A Review of the Best News of the Week on Identity Management & Web Fraud

Bkav’s new mask beats Face ID in “twin way” (Bkav Corporation, Nov 28 2017)
Bkav’s security experts have successfully crafted a new mask, which beats Face ID in the way that twins unlock iPhone X. With this new research, Bkav raises the severity level to all users, instead of just some special individuals in Bkav’s previous recommendations.

AWS re:Invent Day 1 Recap (Auth0 Blog, Nov 28 2017)
The annual Amazon Web Services (AWS) re:Invent conference kicks off this week. Here’s a TL;DR of all the big announcements as well as Auth0’s observations and things they learned.

Protecting Against S3 Cloud Storage Leaks With a New Approach: BeyondCorp (The Duo Blog, Nov 30 2017)
Enrolling your users and endpoints (devices like laptops, smartphones, PCs, etc.) into inventories; identifying endpoints as trusted using digital certificates and creating access policies based on the authenticated combination of user and endpoint are all steps to take in establishing a new framework for enterprise security, known as BeyondCorp.

---

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

---

Cloud storage for password managers – are you for or against? (Naked Security – Sophos, Nov 24 2017)
Is the cloud the right place to keep your passwords?

Shifting Fraud Tactics and Synthetic Identity Fraud: A Shining Example of the Biggest Threat in Fraud Prevention (IDology, Nov 29 2017)
According to IDology’s 5th Annual Fraud Report, shifting fraud tactics are the biggest industry challenge to fraud prevention. As legacy identity verification systems mature to spot and prevent mainstream fraud schemes, nimble and savvy criminals rapidly shift their approaches, change domains, and attack anew.

Enterprises must address Internet of Identities challenges (CSO Online Application Security, Nov 22 2017)
No one owns identity at many organizations and identity skills are lacking. In lieu of a solution, these issues could lead to IoT roadblocks and security vulnerabilities.

Managing devops with dynamic authorization (CSO Online, Nov 30 2017)
Security technologies, like Dynamic Authorization, are an integral part of the devops methodology and should be managed in the same manner as the application itself.

Infographic: 10 Reasons to Get Identity Verification Right (Jumio, Nov 28 2017)
If you’re shopping for an identity verification solution, comparing solutions is tough. Most of the vendors are making the same claims, using the same vocabulary, and hoping you can tell the difference.

A Review of the Best News of the Week on Identity Management & Web Fraud

Can IAM solutions benefit from Blockchain? (Gemalto blog, Nov 22 2017)
Blockchain is a database where all participating systems store an identical copy of unchangeable information, which is linked to the previous one, thus forming a chain. This makes it ideal for storing and archiving data. Can Blockchain be leveraged for IAM Solutions?

FCC: robocalls can go get BLOCKED (Naked Security – Sophos, Nov 20 2017)
Many of the calls you receive are legitimately spoofed for very good reasons – when you get a call from an extension at your bank, but your caller ID shows the bank’s main number, for example, it came through a PBX, and that is a “spoofed” call. Other legal reasons to spoof a phone number include when people have legitimate reasons to hide their information: for example, it’s legal to spoof numbers of investigators working on cases, of victims of domestic abuse, or of doctors who need to discuss private medical matters.

Here’s How Much Your Identity Goes for on the Dark Web (PCMag, Nov 20 2017)
For people with high credit scores, a Social Security number, birth date, and full name can sell for $60 to $80 on the digital black market, security firm Flashpoint says.

---

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

---

Why BYOD Authentication Struggles to be Secure (Infosecurity Magazine, Nov 17 2017)
Over a quarter (28%) of organizations rely solely on user-generated passwords to secure BYOD, potentially exposing countless endpoints to credential guessing, cracking and theft.

Predictive Analytics: Why Is It Important? (Auth0 Blog, Nov 20 2017)
Predictive analytics is the term used to describe using data to make highly informed guesses about future outcomes. In this article, Auth0 explores the technique and see the benefits.

Confessions of a Fraud Analyst – Part 2 (Sift Science Blog, Nov 20 2017)
To succeed as a fraud analyst, you’ve got to be part Sherlock Holmes, part diplomat, and part Jedi. You’ve got to have a sharp mind and nerves of steel. When everything goes well, your company can win big. But when things go wrong…well, at least you’ll have a great story to tell!

