ID.me – A Major Risk To Public Privacy?

A guest editorial by Brett Johnson, Member of the SCARS Advisory Board

In Brett’s own words (with minor corrections for spelling since Google penalizes us for spelling errors)

We present this as is because the topics raised are important for all consumers regardless of where they are. More and more technology is infringing on our right to our own data. Whether this is in the U.S. or anywhere, we all must be aware of the risks and advocate for more controls on who has access to our data, what they can do with it, and their security to safeguard it!

We encourage you to read the horror stories from the victims of this company and their technology. This is truly tragic. We also encourage you to contact your congressmen and women about this! Something has to be done to really help the victims!

Here is a link to the complaints on the Better Business Bureau website: ID.ME, Inc. | Complaints | Better Business Bureau® Profile (bbb.org)

– – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Per Brett Johnson …

An Open Letter to ID.me and the Government Agencies Using Them

It is simple. But it is effective.

That’s the best type of scam. KISS. Keep. It. Simple. Stupid. That way less shit screws up. Simple means successful. Simple means profit.

Stealing unemployment benefits from States has been simple. It started no security in place. Fraudsters could use someone’s social security number, date of birth, a prepaid debit card and steal $60k a week. And yes, Virginia, those fraudsters would get away with it.

Unemployment fraud was the way to go. Far safer than PPP fraud. Those PPP Idiots were getting popped every day. And every day a news story about some idiot getting a million-plus through PPP fraud and buying a Piece of Shit Maserati. Then pics of the Maserati being seized, and the idiot frog-marched off to prison.

Nope. No Sir. Unemployment Fraud. That was the way to go. No prison. No Piece of Shit Maserati. But lots of money. Lots of Bank.

For a solid six months no security. Then States figure they need to do something about the Billions being stolen. Billions. That deserves a capital “B”. Enter the new kid on the block, ID.me. New kid– hadn’t really seen fraud before. But they did see opportunity. And they took it. ID.me signed on to provide identity verification services for 33 US States.

Last time I checked ID.me was valued at $1.4 Billion. Again, that capital “B”. Expensive company. Must be doing something right. Someone forgot to tell the fraudsters that.

Fraudsters passed through the ID.me verification process using 3D printed masks, browser extensions, pre-texts, a fake ID attached to a Crackhead, Social Engineering, and more.

Did I say Social Engineering?

It’s simple. But it is effective. KISS. Keep it simple. Don’t be stupid. Simple means success. Simple means profit.

A criminal pretends to be an employer and posts a job advertisement on Indeed, Monster, or some other job hunt site. A Potential Victim responds.  Or maybe a fraudster combs through posted resumes and reaches out to a Potential Victim.

The interview? Virtual. Not uncommon. The Pandemic means a lot of interviews are through Skype, Zoom, Google Hangouts.

The Potential Victim goes through the interview. They are told they got the job. Time for onboarding. Gotta verify your identity. We use ID.me. The Potential Victim heads over to the real ID.me website and verifies their identity.

End result?

Gotcha. The fraudster has just tricked the Potential Victim into verifying their info for Unemployment benefits. The Crook then takes his prepaid debit card to the nearest ATM and enjoys the evening.

Simple. But effective. Much more effective than a Fake ID Crackhead or printed mask. Got the real person verifying themselves.

Done properly? The Potential Victim wouldn’t even know they had been victimized.

Thing is? That Potential Victim? She has a name. Her name is Claire. She is a victim of identity theft. She has been victimized. Not surprising. What is surprising is that Claire would be further victimized by ID.me and the CEO, Blake Hall.

A few weeks ago, I wrote an article on Linkedin which called out ID.me for shoddy, suspect practices. https://www.linkedin.com/pulse/states-using-idme-stop-fraud-aka-moral-abiguity-brett-johnson/

Turns out ID.me, the company, was having an Identity Crises. ID.me couldn’t decide whether it was a Marketing Company or a Security Company. Someone forgot to tell ID.me you couldn’t serve two masters.  ID.me was providing ID verification services for 33 States. People applying for unemployment benefits in those states were forced to give their identity information to ID.me to receive the benefits to which they were entitled. ID.me then sold some of that “customer” data to 3rd party advertisers. No opting out. Evidently the states hadn’t stopped to read the Terms of Service over at ID.me. No one reads the TOS. Except criminals. Sometimes former criminals like me. I read it. I raised hell about it.

