A Review of the Best News of the Week on Identity Management & Web Fraud

Clear – U.S. Airports. Now It Wants Your Entire Digital Identity. (Medium, Oct 20 2020)
‘You are your driver’s license, your credit card, your health care card, your building access card’

Singapore’s World-First Face Scan Plan Sparks Privacy Fears (SecurityWeek, Oct 19 2020)
Singapore will become the world’s first country to use facial verification in its national ID scheme, but privacy advocates are alarmed by what they say is an intrusive system vulnerable to abuse.

Morgan Stanley Fined $60m Over Data Disposal (Infosecurity Magazine, Oct 20 2020)
Failure to properly oversee decommissioning of data centers lands Morgan Stanley a hefty fine


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

US Indicts Members of Transnational Money-Laundering Organization (Dark Reading, Oct 15 2020)
Members of the QQAAZZ group helped cybercriminals conceal origins of stolen funds, DoJ alleges.

Banks risk losing customers with anti-fraud practices (Help Net Security, Oct 15 2020)
Many banks across the U.S. and Canada are failing to meet their customers’ online identity fraud and digital banking needs, according to a survey from FICO. Despite COVID-19 quickly turning online banking into an essential service, the survey found that financial institutions across North America are struggling to establish practices that combat online identity fraud and money laundering, without negatively impacting customer experience.

VoIP Firm Broadvoice Leaks 350 Million Customer Records (Infosecurity Magazine, Oct 16 2020)
Elasticsearch misconfiguration to blame once again

Minneapolis Will Consider Facial Recognition Ban (VICE, Oct 16 2020)
The motion could signal a wave of reforms over the use of military and surveillance equipment following the killing of George Floyd by Minneapolis police.

Global adoption of data and privacy programs still maturing (Help Net Security, Oct 19 2020)
The importance of privacy and data protection is a critical issue for organizations as it transcends beyond legal departments to the forefront of an organization’s strategic priorities. FairWarning research, based on survey results from more than 550 global privacy and data protection, IT, and compliance professionals, outlines the characteristics and behaviors of advanced privacy and data protection teams.

UK Data Privacy Watchdog Slashes BA Fine as Virus Bites (SecurityWeek, Oct 19 2020)
The UK’s data privacy watchdog on Friday slashed a fine imposed on British Airways over a cyber attack after taking into account coronavirus fallout on the embattled airline’s finances.

Can we trust passwordless authentication? (Help Net Security, Oct 20 2020)
We are beginning to shift away from what has long been our first and last line of defense: the password. It’s an exciting time. Since the beginning, passwords have aggravated people. Meanwhile, passwords have become the de facto first step in most attacks. Yet I can’t help but think, what will the consequences of our actions be?

Biometric device revenues to drop 22%, expected to rebound in 2021 (Help Net Security, Oct 19 2020)
In the aftermath of the COVID-19 pandemic, global biometric device revenues are expected to drop 22% ($1.8 billion) to $6.6 billion, according to a report from ABI Research. The entire biometrics market, however, will regain momentum in 2021 and is expected to reach approximately $40 billion in total revenues by 2025.

Identity-Focused Intelligence Firm 4iQ Raises $30 Million (SecurityWeek, Oct 20 2020)
Identity-focused intelligence company 4iQ on Tuesday announced that it has raised $30 million in a Series C funding round led by ForgePoint Capital and Benhamou Global Ventures.

Major Data Breach at Ohio School District (Infosecurity Magazine, Oct 20 2020)
Personal data of faculty, staff, and students exposed in data breach at Toledo Public Schools

How to automatically archive expected IAM Access Analyzer findings (AWS Security Blog, Oct 12 2020)
AWS Identity and Access Management (IAM) Access Analyzer continuously monitors your Amazon Web Services (AWS) resource-based policies for changes in order to identify resources that grant public or cross-account access from outside your AWS account or organization.

How to add authentication to a single-page web application with Amazon Cognito OAuth2 implementation (AWS Security Blog, Oct 09 2020)
“In this post, I’ll be showing you how to configure Amazon Cognito as an OpenID provider (OP) with a single-page web application. This use case describes using Amazon Cognito to integrate with an existing authorization system following the OpenID Connect (OIDC) specification.”

Sharing our data privacy commitments for the AI era (Google Cloud Blog, Oct 14 2020)
More and more companies want to adopt the latest cloud-based artificial intelligence (AI) and machine learning (ML) technologies, but they are subject to an increasing array of data privacy regulations. This is an important concern for customers, who are interested in using AI and ML systems to drive better business outcomes while complying with new data privacy laws.

Data Privacy vs. Data Security: What is the Core Difference? (Cloud Security Alliance, Oct 20 2020)
For organizations that collect or manage data—and individuals who own it—private data and the security of that data should not be taken lightly. They are primary concerns when undertaking the process of protecting fundamentally sensitive information such as identities, finances, and health records. Without them, cybercriminals and other malicious actors would have access to staggering amounts of potentially damaging data. However, not everyone recognizes or understands the difference between data privacy and security. As a result, the terms are often used incorrectly or confused as the same thing.

So, what are data privacy and security?

Fraud Analysts Miss Dark Web Data (Infosecurity Magazine, Oct 22 2020)
Nearly half of fraud analysts investigating financial crimes are not able to follow leads into the dark web

Time for a mobile privacy reset? (Naked Security – Sophos, Oct 22 2020)
Can you remember which permissions you gave to what apps, and why? Nor can we… time for a reset!

XSS Vulnerability Exploited in Tech Support Scam (SecurityWeek, Oct 22 2020)
Malwarebytes security researchers have identified a new campaign in which tech support scammers are exploiting a cross-site scripting (XSS) vulnerability and are relying exclusively on links posted on Facebook to reach potential victims.