A Review of the Best News of the Week on Identity Management & Web Fraud

Turn on MFA Before Crooks Do It For You (Krebs on Security, Jun 19 2020)
“Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. But people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Here’s the story of one such incident.

Identifying a Person Based on a Photo, LinkedIn and Etsy Profiles, and Other Internet Bread Crumbs (Schneier on Security, Jun 22 2020)
“Interesting story of how the police can identify someone by following the evidence chain from website to website. According to filings in Blumenthal’s case, FBI agents had little more to go on when they started their investigation than the news helicopter footage of the woman setting the police car ablaze as it was broadcast live May 30.”

FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy (Krebs on Security, Jun 18 2020)
An information technology specialist at the Federal Emergency Management Agency (FEMA) was arrested this week on suspicion of hacking into the human resource databases of University of Pittsburgh Medical Center (UPMC) in 2014, stealing personal data on more than 65,000 UPMC employees, and selling the data on the dark web.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Apple Announces New Privacy Features at WWDC 2020 (SecurityWeek, Jun 23 2020)
Apple kicked off its 2020 Worldwide Developers Conference (WWDC) on Monday — a virtual event due to the current coronavirus pandemic — and announced several new privacy features coming to its products.

Privacy-Focused OS Wants to Know How Facebook and the FBI Hacked it (VICE, Jun 23 2020)
The developers of Tails and a video player targeted by Facebook and the FBI in an operation to catch a child predator are still in the dark about how the feds hacked the software.

Phishing attacks impersonate QuickBooks invoices ahead of July 15 tax deadline (TechRepublic, Jun 22 2020)
Phishing attacks impersonate QuickBooks invoices ahead of July 15 tax deadline

Police arrested wrong man based on facial recognition fail, ACLU says (Ars Technica, Jun 24 2020)
Complaint alleges police said, “the computer got it wrong,” but arrested anyway.

Amazon establishes Counterfeit Crimes Unit with dedicated global team (Help Net Security, Jun 24 2020)
“Amazon announced it has established a new Counterfeit Crimes Unit, dedicated to bringing counterfeiters that violate the law and Amazon’s policies by listing counterfeit products in its store to justice. Amazon’s Counterfeit Crimes Unit is a global, multi-disciplinary team composed of former federal prosecutors, experienced investigators, and data analysts, and will join Amazon’s extensive work to drive counterfeit to zero.”

Google Tweaks Privacy Settings to Keep Less User Data (SecurityWeek, Jun 24 2020)
Google is tweaking its privacy settings to keep less data on new users by default.

US Indicts Six Nigerians Over $6m Email Scam (Infosecurity Magazine, Jun 18 2020)
US takes action against Nigerians who targeted Americans with email scams

Privacy and security concerns related to patient data in the cloud (Help Net Security, Jun 22 2020)
The Cloud Security Alliance has released a report examining privacy and security of patient data in the cloud. In the wake of COVID-19, health delivery organizations (HDOs) have quickly increased their utilization of telehealth capabilities (i.e., remote patient monitoring (RPM) and telemedicine) to treat patients in their homes.

Companies are rethinking their approach to privacy management (Help Net Security, Jun 21 2020)
TrustArc announced the results of its survey on how organizations are protecting and leveraging data, their most valuable asset. The survey polled more than 1,500 respondents from around the world at all levels of the organization. “There are more than 900 global privacy laws to which organizations must adhere, making privacy management an ongoing and dynamic challenge,” said Chris Babel, CEO, TrustArc.

Online Fraudsters Steal £17m Over #COVID19 Lockdown (Infosecurity Magazine, Jun 22 2020)
Action Fraud says younger shoppers are more likely to be tricked

5 Steps for Implementing Multicloud Identity (Dark Reading, Jun 23 2020)
Why embracing, not fighting, decentralization will pave the way to smoother cloud migrations.

Exposed Code in Contact Tracing Apps: Copycats and Worse (Infosecurity Magazine, Jun 23 2020)
Attack scenarios share a common characteristic: the ability to tamper with the integrity of contact tracing apps.

Anatomy of a survey scam – how innocent questions can rip you off (Naked Security – Sophos, Jun 22 2020)
We take part in a fraudulent survey so you don’t have to. Show your friends and family how these scams unfold.

Scam uses Elon Musk’s name to trick people out of US$2 million in bitcoin (WeLiveSecurity, Jun 22 2020)
The giveaway scheme uses the tech titan’s name as part of Bitcoin addresses for extra credibility

Why identity-based, distributed controls are better suited to address cloud-era threats (Help Net Security, Jun 25 2020)
With more and more IT resources moving to the cloud and remote work becoming a ubiquitous business practice due to COVID-19, perimeter-based security is undeniably becoming a weak link, especially since attackers have repeatedly demonstrated they can bypass firewalls and spread laterally within enterprise networks.

33% Surge in Financial Fraud Attempts During #COVID19 Lockdown (Infosecurity Magazine, Jun 25 2020)
Financial providers foil criminals seeking to take advantage of pandemic disruption

Companies Say Strong Authentication Important But Still Over-Rely on Passwords (SecurityWeek, Jun 24 2020)
The need for improved access control is proven by empirical observation — it keeps failing. But improving access control beyond passwords suffers from a fundamental contradiction: while 98% of companies believe strong authentication is necessary for secure cloud adoption, 41% believe the username/password combination is one of the most effective access management tools, and 58% allow their employees to log on to corporate resources via social media credentials.