A Review of the Best News of the Week on Identity Management & Web Fraud

Banks, Arbitrary Password Restrictions and Why They Don’t Matter (Troy Hunt, Sep 17 2019)
Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don’t matter. Also, allow me to argue with myself for a moment: banks shouldn’t have these restrictions in place anyway.

Barclaycard: So Far, So Good for Strong Customer Authentication (Infosecurity Magazine, Sep 18 2019)
Barclaycard has reported no negative impact from introducing Strong Customer Authentication (SCA) last weekend. The new user authentication rules mandated by the European Union’s revised Payment Services Directive (PSD2) were introduced by the UK’s leading acquirer on Saturday, September 14.

Millions of Americans’ Medical Images and Data Are Available on the Internet. Anyone Can Take a Peek (ProPublica, Sep 19 2019)
Hundreds of computer servers worldwide that store patient X-rays and MRIs are so insecure that anyone with a web browser or a few lines of computer code can view patient records. One expert warned about it for years.


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


NIST Privacy Framework Draft Released (Lexology, Sep 13 2019)
NIST is accepting public comments on the draft Privacy Framework until 5 p.m. EST on October 24, 2019.

Chase sent me a fraud alert over an unauthorized phone number (The Points Guy, Sep 17 2019)
“Just 32 minutes after the fraudster called Chase, my (apparently stolen) card number was cancelled, all because Chase’s system flagged an unknown phone number from someone that was in possession of my 16-digit account number.”

CFPB probes fake credit card accounts at Bank of America (SC Magazine, Sep 18 2019)
The Consumer Financial Protection Bureau (CFPB) has been probing Bank of America (BoA) for allegedly opening customer credit card accounts without authorization, a la Wells Fargo. The BoA investigation emerged after the bureau posted documents to its site showing the back and forth with the bank’s attorneys regarding the turning over of emails and other records; one of the attorneys acknowledged a “vanishingly small” number of “potentially unauthorized credit card accounts.”

Cracking Forgotten Passwords (Schneier on Security, Sep 18 2019)
Expandpass is a string expansion program. It’s “useful for cracking passwords you kinda-remember.” You tell the program what you remember about the password and it tries related passwords.

Marketer Exposes 198 Million Car Buyer Records (Infosecurity Magazine, Sep 13 2019)
Dealer Leads leaves 413GB of data publicly accessible

Mozilla Private Network VPN gives Firefox another privacy boost (Naked Security – Sophos, Sep 13 2019)
Is this week’s test pilot launch of Mozilla Private Network the moment browser VPNs finally become a must-have privacy feature?

Five ways to manage authorization in the cloud (Help Net Security, Sep 17 2019)
These approaches take into account the growing number of security blind spots and weak points in the cloud environment. Instead of being connected by wire within the confines of a corporate network, most of these new services are open to the internet, expanding the attack surface of the company’s infrastructure. Here are five key developments to consider for managing authorization in the cloud.

Former hacker warns against password reuse (Naked Security – Sophos, Sep 17 2019)
Kyle Milliken is back from jail, and he has some advice for you: Do. Not. Reuse. Your. Passwords.

Cybercriminal’s Black Market Pricing Guide (Dark Reading, Sep 17 2019)
Common prices criminals pay one another for products and services that fuel the cybercriminal ecosystem.

Impersonation Fraud Still Effective in Obtaining Code Signatures (Dark Reading, Sep 17 2019)
Fraudsters continue to attempt to fool certificate authorities into issuing valid digital certificates for legitimate organizations by impersonating an authoritative user. The reward? The ability to sign code with a legitimate signature.

US Companies Unprepared for Privacy Regulations (Dark Reading, Sep 17 2019)
US companies are poorly prepared for even the most rudimentary privacy regulations, a new report says.

Facebook boots multiple inauthentic accounts created in Iraq and Ukraine (SC Magazine, Sep 17 2019)
Facebook excised from its platform hundreds of inauthentic pages, groups and accounts that were created by actors in Iraq and Ukraine. The social media giant removed 76 accounts, 120 Facebook pages, one group, two events and…

This Software Will Give You a Fake Face to Protect Your Privacy (VICE, Sep 17 2019)
DeepPrivacy masks your real face with a flurry of a million other faces.

On Roku and Amazon Fire TV, Channels Are Watching You (Wired, Sep 18 2019)
New research shows that over 2,000 streaming apps track information about your devices—even when you tell them not to.

Before He Spammed You, this Sly Prince Stalked Your Mailbox (Krebs on Security, Sep 18 2019)
It’s easy to laugh at this letter, because it’s sometimes funny when scammers try so hard. But then again, maybe the joke’s on us because sending these scams via USPS makes them even more appealing to the people most vulnerable: Older individuals with access to cash but maybe not all their marbles. Sure, the lure costs $.55 up front. But a handful of successful responses to thousands of mailers could net fortunes for these guys phishing it old school.