ID.me modified their terms of service. Still pretty much the same, a bit more nuanced. Now there is a link to “Opt Out”. But since no one except criminals read the TOS who will ever know?

I have a real problem with states forcing an individual who is entitled to benefits to give their information and identity to a private company which then sells customer data to advertisers.

Me a former criminal. Who would have ever thought I’d become a privacy advocate?

I also raised Hell about those legitimate people trying to claim benefits who couldn’t because the ID.me system wouldn’t verify them and that it was impossible to speak to a human being at the company once declined. It happened to more people than we will ever know about. ID.me announced they were hiring an additional 7500 customer service representatives to address “Issues”.

Issues. New Kid on The Block, you know? Identity Crises and all that. Lot of money on the table. Lot of that stuff still going on today.

Back to Claire, though. Did you forget this is about her?

Claire gets conned. She’s angry. She’s hurt. To this day I’m not sure Claire fully understands how the scheme works. Why would she? She isn’t a security pro. She isn’t a criminal. No surprise she doesn’t fully understand the scam.

Me? I know how the scam works. So does ID.me CEO, Blake Hall. Blake has had a crash course in fraud over the past few months. He’s made a lot of money, yes. But he’s also been educated on what real fraud looks like when it comes knocking. The scam Claire fell victim to? Blake has been seeing it for a while. So much so that ID.me has warnings that pop up which attempt to warn potential victims. Before the victim clicks “Submit Photo” a message pops up saying that the session is being used to apply for State Benefits. If the user doesn’t recognize the transaction don’t click.

Quick commentary? That ID.me delays warning the individual is poor security. My educated guess is that ID.me waits until that point so they can capture as much data as possible. But that increases the chance the victim won’t know it’s a scam. Spend 45 minutes trying to get a snapshot approved (It’s common) and the user may be so stressed and angry they just click on through without reading. It happens. More important? A simple Social Engineering Pre-Text ensures most victims would click on through even if they had read the warning.

Three parties: ID.me, the crooks, and Claire. Claire is the only one not well versed in this scam. Claire reaches out to Blake Hall, CEO of ID.me. Hall agrees to speak to Claire. Claire mentions this to me. I tell her I suspect Hall will make things right with her. He’s the CEO. He will do the right thing.

I did not expect what followed.

Claire gets tricked into confirming her identity through a legitimate platform. She reaches out to the CEO of that platform who agrees to speak to her. How should the CEO handle it? What is the proper way to respond to a victim? Show empathy? Blame the victim?

If I were the victim, I’d appreciate the empathy approach:

“Sorry this happened to you. We are going to do everything we can to assist. We are aware of this problem and are working on it. We have notified law enforcement and are pursuing the matter. I understand you are upset. I would be upset as well. We are so sorry this happened to you. I’ll have my head of fraud reach out directly to you.”  Yada, yada, yada. Blah, blah, blah.

Truthfully? It may be a Bullshit response, but it is a response which is appreciated from a victim’s point of view. It shows the company is at least putting forth some effort.

I have a problem with Victim Blaming/ Shaming. Probably it is because I spent so much of my life victimizing others. Things are different these days. The only person responsible for a crime is the criminal. Never the victim. To blame or shame a victim further victimizes them. It is one of the worst things to do to a victim of a crime. Blake Hall does this.

The response of the CEO of ID.me?

–our fraud team is investigating the account. You should never provide personal information or sensitive documents to someone you don’t know via social media. Our team is aware of the situation and will follow up.

–You provided the sensitive information and took the actions, Claire. We only receive data from the user going through. It’s unfortunate that you were tricked and helped the attackers

–It’s unfortunate you were tricked.

–You took those actions.

–Claire (responding)– None of THAT happened through social media! Are you just afraid to take responsibility?

 Blake (to Claire above)– Not for your actions.

–it wasn’t a third party. It was you.

–They cant do it without the actual owner of the identity helping them.

–Listen, Claire, I am sorry that you are a victim of social engineering. That is truly awful. At the same time, social engineering can only happen when the legitimate owner of the identity (you) actively helps the attacker.

