I refrained from discussing this for a couple of days, but I was recently a victim of attempted financial identity fraud.
Well, SORT OF attempted identity fraud. I don’t know if this really counts, since I don’t know if the fraudster had my identity.
But the issue was resolved in less than 48 hours.
By the way, I have purposely changed the names of two of the companies I mention, to protect my PII. Which is a shame, because “Wildebeest Bank” went above and beyond in correcting the issue.
That doesn’t look right
Among its other services, Wildebeest Bank (not its real name) sends me an email whenever a purchase is made on my card, but my card is not present.
This is a fairly common occurrence. Among other things, my website, my business insurance, my business address, and my accounting software are all billed to my card.
But less than 48 hours ago, at 3:30 pm on Wednesday afternoon, I received an unexpected notice.
Your card was not present during a recent purchase
Your card was used to make a purchase at enron*publications us
We noticed your check card ending in 1234 was used to make a $8.48 purchase at enron*publications us today. The card wasn’t present at the time the purchase was made.
If you did not make this purchase, please call the nuber listed on the back of your card.
Log in to your account to review this transaction.
I didn’t recall making any $8.48 purchase, and once I looked up enron*publications us (not its real name), I realized that I definitely DIDN’T purchase anything from that company.
Before calling the bank, I double checked my account and found NO transaction for $8.48, even in a “pending” state.
So I called Wildebeest Bank
I called the number on the back of my card and connected with a woman in a call center who investigated why I got an email for a transaction that didn’t appear.
This is obviously not the Wildebeest Bank call center woman who helped me. But I’m sure she had a computer. By Earl Andrew at English Wikipedia – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=17793658
After accessing several internal systems, the woman discovered that the purchase was attempted, but declined. The fraudster had my card account number, but didn’t have the correct expiration date.
Frankly, I’m not even sure if the fraudster had my name. Did the fraudster just punch in 16 digits and hope they would work?
Anyway, after this conversation, the woman from Wildebeest Bank transferred me to the fraud department.
The Fraud Department
So my call was transferred to the Fraud Department.
The man at the Fraud Department advised me to cancel the card and get a new one.
I was wondering how long this would take, since one of bills was going to be charged to my card in the next two weeks, and I didn’t want any hiccup from a denied card purchase.
Anti-Fraud Man explained that if I could go to a Wildebeest Bank branch by the next day (Thursday), I could get a new card immediately.
“Could I go today?” I asked.
“Sure,” he replied.
It was about 3:50 pm by that time, or 20 minutes since I received the initial email.
So I drove to the bank
I hopped in my car, drove to a local bank branch, and went to a desk.
You may recall that I started Bredemarket in the fall of 2020, right in the middle of COVID. When I opened my account, the bank WOULDN’T let me go to my local bank branch and I had to open the account remotely. Since then I’ve been in the bank branch several times; it’s a nice place.
Anyway, the fraud department had already cancelled my compromised card, so the man at the bank branch only had to issue me a temporary card and guide me through its activation. This temporary card would last me until the new card arrived in the mail. It had the same card number as the new card so I could temporarily use it for purchases, but the permanent card would have a different expiration date and security code.
I could have provided the temporary card’s number, expiration date, and security code to the company that was going to bill me in two weeks, but I preferred to wait until I received the permanent card. I asked the man at the bank branch how long that would take.
“I can expedite it,” he said.
I get a present at Box 259
Less than 48 hours later, on Friday morning, I was notified that I had a package at my business address.
Bredemarket’s mailing address is 1030 N Mountain Ave #259, Ontario CA 91762-2114.
As I guessed, it was the permanent card, which I immediately activated and provided to the companies that auto-bill me via my card.
Here’s the short version:
My bank (“Wildebeest Bank”) notified me of a questionable “card not present” purchase (from “enron*publications us”) at 3:30 pm on Wednesday.
By 3:50 pm (20 minutes later), the bank told me that the attempted purchase was declined, but cancelled the bank card anyway.
By 4:15 pm (45 minutes later), I had a new temporary bank card.
By Friday at noon (less than 48 hours later), I had my permanent bank card.
So everyone be sure to bank at Wildebeest Bank. No confusion when you bank with them!
Checking the purported identity against private databases, such as credit records.
