My (Sort Of) Financial Identity Fraud Experience

I refrained from discussing this for a couple of days, but I was recently a victim of attempted financial identity fraud.

Well, SORT OF attempted identity fraud. I don’t know if this really counts, since I don’t know if the fraudster had my identity.

But the issue was resolved in less than 48 hours.

By the way, I have purposely changed the names of two of the companies I mention, to protect my PII. Which is a shame, because “Wildebeest Bank” went above and beyond in correcting the issue.

That doesn’t look right

Among its other services, Wildebeest Bank (not its real name) sends me an email whenever a purchase is made on my card, but my card is not present.

This is a fairly common occurrence. Among other things, my website, my business insurance, my business address, and my accounting software are all billed to my card.

But less than 48 hours ago, at 3:30 pm on Wednesday afternoon, I received an unexpected notice.

Your card was not present during a recent purchase

Your card was used to make a purchase at enron*publications us

We noticed your check card ending in 1234 was used to make a $8.48 purchase at enron*publications us today. The card wasn’t present at the time the purchase was made.

If you did not make this purchase, please call the number listed on the back of your card.

Log in to your account to review this transaction.

I didn’t recall making any $8.48 purchase, and once I looked up enron*publications us (not its real name), I realized that I definitely DIDN’T purchase anything from that company.

Before calling the bank, I double checked my account and found NO transaction for $8.48, even in a “pending” state.

So I called Wildebeest Bank

I called the number on the back of my card and connected with a woman in a call center who investigated why I got an email for a transaction that didn’t appear.

This is obviously not the Wildebeest Bank call center woman who helped me. But I’m sure she had a computer. By Earl Andrew at English Wikipedia – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=17793658

After accessing several internal systems, the woman discovered that the purchase was attempted, but declined. The fraudster had my card account number, but didn’t have the correct expiration date.

Frankly, I’m not even sure if the fraudster had my name. Did the fraudster just punch in 16 digits and hope they would work?

Anyway, after this conversation, the woman from Wildebeest Bank transferred me to the fraud department.

The Fraud Department

So my call was transferred to the Fraud Department.

Not the man at Wildebeest Bank’s Fraud Department. And I bet the man who helped me didn’t have a cool beret like this guy. CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=245337

The man at the Fraud Department advised me to cancel the card and get a new one.

I was wondering how long this would take, since one of my bills was going to be charged to my card in the next two weeks, and I didn’t want any hiccup from a denied card purchase.

Anti-Fraud Man explained that if I could go to a Wildebeest Bank branch by the next day (Thursday), I could get a new card immediately.

“Could I go today?” I asked.

“Sure,” he replied.

It was about 3:50 pm by that time, or 20 minutes since I received the initial email.

So I drove to the bank

I hopped in my car, drove to a local bank branch, and went to a desk.

Not the real person who helped me at my bank branch, but the real person was nice also. By Melwinsy – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=35660323.

You may recall that I started Bredemarket in the fall of 2020, right in the middle of COVID. When I opened my account, the bank WOULDN’T let me go to my local bank branch and I had to open the account remotely. Since then I’ve been in the bank branch several times; it’s a nice place.

Anyway, the fraud department had already cancelled my compromised card, so the man at the bank branch only had to issue me a temporary card and guide me through its activation. This temporary card would last me until the new card arrived in the mail. It had the same card number as the new card so I could temporarily use it for purchases, but the permanent card would have a different expiration date and security code.

I could have provided the temporary card’s number, expiration date, and security code to the company that was going to bill me in two weeks, but I preferred to wait until I received the permanent card. I asked the man at the bank branch how long that would take.

“I can expedite it,” he said.

I get a present at Box 259

Less than 48 hours later, on Friday morning, I was notified that I had a package at my business address.

Bredemarket’s mailing address is 1030 N Mountain Ave #259, Ontario CA 91762-2114.

As I guessed, it was the permanent card, which I immediately activated and provided to the companies that auto-bill me via my card.

Here’s the short version:

  • My bank (“Wildebeest Bank”) notified me of a questionable “card not present” purchase (from “enron*publications us”) at 3:30 pm on Wednesday.
  • By 3:50 pm (20 minutes later), the bank told me that the attempted purchase was declined, but cancelled the bank card anyway.
  • By 4:15 pm (45 minutes later), I had a new temporary bank card.
  • By Friday at noon (less than 48 hours later), I had my permanent bank card.

So everyone be sure to bank at Wildebeest Bank. No confusion when you bank with them!

Black wildebeest. By derekkeats – Flickr: IMG_4955_facebook, CC BY-SA 2.0, https://commons.wikimedia.org/w/index.php?curid=14620744.

Ransomware Doesn’t Celebrate a Holiday

Government Technology posted an article on a ransomware attack that affected Ardent Health Services facilities in multiple U.S. states, including Texas, Idaho, New Mexico, Oklahoma, New Jersey, and Kansas over Thanksgiving Day, requiring some ambulances to be diverted and some services suspended.

Government Technology observed:

The Thanksgiving timing of the attack is unlikely to be coincidental. Hackers are believed to see holiday weekends as an opportunity to strike while network defenders and IT are likely “at limited capacity for an extended time,” the Cybersecurity and Infrastructure Security Agency (CISA) has noted.

