A Review of the Best News of the Week on Identity Management & Web Fraud

Unknown Data Breach Exposes 80 Million US Households (vpnMentor, Apr 30 2019)
vpnMentor’s research team discovered a hack affecting 80 million American households. Known hacktivists Noam Rotem and Ran Locar discovered an unprotected …

Microsoft’s security chief explains why the company is eliminating passwords (CNBC, May 01 2019)
Microsoft’s security chief explains why the company is eliminating passwords  Ninety percent of Microsoft’s employees can log on to the corporate network without a password, Arsenault said. It’s a reflection of the “passwordless future” Microsoft has touted for years, and backed up by products to move consumers away from memorizing strings of confusing terms. Instead, Microsoft employees use a variety of other options, including Windows Hello and the Authenticator app, which provide other alternatives for logging in, like facial recognition and fingerprints.

After Telcos Shut Off Bounty Hunters, Scammers Sell Fake ‘Phone Pings’ (Motherboard, May 01 2019)
After Motherboard’s investigation led to telcos stopping their sale of phone location data, apparent scammers are exploiting a void in the private investigator industry.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

Three Pillars of Preventing Business Email Compromise and Wire Fraud (Coveware, Apr 26 2019)
This guide to preventing business email compromise will help keep your organization safe from the most prevalent form of cyber theft

Password Requirements from NCSC & Cyber Essentials (Infosecurity Magazine, Apr 26 2019)
Password Complexity is Not Required. Expire Passwords Only When Necessary. Use a Password Blacklist. Account Lockouts to Defend Against Brute Force.

We Built an ‘Unbelievable’ (but Legal) Facial Recognition Machine (The New York Times, Apr 30 2019)
What we found shows the technology’s promise — and perils.

Hackers steal $1.75 million from Catholic church in Ohio (Graham Cluley, Apr 30 2019)
Fraudsters hacked into email system, and tricked church staff into believing that a construction company’s bank account details had changed.

The Secure Access Paradigm Shift to Zero Trust (SC Magazine, May 01 2019)
Enter the era of Zero Trust, a model based on the idea that no user should be inherently trusted. Zero Trust is quickly being adopted by progressive security teams who understand the need to approach securing access differently. The principles of secure access do not change, the paradigm shift is in how they are achieved.

Cryptocurrency giants in $850m fraud allegations (Naked Security – Sophos, Apr 29 2019)
The New York Attorney General has accused major cryptocurrency exchange Bitfinex and cryptocurrency Tether of an $850m fraud.

Fingerprint glitch in passports swapped left and right hands (Naked Security – Sophos, Apr 26 2019)
And just who, exactly, is going to pay for new passports if it’s necessary? Danish police are chatting with Kube Data about that.

Cops can try suspect’s fingers on locked iPhones found at crime scene (Naked Security – Sophos, Apr 26 2019)
A Massachusetts federal district judge gave cops a warrant to force-unlock iPhones with the suspect’s fingers.

Why Are We Still Celebrating World Password Day? (Dark Reading, May 02 2019)
Calls to eliminate the password abound on this World Password Day – and the technology to change is ready. So why can’t we get off our password habit?

Credential Stuffing Costs Firms $4m Each Year (Infosecurity Magazine, Apr 30 2019)
Akamai study finds companies suffer 11 attacks each month

Tech support scam uses iframes and pop-ups to trap victims in loop (SC Magazine, Apr 29 2019)
These web pages open two pop-up windows, one requesting user authentication and the other recommending that the user to seek technical support. If victims attempt to click the authentication pop-up’s “Cancel” button, they are directed right back to the URL. Any other buttons, meanwhile, are nonfunctional and are only there for appearances.

Credential stuffing: Bigger and badder than ever (SC Magazine, Apr 26 2019)
Credential stuffing has been around since 2014 enticing cybercriminals with a hefty return on investment and usage has increased of late as even more payment account credentials are stolen and sold on the dark web.

Russian Charged With Stealing $1.5 Million From IRS (SecurityWeek, May 02 2019)
The United States this week indicted a Russian national for obtaining over $1.5 million in fraudulent tax refunds from the Internal Revenue Service.

California Consumer Privacy Act: 4 Compliance Best Practices (Dark Reading, Apr 30 2019)
Companies that get ahead of the January 2020 data privacy deadline can minimize the risk of sanctions and also gain a competitive advantage in the marketplace.

Digital Ad-Fraud Losses Decline (Dark Reading, May 01 2019)
Even so, more work remains to be done to address online ad fraud operations that cause billions of dollars in losses annually for advertisers.

Privacy sheriffs – CPOs saddle up to protect information assets (SC Magazine, May 01 2019)
Much like in the Old West when the town sheriff and a few deputies did their best to keep the local citizens safe from the black-hatted bad guys who inhabited the surrounding empty land, today’s chief privacy officer (CPO) must keep data locked down at companies, organizations or government entities and beyond the reach of cybercriminals.

Privacy Statistics (SC Magazine, May 01 2019)
An interesting infographic on VPN usage and privacy considerations