Tag Archives: digital identity

Government Anti-Fraud Efforts: They’re Still Siloed

When the United States was attacked on September 11, 2001—an attack that caused NATO to invoke Article 5, but I digress—Congress and the President decided that the proper response was to reorganize the government and place homeland security efforts under a single Cabinet secretary. While we may question the practical wisdom of that move, the intent was to ensure that the U.S. Government mounted a coordinated response to that specific threat.

Today Americans face the threat of fraud. Granted it isn’t as showy as burning buildings, but fraud clearly impacts many if not most of us. My financial identity has been compromised multiple times in the last several years, and yours probably has also.

But don’t expect Congress and the President to create a single Department of Anti-Fraud any time soon.

Stop Identity Fraud and Identity Theft Bill

As Biometric Update reported, Congresspeople Bill Foster (D-IL) and Pete Sessions (R-TX) recently introduced H.R. 7270, “To establish a government-wide approach to stopping identity fraud and theft in the financial services industry, and for other purposes.”

Because this is government-wide and necessarily complex, the bill will be referred to at least THREE House Committees:

“Referred to the Committee on Oversight and Government Reform, and in addition to the Committees on Financial Services, and Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.”

Why? As I type this the bill text is not available at congress.gov, but Foster’s press release links to a preliminary (un-numbered) copy of the bill. Here are some excerpts:

“9 (9) The National Institute of Standards and
10 Technology (NIST) was directed in the CHIPS and
11 Science Act of 2022 to launch new work to develop
12 a framework of common definitions and voluntary
13 guidance for digital identity management systems,
14 including identity and attribute validation services
15 provided by Federal, State, and local governments,
16 and work is underway at NIST to create this guid
17 ance. However, State and local agencies lack re
18 sources to implement this new guidance, and if this
19 does not change, it will take decades to harden defi
20 ciencies in identity infrastructure.”

Even in the preamble the bill mentions NIST, part of the U.S. Department of Commerce, and the individual states, after mentioning the U.S. Department of the Treasury (FinCEN) earlier in the bill.

But let’s get to the meat of the bill:

“3 SEC. 3. IDENTITY FRAUD PREVENTION INNOVATION
4 GRANTS.
5 (a) IN GENERAL.—The Secretary of the Treasury
6 shall, not later than 1 year after the date of the enactment
7 of this section, establish a grant program to provide iden
8 tity fraud prevention innovation grants to States.”

The specifics:

  • The states can use the grants to develop mobile driver’s licenses “and other identity credentials.”
  • They can also use the grants to protect individuals from deepfake attacks.
  • Another purpose is to develop “interoperable solutions.”
  • A fourth is to replace vulnerable legacy systems.
  • The final uses are to make sure the federal government gets its money, because that’s the important thing to Congress.

But there are some limitations in how the funds are spent.

  • They can’t be used to require mDLs or eliminate physical driver’s licenses.
  • They can’t be used to “support the issuance of drivers licenses or
    identity credentials to unauthorized immigrants.” (I could go off on a complete tangent here, but for now I’ll just say that this prevents a STATE from issuing such an identity credential.)

The bill is completely silent on REAL ID, therefore not mandating that everyone HAS to get a REAL ID.

And everything else

So although the bill claims to implement a government-wide solution, the only legislative changes to the federal government involve a single department, Treasury.

But Treasury (FinCEN plus IRS) and the tangentially-mentioned Commerce (NIST) aren’t the only Cabinet departments and independent agencies involved in anti-fraud efforts. Others include:

  • The Department of Justice, through the Federal Bureau of Investigation and the new Division for National Fraud Enforcement.
  • The Department of Homeland Security, through the Secret Service and every enforcement agency that checks identities at U.S. borders and other locations.
  • The Federal Trade Commission (FTC).
  • The Social Security Admistration. Not that SSNs are a national ID…but they de facto are.
  • The U.S. Postal Inspection Service.
  • The Consumer Financial Protection Bureau.

These agencies are not ignored, but are funded under mandates separate from H.R. 7270. Or maybe not; there’s an effort to move Consumer Financial Protection Bureau work to the Department of Justice so that the CFPB can be shut down.

And that’s just one example of how anti-fraud efforts are siloed. Much of this is unavoidable in our governmental system (regardless of political parties), in which states and federal government agencies constantly war against each other.

