Tag Archives: Phishing

Vulnerabilitat Passkeys: Les Claus d’Accés Sincronitzades no són Invulnerables

Vulnerabilitat Passkeys: Imatge amb clau trencada, ham de phishing i títol DEF CON 33 – Passkeys Pwned, que simbolitza l'atac d'intercepció WebAuthn i la fallada de les claus d'accés sincronitzades.

Vulnerabilitat Passkeys: Una vulnerabilitat crítica, revelada a la DEF CON 33, demostra que les passkeys sincronitzades poden ser objecte de phishing en temps real. De fet, Allthenticate va provar que una sol·licitud d’autenticació falsificable pot segrestar una sessió WebAuthn en viu.

Resum Executiu — La Vulnerabilitat Passkeys i el WebAuthn API Hijacking

▸ Conclusió Clau — Atac de WebAuthn API Hijacking

Oferim un resum dens (≈ 1 min) per a decisors i CISOs. Per a una anàlisi tècnica completa (≈ 13 min), però, hauríeu de llegir l’article sencer.

Imagineu un mètode d’autenticació elogiat com a resistent al phishing — anomenat passkeys sincronitzades — i després explotat en viu a la DEF CON 33 (del 8 a l’11 d’agost de 2025, Las Vegas). Llavors, quina era la vulnerabilitat? Era una fallada de WebAuthn API Hijacking (un atac d’intercepció al flux d’autenticació), que va permetre la falsificació de la sol·licitud de passkeys en temps real.

Aquesta única demostració, de fet, desafia directament la seguretat proclamada de les passkeys sincronitzades al núvol i obre el debat sobre alternatives sobiranes. Vam veure emergir dues troballes clau de recerca a l’esdeveniment: primer, la falsificació de la sol·licitud en temps real (un atac d’intercepció de WebAuthn), i segon, el DOM extension clickjacking. Cal destacar que aquest article se centra exclusivament en la falsificació de la sol·licitud perquè innegablement soscava la promesa “resistent al phishing” per a les passkeys sincronitzades vulnerables.

▸ Resum

El punt feble ja no és la criptografia; en canvi, és el disparador visual. En resum, els atacants comprometen la interfície, no la clau criptogràfica.

Visió Estratègica Aquesta demostració, per tant, exposa una fallada històrica: els atacants poden abusar perfectament d’un mètode d’autenticació anomenat “resistent al phishing” si poden falsificar i explotar la sol·licitud en el moment adequat.

Crònica per llegir
Article to Read
Temps de lectura estimat: ≈ 13 minuts (+4–5 min si mireu els vídeos incrustats)
Nivell de complexitat: Avançat / Expert
Idiomes disponibles: CAT · EN · ES · FR
Accessibilitat: Optimitzat per a lectors de pantalla
Tipus: Article Estratègic
Autor: Jacques Gascuel, inventor i fundador de Freemindtronic®, dissenya i patenta sistemes de seguretat de maquinari sobirans per a la protecció de dades, la sobirania criptogràfica i les comunicacions segures. Com a expert en conformitat amb ANSSI, NIS2, GDPR i SecNumCloud, desenvolupa arquitectures by-design capaces de contrarestar amenaces híbrides i garantir una ciberseguretat 100% sobirana.

Fonts Oficials

TL; DR

  • A la DEF CON 33 (del 8 a l’11 d’agost de 2025), investigadors d’Allthenticate van demostrar un camí de WebAuthn API Hijacking: els atacants poden segrestar passkeys anomenades “resistents al phishing” a través de la falsificació de la sol·licitud en temps real.
  • La fallada no resideix en els algorismes criptogràfics; més aviat, es troba a la interfície d’usuari—el punt d’entrada visual.
  • En última instància, aquesta revelació exigeix una revisió estratègica: hem de prioritzar les passkeys lligades al dispositiu per a casos d’ús sensibles i alinear els desplegaments amb models d’amenaça i requisits reglamentaris.

2024 Cyberculture Digital Security

Russian Cyberattack Microsoft: An Unprecedented Threat

2025 Digital Security

Email Metadata Privacy: EU Laws & DataShielder

2025 Digital Security

Chrome V8 Zero-Day: CVE-2025-6554 Actively Exploited

2025 Digital Security

APT29 Exploits App Passwords to Bypass 2FA

2025 Digital Security

Signal Clone Breached: Critical Flaws in TeleMessage

2025 Digital Security

APT29 Spear-Phishing Europe: Stealthy Russian Espionage

2024 Digital Security

Why Encrypt SMS? FBI and CISA Recommendations

2025 Digital Security

APT44 QR Code Phishing: New Cyber Espionage Tactics

2023 Digital Security

WhatsApp Hacking: Prevention and Solutions

2024 Digital Security

BitLocker Security: Safeguarding Against Cyberattacks

2024 Digital Security

French Minister Phone Hack: Jean-Noël Barrot’s G7 Breach

2024 Digital Security

Cyberattack Exploits Backdoors: What You Need to Know

2021 Cyberculture Digital Security Phishing

Phishing Cyber victims caught between the hammer and the anvil

2024 Digital Security

Google Sheets Malware: The Voldemort Threat

2024 Articles Digital Security News

Russian Espionage Hacking Tools Revealed

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

2024 Digital Security Technical News

Apple M chip vulnerability: A Breach in Data Security

Digital Security Technical News

Brute Force Attacks: What They Are and How to Protect Yourself

2023 Digital Security

Predator Files: The Spyware Scandal That Shook the World

2023 Digital Security Phishing

BITB Attacks: How to Avoid Phishing by iFrame

2023 Digital Security

5Ghoul: 5G NR Attacks on Mobile Devices

2024 Digital Security

Europol Data Breach: A Detailed Analysis

Digital Security EviToken Technology Technical News

EviCore NFC HSM Credit Cards Manager | Secure Your Standard and Contactless Credit Cards

2024 Cyberculture Digital Security News Training

Andorra National Cyberattack Simulation: A Global First in Cyber Defense

Articles Digital Security EviVault Technology NFC HSM technology Technical News

EviVault NFC HSM vs Flipper Zero: The duel of an NFC HSM and a Pentester

Articles Cryptocurrency Digital Security Technical News

Securing IEO STO ICO IDO and INO: The Challenges and Solutions

Articles Cyberculture Digital Security Technical News

Protect Meta Account Identity Theft with EviPass and EviOTP

2024 Digital Security

Cybersecurity Breach at IMF: A Detailed Investigation

2023 Articles Cyberculture Digital Security Technical News

Strong Passwords in the Quantum Computing Era

2024 Digital Security

PrintListener: How to Betray Fingerprints

2021 Articles Cyberculture Digital Security EviPass EviPass NFC HSM technology EviPass Technology Technical News

766 trillion years to find 20-character code like a randomly generated password

2024 Articles Digital Security News Spying

How to protect yourself from stalkerware on any phone

2023 Articles DataShielder Digital Security Military spying News NFC HSM technology Spying

Pegasus: The cost of spying with one of the most powerful spyware in the world

2024 Digital Security Spying

Ivanti Zero-Day Flaws: Comprehensive Guide to Secure Your Systems Now

2024 Articles Compagny spying Digital Security Industrial spying Military spying News Spying Zero trust

KingsPawn A Spyware Targeting Civil Society

2024 Articles Digital Security EviKey NFC HSM EviPass News SSH

Terrapin attack: How to Protect Yourself from this New Threat to SSH Security

Articles Crypto Currency Cryptocurrency Digital Security EviPass Technology NFC HSM technology Phishing

Ledger Security Breaches from 2017 to 2023: How to Protect Yourself from Hackers

2024 Articles Digital Security News Phishing

Google OAuth2 security flaw: How to Protect Yourself from Hackers

Articles Digital Security EviCore NFC HSM Technology EviPass NFC HSM technology NFC HSM technology

TETRA Security Vulnerabilities: How to Protect Critical Infrastructures

2023 Articles DataShielder Digital Security EviCore NFC HSM Technology EviCypher NFC HSM EviCypher Technology NFC HSM technology

FormBook Malware: How to Protect Your Gmail and Other Data

Articles Digital Security

Chinese hackers Cisco routers: how to protect yourself?

Articles Crypto Currency Digital Security EviSeed EviVault Technology News

Enhancing Crypto Wallet Security: How EviSeed and EviVault Could Have Prevented the $41M Crypto Heist

Articles Digital Security News

How to Recover and Protect Your SMS on Android

Articles Crypto Currency Digital Security News

Coinbase blockchain hack: How It Happened and How to Avoid It

Articles Compagny spying Digital Security Industrial spying Military spying Spying

Protect yourself from Pegasus spyware with EviCypher NFC HSM

Articles Digital Security EviCypher Technology

Protect US emails from Chinese hackers with EviCypher NFC HSM?

Articles Digital Security

What is Juice Jacking and How to Avoid It?

2023 Articles Cryptocurrency Digital Security NFC HSM technology Technologies

How BIP39 helps you create and restore your Bitcoin wallets

Articles Digital Security Phishing

Snake Malware: The Russian Spy Tool

Articles Cryptocurrency Digital Security Phishing

ViperSoftX How to avoid the malware that steals your passwords

Articles Digital Security Phishing

Kevin Mitnick’s Password Hacking with Hashtopolis

En Ciberseguretat Sobirana ↑ Aquest article forma part de la nostra secció de Seguretat Digital, continuant la nostra recerca sobre els exploits de maquinari de confiança zero i les contramesures.

▸ Punts Clau

  • Vulnerabilitat Confirmada: Les passkeys sincronitzades al núvol (Apple, Google, Microsoft) no són 100% resistents al phishing.
  • Nova Amenaça: La falsificació de la sol·licitud en temps real explota la interfície d’usuari en lloc de la criptografia.
  • Impacte Estratègic: Les infraestructures crítiques i les agències governamentals han de migrar a credencials lligades al dispositiu i a solucions sobiranes fora de línia (NFC HSM, claus segmentades).

Què és un Atac de WebAuthn API Hijacking?

Un atac d’intercepció de WebAuthn a través d’una sol·licitud d’autenticació falsificable (WebAuthn API Hijacking) consisteix a imitar en temps real la finestra d’autenticació mostrada per un sistema o navegador. Per tant, l’atacant no busca trencar l’algorisme criptogràfic; en lloc d’això, reprodueix la interfície d’usuari (UI) en el moment exacte en què la víctima espera veure una sol·licitud legítima. Els enganys visuals, el cronometratge precís i la sincronització perfecta fan que l’engany sigui indistingible per a l’usuari.

Exemple simplificat:
Un usuari creu que està aprovant una connexió al seu compte bancari a través d’una sol·licitud legítima del sistema d’Apple o Google. En realitat, està interactuant amb un quadre de diàleg clonat per l’atacant. Com a resultat, l’adversari captura la sessió activa sense alertar la víctima.
▸ En resum: A diferència dels atacs de phishing “clàssics” a través de correu electrònic o llocs web fraudulents, la falsificació de la sol·licitud en temps real té lloc durant l’autenticació, quan l’usuari té més confiança.

Història de les Vulnerabilitats de Passkey / WebAuthn

Malgrat la seva robustesa criptogràfica, les passkeys — basades en els estàndards oberts WebAuthn i FIDO2 de la FIDO Alliance — no són invulnerables. La història de les vulnerabilitats i les recerques recents confirmen que el punt feble sovint resideix en la interacció de l’usuari i l’entorn d’execució (navegador, sistema operatiu). La indústria va adoptar oficialment les passkeys el 5 de maig de 2022, després d’un compromís d’Apple, Google i Microsoft per estendre el seu suport a les seves respectives plataformes.

Cronologia exhaustiva de l'evolució de les vulnerabilitats Passkey i WebAuthn (2012-2025), des de la creació de FIDO fins als atacs d'IA, destacant solucions com PassCypher per a la ciberseguretat a Andorra i Catalunya.
Evolució Accelerada de les Vulnerabilitats Passkey i WebAuthn (2012-2025): Una cronologia detallada que il·lustra els punts d’inflexió clau en la seguretat de les credencials, des de la fundació de FIDO fins a l’aparició de l’IA com a multiplicador d’amenaces, incloent-hi les revelacions de la DEF CON 33 i l’emergència de solucions sobiranes com PassCypher, crucial per a la protecció digital a Andorra i Catalunya.

Cronologia de la Vulnerabilitat Passkeys

  • SquareX – Navegadors Compromesos (agost 2025):

    A la DEF CON 33, una demostració va mostrar que una extensió o script maliciós pot interceptar el flux de WebAuthn per substituir les claus. Vegeu l’anàlisi de TechRadar i l’informe de SecurityWeek.

  • CVE-2025-31161 (març/abril 2025):

    Salt d’autenticació a CrushFTP mitjançant una condició de carrera. Font Oficial del NIST.

  • CVE-2024-9956 (març 2025):

    Apoderament de comptes mitjançant Bluetooth a Android. Aquest atac va demostrar que un atacant pot desencadenar remotament una autenticació maliciosa a través d’un intent `FIDO:/`. Anàlisi de Risky.Biz. Font Oficial del NIST.

