A Review of the Best News of the Week on Identity Management & Web Fraud

Russian national confesses to biggest bank hack in US history (Ars Technica, Sep 23 2019)
In all, the defendant stole more than 100 million records, prosecutors say.

Google Wins EU Fight Against Worldwide ‘Right to be Forgotten’ (SecurityWeek, Sep 24 2019)
Google is not required to apply an EU “right to be forgotten” to its search engine domains outside Europe, the EU’s top court ruled Tuesday in a landmark decision.

Millions of YouTube accounts hijacked through phishing and compromised 2FA (SC Magazine, Sep 24 2019)
Cybersecurity executives blamed YouTube’s continued use of multifactor authentication and its reliance on user credentials instead of more advanced forms of authentication as the reasons why millions of accounts were hijacked over the last few days.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Payment card thieves hack Click2Gov bill paying portals in 8 cities (Ars Technica, Sep 20 2019)
New wave of attacks comes after previous Click2Gov hack compromised 300k payment cards.

Could EarEcho change the way we authenticate our phones? (Naked Security – Sophos, Sep 23 2019)
Researchers have discovered a way to use wireless earbuds as a biometric authentication system.

The Private Surveillance System That Tracks Cars Nationwide (VICE, Sep 19 2019)
It’s not just the NSA that holds surveillance power in America; there’s a booming corporate-owned surveillance industry used by private investigators.

A Feminist Take on Information Privacy (Schneier on Security, Sep 20 2019)
“Maria Farrell has a really interesting framing of information/device privacy: What our smartphones and relationship abusers share is that they both exert power over us in a world shaped to tip the balance in their favour, and they both work really, really hard to obscure this fact and keep us confused and blaming ourselves. Here are some of the ways our unequal relationship with our smartphones is like an abusive relationship:”

New surveillance tech means you’ll never be anonymous again (Wired, Sep 23 2019)
Forget facial recognition. Researchers around the world are creating new ways to monitor you. Lasers that detect your heartbeat and your microbiome are already being developed.

Passwordless authentication is here ​now​, and it is vastly superior to using a password (Help Net Security, Sep 24 2019)
“Mirko Zorz, Help Net Security’s Editor in Chief, recently published ​an article about the state of passwordless authentication​ that predicted a long journey before this technology is viable. We would like to share that passwordless multi-factor authentication is a reality today.”

Tackling biometric breaches, the decentralized dilemma (Help Net Security, Sep 26 2019)
Tech giants have bought in on the distributed biometrics protocols WebAuthn and FIDO2. In fact, decentralized biometrics solutions based on these protocols are available at a number of big-name tech companies. By moving to decentralized biometrics, companies avoid the false sense of security that centralized biometrics provides. Centralized biometric stores are not more secure, and they are not more reliable.

Vimeo sued for storing faceprints of people without their say-so (Naked Security – Sophos, Sep 26 2019)
The suit was filed under BIPA, the Illinois law that requires written consent to grab people’s faceprints – the same law Facebook’s battling.

Researchers analyzed 16.4 billion requests to see how bots affect e-commerce (Help Net Security, Sep 20 2019)
E-commerce companies suffer from a continual barrage of bad bots that criminals, competitors, resellers and investment companies use to carry out unauthorized price scraping, inventory checking, denial of inventory, scalping, customer account takeover, gift card abuse, spam comments, transaction fraud and more.

Facebook Disrupts Misinformation Campaigns in Ukraine and Iraq (Infosecurity Magazine, Sep 19 2019)
Social network removes hundreds of accounts after coordinated inauthentic behavior.

Twitter Culls 10,000 More State-Sponsored Accounts (Infosecurity Magazine, Sep 23 2019)
Social network spots wide-ranging attempts to spread misinformation.

Two charged with tech-support scamming the elderly for $10m (Naked Security – Sophos, Sep 23 2019)
The tech-support scammers were allegedly part of a network of crooks in the US and India who conned about 7,500 victims.

Google Tightens Its Voice Assistant Rules Amid Privacy Backlash (Wired, Sep 23 2019)
Following Apple, Amazon, and others, Google will put in new safeguards against accidental voice assistant collection and transcription.

Facebook has booted tens of thousands of data-grabbing apps (Naked Security – Sophos, Sep 24 2019)
400 developers have been naughty with user data, noncompliant with policy, and/or have ignored Facebook’s audit, it says.

Teenage TalkTalk hacker accused of $800,000 cryptocurrency theft in the United States (Graham Cluley, Sep 25 2019)
Elliott Gunton – aka “Glubz” – is charged in relation to the December 2017 security breach of cryptocurrency exchange EtherDelta.

Ineffective Package Tracking Facilitates Fraud (Schneier on Security, Sep 25 2019)
“This article discusses an e-commerce fraud technique in the UK. Because the Royal Mail only tracks packages to the postcode – and not to the address – it’s possible to commit a variety of different frauds. Tracking systems that rely on signature are not similarly vulnerable.”

Employees are mistakenly confident that they can spot phishing emails (Help Net Security, Sep 26 2019)
While a majority (79%) of people say they are able to distinguish a phishing message from a genuine one, nearly half (49%) also admit to having clicked on a link from an unknown sender while at work.