Identity Mgt & Web Fraud

Identity Mgt & Web Fraud – The Week’s Best News – 2019.11.07

2019-11-07 by Lucas Samaras

A Review of the Best News of the Week on Identity Management & Web Fraud

California DMV Leak Spills Data from Thousands of Drivers (Dark Reading, Nov 06 2019)
Federal agencies reportedly had improper access to Social Security data belonging to 3,200 license holders.

Accounting Scams Continue to Bilk Businesses (Dark Reading, Nov 06 2019)
Yes, ransomware is plaguing businesses and government organizations, but impersonators inserting themselves into financial workflows – most often via e-mail – continue to enable big paydays.

Details of an Airbnb Fraud (Schneier on Security, Nov 06 2019)
“This is a fascinating article about a bait-and-switch Airbnb fraud. The article focuses on one particular group of scammers and how they operate, using the fact that Airbnb as a company doesn’t do much to combat fraud on its platform. But I am more interested in how the fraudsters essentially hacked the complex sociotechnical system that is Airbnb. The whole article is worth reading.”

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

ACLU sues feds to get information about facial-recognition programs (Ars Technica, Oct 31 2019)
Inquiring lawsuits want to know what the DOJ, DEA, & FBI are using the tech for.

ICO to Police: Go Slow on Facial Recognition (Infosecurity Magazine, Nov 01 2019)
UK watchdog set to work on statutory code of practice

Men who were paid $100,000 by Uber to hush-up hack plead guilty to extortion scheme (Graham Cluley, Oct 31 2019)
Two hackers face up to five years in prison after pleading guilty to their involvement in a scheme which saw them attempt to extort money from Uber and LinkedIn in exchange for the deletion of stolen data.

Perspective | Think you’re anonymous online? A third of popular websites are ‘fingerprinting’ you. (Washington Post, Nov 01 2019)
Our latest privacy experiment tested sites for an invisible form of online tracking that you can’t easily avoid.

Nikkei Hit in $29m BEC Scam (Infosecurity Magazine, Nov 04 2019)
Media giant and US city latest victims of email fraud

Undercover reporter tells all after working for a Polish troll farm (Naked Security – Sophos, Nov 04 2019)
Together with her troll colleagues, she managed 200 fake social profiles, promoted clients’ products, and trolled their competitors.

Vendor Email Compromise is Latest Identity Deception Attack (SecurityWeek, Nov 04 2019)
Identity deception attacks continue to grow, but the type of attack seems to be changing. During Q3, 2019, phishing campaigns impersonating brands dropped by 6% over the previous quarter. Attacks impersonating individuals, however, increased by 10%. The drop in brand impersonation may be partly related to increased industry adoption of DMARC, which is up 49% over the last year.

Proofpoint Acquires Insider Threat Management Firm ObserveIT for $225 Million (SecurityWeek, Nov 04 2019)
Cybersecurity firm Proofoint announced on Saturday that it has agreed to acquire ObserveIT, a Boston, Mass.-based provider of insider threat management solutions.

New bill would create Digital Privacy Agency to enforce privacy rights (Ars Technica, Nov 05 2019)
The bill proposes sweeping reforms to privacy rights and enforcement.

Florida city sends $742K to fraudsters as it bites the BEC hook (Naked Security – Sophos, Nov 05 2019)
“Here’s our new bank account number,” the scammers said. When the real construction firm sent their invoice, payment was made to the crooks.

IBM: Face Recognition Tech Should be Regulated, Not Banned (SecurityWeek, Nov 05 2019)
IBM weighed in Tuesday on the policy debate over facial recognition technology, arguing against an outright ban but calling for “precision regulation” to protect privacy and civil liberties.

Obfuscation as a Privacy Tool (Schneier on Security, Nov 05 2019)
“This essay discusses the futility of opting out of surveillance, and suggests data obfuscation as an alternative.”

