A Review of the Best News of the Week on Identity Management & Web Fraud

Hackers Leak Personal Data of Washington DC Police Officers (VICE, May 11 2021)
The ransomware gang Babuk released the personal details of several Metropolitan Police Department officers—essentially a full dox—in an attempt to extort the department into paying a ransom to stop further leaks.

Amazon: We Blocked 10 Billion Bad Listings in 2020 (Infosecurity Magazine, May 11 2021)
Retail giant reveals major counterfeit threat in new report

13 best practices for user account, authentication, and password management, 2021 edition (Google Cloud Blog, May 06 2021)
Updated for 2021: This post includes updated best practices including the latest from Google’s Best Practices for Password Management whitepapers for both users and system designers.
Account management, authentication and password management can be tricky. Often, account management is a dark corner that isn’t a top priority for developers or product managers. The resulting experience often falls short of what some of your users would expect for data security and user experience.


Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



City of Chicago Hit by Data Breach at Law Firm Jones Day (SecurityWeek, May 10 2021)
The city of Chicago on Friday said that employee emails were compromised in a Jones Day data breach involving Accellion’s FTA file sharing service.

What’s Google FLoC? And How Does It Affect Your Privacy? (Wired, May 09 2021)
There’s a battle raging over how advertisers can target us on the web—or whether they should be able to target us at all.

Three Marylanders Indicted Over BEC Scam (Infosecurity Magazine, May 07 2021)
Defendants charged in connection with dating and BEC scams that netted over $2.3m

How does certificate-based authentication work? (Network World Security, May 10 2021)
Certificate-based authentication is a cryptographic technique that allows one computer to securely identify itself to another across a network connection, using a document called a public-key certificate.

Twitter’s Tip Jar Privacy Fiasco Was Entirely Avoidable (Wired, May 07 2021)
Sending its users to PayPal has created all sorts of problems that Twitter should have caught ahead of time.

Fintech Startup Offers $500 for Payroll Passwords (Krebs on Security, May 10 2021)
How much is your payroll data worth? Probably a lot more than you think. One financial startup that’s targeting the gig worker market is offering up to $500 to anyone willing to hand over the payroll account username and password given to them by their employer, plus a regular payment for each month afterwards in which those credentials still work.

Investment Scammer John Davies Reinvents Himself? (Krebs on Security, May 07 2021)
John Bernard, a pseudonym used by a convicted thief and con artist named John Clifton Davies who’s fleeced dozens of technology startups out of an estimated $30 million, appears to have reinvented himself again after being exposed in a recent investigative series published here. Sources tell KrebsOnSecurity that Davies/Bernard is now posing as John Cavendish and head of a new “private office” called Hempton Business Management LLP.

Vulnerability attacks weakness in Microsoft Azure virtual machine extensions (SC Media, May 11 2021)
The flaw, which Microsoft patched in March, would allow an attacker to escalate privileges and access sensitive user data.

University of California Confirms Personal Information Stolen in Cyberattack (SecurityWeek, May 11 2021)
The University of California (UC) this week confirmed that personal information was stolen in a cyberattack involving the Accellion File Transfer Appliance (FTA) service.

Scammers aren’t always who we expect them to be: How AI and biometrics can help (Help Net Security, May 12 2021)
When it’s time to hire a new employee, organizations go to great lengths to avoid hiring someone who would commit fraud: background checks, credit checks, drug tests, etc. But the truth is that few people deliberately join an organization with the intent to defraud them. If we look at the profile of an occupational fraudster, these people are not always who we expect them to be.

Kansas Identity Theft Spike Could Be Linked to Data Breach (Infosecurity Magazine, May 11 2021)
Alleged data breach at Kansas Department of Labor may account for state leading national unemployment fraud stats