A Review of the Best News of the Week on Identity Management & Web Fraud

Business ID Theft Soars Amid COVID Closures (Krebs on Security, Jul 27 2020)
“When a business owner wants to open a new line of credit, creditors typically check with Dun & Bradstreet to gauge the business’s history and trustworthiness.

In 2019, Dun & Bradstreet saw more than a 100 percent increase in business identity theft. For 2020, the company estimates an overall 258 percent spike in the crime. Dun & Bradstreet said that so far this year it has received over 4,700 tips and leads where business identity theft or malfeasance are suspected.”

Nation State Attackers Shift to Credential Theft (Infosecurity Magazine, Jul 29 2020)
Nation state attackers shift from financial theft and gain to stealing user credentials

Rite Aid Drops Facial Recognition Tech (Infosecurity Magazine, Jul 29 2020)
US drugstore chain removes facial recognition technology from 200 stores

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~15,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Over 1000 Twitter staff and contractors had access to internal tools that helped hackers hijack accounts (Graham Cluley, Jul 27 2020)
As Twitter and law enforcement agencies investigate the high profile attack against Twitter accounts, there is a clear lesson for other businesses to learn.

How well do face recognition algorithms identify people wearing masks? (Help Net Security, Jul 28 2020)
Even the best of the 89 commercial facial recognition algorithms tested had error rates between 5% and 50% in matching digitally applied face masks with photos of the same person without a mask.

The results were published as a NIST Interagency Report (NISTIR 8311), the first in a planned series from NIST’s Face Recognition Vendor Test (FRVT) program on the performance of face recognition algorithms on faces partially covered by protective masks.

Amazon Fraud Detector is now Generally Available (AWS News Blog, Jul 28 2020)
Amazon Fraud Detector was originally released in preview mode on December 3rd, 2019. But today it is now Generally Available for customers to check out.

Amazon Fraud Detector is a fully managed service that makes it easy to identify potentially fraudulent online activities such as online payment fraud and the creation of fake accounts.

Here’s Why Credit Card Fraud is Still a Thing (Krebs on Security, Jul 29 2020)
“Most of the civilized world years ago shifted to requiring computer chips in payment cards that make it far more expensive and difficult for thieves to clone and use them for fraud. One notable exception is the United States, which is still lurching toward this goal. Here’s a look at the havoc that lag has wrought, as seen through the purchasing patterns at one of the underground’s biggest stolen card shops that was hacked last year.”

Tech unicorn Dave admits to security breach impacting 7.5 million users (ZDNet, Jul 27 2020)
Dave user data is now available for download on a public hacking forum.

Cosmetics Giant Avon Leaks 19 Million Records (Infosecurity Magazine, Jul 28 2020)
Unsecured cloud server discovered by researchers

Promo Data Breach Hits 14.6 Million User Accounts (Infosecurity Magazine, Jul 29 2020)
Dark web traders selling personal data and cracked passwords

Instacart customer accounts for sale on dark web (SC Media, Jul 23 2020)
Instacart may have offered Americans a way to stay safe during the pandemic by doing their grocery shopping online but now the grocery app may have put customers at risk after 278,531 accounts were found on sale in two dark web stores.

Attackers have created a specialized economy around email account takeover (Help Net Security, Jul 27 2020)
More than one-third of the hijacked accounts analyzed by researchers had attackers dwelling in the account for more than one week.
20% of compromised accounts appear in at least one online password data breach, which suggests that cybercriminals are exploiting credential reuse across employees’ personal and organization accounts.

Former Florida Tax Collector Charged with Identity Theft (Infosecurity Magazine, Jul 24 2020)
Ex-Florida tax collector indicted for stalking and stealing identity of political rival

US Law Firm Sued Over Fraudulent Wire Transfer (Infosecurity Magazine, Jul 24 2020)
American international law firm Holland & Knight is facing a lawsuit over a fraudulent wire transfer that saw criminals make off with more than $3m.

According to the suit, the law firm was hired by two foundations to sell some stock and carry out a merger plan related to the sale. However, a fraudster was able to steal the proceeds from the sale after intercepting emails from the firm and impersonating the stock seller.

Images in Eye Reflections (Schneier on Security, Jul 27 2020)
“In Japan, a cyberstalker located his victim by enhancing the reflections in her eye, and using that information to establish a location.

Reminds me of the image enhancement scene in Blade Runner. That was science fiction, but now image resolution is so good that we have to worry about it.”

Researchers Foil Phishing Attempt on Netflix Customers (Dark Reading, Jul 28 2020)
Hackers use two stolen domains to steal credentials from Netflix users and then send them to the real Netflix site.

This Billion Dollar Company Considers Privacy Laws a Threat to Its Business (VICE, Jul 29 2020)
ZoomInfo scrapes users’ emails and feeds that data back into its product. A recent public filing demonstrates how businesses in this space view privacy laws.

Customer update: AWS and the EU-US Privacy Shield (AWS Security Blog, Jul 27 2020)
Recently, the Court of Justice of the European Union (CJEU) issued a ruling regarding the EU-US Privacy Shield and Standard Contractual Clauses (SCCs), also known as model clauses. The CJEU ruled that the EU-US Privacy Shield is no longer valid for the transfer of personal data from the European Union (EU) to the United States (US). However, in the same ruling, the CJEU confirmed that companies can continue to use SCCs as a valid mechanism for transferring data outside of the EU.

Following this ruling, we wanted to inform you that AWS customers and partners can continue to use AWS to transfer their content from Europe to the US and other countries, in compliance with EU data protection laws – including the General Data Protection Regulation (GDPR).

Most consumers believe government regulation should help address privacy risks (Help Net Security, Jul 29 2020)
For instance, 60% of consumers believe government regulation should help address the privacy risks facing consumers today, of which 34% say government regulation is needed to protect personal privacy and 26% believe a hybrid option (regulation and self-regulation) should be pursued.

US tax service says, “2FA is a must!” (Naked Security – Sophos, Jul 29 2020)
We know it’s an old drum, but we’re not tired of beating it yet: 2FA is your friend.