  • CVE-2024-12604 (març 2025):

    Emmagatzematge en text clar de dades sensibles a Tap&Sign, explotant una mala gestió de contrasenyes. Font Oficial del NIST.

  • CVE-2025-26788 (febrer 2025):

    Salt d’autenticació al Servidor FIDO de StrongKey. Font Detallada.

  • Passkeys Pwned – Segrest de l’API basat en el navegador (inicis de 2025):

    Un estudi de recerca va mostrar que el navegador, com a mediador únic, pot ser un punt de fallada. Llegiu l’anàlisi de Security Boulevard.

  • CVE-2024-9191 (novembre 2024):

    Exposició de contrasenyes a través d’Okta Device Access. Font Oficial del NIST.

  • CVE-2024-39912 (juliol 2024):

    Enumeració d’usuaris a través d’una fallada a la biblioteca PHP `web-auth/webauthn-lib`. Font Oficial del NIST.

  • Atacs de tipus CTRAPS (2024):

    Aquests atacs a nivell de protocol (CTAP) exploten els mecanismes d’autenticació per a accions no autoritzades. Per a més informació sobre els atacs a nivell de protocol FIDO, vegeu aquesta presentació de Black Hat sobre les vulnerabilitats de FIDO.

  • Primer Desplegament a Gran Escala (setembre 2022):

    Apple va ser el primer a desplegar passkeys a gran escala amb el llançament d’iOS 16, fent d’aquesta tecnologia una realitat per a centenars de milions d’usuaris. Comunicat de Premsa Oficial d’Apple.

  • Llançament i Adopció de la Indústria (maig 2022):

    La FIDO Alliance, unida per Apple, Google i Microsoft, va anunciar un pla d’acció per estendre el suport de les passkeys a totes les seves plataformes. Comunicat de Premsa Oficial de la FIDO Alliance.

  • Atacs de Cronometratge a keyHandle (2022):

    Una vulnerabilitat que permet la correlació de comptes mesurant les variacions de temps en el processament dels `keyHandles`. Vegeu l’article d’IACR ePrint 2022.

  • Phishing de Mètodes de Recuperació (des del 2017):

    Els atacants utilitzen proxies AitM (com Evilginx, que va aparèixer el 2017) per amagar l’opció de passkey i forçar un retorn a mètodes menys segurs que es poden capturar. Més detalls sobre aquesta tècnica.

  • Black Hat FIDO 2017 → CTRAPS (CTAP Replay / Protocol-level Attacks):

    A la conferència Black Hat USA 2017 es van presentar vulnerabilitats a nivell de protocol CTAP, demostrant la possibilitat de repetir missatges d’autenticació per realitzar accions no autoritzades.
    Vegeu la presentació oficial de Black Hat.

La IA com a Multiplicador de la Vulnerabilitat Passkeys

La intel·ligència artificial no és una fallada de seguretat, sinó un catalitzador que fa que els atacs existents siguin més eficaços. Des de l’aparició dels models d’IA generativa com GPT-3 (2020) i DALL-E 2 (2022), han aparegut noves capacitats per a l’automatització d’amenaces. Aquests desenvolupaments permeten notablement:

  • Atacs a Gran Escala (des del 2022): La IA generativa permet als atacants crear sol·licituds d’autenticació i missatges de phishing personalitzats per a un volum massiu d’objectius, augmentant l’efectivitat del phishing de mètodes de recuperació.
  • Recerca de Vulnerabilitats Accelerada (des del 2023): La IA es pot utilitzar per automatitzar la cerca de fallades de seguretat, com l’enumeració d’usuaris o la detecció de fallades lògiques en el codi d’implementació.
Nota Històrica — Els riscos associats a les sol·licituds falsificables a WebAuthn ja van ser plantejats per la comunitat a l’issue #1965 de W3C GitHub (abans de la demostració de la DEF CON 33). Això demostra que la interfície d’usuari ha estat reconeguda des de fa temps com un punt feble en l’autenticació anomenada “resistent al phishing”.

“Aquestes vulnerabilitats recents i històriques ressalten el paper crític del navegador i del model de desplegament (device-bound vs. synced). Reforcen la crida a arquitectures sobiranes que estiguin desconnectades d’aquests vectors de compromís.”

Vulnerabilitat Passkeys i del Model de Sincronització

Una de les vulnerabilitats de seguretat de les passkeys més debatudes no concerneix el protocol WebAuthn en si mateix, sinó el seu model de desplegament. La majoria de les publicacions sobre el tema diferencien entre dos tipus de passkeys:

  • Passkeys lligades al dispositiu: Emmagatzemades en un dispositiu físic (com una clau de seguretat de maquinari o una Secure Enclave). Aquest model es considera generalment molt segur perquè no es sincronitza a través d’un servei de tercers.
  • Passkeys sincronitzades: Emmagatzemades en un gestor de contrasenyes o un servei al núvol (iCloud Keychain, Google Password Manager, etc.). Aquestes passkeys es poden sincronitzar a través de múltiples dispositius. Per a més detalls sobre aquesta distinció, consulteu la documentació de la FIDO Alliance.

La vulnerabilitat rau aquí: si un atacant aconsegueix comprometre el compte del servei al núvol, podria potencialment obtenir accés a les passkeys sincronitzades a tots els dispositius de l’usuari. Aquest és un risc que les passkeys lligades al dispositiu no comparteixen. La recerca acadèmica, com aquest article publicat a arXiv, explora aquesta qüestió, destacant que “la seguretat de les passkeys sincronitzades es concentra principalment en el proveïdor de passkeys.”

Aquesta distinció és crucial perquè la implementació de passkeys sincronitzades vulnerables contradiu l’esperit mateix d’un MFA anomenat resistent al phishing, ja que la sincronització introdueix un intermediari i una superfície d’atac addicional. Això justifica la recomanació de la FIDO Alliance de prioritzar les passkeys lligades al dispositiu per a la màxima seguretat.

La Demostració de la DEF CON 33 – WebAuthn API Hijacking en Acció

El WebAuthn API Hijacking és el fil conductor d’aquesta secció: expliquem breument el camí d’atac mostrat a la DEF CON 33 i com una sol·licitud falsificable va permetre la presa de control de la sessió en temps real, abans de detallar les proves en viu i els fragments de vídeo.

Passkeys Pwned — La Vulnerabilitat Passkeys a la DEF CON 33

Durant la DEF CON 33, l’equip d’Allthenticate va presentar una xerrada titulada “Passkeys Pwned: Turning WebAuthn Against Itself.”
Aquesta sessió va demostrar com els atacants podien explotar el WebAuthn API Hijacking per comprometre passkeys sincronitzades en temps real utilitzant una sol·licitud d’autenticació falsificable.

Utilitzant la frase provocadora “Passkeys Pwned”, els investigadors van emfatitzar deliberadament que fins i tot les credencials anomenades resistents al phishing poden ser segrestades quan la pròpia interfície d’usuari és el punt feble.

Proves de WebAuthn API Hijacking a la DEF CON 33

A Las Vegas, al cor de la DEF CON 33 (del 8 a l’11 d’agost de 2025), la comunitat de hackers més respectada del món va presenciar una demostració que va fer que molts es remoguessin. De fet, els investigadors d’Allthenticate van mostrar en viu que una passkey sincronitzada vulnerable – malgrat ser etiquetada com a “resistent al phishing” – podia ser enganyada. Llavors, què van fer? Van executar un atac de WebAuthn API Hijacking (falsificació de la sol·licitud del sistema) del tipus de falsificació de la sol·licitud d’autenticació en temps real. Van crear un quadre de diàleg d’autenticació fals, perfectament cronometrat i visualment idèntic a la UI legítima. En última instància, l’usuari creia que estava validant una autenticació legítima, però l’adversari va segrestar la sessió en temps real. Aquesta prova de concepte fa tangible la “Fallada d’Intercepció de WebAuthn de les Passkeys” a través d’una sol·licitud falsificable en temps real.

Fragments de Vídeo — WebAuthn API Hijacking en la Pràctica

Per visualitzar la seqüència, mireu el clip següent: mostra com el WebAuthn API Hijacking sorgeix d’un simple engany de la UI que alinea el temps i l’aparença amb la sol·licitud del sistema esperada, conduint a una captura de sessió sense problemes.

Autors Oficials i Mitjans de la DEF CON 33
Shourya Pratap Singh, Jonny Lin, Daniel Seetoh — investigadors d’Allthenticate, autors de la demo “Your Passkey is Weak: Phishing the Unphishable”.
Vídeo d’Allthenticate a TikTok — explicació directa per l’equip.
Vídeo de la DEF CON 33 Las Vegas (TikTok) — un cop d’ull a la conferència.
Fragments destacats de la DEF CON 33 (YouTube) — incloent la fallada de les passkeys.

▸ Resum

La DEF CON 33 va demostrar que les passkeys sincronitzades vulnerables poden ser compromeses en viu quan una sol·licitud d’autenticació falsificable s’insereix al flux de WebAuthn.

Comparació – Fallada d’Intercepció de WebAuthn: Falsificació de Sol·licitud vs. DOM Clickjacking

A la DEF CON 33, dues grans troballes de recerca van sacsejar la confiança en els mecanismes d’autenticació moderns. De fet, ambdós exploten les fallades relacionades amb la interfície d’usuari (UX) en lloc de la criptografia, però els seus vectors i objectius difereixen radicalment.

Comparació de l'arquitectura de PassCypher i FIDO WebAuthn destacant la resistència al phishing i els riscos de falsificació de sol·licituds
Comparació de les arquitectures de PassCypher i FIDO WebAuthn mostrant per què les Passkeys són vulnerables al WebAuthn API hijacking mentre que PassCypher elimina els riscos de falsificació de sol·licituds.

Falsificació de Sol·licitud en Temps Real

DOM Clickjacking

  • Autors: Un altre equip d’investigadors (DEF CON 33).
  • Objectiu: Gestors de credencials, extensions, passkeys emmagatzemades.
  • Vector: iframes invisibles, Shadow DOM, scripts maliciosos per segrestar l’autocompletat.
  • Impacte: Exfiltració silenciosa de credencials, passkeys i claus de la cartera de criptomonedes.

▸ Conclusió clau: Aquest article se centra exclusivament en la falsificació de sol·licituds, que il·lustra una fallada d’intercepció de WebAuthn important i posa en dubte la promesa de “passkeys resistents al phishing”. Per a un estudi complet sobre DOM clickjacking, consulteu l’article relacionat.

Implicacions Estratègiques – Passkeys i Vulnerabilitats d’UX

Com a resultat, la “Fallada d’Intercepció de WebAuthn de les Passkeys” ens obliga a repensar l’autenticació al voltant de models sense sol·licitud i sense núvol.

▸ Anàlisi
No és la criptografia el que falla, sinó la il·lusió d’immunitat. La intercepció de WebAuthn demostra que el risc resideix en la UX, no en l’algorisme.

Regulacions i Conformitat – MFA i Intercepció de WebAuthn

Documents oficials com la guia de la CISA sobre MFA resistent al phishing o la directiva OMB M-22-09 insisteixen en aquest punt: l’autenticació és “resistent al phishing” només si cap intermediari pot interceptar o segrestar el flux de WebAuthn.
En teoria, les passkeys de WebAuthn respecten aquesta regla. A la pràctica, però, la vulnerabilitat passkeys sincronitzades obre una fallada d’intercepció que els atacants poden explotar a través d’una sol·licitud d’autenticació falsificable.

A Europa, tant la directiva NIS2 com la certificació SecNumCloud reiteren el mateix requisit: cap dependència de serveis de tercers no controlats.

Com a tal, la “Fallada d’Intercepció de WebAuthn de les Passkeys” contradiu l’esperit d’un MFA anomenat resistent al phishing, perquè la sincronització introdueix un intermediari.

En altres paraules, un núvol dels EUA que gestiona les vostres passkeys queda fora de l’abast d’una sobirania digital estricta.

▸ Resum

Una passkey sincronitzada vulnerable pot comprometre el requisit d’un MFA resistent al phishing (CISA, NIS2) quan un atac d’intercepció de WebAuthn és possible.

Estadístiques Europees i Francòfones – Phishing en Temps Real, Intercepció de WebAuthn i la Vulnerabilitat Passkeys

Els informes públics confirmen que els atacs de phishing avançats — incloent tècniques en temps real — representen una amenaça major a la Unió Europea i a la zona francòfona.

  • Unió Europea — ENISA: Segons l’informe Threat Landscape 2024, el phishing i l’enginyeria social representen el 38% dels incidents reportats a la UE, amb un augment notable dels mètodes de Adversary-in-the-Middle i de la falsificació de sol·licituds en temps real, associada a la intercepció de WebAuthn. Font: ENISA Threat Landscape 2024
  • França — Cybermalveillance.gouv.fr: El 2023, el phishing va generar el 38% de les sol·licituds d’assistència, amb més d’1.5M de consultes relacionades amb aquest tipus d’atac. Les estafes de falsos assessors bancaris van augmentar un +78% respecte al 2022, sovint mitjançant sol·licituds d’autenticació falsificables. Font: Informe d’Activitat 2023
  • Canadà (Francòfon) — Centre Canadenc per a la Ciberseguretat: L’Avaluació Nacional d’Amenaces Cibernètiques 2023-2024 indica que el 65% de les empreses esperen patir un atac de phishing o ransomware. El phishing segueix sent un vector preferit per eludir l’MFA, incloent-hi mitjançant la intercepció del flux de WebAuthn. Font: Avaluació Oficial
▸ Lectura Estratègica
La falsificació de sol·licituds en temps real no és un experiment de laboratori; forma part d’una tendència en què el phishing s’adreça a la interfície d’autenticació en lloc dels algorismes, amb un ús creixent de l’atac d’intercepció de WebAuthn.

