Mosaic Security Research

Cyber Security News & Research


Identity Mgt & Web Fraud – The Week’s Best News – 2017.08.10

August 10, 2017 by Lucas Samaras

A Review of the Best News of the Week on Identity Mgt & Web Fraud

How to Evaluate a Possible Apple Face ID (Securosis Blog, Aug 03 2017)
“Apple accidentally released the firmware for their upcoming HomePod. Filled with references to other upcoming products and technologies, the firmware release makes it reasonably probable that Apple will release an updated iPhone without a Touch ID sensor, relying instead on facial recognition.”

Inside India’s Cybercrime Boom (ThreatMetrix, Aug 08 2017)
India’s digital transformation may be the closest thing to an overnight success the world has ever seen…As a nation’s online transaction volume grows, so does cybercrime….

6 Reactions to the Cisco 2017 Midyear Cybersecurity Report: Part 2 (Centrify Blog, Aug 08 2017)
“Last week, I discussed the first three reactions I had to the “Cisco 2017 Midyear Cybersecurity Report.” I discussed how vendor consolidation is increasing, how spyware is being branded as malware and how detection of threats is continuously improving.”…




What’s the ROI on attribute-based access control? (CSO Online, Aug 07 2017)
Gebel (from Axiomatics) shares four misconceptions around ABAC and his truth to help readers understand differing opinions so that decision makers can find their truth, which is probably somewhere in the middle….

Hackers: Privileged Accounts Provide Fastest Access to Sensitive, Critical Data (Dark Reading, Aug 09 2017)
Thycotic’s Black Hat survey: nearly one third (32 percent) of respondents state that accessing privileged accounts was the number one choice for the easiest and fastest way to get access to critical data, followed closely by 27 percent indicating access to user email accounts was the easiest path to disclosing sensitive data….

The ABCs of Identity Management (CSO Online, Aug 09 2017)
What is identity management? Broadly speaking, identity management systems (also known as identity and access management, or IAM, systems) enable the…

Privileged Access Management: A Matrix Approach for Account Ranking and Prioritization (CyberArk, Aug 02 2017)
“…exactly which privileged accounts in an environment should be integrated first (e.g., application/infrastructure/personal accounts), and exactly how we should control each type of privileged account…”…

Filed Under: Identity Mgt & Web Fraud

Identity Mgt & Web Fraud – The Week’s Best News – 2017.08.03

August 3, 2017 by Lucas Samaras

What to look for in Multi-factor Authentication (OneLogin Blog, Aug 01 2017)
What to look for in Multi-factor Authentication? Look for more companies like OneLogin providing a prompt on a device: “Access Requested. Do you approve or deny?”…

WWPass releases free PassHub password manager to protect user credentials (WWPass, Aug 03 2017)
Unlike other password managers that require an additional master password or optional multi-factor authentication, PassHub is only accessible through WWPass’ PassKey Lite app, ensuring the highest level of security and convenience for customers….

ICYMI: No ID number, no passport from 2018 — Nigeria (Punch Newspapers, Aug 03 2017)
The Nigeria Immigration Service says from January 1, 2018, anybody without the National Identification Number, issued by the National Identity Management Commission, will not be able to procure a Nigerian passport.




2016 Social, Passwordless and SSO Data: What Can We Learn? (Auth0 Blog, Jul 31 2017)
Username and password still dominates, but not for long…

Identity Security at Black Hat USA 2017 (Identropy Blog, Aug 02 2017)
“…using corporate infrastructure like Active Directory (AD) domain controllers to serve as bases for attacks (AD botnet anyone?). AD controllers are critical infrastructure for a company and a compromise can have serious impacts. So, how does this newly discovered exploit work?”…

One-Time Passcodes for Two-Factor Mobile Authentication: A Fast or Slow Death? (IDology, Aug 02 2017)
Instead of an SMS OTP, users get an SMS with a link to verify….

Filed Under: Identity Mgt & Web Fraud

Identity Mgt & Web Fraud – The Week’s Best News – 2017.07.27

July 27, 2017 by Lucas Samaras

Better experience for SMS 2-Step Verification users with Google prompt (G Suite Update Alerts, Jul 19 2017)
In February 2017, we revamped Google prompt for 2-Step Verification (2-SV), giving users a better option to keep their accounts safe….

