A Review of the Best News of the Week on Identity Management & Web Fraud

LinkedIn 500M profiles, maintains incident was not a breach (SC Media, Apr 09 2021)
LinkedIn has become one of the most impersonated brands when it comes to phishing, and having access to such a treasure trove of information can help facilitate convincing social engineering attacks.

Digital artists meet scam artists, as criminals pounce on NFT craze (SC Media, Apr 08 2021)
Criminals are standing up fraudulent NFT-themed websites that sell nonexistent items or phish users’ credentials.

Lawsuit: Man suffered ‘great harm’ after wrongful arrest based on Detroit’s facial recognition technology (The Detroit News, Apr 14 2021)
Lawsuit the latest in string of controversies surrounding Detroit police use of the software


Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Fraudsters Use HTML Legos to Evade Detection in Phishing Attack (Dark Reading, Apr 08 2021)
Criminals stitch pieces of HTML together and hide them in JavaScript files, researchers report.

600K Payment Card Records Leaked After Swarmshop Breach (Dark Reading, Apr 08 2021)
A leaked database also contains the nicknames, hashed passwords, contact details, and activity history of Swarmshop admins, sellers, and buyers.

NCSC: Large Number of Brits Are Using Easily Guessable Passwords (Infosecurity Magazine, Apr 09 2021)
The survey found 15% of Brits use their pet’s name as a password

Does data stolen in a data breach expire? (WeLiveSecurity, Apr 08 2021)
Some personal information just doesn’t age – here’s what the Facebook data leak may mean for you

Brits Still Confused by Multi-Factor Authentication (Infosecurity Magazine, Apr 12 2021)
FIDO Alliance warns that social media accounts are at risk

Facebook Removes 16k Groups for Trading Fake Reviews (Infosecurity Magazine, Apr 09 2021)
Double intervention by UK watchdog prompts Facebook to axe groups trading in fake reviews

ID Verification Firm Veriff Lands $69 Million in Series B Funding (SecurityWeek, Apr 12 2021)
Veriff, a provider of automated identity verification technology, today announced that it has secured $69 million in Series B financing, bringing the total amount raised by the company to $92.8 million.

On first-ever Identity Management Day, experts detail steps to a better IAM program (SC Media, Apr 14 2021)
Establishing a governance structure and communicating with stakeholders are key strategies, said experts.

How to relate IAM role activity to corporate identity (AWS Security Blog, Apr 13 2021)
“AWS Security Token Service (AWS STS) now offers customers the ability to specify a unique identity attribute for their workforce identities and applications when they assume an AWS Identity and Access Management (IAM) role. This new SourceIdentity attribute makes it easier for you, as an Amazon Web Services (AWS) administrator, to determine the identity that performed the actions while the role was assumed. In this post, I’ll show you how to use the SourceIdentity attribute and how it can help you track usage of your APIs.”

IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity (AWS Security Blog, Apr 07 2021)
“In 2019, AWS Identity and Access Management (IAM) Access Analyzer was launched to help you remove unintended public and cross account access by analyzing your existing permissions. In March 2021, IAM Access Analyzer added policy validation to help you set secure and functional permissions during policy authoring. Now, IAM Access Analyzer takes that a step further and generates policies for you. You can now use IAM Access Analyzer to generate fine-grained policies, based on your access activity in your AWS CloudTrail logs. When you request a policy, IAM Access Analyzer gets to work and identifies your activity from CloudTrail logs to generate a policy. The generated policy grants only the required permissions for your workloads and makes it easier for you to implement least privilege permissions.”
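The two AWS items above describe related ideas: a SourceIdentity attribute that records who actually assumed a role, and policy generation from the actions observed in CloudTrail. The script below is an added example written for this digest, not code from the AWS Security Blog posts or an AWS tool. It runs over a handful of constructed CloudTrail records (the account id, role name and user names are placeholders), groups the exercised actions by the SourceIdentity found under `userIdentity.sessionContext`, flags role sessions that carry no SourceIdentity at all, and emits a least-privilege policy skeleton that allows only the actions observed. The `eventSource` to action-prefix mapping is a simplification that covers the sample data; a few services use different prefixes in real logs.

```python
"""Relate assumed-role activity in CloudTrail to a SourceIdentity and
derive a least-privilege policy skeleton from the observed actions.

Added example for this digest; not AWS code. All records below are
constructed sample data with placeholder account id, role and users."""
import json
from collections import defaultdict

SERVICE_SUFFIX = ".amazonaws.com"

# Constructed CloudTrail records, trimmed to the fields this example uses.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DataReader/alice-session",
                      "sessionContext": {"sourceIdentity": "alice@example.com"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DataReader/alice-session",
                      "sessionContext": {"sourceIdentity": "alice@example.com"}}},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DataReader/bob-session",
                      "sessionContext": {"sourceIdentity": "bob@example.com"}}},
    # A session assumed without SetSourceIdentity: nobody to attribute it to.
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DataReader/unknown-session",
                      "sessionContext": {}}},
]


def source_identity(event):
    """Return the SourceIdentity recorded for the role session, or None."""
    return event.get("userIdentity", {}).get("sessionContext", {}).get("sourceIdentity")


def iam_action(event):
    """Map eventSource + eventName to an IAM action, e.g. s3:GetObject.
    Assumption: prefix equals the eventSource host minus '.amazonaws.com'."""
    source = event["eventSource"]
    service = source[:-len(SERVICE_SUFFIX)] if source.endswith(SERVICE_SUFFIX) else source
    return f"{service}:{event['eventName']}"


def actions_by_source_identity(events):
    """Group exercised actions by the human or workload that assumed the role."""
    grouped = defaultdict(set)
    for ev in events:
        grouped[source_identity(ev) or "<no SourceIdentity>"].add(iam_action(ev))
    return {who: sorted(acts) for who, acts in grouped.items()}


def sessions_without_source_identity(events):
    """Role-session ARNs that cannot be tied back to a corporate identity.
    Any hit means the role's trust policy does not require sts:SetSourceIdentity."""
    return sorted({ev["userIdentity"]["arn"] for ev in events
                   if ev["userIdentity"].get("type") == "AssumedRole"
                   and source_identity(ev) is None})


def generate_policy(events):
    """Build a policy allowing only the observed actions, one statement per
    service. Resource stays "*" as a placeholder to be narrowed by hand."""
    by_service = defaultdict(set)
    for ev in events:
        action = iam_action(ev)
        by_service[action.split(":")[0]].add(action)
    statements = [{"Effect": "Allow", "Action": sorted(acts), "Resource": "*"}
                  for _, acts in sorted(by_service.items())]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(actions_by_source_identity(SAMPLE_EVENTS), indent=2))
    print("unattributed sessions:", sessions_without_source_identity(SAMPLE_EVENTS))
    print(json.dumps(generate_policy(SAMPLE_EVENTS), indent=2))
```

The unattributed-session check is the defender's takeaway from the SourceIdentity post: the attribute only helps if the role's trust policy allows (and your identity provider sets) `sts:SetSourceIdentity`, so sessions with an empty `sessionContext.sourceIdentity` are the ones to chase down. The generated policy is deliberately a skeleton; as with Access Analyzer's output, the resource ARNs still need to be scoped before the policy is attached.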

Keyless API authentication—Better cloud security through workload identity federation, no service account keys necessary (Google Cloud Blog, Apr 08 2021)
“Organizations often have applications that run on multiple platforms, on-premises or cloud. For such applications that call Google Cloud Platform (GCP) APIs, a common challenge admins face is securing long-lived service account keys used to authenticate to GCP. Examples of such applications might include:

Analytics workloads running on AWS or Azure that access sensitive datasets stored in Google Cloud Storage …”

The future of touchless visitor management lies with biometrics (Help Net Security, Apr 15 2021)
With so many people making their way into an office building on any given day – whether as a prospective job candidate, a vendor with a delivery, or for a client meeting – it is vital that today’s visitor and employee management systems are prepared to keep the grounds safe from unwanted visitors, including COVID-19.

The impact of the pandemic on AML compliance and fraud strategies (Help Net Security, Apr 14 2021)
Especially, as fraud and financial crime departments experienced increased levels of fraud attacks – with almost three-quarters (70 percent) saying the increased fraud attacks had a major impact on their operations.