A Review of the Best News of the Week on Identity Management & Web Fraud
Instagram’s New Security Tools are Welcome Step, But… (Krebs on Security, Aug 29 2018)
“Instagram users should soon have more secure options for protecting their accounts against Internet bad guys. On Tuesday, the Facebook-owned social network said it is in the process of rolling out support for third-party authentication apps. Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number — an increasingly common crime.”
Biometrics scanner catches impostor at U.S. airport on just third day of use (Digital Trends, Aug 24 2018)
Well, that didn’t take long. U.S. Customs and Border Protection says that a new biometrics system flagged a man using a fake passport on the third day the system was in use. The program flagged him when his biometrics didn’t match the ID he presented — his real ID was found in his shoe.
Security Flaws Inadvertently Left T-Mobile And AT&T Customers’ Account PINs Exposed (BuzzFeed, Aug 30 2018)
Mobile account PINs intended to protect T-Mobile and AT&T customers’ accounts were exposed by two security vulnerabilities. After a BuzzFeed News inquiry, the companies fixed the flaws.
Allstate to Acquire Identity Protection Firm (PYMNTS, Aug 28 2018)
Allstate plans to buy the digital protection firm InfoArmor in a $525 million all-cash transaction that could close later this year.
Chinese Hotel Breach May Have Hit 100 Million+ Customers (Infosecurity Magazine, Aug 30 2018)
GitHub snafu thought to be to blame
What is WebAuthn? (The Duo Blog, Aug 29 2018)
WebAuthn is a browser-based API that allows for web applications to create strong, public key-based credentials for the purpose of user authentication. It was officially ratified by the W3C (World Wide Web Consortium) in April of this year, and we’ve seen tremendous movement and support by major browsers ever since. Mozilla Firefox was first with support for WebAuthn and Google added Chrome support just last month. Microsoft’s Edge browser is also expected to add support later this year.
Google removes 39 YouTube channels linked to Iranian influence operations (Help Net Security, Aug 24 2018)
Google has identified and removed 39 YouTube channels, six blogs on Blogger and thirteen Google+ accounts linked to IRIB, the Islamic Republic of Iran Broadcasting, which were leveraged in influence operations aimed at US, UK, and other audiences.
Listening-Watch: Strong, low-effort, wearable 2FA scheme (Help Net Security, Aug 27 2018)
Prakash Shrestha and Nitesh Saxena from the University of Alabama at Birmingham believe they have a solution for the problem: Listening-Watch, a new 2FA mechanism based on a wearable device (watch or a specialized bracelet with low sensitivity microphone) and active browser-generated random speech sounds.
Blocking compromised passwords: How and why to do it (Help Net Security, Aug 27 2018)
NIST’s recommendation urges all applications with user accounts to “compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.”
Phone Numbers Were Never Meant as ID. Now We’re All At Risk (Wired, Aug 25 2018)
Your phone number was never meant to be your identity. Now that it effectively is, we’re all at risk.
Who’s Behind the Screencam Extortion Scam? (Krebs on Security, Aug 25 2018)
“The truth is we may never find out who’s responsible, but it’s still fun to follow some promising leads and see where they take us.”
NBlog August 27 – dynamic authentication (NBlog – the NoticeBored blog, Aug 26 2018)
Depending on how you count them, there are easily more than 20 authentication methods in use today, and yet it is generally agreed that they barely suffice. Rather than inventing yet another method, I wonder if we need a different paradigm, a better, smarter approach to authentication? Specifically, I’m thinking about the possibility of continuous, ongoing or dynamic authentication rather than episodic authentication.
Facebook: It’s too tough to find personal data in our huge warehouse (Naked Security – Sophos, Aug 29 2018)
GDPR: it means give users their data when they ask for it, and Facebook’s refusal to do so has provoked an inquiry by the Irish DPC.
Entrust Datacard raises the bar for zero factor authentication (Help Net Security, Aug 24 2018)
Entrust Datacard announced new capabilities for the company’s Mobile Smart Credential solution — including Bluetooth functionality that provides automated login and logout support across platforms including Apple Mac, Windows and virtual desktops.
6.4 Billion Fake Emails Sent Each Day (Dark Reading, Aug 27 2018)
US the leading source of phony messages worldwide.
Green card lottery website scam raises red flags (SC Magazine, Aug 27 2018)
Online scammers know the best way to pull in victims is to make something that is desperately desired seem easily obtainable, such as boosting one’s chance of winning the U.S. Green Card lottery through a small payment.
Yeliseyev gets six years for selling 62,000 stolen credit cards (SC Magazine, Aug 27 2018)
Ukrainian national Ruslan Yeliseyev, 42, was sentenced to 72 months in prison for trafficking stolen financial information obtained through computer hacking, resulting in losses of about $31 million to his victims.
Microsoft Bringing Google ID Log-ins to Azure Active Directory (eWEEK, Aug 30 2018)
Now in preview, the new service will help enterprises collaborate and share applications with other companies beyond their own networks.
The Importance and Requirements of Privileged Access Management (Infosec Island, Aug 30 2018)
The growing need to secure the “keys to the kingdom” and the steps organizations need to take to protect their critical credentials.
Twitter Suspends Accounts Engaged in Manipulation (SecurityWeek, Aug 29 2018)
Twitter this week announced the suspension of a total of 770 accounts for “engaging in coordinated manipulation.”