A Review of the Best News of the Week on Identity Management & Web Fraud

Riding the State Unemployment Fraud ‘Wave’ (Krebs on Security, May 23 2020)
“When a reliable method of scamming money out of people, companies or governments becomes widely known, underground forums and chat networks tend to light up with activity as more fraudsters pile on to claim their share. And that’s exactly what appears to be going on right now as multiple U.S. states struggle to combat a tsunami of phony Pandemic Unemployment Assistance (PUA) claims. Meanwhile, a number of U.S. states are possibly making it easier for crooks by leaking their citizens’ personal data from the very websites the unemployment scammers are using to file bogus claims.”

COVID-19 Tracing Apps & Measuring the Impact of Government Overreach (Wickr, May 21 2020)
As the COVID-19 crisis continues, government oversight and information gathering is at an all-time high.

GDPR enforcement over the past two years (Help Net Security, May 27 2020)
Two years after the GDPR went into effect, official data show that Data Protection Authorities (DPAs), crippled by a lack of resources, tight budgets, and administrative hurdles, have not yet been able to create adequate GDPR enforcement. Worse, some public authorities have grossly misused the GDPR to undermine other fundamental rights such as the right to free expression and freedom of the press, Access Now reveals.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Device owners demand opt-out power from COVID-19 contact tracing apps (SC Media, May 21 2020)
To encourage widespread acceptance of Bluetooth-based COVID-19 contact tracing applications, developers should allow consumers to opt out of data sharing at any time, and they should also be more forthcoming about their security efforts and data usage, according to the results of a new survey.

Choosing 2FA authenticator apps can be hard. Ars did it so you don’t have to (Ars Technica, May 27 2020)
Losing your 2FA codes can be bad. Having backups stolen can be worse. What to do?

Colorado and Ohio become latest states to disclose PUA program data leaks (SC Media, May 21 2020)
Colorado and Ohio have become the latest states to disclose the accidental exposure of information belonging to citizens who applied to the federal Pandemic Unemployment Assistance program as a means of seeking some financial security during the ongoing COVID-19 crisis.

Data Breach Hits Florida Unemployment System (SecurityWeek, May 22 2020)
Some Florida residents who have made unemployment claims may have had personal data stolen, officials said Thursday.

Two years later, has GDPR fulfilled its promise? (WeLiveSecurity, May 25 2020)
Has the landmark law helped build a culture of privacy in organizations and have consumers become more wary of sharing their personal data?

GDPR Enforcement Loosens Amid Pandemic (Dark Reading, May 27 2020)
The European Union has given some organizations more breathing room to remedy violations, yet no one should think regulators are planning to abandon the privacy legislation in the face of COVID-19.

Web Scrapers Have Bigger-Than-Perceived Impact on Digital Businesses (Dark Reading, May 21 2020)
The economic impact of bot traffic can be unexpectedly substantial, a PerimeterX-commissioned study finds.

Fiserv reduces the number of legitimate debit card transactions wrongly identified as fraudulent (Help Net Security, May 24 2020)
…it has launched a unique offering designed to reduce the number of legitimate debit card transactions that are wrongly identified and declined as fraudulent, while effectively managing risk.

Signal secure messaging can now identify you without a phone number (Naked Security – Sophos, May 22 2020)
Signal decouples its secure messaging service from your phone number – a bit.

Internet Organizations Ask US House to Limit Access to Search, Browsing History (SecurityWeek, May 26 2020)
In a letter to the U.S. House of Representatives, several Internet organizations are urging for an amendment to the surveillance bill known as the USA FREEDOM Reauthorization Act to prohibit warrantless collection of search and browsing history.

French Privacy Watchdog Okays Coronavirus Tracing App (SecurityWeek, May 27 2020)
France’s privacy watchdog gave the green light Tuesday to a government-backed cellphone app that will alert users if they have been in contact with an infected person.

Qatar Tracing App Flaw Exposed 1 Mn Users’ Data: Amnesty (SecurityWeek, May 26 2020)
A security flaw in Qatar’s controversial mandatory coronavirus contact tracing app exposed sensitive information of more than one million users, rights group Amnesty International warned Tuesday.

State-Based Contact-Tracing Apps Could Be a Mess (Wired, May 27 2020)
With no nationwide Covid-19 notification software in sight, security and interoperability issues loom large.

More than 80% of State Governments and Health Departments Exposed to Email Fraud Risk (Proofpoint, May 28 2020)
In an examination of U.S. state governments and health departments, Proofpoint uncovered that 44 percent of these entities do not have a published DMARC (Domain-based Message Authentication, Reporting & Conformance) record, making them potentially more susceptible to cybercriminals spoofing their identity and increasing the risk of email fraud targeting users.

Computer science student discovers privacy flaws in security and doorbell cameras (Help Net Security, May 28 2020)
Ring, Nest, SimpliSafe and eight other manufacturers of internet-connected doorbell and security cameras have been alerted to systemic design flaws discovered by Florida Tech computer science student Blake Janes that allows a shared account that appears to have been removed to actually remain in place with continued access to the video feed.

Data Breach at Bank of America (Infosecurity Magazine, May 27 2020)
Data breach mars Bank of America’s PPP application process

Arizona Takes Google to Court Over Location Tracking (SecurityWeek, May 28 2020)
The US state of Arizona filed a lawsuit Wednesday accusing Google of committing fraud by being deceptive about gathering location data.