pins – Noise https://noise.getoto.net The collective thoughts of the interwebz Fri, 05 Jan 2024 14:12:43 +0000 en-US hourly 1 https://wordpress.org/?v=6.8.2 PIN-Stealing Android Malware https://noise.getoto.net/2024/01/09/pin-stealing-android-malware/ Tue, 09 Jan 2024 12:03:11 +0000 https://www.schneier.com/?p=68265 This is an old piece of malware—the Chameleon Android banking Trojan—that now disables biometric authentication in order to steal the PIN:

The second notable new feature is the ability to interrupt biometric operations on the device, like fingerprint and face unlock, by using the Accessibility service to force a fallback to PIN or password authentication.

The malware captures any PINs and passwords the victim enters to unlock their device and can later use them to unlock the device at will to perform malicious activities hidden from view.

...]]> Interesting Attack on the EMV Smartcard Payment Standard https://noise.getoto.net/2020/09/14/interesting-attack-on-the-emv-smartcard-payment-standard/ Mon, 14 Sep 2020 11:21:36 +0000 https://www.schneier.com/?p=60190 It’s complicated, but it’s basically a man-in-the-middle attack that involves two smartphones. The first phone reads the actual smartcard, and then forwards the required information to a second phone. That second phone actually conducts the transaction on the POS terminal. That second phone is able to convince the POS terminal to conduct the transaction without requiring the normally required PIN.

From a news article:

The researchers were able to demonstrate that it is possible to exploit the vulnerability in practice, although it is a fairly complex process. They first developed an Android app and installed it on two NFC-enabled mobile phones. This allowed the two devices to read data from the credit card chip and exchange information with payment terminals. Incidentally, the researchers did not have to bypass any special security features in the Android operating system to install the app...

]]>