Identity Mgt & Web Fraud

Identity Mgt & Web Fraud – The Week’s Best News – 2019.12.12

2019-12-12 by Lucas Samaras

A Review of the Best News of the Week on Identity Management & Web Fraud

Silicon Valley Is Listening to Your Most Intimate Moments (Bloomberg, Dec 11 2019)
How the world’s biggest companies got millions of people to let temps analyse some very sensitive recordings.

Ring’s Hidden Data Let Us Map Amazon’s Sprawling Home Surveillance Network (Gizmodo, Dec 09 2019)
As reporters raced this summer to bring new details of Ring’s law enforcement contracts to light, the home security company, acquired last year by Amazon for a whopping $1 billion, strove to underscore the privacy it had pledged to provide users.

Are You One Of Avast’s 400 Million Users? This Is Why It Collects And Sells Your Web Habits. (Forbes, Dec 09 2019)
Avast sells user data but says there’s no privacy risk, according to the newly appointed CEO.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

DHS Retreats on Possible Facial Screening of US Citizens (SecurityWeek, Dec 09 2019)
The Homeland Security Department is backing away from requiring that U.S. citizens submit to facial-recognition technology when they leave or enter the country.

Only 53% of Security Pros Have Ownership of Workforce IAM (Dark Reading, Dec 10 2019)
Most practitioners report an increase in identities, but many don’t have control over how those identities are protected from a range of attacks.

Real-time phishing alerts and stolen password warnings added to Chrome (SC Magazine, Dec 11 2019)
Google yesterday announced that its latest Chrome release adds real-time phishing alerts and password breach warning capabilities to the browser. The real-time anti-phishing capabilities represents an upgrade to Google’s Safe Browsing service, which compiles an ever-changing blacklist of dangerous websites that browsers can check against. Typically, when a Chrome user visits a website, the browser…

The post Real-time phishing alerts and stolen password warnings added to Chrome appeared first on

Data Leak Exposes 750K Birth Certificate Applications (Infosecurity Magazine, Dec 10 2019)
AWS misconfiguration leaves storage bucket wide open

How Attackers Used Look-Alike Domains to Steal $1 Million From a Chinese VC (Dark Reading, Dec 06 2019)
Money meant to fund an Israeli startup wound up directly deposited to the scammers.

LogMeIn updates its LastPass Identity solution with passwordless login for business customers (Help Net Security, Dec 05 2019)
LastPass Identity now delivers a complete passwordless login experience for employees across applications, VPNs and devices (PCs, Macs, Android & iOS mobile devices) through device-native biometric authentication, single sign-on and federated identity integrations, all while giving IT complete control over every access point.

Cookie-stealing malware wants to know your Facebook ad budget (Naked Security – Sophos, Dec 05 2019)
The AdKoob malware that sneakily peeks at how much you’re spending on ads is back.

What are the qualities of a good digital identity management program? (Help Net Security, Dec 10 2019)
A digital identity program should be:
Safe – To ensure security, privacy and compliance.
Flexible – To work across multiple platforms (on-premise and cloud); work with people, systems and devices.
Agile – To quickly adapt to end-user needs, IT requirements and new applications.
Scalable – To address the shifting requirements of the business — such as adding new users from an acquisition or managing an influx of customers.
Open – To accommodate many types of users, including employees, consumers, partners and contractors.
Private – To give users control over their information and an understanding of how it is used and how they can access it.
Frictionless – To provide a seamless and convenient experience for both users and cybersecurity administrators.
Resilient – To overcome potential service disruptions, technology failures, or cyber threats — whether on-premise or in the cloud.

TikTok settles class action over child privacy one day after it’s filed (Naked Security – Sophos, Dec 10 2019)
The $1.1m settlement is an “excellent result,” TikTok said, unsurprisingly: compared with its $5.7m FTC fine, it’s dirt cheap.

Exposed Data Shows Where Police Departments Fly Their Drones (VICE, Dec 10 2019)
Dronesense, which sells a platform for controlling drones to police, left customer data including flight plans exposed.

This Alleged Bitcoin Scam Looked a Lot Like a Pyramid Scheme (Wired, Dec 10 2019)
Five men face federal charges of bilking investors of $722 million by inviting them to buy shares in bitcoin mining pools.

78% of people forgot a password in the past 90 days (Help Net Security, Dec 11 2019)
HYPR released the findings of a two and a half year Password Usage Study, which compiled data from over 500 full-time workers across the United States and Canada to better understand how individuals use, treat and manage their passwords.

