A Review of the Best News of the Week on Identity Management & Web Fraud
How $100M in Jobless Claims Went to Inmates (Krebs on Security, Feb 25 2021)
“The U.S. Labor Department’s inspector general said this week that roughly $100 million in fraudulent unemployment insurance claims were paid in 2020 to criminals who are already in jail. That’s a tiny share of the estimated tens of billions of dollars in jobless benefits states have given to identity thieves in the past year. To help reverse that trend, many states are now turning to a little-known private company called ID.me.”
Google Vows to Stop Tracking Individual Browsing for Ads (SecurityWeek, Mar 03 2021)
Google on Wednesday pledged to steer clear of tracking individual online activity when it begins implementing a new system for targeting ads without the use of so-called “cookies”
Okta says it’s buying security rival Auth0 for $6.5 billion, sending stock plunging (CNBC, Mar 04 2021)
Okta, whose software allows office workers to access their apps through a secure service, is buying one of its top competitors.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
TikTok owner ByteDance to pay $92M in US privacy Settlement (SecurityWeek, Feb 26 2021)
TikTok’s Chinese parent company ByteDance has agreed to pay $92 million in a settlement to U.S. users who are part of a class-action lawsuit alleging that the video-sharing app failed to get their consent to collect data in violation of a strict Illinois privacy law.
Judge Approves $650M Facebook Privacy Lawsuit Settlement (SecurityWeek, Feb 27 2021)
A federal judge on Friday approved a $650 million settlement of a privacy lawsuit against Facebook for allegedly using photo face-tagging and other biometric data without the permission of its users.
Meet the Vaccine Appointment Bots, and Their Foes (SecurityWeek, Feb 26 2021)
Having trouble scoring a COVID-19 vaccine appointment? You’re not alone. To cope, some people are turning to bots that scan overwhelmed websites and send alerts on social media when slots open up.
United Airlines to Pay $49m to Settle False Data Claim (Infosecurity Magazine, Mar 01 2021)
Airline accused of defrauding USPS with false automated delivery scan data
Microsoft Pays $50,000 Bounty for Account Takeover Vulnerability (SecurityWeek, Mar 03 2021)
A security researcher says Microsoft has awarded him a $50,000 bounty reward for reporting a vulnerability that could have potentially allowed for the takeover of any Microsoft account.
One in four people use work passwords for consumer websites (Help Net Security, Feb 26 2021)
Employees working from home on a company-provided computer are demonstrating a clear lack of cybersecurity knowledge through high-risk behavior, according to a report released by Ivanti. Using work passwords for consumer websites The report found that one in four consumers admit to using their work email or passwords to log in to consumer websites and applications such as food delivery apps, online shopping sites and even dating apps.
Six Alabamans Charged in $7m Virtual Schools Fraud (Infosecurity Magazine, Feb 25 2021)
School officials accused of falsifying enrollment figures to get more state funding
Schools Are Abandoning Invasive Proctoring Software After Student Backlash (VICE, Feb 26 2021)
Proctorio has cashed in on remote learning since the start of the pandemic. Now, some schools are abandoning the company’s controversial software.
Clubhouse’s security and privacy lag behind its explosive growth (Ars Technica, Feb 28 2021)
The platform has promised to do better after a string of incidents.
Documents Show Agreements Between CBP and JetBlue for Facial Recognition Boarding (VICE, Mar 01 2021)
The documents provide more insight into the dynamics between DHS and airlines, which are increasingly deploying biometric boarding at their gates.
Far-Right Platform Gab Has Been Hacked—Including Private Data (Wired, Feb 28 2021)
The transparency group DDoSecrets says it will make the 70GB of passwords, private posts, and more available to researchers, journalists, and social scientists.
Customers willing to share personal data in exchange for personalized services (Help Net Security, Mar 01 2021)
There is ample opportunity for financial institutions to harness the power of AI to build more meaningful connections and experiences with customers — vastly improving both retention and acquisition, according to research findings released by NTT DATA. In the global study, customers provide striking testimony about what they would like their financial institutions to provide for them: 53% of customers say they would like their financial institution (FI) to proactively send them reminders…
Microsoft’s Dream of Decentralized IDs Enters the Real World (Wired, Mar 02 2021)
The company will launch a public preview of its identification platform this spring—and has already tested it at the UK’s National Health Service.
Password Reuse at 60% as 1.5 Billion Combos Discovered Online (Infosecurity Magazine, Mar 03 2021)
SpyCloud’s latest report reveals persistent threat of account takeovers
Payroll/HR Giant PrismHR Hit by Ransomware? (Krebs on Security, Mar 02 2021)
PrismHR, a company that sells software and services used by other firms to help more than 80,000 small businesses manage payroll, benefits, and human resources, has suffered what appears to be an ongoing ransomware attack.
How to build a serverless real-time credit card fraud detection solution (Google Cloud Blog, Mar 03 2021)
“As businesses continue to shift toward online credit card payments, there is a rising need to have an effective fraud detection solution capable of real-time, actionable alerts. In collaboration with Quantiphi, an award-winning Google Cloud Premier Partner with experience engaging with global financial institutions, we developed a smart analytics design pattern that enables you to build a scalable real-time fraud detection solution in one hour using serverless, no-ops products on Google Cloud.”
Cybercriminals Finding Ways to Bypass ‘3D Secure’ Fraud Prevention System (SecurityWeek, Mar 04 2021)
Security researchers with threat intelligence firm Gemini Advisory say they have observed dark web activities related to bypassing 3D Secure (3DS), which is designed to improve the security of online credit and debit card transactions.