Any number of excuses for Hall’s behavior could be put forth. Maybe he was tired. Maybe he was stressed at all the bad press ID.me has received. Maybe Claire was the 493 person that day who had the exact same problem. Maybe Claire rubbed him the wrong way. Maybe he was suffering from diarrhea. Anything.

The Truth? The Truth is that response from the CEO of a Billion-dollar company in the business of protecting people is unacceptable. Nothing justifies blaming the victim.

Did you forget this is an open letter? Yeah, I kind of did too. For those who may not know– an open letter, while addressed to a specific person or audience, is meant to be read by others. Guess the recipients are more rhetorical than anything.

Guess this Open Letter is a bit different.

I do want this letter read by others. But I also want it read by the recipients in the title.

Blake Hall should apologize to Claire for his attitude and for placing the blame on her. She’s the victim here. Hall needs to realize that and show some empathy. In fact, he should apologize to a lot of people.

I do not think ID.me should apologize for the way its business is ran. I disagree with the model strongly. But their business is theirs. They can run it the way they want.

That’s why this letter is also addressed to the government agencies which have signed on ID.me. They should consider their choice. ID.me has stopped some fraud, no doubt in that. My opinion not the numbers they claim, but it is their story so let them tell it. Fact is, they have stopped some fraud. But at what price?

How many legitimate people have been denied benefits because the ID.me system refused to verify those individuals and then made it impossible for declined individuals to contact a human so the problem could be fixed?

Ans: More than you know.

How many people have been forced to give up their information to a company which then sells that customer data to advertisers in order to receive benefits to which they are entitled?

Ans: More than you know.

How many victims has the CEO of ID.me blamed for being victimized?

Ans. More than you know.

I can’t tell you who to do business with. Not my job. But do you really want to do business with a company that treats law-abiding citizens in such a way? Do you really want to do business with a company that treats people in need in such a way? Do you really want to do business with a company that treats victims in such a way?

There are other companies out there that do a better job that don’t do any of those things.

__________________________________________________________________________

Claire was kind enough to send me the complete conversation logs. I’ve included it here for anyone who wishes to read it.

The entire conversation follows. The conversation is in italics. I make comments along the way. In brackets. Bold type. I have edited out the time marks, Claire’s last name, and the line breaks and extraneous data which made this convo unreadable. Bear in mind this chat takes place over a 3-day span. Also bear in mind that Claire is the victim here. She is upset, angry, hurt. She doesn’t really understand the way the crime happened. As such, it is understandable that at times she lashes out at Hall. Hall is the professional here. He is also fully aware of the scam and how it operates.

The convo starts out as one would expect—

Blake Hall– Hi Claire, we will help you. What email did you use to sign-up?

Claire— [email edited] I still have the text that they use. I can get that to you if you would l like. what can you do to help me? I need to get my id un-verified! these criminals have my verified id and God only knows what they will do with it. you have criminals using, what seems like, a well intentioned platform. please, help me to stop this, at least for me, then for others and then possibly to find them using your platform. i copied and pasted every conversation that i have had regarding id.me. i will not sit idly by while a couple of thugs screw me over.

Blake Hall–Please send me the text, yes.

Claire– I will do that today after work. I have email addresses and a phone number [edited] using the name Doreen Mcdonald. Emails used heidiblommel.centracare.com and another that lll have to send you later. This all took place over Google chat hangouts formerly . The names I will provide you with are actuwl employees of centracare being used fraudulently by these people. They also claimed to have found my info resume etc on RI Workforce. This is very well done and these people are using your platform! Amazing. I have photos of the 2 that interviewed and I boarded me. Not sure if they are 9f the real people or the criminals themselves. They night be that stupid! Not sure if I gave you the phone

[Like I said, the convo starts out exactly as anyone would suspect. But remember, Claire is upset. She is the victim here. She really doesn’t understand the nuance of what’s happened, how the scam has actually worked. She places some of the blame on ID.me. Realize too, the above convo takes place over 24 hours and in snippets. I’ve edited out the breaks to make it easier to read. ]

[Hall goes 12 hours without responding to Claire. Understandable. He’s a CEO. He’s busy. He has shit to do. Claire is upset though. She wants something done. Last she heard from Blake he said to send her the text. After 12 hours, Claire sends Blake a message]

Claire– What now? Sooner than later. I know someone from sbg TV has been in touch with your organization. Please contact me asap!