It’s past time to contain identity sprawl. Here’s how to do it. (SC Magazine, Dec 11 2019)
Identity sprawl – too many usernames and too many passwords – has never been as big a concern as it is today: More devices are being brought into the enterprise, more people are working remotely and using their own devices, and more users continue to access on-premises and cloud data stores.

Younger Generations Drive Bulk of 2FA Adoption (Dark Reading, Dec 11 2019)
Use of two-factor authentication has nearly doubled in the past two years , pointing to a new wave of acceptance.

Active Directory password reset best practices (Help Net Security, Dec 12 2019)
Password change and password reset are terms that are often used interchangeably. However, they are not the same. A user will perform a password change when they remember their existing password, and a password reset when they have forgotten it.

How identity is addressed by enterprise IT security teams (Help Net Security, Dec 12 2019)
The majority of companies have experienced a five-fold increase in the number of workforce identities, which are being driven primarily by mobile and cloud technology. Encouragingly, one-hundred percent of IT security stakeholders report that a lack of strong IAM practices introduces security risk, an IDSA survey reveals.

Over One Billion Email-Password Combos Leaked Online (Infosecurity Magazine, Dec 12 2019)
Unsecured database featured a total of 2.7bn emails

Identity Mgt & Web Fraud – The Week’s Best News – 2019.12.05

2019-12-05 by Lucas Samaras

A Review of the Best News of the Week on Identity Management & Web Fraud

China introduces mandatory face scans for phone users (Yahoo News , Dec 01 2019)
China will require telecom operators to collect face scans when registering new phone users at offline outlets starting Sunday, according to the country’s information technology authority, as Beijing continues to tighten cyberspace controls.

Pressure mounts for federal privacy law with second bill (Naked Security – Sophos, Nov 29 2019)
Pressure is gathering for a federal privacy law in the US with the introduction of a second bill that would protect consumer data.

Twitter Promises Increased Transparency With New Privacy Center (SecurityWeek, Dec 03 2019)
Twitter this week announced the launch of a privacy center whose goal is to provide increased transparency on how the social platform handles user information.

Share today’s post on Twitter Facebook LinkedIn

Hackers Trick Venture Capital Firm Into Sending Them $1 Million (VICE, Dec 05 2019)
A Chinese VC firm and an Israeli startup had the money stolen right out from under their noses thanks to spoofed emails and bogus domains.

Ad fraud: Fake local news sites are rolling in the dough (Naked Security – Sophos, Dec 03 2019)
The fakery is funded by advertisers who are unwittingly paying fraudsters who pump up the page views on small “news” sites to eye-watering levels. They’re doing so by buying fake traffic from bots: evidenced by anomalies such as nearly all the traffic coming from mobile devices. That’s atypical, unless a site is specifically targeted at a mobile audience.

FTC: Fraudsters Go Low-Tech to Trick the Elderly (Infosecurity Magazine, Dec 04 2019)
Scam letters and requests for cash payments increasingly common

Steam players – beware of fake skins as phishers try to hijack accounts (Naked Security – Sophos, Dec 04 2019)
Phishing scammers have once again targeted users of the popular Steam gaming service, it was revealed this week.

Artificial Fingerprint Ring Could Combat Biometric Data Theft (Infosecurity Magazine, Dec 04 2019)
A cybersecurity company has teamed up with a 3D accessory designer to produce a ring that could tackle the issue of what to do if your biometric data is stolen. The attractive and wearable piece of jewelry features a synthetic fingerprint that can be used to unlock phones, make payments, or even access a home or office.

DHS May Require US Citizens Be Photographed at Airports (SecurityWeek, Dec 04 2019)
Federal officials are considering requiring that all travelers — including American citizens — be photographed as they enter or leave the country as part of an identification system using facial-recognition technology.

Identity Mgt & Web Fraud – The Week’s Best News – 2019.11.28

2019-11-28 by Lucas Samaras

A Review of the Best News of the Week on Identity Management & Web Fraud

The CA DMV Is Making $50M a Year Selling Drivers’ Personal Info (Vice, Nov 25 2019)
A document obtained by Motherboard shows how DMVs sell people’s names, addresses, and other personal information to generate revenue.

