A Review of the Best News of the Week on Identity Management & Web Fraud

Trust, or Lack of It, Is a Key Theme on RSAC Keynote Stage (Dark Reading, Mar 05 2019)
Neither machines nor humans might be entirely trustworthy, but the cooperation of the two might be the answer to issues of misinformation, deep fake videos, and other issues of trust, say security leaders.

Facebook isn’t letting you opt-out of having people search for you by your phone number (Graham Cluley, Mar 04 2019)
If you really must use Facebook, don’t give it your phone number – not even for 2FA.

NSA might shut down phone snooping program, whatever that means (Naked Security – Sophos, Mar 07 2019)
We’ve heard this tale before. This time, it was mentioned by a congressional aide. Also, the NSA released Ghidra, a free reverse-engineering tool.


Help Desk: Digital life after death, passwords on Post-Its and a new Comcast nightmare (Washington Post, Feb 28 2019)
The problem: States have very different ways of recognizing online accounts and data. Some treat digital assets as property like a car or a savings account. Others treat digital assets as private data that shouldn’t be accessed by anyone else. In general, tech companies won’t turn over your data without your express consent, though some make exceptions for heirs.

Ex-NY Giant Arrested in Connection With ID Theft Ring: DA (NBC New York, Mar 01 2019)
Five people, including a Brooklyn man who ran a credit consulting business and a former University of Florida football player who briefly played with the New York Giants, were arrested in connection to an alleged identity theft ring that attempted to steal more than $1,000,000, prosecutors say.

#BSidesSF2019: How to Secure Online Identities with Simple, Secure Open Standards (Infosecurity Magazine, Mar 04 2019)
The biggest problem we have on the internet today is hacked credentials.

IRS warns of new tax-related phishing scams (SC Magazine, Mar 05 2019)
“After stealing client data from tax professionals and filing fraudulent tax returns, these criminals use the taxpayers’ real bank accounts for the deposit. Thieves are then using various tactics to reclaim the refund from the taxpayers, and their versions of the scam may continue to evolve…”

Why Chinese Companies Plug a US Test for Facial Recognition (Wired, Mar 06 2019)
A US government agency tests the accuracy of facial recognition programs. The top spots are routinely filled by Chinese and Russian companies.

Facebook Plans Makeover as Privacy-Focused Network (Dark Reading, Mar 07 2019)
CEO Mark Zuckerberg published a lengthy post detailing the company’s shift from open platform to privacy-focused communications.

Touch ID and Beyond: Duo’s Plans for WebAuthn (The Duo Blog, Mar 05 2019)
WebAuthn will enable the most convenient and secure authentication method for end users – the device that they are already using – to validate that the user is who they say they are via a biometric. As a reminder, WebAuthn is a browser-based API that allows for web applications to create strong, public key-based credentials for the purpose of user authentication.

Turkish Group Using Phishing Emails to Hijack Popular Instagram Profiles (Dark Reading, Feb 28 2019)
In some cases, attackers have demanded ransom, nude photos/videos of victims in exchange for stolen account, Trend Micro says.

Sextortion Scammers Target Employees (Infosecurity Magazine, Mar 01 2019)
One in 10 spear-phishing emails features an extortion attempt, says Barracuda Networks.

Palisades Park receives $200,000 advance after cyberattack (SC Magazine, Feb 28 2019)
As proof that not all cyberattacks leave victims broke and out of luck, the New Jersey borough of Palisades Park received a $200,000 advancement on its insurance claim this week after a breach at Mariner’s Bank, based in the nearby town of Edgewater, drained nearly half a million dollars from its accounts.

Scytale grabs $5M Series A for application-to-application identity management (TechCrunch, Mar 04 2019)
Scytale, a startup that wants to bring identity and access management to application-to-application activities, announced a $5 million Series A round today. The round was led by Bessemer Venture Partners, a return investor that led the company’s previous $3 million round in 2018. Bain Capital Ventures, TechOperators and Work-Bench are also participating in this round.

Hackers Sell Access to Bait-and-Switch Empire (Krebs on Security, Mar 04 2019)
“Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people searches.”

Sale of SSL/TLS certificates on the dark web is rampant (Help Net Security, Mar 06 2019)
There is no dearth of compromised, fake and forged SSL/TLS certificates for sale on dark web markets, researchers have found.

Phishers shift efforts to attack SaaS and webmail services (Help Net Security, Mar 05 2019)
Phishing that targeted SaaS and Webmail services jumped from 20.1 percent of all attacks in Q3 to almost 30 percent in Q4. Attacks against cloud storage and file hosting sites continued to drop, decreasing from 11.3 percent of all attacks in Q1 2018 to 4 percent in Q4 2018.

Enabling access to the corporate network with Cloud Identity credentials (Google Cloud Blog, Feb 27 2019)
“Cloud Identity, Google Cloud’s identity as a service (IDaaS) platform, now offers secure LDAP functionality that enables authentication, authorization, and user/group lookups for LDAP-based apps and IT infrastructure. Today, we hear from OpenVPN, which has tested and integrated its OpenVPN Access Server with secure LDAP, enabling your employees and partners to use their Cloud Identity credentials to access applications through VPN.”

Global Privacy Study Finds Firms Failing on Accountability (Infosecurity Magazine, Mar 06 2019)
ICO warns that 15% have no incident response measures in place.