Three New Cyber Threats - May Edition

1. Bypassing fingerprint authentication on devices

Compromising devices with access to firm systems

A new, inexpensive technique will allow cybercriminals to break into devices protected by fingerprint authentication protections.  Some smartphones allow users to access them using their fingerprints rather than a passcode.  As noted in last month’s alert on new threats to wealth management firms, the FBI has reported that criminals are increasingly targeting individuals to steal their devices and then use them to access the employee’s work email and other online accounts.

The prior alert focused on phones with passwords. Criminals will conduct “over-the-shoulder” attacks by memorizing a passcode as a targeted individual enters it into the device.  They later distract the individual and steal the device. The new technique – called “BrutePrint” – enables criminals to target phones which use fingerprints instead of passcodes and takes advantage of two vulnerabilities in the devices’ authentication technologies as well as the fingerprint sensors.

2. Android app with malware has been downloaded 421 million times from Google Play

Theft of passwords

A new malware virus called SpinOk was installed on 101 different legitimate apps offered on Google Play.  The software had been used by other developers because it was advertised as helping increase user interest in the underlying app. However, the same software also steals other information from devices with the app.

That this malware is so widespread creates a serious threat to any wealth managers who have employees that use Android devices to access company systems.  The malware will automatically export to remote server any passwords to sites accessed by the device, allowing cybercriminals to breach company systems.

3. Zero-click hacking of IOS devices

Ability to compromise Apple devices without the user having to click on a link

A widely publicized “zero-day” attack was alleged by Russia intelligence claiming that the NSA and Apple colluded to create a means of hacking an Apple device by just by sending it a text message. Normally the user is required to click on a link in the text for the device to be breached. 

Although Apple has denied any involvement, a similar-type vulnerability in the iOS operating system was previously identified by a Google engineer. After informing Apple so that the vulnerability could be identified and repaired, the engineer detailed what he had found at a major conference.

Apple smartphones are considered by many security experts to be the most secure operating system. That it can, on occasions, be so easily breached is yet another reason why wealth managers may ultimately have to shift to closed systems that can only be accessed by tightly controlled and managed company-owned laptop devices.