Connect with us

Gadgets

Apple introduces its own credit card, the Apple Card – TechCrunch

Published

on

Today, Apple announced… a credit card. The Apple Card is designed for the iPhone and will work with the Wallet app. You sign up from your iPhone and you can use it with Apple Pay in just a few minutes.

Before introducing the card, Apple CEO Tim Cook shared a few numbers about Apple Pay. This year, Apple Pay will reach 10 billion transactions. By the end of this year, Apple Pay will be available in more than 40 countries.

Retail acceptance of Apple Pay is always growing. In the U.S., 70 percent of businesses accept Apple Pay. But it’s higher in some countries — Australia is at 99 percent acceptance, for instance.

But let’s talk about the Apple Card. After signing up, you control the Apple Card from the Wallet app. When you tap on the card, you can see your last transactions, how much you owe and how much money you spent on each category.

You can tap on a transaction and see the location in a tiny Apple Maps view. Every time you make an Apple Pay transaction, you get 2 percent in cash back. You don’t have to wait until the end of the month, as your cash is credited every day. For Apple purchases, you get 3 percent back.

As previously rumored, Apple has partnered with Goldman Sachs and Mastercard to issue the card. Apple doesn’t know what you bought, where you bought it and how much you paid for it. And Goldman Sachs promises that it won’t sell your data for advertising or marketing.

When it comes to the fine print, there are no late fees, no annual fees, no international fees and no over-limit fees. If you can’t pay back your credit card balance, you can start a multi-month plan — Apple tries to clearly define the terms of the plan. You can contact customer support through text messages in the Messages app.

The Apple Card isn’t limited to a virtual card. You get a physical titanium card with a laser-etched name. There’s no card number, no CVV code, no expiration date and no signature on the card. You have to use the Wallet app to get that information. Physical transactions are eligible to 1 percent in daily cash.

When it comes to security, you’ll get a different credit card number for each of your devices. It is stored securely and you can access the PIN code using Face ID or your fingerprint. Find more details on security in our separate post.

The card will be available this summer for customers in the U.S.

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Gadgets

Feds list the top 30 most-exploited vulnerabilities. Many are years old

Published

on

Government officials in the US, UK, and Australia are urging public- and private-sector organizations to secure their networks by ensuring firewalls, VPNs, and other network-perimeter devices are patched against the most widespread exploits.

In a joint advisory published Wednesday, the US FBI and CISA (Cybersecurity and Infrastructure Security Agency), the Australian Cyber Security Center, and the UK’s National Cyber Security Center listed the top 30 or so most-exploited vulnerabilities. The vulnerabilities reside in a host of devices or software marketed by the likes of Citrix, Pulse Secure, Microsoft, and Fortinet.

“Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the advisory stated. “However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”

What, me patch?

Four of the most-targeted vulnerabilities last year resided in VPNs, cloud-based services, and other devices that allow people to remotely access employer networks. Despite the explosion in work-from-home employees driven by the COVID-19 pandemic, many VPN gateway devices remained unpatched during 2020.

Discovery dates of the top 4 vulnerabilities ranged from 2018 to 2020, an indication of how common it is for many organizations using the affected devices to withhold applying security patches. The security flaws include CVE-2019-19781, a remote code-execution bug in Citrix’s application delivery controller (which customers use to perform load balancing of inbound application traffic); CVE 2019-11510, which allows attackers to remotely read sensitive files stored by the Pulse Secure Pulse Connect Secure VPN; CVE 2018-13379, a path-traversal weakness in VPNs made by Fortinet; and CVE 2020-5902, a code-execution vulnerability in the BIG-IP advanced delivery controller made by F5.

The top 12 flaws are:

Vendor CVE Type
Citrix CVE-2019-19781 arbitrary code execution
Pulse CVE 2019-11510 arbitrary file reading
Fortinet CVE 2018-13379 path traversal
F5- Big IP CVE 2020-5902 remote code execution (RCE)
MobileIron CVE 2020-15505 RCE
Microsoft CVE-2017-11882 RCE
Atlassian CVE-2019-11580 RCE
Drupal CVE-2018-7600 RCE
Telerik CVE 2019-18935 RCE
Microsoft CVE-2019-0604 RCE
Microsoft CVE-2020-0787 elevation of privilege
Netlogon CVE-2020-1472 elevation of privilege

Breaching the gate

The vulnerabilities—all of which have received patches from vendors—have provided the opening vector from an untold number of serious intrusions. For instance, according to an advisory the US government issued in April, hackers working for the Russian government routinely exploited CVE-2018-13379, CVE-2019-11510, and CVE-2019-19781.

That same month, word emerged that a different set of hackers was also exploiting CVE-2018-13379. In one case, the hackers allowed ransomware operators to seize control of two production facilities belonging to a European manufacturer.

Wednesday’s advisory went on to say:

CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.

The officials also listed 13 vulnerabilities discovered this year that are also being exploited in large numbers. The vulnerabilities are:

  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
  • VMware: CVE-2021-21985

The advisory provides technical details for each vulnerability, mitigation guidance, and indicators of compromise to help organizations determine if they’re vulnerable or have been hacked. The advisory also provides guidance for locking down systems.

Continue Reading

Gadgets

Apple, AMD, and Intel shift priorities as chip shortages continue

Published

on

Enlarge / Sure, it’s cheaply produced clip art… but it’s also a disturbingly accurate picture of the current state of supply and demand in the semiconductor product market.

