A Review of the Best News of the Week on Identity Mgt & Web Fraud

Why Biometric Data Breaches Won’t Require You To Change Your Body (danielmiessler.com, Sep 26 2017)
The real risk to biometric authentication will come at some (likely distant) point in the future where it’s possible to: 1) take extraordinarily high resolution images of peoples’ faces, eyes, hands, etc., and then 2) recreate those body parts in three dimensions with such detail and precision that they can trick any sensor.

The Top 20 AWS IAM Documentation Pages so Far in 2017 (AWS Security Blog, Oct 02 2017)
Here’s the 20 pages that have been the most viewed AWS Identity and Access Management (IAM) documentation pages so far this year.

Infographic: Top 10 Signs Knowledge-Based Authentication is Going Extinct (Jumio, Oct 03 2017)
Given how much personally identifiable information (PII) is out in the wild, the fate of KBA is now being openly questioned. Knowledge-based authentication is an authentication process in which the user is asked to answer at least one “secret” question. KBA is often used as a component for self-service password retrieval.

---

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

---

How Good Are Equifax’s Identity Protection Offerings? (Wired, Sep 30 2017)
After its massive data breach and bungled initial response, Equifax is offering a free set of tools to protect your identity, but they have limits.

Google Will Retool User Security in Wake of Political Hack (Bloomberg, Sep 30 2017)
Google is preparing to upgrade its security tools for online accounts to better insulate users from cyberattacks and politically motivated hacks, according to two people familiar with the company’s plan.

New Research Shows Cyber Criminals Increasingly Focused on Credential Theft (WatchGuard, Sep 29 2017)
WatchGuard’s report findings from Q2 2017 revealed that criminal tactics used to access user credentials are growing in prevelance, and that a record 47 percent of all malware is new or zero day, and thus able to evade signature-based antivirus solutions.

Poor access control dooms federal cybersecurity, watchdog finds – CIO Dive (CIO Dive, Oct 03 2017)
All 24 agencies of the CFO Act showed continued weakness in access control and security management, according to the Government Accountability Office’s (GAO) September report on federal information security. Between $3 million and $1.3 billion were spent on IT security practices, which ranged between 1% and 22% of organizations’ overall IT budget.

The Google tracking feature you didn’t know you’d switched on (Naked Security – Sophos, Oct 03 2017)
Matt’s a security expert but Google’s Your Timeline slipped past him and almost everyone he asked. Using GPS, Wi-Fi and cell tower data, Google’s Your Timeline can paint a very accurate picture of your daily life.

Google Updates Cloud Access Management Policies (Dark Reading, Oct 03 2017)
Custom roles for Cloud Identity and Access Management will give users full control of 1,287 public permissions in the Google Cloud.

Adobe invests in Aadhaar-based authentication for its ‘e-sign’ solution – Economic Times (The Economic Times, Oct 04 2017)
In a bid to facilitate better adoption of e-signatures in the country, Adobe on Wednesday announced investment on integration of Aadhaar-based authentication in its e-signature solution “Adobe Sign”.

Google updates custom roles for Cloud IAM policies (Google Cloud Platform Blog, Oct 03 2017)
Custom roles offer customers full control of 1,287 public permissions across Google Cloud Platform services. This helps administrators grant users the permissions they need to do their jobs — and only those permissions. Fine-grained access controls help enforce the principle of least privilege for resources and data on GCP.

Developing RESTful APIs with Python and Flask (Auth0 Blog, Sep 28 2017)
This article shows how to use Flask and Python to develop a RESTful API. They start by creating an endpoint that returns static data (dictionaries). After, they create a class with two specializations and a few endpoints to insert and retrieve instances of these classes. Finally, they show how to run the API on a Docker container.

Are you ready for DFARS? (Gemalto blog, Oct 05 2017)
With the Defense Federal Acquisition Regulation Supplement compliance deadline approaching, businesses are scrambling to meet compliance requirements. DFARS addresses the need for strong, two-factor authentication and physical access controls. Are you ready for DFARS?

Closing the Password Security Gap (The LastPass Blog, Oct 05 2017)
Nearly three-quarters of employees want a tool to help them manage their passwords. That’s not surprising knowing that 61 percent of IT executives rely exclusively on employee education to enforce strong passwords.

Fraud Prevention and the Evolving Threats to Online Gambling (ThreatMetrix, Oct 05 2017)
Recently, fraudsters spread fake news using automated bots to pull off a betting scam involving odds-making in professional soccer. Meanwhile, popular gambling site 888 was hit with $7 million in fines over allegations that one customer was somehow allowed to make 850,000 bets worth $1.3 million using money stolen from their employer.

