A Review of the Best News of the Week on Identity Management & Web Fraud

The Value and Ethics of Using Phone Data to Monitor Covid-19 (Wired, Mar 18 2020)
Google and Facebook are discussing plans with the White House to share collective data on people’s movements during the coronavirus pandemic.

U.S. government, tech industry discussing ways to use smartphone location data to combat coronavirus (Washington Post, Mar 18 2020)
The U.S. government is in active talks with Facebook, Google and a wide array of tech companies and health experts about how they can use data gleaned from Americans’ phones to combat the novel coronavirus, including tracking whether people are keeping one another at safe distances to stem the outbreak.

The Internet is drowning in COVID-19-related malware and phishing scams (Ars Technica, Mar 16 2020)
Emails and websites promise info about the pandemic. In reality, they’re shams.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Homeland Security sued over secretive use of face recognition (Naked Security – Sophos, Mar 13 2020)
As of June 2019, CBP had processed more than 20 million travelers using facial recognition, civil rights group ACLU says.

Privacy in a Pandemic: What You Can (and Can’t) Ask Employees (Dark Reading, Mar 16 2020)
Businesses struggle to strike a balance between workplace health and employees’ privacy rights in the midst of a global health emergency.

Coronavirus Widens the Money Mule Pool (Krebs on Security, Mar 17 2020)
With many people being laid off or working from home thanks to the Coronavirus pandemic, cybercrooks are almost certain to have more than their usual share of recruitable “money mules” — people who get roped into money laundering schemes under the pretense of a work-at-home job offer. Here’s the story of one upstart mule factory that spoofs a major nonprofit and tells new employees they’ll be collecting and transmitting donations for an international “Coronavirus Relief Fund.”

Israel deploys cyber-monitoring against coronavirus, tells people not to leave home (Reuters, Mar 18 2020)
The Israeli government began deploying cellphone-monitoring technology against the coronavirus on Tuesday, and issued directives urging people not to leave home.

How China built facial recognition for people wearing masks (Ars Technica, Mar 18 2020)
Hanwang says its technology has reached 95% accuracy in identifying mask wearers.

The Best and Worst Browsers for Privacy, Ranked (Wired, Mar 19 2020)
A new study examines how Google Chrome, Mozilla Firefox, Apple Safari, Brave, Edge, and Yandex collect user data. 

Some commercial password managers vulnerable to attack by fake apps (Help Net Security, Mar 18 2020)
The research team found that some of the password managers used weak criteria for identifying an app and which username and password to suggest for autofill. This weakness allowed the researchers to impersonate a legitimate app simply by creating a rogue app with an identical name.

Student privacy laws still apply if coronavirus just closed your school (Ars Technica, Mar 12 2020)
FERPA is probably not in anyone’s top 100 concerns right now, but it still exists.

Volusion Magecart Breach Could Net Fraudsters $130m+ (Infosecurity Magazine, Mar 13 2020)
Gemini Advisory claims as many as 20 million card records may have been compromised.

Financial Services 2020 Privacy Report (Accenture, Mar 16 2020)
Financial firms face new privacy risks and requirements. Read what financial services privacy executives say they are doing to build their privacy function.

Princess Cruises Confirms Data Breach (Dark Reading, Mar 13 2020)
The cruise liner, forced to shut down operations due to coronavirus, says the incident may have compromised passengers’ personal data.

Eight million EU retail sales records exposed on AWS MongoDB (SC Media, Mar 16 2020)
A database hosted on Amazon Web Services holding eight million retail sales records from the European Union was left exposed, compromising customer personal and financial information. The open MongoDB database had no password or other authentication set. It was operated by a third-party vendor who pulled sales data from a range of retailers, including Amazon…

Guide: Supplier CCPA readiness for security and IT teams (Help Net Security, Mar 17 2020)
It’s important for security and IT professionals to understand how the California Consumer Privacy Act (CCPA) will affect how they do their jobs. Businesses that fail to comply with CCPA could face penalties of up to $7,500 per violation and individuals can seek damages through a class action.

Google strips location sharing from Google Hangouts (Ars Technica, Mar 17 2020)
Google seems determined to kill its best messaging app.

NIST shared dataset of tattoos that’s been used to identify prisoners (Naked Security – Sophos, Mar 19 2020)
The EFF got in touch with the institutions that have the dataset. Some deleted it, while one refused and others didn’t bother to respond.

Uber to file federal suit against LA over users’ real-time location data (Naked Security – Sophos, Mar 18 2020)
Real-time, in-trip geolocation data isn’t good for traffic/bike lane planning, a draft of the suit says. What it’s good for is surveillance.

Here’s What Facebook’s Internal Facial Recognition App Looked Like (VICE, Mar 18 2020)
When pointed at an individual it could recognize, the app said “You are friends.”