Connect with us

Technology

Cybersecurity Researcher Says Mobile Payment Platforms Are Selling Your Data To Third-Parties

Published

on

Mobile Payment Platforms are selling your data to third-parties

Mobile payment and financial platforms are selling your data including your email, location, and transaction details to the highest third-party bidder, a tech researcher and cybersecurity expert said.

One of these mobile payment platforms is Alipay, a China-based company that “sells its customer (transaction) data to third parties for monitoring and marketing purposes.”

According to Victor Gevers, a cybersecurity adviser from GDI. Foundation, companies like Alipay, are selling their customer data to third-party clients with the highest bid and in most cases, these third-party companies cannot handle sensitive information and store them in unsecured databases.

Screenshot from @0xDUDE / Twitter

Gevers discovered one of these databases that came from Alipay. He said that he was able to find one of these databases in an unsecured MongoDB database and noted that anyone with basic training could find others within 30 minutes of trained searches.

“I train journalists, so they investigate data leaks like this themselves. Within 30 minutes, they can do exactly the same we do for investigating and reporting systems. This is too easy to find if you know how to spell company names in a search engine,” Gevers wrote in his Twitter account in response to a Tweet highlighting that anyone can get the said data.

THEY WILL SELL YOU OUT

Gevers raised concerns that financial applications and mobile intermediary like Alipay are selling their customers out.

“Payment providers will always SELL you out,” he exclaimed.

In a Tweet, he explained that Alipay sold data to a third party which uses them to calculate a credit score system to see to who they can sell their service more on another platform.

When asked how did he know that the data was from Alipay and not from some other rightful party to the transaction like the merchant or an e-commerce platform, he said that there is only one “entity who can/has access to all” and that’s Alipay. He added that if they exclude governments as the owners of the breached databases, it is easy to determine that it is the payment provider that use third parties “study/convert their own [money] transfer data into ‘research projects’ which gets sold.”

According to Gevers, one proof to his claim that Alipay owns the database that he uncovered was the rising rate of global financial institutions and payment service providers sharing their transaction data to third parties so they can “enrich” it. Gevers noted that these third parties have poor security implementations and that he and his team keep on finding open databases that have exposed the supposed trend.

The tech expert refers to the Fintech data breach that happened a month ago where 1.9 billion bank transactions from 2018 were discovered to be vulnerable after it was sold to a third-party payment provider.

In a separate tweet, he explained that all the transactions in the Fintech breach were categorized to “study” income and spending behavior of US citizens.

In a tweet he previously made last February, he revealed that 1,933,515,811 bank transactions comprising more than 2.1 TB of data are completely open for anyone to see, edit, and throw away “with a simple instruction.”

Since then, Gevers said that the leaking server had been taken down.

However, a Twitter user with the handle @MoeMoeil, refuted Gevers claims that the data leak was the fault of Alipay citing that there is no proof to that. He postulates that the information in the leak was voluntarily given out to the third party by users.

In China, the user said, many websites and companies are requiring users to submit their personal information like name, ID, phone, bankcard, and even mugshots holding their card. He claimed that he was able to locate the loan credit service provider where the leaked data came from and according the the firm’s documentation, the data was given to them by a “collaboration agency.”

“Now consider this scenario: A user wants to borrow money from a P2P-loan agency. The agency says “I need to check your Alipay transaction history first.” The user gives his Alipay account and password to the agency and the agency downloads the full history of the user… Later, this agency, being a “collaboration agency,” sells the downloaded transaction history to the financial credit investigating company,” wrote Moe Moeil as a response to Victor Gever’s tweets.

“In this case, I think Alipay shall be innocent, since the user himself surrendered the account access.”

The twitter user also noted that there is still a need to investigate how the “collaboration agency” got the data.

Meanwhile, other text experts raised the concern on Chinese cybersecurity problem. While Gevers agreed that indeed a problem is happening in China, he noted that other countries are also unsecured, thus making it a universal problem that needs to be addressed as soon as possible.

“I think the Chinese government is doing a lot to keep its citizens safe seen from their perspective. Also, outside China, many things are not safe. So it is not only a local issue but also a global issue,” he wrote.

As of yesterday, the said breached database was already partially locked down. According to Gevers, the owner of the database locked it down within an hour after he shared the screenshots of his discovery. It is not accessible to the public anymore. /apr

A consumer tech and cybersecurity journalist who does content marketing while daydreaming about having unlimited coffee for life and getting a pet llama.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Technology

This Apple Patent Secures 360-Degree Rotatable Camera For Its Watch Series

Published

on

Photo by Luke Chesser on Unsplash

The U.S. Patent and Trademark Office granted a patent for Apple that allows it to include a rotatable camera on its Apple Watch products—a revolutionary innovation to the smartwatch market.

Other brands have teased about introducing a built-in camera on their smartwatches before. However, that entails maneuvering the user’s wrist in a challenging position — proving that the technology is far from ready for launch.

Apple secured a patent that would solve the problem. The Apple Watch patent comes along with 63 newly granted patents for Apple Inc.

Apple Watch Rotatable Camera
Source: 9to5mac

The new patent opens the possibility of future Apple Watches with the ability to capture images and video via a rotatable, pull-out camera.