NYPD fingerprint database touched by ransomware (SC Magazine, Nov 25 2019)
The New York City Police Department’s fingerprint database was hit with ransomware in October 2018, a local newspaper learned. The attack was brought in by a third-party vendor who was installing video equipment at the NYPD’s police academy when it connected its infected computer to the police network, according to the New York Post.

Healthcare Execs Charged in $1Bn Fraud Scheme (Infosecurity Magazine, Nov 27 2019)
According to the Department of Justice, the group sold pharmaceuticals clients ad inventory that they didn’t have, and under-delivered on ad campaigns, before falsifying performance data and patient engagement metrics.

Share today’s post on Twitter Facebook LinkedIn

Scammers try a new way to steal online shoppers’ payment-card data (Ars Technica, Nov 22 2019)
Rather than infecting a merchant’s checkout page with malware that skims the information, the thieves trick users into thinking they’ve been redirected to an authorized third-party payment processor.

New for Identity Federation – Use Employee Attributes for Access Control in AWS (AWS News Blog, Nov 22 2019)
When you manage access to resources on AWS or many other systems, you most probably use Role-Based Access Control (RBAC). When you use RBAC, you define access permissions to resources, group these permissions in policies, assign policies to roles, assign roles to entities such as a person, a group of persons, a server, an application, etc. Many AWS customers told us they are doing so to simplify granting access permissions to related entities, such as persons sharing similar business functions in the organisation.

Use attribute-based access control with AD FS to simplify IAM permissions management (AWS Security Blog, Nov 25 2019)
AWS Identity and Access Management (IAM) allows customers to provide granular access control to resources in AWS. One approach to granting access to resources is to use attribute-based access control (ABAC) to centrally govern and manage access to your AWS resources across accounts. Using ABAC enables you to simplify your authentication strategy by enabling you to scale your authorization strategy by granting access to groups of resources, as specified by tags, as opposed to managing long lists of individual resources.

Continuously monitor unused IAM roles with AWS Config (AWS Security Blog, Nov 20 2019)
Developing in the cloud encourages you to iterate frequently as your applications and resources evolve. You should also apply this iterative approach to the AWS Identity and Access Management (IAM) roles you create. Periodically ensuring that all the resources you’ve created are still being used can reduce operational complexity by eliminating the need to track unnecessary resources.

Identify unused IAM roles and remove them confidently with the last used timestamp (AWS Security Blog, Nov 19 2019)
As you build on AWS, you create AWS Identity and Access Management (IAM) roles to enable teams and applications to use AWS services. As those teams and applications evolve, you might only rely on a sub-set of your original roles to meet your needs. This can leave unused roles in your AWS account. To help you identify these unused roles, IAM now reports the last-used timestamp that represents when a role was last used to make an AWS request.

Azure DevOps will no longer support Alternate Credentials authentication (Azure DevOps Blog, Nov 25 2019)
“we’ve offered customers the ability to use Alternate Credentials in situations where they are connecting to Azure DevOps using legacy tools. While using Alternate Credentials was an easy way to set up authentication access to Azure DevOps, it is also less secure than other alternatives such as personal access tokens (PATs). As such, we believe the use of Alternate Credentials authentication represents a security risk to our customers because they never expire and can’t be scoped to limit access to the Azure DevOps data.”

Why do cryptocoin scams work, and how to avoid them? (Naked Security – Sophos, Nov 22 2019)
Loosely speaking, someone who wants to “market” an ICO can promise the world – and can do so without needing any existing products, or prototypes, or stock, or patents, or intellectual property, or indeed anything much at all except a cool-sounding name for their new cryptocoins and a groovy-looking website. Sadly, that makes it surprisingly easy for a cybercrook to invite “investments” – for example by using a bunch of fake testimonials and some judiciously chosen (and perhaps actually accurate) graphs showing how other cryptocurrency values have shot up to the apparently enormous benefit of those who joined in early on.

OneCoin crypto-scam lawyer found guilty of worldwide $400m fraud (Naked Security – Sophos, Nov 25 2019)
A Florida lawyer who boasted of making “50 by 50” – as in, $50m by the age of 50 – is now facing a potential 50+ years behind bars for money laundering and lying to banks about funds flowing from OneCoin, a cryptocoin Ponzi scheme that started in Bulgaria but spread like a money-sucking fungus around the world.

Civil Rights Groups Demand Congress Investigate Amazon’s ‘Surveillance Empire’ (VICE, Nov 26 2019)
The campaign to pressure consumers and lawmakers to take action arrives after five U.S. senators sent a letter to Jeff Bezos demanding answers about how the tech giant uses its surveillance data.

