Friday, May 27, 2011

"Fight the Urge to ‘Click Here to Get Infected’"

from McAfee blog:

Sometimes you can’t trust every link on your Twitter timeline. Yesterday, security researcher Stefan Esser tweeted the following:


Esser is the researcher who developed the Antid0te ASLR utility for jailbroken iPhones. If he helps to protect jailbroken iPhones, why would he want to infect me?

"Looking Into Google Wallet’s Security Setup"

from McAfee blog:
Google just announced its new near field communication payment service, Google Wallet. We’ve looked at Google’s NFC service and security before, but at that time the details were still scarce. Now we’ve gotten a better look at what lies within Google Wallet. It’s part service, part hardware, and part app.
[...]
The App
The Google Wallet app plays a role in storing and accessing your credit card information from the “secure element”. Unlike with your credit cards, you need to enter a PIN to initiate a tap-and-pay transaction. This step prevents the bad guys from brushing by you in a crowd to grab your info via NFC.

Android apps are relatively easy to reverse-engineer, so that would probably be the first step an attacker would take. Google says that only authorized apps will have access to the “secure element” chip, and the chip uses asymmetric encryption to authenticate access to stored secrets (credit card credentials). This implies that an attacker has a good chance of extracting the authentication key from the Google Wallet app. The next step would be to create a malicious application that emulates the official Wallet app to fool the “secure element” chip into giving up your credentials. From here, the attacker can collect account information for sale or for attempts at cloning the data to new NFC cards.

The Google Wallet app has not yet been widely released, so it’s difficult to properly identify possible weaknesses. Once it’s available on more phones, we’re bound to see more research from both the criminal element and legitimate security researchers.

Auto "Kill Switch", solving the wrong problem?

Consumer Watchdog, a consumer advocacy group, put out a report on the dangers of Internet-connected cars. They received coverage on the nigh...