India Turns Every Face and Finger into a Payment Key

India will allow biometric authentication—facial recognition and fingerprints—for instant payments on its Unified Payments Interface (UPI) starting October 8, according to three anonymous sources. This leapfrogs the traditional numeric PIN and leans on Aadhaar, the government’s unique ID system housing citizens’ biometric data. It’s a pivot enabled by recent Reserve Bank of India guidelines endorsing alternative authentication methods, and it situates UPI’s operator, the National Payments Corporation of India (NPCI), at the intersection of fintech ambition and state-backed digital identity. The feature’s debut is timed to coincide with the Global Fintech Festival in Mumbai, where NPCI plans a demonstration, though it declined Reuters’ request for comment. The unnamed sources—restricted from public disclosure—underscore both the secrecy and regulatory choreography involved. This isn’t just a new feature; it’s a structural bet on India’s biometric infrastructure and its fusion with digital payments architecture, turning every fingerprint into a PIN and every face into a wallet.

More via Reuters

Airport Outage Sparks Delays as CBSA Rules Out Cyberattack

On Sept. 28th, chaos erupted in several Canadian airports as CBSA-maintained border control kiosks went down, paralyzing passenger flow at Toronto Pearson and Billy Bishop. Primary Inspection Kiosks failed nationwide, stranding travelers and stalling customs processing. A WestJet passenger reported sitting on the tarmac at Pearson for over an hour; WestJet responded that customs was at full capacity and deplaning was paused. The disruption triggered fears of a cyberattack, but CBSA denied any external interference. According to CityNews, “Meanwhile, CBSA says the outage was due to unforeseen technical problems during routine systems maintenance.” (Our money is on DNS).

The technical failure affected both traveler and commercial traffic, though systems and volumes have since returned to normal. CBSA is expected to deliver a formal report on the incident within 30 days to the Minister of Public Safety.

More via Toronto City News

Chinese Hackers Turn Open Source Monitoring Tool into Global Malware Delivery System

Chinese-linked threat actors hijacked Nezha, an open-source monitoring tool, to deploy Gh0st RAT in a targeted campaign disclosed by Huntress in August 2025. Initial access was gained via an exposed phpMyAdmin panel, whose language was set to Simplified Chinese before attackers enabled general query logging and injected a one-liner PHP web shell into the log file, renamed with a .php extension for execution.

The shell, controlled via ANTSWORD, enabled execution of whoami, privilege escalation, and deployment of the Nezha agent, which connected to external C2 server c.mid[.]al. The agent launched PowerShell to disable Microsoft Defender Antivirus via exclusions and trigger a loader-dropper chain culminating in Gh0st RAT execution. Over 100 machines were compromised, primarily in Taiwan, Japan, South Korea, and Hong Kong, with victims also in India, Malaysia, Singapore, Ireland, France, Colombia, Kenya, and others. Intriguingly, the attackers’ Nezha dashboard ran in Russian, suggesting misdirection or multi-national capabilities.

More here:  Hacker News

Guelph Woman Loses Savings in Fake Doug Ford Cryptocurrency Scam

A woman in Guelph, Ontario lost $90,000 USD after seeing a fake social media ad falsely claiming Ontario Premier Doug Ford was launching a cryptocurrency to help Canadians. Enticed, she invested $350 and was soon contacted by individuals impersonating an investment firm, urging repeated contributions. Her attempts to withdraw were blocked by demands for additional “fees.” She reported the incident to the Guelph Police Service on Wednesday (exact date not disclosed). Authorities warned that cryptocurrency scams—especially those masquerading as government-endorsed initiatives—are difficult to investigate and offer almost no chance of fund recovery. They stressed the importance of independent research before investing. The Canadian Anti-Fraud Centre (CAFC) urges all victims, including those without financial loss, to report incidents via their website or by calling 1-888-495-8501. Missing but now identified: the scam was online, investment-themed, and fee-based; the scam’s medium was social media; and the relevant reporting agency is CAFC, not just local police.

More at CP24