Category: Security

Good Security is More than the Illusion of Security

In the wake of the attacks on the World Trade Center, the Pentagon and the downed hijacked airliner, the U.S. Congress determined that some of the terrorists boarded commercial aircraft using fraudulently acquired state identification cards.

State identification cards are issued by Departments of Motor Vehicles (DMVs) to people who do not hold driver’s licenses.

As a consequence, the US Congress passed REAL ID.

In lieu of creating a national ID card, the purpose of REAL ID is to upgrade the security features and diligence standards applied to the issuance of driver’s licenses.

Congress attached a condition: if a state did not comply with REAL ID after a grace period, the federal government would no longer accept that state’s documents for federal purposes (e.g. boarding aircraft, access to federal buildings).

Almost twenty years later, compliance issues remain, caught up in federal/state political dogfights.

At the least, American governments attempt to make the most relied-upon means of identification more secure. There is room for adding new strategies to avoid a single point of failure.

I fear this is not the case in Canada. Light years behind in concern about security, provincial issuers of driver’s licenses, and of other identification tokens such as health cards, would have to be convinced to do more than the perfunctory screening procedures now in place.

Every government identification issuer makes security trade-offs. Their decision rests on finding the political balance between improved security, the costs, and inconvenience to voters.

Canadian issuers of driver’s licenses and other tokens such as health cards are reasonably masterful at hoodwinking Canadians into believing that they take the security of identification issuance seriously. Things will predictably remain the same until some catastrophic physical or financial event induces a change in their security mindset.

Police Security Checks: Efficient, Profitable – but does it make us more secure?

If your organization does name checks against police records, be aware of the security trade-offs involved.

Police forces conduct name checks against police records as a paid public service. Names, dates of birth and sex are compared against local records, the records of other police services where former addresses in those jurisdictions are provided, and the personal identifiers attached to the national criminal history files retained federally.

When you receive results from a police check indicating there is no record, bear in mind what you are actually being told: the person is not known to police under the identity particulars provided. Nothing more.

If you work with youths and strive to mitigate the potential threat posed by pedophiles, you must be aware of what a name record check is not telling you. The same applies to an employer conducting a hiring interview, or to anyone else screening people for previous criminal activity.

A police name check does not affirm that the applicant wasn’t investigated, arrested, convicted or otherwise came to the attention of police under a different identity. Even then, only the dullest of applicants known to police in another jurisdiction will disclose former addresses in those jurisdictions. Add to this that some police forces no longer require people to apply in person. They can do so electronically, which increases the threat: it is harder to lie and cheat face to face.

Failing to recognize security trade-offs and complacency are the real threats. Nothing replaces vigilance – “eyes on the street” – whether observant parents, coaches and trainers in sports organizations, neighbors watching each other’s back yard, or employees reporting when they have concerns about a colleague. To do otherwise makes us less secure.

New Science and the Physical and Financial Harms Game

There is much discussion of, and many recommendations for, linear controls to reduce predatory fraud attacks on benefits payment systems such as health care, and on privileges such as drivers’ licenses, the de facto ID in most states and provinces.

Alongside the predatory fraud problem, recommendations for controlling internal misuse, abuse, occupational fraud, theft and workplace sabotage suffer similar limitations.

This article posits that organizations are “complex systems”, and that we ought to pay attention to the science that studies such systems in depth. The irregular and unpredictable nature of physical and financial harms inside organizations will remain a puzzle for everyone attempting to make their organization more secure if we don’t take up this new science.

To this end, advocates of chaos theory deserve our attention. They assert twentieth century science will be remembered for three great things: relativity, quantum mechanics and chaos.

Chaos cuts away at the tenet of Newtonian physics that the universe is an orderly and predictable place. It is the science of dynamics in complex systems. Common characteristics of chaos across disciplines include sensitivity to the tiniest changes in initial conditions, and seemingly random and unpredictable behavior that nevertheless follows precise rules.

The Origin of Chaos

Chaos begins where most science stops. Until fairly recently, it wasn’t recognized that scientific reductionism, which has produced great discoveries including quarks and the unveiling of the secrets of chromosomes and the mysteries of neurons, suffers a special ignorance about disorder. Reductionist thinking can’t explain disorder in the atmosphere, in the turbulent sea, in the oscillations of the heart and the brain, in the fluctuations of wildlife populations and, for our purposes, in the behavior of people inside organizations, where we should spend more energy.

With more powerful computing in the 1960s and 1970s, scientists in the United States and Europe began to find a way through disorder, explaining things in science that could not previously be explained. Up until that time disorder had been written off as residual “noise” in experiments.

Some mathematicians, physicists, biologists and chemists began defining the relationships and connections behind irregularity. Their curiosity led directly into the natural world: the shapes of clouds, the paths of lightning, the microscopic intertwining of blood vessels, the galactic clustering of stars, and, for our purpose, research on tipping points (Clifford Shearing et al.) in human behavior.

