The Bangladesh Identities Weren’t Synthetic Identities, But They Failed The “Somewhat You Why” Test

Andrew Austin at Sardine has written an eye-catching blog post that discusses a fraud ring exhibiting unusual patterns.

  • Some fraudsters use synthetic identities to fool systems, but good systems can catch the synths.
  • But other fraudsters use mules and other techniques that pass identity verification checks, because the people are REAL people.

Austin’s post discusses an example of the latter.

Sign-up patterns in Bangladesh

In this particular case (Example 3 of 3), a gig economy company had discovered a fraud ring operating out of Bangladesh, but the identities were those of real people. The investigator noticed something right off the bat:

“When we looked into it, something was off: all of the locations seemed to be clustered in a few small towns.”

But wait…it gets better.

“The fraudsters were going door-to-door and signing up anyone who was willing to share their information….

“Dozens of routes snaked through neighborhoods where new accounts were being created, each of them running from North to South and then back to their starting point on the next street over.”

It turns out that the fraudsters were going down each street, paying people to borrow their identities, and then moving on to the next street.

How identity factors (in the plural) identified the fraud

In Bredemarket’s view, this raised alarms surrounding two factors of identity verification and authentication.

  • The first was geolocation. Once the identities were plotted, it seemed strange that all of the identities lined up down each street and on to the next street.
  • The second is what I call somewhat you why. It’s reasonable to believe that if person A signs up for a service, their neighbors may sign up also. But it’s NOT reasonable to believe that people would sign up for the service in address order, moving from street to street. “No, Jim, 158 1st street can’t sign up for the service! 156 1st street hasn’t signed up yet!”

Now even if you don’t believe that “somewhat you why” is a real factor (Sardine prefers to talk about “device and behavior intelligence”), it’s clear that fraudsters were using the identities of real people to engage in a massive fraud scheme.

Look at the patterns, and you can discover fraud from the unusual ones.
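The address-order pattern described above can be checked mechanically. This is an added example, not code from Sardine or from the original post; the sign-up records, the 30-minute gap and the run length of 4 are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ups: (account_id, street, house_number, ISO timestamp).
SIGNUPS = [
    ("a1", "1st Street", 150, "2024-03-01T09:00"),
    ("a2", "1st Street", 152, "2024-03-01T09:07"),
    ("a3", "1st Street", 154, "2024-03-01T09:15"),
    ("a4", "1st Street", 156, "2024-03-01T09:21"),
    ("a5", "1st Street", 158, "2024-03-01T09:30"),
    ("b1", "2nd Street", 41, "2024-03-01T11:00"),
    ("b2", "2nd Street", 12, "2024-03-03T18:40"),
    ("b3", "2nd Street", 77, "2024-03-09T08:05"),
    ("b4", "2nd Street", 30, "2024-03-15T20:10"),
    ("b5", "2nd Street", 55, "2024-03-20T13:00"),
]

def longest_sweep(events, max_gap):
    """events: [(datetime, house_number)] sorted by time. Returns the longest
    run of back-to-back sign-ups whose house numbers keep moving one way."""
    best = run = 1 if events else 0
    direction = 0
    for (t0, n0), (t1, n1) in zip(events, events[1:]):
        step = (n1 > n0) - (n1 < n0)           # +1 up the street, -1 down
        if step == 0 or t1 - t0 > max_gap:     # same house or long pause: reset
            direction, run = 0, 1
        elif step == direction:                # still walking the same way
            run += 1
        else:                                  # turned around: new run of two
            direction, run = step, 2
        best = max(best, run)
    return best

def flag_streets(signups, min_run=4, max_gap=timedelta(minutes=30)):
    """Return {street: run_length} for streets with a door-to-door sweep."""
    by_street = defaultdict(list)
    for _acct, street, number, ts in signups:
        by_street[street].append((datetime.fromisoformat(ts), number))
    flagged = {}
    for street, events in by_street.items():
        events.sort()
        run = longest_sweep(events, max_gap)
        if run >= min_run:
            flagged[street] = run
    return flagged
```

Organic neighbor-to-neighbor adoption, like the constructed 2nd Street records, arrives in no address order and over days, so it produces no run.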

And now a word from our sponsor

And if you’re wondering why I discuss SIX factors of identity verification and authentication (rather than five or three), check out my ebook “Proving Humanity: The Six Factors of Identity Verification and Authentication.”

Four pages from "Proving Humanity: The Six Factors of Identity Verification and Authentication" by John E. Bredehoft, Bredemarket. Click on the image to purchase.

Non-Human Identity Verification

How do you verify non-human identities?

One of the reasons that I titled my ebook “Proving Humanity” is because the six (yes, six) factors of identity verification and authentication that I discuss only apply to identifying humans, and do not apply to non-human identities.

Again, so how do you verify non-human identities?

Cryptographics

One way is via cryptographics. As I discussed previously, the Secure Production Identity Framework For Everyone (SPIFFE) and the SPIFFE Runtime Environment (SPIRE) provide non-person entities with “strongly attested, cryptographic identities.”

Problem solved, right?

As any human who has used a password knows, a single factor can be stolen. And that includes cryptographic factors.

Provenance

Which means that we have to look at provenance. But instead of looking at the provenance of an AI-generated image or video, we are looking at the provenance of an agent that performs actions. The network origin. The environment. The associated attributes. Is the agent running on a specific, authorized, and known virtual machine or container at a specific network address, or is it running…somewhere else?

Behavior

And if you’ve read my book, you know that human identities can be evaluated based upon their behavior (either tendencies or intent). You can also look at the behavior of agents. Is the agent acting at an unexpected time of day? Is it executing an unusually high volume of requests? Is it “scoping out the joint”?

Multi-factor authentication

Again, it’s possible to spoof one factor, but much harder to spoof multiple factors. And that applies to both humans and non-human agents.
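The three checks discussed above (cryptographic identity, provenance, behavior) can be evaluated independently for an agent, so that a stolen credential alone does not pass. This is an added example, not SPIFFE/SPIRE code or code from the original post; the SPIFFE ID, network range, request history and request fields are constructed assumptions, and the credential's signature is assumed to have been verified upstream.

```python
import ipaddress
from statistics import mean, pstdev

EXPECTED_ID = "spiffe://example.org/billing/report-agent"   # constructed
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]        # constructed

# Constructed history of accepted requests: (hour_utc, requests_per_minute).
HISTORY = [(1, 80), (1, 95), (2, 110), (2, 90), (3, 100), (3, 85), (4, 105)]

def baseline(history):
    """Hours the agent normally runs, and a rate ceiling of mean + 3 sigma."""
    hours = {h for h, _ in history}
    rates = [r for _, r in history]
    return hours, mean(rates) + 3 * pstdev(rates)

def failed_factors(req, history=HISTORY):
    """Return the names of the factors that failed; empty list means accept."""
    hours, rate_limit = baseline(history)
    failed = []
    # Factor 1: the presented cryptographic identity.
    if req["spiffe_id"] != EXPECTED_ID:
        failed.append("cryptographic identity")
    # Factor 2: provenance, here the network the request came from.
    src = ipaddress.ip_address(req["source_ip"])
    if not any(src in net for net in ALLOWED_NETS):
        failed.append("provenance")
    # Factor 3: behavior, unexpected hour or unusually high volume.
    if req["hour_utc"] not in hours or req["rpm"] > rate_limit:
        failed.append("behavior")
    return failed

# Constructed requests: the second presents the right identity from the wrong
# place, at the wrong time, at an unusual volume.
LEGIT = {"spiffe_id": EXPECTED_ID, "source_ip": "10.20.0.17",
         "hour_utc": 2, "rpm": 100}
STOLEN = {"spiffe_id": EXPECTED_ID, "source_ip": "203.0.113.50",
          "hour_utc": 14, "rpm": 900}
```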

Be safe out there.

Factor This Into Your Budget

Proving Humanity: The Six Factors of Identity Verification and Authentication.

Was your bank account hacked? Your tax return? Your health records?

How do banks, government agencies, and medical facilities protect your personally identifiable information (PII) from fraudsters?

By different methods, called FACTORS.

Understand these factors, how they work, and how they protect you.

KYP (Know Your Publisher): Flattery Will Get You Everywhere

Jobseekers and independent contractors are ideal targets for fraud, but they’re not the only ones.

As Phyllis Chesler notes, writers are also prey to the fraudsters.

“[T]he most extensive scam imaginable was launched against me and against many other writers….

“Two women (or two men? Political prisoners in China–or Nigeria? Or even in Iran?) emailed me. Each impersonated a real editor and a real literary agent. This began on April 23rd and continued on through April 27th or April 28th. They appropriated the name of Marilyn Kreztner at Blackstone Publishing and Caitlin Mahony at William Morris Endeavor….

“Please understand: Given the realities of publishing, most writers are a desperate lot. And oh-so-vulnerable to flattery. If a publishing person praises our work–we melt. We glow. Writers specialize in Big Dreams.”

And despite some lingering suspicions, Chesler sent some of her work to both people. But before she could send $700 for an editorial consultant to “improve” her work, Chesler had already contacted the real Blackstone Publishing and the real William Morris Endeavor and confirmed that these were not the real Kreztner or Mahony.

If you’re a writer, you must check the site Chesler recommended, Writer Beware. It includes a detailed post about this sort of scam, including examples of the scammer communications.

Reminder: while I write books, mine aren’t sold by publishing houses. Visit my Gumroad site to purchase my ebook, “Proving Humanity: The Six Factors of Identity Verification and Authentication.”

Proof of Humanity Does Not Prove Identity

If you have a database of people worldwide, you can use irises to see whether someone is in the database or not.

This lets you buy the world a Coke. One per person.

But it doesn’t tell you WHO they are.

For that you need to test them against the factors of identity verification and authentication.

All six of them.

Learn more. Purchase the ebook.

Purchase My New Ebook On the Six Factors of Identity Verification and Authentication

I revealed a few days ago that I’ve been writing an ebook since last December. I finally finished it and priced it—not at $100,000 per copy, but at a much more reasonable $4.96.

The topic? Proving humanity.

Despite the ever-increasing number of bots, I value humanity and think that a human brings something that a bot never could.

But before we stop relying on bots and start relying on humans, we need to know whether those humans are real, or if they are bots themselves.

To do this, we have to know who those humans are.

And we perform this via identity verification and authentication.

My ebook addresses this. It’s called “Proving Humanity: The Six Factors of Identity Verification and Authentication.”

And yes, I said SIX factors. Read the book.

To learn more about the book, visit my information page.

Or go directly to my Gumroad page and buy the book for the aforementioned $4.96 price.

Factors Are Independent

One important thing about factors is that they are independent of each other.

The fact that a person has a particular password bears no relation to the fact that a person has a particular fingerprint ridge structure.

And even modalities within a factor may be independent of each other. When Motorola sold its Biometric Business Unit to Safran in 2009, I joined a company (MorphoTrak) that promoted three biometric modalities: finger, face, and iris. While all three biometrics came from the same person, there was no relationship between any of them. Knowing a person’s right forefinger did not tell you what the person’s iris was like. (But beware: driver’s licenses and passports share information, such as dates of birth.)

If you have a critical security issue, you don’t want to depend upon just one factor, or one modality.

Double or triple them up by requiring multiple identity verifications and authentications with unrelated modalities and factors.

Learn more about the six identity factors

Six identity factors. One Bredemarket ebook. Total identity protection. Purchase “Proving Humanity: The Six Factors of Identity Verification and Authentication.”

Why Are Identity Verification and Authentication Critically Important?

Imagine if we didn’t have identity verification and authentication.

I could walk into a luxury car dealership and buy a car, telling the salesperson that my name is Bill Gates. I could buy the car, and Gates would get the bill.

Sounds great…until someone impersonates YOU and gets YOUR money.

How to Figure Out Someone’s Mother’s Maiden Name

Something you know…and that someone else knows. It can happen.

Many systems require more than one knowledge-based modality, which is why they sometimes ask for other things like your mother’s maiden name.

This of course is not foolproof. Your sister that hates your guts, for example, obviously knows your mother’s maiden name. And even complete strangers, especially those with nefarious intent, can deduce your personal information.

Let me introduce you to Doug.

How Doug learned Donna’s mother’s maiden name…and more

Assume that Doug wants to hack Donna’s account but needs some personal information to do so. This is somewhat tough, since Donna’s Facebook account is private and can only be seen by her friends. Well, Doug knows that Belle is a friend of Donna’s, and Belle’s Facebook password is “password1.” Problem solved.

Doug uses Belle’s account to read Donna’s posts and finds some remarkably interesting ones. Not that she’s posting her Social Security Number or anything, but what did she post?

  • “Happy birthday to my mom!” (This particular post was loved by Jane Davis, who wrote “Thank you dear daughter.”)
  • “Happy 30th birthday to me!”
  • “Hey, look at this picture of my new driver’s license. My picture actually looks halfway decent.”
  • “Hey, look at this picture of my senior citizen bus pass. Yeah, I’m old.”
  • “I cried when I looked at this old picture of my dog Scamper, taken in front of my childhood home on Mulberry Street.”

If you’re keeping score at home, Doug now knows the following information about Donna:

  • Her mother’s maiden name.
  • Her date of birth (from her birthday post and her driver’s license picture; her senior citizen’s bus pass doesn’t have her birthdate but does have her birthday).
  • Her driver’s license number.
  • The name of her favorite pet.
  • The name of the street she lived on as a child.

More than enough for Doug to impersonate Donna.
