Author: John Lyons

John Lyons is an associate at AlterNation LLC, a consulting firm specializing in making neighborhoods safer (SafeGrowth) and in terror and other crime threat risk assessment for critical infrastructure. Both services are grounded in science.

COSO Fraud Risk Management Guide: As good as it gets?

There is much discussion, with recommendations from accountants, auditors and loss reduction specialists, of linear controls to reduce misuse and abuse of benefits payment systems, occupational fraud, theft and corruption. This article posits that people and organizations are “complex systems” in their own right, and that we ought to pay attention to the science that deep dives into this world. The irregular and unpredictable nature of these workplace harms will remain a puzzle for everyone attempting to make their organization more secure until we collectively understand the dynamics of misuse, abuse and fraud.

To this end, the advocates of chaos theory deserve our attention. They assert twentieth century science will be remembered for three great things: relativity, quantum mechanics and chaos. Chaos is the study of the dynamics of complex systems. Common characteristics of chaos across disciplines include sensitivity to the tiniest changes in initial conditions, or seemingly random and unpredictable behavior that nevertheless follows precise rules. Chaos cuts away at the tenet of Newtonian physics – that the universe is an orderly and predictable place.

The Origin of Chaos

Chaos begins where most science stops. Until fairly recently, it wasn’t recognized that scientific reductionism, which offers great discoveries including quarks, unveiling the secrets of chromosomes and the mysteries of neurons, suffers a special ignorance about disorder. Reductionist thinking can’t explain disorder in the atmosphere, in the turbulent sea, in oscillations of the heart and the brain, in the fluctuations of wildlife populations and, where we spend our energy, in the behavior of people in organizations.

With more powerful computing in the 1960s and 1970s, scientists in the United States and Europe began to find a way through disorder; to explain those things in science that could not previously be explained. Up until this time disorder had been written off as residual “noise” in experiments. Some mathematicians, physicists, biologists and chemists began seeking the relationships and connections between different kinds of this irregularity. Their curiosity led directly into the natural world – the shapes of clouds, the paths of lightning, the microscopic intertwining of blood vessels, the galactic clustering of stars, and even tipping points (Clifford Shearing et al.) in human behavior.

Early chaos mathematicians and scientists created special techniques of using computers and special kinds of graphic images – pictures that capture fantastic and delicate structure underlying complexity. A new language has emerged: “fractals and bifurcations,” “intermittencies and periodicities,” “folded-towel diffeomorphisms and smooth noodle maps”.

Chaos Observed

Now chaos seems to be everywhere. A rising column of cigarette smoke breaks into swirls. A flag snaps back and forth in the wind. A dripping faucet goes from a steady pattern to a random one. Chaos appears in such things as the behavior of the weather, the behavior of an airplane in flight, the behavior of cars clustering on an expressway, the behavior of oil flowing in a pipe, in genetics, other biological sciences disciplines and the behavior of people.

Wrapping up, chaos lays strong claims to nonlinearity. It eliminates the myth of deterministic predictability. It breaks across the lines of historically separated disciplines. It shifts focus to the global nature of complex systems. It forces an understanding of the relationships between things and an eye for pattern; especially pattern that appears on different scales at the same time. Chaos requires a taste for randomness and complexity.

Diving into the lessons of chaos will force a shift in mindset from the parts to the whole. We should also revisit other failing tenets applied in misuse, abuse and fraud prevention and reduction strategies. New science belies homo economicus: “Man” as a rational actor always acting in self-interest. Psychologists point to just how predictably irrational we are, that we are reciprocally altruistic and that we imitate each other faster than any other species on the planet. The notions of determinism and free will have been rebuffed, and there is a deepening understanding of innate human behaviors, environmental triggers inducing bad behavior, the role of affect (emotions) in judgments and decisions, and fallibilities (heuristic bias) in the way people reason.

Where does this leave us in the counter-fraud game?

Introducing chaos and other new science predictably poses problems that defy accepted ways of playing the counter-fraud game, beginning with how we ought to think about other people-centered threats such as workplace sabotage and workplace violence.

Figuring out this stuff will have us want to turtle at times. But, if we don’t think about it, discuss it, and talk to those people who deeply understand chaos and other new sciences – we are likely to continue to fall farther behind the adaptability curve in a time of fast-paced scientific discoveries and change.

