Researchers in the Netherlands are applying quantum physics in an attempt to create fraud-proof credit cards and ID cards.
The approach, which they call Quantum-Secure Authentication (QSA), centers on single particles of light, or photons, and their ability to encode data so that attackers cannot determine what the information is. It exploits a property of photons that allows them to effectively be in multiple places at once, a phenomenon described in quantum physics.
“Quantum-physical principles forbid an attacker to fully characterize the incident light pulse,” the researchers wrote in an article in the journal Optica. “Therefore, he cannot emulate the key by digitally constructing the expected optical response, even if all information about the key is publicly known.”
The researchers at the University of Twente and Eindhoven University of Technology coated a credit card with a thin layer of white paint containing millions of nanoparticles. When light hits the nanoparticles, it bounces around until it escapes, creating a unique pattern that depends on the precise position of the particles in the paint. The card is “enrolled” in the system by recording the way that it reflects light.
To authenticate the card, a bank machine showers the paint with a pulse of light that is unique to each transaction. When the correct tell-tale pattern of light emerges as an “answer” to the bank’s “question,” the card can be authenticated.
While an attacker could measure the entire incoming light pattern and then use a projector to return the correct answer, the ability of photons to be in multiple places at once allows the bank to create the complex light question with only a small number of photons, or even just one. Due to the characteristics of quantum physics, an attempt to observe the question and answer process between a reader and the card would destroy the information in the transmission, making it more secure.
“Even if somebody has the full information of how the card is built, technology does not allow him to build a copy,” lead author Pepijn Pinkse of the University of Twente said via email. “The nanoparticles are too small and there are too many of them which need to be positioned with too high accuracy.”
The approach could be used in everything from authenticating passports to opening electronic locks on car doors or accessing secure areas such as government buildings.
The No. 1 U.S. online retailer is also exploring adding a same-day delivery option on all items sold by third-party merchants on its site, a move that some logistics experts said may help offset the high costs of speedy, last-mile delivery.
The company’s global ambitions for same-day delivery were echoed in at least seven listings for senior product and marketing jobs based at the company’s headquarters in Seattle, including three posted online this week.
“Our long-term vision is that customers can order and receive a sellers’ product the same day anywhere in the world,” according to one job listing posted in late October.
It is not clear when Amazon hopes to meet its goals and how it would extend same-day delivery to more third-party sellers, who account for 40 percent of items sold on Amazon’s website and pay fees between 8 percent and 20 percent in most categories.
An Amazon spokesman declined to comment.
Amazon offers same-day delivery in just over a dozen U.S. cities, charging $5.99 for members of its Prime program while non-members pay $8.99. In October, the company launched a same-day delivery service in the United Kingdom with newspaper delivery company Connect Group PLC.
A senior product manager role advertised on Tuesday called for a candidate to shape the future of same-day delivery and “drive large worldwide projects with huge customer-facing and financial impact.”
Offering fast shipping is a key piece of Amazon’s strategy to compete with brick-and-mortar stores. But the effort is costly – during the first nine months of 2014, Amazon’s shipping costs were more than double its shipping revenue.
But the potential payoff could be big, analysts say. According to a September survey by RBC Capital Markets, just 4 percent of Amazon customers used same-day delivery, but they spent 15 percent more than others.
Amazon.com Inc will move more of its drone testing outside U.S. borders unless it gets quick permission from U.S. regulators to proceed with outdoor trials, the company said in a recent letter to the Federal Aviation Administration.
The U.S. online retailer has already started conducting outdoor tests “in other countries with regulatory environments more supportive of small (unmanned aircraft systems) innovation,” according to the letter written by Amazon vice president of global public policy Paul Misener.
Amazon says outdoor testing is crucial to developing its “Prime Air” program, which aims to use drones – small unmanned aircraft – to deliver packages in 30 minutes or less. It said it preferred to keep that testing within the United States.
In July, Amazon sought permission from the FAA to test drones in outdoor areas near Seattle, where one of its research and development labs is working on the technology, but the FAA has been slow to give its approval.
“Without approval of our testing in the United States, we will be forced to continue expanding our Prime Air R&D footprint abroad,” Misener wrote in the letter, first reported by The Wall Street Journal.
Drones are among several initiatives underway at Amazon to help control rising shipping costs and compete with brick-and-mortar stores by delivering items quickly. Amazon said there were dozens of U.S. job openings for its Prime Air division for hardware engineers and research scientists.
The company said Friday that the cardholder name, account number, expiration date, and verification code could have been stolen by hackers who apparently had access to the company’s payment processing system between Nov. 8 and 26.
The incident came to light in late November when Bebe said it noticed suspicious activity on computers that operate the payment processing system. Stores affected were the roughly 200 it operates in the U.S., Puerto Rico and the U.S. Virgin Islands.
“If you used a payment card at a U.S., Puerto Rico or U.S. Virgin Islands store during this time frame, you should review your account statements for any unauthorized activity,” it said in a message to customers.
The last couple of years have been bad ones for the safety of credit card data at major U.S. retailers. Millions of credit and debit card numbers have been compromised in breaches at retailers, including Target, Home Depot, PF Chang’s restaurants, Super Valu grocery stores, Neiman Marcus, UPS Store and others.
In many cases, the attacks were targeted at payment processing terminals and used sophisticated malware that stole card details as consumers swiped their cards. Many of the thefts were only discovered after the card numbers appeared for sale on Internet hacking forums.
Such was the case with Bebe Stores. First news of the hack came earlier this week through the closely followed Krebs on Security blog.
Amazon.com Inc has installed more than 15,000 robots across 10 U.S. warehouses, a move that looks to reduce operating costs by one-fifth and get packages out the door more quickly in the run-up to Christmas.
The orange 320-pound (145 kg) robots, which scoot around the floor on wheels, show how Amazon has adopted technology developed by Kiva Systems, a robotics company it bought for $775 million in 2012. Amazon showed off the robots ahead of Cyber Monday, the biggest online shopping day of the year.
The robots are designed to help the leading U.S. online retailer speed the time it takes to deliver items to customers and better compete with brick-and-mortar stores, where the bulk of Americans still do their shopping.
The robots also may help Amazon avoid the mishaps of last year’s holiday season, when a surge of packages overwhelmed shipping and logistics company UPS and delayed the arrival of Christmas presents around the globe. Amazon offered shipping refunds and $20 gift cards to compensate customers.
Amazon deployed the robots this summer, ahead of the key holiday quarter, when the company typically books about one-third of its annual revenue. The updated warehouses are in five states — California, Texas, Florida, New Jersey and Washington.
The move comes at a cost. Amazon estimated in June 2013 that it would spend about $46 million to install Kiva robots at its warehouse in Ruskin, Florida, including $26.1 million for the equipment, according to company filings to local government.
The Kiva robots have allowed Amazon to hold about 50 percent more items and shorten the time it takes to offer same-day delivery in several areas, said Dave Clark, senior vice president of worldwide operations and customer services.
Apple’s latest success with Apple Pay includes the addition of support from hundreds of grocery stores within six major chains in the past week: BiLo Holding, 830 stores; Harvey’s and Winn-Dixie, 530; Albertson’s and Jewel-Osco, 180; Shaws and Star Markets, 150; United Food Stores, 60; and Associated Food Stores, 135. Wegmans and Whole Foods were already part of the original 35 retail chains offering Apple Pay in an estimated 225,000 stores, about 5% of all possible U.S. retail locations.
In addition, on Thursday, American First Credit Union said its Visa card now supports Apple Pay, joining more than 500 U.S. banks already supporting the service through Visa, MasterCard and American Express cards.
In the past week, SunTrust and Regions Bank added their support.
McDonald’s has confirmed that more than 50% of its in-store mobile payments at 14,000 restaurants were made with Apple Pay in its first month. Whole Foods recently said it processed more than 150,000 Apple Pay transactions in the first three weeks of the service. And Walgreens, the national drug store chain, said in-store mobile payments had doubled since Apple Pay launched.
EBay Inc is making over its local delivery program and extending more logistics options to smaller merchants that make up the bulk of the e-commerce giant’s sprawling base of marketplace sellers, according to one of its executives.
More of eBay’s smaller sellers, including some with annual sales under $100,000, will allow shoppers to buy items online that can be picked up in stores, an option now used by big companies such as Best Buy Co Inc and Toys ‘R’ Us.
EBay also plans to dismantle its standalone mobile app for its $5 same-day delivery service “eBay Now” as soon as this week. The service will instead be folded into eBay’s mobile app and website.
“The big play in the U.S. has been around buy online, pick-up in store,” Tom Allason, head of eBay Local, said Wednesday.
The shift reflects how eBay and other technology companies, including Amazon.com Inc and Google Inc, still struggle with the high cost of same-day delivery. Only a fraction of a small retailer’s sales come from customers who also opt for same-day delivery, making it difficult to make a profit.
“That’s a part of why delivery is only one piece of the equation,” Allason said in an interview.
Earlier, the e-commerce giant intensified efforts to court retailers as it prepares to split its marketplaces division next year from PayPal, the payments unit that has been the fastest-growing part of its business.
EBay had planned to expand same-day delivery to 25 markets by the end of 2014, but it is only available in New York, San Francisco, the broader Bay Area, Dallas and Chicago.
EBay is exploring other delivery options for the United States, Germany and other markets, including the “click-and-collect” model used by Shutl in the United Kingdom, in which shoppers pick up certain eBay purchases from British retailer Argos.
The end-to-end encryption comes thanks to a collaboration between WhatsApp and Open Whisper Systems, an open-source development company focused on secure communications.
Facebook-owned WhatsApp has more than 600 million users who log in monthly, making Open Whisper’s encryption deployment the largest ever in the area of end-to-end encrypted communication, Open Whisper said.
The encryption is on by default. It’s only available for Android right now, though the companies are working to roll out support for other platforms.
End-to-end encryption has gained attention following the disclosures about government surveillance last year by former NSA contractor Edward Snowden. Meanwhile, the flood of cyber attacks targeting retailers and Internet companies alike has highlighted the need for better data security.
Edward Snowden himself has called end-to-end encryption the best possible form of encryption, because it keeps people’s data encrypted even while it’s on company servers. The data, in theory, can only be decrypted on people’s personal devices. That means outside groups must target individuals’ machines if they want to access the data.
Some other mainstream companies, such as Google, have released products to facilitate end-to-end encryption. And along with Apple, Google is also working to make encryption the default on smartphones.
But end-to-end encryption still is primarily offered by lesser known companies that don’t rely on people’s data for advertising.
WhatsApp’s end-to-end encryption uses Whisper’s TextSecure protocol, which encrypts text messages over the air and on people’s phones.
WhatsApp declined to comment further on the encryption deployment.
After two years of showing up at high-profile events wearing Google Glass, the gadget that transforms eyeglasses into spy-movie worthy technology, Google co-founder Sergey Brin arrived recently to a Silicon Valley event noticeably bare-faced. He’d left his pair in the car, Brin told a reporter. The Googler, who heads up the top-secret lab which developed Glass, has hardly given up on the product — he recently wore his pair to the beach.
But Brin’s timing is not propitious, coming as many developers and early Glass users are losing interest in the much-hyped, $1,500 test version of the product: a camera, processor and stamp-sized computer screen mounted to the edge of eyeglass frames. Google Inc itself has pushed back the Glass roll out to the mass market.
While Glass may find some specialized, even lucrative, uses in the workplace, its prospects of becoming a consumer hit in the near future are slim, many developers say.
Of 16 Glass app makers contacted by Reuters, nine said that they had stopped work on their projects or abandoned them, mostly because of the lack of customers or limitations of the device. Three more have switched to developing for business, leaving behind consumer projects.
Plenty of larger developers remain with Glass. The nearly 100 apps on the official web site include Facebook and OpenTable, although one major player recently defected: Twitter.
“If there was 200 million Google Glasses sold, it would be a different perspective. There’s no market at this point,” said Tom Frencel, the Chief Executive of Little Guy Games, which put development of a Glass game on hold this year and is looking at other platforms, including the Facebook Inc-owned virtual-reality goggles Oculus Rift.
Several key Google employees instrumental to developing Glass have left the company in the last six months, including lead developer Babak Parviz, electrical engineering chief Adrian Wong, and Ossama Alami, director of developer relations.
Sophos is betting that understaffed IT departments will want to use the cloud to deal with cyber attacks. Kris Hagerman, CEO of the computer security company, said SMBs often have small IT departments and may have no one dedicated to full-time security.
Sophos thinks the answer will be a cloud-based management console to work across its entire security portfolio, Hagerman said. The company’s UTM firewall product handles email security, endpoint and network protection, wireless, web filtering and web server defence.
The company has linked its UTM system to its endpoint protection product so the two can share data, which results in better overall security and easier management, Hagerman said. The system has been given the thumbs up from analyst outfit Gartner which said that its “ease of use consistently rates high. The interface contains general guidance on what each feature does, which is useful for SMB operators, who are not all security experts.”
Hagerman said Sophos’ end user and network businesses, its two main lines, are growing at twice the rate of the market. There isn’t a magic formula to that growth, he said.
An espionage campaign dubbed Darkhotel has been targeting travelling executives via hotel WiFi for the past four years, Kaspersky has warned, and is still active today.
According to the security firm, Darkhotel infects hotel networks with spying software which in turn infects the computers of targeted executives as soon as they connect to the hotel WiFi network.
The information-stealing malware is disguised as an update for legitimate software such as Adobe Flash, Google Toolbar or Windows Messenger, tricking the executives into installing it.
The malware then searches the computer for sensitive corporate data, cached passwords and log-in credentials.
Kaspersky notes that, once installed, Darkhotel can be used to download more advanced tools capable of stealing data, including all keystrokes.
Kurt Baumgartner, principal security researcher at Kaspersky Lab, said: “For the past few years, Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cyber criminal behaviour.
“This threat has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”
According to Kaspersky, top executives from the US and Asia are most likely to be targeted by the Darkhotel malware, in particular those in the Asia-Pacific region.
Among the victims identified by Kaspersky were executives from the private equity, pharmaceutical and electronics manufacturing industries, and figures from law enforcement, military services and non-government organisations.
Kaspersky warned that the Darkhotel malware is still active, and has advised business travellers to use a VPN, make sure that any security solution offers proactive defence against new threats, and treat software updates as suspicious.
The security firm said it is working with hotel chains to mitigate the threat.
The problem is not particularly new. Drupal warned about it earlier this month, but it still needs tackling as millions of websites may be at risk.
Drupal said that sites running version 7 really ought to have upgraded to 7.32 by now, because not doing so leaves them as open as a torn tea bag.
Initially the alert was about the threat, but the firm has updated its earlier advice and is now warning of in-the-wild attacks.
That earlier advice was about a problem in a database API. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution,” warned Drupal in a security alert.
“Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.”
More recent information from the firm points users toward the released upgrade, and informs them that attacks started not long after the initial announcement.
“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is seven hours after the announcement,” it said, adding that, even when updated, sites will have some cleaning up to do.
“If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website,” it explains.
“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”
Gavin Millard, EMEA technical director at Tenable Network Security, advised people to follow Drupal’s advice.
“The so-called ‘Drupageddon’ vulnerability could have easily led to exploitation of any systems running the vulnerable code. With such an easy to exploit flaw, the chance of exfiltration of data or further exploitation is high,” he said.
“For those who have good security controls, reviewing of logs and traffic directed at the sites following the vulnerability being announced and the patch applied is common sense and highly advisable, with appropriate action taken if indicators of compromise are found.
“For those who don’t have such a good level of security or visibility into the logs, the advice from the Drupal team should be heeded. If you don’t know if you were exploited you should assume that you have been.”
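Drupal’s advice above boils down to two checks an administrator can run against the deployed tree: is the code at 7.32 or carrying the SA-CORE-2014-005 fix, and if the fix is present, did you apply it? The script below is an added example, not Drupal’s or Tenable’s code; the location of the flaw in `includes/database/database.inc` and the one-line shape of the upstream fix are taken from the public Drupal patch rather than from this article, and the sample trees it inspects are constructed in a temp directory.

```python
"""Assess a Drupal 7 tree for the SA-CORE-2014-005 ("Drupageddon") fix."""
import os
import re
import tempfile

# Drupal 7 records its release in includes/bootstrap.inc as
#   define('VERSION', '7.32');
# The flaw lived in expandArguments() in includes/database/database.inc,
# where array keys supplied by the caller were spliced into the SQL
# placeholder string. The upstream fix iterates over array_values($data)
# so those keys can no longer reach the query text.
VERSION_RE = re.compile(r"define\('VERSION',\s*'([^']+)'\);")
FIXED_LOOP = "foreach (array_values($data) as $i => $value)"
VULN_LOOP = "foreach ($data as $i => $value)"


def parse_version(version):
    """Turn '7.32' (or '7.32-dev') into (7, 32) for comparison."""
    parts = re.findall(r"\d+", version)
    return tuple(int(p) for p in parts[:2])


def assess_drupal_root(root):
    """Return version, whether the fix is in the code, and a verdict."""
    bootstrap = os.path.join(root, "includes", "bootstrap.inc")
    database = os.path.join(root, "includes", "database", "database.inc")
    with open(bootstrap, encoding="utf-8", errors="replace") as fh:
        match = VERSION_RE.search(fh.read())
    version = match.group(1) if match else None
    with open(database, encoding="utf-8", errors="replace") as fh:
        src = fh.read()

    has_fix = FIXED_LOOP in src
    has_vuln_loop = VULN_LOOP in src and not has_fix
    version_ok = version is not None and parse_version(version) >= (7, 32)

    if version_ok and has_fix:
        verdict = "patched-release"
    elif has_fix:
        # Code is fixed but VERSION still predates 7.32: either the admin
        # applied the standalone patch, or, as Drupal's advisory warns,
        # an intruder did. Confirm against your own change records.
        verdict = "patched-backport-verify-who"
    elif has_vuln_loop:
        verdict = "vulnerable"
    else:
        verdict = "unknown-inspect-manually"
    return {"version": version, "fix_present": has_fix, "verdict": verdict}


def _write_sample_tree(version, loop_line):
    """Constructed minimal Drupal-like tree for demonstration only."""
    root = tempfile.mkdtemp(prefix="drupal7-")
    os.makedirs(os.path.join(root, "includes", "database"))
    with open(os.path.join(root, "includes", "bootstrap.inc"), "w",
              encoding="utf-8") as fh:
        fh.write("<?php\ndefine('VERSION', '%s');\n" % version)
    with open(os.path.join(root, "includes", "database", "database.inc"), "w",
              encoding="utf-8") as fh:
        fh.write("<?php\n  %s {\n    $new_keys[$key . '_' . $i] = $value;\n"
                 "  }\n" % loop_line)
    return root


if __name__ == "__main__":
    cases = (("7.31", VULN_LOOP), ("7.32", FIXED_LOOP), ("7.31", FIXED_LOOP))
    for ver, loop in cases:
        result = assess_drupal_root(_write_sample_tree(ver, loop))
        print(ver, result["verdict"])
```

Point `assess_drupal_root` at a real web root instead of the constructed trees; a `patched-backport-verify-who` verdict on a site nobody on your team patched is exactly the symptom Drupal describes.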
The banks would be major competitors to handset makers Apple and Google because unlike others pushing mobile wallet technology, such as mobile phone carriers and retailers, they already have an intimate relationship with consumers and know their spending habits.
“Banks all around the world are working on this right now,” said James Anderson, senior vice president for mobile and emerging payments at MasterCard.
Anderson didn’t name any of the banks, but said MasterCard is already in conversations with them on how to add mobile payment capability to the existing apps that millions of consumers already have on their phones.
The most likely way will be through a technology called host card emulation, which was introduced in Android 4.4 “KitKat” and allows software apps to emulate the secure element chip found on some bank cards and the iPhone 6. Using software means wider compatibility with phones than if a dedicated chip were required.
The mobile payments market had been relatively quiet until recently. Google Wallet and Softcard, a competitor backed by cellular carriers, were in the market but consumer awareness and interest appeared to be low.
That changed with the launch of Apple Pay on Oct. 20. A million cards were activated in the first three days of use and early adopters have praised its ease of use: users just need to hold their thumb over the iPhone 6 fingerprint reader and bring the device near a terminal for payment to be made.
As a result, competitors are planning their attack. Next year CurrentC, backed by some of the biggest retailers in the U.S., will launch and companies like PayPal are also hoping to expand their footprint in stores.
But an app from a bank might have an edge because it removes a potential hurdle to adoption: unease among consumers that a third party is getting access to details of the purchases they make.
Apple has stressed that it doesn’t see any of the purchases made by its users but Google’s system is set up so that all payments run through the company’s servers — giving the company an additional layer of information into the lives of its users.
A bank already has access to this information because of its nature and is presumably trusted by its customers. If a customer has a banking app on their phone, it would suggest they also have faith in the bank’s online security system.
The US Computer Emergency Response Team (US-CERT) has warned that industrial control systems (ICS) in the US have been compromised by the BlackEnergy malware for at least two years.
The BlackEnergy family of malware is believed to be the same used in the cyber attack against Georgia in 2008.
It uses a malicious decoy document to hide its activities, making it easier for the hackers to mount follow-up attacks.
US-CERT said the malware campaign is sophisticated and “ongoing”, and attackers taking advantage of it have compromised unnamed ICS operators, planting it on internet-facing human machine interfaces (HMI) including those from GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC.
It is currently unknown whether other vendors’ products have also been targeted, according to US-CERT.
“At this time, Industrial Control Systems-CERT has not identified any attempts to damage, modify or otherwise disrupt the victim systems’ control processes,” said the team in an alert.
“ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system.
“However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment.”
US-CERT describes the malware as “highly modular”, and said that not all functionality is deployed to all victims.
An analysis run by the team identified the probable initial infection vector for systems running GE’s Cimplicity HMI with a direct connection to the internet.
“Analysis of victim system artefacts has determined that the actors have been exploiting a vulnerability (CVE-2014-0751) in GE’s Cimplicity HMI product since at least January 2012,” the alert read.
On Monday, US-CERT also warned of attacks spreading the Dyre banking malware, which steals victims’ credentials.
The department said that, since mid-October, a phishing campaign had targeted “a wide variety of recipients”, but elements, such as the exploits, email themes, and claimed senders of the campaign, “vary from target to target”.
“A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services,” the alert warned.
Apple Pay, which debuted in September, is a mobile payment app that allows consumers to buy things by simply holding their iPhone 6 and 6 Plus devices up to readers installed by store merchants.
A Rite Aid spokeswoman told the New York Times that the company does not currently accept Apple Pay. The company is “still in the process of evaluating our mobile payment options.”
Rite Aid and CVS are not part of the group of retailers that had teamed up with Apple on its payment system. However, Apple Pay technology was working in Rite Aid and CVS stores over the week, the newspaper said.
The reason for the disabling was not immediately clear, the newspaper said.
According to analysts, disabling the acceptance of Apple Pay is a way to support a rival system that is being developed by Merchants Customer Exchange (MCX), a consortium of merchants that includes Rite Aid and CVS, the NYT reported.
MCX is developing CurrentC, an app that scans the bar code of the product and initiates the payment transfer by connecting to the customer’s debit card, according to MCX’s website. CurrentC will not be available until 2015.
Apple, Rite Aid and CVS could not be immediately reached for comment.