<?xml version="1.0" encoding="UTF-8"?>        <rss version="2.0"
             xmlns:atom="http://www.w3.org/2005/Atom"
             xmlns:dc="http://purl.org/dc/elements/1.1/"
             xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
             xmlns:admin="http://webns.net/mvcb/"
             xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
             xmlns:content="http://purl.org/rss/1.0/modules/content/">
        <channel>
            <title>
									Identity Beyond IAM - NHIMG Forum				            </title>
            <link>https://nhimg.org/community/identity-beyond-iam/</link>
            <description>NHIMG Discussion Board</description>
            <language>en-US</language>
            <lastBuildDate>Thu, 09 Jul 2026 18:33:52 +0000</lastBuildDate>
            <generator>wpForo</generator>
            <ttl>60</ttl>
							                    <item>
                        <title>Loyalty fraud detection: are identity controls keeping up?</title>
                        <link>https://nhimg.org/community/identity-beyond-iam/loyalty-fraud-detection-are-identity-controls-keeping-up/</link>
                        <pubDate>Thu, 09 Jul 2026 15:32:56 +0000</pubDate>
                        <description><![CDATA[TL;DR: Loyalty accounts are being hacked, traded, and exploited because points now behave like transferable digital currency, while weak passwords, low customer vigilance, and delayed detect...]]></description>
                        <content:encoded><![CDATA[<blockquote>
<p><strong>TL;DR:</strong> Loyalty accounts are being hacked, traded, and exploited because points now behave like transferable digital currency, while weak passwords, low customer vigilance, and delayed detection let fraud persist for weeks, according to Comarch. The real governance issue is that loyalty programmes were built for engagement, not identity assurance, so fraud controls now have to operate without destroying the user experience.</p>
</blockquote>
<p><em>NHIMG editorial — based on content published by Comarch: LLMjacking and AI-powered fraud detection in loyalty programmes</em></p>
<h2>Questions worth separating out</h2>
<p><strong>Q: <a href="https://nhimg.org/faq/how-should-loyalty-programmes-reduce-account-takeover-risk-without-hurting-the-c/?utm_source=nhimg&amp;utm_medium=NHIForum">How should loyalty programmes reduce account takeover risk without hurting the customer experience?</a></strong></p>
<p><strong>A:</strong> Use a risk-based model that adds friction only when behaviour changes.</p>
<p><strong>Q: <a href="https://nhimg.org/faq/why-do-loyalty-accounts-need-stronger-controls-than-most-consumer-profiles/?utm_source=nhimg&amp;utm_medium=NHIForum">Why do loyalty accounts need stronger controls than most consumer profiles?</a></strong></p>
<p><strong>A:</strong> Because they hold transferable value, not just personal data.</p>
<p><strong>Q: <a href="https://nhimg.org/faq/what-do-teams-get-wrong-about-fraud-detection-in-loyalty-programmes/?utm_source=nhimg&amp;utm_medium=NHIForum">What do security teams get wrong about loyalty fraud detection?</a></strong></p>
<p><strong>A:</strong> They often assume the customer will notice the problem first.</p>
<h2>Practitioner guidance</h2>
<ul>
<li><strong>Apply risk-based step-up to redemption flows</strong> Require additional authentication for point transfers, high-value redemptions, profile changes, and account recovery so attackers cannot monetise a compromised login in a single session.</li>
<li><strong>Segment loyalty accounts by fraud value</strong> Prioritise stronger controls for accounts with high balances, frequent transfers, or premium reward access, because those are the profiles most likely to attract abuse.</li>
<li><strong>Tune detection around abnormal redemption patterns</strong> Monitor for <a href="https://nhimg.org/nhi-lifecycle-management-guide?utm_source=nhimg&amp;utm_medium=NHIForum">rapid point depletion</a>, login geography shifts, device changes, and repeated failed access attempts, then route those cases to manual review before payout.</li>
