A Review of the Best News of the Week on Identity Management & Web Fraud

Twitter getting better at detecting fraudulent accounts (SC Media, Jun 03 2020)
Twitter this week said that it removed an account that pretended to be Antifa — the anti-fascist organization President Trump has claimed is an instigator of ongoing protests surrounding the police killing of George Floyd — but was actually the handiwork of a white power group.

Facebook to verify identities on accounts that churn out viral posts (Naked Security – Sophos, Jun 01 2020)
Hopefully it’s a COVID-19 version of what it did post-2016 elections, when it required verification of those buying political or issue ads.

Romanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2 Billion (Krebs on Security, Jun 04 2020)
“An exhaustive inquiry published today by a consortium of investigative journalists says a three-part series KrebsOnSecurity published in 2015 on a Romanian ATM skimming gang operating in Mexico’s top tourist destinations disrupted their highly profitable business, which raked in an estimated $1.2 billion and enjoyed the protection of top Mexican authorities.”

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Google sued by Arizona for tracking users’ locations in spite of settings (Naked Security – Sophos, May 29 2020)
Maps, weather, searches et al. suck up location data in the background, even if Tracking is turned off. Arizona says it’s consumer fraud.

Facial recognition fails accuracy test raises privacy concerns; ACLU sues Clearview AI (SC Media, May 28 2020)
Existing criticisms of facial recognition technology are once again being called into question as news emerged that Amazon’s “Rekognition” software incorrectly matched 105 U.S. and U.K. politicians. A blog post by privacy advocate Paul Bischoff published on comparitech.com on May 28 criticized the tool for being inaccurate after he compared new data from Comparitech…

Password Changing After a Breach (Schneier on Security, Jun 01 2020)
“This study shows that most people don’t change their passwords after a breach, and if they do they change it to a weaker password. Abstract: To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts. Ideally, affected companies should strongly encourage this behavior and have mechanisms in…”

COVID-19 privacy protection bill introduced with bipartisan support (Ars Technica, Jun 02 2020)
The bill’s authors hope privacy and public health don’t have to be at odds.

Google Faces $5B Lawsuit for Tracking Users in Incognito Mode (Dark Reading, Jun 03 2020)
A proposed class-action lawsuit accuses Google of collecting browser data from people who used “private” mode.

Kentucky is 6th state to disclose leak of unemployment claims amid Covid-19 (SC Media, May 29 2020)
Kentucky has become the sixth state to disclose a data leak related to unemployment-related forms that has taken place during the Covid-19 pandemic.

People know reusing passwords is risky – then do it anyway (WeLiveSecurity, May 28 2020)
And most people don’t change their password even after hearing about a breach, a survey finds.

OPSEC fail! “Super-hacker” accidentally outs himself through careless clues left on social media (Graham Cluley, May 29 2020)
Hacker VandaTheGod didn’t realise he was leaving clues scattered across Facebook and Twitter that helped security researchers uncover his true identity.

iPhone privacy prompts discriminate against non-Apple apps, complaint says (Ars Technica, May 29 2020)
Anticipating a competing product from Apple, Tile goes on the offensive.

How to Protest Safely in the Age of Surveillance (Wired, May 31 2020)
Law enforcement has more tools than ever to track your movements and access your communications. Here’s how to protect your privacy if you plan to protest.

The “return” of fraudulent wire transfers (Help Net Security, Jun 03 2020)
Ransomware gangs targeting businesses are currently getting more public attention, but scammers trying to trick employees into performing fraudulent wire transfers are once again ramping up their efforts…

How do industry verticals shape IAM priorities? (Help Net Security, Jun 03 2020)
IAM priorities differ by industry vertical, and a one-size-fits-all approach to IAM doesn’t work when every industry and business within that industry is unique, according to LastPass and Vanson Bourne.

Amtrak breached, some customers’ logins and PII potentially exposed (Naked Security – Sophos, Jun 03 2020)
The US rail service hasn’t disclosed the number of passengers affected in a 16 April breach.

French Virus Tracing App Goes Live Amid Debate Over Privacy (SecurityWeek, Jun 02 2020)
France is rolling out an official coronavirus contact-tracing app aimed at containing fresh outbreaks as lockdown restrictions gradually ease, becoming the first major European country to deploy the smartphone technology amid simmering debates over data privacy.

What Government Contractors Need to Know About NIST, DFARS Password Reqs (Dark Reading, Jun 03 2020)
Organizations that fail to comply with these rules can get hit with backbreaking fines and class-action lawsuits.

San Francisco benefits program breach exposes PII on 74,000 (SC Media, Jun 04 2020)
A breach of the San Francisco Employees’ Retirement System (SFERS) may have exposed the information of 74,000 members, including names, addresses, birth dates, banking and IRS data as well as details on beneficiaries.

Work from home survey finds major security lapses as workers share devices, reuse passwords (SC Media, Jun 03 2020)
Stay-at-home workers are threatening corporate IT security with 93 percent of them admitting they reuse passwords and 29 percent allowing other family members to use their company-issued devices for homework and online entertainment, according to a report from CyberArk.