A Review of the Best News of the Week on Identity Management & Web Fraud

Judging Facebook’s Privacy Shift (Schneier on Security, Mar 13 2019)
“There is ample reason to question Zuckerberg’s pronouncement: The company has made — and broken — many privacy promises over the years. And if you read his 3,000-word post carefully, Zuckerberg says nothing about changing Facebook’s surveillance capitalism business model. All the post discusses is making private chats more central to the company, which seems to be a play for increased market dominance and to counter the Chinese company WeChat.”

MyEquifax.com Bypasses Credit Freeze PIN (Krebs on Security, Mar 08 2019)
“Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday.”

T-Mobile Reveals More Location Data Abuse Following Questions from Senator Wyden (Motherboard, Mar 13 2019)
“It is now abundantly clear that you have failed to be good stewards of your customers’ private location information,” Senator Wyden wrote in a letter addressed to AT&T, T-Mobile, Sprint, and Verizon.


What’s Really Behind Facebook’s New Privacy and Encryption Effort? (eWEEK, Mar 08 2019)
Facebook also hasn’t said how it plans to monetize these private communications. Will it inject ads into encrypted video calls? Or will users have to look at an ad before they can message their friends? This isn’t clear, but considering that Facebook has to make money to stay alive, it’s important to know how this is going to happen.

Username and Password Hell: Why the Internet Can’t Keep You Logged In (WSJ, Mar 12 2019)
It’s torture typing in usernames and passwords for every site and app we use, and it’s only getting worse as we add more devices. The good news: Everyone knows it’s a problem, and they’re working on it.

FTC says taxpayer voice phishing scams are up nearly 20x (Naked Security – Sophos, Mar 11 2019)
The real Social Security people will never call to threaten your benefits or tell you to wire money, send cash, or put money on gift cards.

Three men cop to $21 million vishing and smishing scheme (Ars Technica, Mar 11 2019)
Phone-based scam may be low-tech, but it netted big bucks, prosecutors say.

Shifting Attacks Put Increasing ID Fraud Burden on Consumers (Dark Reading, Mar 08 2019)
Card-present fraud is down, but attackers continue to find new strategies, and consumers are paying the price.

Facebook sues developers over data-scraping quizzes (Naked Security – Sophos, Mar 12 2019)
As a result of installing the malicious extensions, the app users effectively compromised their own browsers because, unbeknownst to the app users, the malicious extensions were designed to scrape information and inject unauthorized advertisements when the app users visited Facebook or other social networking sites as part of their online browsing.

RSA 2019: Protecting your privacy in a NIST and GDPR world (WeLiveSecurity, Mar 08 2019)
Protecting your privacy is no longer just an option but a legal requirement in many parts of the world.

Dutch Data Protection Authority chips away at ‘cookie walls,’ declaring they violate GDPR (SC Magazine, Mar 11 2019)
Websites that restrict visitors from viewing and interacting with their content unless they first accept the use of cookies that track their browsing activities are violating the terms of the European Union’s General Data Protection Regulation (GDPR), the Netherlands’ Dutch Data Protection Authority (DDPA) has determined.

Cybercriminals Think Small to Earn Big (Dark Reading, Mar 12 2019)
As the number of breaches increased 424% in 2018, the average breach size shrunk 4.7 times as attackers aimed for smaller, more vulnerable targets.

Firefox Send Is an Easy Way to Share Large Files Securely (Wired, Mar 12 2019)
Mozilla has made public an encrypted file-sharing service with a self-destruct twist.

Marriott CEO reveals more details about the massive data breach (Help Net Security, Mar 13 2019)
Equifax CEO Mark Begor and Marriott CEO appeared before a US Senate subcommittee to testify about the massive data breaches their companies have suffered.

#DPI19: Open Banking and Data Sharing Will Benefit Consumers (Infosecurity Magazine, Mar 13 2019)
…new rules on open banking are permitting more sharing and reuse “of different types of data whilst respecting the privacy and benefit of consumers.” Saying that data “is not the new oil, but is an infrastructure,” Koning explained that data can be used “without loss of quality and competitive edge.”

#DPI19: Privacy Playbooks Can Help Navigate Data Protection Act Rules (Infosecurity Magazine, Mar 13 2019)
“So I started the other way around: how do we develop products in this organization, what are the documentations that are provided, what are the decisions that are made, how do I understand how I insert myself into those points to understand those decisions and help where necessary?”

Man arrested for selling one million Netflix, Spotify, Hulu passwords (Graham Cluley, Mar 13 2019)
Police in Australia have arrested a man who allegedly made AU $300,000 (US $211,000) running a website which sold the account passwords of popular online subscription services including Netflix, Spotify, Hulu, PSN, and Origin.