A Review of the Best News of the Week on Identity Management & Web Fraud
Duo Finds SAML Vulnerabilities Affecting Multiple Implementations (Duo Blog, Feb 27 2018)
This blog post describes a new vulnerability class that affects SAML-based single sign-on (SSO) systems. This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password.
How to Fight Mobile Number Port-out Scams (Krebs on Security, Feb 28 2018)
T-Mobile, AT&T and other mobile carriers are reminding customers to take advantage of free services that can block identity thieves from easily “porting” your mobile number out to another provider, which allows crooks to intercept your calls and messages while your phone goes dark.
AT&T, Sprint, T-Mobile and Verizon unveil next-generation mobile authentication platform details (PR Newswire, Mar 01 2018)
This highly secure solution will deliver a cryptographically verified phone number and profile data for users of authorized applications with their consent. Authentication security is strengthened by processing unique attributes such as a network verified mobile number, IP address, SIM card attributes, phone number tenure, phone account type and more.
US Border Patrol Hasn’t Validated E-Passport Data For Years (Wired, Feb 22 2018)
For over a decade, US Customs and Border Protection has been unable to verify the cryptographic signatures on e-Passports, because they never installed the right software.
Visa: EMV Cards Drove 70% Decline in Fraud (Dark Reading, Feb 23 2018)
Merchants who adopted chip technology saw a sharp decline in counterfeit fraud between 2015 and 2017, Visa reports.
Apple’s China-based iCloud data center raises privacy, human rights fears (SC Magazine, Feb 26 2018)
Human rights activists are concerned that the Chinese government’s regulation requiring that Apple host its citizen’s iCloud accounts on servers in China could make it easier for that nation to track down dissenters.
I’ve Just Added 2,844 New Data Breaches With 80M Records To Have I Been Pwned (Troy Hunt, Feb 26 2018)
tl;dr – a collection of nearly 3k alleged data breaches has appeared with a bunch of data already proven legitimate from previous incidents, but also tens of millions of addresses that haven’t been seen in HIBP before. Those 80M records are now searchable…
Three years of the Right to be Forgotten (Elie Bursztein – Google, Feb 26 2018)
The “Right to be Forgotten” is a privacy ruling that enables Europeans to delist certain URLs appearing in search results related to their name. In order to illuminate the effect this ruling has on information access, we conduct a retrospective measurement study of 2.4 million URLs that were requested for delisting from Google Search over the last three and a half years.
USPS Finally Starts Notifying You by Mail If Someone is Scanning Your Snail Mail Online (Krebs on Security, Feb 26 2018)
In October 2017, KrebsOnSecurity warned that ne’er-do-wells could take advantage of a relatively new service offered by the U.S. Postal Service that provides scanned images of all incoming mail before it is slated to arrive at its destination address.
I Wanna Go Fast: Why Searching Through 500M Pwned Passwords Is So Quick (Troy Hunt, Feb 27 2018)
In the immortal words of Ricky Bobby, I wanna go fast. When I launched Pwned Passwords V2 last week, I made it fast – real fast – and I want to talk briefly here about why that was important, how I did it and then how I’ve since shaved another
Validating Leaked Passwords with k-Anonymity (Cloudflare, Feb 21 2018)
“Instead, our approach adds an additional layer of security by utilising a mathematical property known as k-Anonymity and applying it to password hashes in the form of range queries. As such, the Pwned Passwords API service never gains enough information about a non-breached password hash to be able to breach it later.”
Real-time Captcha technique improves biometric authentication (ScienceDaily, Feb 19 2018)
A new login authentication approach could improve the security of current biometric techniques that rely on video or images of users’ faces. Known as Real-Time Captcha, the technique uses a unique ‘challenge’ that’s easy for humans — but difficult for attackers who may be using machine learning and image generation software to spoof legitimate users.
FTC warning users to do homework before using VPN apps (SC Magazine, Feb 23 2018)
The FTC is warning users to read the fine print and do their homework before purchasing a VPN app.
Nuance Biometric Security Turns Your Body Into an Authentication Tool (eWEEK, Feb 28 2018)
While Beranek didn’t provide specifics, modern smartphones contain accelerometers and multi-axis electronic gyroscopes that can detect even the tiniest of movements. Each person has a characteristic way in which they hold a phone when they’re talking or otherwise using the device. An authentication system can detect the pattern of these movements as a way to tell you from someone else, even if they’re using the same phone.
Which phishing messages have a near 100% click rate? (Help Net Security, Feb 23 2018)
Two simulated phishing templates had a near 100% click rate: one that masqueraded as a database password reset alert, and another that claimed to include an updated building evacuation plan.
Half of UK Firms Hit by Cyber-Related Fraud in Past Two Years (Infosecurity Magazine, Feb 23 2018)
Nearly half of UK organizations (49%) have suffered from cyber-related fraud in the past two years, according to the latest research from PwC.
‘In Fraud We Trust’ – Cybercrime org bust shows we’re fighting pros (Naked Security – Sophos, Feb 26 2018)
The two former security officials said that the most important message for the public from the sweeping indictment is that companies aren’t just dealing with rag-tag script kiddies nowadays; rather, they’re basically up against other well-run companies…
1Password Adds Pwned Password Check (PCMag, Feb 23 2018)
1Password now allows you to check to see if a password you choose/use is present on the Pwned Passwords list. If it is, pick another because that one is not offering you the same level of security a truly unique and unbreached password will.
Mass. tax collector breach victims double original estimate (SC Magazine, Feb 23 2018)
The state revenue department now admits private data, including the names, tax identification numbers and the banking information of the payroll processors of more than 39,000 business taxpayers were compromised.
Researchers Propose Improved Private Web Browsing System (SecurityWeek, Feb 26 2018)
A group of researchers from MIT and Harvard have presented a new system designed to make private browsing even more private. Dubbed Veil, the system proposes additional protections for people who share computers with other people at the office, in hotel business centers, or university computing centers.