A Review of the Best News of the Week on Identity Mgt & Web Fraud

Digital Drivers License (DDL) Pilot Goes Live in Maryland and Washington DC (Gemalto blog, Sep 26 2017)
Smartphone-based ID is tested for age & ID verification in Maryland and DC at shops, casinos, stadiums and police stops. The pilot kicked off at Bay Ridge Wine & Spirits, a quaint family-owned and run liquor store in Annapolis, MD.

Machine Learning Will Revolutionize E-commerce (Signifyd, Sep 27 2017)
It’s hard to talk to any retailer for more than four or five minutes without the phrase “customer experience” coming up…consider the possibility of a smart machine following along in a conversation between a customer and an agent, he said. The machine would be able to point the agent to prompts and information that would help him or her help the retailer’s customer.

iPhone X has face recognition but this heart-scan authentication goes one better (ZDNet, Sep 26 2017)
A heart-based authentication system keeps you logged in until you walk away from the device.

---

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

---

inBay Technologies Closes $1+ Million Financing (inBay Press Release, Sep 22 2017)
inBay Technologies, developers of ‘passwordless’ authentication solutions, today announced the company has secured $1+ million of financing from European-based Ramphastos Investments, co-leading with an Ottawa-based super angel represented by Tongda One Partners Ltd.

Making multifactor authentication work [for Federal Agencies] (GCN, Sep 25 2017)
MFA solutions for the federal government cannot be one size fits all, so how an agency implements MFA should depend on the sensitivity of its data and where MFA would be used within the agency’s architecture.

A guide to common types of two-factor authentication (VentureBeat, Sep 25 2017)
There are four main types of 2FA in common use by consumer websites, and it’s useful to know the differences. Some sites offer only one option; other sites offer a few different options.

Busting myths behind authentication and authorization (CSO Online, Sep 26 2017)
We need to dispel some of the myths in cybersecurity, authentication and authorization. First up, are reverse proxies bad?

​Service NSW to develop multi-factor authentication identity platform as opt-in (ZDNet, Sep 25 2017)
Service NSW, New South Wales’ centralised organisation for government service delivery, currently uses a relatively simplistic platform for identification. The roadmap for the state government’s one-stop-shop for service delivery includes the rollout of multi-factor authentication, but on an opt-in basis.

SAP Buys CIAM Vendor Gigya (Forrester Blogs, Sep 25 2017)
SAP announced it has acquired Mountain View, CA based Customer Identity and Access (CIAM) provider Gigya. Several media outlets placed the purchase price in the $350M range. Gigya has been a CIAM vendor since 2010 and raised ~$105M in venture capital, so if the purchase price is accurate, it reflects a good return for Gigya’s investors.

Android Lockscreen Patterns Less Secure Than PINs (Threatpost, Sep 25 2017)
An academic study set out to prove whether it’s better to protect your Android phone with a PIN or a swipe pattern. The answer is PIN. At least when it comes to proximity attacks, namely someone lurking about trying to guess your PIN or unlock pattern.

UK Police: Buying Fake Goods Online Can Lead to ID Theft (Infosecurity Magazine, Sep 27 2017)
UK Police: Buying Fake Goods Online Can Lead to ID Theft. City of London Police says over 4,000 sites were created using stolen IDs.

Reset Your AWS Root Account’s Lost MFA Device Faster by Using the AWS Management Console (AWS Security Blog, Sep 21 2017)
To help secure your AWS resources, AWS recommends that you follow the AWS Identity and Access Management (IAM) best practice of enabling multi-factor authentication (MFA) for the root user of your account. With MFA turned on, the root user of your account is required to submit one form of authentication, which is the account password…

Breach at Sonic Drive-In May Have Impacted Millions of Credit, Debit Cards (Krebs on Security, Sep 26 2017)
Sonic Drive-In, a fast-food chain with nearly 3,600 locations across 45 U.S. states, has acknowledged a breach affecting an unknown number of store payment card systems. The ongoing breach may have led to a fire sale on millions of stolen credit and debit card accounts that are now being peddled in shadowy underground cybercrime stores, KrebsOnSecurity has learned.

Apple Pushing Two-Factor Authentication: What to Do (Tom’s Guide, Sep 26 2017)
What Apple is really doing it forcing people who upgrade to those two operating systems to also upgrade to Apple’s more secure two-factor authentication, which has already been around for a couple of years.

