A Review of the Best News of the Week on Identity Management & Web Fraud

A New Facebook Bug Exposes Millions of Email Addresses (Wired, Apr 22 2021)
A recently discovered vulnerability discloses user email addresses even when they’re set to private.

Account protections – A Google Perspective (Elie on Internet Security and Privacy, Apr 16 2021)
This talk provides an overview of how accounts get compromised and the defenses we found effective at Google to reduce account hijacking risks.

Mastercard Acquires Digital Identity Verification Firm Ekata for $850 Million (SecurityWeek, Apr 20 2021)
Mastercard on Monday announced that it’s acquiring digital identity verification company Ekata for $850 million.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


How the Biden Administration Can Make Digital Identity a Reality (Dark Reading, Apr 16 2021)
A digital identity framework is the answer to the US government’s cybersecurity dilemma.

Everybody hates “FLoC,” Google’s tracking plan for Chrome ads (Ars Technica, Apr 20 2021)
The EFF, Mozilla, Brave, Vivaldi, and DuckDuckGo say “no way” to FLoC.

Foreign threat actors used fake LinkedIn profiles to lure 10,000 UK nationals (SC Media, Apr 20 2021)
The targeting shows that humans remain the weak link in any cyber and data security strategy.

Arrest Made Over California City Data Breach (Infosecurity Magazine, Apr 15 2021)
One Huntington Park financial official arrested and others placed on leave following data breach

Google Broke Australian Law Over Location Data Collection: Court (SecurityWeek, Apr 16 2021)
Google violated Australian law by misleading users of Android mobile devices about the use of their location data, a court ruled Friday in a landmark decision against the global digital giant.

Improper cloud IAM leaving organizations at risk (Help Net Security, Apr 19 2021)
There is an industry-wide cloud permissions gap crisis, leaving countless organizations at risk due to improper identity and access management (IAM), a CloudKnox Security report reveals. The report findings underscore the fact that attackers can leverage over-privileged identities to traverse laterally, elevate permissions and cause extensive data exfiltration.

Number of users of software-based facial recognition for payments to surge (Help Net Security, Apr 19 2021)
The number of users of software-based facial recognition to secure payments will exceed 1.4 billion globally by 2025, from just 671 million in 2020, a Juniper Research study reveals. This rapid growth of 120% demonstrates how widespread facial recognition has become, fuelled by its low barriers to entry: a front-facing camera and appropriate software.

US Charges Nigerian with Elder Fraud (Infosecurity Magazine, Apr 19 2021)
Maryland resident accused of conning seniors out of nearly half a million dollars over social media

Four ways to comply with GDPR in the absence of the Privacy Shield (SC Media, Apr 20 2021)
Now that an EU court invalidated the Privacy Shield, companies must take even more care to make sure they comply with GDPR. Today’s columnist, Conrad Smith of Open Raven, offers ways for security teams to make that happen.

Brace yourselves. Facebook has a new mega-leak on its hands (Ars Technica, Apr 20 2021)
Facebook Email Search v1.0 can process 5 million email addresses per day, researcher says.

2020 Changed Identity Forever; What’s Next? (Dark Reading, Apr 20 2021)
For all the chaos the pandemic caused, it also sparked awareness of how important an identity-centric approach is to securing today’s organizations.

How do I select an identity management solution for my business? (Help Net Security, Apr 21 2021)
According to a recent survey, the pandemic-driven shift to remote work has significantly changed how companies are investing in identity and access management capabilities and zero trust security.

Critical infrastructure implications of the Pulse Secure multi-factor authentication bypass (Help Net Security, Apr 22 2021)
The FireEye Mandiant team has discovered multiple threat actors exploiting a zero-day vulnerability in Pulse Secure VPN appliances. The attack infrastructure is very sophisticated. The attacks persist in the VPN appliances, even across software updates; they change read-only filesystems to read-write filesystems and use a variety of mechanisms to evade detection.