Cas d’Ús Sobirà – Neutralitzant la Vulnerabilitat Passkeys

En un escenari pràctic, una autoritat reguladora reserva les passkeys sincronitzades per a portals públics de baix risc. Per contra, l’opció PassCypher elimina la causa fonamental de la “Fallada d’Intercepció de WebAuthn de les Passkeys” eliminant la sol·licitud, el núvol i qualsevol exposició al DOM.
Per a sistemes crítics (govern, operacions sensibles, infraestructures vitals), desplega PassCypher en dues formes:

Per què PassCypher Elimina la Vulnerabilitat Passkeys

Les solucions PassCypher contrasten radicalment amb les passkeys FIDO que són vulnerables a l’atac d’intercepció de WebAuthn:

  • Sense sol·licitud del sistema operatiu/navegador — per tant, sense sol·licitud d’autenticació falsificable.
  • Sense núvol — sense sincronització vulnerable ni dependència de tercers.
  • Sense DOM — sense exposició a scripts, extensions o iframes.
✓ Sobirania: En eliminar la sol·licitud, el núvol i el DOM, PassCypher elimina qualsevol punt d’ancoratge per a la fallada d’intercepció de WebAuthn (falsificació de sol·licituds) revelada a la DEF CON 33.

PassCypher NFC HSM — Eliminant el Vector d’Atac de Falsificació de Sol·licituds WebAuthn

L’atac d’Allthenticate a la DEF CON 33 demostra que els atacants poden falsificar qualsevol sistema que depèn d’una sol·licitud del sistema operatiu/navegador. PassCypher NFC HSM elimina aquest vector: no hi ha sol·licitud, ni sincronització al núvol, els secrets estan encriptats de per vida en un nano-HSM NFC, i es validen amb un toc físic. Funcionament per a l’usuari:

  • Toc NFC obligatori — validació física sense interfície de programari.
  • HID BLE Mode AES-128-CBC — transmissió fora del DOM, resistent als keyloggers.
  • Ecosistema Zero-DOM — cap secret apareix mai al navegador.

▸ Resum

A diferència de les passkeys sincronitzades vulnerables, PassCypher NFC HSM neutralitza l’atac d’intercepció de WebAuthn perquè una sol·licitud d’autenticació falsificable no existeix.

WebAuthn Hijacking i la Vulnerabilitat Passkeys Neutralitzats per PassCypher NFC HSM

Tipus d’Atac Vector Estat
Falsificació de Sol·licitud Diàleg fals del sistema operatiu/navegador Neutralitzat (sense sol·licitud)
Phishing en Temps Real Validació capturada en viu Neutralitzat (toc NFC obligatori)
Registre de Tecles Captura de teclat Neutralitzat (HID BLE encriptat)

PassCypher HSM PGP — Claus Segmentades contra el Phishing

L’altre pilar, PassCypher HSM PGP, aplica la mateixa filosofia: sense sol·licitud explotable.
Els secrets (credencials, passkeys, claus SSH/PGP, TOTP/HOTP) resideixen en contenidors encriptats AES-256 CBC PGP, protegits per un sistema patentat de claus segmentades.

  • Sense sol·licitud — per tant, no hi ha finestra per falsificar.
  • Claus segmentades — són inexportables i s’acoblen només a la memòria RAM.
  • Desencriptació efímera — el secret desapareix immediatament després d’utilitzar-lo.
  • Sense núvol — no hi ha sincronització vulnerable.

▸ Resum

PassCypher HSM PGP elimina la superfície d’atac de la sol·licitud falsificada en temps real: proporciona autenticació de maquinari, claus segmentades i validació criptogràfica sense exposició al DOM ni al núvol.

Comparació de la Superfície d’Atac

Criteri Passkeys Sincronitzades (FIDO) PassCypher NFC HSM PassCypher HSM PGP
Sol·licitud d’Autenticació No No
Núvol de Sincronització No No
Clau Privada Exportable No (UI atacable) No No
WebAuthn Hijacking/Intercepció Present Absent Absent
Dependència de l’Estàndard FIDO No No
▸ Anàlisi En eliminar la sol·licitud d’autenticació falsificable i la sincronització al núvol, l’atac d’intercepció de WebAuthn demostrat a la DEF CON 33 desapareix completament.

Senyals Febles – Tendències Relacionades amb la Intercepció de WebAuthn

▸ Senyals Febles Identificats

  • L’adopció generalitzada d’atacs a la UI en temps real, incloent la intercepció de WebAuthn mitjançant una sol·licitud d’autenticació falsificable.
  • Una dependència creixent de núvols de tercers per a la identitat, que augmenta l’exposició de les passkeys sincronitzades vulnerables.
  • Una proliferació d’esquives a través de l’enginyeria social assistida per IA, aplicada a les interfícies d’autenticació.

Glossari Estratègic

Una revisió dels conceptes clau utilitzats en aquest article, per entendre la Vulnerabilitat Passkeys i les solucions.

  • Passkey / Passkeys

    Una credencial digital sense contrasenya basada en l’estàndard FIDO/WebAuthn, dissenyada per ser “resistent al phishing.”

    • Passkey (singular): Es refereix a una única credencial digital emmagatzemada en un dispositiu (p. ex., Secure Enclave, TPM, YubiKey).
    • Passkeys (plural): Es refereix a la tecnologia en general o a múltiples credencials, incloses les passkeys sincronitzades emmagatzemades als núvols d’Apple, Google o Microsoft. Aquestes són particularment vulnerables al WebAuthn API Hijacking (falsificació de la sol·licitud en temps real demostrada a la DEF CON 33).
  • Passkeys Pwned

    Títol de la xerrada a la DEF CON 33 d’Allthenticate (“Passkeys Pwned: Turning WebAuthn Against Itself”). Destaca com el WebAuthn API Hijacking pot comprometre les passkeys sincronitzades en temps real, demostrant que no són 100% resistents al phishing.

  • Passkeys sincronitzades vulnerables

    Emmagatzemades en un núvol (Apple, Google, Microsoft) i utilitzables a través de múltiples dispositius. Ofereixen un avantatge d’UX però una debilitat estratègica: dependència d’una sol·licitud d’autenticació falsificable i del núvol.

  • Passkeys lligades al dispositiu

    Lligades a un sol dispositiu (TPM, Secure Enclave, YubiKey). Més segures perquè no tenen sincronització al núvol.

  • Sol·licitud (Prompt)

    Un quadre de diàleg del sistema o del navegador que demana la validació de l’usuari (Face ID, empremta digital, clau FIDO). Aquest és l’objectiu principal de la falsificació.

  • Atac d’Intercepció de WebAuthn

    També conegut com a WebAuthn API Hijacking, aquest atac manipula el flux d’autenticació falsificant la sol·licitud del sistema/navegador i imitant la interfície d’usuari en temps real. L’atacant no trenca la criptografia, sinó que intercepta el procés de WebAuthn a nivell d’UX (p. ex., una sol·licitud de Face ID o d’empremta digital clonada). Vegeu la especificació oficial de W3C WebAuthn i la documentació de la FIDO Alliance.

  • Falsificació de la sol·licitud en temps real

    La falsificació en viu d’una finestra d’autenticació, que és indistingible per a l’usuari.

  • DOM Clickjacking

    Un atac que utilitza iframes invisibles i Shadow DOM per segrestar l’autocompletat i robar credencials.

  • Zero-DOM

    Una arquitectura sobirana on cap secret s’exposa al navegador o al DOM.

  • NFC HSM

    Un mòdul de maquinari segur que està fora de línia i és compatible amb HID BLE AES-128-CBC.

  • Claus segmentades

    Claus criptogràfiques que es divideixen en segments i només es tornen a muntar en memòria volàtil.

  • Credencial lligada al dispositiu

    Una credencial adjunta a un dispositiu físic que no és transferible ni clonable.

▸ Propòsit Estratègic: Aquest glossari mostra per què l’atac d’intercepció de WebAuthn apunta a la sol·licitud i a l’UX, i per què PassCypher elimina aquest vector per disseny.

FAQ Tècnica (Integració i Casos d’Ús)

  • P: Com podem resoldre la Vulnerabilitat Passkeys?

    R: Sí, la millor manera de mitigar la Vulnerabilitat Passkeys és amb un model híbrid: manteniu FIDO per a casos d’ús comuns i adopteu PassCypher per a l’accés crític per eliminar completament els vectors d’intercepció.

  • P: Quin és l’impacte en la UX sense una sol·licitud del sistema?

    R: L’acció es basa en el maquinari (toc NFC o validació HSM). No hi ha cap sol·licitud o quadre de diàleg d’autenticació falsificable per suplantar, la qual cosa resulta en una eliminació total del risc de phishing en temps real.

  • P: Com podem revocar una clau compromesa?

    R: Simplement revoqueu l’HSM o la clau en si mateixa. No hi ha cap núvol a purgar ni cap compte de tercers a contactar.

  • P: PassCypher protegeix contra la falsificació de sol·licituds en temps real?

    R: Sí. L’arquitectura PassCypher elimina completament la sol·licitud del sistema operatiu/navegador, eliminant així la superfície d’atac explotada a la DEF CON 33.

  • P: Podem integrar PassCypher en una infraestructura regulada per NIS2?

    R: Sí. Els mòduls NFC HSM i HSM PGP compleixen amb els requisits de sobirania digital i neutralitzen els riscos associats a les passkeys sincronitzades vulnerables.

  • P: Les passkeys lligades al dispositiu són completament inviolables?

    R: No, però eliminen el risc d’intercepció de WebAuthn basat en el núvol. La seva seguretat depèn llavors de la robustesa del maquinari (TPM, Secure Enclave, YubiKey) i de la protecció física del dispositiu.

  • P: Un malware local pot reproduir una sol·licitud de PassCypher?

    R: No. PassCypher no es basa en una sol·licitud de programari; la validació es basa en el maquinari i és fora de línia, per la qual cosa no existeix cap visualització falsificable.

  • P: Per què els núvols de tercers augmenten el risc?

    R: Les passkeys sincronitzades vulnerables emmagatzemades en un núvol de tercers poden ser objectiu d’atacs Adversary-in-the-Middle o d’intercepció de WebAuthn si la sol·licitud es veu compromesa.

  • P: Hi ha suport tècnic local a Andorra o Catalunya?

    R: Sí. Com a empresa andorrana, oferim un suport tècnic directe i local, la qual cosa facilita la implementació i la resolució de problemes per a empreses de la regió, garantint una comunicació fluida i una resposta ràpida.

  • P: Com puc adquirir els HSM físics des d’Andorra o Catalunya?

    R: L’adquisició es fa directament a través del nostre lloc web i el procés d’enviament o lliurament in situ està optimitzat per a Andorra i la regió catalana, la qual cosa garanteix una logística ràpida i eficient. No hi ha cap complicació d’importació.

Consell CISO/CSO – Protecció Universal i Sobirana

Per saber com protegir-se de la intercepció de WebAuthn, és important saber que EviBITB (Embedded Browser-In-The-Browser Protection) és una tecnologia integrada a PassCypher HSM PGP, inclosa la seva versió gratuïta. Detecta i elimina automàticament o manualment els iframes de redirecció utilitzats en atacs BITB i de falsificació de sol·licituds, eliminant així el vector d’intercepció de WebAuthn.

  • Desplegament Immediat: És una extensió gratuïta per als navegadors Chromium i Firefox, escalable per a un ús a gran escala sense una llicència de pagament.
  • Protecció Universal: Funciona fins i tot si l’organització encara no ha migrat a un model sense sol·licituds.
  • Compatibilitat Sobirana: Funciona amb PassCypher NFC HSM Lite (99 €) i el PassCypher HSM PGP complet (129 €/any).
  • Sense Contrasenya Complet: Tant PassCypher NFC HSM com HSM PGP poden reemplaçar completament FIDO/WebAuthn per a tots els camins d’autenticació, amb zero sol·licituds, zero núvol i 100% sobirania.

Recomanació Estratègica:
Desplegueu EviBITB immediatament a totes les estacions de treball per neutralitzar la falsificació de BITB/sol·licituds, i després planifiqueu la migració de l’accés crític a un model PassCypher complet per eliminar permanentment la superfície d’atac.

FAQ CISOs/CSOs

P: Quin és l’impacte regulador de la Vulnerabilitat Passkeys?