My Health Record failed to manage cybersecurity and privacy risks, audit finds (The Guardian, Nov 25 2019)
My Health Record failed to manage cybersecurity and privacy risks, audit finds The Guardian

Facebook built a facial-recognition app that let employees identify people by pointing a phone at them (Business Insider, Nov 26 2019)
The employee-only tool, created around 2015 and 2016, used Facebook’s vast collection of facial data to automatically recognize people.

7 Ways to Hang Up on Voice Fraud (Dark Reading, Nov 27 2019)
Criminals are coming at us from all direction, including our phones. Don’t answer that next call without reading this tips first.

Google Sends 12,000 State Phishing Warnings in Three Months (Infosecurity Magazine, Nov 27 2019)
Government-backed cyber-attacks target global users

Firefox gets tough on tracking tricks that sneakily sap your privacy (Naked Security – Sophos, Nov 27 2019)
Firefox is getting ready to turn on its automatic anti-snooping tools to stop web ‘fingerprinting’ tricks.

How to Get Prepared for Privacy Legislation (Dark Reading, Nov 27 2019)
All the various pieces of legislation, both in the US and worldwide, can feel overwhelming. But getting privacy basics right is a solid foundation.

Identity Mgt & Web Fraud – The Week’s Best News – 2019.11.21

2019-11-21 by Lucas Samaras

A Review of the Best News of the Week on Identity Management & Web Fraud

When Bank Communication is Indistinguishable from Phishing (Troy Hunt, Nov 19 2019)
There’s a supremely simple way of banks handling this situation and it was demonstrated by AMEX shortly after the St George incident when they called to verify an unusual credit card transaction. We did the “we want to verify you”, “no I want to verify you” dance after which they simply said, “turn over your card and call us on the number on the back”. How easy is that?!

Out of Season IRS Phishing Campaigns (Akamai, Nov 21 2019)
According to Akamai’s research, this campaign used at least 289 different domains and 832 URLs over 47 days. The same fake IRS login page was used in each instance. Moreover, according to Akamai’s visibility into global network traffic, the campaign targeted over 100,000 victims worldwide.

Most Americans feel powerless to prevent data collection, online tracking (Help Net Security, Nov 18 2019)
Most U.S. adults say that the potential risks they face because of data collection by companies (81%) and the government (66%) outweigh the benefits, but most (>80%) feel that they have little or no control over how these entities use their personal information, a recent Pew Research Center study on USA digital privacy attitudes has revealed.

Share today’s post on Twitter Facebook LinkedIn

Activists in Jumpsuits Are Scanning the Faces of DC Residents With Amazon Tech (VICE, Nov 14 2019)
“The action will show that facial recognition surveillance is dangerous both when algorithms work and when they don’t.”

Ticketmaster’s Anti-Scalping Technology Actually Helps Scalpers, Not Fans (VICE, Nov 18 2019)
Buying tickets on Ticketmaster continues to be a complete disaster for everyone who doesn’t make a living buying tickets.

Thousands of hacked Disney+ accounts are already for sale on hacking forums (ZDNet, Nov 18 2019)
Hackers began hijacking accounts hours after Disney+ launched earlier this week.

Google Restricts Data-Sharing for Ads Under Privacy Pressure (IT Pro, Nov 14 2019)
Google will no longer divulge information to participants in its ad auction about the type of content on a website or page where an ad could appear, the Alphabet Inc. company said in a blog post Thursday.

Ho Ho OUCH! There are 4x more fake retailer sites than real ones (Naked Security – Sophos, Nov 19 2019)
Beware, holiday shoppers! The phishers hiding under typosquatting domains are waiting for your keyboard fumbles.

It’s the user’s fault if a Ring camera violates your privacy, Amazon says (Ars Technica, Nov 20 2019)
The company’s answers to congressional questioning only earned it more questions

Anatomy of a BEC Scam (Dark Reading, Nov 21 2019)
A look at the characteristics of real-world business email compromise attacks – and what makes them tick.

Employee Privacy in a Mobile Workplace (Dark Reading, Nov 20 2019)
Why businesses need guidelines for managing their employees’ personal information — without compromising on security.