Checking the person’s driver’s license or other government document to ensure it’s real and not a fake.
Checking the purported identity against government databases, such as driver’s license databases. (What if the person presents a real driver’s license, but that license was subsequently revoked?)
Perform a “who you are” biometric test against the purported identity.
If you conduct all four tests, then you have used multiple factors of authentication to confirm that the person is who they say they are. If the identity is synthetic, chances are the purported person will fail at least one of these tests.
Do you fight synthetic identity fraud?
If you fight synthetic identity fraud, you should let people know about your solution.
My belief that everything on the Internet is true has been irrevocably shattered, all because of what an entertainment executive ordered in his spare time. But the Casey Bloys / “Kelly Shepherd” story is just a tiny bit of what is going on with synthetic identities. And X isn’t the only platform plagued by them, as my LinkedIn experience attests.
By the way, this blog post contains pictures of a lot of people. Casey Bloys is real. Some of the others, not so much.
Casey Bloys is the Chairman and CEO of HBO and Max Content. Bloys had to start a recent 2024 schedule presentation with an apology, according to Variety. After explaining how passionate he is about his programming, he went back in time a couple of years to a period that we all remember.
So when you think of that mindset, and then think of 2020 and 2021, I’m home, working from home and spending an unhealthy amount of scrolling through Twitter. And I come up with a very, very dumb idea to vent my frustration.
So why did Bloys have to apologize on Thursday? Because of an article that Rolling Stone published on Wednesday. The article led off with this juicy showbiz tidbit about Bloys’ idea for responding to a critic.
“Maybe a Twitter user should tweet that that’s a pretty blithe response to what soldiers legitimately go through on [the] battlefield,” he texted. “Do you have a secret handle? Couldn’t we say especially given that it’s D-Day to dismiss a soldier’s experience like that seems pretty disrespectful … this must be answered!”
(A note to my younger readers: Twitter used to be a popular social media service that no longer exists. It was replaced by X.)
Eventually Bloys found someone to create the “secret handle.” Sully Temori is now alleging wrongful termination by HBO (which is why we’re learning about these juicy tidbits, via court filings). But in 2021 he was an executive assistant who wanted to get ahead by pleasing his bosses.
Ms. Shepherd seems like a nice woman. A mom, a Texan, a herbalist and aromatherapist, and a vegan. (The cows love that last part.)
Most critically, Shepherd is a normal person, not one of those Hollywood showbiz folks. Although Shepherd, who never posted anything on her own, seems to have a distinct motivation to respond to critics of HBO shows. Take her first reply to a critic from (checks notes) Rolling Stone. (Two years later, Rolling Stone would gleefully report on this story. Watch out who you anger.)
Kelly’s other three replies were along the same lines.
All were short one-sentence blurbs.
Most were completely in lower case, because that’s how regular non-Hollywood folk tweet.
All were critical of those who were critical of HBO, accusing them of “shitting on a show about women,” getting their “panties in a bunch,” and being “busy virtue signaling.”
Hey, if I couldn’t eat hamburgers and my home was filled with weird herbs and aromas, I’d be a little mad too.
And then, a little over a week later, it was over, and Kelly Shepherd never tweeted again. Although Temori apparently performed other activities against HBO critics via other methods. Well, until he was terminated.
Did Kelly Shepherd open a LinkedIn account?
But as part of the plan to satisfy Casey Bloys’ angry whims, Kelly Shepherd acquired a social media account, which she could use as a possible proof of identity.
Even though we now know she doesn’t exist.
But X isn’t the only platform plagued with synthetic identities, and some synthetic identities can do much more than anger an entertainment reviewer.
Many of us on LinkedIn are regularly receiving InMails and connection requests (in my case, from profiles with pictures of beautiful women) who say that we are constantly recommended by LinkedIn, who tell us how impressive our profiles are, and who want to contact us outside of the LinkedIn platform via text message or WhatsApp.
Now perhaps some of these messages are from real people, but I seriously doubt that so many of the employees at John Q Wine & Liquor Winery in New York happen to have the last name “Walter.” And the exact same job title.
Ms. Walter is a pretty busy freelance general manager / director / content partnerships manager.
