A Review of the Best News of the Week on Identity Management & Web Fraud

The 773 Million Record “Collection #1” Data Breach (Troy Hunt, Jan 16 2019)
Many people will land on this page after learning that their email address has appeared in a data breach I’ve called “Collection #1”. Most of them won’t have a tech background or be familiar with the concept of credential stuffing so I’m going to write this post for the masses.

US Judge: Police Can’t Force Biometric Authentication (Dark Reading, Jan 15 2019)
Law enforcement cannot order individuals to unlock devices using facial or fingerprint scans, a California judge says.

AT&T says it’ll stop selling location data amid calls for federal investigation (Philly, Jan 11 2019)
AT&T said Thursday that it will stop selling its customers’ location data to third-party service providers after a report this week said the information was winding up in the wrong hands.

Google Demanded T-Mobile, Sprint to Not Sell Google Fi Customers’ Location Data (Motherboard, Jan 11 2019)
Google’s phone, text, and data service relies on infrastructure provided by T-Mobile and Sprint. A Motherboard investigation found both telcos selling customers’ location data that ultimately ended up in the hands of bounty hunters.

Facebook Knows How to Track You Using the Dust on Your Camera Lens (Gizmodo, Jan 10 2019)
Facebook has long said that it doesn’t use location data to make friend suggestions, but that doesn’t mean it hasn’t thought about using it.

USB-C Authentication sounds great, so why are people worried? (Naked Security – Sophos, Jan 14 2019)
USB-C Authentication could banish USB threats forever, but it might also mean you’re tied to buying ‘approved’ accessories.

Phishers Use Zero-Width Spaces to Bypass Office 365 Protections (SecurityWeek, Jan 11 2019)
The issue resided in the use of zero-width spaces (ZWSPs) in the middle of malicious URLs within the raw HTML of the emails. This method breaks the URLs, thus preventing Microsoft’s systems from recognizing them and also preventing Safe Links from successfully protecting users. What’s more, these zero-width spaces don’t render, meaning that the recipient would not notice the random special characters in the URL.
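The technique above defeats any filter that compares the href string as written against a list of known-bad hosts, because the invisible character sits inside the host name. The following is an added Python example, not code from the SecurityWeek article or from Microsoft, showing the check a mail filter needs to make: extract every href from the raw HTML, strip Unicode format characters (category Cf, which covers U+200B and its relatives), and match on the normalized host rather than the raw one. The sample email and the blocklist host `evil.example.com` are constructed for the example; the entity form `&#8203;` is included because an attacker can encode the zero-width space that way too, and the HTML parser decodes it before the filter ever sees it.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Zero-width and other invisible format characters seen in obfuscated URLs.
# All of these are Unicode general category "Cf", which the check below also
# uses as a catch-all so new variants are not missed.
ZERO_WIDTH = {
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE (BOM)
    "\u00ad",  # SOFT HYPHEN
}


def strip_zero_width(text):
    """Return (cleaned_text, number_of_format_chars_removed)."""
    kept = []
    removed = 0
    for ch in text:
        if ch in ZERO_WIDTH or unicodedata.category(ch) == "Cf":
            removed += 1
            continue
        kept.append(ch)
    return "".join(kept), removed


class HrefCollector(HTMLParser):
    """Collects href attribute values; HTMLParser decodes &#8203; etc. for us."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def extract_hrefs(raw_html):
    parser = HrefCollector()
    parser.feed(raw_html)
    parser.close()
    return parser.hrefs


def host_of(url):
    """Lower-cased host component, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def scan_email(raw_html, blocked_hosts):
    """Compare a naive raw-string host match against a normalized match for each link."""
    findings = []
    for href in extract_hrefs(raw_html):
        normalized, removed = strip_zero_width(href)
        raw_host = host_of(href)
        norm_host = host_of(normalized)
        findings.append({
            "raw": href,
            "normalized": normalized,
            "zero_width_chars": removed,
            "host": norm_host,
            "naive_blocked": raw_host in blocked_hosts,   # what a raw-string filter sees
            "blocked": norm_host in blocked_hosts,        # what the filter should see
            # Any format character inside a URL is itself a strong phishing signal.
            "suspicious": removed > 0 or norm_host in blocked_hosts,
        })
    return findings


# Constructed sample message: one link with an HTML-entity ZWSP, one with a
# literal zero-width non-joiner, one clean link.
SAMPLE_EMAIL = (
    '<p>Your mailbox is full. '
    '<a href="https://evil.exam&#8203;ple.com/login">Click here</a></p>'
    '<p><a href="https://secure-login.exam\u200cple.invalid/reset">Reset</a></p>'
    '<p><a href="https://www.example.com/">Home</a></p>'
)

BLOCKED_HOSTS = {"evil.example.com"}  # constructed blocklist entry

if __name__ == "__main__":
    for f in scan_email(SAMPLE_EMAIL, BLOCKED_HOSTS):
        print(f"{f['host']:35} zw={f['zero_width_chars']} "
              f"naive_blocked={f['naive_blocked']} blocked={f['blocked']}")
```

The first link is the case the article describes: the raw href host is `evil.exam\u200bple.com`, so a raw-string comparison against the blocklist fails, while the normalized host matches. A URL-rewriting protection such as Safe Links has to be applied to the normalized URL for the same reason, and a non-zero `zero_width_chars` count is worth flagging on its own even when the host is not yet on any list.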

BEC scammers add payroll diversion to their repertoire (Help Net Security, Jan 16 2019)
The attacker creates an email account, makes it look like it belongs to the individual they are attempting to impersonate, and contacts the personnel in charge of payroll.

“Stole $24 Million But Still Can’t Keep a Friend” (Krebs on Security, Jan 15 2019)
“Unsettling new claims have emerged about Nicholas Truglia, a 21-year-old Manhattan resident accused of hijacking cell phone accounts to steal tens of millions of dollars in cryptocurrencies from victims. The lurid details, made public in a civil lawsuit filed this week by one of his alleged victims, paint a chilling picture of a man addicted to thievery and all its trappings.”

OneLogin snares $100M investment to expand identity solution into new markets (TechCrunch, Jan 10 2019)
OneLogin is not a young startup by any means. The identity access management company was founded in 2009 and has watched while companies like Ping Identity, Duo Security and Okta had tidy exits. But as CEOs are fond of pointing out, the total addressable market is large and where investors see a chance, they take […]

Advanced Phishing Scenarios You Will Most Likely Encounter This Year (Dark Reading, Jan 14 2019)
In 2019, there will be no end in sight to email-driven cybercrime such as business email compromise, spearphishing, and ransomware.

Identity and authentication, the Google Cloud way (Google Cloud Blog, Jan 10 2019)
This post describes Google Cloud’s authentication and identity management offerings to help you determine what solution best fits your needs.

Unpatched Flaws in Building Access System Allow Hackers to Create Fake Badges (SecurityWeek, Jan 14 2019)
Researchers discovered that a popular building access control system made by IDenticard contains vulnerabilities that can be exploited to create fake badges, disable door locks, and obtain or modify user data.

British TV viewers targeted by email fraudsters (Graham Cluley, Jan 14 2019)
TV fraudsters are using the disguise of emails from the TV Licensing authority to steal large sums of money from the bank accounts of unwary Brits.

How GPS Tracking Technology Can Curb Domestic Violence (Wired, Jan 15 2019)
Opinion: GPS-monitored violent offenders are 95 percent less likely to commit a new crime. We need to implement an integrated, nationwide domestic violence program that tracks domestic abusers.

Hacked Instagram Influencers Rely on White-Hat Hackers to Get Their Accounts Back (Motherboard, Jan 17 2019)
Leaked internal documents and stories from influencers show that Instagram has an influencer-hacking problem.

Email crooks swindle woman out of $150K from home sale (Naked Security – Sophos, Jan 17 2019)
Unfortunately, somebody else has: it looks like it wound up in the pocket of an email fraudster who inserted themselves into the exchange and tricked Appert into sending an electronically signed PDF with her bank details. The scammer(s) apparently also convinced the solicitors to deposit Appert’s money into a purported “corporate” bank account that they controlled.

Microsoft font gives away forgery in bankruptcy case (Naked Security – Sophos, Jan 17 2019)
In a case that could be straight out of a legal TV drama, a computing font has cost a couple two houses in a Canadian bankruptcy case….The courts decided that the trusts claimed by the McGoeys were shams, and one of the most convincing pieces of evidence were the fonts used to create them…Both of these fonts were part of the ClearType font collection developed for Microsoft in 2002, which didn’t become available to the general public until the company used it in Vista and Office 2007 five years later. That made things a bit awkward for the McGoeys.

Ukrainian nationals charged with hacking SEC docs in $4.1 million scam (SC Magazine, Jan 16 2019)
The Department of Justice has charged two Ukrainian nationals for hacking into the Securities and Exchange Commission’s (SEC) computer system to steal confidential corporate information and sell it to the highest bidder or to make trades.

Battle Lines Forming Ahead of a Looming U.S. Privacy Law Fight (SecurityWeek, Jan 17 2019)
The Information Technology and Innovation Foundation called for national legislation that would repeal and replace existing privacy laws with a “common set of protections” intended to encourage innovation while also quashing tougher state laws.