The patent describes the invention as similar to an extension of the Apple Watch band, where the built-in camera can be pulled out to expose and use it. Primarily, this will enable the Apple Watch user to avoid the tricky wrist-maneuvering.

“Such functionality can replace or at least meaningfully augment a user’s existing camera-enabled iPhone.”

Notably, cameras on smartwatches were initially introduced with similarities to the conventional smartphones where it is stationary on the screen. The patent describes it to have a pull-out functionality where a user can point towards the desired direction.

Furthermore, the built-in camera can even be rotated at a 360-degree angle. Meaning, a single camera can function both as a front and back camera, allowing Apple to save more space, as it is compacted on a very small device.

As described, the camera is placed on the tip of an extendable band where “an optical sensor [is] attached to or integrated within the distal end portion of the camera watch band […] and a data connection between the optical sensor and the watch body.”

The band, where the camera will be placed, is told to be flexible enough that users can manipulate it into any form via twisting and bending. A combination of a “malleable metal core” with “magnetorheological fluid,” and “mechanical links” will comprise the band to help maintain its form. This combination may also help prop the camera end to a fixed position such as bending towards the user to make FaceTime calls.

Users can take photos or record videos by pinching the camera watch band, asking Siri to do it, or by clicking on the Apple Watch screen.

2 Apple Watch with camera in band
Apple Watch Rotatable Camera
Source: Patently Apple

The latest report comes along with Apple’s plans of marketing the Apple Watch Series, as a more independent device from the rest of the company’s products such as an iPhone.

“A smartwatch with the capability of capturing images or videos may enable a user to forego carrying a smartphone when doing some activities, especially activities or environments where it would be difficult to take a smartphone (e.g., hiking, running, swimming, surfing, snowboarding, and any number of other situations),” says in its patent report.

Furthermore, Apple recently announced in its Worldwide Developer Conference that the Apple Watch is getting its own App Store with its own set of dedicated applications mainly focused on its Health functionalities.

Notably, the recent release remains to be a patent. There is no guarantee when we’re exactly going to see the built-in camera function in the Apple Watch or if we are ever going to witness it (at all).

It could yield similar results to Apple’s infamous AirPower—a wireless charging pad that can simultaneously power three devices without the need to place it in specific areas to work. The product never went into production as it proved to be challenging after all.

The future still holds the answer whether or not Apple will be able to make the camera feature with up-to-par quality. Questions regarding the camera’s quality, its strength, and durability of the camera band remain as a mystery.

On the other hand, if Apple does decide to push through with the invention and follow Apple’s standard with product quality, it could easily win over the current market, which is already dominating.

As of 2018, Apple’s Apple Watch Series still takes first place on the market for smartwatches with a total of 51% global market share. It is selling like hot pancakes as Apple’s shipments increased by 1.4 million units compared to the same quarter in the previous year, for a total of 9.2 million units shipped in Q4 2018.

Continue Reading

Politics

‘Youtube’ Removes ‘Project Veritas’ Leak Exposing The Bias Of ‘Google’ Against Trump

Is Google the only one who can prevent a “next Trump situation?” A Google exec thinks so.

Published

on

Jen Gennai said that Google is the only one that can stop Trump victory. Photo: Carlos Luna | Flickr | CC BY 2.0

As the election season approaches, Google’s video-streaming service, Youtube, took down a video that exposed the California-based technological superpower of being politically biased against the President and his bid for the next election.

The video, which has since been removed from the platform by Youtube, shows a senior employee at the company appearing to admit that the company plans to interfere in the next presidential election to stop Donald Trump.

The video is part of the Project Veritas, that has exposed numerous scandals corruption, dishonesty, self-dealing, waste, fraud, and other misconduct by private individuals, corporations, politicians and government agencies. It was founded by James O’Keefe and claimed that it aims to “further the common good and general welfare of the citizens of the United States by conducting investigations into waste, fraud, abuse, corruption, dishonesty, self-dealing and other misconduct for the purpose of educating the public, stakeholders, policymakers, and communities in order to create a more ethical and transparent society.”

Only Google can prevent “next Trump situation”

The said video is still available in the Project Veritas website and featured undercover footage of a top Google employee, Jen Gennai, who preaches that the company, Google, should not be broken up because they still need to stop the reelection of the President and only they can prevent “next Trump situation.”

“Elizabeth Warren is saying we should break up Google. And like, I love her but she’s very misguided, like that will not make it better it will make it worse, because all these smaller companies who don’t have the same resources that we do will be charged with preventing the next Trump situation, it’s like a small company cannot do that,” the video revealed appearing to be said by Gennai.

In the same video, Gennai appears also to declare that Trump’s victory in the 2016 elections “screwed us (Google).”

“We all got screwed over in 2016; again it wasn’t just us, it was, the people got screwed over, the news media got screwed over, like, everybody got screwed over, so we’re rapidly like, happened there and how do we prevent it from happening again,” she added.

“We’re also training our algorithms, like, if 2016 happened again, would we have, would the outcome be different?”

