A Review of the Best News of the Week on Identity Management & Web Fraud

Balls, bats & Baby Shark: MLB authentication process is serious biz (WAPO, Oct 29 2019)
At the World Series, authenticators in both dugouts and clubhouses keep a close eye on the action.

Cachet Financial Reeling from MyPayrollHR Fraud (Krebs on Security, Oct 24 2019)
“When New York-based cloud payroll provider MyPayrollHR unexpectedly shuttered its doors last month and disappeared with $26 million worth of customer payroll deposits, its payment processor Cachet Financial Services ended up funding the bank accounts of MyPayrollHR client company employees anyway, graciously eating a $26 million loss which it is now suing to recover.”

Reality Check on the Demise of Multi-Factor Authentication (SecurityWeek, Oct 30 2019)
Forrester Research has estimated that despite increasing cyber security budgets, 80 percent of security breaches involve weak, default, stolen, or otherwise compromised privileged credentials. As a result, MFA is considered one of the primary defenses against identity-based cyber-attacks.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Comcast fights Google’s encrypted-DNS plan but promises not to spy on users (Ars Technica, Oct 25 2019)
Comcast has gone on the record to say that it does not track its broadband users’ Web browsing histories, even though the company is lobbying against a Google plan that could make it harder for ISPs to track their users.

Firefox Privacy Protection makes website trackers visible (Naked Security – Sophos, Oct 25 2019)
Mozilla has added another privacy tweak to Firefox version 70 – the ability to quickly see how often websites are tracking users.

Researchers find hole in EU-wide identity system (Naked Security – Sophos, Oct 31 2019)
The flaw lay in the integration software that the EU provides for coupling eIDAS nodes together. Its SAML parsing allowed an attacker to avoid the signature verification process, meaning that they could tamper with a SAML message to impersonate anyone.

Phishers have been targeting UN, UNICEF, Red Cross officials for months – and still do (Help Net Security, Oct 25 2019)
Researchers have brought to light a longstanding phishing campaign aimed at the UN and its various networks, and a variety of humanitarian organizations, NGOs, universities and think tanks.

Study Reveals the Worst State for Online Privacy (Infosecurity Magazine, Oct 24 2019)
Wyoming was found to meet just one of the 20 key criteria, which was that laws were in place to protect K–12 student information, such as grades and attendance records.

Phishers strike at mobile wellness app company (Naked Security – Sophos, Oct 25 2019)
Online criminals launched a cyberattack on healthcare app company Evergreen Life. Its app helps people log their own health information, taking in fitness, nutrition, and even DNA records.

Millions of Adobe Customers Exposed in Privacy Snafu (Infosecurity Magazine, Oct 28 2019)
Adobe has become the latest big name to expose customer details via a misconfigured database, after researchers discovered nearly 7.5 million accounts via an online search. Security researcher Bob Diachenko teamed up again with Comparitech to find the Elasticsearch database, which was left online without any password protection.

Crypto Capital boss arrested over money laundering (Naked Security – Sophos, Oct 28 2019)
Bitfinex says the payment processor has $880M of the cryptocurrency exchange’s “lost” funds. Polish authorities seized $390m of it.

Google to Face Court on Claims It Misled Australians on Personal Data (WSJ, Oct 29 2019)
Alphabet’s Google is being taken to court by an Australian regulator that alleges the internet giant misled customers about how it collected and used personal location data.

Sextortion scammers are hijacking blogs – and victims are paying up (Naked Security – Sophos, Oct 30 2019)
Sextortion scammers have started hijacking poorly managed or defunct blogs to expand an increasingly profitable business.

Aussie Consumer Watchdog Sues Google Over Location Data Use (SecurityWeek, Oct 29 2019)
Australia’s consumer watchdog on Tuesday announced legal action against Google for allegedly misleading customers about the way it collects and uses personal location data.

No, you apparently can’t run for office just to put false ads on Facebook (Ars Technica, Oct 30 2019)
An attempt to call out Facebook’s policy is working—just not on Facebook.

Office 365 users targeted with fake voicemail alerts in suspected whaling campaign (Help Net Security, Oct 31 2019)
The malicious emails take the form of (fake) Microsoft-branded notifications telling recipients of a missed call.
They contain an attachment: an HTML file that, when loaded, shows potential victims to a page that:
-Autoplays a file that sounds like a truncated, recorded voice message
-Tells them to wait while the entire voice message is downloaded from the server
-Instructs them to log in to access the message.

21 Million Stolen Fortune 500 Credentials For Sale on Dark Web (SecurityWeek, Oct 30 2019)
There have been many studies and investigations into the number of stolen credentials available on the dark web. However, a new report that was just released is a bit different: it focuses on credentials belonging to global Fortune 500 organizations, and used machine learning (ML) techniques to clean and verify the collected data.

Uber Says It Will Sue Los Angeles Over Sharing Scooter Location Data (VICE, Oct 30 2019)
The move comes after Uber decided not to provide the location data according to a Los Angeles Department of Transportation deadline.