As for her colleague Ms. Alice Walter, she has more experience (having started in 2018) but also has an extensive biography that begins:
The United States is a country with innovative challenges, and there is more room for development in the wine industry at John Q Wine & Liquor Winery. I am motivated and love to learn, and like to be exposed to more different cultures, and hope to develop more careers in my future life.
And you can check out Maria Walter’s profile if you’re so inclined. Or at least check out “her” picture.
Now none of the Walters women tried to contact me, but another “employee” (or maybe it was a “freelancer,” I forget) of this company tried to do so, which led my curious nature to discover yet another hive of fake LinkedIn profiles.
Sadly, one person from this company is a second-degree connection, which means that one of my connections accepted “her” connection request.
Synthetic identities are harmless…right?
Who knows what Karina, Alice, and Maria will do with their LinkedIn profiles?
Will they connect with other professionals?
Will they ask said professionals to move the conversation to SMS or WhatsApp, for whatever reason?
Will they apply for new jobs, using their impressive work history? A 98.8% customer satisfaction rate while managing 1,800 sub-partnerships is remarkable.
Will they apply for bank accounts…or loans?
The fraud possibilities from fake LinkedIn accounts are endless, and could be very costly for any company who falls for a fake synthetic identity. In fact, FiVerity reports that “in 2020, an estimated $20 billion was lost to SIF” (synthetic identity fraud). Which means that LinkedIn account holders and Partnerships Managers Karina, Alice, and Maria Walter could make a LOT of money.
Now banks and other financial institutions have safeguards to verify financial identities of people who open accounts and apply for loans, because fraud reduction is critically important to financial institutions.
Social media companies? Identity is only “important” to them.
They don’t even care about uniqueness (as Worldcoin does), evidenced by the fact that I have more than two X accounts (but none in which I portray a female Texas mom and vegan).
So if someone comes up to you on X or LinkedIn, remember that all may not be as it seems.
Money 20/20 is taking place in Las Vegas, Nevada, USA from Sunday, October 22 to Wednesday October 25.
While I am not in Las Vegas, Bredemarket will monitor the goings-on and share relevant news on Facebook (Bredemarket Identity Firm Services group), Instagram (Bredemarket), LinkedIn (Bredemarket Identity Firm Services page), bredemarket.com, and elsewhere.
I just made an exception to my “no bots on the first draft” approach. (The Product Marketing Alliance made me do it.)
The setting
I recently attended the Product Marketing Alliance’s “Masters of Product Marketing” webinar, and the Wednesday morning (my time) workshop was led by Elliott Rayner of ARION.
The title? “Workshop – AI-powered storytelling: the definitive guide.”
Red flags. The “temperamental writer” side of me always reacts negatively at the suggestion that a person turn the writing process over to a bot.
Here is the generic prompt that Rayner shared with the workshop participants (note that this should be Christopher Booker, not Charles Brooker; generative AI figured things out anyway):
“Using Charles Brooker’s plot framework “Overcoming the monster” can you write a product campaign narrative for the brand BLANK who are on a mission to BLANK. Please place focus on the customer overcoming the pain paint of BLANK within the market segment of BLANK”
From the Product Marketing Alliance workshop
My prompt
So I took the prompt above and modified it for Bredemarket.
“Using Charles Brooker’s plot framework “Overcoming the monster” can you write a product campaign narrative for the brand Bredemarket who are on a mission to equip customers with superior marketing content. Please place focus on the customer overcoming the pain paint of addressing customer needs within the market segment of financial services”
While Elliott used ChatGPT for his generative AI engine, I used Bard. The next section contains Bard’s response to the prompt above.
Bredemarket: Overcoming the Monster of Marketing
Plot:
Once upon a time, in the competitive and ever-changing world of financial services, there lived a company called Bredemarket. Bredemarket’s mission was to equip customers with superior marketing content, but they faced a daunting challenge: how to address the pain point of addressing customer needs within a complex and ever-evolving market segment?
Bredemarket knew that the key to overcoming this monster was to create marketing content that was both informative and engaging. They needed to create content that would educate customers about their products and services, while also inspiring them to take action.
To do this, Bredemarket assembled a team of experienced and talented marketers who were experts in the financial services industry. Together, they developed a comprehensive content strategy that included a variety of formats, such as blog posts, infographics, e-books, and videos.
Bredemarket’s content was also highly targeted. They took the time to understand the needs of their target audience and created content that was specifically relevant to them. This approach helped Bredemarket to build trust and credibility with their customers.