2021’s infamous chip shortages aren’t only affecting automakers. In a post-earnings conference call Tuesday, Apple CEO Tim Cook said, “We’ll do everything we can to mitigate whatever circumstances we’re dealt”—a statement that likely means the company will ration its chip supplies, prioritizing the most profitable and in-demand items such as iPhones and AirPods, at the expense of less profitable and lower-demand items.

CFRA analyst Angelo Zino told Reuters that Cook’s somewhat cryptic statement “largely reflects the timing of new product releases”—specifically, new iPhone releases in September. Counterpoint Research Director Jeff Fieldhack speculates from the flip side of the same coin, saying the company will likely direct supply chain “pain” to its least lucrative products. “Assuming Apple prioritizes the iPhone 12 family, it probably affects iPads, Macs, and older iPhones more,” Fieldhack said.

Processor manufacturer AMD has also been carefully managing its supply chain in response to pandemic-induced shortages. With flagship products that finally outperform rival Intel’s, AMD is focusing on the more profitable high end of the market while leaving the economy segment—until a few years ago, its strongest performer—to Intel. “We’re focusing on the most strategic segments of the PC market,” CEO Lisa Su told investors on a conference call.

Apple and AMD are two of semiconductor foundry TSMC’s largest customers—but the problem isn’t limited to TSMC. Intel, which operates its own foundries, acknowledges supply problems of its own. Intel CEO Pat Gelsinger told the BBC that shortages will get worse in the second half of 2021—and that it will be “a year or two” before supplies return to normal.

Gelsinger played up the importance of building new foundries, as Intel is currently doing in Arizona. But he warns that the foundries will take time to get up to speed and begin alleviating shortages—predicting “a year to two years until we’re back to some reasonable supply-demand balance.” This news arrives on the heels of a delay Intel announced this week for its forthcoming 7 nm process, now not expected until 2022.

In some ways, Intel may actually benefit long-term from the pandemic-related supply chain shortages. Although Intel is falling behind rivals AMD and Apple in both performance and power efficiency, the market can only move so far in the absence of supply.

With all vendors selling essentially every processor they can build, Intel’s long-standing ability to produce 80 percent of the world’s x86 desktop CPUs and 90 percent of x86 data center CPUs cements its place in the market—for now—despite ceding performance crowns to its rivals.

Continue Reading

Gadgets

Here’s what that Google Drive “security update” message means

Published

on

“A security update will be applied to Drive,” Google’s weird new email reads. A whole bunch of us on the Ars Technica staff got blasted with this last night. If you visit drive.google.com, you’ll also see a message saying, “On September 13, 2021, a security update will be applied to some of your files.” You can even see a list of the affected files, which have all gotten an unspecified “security update.” So what is this all about?

Google is changing the way content sharing works on Drive. Drive files have two sharing options: a single-person allow list (where you share a Google Doc with specific Google accounts) and a “get link” option (where anyone with the link can access the file). The “get link” option works the same way as unlisted YouTube videos—it’s not really private but, theoretically, not quite public, either, since the link needs to be publicized somewhere. The secret sharing links are really just security through obscurity, and it turns out the links are actually guessable.

Along with Drive, Google is also changing the way unlisted YouTube links work, and the YouTube support page actually describes this change better than Drive does:

In 2017, we rolled out an update to the system that generates new YouTube Unlisted links, which included security enhancements that make the links for your Unlisted videos even harder for someone to discover if you haven’t shared the link with them.

Google knew about the problem of guessable secret links for a while and changed the way link generation works back in 2017 (presumably for Drive, too?). Of course, that doesn’t affect links you’ve shared in the past, and soon Google is going to require your old links to change, which can break them. Google’s new link scheme adds a “resourcekey” to the end of any shared Drive links, making them harder to guess. So a link that used to look like “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/” will now look like “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w.” The resource key makes it harder to guess.

If you head to drive.google.com/drive/update-drives in a browser, you should be able to see a list of your impacted files, and if you mouse over them you’ll see a button on the right to remove or apply the security update. “Applied” means the resourcekey will be required after September 13, 2021, and will (mostly) break the old link, while “removed” means the resourcekey isn’t required and any links out there should keep working.

Google's "impacted files" interface. Feel free to add or remove that security update.

Google’s “impacted files” interface. Feel free to add or remove that security update.

YouTube already went through this process earlier in the month, with all unlisted links before 2017 going dead, unless the owners of the videos are still active on YouTube and opted out. Drive is doing this with a bit more finesse than YouTube, though. Thanks to account-based sharing, anyone who accessed your unlisted Drive links in the past will still be granted access to them, even if you upgrade the security. No new people will be able to access the old, upgraded link, though. This way, if you have a stable community that uses an unlisted file, it should mostly be able to keep on trucking. Any new members, however, will be locked out and will need to request access. If you don’t want this, at any point the owner of the file can hit the “share” button and change the settings to generate a new link or turn off the link altogether.

Not letting third parties create a list of all your unlisted files is a good thing, but don’t confuse this link change with any actual security. You should never share anything over the “unlisted” or “get link” features on YouTube, Drive, or Google Photos if you actually want it to be private. Secret links are just security through obscurity, and even with Google’s upgrades, they should not be considered secure or undiscoverable. This arrangement is totally fine for casual documents, but always assume that anyone in the world can read an “unlisted” file. If you’re OK with that, fine. But if not, use Google’s actually private account-based sharing options.

Continue Reading

Trending