Former Twitter employees charged with spying on users for Saudis (Ars Technica, Nov 06 2019)
Indictment accuses two of passing data about people critical of Saudi royals, government.

Tech-support scammers used data stolen by Trend Micro employee (Ars Technica, Nov 06 2019)
Support-scam callers used leaked data about Trend Micro customers handed over by insider.

Facebook Admits Another Developer Privacy Snafu (Infosecurity Magazine, Nov 06 2019)
Groups API wasn’t properly restricted, says social network

Influencers Pay Thousands to Get Back Into Their Hacked Instagram Accounts (VICE, Nov 06 2019)
A white hat hacker who used to help for free is now charging hacked influencers to help them regain access to their accounts.

Identity Mgt & Web Fraud – The Week’s Best News – 2019.10.31

2019-10-31 by Lucas Samaras

A Review of the Best News of the Week on Identity Management & Web Fraud

Balls, bats & Baby Shark: MLB authentication process is serious biz (WAPO, Oct 29 2019)
At the World Series, authenticators in both dugouts and clubhouses keep a close eye on the action.

Cachet Financial Reeling from MyPayrollHR Fraud (Krebs on Security, Oct 24 2019)
“When New York-based cloud payroll provider MyPayrollHR unexpectedly shuttered its doors last month and disappeared with $26 million worth of customer payroll deposits, its payment processor Cachet Financial Services ended up funding the bank accounts of MyPayrollHR client company employees anyway, graciously eating a $26 million loss which it is now suing to recover.”

Reality Check on the Demise of Multi-Factor Authentication (SecurityWeek, Oct 30 2019)
Forrester Research has estimated that despite increasing cyber security budgets, 80 percent of security breaches involve weak, default, stolen, or otherwise compromised privileged credentials. As a result, MFA is considered one of the primary defenses against identity-based cyber-attacks.

Share today’s post on Twitter Facebook LinkedIn

Comcast fights Google’s encrypted-DNS plan but promises not to spy on users (Ars Technica, Oct 25 2019)
Comcast has gone on the record to say that it does not track its broadband users’ Web browsing histories, even though the company is lobbying against a Google plan that could make it harder for ISPs to track their users.

Firefox Privacy Protection makes website trackers visible (Naked Security – Sophos, Oct 25 2019)
Mozilla has added another privacy tweak to Firefox version 70 – the ability to quickly see how often websites are tracking users.

Researchers find hole in EU-wide identity system (Naked Security – Sophos, Oct 31 2019)
The flaw lay in the integration software that the EU provides for coupling eIDAS nodes together. Its SAML parsing allowed an attacker to avoid the signature verification process, meaning that they could tamper with a SAML message to impersonate anyone.

Phishers have been targeting UN, UNICEF, Red Cross officials for months – and still do (Help Net Security, Oct 25 2019)
Researchers have brought to light a longstanding phishing campaign aimed at the UN and its various networks, and a variety of humanitarian organizations, NGOs, universities and think tanks.

Study Reveals the Worst State for Online Privacy (Infosecurity Magazine, Oct 24 2019)
Wyoming was found to meet just one of the 20 key criteria, which was that laws were in place to protect K–12 student information, such as grades and attendance records.

Phishers strike at mobile wellness app company (Naked Security – Sophos, Oct 25 2019)
Online criminals launched a cyberattack on healthcare app company Evergreen Life. Its app helps people log their own health information, taking in fitness, nutrition, and even DNA records.

Millions of Adobe Customers Exposed in Privacy Snafu (Infosecurity Magazine, Oct 28 2019)
Adobe has become the latest big name to expose customer details via a misconfigured database, after researchers discovered nearly 7.5 million accounts via an online search. Security researcher Bob Diachenko teamed up again with Comparitech to find the Elasticsearch database, which was left online without any password protection.