Will Apple’s new face recognition replace fingerprint verification? (Gartner Blog Network, Sep 27 2017)
In its recent iPhone X announcement, Apple introduced the TrueDepth camera for use in various applications including Face ID, Animoji, Apple Pay and selfies. 3D sensing technology is the next big thing on smartphones for three reasons.

Guidelines to comply with PCI DSS 3.2 (Gemalto blog, Sep 26 2017)
Starting in Feb 2018, all who access systems that hold credit card data will be required to authenticate with multi-factor authentication. This is a direct outcome of PCI DSS’s new requirement providing best practices for organizations that need to extend their MFA and comply.

7 Things to Consider Before Making the Switch to MFA (Okta blogs, Sep 25 2017)
MFA is a great way to secure your users’ apps and services from unauthorized access. Here are some points to consider as you plan your deployment.

A Review of the Best News of the Week on Identity Mgt & Web Fraud

Experian Site Can Give Anyone Your Credit Freeze PIN (Krebs on Security, Sep 21 2017)
A free online service offered by big-three credit bureau Experian allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

SecureAuth to Merge with Core Security (Dark Reading, Sep 20 2017)
K1 Investment Management, which owns Core Security, plans to acquire the identity management and authentication company for more than $200 million.

Gartner Privileged Access Management Market Overview 2017 (Secure Thinking by Centrify, Sep 20 2017)
Gartner just published their 2017 Market Overview guide for PAM. The drivers for PAM are similar to last year’s, with a new emphasis on the need for “a comprehensive cybersecurity defense strategy, specifically for critical infrastructure.” Here’s Gartner’s list of drivers…

---

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

---

How One of Apple’s Key Privacy Safeguards Falls Short (Wired, Sep 15 2017)
Researchers say they’re doing it wrong. For the past year, Apple has touted a mathematical tool that it describes as a solution to a paradoxical problem: mining user data while simultaneously protecting user privacy. That secret weapon is “differential privacy,” a novel field of data science that focuses on…

Why SMS two-factor authentication puts your bitcoins at risk (Naked Security – Sophos, Sep 20 2017)
In a video uploaded on Monday, researchers from the Russian security firm Positive Technologies demonstrated that they were able to use the SS7 flaws to take control of a Coinbase Bitcoin wallet and suck out funds.

AWS IAM Policy Summaries Now Help You Identify Errors and Correct Permissions in Your IAM Policies (AWS Security Blog, Sep 15 2017)
AWS updated policy summaries to help you identify and correct errors in your IAM policies. Now, you will see a warning if policy elements (Actions, Resources, and Conditions) defined in your IAM policy do not match.

How to Enable Your Users to Access Office 365 with AWS Microsoft Active Directory Credentials (AWS Security Blog, Sep 14 2017)
You can now enable your users to access Microsoft Office 365 with credentials that you manage in AWS Directory Service for Microsoft Active Directory, also known as AWS Microsoft AD.

A Note on Consumer Identity World US 2017 (Axiomatics, Sep 19 2017)
UX, Security, Privacy and CIAM. Ryan Fox of Capital One came to introduce their API-first strategy. As a bank, they are implementing and offering a set of APIs to enable business interactions that deliver better consumer experiences. This goes through an API that can be used for user identity verification.

FIDO Standards Provide Easy, Secure Way for European Payments Industry to Meet PSD2 Strong Authentication Requirements (FIDO Alliance, Sep 20 2017)
While the final draft RTS requires two secure and distinct factors of authentication, it also recognizes that these factors can be housed in a single “multi-purpose” device – such as a mobile phone, tablet or PC – as long as “separate secure execution environments” are used (such as trusted execution environments (TEE), secure elements (SE) and trusted platform modules (TPM)).

Trusted insider at the federal level raises concerns (CSO Online Cyber Crime, Sep 21 2017)
Charged with bank fraud, Imran Awan provided IT services to the U.S. House of Representatives for 14 years. Is he a white-collar criminal or something more sinister?

5 Insights on Why Proving Identity Online Is Hard (and What Can Be Done to Make It Easier) (ID.me Blog, Sep 18 2017)
Moderated by ID.me CEO Blake Hall, the panel discussed why identity proofing has become a challenge and how organizations can work towards creating a more secure identity ecosystem.

Hey Chef, What’s the Length of your Encrypted Password? (Okta blogs, Sep 21 2017)
Does your organization, or one you are testing/auditing, use Chef Data Bags or SaltStack Pillar with the GPG.renderer to secure secrets for deployment and operations?