We all know what happens to species that fail to adapt. Their numbers decline towards extinction.

Police Security Checks: Efficient, Profitable – but do they make us more secure?

If your organization does name checks against police records, be aware of the security trade-offs made.

Police forces conduct name checks against police records as a paid public service. Names, dates of birth and sex are compared against local records, the records of other police services where former addresses in those jurisdictions are provided, and the personal identifiers attached to the national criminal history files retained federally.

When you receive the results from the police check indicating there is no record, bear in mind what you are actually being told: the person is not known to police under the identity particulars provided. Nothing more.

If you work with youths and strive to mitigate the potential threats posed by pedophiles, you must be aware of what a name record check is not telling you. The same applies to an employer conducting a hiring interview, or anyone else screening people for previous criminal activity.

A police name check does not affirm the applicant wasn’t investigated, arrested, convicted or otherwise came to the attention of police under a different identity. Even then, methinks only the dullest of applicants known to police in another jurisdiction will disclose former addresses in those jurisdictions. Add to this, some police forces no longer require people to apply in person. They can do so electronically, which increases the threat. It is harder to lie and cheat face to face.

Failing to recognize security trade-offs and complacency are the real threats. Nothing replaces vigilance – “eyes on the street” – whether observant parents, coaches and trainers in sports organizations, neighbors watching each other’s back yard, or employees reporting when they have concerns about a colleague. To do otherwise makes us less secure.

Don’t Get Hoodwinked by Identification Issuing Security Theater


I recently came across an Internet discussion page where aggrieved parties were upset at receiving letters saying that they had 30 days to surrender their Red and White health card for a new photo health card. The immediate observation is that we are over 20 years into this transition. Secure cards can’t be all that important to government. Health care cards and driver’s licenses are issued by Service Ontario, a centralized government service combining government offices with vendors.

Most people are who they say they are. They reside where they say they reside. They will tell you what you need to know to obtain your service. If you ask for a driver’s license to manage reputation risk when attacked, you are likely okay. If you request identification to manage the threats that come from depending on documents to do business with people you don’t personally know, you likely haven’t mitigated the threats posed by deceptive people and criminal organizations.

It is less complicated for government to deal with the perception of security, with hyperbole and bells and whistles, than with the reality of security. Increasing diligence costs money and time. Voters don’t like to be too inconvenienced in proving they are who they say they are. They don’t like standing in line waiting to receive that which they seek. Service Ontario is an organization established to reduce inconvenience and costs.

This article digs a little deeper to dispel some myths in the Ontario government’s “trusted”[1] identification issuing systems.

Applicants for a photo health card and driver’s licenses must provide proof of status and proof of residency.

Proof of status documents affirm that a record is retained by the issuer of status in Canada. This includes status by right of birth (i.e. birth certificate) and status by law or privilege (i.e. permanent resident card). The Ontario government does not “authenticate” these documents, as some posit. They validate the personal information on the proof of status document against the record of the issuer, and with birth certificates only those issued by Ontario. A genuine or counterfeit/stolen birth certificate from another province, or a birth certificate for someone no longer living in Ontario, or who died outside the province, will get the job done. More sophisticated rings purchase stolen personal identifiers to add to counterfeit blanks.

Applicants for health cards and driver’s licenses are also asked for documents establishing proof of residency. Even if these documents aren’t counterfeit, it doesn’t mean the applicant lives at the address indicated. No one has actually verified that the person physically resides at this address. Drop mail addresses are a common strategy used by deceptive people living outside the province/country and by organized crime groups.

The photo image on the health card and driver’s license is good for security optics, but relatively ineffective. Research affirms that humans fare not much better than pure chance at positively matching the bearer of a photo ID with the image on the card, and even worse when the bearer is a person of a different race. This is painfully obvious to front line people relying on photo ID.

Ask Service Ontario how much training they provide to front line employees in detecting counterfeit documents. What type of equipment is used? How do they develop employee skills in detecting the deception necessary to pass off bogus documents without raising suspicion? Listen for equivocation in their response to your questions.

Despite what Service Ontario tells you about the integrity of their tokens (i.e. health card/driver’s licence), if you are concerned about personation (pretending to be someone else) and synthetic identity fraud, your employees must ask themselves:

  • Is the document genuine?
  • Was it legitimately obtained, or under fraudulent circumstances?
  • Even if genuine and legitimately obtained, is it in the hands of the person it was issued to, and not lost/stolen or loaned?