R: Aquest tipus d’atac pot comprometre el compliment dels requisits de MFA “resistent al phishing” definits per la CISA, NIS2 i SecNumCloud. L’existència d’una Vulnerabilitat Passkeys en el vostre sistema fa que l’organització s’enfronti a sancions del GDPR (i de la Llei 29/2021 d’Andorra) i a una qüestió sobre les seves certificacions de seguretat.

P: Existeix una protecció universal i gratuïta contra la Vulnerabilitat Passkeys?

R: Sí. EviBITB és una tecnologia integrada a PassCypher HSM PGP, inclosa la seva versió gratuïta. Bloqueja els iframes de redirecció (Browser-In-The-Browser) i elimina el vector de sol·licitud d’autenticació falsificable explotat en la intercepció de WebAuthn. Es pot desplegar immediatament a gran escala sense una llicència de pagament.

P: Hi ha solucions per a la Vulnerabilitat Passkeys?

R: Sí. PassCypher NFC HSM i PassCypher HSM PGP són solucions completes i sobiranes sense contrasenya que aborden directament la Vulnerabilitat Passkeys: permeten l’autenticació, la signatura i l’encriptació sense infraestructura FIDO, amb zero sol·licituds falsificables, zero núvols de tercers i una arquitectura 100% controlada.

P: Quin és el pressupost mitjà i el ROI d’una migració a un model sense sol·licitud?

R: Segons l’estudi Temps Dedicat als Mètodes d’Autenticació, un professional perd una mitjana de 285 hores/any en autenticacions clàssiques, la qual cosa representa un cost anual d’uns 8.550 $ (basat en 30 $/h). PassCypher HSM PGP redueix aquest temps a ~7 h/any, i PassCypher NFC HSM a ~18 h/any. Fins i tot amb el model complet (129 €/any) o l’NFC HSM Lite (99 € de compra única), el punt d’equilibri s’assoleix en pocs dies o poques setmanes, i l’estalvi net supera 50 vegades el cost anual en un context professional.

P: Com podem gestionar una flota híbrida (llegat + moderna)?

R: Manteniu FIDO per a usos de baix risc mentre els substituïu gradualment per PassCypher NFC HSM i/o PassCypher HSM PGP en entorns crítics. Aquesta transició elimina les sol·licituds explotables i manté la compatibilitat amb les aplicacions.

P: Quines mètriques hem de seguir per mesurar la reducció de la superfície d’atac?

R: El nombre d’autenticacions a través de sol·licituds del sistema vs. autenticació per maquinari, incidents relacionats amb la intercepció de WebAuthn, temps mitjà de correcció i el percentatge d’accessos crítics migrats a un model sobirà sense sol·licituds.

Pla d’Acció CISO/CSO

Per als professionals de la ciberseguretat a Andorra i Catalunya, la Vulnerabilitat Passkeys és un senyal d’alerta. L’estratègia digital busca la màxima sobirania, i els models sense sol·licitud i sense núvol — encarnats per HSMs sobirans com PassCypher — redueixen radicalment la superfície d’atac.

Acció Prioritària Impacte Esperat
Implementar solucions per a la Vulnerabilitat Passkeys, substituint-les per PassCypher NFC HSM (99 €) i/o PassCypher HSM PGP (129 €/any) Elimina la sol·licitud falsificable, elimina la intercepció de WebAuthn i permet un accés sobirà sense contrasenya amb un període de recuperació de la inversió de dies segons l’estudi sobre el temps d’autenticació
Migrar a un model PassCypher complet per a entorns crítics Elimina tota la dependència de FIDO/WebAuthn, centralitza la gestió sobirana d’accessos i secrets, i maximitza els guanys de productivitat mesurats per l’estudi
Desplegar EviBITB (tecnologia integrada a PassCypher HSM PGP, versió gratuïta inclosa) Ofereix una protecció immediata i sense costos contra BITB i el phishing en temps real mitjançant la falsificació de sol·licituds
Endurir la UX (signatures visuals, elements no clonables) Complica els atacs a la UI, el clickjacking i la recuperació
Auditar i registrar els fluxos d’autenticació Detecta i segueix qualsevol intent de segrest de flux o d’atacs Adversary-in-the-Middle
Alinear-se amb NIS2, SecNumCloud i GDPR Redueix el risc legal i proporciona proves de conformitat
Alinear-se amb la Llei 29/2021 d’Andorra Reforça la sobirania digital, evita la dependència de tercers i assegura la conformitat amb el marc legal del Principat
Formar els usuaris sobre les amenaces d’interfície falsificable Enforteix la vigilància humana i la detecció proactiva
]

Perspectives Estratègiques davant la Vulnerabilitat Passkeys

El missatge de la DEF CON 33 és clar: la seguretat de l’autenticació es guanya o es perd a la interfície. En altres paraules, mentre l’usuari validi les sol·licituds d’autenticació gràfica sincronitzades amb un flux de xarxa, el phishing en temps real i la intercepció de WebAuthn continuaran sent possibles.

La Vulnerabilitat Passkeys, lligada a la sincronització al núvol, és una preocupació major per a les organitzacions que busquen la sobirania digital.

A curt termini, cal generalitzar l’ús de **solucions lligades al dispositiu** per a aplicacions sensibles. Això és el primer pas per contrarestar la Vulnerabilitat Passkeys. A mitjà termini, l’objectiu és eliminar la UI falsificable dels camins crítics. Finalment, la trajectòria recomanada serà eliminar permanentment la Vulnerabilitat Passkeys dels camins crítics mitjançant una transició gradual a un model PassCypher complet, proporcionant una solució definitiva per a les passkeys vulnerables en un context professional.

Dropbox Security Breach 2024: Phishing, Exploited Vulnerabilities

A realistic depiction of the 2024 Dropbox security breach, featuring a cracked Dropbox logo with compromised data such as emails, user credentials, and security tokens spilling out. The background includes red flashing alerts and warning symbols, highlighting the seriousness of the breach.

Delving into the 2░0░2░4░Dropbox Security Breach: A Chronicle of Vulnerabilities, Exfiltrated Data

In 2024, a shadow fell over cloud storage security. The Dropbox breach exposed a shocking vulnerability, leaving user data at risk. This deep dive explores the attack, the data compromised, and why encryption remains your ultimate defense. Dive in and learn how to fortify your digital assets.

Dropbox Security Breach. Stay updated with our latest insights.

Europol

Dropbox Security Breach: Password Managers and Encryption as Defense By Jacques Gascuel, this article examines the crucial role password managers and encryption play in mitigating the risks of cyberattacks like the Dropbox Security Breach

Phishing Tactics: The Bait and Switch in the Aftermath of the Dropbox Security Breach

The 2024 Dropbox Security Breach stands as a stark reminder of the ever-evolving cyberthreat landscape and the urgent need for robust security measures. In this comprehensive article, we’ll unravel the intricate details of this breach, examining the tactics employed by attackers, the vast amount of sensitive data compromised, and the far-reaching consequences for affected users. We’ll also delve into the underlying security vulnerabilities exploited and discuss essential measures to prevent similar incidents in the future. Finally, we’ll explore the crucial role of advanced encryption solutions, such as DataShielder and PassCypher, in safeguarding sensitive data stored in the cloud. Through this in-depth analysis, you’ll gain a clear understanding of the Dropbox breach, its impact, and the proactive steps you can take to enhance your own cybersecurity posture.

Crafting Convincing Emails

Attackers meticulously crafted phishing emails, often disguised as notifications or security alerts, to deceive employees.

  • Crafting Convincing Emails: Attackers meticulously crafted phishing emails, often disguised as notifications or security alerts, to deceive employees.
  • Exploiting Human Trust: By leveraging the trust employees had in Dropbox, attackers successfully persuaded them to divulge sensitive information.
  • MFA Circumvention: The compromise of MFA codes highlights the need for additional layers of security beyond passwords.
Diagram illustrating the stages of the 2024 Dropbox Security Breach attack flow.
This diagram depicts the stages of the 2024 Dropbox Security Breach, from phishing emails to data exfiltration and its aftermath.

Dropbox Security Breach Attack Flow: Unraveling the Steps of the Cyberattack

  • Phishing Emails: Attackers send out phishing emails to Dropbox employees, mimicking legitimate communications.
  • Credential Harvesting: Employees fall victim to phishing tactics and reveal their credentials, including MFA codes.
  • Unauthorized Access: Attackers gain unauthorized access to Dropbox Sign infrastructure using compromised credentials.
  • Exploiting Automated Tools: Attackers exploit automated system configuration tools to manipulate accounts and escalate privileges.
  • Data Exfiltration: Attackers extract a vast amount of sensitive data, including emails, usernames, phone numbers, hashed passwords, API keys, OAuth tokens, and MFA data.

Exploited Vulnerabilities: A Technical Analysis

The attackers behind the Dropbox breach exploited a combination of vulnerabilities to gain unauthorized access and exfiltrate sensitive data.

Specific CVEs Exploited

  • CVE-2019-12171: This vulnerability allowed attackers to store credentials in cleartext in memory, posing a significant security risk.
  • CVE-2022-4768: This critical vulnerability in Dropbox Merou affected the add_public_key function, leading to injection attacks.
  • Automated System Configuration Tools: The exploitation of these tools highlights the need for robust access controls and security measures.

Exfiltrated Data: The Scope of the Breach

The sheer volume of data compromised in the Dropbox breach is staggering, raising serious concerns about the potential impact on affected users.

Types of Data Exposed

  • Exposed Emails: Attackers now possess email addresses, potentially enabling them to launch targeted phishing attacks or engage in email scams.
  • Vulnerable Usernames: Usernames, often coupled with leaked passwords or other personal information, could be used to gain unauthorized access to other online accounts.
  • Misused Phone Numbers: Exposed phone numbers could be used for unwanted calls, text messages, or even attempts to reset passwords or gain access to other accounts.
  • Hashed Passwords: A Target for Cracking: While not directly readable, hashed passwords could be subjected to brute-force attacks or other cracking techniques to recover the original passwords.
  • Compromised Authentication Tokens: API keys and OAuth tokens, used for app authentication, could enable attackers to impersonate users and access their Dropbox accounts or other connected services.

The Dropbox Breach Fallout: Unraveling the Impact and Consequences

The ramifications of the Dropbox breach extend far beyond the compromised data itself. The incident has had a profound impact on both affected users and Dropbox as a company.

Consequences of the Breach

  • User Privacy Concerns: The exposure of personal information has left users feeling vulnerable and at risk of identity theft, phishing attacks, and other cyber threats.
  • Reputational Damage: Dropbox’s reputation as a secure cloud storage provider has taken a significant hit, potentially affecting user trust and future business prospects.
  • Financial Costs: Dropbox has incurred substantial expenses in investigating the breach, notifying affected users, and implementing additional security measures.

Lessons Learned: Preventing Future Breaches and Strengthening Security

In the aftermath of the Dropbox breach, it’s crucial to identify key takeaways and implement preventive measures to safeguard against future incidents.

Essential Security Practices

  • Secure Service Accounts: Implement strong passwords for service accounts and enforce strict access controls, adhering to the principle of least privilege. Consider using Privileged Access Management (PAM) solutions to manage and monitor service account activity.
  • Regular Penetration Testing: Conduct regular penetration tests (pen tests) to identify and remediate vulnerabilities in systems and networks before they can be exploited by attackers. Engage qualified security professionals to simulate real-world attack scenarios.
  • Continuous Monitoring and Incident Response: Establish a robust incident response plan to effectively address security breaches. This plan should include procedures for identifying, containing, and remediating incidents.
  • Patch Management: Prioritize timely patching of software and systems with the latest security updates. Implement a comprehensive patch management strategy to ensure the prompt deployment of critical security updates.

Beyond the Breach: Enhancing Proactive Defense with Advanced Encryption

While robust security practices are essential for preventing breaches, additional layers of protection can further safeguard data. Advanced encryption solutions play a pivotal role in this regard. Here, we’ll delve into two such solutions – DataShielder HSM PGP and NFC HSM, and PassCypher HSM PGP and NFC HSM – and explore how they address the vulnerabilities exploited in the 2024 Dropbox breach.

DataShielder HSM PGP and NFC HSM

DataShielder HSM PGP and NFC HSM provide client-side encryption for data stored in the cloud. By encrypting data at rest and in transit (as depicted in the following diagram [Insert DataShielder Diagram Here]), DataShielder ensures that even if an attacker gains access to cloud storage, the data remains inaccessible. This robust protection is achieved through:

  • Client-Side Encryption: Data is encrypted on the user’s device before being uploaded to the cloud.
  • Hardware Security Module (HSM) or NFC HSM: Encryption keys are stored within a secure HSM or NFC HSM, offering physical separation and robust protection against unauthorized access.
  • Offsite Key Management: Encryption keys are never stored on the cloud or user devices, further minimizing the risk of compromise (as illustrated in the diagram).
  • Post-Quantum Encryption: Additionally, DataShielder incorporates post-quantum encryption algorithms to safeguard against future advancements in code-breaking techniques.

Diagram showing DataShielder HSM PGP and DataShielder NFC HSM encryption process for Dropbox security breach protection.

