A Review of the Best News of the Week on Identity Management & Web Fraud

CBP Bought ‘Global’ Location Data from Weather and Game Apps (VICE, Oct 06 2020)
New documents obtained by Motherboard provide more detail on what exactly location data firms are selling to the U.S. government.

Introducing Amazon One—a new innovation to make everyday activities effortless (Amazon Blog, Oct 08 2020)
We’re always looking for ways to make our customers’ lives better, and one area where we’ve spent time innovating is the customer shopping experience in stores. Today, our physical retail team is excited to introduce a new innovation called Amazon One.

Verizon Payment Security Report is a Wake-up Call: Time to Refocus on PCI DSS Compliance (Dark Reading, Oct 06 2020)
Too many organizations fail to enact the baseline payment security controls, according to the Verizon 2020 Payment Security Report, and the recent Blackbaud ransomware incident is merely the latest evidence.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

On Risk-Based Authentication (Schneier on Security, Oct 05 2020)
“Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users’ perception of RBA and helps to improve RBA implementations for a broader user acceptance.”

NIST launches privacy tech challenge with a $276,000 payout (SC Media, Oct 06 2020)
NIST is on the hunt for advancements that can better protect privacy within big data, which could have huge applications across public and private sectors.

Facial Recognition at the Border Is Fueling Other Forms of Surveillance, Report Says (VICE, Oct 07 2020)
Facial recognition images taken at border crossings can be repurposed by government agencies and private companies, threatening human rights, the report warns.

Promising Infusions of Cash, Fake Investor John Bernard Walked Away With $30M (Krebs on Security, Oct 07 2020)
September featured two stories on a phony tech investor named John Bernard, a pseudonym used by a convicted thief named John Clifton Davies who’s fleeced dozens of technology companies out of an estimated $30 million with the promise of lucrative investments. Those stories prompted a flood of tips from Davies’ victims that paint a much clearer picture of this serial con man and his cohorts, including allegations of hacking, smuggling, bank fraud and murder.

Wacky Indoor Amazon Drone Takes on Privacy Skeptics (SecurityWeek, Oct 02 2020)
It could be the wackiest product yet from Amazon — a tiny indoor drone which buzzes around people’s homes as a security sentry.

Two Charged in ATO Attack on US Athletes (Infosecurity Magazine, Oct 02 2020)
Charges brought after illegal takeover of NFL and NBA players’ social media accounts

LinkedIn Password Thief Jailed (Infosecurity Magazine, Oct 01 2020)
US imprisons cyber-thief who stole millions of user records from Dropbox and LinkedIn

‘Father of Identity Theft’ Sentenced to 207 Months (Dark Reading, Oct 02 2020)
James Jackson was convicted of mail fraud, aggravated identity theft, access device fraud, and theft of mail last year.

German Privacy Watchdog Fines H&M $41M for Spying on Workers (SecurityWeek, Oct 01 2020)
A German privacy watchdog said Thursday that it is fining clothing retailer H&M 35.3 million euros ($41 million) after the company was found to have spied on some of its employees in Germany.

H&M not alone: Companies often fall short in privacy protections for employees (SC Media, Oct 07 2020)
Many businesses treat information about their own employees differently than that of customers, which could place them squarely in violation of privacy regulations.

Biometric Data Collection Demands Scrutiny of Privacy Law (Dark Reading, Oct 02 2020)
An IT lawyer digs into the implications of collecting biometric data, why it can’t be anonymized, and what nations are doing about it.

Why CIOs need to focus on password exposure, not expiration (Help Net Security, Oct 05 2020)
The cybersecurity market is growing even in the midst of the pandemic-driven economic downturn, with spending predicted to reach $123 billion by the end of the year. While disruptive technologies are undoubtedly behind much of this market growth, companies cannot afford to overlook security basics.

Preventing ecommerce fraud: A look at current trends and patterns (Help Net Security, Oct 04 2020)
Forter released its Fraud Attack Index, delivering in-depth insight into the impact of COVID-19 on online buyer behavior and ecommerce fraud trends. This edition revealed that: New customer accounts now represent 30% of transactions, five times more than they did pre-COVID-19.

NIST crowdsourcing challenge aims to de-identify public data sets to protect individual privacy (Help Net Security, Oct 04 2020)
NIST has launched a crowdsourcing challenge to spur new methods to ensure that important public safety data sets can be de-identified to protect individual privacy. The Differential Privacy Temporal Map Challenge includes a series of contests that will award a total of up to $276,000 for differential privacy solutions for complex data sets that include information on both time and location. Critical applications vulnerability For critical applications such as emergency planning and epidemiology,

As ATO attacks surge, consumers expect merchants to protect them from fraud (Help Net Security, Oct 05 2020)
Attempted account takeover (ATO) attacks swelled 282 percent between Q2 2019 and Q2 2020, Sift reveals. Likewise, ATO rates for physical ecommerce businesses — those that sell physical goods online — jumped 378 percent since the start of the COVID-19 pandemic, indicating that fraudsters are leaning heavily on this attack vector in order to steal payment information and rewards points stored in online accounts on merchant websites.

Attacks on authentication turn ransomware from disruption to disaster (SC Media, Oct 05 2020)
Ransomware has become an endemic problem in both the public and private sectors globally. And, let’s be honest: it has been for years. Recently, the cybercrime landscape shifted.

New Privacy Features in iOS 14 (Schneier on Security, Oct 07 2020)
A good rundown.