A Review of the Best News of the Week on Identity Management & Web Fraud

Identifying People by Their Browsing Histories (Schneier on Security, Aug 25 2020)
“Interesting paper: “Replication: Why We Still Can’t Browse in Peace: On the Uniqueness and Reidentifiability of Web Browsing Histories”:
We examine the threat to individuals’ privacy based on the feasibility of reidentifying users through distinctive profiles of their browsing history visible to websites and third parties.”

iOS 14 privacy settings will tank ad targeting business, Facebook warns (Ars Technica, Aug 26 2020)
Facebook is worried that users won’t opt in to tracking when given the choice.

The Loophole the DMV Uses to Sell Your Data to Private Investigators (VICE, Aug 27 2020)
Some private investigators told Motherboard that the reasons they can give to DMVs to access drivers’ personal data are too broad.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Experian Data Breach Hits 24 Million Customers (Infosecurity Magazine, Aug 20 2020)
South African businesses also affected as fraudster tricks firm

How Four Brothers Allegedly Fleeced $19 Million From Amazon (Wired, Aug 20 2020)
The scheme involved 7,000 $94 toothbrushes, according to law enforcement.

Yet Another Biometric: Bioacoustic Signatures (Schneier on Security, Aug 21 2020)
Sound waves through the body are unique enough to be a biometric:

“Modeling allowed us to infer what structures or material features of the human body actually differentiated people,” explains Joo Yong Sim, one of the ETRI researchers who conducted the study. “For example, we could see how the structure, size, and weight of the bones, as well as the stiffness of the joints, affect the bioacoustics spectrum.”

Amazon Supplier Fraud (Schneier on Security, Aug 26 2020)
“Interesting story of an Amazon supplier fraud:
According to the indictment, the brothers swapped ASINs for items Amazon ordered to send large quantities of different goods instead. In one instance, Amazon ordered 12 canisters of disinfectant spray costing $94.03. The defendants allegedly shipped 7,000 toothbrushes costing $94.03 each, using the code for the disinfectant spray, and later billed Amazon for over $650,000.”

MFA Mistakes: 6 Ways to Screw Up Multifactor Authentication (Dark Reading, Aug 20 2020)
Fearful of messing up its implementation, many enterprises are still holding out on MFA. Here’s what they need to know.

Instacart Reveals Third Party Employees Accessed Customer Data (Infosecurity Magazine, Aug 21 2020)
Instacart reveals that employees of a third party vendor viewed shopper profiles more than was necessary

Volume of Stolen Cards on Dark Web Drops 41% (Infosecurity Magazine, Aug 21 2020)
Russian crackdown and COVID-19 to blame, claims Sixgill

Why we need a federal data privacy law – and how CCPA sets the pace (SC Media, Aug 21 2020)
The country needs to pass federal privacy legislation to establish a national standard for individual rights. Today, too many state laws exist, creating confusion and duplication. We need to create a national standard that would apply to all businesses and organizations. By not having a national standard, we miss the opportunity to establish a consistent…

Grandoreiro banking trojan impersonates Spain’s tax agency (WeLiveSecurity, Aug 22 2020)
Beware the tax bogeyman – there are tax scams aplenty

Unredacted suit shows Google’s own engineers confused by privacy settings (Ars Technica, Aug 25 2020)
Users could make change, but it was “difficult enough that people won’t,” one employee wrote.

The state of GDPR compliance in the mobile app space (Help Net Security, Aug 26 2020)
Among the rights bestowed upon EU citizens by the General Data Protection Regulation (GDPR) is the right to access their personal data stored by companies (i.e., data controllers) and information about how this personal data is being processed. A group of academics from three German universities has decided to investigate whether and how mobile app vendors respond to subject access requests, and the results of their four-year undercover field study are dispiriting.

FBI Investigates COVID-19 Patient Data Breach (Infosecurity Magazine, Aug 25 2020)
A COVID-19 patient data breach in South Dakota is under federal investigation

Participant in Phony Tech Support Scheme Pleads Guilty (SecurityWeek, Aug 26 2020)
A man authorities say participated in a scam to steal victims’ banking information by offering phony computer tech support services has pleaded guilty, federal prosecutors say. Abrar Anjum, 34, a citizen of India, pleaded guilty Monday to conspiracy to commit wire fraud in U.S. District Court in Providence.

Customs and Border Protection Paid $476,000 to a Location Data Firm in New Deal (VICE, Aug 25 2020)
It’s just a question of, one, is it ethical, and two, does that open up the information to being released elsewhere?,’ a former Venntel worker told Motherboard.

Privacy conscious cloud migrations: mapping the AWS Cloud Adoption Framework to the NIST Privacy Framework (AWS Security Blog, Aug 19 2020)
This post will help you make privacy-conscious cloud migration decisions by mapping the National Institute of Standards and Technology (NIST) Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (NIST Privacy Framework) to the AWS Cloud Adoption Framework (AWS CAF).

Facing gender bias in facial recognition technology (Help Net Security, Aug 27 2020)
In the 1960s, Woodrow W. Bledsoe created a secret program that manually identified points on a person’s face and compared the distances between these coordinates with other images. Facial recognition technology has come a long way since then. The field has evolved quickly and software can now automatically process staggering amounts of facial data in real time, dramatically improving the results (and reliability) of matching across a variety of use cases.

Ghanaian Extradited to U.S. for Cybercrimes That Caused Millions in Losses (SecurityWeek, Aug 26 2020)
A man from the African country of Ghana was recently extradited to the United States over his role in various types of cybercrime schemes that authorities say caused millions of dollars in losses.