A Review of the Best News of the Week on Identity Management & Web Fraud

Forced Password Reset? Check Your Assumptions (Krebs on Security, Aug 21 2019)
“Almost weekly now I hear from an indignant reader who suspects a data breach at a Web site they frequent that has just asked the reader to reset their password. Further investigation almost invariably reveals that the password reset demand was not the result of a breach but rather the site’s efforts to identify customers who are reusing passwords from other sites that have already been hacked.”

China Attacks Hong Kong Protesters With Fake Social Posts (Wired, Aug 19 2019)
Twitter and Facebook say they’ve taken down misinformation campaigns from China that cast pro-democracy activists as ISIS members and cockroaches.

Ready or Not, Here Comes FIDO: How to Prepare for Success (SecurityWeek, Aug 21 2019)
Planning and Preparation Are Key to Successfully Adopting FIDO Standards for “Simpler, Stronger Authentication”

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Finally, a Lightning YubiKey to Kill Password Clutter on Your iPhone (Wired, Aug 20 2019)
First announced in January, the Lightning YubiKey has been in the works for more than a year now. Yubico first needed to get Apple’s MFi certification—a license required for all Lightning devices—before it could start designing the product and getting third-party developers on board. The dongle, priced at $70, has a Lightning connector on one side and USB-C on the other side.

Scammers use bogus search results to fool voice assistants (Naked Security – Sophos, Aug 20 2019)
The Better Business Bureau reports that scammers have worked out how to game search results for company customer support telephone numbers.

Facebook’s New Privacy Feature Comes With a Loophole (Wired, Aug 20 2019)
Off-Facebook Activity will give you a summary of the third-party websites and apps that share your visit history with Facebook, and will allow you to clear them. You can also choose not to allow Facebook to use your browsing history for personalized advertising in the future…But not complete control. Even if you turn off Facebook’s ability to use your browsing history for ads, Facebook will still collect that information, and it will still be connected to your account for up to two days.

Breaking Down Identity: The Top 10 Most Frequently Asked Questions (The LastPass Blog, Aug 05 2019)
“We recently announced the expanded LastPass business suite which has taken the LastPass business lineup from password management to an identity solution inclusive of password management, single sign-on and multi-factor authentication….”

Brooklyn Man Gets 57 Months for $1m Fraud Scheme (Infosecurity Magazine, Aug 19 2019)
Decade-long rampage involved account hijacking and check-forging

Clickjacking Still Popular Among Online Scammers (Infosecurity Magazine, Aug 15 2019)
A perennial technique among online fraudsters, clickjacking isn’t going away anytime soon, researchers say.

Who Gets Privileged Access & How to Enforce It (Dark Reading, Aug 20 2019)
Let’s begin by re-evaluating IT infrastructures to determine who has access to what, why, and when.

Chrome users ignoring warnings to change breached passwords (Naked Security – Sophos, Aug 20 2019)
If you were told that the password you had just entered was known to have been compromised in a data breach, what would you do?

The People Paid to Dox Airbnb Addresses (VICE, Aug 22 2019)
In response to a need to enforce short term rental legislation, an industry of companies has popped up tasked with finding the real addresses of Airbnbs and other properties.