Crypto Capital boss arrested over money laundering (Naked Security – Sophos, Oct 28 2019)
Bitfinex says the payment processor has $880M of the cryptocurrency exchange’s “lost” funds. Polish authorities seized $390m of it.

Google to Face Court on Claims It Misled Australians on Personal Data (WSJ, Oct 29 2019)
Alphabet’s Google is being taken to court by an Australian regulator that alleges the internet giant misled customers about how it collected and used personal location data.

Sextortion scammers are hijacking blogs – and victims are paying up (Naked Security – Sophos, Oct 30 2019)
Sextortion scammers have started hijacking poorly managed or defunct blogs to expand an increasingly profitable business.

Aussie Consumer Watchdog Sues Google Over Location Data Use (SecurityWeek, Oct 29 2019)
Australia’s consumer watchdog on Tuesday announced legal action against Google for allegedly misleading customers about the way it collects and uses personal location data.

No, you apparently can’t run for office just to put false ads on Facebook (Ars Technica, Oct 30 2019)
An attempt to call out Facebook’s policy is working—just not on Facebook.

Office 365 users targeted with fake voicemail alerts in suspected whaling campaign (Help Net Security, Oct 31 2019)
The malicious emails take the form of (fake) Microsoft-branded notifications telling recipients of a missed call.
They contain an attachment: an HTML file that, when loaded, shows potential victims to a page that:
-Autoplays a file that sounds like a truncated, recorded voice message
-Tells them to wait while the entire voice message is downloaded from the server
-Instructs them to log in to access the message.

21 Million Stolen Fortune 500 Credentials For Sale on Dark Web (SecurityWeek, Oct 30 2019)
There have been many studies and investigations into the number of stolen credentials available on the dark web. However, a new report that was just released is a bit different: it focuses on credentials belonging to global Fortune 500 organizations, and used machine learning (ML) techniques to clean and verify the collected data.

Uber Says It Will Sue Los Angeles Over Sharing Scooter Location Data (VICE, Oct 30 2019)
The move comes after Uber decided not to provide the location data according to a Los Angeles Department of Transportation deadline.

Identity Mgt & Web Fraud – The Week’s Best News – 2019.10.24

2019-10-24 by Lucas Samaras

Best Phishing Tactic Is to Make You Think You’ve Been Hacked (Infosec. Mag., Oct 21 2019) Study finds email subject lines referencing online security are the most clicked on

In a First, FTC Bans Company From Selling ‘Stalkerware’ (VICE, Oct 22 2019) The FTC’s move comes after Motherboard revealed a hacker had repeatedly breached Retina-X and gained access to sensitive user data.

Under digital surveillance: how American schools spy on millions of kids (the Guardian, Oct 22 2019) Fueled by fears of school shootings, the market has grown rapidly for technologies that monitor students through official school emails and chats

Share today’s post on Twitter Facebook LinkedIn

Apple’s Good Intentions on Privacy Stop at China’s Borders (Wired, Oct 17 2019) As pro-democracy protests continue in Hong Kong, the tech giant’s troubling relationship with an authoritarian regime has come into focus.

US Lawmakers Call on Apple to Reverse Hong Kong App Ban (Infosecurity Magazine, Oct 21 2019) Firm accused of becoming complicit in Chinese censorship and repression

Facebook must face $35B facial-recognition lawsuit following court ruling (Ars Technica, Oct 22 2019) Facial recognition: far from perfect, increasingly everywhere.

FIDO-Based Authentication Arrives for Smartwatches (Dark Reading, Oct 22 2019) The Nok Nok App SDK for Smart Watch is designed to let businesses implement FIDO-based authentication on smartwatches.

Attackers improving BEC skills (SC Magazine, Oct 22 2019) During this period FireEye has noted attackers are increasingly impersonating executives and attempting to involve a company’s supply chain vendors as part of the attack to make it appear as if the malicious email is a legitimate request. These tactics have been honed to a point where they are easily convincing employees to take the bait.