[1] http://www.health.gov.on.ca/english/providers/pub/ohip/ohipvalid_manual/ohipvalid_manual.pdf

New Science and the Physical and Financial Harms Game

There is much discussion and many recommendations made on linear controls to reduce predatory fraud attacks on benefits payment systems such as health care, and on privileges such as drivers’ licenses – the de facto ID in most states and provinces.

Ancillary to predatory fraud problems, there are similar limitations with recommendations made to control internal-to-systems misuse, abuse, occupational fraud, theft and workplace sabotage.

This article posits that organizations are “complex systems”, and that we ought to pay attention to the science that deep dives into this world. The irregular and unpredictable nature of physical and financial harms inside organizations will remain a puzzle for everyone attempting to make their organization more secure if we don’t take up new science.

To this end, advocates of chaos theory deserve our attention. They assert twentieth century science will be remembered for three great things: relativity, quantum mechanics and chaos.

Chaos cuts away at the tenet of Newtonian physics – that the universe is an orderly and predictable place. It is the science of dynamics in complex systems. Common characteristics of chaos across disciplines include sensitivity to the tiniest changes in initial conditions, or seemingly random and unpredictable behavior that nevertheless follows precise rules.

The Origin of Chaos

Chaos begins where most science stops. Until fairly recently, it wasn’t recognized that scientific reductionism, which offers great discoveries including quarks, unveiling the secrets of chromosomes and the mysteries of neurons, suffers a special ignorance about disorder. Reductionist thinking can’t explain disorder in the atmosphere, in the turbulent sea, in oscillations of the heart and the brain, in the fluctuations of wildlife populations and, for our purposes and where we should spend more energy, in the behavior of people inside organizations.

With more powerful computing in the 1960s and 1970s, scientists in the United States and Europe began to find a way through disorder; to explain those things in science that could not previously be explained. Up until this time disorder had been written off as residual “noise” in experiments.

Some mathematicians, physicists, biologists and chemists began defining the relationships and connections behind irregularity. Their curiosity led directly into the natural world – the shapes of clouds, the paths of lightning, the microscopic intertwining of blood vessels, the galactic clustering of stars, and, for our purpose, research on tipping points (Clifford Shearing et al.) in human behavior.

Early chaos mathematicians and scientists created special techniques using computers and special kinds of graphic images – pictures that capture the fantastic and delicate structure underlying complexity. A new language has emerged: “fractals and bifurcations,” “intermittencies and periodicities,” “folded-towel diffeomorphisms and smooth noodle maps”.

Chaos Observed

Now chaos seems to be everywhere. A rising column of cigarette smoke breaks into swirls. A flag snaps back and forth in the wind. A dripping faucet goes from a steady pattern to a random one. Chaos appears in such things as the behavior of an airplane in flight, the behavior of cars clustering on an expressway, the behavior of oil flowing in a pipe, in genetics, other biological sciences disciplines and the behavior of people.

Wrapping up, chaos lays strong claims to nonlinearity. It eliminates the myth of deterministic predictability. It breaks across the lines of historically separated disciplines. It shifts focus to the global nature of complex systems. It forces an understanding of the relationships between things and an eye for pattern; especially pattern that appears on different scales at the same time. Chaos requires a taste for randomness and complexity.

Diving into the lessons of chaos will force a shift in mindset from the parts to the whole. New science belies homo economicus: “Man” as a rational actor always acting in self-interest. Psychologists point to just how predictably irrational we are, that we are reciprocally altruistic and that we imitate each other faster than any other species on the planet.

The notions of determinism and free will have been rebuffed, and there is a deepening understanding of innate human behaviors, environmental triggers inducing bad behavior, the role of affect (emotions) on perception and on intuition in judgments and decision-making, and fallibility (heuristic bias) in the way we reason.

Summary

Introducing chaos and other new science predictably poses problems that defy accepted ways we play the counter-fraud game.

Figuring out this stuff will have us want to turtle at times. But, if we don’t think about it, discuss it, and talk to those people who deeply understand chaos and other new sciences – we are likely to continue to fall farther behind the adaptability curve in a time of fast-paced scientific discoveries and change.