Over time, Bredemarket’s content marketing efforts began to pay off. They saw an increase in website traffic, leads, and sales. Their customers were also more engaged and satisfied than ever before.
Conclusion:
Bredemarket’s story is a testament to the power of content marketing. By creating informative and engaging content that addresses customer needs, Bredemarket was able to overcome the monster of marketing and achieve success.
How Bredemarket can help financial services companies overcome the monster of marketing:
Bredemarket understands the unique challenges that financial services companies face when it comes to marketing. That’s why they offer a variety of services that can help companies overcome these challenges and achieve their marketing goals.
Bredemarket’s services include:
Content strategy development
Content creation
Content distribution
Content marketing analytics
Bredemarket also offers a variety of industry-specific content packages that are specifically designed for financial services companies. These packages include content that covers a wide range of topics, such as:
Financial planning
Retirement planning
Investing
Insurance
Mortgages
If you’re a financial services company that’s struggling to address customer needs with your marketing content, Bredemarket can help. With their expertise and experience in the financial services industry, they can help you create content that is both informative and engaging, and that will help you achieve your marketing goals.
My observations on the result above
So here’s what I think of Bard’s work.
If I took time to improve the prompt, I probably could have received a better result. I’ve previously said that you may have to go through five iterations of a generative AI prompt to get satisfactory results, which led to my conclusion that AI yields results in five minutes (and that humans will therefore be pressured to yield quick results also). So if I took the time to tweak the prompt, rather than just going with the first result I received, I’d get a better story. For example, rather than using the term “financial services,” perhaps I should have used “financial identity verification” to hone in on my interest in financial identity.
Hallucination is rampant in the text. When generative AI doesn’t know something, it loudly asserts what it doesn’t know. Bard obviously doesn’t know a lot about Bredemarket, but it loudly proclaimed that I provide “retirement planning.” (If I knew anything about retirement planning, I’d retire by now.) And the idea of the “team of experienced and talented marketers” is kinda sorta inaccurate. You just have me.
The tone of voice is all wrong. One reason that I would never use this result for real is because it is not in Bredemarket’s conversational tone of voice. And it would be unusual for me to tell an odyssey. I’ll leave that to John Sculley. To get Bard to write like me, perhaps I can design a prompt that includes the words “mention wildebeests a lot in the response.”
Despite these drawbacks, the exercise was helpful as a brainstorming tool. It provides a framework that would allow me to write a REAL post about how Bredemarket can help financial firms (and vendors to such firms) communicate a customer-focused message about financial identity.
So in the end, it was a worthwhile exercise.
Postscript
This isn’t the first time that I’ve written about the song “The Girl and the Robot.” Roughly a decade ago, I wrote a piece for the online MungBeing Magazine entitled “Robots Dot Txt.” This wasn’t about the official video for the song, but another video documenting a “live” performance of the song.
So in the Senkveld performance, Robyn and Röyksopp (and Davide Rossi and Anneli Drecker, not present on stage but present nevertheless) make me happy by becoming flesh-and-blood robots themselves, capably performing a variety of often complex human tasks that were programmed in a recording studio several months previously.
Yes, I’m stealing the Biometric Update practice of combining multiple items into a single post, but this lets me take a brief break from identity (mostly) and examine three general technology stories:
Advances in speech neuroprosthesis (the Pat Bennett / Stanford University story).
The benefits of Dynamic Media for Adobe Enterprise Manager users, as described by KBWEB Consult.
The benefits of graph databases for Identity and Access Management (IAM) implementations, as described by IndyKite.
Neuroprosthetics “is a discipline related to neuroscience and biomedical engineering concerned with developing neural prostheses, artificial devices to replace or improve the function of an impaired nervous system.
Various news sources highlighted the story of amyotrophic lateral sclerosis (ALS) patient Pat Bennett and her somewhat-enhanced ability to formulate words, resulting from research at Stanford University.
Because I was curious, I sought the Nature article that discussed the research in detail, “A high-performance speech neuroprosthesis.” The article describes a proof of concept of a speech brain-computer interface (BCI).
