A Review of the Best News of the Week on Identity Management & Web Fraud

The Risk of Weak Online Banking Passwords (Krebs on Security, Aug 05 2019)
“If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. This story is about how crooks increasingly are abusing third-party financial aggregation services like Mint, Plaid, Yodlee, YNAB and others to surveil and drain consumer accounts online.”

Demystifying New FIDO Standards & Innovations (Dark Reading, Aug 01 2019)
Staying on top of the latest cybersecurity risks and preferred attack methods can feel impossible, but standards like FIDO2 are designed to help relieve the burden.

How Privacy Laws Hurt Defendants (Schneier on Security, Aug 02 2019)
“Rebecca Wexler has an interesting op-ed about an inadvertent harm that privacy laws can cause: while law enforcement can often access third-party data to aid in prosecution, the accused don’t have the same level of access to aid in their defense”

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Romance Scams Soar as Victims Become Unwitting Money Mules (Infosecurity Magazine, Aug 06 2019)
FBI in new warning as losses climb 71%

Privacy Watchdogs Warn Facebook Over Libra Currency (SecurityWeek, Aug 06 2019)
Global privacy regulators joined forces Tuesday to demand guarantees from Facebook on how it will protect users’ financial data when it launches its planned cryptocurrency, Libra.

Phone Pfarming for Ad Fraud (Schneier on Security, Aug 06 2019)
“No one knows how prevalent ad fraud is on the Internet. I believe it is surprisingly high — here’s an article that places losses between $6.5 and $19 billion annually — and something companies like Google and Facebook would prefer remain unresearched.”

Microsoft is right, mandatory password changes are obsolete (Help Net Security, Aug 01 2019)
Microsoft has recently come out and said that mandatory password changing is ancient and obsolete. This goes directly against everything we were trained to think for the last couple of decades, and against most compliance directives including some of the most dominant security standards. And it is correct.

North Carolina county falls for BEC scam, to the tune of $1,728,083 (Naked Security – Sophos, Aug 01 2019)
The county could only claw back some of the $2,504,601 it paid to a scammer posing as a contractor working on building a new high school.

U.S. indicts three over alleged phishing campaign targeting universities, businesses (SC Magazine, Aug 01 2019)
The Department of Justice has indicted two Americans and a Nigerian on multiple charges for their alleged roles in a phishing scheme that targeted college employees, banks and other businesses from May 2013 through June 2014.

Faked Facebook Accounts Linked to Saudi Arabia, Mideast Region (SecurityWeek, Aug 01 2019)
Facebook on Thursday said it derailed a pair of shady online influence campaigns in the Arabic-speaking world including one linked to the Saudi Arabian government.

How Do I Monitor for Malicious Insiders? (Dark Reading, Aug 05 2019)
Big picture: Think holistic, with appropriate levels of visibility into each stage of the insider threat kill chain.

Improving the Customer Experience with Client Initiated Backchannel Authentication (CIBA) (PingTalk, Aug 01 2019)
For enterprises that want to improve the end-user experience during authentication and authorization, a new technical specification is designed to help you do exactly that. Client Initiated Backchannel Authentication (CIBA) is an extension to OpenID Connect, the open federated identity standard for single sign-on (SSO) that enables seamless access to SaaS, mobile, cloud and enterprise applications.

Authorization Series – Pt 1: What is Authorization? (Auth0 Blog, Jul 31 2019)
How you can harness the power of roles, permissions, groups, and Auth0 Rules

DisruptOps: Breaking Attacker Kill Chains in AWS: IAM Roles (Securosis Blog, Aug 02 2019)
“Over the past year I’ve seen a huge uptick in interest for concrete advice on handling security incidents inside the cloud, with cloud native techniques. As organizations move their production workloads to the cloud, it doesn’t take long for the security professionals to realize that the fundamentals, while conceptually similar, are quite different in practice. One of those core concepts is that of the kill chain…”

Two-Factor vs Adaptive Authentication: Which Is Better? (The LastPass Blog, Jul 29 2019)
Adaptive authentication allows MFA to be deployed in a way that evaluates a user’s risk profile and behaviors and adapts authentication requirements to different situations. By only prompting the user when necessary and offering a more intuitive experience with features like biometrics, adaptive authentication offers many usability benefits over 2FA.

NY SHIELD Act: Cybersecurity Safeguards To Protect Private Info (National Law Review, Aug 05 2019)
New York is the latest state to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information. New York now joins California, Massachusetts and Colorado in setting these standards.

FBI Issues Relationship Fraud/Confidence Scheme Warning (Dark Reading, Aug 06 2019)
Criminals are getting increasingly sophisticated in their efforts to commit fraud and recruit ‘money mules,’ according to the FBI.

Fake Dell support rep admits to talking US colleges out of $874,000 (Naked Security – Sophos, Aug 06 2019)
His victims: UCSD and a Pennsylvania university. He hid out in Kenya for nearly 8 months before being nabbed.