A Review of the Best News of the Week on Identity Management & Web Fraud

Apple prohibits developers from using, selling users’ Contacts (Help Net Security, Jun 14 2018)
According to new rules recently published by Apple, iOS app developers must refrain from creating a database of the information gleaned from users’ Contacts and from selling it on.

Why SCIM Matters (OneLogin, Jun 14 2018)
The System for Cross-domain Identity Management (SCIM) is an open standard that developed from the need for a way to synchronize user information between multiple applications. In this way, SCIM is fantastic for streamlining processes, while also reducing mistakes and data inconsistencies between identity ecosystems.

Lessons on ID Proofing From One of New York’s Most Renowned Identity Thieves (Jumio, Jun 13 2018)
After botching a laptop transaction with a stolen credit card at Best Buy, he was apprehended and hit with federal charges. Facing 8.5 years in prison, DeFelippi took a plea bargain and ended up working undercover for the Secret Service for 2 years, where he helped bust numerous underground credit card fraud rings.


New Data Privacy Regulations (Schneier on Security, Jun 08 2018)
When Mark Zuckerberg testified before both the House and the Senate last month, it became immediately obvious that few US lawmakers had any appetite to regulate the pervasive surveillance taking place on the Internet.

US Government’s biometric database worries privacy advocates (Naked Security – Sophos, Jun 11 2018)
It is something few Americans will have heard of, but the US Department of Homeland Security’s Homeland Advanced Recognition Technology (HART) is catching the eye of privacy advocates – and not in a good way.

74 Arrested in International Email Scam Schemes (Dark Reading, Jun 11 2018)
A coordinated effort has led to the arrest of 74 individuals around the world on charges of defrauding businesses and individuals.

Endpoint Security and Blockchain Identity at Gartner’s Security Summit (Gartner Blog Network, Jun 08 2018)
The United Nations World Food Programme (WFP) recently implemented a blockchain identity project called “Building Blocks” for Syrian refugees who lose their ‘official identities’ when they are forced to flee their homes. The WFP gives these refugees new identity records on an Ethereum blockchain, so that food assistance is disbursed directly to the refugees by reimbursing their food purchases at their refugee camp in Zaatari, Jordan.

Encrypted Messaging Apps Have Limitations You Should Know (Wired, Jun 14 2018)
As recent events have shown, using an encrypted messaging app like WhatsApp or Signal is no privacy panacea.

Librarian Sues Equifax Over 2017 Data Breach, Wins $600 (Krebs on Security, Jun 13 2018)
The 49-year-old librarian from a tiny town in Vermont took Equifax to court. And now she’s celebrating a small but symbolic victory after a small claims court awarded her $600 in damages stemming from the 2017 breach.

The Google Pixelbook power button is now a 2FA token (Naked Security – Sophos, Jun 12 2018)
The Pixelbook’s power button is a 2FA token, which is great, and almost nobody noticed, which isn’t.

Feds Bust Dozens of Nigerian Email Scammers, but Your Inbox Still Isn’t Safe (Wired, Jun 12 2018)
The arrest of dozens of alleged Nigerian email scammers and their associates is a small, but important, first step toward tackling an enormous problem.

MP gets 600 rape threats in a night, wants an end to online anonymity (Naked Security – Sophos, Jun 13 2018)
As a female MP, Jess Phillips faces threats of violence and aggression every day.

Florida skips gun background checks for a year after employee forgets login (Naked Security – Sophos, Jun 12 2018)
The Florida Department of Agriculture and Consumer Services stopped using the FBI’s crime database in February 2016 because an employee couldn’t log in.

Fewer Phishing Attacks Hit More Diverse Targets (Dark Reading, Jun 11 2018)
Nearly 300 brands were hit with phishing attacks in Q1, with cloud storage providers now among the top 10 most targeted.

WhatsApp users targeted by homoglyph attack peddling free tickets to theme park (Tripwire, Jun 12 2018)
Fraudsters are using a homoglyph attack to tantalize WhatsApp users with the empty offer of free tickets to a theme park.

Zero Trust Security: Never trust, always verify (Help Net Security, Jun 13 2018)
Zero Trust Security assumes that untrusted actors already exist both inside and outside the network. Trust must therefore be entirely removed from the equation.

Trial of two men accused of $20m hacked press release fraud begins (Naked Security – Sophos, Jun 14 2018)
This is reportedly the first time criminal charges have been brought for a securities fraud scheme involving hacked inside information.

Wiper attack at Chilean bank provided cover for $10M SWIFT heist (SC Magazine, Jun 13 2018)
The bank said in a statement that no customer accounts had been compromised in the attack, which destroyed 9,000 workstations and 500 servers.

How OneLogin is Keeping You Safe from Password Spray Attacks (OneLogin, Jun 13 2018)
Password spray campaigns, also known as “brutespray,” are specific types of password brute force attacks. Password brute force attacks are commonly used by hackers trying to penetrate systems and gain unauthorized access to an account, by attempting different password combinations against accounts until they guess a successful combination.

Account Takeover and the Changing Face of Fraud (Signifyd, Jun 07 2018)
The index, which covered eight retail verticals over eight financial quarters, found that account takeover fraud increased 80 percent between 2016 and 2017.