A Review of the Best News of the Week on Identity Management & Web Fraud

How Banksy Authenticates His Work (RepRage, Apr 11 2019)
That torn-in-half banknote though? Never mind signatures, embossing or wax seals. The Di Faced Tenner is doing all the authentication heavy lifting here. The tear is what uniquely separates the private key, the half of the note kept secret under lock and key at Pest Control, from the public key. The public key is the half of the note attached to the authentication certificate which gets passed on with the print, and allows its authenticity to be easily verified. (Credit to Bruce Schneier for finding this story.)

How web forms can steal your bandwidth and harm your brand (Naked Security – Sophos, Apr 11 2019)
Got a mailing list? Ever signed up for one? Ever stopped to think how a crook could abuse the security-related confirmation process?

SEC Allows Shareholder Votes on Amazon Facial “Rekognition” (SecurityWeek, Apr 08 2019)
Amazon shareholders will get the opportunity to vote on two non-binding shareholders’ resolutions concerning the Amazon Rekognition facial recognition system.

How Political Campaigns Use Personal Data (Schneier on Security, Apr 03 2019)
Data-driven technologies are an inevitable feature of modern political campaigning. Some argue that they are a welcome addition to politics as normal and a necessary and modern approach to democratic processes; others say that they are corrosive and diminish trust in already flawed political systems. The use of these technologies in political campaigning is not going away; in fact, we can only expect their sophistication and prevalence to grow.

Chrome, Safari and Opera criticised for removing privacy setting (Naked Security – Sophos, Apr 09 2019)
Forthcoming versions of Google Chrome, Apple Safari and Opera are removing the ability to disable a long-ignored tracking feature called hyperlink auditing pings.

A new scam targets your direct deposit info and sends your paycheck to a criminal’s account (CNBC, Apr 10 2019)
Fraudsters are now trying to convince HR personnel to change your direct deposit paycheck information.

How Bots Are Disrupting Airline Ticket Sales (eWEEK, Apr 05 2019)
Questionable online travel agencies, travel aggregators, competitors and criminals are using malicious bots to conduct a variety of attacks on airline websites that result in online fraud, website downtime and loss of potential revenue.

79% of organizations want a federal privacy law amid lack of compliance (Help Net Security, Apr 04 2019)
There is a significant enthusiasm for a federal privacy law amid organizations’ lack of ability to comply with data privacy rules stemming from both mushrooming government regulations and complex data sharing agreements between companies.

As fraud attacks grow more sophisticated, a need for contextual detection strategies increases (Help Net Security, Apr 04 2019)
Fraudsters are using a complex array of tools to build armies of fake accounts; 74% of all fraudulent accounts are created from desktops, and cloud service provider IP ranges are at a higher risk.

BEC Gang “London Blue” Lines Up 8500 New Execs (Infosecurity Magazine, Apr 05 2019)
Organized email scam group targets thousands more firms.

Securing your app and driving down call center fraud (Help Net Security, Apr 08 2019)
Specifically, I’m going to dive into two categories of use cases: first, functions that you can automate through your app to completely avoid the call center; second, functions that you can streamline to reduce call times.

Motel 6 to pay $12M for sharing guest info with ICE (SC Magazine, Apr 05 2019)
Motel 6 will pay a $12 million settlement to Washington state after employees at several of the chain’s locations shared information – without a warrant – on 80,000 guests in the state with Immigration and Customs Enforcement (ICE) over a two-year period.

Ex-Senate Employee Pleads Guilty to Theft of Personal Data (SecurityWeek, Apr 08 2019)
A former congressional staffer has pleaded guilty to five federal offenses that stem from illegally posting online the home addresses and telephone numbers of five Republican senators who backed Brett Kavanaugh’s Supreme Court nomination.

Home Office Error to Blame for Windrush Privacy Snafu (Infosecurity Magazine, Apr 09 2019)
The Home Office has apologized after an “administrative error” led to the personal details of hundreds of historic migrants to the UK being exposed. Around 500 private email addresses were accidentally shared with other applicants of a government compensation scheme for the so-called “Windrush” generation.

Fired sysadmin pleads guilty to doxxing five senators on Wikipedia (Naked Security – Sophos, Apr 09 2019)
Cosko, 27, pleaded guilty to five counts including making public restricted personal information, computer fraud, witness tampering and obstruction of justice…

Amazon admits that employees review “small sample” of Alexa audio (Ars Technica, Apr 10 2019)
Amazon says it uses human transcriptions to "improve the customer experience."

Two robocallers fined $3m for Google listings scam (Naked Security – Sophos, Apr 10 2019)
The robocall scammers were defrauding small businesses who were scared of seeing their Google search listings drop off.

Over 60,000 Stolen Profiles Sold on Underground Marketplace (SecurityWeek, Apr 10 2019)
An underground invitation-based private marketplace for stolen digital fingerprints offers more than 60,000 stolen bot profiles at the moment…

Credential-stuffing attacks behind 30 billion login attempts in 2018 (WeLiveSecurity, Apr 10 2019)
Streaming media feature among services that take the spotlight in a report on credential-stuffing attacks in 2018.