27 December 2021

211227 SwedBank Pay gives free Christmas Presents

 Reference:

https://zenosloim.blogspot.com/2021/09/210930-swedbank-pay-security-flaw.html


It seems that SwedBank is very generous, giving Christmas presents to anyone for free.

A similar security flaw in the SwedBank Pay payment system makes it possible to order/buy anything and pay via the SwedBank Pay (PayEx) payment system.

You'll never be invoiced.

SwedBank Pay (PayEx) was informed about the new security flaw.

17 November 2021

211117 use chemical solvents as antihacking tool


Applies to any Apple, Android, BlackBerry, Windows Phone, Java, Linux or other platform that uses a password to log in to the device, or tokens for OAuth to banking services.


Background: 

Using a password implies using a physical keyboard (e.g. BlackBerry) or a virtual keyboard drawn on the screen.

Every person has a particular way of entering a password: the timing between individual keystrokes, the pressure of each keystroke, and physiological factors such as the amount of perspiration and skin oil on the fingers, which together determine the chemical traces left on the surface of the keyboard (physical or virtual).

To date there is no device whose virtual keyboard randomly generates the layout of the individual keys.


The UV analysers that law enforcement agencies use for lifting fingerprints can map the areas of a surface carrying a specific amount of human perspiration and fat. This identifies which symbols were used in the password.


Spectrometers can measure the amount of residue, and hence the age of each individual trace. This identifies the order in which the symbols were pressed.


So your password is revealed.


More: most token-based OAuth schemes for banking services use only digits, which makes the password easier to recover.


How many people wipe the keyboard of their device with a chemical solvent after use?


So, wipe your keyboard with a chemical solvent, or DO NOT USE A PASSWORD: use only fingerprint or iris recognition for login and banking services.
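The defence the post says no device implements, a keypad whose digit-to-position mapping is reshuffled for every unlock, is easy to quantify. The following Python is an added example and not code from the original post; it assumes the post's attacker model (residue reveals which keys were touched, and every touched key was pressed at least once) and uses a constructed sample PIN. It enumerates the PINs consistent with a set of smudged keys when the attacker can assume the conventional layout, then measures how often that assumption still yields the true PIN when the layout is shuffled per unlock. The published form of this attack on touchscreens is Aviv et al., "Smudge Attacks on Smartphone Touch Screens" (USENIX WOOT 2010).

```python
# Added example (not from the original post): how much keypad residue narrows
# the PIN search, and why a per-unlock shuffled layout defeats it.
# Attacker model (the post's): residue shows WHICH key positions were touched;
# assume it says nothing about order (that is the pessimistic case for the attacker).
import itertools
import random

DIGITS = "0123456789"
FIXED_LAYOUT = tuple(DIGITS)  # conventional keypad: position i always shows digit i


def shuffled_layout(rng):
    """Keypad that draws a fresh digit-to-position permutation for every unlock.
    Pass random.SystemRandom() in real code; tests pass a seeded random.Random."""
    digits = list(DIGITS)
    rng.shuffle(digits)
    return tuple(digits)


def touched_positions(layout, pin):
    """Key positions pressed to enter `pin` on `layout`: the set that UV imaging
    or fingerprint dust on the glass would reveal."""
    return frozenset(layout.index(d) for d in pin)


def candidate_pins(assumed_layout, positions, pin_length=4):
    """Attacker enumeration: every PIN digit sits on a touched key, and every
    touched key was pressed at least once (each press leaves residue)."""
    keys = [assumed_layout[p] for p in sorted(positions)]
    return [
        "".join(p)
        for p in itertools.product(keys, repeat=pin_length)
        if set(p) == set(keys)
    ]


def attack_success_rate(pin, trials=2000, seed=None):
    """Fraction of shuffled-layout unlocks after which an attacker who assumes
    the conventional layout still has the true PIN in the candidate list."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    hits = 0
    for _ in range(trials):
        layout = shuffled_layout(rng)
        residue = touched_positions(layout, pin)  # what the glass shows
        if pin in candidate_pins(FIXED_LAYOUT, residue):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    pin = "1470"  # constructed sample PIN
    fixed = candidate_pins(FIXED_LAYOUT, touched_positions(FIXED_LAYOUT, pin))
    print(f"fixed layout: {len(fixed)} candidates out of {10 ** len(pin)}, "
          f"true PIN included: {pin in fixed}")
    print(f"shuffled layout: attacker's list still holds the PIN in "
          f"{attack_success_rate(pin, seed=1):.2%} of unlocks")
```

With the conventional layout, four distinct smudged keys leave 24 of the 10,000 four-digit PINs (fewer touched keys leave fewer still: two keys leave 14), and if the residue's age really does give the order, as the post claims, the list collapses to one. With a shuffled layout the attacker's list includes the true PIN only when the permutation happens to map the touched positions onto the same four digits, roughly 1 unlock in 210, and even then the attacker has no way to know which unlock that was; the residue also still says nothing about which digit sat at each position.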

30 September 2021

210930 SwedBank Pay security flaw



A security flaw was discovered in the SwedBank Pay (PayEx) payment system, allowing anyone to buy anything from a merchant that uses this payment system without paying in practice, because you will never be invoiced or debited by the bank.

SwedBank Pay (PayEx) was informed via secure communication about the security flaw, with a detailed description and how to remedy it.


A bug has been discovered in the PayEx payment system belonging to SwedBank, which allows services and goods to be ordered on invoice from companies that use SwedBank Pay (PayEx).

The company gets paid by SwedBank Pay (the purchase is approved via invoice), but the customer who made the purchase is never debited; instead SwedBank has to pay.

SwedBank Pay (PayEx) has been informed through secure channels about the bug, how it arises and how it can be corrected, with detailed information.

05 July 2021

210705 Kaseya or Application Specialist urgently needed

Recent Kaseya events just remind me of my comment on the SolarWinds affair:


https://zenosloim.blogspot.com/2020/12/201222-from-solar-winds-hack-to.html


Well, the same story happens again: blind and dumb trust in a well-known US software company.

Or what happens when you cut costs by outsourcing at any price and not employing your own application specialists.

In Sweden the fun is in full swing: major companies are completely or partially blocked: Coop, SJ...


I remember that when I was working as an Application Specialist at SAAB, I caused a stir when I said I had discovered hidden malware on a CD received from the renowned German company Rohde & Schwarz.

Impossible, absurd... but I was right in my assessment.


Nowadays being an Application Specialist is no longer considered important; who cares to test and reverse engineer/repack updates from Microsoft, Adobe, ... Kaseya, SolarWinds...?


Consequences? Russian hackers get rich from criminal activities and from the dumb arrogance of chiefs obsessed with cutting costs at any price.


We need Application Specialists in Windows software among others; Linux techies alone are not enough... :), because the advanced filtering firewalls from Israel's Check Point are too expensive to be affordable.

Also, not everyone uses multi-layered security solutions for email servers and intranets.





03 June 2021

210603 Google Play payment mechanism security issue - any paid app can be downloaded



I have just discovered a security issue in the Google Play payment system which makes it possible for an unauthorized person to download any paid app without payment.

Google was contacted to report the security issue and have it corrected.

19 March 2021

210319 after more than 4 years, Swedish State Authorities react in the right direction

 References:

https://zenosloim.blogspot.com/2016/02/it-services-outsourcing-between-cutting.html

https://zenosloim.blogspot.com/2017/07/transportstyrelsen-skandalen.html


Background:

During the past years, the keyword Outsourcing was the magic key for many Swedish decision-makers in government agencies, state authorities and big private companies.

Cutting costs without long-term planning and analysis became an almost catastrophic way of thinking and a 100% sure way to IT security incidents and disasters.

Now it seems that many rational analysts have made their point heard, and the result is here:

https://sverigesradio.se/artikel/regeringen-lagger-fram-ny-sakerhetslag


"Tightened security law to protect sensitive information

Published today at 10:30

The government is now proposing changes to the Protective Security Act (säkerhetsskyddslagen), which are to be reviewed by the Council on Legislation (Lagrådet).

    The purpose is to prevent sensitive information from going astray. For example, public authorities or private companies must in certain cases consult with Säpo if IT systems are to be outsourced. This can apply to activities connected to defence, energy supply, or telephone and data networks.

    If they ignore the consultation they can be punished with a fee of up to 50 million kronor."

At last...

Managers who outsource everything, including sensitive IT operations, without thinking about the consequences should also outsource their own position, so that someone more competent replaces them.





06 March 2021

210306 Microsoft Outlook.com latest massive hack

About two weeks ago something strange happened.

An email apparently sent from Microsoft Outlook servers invited me to click on a link to reconfirm the Google account configured as the recovery account for my Microsoft account.

Why strange?


1. In the case of suspicious account activity or hacking, there are well-defined alerting rules.


2. Having several accounts at Microsoft and Google, the suspicious email arrived only on certain accounts: those used for corporate purposes, which were associated with an interesting list of Contacts.


3. Analysis of the email's headers revealed only real internal IP addresses from Microsoft Outlook.

The same for the link sent to click on in order to re-verify your data.


4. Although the message said that if you did not re-verify you could no longer use the account, checking the account from a different IP and device showed that all was OK, and moreover the alleged email did not even exist, much like a so-called flash SMS.


My common sense told me to ignore the email, and that for sure something had happened inside Microsoft.


Today, the world news showed I was right.

A massive internal attack on Microsoft Outlook servers and cloud-based email services.

I can only imagine how many US and world companies and authorities using Microsoft Outlook.com services are now in big trouble.


Such a sophisticated attack and hack could only be done by a state actor: China or Russia.

Israel is not under discussion, being a US ally.


In any case, the whole affair was kept totally secret for at least 10 days.