A Review of the Best News of the Week on Identity Management & Web Fraud

US Air Force Defector Allegedly Helped Iran Hack Americans (Wired, Feb 13 2019)
In an astonishing indictment, the DOJ details how Monica Witt allegedly turned on her former counterintelligence colleagues.

31 AGs ask FTC to update Identity Theft Rules (SC Magazine, Feb 13 2019)
Attorneys general from 31 states have asked the Federal Trade Commission (FTC) to update its Identity Theft Rules. Noting the proliferation of identity theft and consumers’ inability to divine how information stolen from breaches is being used, the AGs said that the rules – also known as the Red Flags Rule and the Card Issuers Rule.

UK Data Intelligence Firm to Acquire IDology for $300 Million (SecurityWeek, Feb 13 2019)
UK-based Identity Data Intelligence specialist GBG has agreed to acquire the Atlanta-based identity verification and fraud prevention services provider IDology for $300 million in cash.


Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.


4 Payment Security Trends for 2019 (Dark Reading, Feb 07 2019)
Visa’s chief risk officer anticipates some healthy changes ahead.

Apple sued for ‘forcing’ 2FA on accounts (Naked Security – Sophos, Feb 12 2019)
Time is money, baby: Jay Brodsky claims that Apple’s 2FA “intermeddling” takes minutes out of his day, causing economic loss”

Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions (Krebs on Security, Feb 08 2019)
“A highly targeted, malware-laced phishing campaign landed in the inboxes of multiple credit unions last week. The missives are raising eyebrows because they were sent only to specific anti-money laundering contacts at credit unions, and many credit union sources say they suspect the non-public data may have been somehow obtained from the National Credit Union Administration (NCUA), an independent federal agency that insures deposits at federally insured credit unions.”

Location-based Marketing Meets Privacy Awareness (Gartner Blog Network, Feb 07 2019)
Cautious marketers are looking for ways to reap the benefits of location-based relevance while avoiding the risks of association with dubious data collection. This leads us back to the old out-of-home concept of using location-based displays rather than phones as the primary vectors of engagement (with the user option to move the engagement to the phone if interested). Yes, you guessed it: digital out-of-home is due for a comeback (DOOH!). DOOH has struggled over the years with measurement problems, lack of scale, lack of standards, and so forth, but technology is starting to boost its appeal.

A Scammer Used YouTube’s Copyright System to Ransom Creators (Motherboard, Feb 07 2019)
By submitting fake copyright “flags” a scammer demanded hundreds of dollars via Paypal or Bitcoin and even managed to get past YouTube’s anti-abuse team.

Germany bans Facebook from combining user data without permission (SC Magazine, Feb 07 2019)
Germany’s Federal Cartel Office, or Bundeskartellamt, on Thursday banned Facebook from combining user data from its various platforms such as WhatsApp and Instagram without explicit user permission.

Phishers Serve Fake Login Pages via Google Translate (SecurityWeek, Feb 07 2019)
A recent phishing attack targeting mobile users leveraged Google Translate to serve fake login pages to Google and Facebook users.

Experian: US Suffers the Most Online Fraud (Dark Reading, Feb 11 2019)
New data from the credit reporting firm shows the sheer scale of online activity in the US also has made businesses and consumers there prime targets.

Secret Service busts online car sales crime ring (Naked Security – Sophos, Feb 11 2019)
They posed as military needing to offload cars before deployment, allegedly posting bogus ads on Craigslist, eBay, and AutoTrader.

Get-rich-quick social media scams are turning teens into money mules (Naked Security – Sophos, Feb 11 2019)
Young people are being talked into handing over their bank details with the promise of some easy cash.

Dunkin’ Donuts target of credential stuffing for second time (SC Magazine, Feb 12 2019)
For the second time in three months, Dunkin’ Donuts has been the target of credential stuffing attacks. Using credentials from other sites, hackers broke into DD Perks rewards program accounts, which they sold on the dark web, according to a report from ZDNet, based on findings by Lastline.

Blockchain and Trust (Schneier on Security, Feb 12 2019)
“Much has been written about blockchains and how they displace, reshape, or eliminate trust. But when you analyze both blockchain and trust, you quickly realize that there is much more hype than value. Blockchain solutions are often much worse than what they replace.”

Scammers Are Filing Fake Trademarks to Steal High-Value Instagram Accounts (Motherboard, Feb 12 2019)
Scammers don’t only hack Instagram accounts. Sometimes they just provide Instagram with some paperwork.

Equifax Partner Breaches Customer Data (Infosecurity Magazine, Feb 13 2019)
Image-I-Nation Technologies supplies software for background checks

What’s behind this 1,000-character phishing URL? (Naked Security – Sophos, Feb 14 2019)
Bleeping Computer learned of a strange phishing campaign which uses an unusually long URL – but why?

Another flaw found in macOS Mojave’s privacy protection (Naked Security – Sophos, Feb 13 2019)
Ever since Apple announced enhanced privacy protection for macOS Mojave 10.14 last September, a dedicated band of researchers has been poking away at it looking for security flaws. Here’s another.

620 million records from 16 websites listed for sale on the Dark Web (Naked Security – Sophos, Feb 13 2019)
Some of the breaches are new, while some were reported last year. The sites include MyFitnessPal, MyHeritage, Whitepages and more.