A Review of the Best News of the Week on Identity Management & Web Fraud

FBI: Phishing Attacks Aim to Swap Payroll Information (Dark Reading, Sep 19 2018)
Social engineering scams target employees’ payroll credentials so attackers can access and change their bank account data.

Beware of Emails Purporting to be from the IRS (Fortinet Blog, Sep 18 2018)
Since individuals are allowed a six-month extension to provide more time to file, the final deadline is October 15th, which is now approaching. Such a campaign is likely to net an unwitting victim who is not aware of such scams, especially if they are a non-resident alien unfamiliar with US laws and procedures.

2018 Federal Identity Forum & Exposition (Afcea, Sep 20 2018)
The conference is next week, but you can access the 2017 slides and other content now.

State Department scores an F on 2FA security (Naked Security – Sophos, Sep 18 2018)
Federal agencies in the Executive Branch are legally required to enable 2FA for any accounts with elevated privileges under the Federal Cybersecurity Enhancement Act, passed as part of an omnibus spending bill in December 2015.

Edward Snowden on Protecting Activists Against Surveillance (Wired, Sep 18 2018)
“Turnkey tyranny” has never been closer. For some communities, it feels like it’s already here.

WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication (Dark Reading, Sep 19 2018)
New standards offer protection against hacking, credential theft, phishing attacks, and hope for the end of an era of passwords as a security construct.

Take charge of your OAuth ecosystem with these best practices (Google Cloud Blog, Sep 19 2018)
G Suite provides IT admins with full visibility and comprehensive controls to manage application access by vendors outside of Google to your domain’s data stored in Gmail, Drive or other G Suite apps. Here’s a refresher on how you can take charge.

How identity layering improves data flow (CSO Online, Sep 14 2018)
The currently accepted way of designing an identity ecosystem for sharing data is via a platform architecture. This is often hard-coded to provide identities that respond to the calls of a relying party, “Send me your age and I may grant you a bottle of whiskey and do it under my version of SAML 2.” This has limited capability because it is too constrained.

Amazon Probing Staff Data Leaks (SecurityWeek, Sep 17 2018)
Amazon is investigating allegations that some of its staff sold confidential customer data to third-party companies, particularly in China, the online giant confirmed on Sunday.

Nigerian Fraudster Who Stole Millions Heads to U.S. Prison (SecurityWeek, Sep 14 2018)
A Nigerian man was sentenced in Manhattan federal court to 60 months in prison for his role in fraudulent business email compromise (BEC) scams, the United States Department of Justice announced this week.

How Apple’s Safari Browser Will Try to Thwart Data Tracking (SecurityWeek, Sep 14 2018)
Cookie use goes beyond visiting a particular website. As other sites embed Facebook “like” and “share” buttons, for instance, Facebook’s servers are being pinged and can access your stored cookies. That means Facebook now knows you frequent celebrity gossip sites or read news with a certain political bent. Ads can be tailored to that.

China Arrests Suspect for Customer Data Leak at Accor Partner (SecurityWeek, Sep 20 2018)
The 30-year-old suspect had hacked and stolen user data from hotels under Huazhu Group and tried to sell it on overseas websites, the police said in a statement late Wednesday.

Privacy Protection Means Encryption at the Application Layer (SecurityWeek, Sep 19 2018)
Comprehensive Data Security Measures Should Include a Formal Process for Application Security and Vulnerability Assessment