A Review of the Best News of the Week on Identity Management & Web Fraud

Suspect forced to unlock iPhone with his face (Naked Security – Sophos, Oct 02 2018)
The order so far hasn’t raised Fifth Amendment objections either, your face being something you are, rather than something you know.

Voice Phishing Scams Are Getting More Clever (Krebs on Security, Oct 01 2018)
“Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out.”

Facebook Admits Phone Numbers May be Used to Target Ads (SecurityWeek, Sep 28 2018)
Facebook on Thursday confirmed that advertisers were privy to phone numbers given by members of the social network for enhanced security.

Organizations apply stronger PKI security controls due to their increasingly critical role (Help Net Security, Sep 28 2018)
Over the past few years, cloud applications, and now the IoT, are the newest disrupters to future PKI planning as organizations not only tend to the digital certificate needs of today, but must also simultaneously prepare for the future – a future with never-before-seen diversity and scale.

Major Tech Companies Finally Endorse Federal Privacy Regulation (Schneier on Security, Sep 28 2018)
The major tech companies, scared that states like California might impose actual privacy regulations, have now decided that they can better lobby the federal government for much weaker national legislation that will preempt any stricter state measures.

Helen Nissenbaum on Data Privacy and Consent (Schneier on Security, Oct 04 2018)
“This is a fantastic Q&A with NYU Law Professor Helen Nissenbaum on data privacy and why it’s wrong to focus on consent. I’m not going to pull a quote, because you should read the whole thing.”

SEC Fines Voya Financial Advisors $1m (Infosecurity Magazine, Sep 27 2018)
VFA agrees to pay hefty fine for violations of Identity Theft Red Flag Rules. Though they never admitted or denied the SEC’s findings, VFA has agreed to pay $1m to settle the charges for its failure to establish policies and procedures to protect against cyber intrusion.

Robocallers slapped with huge fines for using spoofed phone numbers (Naked Security – Sophos, Sep 28 2018)
The FCC is looking to penalize Affordable Enterprises of Arizona for more than $37.5 million for what it says are more than 2.3 million illegally spoofed robocalls that pretended to be from consumers’ phone numbers.

Explosion of look-alike domains aims to steal sensitive data from online shoppers (Help Net Security, Oct 01 2018)
The growth in look-alike domains appears to be connected to the availability of free TLS certificates; 84 percent of the look-alike domains studied use free certificates from Let’s Encrypt.

NSA staffer takes top-secret hacking tools home ‘to study’, gets 66 months (Naked Security – Sophos, Oct 03 2018)
Nghia Hoang Pho may not have had malicious intent, but removal of the materials forced the NSA to abandon years of signals collection work.

Students swap data for coffee at cashless cafe (Naked Security – Sophos, Oct 02 2018)
In this US-based cashless cafe, university students hand over personal data in exchange for a dose of caffeine and sponsorship propaganda.

Illicit Crypto Activity points to need for Fraud Detection (Gartner Blog Network, Oct 01 2018)
Organizations simply need to invest in these fraud detection services if they are serious about fighting crime, whether or not they are being regulated. Unlike KYC processes used for anti-money laundering — which are a different matter and are dictated by regulators — fraud detection services need not rob individuals of their anonymity. They are often based on non-PII data and instead use digital fingerprints and behavior analysis.

Protecting user identities (Microsoft Secure, Sep 04 2018)
If you’re in a Microsoft environment, this post details how the Microsoft 365 security solutions help you protect users and corporate accounts.

Apollo Faces Criticism for Breach of 200 Million Contacts (Infosecurity Magazine, Oct 02 2018)
Sales engagement startup Apollo exposed 200 million contacts in a data breach.

Apple Chief Says Firm Guards Data Privacy in China (SecurityWeek, Oct 03 2018)
Apple chief executive Tim Cook on Tuesday said the company is devoted to protecting people’s privacy, with data encrypted and locked away on servers even in China.

New Twitter Rules Target Fake Accounts, Hackers (SecurityWeek, Oct 02 2018)
Twitter on Monday announced that it has made some changes in preparation for the upcoming midterm elections in the United States. The changes include updated rules that target fake accounts and hackers.

Formjacking: Major Increase in Attacks on Online Retailers (Symantec, Oct 04 2018)
Symantec has blocked almost a quarter of a million instances of attempted formjacking since mid-August.

What is CIAM? The ForgeRock Approach (Forgerock, Sep 28 2018)
“Merchants and service providers have been able to personalize UX to an extent, but only on a limited number of factors. An administrator who wanted to alter a customer’s login journey if that user logged in from a Microsoft-based device vs. a Linux-based device was out of luck in most cases. To the extent digital identity could be used to shape the UX, it was primarily through integration with marketing automation solutions. To be clear, ForgeRock sees integration with marketing automation platforms as a good thing. We believe, however, that the most effective approach to customizing the UX through CIAM demands a robust feature set that enables integration of identity end-to-end across the enterprise.”