Georgia Supreme Court rules that collection of vehicular data requires warrant (SC Magazine, Oct 22 2019) The Georgia Supreme Court yesterday ruled that law enforcement must obtain a warrant before pulling data from an automobile as part of a crash investigation, overturning a verdict previously rendered and later upheld by lower courts.

Can License Plate Readers Really Reduce Crime? (Wired, Oct 24 2019) Flock Safety boasts that its cameras caused a dramatic drop in crime in one Georgia county, but experts say it’s not so simple.

SailPoint Buys Orkus and OverWatchID to Strengthen Cloud Access Governance (Dark Reading, Oct 16 2019) The $37.5 million acquisitions will boost SailPoint’s portfolio across all cloud platforms.

New US Privacy Bill Would Intro Jail Time for CEOs (Infosecurity Magazine, Oct 18 2019) A US senator has introduced a new privacy bill which he claims goes further than the EU’s GDPR, introducing prison sentences for culpable CEOs. Introduced by Ron Wyden, the Mind Your Own Business Act would create a national “Do Not Track” system enabling consumers to stop companies from tracking them online, selling or sharing their data, or targeting ads based on personal information.

CBP mulls facial recognition tech for body cams (SC Magazine, Oct 18 2019) The U.S. Customs and Border Patrol (CBP) is considering using facial recognition in body cameras that agents will wear in the future, sending out a request for information (RFI) on biometric options that can be used to verify identity.

Phishing scam targets users of Stripe payment processing service (SC Magazine, Oct 18 2019) Cybercriminals have devised a phishing campaign that that takes aim at customers of the online payment processing company Stripe, with the intention to steal their credentials, compromise their accounts and presumably view their payment card data.

The Washington Post’s New Columnist Consults for Spyware Firm That Helps Saudi Arabia Surveil Journalists (VICE, Oct 22 2019) The new Washington Post columnist consults for NSO Group, which is currently being sued for helping Saudi Arabia surveil Washington Post columnist Jamal Khashoggi, who was murdered.

AWS Security Profile: Ron Cully, Principal Product Manager, AWS Identity | Amazon Web Services (AWS, Oct 23 2019) “In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.”

Firefox 70 lets users track online trackers (Help Net Security, Oct 23 2019) Mozilla has released Firefox 70.0, which delivers performance and power consumption improvements, helpful browser features, new options for developers and, most prominently, new security and privacy protections.

Action Fraud Snafu Leaves 9000 Cases Quarantined (Infosecurity Magazine, Oct 24 2019) Thousands of cybercrime reports sent to the UK’s centralized authority have been mistakenly identified as containing malware, meaning they were not investigated, according to a new report.

Spanish Police Arrest Three in €10m BEC Bust (Infosecurity Magazine, Oct 23 2019) Spanish police have arrested three men in connection with a €10m Business Email Compromise (BEC) ring that targeted corporate victims around the world.

Mapping Security and Privacy Research across the Decades (Schneier on Security, Oct 24 2019) “This is really interesting: “A Data-Driven Reflection on 36 Years of Security and Privacy Research,” by Aniqua Baset and Tamara Denning…Meta-research—research about research—allows us, as a community, to examine trends in our research and make informed decisions regarding the course of our future research activities. “

Identity Mgt & Web Fraud – The Week’s Best News – 2019.10.17

2019-10-17 by Lucas Samaras

A Review of the Best News of the Week on Identity Management & Web Fraud

Wi-Fi Hotspot Tracking – Schneier on Security (Schneier on Security, Oct 15 2019)
Free Wi-Fi hotspots can track your location, even if you don’t connect to them. This is because your phone or computer broadcasts a unique MAC address.

