Jan 02 2023

3 important changes in how data will be used and treated

Category: Data Breach,Data mining,data securityDISC @ 11:51 am

Regula has presented their vision of the developments that will shape the industry’s landscape in 2023. Deepfakes, new cyber-hygiene norms, and demand for mature ID verification platforms are among some of the predictions for the next year.

While more and more industries move their customer experiences to digital, online identity verification is becoming an essential part of our life. It lets people cope with all sorts of mission-critical activities online: opening bank accounts, applying for benefits, getting insurance payouts, and even getting medical advice.

Still, the security of the digital IDV process is the number one concern that is forming the industry’s landscape and driving the majority of significant changes.

Javelin Strategy & Research reports that in 2022, identity fraud and scams cost $52 billion and affected over 42 million people in the US alone. The rising number of identity fraud cases, along with fraudsters’ hunger for personal information collected by service providers, will lead to three important changes in how data will be used and treated:

  • Even industries that are not so heavily regulated will invest more in the ID verification process, adding extra security layers. There will be more checks with increased complexity and additional steps in the verification process: biometric checks, verifying IDs, SMSs, and passwords, checking recent transactions, etc.
  • This will lead to prioritization of comprehensive liveness checks to make sure that submitted documents are valid and really exist. An ID document contains various security features: holograms, elements printed with optical variable inks, and biometric data, to name a few, and an image of it should be taken using methods so that these elements can be captured and verified.
  • Regula experts expect to see a push from users for more data protection rules, and for more transparency from online businesses. In the wake of multiple public disclosures of data leaks, users are gradually losing trust in how their data is treated and becoming more cautious about what they share with third parties and how. Addressing this trend, companies will attempt to bring that trust back via increased investments in customer data protection measures.

When it comes to more complex identity fraud cases related to synthetic media like deepfakes, experts expect to see a rise in amateur scam attempts along with the emergence of next-gen biometric-related fraud.

Both trends are developing in parallel and are powered by the same factor: the growing maturity and availability of machine-learning based technologies that make it possible to fake photos, videos, voices, and other characteristics previously considered unique.

Based on the opinion of Regula experts, all these trends will lead to a market that is developed enough to embrace mature end-to-end IDV solutions that are capable of not only verifying documents, but also biometric characteristics, like face, voice, and fingerprints.

“The good news is that minimal security measures are currently enough to repel 95% of possible attacks. The remaining 5% is where the difficulties lie. Now, most deepfakes are created for free, and they’re of such a quality that there’s no immediate danger. But that’s a matter of how many resources fraudsters will be willing to invest. At the moment, when they’re ready to spend significant amounts of money per deepfake, it’s a problem that requires interactive multi-layered protection. So if we picture the trends above as a scale, where convenience for the customer is on one end and security on the other, the balance is shifting to the latter,” notes Ihar Kliashchou, CTO at Regula.

In relation to this year’s trending topics — digital identity and decentralized identity — the company’s experts have their own take on that:

  • In the ideal world, a universal digital identity would help eliminate most of the issues with fake identities. However, in reality, creating and gaining broad acceptance and implementation of a secure single source of truth is going to take a significant amount of time. Still, we’re already seeing more different local and even company-based digital identities trying to become a single source of truth on a local level.
  • The idea of decentralized identity is going to be held back for some time. With the benefit of being built on blockchains and allowing users to control their digital identifiers, this system still comes with weaknesses. Since no one controls it centrally, no one will be responsible for it in case of any problems. Additionally, there is the matter of trust. Blockchain is strongly associated in people’s minds with crypto, and the FTX crash that has happened in the last couple of months has undermined people’s trust in it.


Infosec books
 | InfoSec tools | InfoSec services

Tags: data security


Oct 20 2021

China-linked LightBasin group accessed calling records from telcos worldwide

Category: Data Breach,Data mining,data securityDISC @ 8:20 am

A China-linked hacking group, tracked as LightBasin (aka UNC1945), hacked mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.

The cyberespionage group has been active since at least 2016, according to the CrowdStrike researchers it is using a very sophisticated toolset. CrowdStrike researchers reported that at least 13 telecommunication companies were compromised by since 2019.

The campaign was uncovered by CrowdStrike by investigating a series of security incidents in multiple countries, the security firm added that the threat actors show an in-depth knowledge of telecommunications network architectures.

“LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.” reads the report published by Crowdstrike. “Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.”

The hacking group initially compromised one of the telecommunication companies by leveraging external DNS (eDNS) servers which are part of the General Packet Radio Service (GPRS) network.

The eDNS are used in roaming between different mobile operators, threat actors leveraged it to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously deployed implants.

The group was able to target other telecommunications-specific systems in the GPRS network such as Service Delivery Platform (SDP) systems, and SIM/IMEI provisioning, as well as Operations Support Systems (OSS), and Operation and Maintenance Units (OMU).

Crowdstrike collected evidence of the use of password-spraying attempts using extremely weak either third-party-focused passwords (i.e. huawei) for the initial compromise.


Jun 18 2020

Facebook sues developer over alleged data scraping abuse

Category: Data mining,data securityDISC @ 10:36 am

The lawsuit alleges that a data scraper took login credentials from about 5,500 people and then harvested phone numbers of their friends.

Source: Facebook sues developer over alleged data scraping abuse



What Is Web/Data Scrapping ? How To Scrap Large Data From A Website
httpv://www.youtube.com/watch?v=bp73TqGcY9c



Would like to know more on InfoSec Awareness…

Download a Security Risk Assessment steps paper!

Download a vCISO template

Subscribe to DISC InfoSec blog by Email






Nov 03 2011

Knowledge Management finally gets it’s own book: WKIDM

Category: Data mining,data securityDISC @ 9:11 am

by Melanie Watson
That’s right, Knowledge Management finally has it’s own book: Information Lifecycle Support: Wisdom, Knowledge, Information and Data Management (WKIDM).

The primary role of Knowledge Management is to “improve the quality of decision making” by making sure that information throughout the Service Lifecycle is accurate, reliable and trustworthy. This book covers all four areas of knowledge: data, information, knowledge and wisdom.

This book, (endorsed by the OGC – the creators of the ITIL methodology) provides a comprehensive and much-needed source of information on data and information management. It examines the effective production, coordination, storage, retrieval, dissemination and management of information from internal and external sources.

Information Lifecycle Support: Wisdom, Knowledge, Information and Data Management (WKIDM)




Tags: it service management, ITIL, ITSM


Jul 27 2011

Tim O’Reilly: The Future of Business Intelligence is Now

Category: Data miningDISC @ 10:15 am

When Tim O’Reilley talks, it’s better for all to listen very very carefully! This man is absolute visionary! I still remember how shocked I was at first, when he answered that the next big innovation(or change) is the off-line shopping! He is so damn right…