A Review of the Best News of the Week on Identity Management & Web Fraud

California DMV Leak Spills Data from Thousands of Drivers (Dark Reading, Nov 06 2019)
Federal agencies reportedly had improper access to Social Security data belonging to 3,200 license holders.

Accounting Scams Continue to Bilk Businesses (Dark Reading, Nov 06 2019)
Yes, ransomware is plaguing businesses and government organizations, but impersonators inserting themselves into financial workflows – most often via e-mail – continue to enable big paydays.

Details of an Airbnb Fraud (Schneier on Security, Nov 06 2019)
“This is a fascinating article about a bait-and-switch Airbnb fraud. The article focuses on one particular group of scammers and how they operate, using the fact that Airbnb as a company doesn’t do much to combat fraud on its platform. But I am more interested in how the fraudsters essentially hacked the complex sociotechnical system that is Airbnb. The whole article is worth reading.”

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

ACLU sues feds to get information about facial-recognition programs (Ars Technica, Oct 31 2019)
Inquiring lawsuits want to know what the DOJ, DEA, & FBI are using the tech for.

ICO to Police: Go Slow on Facial Recognition (Infosecurity Magazine, Nov 01 2019)
UK watchdog set to work on statutory code of practice

Men who were paid $100,000 by Uber to hush-up hack plead guilty to extortion scheme (Graham Cluley, Oct 31 2019)
Two hackers face up to five years in prison after pleading guilty to their involvement in a scheme which saw them attempt to extort money from Uber and LinkedIn in exchange for the deletion of stolen data.

Perspective | Think you’re anonymous online? A third of popular websites are ‘fingerprinting’ you. (Washington Post, Nov 01 2019)
Our latest privacy experiment tested sites for an invisible form of online tracking that you can’t easily avoid.

Nikkei Hit in $29m BEC Scam (Infosecurity Magazine, Nov 04 2019)
Media giant and US city latest victims of email fraud

Undercover reporter tells all after working for a Polish troll farm (Naked Security – Sophos, Nov 04 2019)
Together with her troll colleagues, she managed 200 fake social profiles, promoted clients’ products, and trolled their competitors.

Vendor Email Compromise is Latest Identity Deception Attack (SecurityWeek, Nov 04 2019)
Identity deception attacks continue to grow, but the type of attack seems to be changing. During Q3, 2019, phishing campaigns impersonating brands dropped by 6% over the previous quarter. Attacks impersonating individuals, however, increased by 10%. The drop in brand impersonation may be partly related to increased industry adoption of DMARC, which is up 49% over the last year.

Proofpoint Acquires Insider Threat Management Firm ObserveIT for $225 Million (SecurityWeek, Nov 04 2019)
Cybersecurity firm Proofpoint announced on Saturday that it has agreed to acquire ObserveIT, a Boston, Mass.-based provider of insider threat management solutions.

New bill would create Digital Privacy Agency to enforce privacy rights (Ars Technica, Nov 05 2019)
The bill proposes sweeping reforms to privacy rights and enforcement.

Florida city sends $742K to fraudsters as it bites the BEC hook (Naked Security – Sophos, Nov 05 2019)
“Here’s our new bank account number,” the scammers said. When the real construction firm sent their invoice, payment was made to the crooks.

IBM: Face Recognition Tech Should be Regulated, Not Banned (SecurityWeek, Nov 05 2019)
IBM weighed in Tuesday on the policy debate over facial recognition technology, arguing against an outright ban but calling for “precision regulation” to protect privacy and civil liberties.

Obfuscation as a Privacy Tool (Schneier on Security, Nov 05 2019)
“This essay discusses the futility of opting out of surveillance, and suggests data obfuscation as an alternative.”

Former Twitter employees charged with spying on users for Saudis (Ars Technica, Nov 06 2019)
Indictment accuses two of passing data about people critical of Saudi royals, government.

Tech-support scammers used data stolen by Trend Micro employee (Ars Technica, Nov 06 2019)
Support-scam callers used leaked data about Trend Micro customers handed over by insider.

Facebook Admits Another Developer Privacy Snafu (Infosecurity Magazine, Nov 06 2019)
Groups API wasn’t properly restricted, says social network

Influencers Pay Thousands to Get Back Into Their Hacked Instagram Accounts (VICE, Nov 06 2019)
A white hat hacker who used to help for free is now charging hacked influencers to help them regain access to their accounts.