  • What happens, for example, if the Secret Service decides that the states (funded by Treasury) or the FBI (part of Justice) are impeding its anti-fraud efforts?
  • Or if someone complains about NIST listing evil Commie Chinese facial recognition algorithms that COULD fight fraud?

Despite what Biometric Update and the Congresspeople say, we do NOT have a government-wide anti-fraud solution.

(And yes, I know that the Capitol is not north of the Washington Monument…yet.)

Google Gemini. Results may not be accurate.

Catching Up On Alaska’s Mobile ID

Thales issued this press release recently:

“Thales is pleased to announce its continued partnership with the State of Alaska Department of Motor Vehicles (DMV) with the launch of the Alaska Mobile ID. Seen as an innovative digital identity solution, it empowers residents to manage the use of their identification credentials securely and conveniently through their mobile devices.

“The Alaska Mobile ID leverages Thales’ sophisticated digital ID technology to provide Alaskans with a secure method for digital verification of their identity, age, and/or driving privileges. With this ‘cybersecurity by design’ solutioncitizens benefit from a quick and secure way to digitally verify their identity while safeguarding their personal information. It also enables selective disclosure, meaning only some attributes of residents’ identities can be electronically verified. As an example, with Alaska Mobile ID, residents will be able to prove they are above 21 without revealing their exact age, which is impossible with physical ID.”

So this is a wonderful advance for Alaska…even though Thales is foreign-owned. The 2022 Alaska HB389 died without passage.

ABI Research and Physical Credentials

Those of us embedded in the identity industry pay special attention to mobile credentials. Although I have wondered whether mobile ID adoption will decrease, we’ve assumed that digital identities will advance.

Just like the death of passwords.

You can see where this is going.

ABI Research has shared its predictions on 13 technology trends for 2026. I paid special attention to number 11.

“It is clear that digital-first identity systems are unlikely to become standard. Most governments will still rely heavily on physical credentials through 2026. Physical documents, such as diver’s licenses and passports, have long life spans. Physical security is already a proven technology, making it essential for continued trust and accessibility in the wake of ever-more sophisticated attack methods. ABI Research cybersecurity analysts view mobile ID as more of a companion to physical credentials.”

Oh, and number 12.

“Interest in biometric payment cards has waned due to high costs and complex onboarding. Zwipe’s bankruptcy in March 2025 is emblematic of this latest trend. To extract returns from their prior investments in biometrics, digital payment providers are pivoting to other markets like secure access and cold wallets. Going forward, the technology will shift from mainstream ambition to specialty use cases, with fewer launches expected in 2026.”

To see what these and the other 11 predictions mean, read the ABI Research article.

Are You a Marketer Who is Contributing to Identity Theft?

I still receive “snail mail” at home. And every time I look at it I get enraged.

In fact, I’m this close to opening most of the pieces of mail, removing the postage-free reply envelope, and returning it to the originator with the following message:

Thank you for contributing to rampant identity theft.

How do companies, possibly including YOUR company, contribute to identity theft? Read on.

Snail mail, a treasure trove of PII

Let me provide an example, heavily redacted, of something that I received in the (snail) mail this week. I won’t reveal the name of the company that sent this to me, other than to say that it is an automobile association that does business in America.

John Bredehoft

[HOME ADDRESS REDACTED]

John Bredehoft…

You and your spouse/partner are each eligible to apply for up to $300,000.00 of Term Life Insurance reserved for members – and with Lower Group Rates ROLLED BACK to 2018!

… SCAN THIS [QR CODE REDACTED] Takes you right to your personalized application

OR GO TO [URL REDACTED] and use this Invitation Code: [CODE REDACTED]

So that’s the first page. The second page includes a Group Term Life Insurance Application with much of the same information.

And there’s the aforementioned return envelope…with my name and address helpfully preprinted on the envelope.

What could go wrong?

Google Gemini.

Dumpster divers

Now obviously the sender hopes that I fill out the form and return it. But there is a very good chance that I will NOT respond to this request, in which case I have to do something with all these papers with personally identifiable information (PII).

Obviously I should shred it.

But what if I don’t?

And some dumpster diver rifles through my trash?

  • Perhaps the dumpster diver will just capture my name, address, and other PII and be done with it.
  • Or perhaps the dumpster diver will apply for term life insurance in my name and do who knows what.

Thanks, sender, you just exposed me to identity theft.