They need to change the law to force Google to change

Gennai is also strong in its stance that government pressure and intervention could not force Google to change its ways. She said that if the lawmakers want to change how Google behaves, they have to change the law.

“We got called in front of Congress multiple times, so we’ve not shown up because we know that they’re just going to attack us. We’re not going to change our; we’re not going to change our mind. There’s no use sitting there being attacked over something we know we’re not going to change. They can pressure us, but we’re not changing. But we also have to be aware of what they’re doing and what they’re accusing us of,” she said in the video.

Gennai works on “responsible innovation” in the Global Affairs division of Google — the same division run by Kent Walker, the Google VP who has declared his intention to make the populist-nationalist movement represented by Donald Trump a “blip” or “hiccup” in history, which he said, “bends towards progress.”

This rhetoric coincides and corroborated earlier leaks that exposed other top managers and officials from Google to have made similar statements involving the same sentiments.

Similar sentiments from other Google execs

Earlier this year, a Google engineer, Mike Wacker, published an email showing an official from the tech superpower telling his subordinates that the Trump election victory motivated the company’s stand on fake news.

“Also, I posted a comment on a meme regarding fake news on Search, and someone reported it to [Human Resources]. I didn’t say I was in favor or against, just cautioned that we need to be car[e]ful. My manager brought it up in our 1:1 last week. Made me feel very uncomfortable for having an opposing view. He said we need to stop hate [speech] and fake news because that’s how Trump won the election,” Wacker wrote in his post.

“I obviously didn’t say anything and just wanted it to end. I [redacted] would like to see all managers be required to take political bias training.”

Continue Reading

Technology

‘Operation Soft Cell’ Linked To State-Sponsored Chinese Hacking Group

Operation Soft Cell has been operating since 2012.

Published

on

The operation is called Operation Soft Cell. Photo: The Preiser Project | Flickr | CC BY 2.0

A Chinese-linked operation has been found to be stealing sensitive call data, including identifiable information by breaching into telecommunication network in order to gain espionage intelligence on high-value targets, a report reveals.

The operation, called Operation Soft Cell, was discovered by the cybersecurity research firm Cybereason and was said to have been operating since 2012 – which makes a total of seven years of hacking into telecom systems and networks from different countries around the world. Furthermore, researchers have also found evidence that the operations have been attacking cell networks a few years before 2012.

A state-sponsored operation

Researchers have linked the operation to a China-based hacking group APT10 as the tools, and TTPs used in the attacks are commonly associated with the Chinese threat actor. They also believed that the said attacks are state-sponsored and highly coordinated.

“We’ve concluded with a high level of certainty that the threat actor is affiliated with China and is likely state-sponsored. The tools and techniques used throughout these attacks are consistent with several Chinese threat actors, specifically with APT10, a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS),” the researchers said in the report.

The attacks, as per the tech experts, were aimed to obtain CDR records of a large telecommunications provider. The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.

Modifying attacks wave after wave to prevent being linked

And the attackers have been evolving, changing their techniques now and then to prevent the attacks from being linked to each other.

“During the persistent attack, the attackers worked in waves- abandoning one thread of attack when it was detected and stopped, only to return months later with new tools and techniques.”

The attack began with a web shell running on a vulnerable, publicly-facing server, from which the attackers gathered information about the network and propagated across the network. The hackers attempted to compromise critical assets, such as database servers, billing servers, and the active directory. As the malicious activity was detected and remediated against, the threat actor stopped the attack.

The threat actor changed activity every quarter. Photo: Cybereason

The second wave of the attack hit several months later with similar infiltration attempts, along with a modified version of the web shell and surveillance activities. This cycle is said to continue, with the attackers and white hats play a game of cat and mouse. Every time white hats corner the attackers, they stop and return with a modified attack a few more times in the next four months.

Espionage is the primary motivation

According to the researchers, they can pinpoint several motives behind this massive cyberspace intrusion. They said that as hacking operations become one of the newest frontiers of global power struggle, institutions that store a vast amount of data started to become the target. And telecommunication corporations became one of the most vulnerable sectors.

“Due to their wide availability and the fundamental service they bring, telecommunications providers have become critical infrastructure for the majority of world powers,” they wrote in the report.

“Threat actors, especially those at the level of nation state, are seeking opportunities to attack these organizations, conducting elaborate, advanced operations to gain leverage, seize strategic assets, and collect information. When successful, these attacks often have huge implications.”

Furthermore, the researchers said that when an attack as big as this and with state support, the motive is usually not financial but instead, they aim to collect data like intellectual property and sensitive information about their clients.

One of the most valuable pieces of data that telecommunications providers hold is Call Detail Records (CDRs). CDRs are a large subset of metadata that contains all details about calls, including Source, Destination, and Duration of a Call, Device Details, Physical Location, Device Vendor, and Version.

This information is invaluable for threat actors as they give them intimate knowledge of any individuals they wish to target on that network. Having this information becomes particularly valuable when nation-state threat actors are targeting foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement.

“Beyond targeting individual users, this attack is also alarming because of the threat posed by the control of a telecommunications provider. Telecommunications has become critical infrastructure for the majority of world powers. A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network,” they added.

Continue Reading

Trending