Early chaos mathematicians and scientists created special techniques using computers and special kinds of graphic images, pictures that capture the fantastic and delicate structure underlying complexity. A new language has emerged: “fractals and bifurcations,” “intermittencies and periodicities,” “folded-towel diffeomorphisms and smooth noodle maps”.

Chaos Observed

Now chaos seems to be everywhere. A rising column of cigarette smoke breaks into swirls. A flag snaps back and forth in the wind. A dripping faucet goes from a steady pattern to a random one. Chaos appears in such things as the behavior of an airplane in flight, the behavior of cars clustering on an expressway, the behavior of oil flowing in a pipe, in genetics and other biological disciplines, and in the behavior of people.

Wrapping up, chaos lays strong claims to nonlinearity. It eliminates the myth of deterministic predictability. It breaks across the lines of historically separated disciplines. It shifts focus to the global nature of complex systems. It demands an understanding of the relationships between things and an eye for pattern, especially pattern that appears on different scales at the same time. Chaos requires a taste for randomness and complexity.

Diving into the lessons of chaos will force a shift in mindset from the parts to the whole. New science belies homo economicus: “Man” as a rational actor always acting in self interest. Psychologists point to just how predictably irrational we are, that we are reciprocally altruistic and that we imitate each other faster than any other species on the planet.

The notions of determinism and free will have been rebuffed, and there is a deepening understanding of innate human behaviors, of environmental triggers inducing bad behavior, of the role of affect (emotions) in perception, of intuition in judgments and decision-making, and of fallibility (heuristic bias) in the way we reason.

Summary

Introducing chaos and other new science predictably poses problems that challenge the accepted ways we play the counter-fraud game.

Figuring out this stuff will make us want to turtle at times. But if we don’t think about it, discuss it, and talk to those people who deeply understand chaos and other new sciences, we are likely to continue to fall farther behind the adaptability curve in a time of fast-paced scientific discovery and change.

Contributed by John Lyons, Partner, The ATRiM Group and tranzform associate

Driver’s License as “ID” at Critical Infrastructure?

Most people are who they say they are. Just ask them and they will tell you.

The question is whether demanding a driver’s license to prevent false personation and identity fraud actually makes us safer from those attempting to deceive us.

It may be sufficient for some entities to accept a driver’s license as proof that someone is who they say they are, especially where the consequences of a security breach are not all that threatening. But this is not always the case, and nowhere more so than with critical infrastructure, where a security breach could have catastrophic consequences. This was precisely the case with the 9/11 attacks on the World Trade Center and the Pentagon.

The original purpose of a driver’s license was to affirm that the bearer is granted the privilege to operate a motor vehicle. Yet, buried deep in a defense appropriations bill, the REAL ID Act of 2005 was enacted by the U.S. Congress to elevate the state-issued driver’s license to a de facto national ID card. Those of you who read our May 5, 2017 post know we limit the term “ID” to proof of status documents, which the driver’s license is not.

It is hard to argue with Bruce Schneier’s lament that this is a lousy security trade-off. Accepting a driver’s license as proof that someone is who they say they are means accepting that the Department of Motor Vehicles’ front-line clerk was not duped when presented with fraudulently acquired, counterfeit, forged, stolen or shared proof of status documents. Duping that clerk is not all that hard to do, according to United States General Accounting Office field audits.

And this is not to mention the challenges posed by the corruption of front-line employees and their supervisors, who don’t have all that much at stake when tempted to do bad things.

Here are some examples:

  • In March 2011 a Chattanooga grand jury returned a two-count indictment against a State of Tennessee Department of Motor Vehicles employee for conspiring to unlawfully issue driver’s licenses.
  • Police arrested at least seven employees at the state license bureau in Delray Beach. They accepted bribes in exchange for putting driver’s licenses in the hands of more than 1,500 persons who shouldn’t have had them.
  • A Texas Department of Public Safety employee was arrested in Houston as the result of an undercover sting operation for taking bribes and issuing driver’s licenses.
  • A former Concord, New Hampshire Department of Motor Vehicles employee pleaded guilty to taking bribes. This employee is alleged to have exchanged up to 70 driver’s licenses for $500, without asking for proper documentation.
  • A former Stevens Point, Wisconsin DMV employee was indicted for erroneously issuing driver’s licenses to about 70 people. The employee allegedly accepted bribes in exchange for inputting false information into the DMV’s computer system.

The driver’s license doesn’t replace requesting proof of status documents. But it is a powerful complement when red flag indicators of deception are noted in the nonverbal and verbal behavior of the presenter.

The driver’s license points the skilled interviewer to a biographical record of transactions between the record holder and the driver’s license issuer. A legitimate driver’s license record holder ought to be able to volunteer some of the details of these transactions without influence or prompting.