DataShielder HSM PGP and NFC HSM: Ensuring Dropbox security breach protection with AES-256 encryption and offsite key management

PassCypher HSM PGP and NFC HSM

PassCypher HSM PGP and NFC HSM go beyond traditional password management, offering a comprehensive security suite that directly addresses the vulnerabilities exploited in the 2024 Dropbox breach. Here’s how PassCypher strengthens your defenses:

  • Multi-Factor Authentication (MFA) with Hardware Security: PassCypher NFC HSM offers additional protection for logins by securely managing Time-based One-Time Passwords (TOTP) and HOTP keys. Users can scan a QR code to automatically store the encrypted TOTP secret key within the NFC HSM, adding a layer of hardware-based authentication beyond passwords.
  • Real-Time Password Breach Monitoring: PassCypher HSM PGP integrates with Have I Been Pwned (HIBP), a constantly updated database of compromised passwords. This real-time monitoring allows users to be instantly notified if their passwords appear in any known breaches.
  • Phishing Prevention: In addition to the URL sandbox system and protection against typosquatting and BITB attacks mentioned earlier, PassCypher’s comprehensive approach empowers users to identify and avoid malicious attempts (as detailed in the diagram).
  • Client-Side Encryption: PassCypher utilizes client-side encryption to ensure data remains protected even if attackers manage to exfiltrate it (as shown in the diagram).

 

Diagram illustrating PassCypher HSM PGP and PassCypher NFC HSM, focusing on Dropbox security breach protection

By combining these features, PassCypher HSM PGP and NFC HSM provide a robust defense against the social engineering tactics and credential theft exploited in the Dropbox breach.

Statistics of the 2024 Dropbox Security Breach

While verifying the exact number of users affected by data breaches can be challenging, security experts estimate that the Dropbox breach could have impacted a substantial number of users. Some reports suggest that the breach may have affected up to 26 billion records, making it one of the largest data breaches in history. However, it is crucial to note that this figure is unconfirmed and may not reflect the actual number of individuals impacted.

Key Takeaways for Enhanced Cybersecurity

  • Uncertain Numbers: The exact number of affected users remains unclear, highlighting the challenges in verifying breach statistics.
  • Potential for Massive Impact: The estimated 26 billion records underscore the potential scale of the breach and its far-reaching consequences.
  • Importance of Reliable Sources: Relying on reputable sources for breach information is crucial to ensure accurate and up-to-date data.

Conclusion: A Call for Vigilance and Enhanced Security in the Wake of the Dropbox Security Breach

The 2024 Dropbox security breach serves as a stark reminder of the ever-evolving cyberthreat landscape and the urgent need for vigilant security practices. Organizations must prioritize robust security measures, including strong access controls, regular vulnerability assessments, and timely patching. Additionally, advanced encryption solutions, such as DataShielder HSM PGP and NFC HSM and PassCypher HSM PGP and NFC HSM, can provide an extra layer of protection for sensitive data.

Key Takeaways for Enhanced Cybersecurity

  • Collective Responsibility: Cybersecurity is a shared responsibility, requiring collaboration between organizations and individuals.
  • Continuous Learning and Awareness: Staying informed about emerging threats and adopting best practices are essential for effective cybersecurity.
  • Protecting Sensitive Data: Prioritizing data protection through robust security measures and advanced encryption is paramount.

The 2024 Dropbox security breach serves as a cautionary tale, highlighting the vulnerabilities that can exist even in large, established organizations. By learning from this incident and implementing the recommendations discussed, we can collectively strengthen our cybersecurity posture and protect our valuable data from the ever-evolving threat landscape.

Phishing Cyber victims caught between the hammer and the anvil

Phishing: Cyber victims caught between the hammer and the anvil

Phishing Cyber Victims by Jacques Gascuel This article will be updated with any new information on the topic, and readers are encouraged to leave comments or contact the author with any suggestions or additions.

Phishing: how cyber-victims are caught between scam and blackmail

Have you ever received an email or a message that looked like an official communication from a trusted organization, such as your bank, your phone operator or your social network? Did it ask you to confirm your personal or financial information, to pay a fine or to update your software? If so, you may have been targeted by a phishing attack.

Discover our other articles on digital security

Phishing is a fraudulent technique that aims to deceive internet users and to steal their information, money or identity. Phishing is a major threat for the security of individuals and organizations, as it can lead to financial losses, identity theft, extortion or malware infections. In this article, I will explain to you what phishing is, how to protect yourself from it, what to do if you fall victim to it and what are the current trends of this phenomenon.

What is phishing?

Phishing is a form of social engineering that exploits the human factor rather than the technical factor. In other words, phishing relies on manipulating people’s emotions, such as fear, curiosity or greed, rather than hacking their devices or systems.

Phishing usually involves sending emails or messages that mimic the appearance and content of official communications from legitimate organizations. These messages often contain a link or an attachment that directs the recipients to a fake website or a malicious file. The goal of phishing is to trick the recipients into revealing their personal, financial or confidential information, such as their passwords, their bank account numbers or their credit card details. Alternatively, phishing can also persuade the recipients to make fraudulent payments or to download malware on their devices.

Phishing can target anyone who uses the internet, whether they are individuals or organizations. However, some groups are more vulnerable than others, such as seniors, students or employees. According to a report by Verizon (https://enterprise.verizon.com/resources/reports/dbir/), phishing was involved in 36% of data breaches in 2020.

How to protect yourself from phishing?

To protect yourself from phishing, you need to be able to recognize the signs that can indicate that a message is fraudulent. Here are some examples of signs to watch out for:

  • Spelling or grammar mistakes in the message.
  • Suspicious addresses or links that do not match the supposed organization behind the message.
  • Urgent or unusual requests, such as confirming your bank details, paying a fine or updating your software.
  • Attachments or links that invite you to download or open a file.

If you receive a suspicious message, do not click on the links, do not open the attachments and do not reply to the message. Instead, check the source of the message by looking at the sender’s address, hovering over the links with your mouse to see their real destination or contacting directly the organization supposed to be behind the message by another means (phone, official website, etc.).

You can also use some tools and practices to enhance your security online, such as:

  • Installing an antivirus software and keeping it updated.
  • Using strong and unique passwords for each site and service you use.
  • Enabling two-factor authentication whenever possible.
  • Avoiding public Wi-Fi networks or using a VPN (Virtual Private Network) when accessing sensitive sites.
  • Educating yourself and others about cyber threats and how to prevent them.

What to do if you are a victim of phishing?

If you have clicked on a link, opened an attachment or disclosed personal or financial information following a fraudulent message, you may be a victim of phishing. In this case, it is important to act quickly to limit the consequences. Here are some tips to follow:

  • Change your passwords on all sites and services you use, especially those related to your bank accounts, your social networks or your email accounts.
  • Contact your bank or your phone operator to report the incident and block your cards or lines if necessary.
  • File a complaint with the competent authorities, such as the police, the FTC (Federal Trade Commission) or the IC3 (Internet Crime Complaint Center).
  • Report the fraudulent message to the concerned organizations, such as https://www.antiphishing.org/ or https://www.us-cert.gov/report-phishing. These sites also offer you information and services to help you cope with the consequences of phishing.

What is the new bill on justice and why is it raising concerns about privacy?

The bill on justice is a legislative project. It aims to modernize and simplify justice in France. It covers civil, criminal, administrative and digital justice. It also strengthens the investigation and prosecution of serious offenses, such as terrorism and organized crime.

One measure authorizes remote activation of phones by the police for some investigations. Article 3 “An unfailing commitment to better prevent radicalization and fight against terrorism” of the bill includes this measure. It modifies article 706-102-1 of the code of criminal procedure. This article defines how to activate remotely any electronic device that can emit, transmit, receive or store data.

This measure raises privacy concerns because it lets the police access personal or professional data in phones without the owners’ or possessors’ consent or knowledge. It also lets the police locate, record or capture sounds and images from phones without notification or justification. This measure may violate fundamental rights and freedoms, such as privacy, confidentiality, dignity, presumption of innocence and right to a fair trial.

What is remote activation of phones and how does it work?

Remote activation of phones by the police is an intelligence technique that allows law enforcement agencies to access data or record sounds and images from phones without the consent or knowledge of the phone users. This technique can be used for criminal investigations or national security purposes.

To remotely activate phones, law enforcement agencies need three factors: compatibility, connectivity, and security of the phones. They need to be compatible with the software or hardware that enables remote activation. They need to be connected to a network or a device that allows remote access. They need to have security flaws or vulnerabilities that can be exploited or bypassed.

Law enforcement agencies can remotely activate phones by three methods: exploiting vulnerabilities, installing malware, or using spyware on phones. Exploiting vulnerabilities means taking advantage of security flaws or weaknesses in the phone’s operating system, applications, or protocols. Installing malware means putting malicious software on the phone that can perform unauthorized actions or functions. Using spyware means employing software or hardware that can monitor or control the phone’s activity or data.

By remotely activating phones, law enforcement agencies can access data such as contacts, messages, photos, videos, location, browsing history, or passwords. They can also record sounds and images such as conversations, ambient noises, or camera shots. They can do this in real time or later by retrieving the data from the phone’s memory or storage.

What is the French bill on remote activation of phones by the police and what are its implications?

The French bill on remote activation of phones by the police is a legislative text that was promulgated on 25 May 2021. It is part of the justice orientation and programming bill for 2023-2027, which aims to modernize the justice system and reinforce its efficiency and independence.

The bill introduces a new article in the code of criminal procedure, which allows the judge of liberties and detention (at the request of the prosecutor) or the examining magistrate to order the remote activation of an electronic device without the knowledge or consent of its owner or possessor for the sole purpose of locating it in real time. This measure can be applied for crimes or misdemeanors punishable by at least five years’ imprisonment, a fairly broad criterion.

The bill also allows the judge of liberties and detention (at the request of the prosecutor) or the examining magistrate to order the remote activation of an electronic device without the knowledge or consent of its owner or possessor for the purpose of recording sounds and images from it. This measure can be applied only for crimes relating to organized crime and terrorism.

These measures cannot concern parliamentarians, journalists, lawyers, magistrates and doctors, nor the defendants when they are in the judge’s office or with their lawyer.

The bill also specifies that the remote activation of an electronic device must be done in a way that does not alter its functioning or data, and that the data collected must be destroyed within six months after their use.

The bill aims to provide law enforcement agencies with more tools and information to prevent, investigate and prosecute crimes, especially in cases where phones are encrypted, hidden or destroyed. It also aims to harmonize the French legislation with other countries that have used or considered this technique, such as the United States, Germany, Italy, Israel, Canada, China, France, and the United Kingdom.

However, the bill also raises ethical and social challenges, as it involves a trade-off between security and privacy, as well as between effectiveness and legitimacy. It may undermine the right to respect for private life and the right to a fair trial, which are guaranteed by the European Convention on Human Rights and the French Constitution. It may also expose law enforcement agencies to legal or technical challenges or dangers, such as encryption technologies that can prevent or hinder remote activation. It may also create distrust or resistance among phone users or providers, who may use encryption technologies or legal remedies to protect their data or communications.

The bill has been criticized by several actors, such as lawyers, human rights defenders, digital rights activists, journalists and academics. They have denounced its lack of proportionality, necessity and oversight. They have also questioned its effectiveness and legitimacy. They have called for its withdrawal or amendment.

The bill is still subject to constitutional review by the Constitutional Council before its final promulgation.

How did the Senate vote on the bill and where to find the official sources?

The Senate adopted this measure on October 20, 2021, with some amendments. The Senate voted in favor of this measure by 214 votes against 121. The Senate also added some safeguards to this measure, such as limiting its duration to four months renewable once and requiring prior authorization from an independent judge.

The National Assembly still has to examine the bill before adopting it definitively. The National Assembly may approve, reject or modify this measure. The final text may differ from the one that the Senate voted.

The examination of the bill by the National Assembly will start on December 6, 2021. You can follow the progress of the bill on the website of the National Assembly. You can also find the official text of the bill and the report of the Senate on their respective websites. You can also consult the website of the Ministry of Justice for more information on the bill and its objectives.

What are the benefits and risks of remote activation of phones?

This technique can affect citizens’ and suspects’ behavior in different ways.

On one hand, it can deter people from serious offenses. It exposes them to a higher risk of detection and identification. It reduces their incentives for criminal activities.

On the other hand, it can also make people more cautious or paranoid. It increases their uncertainty and fear. It leads them to avoid electronic devices, encrypt their communications, or use countermeasures such as jamming devices.

This technique can also impact public safety and security positively and negatively.

On one hand, it can improve the efficiency and effectiveness of law enforcement agencies. It provides them with more information and evidence. It helps them prevent, investigate and prosecute crimes.

On the other hand, it can also pose risks for human rights and civil liberties. It allows intrusive and covert surveillance. It violates privacy, confidentiality and dignity. It can also be subject to abuse, misuse or error by law enforcement agents or hackers.

Finally, it can create a feeling of insecurity and mistrust towards institutions, which can access personal or professional data in phones. It can also harm respect for presumption of innocence by placing permanent suspicion on people targeted by this technique. It can also infringe on protection of journalistic sources or right to information by discouraging whistleblowers or witnesses from speaking freely. It can finally encourage people concerned to adopt avoidance or circumvention strategies, such as changing phones regularly, using encrypted applications or switching to airplane mode.

