A Review of the Best News of the Week on Identity Management & Web Fraud

Alleged SIM Swapper Arrested in California (Krebs on Security, Aug 22 2018)
“Authorities in Santa Clara, Calif. have arrested and charged a 19-year-old area man on suspicion of hijacking mobile phone numbers as part of a scheme to steal large sums of bitcoin and other cryptocurrencies. The arrest is the third known law enforcement action this month targeting “SIM swappers,” individuals who specialize in stealing wireless phone numbers and hijacking online financial and social media accounts tied to those numbers.”

ID.me Becomes First Identity Provider to Be Approved as NIST 800-63-3 Conformant (Business Wire, Aug 21 2018)
ID.me announced that it has been granted Approval by the Kantara Initiative’s Board of Directors as a full Credential Service Provider conformant to NIST’s recently issued Special Publication (SP) 800-63-3 guidelines at Identity Assurance Level 2 (IAL2) and Authenticator Assurance Level 2 (AAL2).

Facebook purges hundreds of pages, accounts for ‘coordinated, inauthentic activity’ (SC Magazine, Aug 22 2018)
Many of the pages, groups and accounts originated in Russia and Iran and targeted persons in the U.S., U.K., Middle East and Latin America.

Hanging Up on Mobile in the Name of Security (Krebs on Security, Aug 16 2018)
All four major wireless carriers — AT&T, Sprint, T-Mobile and Verizon — let customers add protection against SIM swaps and related schemes by setting a PIN that must be provided over the phone or in person at a store before account changes can be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.

How to Protect Your Phone Against a SIM Swap Attack (Wired, Aug 19 2018)
Your phone number is increasingly tied to your online identity. You need to do everything possible to protect it.

Ohio Man Sentenced To 15 Months For BEC Scam (Dark Reading, Aug 21 2018)
Olumuyiwa Adejumo and co-conspirators targeted CEOs, CFOs, and other enterprise leaders in the US with fraudulent emails.

The single sign-on account hijacking threat and what we can do about it (Help Net Security, Aug 22 2018)
The researchers first wanted to see how widely SSO is used. They crawled the top 1 million websites according to Alexa to see whether they offer SSO support for 65 IdPs that support the OAuth 2.0 and/or OpenID Connect standards. Of the 912,206 that were processed, 57,555 (6.30%) domains offered it.
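The crawl described above has to decide, per site, whether a page offers SSO through a known IdP. The following is an added illustration of one way to make that decision from a page's HTML; it is not the researchers' code. It checks only a constructed four-IdP subset (Google, Facebook, GitHub, Microsoft) against their public OAuth 2.0 / OpenID Connect authorization endpoints, counts a site as offering SSO only when a link or form targets such an endpoint with an actual authorization request (a `client_id` or `response_type` parameter), and runs over constructed sample pages rather than captured ones.

```python
"""Detect OAuth 2.0 / OpenID Connect single sign-on support in a page's HTML.

Added illustration, not the study's code. The IdP table is a constructed
four-entry subset of the 65 IdPs, and SAMPLE_PAGES are constructed HTML
fragments, not captured sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# (IdP name, host regex, path regex) of the authorization endpoint.
# Assumption: a target matching one of these, carrying client_id or
# response_type, is an authorization request and so evidence of SSO support.
IDP_AUTHORIZE_ENDPOINTS = [
    ("google",    re.compile(r"^accounts\.google\.com$"),
                  re.compile(r"^/o/oauth2/(v2/)?auth$")),
    ("facebook",  re.compile(r"^(www\.)?facebook\.com$"),
                  re.compile(r"^(/v\d+\.\d+)?/dialog/oauth$")),
    ("github",    re.compile(r"^github\.com$"),
                  re.compile(r"^/login/oauth/authorize$")),
    ("microsoft", re.compile(r"^login\.microsoftonline\.com$"),
                  re.compile(r"^/[^/]+/oauth2(/v2\.0)?/authorize$")),
]


class _TargetCollector(HTMLParser):
    """Collect every outbound target: <a href>, <form action>, <iframe src>."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "form": "action", "iframe": "src"}
        attr_name = wanted.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                self.targets.append(value)


def classify_target(url):
    """Return the IdP name if url is an OAuth/OIDC authorization request, else None."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None  # relative links (e.g. /auth/google) need a follow-up fetch
    query = parse_qs(parsed.query)
    # A bare link to the IdP's home page is not SSO; an authorization
    # request always names the client and/or the response type.
    if "client_id" not in query and "response_type" not in query:
        return None
    for name, host_re, path_re in IDP_AUTHORIZE_ENDPOINTS:
        if host_re.match(parsed.hostname or "") and path_re.match(parsed.path):
            return name
    return None


def detect_sso(html):
    """Return the sorted list of IdPs the page offers SSO through."""
    collector = _TargetCollector()
    collector.feed(html)
    return sorted({idp for idp in map(classify_target, collector.targets) if idp})


def sso_prevalence(pages):
    """Fraction of pages (name -> html) offering SSO for at least one IdP."""
    offering = sum(1 for html in pages.values() if detect_sso(html))
    return offering / len(pages) if pages else 0.0


# Constructed sample pages (not captured from any real site).
SAMPLE_PAGES = {
    "shop.example": """
        <a href="https://accounts.google.com/o/oauth2/v2/auth?client_id=abc&redirect_uri=https%3A%2F%2Fshop.example%2Fcb&response_type=code&scope=openid%20email">Sign in with Google</a>
        <a href="https://github.com/login/oauth/authorize?client_id=ghid&scope=user:email">Sign in with GitHub</a>
    """,
    "blog.example": """
        <a href="https://www.facebook.com/">Follow us on Facebook</a>
        <form action="/login" method="post"><input name="user"><input name="pass"></form>
    """,
    "forum.example": """
        <form action="https://www.facebook.com/v3.1/dialog/oauth?client_id=123&redirect_uri=https%3A%2F%2Fforum.example%2Ffb" method="get"></form>
    """,
}

if __name__ == "__main__":
    for site, html in SAMPLE_PAGES.items():
        print(site, detect_sso(html))
    print(f"{sso_prevalence(SAMPLE_PAGES):.2%} of sample pages offer SSO")
```

The `client_id`/`response_type` requirement is what separates "Follow us on Facebook" from "Sign in with Facebook"; without it the blog page would be miscounted. Sites that route SSO through a local redirect (`/auth/google`) are deliberately reported as no-SSO here and would need the redirect followed, which is one reason a real crawl's figure can only be a lower bound.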

EU GDPR vs US: What Is Personal Data? (Cloud Security Alliance, Aug 20 2018)
Well, according to the GDPR, personal data means “any information relating to an identified or identifiable natural person.”

8 Things Every C-Level Exec Should Know About Identity (PingTalk, Aug 21 2018)
The group looked at everything from authentication to user experience to compliance, and came up with a few key takeaways.

BOPIS Fraud Jumps 250%: Is ‘Buy Online, Pick Up In-Store’ Becoming a Big Problem? (ThreatMetrix, Aug 16 2018)
According to FierceRetail, fraud rates for BOPIS (“Buy Online, Pickup in-Store”) have been a fraction of those seen in eCommerce. But over the last year, some merchants reported seeing BOPIS fraud jump as much as 250%.

Indian Bank Hit in $13.5M Cyberheist After FBI ATM Cashout Warning (Krebs on Security, Aug 17 2018)
The criminals who hacked into Pune, India-based Cosmos Bank executed their two-pronged heist the day after the FBI warning, sending co-conspirators to fan out and withdraw a total of about $11.5 million from ATMs in 28 countries.

ETSI releases cryptographic standards for secure access control (Help Net Security, Aug 21 2018)
ETSI Technical Committee on Cybersecurity has recently released two specifications on Attribute-Based Encryption (ABE) that describe how to protect personal data—with access controls.

Financial Watchdog Puts Pressure on Banks to Stop Fraud (Infosecurity Magazine, Aug 23 2018)
Ombudsman says lenders can’t simply blame customers for falling victim

Necurs Botnet Goes Phishing for Banks (Dark Reading, Aug 16 2018)
A new Necurs botnet campaign targets thousands of banks with a malicious file dropping the FlawedAmmyy remote-access Trojan.

SuperProf private tutor site massively fails password test, makes accounts super easy to hack (Graham Cluley, Aug 17 2018)
Superprof, which claims to be “the world’s largest tutoring network”, has made its newest members’ passwords utterly predictable… leaving them wide open to hackers.

Researchers reveal new online user tracking techniques (Help Net Security, Aug 20 2018)
The good news is that they’ve also scanned the Alexa Top 10,000 most popular sites and found no evidence that these techniques are already being used by user tracking services and advertisers.

Fortnite login credentials sold on the dark web for cheap (SC Magazine, Aug 17 2018)
Researchers at Top10 VPN have uncovered a thriving dark web marketplace selling U.K. gamers’ logins and passwords for the popular Battle Royale-style game “Fortnite”.

Incentivai launches to simulate how hackers break blockchains (TechCrunch, Aug 17 2018)
Incentivai is coming out of stealth with its artificial intelligence simulations that test not just for security holes, but for how greedy or illogical humans can crater a blockchain community. Crypto developers can use Incentivai’s service to fix their systems before they go live.

Phishing scam claims recall on exploding Barclays credit cards (SC Magazine, Aug 20 2018)
Scammers are taking a low-tech approach to phishing in a scheme targeting Barclays’ customers, claiming that a recall has been issued for customers’ cards due to exploding EMV chips.

Extortionist lawyer pleads guilty to creating porn honeypot (Naked Security – Sophos, Aug 22 2018)
Minneapolis lawyer Paul Hansmeier has pleaded guilty to a scheme in which he and another lawyer made porn films, seeded them to BitTorrent websites, and then extorted those who downloaded them, threatening to file lawsuits unless they paid $3,000 to keep from the embarrassment of getting dragged through court.