</ul>
<h2>What's in the full article</h2>
<p>Comarch's full article covers the operational detail this post intentionally leaves for the source:</p>
<ul>
<li>Specific examples of loyalty fraud patterns that MAIA is designed to detect in live programme data.</li>
<li>The decision flow for blocking an account, storing transactions, or escalating a case to the Contact Center.</li>
<li>How contextual signals and historical behaviour reduce false positives in day-to-day fraud operations.</li>
<li>The practical role of AI in supporting fraud teams without replacing human approval.</li>
</ul>
<p>&#x1f449; <strong><a href="https://www.comarch.com/trade-and-services/loyalty-marketing/blog/how-ai-strengthens-fraud-detection-in-loyalty-programs/?utm_source=nhimg&amp;utm_medium=NHIForum">Read Comarch's analysis of AI-driven loyalty fraud detection and account abuse →</a></strong></p>
<p><em>Loyalty fraud detection: are identity controls keeping up?</em></p>
<blockquote>
<p><strong>Explore further</strong></p>
<p><a href="/community/?utm_source=nhimg&amp;utm_medium=NHIForum">View Full Forum →</a>  |  <a href="/nhi-training/?utm_source=nhimg&amp;utm_medium=NHIForum">NHI Foundation Course →</a></p>
</blockquote>]]></content:encoded>
						                            <category domain="https://nhimg.org/community/identity-beyond-iam/">Identity Beyond IAM</category>                        <dc:creator>Mr NHI</dc:creator>
                        <guid isPermaLink="true">https://nhimg.org/community/identity-beyond-iam/loyalty-fraud-detection-are-identity-controls-keeping-up/</guid>
                    </item>
				                    <item>
                        <title>Email security guidance and password managers: what teams should do</title>
                        <link>https://nhimg.org/community/identity-beyond-iam/email-security-guidance-and-password-managers-what-teams-should-do/</link>
                        <pubDate>Thu, 09 Jul 2026 15:24:38 +0000</pubDate>
                        <description><![CDATA[TL;DR: ACSC’s email security guidance stresses MFA, domain protection, email authentication, and limiting exposed personal information, but Bitwarden argues the advice should more directly e...]]></description>
                        <content:encoded><![CDATA[<blockquote>
<p><strong>TL;DR:</strong> ACSC’s email security guidance stresses MFA, domain protection, email authentication, and limiting exposed personal information, but Bitwarden argues the advice should more directly emphasise strong, unique passwords and password managers to reduce compromise impact. The real governance gap is not awareness alone, but making password hygiene operational and easy to follow.</p>
</blockquote>
<p><em>NHIMG editorial — based on content published by Bitwarden on ACSC email security guidance and password recommendations</em></p>
<h2>Questions worth separating out</h2>
<p><strong>Q: <a href="https://nhimg.org/faq/how-should-organisations-reduce-account-takeover-risk-in-email-channels/?utm_source=nhimg&amp;utm_medium=NHIForum">How should security teams reduce email account takeover risk?</a></strong></p>
<p><strong>A:</strong> Security teams should combine MFA with strong, unique passwords, password managers, and recovery-path monitoring.</p>
<p><strong>Q: <a href="https://nhimg.org/faq/why-do-email-accounts-need-stronger-controls-than-ordinary-user-accounts/?utm_source=nhimg&amp;utm_medium=NHIForum">Why do email accounts need stronger controls than ordinary user accounts?</a></strong></p>
<p><strong>A:</strong> Email accounts often sit inside password reset flows, business communications, and identity verification processes.</p>
<p><strong>Q: <a href="https://nhimg.org/faq/what-do-organisations-get-wrong-about-password-guidance/?utm_source=nhimg&amp;utm_medium=NHIForum">What do organisations get wrong about password guidance?</a></strong></p>
<p><strong>A:</strong> They often bury the most important advice behind multiple pages or present it as secondary to other controls.</p>
<h2>Practitioner guidance</h2>
<ul>