What You Should Know About Means of Identification

Can you see through the deception?

Since the mid 1990s much media attention has been drawn to “identity theft” and what consumers can do to prevent victimization. It is rare that a clear distinction is drawn between theft (the supply) and unlawful use (the demand) of personal information. This lack of clarity at times creates confusion and counter-strategies that underachieve. Although the problems intersect, the prevention strategies for each are not the same and, generally, the responsibilities for reducing the threats of each fall to different people.

What we do know: as long as the effort is worth the potential gain, and the malfeasors don’t feel vigilance or a certainty of getting caught in the act each and every time they attack, this problem is unlikely to go away.

Police learn the folly of perfunctory acceptance of identification at face value early in their careers. They experience firsthand the difficulty of detecting the new generation of counterfeit documents. They frequently encounter fraudulently obtained government identification. They routinely seize stolen and false documents during money laundering, drug trafficking, human trafficking, stock market manipulation, mortgage fraud and transnational organized crime investigations. They discover that those avoiding detection or arrest don’t reside at the address on their driver’s license. Try arresting someone from a photograph and it doesn’t take long to realize how difficult it can be to make a positive association, much less from a small image on an identification card. People who routinely do photo-to-bearer comparisons intuitively get this. Maybe this is why you don’t sense vigilance at the ticket agent’s counter or at security when boarding an aircraft.

Finally, experienced police don’t focus on the ID. They focus on the presenter. They begin every interview with total belief in what they are being told. They know that their person of interest’s reality, whether truthful or deceptive, is found in the context of the language used in response to questions. Police will also watch for changes in nonverbal behavior. They trust their training, experience and instincts when something doesn’t make sense, or doesn’t feel quite right. Then they drill down to verify or refute the concerns they have.

This article, for critical infrastructure risk managers and prevention and security specialists, offers some key threats to think about in the design of identification harms prevention, with some suggestions for upping your identification security game.

Rule #1: Don’t get trapped by security hyperbole

Be mindful that:

  • Secure document manufacturers routinely upgrade the security features in identification blanks. These blanks are enhanced with tamper-proof features added when they are validated with personal identifiers and registration numbers. Yet even document examiners struggle to detect a new generation of counterfeits at first blush. They often have to use advanced technical aids.
  • Thanks to the internet, unlawfully acquired legitimate personal identifiers and social security numbers are hacked, purchased and resold on an international scale. They are added to the counterfeit blanks. The result: data verification checks don’t “authenticate” the document, as some posit. What they do is affirm that the issuer has a record matching the information provided. Nothing more.
  • Some identification issuers are either unaware of, or misspeak about, the residual threats posed by the security trade-offs they make. Therefore, good security that depends on identification must be layered to avoid a single point of failure.
  • Proof of address documentation doesn’t affirm that someone resides at an address. Nobody physically checks. At best you know where the presenter receives some mail.
  • People swearing under oath that something is true doesn’t make it true, only that they are swearing it to be true.
  • Scientific studies show people aren’t much better than pure chance at positively associating a photo ID with a document bearer they have not seen in person before, and do even worse when the person is of a different race.
  • Outlier attacks on privileges (e.g. driver’s licenses), benefits (e.g. medical care) and services (e.g. mortgages) are insidious. They can go on for months and even years without being detected.

Rule #2: Know what each type of identification is telling you and, more importantly, what it isn’t telling you.

In deciding which forms of identification to request, consider the three characteristics that form a human identity (attributed, biographical, biometric). Know what each tells you:

Attributed Identity

Identification documents (ID) point you to a record of personal identifiers retained by government as proof of status in the country of issue. This is the bedrock of any identification management system.

There are two categories of attributed identity.

Status by “right of birth”: records retained regionally on persons born inside the country, or federally retained records of children born to citizens outside the country. In most jurisdictions these birth records include a long form containing additional legislated information for registering a birth. These records are not linked inter-provincially (Canada) or inter-state (US).

Status by “law or privilege”: immigration and citizenship records retained by the federal government in Canada and the U.S. Today’s immigration and citizenship records include a biometric (e.g. photograph, fingerprints).

You should be able to trace every other legitimate government form of identification back to a record of status. These include travel documents issued by national governments and some United Nations designated agencies, and identification tokens (e.g. driver’s license, medical health card, social security number).

Accepting travel documents and identification tokens as proof that someone is who they say they are means accepting the security trade-offs made by the issuer. This may be an appropriate risk to accept in some cases, such as consumer fraud, but it is more risky when a security compromise might have catastrophic consequences (e.g. terrorist/anarchist access to transportation, water treatment plants, nuclear facilities, etc.).

Biographical Identity

A biographical identity is a transaction-based record accumulating over time. It is the details of someone’s interaction with the record holder. Examples include tax files, credit ratings records and a driver’s license abstract. These records are powerful aids in the hands of skilled interviewers.