But there’s another possible point at which my identity can be stolen.

Mailbox diverters

What if this piece of snail mail never makes it to me?

  • Maybe someone breaks into my mailbox, steals the mail, and then steals my identity.
  • Or maybe someone breaks into a mail truck, or anywhere on the path from the sender to the recipient.

Again, I’ve been exposed to identity theft.

All because several pieces of paper are floating around with my PII on it.

Multiply that by every piece of mail sent to every person, and the PII exposure problem is enormous.

Email marketers, you’re not off the hook

Now I’m sure some of you are in a self-congratulatory mood right now.

John, don’t tarnish us with the same brush as junk mailers. We are ecologically responsible and don’t send snail mails any more. We use email, eliminating the chance of pieces of PII-laden paper floating around.

Perhaps I should break the news to you.

  • Emails are often laden with the same PII that you find in traditional snail mail, via printed text or “easy to use” web links.
  • Emails can be stolen also.
Google Gemini.

So you’re just as bad as the snail mailers.

What to do?

If you’re a marketer sending PII to your prospects and customers…

Stop it.

Don’t distribute PII all over the place.

Assume that any PII you distribute WILL be stolen.

Because it probably will.

And if you didn’t know this, it won’t make your prospects and customers happy.

Proof of IAL3

I was up bright and early to attend a Liminal Demo Day, and the second presenter was Proof. Lauren Furey and Kurt Ernst presented, with Lauren assuming the role of the agent verifying Kurt’s identity.

The mechanism to verify the identity was a video session. In this case, Agent Lauren used three methods:

  • Examining Kurt’s ID, which he presented on screen.
  • Examining Kurt’s face (selfie).
  • Examining a credit card presented by Kurt.

One important note: Agent Lauren had complete control over whether to verify Kurt’s identity or not. She was not a mere “human in the loop.” Even if Kurt passed all the checks, Lauren could fail the identity check if she suspected something was wrong (such as a potential fraudster prompting Kurt what to do).

If you’ve been following my recent posts on identity assurance level, you know what happened next. Yes, I asked THE question:

“Another question for Proof: does you solution meet the requirements for supervised remote identity proofing (IAL3)?”

Lauren responded in the affirmative.

It’s important to note that Proof’s face authentication solution incorporates liveness detection, so there is reasonable assurance that the person’s fake is not a spoof or a synthetic identity.

So I guess I’m right, and that we’re seeing more and more IAL3 implementations, even if they don’t have the super-duper Kantara Initiative certification that NextgenID has.

Unlocking High-Value Financial Transactions: The Critical Role of Identity Assurance Level 3 (IAL3)

(Picture designed by Freepik.)

I’ve previously discussed the difference between Identity Assurance Level 2 (IAL2) and Identity Assurance Level 3 (IAL3). The key differentiator is that IAL3 requires either (1) in-person identity proofing or (2) remote supervised identity proofing.

Who and how to use IAL3

Who can provide remote supervised identity proofing?

“NextgenID Trusted Services Solution provides Supervised Remote Identity Proofing identity stations to collect, review, validate, proof, and package IAL-3 identity evidence and enrollment data for CSPs operating at IAL-3.”

And there are others who can provide the equivalent of IAL3, as we will see later.

How do you supervise a remote identity proofing session?

“The camera(s) a CSP [Credential Service Provider] employs to monitor the actions taken by a remote applicant during the identity proofing session should be positioned in such a way that the upper body, hands, and face of the applicant are visible at all times.”

But that doesn’t matter with me now. What matters to me is WHEN we need remote identity proofing sessions.

Mitek Systems’ Adam Bacia provides one use case:

“IAL3 is reserved for high-risk environments such as sensitive government services.”

So that’s one use case.

But there is another.

When to use IAL3 for financial transactions

Governments aren’t the only entities that need to definitively know identities in critically important situations.

What about banks and other financial institutions, which are required by law to know their customers?

Now it’s one thing when one of my Bredemarket clients used to pay me by paper check. Rather than go to the bank and deposit it in person at a teller window (in person) or at an ATM (remote supervised), I would deposit the check with my smartphone app (remote unsupervised).

Now the bank assumed a level of risk by doing this, especially since the deposited check would not be in the bank’s physical possession after the deposit was completed.

