A Review of the Best News of the Week on Identity Management & Web Fraud

99% of compromised Microsoft enterprise accounts lack MFA (Sophos, Mar 09 2020)
Cybercriminals compromise over a million Microsoft enterprise accounts each month as too few customers use multi-factor authentication.

Through apps, not warrants, ‘Locate X’ allows federal law enforcement to track phones (Protocol, Mar 05 2020)
Federal agencies have big contracts with Virginia-based Babel Street. Depending on where you’ve traveled, your movements may be in the company’s data.

FBI Arrests Alleged Owner of Deer.io, a Top Broker of Stolen Accounts (Krebs on Security, Mar 10 2020)
FBI officials last week arrested a Russian computer security researcher on suspicion of operating deer.io, a vast marketplace for buying and selling stolen account credentials for thousands of popular online services and stores.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Russia Is Learning How to Bypass Facebook’s Disinfo Defenses (Wired, Mar 05 2020)
Social media platforms have stepped up the fight against Russia’s Internet Research Agency—but the IRA is evolving too.

Here’s Why I’m Campaigning Against Facial Recognition in Schools (VICE, Mar 11 2020)
A student organizer explains why the fight to ban facial recognition in schools and college campuses is entering a critical moment.

Maximizing customer engagement when fraud prevention is top of mind (Help Net Security, Mar 09 2020)
According to the report, 52% of consumer banks plan on implementing additional security solutions to keep customers’ accounts secure, and 46% want to invest in better identity verification measures. But with attention – and budget – devoted almost exclusively to security and compliance, it’s easy for areas like innovation, customer engagement, and user experience to fall by the wayside. In the report cited above, only 28% of banks indicated an interest in adding support for new channels.

Dating App Maker Match Group Backs US Bill Seen as Privacy Threat (SecurityWeek, Mar 11 2020)
Match Group, the parent company of dating apps such as Tinder, on Tuesday publicly endorsed a US bill others in the tech industry fear will erode online privacy and speech in the name of fighting child abuse.

Google data puts innocent man at the scene of a crime (Naked Security – Sophos, Mar 10 2020)
The man became a suspect because location data from his Android phone was swept up in a surveillance dragnet called a geofence warrant.

IRS scams during tax season target unsuspecting consumers (Help Net Security, Mar 11 2020)
Scam robocalls and phishing emails disguised as banks continue to trick consumers to put their personal information at risk, and tax season is no exception. Increase in potential threats During this time of the year consumers need to be aware of the increase in potential threats as hackers pose as collectors from the IRS, tax preparers or government bureaus.

Brave browser to block web fingerprinting with randomisation (Naked Security – Sophos, Mar 11 2020)
Brave is testing a new defence against fingerprinting: confusing algorithms by randomising some of the data they collect.

How privacy and security affect product design (SC Media, Mar 05 2020)
Take, for example, California’s IoT Security law — enacted without much fanfare in September 2018 and effective as of January 1, 2020. In a nutshell, the law requires manufacturers of internet-connected devices sold or used in California to build reasonable security into those products. More specifically, it prohibits the use of generic default passwords.

Former Acting Inspector General Charged in Federal Fraud Scheme (Dark Reading, Mar 06 2020)
A federal grand jury has indicted Charles K. Edwards on 16 counts related to a conspiracy to steal software from one department and sell an enhanced version to another.

Fake Tech Support Company Dupes 40K Victims Out of $8m (Infosecurity Magazine, Mar 06 2020)
College drop-out admits setting up a fake company to con 40K victims out of $8m

Watch out for Office 365 and G Suite scams, FBI warns businesses (Naked Security – Sophos, Mar 10 2020)
The FBI has warned users of Microsoft Office 365 and Google G Suite hosted email about Business Email Compromise (BEC) scams.

Google Allows Enrolling Security Keys on More Devices (SecurityWeek, Mar 10 2020)
Google has announced that Android and macOS users can now use more web browsers to initially register security keys to their accounts.

Researchers Want to Protect Your Selfies From Facial Recognition (VICE, Mar 09 2020)
Fawkes’ may be the most advanced system yet for fooling facial recognition tech like Clearview AI—until the algorithms catch up.

Eight Million Shopper Records Leaked Online (Infosecurity Magazine, Mar 11 2020)
Unsecured MongoDB database exposes Amazon UK, eBay and other customers

Comcast accidentally published 200,000 “unlisted” phone numbers (Ars Technica, Mar 11 2020)
Comcast made the same mistake once before and had to pay $33 million.

Vermont sues Clearview, alleging “oppressive, unscrupulous” practices (Ars Technica, Mar 11 2020)
Vermont has a law regulating data brokers and claims Clearview broke it.

First 100,000 Victims of Western Union Fraud Scheme Receive $153m (Infosecurity Magazine, Mar 11 2020)
Western Union Remission Fund starts paying back victims of money transfer scams