Contributed by John Lyons, Partner, The ATRiM Group and tranzform associate

Driver’s License as “ID” at Critical Infrastructure?

Most people are who they say they are. Just ask them and they will tell you.

The question is whether demanding a driver’s license to prevent false personation and identity fraud actually makes us safer from those attempting to deceive us.

It may be sufficient in some entities to accept a driver’s license as proof someone is who they say they are, especially where the consequences of a security breach are not all that threatening. But this is not always the case, and no more so than with critical infrastructure, where a security breach could have catastrophic consequences. This was precisely the case with the 9/11 attacks on the World Trade Center and the Pentagon.

The original purpose of a driver’s license was to affirm the bearer is granted the privilege to operate a motor vehicle. Yet, buried deep in a defense appropriations bill, the REAL ID Act of 2005 was enacted by the U.S. Congress to elevate the state-issued driver’s license to a de facto national ID card. Those of you who read our May 5, 2017 post know we limit the term “ID” to proof of status documents, which the driver’s license is not.

It is hard to argue with Bruce Schneier’s lament that this is a lousy security trade-off. Accepting a driver’s license as proof someone is who they say they are is to accept that the Department of Motor Vehicles branch front line clerk was not duped when presented with fraudulently acquired, counterfeit, forged, stolen or shared proof of status documents. Duping the clerk is not all that hard to do, according to United States General Accounting Office field audits.

And this is not to mention the challenges posed by the corruption of front line employees and their supervisors, who don’t have all that much at stake when tempted to do bad things.

Here are some examples:

  • In March 2011 a Chattanooga grand jury returned a two count indictment against a State of Tennessee Department of Motor Vehicles employee for conspiring to unlawfully issue driver’s licenses.
  • Police arrested at least seven employees at the state license bureau in Delray Beach. They accepted bribes in exchange for putting driver’s licenses in the hands of more than 1,500 persons who shouldn’t have them.
  • A Texas Department of Public Safety employee was arrested in Houston as the result of an undercover sting operation for taking bribes and issuing driver’s licenses.
  • A former Concord, New Hampshire Department of Motor Vehicles employee pleaded guilty to taking bribes. This employee is alleged to have exchanged up to 70 driver’s licenses for $500 each, without asking for proper documentation.
  • A former Stevens Point, Wisconsin DMV employee was indicted for erroneously issuing driver’s licenses to about 70 people. The employee allegedly accepted bribes in exchange for inputting false information into the DMV’s computer system.

The driver’s license doesn’t replace requesting proof of status documents. But it is hugely complementary when red flag indicators of deception are noted in the nonverbal and verbal behavior of the presenter.

The driver’s license points the skilled interviewer to a biographical record of transactions between the record holder and the driver’s license issuer. A legitimate driver’s license record holder ought to be able to volunteer some of the details of these transactions without influence or prompting.

What You Should Know About Means of Identification

Can you see through the deception?

Since the mid 1990s much media attention has been drawn to “identity theft” and what consumers can do to prevent victimization. It is rare that a clear distinction is drawn between theft (the supply) and unlawful use (the demand) of personal information. This lack of clarity at times creates confusion and underachieving counter strategies. Although the problems intersect, the prevention strategies for each are not the same and, generally, the responsibilities for reducing the threats of each fall to different people.

What we do know: as long as the effort is worth the potential gain, and the malfeasors don’t feel vigilance or a certainty of getting caught in the act each and every time they attack, this problem is unlikely to go away.

Police learn the folly of perfunctory acceptance of identification at face value early in their careers. They experience firsthand the difficulty of detecting the new generation of counterfeit documents. They frequently encounter fraudulently obtained government identification. They routinely seize stolen and false documents during money laundering, drug trafficking, human trafficking, stock market manipulation, mortgage fraud and transnational organized crime investigations. They discover that those avoiding detection or arrest don’t reside at the address on their driver’s license. Try arresting someone from a photograph and it doesn’t take long to realize how difficult it can be to make a positive association – much less from a small image on an identification card. People routinely doing photo to bearer comparisons intuitively get this. Maybe this is why you don’t feel vigilance at the ticket agent counter or at security when boarding an aircraft.

