A Review of the Best News of the Week on Identity Management & Web Fraud

Google to Stop Automatically Logging Users into Chrome (Dark Reading, Sep 27 2018)
The decision comes days after security researcher had blasted company for jeopardizing user privacy with browser update.

A Small Google Chrome Change Stirs a Big Privacy Controversy (Wired, Sep 24 2018)
The latest update to Google’s browser has riled privacy advocates by appearing to log people in without their explicit permission.

AdGuard adblocker resets passwords after credential-stuffing attack (Naked Security – Sophos, Sep 25 2018)
AdGuard has taken the decision to reset all user accounts after suffering a credential-stuffing and brute-force password attack.


Why voice fraud rates continue to rise with no signs of slowing down (Help Net Security, Sep 21 2018)
Advancements in voice technology are not without consequence. The average fraudster’s toolbox is more advanced than ever, thanks to developments in machine learning and AI technology. Pindrop found fraudsters are increasingly leveraging techniques like imitation, replay attack, voice modification software and voice synthesis, often with great success.

Facebook Building a ‘War Room’ to Battle Election Meddling (SecurityWeek, Sep 21 2018)
Facebook on Wednesday said it will have a “war room” up and running on its Silicon Valley campus to quickly repel efforts to use the social network to meddle in upcoming elections.

The New YubiKey Will Help Kill the Password (Wired, Sep 24 2018)
The latest batch of hardware-based tokens from Yubico will eventually let you skip the password altogether.

There’s No Longer Any Excuse For Not Using a Password Manager (Motherboard, Sep 24 2018)
Autofill passwords on Android and iOS 12 means that “I’m lazy” is no longer an excuse for not using LastPass or 1Password.

Open banking is coming to the U.S.: How secure will it be? (CSO Online, Sep 21 2018)
As defined in Wikipedia, open banking includes the use of an open application programming interface (API) that enables third parties to develop and build applications and services around a financial institution. Open banking also provides account owners with additional financial transparency options, including open data and private data using open source technology.

iTunes is assigning you a ‘trust score’ based on emails and phone calls (Naked Security – Sophos, Sep 24 2018)
It’s just a number to detect fraud, not a Black Mirror-esque score that’s going to rate us all as social misfits unworthy of wedding invitations.

NewsNow Ditches Passwords After Possible Breach (Infosecurity Magazine, Sep 26 2018)
News aggregation site pushes responsibility out to email providers.

EMM and IAM Play Well Together (Gartner Blog Network, Sep 26 2018)
Enterprise mobility management (EMM) — and now unified endpoint management (UEM) — platforms have always had a strong identity and access management (IAM) component. After all, policies and configurations are…

Bankrupt NCIX customer data resold on Craigslist (Naked Security – Sophos, Sep 24 2018)
What happens to sensitive customer data when a large company that has collected it over many years suddenly goes bust?

Hackers Target Real Estate Deals, With Devastating Impact (SecurityWeek, Sep 23 2018)
James and Candace Butcher were ready to finalize the purchase of their dream retirement home, and at closing time wired $272,000 from their bank following instructions they received by email.

Beware of Hurricane Florence Relief Scams (Krebs on Security, Sep 24 2018)
“If you’re thinking of donating money to help victims of Hurricane Florence, please do your research on the charitable entity before giving: A slew of new domains apparently related to Hurricane Florence relief efforts are now accepting donations on behalf of victims without much accountability for how the money will be spent.”

Cloudflare Encrypts SNI Across Its Network (SecurityWeek, Sep 25 2018)
Cloudflare this week announced it has turned on Encrypted SNI (ESNI) across all of its network, making yet another step toward improving user privacy.

Malicious Login Attempts Spike in Finance, Retail (Infosecurity Magazine, Sep 20 2018)
Analyzing data gathered from its Intelligent Platform and attack data from across the company’s global infrastructure, researchers found approximately 3.2 billion malicious logins per month from January through April 2018. In addition, 2018 has seen 1.4 million compromised usernames and passwords.

Warning issued as Netflix subscribers hit by phishing attack (Naked Security – Sophos, Sep 21 2018)
Netflix phishing scammers are at it again, sending emails that try to steal sensitive details from subscribers.

Microsoft offers completely passwordless authentication for online apps (Ars Technica, Sep 24 2018)
Phone-based authentication is the way forward instead.

Independence Blue Cross Breach Exposed 17K Records (Infosecurity Magazine, Sep 21 2018)
An employee error left PHI of members exposed on public-facing website.

Cloud Biometrics Use to Soar in Two Years: Report (Infosecurity Magazine, Sep 25 2018)
Over 500m users by 2020, predict analysts. Unlike device-based biometric systems — like FIDO, and Apple’s Touch ID and Face ID — cloud-based biometrics capture the information on the device but then send it to the cloud for processing.