Identity Mgt & Web Fraud – The Week’s Best News – 2019.11.14

2019-11-14 by Lucas Samaras

A Review of the Best News of the Week on Identity Management & Web Fraud

Court Rules Govt Can’t Search Your Phone at the Airport for No Reason (VICE, Nov 12 2019)
The ruling is a significant win for privacy rights of Americans and tourists traveling to the United States.

Google’s ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans (WSJ, Nov 14 2019)
Google is teaming with one of the country’s largest health-care systems on an ambitious project named “Project Nightingale” to collect and crunch detailed health information of millions of Americans across 21 states.

Your DNA Profile is Private? A Florida Judge Just Said Otherwise (The New York Times, Nov 14 2019)
Privacy experts say a warrant granted in Florida could set a precedent, opening up all consumer DNA sites to law enforcement agencies across the country.

Share today’s post on Twitter Facebook LinkedIn

Microsoft to Extend California Privacy Law US-Wide (Infosecurity Magazine, Nov 12 2019)
The California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020. It’s set to offer more GDPR-like protections and rights to the Golden State’s citizens, such as the ability to find out what personal information of theirs companies are collecting and to prevent it from being sold to third parties.

Colorado Driver’s Licenses Go Digital (WSJ, Nov 13 2019)
Colorado residents who download a special app can use their phones as a form of ID in places like bars, restaurants and banks, but it is up to the establishments to decide whether they accept the new format.

Ping Identity provides the identity verification solution for myColorado (Help Net Security, Nov 13 2019)
Ping Intelligent Identity platform provides the identity verification solution for the State of Colorado’s official mobile application, myColorado, which contains the new Colorado Digital ID.

Huge Airbnb scam leads to promise to vet every host, every listing (Naked Security – Sophos, Nov 11 2019)
Shuffling people into – surprise! – cobwebby rat traps has been a snap. Actual vetting may help, plus a new guarantee of 100% refunds.

5G Race Could Leave Personal Privacy in the Dust (WSJ, Nov 13 2019)
New networks will collect more data on the physical world. Experts warn public policy hasn’t caught up.

Apple details new Safari, Location Services, Sign in with Apple privacy features (Help Net Security, Nov 07 2019)
three new white papers and tech briefs on how Safari, Location Services, and Sign in with Apple protect user privacy.

Tech Firms React to Netizens’ Digital Privacy Concerns (SecurityWeek, Nov 08 2019)
a slew of tech entrepreneurs are bidding to turn growing consciousness about the problem into a money-making industry and many showcased their skills at this week’s Web Summit in Lisbon.

Please Stop Trying to Pay Me to Advertise Fake iOS Jailbreak Websites (VICE, Nov 08 2019)
An internet marketing firm asked me to promote a series of fake iOS jailbreak sites, including ones for jailbreaks that don’t actually exist.

Florida Police Want Access to Controversial Facial Recognition Network (Infosecurity Magazine, Nov 08 2019)
Miami-Dade cops are making eyes at Pinellas County Sheriff’s FACES

WhatsApp Cofounder Brian Acton on Why Privacy Matters (Wired, Nov 08 2019)
The cofounder of the messaging service and the current chair of the Signal Foundation talks about the proliferation of end-to-end encryption in personal communications.

Tech Support Scammers Exploiting Unpatched Firefox Bug (SecurityWeek, Nov 12 2019)
Mozilla is working on addressing a Firefox bug that has been exploited by tech support scammers to lock the browser when users visit specially crafted websites.

The persuasiveness of a remote job (Forcepoint, Nov 12 2019)
We have recently encountered two methods attempting to scam people linked to this trend of home working. The first is an attempt at cybersquatting, and the second is a small scale botnet pushing out home-working related lures.

Cardplanet Operator Extradited for Facilitating Credit Card Fraud (Dark Reading, Nov 13 2019)
Russian national Aleksei Burkov is charged with wire fraud, access device fraud, and conspiracy to commit identity theft, among other crimes.

The Myths of Multifactor Authentication (Dark Reading, Nov 12 2019)
Organizations without MFA are wide open to attack when employees fall for phishing scams or share passwords. What’s holding them back?

Privacy Rights Group Sues DHS Over ‘Coercive’ DNA Tests at the Border (VICE, Nov 14 2019)
The EFF argues that DNA collection is a surefire way to violate privacy and human rights.

This Bank Had the Worst Password Policy We’ve Ever Seen (VICE, Nov 14 2019)
A European bank makes customers pay to change their passwords, and suggests they Google their password to check if it is secure.