Information Security News|Cyber Security|Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper|Infosec Articles|Hacking News

Payment card industry releases new PCI DSS v4.0 security standard
https://www.securitynewspaper.com/2022/04/01/payment-card-industry-releases-new-pci-dss-v4-0-security-standard/
Fri, 01 Apr 2022 19:12:37 +0000

The post Payment card industry releases new PCI DSS v4.0 security standard appeared first on Information Security Newspaper | Hacking News.

The PCI Security Standards Council (SSC), the organization dedicated to overseeing the Payment Card Industry Data Security Standard (PCI DSS), announced the release of PCI DSS v4.0, which will replace version 3.2.1, released in 2018. With this new version of the standard, the organization seeks to address emerging threats and technologies, in addition to enabling innovative methods to combat new threats to the integrity of users’ payment information.

The new standard, detailed in a 360-page document, was created based on feedback from more than 200 members of the payments industry globally. A summary of the changes is presented in a document with technical details.

Cybersecurity specialists report that the most prominent changes in this new release include the implementation of multi-factor authentication for all access to cardholder data environments, as well as replacing the term “firewall” with “network security controls” to support a wider range of data security technologies.

The implementation of updates to the new standard could take an indefinite time, so the current version will remain active until March 2024. The PCI SSC noted that some of the new requirements are initially considered best practices, but will take effect on March 31, 2025. After this date, they will be considered in their entirety in PCI DSS assessments.

Cybersecurity specialist Tim Erlin believes this update came at an ideal time: “Any additional emphasis on secure configuration of systems is a welcome addition to cybersecurity best practices. Although the previous version of PCI DSS addressed secure configuration, its limit came to changing default passwords.”

The expert adds that the new version focuses on the Zero Trust standard for authentication and authorization, with permissions based on a dynamic analysis of security posture, providing access to resources in real time as an alternative to password rotation.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Expert shows how easy it is to hack Apple Pay and Samsung tap. They can empty bank accounts
https://www.securitynewspaper.com/2022/02/03/expert-shows-how-easy-it-is-to-hack-apple-pay-and-samsung-tap-they-can-empty-bank-accounts/
Thu, 03 Feb 2022 18:41:55 +0000

Timur Yunosov is a Russian cybersecurity researcher specializing in mobile security and payment system analysis. Working for Positive Technologies, Yunosov demonstrated how to exploit known vulnerabilities in Apple Pay to access the bank accounts of affected users without even unlocking their smartphones.

In addition to exploiting flaws in the affected payment systems, the attack also requires abuse of contactless payment terminals, eventually allowing the target device to be tricked into falsifying communication between the smartphone and an illegitimate payment terminal.

Apple’s payment system hasn’t been Yunosov’s only target of attack. In subsequent reports, the expert demonstrated how to compromise the security of a Samsung device to empty users’ accounts without having to unlock the device. While the attack works differently, the result is the same as when compromising Apple systems.

Another report notes that the same method used to compromise Apple Pay could be used to hack into a Samsung Pay account linked to Visa and MasterCard payment cards, although the flaws appear to have already been addressed.

At the time of writing, Samsung had not issued any comment on these flaws, while Apple and payment operators consider that these are not exploitable flaws, so they will most likely not receive security patches.

An Apple representative mentioned, “This is a concern with a Visa system, but they don’t believe this type of fraud can happen in the real world given the multiple layers of security in place; in the unlikely event that an unauthorized payment is recorded, Visa has the mechanisms in place for its customers to report this malicious activity.”

Visa notes, “Visa cards connected to mobile wallets are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory environments for more than a decade and have shown that they are impractical to execute at scale in the real world.”

Personal data of people who applied for France Visa gets leaked. French government confirms the incident
https://www.securitynewspaper.com/2021/09/06/personal-data-of-people-who-applied-for-france-visa-gets-leaked-french-government-confirms-the-incident/
Mon, 06 Sep 2021 19:15:05 +0000

In a joint statement, the French Ministry of Foreign Affairs and Ministry of the Interior confirmed the detection of a cybersecurity incident that resulted in the exposure of data belonging to almost 8,700 people who applied for work and tourism visas through the France-Visas website. Government entities note that this attack was launched directly against a feature of the site that receives nearly 1.5 million monthly requests.

The French government says the incident was “immediately neutralized,” though threat actors had plenty of time to extract hundreds of confidential records, including names, passport numbers and dates of birth, among other data.

On the other hand, a representative of the Ministry of Foreign Affairs points out that at the moment it is not possible to share with the press and cybersecurity community more details about the incident, which includes information such as the nationality of the affected users. It is important to clarify that the information leaked varies according to the affected users, although these details mainly refer to names and contact information.

On the security risks derived from this cyberattack, the statement notes that the information could be used for malicious purposes, although this potential misuse is limited because the leak does not include sensitive financial details as established in the General Data Protection Regulation (GDPR).

For the affected government offices, it is important to note that no malicious actor could create new applications or administrative processes on behalf of the users affected by this leak, whether they are visa applications or any other French government procedure.

The French authorities have begun to contact the affected users in order to take the corresponding security measures, in addition to claiming to be working together to prevent a similar incident from happening in the future.