<li><strong>Make email accounts high-value identity assets</strong> Apply stronger monitoring, recovery protections, and access review to business email accounts because they are commonly used to reset other identities and authorize trust decisions.</li>
<li><strong>Standardise unique password use with managers</strong> Deploy password managers for staff and contractors, then enforce <a href="https://nhimg.org/top-10-non-human-identity-issues?utm_source=nhimg&amp;utm_medium=NHIForum">unique credentials for every service</a> so a single leak does not spread across the account estate.</li>
<li><strong>Simplify MFA and password guidance</strong> Put MFA, strong passphrases, and password manager guidance on the same primary security page so users do not need to follow a chain of links to find the basics.</li>
</ul>
<h2>What's in the full article</h2>
<p>Bitwarden's full blog post covers the operational detail this post intentionally leaves for the source:</p>
<ul>
<li>Bitwarden’s comparison of agency advice versus current NIST-aligned password guidance for everyday users and SMBs</li>
<li>The specific reasoning behind its ranking of the ACSC email security guidance</li>
<li>The additional resources it points readers to on password security and account protection</li>
<li>The broader State of Password Security context it uses to compare security-agency recommendations</li>
</ul>
<p>&#x1f449; <strong><a href="https://bitwarden.com/blog/email-security-tips-from-the-australian-cyber-security-centre/?utm_source=nhimg&amp;utm_medium=NHIForum">Read Bitwarden’s analysis of ACSC email security guidance and password advice →</a></strong></p>
<p><em>Email security guidance and password managers: what teams should do?</em></p>
<blockquote>
<p><strong>Explore further</strong></p>
<p><a href="/community/?utm_source=nhimg&amp;utm_medium=NHIForum">View Full Forum →</a>  |  <a href="/nhi-training/?utm_source=nhimg&amp;utm_medium=NHIForum">NHI Foundation Course →</a></p>
</blockquote>]]></content:encoded>
						                            <category domain="https://nhimg.org/community/identity-beyond-iam/">Identity Beyond IAM</category>                        <dc:creator>NHI Mgmt Group</dc:creator>
                        <guid isPermaLink="true">https://nhimg.org/community/identity-beyond-iam/email-security-guidance-and-password-managers-what-teams-should-do/</guid>
                    </item>
				                    <item>
                        <title>Credential stuffing and password reuse: what do teams need to change?</title>
                        <link>https://nhimg.org/community/identity-beyond-iam/credential-stuffing-and-password-reuse-what-do-teams-need-to-change/</link>
                        <pubDate>Thu, 09 Jul 2026 15:21:52 +0000</pubDate>
                        <description><![CDATA[TL;DR: Credential stuffing remains effective because attackers can automate millions of login attempts against reused credentials, and New York’s attorney general found more than one million...]]></description>
                        <content:encoded><![CDATA[<blockquote>
<p><strong>TL;DR:</strong> Credential stuffing remains effective because attackers can automate millions of login attempts against reused credentials, and New York’s attorney general found more than one million accounts compromised across 17 well-known companies, according to Bitwarden. Password policy alone is not enough when account takeover can scale faster than user behaviour changes.</p>
</blockquote>
<p><em>NHIMG editorial — based on content published by Bitwarden: State of Password Security and the New York Attorney General's credential stuffing alert</em></p>
<h2>Questions worth separating out</h2>
<p><strong>Q: <a href="https://nhimg.org/faq/how-should-security-teams-reduce-credential-stuffing-risk-across-user-and-machin/?utm_source=nhimg&amp;utm_medium=NHIForum">How should security teams reduce credential stuffing risk across user accounts?</a></strong></p>
<p><strong>A:</strong> Teams should reduce credential stuffing risk by combining unique-password enforcement, phishing-resistant MFA, rate limiting, bot detection, and alerting on abnormal sign-in patterns.</p>
