A Review of the Best News of the Week on Identity Management & Web Fraud

Reddit Breach Highlights Limits of SMS-Based AuthN (Krebs on Security, Aug 01 2018)
“Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn’t seem too severe. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security.”

Cisco to acquire Duo Security in a $2.35 billion deal (SC Magazine, Aug 02 2018)
Cisco will acquire Duo Security in a $2.35 billion deal designed to boost Cisco’s ability to increase security for its customers as they access more content from the cloud.

Feds Accuse Three Hackers of Stealing 15 Million Credit Cards in 100 Security Breaches (Motherboard, Aug 01 2018)
The US Department of Justice announced the indictment of three alleged members of the infamous financial hacking group known as Carbanak or FIN7.


Phishing Attack Strikes UnityPoint Health (Infosecurity Magazine, Aug 01 2018)
A fraudulent email from a senior executive tricks users into clicking.

Facebook Removes Fake Accounts Linked to Russian Firm (Infosecurity Magazine, Aug 01 2018)
Infamous IRA was behind 2016 social media election meddling

‘TELL YOUR DAD TO GIVE US BITCOIN:’ How a Hacker Allegedly Stole Millions by Hijacking Phone Numbers (Motherboard, Aug 02 2018)
California authorities say a 20-year-old college student hijacked more than 40 phone numbers and stole $5 million, including some from cryptocurrency investors at the blockchain conference Consensus.

Click on this iOS phishing scam and you’ll be connected to “Apple Care” (Ars Technica, Aug 02 2018)
Scam website launched phone call, connected victims to “Lance Roger at Apple Care.”

‘Identity Has Become the Perimeter’: Oracle Security SVP (Dark Reading, Jul 27 2018)
Eric Olden, Oracle’s new leader in security and identity, shares how the enterprise tech giant plans to operate in a cloud-first world.

Identifying People by Metadata (Schneier on Security, Jul 30 2018)
“In this paper, we use Twitter as a case study to quantify the uniqueness of the association between metadata and user identity and to understand the effectiveness of potential obfuscation strategies.”

Insights into consumer attitudes to biometric payments (Help Net Security, Aug 01 2018)
The report reveals that 15% of adults have made a biometric payment in the last year, including a quarter of 18 to 24 year olds.

Microsoft Edge adds WebAuthn as passwords near the end (Naked Security – Sophos, Aug 02 2018)
Microsoft’s Edge browser has finally joined Mozilla Firefox and Google’s Chrome in supporting a working version of the emerging WebAuthn.

Michele Braun: Cybersecurity – passwords, authentication and authorization (Westfair Communications, Jul 27 2018)
In June 2017, the National Institute of Standards and Technology, which creates widely used standards, updated its “Digital Identity Guidelines,” with special attention to usability.

Fortnite click-fraud scammers set to earn $1 million (SC Magazine, Jul 27 2018)
Imperva researchers estimate Fortnite scammers are earning nearly $1 million annually through pay-per-click advertising by exploiting users eager to get free in-game currency.

Why Bank of America asked Kansas man for proof of citizenship — and may ask you, too (Kansas City Star, Jul 30 2018)
Bank of America says it’s updating information on all its customers to follow regulation and safety guidelines. A Kansas couple, thinking the request was a scam, ignored the request until their account was frozen.

Russian National Sentenced to 70 Months For $4 Million Debit Card Fraud (Dark Reading, Jul 30 2018)
Mikhail Malykhin’s actions drove one company out of business.

UK CNP Fraud Drops as Banks Fight Back (Infosecurity Magazine, Jul 30 2018)
FICO claims technology is making an impact on UK Card Not Present (CNP) fraud.

Massive Singapore Healthcare Breach Possibly Involved Contractor (SecurityWeek, Jul 30 2018)
Researchers have come across two Pastebin posts that could shed more light on the data breach that resulted in the health records of 1.5 million Singaporeans getting stolen by hackers.

Phone scam exploits Russian hacking fears (Graham Cluley, Aug 01 2018)
Guest contributor Bob Covello describes an unexpected phone call he received out of the blue.

How GDPR Could Turn Privileged Insiders into Bribery Targets (Dark Reading, Aug 02 2018)
Regulatory penalties that exceed the cost of an extortion payout may lead to a new form of ransomware. These four steps can keep you from falling into that trap.

Phishing Campaign Targets 400 Industrial Organizations (SecurityWeek, Aug 02 2018)
A new wave of spear-phishing emails masquerading as legitimate procurement and accounting letters have hit over 400 industrial organizations…