Point-of-sale malware: the dangers of using credit cards at gas stations in the US, Mexico and Canada
https://www.securitynewspaper.com/2019/12/16/point-of-sale-malware-the-dangers-of-using-credit-cards-at-gas-stations-in-the-us-mexico-and-canada/
Mon, 16 Dec 2019 19:58:54 +0000

One of the main cybersecurity issues is the fast evolution and diversification of the methods used by malicious hackers, as new attack variants emerge at every moment that affect thousands of people around the world. An example of this behavior is provided by Visa, which has released a security alert warning its users about a hacker group that is infecting gas stations and pumps with a malware variant designed to steal payment card details.  

It seems that the Visa Cybersecurity and Fraud Prevention Team detected this activity over the last summer, identifying multiple attacks by sophisticated hacker groups. This campaign targeted point-of-sale systems in fuel dispensing retailers at multiple locations in the US, Mexico, and Canada.

One of the first incidents was detected in the US, where a company was the target of a phishing campaign. An employee received an email containing a link; clicking on it triggered the download of a Remote Access Trojan (RAT), which the hackers used to access the attacked network.

According to Visa’s cybersecurity team, after gaining access to the compromised point-of-sale network, the hackers injected sophisticated malware that collects payment card data. Although Visa was unable to determine how the hackers accessed the gas pump in the subsequent incidents, the reports show a mode of operation involving similar malware variants.

This is a much more sophisticated attack variant than the traditional installation of “skimming” devices in gas stations, as threat actors now resort to installing malware to gain access to the internal networks of these companies; it is important to note that Visa only detected the theft of magnetic stripe card data.

Visa’s cybersecurity team recommends that potentially affected companies transition their points of sale to chip-reading-based technology, as these devices significantly reduce the risk of theft of banking information.

A recent release by the research team of cybersecurity firm Tripwire Inc. mentions that magnetic stripe technology is still very common on credit cards, even though many other alternatives for securing these means of payment have existed for years, so card issuing companies need to work on implementing safer solutions.

Specialists from the International Institute of Cyber Security (IICS) agree with this position, as they believe that the technology used by these companies has fallen behind the requirements needed to keep payment cards out of the reach of hackers.

To conclude, the specialized ZDNet platform believes that the use of magnetic stripe is coming to its end, as they anticipate that by the end of 2020 fuel dispensing companies will have completed the transition to the use of chip-reading technology and use of PINs to transact at these points of sale. In turn, Visa also urges merchants to update their systems and create a collaborative environment to prevent large-scale credit card fraud, protecting millions of users.

Facebook Libra cryptocurrency might be shut down. MasterCard, Visa, eBay, Stripe, Mercado Pago got out of the deal
https://www.securitynewspaper.com/2019/10/14/facebook-libra-cryptocurrency-might-be-shut-down-mastercard-visa-ebay-stripe-mercado-pago-got-out-of-the-deal/
Mon, 14 Oct 2019 22:16:56 +0000

Apparently one of Facebook’s most ambitious projects is running out of support. Cybersecurity specialists report that some large payment management companies, such as MasterCard, Visa, eBay, Stripe and Mercado Pago have decided to abandon the Libra Project, the cryptocurrency developed by the social network.

Apparently these companies are following the example of PayPal, which in previous days announced that it would abandon the project. Financial Times experts believe this to be a severe blow to Facebook and its intentions to develop a massively and globally used means of payment. With the exception of the Dutch firm PayU, all payment management companies that had shown interest in Libra have already quit the deal.

Another factor to consider is the strict scrutiny this project is under, as legislators, entrepreneurs and regulators still have too many doubts about the use of virtual assets and their potential impact on a nation’s economy. To address some of these concerns, Mark Zuckerberg will appear before the US House of Representatives on October 23.

On the other hand, some members of the cybersecurity community consider that the inherent features of cryptocurrencies make them an efficient means of laundering money derived from criminal activities; in addition, they believe that Libra will be no exception.

Through the Libra Association, an entity that Facebook established to manage any matter related to the project, the social network stated: “We appreciate the support for the consolidation of the Libra Project; even though the structure of the project may change over time we firmly believe that we will be able to consolidate a stable and growing payment network.”

David Marcus, in charge of the Libra Project, said Facebook has interpreted this incident as a “liberation”, adding that there is nothing written about the fate of the cryptocurrency. Marcus served as PayPal president before joining Facebook. 

A few days ago, specialists from the International Institute of Cyber Security (IICS) reported that France’s Ministry of Finance announced a kind of boycott against the use of Libra throughout the European Union, leading the cybersecurity community and virtual asset enthusiasts to foresee an uncertain future for this project.

Cyber security Trends|12 June 19
https://www.securitynewspaper.com/2019/06/12/cyber-security-trends12-june-19/
Wed, 12 Jun 2019 14:01:52 +0000

We talk about: E.U asks for network history, vulnerabilities in Cloud hardware, SIM Swapping attacks, Artificial clicks in macOS, Apple launches access with ID.

Below are the links of the cyber security news.

1. U.S. WILL REQUEST FIVE YEARS OF SOCIAL NETWORKS TO VISA APPLICANTS

2. THE THEFT OF MONEY BY ATTACKS TO THE SIM GROWS IN AMERICA

3. VULNERABILITIES IN HARDWARE OF CLOUD COMPANIES

4. APPLE LAUNCHES IDs TO PROTECT ITS USERS

5. VULNERABILITY IN MACOS ALLOWS TO PERFORM “ARTIFICIAL CLICKS”
