Information Security News|Cyber Security|Hacking Tutorial
https://www.securitynewspaper.com/

Payment card industry releases new PCI DSS v4.0 security standard
https://www.securitynewspaper.com/2022/04/01/payment-card-industry-releases-new-pci-dss-v4-0-security-standard/
Fri, 01 Apr 2022 19:12:37 +0000

The PCI Security Standards Council (SSC), the organization dedicated to overseeing the Payment Card Industry Data Security Standard (PCI DSS), announced the release of PCI DSS v4.0, which will replace version 3.2.1, released in 2018. With this new version of the standard, the organization seeks to address emerging threats and technologies, in addition to enabling innovative methods to combat new threats to the integrity of users’ payment information.

The new standard, detailed in a 360-page document, was created based on feedback from more than 200 members of the payments industry globally. A summary of the changes is presented in a document with technical details.

Cybersecurity specialists report that the most prominent changes in this new release include the implementation of multi-factor authentication for all access to cardholder data environments, as well as replacing the term “firewall” with “network security controls” to support a wider range of data security technologies.

The implementation of updates to the new standard could take an indefinite time, so the current version will remain active until March 2024. The PCI SSC noted that some of the new requirements are initially considered best practices, but will take effect on March 31, 2025. After this date, they will be considered in their entirety in PCI DSS assessments.

Cybersecurity specialist Tim Erlin believes this update came at an ideal time: “Any additional emphasis on secure configuration of systems is a welcome addition to cybersecurity best practices. Although the previous version of PCI DSS addressed secure configuration, its limit came to changing default passwords.”

The expert adds that the new version focuses on Zero Trust for authentication and authorization, permitting dynamic analysis of security posture to grant access to resources in real time as an alternative to password rotation.

Expert shows how easy it is to hack Apple Pay and Samsung tap. They can empty bank accounts
https://www.securitynewspaper.com/2022/02/03/expert-shows-how-easy-it-is-to-hack-apple-pay-and-samsung-tap-they-can-empty-bank-accounts/
Thu, 03 Feb 2022 18:41:55 +0000

Timur Yunosov is a Russian cybersecurity researcher specializing in mobile security and payment system analysis. Working for Positive Technologies, Yunosov demonstrated how to exploit known vulnerabilities in Apple Pay to access the bank accounts of affected users without even unlocking their smartphones.

In addition to exploiting flaws in the affected payment systems, the attack also requires abuse of contactless payment terminals, eventually allowing the target device to be tricked into falsifying communication between the smartphone and an illegitimate payment terminal.

Apple’s payment system hasn’t been Yunosov’s only target of attack. In subsequent reports, the expert demonstrated how to compromise the security of a Samsung device to empty users’ accounts without having to unlock the device. While the attack works differently, the result is the same as when compromising Apple systems.

Another report notes that the same method used to compromise Apple Pay could be used to hack into a Samsung Pay account linked to Visa and MasterCard payment cards, although the flaws appear to have already been addressed.

At the time of writing, Samsung had not issued any comment on these flaws, while Apple and payment operators consider that these are not exploitable flaws, so they will most likely not receive security patches.

An Apple representative mentioned, “This is a concern with a Visa system, but they don’t believe this type of fraud can happen in the real world given the multiple layers of security in place; in the unlikely event that an unauthorized payment is recorded, Visa has the mechanisms in place for its customers to report this malicious activity.”

Visa notes, “Visa cards connected to mobile wallets are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory environments for more than a decade and have shown that they are impractical to execute at scale in the real world.”

Facebook Libra cryptocurrency might be shut down. MasterCard, Visa, eBay, Stripe, Mercado Pago got out of the deal
https://www.securitynewspaper.com/2019/10/14/facebook-libra-cryptocurrency-might-be-shut-down-mastercard-visa-ebay-stripe-mercado-pago-got-out-of-the-deal/
Mon, 14 Oct 2019 22:16:56 +0000

Apparently one of Facebook’s most ambitious projects is running out of support. Cybersecurity specialists report that some large payment management companies, such as MasterCard, Visa, eBay, Stripe and Mercado Pago, have decided to abandon the Libra Project, the cryptocurrency developed by the social network.