These strategies can reduce the actual effectiveness of this technique for preventing terrorism and organized crime.

What are the arguments in favor of remote activation of phones?

Some people support this technique because they think it has several advantages for law enforcement and public security.

How can remote activation of phones violate privacy and data protection?

One of the main arguments against this technique is that it can violate privacy and data protection for individuals and groups. Privacy and data protection are fundamental rights recognized by international standards and laws. They ensure human dignity and autonomy.

Remote activation of phones violates privacy and data protection by letting law enforcement agencies access personal or professional data without the owners’ or possessors’ consent or knowledge. It also lets law enforcement agencies access sensitive or confidential data without notification or justification. It also lets law enforcement agencies access excessive or irrelevant data without limitation or proportionality.

For example, remote activation of phones could let the police access medical records, financial transactions, political opinions, religious beliefs, sexual preferences, or other intimate information on a device or a communication. It could also let the police access information that is not related to the investigation or that is out of scope on a device or a communication. It could also let the police access information that is not necessary or appropriate for the investigation or that is disproportionate to the seriousness of the offense on a device or a communication.

How can remote activation of phones improve access to justice and evidence?

Another argument in favor of this technique is that it can improve access to justice and evidence for law enforcement agencies and victims of crimes. Justice and evidence ensure the rule of law and the protection of rights.

Remote activation of phones improves access to justice and evidence by letting law enforcement agencies obtain information that is otherwise inaccessible or difficult to obtain. It also lets law enforcement agencies obtain information that is more reliable and accurate than other sources. It also lets law enforcement agencies obtain information that is timelier and more relevant than other sources.

For example, remote activation of phones could help the police access data that is encrypted or password-protected on a device or a communication. It could also help the police access data that is authentic and verifiable on a device or a communication. It could also help the police access data that is up-to-date and pertinent on a device or a communication.

What are the arguments against remote activation of phones?

Some people oppose this technique because they think it has several disadvantages for human rights and civil liberties.

How can remote activation of phones violate privacy and data protection?

One of the main arguments against this technique is that it can violate privacy and data protection for individuals and groups. Privacy and data protection are fundamental rights recognized by international standards and laws. They ensure human dignity and autonomy.

Remote activation of phones violates privacy and data protection by letting law enforcement agencies access personal or professional data without the owners’ or possessors’ consent or knowledge. It also lets law enforcement agencies access sensitive or confidential data without notification or justification. It also lets law enforcement agencies access excessive or irrelevant data without limitation or proportionality.

For example, remote activation of phones could let the police access medical records, financial transactions, political opinions, religious beliefs, sexual preferences, or other intimate information on a device or a communication. It could also let the police access information that is not related to the investigation or that is out of scope on a device or a communication. It could also let the police access information that is not necessary or appropriate for the investigation or that is disproportionate to the seriousness of the offense on a device or a communication.

How can remote activation of phones undermine the presumption of innocence and the right to a fair trial?

Another argument against this technique is that it can undermine the presumption of innocence and the right to a fair trial for individuals and groups. The presumption of innocence and the right to a fair trial are fundamental rights recognized by international standards and laws. They ensure justice and accountability.

Remote activation of phones undermines the presumption of innocence and the right to a fair trial by letting law enforcement agencies access data that they can use against individuals or groups without any legal basis or due process. It also lets law enforcement agencies access data that they can manipulate or falsify by law enforcement agents or hackers. It also lets law enforcement agencies access data that individuals or groups can challenge or contest.

For example, remote activation of phones could let the police access data that they can incriminate individuals or groups without any warrant or authorization from a judge. It could also let the police access data that they can alter or corrupt by law enforcement agents or hackers. It could also let the police access data that individuals or groups can dispute or refute.

How can remote activation of phones create a risk of abuse and misuse by the authorities?

Another argument against this technique is that it can create a risk of abuse and misuse by the authorities for individuals and groups. Abuse and misuse are illegal or unethical actions that violate rights and obligations. They damage trust and legitimacy.

Remote activation of phones creates a risk of abuse and misuse by the authorities by letting law enforcement agencies access data that they can use for purposes other than those authorized or intended. It also lets law enforcement agencies access data that they can share or disclose to third parties without any oversight or control. It also lets law enforcement agencies access data that they can retain or store for longer than necessary or permitted.

For example, remote activation of phones could let the police access data that they can use for political, personal, commercial, or other interests on a device or a communication. It could also let the police access data that they can transfer or leak to other agencies, organizations, media, or individuals on a device or a communication. It could also let the police access data that they can keep or archive for indefinite periods on a device or a communication.

What are the alternatives and safeguards for remote activation of phones?

Some people suggest that there are alternatives and safeguards for remote activation of phones that can balance security and privacy.

What are the existing legal tools to access phone data with judicial authorization?

One of the alternatives for remote activation of phones is to use existing legal tools to access phone data with judicial authorization. Judicial authorization is a legal requirement that ensures respect for rights and obligations. An independent and impartial judge grants it after evaluating the necessity and proportionality of the request.

Existing legal tools to access phone data with judicial authorization include search warrants, wiretaps, geolocation orders, data requisitions, and international cooperation agreements. These tools let law enforcement agencies obtain information from phones in a lawful and transparent manner. They also provide legal protection and recourse for individuals and groups.

For example, search warrants let law enforcement agencies physically seize phones and extract data from them with judicial authorization. Wiretaps let law enforcement agencies intercept calls and messages from phones with judicial authorization. Geolocation orders let law enforcement agencies track the location of phones with judicial authorization. Data requisitions let law enforcement agencies request data from phone operators or service providers with judicial authorization. International cooperation agreements let law enforcement agencies exchange data with foreign authorities with judicial authorization.

What are the principles and conditions for remote activation of phones according to the bill?

One of the safeguards for remote activation of phones is to follow the principles and conditions for remote activation of phones according to the bill. The bill on justice sets some rules and limits for this technique to prevent abuse and misuse.

The principles and conditions for remote activation of phones according to the bill include:

  • The technique can only be used for terrorism and organized crime investigations.
  • An independent judge who authorizes it must supervise the technique. The technique can only last for four months renewable once.
  • The technique must respect necessity, proportionality, subsidiarity, and legality.
  • Parliament and independent authorities must oversee and control the technique.
  • Experts and stakeholders must evaluate and review the technique.

These principles and conditions aim to ensure a reasonable and accountable use of this technique. They also aim to protect the rights and interests of individuals and groups.

What are the possible ways to limit or challenge remote activation of phones?

Another safeguard for remote activation of phones is to use possible ways to limit or challenge remote activation of phones by individuals or groups. These ways can help protect rights and interests, as well as ensure accountability and transparency.

Some of the possible ways to limit or challenge remote activation of phones are:

  • Using encryption technologies:

    Encryption technologies can make data on phones unreadable or inaccessible to law enforcement agencies, even if they remotely activate them. Encryption technologies can also protect communications from law enforcement agencies’ interception or recording. For example, using end-to-end encryption apps, such as Signal or WhatsApp, can prevent law enforcement agencies from accessing messages or calls on phones.

  • Using security features:

    Security features can prevent law enforcement agencies from installing or activating software or applications on phones that enable remote activation. Security features can also detect or remove software or applications that enable remote activation. For example, using antivirus software, firewalls, passwords, biometrics, or VPNs can prevent law enforcement agencies from accessing phones.

  • Using legal remedies:

    Legal remedies can let individuals or groups contest or oppose remote activation of phones by law enforcement agencies. Legal remedies can also let individuals or groups seek compensation or redress for damages caused by remote activation of phones. For example, using judicial review, administrative appeals, complaints, lawsuits, or human rights mechanisms can challenge law enforcement agencies’ actions or decisions regarding remote activation of phones.

How does this technique compare with other countries?

Law enforcement agencies in other countries, such as the United States, Germany, Italy, Israel, Canada, China, France, and the United Kingdom, have used or considered remote activation of phones by the police. This technique is not new or unique. However, the legal framework, the technical methods, and the ethical and social implications of this technique vary from country to country..

How does remote activation of phones by the police work in different countries?

Remote activation of phones by the police is an intelligence technique that varies from country to country. It depends on the legal framework, the technical methods and the ethical issues of each country. Here are some examples of how it works in different countries.

  • In the United States, this technique is known as “roving bugs” or “mobile device tracking”. The Foreign Intelligence Surveillance Act (FISA) authorizes it for national security purposes and Title III of the Omnibus Crime Control and Safe Streets Act for criminal investigations. It requires a court order based on probable cause and limited in scope and duration. It can locate or record sounds and images from phones. It can be done by installing malware or exploiting vulnerabilities on phones.
  • In Germany, this technique is known as “Quellen-TKÜ” or “source telecommunications surveillance”. The Code of Criminal Procedure and the Telecommunications Act regulate it for criminal investigations and the Federal Intelligence Service Act for national security purposes. It requires a court order based on reasonable suspicion and proportionality. It can intercept communications from phones. To do so, it installs software or uses spyware on phones.
  • In Italy, this technique is known as “Trojan horse” or “spyware”. The Code of Criminal Procedure and the Data Protection Code regulate it for criminal investigations. It requires a court order based on serious indications of guilt and necessity. It can access data or record sounds and images from phones. To do so, it installs software or uses spyware on phones.
  • In Israel, this technique is known as “IMSI catchers” or “stingrays”. The Wiretapping Law and the Privacy Protection Law regulate it for criminal investigations and the Security Service Law for national security purposes. It requires a court order based on reasonable grounds and proportionality. It can locate or intercept communications from phones. To do so, it uses devices that mimic cell towers and trick phones into connecting to them.
  • In Canada, this technique is known as “cell site simulators” or “IMSI catchers”. The Criminal Code and the Charter of Rights and Freedoms regulate it for criminal investigations. It requires a court order based on reasonable grounds and proportionality. It can locate or intercept communications from phones. To do so, it uses devices that mimic cell towers and trick phones into connecting to them.
  • In China, this technique is known as “network interception” or “remote control”. The Criminal Procedure Law and the Cybersecurity Law regulate it for criminal investigations and national security purposes. It does not require a court order but only an approval from a higher authority. It can access data or record sounds and images from phones. To do so, it installs software or uses spyware on phones.
  • In France, real-time geolocation is regulated by the Criminal Procedure Code and the Intelligence Law for criminal and national security investigations. Article 706-102-1 of the Criminal Procedure Code allows police officers and agents to use a technical device to access, record, store and transmit computer data without the consent of the persons concerned. This requires a court order based on serious reasons and proportionality. Article 230-32 of the Criminal Procedure Code states that “Any technical means for real-time location, throughout the national territory, of a person, without his consent, a vehicle or any other object, without the consent of its owner or possessor, may be used if this operation is required by necessity: “. This also requires a court order based on serious reasons and proportionality.
  • In the United Kingdom, this technique is known as “equipment interference” or “hacking”. The Investigatory Powers Act regulates it for criminal investigations and national security purposes. It requires a warrant based on necessity and proportionality. It can access data or record sounds and images from phones. To do so, it installs software or uses spyware on phones.

How does remote activation of phones by the police raise ethical and social challenges?

Remote activation of phones by the police raises ethical and social challenges in different contexts and situations because it involves a trade-off between security and privacy, as well as between effectiveness and legitimacy.

Security versus privacy

On one hand, remote activation of phones by the police can enhance security by providing law enforcement agencies with more information and evidence to prevent, investigate, and prosecute crimes. It can also deter criminals from using phones to plan or commit crimes.

On the other hand, remote activation of phones by the police can undermine privacy by letting law enforcement agencies access personal or professional data without consent or knowledge. It can also violate human rights and civil liberties by letting law enforcement agencies monitor or record sounds and images without notification or justification.

Effectiveness versus legitimacy

On one hand, remote activation of phones by the police can be effective by increasing the chances of finding relevant information or evidence on phones that may be encrypted, hidden, or destroyed. It can also be efficient by reducing the costs and risks of physical surveillance or interception.

On the other hand, remote activation of phones by the police can be illegitimate by violating the legal framework, the technical methods, or the oversight and control mechanisms that regulate this technique in each country. It can also be counterproductive by creating distrust or resistance among phone users or providers, who may use encryption technologies or legal remedies to protect their data or communications.

The ethical and social challenges of remote activation of phones by the police depend on the legal framework, the technical methods, and the oversight and control mechanisms that regulate this technique in each country. They also depend on the cultural and political values, the public opinion, and the media coverage that shape the perception and acceptance of this technique in each country.

Some of the ethical and social challenges of remote activation of phones by the police are how to :

  • balance security and privacy in the use of this technique?
  • ensure compliance with fundamental rights and freedoms in the use of this technique?
  • prevent abuse, misuse, or error in the use of this technique?
  • provide legal protection and recourse for individuals or groups affected by this technique?
  • ensure accountability and transparency in the use of this technique?
  • evaluate the effectiveness and legitimacy of this technique?
  • foster trust and cooperation between law enforcement agencies and phone users in the use of this technique?

What is the impact of encryption technologies on this technique?

