A Review of the Best News of the Week on Identity Management & Web Fraud

Massive Ad Fraud Scheme Relied on BGP Hijacking (Schneier on Security, Dec 28 2018)
This is a really interesting story of an ad fraud scheme that relied on hijacking the Border Gateway Protocol: Members of 3ve (pronounced “eve”) used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a thousand servers hosted inside data centers to impersonate real human beings who purportedly “viewed” ads that were hosted on bogus pages run by the scammers themselves — who then received a check from ad networks for these billions of fake ad impressions.

Credential Stuffing: Big Breaches Have Bot Attacks Ramping Up Fast (ThreatMetrix, Dec 20 2018)
These login credentials are dishearteningly easy to acquire, too. Leading up to the 2018 holiday season, for instance, stolen customer login credentials for major retailers were for sale on the dark web for between $1.20 and $6.00 each, accounting for 51% of all black market credentials. Social media logins, including instant messaging and dating sites, ranged from $1 to $10. Bank accounts and credit cards were going for $0.50 to $15.50. Once these credentials are harvested, they can be monetized.

The Future of Crime-Fighting Is Family Tree Forensics (WIRED, Jan 03 2019)
Genealogy is about to send a lot more people to jail.

We’re all Just Starting to Realize the Power of Personal Data (Wired, Dec 28 2018)
This year revealed consumers have a lot more to learn about what happens to their information online.

Researchers create wax hand to get around vein sensor tech (SC Magazine, Jan 02 2019)
Security researchers created a fake hand out of wax capable of getting around vein sensor technology – used by organizations like Germany’s BND signals intelligence agency, the researchers told an audience at the Chaos Communication Congress in Leipzig. Jan Krissler and Julian Albrecht used an SLR camera – minus its infrared filter – to photograph vein patterns…

Contactless Biometric Payment Cards arrive in Italy (Gemalto blog, Dec 19 2018)
The first contactless biometric card to be deployed by Mastercard has launched with Intesa SanPaolo, provided by Gemalto.

Top 5 Things I Learned at Gartner IAM Summit 2018 (OneLogin, Dec 18 2018)
Introducing ContinuousNEXT – This was a theme Gartner introduced during the opening keynote describing a new world where change must be managed continuously, DevOps becomes more critical than ever, and automation becomes mainstream. Look for machine learning, analytics, metadata, contextual access, and adaptive access to be at the core of tomorrow’s access management solutions.

Evasive Malware, Meet Evasive Phishing (SecurityWeek, Dec 28 2018)
“In a previous column, I wrote about how evasive malware has become commoditized and described how the techniques being used in any given piece of malware had grown in number and sophistication—the layering of multiple techniques being its own form of sophistication.”

FTC warns of Netflix phishing scams (SC Magazine, Dec 27 2018)
The Federal Trade Commission (FTC) is warning consumers of a Netflix-based phishing scam that tells users they need to update their payment details. The emails claim a user’s account is on hold because Netflix is “having some trouble with your current billing information” and prompt the user to click a malicious link to update their…

USB Type-C to Become More Secure With Authentication Standard (eWEEK, Jan 02 2019)
The USB Type-C authentication standard is moving forward in an effort to help protect systems against malicious USB devices.

Password Manager Users Exposed After Privacy Snafu (Infosecurity Magazine, Jan 03 2019)
Abine admits millions of Blur customers may have been affected

Not using Facebook? Apps still sharing your data with the company, says study (SC Magazine, Jan 02 2019)
A newly released study of 34 prominent Android apps found that roughly 68 percent of them share user data with Facebook even when the device operator isn’t actively logged into the social media service or, for that matter, never created a Facebook account. In such instances, the apps typically communicate to the social media giant…

Town of Salem breach affects 7 million accounts (SC Magazine, Jan 02 2019)
The Town of Salem (video game) was hit with a massive data breach last week that exposed the information of more than 7 million users. The breach was discovered by the cybersecurity researcher Dehashed on December 28 when he received an anonymous email that indicated someone had gained access to the game’s database.

Report: Hackers hijacking old Twitter accounts to post pro-ISIS content (SC Magazine, Jan 02 2019)
Hackers supporting ISIS have recently been spreading terrorist propaganda on social media by hijacking old, largely abandoned Twitter accounts that were never confirmed via email by their rightful owners…

A Change to the Safari Extension (The LastPass Blog, Jan 03 2019)
For those of you who use LastPass through our Safari extension, we need your attention. Apple has implemented a change in how they handle Safari extensions. Previously, a Safari user could simply download an extension and use it in their browser. Now Apple is requiring users to download and install a Mac App to get the extension.

Banking Fraud: Customers are Now the Most Targeted Fraud Vulnerability (ThreatMetrix, Jan 02 2019)
The rise in Authorised Push Payment (APP) banking fraud attacks is having a massive impact, but there are preventative measures banks can take. A phone call from a concerned “member” of the fraud team at a bank may make a consumer panic and instantly put all trust in that person. The consumer might then willingly send all his or her money to a separate account for “safekeeping”.

Dynamic Authorization and DevOps (Axiomatics, Dec 20 2018)
“Dynamic Authorization and DevOps work well together. I’ll give a quick overview of the process and then share a few things specific to Axiomatics dynamic authorization and the move to DevSecOps.”