Security News

IRS offers non-biometric option

Plus, New York builds a statewide cybersecurity hub and Amazon cracks down on fake reviews.

The IRS said this week that “a new option in the agency’s authentication system is now available for taxpayers to sign up for online accounts without the use of any biometric data, including facial recognition.” The announcement comes in response to the backlash against a recent requirement by the agency that all users setting up online accounts with the IRS must be registered through ID.me, a verification platform requiring a video selfie for facial recognition purposes. “Biometrics can be a useful and convenient way to authenticate users,” commented Avast Security Evangelist Luis Corrons. “However, having to upload your biometric data is something most users don't feel comfortable with, and it is really understandable given the number of security breaches that happen on a daily basis.” To quell privacy concerns, the agency now offers an option to verify user identity through a live, virtual interview with ID.me agents. For more on this story, see CNET.

Peloton goes down for 4 hours

Exercisers everywhere hit a snag Tuesday morning when Peloton, the popular internet-based stationary bike workout network, went dark at approximately 10:50 a.m. EST on February 22. According to TechRadar, the blackout may have been the result of an ongoing Amazon Web Services (AWS) outage, which affected Slack users as well. Peloton uses AWS to power its online classes and live workouts. On its status page, Peloton did not give any reason for the service interruption but reported at 2:46 EST that “the issue with accessing Peloton services has been resolved. We apologize for any impact this may have had on your workout.”

Cybersecurity center opens in New York

New York governor Kathy Hochul announced that a new centralized cybersecurity hub known as the Joint Security Operations Center will be located in Brooklyn and serve as the headquarters for statewide cybersecurity intelligence and operations. The joint effort involves the mayors of New York City, Albany, Buffalo, Rochester, Syracuse, and Yonkers. The center will be composed of experts from federal and law enforcement entities, representatives from local and county governments, and New York City Cyber Command (NYC3), a body of cyber defense experts from over 100 agencies. For more on this story, see ZDNet.

Phishing malware bypasses MFA with screen sharing

A security researcher known as mr.d0x has discovered a new phishing technique that attackers could use to bypass multi-factor authentication (MFA) through secret screen sharing. Using the noVNC remote access software, mr.d0x was able to stage an attack in which his own browser displayed the login prompts that the victim saw on their screen. When the victim filled in their credentials, the actual fields were being filled in on mr.d0x’s screen. While this kind of attack has not yet been spotted in the wild, researchers think it is likely to be seen soon. See Bleeping Computer for more.

Amazon sues “fake review brokers”

In lawsuits aimed at shutting them down, Amazon has called the companies AppSally and Rebatest “major fake review brokers…who helped mislead shoppers by having their members try to post fake reviews in stores such as Amazon, eBay, Walmart, and Etsy.” Amazon alleges the companies orchestrated the posting of incentivized and misleading reviews in exchange for money or free products. In a press release this week, Amazon said that an in-depth investigation into both companies revealed they collectively had more than 900,000 members willing to write fake reviews. “Amazon strictly prohibits incentivized or fake reviews and uses a combination of machine learning technology and skilled investigators to detect, prevent, and remove them,” the press release states.

This week’s ‘must-read’ on The Avast Blog

With the right support, many older people would venture into the digital world. Let’s explore how the digital freedom of elders can be improved and maintained.