A Review of the Best News of the Week on Identity Management & Web Fraud

I Gave a Bounty Hunter $300. Then He Located Our Phone (Motherboard, Jan 08 2019)
T-Mobile, Sprint, and AT&T are selling access to their customers’ location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country.

A YubiKey for iOS Will Soon Free Your iPhone From Passwords (Wired, Jan 08 2019)
Yubico has finally gotten the green light from Apple to make a hardware authentication token that works on iPhones and iPads.

Managing identity and access management in uncertain times (CSO Online Identity Management, Jan 07 2019)
Emerging standards and frameworks such as Gartner CARTA, Zero Trust, NIST SP 800 and IDSA provide guidelines, but how organizations manage identity and access management in 2019 is what matters most.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

Microsoft’s ‘Project Bali’ Wants to Let You Control Your Data (Dark Reading, Jan 04 2019)
Currently in private beta, Bali is designed to give users control over the data Microsoft collects about them.

Apple Phone Phishing Scams Getting Better (Krebs on Security, Jan 03 2019)
“A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that display’s Apple’s logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then requests a call back from Apple’s legitimate customer support Web page, the fake call gets indexed in the iPhone’s “recent calls” list as a previous call from the legitimate Apple Support line.”

Security certificate yanked from Russia-backed website, hurting ability to divide voters (McClatchy Washington Bureau, Jan 05 2019)
A Russian-funded English-language website aimed at sowing divisions among Americans has had a vital internet security certificate yanked, meaning U.S. internet users will have difficulty accessing the site.

G Suite warns admins about domain data exfiltration attempts (Help Net Security, Jan 09 2019)
Google has rolled out new options for the G Suite alert center, to help administrators battle phishing emails more efficiently and spot data export operations initiated by attackers. The new features are set to be ON by default and are available to all G Suite editions.

SIM Swapping Victims Who Lost Millions Are Pressuring Telcos to Protect Their Customers (Motherboard, Jan 08 2019)
A small group of victims of SIM swapping hacks is trying to raise awareness, teach people about the scam, and put pressure on cell phone providers to step up their efforts against cybercriminals.

Automated phishing attack tool bypasses 2FA protection (Graham Cluley, Jan 09 2019)
Modlishka may help raise awareness of the danger of reverse proxy phishing attacks, but it’s easy to imagine that many criminals will be tempted to put it to malicious use.

Biometric Security Can Be Hacked, but It’s Really Hard to Do (eWEEK, Jan 05 2019)
Last month, a pair of security researchers demonstrated how it’s possible to fool a vein recognition system, but they also showed just how hard that actually is to do. New-gen scanners work a lot better now than they did previously, but like any biometric reader, they can be fooled.

Phishing Template Uses Fake Fonts (Infosecurity Magazine, Jan 04 2019)
A first-of-its kind phishing template exploits web font features, says Proofpoint.

Why 2-factor authentication, the gold standard of tech, may not be that secure after all (CNBC, Jan 07 2019)
A former FBI-most-wanted hackers says cybercriminals can bypass this with a new form of phishing.

Survey: Americans Warming to Use of Facial Recognition Tech (Nextgov, Jan 08 2019)
Americans do not favor strict limits on facial recognition technology, according to a new national survey.

Thousands Complain About TV License Phishing Emails (Infosecurity Magazine, Jan 07 2019)
Users are tricked into entering personal and financial details

How Mastercard Is Improving Fraud Detection With Identity Check (eWEEK, Jan 07 2019)
Mastercard is implementing the EMV 3-D Secure 2.0 specification in an effort to help improve the overall experience of online credit card payment authorization.

Akamai to add CIAM capability to enhance digital trust by acquiring Janrain (Help Net Security, Jan 07 2019)
Akamai Technologies revealed that the company has entered into an agreement to acquire Janrain. Janrain enables enterprises to enhance digital trust by offloading login and registration workloads, and its integration with Akamai’s Intelligent Edge Platform is expected to provide security, regulatory compliance and scale to online engagements.

Contactless Fraud Losses Double but Remain Low (Infosecurity Magazine, Jan 08 2019)
The value of contactless card fraud has almost doubled in the UK over the past year, although still remains a tiny fraction of overall card losses…UK victims still lost nearly £1.2m in first 10 months of 2018

Hacker uses early warning system for fake message campaign (Naked Security – Sophos, Jan 08 2019)
Australians got scary texts, emails and phone calls from a trusted emergency warning service late last week after a hacker broke into its systems and used it to send fake messages.

FBI looks hoaxer texting GOP lawmakers (SC Magazine, Jan 07 2019)
The FBI is reportedly investigating several incidents where someone impersonating Vice President Mike Pence’s press secretary is sending text messages to Republican lawmakers.

How to centralize and automate IAM policy creation in sandbox, development, and test environments (AWS Security Blog, Jan 07 2019)
To keep pace with AWS innovation, many customers allow their application teams to experiment with AWS services in sandbox environments as they move toward production-ready architecture. These teams need timely access to various sets of AWS services and resources, which means they also need a mechanism to help ensure least privilege is granted…