Latest news with #TransportLayerSecurity

Report finds low ECH use but risks from malicious actors grow

Techday NZ, 22-05-2025

Corrata has published a report examining the impact of the Encrypted Client Hello (ECH) privacy protocol on enterprise security and the adoption of the protocol by malicious actors. The Living With ECH Report analysed billions of connections made by enterprise employee mobile devices over a three-month period to assess the practical deployment and security implications of the latest privacy technology in internet communications. ECH, an extension to the most recent version of the Transport Layer Security (TLS 1.3) standard, encrypts information exchanged between devices and Content Delivery Networks, preventing network providers from identifying which websites users are trying to access.

According to Corrata's findings, actual usage of ECH by enterprise mobile devices remains infrequent, with less than 0.01% of TLS connections employing the protocol. Nonetheless, more than 9% of the top one million domains are ECH-enabled, demonstrating some groundwork for future adoption.

The report identified a notable risk associated with ECH adoption. Corrata's analysis revealed that 17% of ECH-enabled sites are classified as risky, indicating that malicious actors are already making use of the increased anonymity provided by the protocol. The risk is particularly acute for Chrome users who have encrypted DNS enabled.

Corrata stated, "ECH could degrade, not improve, privacy: Banks and other regulated entities are often required to monitor the internet traffic going into and out of their organisation. To date, these enterprises have been able to selectively decrypt traffic without looking at sensitive data like employees' health records. But with ECH blocking their filtering, enterprises would have little choice but to decrypt all internet traffic for inspection, drastically degrading employees' privacy."

The analysis highlighted the significant role played by Cloudflare in enabling ECH. Cloudflare is the only major Content Delivery Network supporting ECH, and almost all of the sites that have ECH enabled use its infrastructure. The report also noted that large website owners appear reluctant to adopt the protocol due to concerns that users may face blocks from security systems in enterprises or by public authorities. While internet service providers and enterprise security teams have reduced visibility under ECH, the protocol still allows CDNs like Cloudflare to access certain data.

Malicious actors are leveraging this infrastructure to support phishing attacks, Corrata said. "Over 90% of phishing detections use Cloudflare infrastructure, according to Corrata's analysis. In addition to the anonymity provided by ECH, these sites take advantage of other Cloudflare features. For example, the "captcha" page can be used to direct desktop traffic to the legitimate site while mobile traffic is sent to the fake one. Alternatively, traffic not coming from the targeted country may be redirected to the legitimate site. These are deliberate tactics to avoid detection by security providers."

The report also identified several barriers to widespread adoption of ECH. While 20% of devices are configured to use encrypted DNS and DNS resolvers that support ECH, the absence of support from browsers such as Safari and operating systems like Android hampers wider implementation. The adoption of ECH requires the participation of multiple industry stakeholders, each with different priorities.

Matthieu Bentot, Chief Technology Officer of Corrata, commented on the current state of adoption. "The extremely low level of ECH adoption suggests that the security community's fears that enterprise internet traffic would go dark are not yet being realised. While the potential certainly exists for ECH to become a thorn in the side of defenders, the early signs are that this is the time to prepare rather than panic."

The findings from the Living With ECH Report are based on Corrata's analysis of billions of connections made by devices running the company's mobile threat detection and response solution. The data reflects traffic from both iOS and Android devices, with Corrata tracking successful ECH connections between January and March 2025 by analysing DNS queries and TLS connection metadata.
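The report measures ECH use from DNS queries and TLS metadata. The DNS side of that measurement is shown below as an added example (not code from Corrata or the Techday article): a parser for the RDATA of a DNS HTTPS (type 65) record that reports whether the record advertises ECH via the `ech` SvcParam (key 5, RFC 9460), plus the share of ECH-enabled names over a constructed sample zone; the record bytes, names and the placeholder ECHConfigList blob are all constructed for the example.

```python
"""Spot HTTPS (DNS type 65) records that advertise Encrypted Client Hello.

Added example, not code from Corrata or the Techday article. Browsers attempt ECH
only when a site's HTTPS record carries an `ech` SvcParam (key 5, RFC 9460)
holding an ECHConfigList, so the DNS answer tells a defender which names can
hide their server name. All record bytes built below are constructed samples.
"""
import struct

ALPN_KEY = 1   # SvcParamKey "alpn"
ECH_KEY = 5    # SvcParamKey "ech": the ECHConfigList

def _read_name(data: bytes, pos: int) -> tuple[str, int]:
    """Decode an uncompressed wire-format DNS name; return (name, next_pos)."""
    labels = []
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # 0xC0.. would be a compression pointer, forbidden here
            raise ValueError("compression pointer not allowed in SVCB TargetName")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) or ".", pos

def parse_https_rdata(rdata: bytes) -> dict:
    """Parse SvcPriority, TargetName and the SvcParams of an HTTPS RR RDATA."""
    if len(rdata) < 3:
        raise ValueError("RDATA too short for an HTTPS record")
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = _read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if key <= last_key:  # RFC 9460: keys strictly increasing, no duplicates
            raise ValueError("SvcParamKeys out of order or duplicated")
        if pos + length > len(rdata):
            raise ValueError("truncated SvcParam value")
        params[key] = rdata[pos:pos + length]
        pos += length
        last_key = key
    if priority == 0:  # AliasMode: any SvcParams present MUST be ignored
        params = {}
    return {"priority": priority, "target": target, "params": params}

def advertises_ech(rdata: bytes) -> bool:
    """True when the record is ServiceMode and carries a non-empty ECHConfigList."""
    rec = parse_https_rdata(rdata)
    return rec["priority"] > 0 and len(rec["params"].get(ECH_KEY, b"")) > 0

def ech_share(records: dict[str, bytes]) -> float:
    """Fraction of names whose HTTPS record advertises ECH (0.0 for no records)."""
    if not records:
        return 0.0
    return sum(advertises_ech(r) for r in records.values()) / len(records)

def build_https_rdata(priority: int, target: str, params: dict[int, bytes]) -> bytes:
    """Encode an HTTPS RR RDATA; used here only to construct the sample records."""
    out = struct.pack("!H", priority)
    for label in target.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    out += b"\x00"
    for key in sorted(params):
        out += struct.pack("!HH", key, len(params[key])) + params[key]
    return out

# Constructed sample zone; the ech value is a placeholder blob, not a real ECHConfigList.
SAMPLE_RECORDS = {
    "shop.example.com": build_https_rdata(1, ".", {ALPN_KEY: b"\x02h2", ECH_KEY: b"\x00\x08ECHCONFG"}),
    "www.example.net": build_https_rdata(1, ".", {ALPN_KEY: b"\x02h2"}),
    "alias.example.org": build_https_rdata(0, "svc.example.net", {}),
}
```

Feeding `advertises_ech` the RDATA of each HTTPS answer seen in resolver logs gives the set of names for which a later TLS ClientHello may carry an encrypted inner SNI; `ech_share` over a zone or domain list reproduces the kind of "share of ECH-enabled domains" figure the report quotes.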

Security Features Offered by New Online Casinos

Edinburgh Reporter, 15-05-2025

New online casinos guarantee the security of their customers through the implementation of advanced security technologies and standards. The following are detailed descriptions of the principal security features such casinos typically offer.

Licensing and Regulation

New casino venues are authorized by reputable regulatory organizations such as the UK Gambling Commission, Malta Gaming Authority, or Gibraltar Regulatory Authority. Such authorities have robust measures for guaranteeing that casinos operate on an equitable basis, protect players' deposits, and uphold responsible gaming strategies. Authorization further entails that casinos undergo regular auditing and compliance visits, which enhance player confidence and ensure legal accountability.

Advanced Encryption Technology

To protect sensitive player information, new casinos use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols with 128-bit or 256-bit encryption strength. The technology encrypts data in transit between the casino servers and the player's device, so that cyber attackers cannot intercept or read personal information, login details, and financial transactions.

Two-Factor Authentication (2FA)

A majority of new casinos offer two-factor authentication as an extra layer of protection. After providing a password, users have to authenticate using a second method, such as a one-time code sent via SMS or email, or generated by an authenticator app. This extra step significantly reduces the risk of unauthorized access, even if login credentials have been compromised.

Regular Security Audits and Risk Assessments

New casinos run regular security audits and vulnerability scans, typically by independent cybersecurity firms. Such scans uncover potential vulnerabilities in the casino's infrastructure, software, and processes for immediate remediation. Regular testing keeps security controls up to date and effective against emerging cyber threats.

Cybersecurity Technologies and Protection from Threats

To safeguard themselves against cyberattacks, new casinos utilize a range of cybersecurity technologies such as:

  • Intrusion Detection and Prevention Systems (IDPS): identify and stop suspicious activity or unauthorized access attempts in network traffic.
  • Anti-Malware and Antivirus Software: protect servers and systems from viruses, ransomware, and other malware.
  • Distributed Denial of Service (DDoS) Protection: block attacks aimed at flooding casino servers, keeping service and player access uninterrupted.

Fraud Detection Using Artificial Intelligence (AI)

New online casinos employ artificial intelligence and machine learning algorithms to monitor players in real time. These technologies analyze betting trends, transaction behavior, and speed of play to detect anomalies indicative of fraud, money laundering, or collusion. Catching these early allows casinos to respond swiftly by verifying or blocking accounts, guaranteeing a fair gaming experience.

Firewall and Network Security

Firewalls are deployed to inspect and filter in-transit traffic and stop malicious attempts to access casino servers. Segmentation and hardened configurations help isolate sensitive data and reduce the attack surface exposed to a breach.

Continuous Monitoring and Account Protection

Player accounts and transactions are continuously monitored for abnormalities. Casinos will flag logins from unusual locations, abrupt increases in betting, or repeated failed login attempts. On suspicious activity, additional verification procedures such as identity confirmation or a temporary account freeze are initiated to prevent fraud.

Transparent Privacy Policies and Data Management

New casinos provide clear and understandable privacy policies describing how player data is collected, stored, and utilized. Compliance with data protection regulations like the General Data Protection Regulation (GDPR) ensures player information is handled responsibly, with options to access, correct, and remove data. Transparency builds player trust and confidence.

New online casinos offer a variety of safe payment options, including credit/debit cards, e-wallets (PayPal, Skrill), instant bank transfers, and cryptocurrencies (Bitcoin, Ethereum, etc.). These payment options are all protected by encryption and fraud protection settings, offering fast, secure, and anonymous transactions that reduce the risk of financial theft or data leakage.

New, advanced online casinos employ a comprehensive, multi-layered security system, which combines regulatory oversight, leading-edge technology, and live monitoring to protect players' money and personal information. These safeguards create a safe, fair, and pleasant gaming experience, giving confidence when choosing a modern online casino platform.

Why Is Venmo Asking Me to Register With Plaid? What You Need to Know About the Free Financial Service

CNET, 14-05-2025

If you've shared your banking login with an investing or budgeting app in the past few years, there's a good chance you've also given your data to a company called Plaid. Don't be alarmed: Plaid is a service that works behind the scenes to securely link bank accounts to financial apps. It's used by more than 12,000 financial institutions and more than 8,000 apps and payment services, like Venmo. But is Plaid safe to use, and what does it do with your banking info? Here's what you need to know.

How does Plaid work?

With your permission, Plaid allows a financial app or service to access information from your bank. Think of Plaid as the go-between, encrypting and securing data as it's sent from your bank to the app or service. For example, let's say you want to use a budgeting app like Rocket Money. Instead of manually entering your account numbers and routing numbers for your different bank accounts and inputting your transaction histories, Plaid will automatically share the data with Rocket Money so it can analyze your earning, spending and saving patterns to develop a roadmap for your finances.

Is Plaid safe to use?

Anytime you're doing anything with your banking information, you need to focus on the security features that will keep that information out of the hands of bad actors. Here's a rundown of the key features that help make Plaid safe:

  • Login and password protection: You'll need to enter your username and password for your financial institution to allow Plaid to share the account info. However, Plaid's website says it doesn't share your login info with the apps.
  • Best-in-class encryption: While Advanced Encryption Standard and Transport Layer Security are terms that may not mean much to people who don't speak cybersecurity lingo, they are both signals of Plaid's efforts to keep all information as secure as possible while it's being transmitted. It's all encrypted, meaning that outside parties cannot view your info while it's in transit.
  • Multifactor authentication: When you share your details with Plaid, expect to get a text on your phone as well. The confirmation is an additional layer of security to help Plaid verify that it's really you. Plaid says that "almost all logins" have multifactor authentication.
  • Regular audits: By inviting third-party scrutiny, Plaid can regularly and independently test its application programming interfaces (APIs) and security controls.

Additionally, Plaid says it does not sell or rent consumers' financial data. There is no record of any major data breaches with Plaid.

How do I use Plaid?

You don't really have to do much to use Plaid. The reason the service exists is to sync your personal financial data with a new company without requiring more setup on your end. If you're using Plaid, however, you'll know, because a pop-up window informs you that you will be giving Plaid permission to share certain types of data with the app or service. If you agree, you'll enter your bank login information and Plaid will connect the two systems. If you want to know what types of data you're sharing via Plaid and with what companies, you can create a Plaid Portal account. You'll share your phone number and Plaid will scour its service to display the connections you have through the service.

Can Plaid see my bank account balance and other financial data?

Once you enter your bank login details, Plaid may be able to view your account balance and share those details with another service. For example, if you're applying for a personal loan or using a new budget app, the lender or the app provider will likely need to know your account balance. Other pieces of data that Plaid can collect, use and share with other providers include:

  • Name, mailing address, phone number and email address
  • Transaction history, including date, amount, type and full description of each purchase, withdrawal or other transaction
  • Account name and account type
  • Account number
  • Routing number
  • Real-time balance

In the past, Plaid has gotten into trouble for collecting too much data: The company settled a class-action lawsuit for $58 million that alleged Plaid was collecting more information than it needed.

Can I choose what information to share with Plaid?

When Plaid asks for your bank login information to connect your account with another company, you'll get a clear rundown of the types of information that will be shared. Additionally, you can submit a request to delete your data and eliminate connections with other services via Plaid's Privacy Request Form or within the Plaid Portal.

Are there safer alternatives to Plaid?

Plaid may not be your only option for connecting your bank account, depending on the service. For example, if you don't want to share your data with Plaid for account verification with Venmo, you can choose a manual process that includes microtransactions -- small deposits and withdrawals. Apps may partner with alternative data connection services such as MX, TrueLayer or Finicity to share your information. It's tough to say whether any of these are actually safer than Plaid; they may just offer a different user experience and, depending on your financial institution, they might be easier. Sharing your financial information with any company can feel stressful. However, Plaid's security protocols seem designed to alleviate a lot of those concerns.

FAQs

Do I need Plaid?

If you want to use an app to help manage your finances or make payments, that app requires a digital connection to your bank to share your data. Creating and maintaining secured connections with thousands of financial institutions isn't feasible for most apps. Instead, they use a service like Plaid, which builds and maintains connections for more than 12,000 financial institutions. Depending on the app, you may have the option to use alternative data connection services or to use a manual process to share your information.

Why is Venmo asking me to use Plaid?

Venmo uses Plaid to instantly verify your bank account information. By entering your username and password for your online banking portal, Plaid is able to let Venmo know your essential details -- your bank account and routing numbers -- to let you send and receive money.

Do I have to create a Plaid account to use it?

Plaid acts as a middleman that links your bank with whatever app or service needs your account information, so you don't need a standalone Plaid account. If you want to know what information you have shared with Plaid, however, you can create a Plaid Portal account that will give you an overview of all the data.

Is Plaid safe to use with my financial accounts?

While no company is 100% immune to data breaches and online hackers, Plaid is used by thousands of financial institutions for protecting and transmitting sensitive information. The company follows rigorous security protocols to safeguard your financial accounts, including best-in-class encryption and multifactor authentication for the vast majority of transactions.

Hyosung Urges Operators of All ATMs to Follow Previous Security Guidance Due to Large-Scale Cyberattacks

Business Wire, 25-04-2025

DALLAS--(BUSINESS WIRE)--Hyosung Americas, the leading provider of ATMs, urges all ATM owners to immediately implement critical security updates to protect their machines from evolving cyber threats that have affected multiple ATM networks across the industry.

First identified in September 2024, the attacks target Remote Management Software (RMS) systems and allow unauthorized users to redirect ATM communications, enabling unauthorized control. Hyosung promptly released a security patch; however, some ATMs remain unprotected because owners and other service providers have not yet updated their software or are not following accepted industry best practices for ATM security. A large-scale cyberattack has recently been reported to the National ATM Council and ATMIA, with concentrated activity in the Northeast and on the West Coast.

'The security and integrity of the ATM cash ecosystem is our highest priority,' said Nancy Gail Daniels, COO of Hyosung Americas. 'We've been actively communicating with our partners, reinforcing the necessity to implement the steps in security advisory updates and address ATM vulnerabilities since last year. Despite these previous warnings and advisories, the industry is seeing many machines remain unprotected. We strongly urge all ATM operators to implement necessary critical security measures to safeguard their assets.'

Recommended Critical Security Practices:

  • Update software immediately to the latest version containing essential features.
  • Change default passwords to strong, unique combinations, and do not store these passwords on or within the ATM or ATM management system.
  • Secure the ATM management software with proper IT and network security, including operation behind a tightly configured firewall.
  • Enable Transport Layer Security (TLS) encryption and/or Message Authentication Codes for additional protection.

Daniels emphasized that cyberattacks on ATMs are a persistent threat across all brands and manufacturers. 'Regular security updates and adherence to best practices are not optional in today's environment,' she said. 'They are essential protective measures against increasingly sophisticated criminal activities.' ATM owners and partners should access resources from their ATM processor or managed services provider.

About Hyosung Americas

Hyosung Americas, the world's leading cash management and payments platform service provider, is the North American subsidiary of South Korea-based Hyosung TNS, Inc. Since entering the North American market in 1998, Hyosung has grown from the largest provider of ATMs in the United States to offering best-in-class, innovative, and transformative technology solutions across the cash management and payments spectrum. Hyosung Americas is headquartered in Irving, Texas, and provides research and development support through its Global Software Center in Dayton, Ohio.

47 Day SSL Certificate Lifespans Sparks 'Next Y2K' Concerns; CABForum Vote Accelerates Change

Associated Press, 21-04-2025

The maximum lifespan for SSL certificates is being rapidly reduced, a change formalized by a CABForum vote on April 11, 2025. Starting with a drop to 200 days in March 2026 and eventually reaching just 47 days by March 2029, this aims to improve security through more frequent validation. However, the accelerated pace raises concerns about potential widespread website outages due to the increased renewal burden, drawing comparisons to the Y2K bug.

The cybersecurity landscape is bracing for a significant and accelerated shift as the maximum lifespan for Secure Sockets Layer and Transport Layer Security (SSL/TLS) certificates undergoes a substantial reduction. This change, driven by the need for enhanced online security through more frequent validation, gained significant momentum following a vote by the CA/Browser Forum (CABForum) on April 11, 2025. The CABForum, the industry consortium that governs the issuance of SSL certificates, overwhelmingly approved Ballot SC-081, setting in motion a timeline for dramatically shorter certificate validity periods. This development has some experts concerned about potential widespread website outages and operational disruptions, drawing parallels to the Y2K millennium bug.

Currently, the maximum validity period for a Transport Layer Security (TLS) certificate stands at 398 days. However, the CABForum vote has solidified a phased reduction schedule:

This progressive shortening of certificate lifespans aims to limit the window of opportunity for the misuse of compromised certificates and encourages the adoption of more automated certificate management practices. However, the increased frequency of required renewals, mandated by the CABForum's decision, presents considerable logistical challenges for website owners and system administrators. Concerns are mounting that many organizations, particularly those with complex infrastructures or less automated systems, may struggle to manage the escalating renewal burden.

The comparison to the Y2K bug arises from the potential for widespread, unforeseen consequences stemming from a seemingly technical adjustment. Just as the transition to the year 2000 exposed vulnerabilities in systems reliant on two-digit year formats, the rapid increase in certificate renewals, now formalized by the CABForum vote, could expose weaknesses in organizations' IT management processes. The fear is that a failure to adapt swiftly could lead to a significant increase in expired certificates, rendering websites inaccessible and eroding user trust.

Fortunately, solutions are emerging to help organizations automate SSL certificate management and mitigate the risks associated with frequent renewals. Products like the Sectigo ACME SSL Certificate and the Verokey ACME Automation Certificate from SSLTrust offer cost-effective ways to streamline the renewal process, reducing the burden on IT staff and minimizing the potential for errors. These solutions leverage the Automated Certificate Management Environment (ACME) protocol to automate certificate issuance and renewal, ensuring continuous website security and availability in the face of the CABForum's new requirements.

The recent CABForum vote underscores the urgency for all website operators to proactively embrace automation and adapt their certificate management strategies to ensure continued online security and accessibility, and to potentially avoid a 'next Y2K' scenario.

About SSL Certificates: SSL certificates are digital certificates that authenticate a website's identity and enable an encrypted connection. They are essential for securing online transactions, protecting user data, and building trust on the internet.

Media Contact: Keyko Pty Ltd; Contact Person: Paul Baka; Country: Australia. Press release distributed via ABNewswire.