“Admin from Hell” holds company to ransom with porn makeover (Naked Security – Sophos, Sep 21 2017)
The IT admin demanded $10,000, when he didn’t get it things got X-rated.

A Review of the Best News of the Week on Identity Mgt & Web Fraud

How Many Times Has Your Personal Information Been Exposed to Hackers? (The New York Times, Sep 14 2017)
An interactive quiz to find out which parts of your identity may have been stolen in major hacking attacks over the last four years.

Ayuda! (Help!) Equifax Has My Data! (Krebs on Security, Sep 14 2017)
First rule of website configuration: change username/password from admin/admin to something else. Krebs writes about an Equifax Argentina employee portal — known as Veraz or “truthful” in Spanish.

How to Hack Passwords: How Long Would It Take Your Grandmother To Do It? (Secure Thinking by Centrify, Sep 13 2017)
First step for Grandma is to visit Amazon and pickup some hardware. Perhaps a nice BitCoin mining rig that can compute SHA – 256 hashes at 60 GH per second. What does that mean? 1 MH/s is 1,000,000 (one million) hashes per second. 1 GH/s is 1,000,000,000 (one billion) hashes per second. So this rig can do 60 Billion hashes per second and it is only $699. Great Christmas present for this Grandma.

---

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

---

Ryan Fox @ Capital One = identity today is like credit cards at their beginning where you had a separate card per retailer. #CIW2017

— Heather Flanagan (@sphcow) September 12, 2017

India’s biometric database is a dystopian nightmare (VICE News, Sep 08 2017)
Seven years ago nearly 400 million people in India did not exist in the eyes of the government. They were “ghosts” who had no identity and no way of getting one, says Sahil Kini, one of the architects of India’s controversial Aadhaar database. In a country trying to modernize on the fly and take its place among the world’s superpowers, this massive yet unknown population presented a huge problem.

The Equifax Breach Exposes America’s Identity Crisis (Wired, Sep 08 2017)
“Considered along with the data stolen from various other breaches, hacks, and leaks, “it’s a safe assumption that everyone’s Social Security number has been compromised and their identity data has been stolen,” says Jeremiah Grossman, the chief of security strategy at the defense and threat monitoring firm SentinelOne.

US carriers partner on a better mobile authentication system (Engadget, Sep 08 2017)
Sprint, T-Mobile, Verizon and AT&T have formed a coalition called the Mobile Authentication Taskforce to come up with a new system. Working with app developers and others, they’ll explore the use of SIM card recognition, network-based authentication, geo-location, and other carrier-specific capabilities.

Why Relaxing Our Password Policies Might Actually Bolster User Safety (Dark Reading, Sep 11 2017)
Here’s another summary of recent recommendations, Special Publication 800-63-3: Digital Authentication Guidelines, released in June.

Chrome’s Plan to Distrust Symantec Certificates (Google Online Security Blog, Sep 11 2017)
At the end of July, the Chrome team and the PKI community converged upon a plan to reduce, and ultimately remove, trust in Symantec’s infrastructure in order to uphold users’ security and privacy when browsing the web.

Now Create and Manage AWS IAM Roles More Easily with the Updated IAM Console (AWS Security Blog, Sep 08 2017)
The AWS Identity and Access Management (IAM) console is updated to make it easier for you to create, manage, and understand IAM roles. This includes an updated role-creation workflow that better guides you through the process of creating trust relationships (which define who can assume a role) and attaching permissions to roles. Additionally, you can now view and understand the permissions attached to roles more easily by using policy summaries for each role in your account.

Senator Seeks Privacy Answers on Face ID (Pindrop, Sep 14 2017)
As tech enthusiasts pore over the design details of the iPhone X and swoon at the thought of a quarter-inch more screen space, some lawmakers are asking Apple for more details about the way the phone’s new Face ID authentication system works and what might be done with users’ faceprints.

Equifax Cyberattack Underscores Dangers in Post-Breach World (ThreatMetrix, Sep 13 2017)
Consumers are already getting what they want from first movers in banking, eCommerce, media, lending, insurance and other industries that have transitioned to today’s smart authentication systems. These technologies verify identities using hundreds of dynamic data elements and global, crowdsourced threat intelligence that can’t be faked. Trust is established instantly, streamlining the digital experience for legitimate customers, while blocking out fraudsters—even if they’re using valid credentials.