KeePass – a password manager that’s cloud-less (but complex) (Naked Security – Sophos, Nov 17 2017)
It does all the things you’d expect a password manager to do – without the cloud.

DMARC Implementation Lags as Email Fraud Surges (Infosecurity Magazine, Nov 21 2017)
Yet just 0.5% of the top million domains have protected themselves from impersonation by DMARC email authentication.

1 in 25 Black Friday Apps Fake, Finds RiskIQ, Threatening $10.8B in Projected Black Friday Online Sales (Business Insider, Nov 20 2017)
To fool consumers into giving up their login credentials and credit card information, threat actors use the keywords, brand names, and branding of popular e-tailers alongside “Black Friday” in fake apps and landing pages promoting deals and coupons.

Identity theft concerns won’t hold back holiday shopping (Help Net Security, Nov 21 2017)
Despite concerns about identity theft and fraud, consumers don’t plan to curb their holiday shopping, according to Discover.

Enterprises must address Internet of Identities challenges (CSO Online, Nov 22 2017)
No one owns identity at many organizations and identity skills are lacking. In lieu of a solution, these issues could lead to IoT roadblocks and security vulnerabilities.

Why you don’t need an RFID-blocking wallet (CSO Online, Nov 22 2017)
RFID wallets, sleeves and clothing are security snake oil. You don’t need RFID protection because there is no RFID crime.

Your Employee’s Laptop is Stolen. Now What? (OneLogin Blog, Nov 22 2017)
When a laptop is stolen, it’s only natural to get a company’s IT department involved. But as employee identities become more complex and when sensitive data is at risk, it’s equally important to involve the human resources department as well.

Call Center Fraud Vectors & Fraudsters Defeated | Recap (Pindrop, Nov 22 2017)
Call center agents may also be characterized by a skewed understanding of the existing fraud problem, paired with a lack of training and internal resources to detect fraud attacks.

Examining Personal Protection Devices: Hardware and Firmware Research Methodology in Action (The Duo Blog, Nov 20 2017)
In a technical paper released today, Duo Labs details research into two personal protection devices based on ARM Cortex M microcontrollers. Tools and techniques are shared, and a novel bypass affecting readback protection in one microcontroller is shown.

A Review of the Best News of the Week on Identity Management & Web Fraud

New research: Understanding the root cause of account takeover (Google Online Security Blog, Nov 09 2017)
With Google accounts as a case-study, they teamed up with the University of California, Berkeley to better understand how hijackers attempt to take over accounts in the wild. From March 2016 to March 2017, Google analyzed several black markets to see how hijackers steal passwords and other sensitive data.

Defining a New Model for Cyber-Security Trust with Blockchain (eWEEK, Nov 16 2017)
At the SecTor security conference, an MIT futurist details an open-source effort that aims to restore trust and improve data privacy for cyber-security.

Face ID is the Future of Security (Authentication) (Securosis Blog, Nov 10 2017)
“Apple didn’t just throw a facial recognition sensor into the iPhone and replace a fingerprint sensor – they enabled a new security modality. I call this ‘continuous authentication’.”

---

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

---

Hacking a Fingerprint Biometric (Schneier on Security, Nov 09 2017)
Embedded in this story about infidelity and a mid-flight altercation, there’s an interesting security tidbit: The woman had unlocked her husband’s phone using his thumb impression when he was sleeping…

Vietnamese Firm Bkav Claims to Have Beaten Apple Face ID With an Elaborate Mask (Gizmodo, Nov 13 2017)
Researchers at Vietnamese firm Bkav claim to have been able to defeat the iPhone X’s facial recognition with an elaborate mask made from a combination of 2D and 3D parts.

IDology Annual Fraud Report Reveals Two-Thirds of Businesses Experienced Increased Fraud Attempts in 2017 (IDology, Nov 15 2017)
More than half of companies reported an increase in mobile-based fraud, led by device cloning.

