
Security Bits – 20 October 2019

Security Medium 1 — Apple Card is not Magic

A story made a lot of news this week because it involved a physical Apple Card being skimmed. It underlines the fact that people do not understand that when they fall back to using the physical card or entering the virtual number into a website manually, they are back to using the obsolete and dangerously insecure credit card infrastructure of old. That’s why Apple went to so much trouble to make Apple Pay the default way to use the card, and why they describe the physical card and the virtual number as fallback mechanisms for when Apple Pay can’t be used.

We’ve seen two distinct types of fraud against Apple Card — cloning attacks against the magnetic strip (not the chip for “Chip & PIN”), and leaking of the virtual number after entering it online.

It’s impossible to protect the magnetic strip — that’s why most of the planet abandoned it years ago! This isn’t a problem with the Apple Card, but with the payment industry!

With the virtual number, Apple Pay users have a little more control than users of more traditional cards because they have the power to change the virtual number themselves without having to get a new card issued by their bank.

It’s also vital to remember that from a legal point of view, customers are not liable for fraudulent transactions on any credit card — so it’s American banks that literally pay the price for their own failure to move with the times!


Security Medium 2 — Safari is Not Sending URLs from Non-Chinese Browsers to Tencent 🧯

Confusion reigned for a while when Apple updated the wording of their Safari privacy statement in a way that could be interpreted as saying they send all browsing data to Chinese firm Tencent as part of their phishing protections. To cut a long story short, no, that’s not what’s happening. Chinese iPhones use Tencent for phishing protection, and other iPhones use Google.

This story revolves around an important security protection that’s enabled by default on all versions of Safari. The feature, named Fraudulent Website Warning, protects users from known phishing URLs by putting up a warning when they browse to one.

The feature relies on blacklists maintained by search providers. Google’s Safe Browsing API is probably the most comprehensive such blacklist, hence its use by just about every major browser (except Edge). Google’s API is not available in China, hence Chinese iPhones having to use an alternative service. The most comprehensive Chinese blacklist is the one maintained by Tencent, so it makes sense Apple would use it in China.

Apple have made clear that they only use Tencent in China, but we don’t have to take their word for it — security researchers have peeped under Safari’s bonnet and confirmed that the code does what Apple says it does.

The APIs for these services are also surprisingly privacy-aware. No cookies are sent, and the browser never actually sends the URLs to the blacklist providers for testing.

The way it works is that the browser periodically asks the blacklist provider to send a list of hashes of URL prefixes on which phishing URLs exist. These are hashes of parts of URLs. The browser keeps this list internally, and checks every website the user visits against it. Most of the time the prefix won’t match so the browser doesn’t need to do anything more to verify that the site is not blacklisted. If the prefix hash does match the browser asks the blacklist provider for hashes of all the full known-bad URLs with the matching prefix. The browser then checks a hash of the full URL against that more detailed list of hashes.

So, what does the provider know? Just two things: your IP address, and the prefix of a URL you visited, but not the full URL. No cookies are included in the API calls either.
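
The two-step lookup described above, as an added sketch that is not Safari's, Google's or Tencent's code. It models the "prefix" as the first few bytes of a SHA-256 of the URL; the class names, the 4-byte default and the sample URLs are assumptions of this example.

```python
import hashlib

def url_hash(url: str) -> bytes:
    """Full SHA-256 of a URL (real clients canonicalise first; omitted here)."""
    return hashlib.sha256(url.encode("utf-8")).digest()

class Provider:
    """Stand-in for the blacklist provider; records everything it is asked."""
    def __init__(self, bad_urls, prefix_len=4):
        self.prefix_len = prefix_len
        self._full = {url_hash(u) for u in bad_urls}
        self.seen = []  # prefixes received from clients: all the provider learns

    def prefix_list(self):
        """Periodic download: short prefixes only, never the full hashes."""
        return {h[:self.prefix_len] for h in self._full}

    def full_hashes(self, prefix: bytes):
        """Second step: every full known-bad hash that starts with `prefix`."""
        self.seen.append(prefix)
        return {h for h in self._full if h.startswith(prefix)}

class Browser:
    def __init__(self, provider):
        self.provider = provider
        self.prefixes = provider.prefix_list()  # cached locally

    def is_blacklisted(self, url: str) -> bool:
        h = url_hash(url)
        prefix = h[:self.provider.prefix_len]
        if prefix not in self.prefixes:
            return False  # common case: decided locally, nothing is sent
        # Prefix matched: fetch the detailed list and compare the full hash locally.
        return h in self.provider.full_hashes(prefix)

if __name__ == "__main__":
    # Constructed sample URLs, not real indicators.
    provider = Provider(["http://phish.example/login"])
    browser = Browser(provider)
    for url in ["https://www.example.org/", "http://phish.example/login"]:
        print(url, "->", "WARN" if browser.is_blacklisted(url) else "ok")
    print("provider saw:", [p.hex() for p in provider.seen])
```

A harmless URL whose prefix happens to collide with a bad one still triggers the second request, so the provider learns that prefix too, but the final verdict is always made in the browser against the full hash.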

IP addresses make very poor tracking identifiers — many humans share individual IPs, and individual humans move around between many different IPs. There simply isn’t a good mapping from single humans to single IP addresses, so they’re just not suited to reliable tracking!

I can’t see any scandal here, or indeed any cause for concern. The benefits of phishing protection far outweigh the very small privacy concerns over the purely hypothetical very inaccurate tracking the blacklist providers could deploy.


Notable Security Updates

Notable News

  • A zero-day bug has been found in Android that affects many popular Android handsets (including Google Pixels 1 & 2, Samsung Galaxies S7, S8 & S9). A patch is expected from Google in the October update, and that patch will then have to make its way to users via the relevant manufacturers. The bug is being actively exploited in the wild —… &…
  • Facebook’s Libra crypto currency suffers more defections — with the departure of Visa, Mastercard, eBay & Stripe all major payment processors have now departed —… &…
  • A flaw has been found in the Galaxy S10’s fingerprint sensor that results in it being fooled into accepting any fingerprint when used with certain screen protectors. Samsung are working on a fix, but in the meantime users should revert to another unlock mechanism —…
  • The Face Unlock feature on Google’s Pixel 4 works even when users’ eyes are closed (i.e. no attention detection like on iPhones), making it significantly less secure —…
  • Twitter have clarified their approach to politicians who break their terms of service – they still won’t delete most of their tweets or accounts, but they will put the offending tweets behind a notice users have to click through to see the tweet —…
  • Instagram have updated their apps to give users more and easier control over the data shared with third-party services they connect to their Instagram accounts —…
  • Microsoft have announced that they’ll be adding a feature to allow Xbox gamers to filter the messages they receive —…

Suggested Reading

Palate Cleansers

  • After many years of trying, security researchers have finally cracked the password used by the famous Unix co-creator Ken Thompson in 1980. It turns out to have been a great password for the time — hard to guess, but given his love of chess, easy for him to remember: p/q2-q4! (it’s so-called descriptive notation for an opening chess move). Thanks to the same set of ancient hashes we’ve known for some time that BASH author Stephen Bourne had a much more lax attitude to security since his password was bourne, as did Eric Schmidt who used his wife’s name and some exclamation marks (wendy!!!). Finally, we know that famous C-guru and Unix co-creator Brian Kernighan used the secure-looking but utterly insecure /.,/., (try typing it and you’ll see it’s no better than qwerty) —…

Note: When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
