What Coauthor “Wrapped” About My LinkedIn Activity

So I checked out Coauthor’s me-too LinkedIn-themed copycat of Spotify Wrapped, like many of you did. Here’s the (unedited) post it wrote for me—not too bad:

= = =

Here’s my 2024 LinkedIn Rewind, by Coauthor.studio:

After 30 years in identity and biometrics, 2024 showed me that verification only goes so far. The real challenge isn’t just confirming who someone is – it’s understanding what they might do.

From employment fraudsters with verified credentials to healthcare imposters with stolen birthdates, this year proved that identity verification alone can’t prevent deception. But it also showed how combining technical expertise with human insight can help protect organizations and individuals.

Key observations from 2024:

  • Identity verification without intent analysis is incomplete
  • Employment fraud evolves faster than verification methods
  • Healthcare identity remains dangerously vulnerable
  • The best fraud prevention combines technology and psychology
  • Product marketing must address both verification and trust

Three posts that captured these themes:

“Employment Fraud and Identity Verification”

On why verifying someone’s identity only goes so far

https://www.linkedin.com/feed/update/urn:li:activity:7268454996734545921/

“Rich Powaza’s Disappearance” 

Real consequences of fraudulent behavior

https://www.linkedin.com/feed/update/urn:li:activity:7253092940393193472/

“Get Off My Lawn”

Changing workplace norms and responsibilities

https://www.linkedin.com/feed/update/urn:li:activity:7262320817898758145/

Through Bredemarket, I delivered over 100 content and analysis projects helping organizations navigate these challenges. I also conducted research on employment fraud tactics and moderated communities helping others avoid scams.

Looking ahead: 2025 will require even more sophisticated approaches to identity verification and fraud prevention. The fraudsters aren’t going away – but neither am I. I’ll continue helping organizations implement effective identity strategies while advocating for ethical AI use and employment practices.

To the wildebeests following along: remember that verification is just the start. The real value comes from understanding intent and building trust.

#fraud #identity #security #productmarketing

Get your 2024 LinkedIn Rewind! Go to coauthor.studio 

Black Friday Fraud Reduction?

Black Friday fraud dipped in 2024? Maybe good news…maybe not.

Frank on Fraud shared a TransUnion report of a 30% decrease in fraud on Black Friday this year. (Links below.)

This in turn was shared and analyzed by Hilton McCall, who noted several theories as to why fraudsters apparently took Black Friday off.

“Tighter fraud prevention measures by merchants and platforms.”

That’s good news.

“Shifting fraud tactics targeting other high-value days like Cyber Monday.”

“A possible focus on new fraud methods, like account takeovers and loyalty point scams, rather than traditional purchase fraud.”

That’s bad news.

Remain vigilant—and if your firm offers a fraud-fighting solution, share your message.

Frank on Fraud: https://frankonfraud.com/fraud-trends/fraudster-vacation-fraud-plunges-on-black-friday/

TransUnion: https://www.globenewswire.com/news-release/2024/12/05/2992306/0/en/New-TransUnion-Analysis-Finds-More-Than-4-of-U-S-Attempted-Ecommerce-Transactions-Between-Thanksgiving-and-Cyber-Monday-Suspected-to-be-Fraudulent.html

Hilton McCall: https://www.linkedin.com/posts/hilton-mccall_fraudprevention-blackfriday-cybersecurity-activity-7272611182727909376-lsyD

Survey Says

So Deloitte announced the results of a survey earlier this month.

“The fifth annual Deloitte “Connected Consumer” survey reveals that consumers have a positive perception of their technology experiences and are increasingly embracing GenAI. However, they are determined to seek balance in their digital lives and expect trust, accountability, and transparency from technology providers.”

Deloitte conducted the survey BEFORE the RIBridges hack.

On the RIBridges Benefits System Hack

I originally worked with state benefits systems during my years at Printrak, and have performed analysis of such systems at Bredemarket. These systems store sensitive personal data of many Americans, including myself. And they are therefore a target for hackers.

The hack at RIBridges

A huge benefits system was hacked in Rhode Island, according to the State.

“On December 5, the State was informed by its vendor, Deloitte, that the RIBridges data system was the target of a potential cyberattack….”

That was just the beginning.

“On December 10, the State received confirmation from Deloitte that there had been a breach of the RIBridges system based on a screenshot of file folders sent by the hacker to Deloitte. On December 11, Deloitte confirmed that there is a high probability that the implicated folders contain personally identifiable information from RIBridges. On December 13, Deloitte confirmed there was malicious code present in the system, and the State directed Deloitte to shut RIBridges down to remediate the threat.”

RIBridges is…um…a bridge from Rhode Island residents to various Federally sponsored but State administered benefits programs, including:

  • Medicaid,
  • Supplemental Nutrition Assistance Program (SNAP),
  • Temporary Assistance for Needy Families (TANF),
  • Child Care Assistance Program (CCAP),
  • Health coverage purchased through HealthSource RI,
  • Rhode Island Works (RIW),
  • Long-Term Services and Supports (LTSS), and
  • General Public Assistance (GPA) Program

State benefits systems such as RIBridges are complex and often hosted on old infrastructure that requires modernization. (“Modernization” is a great buzzword to toss around when describing aging state computer systems, as I know from my years working with driver’s license and biometric identification systems.) The older and more complex the system, the larger its attack surface, and the easier it is to hack.

The history of RIBridges

This complexity is certainly true of Deloitte’s hacked RIBridges system.

As StateScoop noted in 2021:

“Gov. Daniel McKee…said the state will pay the firm $99 million over the next three years to manage and build out the RIBridges computer system….The firm has been developing the software, which handles the state’s Medicaid, SNAP and other welfare programs, since 2016, though delays and errors during (previous Governor) Raimondo’s administration caused the state to overspend by at least $150 million as of 2019, the last time the state renewed Deloitte’s contract.”

Why is Deloitte’s performance less than ideal? Anthony Kimery of Biometric Update explains the issues facing RIBridges.

“Federal agencies, including the federal Centers for Medicare and Medicaid Services, had warned Rhode Island before the system’s launch that it was not ready for deployment….RIBridges proceeded despite clear operational risks, leading to immediate and widespread problems. The launch resulted in significant disruptions to benefits distribution, with thousands of residents experiencing delays in receiving critical assistance. Backlogs soared, with more than 20,000 cases piling up due to system malfunctions.”

After much time and effort the backlogs decreased, but the treasure trove of personally identifiable information (PII) remained a target.

“As a central repository for sensitive personal data, including financial information and health records, RIBridges became a potential target for cyberattacks. Security audits revealed vulnerabilities in the system’s defenses….Cybercriminals exploited weaknesses in RIBridges to access sensitive data. The attackers bypassed existing security measures, inserted malicious code, and obtained unauthorized access. The breach exposed flaws in the system’s technical defenses and highlighted issues with its oversight and vendor management.”

The consequences for RIBridges applicants

So now the system is down, applicants are using paper forms, and a cyber criminal is requesting a payout.

(Image by Google Gemini)

Delivery Packages and Geolocation in Residential Neighborhoods

Today’s musings concern delivery packages and geolocation, and may be pertinent if you receive a residential delivery this month. You know, maybe a present or something.

Let’s say you receive a package at your house, the delivery driver takes a picture of your package on your porch as proof of delivery…and the package is subsequently stolen by a porch pirate before you get it.

“Hey, you’re out of luck,” the company may say. “The package was delivered.”

How long will it be until security professionals advise you to NEVER EVER EVER HAVE RETAILERS DELIVER PACKAGES TO YOUR HOME? Use a locker or a staffed business address, but treat residential delivery as EVIL…just like public wi-fi.

Or perhaps expensive packages could be equipped with geotagging…like your luggage. I know that delivery companies hate geolocation as much as airlines do…but it’s a thought.

(Thanks to the anonymous victim of a porch pirate who inspired this. AI-generated image by Google Gemini.)

Insecurity

I didn’t write this. Google Gemini wrote this. (And created the image.)

“In essence, identity is the foundation upon which security is built. A strong, well-managed identity infrastructure is essential for protecting digital assets and preventing unauthorized access. By understanding the overlaps between identity and security, organizations can implement robust security measures that safeguard both their digital assets and the privacy of their users.”

So now take a moment and think about security WITHOUT identity. 

And shudder.

Secure is a Verb

How can you anticipate the unexpected?

  • Such as a plane that isn’t in the sky, but lodged in a skyscraper?
  • Or a pressure cooker that isn’t inside in a kitchen, but outside in a backpack?
  • Or an illness that suddenly appears when no such illness previously existed?
  • Or something that mimics a bodily illness, such as a computer virus or denial of service attack?

To anticipate the unexpected, you need to plan beforehand, assess during, and quickly correct afterwards.

What is on tomorrow’s calendar? And why are you pushing it out to next year?

Treat “secure” as a verb, not an adjective. A critically important verb.

(Pressure cooking image CC BY-SA 2.0)

The Single Solution Microsoft E5 License vs. Best-in-class Individual Solutions

The phrase of the day is “Microsoft E5 License.”

Identity Jedi used it in the 82nd edition of his newsletter.

The biggest threat to every single vendor in the identity space right now are the following words: Microsoft E5 License.

If you read that and shuddered, I’m sorry.

The argument for a single solution

Sounds scary. But isn’t Microsoft here to help? Threatscape makes the case.

The cohesive suite of security and productivity solutions provided by an E5 licence can significantly streamline your technological landscape, doing away with a number of on-premises and SaaS tools.

While many organisations opt for the lower-cost E3 licence, they may find this soon requires a supplementary selection of single-solution tools from alternate vendors to patch gaps in its capabilities.

Too many solutions means confusion, an often-disjointed workflow, potential overlap and overspend, and crucially, increased security risk.

By consolidating your collaboration, productivity, automation, and security solutions into a single trusted vendor platform, IT management becomes simplified, redundant solutions can be axed, and ROI can be better measured.

The Microsoft E5 Security Components

So you get everything from a single source with no finger pointing. What could go wrong?

Plenty, according to those who still think of Microsoft as an evil empire.

By Lucasfilm – Star Wars Episode VI: Return of the Jedi, Fair use, https://en.wikipedia.org/w/index.php?curid=38430548.

Let’s return to the Identity Jedi.

Microsoft is making a compelling case to businesses to consolidate into the Microsoft umbrella of products. The ease of use, and financial motives just make too much sense. Now do those customers get a great IAM experience with that? Meh…kinda. Entra SSO is a solid product, Active Directory/EntraID is solid, MIM…well….we don’t talk about MIM.

Microsoft Identity Manager

Well, I will talk about MIM, or Microsoft Identity Manager.

Actually, we’re talking about Microsoft Identity Manager 2016.

Microsoft Identity Manager (MIM) 2016 builds on the identity and access management capabilities of Forefront Identity Manager (FIM) 2010 and predecessor technologies. MIM provides integration with heterogeneous platforms across the datacenter, including on-premises HR systems, directories, and databases.

MIM augments Microsoft Entra cloud-hosted services by enabling the organization to have the right users in Active Directory for on-premises apps. Microsoft Entra Connect can then make them available in Microsoft Entra ID for Microsoft 365 and cloud-hosted apps.

Is it any good? Sources say that, from a quantitative perspective, Gartner Peer Insights ranks several products higher than MIM’s 4.3 rating, including:

  • Okta Advanced Server Access (4.4)
  • Ivanti Security Controls (4.5)
  • One Identity Active Roles (4.7)
  • Imprivata’s SecureLink Customer Connect (4.8)
  • Bravura Safe (5.0, 1 rating)

The argument against a single solution

But what of the counter-argument? Other vendors will tout their best-in-class products. You may end up with a somewhat disjointed solution, but each piece of the work gets done more accurately.

In the end, it’s up to you. Do you want a single solution that is “good enough” and is already pre-made, or do you want to take the best solution from the best-in-class vendors and roll your own?

Authenticator Assurance Levels (AALs) and Digital Identity

(Part of the biometric product marketing expert series)

Back in December 2020, I dove into identity assurance levels (IALs) and digital identity, subsequently specifying the difference between identity assurance levels 2 and 3. These IALs are defined in section 4 of NIST Special Publication 800-63A, Digital Identity Guidelines, Enrollment and Identity Proofing Requirements.

It’s past time for me to move ahead to authenticator assurance levels (AALs).

Where are authenticator assurance levels defined?

Authenticator assurance levels are defined in section 4 of NIST Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management. As with IALs, the AALs progress to higher levels of assurance.

  • AAL1 (some confidence). AAL1, in the words of NIST, “provides some assurance.” Single-factor authentication is OK, but multi-factor authentication can be used also. A wide range of authenticator types satisfies AAL1, including a lone memorized secret such as a password. In short, AAL1 isn’t exactly a “nothingburger” as I characterized IAL1, but AAL1 doesn’t provide a ton of assurance.
  • AAL2 (high confidence). AAL2 increases the assurance by requiring “two distinct authentication factors,” not just one; two passwords are still one factor (something you know). There are specific requirements regarding the authenticator types you can use. And the verifier’s security controls must be drawn from the “moderate” baseline of NIST SP 800-53 or an equivalent such as FedRAMP Moderate. So AAL2 is satisfactory for a lot of organizations…but not all of them.
  • AAL3 (very high confidence). AAL3 is the highest authenticator assurance level. It “is based on proof of possession of a key through a cryptographic protocol.” Of course, two distinct authentication factors are required, including “a hardware-based authenticator and an authenticator that provides verifier impersonation resistance — the same device MAY fulfill both these requirements.”

This is of course a very high-level overview, and there are a lot of…um…minutiae that go into each of these definitions. If you’re interested in that further detail, please read section 4 of NIST Special Publication 800-63B for yourself.

Which authenticator assurance level should you use?

NIST has provided a handy dandy AAL decision flowchart in section 6.2 of NIST Special Publication 800-63-3, similar to the IAL decision flowchart in section 6.1 that I reproduced earlier. If you go through the flowchart, you can decide whether you need AAL1, AAL2, or the very high AAL3.

One of the key questions is the one flagged as 2, “Are you making personal data accessible?” Your answer to this question in the flowchart moves you between AAL2 (if personal data is made accessible) and AAL1 (if it isn’t), before the impact assessment can push you higher still.
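To make the AAL rules summarized above and the flowchart step concrete, here is a small Python model. It is an added example and is not code from the original post or from NIST; it encodes only the rules quoted on this page (distinct factors for AAL2; hardware-based plus verifier-impersonation-resistant authenticator for AAL3; “personal data accessible” forcing AAL2 as a floor) together with the Low/Moderate/High impact mapping of SP 800-63-3 section 6.2. The sample authenticators and the impact-category keys are constructed for illustration, and the personal-safety handling is my reading of Table 6-2 of 800-63-3 (any personal-safety impact rules out AAL1; moderate or high requires AAL3). Many real 800-63B rules are deliberately left out, among them that a biometric only counts when bound to a physical authenticator, the restricted-authenticator rules, reauthentication intervals, and FIPS 140 verifier requirements.

```python
"""Simplified model of NIST SP 800-63B authenticator assurance levels (AALs).

Added illustration, not NIST text: the rules below are a deliberate subset of
800-63B section 4 and the 800-63-3 section 6.2 AAL selection flowchart.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


@dataclass(frozen=True)
class Authenticator:
    name: str
    factors: frozenset            # set of Factor values this authenticator proves
    hardware_based: bool = False  # AAL3 needs at least one hardware-based authenticator
    verifier_impersonation_resistant: bool = False  # AAL3 needs one of these too


# Constructed sample authenticators (illustrative names, not a NIST catalogue).
PASSWORD = Authenticator("memorized secret", frozenset({Factor.KNOW}))
SECURITY_QUESTIONS = Authenticator("security questions", frozenset({Factor.KNOW}))
TOTP_APP = Authenticator("single-factor OTP app", frozenset({Factor.HAVE}))
HARDWARE_KEY = Authenticator(
    "single-factor cryptographic device (FIDO2 key)",
    frozenset({Factor.HAVE}),
    hardware_based=True,
    verifier_impersonation_resistant=True,
)


def achieved_aal(authenticators):
    """Highest AAL the presented authenticators can reach (0 if none presented).

    AAL1: any single authenticator.
    AAL2: two *distinct* factors; a password plus security questions is still
          a single KNOW factor and stays at AAL1.
    AAL3: two distinct factors AND a hardware-based authenticator AND a
          verifier-impersonation-resistant one (may be the same device).
    """
    if not authenticators:
        return 0
    factors = set().union(*(a.factors for a in authenticators))
    if len(factors) < 2:
        return 1
    hardware = any(a.hardware_based for a in authenticators)
    resistant = any(a.verifier_impersonation_resistant for a in authenticators)
    return 3 if hardware and resistant else 2


IMPACT_LEVELS = ("none", "low", "moderate", "high")


def required_aal(impacts, personal_data_accessible):
    """Minimum AAL for a transaction, following the 800-63-3 section 6.2 flow.

    impacts maps a risk category (e.g. "financial_loss", "sensitive_information",
    "personal_safety", "civil_criminal", "reputation") to one of IMPACT_LEVELS.
    """
    for level in impacts.values():
        if level not in IMPACT_LEVELS:
            raise ValueError(f"unknown impact level {level!r}")
    # Flowchart question 2: making personal data accessible sets an AAL2 floor.
    aal = 2 if personal_data_accessible else 1
    # Worst impact across categories: low -> AAL1, moderate -> AAL2, high -> AAL3.
    worst = max((IMPACT_LEVELS.index(lv) for lv in impacts.values()), default=0)
    if worst == IMPACT_LEVELS.index("high"):
        aal = max(aal, 3)
    elif worst == IMPACT_LEVELS.index("moderate"):
        aal = max(aal, 2)
    # Assumption (my reading of Table 6-2): personal safety is stricter than the
    # other categories; any impact excludes AAL1, moderate or high requires AAL3.
    safety = impacts.get("personal_safety", "none")
    if safety == "low":
        aal = max(aal, 2)
    elif safety in ("moderate", "high"):
        aal = 3
    return aal


def meets_policy(authenticators, impacts, personal_data_accessible):
    """True if what the subscriber presented reaches the AAL the transaction needs."""
    return achieved_aal(authenticators) >= required_aal(impacts, personal_data_accessible)


if __name__ == "__main__":
    # Constructed profile for a benefits portal that exposes the applicant's own PII.
    benefits_portal = {"financial_loss": "moderate", "sensitive_information": "moderate"}
    for combo in ([PASSWORD], [PASSWORD, SECURITY_QUESTIONS],
                  [PASSWORD, TOTP_APP], [PASSWORD, HARDWARE_KEY]):
        names = " + ".join(a.name for a in combo)
        ok = meets_policy(combo, benefits_portal, personal_data_accessible=True)
        print(f"{names}: AAL{achieved_aal(combo)}, meets AAL{required_aal(benefits_portal, True)} policy: {ok}")
```

The point the stand-alone run makes is the one the bullets above make in prose: stacking two things the user knows never gets you past AAL1, a password plus a phone-based OTP reaches AAL2, and only a hardware authenticator with verifier impersonation resistance reaches AAL3, while the required level is driven by what the transaction exposes, not by what authenticators happen to be convenient.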

So what?

Do the different authenticator assurance levels provide any true benefits, or are they just items in a government agency’s technical check-off list?

Perhaps the better question to ask is this: what happens if the WRONG person obtains access to the data?

  • Could the fraudster cause financial loss to a government agency?
  • Threaten personal safety?
  • Commit civil or criminal violations?
  • Or, most frightening to agency heads who could be fired at any time, could the fraudster damage an agency’s reputation?

If some or all of these are true, then a high authenticator assurance level is VERY beneficial.