A Review of the Best News of the Week on Identity Management & Web Fraud

The New iOS Update Lets You Stop Ads From Tracking You (Wired, Apr 26 2021)
Facebook and other advertisers fought the move, but App Tracking Transparency is finally here.

Experian’s Credit Freeze Security is Still a Joke (Krebs on Security, Apr 26 2021)
In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States. Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space.

Supreme Court kills FTC’s “strongest tool” for getting refunds to scam victims (Ars Technica, Apr 23 2021)
Unanimous ruling limits FTC power to obtain refunds; it’s up to Congress to fix it.


Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Password Manager Suffers ‘Supply Chain’ Attack (Dark Reading, Apr 23 2021)
A software update to Click Studios’ Passwordstate password manager contained malware.

Between a rock and a hard place: U.S. federal privacy law (SC Media, Apr 26 2021)
President Biden may soon announce an Executive Order that will include mandatory breach notification for software vendors that sell to the federal government. Today’s columnist, Ilia Kolochenko of ImmuniWeb, outlines the history of privacy and notification laws and prospects for a national breach law in the U.S.

Hackers Claim to Have Stolen 250 GB From Washington DC Police (VICE, Apr 27 2021)
The police department confirmed the existence of the breach, but did not specify the extent of the damage.

Ransomware crooks threaten to ID informants if cops don’t pay up (Ars Technica, Apr 28 2021)
The FBI is investigating claims that hackers obtained 250GB of police department data.

Experian API Exposed Credit Scores of Most Americans (Krebs on Security, Apr 28 2021)
Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.

Identifying People Through Lack of Cell Phone Use (Schneier on Security, Apr 29 2021)
“In this entertaining story of French serial criminal Rédoine Faïd and his jailbreaking ways, there’s this bit about cell phone surveillance:

After Faïd’s helicopter breakout, 3,000 police officers took part in the manhunt. According to the 2019 documentary La Traque de Rédoine Faïd, detective units scoured records of cell phones used during his escape, isolating a handful of numbers active at the time that went silent shortly thereafter.”

Costco Issues Scam Warning (Infosecurity Magazine, Apr 22 2021)
Membership-only big-box wholesaler tells Americans to be wary of 14 digital scams

Threat Actors Impersonate Chase Bank (Infosecurity Magazine, Apr 27 2021)
Cyber-criminals launch credential phishing attacks targeting Chase bank customers

Feds Arrest an Alleged $336M Bitcoin-Laundering Kingpin (Wired, Apr 27 2021)
The alleged administrator of Bitcoin Fog kept the dark web service running for 10 years before the IRS caught up with him.

First Horizon Bank Customers Have Account Funds Drained (Infosecurity Magazine, Apr 29 2021)
Attackers stole less than $1 million after breaching internal security

Data Breach Impacts 1 in 4 Wyomingites (Infosecurity Magazine, Apr 28 2021)
Wyoming Department of Health exposes test results of more than a quarter of state residents on GitHub

DigitalOcean says customer billing data accessed in data breach (TechCrunch, Apr 28 2021)
DigitalOcean has emailed customers warning of a data breach involving customers’ billing data, TechCrunch has learned. The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has “confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account.”

Scammers Are Hacking Target’s Gig Workers and Stealing Their Money (VICE US – Motherboard, Apr 29 2021)
Scammers have been spoofing Target’s delivery company Shipt’s phone number in order to steal its gig workers’ earnings by phishing their credentials from them.

COVID-19 creates a boom in biometric adoption (Help Net Security, Apr 23 2021)
Goode Intelligence published a survey which captured the views and opinions of companies that have deployed or are thinking of deploying biometrics. COVID-19 has accelerated the shift to digital, creating a boom in biometric adoption. Sixty-two percent of survey respondents said that their company has increased the prioritization of technology that supports remote onboarding and authentication due to the pandemic.

MFA spending on the rise, but organizations still unclear on best practices (Help Net Security, Apr 28 2021)
While MFA adoption and spending is on the rise, organizations are still unclear on best practices and methodologies, Yubico and 451 Research reveal. The findings show that MFA adoption and spending has increased within the enterprise due to a confluence of several factors: the growing recognition that stolen credentials and phishing attacks are at the root of most security breaches; the rise of work-from-home (WFH) policies due to the COVID-19 pandemic…

#GartnerIAM: Pandemic Disruption Necessitates a Transformation in Identity Access Management (Infosecurity Magazine, Apr 28 2021)
IAM has to be radically altered in light of distributed workforces

Choose the best way to use and authenticate service accounts on Google Cloud (Google Cloud Blog, Apr 27 2021)
A fundamental security premise is to verify the identity of a user before determining if they are permitted to access a resource or service. This process is known as authentication. But authentication is necessary for more than just human users. When one application needs to talk to another, we need to authenticate its identity as well. In the cloud, this is most frequently accomplished through a service account.