<p><strong>Q: <a href="https://nhimg.org/faq/why-do-stolen-credentials-still-matter-in-environments-with-mfa/?utm_source=nhimg&amp;utm_medium=NHIForum">Why does password reuse still matter if MFA is enabled?</a></strong></p>
<p><strong>A:</strong> Password reuse still matters because MFA coverage is rarely universal, and some sessions, device flows, or helpdesk processes can be abused around it.</p>
<p><strong>Q: <a href="https://nhimg.org/faq/what-do-security-teams-get-wrong-about-valid-credentials/?utm_source=nhimg&amp;utm_medium=NHIForum">What do security teams get wrong about credential stuffing?</a></strong></p>
<p><strong>A:</strong> Many teams treat credential stuffing as a consumer behaviour problem when it is also an identity control problem.</p>
<h2>Practitioner guidance</h2>
<ul>
<li><strong>Eliminate password reuse at the identity source</strong> Require <a href="https://nhimg.org/top-10-non-human-identity-issues?utm_source=nhimg&amp;utm_medium=NHIForum">unique passwords through approved password managers</a> and remove exceptions that allow memorised reuse for privileged or high-risk accounts.</li>
<li><strong>Enforce MFA where credential stuffing is most profitable</strong> Prioritise <a href="https://nhimg.org/the-ultimate-guide-to-non-human-identities?utm_source=nhimg&amp;utm_medium=NHIForum">phishing-resistant MFA for remote access</a>, administrative accounts, and any account that can initiate payments, data export, or policy changes.</li>
<li><strong>Instrument sign-in telemetry for automation patterns</strong> Detect rapid retry bursts, distributed login attempts, impossible travel, and repeated failures followed by success.</li>
</ul>
<h2>What's in the full article</h2>
<p>Bitwarden's full article covers the practical password security advice and report context this post intentionally leaves at the source:</p>
<ul>
<li>Agency-by-agency scoring and the criteria used to rank federal password guidance</li>
<li>The full set of consumer recommendations, including password managers, 2FA, and breach alerts</li>
<li>The detailed assessment of where federal advice aligns with NIST guidance and where it falls short</li>
<li>Practical examples of how to interpret the New York Attorney General's alert in day-to-day account security</li>
</ul>
<p>&#x1f449; <strong><a href="https://bitwarden.com/blog/new-york-takes-on-credential-stuffing-and-passwords/?utm_source=nhimg&amp;utm_medium=NHIForum">Read Bitwarden's assessment of password security guidance and credential stuffing →</a></strong></p>
<p><em>Credential stuffing and password reuse: what do teams need to change?</em></p>
<blockquote>
<p><strong>Explore further</strong></p>
<p><a href="/community/?utm_source=nhimg&amp;utm_medium=NHIForum">View Full Forum →</a>  |  <a href="/nhi-training/?utm_source=nhimg&amp;utm_medium=NHIForum">NHI Foundation Course →</a></p>
</blockquote>]]></content:encoded>
						                            <category domain="https://nhimg.org/community/identity-beyond-iam/">Identity Beyond IAM</category>                        <dc:creator>NHI Mgmt Group</dc:creator>
                        <guid isPermaLink="true">https://nhimg.org/community/identity-beyond-iam/credential-stuffing-and-password-reuse-what-do-teams-need-to-change/</guid>
                    </item>
				                    <item>
                        <title>AI-resistant challenge design: are your challenge controls keeping up?</title>
                        <link>https://nhimg.org/community/identity-beyond-iam/ai-resistant-challenge-design-are-your-challenge-controls-keeping-up/</link>
                        <pubDate>Thu, 09 Jul 2026 15:20:50 +0000</pubDate>
                        <description><![CDATA[TL;DR: Challenge-response systems built around photographic recognition are structurally fragile because modern AI and agentic AI can learn, iterate, and generalise across narrow solving spa...]]></description>
                        <content:encoded><![CDATA[<blockquote>