Finally, experienced police don’t focus on the ID. They focus on the presenter. They begin every interview with total belief in what they are being told. They know that their person of interest’s reality – whether to be truthful or deceptive – is found in the context of the language they speak in response to questions. Police will also watch for changes in nonverbal behavior. They trust their training, experience and instincts when something doesn’t make sense, or doesn’t feel quite right. Then they drill down to verify or refute concerns they might have.

This article, for critical infrastructure risk managers, prevention and security specialists, offers some key threats to think about when designing identification harm prevention, with some suggestions for upping your identification security game.

Rule # 1: Don’t get trapped by security hyperbole

Be mindful that:

  • Secure document manufacturers routinely upgrade security features in identification blanks. These blanks are enhanced with tamper-proof features added when they are validated with personal identifiers and registration numbers. Yet even document examiners struggle to detect a new generation of counterfeits at first blush. They often have to use advanced technical aids.
  • Thanks to the internet, unlawfully acquired legitimate personal identifiers and social security numbers are hacked, purchased and resold on an international scale. They are added to the counterfeit blanks. The result: data verification checks don’t “authenticate” the document, as some posit. What they do is affirm the issuer has a record, based on the information provided. Nothing more.
  • Some identification issuers are either unaware of, or misspeak about, the residual threats posed by the security trade-offs they make. Therefore, good security against dependency on identification must be layered to avoid a single point of failure.
  • Proof of address documentation doesn’t affirm someone resides at an address. Nobody physically checks. At best you know where the presenter receives some mail.
  • People swearing under oath that something is true doesn’t make it true, only that they are swearing it to be true.
  • Scientific studies show people aren’t much better than pure chance at positively matching a photo ID with a document bearer they have not seen in person before, and even worse if the person is of a different race.
  • Outlier attacks on privileges (e.g. driver’s license), benefits (e.g. medical care) and services (e.g. mortgages) are insidious. They can go on for months and even years without being detected.

Rule # 2: Know what each type of identification is telling you and, more importantly, what it isn’t telling you.

In deciding which forms of identification to request, consider the three characteristics which form a human identity (attributed, biographical, biometric). Know what each tells you:

Attributed Identity

Identification documents (ID) point you to a record of personal identifiers retained by government as proof of status in the country of issue. This is the bedrock of any identification management system.

There are two categories of attributed identity.

Status by “right of birth”: Records retained regionally on persons born inside the country, or federally retained records of children born to citizens outside the country. In most jurisdictions these birth records include a long form containing additional legislated information for registering a birth. These records are not linked inter-provincially (Canada) or inter-state (US).

Status by “law or privilege”: Immigration and citizenship records retained by the federal government in Canada and the U.S. Today’s immigration and citizenship records include a biometric (i.e. photograph, fingerprints).

You should be able to trace every other legitimate government form of identification back to a record of status. These include travel documents issued by national governments and some United Nations designated agencies, and identification tokens (e.g. driver’s license, medical health card, social security number).

Accepting travel documents and identification tokens as proof someone is who they say they are means accepting the security trade-offs made by the issuer. This may be an appropriate risk to accept in some cases, such as consumer fraud, but it is more risky when a security compromise might have catastrophic consequences (e.g. terrorist/anarchist access to transportation, water treatment plants, nuclear facilities etc.).

Biographical Identity

A biographical identity is a transaction-based record accumulating over time. It is the details of someone’s interaction with the record holder. Examples include tax files, credit ratings records and a driver’s license abstract. These records are powerful aids in the hands of skilled interviewers.

Biometric Information

Biometric verification is any means by which a person can be uniquely, physically identified by a biological trait. Unique identifiers include fingerprints, hand geometry, retina and iris patterns, voice waves, DNA, and signatures. The most common form of proof of status, birth certificates, aren’t linked to a biometric.

Solutions

There are prevention strategies that address the security trade-offs made by identification issuers and help mitigate the threats posed by fraudulently acquired, counterfeit/forged and stolen/loaned identification:

  1. Increase the feeling of risk at the point-of-service with a message of vigilance
  2. Apply behavioral insights to the application process
  3. Improve detection with education and training on non verbal “red flag” patterns of human behavior
  4. Hire people who are emotionally intelligent, improve frontline judgment and decision making
  5. Work from a well thought out information gathering plan
  6. Implement policy and guidelines for escalating front-line concerns for more in-depth review
  7. Encourage a continuous learning environment with timely feedback to front-line judgments and decisions on escalated events