Samsung Galaxy S5 that allows hackers to clone fingerprints

Security researchers at FireEye have discovered a vulnerability in the Samsung Galaxy S5 that allows hackers to clone fingerprints.

The Samsung Galaxy S5 and other unnamed Android devices could leak user fingerprints to attackers, who can then clone them.

According to security experts at FireEye, although Samsung implements an encryption mechanism to protect the user fingerprints stored on the phone, an attacker can steal them just before they are encrypted.

Smartphones scan the user's fingerprint in order to authenticate the user; the scanned print is then compared against a copy held inside ARM TrustZone.

When the user presses a finger against the device, the TrustZone code accesses the sensor, checks the scanned print and then provides the result of the comparison back to the OS. The TrustZone code is supposed to be the only code able to read data from the sensor.

An attacker who captures the raw sensor data can steal the fingerprints, clone them and use them to impersonate the victim against other authentication services that rely on those fingerprints.

The researchers highlighted that any attacker with user-level access who can run programs as root could steal fingerprints from the device. The situation is worse on the Samsung Galaxy S5, where malware would only need system-level access.

“If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” Yulong Zhang, one of the researchers, explained to Forbes. “You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”

The good news is that the issue is fixed on devices running Android 5.0 Lollipop and higher, which is why the experts urge users to update their phones to the latest release of Google's OS.

Samsung confirmed that it is investigating the flaw in order to protect its customers.

“Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims,” confirmed a Samsung spokesperson.

The discovery is the latest in a series of problems affecting the fingerprint scanners that equip popular mobile devices.

Last year a team of experts discovered that it was possible to bypass the Samsung Galaxy S5 fingerprint scanner using a ‘crude fake fingerprint’ made from wood glue, based on a print captured with a photo.



Swivel Secure OneTouch

Swivel simplifies the authentication process with OneTouch

OneTouch is a fast two-factor authentication mobile app designed specifically for sectors in which access to critical business data is of vital importance.

Taking advantage of the growing adoption of personal mobile devices in the workplace, Swivel Secure has introduced OneTouch, a mobile app that offers faster authentication and can be used to secure access to a full range of remote environments, including virtual private networks (VPNs), websites, corporate clouds and virtual desktops.
OneTouch gives businesses a digitally optimised two-factor authentication experience that meets users' expectations of speed and convenience. Authenticating through OneTouch is up to 10 seconds faster than conventional methods, which makes it well suited to time-sensitive environments such as the healthcare, legal and retail sectors. In its simplest configuration, authentication is completed with a single touch on the user's device.

“These days it is very hard to please mobile device users, who are easily frustrated by complicated processes,” explains Chris Russell, chief technology officer at Swivel Secure. “Swivel evolves continuously to adapt to the ever-changing needs of our customers, and the launch of OneTouch is no exception. While companies modernise their IT for the mobile era, their networks face greater threats than ever; data breaches in 2014 broke every record and there is no sign that this trend will stop. OneTouch addresses both problems perfectly in a single fast, versatile mobile app.”

The free-to-download mobile app is compatible with all operating systems, including Windows. It can also be integrated with any existing Swivel deployment to give organisations more security options.


Phishing Techniques

Phishing is the method used to steal personal information through spamming or other deceptive means. There are a number of different phishing techniques used to obtain personal information from users. As technology becomes more advanced, the phishing techniques being used are also more advanced. To prevent Internet phishing, users should have knowledge of various types of phishing techniques and they should also be aware of anti-phishing techniques to protect themselves from getting phished. Let’s look at some of these phishing techniques.

Email / Spam

Phishers may send the same email to millions of users, requesting them to fill in personal details. These details will be used by the phishers for their illegal activities. Phishing with email and spam is a very common phishing scam. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, and verify accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in the email.

Web Based Delivery

Web based delivery is one of the most sophisticated phishing techniques. Also known as a “man-in-the-middle” attack, it places the attacker between the legitimate website and the user. The phisher captures details during a transaction between the legitimate website and the user; as the user continues to pass information, it is gathered by the phisher without the user knowing about it.

Instant Messaging

Instant messaging is the method in which the user receives a message with a link directing them to a fake phishing website that has the same look and feel as the legitimate website. If the user doesn’t look at the URL, it may be hard to tell the difference between the fake and legitimate websites. There, the user is asked to provide personal information on the page.

Trojan Hosts

Trojan hosts are hidden intruders on the local machine that try to log into the user’s account and collect credentials from it. The acquired information is then transmitted to the phishers.

Link Manipulation

Link manipulation is the technique in which the phisher sends a link to a website. When the user clicks on the deceptive link, it opens the phisher’s website instead of the website named in the link. One of the anti-phishing techniques used to counter link manipulation is to hover the mouse over the link to view the actual address before clicking.
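The hover check above can be automated on the receiving side: parse the anchors in an HTML message and flag any whose visible text names one site while the href actually points to another. The following is an added example written for this page, not code from the original article; the sample message, the hostnames ending in .test and .example, and the function names are all constructed for illustration.

```python
"""Detect link manipulation: anchors whose displayed text names one host but
whose href points at a different registrable domain.
Added example for this page; SAMPLE below is a constructed message."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # None while we are outside an <a>
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(value):
    """Return the lowercase hostname named by a URL or bare domain, else None.
    Plain words such as 'Click here' carry no host and return None."""
    value = value.strip()
    if "://" not in value:
        if "." not in value or " " in value:
            return None
        value = "http://" + value
    host = urlparse(value).hostname
    if not host or "." not in host or host.endswith("."):
        return None
    return host


def registrable(host):
    """Crude eTLD+1 (last two labels): enough to tell example-bank.test
    apart from example-bank.test.attacker-owned.example."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_mismatched_links(html):
    """Return a list of findings for anchors whose shown host and real host
    belong to different registrable domains."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown, actual = _host_of(text), _host_of(href)
        if shown and actual and registrable(shown) != registrable(actual):
            findings.append({"text": text, "href": href,
                             "shown_host": shown, "actual_host": actual})
    return findings


# Constructed sample: one manipulated link, one neutral link, one honest link.
SAMPLE = """
<p>Your account is on hold. Please verify at
<a href="http://example-bank.test.attacker-owned.example/login">https://www.example-bank.test/login</a></p>
<p><a href="https://www.example-bank.test/help">Help center</a></p>
<p>Visit <a href="https://www.example-bank.test/security">www.example-bank.test</a></p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE):
        print(f"suspicious: shows {f['shown_host']} but goes to {f['actual_host']}")
```

Only the first anchor is reported: its text claims www.example-bank.test while the href resolves to a host under attacker-owned.example. Anchors whose text is ordinary wording ("Help center") are skipped, since there is no displayed host to compare; the two-label registrable() helper is deliberately simple and would need a public-suffix list for domains such as co.uk.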

Key Loggers

Key loggers are malware that record input from the keyboard. The captured keystrokes are sent to the attackers, who extract passwords and other information from them. To keep key loggers from capturing personal information, some secure websites offer an on-screen virtual keyboard so that entries can be made with mouse clicks.

Session Hacking

In session hacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple form of session hacking known as session sniffing, the phisher uses a sniffer to intercept the relevant session data and then gain unauthorized access to the web server.

System Reconfiguration

Phishers may send a message whereby the user is asked to reconfigure the settings of the computer. The message may come from a web address which resembles a reliable source.

Content Injection

Content injection is the technique where the phisher changes a part of the content on the page of a reliable website. This is done to mislead the user to go to a page outside the legitimate website where the user is asked to enter personal information.

Phishing through Search Engines

Some phishing scams involve search engines, where the user is directed to product sites that offer low-cost products or services. When the user tries to buy the product by entering credit card details, the details are collected by the phishing site. There are many fake bank websites offering credit cards or loans at low rates that are in fact phishing sites.

Phone Phishing

In phone phishing, the phisher makes phone calls to the user and asks the user to dial a number. The purpose is to get personal information of the bank account through the phone. Phone phishing is mostly done with a fake caller ID.

Malware Phishing

Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to the email sent to the user by the phishers. Once the user clicks on the attachment or link, the malware starts running. Sometimes, the malware may also be bundled into downloadable files.

Phishers take advantage of weaknesses in web security services to gain sensitive information that is then used for fraudulent purposes. This is why it is always a good idea to learn about the various phishing techniques, including phishing with Trojans and spyware.