But guess what? The risk was acceptable for my transactions. I’m disclosing Bredemarket company secrets, but that client never wrote me a million dollar check. Actually, none of my clients has ever written me a million dollar check. (Perhaps I should raise my rates. It’s been a while. If I charge an hourly rate of $100,000, I will get those million dollar checks!)

So how do financial institutions implement the two types of IAL3?

In-person

Regarding IAL3 and banks, in-person transactions are supported in certain cases, even with the banks’ moves to close branches.

“If you need to initiate a funds transfer payment, an authorized signer for your account may also initiate funds (wire) transfers at any Chase branch.”

Note the use of the word “may.” However, if you don’t want to go to a branch to make a wire transfer, you have to set up an alternate method in advance.

Remote supervised

What about remote supervised transactions at financial institutions, where you are not physically present, but someone at the bank remotely sees you and everything you do? Every breath you take? And every move you make? Etcetera.

It turns out that the identity verification providers support video sessions between businesses (such as banks) and their customers. For example, Incode’s Developer Hub includes several references to a video conference capability. 

To my knowledge, Incode has not publicly stated whether any of its financial identity customers are employing this video conference capability, but it’s certainly possible. And when done correctly, this can support the IAL3 specifications.

Why to use IAL3 for financial transactions

For high-risk transactions such as ones with high value and ones with particular countries, IAL3 protects both the financial institutions and their customers. It lessens the fraud risk and the possible harm to both parties.

Some customers may see IAL3 as an unnecessary bureaucratic hurdle…but they would feel differently if THEY were the ones getting ripped off.

This is why both financial institutions and identity verification vendors need to explain the benefits of IAL3 procedures for riskier transactions. And do it in such a way that the end customers DEMAND IAL3.

To create the content to influence customer perception, you need to answer the critically important questions, including why, how, and benefits. (There are others.)

And if your firm needs help creating that content, Underdog is here.

I mean Bredemarket is here.

Visit https://bredemarket.com/mark/ and schedule a time to talk to me—for free. I won’t remotely verify your identity during our videoconference, but I will help you plan the content your firm needs.

Battling deepfakes with…IAL3?

(Picture designed by Freepik.)

The information in this post is taken from the summary of this year’s Biometrics Institute Industry Survey and is presented under the following authority:

“You are welcome to use the information from this survey with a reference to its source, Biometrics Institute Industry Survey 2025. The full report, slides and graphics are available to Biometrics Institute members.”

But even the freebie stuff is valuable, including this citation of two concerns expressed by survey respondents:

“Against a backdrop of ongoing concerns around deepfakes, 85%
agreed or agreed strongly that deepfake technology poses a
significant threat to the future of biometric recognition, which
was similar to 2024.
“And two thirds of respondents (67%) agreed or agreed strongly
that supervised biometric capture is crucial to safeguard against
spoofing and injection attacks.”

Supervised biometric capture? Where have we heard that before?

IAL3 requires “[p]hysical presence” for identity proofing. However, the proofing agent may “attend the identity proofing session via a CSP-controlled kiosk or device.” In other words, supervised enrollment.

Now remote supervised enrollment and even in-person supervised enrollment is not a 100.00000% guard against deepfakes. The subject could be wearing a REALLY REALLY good mask. But it’s better than unsupervised enrollment.

How does your company battle deepfakes?

How do you tell your clients about your product?

Do you need product marketing assistance? Talk to Bredemarket.

Stop losing prospects! Use Bredemarket content for tech marketers

When Prospects Ask Technical Marketers the Tough Questions

Some technical marketers are expert at spinning soft fluffy stories about how their AI-powered toilet paper can cure cancer…which can be very persuasive as long as the prospects don’t ask any questions.

  • For example, let’s say you’re telling a Chick-fil-A in Kettering, Ohio that you’ll keep 17 year olds out of their restaurant. Are you ready when the prospect asks, “How do you KNOW that the person without ID is 17 years and 359 days old, and is not 18?”
  • Or let’s say you’re telling a state voter agency that you’ll enforce voter ID laws. Are you ready when the prospect asks, “How do you KNOW that the voter ID is real and not fake? Or that it is fake and not real?”

Be prepared to answer the tough questions. Expert testimonials. Independent assessments of your product’s accuracy. Customer case studies.

Analyze your product’s weaknesses. (And the threats, if you’re a SWOT groupie.)

And call in the expert help.

Stop losing prospects! Use Bredemarket content for tech marketers