Here we demonstrate a speech-to-text BCI that records spiking activity from intracortical microelectrode arrays. Enabled by these high-resolution recordings, our study participant—who can no longer speak intelligibly owing to amyotrophic lateral sclerosis—achieved a 9.1% word error rate on a 50-word vocabulary (2.7 times fewer errors than the previous state-of-the-art speech BCI2) and a 23.8% word error rate on a 125,000-word vocabulary (the first successful demonstration, to our knowledge, of large-vocabulary decoding). Our participant’s attempted speech was decoded at 62 words per minute, which is 3.4 times as fast as the previous record8 and begins to approach the speed of natural conversation (160 words per minute9).
For Bennett, the (ALS) deterioration began not in her spinal cord, as is typical, but in her brain stem. She can still move around, dress herself and use her fingers to type, albeit with increasing difficulty. But she can no longer use the muscles of her lips, tongue, larynx and jaws to enunciate clearly the phonemes — or units of sound, such as sh — that are the building blocks of speech….
After four months, Bennett’s attempted utterances were being converted into words on a computer screen at 62 words per minute — more than three times as fast as the previous record for BCI-assisted communication.
Now let’s shift to companies that need to produce marketing collateral. Bredemarket produces collateral, but not to the scale that big companies need to produce. A single company may have to produce millions of pieces of collateral, each of which is specific to a particular product, in a particular region, for a particular audience/persona. Even Bredemarket could potentially produce all sorts of content, if it weren’t so difficult to do so:
An Instagram carousel post about the Bredemarket 400 Short Writing Service, targeted to voice sales executives in the identity industry.
A TikTok reel about the Bredemarket 400 Short Writing Service, targeted to marketing executives in the AI industry.
All of this specialized content, using all of these different image and video formats? I’m not gonna create all that.
But as KBWEB Consult (a boutique technology consulting firm specializing in the implementation and delivery of Adobe Enterprise Cloud technologies) points out in its article “Implementing Rapid Omnichannel Messaging with AEM Dynamic Media,” Adobe Experience Manager has tools to speed up this process and create correctly-messaged content in ALL the formats for ALL the audiences.
One of those tools is Dynamic Media.
AEM Dynamic Media accelerates omnichannel personalization, ensuring your business messages are presented quickly and in the proper formats. Starting with a master file, Dynamic Media quickly adjusts images and videos to satisfy varying asset specifications, contributing to increased content velocity.
A graph database, also referred to as a semantic database, is a software application designed to store, query and modify network graphs. A network graph is a visual construct that consists of nodes and edges. Each node represents an entity (such as a person) and each edge represents a connection or relationship between two nodes.
Graph databases have been around in some variation for along time. For example, a family tree is a very simple graph database….
Graph databases are well-suited for analyzing interconnections…
To see how this applies to identity and access management (IAM), I’ll turn to IndyKite, whose Lasse Andersen recently presented on graph database use in IAM (in a webinar sponsored by Strativ Group). IndyKite describes its solution as follows (in part):
A knowledge graph that holistically captures the identities of customers and IoT devices along with the rich relationships between them
A dynamic and real-time data model that unifies disconnected identity data and business metadata into one contextualized layer
Yes, I know that every identity company (with one exception) uses the word “trust,” and they all use the word “seamless.”
But this particular technology benefits banking customers (at least the honest ones) by using the available interconnections to provide all the essential information about the customer and the customer’s devices, in a way that does not inconvenience the customer. IndyKite claims “greater privacy and security,” along with flexibility for future expansion.
In other words, it increases velocity.
What is your technology story?
I hope you provided this quick overview of these three technology advances.
But do you have a technology story that YOU want to tell?
Perhaps Bredemarket, the technology content marketing expert, can help you select the words to tell your story. If you’re interested in talking, let me know.
Victoria Gardens, Rancho Cucamonga, California, August 12, 2023.
Can someone pretend to be you if they have no idea who you are?
It’s been a couple of weeks since I last addressed Worldcoin’s activities, but a lot has happened in Kenya, and now in Argentina also. Here’s a succinct (I hope) update that looks beyond the blaring headlines to see what is REALLY happening.
And, at the end of this post, I address what COULD happen if a fraudster “cut off someone’s face, including gouging out their eyes, and then you draped it all over your own face.” Hey, you have to consider ALL the use cases.
