A Review of the Best News of the Week on Identity Management & Web Fraud

Your Old Phone Number Can Be Used to Hack You, Study Finds (VICE, May 06 2021)
The majority of old phone numbers are still tied to important online accounts that can be easily taken over by hackers.

Google to Automatically Enable Two-Step Verification for Some Accounts (SecurityWeek, May 06 2021)
Google is marking World Password Day with a blog post summarizing the password management features it offers, and the company announced that it will automatically enroll some accounts in two-step verification (2SV).

Identifying the Person Behind Bitcoin Fog (Schneier on Security, May 03 2021)
“The person behind the Bitcoin Fog was identified and arrested. Bitcoin Fog was an anonymization service: for a fee, it mixed a bunch of people’s bitcoins up so that it was hard to figure out where any individual coins came from. It ran for ten years.

Identifying the person behind Bitcoin Fog serves as an illustrative example of how hard it is to be anonymous online in the face of a competent police investigation:

Most remarkable, however, is the IRS’s account of tracking down Sterlingov using the very same sort of blockchain analysis that his own service was meant to defeat. “

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

US Mulling Domestic Spying Partnership with Private Companies (Infosecurity Magazine, May 03 2021)
US president reportedly considering using private firms to spy on Americans’ online activity

Big Telecom Used Fake and Dead People to Fight Net Neutrality, NY AG Says (VICE, May 06 2021)
An investigation by New York’s attorney general has confirmed that Big Telecom paid to flood the net neutrality debate with millions of fake comments.

Your Digital Identity’s Evil Shadow (Dark Reading, Apr 29 2021)
To be fair, these services do offer legitimate purposes for enterprise companies, such as website testing and fraud protection. But when in the wrong hands, they are stealthy means to bypass security systems by hiding behind a proxy with legitimate IP addresses and user agents.

The Challenge of Securing Non-People Identities (Dark Reading, Apr 29 2021)
Non-people identities, which can act intelligently and make decisions on behalf of a person’s identity, are a growing cybersecurity risk.

eCommerce fraud losses to surpass $20 billion this year (Help Net Security, May 02 2021)
The value of losses due to eCommerce fraud will rise this year, from $17.5 billion in 2020 to over $20 billion by 2021; a growth of 18% over a single year, according to a study from Juniper Research. The research found that fraudsters have targeted consumers as they have increased their eCommerce use; exposing insecure fraud mitigation processes from merchants who are unfamiliar and unprepared for the continuing fraud challenges in this market.

PKI market valuation to cross $7 billion by 2027 (Help Net Security, Apr 29 2021)
The market valuation of public key infrastructure will cross $7 billion by 2027, according to Global Market Insights. Rising digital interaction and reliance on digital authentications and regulatory compliance across enterprises are expected to boost the market growth. What’s driving demand for PKI solutions? The demand for PKI solutions and services is primarily driven by the increasing need across enterprises to improve security capabilities in response to the growing instances of file-based…

The Anti-Fraud Lifecycle (SecurityWeek, May 03 2021)
It is a known fact that cybercriminals choose the path of least resistance. Naturally, easy cashout methods with good returns are much more favorable than methods that are high risk, complicated or yield small profits. While this is not the only factor in determining how much fraud is committed through a certain vector (for example, it takes time for cashout methods to become public knowledge in cybercriminal circles and thus become widely adopted), it is a major aspect.

Effort to Protect Consumer Data Privacy Stalls in Florida (SecurityWeek, May 02 2021)
A campaign by Gov. Ron DeSantis to help Floridians regain ownership of the troves of data that companies collect came to a halt Friday, when state lawmakers could not agree on how tightly to limit how Big Data harvests and uses people’s information.

Users increasingly putting password security best practices into play (Help Net Security, May 04 2021)
While there is awareness of password security best practices, there is still work to be done to put that awareness to full use, a Bitwarden survey reveals. While Americans are more likely to report being affected by a data breach in the last 18 months (one-third versus one-fourth of global respondents), 1 in 3 are more interested in having a password that is easy to remember versus being secure.

Use longitudinal learning to reduce risky user behavior (Help Net Security, May 04 2021)
People ignore information that isn’t relevant to them, which is why IT and HR departments have been approaching security training incorrectly for years. Long-form, all-hands security seminar trainings have contributed to nearly daily data breaches for decades.

Contact Tracer Breach Hits the Keystone State (Infosecurity Magazine, May 03 2021)
PHI of 72,000 Pennsylvanians exposed after Insight Global employees allegedly ignored security protocols

Don’t Buy Into Facebook’s Ad-Tracking Pressure on iOS 14.5 (Wired, May 03 2021)
The company tells Apple users that tracking helps keep those platforms “free of charge,” but opting out now doesn’t mean paying up later.

4,700 Amazon employees had unauthorized access to private seller data (Ars Technica, May 04 2021)
Shoddy security allowed various employees to use info to their advantage.

Pandemic accelerating need for insider risk management (Help Net Security, May 04 2021)
As companies exit the pandemic, security leaders will be challenged with new data security complexities. Remote work over the past year magnified challenges that companies face around protecting data exposure and file exfiltration from insider risk, and that will only continue if proactive precautions aren’t taken.

IAM makes it easier for you to manage permissions for AWS services accessing your resources (AWS Security Blog, May 04 2021)
“aws:PrincipalIsAWSService is a global IAM condition key that simplifies resource-based policies (such as an Amazon S3 bucket policy) when granting access to AWS services. It gives you a shorthand for allowing AWS services to access your resources and can be used alongside other desired restrictions, such as restricting access to your networks.”

Homecoming Queen Hacker to be Tried as an Adult (Infosecurity Magazine, May 05 2021)
Florida teen accused of hacking students’ accounts to rig homecoming contest to face felony charges as an adult

States Push Back Against Use of Facial Recognition by Police (SecurityWeek, May 05 2021)
Law enforcement agencies across the U.S. have used facial recognition technology to solve homicides and bust human traffickers, but concern about its accuracy and the growing pervasiveness of video surveillance is leading some state lawmakers to hit the pause button.