Student tracking, secret scores: How college admissions offices rank prospects before they apply (Washington Post, Oct 15 2019)
Before many schools even look at an application, they comb through prospective students’ personal data, such as web-browsing habits and financial history

Best practices for password management, 2019 edition (Google Cloud Blog, Oct 10 2019)
Two new whitepapers to help you navigate password security:
– Modern password security for users provides pragmatic and human-centric advice for end users to help improve your authentication security habits.
– Modern password security for system designers is the first paper’s technical counterpart, outlining the latest advice on password interfaces and data handling.

Share today’s post on Twitter Facebook LinkedIn

Amazon Calls for Government Regulation of Facial Recognition Tech (SecurityWeek, Oct 13 2019)
Amazon is endorsing the idea of government regulation of facial recognition technology, as part of a wide-ranging statement of its principles on a range of social and political issues.

Why You Don’t Need to Change Passwords So Often (eWEEK, Oct 15 2019)
New research reveals that mandatory periodic password changes will make your enterprise less secure than simply leaving them alone.

350+ hackers hunt down missing people in first such hackathon (Naked Security – Sophos, Oct 15 2019)
Organizers said 100 leads were generated every 10 minutes by contestants using OSINT – open-source intelligence such as online searches.

Google’s USB-C Titan Security Key Arrives in the U.S. (SecurityWeek, Oct 15 2019)
Starting October 15, users in the United States have a new two-factor authentication (2FA) method at their disposal in the form of Google’s USB-C Titan Security Key. Manufactured in partnership with Yubico, the USB-C Titan Security Key is compatible with Android, Chrome OS, macOS, and Windows devices.

Stalker found pop star by searching eyes’ reflections on Google Maps (Naked Security – Sophos, Oct 14 2019)
A man confessed to stalking and attacking a young pop star by zooming in on the reflections in her eyes from selfies.

Most Americans Are Clueless About Private Browsing (Infosecurity Magazine, Oct 11 2019)
New research reveals a dearth of digital knowledge among American adults

Alleged Hacker Arraigned on $1.4 Million Cryptocurrency Fraud Charges (SecurityWeek, Oct 14 2019)
A Michigan man appeared in federal court on Friday on charges related to his involvement in a scheme aimed at defrauding victims of at least $1.4 million in cryptocurrency.

California Attorney General Outlines How State Will Enforce Upcoming Privacy Law (SecurityWeek, Oct 14 2019)
The California Attorney General Xavier Becerra has released the draft proposed regulations on how the state will enforce the California Consumer Protection Act (CCPA) that comes into force on January 1, 2020.

“BriansClub” Hack Rescues 26M Stolen Cards (Krebs on Security, Oct 15 2019)
“BriansClub,” one of the largest underground stores for buying stolen credit card data, has itself been hacked. The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.

Florida Women’s Clinic Warns 520,000 Patients of Data Breach (Infosecurity Magazine, Oct 15 2019)
Hackers may have accessed medical records of North Florida OB-GYN patients

Food writer Jack Monroe loses at least £5,000 in SIM-swap fraud (Naked Security – Sophos, Oct 16 2019)
Her accounts were drained in spite of using 2FA, showing that SIM swaps can still circumvent what’s a good security tool.

Identity Mgt & Web Fraud – The Week’s Best News – 2019.10.10

2019-10-10 by Lucas Samaras

A Review of the Best News of the Week on Identity Management & Web Fraud

Twitter Took Phone Numbers for Security and Used Them for Advertising (VICE, Oct 08 2019)
This could make people think twice about using a phone number to secure their account at all.

2019 Global Password Security Report (LastPass, Oct 08 2019)
57% of businesses globally are using multifactor authentication, compared to 45% last year.
13x is how often an employee reuses a password, on average.
23% of employees access their password vault on a smartphone.

FBI’s Use of Surveillance Database Violated Americans’ Privacy Rights, Court Found (WSJ, Oct 09 2019)
Some of the FBI’s electronic surveillance activities violated the constitutional privacy rights of Americans swept up in a controversial foreign intelligence program, a surveillance court has ruled.

