Mastercard’s New Payment System Uses a Selfie for Verification

Selfies. You may know them either as the only memorabilia your friends bring from trips abroad or as the cultural shock you never really recovered from. Either way, it is a phenomenon which is here to stay, more so after being immortalized by an unlikely savior: MasterCard.

With the security paranoia and privacy needs prevalent everywhere, the company is now using selfies as a method of verifying your identity. You heard that right. Selfies are not a nuisance anymore, they can quite literally be a life-saver.

The process requires an app for work. After entering your credit card information online, it requires you to take a quite photo from the camera on your phone, which also requires you to blink to make sure the photo isn’t from a photograph. The technology used is clever enough to know whether a video is being used as a hoax verification.

So while the TouchID in your iPhone may be enough for unlocking and other simple operations for now, it is clear that corporations are searching for techniques even more reliable than your fingerprint. With Windows Hello making its way to hundreds of millions of Windows PCs, the path for Iris and other more futuristic modes of verification could get open sooner than you think.

And selfies aren’t even the only crazy verification method. MasterCard is also reportedly trialing heart-beat verification using the unique electrocardiograms of users. The method of payment could catch on as wearables featuring these intricate sensors become more commonplace.

MasterCard isn’t the only company trying out bizarre, futuristic methods. While fingerprints are increasingly getting common now, banks like HSBC are introducing voice passwords, which are set to roll out in 2017-18. ATMs in places like Japan similarly use nerves underneath the finger to allow withdrawals of cash.

As for the selfie method, it should be making its way in the next 12 months although its availability could vary. And don’t deny, that’s the one you’re waiting for.

Whether Operation Self-portrait satiates the privacy hunger of the world remains to be seen but if ever you wanted to get an excuse to get in the craze (or double your snap volume), now is the time to get kicking. And you know who to thank

Russian UnderGroud VSkimmer Botnet Targeting E-Payment

A new botnet emerged from underground and is menacing payment world, the cyber threat dubbed vSkimmer come from Russia according revelation of McAfee security firm. 

The security expert Chintan Shah wrote on a blog post that during monitoring of Russian underground forum found a discussion about a Trojan for sale that can steal credit card information from Windows PC for financial transactions and credit card payments. 

vSkimmer agent is able to detect card readers on the victim’s machine and gather all the information from the Windows machines sending it to a remote control server encrypting it (Base64).

The malware collects the following information from the infected machine and sends it to the control server:

• Machine GUID from the Registry
• Locale info
• Username
• Hostname
• OS version

The vSkimmer malware indicated as the successor of the popular Dexter, a financial malware that targeted Point-of-Sale systems to grab card data as it transmitted during sales flow.

Dexter is responsible for the loss of nearly 80,000 credit card records and data breach of payment card data of Subway restaurants in 2012.

According security researchers at McAfee vSkimemr appeared in the underground forum since February and it could be an ongoing project.

vSkimmer appears more sophisticated of Dexter despite it is easier to use, vSkimmer is an advanced tool to steal credit card data from Windows hosts.

Exactly as its predecessor Dexter, vSkimmer is completely undetectable on the compromised host. vSkimmer waits for a named USB device to be attached to the compromised machine and once detected it the malware dumps the collected data to the removable device. 

“vSkimmer can also grab the Track 2 data stored on the magnetic strip of the credit cards. This track stores all the card information including the card number.”

To be precise on Track 2 was stored card number, three-digit CVV code, and expiration date are stored, all necessary to qualify card in payment processes.

On credit card information grabbing the post states:

“VSkimmer maintains the white listed process, which it skips while enumerating the running processes on the infected machine.Once vSkimmer finds any running process not in the white list, it runs Open Process and Read Process Memory to read the memory pages of the process and invokes the pattern-matching algorithm to match the regular expression “?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??”)” and extract the card info read by the payment devices. This is done recursively for every process running in the infected machine and not on the white list.”

VSkimmer demonstrated the great interest of cyber crime in payments sector institutions have already been attacked in the past by malicious code such as Zeus and SpyEye and this case is just “another example of how financial fraud is actively evolving and how financial Trojans were developed and passed around in the underground community.” This botnet is particularly interesting because it directly targets card-payment terminals running Windows,” Shah explained in his post, I found really interesting the fact that the offer of similar malware in the underground is increasing and their model of sale is reaching level of excellence never seen first ... we face difficult times.