A Review of the Best News of the Week on Identity Management & Web Fraud

Why Phone Numbers Stink As Identity Proof (Krebs on Security, Mar 17 2019)
“Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.”

How Hackers Pulled Off a $20 Million Mexican Bank Heist (Wired, Mar 15 2019)
Welcome to the world of fake accounts, phantom funds, and money mules.

G Suite Admins Can Now Disable Phone 2-SV (SecurityWeek, Mar 15 2019)
Google is making G Suite accounts more secure by allowing administrators to remove phone-based 2-step verification (2-SV) from the available multi-factor verification options.

Hackers Bypass MFA on Cloud Accounts via IMAP Protocol (SecurityWeek, Mar 15 2019)
Over the past several months, threat actors have been increasingly targeting Office 365 and G Suite cloud accounts that are using the legacy IMAP protocol, in an attempt to bypass multi-factor authentication (MFA), Proofpoint reports.

Epic says its Game Store is not spying on you (Ars Technica, Mar 15 2019)
But Sweeney says it will stop accessing Steam friends lists without permission.

Here’s What It’s Like to Accidentally Expose the Data of 230M People (Wired, Mar 18 2019)
The owner of Exactis, a 10-person firm that exposed a database including nearly every American, tells the story of his company’s downfall.

Scooter Companies Split on Giving Real-Time Location Data to Los Angeles (Motherboard, Mar 19 2019)
Uber, which is pushing back against the requests for real-time location data of its JUMP scooters, was granted a provisional, month-long permit, while other companies received a full-year license.

Education and Science Giant Elsevier Left Users’ Passwords Exposed Online (Motherboard, Mar 18 2019)
Due to a misconfigured server, a researcher found a constant stream of Elsevier users’ passwords.

Will PSD2 Finally Kill The Password? (SC Magazine, Mar 19 2019)
The EU Payment Services Directive (PSD2) will revolutionize consumer authentication. Passwords have been dying a slow death for a while, but PSD2 is likely going to deal the final death blow. Can we all say, “hip hip hooray?” For those who feel that this is just an issue for the European market, think again.

‘Shameless’ Scammers Seek to Cash in on Christchurch Massacre (SecurityWeek, Mar 18 2019)
Scammers are trying to cash in on the Christchurch mosque massacres, using phishing emails with links to fake bank accounts to ensnare people keen to donate, New Zealand’s cyber security body said Monday.

Top 12 phishing email subject lines (SC Magazine, Mar 19 2019)
Cybercriminals often try to create a sense of urgency in their phony attempts to swindle unsuspecting users out of crucial information, using subject lines that compel the recipient to open the phony email and potentially download malicious attachments.

Authorities had OK to use Broidy’s hands, face to unlock phones confiscated in raid (SC Magazine, Mar 19 2019)
Federal agents raiding the offices of former Republican National Committee (RNC) Deputy Finance Chair Elliot Broidy last year looking for details on his dealings with a number of people, including “Trump administration associates,” were authorized to use the fundraiser’s hands and face to unlock phones whose contents were protected by fingerprints or facial scans…

BEC Scammer Pleads Guilty (Dark Reading, Mar 20 2019)
A business email compromise (BEC) operation resulted in $100 million in losses to a multinational technology company and a social media firm, according to the US Attorney’s Office.

Google Photos Bug Let Criminals Query Friends, Location (Dark Reading, Mar 20 2019)
The vulnerability, now patched, let attackers query where, when, and with whom victims’ photos were taken.

Health Apps Can Share Your Data Everywhere, New Study Shows (Motherboard, Mar 20 2019)
A study tested two dozen medicine apps to find out how and where they’re sharing your personal data.

Google Photos bug leaked location history (SC Magazine, Mar 20 2019)
By exploiting the flaw and using a little social engineering, malicious websites could have exposed when Google Photos were taken, according to the report.