Top 10 Themes from Money20/20 (Jumio, Nov 09 2017)
After a frantic week in Las Vegas for Money20/20, I can finally take a moment to reflect on some of the big themes and takeaways from the show. Here were the big ideas…

4 Questions Businesses Must Ask Before Moving Identity into the Cloud (Infosec Island, Nov 08 2017)
Whether you’re moving from an on-premise identity governance solution to the cloud or implementing a cloud-based identity governance solution for the first time, it’s important to take a close look at your organization and its needs before taking the next step.

Zero-Trust Model: Never Trust, Always Verify (Secure Thinking by Centrify, Nov 14 2017)
In a zero-trust model, enterprise resources are secured based on the identity of the user, device posture and other conditions such as location, date and time. If a user can confirm their identity, say via a successful multi-factor authentication (MFA) challenge on a trusted corporate laptop, they may be granted access to an application.

Scientists testing sweat analysis for cellphone authentication (ABC News, Nov 14 2017)
Halámek’s approach relies on amino acids found in skin secretions. A phone, for example, will be able to identify what compounds are in its owner’s unique sweat, Halámek told ABC News.

Voice recognition systems easily fooled by impersonators, claims Finnish university study (V3, Nov 15 2017)
Cyber crooks can compromise speech recognition systems with ease, claim researchers at the University of Eastern Finland

Who Am I? Best Practices for Next-Gen Authentication (Dark Reading, Nov 15 2017)
By their very nature, antiquated, static identifiers like Social Security numbers and dates of birth are worse than passwords.

Behavioral Biometrics: At the Intersection of Fraud Detection and Digital Experience (Biocatch Blog, Nov 09 2017)
Behavioral biometrics technology helps companies navigate digital transformation through two main functions: identity proofing and continuous authentication.

Digital Driver’s Licenses Take Flight in Wyoming (Gemalto blog, Nov 16 2017)
How did mobile licensing fare when tested in highway patrol and airport ID verifications in Wyoming?

A look at major identity implementation challenges (and how to address them) (Janrain, Nov 10 2017)
Customer identity and access management (CIAM) provides tremendous value to organizations interested in both improving customer engagement strategies through data and securing and protecting their customer data repositories. If you’re just getting started on your own CIAM journey, there are five common implementation pitfalls to keep an eye out for…

Approve Your Authentication Requests With Just a Glance (The Duo Blog, Nov 14 2017)
Duo’s new biometric policy with support for Face ID replaces their fingerprint-specific policy, making it easy for administrators to add additional biometric checks regardless of whatever biometric factor their end users’ devices support—whether it’s Touch ID, Face ID, or Android Fingerprint.

A Review of the Best News of the Week on Identity Management & Web Fraud

Simple Banking Security Tip: Verbal Passwords (Krebs on Security, Nov 06 2017)
“There was a time when I was content to let my bank authenticate me over the phone by asking for some personal identifiers (SSN/DOB) that are broadly for sale in the cybercrime underground. At some point, however, I decided this wasn’t acceptable for institutions that held significant chunks of our money, and I began taking our business away from those that wouldn’t let me add a simple verbal passphrase that needed to be uttered before any account details could be discussed over the phone.”

Estonia suspends national 760,000 ID cards found prone to encryption vulnerability (SC Magazine, Nov 08 2017)
Estonia on Friday blocked the certificates of 760,000 national ID cards in response to a cryptographic vulnerability that researchers have discovered is even more dangerous than originally reported.

Duo conducted a U.S.-census-representative survey that asked questions about 2FA usage (The Duo Blog, Nov 07 2017)
Through this survey, they discovered that:
– Only 28% of people use 2FA.
– The majority of participants who did use 2FA (54%) began using it voluntarily.
– Two-thirds of people who had used security keys or push notifications as an authentication method believed it to be convenient and quick.

---

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

---

How to Protect Yourself From Security Oversights (Auth0 Blog, Nov 03 2017)
An inside look at how tech companies can improve their security and what you can do to help yours, too

Shape Security introduces Blackfish protect consumers whose passwords have been stolen in data breaches (Shape Security, Nov 07 2017)
Credential stuffing attacks are responsible for more than $10 billion in fraud losses, identify theft, and brand damage every year. Shape’s network data shows that in many industries, such as retail, more than 90% of all login attempts to websites often come from credential stuffing attacks instead of from real users. In these attacks, cybercriminals use advanced automation to test stolen passwords on other websites, simulating real users to take over large groups of accounts en masse.

