A Review of the Best News of the Week on Identity Management & Web Fraud

AT&T sued for enabling SIM swap fraud (Help Net Security, Aug 16 2018)
He is asking the US District Court for the Central District of California to find in his favor and award him $24 million of compensatory damages and over $200 million of punitive damages.

Why Facebook Enlisted This Research Lab to Track Its Trolls (Wired, Aug 15 2018)
What can the 14-person Digital Forensics Research Lab discover about fake news on Facebook that the billion-dollar company doesn’t already know?

FBI Warns of ‘Unlimited’ ATM Cashout Blitz (Krebs on Security, Aug 12 2018)
“The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an “ATM cash-out,” in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.”

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

Analysis of email address in Mueller indictments exposes 9M weaponized email accounts (SC Magazine, Aug 09 2018)
Probing an email address found in Special Counsel Robert Mueller’s indictments of 13 Russians for interfering in the U.S. presidential election led GroupSense researchers to the discovery of more than nine million stolen, leaked or abandoned email accounts — likely part of a large botnet aimed at spreading misinformation, including generating false comments on the FCC’s net neutrality filing site.

Police Departments Need to Stop Posting Mugshots on Twitter (Wired, Aug 12 2018)
Opinion: When police departments post photos of protestors on social media, it puts them at risk of harassment, or worse.

Microsoft ADFS Vulnerability Lets Attackers Bypass MFA (Dark Reading, Aug 14 2018)
The flaw lets an attacker use the same second factor to bypass multifactor authentication for any account on the same ADFS service.

Feds indict 12 for allegedly buying iPhones on other people’s dimes (Naked Security – Sophos, Aug 13 2018)
They allegedly hacked into phone accounts, convinced retailers they were who they weren’t, and upgraded to shiny new gadgets for small fees.

Instagram users report hack, note recovery emails changed to .ru addresses (SC Magazine, Aug 14 2018)
Some Instagram users found themselves logged out of their accounts and when they tried to reset their passwords they discovered that their recovery email addresses had been set to .ru accounts.

Caesars’ Palace security room checks rattle Def Con attendees, conference SecOps head offers resignation (SC Magazine, Aug 14 2018)
Def Con attendees complained the Las Vegas hotel violated their privacy and made them feel unsafe by spotchecking the room of guests who’ve rejected housekeeping services.

Social Mapper: A free tool for automated discovery of targets’ social media accounts (Help Net Security, Aug 10 2018)
Trustwave has released Social Mapper, an open source tool that automates the process of discovering individuals’ social media accounts.

Cops Claim Victory After Busting $1m Phone Fraud Ring (Infosecurity Magazine, Aug 10 2018)
Twelve charged after allegedly hijacking customers’ accounts

15,000-strong army of Twitter robots found spreading cryptocurrency spam (Naked Security – Sophos, Aug 10 2018)
Researchers unearthed an army of 15,000 robot Twitter accounts plying a cryptocurrency scam.

Social Engineers Show Off Their Tricks (Dark Reading, Aug 13 2018)
Wixey detailed their efforts in a Black Hat presentation on Remote Online Social Engineering (ROSE), his name for long-term campaigns in which actors leverage false personae and highly detailed reconnaissance to compromise target networks. By building a relationship with their targets, attackers can persuade employees to send data and assist in corporate hacking.

Coinbase Acquires Distributed Systems to Double Down on Digital Identity (Wired, Aug 15 2018)
Cryptocurrency exchange Coinbase is banking on decentralized identity to help it find long-term relevance.

Sacramento admits to tracking welfare recipients’ license plates (Naked Security – Sophos, Aug 16 2018)
For 2 years, welfare investigators used a huge database of automated license plate reader images to sniff out fraud, without audit or policy.

Cisco’s $2.35 billion Duo acquisition front and center at earnings call (TechCrunch, Aug 16 2018)
In yesterday’s earnings report, even before the ink had dried on the Duo acquisition contract, Cisco was reporting that its security business grew 12 percent year over year to $627 million. Given those numbers, the acquisition was top of mind in CEO Chuck Robbins’ comments to analysts.

Facial Recognition 10 Buzzwords Demystified (Part 1) (Gemalto, Aug 05 2018)
Facial recognition is becoming quickly adopted around the world. But what do some of the terms used actually mean?

Hackers phish Butlin’s holiday camp chain, access customers’ personal data (Graham Cluley, Aug 10 2018)
Fabled British holiday camp chain Bultin’s has admitted that it has suffered a data breach that may have exposed details of 34,000 guests.
Read more in my article on the Hot for Security blog.

Nigerian National Convicted for Phishing US Universities (Dark Reading, Aug 13 2018)
Olayinka Olaniyi and his co-conspirator targeted the University of Virginia, Georgia Tech, and other educational institutions.

UK Police Deploy Homemade Mobile Fingerprint Scanners (SecurityWeek, Aug 14 2018)
The UK Metropolitan Police Service — the Met, the UK’s largest police force and one of the largest in the world — has introduced a new portable fingerprint scanner. This is not the first portable scanner used by the Met, but differs from the earlier option by being developed in-house.