Share today’s post on Twitter Facebook LinkedIn

Legacy Systems Held DHS’ Biometrics Programs Back. Not Anymore. (Nextgov, Oct 05 2019)
The cloud-based HART system, which will house data on hundreds of millions of people, promises to significantly expand the department’s use of facial recognition and other biometric software, as well as its partnerships with external agencies.

Microsoft: Any form of MFA takes users out of reach of most attacks (Help Net Security, Oct 04 2019)
“Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population,” Alex Weinert, Group Program Manager for the Identity Security and Protection team at Microsoft, explained.

Egypt Is Using Apps to Track and Target Its Citizens, Report Says (NYTimes, Oct 03 2019)
Egypt Is Using Apps to Track and Target Its Citizens, Report Says The New York Times

JFK Airport’s Terminal 1 launches facial recognition boarding (New York Post, Oct 08 2019)
A biometric self-boarding gate has officially been launched at John F. Kennedy International Airport’s Terminal 1, officials said Tuesday. Lufthansa has deployed the paperless, high-tech boarding p…

Passport facial checks fail to work with dark skin (BBC News, Oct 09 2019)
The UK government admits it knew its facial mapping tech struggled to work with some skin tones.

Insider threats are security’s new reality: Prevention solutions aren’t working (Help Net Security, Oct 07 2019)
Today, 79% of information security leaders believe that employees are an effective frontline of defense against data breaches. However, this year’s report disputes that notion.

Amex Employee Suspected of Wrongfully Accessing Customer Data to Commit Fraud (Infosecurity Magazine, Oct 04 2019)
Amex warns customers to be vigilant for fraudulent activity on their accounts after data breach

New York City Lawmakers Look to Regulate Facial-Recognition Tools (WSJ, Oct 08 2019)
Legislation would establish guidelines for landlords and businesses using biometric data systems

Wi-Fi signals let researchers ID people through walls from their gait (Naked Security – Sophos, Oct 07 2019)
Police could set up transceivers outside a building and compare spectrograms of suspects walking vs. crime scene footage.

£3 billion Safari iPhone privacy lawsuit given go-ahead (Naked Security – Sophos, Oct 04 2019)
A UK class action lawsuit against Google, that represents around 5 million iPhone users, can go ahead, according to the UK Court of Appeal.

Instagram is helping users avoid phishing scams (Engadget, Oct 08 2019)
A new feature lets Instagram users confirm security emails are genuine.

Nationwide facial recognition ID program underway in France (Naked Security – Sophos, Oct 08 2019)
It’s coming next month, in spite of a lawsuit and the data regulator’s protests about lack of consent, data security and privacy.

2020 Presidential Candidate Campaign Websites Fail On User Privacy (SecurityWeek, Oct 08 2019)
Despite everything that has happened over the last four years, the security posture of the 2020 presidential candidates’ campaign websites is little better and often worse than it was in 2016.

How the Software-Defined Perimeter Is Redefining Access Control (Dark Reading, Oct 09 2019)
In a world where traditional network boundaries no longer exist, VPNs are showing their age.

2FA, HTTPS and private browsing still a mystery to most Americans (Help Net Security, Oct 10 2019)
Most US adults know what phishing scams are and where they occur, what browser cookies do, and that advertising is the largest source of revenue for most social media platforms, a recent Pew Research Center survey aimed at testing American’s digital knowledge has revealed.

Impact and prevalence of cyberattacks that use stolen hashed administrator credentials (Help Net Security, Oct 10 2019)
There’s a significant prevalence and impact of cyberattacks that use stolen hashed administrator credentials, also referred to as Pass the Hash (PtH) attacks, within businesses today, according to a survey from One Identity.

California outlaws facial recognition in police bodycams (Naked Security – Sophos, Oct 10 2019)
The bill was introduced by Phil Ting: one of 26 state lawmakers misidentified as suspects in an ACLU test of the technology.