A Review of the Best News of the Week on Identity Management & Web Fraud

Takedown of the “3ve” ad fraud operation (Google Online Security Blog, Nov 27 2018)
“The U.S. Attorney’s Office for the Eastern District of New York announced criminal charges associated with this fraud operation. This takedown marks a major milestone in the industry’s fight against ad fraud, and we’re proud to have been a key contributor.
In partnership with White Ops, we have published a white paper about how we identified this ad fraud operation, the steps we took to protect our clients from being impacted, and the technical work we did to detect patterns across systems in the industry.”

Data Breaches: User Comprehension, Expectations, and Concerns with Handling Exposed Data (Elie Bursztein – Google, Dec 03 2018)
“Our findings indicate that users readily understand the risk of data breaches and have consistent expectations for technical and non-technical remediation steps. We also find that participants are comfortable with applications that examine leaked data—such as threat sharing or a “hacked or not” service when the application has a direct, tangible security benefit.”

Microsoft, Mastercard Aim to Change Identity Management (Dark Reading, Dec 03 2018)
This project, which brings together Microsoft’s identity technology and Mastercard’s digital transaction capabilities, will serve as the foundation for new Mastercard services run on Microsoft Azure, officials explain in a blog post on the news. The two are teaming up with banks, mobile network operators, and government organizations to make the idea reality.

39 Arrested in Tech Support Scam Crackdown: Microsoft (Dark Reading, Nov 30 2018)
Law enforcement officials in India raided 16 call center locations that conned primarily American and Canadian victims.

Prisoners allegedly posed as underage girls in $560K sextortion scam (Naked Security – Sophos, Nov 30 2018)
They allegedly victimized 442 military men by sending nude photos and then calling, pretending to be irate fathers or police.

‘London Blue’ BEC Cybercrime Gang Unmasked (Dark Reading, Dec 04 2018)
Call it karma or just poor OpSec, but a prolific global cybercrime organization recently blew its cover after inadvertently targeting executives at a security firm. The infamous Nigerian/UK group behind a rash of business email compromise (BEC) scams found itself on the other side of its own social-engineering scam when it posed as Agari CEO Ravi Khatod in an Aug. 7 email sent to Raymond Lim, chief financial officer at Agari, an email security company.

A Breach, or Just a Forced Password Reset? (Krebs on Security, Dec 04 2018)
“Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites.”

LastPass Service Disruption: What Happened and What’s Next (LastPass Blog, Nov 21 2018)
“Yesterday, LastPass suffered a six-hour disruption. While some users were still able to access their LastPass vault during this time, many were unable to do so, which we acknowledge is unacceptable…Eventually, we determined that a server failed in a way that overwhelmed the internal network, slowing down other servers and network devices, as well as the connectivity between our data centers.”

Pindrop raises $90M to bring its voice-fraud prevention to IoT devices and Europe (TechCrunch, Dec 05 2018)
“a platform that it says can identify even the most sophisticated impersonations and hacking attempts, by analysing nearly 1,400 acoustic attributes to verify if a caller or a voice command is legit”

Business Outcomes for Automated Phishing Response (SecurityWeek, Nov 30 2018)
Their interest is driven by two factors: first, they want to know potential business outcomes beforehand, in order to get buy-in from executives and team members during the project planning phase; and second, they want to know—for their own SOC management purposes—how many person-hours can be saved in order to run their SOC more efficiently.

Ping Identity announces new customer Identity-as-a-Service solution for application developers (Help Net Security, Dec 03 2018)
Ping Identity released PingOne for Customers for public preview. The cloud-based Identity as a Service (IDaaS) offering is built for the developer community, and provides API-based identity services for customer-facing applications.

Schumer Says Marriott Should Pay to Replace Hacked Passports (SecurityWeek, Dec 03 2018)
Sen. Charles Schumer says Marriott hotel officials should pay for new passports for customers whose passport numbers were hacked as part of a massive data breach.

Yubico integrates YubiHSM 2 with AWS IoT Greengrass to deliver private key and secrets storage (Help Net Security, Dec 04 2018)
Yubico unveiled that the YubiHSM 2 (hardware security module) is qualified for Amazon Web Services (AWS) Internet of Things (IoT) Greengrass Hardware Security Integration.

Data Sharing for Fraud Detection: How Do We Get Ahead of the Fraudsters? (ThreatMetrix, Nov 27 2018)
“What this all essentially boils down to, is the ability to perform advanced behavioral analytics to assess not only what is normal behavior for a typical customer at one organization – but what is normal behavior for a specific individual – based on their historical transactions and identity attributes. In order to assess this in any meaningful way, shared intelligence across multiple organizations is essential – otherwise fraud teams are working with an incredibly narrow view.”

Commercial drones with mobile connectivity set to supercharge industry (Gemalto Blog, Nov 20 2018)
One game-changer will be adding SIMs and eSIMs to drones. This opens up all sorts of opportunities, not least because pilots no longer need line-of-sight to the drone.