[Blake responds. I won’t say it’s because of the threat of TV, but I am told Mr. Hall is now set to be interviewed on the show along with Claire]

Blake– Claire, our fraud team is investigating the account. You should never provide personal information or sensitive documents to someone you don’t know via social media. Our team is aware of the situation and will follow up.

[Let the Victim Shaming/ Blaming begin. Again, Claire is new to this. Claire knows she has been victimized but she isn’t aware of all the nuances of this crime. Blake is. Blake is aware that criminals have been using his platform to commit this exact crime. For a while. Blake has much more knowledge than Claire about this. And Blake’s response is to start laying the blame at Claire’s feet. Claire reacts, angry, hurt. A bit indignant.]

Claire—I didn’t I provided it on your application! Who do you think you are talking to? Its your application that was used Blake!!!!

Blake– You provided the sensitive information and took the actions, Claire. We only receive data from the user going through. It’s unfortunate that you were tricked and helped the attackers. We will work with the government agencies involved to unwind it.

[I read that as condescending. Really love the “Helped the Attackers” line]

Claire– It wasnt via social media. You think Id bug you if it wasnt your app in the middle of all of this. You need to accept responsibility where it lies! Im not an idiot and you have made me very angry! How dare you. It is your application that is being used in criminal activity. I know you work with the government and could care less. This is on you Blake.

Blake– You said it happened via Google Chat correct? It’s a job scam. You provided them with your ID right? And clicked a link when they asked you to?

Claire–No they had me get into your application action, scan my license and took a scan of my face.

Blake– Exactly. You took those actions.

[No empathy. No sympathy. Just telling her it is her fault.]

Claire– None of THAT happened through social media! Are you just afraid to take responsibility?

Blake– Not for your actions.

[“Not for your actions.” Hall means You did this Claire, placing the blame on her. He neglects to tell her this is a common scam on ID.me. To Hall, his platform doesnt have a problem. Its all the people using it thats causing the issue. It’s their fault. It’s Claire’s fault]

Claire– The verification of my identity happened on your app. What the fuck!

Blake— Right. And it wasn’t a third party. It was you.

[Blame.]

Claire– You need a humility lesson its your app that verified my fucking identity!!!! What are you talking about? Listen you can fix it or I sue you! You are liable if I am harmed and I can prove negligence. Were arguing over arguing and not getting anywhere and I am very upset at this point. I am more than willing to take responsibility for my stupidity how about you? You picked the wrong person to be condescending too Blake!

Blake– It’s unfortunate you were tricked.

Claire– You are smug arent you! I was tricked and my I was verified with your app by criminals. Wht is it so hard to deal with? Just fix it and have someone call me. You sir are a joke. Just because you work for the government means nothing! I was tricked and Im being bullshitted by you! Fix it let me know or have someone who isnt such a jerk contact me. Im interviewing with NBC and right now, its more looking good for you. I copy and paste every conversation! Every word!

[Here Claire sends over what popped up when she was tricked into verifying her identity through ID.me]

This message is from ID.me. Your identity is being used to log in to California EDD to apply for government benefits or healthcare services. Do not click this link if you do not recognize this transaction. Please click the following link to upload a picture of your document. https://verify.id.me/en/phone/KLRigIZZ

Claire– this is the text i received after your application scanned my license and my face. would you like to continue to think that this application is so great? people are going to use everything and anything you and whoever else puts out there. your application is being used for criminal activity. I know you are interviewing with channel 10 wjar next week. i wouldnt bad mouth me if i were you Blake. you are not the criminal but its so readily available that anyone can use it. there are tons of complaints about this application and the lack of response to people who are asking for help. you may tell your store but the fact remains that your application is being used and actively being used in criminal activity and you are unwilling to assure me that you or your organization will help me. you have my phone number why hasnt anyone called? an investigation needs to be done asap!!!! this requires a sense of urgency!!! dont you get it? this is my life! my life thats being effected and all you can do is lecture me????

Blake– Listen, Claire, I am sorry that you are a victim of social engineering. That is truly awful. At the same time, social engineering can only happen when the legitimate owner of the identity (you) actively helps the attacker.

[Gotta say, I’m not a fan of Blake saying “Actively helps the Attacker”. Thats the second time he told her that she helped the attackers. Note: We are ALL susceptible to Social Engineering. “Actively” implies she is to blame for the crime. She isn’t. she is the victim.]

