A Review of the Best News of the Week on Identity Management & Web Fraud

When Identity Thieves Hack Your Accountant (Krebs on Security, Apr 11 2018)
This is the story of a CPA in New Jersey whose compromise by malware led to identity theft and phony tax refund requests filed on behalf of his clients.

Facebook’s secret plan to access hospital patient records (Graham Cluley, Apr 06 2018)
Facebook wanted to gobble up data from hospitals about their most vulnerable patients, and match it up with user profiles on the world’s biggest social network.

The ‘Despacito’ YouTube Hack Was Probably Pretty Simple to Pull Off (Wired, Apr 11 2018)
The removal of YouTube’s most popular video this week was likely the result of a low-cost phishing scam rather than sophisticated hacking.

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

Secret Service Warns of Chip Card Scheme (Krebs on Security, Apr 05 2018)
In this scheme, the fraudsters intercept new debit cards in the mail and replace the chips on the cards with chips from old cards. When the unsuspecting business receives and activates the modified card, thieves can start draining funds from the account.

Twitter Bots Post Two-Thirds of Links to Popular Sites on the Platform (Wired, Apr 09 2018)
A new study from Pew Research shows that the bulk of links on Twitter don’t come from actual humans.

T-Mobile Stores Part of Customers’ Passwords In Plaintext, Says It Has ‘Amazingly Good’ Security (Motherboard, Apr 09 2018)
A T-Mobile Austria customer representative made a shocking admission in a Twitter thread.

Obscure E-Mail Vulnerability – Schneier on Security (Schneier on Security, Apr 09 2018)
Netflix doesn’t ignore dots, so those are all unique e-mail addresses and can each be used to register an account. This difference can be exploited.

FIDO2: Authenticate easily with phishing-resistant security (Help Net Security, Apr 11 2018)
The W3C has advanced Web Authentication (WebAuthn), a collaborative effort based on Web API specifications submitted by FIDO to the W3C, to the Candidate Recommendation (CR) stage.

2.6 Billion-Plus Data Records Breached Last Year (Dark Reading, Apr 11 2018)
Most exposed data records caused by human error.

SSO v SSI (Gluu, Apr 11 2018)
SSO : Single Sign-On SSI : Self Sovereign Identity   At IIW XXVI last week, there was much excitement about innovations in SSI. It’s tempting to hope that it’s the dawn of a new era, one in which people free themselves from the evil lords of federated identity. Finally, we can de-centralize! IDPs insert themselves …

GAO report recommends stronger security controls for third parties that receive Medicare beneficiary data (SC Magazine, Apr 09 2018)
The U.S. Government Accountability Office (GAO) last week publicly released a report warning that the Centers for Medicare and Medicaid Services (CMS) has failed to provide specific security controls guidance to research organizations with whom it shares Medicare beneficiary data.

Fraud fighters’ guide to handling suspicious logins (Sift Science Blog, Apr 05 2018)
Account takeover leads to a number of negative downstream effects – from financial loss to customer churn to overall brand damage. There are many things a business can do to respond to an ATO attack, but at that point, it’s already too late and you may have lost users’ trust. So what can you do to prevent unauthorized access to accounts in the first place?

Synthetic Identity Fraud: The Growing Threat and How to Stop It (ThreatMetrix, Apr 10 2018)
When validating a social security number for instance, how many businesses can determine when an identity is too “perfect”—with say, only one lifelong email address, or a lack of human randomness in its associated devices, locations, accounts and online behaviors?

Don’t Give Away Historic Details About Yourself (Krebs on Security, Apr 09 2018)
Social media sites are littered with seemingly innocuous little quizzes, games and surveys urging people to reminisce about specific topics, such as “What was your first job,” or “What was your first car?” The problem with participating in these informal surveys is that in doing so you may be inadvertently giving away the answers to “secret questions” that can be used to unlock access to a host of your online identities and accounts.

The CIAM Implications of the Facebook Cambridge Analytica Scandal (Forrester, Apr 11 2018)
It’s too early to assess the longer-term implications of Facebook’s change, but if your organization is currently using social login for B2C use cases (or planning to support it in future), this is something to monitor. It may also lead to CIAM vendors changing their road map as they prioritize other integration and authentication features over building broad social identity provider support.

How to Build a Cybersecurity Incident Response Plan (Dark Reading, Apr 05 2018)
Being hit by a cyberattack is going to be painful. But it can be less painful if you’re prepared, and these best practices can help.

How ODNS keeps your browsing habits secret (Naked Security – Sophos, Apr 10 2018)
Oblivious DNS keeps your DNS traffic private without retooling the internet

Mobile Phishing Attacks Up 85 Percent Annually (SecurityWeek, Apr 11 2018)
The rate at which users are receiving and clicking on phishing URLs on their mobile devices has increased at an average rate of 85% per year since 2011, mobile security firm Lookout reports.

How to dynamically generate GCP IAM credentials with a new HashiCorp Vault secrets engine (Google Cloud Platform Blog, Apr 10 2018)
On Google Cloud Platform (GCP), you can manage services or temporary users using Cloud Identity and Access Management (IAM) service accounts, which are identities whose credentials your application code can use to access other GCP services.

Facebook Rolls Out ‘Data Abuse Bounty’ Program (Dark Reading, Apr 11 2018)
The social media giant also got hit with a lawsuit the day before unveiling its new reward program.