A Review of the Best News of the Week on Identity Management & Web Fraud

New EU Privacy Law May Weaken Security (Krebs on Security, Feb 15 2018)
…many security experts are worried that the changes being ushered in by the rush to adhere to the law may make it more difficult to track down cybercriminals and less likely that organizations will be willing to share data about new online threats. On May 25, 2018, the General Data Protection Regulation (GDPR) takes effect.

IRS Reports Steep Decline in Tax-Related ID Theft (Dark Reading, Feb 15 2018)
Research group Javelin confirms that the numbers are trending in the right direction, with total fraud losses dropping more than 14% to $783 million.

Facebook Turned Its Two-Factor Security ‘Feature’ Into the Worst Kind of Spam (Gizmodo, Feb 15 2018)
Fortunately, you can opt out of Facebook’s endless texts. In your account, navigate to “Settings” and then “Notifications.” If you’re using two-factor authentication, text notifications will be on by default, but you can toggle them off.

Money Laundering Via Author Impersonation on Amazon? (Krebs on Security, Feb 20 2018)
Patrick Reames had no idea why Amazon.com sent him a 1099 form saying he’d made almost $24,000 selling books via Createspace, the company’s on-demand publishing arm. That is, until he searched the site for his name and discovered someone has been using it to peddle a $555 book that’s full of nothing but gibberish.

NIST Proposes Metadata Schema for Evaluating Federated Attributes (SecurityWeek, Feb 20 2018)
Verifying identities (entities) is one problem. Managing the authorized transactions available to that verified entity is a separate problem. As industry and government increasingly move online, both the complexity and criticality of different possible cross-domain transactions increase. A single verified entity may be authorized for some transactions, but not others.

I’ve Just Launched “Pwned Passwords” V2 With Half a Billion Passwords for Download (Troy Hunt, Feb 21 2018)
Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems.
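As an added worked example (not code from Troy Hunt's post or from Have I Been Pwned), the block below shows how an organisation could screen candidate passwords against the downloadable list. It assumes the V2 download format of one uppercase SHA-1 hash, a colon and a prevalence count per line, and the k-anonymity range lookup that V2 introduced, where a client sends only the first five hex characters of the hash and matches the returned "SUFFIX:count" lines locally; the two-entry sample list and its counts are constructed for the example, and the function names are my own.

```python
"""Screen passwords against a Pwned Passwords style list (added example).

Assumed download format, one record per line: <uppercase SHA-1 hex>:<count>.
Assumed range-query response: "<35-char suffix>:<count>" lines for a prefix.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key used by the list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a downloaded list; the counts are made up.
SAMPLE_LIST = (
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003\n"  # sha1("password")
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:3533661\n"  # sha1("123456")
)


def load_pwned_list(text: str) -> dict:
    """Parse 'HASH:count' lines into a dict keyed by uppercase hash."""
    index = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # tolerate blank lines in the download
        digest, count = line.split(":", 1)
        index[digest.upper()] = int(count)
    return index


def pwned_count(password: str, index: dict) -> int:
    """Full local lookup: how often the password appeared in breaches (0 if never)."""
    return index.get(sha1_hex(password), 0)


def range_parts(password: str) -> tuple:
    """Client side of the k-anonymity query: 5-char prefix sent, 35-char suffix kept."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_lookup(index: dict, prefix: str) -> str:
    """Server side: every 'SUFFIX:count' line whose hash starts with the prefix."""
    prefix = prefix.upper()
    return "\n".join(
        f"{digest[5:]}:{count}"
        for digest, count in sorted(index.items())
        if digest.startswith(prefix)
    )


def count_from_range_response(suffix: str, response: str) -> int:
    """Client side: match the kept suffix against the returned range."""
    for line in response.splitlines():
        candidate, count = line.split(":", 1)
        if candidate == suffix.upper():
            return int(count)
    return 0


def is_acceptable(password: str, index: dict, max_seen: int = 0) -> bool:
    """Policy hook: reject any password seen more than max_seen times."""
    return pwned_count(password, index) <= max_seen


if __name__ == "__main__":
    idx = load_pwned_list(SAMPLE_LIST)
    for pw in ("password", "123456", "correct horse battery staple"):
        prefix, suffix = range_parts(pw)
        seen = count_from_range_response(suffix, range_lookup(idx, prefix))
        print(f"{pw!r}: prefix={prefix} seen={seen} acceptable={is_acceptable(pw, idx)}")
```

The full-list lookup and the range lookup return the same count; the difference is that the range path never sends the whole hash off the client, which is what makes it safe to query a remote copy of the list at registration or password-change time.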

People Are Actually Using a Joke Dating Site That Matches People Based on Their Passwords (Motherboard, Feb 22 2018)
This website answers the question no one ever asked: what if you dated someone who used the same password?

Savers Call for Action on Pension Clone Fraud (Infosecurity Magazine, Feb 20 2018)
Fraudsters tricked UK consumers out of £200m last year.

How a Bitcoin phishing gang made $50 million with the help of Google AdWords (Graham Cluley, Feb 15 2018)
A cybercrime gang based in Ukraine is estimated to have made as much as $50 million after tricking Bitcoin investors into handing over the login credentials for their online wallets.

Facebook’s Onavo Protect VPN Offers Less Privacy Protection Than Other Apps (Wired, Feb 15 2018)
This week reports have percolated that Facebook is testing a new menu item, called “Protect,” in its iOS app. The feature sports a blue shield icon, and tapping it redirects you to the App Store listing for Facebook-owned VPN app Onavo Protect. But while Onavo does claim to offer some tools that make the web safer, in practice it falls far short of the privacy protections that VPN users reasonably expect.

Apple’s Move to Bring Health Care Records to the iPhone Is Great News (Wired, Feb 19 2018)
The company’s decision to include an open API in its mobile phone OS has great promise for electronic health records.

Facebook told to stop tracking users that aren’t logged in (Naked Security – Sophos, Feb 20 2018)
If Facebook doesn’t stop tracking users across the web, it could face a fine of €250,000 ($315,000) per day, says Belgian court.

Macro-Based Multi-Stage Attack Delivers Password Stealer (SecurityWeek, Feb 19 2018)
A malicious attack uses a multi-stage infection to deploy malware that is capable of stealing passwords from various applications on a victim’s computer, Trustwave reports.

Facebook Will Verify the Physical Location of Ad Buyers with Paper Postcards (Schneier on Security, Feb 20 2018)
The process of using postcards containing a specific code will be required for advertising that mentions a specific candidate running for a federal office, Katie Harbath, Facebook’s global director of policy programs, said. The requirement will not apply to issue-based political ads, she said.

How Artificial Intelligence Will Define Cyber Security Over The Coming Years (Business Computing World, Feb 20 2018)
One particular challenge is where credentials are shared with the wrong people. That might be a user sharing logins with a colleague or with an external actor. In the first instance a user may want one-time access to a system or has forgotten their password and requests access via a colleague’s account, for non-malicious reasons…

New email scam targeting accounts personnel at Fortune 500 companies (SC Magazine, Feb 21 2018)
Criminals impersonate legitimate email accounts to initiate wire transfer fraud. Security researchers have uncovered an active Business Email Compromise (BEC) campaign targeting Accounts Payable personnel at Fortune 500 companies.

Survey shows sloppy password habits among young Brits (WeLiveSecurity, Feb 22 2018)
A total of 27% of Brits of all ages – including over 52% of youths aged 18-25 – reuse their email password for a number of other online accounts, according to a study conducted by the United Kingdom government’s ‘Cyber Aware’ campaign together with Experian.

The borg ate my login (CSO Online, Feb 20 2018)
A large part of all login traffic is malicious and much of the bot traffic we see every day is either questionable or downright evil. If you’re a hospitality site, the vast majority – 82 percent – of the logins you see are likely account takeover attempts!

Making Sense of the Technologies Behind Online Identity Verification (Jumio, Feb 15 2018)
So, pick your poison—higher levels of fraud detection with lower conversion rates or opt for higher conversion rates with lower levels of fraud detection/assurance.

Machine Learning Techniques for Fraud Analytics, Part 2 (ThreatMetrix, Feb 20 2018)
Third-party fraud occurs when your customer is an unsuspecting victim of a fraudster who takes over the account. This is far more challenging from a machine learning perspective because the bad definition is not static. Fraudsters adapt. In fact, they are expert game theorists who will continually test and eventually learn to identify new weaknesses in a bank’s defenses.