A Review of the Best News of the Week on Identity Management & Web Fraud

Details of a Computer Banking Scam (Schneier on Security, Mar 22 2021)
“This is a longish video that describes a profitable computer banking scam that’s run out of call centers in places like India. There’s a lot of fluff about glitterbombs and the like, but the details are interesting. The scammers convince the victims to give them remote access to their computers, and then that they’ve mistyped a dollar amount and have received a large refund that they didn’t deserve. Then they convince the victims to send cash to a drop site, where a money mule retrieves it and forwards it to the scammers.

I found it interesting for several reasons. One, it illustrates the complex business nature of the scam: there are a lot of people doing specialized jobs in order for it to work. Two, it clearly shows the psychological manipulation involved, and how it preys on the unsophisticated and vulnerable. And three, it’s an evolving tactic that gets around banks increasingly flagging blocking suspicious electronic transfers.”

Google Reveals What Personal Data Chrome and Its Apps Collect On You (The Hacker News, Mar 23 2021)
Privacy-focused search engine DuckDuckGo called out rival Google for “spying” on users after the search giant updated its flagship app to spell out the exact kinds of information it collects for personalization and marketing purposes.

“After months of stalling, Google finally revealed how much personal data they collect in Chrome and the Google app. No wonder they wanted to hide it,” the company said in a tweet. “Spying on users has nothing to do with building a great web browser or search engine.”

Ransomwared Bank Tells Customers It Lost Their SSNs (VICE, Mar 22 2021)
A data breach that already hit bank employees just got much worse

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

A SpaceX Engineer’s Dark Web Insider Trading Sparks SEC First (Wired, Mar 19 2021)
“MillionaireMike” allegedly ran a stock tip scam that earned him $27,000 in bitcoin payments.

Jumio Secures Whopping $150m Investment from Private Equity Firm (Infosecurity Magazine, Mar 23 2021)
Investment represents largest digital identity funding round ever

ID.me Snags $100M in Series C Funding (SecurityWeek, Mar 23 2021)
Digital identity network play ID.me, Inc. has joined the growing list of cybersecurity unicorns after banking a new $100 million funding round that values the company at $1.5 billion.

Amazon Delivery Drivers Forced to Sign ‘Biometric Consent’ Form or Lose Job (VICE, Mar 23 2021)
The new cameras, which are being implemented nationwide, use artificial intelligence to access drivers’ location, movement, and biometric data. 

Highlights from the latest AWS Identity launches (AWS Security Blog, Mar 18 2021)
“Here is the latest from AWS Identity from November 2020 through February 2021. The features highlighted in this blog post can help you manage and secure your Amazon Web Services (AWS) environment. Identity services answer the question of who has access to what. They enable you to securely manage identities, resources, and permissions at scale and to operate your AWS environment more efficiently.”

You make the rules with authentication controls for Cloud Storage (Google Cloud Blog, Mar 19 2021)
Let’s go back in time, to when you first created a bucket. You’ll need to decide whether you want to apply permissions using uniform or fine-grained access. We have some recommendations, so let’s dive in.

Dropbox to Make Password Manager Feature Free for All Users (Infosecurity Magazine, Mar 17 2021)
As of April, users can try a limited version of Dropbox Passwords free-of-charge

#COVID19, Password Spraying and the NHS (Infosecurity Magazine, Mar 22 2021)
How password spraying risks threatens the NHS

Groups Call for Ethical Guidelines on Location-Tracking Tech (Wired, Mar 25 2021)
The Locus Charter asks companies to commit to 10 principles, including minimizing data collection and actively seeking consent from users.

A Security App’s Fake Reviews Give Us a Window Into ‘App Store Optimization’ (VICE, Mar 19 2021)
The CEO of pEp purchased fake reviews to bolster his app’s ratings on the Google Play Store and the Apple’s App Store.

How to stay ahead of the rise of synthetic fraud (Help Net Security, Mar 22 2021)
While banks have been successful in reducing card fraud in recent years, a new and rising threat has emerged: synthetic identity fraud. By combining real and falsified information on digital platforms, financial criminals have been able to commit this type of fraud with impunity.

US Indicts Software Engineer (Infosecurity Magazine, Mar 19 2021)
Swiss man indicted for allegedly stealing and publishing sensitive government and corporate data

Facebook Fails in Bid to Derail $15 Bn Privacy Suit (SecurityWeek, Mar 23 2021)
The US Supreme Court on Monday declined to consider an appeal by Facebook that would have derailed a $15 billion lawsuit over whether it illegally tracked users about a decade ago.

Breach at California State Controller’s Office (Infosecurity Magazine, Mar 24 2021)
Phishing attack exposes unclaimed property holder report data

Firefox 87 Adds Stronger User Privacy Protections (SecurityWeek, Mar 23 2021)
Mozilla today announced the release of Firefox 87 in the stable channel fitted with a new intelligent tracker blocking mechanism.

Almost $2 billion lost to BEC scams in 2020 (WeLiveSecurity, Mar 24 2021)
Nearly half of reported cybercrime losses in 2020 were the result of BEC fraud, according to an FBI report

How to scale your authorization needs by using attribute-based access control with S3 (AWS Security Blog, Mar 18 2021)
“In this blog post, we show you how to scale your Amazon Simple Storage Service (Amazon S3) authorization strategy as an alternative to using path based authorization. You are going to combine attribute-based access control (ABAC) using AWS Identity and Access Management (IAM) with a standard Active Directory Federation Services (AD FS) connected to Microsoft…”