“The documents were forged Labour Market Impact Assessments, or LMIAs. Employers typically receive the documents from Employment and Social Development Canada (ESDC) if they want to hire a foreign worker.”
Biometrics aren’t enough. The person may be who they say they are, but the documentation they are holding may be fake.
Your cybersecurity firm can provide the most amazing protection software to your clients, and the clients still won’t be safe.
Why not? Because of the human element. All it takes is one half-asleep employee to answer that “We received your $3,495 payment” email. Then all your protections go for naught.
The solution is simple: eliminate the humans.
Eliminating the human element
Companies are replacing humans with bots for other rea$on$. But an added benefit is that when you bring in the non-person entities (NPEs) who are never tired and never emotional, social engineering is no longer effective. Right?
Well, you can social engineer the bot NPEs also.
Birthday MINJA
Last month I wrote a post entitled “An ‘Injection’ Attack That Doesn’t Bypass Standard Channels?” It discussed a technique known as a memory injection attack (MINJA). In the post I was able to sort of (danged quotes!) get an LLM to say that Donald Trump was born on February 22, 1732.
“Visual agents that understand graphical user interfaces and perform actions are becoming frontiers of competition in the AI arms race….
“These agents use vision-language models (VLMs) to interpret graphical user interfaces (GUI) like web pages or screenshots. Given a user request, the agent parses the visual information, locates the relevant elements on the page, and takes actions like clicking buttons or filling forms.”
Clicking buttons seems safe…until you realize that some buttons are so obviously scambait that most humans are smart enough NOT to click on them.
What about the NPE bots?
“They carefully designed and positioned adversarial pop-ups on web pages and tested their effects on several frontier VLMs, including different variants of GPT-4, Gemini, and Claude.
“The results of the experiments show that all tested models were highly susceptible to the adversarial pop-ups, with attack success rates (ASR) exceeding 80% on some tests.”
Educating your users
Your cybersecurity firm needs to educate. You need to warn humans about social engineering. And you need to warn AI masters that bots can also be social engineered.
But what if you can’t? What if your resources are already stretched thin?
If you need help with your cybersecurity product marketing, Bredemarket has an opening for a cybersecurity client. I can offer
Scammers tried to extract information from Ann Stephens, but she refused to give them the stuff they wanted: Social Security digits, her home address, or her bank account information.
Ann Stephens taking a scammer call at work.
The only information she provided was her work address.
At the time (2019), she was a police captain in Apex, North Carolina.
Oops.
She retired in 2022. And presumably continues to handle fraudsters, to their detriment.
And one more thing…
The formal announcement is embargoed until tomorrow, but Bredemarket has TWO openings to act as your on-demand marketing muscle for facial recognition or cybersecurity:
H/T Donal Greene for this story of non-person entities that were really people.
“The nate app purported to take care of the remainder of the checkout process through AI: selecting the appropriate size, entering billing and shipping information, and confirming the purchase….In truth, nate relied heavily on teams of human workers—primarily located overseas—to manually process transactions in secret, mimicking what users believed was being done by automation.”
News about iProov. According to Metropoler, the company discovered a dark web group in Latin America.
The group is
“amassing a substantial collection of identity documents and corresponding facial images, specifically designed to defeat Know Your Customer (KYC) verification processes. Rather than traditional theft, these identities may have been obtained through compensated participation, with individuals willingly providing their image and documentation in exchange for payment.”
To uncover such fraudulent activity, a mere government-ID-to-selfie comparison is not enough, since both the document and the face belong to a real, consenting person. You need more sophisticated checks such as liveness detection, which iProov offers. You can find iProov’s ISO 30107-3 Presentation Attack Detection Level 2 confirmation letters on iBeta’s page.
But why?
Why would anyone sell their identity, either legitimately (to the World ex Worldcoin folks) or illegitimately (to this dark web outfit)?
Sadly, desperation. If you have a basic need to eat, who cares who is using your ID and what they’re doing with it?
So I checked out Coauthor’s me-too LinkedIn-themed copycat of Spotify Wrapped, like many of you did. Here’s the (unedited) post it wrote for me—not too bad:
= = =
Here’s my 2024 LinkedIn Rewind, by Coauthor.studio:
After 30 years in identity and biometrics, 2024 showed me that verification only goes so far. The real challenge isn’t just confirming who someone is – it’s understanding what they might do.
From employment fraudsters with verified credentials to healthcare imposters with stolen birthdates, this year proved that identity verification alone can’t prevent deception. But it also showed how combining technical expertise with human insight can help protect organizations and individuals.
Key observations from 2024:
Identity verification without intent analysis is incomplete
Employment fraud evolves faster than verification methods
Through Bredemarket, I delivered over 100 content and analysis projects helping organizations navigate these challenges. I also conducted research on employment fraud tactics and moderated communities helping others avoid scams.
Looking ahead: 2025 will require even more sophisticated approaches to identity verification and fraud prevention. The fraudsters aren’t going away – but neither am I. I’ll continue helping organizations implement effective identity strategies while advocating for ethical AI use and employment practices.
To the wildebeests following along: remember that verification is just the start. The real value comes from understanding intent and building trust.
#fraud #identity #security #productmarketing
—
Get your 2024 LinkedIn Rewind! Go to coauthor.studio
“Bitcoin can be sent and received anywhere in the world, as long as there is an internet connection. This could be useful in a scenario where traditional banking systems fail and access to financial services is limited.”
But an internet connection isn’t the only thing you need to trade crypto.
You also need a crypto exchange, or some other way to trade crypto.
And if that crypto exchange is hacked or goes bankrupt, you may lose your crypto…and there’s no FDIC.
A self custodial hardware wallet sounds great…at first. All you have to do is take your hardware wallet and walk up to the dude in camouflage selling canned Spam and holding his own hardware wallet. OK. Now trade it. On your own. With no help from a peer-to-peer (P2P) trading platform or a decentralized exchange. Google Gemini:
“Hardware wallets are primarily security devices, not trading platforms. They don’t have the functionality to directly swap one cryptocurrency for another….Directly exchanging crypto would require complex cryptographic operations and blockchain interactions, which are not typically handled by hardware wallets.”
I don’t know about you, but I don’t know how to interact with the blockchain all by myself without help. And very few people do. And even those who know this stuff are mostly helpless if the internet is non-operational.
So if the banks fail and/or some other catastrophe takes place, don’t count on crypto to survive.
Frankly we do better when there’s NOT a catastrophic event, protections guard us from fraud, and the bad effects of a fake identity are minimized.
I refrained from discussing this for a couple of days, but I was recently a victim of attempted financial identity fraud.
Well, SORT OF attempted identity fraud. I don’t know if this really counts, since I don’t know if the fraudster had my identity.
But the issue was resolved in less than 48 hours.
By the way, I have purposely changed the names of two of the companies I mention, to protect my PII. Which is a shame, because “Wildebeest Bank” went above and beyond in correcting the issue.
That doesn’t look right
Among its other services, Wildebeest Bank (not its real name) sends me an email whenever a purchase is made on my card, but my card is not present.
This is a fairly common occurrence. Among other things, my website, my business insurance, my business address, and my accounting software are all billed to my card.
But less than 48 hours ago, at 3:30 pm on Wednesday afternoon, I received an unexpected notice.
Your card was not present during a recent purchase
Your card was used to make a purchase at enron*publications us
We noticed your check card ending in 1234 was used to make a $8.48 purchase at enron*publications us today. The card wasn’t present at the time the purchase was made.
If you did not make this purchase, please call the number listed on the back of your card.
Log in to your account to review this transaction.
I didn’t recall making any $8.48 purchase, and once I looked up enron*publications us (not its real name), I realized that I definitely DIDN’T purchase anything from that company.
Before calling the bank, I double checked my account and found NO transaction for $8.48, even in a “pending” state.
So I called Wildebeest Bank
I called the number on the back of my card and connected with a woman in a call center who investigated why I got an email for a transaction that didn’t appear.
This is obviously not the Wildebeest Bank call center woman who helped me. But I’m sure she had a computer. By Earl Andrew at English Wikipedia – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=17793658
After accessing several internal systems, the woman discovered that the purchase was attempted, but declined. The fraudster had my card account number, but didn’t have the correct expiration date.
Frankly, I’m not even sure if the fraudster had my name. Did the fraudster just punch in 16 digits and hope they would work?
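A practitioner’s aside, added here and not part of the original post: a fraudster rarely just “punches in 16 digits and hopes.” Payment card numbers end in a Luhn check digit, so only one of every ten random 16-digit strings is even structurally valid, and the common card-testing pattern instead starts from a PAN (or a bank’s known BIN prefix) that already passes the check and then probes expiry dates and CVVs with small authorizations. The Python below is an added example; it uses the widely published Visa test number 4111 1111 1111 1111 as constructed input (not a live card) and shows both the check and why exactly one check digit works for any given prefix.

```python
"""Luhn (ISO/IEC 7812) check-digit validation for payment card numbers.

Added example; not code from the original post. The card number used is the
widely published Visa test PAN 4111 1111 1111 1111 (constructed input, not a
live card).
"""


def luhn_sum(digits: str) -> int:
    """Return the Luhn weighted sum of a digit string.

    Walking from the rightmost digit, every second digit is doubled; a
    doubled value of 10 or more has its digits summed (same as subtracting 9).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """True if the PAN (spaces allowed) is all digits and passes the Luhn check."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) < 12:
        return False
    return luhn_sum(digits) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Compute the single check digit that makes partial + digit Luhn-valid."""
    digits = partial.replace(" ", "")
    # Append a placeholder 0 so digit positions line up with the final PAN.
    s = luhn_sum(digits + "0")
    return str((10 - s % 10) % 10)


def valid_check_digits(partial: str) -> list[str]:
    """Of the ten possible final digits, list those yielding a valid PAN.

    There is always exactly one, which is why a random guess at the last
    digit fails nine times in ten.
    """
    return [str(d) for d in range(10) if luhn_valid(partial + str(d))]


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"
    print(test_pan, "valid:", luhn_valid(test_pan))
    print("one-digit typo valid:", luhn_valid("4111 1111 1111 1112"))
    print("valid check digits for prefix:", valid_check_digits("411111111111111"))
```

The takeaway for the story above: a declined attempt carrying a Luhn-valid card number but the wrong expiration date is consistent with someone already holding (or having enumerated) the PAN and testing the remaining fields, which is exactly why the bank was right to reissue the card even though the charge never posted.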
Anyway, after this conversation, the woman from Wildebeest Bank transferred me to the fraud department.
The Fraud Department
So my call was transferred to the Fraud Department.
The man at the Fraud Department advised me to cancel the card and get a new one.
I was wondering how long this would take, since one of my bills was going to be charged to my card in the next two weeks, and I didn’t want any hiccup from a denied card purchase.
Anti-Fraud Man explained that if I could go to a Wildebeest Bank branch by the next day (Thursday), I could get a new card immediately.
“Could I go today?” I asked.
“Sure,” he replied.
It was about 3:50 pm by that time, or 20 minutes since I received the initial email.
So I drove to the bank
I hopped in my car, drove to a local bank branch, and went to a desk.
You may recall that I started Bredemarket in the fall of 2020, right in the middle of COVID. When I opened my account, the bank WOULDN’T let me go to my local bank branch and I had to open the account remotely. Since then I’ve been in the bank branch several times; it’s a nice place.
Anyway, the fraud department had already cancelled my compromised card, so the man at the bank branch only had to issue me a temporary card and guide me through its activation. This temporary card would last me until the new card arrived in the mail. It had the same card number as the new card so I could temporarily use it for purchases, but the permanent card would have a different expiration date and security code.
I could have provided the temporary card’s number, expiration date, and security code to the company that was going to bill me in two weeks, but I preferred to wait until I received the permanent card. I asked the man at the bank branch how long that would take.
“I can expedite it,” he said.
I get a present at Box 259
Less than 48 hours later, on Friday morning, I was notified that I had a package at my business address.
Bredemarket’s mailing address is 1030 N Mountain Ave #259, Ontario CA 91762-2114.
As I guessed, it was the permanent card, which I immediately activated and provided to the companies that auto-bill me via my card.
Here’s the short version:
My bank (“Wildebeest Bank”) notified me of a questionable “card not present” purchase (from “enron*publications us”) at 3:30 pm on Wednesday.
By 3:50 pm (20 minutes later), the bank told me that the attempted purchase was declined, but cancelled the bank card anyway.
By 4:15 pm (45 minutes later), I had a new temporary bank card.
By Friday at noon (less than 48 hours later), I had my permanent bank card.
So everyone be sure to bank at Wildebeest Bank. No confusion when you bank with them!
Government Technology posted an article on a ransomware attack that affected Ardent Health Services facilities in multiple U.S. states, including Texas, Idaho, New Mexico, Oklahoma, New Jersey, and Kansas over Thanksgiving Day, requiring some ambulances to be diverted and some services suspended.
The Thanksgiving timing of the attack is unlikely to be coincidental. Hackers are believed to see holiday weekends as an opportunity to strike while network defenders and IT are likely “at limited capacity for an extended time,” the Cybersecurity and Infrastructure Security Agency (CISA) has noted.
And it’s not like the hackers are necessarily having to pass up on their turkey dinner. Few if any holidays are universal, and over 7 billion people (including many hackers) did NOT celebrate Thanksgiving last Thursday.
Does this mean that companies need to INCREASE security staff during holiday periods?