Encryption technologies are methods or systems that make data unreadable or inaccessible to unauthorized parties. Encryption technologies can have a significant impact on remote activation of phones by the police, as they can make this technique more difficult, risky, or controversial.

How can encryption technologies make remote activation of phones by the police more difficult or impossible?

Encryption technologies can make remote activation of phones by the police more difficult or impossible by preventing law enforcement agencies from accessing data or communications on phones, even if they remotely activate them. Encryption technologies can also protect phones from malware or spyware that enable remote activation.

For example, end-to-end encryption, which some apps such as Signal or WhatsApp use, can prevent law enforcement agencies from intercepting or reading messages or calls on phones, as only the sender and the receiver have the keys to decrypt them. Device encryption, which some operating systems such as iOS or Android use, can prevent law enforcement agencies from extracting or viewing data on phones, as they require a password or a biometric authentication to unlock them.

How can encryption technologies make remote activation of phones by the police more risky or harmful?

Encryption technologies can make remote activation of phones by the police more risky or harmful by exposing law enforcement agencies to legal or technical challenges or dangers. Encryption technologies can also harm phone users by compromising their security or privacy.

For example, breaking encryption, which law enforcement agencies sometimes do to access data or communications on phones, can expose them to legal challenges, as it may violate laws or regulations that protect encryption or privacy. It can also expose them to technical dangers, as it may weaken the security of phones or networks and create vulnerabilities for hackers or criminals. Hacking encryption, which law enforcement agencies sometimes do to install malware or spyware on phones, can harm phone users by compromising their security or privacy, as it may allow unauthorized access to their data or functions.

How can encryption technologies make remote activation of phones by the police more controversial or unacceptable?

Encryption technologies can make remote activation of phones by the police more controversial or unacceptable by raising ethical and social issues or debates. Encryption technologies can also create conflicts or tensions between law enforcement agencies and phone users or providers.

For example, undermining encryption, which law enforcement agencies sometimes request to facilitate remote activation of phones, can raise ethical and social issues or debates, as it may affect human rights and civil liberties, such as privacy, confidentiality, dignity, presumption of innocence, and right to a fair trial. It can also create conflicts or tensions between law enforcement agencies and phone users or providers. They may have different interests or values regarding encryption and security.

How does EviCore NFC HSM technology developed by Freemindtronic offer a high level of protection for phone users?

Remote activation of phones by the police can be facilitated by exploiting security flaws, installing malware, or requesting backdoors in encryption technologies. However, some encryption technologies may be resistant to these measures and offer a higher level of protection for phone users. One of them is the EviCore NFC HSM technology developed by Freemindtronic.

This technology lets users create their own encryption keys in a random way and store them in a physical device that communicates with the phone via NFC (Near Field Communication). The device also lets users define their own trust criteria that must be met to use the keys or their segments. The encryption is done in Quantum-Safe AES-256 mode from either a device compatible with the EviCore NFC HSM technology or from an encrypted enclave in the phone created in the Key chain (Apple) or the Key store (Android) via the EviCore HSM OpenPGP technology. The encryption keys are segmented and superior to 256 bits. Moreover, they are physically externalized from computer systems. Everything is designed by Freemindtronic to effectively fight against espionage and corruption of telephone, computer, communication and information systems. Finally, without a server, without a database, even in air gap and airplane mode works EviCore NFC HSM or EviCore HSM OpenPGP technology. Everything is designed to work in volatile memory to leave no trace in telephone and computer systems.

This technology offers a high level of security and privacy for phone users who want to protect their data from unauthorized access, including by the police. It also offers a high level of performance and usability for phone users who want to encrypt or over-encrypt all types of messaging in the world, including SMS and MMS. It also works with other applications that use encryption, such as email, cloud storage or blockchain.

Furthermore, this technology is designed to be totally anonymous, autonomous, unconnected, without a database, without collecting any information of any kind on the identity of the user, nor on the hardware, nor on the terminals used. The technology is designed to be totally isolated and totally independent of the security of the terminal used whether it is connected or not. Freemindtronic does not keep the unique pairing keys for each NFC HSM device. And even if it did, the user at installation will automatically generate segmented complementary keys for encryption with administrator and user passwords. Each NFC device has a unique 128-bit signature dedicated to fighting against counterfeiting of NFC devices. It is also used as a key segment. The secret stored in eprom memories or in enclaves of the phone and/or computer can be individually secured by other segmented keys characterized by additional trust criteria such as a geozone, a random hexadecimal code via an existing or generated QR code or Bar Code via EviCore HSM. It is therefore physically impossible for Freemindtronic but under judicial assignment to decrypt data encrypted via EviCore HSM technologies even with a quantum computer.

In conclusion, remote activation of phones by the police is an intelligence technique. It aims to fight terrorism and crime by accessing data or sounds and images from phones without consent or knowledge. Law enforcement agencies in various countries have used or considered this technique. For example, France, the United States, Germany, Italy, Israel, Canada, China, and the United Kingdom. However, this technique raises technical, legal, ethical, and social challenges. They need to be addressed.

On the technical side, remote activation of phones by the police depends on three factors: compatibility, connectivity, and security of the phones. It can be done by three methods: exploiting vulnerabilities, installing malware, or using spyware on phones.For example, EviCore NFC HSM technology developed by Freemindtronic protects data and communications on phones from remote activation by the police. Encryption technologies can make this technique more difficult or impossible by preventing law enforcement agencies from accessing data or communications on phones, even if they remotely activate them.

On the legal side, remote activation of phones by the police requires a legal framework that regulates its use and scope. Laws or regulations can authorize it and specify the conditions and criteria for its application. Legal remedies can also challenge it and contest or oppose its validity or legality.

On the ethical side, remote activation of phones by the police involves a trade-off between security and privacy, as well as between effectiveness and legitimacy. It can enhance security by providing more information and evidence to law enforcement agencies to prevent, investigate, and prosecute crimes. It can also undermine privacy by letting law enforcement agencies access personal or professional data without notification or justification.

On the social side, remote activation of phones by the police raises issues or debates that affect human rights and civil liberties. For example, privacy, confidentiality, dignity, presumption of innocence, and right to a fair trial. It can also create conflicts or tensions between law enforcement agencies and phone users or providers, as they may have different interests or values regarding encryption and security.

Therefore, remote activation of phones by the police is a complex and controversial technique that requires a careful and balanced approach that respects the rights and interests of all parties involved. The French bill on remote activation of phones by the police and the EviCore NFC HSM Open PGP technology developed by Freemindtronic illustrate the complex and evolving relationship between intelligence and encryption in the digital age. They raise questions about finding a balance. It is between security and privacy, between public interest and individual rights, between innovation and regulation.

: According to Okta, privacy is the right to control how your information is viewed and used, while security is protection from threats or dangers (https://www.okta.com/identity-101/privacy-vs-security/).

: According to Carnegie Endowment for International Peace, finding a balance between security and privacy requires addressing technical, legal, and social questions (https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573).

: According to Springboard, finding a balance between innovation and regulation requires cooperation among stakeholders and respect for human rights (https://www.springboard.com/blog/cybersecurity/privacy-vs-security-how-to-balance-both/).

Phishing: Cyber victims caught between the hammer and the anvil

Responsibility for Phishing, SMiShing, typosquatting, ransomhack, spear phishing, sim swapping, vishing, email and web Spoofing cybervictims is engaged.

There can no longer be any doubt, the responsibility of the Internet user is legally engaged with almost no recourse for the victims to obtain any refund!

Note that we most often find the English term “phishing” which translates “phishing” into French, as well as for the typosquatting that comes from the English “typosquatting” or spear phishing targeted phishing via social engineering techniques or Spoofing technique of spotting.

Following the 2015/2366 directive of the European Parliament and the Council of 25 November 2015, Order No. 2017-1252 of 9 August 2017 makes amendments to Articles L133-16 and L.133-19 of the Monetary and Financial Code for victims of bank card phishing.

Article L133-16 of the Monetary and Financial Code (below) states: “As soon as he receives a payment instrument, the user of payment services takes all reasonable measures to preserve the security of his custom security devices. It uses the payment instrument in accordance with the conditions governing its issuance and use. »

https://www.legifrance.gouv.fr/affichCodeArticle.do?cidTexte=LEGITEXT000006072026&idArticle=LEGIARTI000020860774&dateTexte=&categorieLien=cid

Article L.133-19 of the Monetary and Financial Code (below) states in paragraph IV: “The payer bears all losses caused by unauthorized payment transactions if these losses result from fraudulent conduct on his part or if he did not intentionally or grossly negligently satisfy the obligations referred to in Articles L.133-16 and L.133-17 of the Monetary and Financial Code.”

https://www.legifrance.gouv.fr/affichCodeArticle.do?idArticle=LEGIARTI000020861589&cidTexte=LEGITEXT000006072026

The judgment of the Court of Cassation of 25 October 2017 and that of 28 March 2018 form a case law on the liability of the Internet user victim of phishing by telephone via identity theft and/or via a fake website and/or a fake email.

The judgment of October 25, 2017, (cases of 25.10.17, No. 16-11 644)

https://www.legifrance.gouv.fr/affichJuriJudi.do?idTexte=JURITEXT000035925298&fastReqId=1348908414&fastPos=5&oldAction=rechJuriJudi

Monde.fr press article: http://sosconso.blog.lemonde.fr/2017/10/26/elle-avoue-a-sa-banque-avoir-ete-victime-de-phishing

The judgment of March 28, 2018, (cases. of 28.3.18, No. 16-20 018)

https://www.legifrance.gouv.fr/affichJuriJudi.do?oldAction=rechJuriJudi&idTexte=JURITEXT000036780076&fastReqId=1780826332&fastPos=1

The cassation courts reinforce the obligation of caution of Internet users in the face of phishing attacks that can be telephone, via SMS or e-mail, relating to the use of its bank cards or confidential codes.

  • The March 28, 2018 ruling deepens the liability framework for the Internet user by stating that the failure, by gross negligence, to take any reasonable measures to preserve the safety of its personalised security devices.
  • The user of a payment service who discloses the personal data of this security device in response to an email that contains clues allowing a normally attentive user to doubt its provenance is held solely responsible
  • The bank is not required to inform its customers of the risks of phishing.

How do cybercriminals circumvent 3D Secure code authentication?

Step  1:    The cybercriminal must obtain from his next victim the identifiers and passwords of his phone operator.

What for? To enable the cybercriminal to set up telephone referrals of messages received in particular from his bank. It’s easier than stealing the phone. Hence the importance of regularly changing your passwords from your operator’s account. This point becomes more and more crucial since the smartphone is a mobile payment and/or access control terminal.

Step2:    The cybercriminal must now obtain all the information from the bank card. Several possibilities; or phishing by email, SMS, blackmail, phone by impersonation by an agent of the operator. The victim overconfidence gives him his information. She is not aware that the 3D Secure will also be sent to cybercriminals.

The cybercriminal only has to make the payment that he can validate himself instead of the victim.

The victim informed at the same time as the cybercriminal that there is a request to validate a purchase via his bank card thinks, since she has not validated the payment, that she is safe. She can object to her credit card. Only it’s already too late. The payment is irrevocable and the bank’s liability is cleared. This is the judgment of October 25, 2017.

In another case, the theft of the smartphone with the bank card may have the same result. In the same way when you pay physically with your bank card where you can see in clear the CCV or CVC composed of 3 to 4 digits used for payments on the internet.

It is advisable to use   Freemindtronic  Andorra  EviAlpha technologies for personal use and  EviToken  or  EviCypher  for professional use that allow, after you have physically removed the CCV or CVC code, to make payments on the internet safely. In case of bank card theft, the cybercriminal does not physically have access to the CCV or CVC, the protection with Fullsecure solutions is immediate. This solution is not dependent on the time factor associated with reporting loss or theft for use on the internet. In addition, this solution is capable of managing multiple bank cards and is compatible with any type of bank card internationally, at no additional cost or financial commitment.

There are CCVs or CVCs that change dynamically several times a day. A new security that has an additional annual cost. Used for physical payments, the CCV or CVC is visible. The cybercriminal has only a very short interval of time to rob his victims before the automatic change of the CCV or CVC. In case of theft of this type of bank card, the time depends on the time and date of the declaration of the theft as for other bank cards.

Sim swapping: What does the Monetary and Financial Code say about Secure?sim swapping 3D codes

According to Article L133-23 of the Monetary and Financial Code, it is up to the bank to provide proof of the registration of this type of authentication which makes it possible to presume that the payment has been validated by the rightful holder. Failing that, according to Article L133-18, the transaction is deemed “unauthorized”, the bank is obliged to repay.

The 3D Secure code was developed by Visa and MasterCard to combat the risks of Internet fraud. This code is therefore sent by visa or Master Card’s digital services and is not known to the user until it is received. In fact, it cannot communicate it to a cybercriminal unless the latter has stolen the smartphone, managed to make a copy of the SIM and the most common access to the customer’s accounts of the telephone operator to make a call return to obtain the 3D Secure Code.

What is vishing?

