States Using ID.me to Stop Fraud: aka Moral Ambiguity

Guest Editorial by Brett Johnson
Keynote Speaker and Consultant on Cybersecurity & Cybercrime, and Global Identity Theft Expert, Advisory Board Member – AnglerPhish.com

In a bit of a mood today.

For New Victims – Click Here For The Information You Need Now!
• • •
Are You A Money Mule?  –  Click Here To Find Out Now!

The following is a guest editorial for the benefit of our readers, and only reflects the views of the author!

I’m in a bit of a mood today!

You see, I expect Fraudsters to commit fraud. It’s what they do. It’s what I did. I respect that while not liking it and being firmly against it. What I don’t like or expect or even respect is when the solution further victimizes the victims.

Unemployment Fraud. Fraudsters have been eating it alive for months. It’s what they do. I’m seeing 16 year-olds on Telegram bragging about stealing $60k a week doing it. That’s $240,000 a month, $3.1 Million in a year. And I’m going to tell you the Truth no one else will–That kid is not going to get caught. Most these guys will NEVER be caught. That’s the Truth no one is supposed to say. Does Crime Pay? It damn sure does.

Initially, there was no security in place. NONE. All a fraudster needed was PII, someone’s social security number and date of birth. Attach an address and Google Voice Number and you were good to go. Just needed an instrument of deposit: Greendot Prepaid Card, Chime Account, CashApp. Fraudsters LOVE CashApp. Cha-Ching.

That was it. No security or verification in place whatsoever. File 1000 claims using the same IP? Absolutely. No one was checking.

States lost BILLIONS. Money which could be used for the good of everyone in the state–gone forever. They finally implemented security. But they did it piecemeal, without understanding the criminals hitting their systems. My type of criminals. The criminals who understood identity theft, who knew how to properly commit those crimes. The types of criminals who had been circumventing for years the types of security states were implementing. It went as one would expect:

First Security Attempt: Security Questions. KBA. Knowledge. Based. Authentication. The questions asked when you open an account or change info on an existing account. The questions fraudsters have been answering for decades when they take over your accounts and steal your money. Easy answers to obtain. Easy security to bypass. Well, shit. That didn’t work.

Second Security Attempt: Send in Document Scans proving identity, bank account, address, etc. Easy enough to fake. Fraudsters been doing that one for years. One can buy fake doc packages for under $50 on the darkweb. And the document quality? Approaching 1:1 with the real thing. STRIKE TWO. Fraudsters screamed and laughed, “What else you got?!”

Third Security Measure: Send in a selfie holding the driver license. SecondEyeSolution does that all day long for $30. NEXT!

OK. How bout liveness detection? A live video holding the ID. How bout that? Hmm. Sounds good. Well, until I go down and grab me a crackhead, a burner phone, and a fake driver license with the crackhead’s picture on it. Works like a charm. And yes, that shit really does work.

Like I said, I’m in a mood today. All of that is expected. And truthfully, as those security measures are implemented some criminals dropped off at each stage. Not all. Not by a long shot. The ones who remained were just more skilled.

Oddly enough, I’m not here to talk about those fraudsters today. I’m here to talk about desperation. One should never act out of desperation. It often results in bad choices.

See–I’m in a mood today. And it’s not because of the fraudsters. I expect them to do what they do. What I don’t expect is for the solution to come with questionable consequences.

33 States currently use ID.me as security to stop unemployment fraud.

Now, I could talk about how there are currently 3 work-arounds fraudsters are bragging about online that defeats ID.me (including the crackhead anecdote above), but I’m not gonna do that. I’ve not tested the workarounds and EVERY security measure has a workaround. So no need to pick at that.

I’m not going to mention the multitude of people legitimately filing for unemployment benefits who are unable to receive them due to the friction caused by the ID.me system. And Oh, Boy–Is there friction! Legitimate people denied for weeks the benefits they need to survive because of the inability to pass the document submission or the impossible nature of speaking to a live person at ID.me. Nah, I wont mention that–even though I should. Well, I mean I did just mention it. And I’ll throw a link in as well of just one person’s story. https://abc11.com/idme-unemployment-id-me-my/10498998/

Nah, my issue is I read the Terms of Service and Privacy Statement over at ID.me. Yeah. I know, only criminals and attorneys read such things. I’m an ex-criminal. I guess that counts.

I’m in a mood today because I have a real problem with States FORCING applicants to register with ID.me in order to receive the benefits to which they are entitled. Want your unemployment check? Well, ID.me wants all of your data, all of your information. That’s the price of getting the benefits those states owe you.

From ID.me Terms & Conditions

I have a real problem with applicants that have been forced to register at ID.me in order to get their benefits then having their data used by ID.me to sell advertising to those same applicants.

From ID.me Terms & Conditions

So yeah. I’m in a mood. I’ve other issues with this whole scenario which I could spend time hashing out. But bottom line is there is a LOT of moral abiguity here. People forced to use a system which then forces them to give up all their data in order to get a benefit they are entitled to. And then the system uses that data to additionally profit. Seems there isn’t much choice on the part of the applicant.

So yeah, Im in a mood today.

Brett Johnson!