From https://www.govtech.com/security/ransomware-impacts-health-care-systems-in-six-states

And it’s not like the hackers are necessarily having to pass up on their turkey dinner. Few if any holidays are universal, and over 7 billion people (including many hackers) did NOT celebrate Thanksgiving last Thursday.

Does this mean that companies need to INCREASE security staff during holiday periods?

Login.gov and IAL2 #realsoonnow

Back in August 2023, the U.S. General Services Administration published a blog post that included the following statement:

Login.gov is on a path to providing an IAL2-compliant identity verification service to its customers in a responsible, equitable way. Building on the strong evidence-based identity verification that Login.gov already offers, Login.gov is on a path to providing IAL2-compliant identity verification that ensures both strong security and broad and equitable access.

From https://www.gsa.gov/blog/2023/08/18/reducing-fraud-and-increasing-access-drives-record-adoption-and-usage-of-logingov

It’s nice to know…NOW…that Login.gov is working to achieve IAL2.

This post explains what the August 2023 GSA post said, and what it didn’t say.

But first, I’ll define what Login.gov and “IAL2” are.

What is Login.gov?

Here is what Login.gov says about itself:

Login.gov is a secure sign in service used by the public to sign in to participating government agencies. Participating agencies will ask you to create a Login.gov account to securely access your information on their website or application.

You can use the same username and password to access any agency that partners with Login.gov. This streamlines your process and eliminates the need to remember multiple usernames and passwords.

From https://www.login.gov/what-is-login/

Obviously there are a number of private companies (over 80 last I counted) that provide secure access to information, but Login.gov is provided by the government itself—specifically by the General Services Administration’s Technology Transformation Services. Agencies at the federal, state, and local level can work with the GSA TTS’ “18F” organization to implement solutions such as Login.gov.

Why would agencies implement Login.gov? Because the agencies want to protect their constituents’ information. If fraudsters capture personally identifiable information (PII) of someone applying for government services, the breached government agency will face severe repercussions. Login.gov is supposed to protect its partner agencies from these nightmares.

How does Login.gov do this?

  • Sometimes you might use two-factor authentication consisting of a password and a second factor such as an SMS code or the use of an authentication app.
  • In more critical cases, Login.gov requests a more reliable method of identification, such as a government-issued photo ID (driver’s license, passport, etc.).

What is IAL2?

At the risk of repeating myself, I’ll briefly go over what “Identity Assurance Level 2” (IAL2) is.

The U.S. National Institute of Standards and Technology, in its publication NIST SP 800-63a, has defined “identity assurance levels” (IALs) that can be used when dealing with digital identities. It’s helpful to review how NIST has defined the IALs. (I’ll define the other acronyms as we go along.)

Assurance in a subscriber’s identity is described using one of three IALs:

IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a [Credential Service Provider] CSP asserts to an [Relying Party] RP). Self-asserted attributes are neither validated nor verified.

IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.

IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.

From https://pages.nist.gov/800-63-3/sp800-63a.html#sec2

So in its simplest terms, IAL2 requires evidence of a verified credential so that an online person can be linked to a real-life identity. If someone says they’re “John Bredehoft” and fills in an online application to receive government services, IAL2 compliance helps to ensure that the person filling out the online application truly IS John Bredehoft, and not Bernie Madoff.

As more and more of us conduct business—including government business—online, IAL2 compliance is essential to reduce fraud.

One more thing about IAL2 compliance. The mere possession of a valid government issued photo ID is NOT sufficient for IAL2 compliance. After all, Bernie Madoff may be using John Bredehoft’s driver’s license. To make sure that it’s John Bredehoft using John Bredehoft’s driver’s license, an additional check is needed.

This has been explained by ID.me, a private company that happens to compete with Login.gov to provide identity proofing services to government agencies.

Biometric comparison (e.g., selfie with liveness detection or fingerprint) of the strongest piece of evidence to the applicant

From https://network.id.me/article/what-is-nist-ial2-identity-verification/

So you basically take the information on a driver’s license and perform a facial recognition 1:1 comparison with the person possessing the driver’s license, ideally using liveness detection, to make sure that the presented person is not a fake.

So what?

So the GSA was apparently claiming how secure Login.gov was. Guess who challenged the claim?

The GSA.

Now sometimes it’s ludicrous to think that the government can police itself, but in some cases government actually identifies government faults.

Of course, this works best when you can identify problems with some other government entity.

Which is why the General Services Administration has an Inspector General. And in March 2023, the GSA Inspector General released a report with the following title: “GSA Misled Customers on Login.gov’s Compliance with Digital Identity Standards.”

The title is pretty clear, but Fedscoop summarized the findings for those who missed the obvious:

As part of an investigation that has run since last April (2022), GSA’s Office of the Inspector General found that the agency was billing agencies for IAL2-compliant services, even though Login.gov did not meet Identity Assurance Level 2 (IAL2) standards.

GSA knowingly billed over $10 million for services provided through contracts with other federal agencies, even though Login.gov is not IAL2 compliant, according to the watchdog.

From https://fedscoop.com/gsa-login-gov-watchdog-report/

So now GSA is explicitly saying that Login.gov ISN’T IAL2-compliant.

Which helps its private sector competitors.