Vishing is a form of phishing that uses the phone as a means of deceiving victims. The term comes from the combination of “voice” and “phishing”. Vishing involves calling victims and pretending to be a trusted person or organization, such as a bank, a public service or a phone operator, and asking them for personal, financial or confidential information. For example, a scammer may claim that the victim’s bank card has been compromised and ask them to confirm their card number and PIN. Vishing can also be used to persuade victims to make fraudulent payments or to download malicious software on their phone.

Vishing is a growing threat, as it exploits the trust that people have in the phone and their lack of vigilance against unsolicited calls. Moreover, scammers use sophisticated techniques to make their calls more credible, such as spoofing, which consists of falsifying the phone number displayed on the recipient’s screen. To protect themselves from vishing, it is important to never disclose personal or financial information over the phone, to verify the identity of the caller by calling back the official number of the organization they claim to represent, and to report any suspicious call to the relevant authorities.

How phishing detection ?

The Internet user must become an expert in phishing detection and typosquatting in the face of the ingenuity of cybercriminals.

According to the case law, the Internet user must carry out a “watchful examination of the correspondent’s changing internet addresses or certain clues, such as misspellings…   which should provide clues  “of a sufficient nature to appeal to the Internetuser.”

However, the criteria adopted by the case law since 2015 are already obsolete because of the quality of counterfeiting of websites in perpetual increase, but not only.

Indeed, the only test to detect a“changing address”has become complex for #cybervictimes. These ingenious cyber criminals find many solutions to deceive their vigilance, especially by the use of special characters in the domain name.

Jurisprudential obsolescence in the face of the evolution of phishing by Unicode

Cyber criminals use special characters similar to the Latin alphabet, theunicode E100. They have more than 26 characters at their disposal  (Ḁ ḁ Ḃ ḃ Ḅ Ḇ ḇ Ḉ ḉ Ḋ ḋ ‘Ḏ ḏ Ḑ ḑ Ḓ ḓ Ḕ’, ‘Ḏ ḏ Ḑ ḑ Ḓ ḓ Ḕ’,  ‘Ṟ’, ṟ, ‘, ‘ Ṯ’, ṯ, Ṱ, ṱ’. All they have to do is buy a domain name similar to the original, and replace one of the characters with a unicode character, as similar as possible, with for example a dot below the character.

For example, we will use the websites of telephone operators and banks, just by replacing the letter “r” with“O”it can give this “f-ee.fr”orby replacing “b” with “ḅ” “ḅouyguestelecom.fr” or “ḅanquepopulaire.fr”.

A perverse new game that would be imposed by the jurisprudence that involves the Cyber-Victim to detect the hidden difference in the URL (address).

Are cyber criminals responding to my request? Indeed I had suggested to them in order to help the #cybervictimes to change their modus operandi to help them in the face of jurisprudence. “Please  don’t make any more spelling mistakes, and if it’s not grammatically correct, make sure that the simple review of the changing address is not obvious on the exam  alone.”

With the fake URL and once the counterfeit site is identical to the original, the trap is activated to capture future #cybervictimes.

Smishing (SMS Phishing)

A cybercriminal sends you an SMS (i.e. a text message) asking you to click on a link. If you click on the link in the message, you will be redirected to a fake website asking you to provide your information in a phishing form.

The cybercriminal attempts to obtain your sensitive information through a text message (i.e. SMS). They will ask you to provide personal information such as a social security number, credit card or health insurance information. He claims that you must give this information or something bad will happen to you (e.g. your electricity is cut off, your credit card is blocked or your online account is terminated). To learn more about Smishing, click HERE.

Typosquatting another form of phishing

Almost identical to phishing, fake site, fake URL, with the big difference that the cybercriminal bets on the typos of #cybervictimes when the user informs the internet address. Examples include “fri.fr” without (ee) or “bouyguetelecom.fr” without (s) or “banque-populaire.fr” with the addition of a hyphen or “free.com” by changing the extension (.fr).

A new playground for cyber criminals, a fake address bar on Android phones that use the Chrome browser.

Google Chrome on Android smartphone only shows the title of the site visited rather than displaying the full address bar with the URL. A new feature for user comfort to make more room for content to be played. This allows the cybercriminal to pass a phishing page as a legitimate web page.

Spoofing over domain name extension makes many cyber victims, especially for domains in .com. The cybercriminal buys a .co domain name with a name identical to that of a known site, an example “www.amazon.co”. The cyber victim receives an email that appears to be from the original site. She is invited to log in via a link to the “www.amazon.co” mirror site. She’s not going to be careful that she’s not on the original site with a .co extension instead of .com. It is therefore with confidence that the cyber victim will enter personal information, especially his login ID and password.

How will the case law evolve to determine the threshold that will qualify the Cyber victim as “negligent”?

Natural protection against phishing and typosquatting

There is a barrier to phishing when the domain name extension is proprietary. This is the case, for example, of the extension of the BNP Paribas bank with its own extension “.bnpparibas” of the website “www.mabanque.bnpparibas”. In this case, it is a cost of around $185,000 and a binding procedure to obtain fromICANN  its custom domain name extension that establishes a natural barrier against this type of attack. However, users of these sites still need to be informed of this distinction. Otherwise, the case law is unequivocal and will be imposed on cyber-victims. Indeed, it is difficult to explain that they did not see the different extension.

Learn more about custom extension

https://www.prodomaines.com/extension-personnalisee

Is the overall level of computing so linear among Internet users that they are all able to carry out such a review?

I doubt it very much.

In the same way, to think that only insiders are safe from phishing seems to me a very risky shortcut.

It is becoming more and more difficult for the Internet user to differentiate between the true and the false.

Shouldn’t case law or a revision of the law take into account the quality of the forger as for the currency, to exonerate the responsibility of the victim?

Instant transfer payment, a new eldorado of cybercriminals?!

What will cybercriminals imagine to create new victims following the new implementation initiated by the ECB with the instant transfer payment system, in less than 10 seconds, irrevocably, achievable with a simple telephone number?

How does it work? (Source the tribune)

It is a transfer in euros that is initiated from the website of his bank or his mobile banking application by choosing the instant mode. Simply enter the IBAN or, less tedious, its mobile phone number (converted to IBAN by the bank), or even scan a QR code to send the money. The account is credited in less than 10 seconds and payment confirmation is sent by SMS within 20 seconds. The transfer is irrevocable. The service is usable 24 hours a day, 365 days a year. A ceiling of 15,000 euros has been decided at European level (the Netherlands has abolished it).

I predict an increase in cybercrime on this new SEPA Express system, if the security system is not equal to or greater than that of bank cards!

Innovation goes further and further to allow the machine to gradually substitute for human physical consent since currents of thought believe that man is more failing than the machine.

To this day, we cannot assign a machine to court. In fact, no one is safe from being between the hammer and the anvil.

‘Ransomhack’: blackmail to non-compliance RGPD

Cyber criminals also use phishing to steal private data, known asransomhack. Taken hostage, this data is being blackmailed by using the new European regulations (RGPD) to put pressure on victims. The goal is to get the ransom faster. It is enough to threaten the victim to make public the data if the ransom is not paid, weighing the risk of strong criminal and civil penalties incurred in the event of non-reporting to the CNIL of the theft of data.

Once again the technique of hammer and anvil becomes a formidable weapon in the face of the fear of double punishment, victim and criminally and civilly litigant.

The phishing technique is no longer the preserve of cyber criminals: it may be more or less legal!

It is difficult to establish statistics, as victims do not file complaints. It is very likely that many of you will recognize yourself in this situation.

What for?

Despite the new provisions imposed by the RGDP, online sites selling goods and/or services have found a way to obtain their customers’ bank card information. However, there is no reason for the client to provide this type of information.

Only here, it takes on a legal appearance, to get this valuable information from bank cards. In principle, legally you have the right to request their removal.

Now that we’re done with the theory, let’s move on to practice

As we have seen before, giving the information of bank cards is under the full responsibility of the Internet user.

Similarly, it is common knowledge that cyber criminals regularly steal private data, including bank cards from the databases of merchant sites.

According to the principle of prudence established by the Court of Cassation, could it not be taken up against the victim? Could the Court not consider that there is no need to inform the Internet user that there is a risk that his credit card information will be derogating? That he is in fact the only one responsible for the information he transmits!

Why do online sales sites need this credit card information? What do they really do with it?

I believe that in terms of the RGPD, you would be entitled to ask the question.

There are many good reasons that will be invoked, but these are not for the customer but for the service provider, especially when the service provider has a recurring payment system in place.

This credit card information becomes valuable for the quality of the outstanding accountable or EENE. If you want to know more(https://comptabilite.ooreka.fr/astuce/voir/609429/effet-escompte-non-echu).

What to remember: The expected effect is passed on to another creditor or bank. The higher the quality of the debt, the less expensive the cost of the discount. Even if rates are low, it is a gain.

Another interest is the forgetting and withdrawal of small sums that often go under the radar of customers. Agreements are established that provide for automatic renewal and anniversary dates with a minimum period of time to report the contract.

New: drown the fish under the guise of updates to the terms and conditions of sale! The service contract for which you consented is unilaterally amended. The trick is the criterion of trust. You are made to accept new conditions that cancel the previous ones.

Let us go even further in the violation of the rules of law.

If you cannot be accepted for a new document, a principle of law that does not exist in contractual matters is used. Just as a contract cannot be changed unilaterally, either by adhesion or synallagmatically, without the consent of the co-contractor.

Silence is not worth acceptance!

However, many service companies send you emails informing you that if you do not respond within a certain period of time, the contract will be considered accepted. If you refuse, you lose the service for which the provider had committed. However, the commitment may also include back-doors such as the subject of an update of general terms of sale.

The hammer and anvil method is activated!

This is a form of blackmail that is illegal, done digitally but does not rank in cyber crimes.

What for?

A beginning of response trail, because they act overdrawn and they are legally registered in corporate registers but not cyber criminals in principle.

The deterrent force of a recourse by the Internet user!

They also have a master asset, the cost of a civil or criminal action procedure in relation to the small amounts involved. The cost of obtaining a court order, such as legal fees, legal fees, time spent and the uncertainty of obtaining redress, is enough to make any desire for prosecution give up.

Even if the civil and/or criminal dol can be qualified, no one will ever know that you are also the victim of phishing by deception of the co-contractor to obtain the information of bank cards or private data.

However, when you show the teeth against cybercriminals, they trade without resisting too much. It will also depend on who you are in the fuse position. Ane  against measure of the Internet user. This will also depend on the caller in the fuse position.

The balance of power through blackmail can be balanced. The risk of bad publicity on social networks, the CNIL Pro  or  Private,can have morecostly consequences than the sums incurred. In the same way if the Internet user has insurance that pays for legal and procedural costs. In this hypothesis the blackmail is reversed by the Internet user. The latter is no longer between the hammer and the anvil.

In the end, the amicable arrangement is better than a long trial. As a result, the risk of bad publicity on social networkscan have  more costly consequences than the sums incurred. In this case, this form of threat may allow the Internet user to no longer be between the hammer and the anvil.

What are the current trends of phishing?

Phishing is a constantly evolving phenomenon, which adapts to new technologies and new behaviors of internet users. According to the statistics provided by https://www.phishing.org/phishing-statistics/ or https://www.kaspersky.com/resource-center/threats/phishing-statistics-report, phishing increased significantly in 2020 and 2021, especially because of the Covid-19 pandemic that favored remote work and online shopping. Phishing accounts for about 80% of cyberattacks and affects both individuals and businesses.

Moreover, phishing diversifies and takes new forms, such as vishing, smishing or spear phishing. Vishing is a form of phishing that uses phone calls to trick victims. Smishing is a form of phishing that uses SMS or instant messages. Spear phishing is a form of phishing that targets specific individuals or organizations using personalized information. These new forms of phishing are harder to detect and prevent, as they exploit the trust and emotion of victims.

To conclude, phishing is a major risk for the security of internet users and organizations, which requires vigilance and prevention. By following the tips that I gave you in this article, you can protect yourself from phishing and reduce the chances of being a victim.

You want to know more about the deception of the co-contractor from a legal point of view.

https://www.superprof.fr/ressources/droit/droit-general/droit-des-obligations/faute-et-nullite-du-contrat.html

Having the freedom not to give credit card information outside of a single transaction and under the exclusive control and consent of the payer, should not be a right to defend. Freemindtronic technologies  such as  EviToken  or  EviCypher  with web browser extensions protect bank card information and counter phishing attacks. It is above all a tool to exercise this right to no longer give his credit card information on the internet to be saved.

To learn more about our credit card protection solutions, you can read the following articles on Linkedin:

Why are Freemindtronic’s #NFC Offline electronic safes already in compliance with the decree that will come into effect on 01/01/19?

https://www.linkedin.com/pulse/pourquoi-les-coffres-forts-%C3%A9lectroniques-nfc-offline-de-gascuel/

A new cloud-free individual security service with anti-phishing to protect all types of bank cards from start to finish

https://www.linkedin.com/pulse/un-nouveau-service-de-s%C3%A9curit%C3%A9-individual-without-cloud-with-gascuel/

https://www.linkedin.com/pulse/victimes-dhame%C3%A7onnage-impunity%C3%A9-of-cybercriminals-jacques-gascuel/