A Review of the Best News of the Week on Identity Management & Web Fraud

Breached H2O plant employees used same TeamViewer password and no firewall (Ars Technica, Feb 10 2021)
Shortcomings illustrate the lack of security rigor in critical infrastructure environments.

Authorities bust SIM-swap ring they say took millions from the rich and famous (Ars Technica, Feb 10 2021)
SIM-swapping is a worldwide scourge. Law enforcement is trying to make a dent.

Browser ‘Favicons’ Can Be Used as Undeletable ‘Supercookies’ to Track You Online (VICE, Feb 09 2021)
Favicons can break through incognito mode, VPNs, and Pi-holes to track your movement online


Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



The cost of synthetic fraud to reach new highs (Help Net Security, Feb 09 2021)
TransUnion research finds instances of synthetic fraud and outstanding balances for suspected synthetic accounts at U.S. financial institutions have declined significantly after the WHO declared COVID-19 a global pandemic. However, new analysis by Aite Group finds the cost of synthetic fraud will rebound post-pandemic, reaching new highs. Synthetic identity fraud involves fraudsters creating fictitious identities by piecing together real identity attributes and fake information with the intent…

Scammers Selling Fake #COVID19 Vaccination Cards for Just $20 (Infosecurity Magazine, Feb 10 2021)
DomainTools says market is building for anti-vaxxers

UK Govt Reveals Plans to Build Trust in Use of Digital Identities (Infosecurity Magazine, Feb 11 2021)
Public invited to contribute to draft rules around data protection, security and inclusivity

Unemployment Fraud: As If Being Out of Work Wasn’t Bad Enough (Dark Reading, Feb 11 2021)
With the pandemic as a backdrop, cybercriminals have recognized an unprecedented opportunity to steer billions of dollars in unemployment claims into their own accounts.

ISO 27701: A Pathway to Privacy and Regulatory Compliance (Infosecurity Magazine, Feb 05 2021)
Answers to some commonly asked questions regarding ISO 27701

Cops can’t access $60M in seized bitcoin—fraudster won’t give password (Ars Technica, Feb 05 2021)
The fraudster served two years for distributing bitcoin mining malware.

Identity verification market to grow steadily in the next few years (Help Net Security, Feb 07 2021)
The identity verification market is expected to grow at a CAGR of 13.1% over the forecast period 2020 to 2025, according to ResearchAndMarkets. Adoption of solutions through stringent regulations and the need for compliance are influencing the market growth. The regulatory authorities have now become more stringent toward KYC (Know Your Customer) and AML (Anti-money Laundering) compliance, among reporting entities

Europol Breaks $14m Card Fraud Ring (Infosecurity Magazine, Feb 08 2021)
Operation Secreto results in 105 arrests across the continent

Tens of Thousands of Patient Files Leaked in US Hospital Attacks (Infosecurity Magazine, Feb 08 2021)
Ransomware group suspected, but lack of malware perplexes

Crypto Fund Founder Pleads Guilty to $100m Fraud Scheme (Infosecurity Magazine, Feb 08 2021)
Virgil Sigma and VQR investors left high and dry

Government Demands for Amazon User Data Exploded in 2020 (Wired, Feb 06 2021)
Plus: Smartmatic lawsuits, a fake WhatsApp, and more of the week’s top security news.

Most zoombombing incidents are inside jobs (Help Net Security, Feb 09 2021)
Most zoombombing incidents are “inside jobs” according to a study featuring researchers at Binghamton University, State University of New York. As the COVID-19 virus spread worldwide in early 2020, much of our lives went virtual, including meetings, classes and social gatherings.

Paralegal’s Pal Admits Outing Witnesses (Infosecurity Magazine, Feb 08 2021)
Iowan pleads guilty to accessing sensitive, non-public information and releasing it on Facebook

Web Credit Card Skimmer Steals Data from Another Credit Card Skimmer (Schneier on Security, Feb 09 2021)
“MalwareBytes is reporting a weird software credit card skimmer. It harvests credit card data stolen by another, different skimmer:

Even though spotting multiple card skimmer scripts on the same online shop is not unheard of, this one stood out due to its highly specialized nature.”

Tougher EU Privacy Rules Loom for Messenger, Zoom (SecurityWeek, Feb 10 2021)
Messaging apps such as Messenger or WhatsApp and video calls on Zoom face stricter privacy rules in Europe, after a draft law passed a key EU hurdle on Wednesday.

Don’t fear the authentication: Google Drive edition (Google Cloud Blog, Feb 09 2021)
“There are times when I’m building an application on GCP when I don’t want to use a more traditional datastore like Cloud SQL or Bigtable. Right now, for example, I’m building an app that allows non-technical folks to easily add icons into a build system. I’m not going to write a front-end from scratch, and teaching them source control, while valuable, isn’t really something I wanted to tackle right now. So an easy solution is to use Google Drive. Maybe you never thought of it as a data store…”

Big Tech will try to pre-empt harsh privacy laws by writing their own (Help Net Security, Feb 11 2021)
Over the past decade, the firms that make up the so-called Big Tech have captured enough of the global economy to resemble industrial cartels from a bygone era. Amazon, Apple, Google, Facebook, and Microsoft form behemoths within their respective markets. Whether you’re an individual or a business entity, avoiding these organizations or their subsidiaries is difficult. More than likely, your personal information is regularly collected and used by several of them.