Claire– i do not consider myself a victim

Blake– We have robust anti-social engineering controls to help make you aware of the scam. In the link you clicked, there is messaging to make clear that the identity verification event is tied to a government agency — not to a job offer. We also follow up with additional information to confirm that the email registered is under your control. So, you can report fraud if youve been tricked.

[True. ID.me does have these things in place. But they don’t appear until AFTER data is gathered.]

Claire– i took part in something unfortunate and all i am trying to say to you is that you need to find out who these criminals are. they are using your application and they are using it to defraud the government of which you are a contractor.

Blake– They cant do it without the actual owner of the identity helping them. And, like a bank, we have multiple messages and alerts to let people like you understand how your identity was actually used. When you report fraud, we work with the government to stop the fraud and to run down these rings.

[“Helping”. Blake Hall, CEO MEANS: You helped them Claire. You are to blame for this.]

Claire– you are truly amazing. i thought is was legit. it was a job. you always have to give this information whether it’s in person, fax or email. chat is just another vehicle for that. all i am saying is that you should find these people. you may have safeguards in place but a criminal element is operating within those safeguards. with that said, how will you proceed? i want my id unverified if that is at all possible. is that possible? when will someone from your organization reach out? and let me tell you this, if you go on channel10 and lay all of the blame on us little guys, i would advise against it. rhode island is a funny place and people here will hate you and if you intend to get this government to work with id.me, i have the governors ear. ha ha ha you say! this is a very small state and everyone knows everyone else. and let me tell you this, if you go on channel10 and lay all of the blame on us little guys, i would advise against it. rhode island is a funny place and people here will hate you and if you intend to get this government to work with id.me, i have the governors ear. ha ha ha you say! this is a very small state and everyone knows everyone else.

Blake– My fraud team is already on it. We can see the social engineering.

[Highly unlikely]

Claire– what does that mean, they can see the social engineering. pretend im 7 years old and i know nothing. sorry, anything… what specifically can be done to help me? you know my brother who used to work from northrup grumman, hes an engineer and we talked about this. out of everything that i told him the only thing that would have caused him doubt was the gmail address. not the chat, not even the id.me part. lots of firms use gmail and it wouldt have alarmed him. he had some extremely high level clearance he worked communications on the stealth bomber so he is pretty technically savvy. you dont have an answer do you? you don’t know how you can help me, right?

[Claire calls him on it. She isn’t well versed in scams, but she does know that anyone could fall for this. Hell, Im one of the best Social Engineers on the planet and I likely would. Add in that ID.me doesn’t come with a warning until after verification info is sent to them. A potential victim might not suspect a scam until that point. At that point they’ve been so concentrated on getting the ID photos submitted that they are likely to just click on the continue link instead of paying much attention to what it says and what the warning may be. Also figure that the scammer may attempt to pre-text the victim to get them to click the link. How? Maybe as simple as telling the victim that it verifies through the Unemployment Office in order to set up their benefits, blah, blah, blah. It wouldn’t take much.]

[TIME PASSES]

Claire– Now what? Havent heard from anyone from your organization yet. Will you help me or not?

[TIME PASSES]

Claire– hey Blake your folks are lying on facebook! why havent i heard from you as to how you are going to fix my id.me situation? time to you know what or get off the pot. i am not saying you are criminal or that your platform is criminal just that it has been used criminally. there is a difference. what are you going to do to fix this? someone out there is going to get unemployment benefits using my facial scan, the id.me facial scan and my identity will be validated. what are you going to do to stop that from being used? please respond asap. wednesdays interview is coming fast.

Claire– so, people who are really unemployed have been locked out of their benefits because of your application. sleep well at night blake? these poor people are trying to live and you and your staff sit back and do absolutely nothing to help them. you and your organization are all over the media. I doesn’t even know who you are. but if i have my say, your application will NOT be used here. do you have any idea what is happening out there as your staff refuse to help or maybe better put, unable to help… why havent you answered me???? wednesday is coming fast…

Claire– https://www.bbb.org/us/va/mclean/profile/government-contractors/idme-inc-0241-236003677/complaints

WOW, youve know about issues with your platform for quite some time. not looking good here!

[I left the Better Business Bureau url in case anyone was interested in reading a few of the bad reports regarding ID.me. ]