According to the AAIP, an entity like Worldcoin must register with the AAIP, provide information about its data processing policy, and indicate the purpose for collecting sensitive data and the retention period for such data. Additionally, the agency requires details of the security and confidentiality measures applied to safeguard personal information. The AAIP did not confirm whether Worldcoin complies with the standards.
Worldcoin told CoinDesk in an emailed statement that “the project complies with all laws and regulations governing the processing of personal data in the markets where Worldcoin is available, including but not limited to Argentina’s Personal Data Protection Act 25.326.”
But what is this “personal data” that concerns Argentina so much?
The data that Worldcoin collects
Now a number of companies need to comply with local privacy regulations in numerous countries, and Worldcoin obviously must obey the law in the countries where it conducts business, including laws about personally identifiable information (PII). For illustration, here is an incomplete list of examples of PII, compiled by the University of Pittsburgh:
Name: full name, maiden name, mother’s maiden name, or alias
Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
Personal address information: street address, or email address
Personal telephone numbers
Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
Biometric data: retina scans, voice signatures, or facial geometry
Information identifying personally owned property: VIN number or title number
Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person
To my knowledge, Worldcoin acquires PII in two separate instances: when downloading the World App, and when registering at an Orb.
Data collected by the World App
First, Worldcoin collects data when you download the World App. The data that is collected by the iOS version of the World App includes a user ID, the user’s coarse location, a name, contacts, and a phone number. I’ll admit that the collection of contacts is a little odd, but let’s see what happens to that data later in the process.
Your biometric data is first processed locally on the Orb and then permanently deleted. The only data that remains is your iris code. This iris code is a set of numbers generated by the Orb and is not linked to your wallet or any of your personal information. As a result, it really tells us — and everyone else — nothing about you. All it does is stop you from being able to sign up again.
But what about the second use case, in which the user consents to have Worldcoin retain information (so that the user does not have to re-enroll if they get a new phone)?
Your biometric data is first processed locally on the Orb and then sent, via encrypted communication channels, to our distributed secure data stores, where it is encrypted at rest. Once it arrives, your biometric data is permanently deleted from the Orb.
Regardless of whether biometric data is retained or not, other PII isn’t even collected at the Orb:
Since you are not required to provide personal information like your name, email address, physical address or phone number, this means that you can easily sign up without us ever knowing anything about you.
“But John,” you’re saying, “names and phone numbers are not collected at the Orb, but names and phone numbers ARE collected by the World App. So how are the name, phone number, user ID, and ‘iris code’ linked together?” Let me reprint what Worldcoin says about the app:
Your Worldcoin App is your self-custodial wallet. That means, just like a physical wallet, that no banks, governments or corporations can do anything to it — like lose or freeze your money — you’re in complete control.
You also don’t need to enter any personal information to get or use the App. But even if you do, you can rest assured that, unlike others, we will never sell or try to profit from your personal information.
So apparently, while the World App asks for your name, it is not a mandatory field. I just confirmed this on my World App (which I enabled on May 16, without orb verification); the only identifying information that I could find was my phone number and my user ID.
And I’m assuming that if I were to enroll at an Orb, the iris code would be linked to my user ID.
Depending upon Worldcoin’s internal architecture:
It’s possible that the iris code could be linked to my phone number, either intentionally or unintentionally. But even if it is, an iris code in and of itself is useless outside of the Worldcoin ecosystem. In the same way that an Aware, IDEMIA, NEC, or Thales fingerprint template (not the fingerprint image) can’t be used to generate a full fingerprint image, a Worldcoin iris code can’t be used to generate a full iris image.
If I choose the “with data custody” option, my biometric images could be linked to my phone number. Again, they could be linked either intentionally or unintentionally. If such a linkage exists, then that IS a problem. If a user chooses to back up both their World App data and their Orb biometric image data with Worldcoin (and again, the user must CHOOSE to back up both sets of data), how does Worldcoin ensure that the two sets of data can’t be linked?
Presumably Argentina’s AAIP will investigate Worldcoin’s architecture to ensure that there are no financial identity threats.
Which leads us to Kenya.
Kenya and data protection laws
When we last visited Kenya and Worldcoin on August 2, the government had announced that “(r)elevant security, financial services and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities, the safety and protection of the data being harvested, and how the harvesters intend to use the data.”