Apparently these companies are following the example of PayPal, which in previous days announced that it would abandon the project. Financial Times experts believe this to be a severe blow to Facebook and its intentions to develop a massively and globally used means of payment. With the exception of the Dutch firm PayU, all payment management companies that had shown interest in Libra have already quit the deal.

Another factor to consider is the strict scrutiny this project is under, as legislators, entrepreneurs and regulators still have too many doubts about the use of virtual assets and their potential impact on a nation’s economy. To address some of these concerns, Mark Zuckerberg will appear before the US House of Representatives on October 23.

On the other hand, some members of the cybersecurity community consider that the inherent features of cryptocurrencies make them an efficient means of laundering money derived from criminal activities, and they believe that Libra will be no exception.

Through the Libra Association, an entity that Facebook established to manage any matter related to the project, the social network stated: “We appreciate the support for the consolidation of the Libra Project; even though the structure of the project may change over time we firmly believe that we will be able to consolidate a stable and growing payment network.”

David Marcus, in charge of the Libra Project, said Facebook has interpreted this incident as a “liberation”, adding that there is nothing written about the fate of the cryptocurrency. Marcus served as PayPal president before joining Facebook. 

A few days ago, specialists from the International Institute of Cyber Security (IICS) reported that France’s Ministry of Finance announced a kind of boycott against the use of Libra throughout the European Union, leading the cybersecurity community and virtual asset enthusiasts to foresee an uncertain future for this project.

Data breach in MasterCard; users’ personal information and credit card data was hacked
https://www.securitynewspaper.com/2019/08/22/data-breach-in-mastercard-users-personal-information-and-credit-card-data-was-hacked/
Thu, 22 Aug 2019 23:12:00 +0000

Network security specialists say that MasterCard, a major payment card operator, has suffered a data breach that exposes the personal information and card numbers of thousands of users, mainly residents of Germany; the company is investigating the incident and notifying affected customers.

Although the company remains tight-lipped about this incident, some details have gradually been leaked, so it is now possible to claim that data from 90,000 members of the ‘Priceless Specials’ bonus program has been exposed on the Internet since last Monday.

Usernames and email addresses appeared in an Excel file, in addition to the first two and last four digits of MasterCard cards. In some cases, the address and phone number of the affected customers are even included. In addition to this Excel document, another list is circulating that includes the full card numbers; according to network security experts, it is even possible to find the data of the owners of these cards by comparing both lists.

The company reportedly began sending a message signed by a spokesperson to affected users on Thursday night. The message states: “For MasterCard the security and protection of users’ personal data is a very serious matter; we are doing everything we can to determine the causes of this incident and to resolve any security flaws that are found. We’re sorry for the inconvenience caused.”

Last Monday night, MasterCard revealed that the ‘Priceless Specials’ rewards program platform would be temporarily shut down as a security measure and as part of an internal investigation for a possible third-party intrusion. The company noted that these measures would not affect any of its payment systems. 

Unsurprisingly, the MasterCard message was not very well received by affected users, who now wonder what will happen to their personal information. “More than an apology, I expect some compensation for the damage this incident may cause,” one of the affected users said in an interview with an online news platform.

Another of the victims revealed their plans to file a complaint with the Federal Data Protection and Freedom of Information Commission in Hesse State, Germany. According to network security experts, even if users lock their card for security, there are still risks arising from the leak of personal information, so the danger is not yet over.

Network security specialists from the International Institute of Cyber Security (IICS) recommend that affected users report their potentially affected cards to prevent threat actors from using them. Luckily, multiple e-commerce companies request more data to verify a person’s identity before authorizing a transaction, which slightly reduces the impact of the incident. The investigation is still ongoing, but this could be only the beginning of problems for MasterCard. Because a large amount of personal data has been involved in this incident, the company could now face severe penalties for non-compliance with data protection rules in force in the European Union, mainly the General Data Protection Regulation (GDPR).
