A Review of the Best News of the Week on Identity Management & Web Fraud

Kaseya Hacked via Authentication Bypass (Dark Reading, Jul 08 2021)
The Kaseya ransomware attack is believed to have been down to an authentication bypass. Yes, ransomware needs to be on your radar — but good authentication practices are also imperative.

Dozens of Chinese phone games now require facial scans to play at night (Ars Technica, Jul 07 2021)
After a 2018 test, "Midnight Patrol" system officially rolls out to 60 Tencent games.

Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax (Krebs on Security, Jul 01 2021)
Financial services giant Intuit this week informed 1.4 million small businesses using its QuickBooks Online Payroll and Intuit Online Payroll products that their payroll information will be shared with big-three consumer credit bureau Equifax starting later this year unless customers opt out by the end of this month.

Intuit says the change is tied to an “exciting” and “free” new service that will let millions of small business employees get easy access to employment and income verification services when they wish to apply for a loan or line of credit.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Brits Lose Over £1bn in Fraud So Far This Year (Infosecurity Magazine, Jul 06 2021)
Brits have lost over £1bn to fraud in the first half of 2021, but cases fell significantly in Q2 compared to Q1

Vulnerability in the Kaspersky Password Manager (Schneier on Security, Jul 06 2021)
“A vulnerability (just patched) in the random number generator used in the Kaspersky Password Manager resulted in easily guessable passwords:

The password generator included in Kaspersky Password Manager had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds. This article explains how to securely generate passwords, why Kaspersky Password Manager failed, and how to exploit this flaw. It also provides a proof of concept to test if your version is vulnerable.

The product has been updated and its newest versions aren’t affected by this issue.”
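The generator flaw described above, as an added illustration that is not part of the original post, Kaspersky's code, or the write-up it summarises: a password generator whose only entropy is a second-granularity clock, next to one built on the operating system's CSPRNG, plus the kind of determinism check and entropy estimate a reviewer would apply before trusting either. The alphabet, password lengths and time-window sizes are assumptions chosen for the example.

```python
import math
import random
import secrets
import string
import time
from typing import Callable

# Assumed alphabet: printable ASCII minus whitespace (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def weak_password(length: int, seed_seconds: int) -> str:
    """Mirrors the failure mode in the article: a general-purpose PRNG
    seeded only with a Unix timestamp. Same second, same password."""
    rng = random.Random(seed_seconds)          # Mersenne Twister, not a CSPRNG
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int) -> str:
    """The corrected pattern: draw every symbol from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """What the password *looks* like it offers: log2(|alphabet|^length)."""
    return length * math.log2(alphabet_size)


def effective_entropy_bits_time_seeded(window_seconds: int) -> float:
    """What a clock-seeded generator actually offers: at most one distinct
    output per second in the window the seed could have fallen in."""
    return math.log2(window_seconds)


def is_clock_deterministic(gen: Callable[[int, int], str], length: int = 16) -> bool:
    """Reviewer check: feed the generator the same timestamp twice. A sound
    generator ignores it and produces different output; a clock-seeded one
    repeats itself."""
    now = int(time.time())
    return gen(length, now) == gen(length, now)


if __name__ == "__main__":
    ts = 1625702400  # constructed timestamp (2021-07-08 00:00:00 UTC)
    print("weak  :", weak_password(16, ts), "(repeats:", weak_password(16, ts), ")")
    print("strong:", strong_password(16))
    print("nominal bits, 16 chars   :", round(nominal_entropy_bits(16), 1))
    print("effective bits, 1y window:", round(effective_entropy_bits_time_seeded(365 * 86400), 1))
    print("weak is clock-deterministic  :", is_clock_deterministic(weak_password))
    print("strong is clock-deterministic:", is_clock_deterministic(lambda n, _t: strong_password(n)))
```

The gap between the two entropy figures is the whole story: a 16-character password from a 94-symbol alphabet nominally carries about 105 bits, but if the seed is a timestamp known to lie within a year, there are fewer than 2^25 possible outputs regardless of length, which is why the article can say the passwords fall in seconds. The determinism check is cheap enough to run in a unit test against any password or token generator.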

How facial recognition solutions can safeguard the hybrid workplace (Help Net Security, Jul 02 2021)
The number of US adults teleworking due to the pandemic fell by 30% between January and May 2021 (from 23% to 16%), with the biggest drop in May. As more employees return to their offices, new and unexpected challenges hidden within the new hybrid work model threaten to severely disrupt safety and security.

Research partnership to examine how fraudsters abuse financial tech innovations (SC Media, Jul 02 2021)
Federal Reserve Bank of Atlanta and GSU team will study P2P and mobile payments, e-wallets, and central bank digital currencies

Platform or roaming FIDO2 authenticators: Which one is right for your workforce? (Help Net Security, Jul 05 2021)
One of the main criticisms of any advanced authentication system is usability. In FIDO2 multi-factor authentication (MFA), platform authenticators aim to be the answer to our usability woes, but do they improve the user experience and are they enterprise ready? In this article, we’ll dive into the world of FIDO2 authenticators, the problems that still exist and how these create major roadblocks for enterprises widely adopting FIDO2.

Why the Password Isn’t Dead Quite Yet (Wired, Jul 06 2021)
Everyone hates the old ways of authentication. But while change is closer than ever, it comes with its own drawbacks.

Most Insider Data Breaches Aren’t Malicious (Infosecurity Magazine, Jul 07 2021)
New research finds 78% of reported breaches that involve an insider were not malicious

‘How can I help you today?’ Scammers dupe online support agents through live chat platforms (SC Media, Jul 08 2021)
The scheme is yet another recent example of phishing campaigns leveraging communication mediums outside of email to catch prospective victims off-guard. And it works in part because website operators that use chat features are not always diligently scanning uploaded files for malware.

Digital Identity: Establish safety while maintaining convenience (SC Media, Jul 08 2021)
Today’s columnist, Eric Haller of Experian, says now that society has grown more reliant on services like online grocery shopping and telehealth as a result of the pandemic, companies need to invest in strong digital identity technologies.