Those investigations continue, Worldcoin’s Kenya offices have been raided, and Parliament is angry at the regulatory authorities…for not doing enough. The article that reports this states that the Data Protection Unit feels it is not responsible for investigating the “core business” of the registered companies, but Parliament feels otherwise.
The article also makes another interesting statement:
…the office failed to conduct background checks on the company, whose operations have been banned in both the United States of America (USA) and Germany.
Now what I CAN’T do is obtain some Worldcoin when I register my irises.
In addition, Worldcoin tokens (“WLD”) are not intended to be available for use, purchase, or access by US persons, including US citizens, residents, or persons in the United States, or companies incorporated, located, or resident in the United States, or who have a registered agent in the United States. We do not make WLD available to such US persons. Furthermore, you agree that you will not sell, transfer or make available WLD to US persons.
I continued on a darker vein: What if a criminal mastermind decided to cut out someone’s eyes, and use them to steal their identity?
The Orb engineer told me that it wouldn’t work. This Orb needs to see alive, blinking eyes, and a human face that is real attached to them. A picture of someone’s eyes won’t scan, robot eyes won’t scan, canine eyes won’t scan.
But then I got him.
If you cut off someone’s face, including gouging out their eyes, and then you draped it all over your own face, could you register as them with a Worldcoin scanner and steal their identity?
Yes.
Although he promised that the Worldcoin R&D team has not tested this particular edge case.
Does your firm fight crooks who try to fraudulently use synthetic identities? If so, how do you communicate your solution?
This post explains what synthetic identities are (with examples), tells four ways to detect synthetic identities, and closes by providing an answer to the communication question.
While this post is primarily intended for identity firms who can use Bredemarket’s marketing and writing services, anyone else who is interested in synthetic identities can read along.
What are synthetic identities?
To explain what synthetic identities are, let me start by telling you about Jason Brown.
Jason Brown wasn’t Jason Brown
You may not have heard of him unless you lived in Atlanta, Georgia in 2019 and lived near the apartment he rented.
Jason Brown’s renting of an apartment isn’t all that unusual.
If you were to visit Brown’s apartment in February 2019, you would find credit cards and financial information for Adam M. Lopez and Carlos Rivera.
Now that’s a little unusual, especially since Lopez and Rivera never existed.
For that matter, Jason Brown never existed either.
A Georgia man was sentenced Sept. 1 (2022) to more than seven years in federal prison for participating in a nationwide fraud ring that used stolen social security numbers, including those belonging to children, to create synthetic identities used to open lines of credit, create shell companies, and steal nearly $2 million from financial institutions….
Cato joined conspiracies to defraud banks and illegally possess credit cards. Cato and his co-conspirators created “synthetic identities” by combining false personal information such as fake names and dates of birth with the information of real people, such as their social security numbers. Cato and others then used the synthetic identities and fake ID documents to open bank and credit card accounts at financial institutions. Cato and his co-conspirators used the unlawfully obtained credit cards to fund their lifestyles.
Talking about synthetic identity at Victoria Gardens
Here’s a video that I created on Saturday that describes, at a very high level, how synthetic identities can be used fraudulently. People who live near Rancho Cucamonga, California will recognize the Victoria Gardens shopping center, proof that synthetic identity theft can occur far away from Georgia.
Note that synthetic identity theft different from stealing someone else’s existing identity. In this case, a new identity is created.
So how do you catch these fraudsters?
Catching the identity synthesizers
If you’re renting out an apartment, and Jason Brown shows you his driver’s license and provides his Social Security Number, how can you detect if Brown is a crook? There are four methods to verify that Jason Brown exists, and that he’s the person renting your apartment.
Method One: Private Databases
One way to check Jason Brown’s story is to perform credit checks and other data investigations using financial databases.
Did Jason Brown just spring into existence within the past year, with no earlier credit record? That seems suspicious.
Does Jason Brown’s credit record appear TOO clean? That seems suspicious.
Does Jason Brown share information such as a common social security number with other people? Are any of those other identities also fraudulent? That is DEFINITELY suspicious.
This is one way that many firms detect synthetic identities, and for some firms it is the ONLY way they detect synthetic identities. And these firms have to tell their story to their prospects.
If your firm offers a tool to verify identities via private databases, how do you let your prospects know the benefits of your tool, and why your solution is better than all other solutions?
