps

If you already use a peer-to-peer money transfer app or are on the fence about downloading one, here are some tips to take into account. By practicing multiple security habits simultaneously, your financial information is much more likely to remain safe on your devices and apps:

  • Set up additional security measures. P2P payment platforms require access to sensitive financial information. Check your account settings to see if you can enable multi-factor authentication, PIN/Password requirement, or use fingerprint recognition.
  • Check your preferred app’s permission or settings. Some might share information about your transactions on social media or on the platform itself, like Venmo. Make adjustments to these settings if and when you see fit.
  • Update your software and apps. It’s a best practice to update software and apps when prompted to help seal vulnerabilities when they’re found.
  • Be aware of where you are conducting your money transfers. Opt to use your data plan or a secure, private Wi-Fi network when using a P2P payment app. If you are connected to public Wi-Fi, cybercriminals could use the holes in these networks to access your personal banking information and possibly access your P2P app account. If you must use public Wi-Fi, then it’s a good idea to use a Virtual Private Network (VPN).
  • Confirm the deposit went through. When you receive a payment, that money is added to your in-system balance. This is where it will remain until you initiate the transfer to your bank account or use it for another transaction within the app. If you transfer the balance to your bank, confirm it went through. This could take anywhere from a few days to a week. If it takes longer, it’s worth investigating to stop suspicious behavior in its tracks.
  • Be wary of scammers and cybercriminals. If you don’t know the person to which you are sending a digital transfer (say to purchase tickets to an event), look for poor spelling or grammar from them and read links carefully. If something doesn’t look right, that’s often a tell-tale sign that you’re being led astray. Try to find an alternative way to pay, or better yet – find someone who is more trustworthy.

Interested in learning more about IoT and mobile security tips and trends? Stop by ProtectWhatMatters.online, and follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Mobile and Digital Payments: Worth the Risk? appeared first on McAfee Blogs.