Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Android Pay becomes Google Pay https://www.mobilepaymentstoday.com/news/google-pay-officially-debuts/
• VISA says EMV cards drove 70% fraud reduction https://www.darkreading.com/endpoint/visa-emv-cards-drove-70--decline-in-fraud-/d/d-id/1331119?_mc=rssxdrredtauddrx_x-rss-simple

Breaches / Leaks

• Australian insta-pay leaks phone numbers https://www.theregister.co.uk/2018/02/19/payidaccidentalreversetelephonenumber_lookup/
• Town of Richmond Hill leaks residents data after upgrade  https://www.yorkregion.com/news-story/8148903-richmond-hill-discovers-data-breach-that-exposed-residents-information/

Laws & Regulations / Standards

• Draft US Data Security Bill undermines stronger state laws https://epic.org/2018/02/house-draft-data-security-bill.html
• EFF criticizes National Academy of Sciences Cryptography for Decision Makers report for asking the wrong questions https://www.eff.org/deeplinks/2018/02/new-national-academy-sciences-report-encryption-asks-wrong-questions
• Supreme Court refuses to hear breach case https://www.databreachtoday.com/supreme-court-wont-review-carefirst-data-breach-case-a-10669
• DCMA and the bizarre world of “use exemptions” https://www.eff.org/deeplinks/2018/02/did-congress-really-expect-us-whittle-our-own-personal-jailbreaking-tools
• Troubling NY court ruling that embedding links can infringe copyright https://www.eff.org/deeplinks/2018/02/federal-judge-says-embedding-tweet-can-be-copyright-infringement
• Michael Giest’s continuing series on the problems with Bell’s Fairplay Canada proposal http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-part-7-likely-expansion-block-list-non-ip-issues/, http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-part-8-ineffectiveness-website-blocking/, http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-part-9-violates-canadian-net-neutrality-rules/

Bugs / Design Flaws

• iPhone messenger crash loop caused by single character https://thehackernews.com/2018/02/crash-iphone-text.html
• Spectre and Meltdown lawsuits: Intel facing 32 https://www.databreachtoday.com/intel-faces-32-spectremeltdown-lawsuits-a-10663 and AMD facing 4 https://www.theregister.co.uk/2018/02/21/amdspectrelawsuits/
• More on why the chip makers kept Meltdown and Spectre quiet for so long https://www.theregister.co.uk/2018/02/23/meltdownspectreletterstocongress/
• Microsoft unable to fix Edge before Google Project Zero disclosure deadline expired https://www.theregister.co.uk/2018/02/20/googlerevealsedgebugthatmicrosofthashadtrouble_fixing/

Privacy

• Citizen lab study on consumer personal data requests in Canada https://citizenlab.ca/2018/02/approaching-access-look-consumer-personal-data-requests-canada/

Hacking / Malware / Cybercrime

• UK seeing increase in contactless fraud http://www.telegraph.co.uk/news/2018/02/24/contactless-card-fraud-overtakes-cheque-scams-first-time/
• Former ICE lawyer abuses access for identity theft https://www.theregister.co.uk/2018/02/15/formericechiefcounselidentity_theft/
• Tax Fraud Scammers filing fake claims then strong-arming victims to return the money https://krebsonsecurity.com/2018/02/irs-scam-leverages-hacked-tax-preparers-client-bank-accounts/
• Spyware vendor’s servers wiped again https://motherboard.vice.com/en_us/article/3k7a5k/hacker-wipes-spyware-retina-x-flexispy
• Malware is so yesterday when business email compromise is so profitable https://gizmodo.com/hackers-steal-millions-by-ditching-malware-to-sidestep-1823187933
• Edmonto businesses hit for $1.5M http://edmontonjournal.com/news/crime/edmonton-businesses-suffer-1-5-million-in-damages-in-cybercrime
• Creepy pervs using breastfeeding awareness to get breast photos https://www.baytoday.ca/local-news/dont-fall-for-this-one-ladies-man-seeks-pictures-of-breasts-846494

Other Security / Risk

• 4 Myths hindering security https://www.helpnetsecurity.com/2018/02/20/myths-hampering-cybersecurity-maturity/
• Troy Hunt on the perceived value of EV certificates https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/
• Why your site needs HTTPS https://doesmysiteneedhttps.com/
• Supporting the Secure Elections Act https://www.schneier.com/blog/archives/2018/02/electionsecuri2.html
• Voting (and other) machines and the myth of private Internets https://freedom-to-tinker.com/2018/02/22/are-voting-machine-modems-truly-divorced-from-the-internet/
• Troy Hunt launches “Pwned Passwords (v2)” https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2
• In a world of audit fatigue it’s easy to forget that not all audits measure the same things and passing one is no guarantee of passing another https://controlgap.com/blog/sox-vs-pci-compliance/
• Breaches, liability, and reasonable expectations in the modern world https://www.darkreading.com/partner-perspectives/f5/security-liability-in-an-assume-breach-world/a/d-id/1331100
• Canadian government to invest heavily in Cybersecurity http://www.cbc.ca/beta/news/politics/budget-billion-cyber-security-1.4547685
• The SEC updated their  cyber security guidance https://www.databreachtoday.com/sec-releases-updated-cybersecurity-guidance-a-10678
• Some guidance on factory resetting https://www.ncsc.gov.uk/blog-post/updating-our-factory-reset-guidance
• Crypto-miner’s equipment disrupted T-Mobile LTE network https://arstechnica.com/information-technology/2018/02/bitcoin-miner-in-nyc-home-interfered-with-t-mobile-network-fcc-says/
• Locking down Powershell https://www.databreachtoday.com/locking-down-powershell-to-foil-attackers-3-essentials-a-10662
• The Russians are inarguably expert at information warfare, here’s a look at how they’re using that capability https://www.databreachtoday.com/anatomy-russian-information-warfare-campaign-a-10675
• A disturbing variation and escalation of old mail-order style pranking turned harassment https://www.schneier.com/blog/archives/2018/02/harassmentbyp.html
• Security trumping convenience https://www.engadget.com/2018/02/16/how-security-became-more-important-than-convenience/
• Retail store closing expected to rise in 2018 http://www.businessinsider.com/store-closures-in-2018-will-eclipse-2017-2018-1
• Why data security should be a priority for retailers https://securityintelligence.com/why-data-security-should-be-at-the-top-of-every-retailers-shopping-list/
• Service provider refuse to allow audit https://www.databreachtoday.com/health-net-cited-for-refusing-security-audit-a-10676
• Apple devices in repair center making 911 calls, possibly apple watches https://www.theguardian.com/technology/2018/feb/23/apple-devices-hundreds-false-911-emergency-calls-refurbishment-centre
• US Boarder patrol hasn't been validating e-passport digital signatures https://www.wired.com/story/us-border-patrol-hasnt-validated-e-passport-data-for-years

Off-Topic

• Overreaction? Weapons of math destruction? Low grade societal PTSD? http://www.miamiherald.com/article201604224.html
• Standing desks not as beneficial as previously thought http://www.telegraph.co.uk/science/2018/02/23/standing-desks-increase-pain-slow-mental-ability-new-study/
• Furthest ever supernova detected 10B light years away http://www.syfy.com/syfywire/a-superluminous-supernova-seen-more-than-10-billion-light-years-away
• XKCD on the Simpsons https://xkcd.com/1959/