At a glance.
- Are biometrics any safer than old-fashioned passwords?
- With “deep nude” tech, sextortionists run rampant in India.
- Montrose Regional Health data breach.
Are biometrics any safer than old-fashioned passwords?
Though many consider the use of biometric data like iris scans or fingerprints for login credentials a more secure method than traditional passwords, the fact is that biometric data, just like passwords, are ultimately turned into code, which can be easily exfiltrated by attackers. The researchers at Intel 471 say cybercriminals are increasingly targeting biometric data for theft, using it as leverage in extortion operations or selling it on the dark web to other criminals looking to create fake documents to conduct illegal immigration or property fraud. And the illicit activity extends beyond simply stealing fingerprints or iris scans; some criminals have found ways to exploit vulnerabilities in behavior-based anti-fraud systems, resetting behavioral pattern parameters to infiltrate protected systems.
With “deep nude” tech, sextortionists run rampant in India.
The Times of India reports that sextortion operations, in which attackers threaten to publish explicit material, are on the rise, with reports of more than five hundred cases of sextortion in India a day. In one incident, a cybercriminal used “deep fake” technology to blackmail members of the Legislative Assembly in Mumbai, extorting over Rs 20 lakh before he was arrested. In another, a former cabinet minister was compelled to fork over Rs 2.5 lakh to a cybercriminal who posed as a woman in order to engage the victim in sending explicit text messages. Experts say sextortion has evolved over time from ex-lovers targeting women with the threat of leaking “revenge porn,” to attackers using sophisticated “deep nude” artificial intelligence to create fake explicit photos of any target they like.
Montrose Regional Health data breach.
Montrose Regional Health, a healthcare service provider in the US state of Colorado, has disclosed a data incident in which an intruder gained unauthorized access to employee email accounts. Though it’s unclear whether any private data was viewed, the accounts may have contained patient info including names, inpatient/outpatient status, internal patient account number, service date, treatment costs and codes, provider name, or health insurance provider. Out of an abundance of caution, Montrose has reset account passwords and is advising potentially impacted individuals to be on the alert for any unusual activity in their account statement or benefit forms.
Erich Kron, security awareness advocate at KnowBe4, commented on the incident as another case of email serving as an attack vector:
“Email is used as a conduit for a significant amount of work in many industries, especially healthcare. This sensitive information can be used by bad actors to file false claims against insurance, demand payment from the unsuspecting victims for services that were not proved, and even to steal the patient’s identity. In addition to the issues related to personal information theft, once in a legitimate email account, cybercriminals can use those accounts to attack other employees, or even vendors, using the trust inherent in a legitimate email account, making the likelihood of creating more victims greater.
"To protect against these attacks, employees should be educated on the value of their email account and the sensitivity of what is included in emails, as well as learn how to spot and report suspected phishing attacks, a prime way bad actors gain access to these accounts. In addition, employees need to understand the danger of reusing passwords and using simple passwords to secure accounts both personally and within the organization.”