A Review of the Best News of the Week on Identity Management & Web Fraud

Facebook Says 87m Users Affected (Infosecurity Magazine, Apr 05 2018)
Social network on charm offensive with new privacy features

Facebook and Twitter may be forced to identify bots (Naked Security – Sophos, Apr 05 2018)
If passed, the bill would give platforms 72 hours to investigate reports of bots seeking to mislead Californians and to remove or disclose them.

Tax-themed email campaigns steal credentials and spread banking Trojans, RATs, and ransomware (Proofpoint, Mar 28 2018)
While many of these campaigns have been fairly indiscriminate in their targeting, some were also much more narrowly targeted at organizations in verticals such as Legal, Accounting, and others with a particular interest in tax returns and related communications.

Jaywalkers to be named, shamed and fined thanks to facial recognition (Naked Security – Sophos, Mar 29 2018)
South China Morning Post says that an AI firm based in Shenzhen, Intellifusion, that already provides technology to the city’s police is now in talks with local mobile phone carriers and social media platforms such as WeChat and Sina Weibo to develop the instantaneous texted-fine system.

Airbnb China announces it will share user data with government (SC Magazine, Mar 30 2018)
Airbnb is notifying its users in China that the company will share guests' information with authorities to comply with national laws and regulations.

Unlocking iPhones with Dead People’s Fingerprints (Schneier on Security, Mar 30 2018)
It’s routine for US police to unlock iPhones with the fingerprints of dead people. It seems only to work with recently dead people….

How I Fell for an Academic Vanity Honeypot Hacking Scheme (Wired, Apr 03 2018)
How a hacker weaponized flattery and took over our writer’s Twitter account.

Why you might want to tell Facebook you now live in Europe (Graham Cluley, Apr 04 2018)
But if you live in, say, the United States, China, India, or anywhere else in the world, Zuckerberg is not prepared to promise you’ll have the same privacy guarantees.

A 200-Year-Old Idea Offers a New Way to Trace Stolen Bitcoins (Wired, Apr 05 2018)
Based on a legal precedent from an 1816 British court decision, they posit that the first coin that leaves a Bitcoin address should be considered the same coin as the first one that went into it, carrying with it all of that coin’s criminal history. And if that coin was once stolen from someone, he or she may be allowed to claim it back even after it has passed through multiple addresses.

Why the Path Towards Zero Trust Starts with Next-Gen Access (Centrify, Apr 05 2018)
When it comes to developing the necessary blueprint on how to implement Zero Trust Security in their own organizations, many security practitioners are struggling. The biggest question is where to start.

Know Identity Conference Wrap-up: Decentralized Identity Summit (Gluu | Blog, Mar 30 2018)
As to be expected these days, there was quite a lot of chatter about blockchain and decentralized identity in various forms.

Football team pays $2.5 million to criminals in transfer fee scam (Naked Security – Sophos, Mar 29 2018)
According to reports, Italian football club Lazio just paid a transfer fee of $2.5m to scammers instead of the proper recipients.

Equifax sent erroneous letters to breach victims (SC Magazine, Apr 02 2018)
During the aftermath of the massive data breach which compromised the data of nearly 150 million consumers, Equifax notified some people using inaccurate letters.

20 Arrested in Italy and Romania for Spear Phishing Scam (SecurityWeek, Mar 30 2018)
Authorities this week arrested 20 individuals in Italy and Romania for their role in a banking phishing scam that defrauded bank customers of €1 million ($1.23 million).

Using biometrics to protect crypto currency (Help Net Security, Apr 03 2018)
Passwords and physical tokens are already being used by many organizations at great cost because of password churn, distribution of physical devices, and recovery, but biometrics are a relative newcomer that adds new benefits. These benefits include identity verification, biometric signatures, and non-repudiation.

One-Third of Internal User Accounts Are ‘Ghost Users’ (Dark Reading, Apr 04 2018)
Attackers and malware can easily move laterally through an organization, thanks to inadequate access controls on filesystems and a proliferation of inactive but enabled users.

The “Ronald Reagan” Attack Allows Hackers to Bypass Gmail’s Anti-phishing Security (Cloud Security Alliance Blog, Apr 02 2018)
At the core of the attack is the fact that when Gmail's anti-phishing layer scans the email for impersonation and performs an SPF check, it looks at one "sender" field in the email header, but the sender name presented to the human recipient of the email in the Gmail web interface is taken from another field in the email header.

Adopting a continuous KYC mentality (CSO Online, Mar 30 2018)
KYC must be an ongoing process that begins when they sign up for an online account, through the onboarding process, and continues throughout the course of the entire customer relationship.

Mobile devices and PSD2: a checklist for security compliance (Gemalto blog, Apr 05 2018)
The Regulatory Technical Standards (RTS) – which define how PSD2 is to be implemented – do indeed accept the use of mobile devices without requiring hardware companions, so long as the RTS security principles are fulfilled.

Security Report Finds Phishing, Not Zero-Days, Is the Top Malware Infection Vector (The Duo Blog, Mar 29 2018)
The latest Internet Security Threat Report (ISTR) from Symantec covers the past year in review when it comes to financial and banking security trends, the most common malware infection vectors, mobile malware and ransomware trends and much more.