A Review of the Best News of the Week on Identity Management & Web Fraud

“Privacy Nutrition Labels” in Apple’s App Store (Schneier on Security, Nov 12 2020)
Apple will start requiring standardized privacy labels for apps in its app store, starting in December:
Apple allows data disclosure to be optional if all of the following conditions apply: if it’s not used for tracking, advertising or marketing; if it’s not shared with a data broker; if collection is infrequent, unrelated to the app’s primary function, and optional; and if the user chooses to provide the data in conjunction with clear disclosure, the user’s name or account name is prominently

How the U.S. Military Buys Location Data from Ordinary Apps (VICE, Nov 16 2020)
A Muslim prayer app with over 98 million downloads is one of the apps connected to a wide-ranging supply chain that sends ordinary people’s personal data to brokers, contractors, and the military.

Data Breach Hits 28 Million Texan Drivers (Infosecurity Magazine, Nov 13 2020)
Human error at insurance software provider to blame

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Most Americans Reuse Passwords for Work Devices (Infosecurity Magazine, Nov 12 2020)
Survey finds 63% of US employees use same passwords for multiple accounts on work devices

The iOS Covid App Ecosystem Has Become a Privacy Minefield (Wired, Nov 13 2020)
An analysis of nearly 500 Covid-related apps worldwide shows major differences in how much data they expect you to give up.

Streetlight Spy Cameras Have Led to a Massive Privacy Backlash in San Diego (VICE, Nov 18 2020)
The city council unanimously voted to pass one of the strongest privacy regulations in the country after a campaign against ‘smart streetlights’

The Multi-Factor Factor (or How to Manage Authentication Risk) (Cloud Security Alliance, Nov 18 2020)
As we debate the necessity of various authentication factors, particularly for passwordless projects, it’s good to take a step back and remember how we got here. There are key three types of authentication:

Credential Stuffing Fills E-commerce Pipeline in 2020 (Dark Reading, Nov 12 2020)
There were 1.3 billion attacks in the third quarter alone, according to new analysis from Arkose Labs.

The iOS COVID-19 app ecosystem has become a privacy minefield (Ars Technica, Nov 15 2020)
Nearly 500 COVID-19-related apps worldwide were analyzed.

Scammers Expose Facebook Data Haul of 13 Million Records (Infosecurity Magazine, Nov 16 2020)
Misconfigured Elasticsearch database to blame

Mac certificate check stokes fears that Apple logs every app you run (Ars Technica, Nov 16 2020)
Amid concern that macOS logs app usage in real time, Apple issues assurances.

Explosion in digital commerce pushed fraud incentive levels sky-high (Help Net Security, Nov 16 2020)
A rise in consumer digital traffic has corresponded with a rise in fraud attacks, Arkose Labs reveals. As the year progresses and more people than ever are online, historically ‘normal’ online behavioral patterns are no longer applicable and holiday levels of digital traffic continue to occur on a near daily basis.

Over 80,000 ID Cards and Fingerprint Scans Exposed in Cloud Leak (Infosecurity Magazine, Nov 17 2020)
AWS S3 bucket managed by TronicsXchange is found online

Austria Privacy NGO Takes on Apple Over ‘Tracking Code’ (SecurityWeek, Nov 16 2020)
An Austrian online privacy NGO said on Monday it was lodging complaints against Apple in two countries over the use of a code on its phones that allows tracking of user behavior.

An Inside Look at an Account Takeover (Dark Reading, Nov 17 2020)
AI threat find: Phishing attack slips through email gateway and leads to large-scale compromise.

#ISSE2020: Look to Decentralized (Rather than Legacy) Identity Approvals (Infosecurity Magazine, Nov 17 2020)
The issues of identity and how legacy problems still impact users

The 200 Most Common Online Passwords of 2020 Are Awful (VICE, Nov 18 2020)
No, ‘naruto,’ ‘yugioh,’ and ‘pokemon’ are not good passwords.

Use real-time anomaly detection reference patterns to combat fraud (Google Cloud Blog, Nov 18 2020)
Businesses of every size and shape have a need to better understand their customers, their systems, and the impact of external factors on their business. How rapidly businesses mitigate risks and capitalize on opportunities can set apart successful businesses from businesses that can’t keep up.

​California Privacy Rights Act: What Are the Consequences for Cloud Users? (Cloud Security Alliance, Nov 13 2020)
California voters approved Proposition 24 on November 3, 2020, paving the way to the California Privacy Rights Act (CPRA), which, on January 1, 2023, will replace California’s current data protection law, the California Consumer Privacy Act (CCPA). CPRA slightly reshapes CCPA, creating additional rights for consumers and additional obligations and restrictions for businesses related to the use of consumer’s personal information, including limits to data collection and retention, among other.