Smile for the camera (or don’t!) – LastPass supports Face ID! (The LastPass Blog, Nov 03 2017)
Now, LastPass users can use Face ID to open up their LastPass vault, instead of typing the master password.

Identity Analytics: The New Face of IAM (SC Magazine, Nov 08 2017)
Identity Analytics (IdA) automates the detection of access risks, access outliers, excess access, shared high privileged access (HPA) accounts, as well as, orphan and dormant accounts. It reduces the attack surface area for identities by replacing roles defined using manual processes and legacy rules, with machine-learning-based intelligent roles.

They Wrote the Book on ABAC (Axiomatics, Nov 08 2017)
Artech House has just published a book on Attribute Based Access Control, authored by Vincent Hu, David Ferraiolo, Ramaswamy Chandramouli and Richard Kuhn.

Device provisioning: Identity attestation with TPM (Microsoft Azure Blog, Nov 07 2017)
Folks using the IoT Hub Device Provisioning Service to securely provision their devices are taking the opportunity to start using hardware security modules (HSM) to store the keys on their devices.

SaaS Identity Security (JumpCloud, Nov 09 2017)
The modern era of identity management kicked off when Tim Howes, and his colleagues at the University of Michigan, created the authentication protocol LDAP. This protocol revolutionized how people could authenticate and manage user access.

How Biometrics is Transforming Online Identity Verification (Video) (BioCatch, Nov 06 2017)
In this panel, biometrics pioneers discuss the benefits, barriers, and challenges we can expect as more and more businesses begin improving their security measures through biometric authentication.

Identity management to-do list aligns with cybersecurity (CSO Online, Nov 07 2017)
Large organizations want to monitor user activities, move to multi-factor authentication, and get security more involved with IAM decisions.

In The Future, Retail Commerce Platforms Will Be Built With DevOps, Microservices and Identity (ForgeRock, Nov 08 2017)
A variant of the service-oriented architecture (SOA) architectural style that structures an application as a collection of loosely coupled services, microservices also parallelizes development by enabling small autonomous teams to develop, deploy and scale their respective services independently, which makes building e-commerce applications faster and easier, capable of operating at extremely high scale with the ability to change or evolve services in a much more agile way.

A Review of the Best News of the Week on Identity Mgt & Web Fraud

Equifax Reopens Salary Lookup Service (Krebs on Security, Nov 02 2017)
Equifax has re-opened a Web site that lets anyone look up the salary history of a large portion of the American workforce using little more than a person’s Social Security number and their date of birth. The big-three credit bureau took the site down just hours after I wrote about it on Oct. 8, and began restoring the site eight days later saying it had added unspecified “security enhancements.”

FaceID is Brilliant Because It’s Subtraction Instead of Addition (Daniel Miessler, Oct 31 2017)
“I think one of the best ways to think about the advancement that FaceID represents is to realize that it’s removing an action instead of adding one. True perfection is achieved not when you have nothing left to add, but when you have nothing left to take away. ~ Antoine de Saint-Exupery”

Are You Easily Tricked? Take Our Halloween Fraud Quiz To Find Out! (Riskified Blog, Oct 30 2017)
Fraudsters employ all sorts of tricks to deceive online retailers and get away with eCommerce fraud. Take the quiz, based on data from real orders, to find out if you’re easily tricked, or could cut it as a fraud analyst!

---

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

---

Heart Size: Yet Another Biometric (Schneier on Security, Nov 02 2017)
Turns out that heart size doesn’t change throughout your adult life, and you can use low-level Doppler radar to scan the size — even at a distance — as a biometric.

How to wear your password on your sleeve, literally (Naked Security – Sophos, Nov 02 2017)
Scientists store digital passwords and IDs in clothing. A dress with an electronic display you can control via your smartphone? Trippy. Clothing made with photoluminescent thread and embedded eye-tracking technology that’s activated by spectators’ gaze?