<p><strong>TL;DR:</strong> Challenge-response systems built around photographic recognition are structurally fragile because modern AI and agentic AI can learn, iterate, and generalise across narrow solving spaces at scale, according to Arkose Labs. The security issue is not just stronger bots, but challenge architecture that still assumes attackers will stay human-speed and human-shaped.</p>
</blockquote>
<p><em>NHIMG editorial — based on content published by Arkose Labs: AI-resistant challenge design and the MatchKey analysis</em></p>
<h2>Questions worth separating out</h2>
<p><strong>Q: <a href="https://nhimg.org/faq/how-should-security-teams-design-challenge-response-controls-against-agentic-ai-/?utm_source=nhimg&amp;utm_medium=NHIForum">How should security teams design challenge-response controls against agentic AI automation?</a></strong></p>
<p><strong>A:</strong> They should design for diversity, not just difficulty.</p>
<p><strong>Q: <a href="https://nhimg.org/faq/why-do-photographic-captchas-fail-against-modern-ai-driven-abuse/?utm_source=nhimg&amp;utm_medium=NHIForum">Why do photographic CAPTCHAs fail against modern AI-driven abuse?</a></strong></p>
<p><strong>A:</strong> They fail because image-recognition tasks sit inside the capability range of widely available vision models.</p>
<p><strong>Q: <a href="https://nhimg.org/faq/how-do-teams-know-whether-an-anti-bot-control-is-actually-working/?utm_source=nhimg&amp;utm_medium=NHIForum">How do teams know whether an anti-bot control is actually working?</a></strong></p>
<p><strong>A:</strong> They should look beyond pass or fail rates and examine campaign adaptation, retry patterns, and how quickly attackers improve after feedback.</p>
<h2>Practitioner guidance</h2>
<ul>
<li><strong>Audit challenge solving space breadth</strong> Test whether your current challenge design relies on a narrow set of photographic or classification tasks that a pretrained model can learn cheaply.</li>
<li><strong>Measure resilience against adaptive automation</strong> Run red-team simulations where an autonomous solver receives feedback across multiple sessions and adjusts strategy without human intervention.</li>
<li><strong>Treat interaction behaviour as an identity signal</strong> Correlate challenge outcomes with <a href="https://nhimg.org/the-ultimate-guide-to-non-human-identities?utm_source=nhimg&amp;utm_medium=NHIForum">behavioural texture</a> inside the session, especially when device fingerprint, IP reputation, or token context already appear trustworthy.</li>
</ul>
<h2>What's in the full article</h2>
<p>Arkose Labs' full analysis covers the operational detail this post intentionally leaves for the source:</p>
<ul>
<li>The session telemetry and attacker-behaviour patterns behind MatchKey's design choices.</li>
<li>The specific reasoning tasks and challenge formats used to widen the solving space.</li>
<li>The adversarial testing approach used to evaluate current multimodal model performance.</li>
<li>The implementation detail behind attacker-cost modelling and control tuning.</li>
</ul>
<p>&#x1f449; <strong><a href="https://www.arkoselabs.com/blog/ai-resistant-challenge-design-matchkey?utm_source=nhimg&amp;utm_medium=NHIForum">Read Arkose Labs' analysis of AI-resistant challenge design and agentic AI abuse →</a></strong></p>
<p><em>AI-resistant challenge design: are your challenge controls keeping up?</em></p>
<blockquote>
<p><strong>Explore further</strong></p>
<p><a href="/community/?utm_source=nhimg&amp;utm_medium=NHIForum">View Full Forum →</a>  |  <a href="/nhi-training/?utm_source=nhimg&amp;utm_medium=NHIForum">NHI Foundation Course →</a></p>
</blockquote>]]></content:encoded>
						                            <category domain="https://nhimg.org/community/identity-beyond-iam/">Identity Beyond IAM</category>                        <dc:creator>NHI Mgmt Group</dc:creator>
                        <guid isPermaLink="true">https://nhimg.org/community/identity-beyond-iam/ai-resistant-challenge-design-are-your-challenge-controls-keeping-up/</guid>
                    </item>
							        </channel>
        </rss>
		