A Review of the Best News of the Week on Identity Management & Web Fraud

Collections Firm Behind LabCorp, Quest Breaches Files for Bankruptcy (Krebs, Jun 19 2019)
“A medical billing firm responsible for a recent eight-month data breach that exposed the personal information on nearly 20 million Americans has filed for bankruptcy, citing ‘enormous expenses’ from notifying affected consumers and the loss of its four largest customers.”

Significant trends are beginning to develop in the Government ID market (Help Net Security, Jun 14 2019)
“In African nations, there is a clear focus on providing national IDs that have payment functionality, bringing financial inclusion to a largely underbanked population, and increasing commerce among countries within the IGAD trading bloc.

“In Latin America, there is a trend toward issuing smart driver’s license programs, spearheaded by Brazil, an innovative project, encompassing a smart physical credential alongside a mobile driver’s license companion. In North America, developments in Real ID in the wake of identity legislation have prompted a drive for scrupulous citizen-issued credentials.”

Before You Use a Password Manager (Medium, Jun 20 2019)
I cringe when I hear self-proclaimed experts implore everyone to “use a password manager for all your passwords” and “turn on two-factor…


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



Robocall revenge: Meet the techies turning the tables on scammers (CBS, Jun 14 2019)
In a video that’s received more than 2 million views, a man who calls himself “Jim Browning” infiltrates scammers in India

Yubico Replacing YubiKey FIPS Devices Due to Security Issue (SecurityWeek, Jun 14 2019)
Yubico is in the process of replacing YubiKey FIPS (Federal Information Processing Standards) security keys following the discovery of a potentially serious cryptography-related issue that can cause RSA keys and ECDSA signatures generated on these devices to have reduced strength.

Malware sidesteps Google permissions policy with new 2FA bypass technique (WeLiveSecurity, Jun 17 2019)
ESET analysis uncovers a novel technique bypassing SMS-based two-factor authentication while circumventing Google’s recent SMS permissions restrictions

Instagram testing simpler method to retrieve hacked accounts (SC Magazine, Jun 17 2019)
…testing an in-app method, essentially a two-factor authentication tool, that will be triggered either when Instagram notes the user is having trouble logging in or by the user clicking “need more help” on the login page. The app will then ask the person for some specific information related to the account, email account or a phone number that is associated with it, and then send a six-digit code to the contact source indicated that will allow entry to the account.

The Evolution of Identity (Dark Reading, Jun 18 2019)
How data and technology can help businesses make the right fraud decisions, protect people’s identities, and create an improved customer experience.

Tricky Scam Plants Phishing Links in Your Google Calendar (Wired, Jun 17 2019)
Scammers are taking advantage of default calendar settings to try to trick users into clicking malicious links.

Canadian City Loses $500,000 to Phishing Attack (SecurityWeek, Jun 14 2019)
The City of Burlington, Ontario, revealed Thursday that it fell prey to “a complex phishing email” that cost the City CAD $503,000 (around USD $375,000). Few details have yet been released.

Federal Agencies Still Using Knowledge-Based Identity Verification (SecurityWeek, Jun 17 2019)
Some U.S. government agencies still rely on knowledge-based identity verification despite the fact that this system has been easy to beat following the massive data breaches suffered by the Office of Personnel Management (OPM) and Equifax…

Why one old web scam is on the rise again (ZDNet, Jun 18 2019)
Fake domains and bogus websites are experiencing something of a revival – unfortunately.

Seven Million Venmo Transactions Published on GitHub (Infosecurity Magazine, Jun 17 2019)
“I would highly encourage all users to switch their Venmo account to private…”

Twitch Sues to Identify Users Who Uploaded Christchurch Video and Porn to Its Platform (VICE, Jun 17 2019)
Users posted the violating material to the section of Twitch for Valve-developed game ‘Artifact’ over Memorial Day weekend.

Chrome updates improve security, privacy for extensions (SC Magazine, Jun 18 2019)
Chrome will boost the security and privacy for extensions by reimagining the way a number of powerful APIs work with its new Declarative Net Request API. Instead of a user granting each extension access to all of their sensitive data, Google created a way for developers to request access to only the data needed to…

With GDPR’s ‘Right of Access,’ Who Really Has Access? (Dark Reading, Jun 19 2019)
How a security researcher learned organizations willingly hand over sensitive data with little to no identity verification.

Millions Fall Victim to System Cleaner Hoaxes (Infosecurity Magazine, Jun 19 2019)
Nearly 1.5 million users were attacked in first half of 2019, says Kaspersky.

Pass the salt! Popular CMSs aren’t securing passwords properly (Naked Security – Sophos, Jun 19 2019)
A group of researchers has discovered that many of the web’s most popular content management systems are using obsolete algorithms to protect their users’ passwords.

ACLU tells Ga. Supreme Court Fourth Amendment should apply to personal data stored by cars (SC Magazine, Jun 19 2019)
Fourth Amendment protections should apply to personal data in a car’s Event Data Recorder, the American Civil Liberties Union (ACLU) will argue before the Georgia Supreme Court today.

You’d better change your birthday – hackers may know your PIN (WeLiveSecurity, Jun 19 2019)
Are you in the 26% of people who use one of these PIN codes to unlock their phones?