Mobile ‘Wallets’ Attract Greater Interest From Thieves, Researchers

As mobile phones allow us to carry our money in an electronic “wallet,” they will also become a greater target for crooks. Picking a pocket is a risky endeavor for thieves, but it will be much less so if all they need to do is bump into their victims or brush by them with a mobile phone. Thieves are now more likely to go after both mobile payment software and phones enabled with near-field communications (NFC). However, things are not so bad; security researchers’ proof-of-concept (PoC) attacks against Google Wallet and Square’s credit card readers have prompted improvements in security.

Square credit card reader with American Express card
Square’s credit card readers recently added encryption for credit card data.

Security researchers have already tested Square’s credit card readers, using exploits and keyloggers to intercept credit card numbers as they pass to their mobile phones. Square has now added encryption to new versions of its credit card reader. Does that mean that they’re completely secure? Not necessarily. Security researcher Adam Laurie is taking a closer look. Laurie has a large amount of experience in reverse-engineering embedded systems and RFID hardware. His research includes finding vulnerabilities in hotel room safes, RFID passports, and chip and PIN credit cards. As word of the new, more secure Square readers arrived, he posted an open request on Twitter. This can only be good for the security of the mobile payment system.

Researcher Adam Laurie requests one of the new encrypted Square readers from his Twitter followers.

NFC-enabled contactless (“tap and pay”) credit cards are also at risk from an attacker with a specially crafted app and NFC-enabled mobile phone. Researchers at viaForensics have demonstrated a PoC NFC reader Android app that can grab the information on your credit card just by placing the phone nearby. An attacker can walk through a crowd and collect numbers and expiration dates from numerous victims. The CVV2 and other card verification numbers aren’t included, so it is more difficult for a criminal to resell stolen credit card information. Generally the CVV2 number, printed on the back of credit cards, is used to verify that online transactions are being made by someone who has the actual card. Most online shopping sites won’t allow a purchase if the customer doesn’t have that number. However, this didn’t stop viaForensics’ partner, the UK’s Channel 4 News, from being able to use this minimal card information on a popular online shopping site.

These latest phone enhancements have inspired an increasing interest in mobile payment security from both the bad guys and security researchers.

The post Mobile ‘Wallets’ Attract Greater Interest From Thieves, Researchers appeared first on McAfee Blogs.

How to Protect Your Privacy From “Leaky” Apps

Back in 2010, The Wall Street Journal was already warning us about app developers’ lack of transparency with regard to their intentions.

“An examination of 101 popular smartphone “apps”—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone’s unique device ID to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent age, gender and other personal details to outsiders. The findings reveal the intrusive effort by online-tracking companies to gather personal data about people in order to flesh out detailed dossiers on them.”

And since then, our level of engagement with mobile apps has only increased (with over 10 billion apps downloaded), while there has not been a lot of movement to prevent applications from accessing your data.

So what to do? Privacy concerns are justified, but there is a limit to how this information can be utilized. If you feel the urge to free yourself from data tracking, you could delete and avoid apps, or you could provide false information, but that could violate terms of service and might not be effective anyway.

When downloading an application, make an effort to consider what you are giving up and what you are getting in return, and to consciously decide whether that particular tradeoff is worthwhile.

You can also use mobile security software like McAfee Mobile Security that scans your installed apps to determine the level of access being granted to each of them. This feature alerts you to apps that may be quietly siphoning data and enjoying unnecessarily extensive control of your device’s functionality, so you can decide whether to keep each app or delete it.









With better insight, you can take more of your mobile security and privacy into your own hands.



Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)


QR Codes Could Deliver Malware

You’ve seen barcodes all your life, so you know what they look like: rectangular “boxes” made up of a series of vertical lines. When a cashier scans a barcode, you hear a familiar beep and you are charged for that item.

A QR code looks different and offers more functionality. QR stands for “quick response.” Smartphones can download QR readers that use the phone’s built-in camera to read these codes. When the QR code reader application is open and the camera detects a QR code, the application beeps and asks you what you want to do next.

Today we see QR codes appearing in magazine advertisements and articles, and on signs and billboards: anywhere a mobile marketer wants to allow information to be captured, whether in print or in public spaces, and to facilitate digital interaction. Pretty much anyone can create a QR code.

Unfortunately, that’s where the cybercriminals come in. While QR codes make it easy to connect with legitimate online properties, they also make it easy for hackers to distribute malware.

QR code infections are relatively new. A QR scam works because, as with a shortened URL, the link destination is obscured by the link itself. Once scanned, a QR code may link to a malicious website or download an unwanted application or mobile virus.

Here are some ways to protect yourself from falling victim to malicious QR codes:


  • Be suspicious of QR codes that offer no context explaining them. Malicious codes often appear with little or no text.
  • If you arrive on a website via a QR code, never provide your personal or login information, since it could be a phishing attempt.
  • Use a QR reader that offers you a preview of the URL that you have scanned so that you can see if it looks suspicious before you go there.
  • Use complete mobile device security software, like McAfee® Mobile Security, which includes anti-virus, anti-theft and web and app protection and can warn you of dangerous websites embedded in QR codes.
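The URL preview recommended above can be sketched as follows. This is an added example, not code from McAfee or from any QR reader; the function name, the shortener list and the warning wording are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list of URL-shortener hosts; extend it for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}


def preview_qr_payload(payload: str) -> dict:
    """Show where a scanned QR payload would lead, plus reasons to be wary."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    warnings = []

    if scheme not in ("http", "https"):
        # QR codes can also carry smsto:, WIFI: and plain-text payloads.
        kind = scheme or "plain text"
        warnings.append(f"not a web link ({kind}); check which app would open it")
        return {"scheme": scheme, "host": None, "warnings": warnings}

    host = (parts.hostname or "").lower()
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        # In http://bank.example@other.example/ the real host is other.example.
        warnings.append("text before '@' is not the destination")
    if host in SHORTENERS:
        warnings.append("shortened URL hides the real destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another name")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # an ordinary host name
    if parts.path.lower().endswith(".apk"):
        warnings.append("direct download of an Android app package")
    return {"scheme": scheme, "host": host, "warnings": warnings}
```

An empty `warnings` list only means none of these structural checks fired; it says nothing about the reputation of the destination site.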



Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)


Manage Your Privacy with Mobile App Protection

I’m at Mobile World Congress (MWC) in Barcelona, an annual event that showcases the industry’s latest innovations. This year there’s a dazzling array of new gadgets being unveiled that are smarter and faster than ever before, from Nokia’s 808 PureView, with its unprecedented 41 megapixel camera, to Samsung’s Galaxy Beam, which packs a built-in projector so you can share images, video or presentations up to 50″ wide.

Another theme here is near field communication (NFC), which has been bandied about for a while; however, it appears it will finally become useful in our daily lives. You’ll start seeing a lot more information around paying for items with your mobile soon. A number of retail outlets are upgrading their pay points to accommodate payment simply by tapping your phone on a hotspot. Beyond payments, NFC can be used for other useful things such as exchanging business cards or connecting to Wi-Fi or Bluetooth with a simple tap of your mobile phone.

Surprisingly, although there’s been a lot of news and debate about privacy, it is not a focus here at MWC. For example, do you know what types of personal and private information your apps are allowed to access? On Android, you have to accept the permissions of an app before it’s installed on your phone, but at times, it can be difficult to discern what you’ve accepted unless you thoroughly read the terms. We think you should never be surprised about the info an app is accessing, which is why we announced our App Protection product last year, and it is now integrated into our McAfee Mobile Security software solution. This feature does a few things to make sure your apps “ain’t misbehavin.” First, it takes an inventory of your installed apps and gives you a graphical depiction of their permissions. As you click on the full privacy report for each app, you’ll also see if that app is associated with any risky URLs. Finally, we will check the app against our app reputation database, which is a part of McAfee Global Threat Intelligence.
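The permission inventory described here, and in the earlier “leaky” apps post, comes down to reading the permissions each app declares in its Android manifest. The following is an added example, not McAfee's code: it assumes the manifest has already been decoded to text XML, the sample manifest is constructed, and the mapping from permissions to data categories is an assumption based on the categories the Wall Street Journal quote names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Android permission names mapped to the data categories named in the quote.
# The grouping is this example's assumption, not a McAfee rule set.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device ID",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "personal details",
    "android.permission.READ_SMS": "personal details",
}

# Constructed manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def audit_manifest(manifest_xml: str) -> dict:
    """List requested permissions and the sensitive data they can expose."""
    root = ET.fromstring(manifest_xml)
    requested = sorted({
        el.get(f"{{{ANDROID_NS}}}name", "")
        for el in root.iter("uses-permission")
    })
    exposes = sorted({SENSITIVE[p] for p in requested if p in SENSITIVE})
    # Sensitive data is only "leaky" if the app can also send it off the phone.
    has_network = "android.permission.INTERNET" in requested
    return {
        "package": root.get("package"),
        "permissions": requested,
        "exposes": exposes,
        "can_transmit": has_network and bool(exposes),
    }
```

For the sample flashlight app, the report shows device ID and location access combined with network access, which is the kind of mismatch between an app's purpose and its permissions worth questioning before keeping it.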


If you’re at MWC, and even if you’re not, “Like” us on Facebook and enter our drawing to win a Samsung Galaxy Tab with a one-year subscription of McAfee Mobile Security by clicking on the sweepstakes tab. If you are at MWC, come by the Intel booth in Hall 8 8B197 to get a gift and see McAfee Mobile Security. (Look for the McAfee reps in the bright red shirts.)

Let us know what you like at MWC. Any cool stuff?


McAfee Mobile Security Delivers at Mobile World Congress

In Barcelona, Spain on Feb. 27, 2012 McAfee unveils its series of technology advancements that deliver upon its vision of providing comprehensive mobile security and privacy protection for devices, data and apps. McAfee® Enterprise Mobility Management (EMM™) 10.0, available now, includes significant security updates for enterprise customers to enable ‘bring your own device’ practices in the enterprise. With EMM 10.0, IT professionals will have improved control to identify, secure, and assign policies to both employee- and business-owned smartphones and tablets.

The concern for IT professionals is “BYOD” (Bring Your Own Device), a term that has become widely adopted to refer to mobile workers bringing their own mobile devices, such as smartphones, tablets and PDAs, into the workplace for use and connectivity. Today, many consumers expect to be able to use personal smartphones and mobile devices at work, which is an IT concern. Many corporations that allow employees to use their own mobile devices at work implement a “BYOD policy” to help IT better manage these devices and ensure network security.

Expanded Data Security, Application Security and Ease of Administration

McAfee EMM software gives enterprises the ability to offer their employees mobile device choice, while delivering secure and easy access to mobile corporate applications. New features and functionality include:

  • Expanded Data Security: Email “Sandboxing” for iOS and an integrated Secure Container for Android, available by Q2
  • Enhanced Application Security: Application Blacklisting for Android and iOS allows the administrator to define a set of applications and block access.
  • Ease of Administration: Bulk provisioning for Android and iOS


Enhanced Protection for Consumers

McAfee® Mobile Security 2.0 for consumers offers an all-encompassing approach to mobile security and protects a user’s privacy when using smartphones and Android tablets. McAfee Mobile Security combines powerful anti-theft, antivirus, call and SMS filtering, and web and app protection. It was also recently awarded the LAPTOP Magazine Editors’ Choice award for best mobile security app.

McAfee can also be seen the week of Feb. 27 at Mobile World Congress in Barcelona, Spain at the Intel stand in Hall 8 B197 and at the RSA Conference in San Francisco, CA at McAfee booth #1117 or Intel booth #1324. Be sure if you are attending Mobile World Congress to stop by for a chance to win a Samsung Galaxy Tab!





Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)
