A Review of the Best News of the Week on Identity Management & Web Fraud

Mobile Giants: Please Don’t Share the Where (Krebs on Security, May 22 2018)
“The mobile carriers are selling data about where you are at any time, without your consent, to third-parties for probably far less than you might be willing to pay to secure it.”

The Pentagon has a project that aims to verify identity via smartphone (CSO Online, May 21 2018)
A Pentagon-funded project that aims to add tech to verify identity and ultimately to assign a “risk score” to you could be included in new smartphones within two years.

Verifying data processing for privacy and GDPR (Help Net Security, May 23 2018)
Article 30 of GDPR states, “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” That means that processors and controllers of any personal data must undertake labor-intensive record-keeping of all identity data processing activity.



Suspected Syrian Electronic Army hackers indicted for conspiracy and identity theft (Graham Cluley, May 18 2018)
But don’t imagine that the two suspected hackers will be defending themselves in a US court anytime soon…

Polish Credit Office to move up to 140M credit records to blockchain (SC Magazine, May 18 2018)
The Polish Credit Office (BIK) has announced that it will be moving up to 140 million credit records to Blockchain in what is seen as a significant development in the use of Blockchain for secure document management.

Global Fraud Hits £3.2 Trillion (Infosecurity Magazine, May 22 2018)
UK losses stand at £110bn but greater insight can help reduce risk, says report

FireEye Launches OAuth Attack Testing Platform (SecurityWeek, May 22 2018)
An attacker can obtain OAuth tokens via social engineering, by convincing the victim to click a “Consent link” and approve the application.

Will Amazon’s Facial-Recognition Tech Enable Mass Surveillance? (PCMag, May 22 2018)
The American Civil Liberties Union and 35 other advocacy groups are demanding that Amazon stop selling the technology to law enforcement, fearing it’ll be abused.

Facebook Is Beefing Up Its Two-Factor Authentication (Wired, May 23 2018)
The update, now available to most users, comes several months after Facebook was criticized for spamming users’ two-factor authentication phone numbers.

Fraud Drops 76% for Merchants Using EMV, Says Visa (Dark Reading, May 23 2018)
A new report from Visa says that the shift to chip cards has resulted in dramatically reduced credit card fraud levels.

Password pattern analysis: Risky, lazy passwords the norm (Help Net Security, May 24 2018)
Dashlane announced the findings of an analysis of over 61 million passwords. The analysis was conducted with research provided by Dr. Gang Wang, an Assistant Professor in the Department of Computer Science at Virginia Tech.

2 million stolen identities used to make fake net neutrality comments (Naked Security – Sophos, May 24 2018)
Most crucially, two of those identities were senators who are now demanding the FCC find out who’s behind the bots and the identity theft.

Cybercriminals impersonate popular file sharing services to take over email accounts (CSO Online, May 21 2018)
Email account takeover attacks are growing, and attackers are impersonating OneDrive and other popular web services to steal credentials from employees.

200 Million Sets of Japanese PII Emerge on Underground Forums (SecurityWeek, May 18 2018)
The data appears sourced from a variety of Japanese websites, including those in the retail, food and beverage, financial, entertainment, and transportation sectors, and FireEye believes that the cybercriminals obtained it via opportunistic compromises.

Mobile Fraud Soars as Social Sites Help Scammers (Infosecurity Magazine, May 23 2018)
RSA finds legitimate social platforms are unwittingly helping fraudsters

Yubico Brings Security Keys to iOS (PCMag, May 23 2018)
The YubiKey NEO now works with applicable iOS apps, thanks to Yubico’s new SDK.

California Teen Arrested for Phishing Teachers to Change Grades (Dark Reading, May 17 2018)
The student faces 14 felony counts for using a phishing campaign to steal teachers’ credentials and alter students’ grades.

Mugshots.com’s alleged owners arrested for extortion (Naked Security – Sophos, May 22 2018)
Mugshots.com publishes people’s mugshots and extorts a removal fee.

An easier way to control access to AWS resources by using the AWS organization of IAM principals (AWS Security Blog, May 17 2018)
Now, you can use a new condition key, aws:PrincipalOrgID, in these policies to require all principals accessing the resource to be from an account in the organization. For example, let’s say you have an Amazon S3 bucket policy and you want to restrict access to only principals from AWS accounts inside of your organization.

#Oktane18: The Best Password is No Password says Okta CEO (Infosecurity Magazine, May 23 2018)
At Oktane 18 in Las Vegas, Okta announced that organizations will be able to eliminate the login password as a primary factor of authentication