The Best Authentication Technology Might Be Your Own Fingers (Co.Design (blog), Nov 01 2017)
Scientists at the Department of Electrical and Computer Engineering at Rutgers University-New Brunswick have developed a new technology that uses an extremely simple mechanism to turn any solid surface into an authentication surface.

Identity Theft Ring Hit with Credit Card Fraud Indictment (Dark Reading, Oct 27 2017)
The ID theft ring allegedly purchased thousands of stolen credit card and debit card numbers and then encoded that information, along with identities belonging to real people, onto forged credit cards, the DOJ claims.

Security Sense: How Do You Do Knowledge Based Authentication When All Knowledge is Public? (Windows IT Pro, Oct 30 2017)
How do you authenticate people based on data attributes they know when that very information is continually popping up in data breaches? It’s a hard problem with no easy answers.

Virtual Identity Management (JumpCloud, Oct 30 2017)
Over the last two decades, the identity and access management space has remarkably stayed the same. Is the future of IAM virtual identity management? [said by the virtural identity mgt vendor…still, it’s an interesting read]

Slack Plugs ‘Severe’ SAML User Authentication Hole (Threatpost, Oct 27 2017)
Cloud-based communications platform Slack finished patching a severe security hole Thursday affecting portions of its platform that used Security Assertion Markup Language for user authentication.

Don’t Be Catfished: Protecting Yourself From New Account Fraud (Security Intelligence, Oct 31 2017)
Cybercriminals are getting savvier, leveraging stolen identity details to catfish banks and open completely new accounts under fake or stolen names and bypassing common red flags by waiting to use them. This is mostly a marketing piece about Trusteer’s offering, but is interesting for awareness of how some firms are dealing with account takeover.

Massive Identity Data Exposure Leads to Rising Tides of New Account Fraud — What’s Next? (Security Intelligence, Oct 31 2017)
By definition, NAF takes place within 90 days of a new account being opened. Most savvy criminals patiently wait at least 30 days before using the account to bypass common red flags that rely on account age to detect suspicious activity.

How Staples is Fighting eCommerce Fraud this Holiday Season (Whitepages Pro, Oct 30 2017)
Whitepages Pro is talking to fraud managers at major online retailers who have been through it all before. Elie Chemaly from Staples joined us for the second in a webinar series. (Registration required)

Update: Possibly everyone in Malaysia had their mobile records stolen (SC Magazine, Nov 01 2017)
It is possible that everyone in Malaysia may have had their mobile phone records stolen and put up for sale on the Dark Web. This Halloween, we’ve decided to put our readers to the test! Take our quiz, based on data from real orders we’ve reviewed, to find out if you’re easily tricked, or could cut it as a fraud analyst!

The internet of identities is coming and will bring massive IAM changes (CSO Online, Nov 01 2017)
New demands for scale, security and machine learning will support massive proliferation of internet-connected devices.

AI joining the anti-fraud beat as financial-services CIOs fight rising fraud (CSO Online, Nov 01 2017)
Steadily growing rates of fraud are driving APAC financial-services institutions to embrace new technologies at a world-leading pace as they tap into machine-learning tools designed to pinpoint telltale signs of fraudulent activity.

Image management in identity management: a picture paints a thousand words (CSO Online, Oct 31 2017)
Image management can give us the tools to secure and optimize image-based PII.

Introducing LastPass Support for OpenYOLO (The LastPass Blog, Nov 02 2017)
Last year Google introduced their OpenYOLO API that makes it easier for developers to create apps that automatically fill credentials with password managers like LastPass. This means passwords on mobile apps get a whole lot easier, and LastPass now supports OpenYOLO for Android.

Introducing the Sift Science Digital Trust Platform (Sift Science Blog, Nov 01 2017)
Sift Science announces its Digital Trust Platform, a holistic way for online businesses to maximize their revenue with legitimate users while protecting both themselves and their customers from the ever-expanding attack vectors of fraud and abuse.

Introducing the Definitive Guide to Digital Identity #NextGenID (ThreatMetrix, Nov 01 2017)
The Guide was created to further the understanding of digital identity as an important new form of user verification and authentication in digital channels. It provides guidance on how businesses of all sizes can use digital identities to grow profitably on digital channels while minimizing the risks associated with cybercrime.