ID.me debuts FIDO U2F security keys as an extra layer of authentication for digital identity verification (ID.me Blog, Sep 12 2017)
To register, users insert the security key into a USB port, enter a password and tap the device when prompted. This will generate a cryptographic code that binds the physical token to their identity, proving that it is not someone pretending to be them. For future login, users follow the same simple process.

Securing Access to Data Stored in Amazon S3 Buckets (The Duo Blog, Sep 12 2017)
While ransomware appears to remain the topic du jour in the media, there’s another problem that isn’t quite as flashy but still irrevocably damaging – misconfigured access to Amazon S3 buckets.

Developing RESTful APIs with Loopback (Auth0 Blog, Sep 07 2017)
Learn how to build and secure RESTful APIs with Loopback.  TL;DR: In this tutorial, they show you how to leverage Loopback to build out your REST APIs quickly. Check out the repo to get the code.

A Review of the Best News of the Week on Identity Mgt & Web Fraud

FIDO Alliance Addresses PSD2 Screen Scraping Debate in Letter to European Commission and European Parliament (FIDO Alliance, Sep 07 2017)
“Should screen scraping be allowed, even as a fallback option, under Payment Services Directive 2 (PSD2)? The FIDO Alliance has been closely observing the discussions on this topic between the European Commission (EC) and European Banking Authority (EBA)…”

ForgeRock Lands $88M In Funding To Expand R&D, Sales Of Identity, IoT Security Solutions (CRN, Sep 07 2017)
“ForgeRock has raised an $88 million in Series D funding round, which the company says it will put towards sales and product development as the market for Internet of Things security and identity heats up.”

Security Flaw in Estonian National ID Card (Schneier on Security, Sep 05 2017)
“On 30 August, an international team of researchers informed the Estonian Information System Authority (RIA) of a vulnerability potentially affecting the digital use of Estonian ID cards. The possible vulnerability affects a total of almost 750,000 ID-cards issued starting from October 2014, including cards issued to e-residents.”

---

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

---

A brief history of passwords (Thales, Sep 01 2017)
“Passwords themselves are much older than any computer, dating back to ancient times, when a password, or watchword, was used to indicate membership of a select group. Indeed, secret societies were known in cultures as far back as ancient Egypt, but it was the Roman military – who else? – that took passwords to a new level of sophistication.”

Cumbersome task ahead of Aadhaar authentication (The Hindu, Sep 03 2017)
In India, “the authentication of bank accounts with Aadhaar numbers before December 31 seems to be an uphill task in Telangana given that it has been completed in just about 15 per cent of the total four crore plus accounts.”

How Intel Core chips could take over two-factor authentication from your phone (PCWorld, Sep 01 2017)
“Intel’s 8th-gen Core architecture and its associated software cut out the need for a phone, simply requiring you to click a software “button” to authenticate the 2FA transaction.”

Lawyer suggests tying access to encryption to verified ID (Naked Security – Sophos, Sep 04 2017)
Max Hill QC, who is leading the Independent Review of Terrorist Legislation (IRTL) starts a debatable thread: “Social media accounts are used for direct communication and to spread terrorist propaganda, much of which uses encryption and is therefore difficult to monitor. The solution is to force all users to prove who they are before they get access to accounts with encryption privacy turned on.”

Cloud Identity-Aware Proxy: a simple and more secure way to manage application access (Google Cloud Platform Blog, Sep 01 2017)
Google Cloud launches Cloud Identity-Aware Proxy. “Cloud IAP provides granular access controls and is easy to use so that companies can quickly and more securely host their internal apps in the cloud.”

Best Practices for Multi-factor Authentication (MFA) (Secure Thinking by Centrify, Sep 07 2017)
“It’s not difficult to implement, but some up-front planning can further enhance security and save a lot of time and effort. MFA is one of the best ways to prevent unauthorized users from accessing corporate data.”

Identity fraud is everywhere: here’s how to improve market fraud scoring systems (Gemalto blog, Sep 04 2017)
“But what is SIM swap fraud? A fraudster gathers data on a bank customer through “phishing” or “social engineering” to gain access to their online/mobile banking portal. With this data, the fraudster contacts their mobile operator to get their SIM card replaced and/or change Mobile Network Operator while keeping the same mobile number.”

Signifyd’s Meetups: Effective Fraud Prevention and a Chance to Talk Shop (Signifyd, Sep 06 2017)
“Online fraud fighter Noam Naveh had a succinct message for the group of e-commerce and payment security professionals who gathered for Signifyd’s first meetup to share and discuss fraud-prevention techniques.”