Here's Volume 3 of ThreatWatch: A Roundup of the Best Fraud and Security Stories from around the Web. Every two weeks we'll choose a handful of news articles from the reporters we follow who write about the threat landscape - whether it's a newly discovered security breach or insight into how new technologies and systems are being utilized to make the Web safer for consumers.

Experts: Bots Could Herald Third Revolution in Warfare (InfoSecurity Magazine by @philmuncaster)

AI and robotics specialists are claiming that industrial and commercial robots could be considered a major insider threat. Research firm IOActive believes that the robots “could be exploited to steal sensitive corporate information, spy on users or even launch physical attacks.” One of the concerns presented in the article is that these robots could be hacked to capture and leak audio and video, or even to cause harm to humans working on a factory floor if safety features are bypassed.

I was hacked (TechCrunch by @johnbiggs)

TechCrunch writer John Biggs tells his story of hackers taking over his phone, changing all of his passwords (bypassing accounts with 2FA) and then proceeding to ask all of his friends to give him money in the form of bitcoin at the behest of his dying father. Luckily, none of his friends took the bait and he was able to take control of his accounts fairly quickly. He recommends steps to take to prevent this from happening to you, including additional layers of security.

NIST: In mobile authentication, think hardware, not software (ComputerWorld by @eschuman)

The National Institute of Standards and Technology (NIST) is working to bolster security and authentication on desktops and mobile devices, particularly in the e-commerce space due to the rise in hacks targeted at technology. The article also brings up the issue of authenticating devices rather than users and that retailers might opt for less security and more convenience.

New Trojan malware campaign sends users to fake banking site that looks just like the real thing (ZDNet by @dannyjpalmer)

Trojan malware is sending users to a fake version of the banking site of one of the UK’s largest banks, Lloyds Bank. The site looks exactly like the real Lloyds Bank website, with the correct URL of the online bank and a legitimate SSL certificate, so a user may not suspect they're being tricked. The attacker is able to see and steal the victim's online banking credentials and security codes, and then steal their money and data too. Security experts are warning users to be on high alert for malware like Trickbot.

Hackers See Privileged Accounts as Best Route to Sensitive Data (InfoSecurity Magazine by @wirelesswench)

A survey that came out of Black Hat found that the fastest way for hackers to get access to critical data is through privileged accounts. 27% of respondents indicated that access to user email accounts was the easiest path to disclosing sensitive data. The article did say, however, that multi-factor authentication (MFA) is one of hackers' biggest obstacles, with encryption following close behind. Joseph Carson, chief security scientist, is quoted as saying, “Hackers are focusing more on gaining access to privileged accounts and email passwords by exploiting human vulnerabilities allowing the hacker to gain access abusing trusted identities. More than ever, it is critical for businesses to mitigate these risks by implementing the right technologies and process to ward off unsuspecting attacks and access to sensitive data.”

Most Small to Mid-Sized Organizations Don't Use Multi-Factor Authentication (eSecurity Planet by @jeffwriter)

KnowBe4, a security awareness training platform, surveyed 2,600 IT professionals and found that 38% of large organizations do not use multi-factor authentication and 62% of small to medium organizations also do not use MFA to protect their users and data. The article also reported on the weaknesses in password security. KnowBe4 CEO Stu Sjouwerman said, “Passwords are a known weakness in corporate security and have come under more intense scrutiny recently. Most organizations have password enforcement in place, but most aren't taking it seriously enough by not enforcing policies beyond the normal number and letter character minimum and not requiring multi-factor authentication.”