Method Two: Check That Driver’s License (or other government document)
What about that driver’s license that Brown presented? There are a wide variety of software tools that can check the authenticity of driver’s licenses, passports, and other government-issued documents. Some of these tools existed back in 2019 when “Brown” was renting his apartment, and a number of them exist today.
Maybe your firm has created such a tool, or uses a tool from a third party.
If your firm offers this capability, how can your prospects learn about its benefits, and why your solution excels?
Method Three: Check Government Databases
Checking the authenticity of a government-issued document may not be enough, since the document itself may be legitimate, but the implied credentials may no longer be legitimate. For example, if my California driver’s license expires in 2025, but I move to Minnesota in 2023 and get a new license, my California driver’s license is no longer valid, even though I have it in my possession.
Why not check the database of the Department of Motor Vehicles (or the equivalent in your state) to see if there is still an active driver’s license for that person?
The American Association of Motor Vehicle Administrators (AAMVA) maintains a Driver’s License Data Verification (DLDV) Service in which participating jurisdictions allow other entities to verify the license data for individuals. Your firm may be able to access the DLDV data for selected jurisdictions, providing an extra identity verification tool.
If your firm offers this capability, how can your prospects learn where it is available, what its benefits are, and why it is an important part of your solution?
Method Four: Conduct the “Who You Are” Test
There is one more way to confirm that a person is real, and that is to check the person. Literally.
If someone on a smartphone or videoconference says that they are Jason Brown, how do you know that it’s the real Jason Brown and not Jim Smith, or a previous recording or simulation of Jason Brown?
This is where tools such as facial recognition and liveness detection come to play.
You can ensure that the live face matches any face on record.
You can also confirm that the face is truly a live face.
In addition to these two tests, you can compare the face against the face on the presented driver’s license or passport to offer additional confirmation of true identity.
Now some companies offer facial recognition, others offer liveness detection, others match the live face to a face on a government ID, and many companies offer two or three of these capabilities.
One more time: if your firm offers these capabilities—either your own or someone else’s—what are the benefits of your algorithms? (For example, are they more accurate than competing algorithms? And under what conditions?) And why is your solution better than the others?
This is for the firms who fight synthetic identities
While most of this post is of general interest to anyone dealing with synthetic identities, this part of this post is specifically addressed to identity and biometric firms who provide synthetic identity-fighting solutions.
When you communicate about your solutions, your communicator needs to have certain types of experience.
Industry experience. Perhaps you sell your identity solution to financial institutions, or educational institutions , or a host of other industries (gambling/gaming, healthcare, hospitality, retailers, or sport/concert venues, or others). You need someone with this industry experience.
Solution experience. Perhaps your communications require someone with 29 years of experience in identity, biometrics, and technology marketing, including experience with all five factors of authentication (and verification).
Communication experience. Perhaps you need to effectively communicate with your prospects in a customer focused, benefits-oriented way. (Content that is all about you and your features won’t win business.)
If you haven’t read a Bredemarket blog post before, or even if you have, you may not realize that this post is jam-packed with additional information well beyond the post itself. This post alone links to the following Bredemarket posts and other content. You may want to follow one or more of the 13 links below if you need additional information on a particular topic:
Here’s my latest brochure for the Bredemarket 400 Short Writing Service, my standard package to create your 400 to 600 word blog posts and LinkedIn articles. Be sure to check the Bredemarket 400 Short Writing Service page for updates.
Monroe County Sheriff’s deputies found eight debit cards and three driver’s licenses belonging to other people in (Jamal Denzel) Austin’s possession during a traffic stop for reckless driving and failing to maintain lane on Jan. 19, 2020. A subsequent investigation revealed that Austin, who worked at an Atlanta club, had used two stolen identities to register two separate fictious (sic) businesses with the Georgia Secretary of State’s Office to obtain two Capital One business credit cards with credit limits of $30,000 and $20,000.
The investigation, which also included participation by the United States Secret Service and other local, state, and federal agencies, also uncovered a stolen $49,000 check.
Well, Austin lost the stolen money and his freedom. He was sentenced to 48 months in federal prison.
Now I’ll grant the early stages of this investigation aren’t as sexy as other fraud detection methods, but it worked.
Bredemarket 