A Review of the Best News of the Week on Identity Management & Web Fraud

How My Boss Monitors Me While I Work From Home (The New York Times, May 07 2020)
As we shelter in place in the pandemic, more employers are using software to track our work — and us.

Me on COVID-19 Contact Tracing Apps (Schneier on Security, May 01 2020)
“My problem with contact tracing apps is that they have absolutely no value,” Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet & Society at Harvard University, told BuzzFeed News. “I’m not even talking about the privacy concerns, I mean the efficacy. Does anybody think this will do something useful? … This is just something governments want to do for the hell of it. To me, it’s just techies doing techie things because they don’t know what else to do.”

Moving from reCAPTCHA to hCaptcha (The Cloudflare Blog, May 05 2020)
“We recently migrated the CAPTCHA provider we use from Google’s reCAPTCHA to a service provided by the independent hCaptcha. Since this change potentially impacts all Cloudflare customers, we wanted to walk through the rationale in more detail.”


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Face ID doesn’t work when you’re wearing a mask—Apple’s about to address that (Ars Technica, Apr 30 2020)
Not every beta feature makes it to release, but this one seems likely.

COVID-19 Contact Tracing Apps: Effective Virus Risk Management Tools or Privacy Nightmare? (SecurityWeek, May 04 2020)
Contact tracing apps for COVID-19 (coronavirus) leverage technology as a route to release citizens from lockdown. People would be set free and the economy could restart. It’s an attractive promise – but experts warn the technology hasn’t been sufficiently examined.

Hacker Bribed ‘Roblox’ Insider to Access User Data (VICE, May 04 2020)
The hacker was able to look up information on high-profile Roblox users as well as reset passwords and take other actions on accounts.

GoDaddy – “unauthorized individual” had access to login info (Naked Security – Sophos, May 05 2020)
Web hosting behemoth GoDaddy just filed a data breach notification with the US state of California.

India orders coronavirus tracing app for all workers (Reuters, May 07 2020)
India has ordered all public and private sector employees use a government-backed contact tracing app and maintain social distancing in offices as it begins easing some of its lockdown measures in districts less affected by the coronavirus.

Singapore to require smartphone check-ins at all businesses and will log visitors’ national identity numbers (The Register, May 07 2020)
Even parks and train stations encouraged to use QR codes. Which may show the limits of Bluetooth contact-tracing!

COVID-19 stimulus fraud targets U.S. citizens (Secureworks, May 07 2020)
Threat actors are selling and buying U.S. taxpayers’ data on underground forums to facilitate theft of coronavirus-relief stimulus checks and income tax refunds.

Sophisticated Phishing Kit Used by Multiple Groups to Target Executives (SecurityWeek, May 01 2020)
A sophisticated phishing kit has been used by multiple cybercrime groups to target high-ranking employees in North America and other parts of the world, and researchers believe there are at least 150 victims.

CCPA privacy requests cost business up to $275k per million consumer records (Help Net Security, May 04 2020)
Organizations who plan on manually processing CCPA data subject requests (DSRs) or data subject access requests will spend between $140k – $275k per million consumer records they have in their systems, according to DataGrail.

How to prevent permission bloat: Overlooked and hidden access (Help Net Security, May 05 2020)
When it comes to your organizational security, you should leave no stone unturned. Overlooked access rights are one of the most unnoticed security threats your organization can face – and it’s less of a stone and more of a somehow-overlooked, but ever-looming mountain.

Why you should be rushing to deploy multi-factor authentication to support remote work (Help Net Security, May 05 2020)
According to a recent Gartner survey, the biggest barrier to effective remote work is poor technology and/or infrastructure for remote work.

Preventing account takeover and social engineering attacks (Help Net Security, May 05 2020)
Since the COVID-19 outbreak, digital fraud has increased significantly, especially when it comes to account takeover. In this Help Net Security podcast, Angie White, Senior Product Marketing Manager at TransUnion, explores ATO and social engineering attacks and offers some suggestions on how to address these threats.

Firefox’s Private Relay service tests anonymous email alias feature (Naked Security – Sophos, May 05 2020)
Mozilla says it will help you come up with alternative email addresses when you sign up for new accounts.

India’s Covid-19 Contact Tracing App Could Leak Patient Locations (Wired, May 06 2020)
The system’s use of GPS data could let hackers pinpoint who reports a positive diagnosis.

AWS IAM introduces updated policy defaults for IAM user passwords (AWS Security Blog, May 03 2020)
“To improve the default security for all AWS customers, we are adding a default password policy for AWS Identity and Access Management (IAM) users in AWS accounts. This update will be made globally to the IAM service on August 3rd, 2020.”

Firefox 76 delivers new password security features and security fixes (Help Net Security, May 07 2020)
Mozilla has released Firefox 76, which comes with critical security fixes and new features related to Firefox Lockwise, the browser’s password manager/generator that’s also available as a standalone app for iOS and Android.

A Fifth of Consumers Hit by Fraud Over Past Year (Infosecurity Magazine, May 07 2020)
Marqeta study finds Brits are less alert to risk exposure than US consumers