A Review of the Best News of the Week on Identity Management & Web Fraud

Apple Flexes Its Privacy Muscles (Securosis Blog, Jun 12 2019)
Regardless of motivations – whether it be altruism, the personal principles of Apple executives, or simply shrewd business strategy – Apple’s stance on privacy is historic and unique in the annals of consumer technology. The real question now isn’t whether they can succeed at a technical level, but whether Apple’s privacy push can withstand the upcoming onslaught from governments, regulators, the courts, and competitors.

U.S. Customs and Border Protection says photos of travelers were taken in a data breach (Washington Post, Jun 11 2019)
CBP says photos of travelers have been compromised as part of a “malicious cyber-attack,” raising concerns over how expanding surveillance efforts could imperil privacy.

The police demanded he unlock his cellphone. He didn’t — and spent 44 days in jail. (NBC, Jun 07 2019)
“The world should know that what they’re doing out here is crazy,” said a man who refused to share his passcode with police.


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



Maryland MVA extends deadline for 43,000 Real ID license holders with paperwork due this month (Washington Post, Jun 07 2019)
Maryland is extending the June deadlines for 43,000 drivers who have to present required documents to the MVA to ensure their licenses are Real ID compliant.

Microsoft Deleted a Massive Facial Recognition Database, But It’s Not Dead (VICE, Jun 06 2019)
The database contained 10 million photos of 100,000 individuals including activists and journalists.

Employment Scam (Schneier on Security, Jun 10 2019)
Interesting story of an old-school remote-deposit capture fraud scam, wrapped up in a fake employment scam.

Apple is making corporate ‘BYOD’ programs less invasive to user privacy (TechCrunch, Jun 10 2019)
When people bring their own devices to work or school, they don’t want IT administrators to manage the entire device. But until now, Apple only offered two ways for IT to manage its iOS devices: device enrollments, which give admins device-wide management capabilities, or those same device-wide capabilities combined with an automated setup process. At Apple’s Worldwide Developer Conference last week, the company announced plans to introduce a third method: user enrollments.

Microsoft Pushing for a Passwordless Windows 10 (SecurityWeek, Jun 11 2019)
The latest release of Windows 10, version 1903, allows users to add a passwordless phone-number Microsoft account to Windows and to sign in with the Microsoft Authenticator app. Moreover, Windows Hello is now certified as a FIDO2 authenticator for sign-in on the web, and there is a streamlined Windows Hello PIN recovery flow above the lock screen.

Authentication Myths | Our Voices Never Age (Pindrop, May 20 2019)
Voice biometrics are designed to provide a frictionless experience by recognizing your customers with ease, but what happens if your customers only call into your business once a year – or less?

Spain Extradites 94 Taiwanese to China on Phone Scam Charges (SecurityWeek, Jun 07 2019)
The suspects arrived Friday morning at Beijing airport on a chartered flight. Footage on state broadcaster CCTV showed uniformed officers escorting them off the China Eastern plane one-by-one.

UK Taxpayers Overwhelmed with Phishing Scams (Infosecurity Magazine, Jun 10 2019)
FOI request reveals 2.6m reports over the past three years.

Online shops fear 2FA at checkout will increase abandoned carts (Naked Security – Sophos, Jun 10 2019)
A report says the EU will lose $64b per year once new 2FA rules go into effect, but we support Strong Customer Authentication (SCA) wholeheartedly.

‘Lone Wolf’ Scammer Built a Multifaceted BEC Cybercrime Operation (Dark Reading, Jun 10 2019)
A one-man 419 scam evolved into a lucrative social-engineering syndicate over the past decade that conducts a combination of business email compromise, romance, and financial fraud.

Criminals Try to Schedule Spam in Google Calendar (Infosecurity Magazine, Jun 10 2019)
Spammers using Google services, including Calendar, Photos and Forms.

It’s a SCAM: Send Bitcoin or your company’s reputation is TOAST! (Naked Security – Sophos, Jun 11 2019)
According to the Bitcoin Abuse Database, since at least late last month, that’s the Bitcoin wallet that somebody’s been telling people to send money to, lest their websites’ reputations get ruined.

3.4 billion fake emails are sent around the world every day (Help Net Security, Jun 12 2019)
The research report also found that the vast majority of suspicious emails emanate from U.S.-based sources.

Jigsaw Bought a Russian Twitter Troll Campaign as an Experiment (Wired, Jun 12 2019)
In a controversial move, the Alphabet-owned tech firm played both sides of an online argument in Russia with the aim of testing disinformation-for-hire services.

UK Orgs Lose 2.5 Months a Year on Poor Password Management (Infosecurity Magazine, Jun 13 2019)
Companies are failing to effectively manage password security.

5 Principles to Achieve Zero Trust for the Workforce – Establish Device Trust (Part 3) (The Duo Blog, Jun 11 2019)
“Week one we explored the history of zero trust and how to establish user trust. Week two we explored the history of endpoint security and gaining visibility into devices. Today we will explore the third principle in this five-part blog series — how to establish device trust.”

Securing Machine Identities In The Digital Transformation Era (Gemalto blog, Jun 10 2019)
Machine identity is the unique identity assigned to non-human network entities such as devices, applications, and processes. It is managed by applying familiar Privileged Access Management (PAM) concepts to those entities: identity, authentication, Role-based Access Control (RBAC), least privilege, auditing, and so on.