Biometric Information

Biometric verification is any means by which a person can be uniquely and physically identified by a biological trait. Unique identifiers include fingerprints, hand geometry, retina and iris patterns, voice patterns, DNA, and signatures. The most common form of proof of status, the birth certificate, isn’t linked to a biometric.

Solutions

There are prevention strategies that compensate for the security trade-offs made by identification issuers and help mitigate the threats posed by fraudulently acquired, counterfeit/forged and stolen/loaned identification:

  1. Increase the feeling of risk at the point of service with a message of vigilance
  2. Apply behavioral insights to the application process
  3. Improve detection with education and training on nonverbal “red flag” patterns of human behavior
  4. Hire emotionally intelligent people, and improve front-line judgment and decision-making
  5. Work from a well-thought-out information gathering plan
  6. Implement policy and guidelines for escalating front-line concerns for more in-depth review
  7. Encourage a continuous learning environment with timely feedback on front-line judgments and decisions on escalated events

How Tranzform Security Can Help You Reduce Insurance Fraud

Health care spending accounts for 17.8% of GDP in the United States. In Canada total health care spending is reported to be 11% of GDP.

The dispensing of health care uniquely depends on a healthy relationship between health care plan administrators and the diagnosing physicians who prescribe access to the benefits and services of the plan. In some circumstances, other types of insurance (e.g., property and casualty and workplace insurance) draw on these same resources when dispensing the medical benefits and services of their plans.

Diagnosing physicians are expected to diagnose illnesses and injuries accurately, and to prescribe only necessary services. These physicians, as well as other regulated professionals, are guided by controls to assure the billing integrity of the system. When plan administrators have deception concerns beyond billing integrity issues, they may make referrals for investigation. Wrongdoing can end up in civil and/or criminal proceedings.

Physicians are the gatekeepers for access to the plans. Their influence and the importance of their cooperation cannot be overstated. No group is better positioned to offer advice on reducing waste, misuse and abuse across a wide range of health care products and services (e.g., pharmaceuticals, hospitalization, rehabilitation, durable medical equipment, home care, physiotherapy, etc.).

Controlling waste, misuse, and abuse of health care resources is foremost a people challenge. Without trust and cooperation between plan administrators and diagnosing physicians to control waste, misuse and abuse, plans will continue to be exposed to avoidable financial harms. Yet it is still inevitable that some will cheat the system when tempted, and under a range of environmental pressures. The science is in how you treat mostly honest people. Believe us, their contemporaries are watching.

Why Work with Us?

We think of insurance plans as complex systems. We draw on three bodies of expertise: i) Behavioral Insights teams, to control diagnosing and other practitioner billing incidents when people are tempted to do bad things; ii) Data Science teams, for early detection of high-risk hot spots and patterns; and iii) Situational Crime Prevention Science teams, to detect, prevent and reduce predatory criminal fraud.

Applying Behavioral Insights to Temptations

Our behavioral insights team operates with specific beliefs about trusted diagnosing and services partners:

  • With the exception of a few, most people are moral but, from time to time, do bad things when tempted;
  • Early detection and correction is critical. Once the Rubicon has been crossed from billing integrity to cheating a little bit, it becomes easier to rationalize escalating bad behavior, and nowhere more so than in environments which offer excuses;
  • Diagnosing physicians are the gatekeepers. They are the eyes and ears of the system, offering boundless opportunity to minimize waste, misuse and abuse of the plan (e.g., beneficiary entitlement, medical identity fraud, pharmaceuticals, hospitalization, rehabilitation, durable medical products, home care, etc.);
  • There is no cooperation in preserving the system without mutual respect and trust between plan administrators and trusted billing providers; and
  • The language used and actions taken against mostly honest people in the trusted billing ecosystem are not the same as those for predatory fraud attacks by people without moral conscience.

From the science on “tit for tat” (reciprocal altruism) it is predictable that most physicians are willing to cooperate with plan administrators in reducing losses from waste, misuse and abuse. But they will expect cooperation in return. Building and sustaining trust and cooperation is complex. It is dynamic: it never ends.

A Problem-Solving Approach to Fraud Controls for Countering Predators

Predatory fraud attacks from outside the system, and by the few morally bankrupt inside the system, are a problem of a different nature. These are people without moral conscience.

We apply the problem-solving skills and lessons learned from situational crime prevention to identify and reduce fraud attacks.

We teach the insurance sector how to develop stakeholder partnerships, and how to engage teams of expertise in identifying and attacking the root causes of potential fraud trends, hot spots and patterns.

We introduce our clients to a Situational Health Care Fraud Prevention Matrix designed from years of research and experience with health care fraud controls. Using this model, enforcement is applied as one of multiple intervention tools for reducing fraud problems.