A Review of the Best News of the Week on Identity Management & Web Fraud

De-anonymization Story (Schneier on Security, Jul 28 2021)
This is important:

Monsignor Jeffrey Burrill was general secretary of the US Conference of Catholic Bishops (USCCB), effectively the highest-ranking priest in the US who is not a bishop, before records of Grindr usage obtained from data brokers was correlated with his apartment, place of work, vacation home, family members’ addresses, and more.


The data that resulted in Burrill’s ouster was reportedly obtained through legal means. Mobile carriers sold­ — and still sell — ­location data to brokers who aggregate it and sell it to a range of buyers, including advertisers, law enforcement, roadside services, and even bounty hunters.

Venmo gets more private—but it’s still not fully safe (Ars Technica, Jul 25 2021)
Until it offers privacy by default, it remains a liability for many of its users.

Fraud on the Farm: How a baby-faced CEO turned a Farmville clone into a massive Ponzi scheme (Rest of World, Jul 23 2021)
On November 21, 2019, 25-year-old Recep Ataş stepped onto a shooting range in the Istanbul suburb of Başakşehir. He fired several rounds at the target, before suddenly aiming the weapon directly…

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~20,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

TikTok fined €750,000 for Violating Children’s Privacy (SecurityWeek, Jul 23 2021)
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens – AP) announced Thursday that it has imposed a fine of €750,000 on TikTok “for violating the privacy of young children”. More specifically, TikTok failed to provide a privacy statement in the Dutch language, making it difficult for young children to understand what would happen to their data.

Google is finally doing something about Google Drive spam (Ars Technica, Jul 23 2021)
You can now block people in Drive. It’s still woefully inadequate, but it’s something.

Consumer attitudes towards various digital identity authentication methods (Help Net Security, Jul 27 2021)
With concerns around online fraud and identity theft rising, consumers expect businesses to utilize new technologies to protect them online. According to research from Trulioo, 84% of people believe that businesses will need to rely more on automated fraud protection to protect customers as fraudsters become more sophisticated. The research revealed positive attitudes towards a number of newer methods of identity authentication amongst consumers in China, the UK and the U.S.

1Password Raises $100 Million at $2 Billion Valuation (SecurityWeek, Jul 27 2021)
Password management solutions provider 1Password today announced receiving a $100 million investment that increases its valuation to $2 billion. Previously, the company raised $200 million in a Series A funding round.

Here’s what that Google Drive “security update” message means (Ars Technica, Jul 28 2021)
Google is making its sharing links harder to guess, and it’s notifying users.

User data privacy decisions can be easily manipulated (Help Net Security, Jul 23 2021)
Data privacy is an important topic in the digitalized economy. Recent policy changes have aimed to strengthen users’ control over their own data. Yet new research from Copenhagen Business School finds designers of cookie banners can affect users’ privacy choices by manipulating the choice architecture and with simple changes can increase absolute consent by 17%.

Dutch Police Arrest Alleged Member of ‘Fraud Family’ Cybercrime Gang (SecurityWeek, Jul 23 2021)
Authorities in the Netherlands have arrested a 24-year-old believed to be a developer of phishing frameworks for a cybercrime ring named “Fraud Family.”

Verifiable credentials are key to the future of online privacy (Help Net Security, Jul 26 2021)
To realize the full potential of online services, identity verification solutions are required to avoid fraud and boost trust in the systems, for both end users and organizations. In-person data verification can be performed by a service agent easily, usually by asking for a physical ID card, like a driver’s license, and referencing it against the application documents and person present, but how can this be done online? Enter verifiable credentials.

How to prevent corporate credentials ending up on the dark web (Help Net Security, Jul 27 2021)
A little over $3,000 — that’s how much stolen corporate network credentials tend to go for on the dark web. Although the exact asking price for an individual’s credentials may depend on several factors, like how much revenue their enterprise makes, particularly valuable organizations may even see their login details auctioned off for as much as $120,000.

Why Are Users Ignoring Multi-Factor Authentication? (SecurityWeek, Jul 27 2021)
Twitter reports that two-factor adoption remains startling low, prompting exasperation and frustration among cybersecurity professionals.

Olympics Broadcaster Announces His Computer Password on Live TV (VICE, Jul 26 2021)
The announcer complained that it could have been a bit easier to type.

Identity-Based Zero Trust is More Than a Buzzword (eWEEK, Jul 27 2021)
Zero Trust is being invoked frequently by security professionals, almost as a cure-all for all those things that keep them up at night. In fact, the number of organizations using Zero Trust initiatives has more than tripled, from 16% three years ago to 60% today.

Apple Tells Leaker to Snitch on Sources or It Will Report Them to the Police (VICE, Jul 28 2021)
Apple sent a cease and desist letter to the person behind a Twitter account that advertised stolen iPhone prototypes.

LexisNexis Fraud Intelligence Synthetic Score improves synthetic identity fraud detection (Help Net Security, Jul 28 2021)
LexisNexis Risk Solutions unveiled LexisNexis Fraud Intelligence Synthetic Score, a new product designed to help businesses mitigate synthetic identity fraud. LexisNexis Fraud Intelligence Synthetic Score analyzes hundreds of unique identity characteristics and events to help businesses identify inconsistencies and fraud patterns in application profiles.

eCommerce Fraud Prevention Firm Riskified Prices IPO at $21 Per Share (SecurityWeek, Jul 29 2021)
Israel-based ecommerce fraud prevention company Riskified has announced the pricing of its initial public offering (IPO) as it prepares to start trading publicly on the New York Stock Exchange.