Google passkeys for a password-less future: Know what they are and how they work

Google passkeys are currently available for developers to test via Google Play Services beta

Ahead of the final rollout, Google has announced the release of its passkey support for developers on Android and Chrome. The American software giant says a ‘passkey’ is a safer substitute for passwords and other phishable authentication factors. It will be integrated with the Google Password Manager to simplify sign-ins across devices, websites, and applications, no matter the platform. But what is a Google passkey and how does it work? Let’s find out:

Passkeys: What are they

Passkeys are a new type of login credential that replaces passwords. Signing in requires either biometric authentication, such as a fingerprint or facial recognition, or the PIN or swipe pattern used to unlock an Android device. According to Google, they are built on industry standards and work across different operating systems and browser ecosystems, and can be used for both websites and apps. They follow familiar user experience patterns and build on the existing experience of password autofill.

Passkeys: How they work

Google says its passkeys work similarly to using a saved password in the Google Password Manager. To prevent lockouts in the case of device loss, passkeys are backed up and synced through the cloud across users’ phones and computers. Users can also use the passkeys on their phones to sign in to apps and websites on other nearby devices.

Users can create and use passkeys on Android devices, which are synced through the Google Password Manager. On Android and other supported platforms, developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API. Currently, developers can use Chrome Canary and sign up for the Google Play Services beta to test this.
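As an added illustration of what building passkey support via the WebAuthn API involves (this is not code from Google or from this article), the sketch below shows the server side of a registration: the options a site hands to `navigator.credentials.create()`, and the check that ties the response to the site's own origin. The relying-party ID, origin and helper names are assumptions, and signature and attestation verification are left out.

```javascript
// Added example (Node.js, standard library only); not code from Google or the article.
const crypto = require('node:crypto');

// Assumed relying-party values for illustration.
const RP_ID = 'example.com';
const EXPECTED_ORIGIN = 'https://example.com';

// Options the site sends to the page, which passes them (after decoding the
// base64url fields to ArrayBuffers) to navigator.credentials.create({ publicKey }).
function buildCreationOptions(user) {
  return {
    challenge: crypto.randomBytes(32).toString('base64url'), // fresh per ceremony
    rp: { id: RP_ID, name: 'Example Site' },
    user: {
      id: Buffer.from(user.id).toString('base64url'),
      name: user.name,
      displayName: user.name,
    },
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey: 'required',      // discoverable credential, i.e. a passkey
      userVerification: 'required', // fingerprint, face or screen lock
    },
  };
}

// Server-side check of the clientDataJSON returned by the browser.
// ceremony is 'webauthn.create' (registration) or 'webauthn.get' (sign-in).
function checkClientData(clientDataB64url, expectedChallenge, ceremony) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataB64url, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed clientDataJSON' };
  }
  if (data === null || typeof data !== 'object') return { ok: false, reason: 'malformed clientDataJSON' };
  if (data.type !== ceremony) return { ok: false, reason: 'wrong ceremony type' };
  if (data.challenge !== expectedChallenge) return { ok: false, reason: 'challenge mismatch' };
  if (data.origin !== EXPECTED_ORIGIN) return { ok: false, reason: 'origin mismatch' };
  return { ok: true };
}

// Constructed sample of what a browser would report for a given origin.
function sampleClientData(challenge, origin) {
  const json = JSON.stringify({ type: 'webauthn.create', challenge, origin });
  return Buffer.from(json).toString('base64url');
}
```

Because the browser, not the user, reports the origin, a response produced on a lookalike domain fails the origin check even when the user was fooled by the page.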

How to create passkeys:

Step 1: In Settings on a device running Android 9 or later, tap Create a Passkey

Step 2: Confirm the passkey account information

Step 3: Present fingerprint, face, or screen lock when prompted

Earlier, Apple released a similar Passkey feature with its iOS 16 update that allows users to use their Apple devices to log in to websites and services without requiring passwords. Apple, Google, and Microsoft partnered with the FIDO Alliance and the World Wide Web Consortium (W3C) earlier this year to remove passwords from user authentication across platforms.

What is the SOVA virus?

India’s federal cyber security agency has recently issued an advisory on the SOVA virus, and leading banks are alerting their customers to stay cautious about the new virus. Know more in this segment.

Several Indian banks, including HDFC Bank and IDBI Bank, have warned account holders against downloading their mobile applications from any source other than official app stores. They issued the alert after an advisory from the Indian Computer Emergency Response Team, or CERT-In. The reason? A new type of malware, the SOVA virus.

A new version of the Trojan virus, SOVA, has reportedly targeted over 200 mobile banking and crypto apps and is stealing their login credentials and cookies. It can hold the information to ransom.

What is SOVA?
SOVA is an Android banking trojan malware that targets banking apps to steal personal information and adds false layers over a range of apps. These layers help the malware mimic the payment app. The malware was first detected for sale in the underground markets in September 2021.

What can SOVA do?
The SOVA virus can harvest usernames and passwords via keylogging, stealing cookies, and adding false overlays to a range of apps. The malware can also perform gestures like swiping and take screenshots. The virus has also undergone an update. Now, it can encrypt all the data and hold it for ransom.

How does SOVA work?
The malware spreads through smishing. Smishing is a process where fraudulent SMS messages are sent to individuals, prompting them to share their details, including passwords. Once the app is downloaded on the mobile phone, the malware sends the list of all the downloaded apps to the server that the attacker controls.

The server sends back the list of targeted apps to the malware and stores the critical information in an XML file. The malware and the server then manage the apps.

Can the attacked app be uninstalled?
Sorry. After the latest updates, when a user tries to uninstall an attacked app, they will be unable to do so. A message, “This app is secured”, will be displayed on the screen.

How can users protect themselves?
Download the mobile apps only through official app stores. Also, check the “Additional Information” section while downloading the apps and review the app details, number of downloads and user reviews.

Another practice CERT-In recommends is downloading the latest updates of the apps and operating software provided by device vendors. Additionally, download and activate anti-virus software.

Do not browse untrusted websites or follow untrusted links, and exercise caution while clicking on links provided in any unsolicited emails and SMSs.

In case of any unusual activity in the bank accounts, immediately report it to the respective banks.
