A Review of the Best News of the Week on Identity Management & Web Fraud

Browser stored personal information there for the taking (SC Magazine, Mar 06 2018)
Researchers have found that browsers like Chrome and Firefox store a great deal of visitor information, much of which can be easily discovered and taken by cybercriminals.

What Is Your Bank’s Security Banking On? (Krebs on Security, Mar 06 2018)
A large number of banks, credit unions and other financial institutions just pushed customers onto new e-banking platforms that asked them to reset their account passwords by entering a username plus some other static identifier — such as the first six digits of their Social Security number (SSN), or a mix of partial SSN, date of birth and surname. Here’s a closer look at what may be going on (spoiler: small, regional banks and credit unions have grown far too reliant on the whims of just a few major online banking platform providers).

How Dutch Police Took Over Hansa, a Top Dark Web Market (Wired, Mar 08 2018)
Dutch police detail for the first time how they secretly hijacked Hansa, Europe’s most popular dark web market.

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

#GartnerIAM: Common Privilege Pitfalls Are Easily Overcome (Infosecurity Magazine, Mar 05 2018)
The four most common pitfalls of privileged access management (PAM) fall upon two trends – how to provision for remote access and how to manage credentials for privileged accounts.

Financial Cyber Threat Sharing Group Phished (Krebs on Security, Mar 01 2018)
The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, said today that a successful phishing attack on one of its employees was used to launch additional phishing attacks against FS-ISAC members.

‘We know all about you’ – MoviePass CEO admits to tracking users (Naked Security – Sophos, Mar 07 2018)
Last week, at an Entertainment Finance Forum session titled, appropriately enough, “Data is the New Oil: How Will MoviePass Monetize It?”, MoviePass CEO Mitch Lowe unabashedly enthused over how the company now uses – or can use, a company spokesman emphasized in the media outfall that followed – subscribers’ data.

How Guccifer 2.0 Got ‘Punk’d’ by a Security Researcher (Dark Reading, Mar 08 2018)
Security expert and former Illinois state senate candidate John Bambenek details his two months of online interaction with the ‘unsupervised cutout’ who shared with him more stolen DCCC documents.

Inside RSA’s state-of-the-art fraud intelligence command center (CSO Online, Mar 08 2018)
RSA’s Anti-Fraud Command Center helps financial services firms stay a step ahead of fraudsters and criminals. The ultimate goal: Someday make it not worth their effort to even try.

RSAC 2018 – Year of the User: Designing Effective Security UX & Software Security Maturity (The Duo Blog, Mar 08 2018)
What’s going to be in the word cloud this year? We were hearing (and leading) more discussions around the BeyondCorp security model last February, and there will doubtless be greater attention on it this April, as organizations try to solve the problem of the “crunchy outside and soft, gooey inside.”

Chrome’s WebUSB Feature Leaves Some Yubikeys Vulnerable to Attack (Wired, Mar 01 2018)
While still the best protection against phishing attacks, some Yubikey models are vulnerable after a recent update to Google Chrome.

Thinking about identity management for the RSA Security Conference (CSO Online, Mar 02 2018)
Password elimination, software-defined perimeter, and the need for security to “own” identity should be highlighted at the RSA Conference.

NY DFS, NIST and NAIC align on multi-factor authentication in financial services (CSO Online, Feb 28 2018)
In sum, MFA must be used when accessing internal networks from an external network, unless the CISO has provided written approval to use reasonably equivalent, or more secure, access controls.

Biohacking your body can be really painful… and not hugely useful (Graham Cluley, Mar 04 2018)
Turns out that the outcome of hacking your body by implanting technology is not necessarily all positive.

Google gets sued for denying “right to be forgotten” request (SC Magazine, Mar 05 2018)
A businessman, whose “right to be forgotten” request was denied by Google to “defend the public’s right to access lawful information”, has filed a lawsuit in the high court in a bid to make Google remove references to his criminal past.

Apple issues advice on how to spot App Store and iTunes phishing scams (Graham Cluley, Mar 02 2018)
Typical examples include emails that ask you to update your account information, or pretend to be a receipt for a purchase from the App Store, iTunes Store, iBooks Store or Apple Music.

Intelligo is using AI to make background checks relevant again (TechCrunch, Mar 06 2018)
Intelligo is an Israeli company trying to make background checks relevant again by using AI and machine learning to not only speed up and automate the process, but also run more thorough checks.

Inside China’s creepy ‘social credit’ system that analyses internet shopping and social media use in order to blacklist ‘lazy’ or wasteful citizens and allow those who behave well to borrow money (The Sun, Mar 06 2018)
While the social credit scheme will become mandatory in China in 2020, it is currently being tested in pilot schemes which have been rolled out through private financial companies. The most high profile of these is Sesame Credit which has been developed by Ant Financial and uses computer algorithms to score people from 350 to 950, reports The Guardian.

Killing Social Security Numbers Will Make Identity Problems Worse (ID.me Blog, Mar 06 2018)
What if two John Smith’s are born on the same day and one joins the military while the other goes to jail as a sex offender? What if two John Smith’s are born on the same day and one goes on to build excellent credit by paying all of his debt on time while the other John Smith has gone bankrupt multiple times?

Most top US higher ed institutions fail to protect students from phishing (Help Net Security, Mar 07 2018)
88.8 percent of the root domains operated by top colleges and universities in the United States are putting their students, staff and other recipients at risk for phishing attacks that spoof the institution’s domain, according to 250ok.

Dark Web Experts: ID Fraudsters Unaffected by Police Efforts (Infosecurity Magazine, Mar 07 2018)
AlphaBay/Hansa takedown has forced scammers to be more creative, says Terbium Labs