A Review of the Best News of the Week on Identity Management & Web Fraud

I Forgot Your Password: Breaking Password Recovery Systems (Onapsis at RSAC, May 03 2018)
Objectives: (1) learn about the most common problems and errors affecting password recovery systems; (2) understand, through a demo, how easy it can be for attackers to abuse these systems; (3) gain insight into how to avoid the problems discussed.

Spring 2018 Password Attacks (SecurityWeek, May 02 2018)
The first time I heard about distributed brute-force login attacks was from master web application firewall (WAF) administrator Marc LeBeau. At the time he was defending a hotel chain against attackers who were brute-force guessing customer passwords and withdrawing hotel points.

Transaction Laundering: A Growing Fraud Risk for Merchants (ThreatMetrix, Apr 26 2018)
Hardly a blip on anyone’s radar just a few years ago, losses from transaction fraud like this are now estimated to top $200 billion a year in the U.S., and could reach $500 billion worldwide in 2018. To put that into perspective, total revenue generated by eCommerce in the U.S. was $453 billion last year.

More Than 1M Children Victims of Identity Fraud in 2017 (Dark Reading, Apr 27 2018)
Total fraud against kids amounted to $2.6 billion and more than $540 million in out-of-pocket costs to families, a new report finds.

Twitter sold data access to Cambridge Analytica-affiliated researcher (Help Net Security, Apr 30 2018)
Dr Aleksandr Kogan, the academic behind the personality quiz app that harvested the Facebook data of more than 80 million people, also had access to a random sample of public tweets posted during a five-month period.

Security Trade-Offs in the New EU Privacy Law (Krebs on Security, Apr 27 2018)
“On two occasions this past year I’ve published stories here warning about the prospect that new European privacy regulations could result in more spams and scams ending up in your inbox. This post explains in a question and answer format some of the reasoning that went into that prediction, and responds to many of the criticisms leveled against it.”

Jordan Hamlett Jailed for Attempts to Access Trump Tax Returns (Infosecurity Magazine, Apr 30 2018)
The private investigator who used Trump’s social security number was sentenced to 18 months in jail.

Public breaches drive increase in account takeover attempts (Help Net Security, May 02 2018)
Websites are most likely to experience account takeover (ATO) attacks on a Friday or Saturday: 39 percent of volumetric ATO attacks occur on those two days.

Easier way to control access to AWS regions using IAM policies (AWS Security Blog, Apr 25 2018)
If your company requires users to create resources in a specific AWS region, you can now add a new condition to the IAM policies you attach to your IAM principal (user or role) to enforce this for all AWS services.
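The condition the AWS post refers to is the global condition key aws:RequestedRegion. The Python below is an added example, not code from the AWS post: it builds a policy with a single explicit Deny that applies to every action outside an allow-list of regions, exempts global services whose single endpoint reports a fixed region (IAM calls are always made to us-east-1, so a naive Deny would lock the principal out of IAM), and runs a simplified model of that one Deny statement over a few constructed sample requests. The helper names, the exemption list and the sample requests are assumptions for illustration; the model is not IAM's evaluation logic and does not replace the IAM policy simulator.

```python
"""Confine an IAM principal to a set of regions with aws:RequestedRegion.

Added example; not code from the AWS Security Blog post. The helper names,
the exemption list and the sample requests below are illustrative assumptions.
"""
import json
from fnmatch import fnmatchcase

# Global services have a single endpoint, so the region they report is fixed
# (IAM calls, for example, are always made to us-east-1). Listing them in
# NotAction keeps the Deny from locking principals out of them. Which
# services to exempt is a policy decision; this list is an assumed starting
# point, not a complete one.
ASSUMED_GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*", "support:*",
]


def region_lock_policy(allowed_regions, exempt_actions=ASSUMED_GLOBAL_SERVICE_ACTIONS):
    """Return an IAM policy document with one explicit Deny statement that
    applies to every action not in exempt_actions when the request targets
    a region outside allowed_regions. Attach it alongside the principal's
    normal Allow policies; an explicit Deny overrides any Allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideAllowedRegions",
                "Effect": "Deny",
                "NotAction": list(exempt_actions),
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
                },
            }
        ],
    }


def _action_matches(action, pattern):
    # IAM matches action names case-insensitively and supports '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def denied_by_region_lock(policy, action, requested_region):
    """Simplified model of the Deny statement built above: True when the
    statement applies to the request. It handles only that statement shape
    (Effect Deny, NotAction, StringNotEquals on aws:RequestedRegion); real
    evaluation also involves Allow statements, SCPs, resource policies,
    permission boundaries and session policies. Confirm with the IAM policy
    simulator before deploying."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if any(_action_matches(action, p) for p in stmt.get("NotAction", [])):
            continue  # action is exempt from this statement
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if requested_region not in allowed:
            return True
    return False


def check_sample_requests(policy):
    """Evaluate a few constructed sample requests; returns {label: denied?}."""
    samples = {
        "s3:PutObject in us-west-2": ("s3:PutObject", "us-west-2"),
        "s3:PutObject in eu-west-1": ("s3:PutObject", "eu-west-1"),
        "ec2:RunInstances in ap-southeast-1": ("ec2:RunInstances", "ap-southeast-1"),
        "iam:CreateUser (global, reports us-east-1)": ("iam:CreateUser", "us-east-1"),
    }
    return {label: denied_by_region_lock(policy, a, r) for label, (a, r) in samples.items()}


if __name__ == "__main__":
    policy = region_lock_policy(["eu-west-1", "eu-central-1"])
    print(json.dumps(policy, indent=2))
    for label, denied in check_sample_requests(policy).items():
        print(f"{'DENY' if denied else 'pass'}  {label}")
```

The Deny-with-NotAction shape is what makes this safe to attach broadly: it never grants anything, so a principal still needs its usual Allow policies, and the exemption list is the part to review with care, since any service left off it stops working outside the allowed regions.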

When Your Employees Post Passwords Online (Krebs on Security, May 02 2018)
Storing passwords in plaintext online is never a good idea, but it’s remarkable how many companies have employees who are doing just that using online collaboration tools like Trello.com. Last week, KrebsOnSecurity notified a host of companies that employees were using Trello to share passwords for sensitive internal resources.

Travel Website Password Power Rankings 2018 (Dashlane, May 03 2018)
A staggering 96% of the travel sites tested do not offer two-factor authentication (2FA).

12 Trends Shaping Identity Management (Dark Reading, Apr 26 2018)
As IAM companies try to stretch ‘identity context’ into all points of the cybersecurity market, identity is becoming ‘its own solar system.’

Enhancing Pwned Passwords Privacy by Exclusively Supporting Anonymity (Troy Hunt, Apr 27 2018)
“When I launched Pwned Passwords in August, I honestly didn’t know how much it would be used. I made 320M SHA-1 password hashes downloadable and also stood up an API to query the data “as a service” by either a plain text password or a SHA-1 hash. But the service did become quite popular, although that was just the beginning…”

86% of Passwords are Terrible (and Other Statistics) (Troy Hunt, May 02 2018)
In other words, once a password has appeared in a data breach and it ends up floating around the web for all sorts of nefarious parties to use, don’t let your customers use that password!
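Troy Hunt's post above describes the original Pwned Passwords API as queryable by plain-text password or full SHA-1 hash; the "anonymity" in the title refers to the range lookup, where the client sends only the first five hex characters of the password's SHA-1 and matches the returned hash suffixes locally, so neither the password nor a hash that identifies it leaves the client. The Python below is an added example, not code from Troy Hunt's post or from haveibeenpwned.com: it implements that client-side logic and the "reject any password that has ever appeared in a breach" registration check the 86% item argues for. The range endpoint URL is the real one, but the response body and its counts are constructed so the example runs offline, and the helper names are assumptions.

```python
"""Check a candidate password against the Pwned Passwords corpus without
sending the password or its full hash: the k-anonymity range lookup.

Added example; not code from Troy Hunt's post or the haveibeenpwned.com
service. The sample API response below is constructed, counts included.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called by default


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    sent to the API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Return how many times the password appears in the corpus (0 if never).
    fetch_range(prefix) must return the text body for that 5-char prefix;
    only the prefix is ever passed to it."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fetch_range_live(prefix, timeout=10):
    """Real lookup against the API: only the 5-character prefix leaves the machine."""
    with urllib.request.urlopen(RANGE_API + prefix, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API's reply to prefix 5BAA6, which is the
# prefix of SHA-1("password") = 5BAA61E4...8FD8. The neighbouring suffixes
# and every count here are made up for the example.
CONSTRUCTED_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FF1A3C8E2D7B6A5948372615F0E1D2C3B4A:2
"""


def fetch_range_constructed(prefix):
    """Offline stand-in for fetch_range_live."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


def password_acceptable(password, fetch_range=fetch_range_constructed):
    """Registration-time policy from the post: reject any password seen in a breach at all."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, fetch_range_constructed)
        print(f"{candidate!r}: seen {n} times -> {'reject' if n else 'accept'}")
```

Swap fetch_range_constructed for fetch_range_live to query the real service; the privacy property is the same either way, because the server only ever learns a 5-character prefix shared by hundreds of hashes, and the decisive comparison of the suffix happens on the client.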

Building a world without passwords (Microsoft Secure, May 01 2018)
There’s a Microsoft Authenticator app?

Password behaviors remain largely unchanged (Help Net Security, May 03 2018)
Despite today’s increased threat landscape and heightened global awareness of hacking and data breaches, password behaviors remain largely unchanged.

Slowing Mobile Banking Fraud to Reverse the Decline in Active User Growth (ThreatMetrix, Apr 27 2018)
Bank of America, JPMorgan Chase and Wells Fargo have all reported declines in annual growth rates among active U.S. mobile users.

Reno Man Created 8,000 Fake Online Accounts via Stolen Identities (Dark Reading, Apr 27 2018)
Kenneth Gilbert Gibson pleaded guilty to creating more than 8,000 fraudulent online accounts to launch a $3.5M fraud operation.

Supreme Court to hear Google privacy settlement case (SC Magazine, May 02 2018)
The appeal by conservative think tank Competitive Enterprise Institute stems from a 2013 case in which Google was found to have violated users’ privacy rights by sharing their search queries with other websites.

The Power of Data Filtering (Axiomatics, May 02 2018)
By using Dynamic Authorization in this way, and utilizing the features of dynamic data masking and redaction, database administrators, data architects and business analysts alike can leverage powerful, fine-grained authorization – to not just mitigate risk – but to move faster…