A Review of the Best News of the Week on Identity Management & Web Fraud
Security of Health Information (Schneier on Security, Mar 05 2020)
“The world is racing to contain the new COVID-19 virus that is spreading around the globe with alarming speed. Right now, pandemic disease experts at the World Health Organization (WHO), the US Centers for Disease Control and Prevention (CDC), and other public-health agencies are gathering information to learn how and where the virus is spreading. To do so, they are using a variety of digital communications and surveillance systems. Like much of the medical infrastructure, these systems are highly vulnerable to hacking and interference.”
ICE has run facial-recognition searches on millions of Maryland drivers (Washington Post, Feb 27 2020)
The direct and largely unlimited access granted to immigration-enforcement officials marks an aggressive new step for the federal agency in regard to Americans’ photos and personal data. It also raises the risk that undocumented immigrants who applied for driver’s licenses under the state’s landmark program could have been targeted.
‘Shark Tank’ judge Barbara Corcoran gets her $400,000 back from scammers (CNN, Mar 02 2020)
In a twist of good fortune, she said that the German-based bank the bookkeeper used to wire the money froze the transfer before it was deposited into the scammer’s bank account in China. Corcoran said her bank asked the German bank to freeze the transaction so her team could prove it was a fraud.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Airbnb Has Secret ‘Trustworthy Scores’ and This Privacy Group Is Demanding to See Them (VICE, Feb 27 2020)
Nontransparent algorithms determine if you’re ‘trustworthy’ based on whether you’ve engaged in sex work, porn, used drugs and alcohol, or even used swear words online.
More than 2,200 agencies and companies have tried Clearview, report finds (Ars Technica, Feb 28 2020)
Schools, stores, federal agencies, and legions of local police are on the list.
Here’s the File Clearview AI Has Been Keeping on Me, and Probably on You Too (VICE, Feb 28 2020)
We used the California Consumer Privacy Act to see what information the controversial facial recognition company has collected on me.
What Disney+ Can Teach Businesses About Customer Security (Dark Reading, Mar 02 2020)
Businesses must prioritize customer protection by taking on some of the responsibility to prevent credential stuffing attacks through multipronged authentication and identity management.
US State Dept. Shares Insider Tips to Fight Insider Threats (Dark Reading, Feb 26 2020)
The insider threat is a technology, security, and personnel issue, officials said in explaining an approach that addresses all three factors.
#RSAC: Reality of Browsers Leaking Identifiable Information Detailed (Infosecurity Magazine, Feb 27 2020)
What does your device’s browser reveal about you and your internet use?
Privacy Management Firm OneTrust Raises $210 Million at $2.7 Billion Valuation (SecurityWeek, Feb 26 2020)
OneTrust, a provider of privacy and security compliance tools, has raised $210 million in Series B funding at a valuation of $2.7 billion.
HMRC Scam Calls Surge 234% in a Year (Infosecurity Magazine, Mar 02 2020)
UK tax office is still a major target for phishers
Home Office Admits 100 GDPR Breaches in EU Scheme (Infosecurity Magazine, Mar 02 2020)
Privacy problems for EU citizens hoping to settle in the UK
Facebook’s Download-Your-Data Tool Is Incomplete (Schneier on Security, Mar 02 2020)
Despite Facebook claim, “Download Your Information” doesn’t provide users with a list of all advertisers who uploaded a list with their personal data.
Chinese Nationals Charged With $100m Crypto Money Laundering (Infosecurity Magazine, Mar 03 2020)
They worked on behalf of North Korean Lazarus Group, alleges DoJ
Coder Charged in Massive CIA Leak Portrayed as Vindictive (SecurityWeek, Mar 03 2020)
A software engineer on trial in the largest leak of classified information in CIA history was “prepared to do anything” to betray the agency, federal prosecutors said Monday as a defense attorney argued the man had been scapegoated for a breach that exposed secret cyberweapons and spying techniques.
Online payment fraud attempts see 73% increase (Help Net Security, Mar 04 2020)
Online payment fraud attempts increased by 73 percent in 2019, according to a report from Sift. Additional findings in the report reveal that cybercriminals are using mobile devices more than desktops or laptops to commit payment fraud. In fact, though Windows is the top single operating system for fraudsters, iOS and Android combine to make up more than half of attempted fraudulent transactions.
Social engineering: Mind the identity verification gap (Help Net Security, Mar 03 2020)
The firm attributes the substantial rise to the fact that in the first six months of 2019 there were over 1,300 documented data leaks which mostly exposed email addresses and passwords.
Facebook purges hundreds of fake accounts from state actors, marketers (Naked Security – Sophos, Mar 04 2020)
It removed 5 networks engaged in foreign or government interference in Egypt, India, Russia, Iran, and Myanmar/Vietnam. Some targeted the US.
Tech support scammers hacked back by vigilante (Naked Security – Sophos, Mar 04 2020)
Browning told the BBC his technique is to allow scammers to connect to his computer, which has been set up to attack the scammer’s computer back using the same remote desktop connection. He doesn’t say how he does this – that might depend on the software being used – but the use of a virtualised operating system to isolate the scammer’s activity, some form of reverse RDP attack, and the use of common hacking tools, seems likely.
J.Crew Customer Accounts Breached a Year Ago (Infosecurity Magazine, Mar 05 2020)
Retailer in much-delayed breach notification