A Review of the Best News of the Week on Identity Management & Web Fraud

More Alleged SIM Swappers Face Justice (Krebs on Security, Feb 06 2019)
“Another video posted by Ortiz — to a hijacked, highly sought Instagram account “T” — shows members of this group dumping out $200 bottles of glow-in-the-dark Dom Perignon champagne onto designer watches that cost thousands of dollars each.”

Big Telecom Sold Highly Sensitive Customer GPS Data Typically Used for 911 Calls (Motherboard, Feb 06 2019)
A Motherboard investigation has found that around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data.

A bank wants to recover the $81 million North Korea allegedly stole. It won’t be easy. (Washington Post, Feb 06 2019)
A complex lawsuit illustrates the challenges for cybercrime victims.


Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.


Facebook Struggles in Privacy Class-Action Lawsuit (Dark Reading, Feb 04 2019)
Facebook’s privacy disclosures “are quite vague” and should have been made more prominent, a federal judge argued.

Using Gmail “Dot Addresses” to Commit Fraud (Schneier on Security, Feb 06 2019)
“…modifying the placement of periods in the email address for each account….This isn’t a new trick. It has been previously documented as a way to trick Netflix users.”

Email authentication use growing steadily in every industry sector (Help Net Security, Feb 04 2019)
…many organizations and agencies aren’t implementing basic preventive measures, starting with Domain-based Message Authentication Reporting & Conformance (DMARC) and Sender Policy Framework (SPF) records.

Google Survey Finds Two in Three Users Reuse Passwords (Infosecurity Magazine, Feb 05 2019)
More than half of users think their accounts are safer than the average users.

PSD2: The Importance of Implementing SCA for Mobile and Desktop Banking (ThreatMetrix, Feb 06 2019)
For those just tuning in, PSD2 is the sweeping set of requirements that is fundamentally transforming the financial services industry throughout the EU. First proposed by the European Banking Authority (EBA) in 2015, the directive is aimed at modernizing a financial services industry that had grown increasingly encumbered by antiquated process, procedures and technology infrastructures that left far too many banks and their customers susceptible to cyber-attacks and online fraud.

New UK Fraud Rules Set to Empower Victims (Infosecurity Magazine, Jan 31 2019)
Consumers can now complain to the fraudster’s bank

With No Unifying U.S. Federal Privacy Law, States Are Implementing Their Own (SecurityWeek, Feb 06 2019)
Many of the new local privacy bills tend to focus on narrow aspects of privacy rather than attempt the wide-ranging privacy control of GDPR and CCPA. Eight are worth considering: New York City, New York State, North Carolina, Oregon, Utah, Virginia, Washington, and Wyoming.

Why Fighting Card-Not-Present Fraud Remains an Ongoing Challenge (SecurityWeek, Feb 04 2019)
The recent takedown of the xDedic marketplace—where threat actors had been buying and selling access to compromised remote desktop protocol (RDP) servers since at least 2016 and that, according to authorities, had facilitated over $68 million USD in fraud—is the latest reminder that fraudulent card-not-present (CNP) transactions remain a persistent and dynamic challenge for fraud teams.

Microsoft Brings Security Notifications to Authenticator App (SecurityWeek, Feb 05 2019)
“You’ll automatically start receiving alerts when we detect sensitive or unusual actions on your account, such as changing your password, adding a new phone number or email addresses, or signing in from a new device or unusual location,” Simons says.

Google Tackles Gmail Spam with Tensorflow (Dark Reading, Feb 06 2019)
Tensorflow, Google’s open-source machine learning framework, has been used to block 100 million spam messages.

Airbus Employee Info Exposed in Data Breach (Dark Reading, Jan 31 2019)
Few details as yet on a cyberattack that hit Airbus’ commercial aircraft business.

Firms That Sold Fake Social Media Activity Settle With New York State (SecurityWeek, Jan 31 2019)
Companies that sold fake social media activity have reached a settlement with the state of New York in a case that, for the first time, established such activity as illegal, the state’s attorney general said Wednesday.

Twitter follow bots cut off from API, as accounts disabled for spreading misinformation from Iran and elsewhere (Graham Cluley, Feb 01 2019)
ManageFlitter, Statusbrew, and Crowdfire have had their access to the Twitter API revoked for allegedly helping users abuse the service, aggressively and repeatedly following and unfollowing large numbers of other accounts – a tactic frequently employed by Twitter spammers.

Employees report 23,000 phishing incidents annually, costing $4.3 million to investigate (Help Net Security, Feb 01 2019)
ATO attacks are dangerous because they are more difficult to detect than traditional attacks – compromised accounts seem legitimate to email filters and end users alike because they are sent from a real sender’s email account.

Google’s new Chrome extension flags insecure passwords (Help Net Security, Feb 06 2019)
As the number of compromised and leaked credentials rises inexorably with each passing day, Google has decided to help users choose safe combinations for all their online accounts. To that end, the company has released a new Chrome extension called Password Checkup.

Better Cyberfraud Defense Through Threat Modeling (ThreatMetrix, Jan 31 2019)
In a nutshell, threat modeling asks the defender to go beyond normal system design by considering the flow of a system from an attacker’s perspective, evaluating existing vulnerabilities by asking the simple question “what could go wrong?” With that information in hand, we then ask, “how would it go wrong?” by building an attack tree to find large discrete attacks that could stem from smaller attacks elsewhere in the system.