Enterprise Authentication Comes to the Cloud: Introducing Our Newest Solution, IntelliTrust (Entrust, Jul 19 2017)
Entrust Datacard launched IntelliTrust as a cloud-based auth solution. Included among its many capabilities, for example, is proximity-based smart card emulation for hands-free access to physical buildings and desktop computers. …

Forrester Wave Report: ThreatMetrix and the Revolution in Risk-Based User Authentication (ThreatMetrix, Jul 19 2017)
Has account takeover (ATO) met its match in digital identity? With ATO attacks on the rise, a revolution in risk-based authentication (RBA) is rapidly replacing outdated password-based systems with context-aware risk analysis. …

Six Degrees of Marketing Identity (Gartner Blog Network, Jul 21 2017)
An excerpt from an upcoming Gartner report, “What Marketers Need to Know About Managing Identity”…

Opinion Piece: How the Blockchain Could Change The Idea of Identity (Auth0 Blog, Jul 07 2017)
Better information and transaction storage could mean big things….

Dashlane, Researcher at Odds Over Potential Privilege Escalation Vulnerability (Threatpost, Jul 24 2017)
Researcher Paulos Yibelo said that Dashlane elected not to patch a vulnerability he disclosed more than a year ago in all versions of the password manager application….

Why NIST Recommendations Will Simplify the Online Experience (LastPass Blog, Jul 27 2017)
The recommendations included decreasing both password complexity and the volume of forced password changes while checking passwords against regularly used credentials. …

Filed Under: Identity Mgt & Web Fraud

Identity Mgt & Web Fraud – The Week’s Best News – 2017.07.20

July 20, 2017 by Lucas Samaras

Two-factor authentication is a mess (The Verge, Jul 10 2017)
For years, two-factor authentication has been the most important advice in personal cybersecurity — one that consumer tech companies were surprisingly slow to recognize. The movement seemed to coalesce in 2012, after journalist Mat Honan saw hackers…

Two-factor FAIL: Chap gets pwned after ‘AT&T falls for hacker tricks’ (The Register, Jul 12 2017)
This is getting stupid now – time to dump SMS and switch to code-generating apps or tokens…

Login-stealing phishing sites conceal their evil with lots of hyphens in URL (Ars Technica, Jun 15 2017)
Compromised domains target Android users with fake login pages for cloud services….

Rethinking Access Management: A Modern Approach for A Modern Workforce (CSO Online, Jul 12 2017)
With a more modern workforce armed with mobile devices and a work-anywhere-anytime mentality, it’s time to rethink your approach to access management. …

Dealing with NIST’s about-face on password complexity (Network World Security, Jun 27 2017)
In the last few years, we’ve been seeing some significant changes in the suggestions that security experts are making for password security. While previous guidance increasingly pushed complexity in terms of password length, the mix of characters used, controls over password reuse, and forced periodic changes, specialists have been questioning whether making passwords complex wasn’t actually working against security concerns rather than promoting them….

Is Password Masking On the Way Out? (Schneier on Security, Jul 19 2017)
Slashdot asks if password masking — replacing password characters with asterisks as you type them — is on the way out. I don’t know if that’s true, but I would be happy to see it go. Shoulder surfing, the threat it defends against, is largely nonexistent. And it is becoming harder to type in passwords on small screens and annoying…

Authentication and Anomaly Detection: 3 Ways to Identify When an Access Request Isn’t What It Seems (CSO Online, Jul 18 2017)
Anomaly detection is about recognizing risky situations involving access requests that are not legitimate, allowing you to take appropriate action. Your multi-factor authentication solution should have baseline capabilities to help you do just that….

Filed Under: Identity Mgt & Web Fraud


About Us


We're a Cybersecurity research and advisory firm with a focus on providing data for strategic assessments.
- Lucas Samaras, CEO


© 2019 Mosaic Security Research, Inc. · Bethesda, MD, USA
