A Review of the Best News of the Week on Identity Management & Web Fraud

As 5G Technology Expands, So Do Concerns Over Privacy (WSJ, Feb 28 2019)
“Because 5G doesn’t penetrate walls very well, you’re going to see a lot more indoor towers,” Steve Bellovin, a professor of computer science at Columbia University who previously worked at Bell Labs and AT&T Labs Research, tells WSJ. Location tracking will be more precise, he said.

Researchers Propose New Approach to Address Online Password-Guessing Attacks (Dark Reading, Feb 21 2019)
Both attackers and legitimate users can fail a login attempt. “However, legit users fail maybe 5% or so of the time, while an attacker who is guessing fails [over] 99% of the time,” he says.

Attacking Soldiers on Social Media (Schneier on Security, Feb 26 2019)
This is the future of warfare. It’s one of the reasons China stole all of that data from the Office of Personnel Management. If indeed a country’s intelligence service was behind the Equifax attack, this is why they did it.

Cyber Extortionists Can Earn $360,000 a Year (Dark Reading, Feb 21 2019)
Extortion scams capitalize on compromised credentials, sensitive data, and technical vulnerabilities on Internet-facing applications to pressure victims to pay up.

Payroll Provider Gives Extortionists a Payday (Krebs on Security, Feb 23 2019)
“Payroll software provider Apex Human Capital Management suffered a ransomware attack this week that severed payroll management services for hundreds of the company’s customers for nearly three days. Faced with the threat of an extended outage, Apex chose to pay the ransom demand and begin the process of restoring service to customers.”

On the Security of Password Managers (Schneier on Security, Feb 25 2019)
Whether this is a big deal or not depends on whether you consider your computer to be trusted.

TurboTax Hit with Cyberattack, Tax Returns Compromised (Dark Reading, Feb 25 2019)
Officials report an unauthorized party obtained tax return data by using credentials obtained from an outside source.

Re-thinking federated identity with the Continuous Access Evaluation Protocol (Google Cloud Blog, Feb 21 2019)
Continuous access evaluation is a new approach to access authorization that enables independent parties to control live user session properties. Sometimes referred to as “continuous authentication” by our industry peers, Google’s vision for a Continuous Access Evaluation Protocol (or CAEP) addresses the same concerns, but uses a standards-based approach.

Your phone could soon recognize you based on how you move or walk (Washington Post, Feb 26 2019)
Within 18 months, your phone may be able to identify you based on the gait of your walk, the tension in your hand or the way your thumb moves across the touch screen.

How WebAuthn aims to solve the password problem (Help Net Security, Feb 27 2019)
WebAuthn is a standard for creating and accessing public key credentials on the web, to enable strong authentication of users. It is the result of a joint effort from the W3C, an international internet standards organization, and the FIDO Alliance, a federation of companies interested in improving identity-based security online. With WebAuthn, users can register and authenticate with web applications using devices such as phones, hardware security keys and laptops/desktops with built-in Trusted Platform Modules (TPM).

Why Not Always Multi-Factor Authentication? (SecurityWeek, Feb 26 2019)
According to a survey of 2,600 IT professionals conducted by security awareness training firm KnowBe4, only 38 percent of large companies use multi-factor authentication (MFA) while a whopping 62 percent of small to midsize companies don’t.

Forget Face ID, the LG G8 comes with palm-reading “Hand ID” biometrics (Ars Technica, Feb 25 2019)
LG’s latest smartphone will authenticate you via the veins in your hand.

Two US Committees Ready to Talk Privacy Regs (Infosecurity Magazine, Feb 22 2019)
Pressure continues to mount for a federal framework for privacy regulations.

Malspam campaign fakes Google reCAPTCHA images to fool victims (SC Magazine, Feb 22 2019)
A recently discovered malspam campaign targeting customers of a Polish bank was found using forgeries of Google reCAPTCHA images to fake legitimacy.

Mexican Privacy Watchdog Criticizes Government Over Spyware (SecurityWeek, Feb 22 2019)
Mexico’s privacy watchdog said Wednesday that the federal Attorney General’s Office stonewalled it for more than a year as it tried to investigate the government’s use of powerful Israeli spyware against journalists, lawyers and activists.

Two weeks after hackers tried to steal 13 million euros, Bank of Valletta goes offline again (Graham Cluley, Feb 26 2019)
The Maltese Bank of Valletta went down two weeks ago as hackers tried to steal 13 million Euros.

Millions of utilities customers’ passwords stored in plain text (Naked Security – Sophos, Feb 27 2019)
Plain-text, unencrypted passwords were sent instead of having users reset them. There was no breach, the firm claims, but how would it know?

Whose Line Is It? When Voice Phishing Attacks Get Sneaky (Dark Reading, Feb 27 2019)
Researchers investigate malicious apps designed to intercept calls to legitimate numbers, making voice phishing attacks harder to detect.

Fighting credential stuffing attacks is an uphill battle (Help Net Security, Feb 28 2019)
Hackers directed credential abuse attempts at retail sites more than 10 billion times from May to December last year, making retail the most targeted segment studied, according to the Akamai 2019 State of the Internet / Security: Retail Attacks and API Traffic report. The report also spotlights two other pressing security concerns, the preponderance of API-call traffic on the web and the apparent misrepresentation of IPv6-based traffic. Credential stuffing attacks Researchers studied the credent

Privileged credential abuse is involved in 74% of data breaches (Help Net Security, Feb 28 2019)
Most IT decision makers are not prioritizing Privileged Access Management (PAM) practices and solutions, despite knowing privileged credential abuse is involved in almost three out of every four breaches, according to Centrify. The survey of 1,000 IT decision makers evenly split between the U.S. and U.K. found that, of those whose organizations have experienced a breach, 74 percent acknowledged it involved access to a privileged account. This number closely aligns with Forrester’s estimate that