A Review of the Best News of the Week on Identity Management & Web Fraud

What’s a username generator and why do you need one? (LastPass Blog, Apr 26 2018)
You can select different criteria for your username so it fits your needs. For example, you can select the “Easy to Say” checkbox to get a username you can pronounce.

Digital Identity Makes Headway Around the World (Dark Reading, Apr 23 2018)
The US is lagging behind the digital ID leaders.

Prick up your ears! There’s a new biometric in town (Graham Cluley, Apr 23 2018)
Boffins at NEC say that they have developed a biometric technology that can surreptitiously identify individuals by differences in their ears.


Web trackers exploit ‘login with Facebook’ feature to gather, share user data (SC Magazine, Apr 19 2018)
Third-party JavaScript trackers that are embedded on websites where users log in through Facebook can gather their data, including email addresses, researchers found.

Exfiltrating private keys from air-gapped cold wallets (Help Net Security, Apr 24 2018)
Air-gapped cold wallets might be one of the safest options for keeping your cryptocurrency stash, but even they can be compromised. And, as demonstrated by security researchers from the Ben-Gurion University of the Negev, Israel, extracting private keys from such a wallet can be done relatively easily.

Transcription Service Leaked Medical Records (Krebs on Security, Apr 23 2018)
MEDantex, a Kansas-based company that provides medical transcription services for hospitals, clinics and private physicians, took down its customer Web portal last week after being notified by KrebsOnSecurity that it was leaking sensitive patient medical records — apparently for thousands of physicians.

MyEtherWallet users robbed after successful DNS hijacking attack (Help Net Security, Apr 25 2018)
Unknown attackers have managed to steal approximately $150,000 in Ethereum from a number of MyEtherWallet (MEW) users, after having successfully redirected them to a phishing site posing as MyEtherWallet.com.

Using Carrier Intelligence to Validate Mobile User Identity (Dark Reading, Apr 19 2018)
To confidently validate the identity of mobile users without adding business-killing friction to login and on-boarding processes, Lea Tarnowski and Wendell Brown of Averon suggest leveraging the intelligence mobile carriers already have about their customers.

How porn bots abuse government websites (Naked Security – Sophos, Apr 20 2018)
Bots run by shady websites are creating thousands of phantom pages.

LinkedIn Vulnerability Allowed User Data Harvesting (SecurityWeek, Apr 20 2018)
LinkedIn recently patched a vulnerability that could have been exploited by malicious websites to harvest data from users’ profiles, including private information.

Is Facebook’s Anti-Abuse System Broken? (Krebs on Security, Apr 20 2018)
Facebook has built some of the most advanced algorithms for tracking users, but when it comes to acting on user abuse reports about Facebook groups and content that clearly violate the company’s “community standards,” the social media giant’s technology appears to be woefully inadequate.

Researchers discover next generation phishing kit (Help Net Security, Apr 25 2018)
Created by a cyber-criminal known as ‘[A]pache’, the kit makes it simple for those with very little technical ability to carry out their own cyber-attack. By simply downloading this multi-functioning phishing kit and following the straightforward installation instructions, a threat actor is able to very quickly launch a phishing campaign that collects the personal and financial information of unsuspecting consumers.

New Phishing Attack Targets 550M Email Users Worldwide (Dark Reading, Apr 26 2018)
In an attempt to steal financial data, the attack bribes users with coupons in exchange for taking an online quiz.

Wrong Number: Phone Scammers Run Off With Millions by Impersonating Chinese Consulate Staff (McAfee, Apr 25 2018)
Phone scammers pretending to be from a Chinese Consulate office are tricking people in the U.S. into giving them large amounts of money.

RSA Identity Products Chief: Why Authentication Should Be Invisible (eWEEK, Apr 20 2018)
It’s all about how to integrate user authentication automatically into the user experience (UX), so that the user doesn’t have to think about checking into or turning on a device in a secure fashion.

Google, Microsoft Push Websites To Go Password-Less (PCMag, Apr 21 2018)
At the RSA conference, Google and Microsoft demoed how websites could adopt password-free login systems with the help of Android smartphones and Windows PCs.

With new security and intelligent features, the new Gmail means business (Google, Apr 26 2018)
Work safer, smarter, more efficiently with the new Gmail.

SunTrust Ex-Employee May Have Stolen Data on 1.5 Million Bank Clients (Dark Reading, Apr 20 2018)
Names, addresses, phone numbers and account balances may have been exposed.

Why So Many People Make Their Password ‘Dragon’ (Wired, Apr 22 2018)
The type of site a password data set comes from can also skew results.

NBlog April 24 – privacy policies under GDPR (NoticeBored blog, Apr 24 2018)
As the world plummets towards the May 25th GDPR deadline, organizations are revising their web-based privacy policies to align with both the new regulatory regime and their internal privacy practices.