Reply from Rich Coolidge (SoS Office):
David,
First of all, thanks for helping us get the word out on this new criminal activity. As soon as Buescher was alerted to this crime, he met with CBI and the Colorado Bar Association’s business advisory group. The most immediate safeguard was the email notification system. As you know, implementing user names and passwords for 800,000 businesses will take time and resources. We would need to designate an additional call center just to accommodate resetting these user names and passwords. Not to mention, we would somehow need to verify the person on the other end of the phone is authorized to have access to that password and user name. This is more of a long term option that we’ll continue to debate.
This is certainly the challenge to identity theft. Thieves previously were breaking into people’s mailboxes and stealing their mail. Instead of mandating locked mailboxes, educating people about the crime and reminding them to watch their credit reports helped to reduce the number of crimes.
Also, as a registered agent yourself, if someone tries to change your business’s information without authorization, the thief has committed a felony. The email notification will help us track down and prosecute the offender before financial damage is done. This isn’t a crime that can be committed overnight. This information needs to be picked up by credit agencies and other information is needed before a credit application can be completed successfully.
I’m happy to continue to answer any questions you might have related to this issue. Buescher and others are committed to continuing our outreach efforts to alert these business owners to the crime and explaining the immediate safeguard available. Again, thanks for helping us get the word out. Obviously in the future, I’m happy to respond before you publish your diary.
Rich
From the Secretary of State’s Office (h/t to Jim Thomas):
The criminals manipulate targeted business filing records at the Secretary of State’s office by changing a business’s information in order to imply that they have a legitimate stake in the company. These identity thieves use this maliciously altered information along with other records to apply for lines of credit from major retailers. Before the company’s actual owner or agent realizes what has happened, the business starts to receive calls from debt collectors and suffers damage to its credit report.
So I went to the SoS website, and went to change the registered agent for my company. I went through every step except the final submit and at no time did it request any login from me. As far as I can verify, any company can have its corporate info hijacked at any time by anyone on the web.
But not to worry, Bernie Buescher is on the job and has a solution:
Most businesses operating in Colorado must register their names and list a local physical address with the Secretary of State’s online business filing system. This on-line filing system also allows business owners to make changes or corrections to business information and access other functions, including an e-mail notification service. This e-mail notification service provides instant notification of any change to a business’s record. If an unauthorized change is made to a record, this instant e-mail notification will allow a business owner to take quick action to help stop the crime before any real damage is done and provide law enforcement time to act.
“The most effective and simple way for businesses to protect themselves is through these automated email notifications,” Buescher said. “There’s no limit to how many email addresses can be included for each business, so include your attorney, your accountant, your banker, whoever.”
Are you fucking kidding me? Your solution is to allow identity thieves to continue to impersonate companies – but to try and undo it fast enough that it won’t matter. I like Bernie a lot but this is totally brain-dead.
Look, if requiring a login to change company info is beyond the technical skills of the programming talent available to the SoS, then turn the server off. Leaving the door wide open would get any private company sued – and deservedly so.
Second, this is a job killer. If my company ends up having to pay $75,000.00 due to identity theft, we hire one less person this year. One more unemployed is no big deal (except to that one person), but if this happens to a thousand companies, that’s a thousand jobs.
Third, this reinforces the impression many businesses have that the state hates private business. Causing businesses to expend extra effort and helping criminals target them is not a pro-business attitude. (Trust me, it isn’t.)
ps – If you own a business, go here to sign up to be notified when the SoS office has assisted an identity thief to target your company.
Update: ThillyWabbit asked me to include the following from the press release:
“Our aim is to shut down all the avenues used as part of this elaborate scheme.”
If the SoS sincerely means that – they can turn off that functionality on their website today. That will take 5 minutes. (If reconfiguring the JSP pages is beyond the ability of your IT staff, call me – I’ll drive down and do it for you.)
Having business experience doesn’t make a politician a genius, but it can help them understand the challenges that businesses face.
I have a neighbor who believes that all businesses are evil and out to cheat the common man. He wants the government to regulate every aspect of business, including capping profits and taking away intellectual property if not properly exploited.
Wealth is created by business, and without that foundation there can be no taxes, no wages and no government programs. Unless people are able to grow all of their own food and weave all their own clothes, and I guess design and fabricate their own BlackBerry, America needs its businesses.
Just because very large businesses often leverage the power they accrue by buying politicians to act in their (the business’s) best interests, that doesn’t mean that business is inherently evil. They are just exploiting pols who are easily corruptible.
Not an argument to blame business; an argument to change politicians every once in a while.
Nevertheless, the press release explicitly said that notification is just “step one” and that their “aim is to shut down all the avenues used as part of this elaborate scheme.”
Your failure to mention that is dishonest.
And the bank said that their aim is to eventually shut down that ability. Would you then say OK? Eventually is of no help to the businesses being robbed today.
And the fact that the paper system is brain-dead is no excuse for duplicating that lack of verification online. That is doubling down on stupid.
Bottom line is if any private business was taking this approach with people’s financial info, we would all be raising holy hell and Suthers would be suing them.
Nothing they do or fail to do justifies you being dishonest.
FWIW – I took that as a throw-away statement that means they’ll maybe do something someday. But as you think it means they will take effective steps ASAP, I added it.
Funny how you haven’t mentioned that once in your tirade but it’s noted in both of your links.
That both are warning business owners about the state assisting identity thieves? What specifically do you think I should add?
NO evidence of anyone being defrauded or losing ten cents over this.
Very simple solution. Give your email address. If a scamster tries to do something nefarious then you get an email and you report the guy to the authorities. Bottom line is that no one is going to do this when they realize they will be quickly caught and arrested.
Come on this is a search for a solution to a problem that does not exist.
Those who say it’s no big deal…
And those who have been the victim of identity theft.
You left them out.
Before writing this flame-throwing diary and promoting it yourself?
No wonder the State doesn’t do business with you.
In place already is a fail safe security measure. Register your e-mail and the second a scamster tries to do something you get an email.
Much ado about a problem that does not exist.
This was also all over the news and they had numerous reporters questioning them about it. I doubt I’ll get any different answers from them.
What’s interesting is if a Republican is pinged for anything, everyone here will immediately pile on. But pinging a Democrat you support – how dare someone write a flame-throwing diary!!!
I support Bernie too. I’ve donated to his campaign. I’ll donate more if it looks close come November. But that doesn’t mean we should give him a pass on every issue.
you’re mocking their joint effort, so presumably your comments would apply to both. And I don’t think Ralphie is asking you to give anyone a pass as much as he is asking you to learn first, then deal out the “pinging.”
There’s a security hole elsewhere in the state government and he’s stepped up to do what he can to address it. Maybe he should be exerting pressure on the SoS office to close the hole now, but the responsibility for the problem does not rest with him IMO.
The Attorney General and the Secretary of State discovered a problem with how business records have been treated throughout Colorado history, notified the public about it, implemented an immediate short-term plan and said they planned on continuing to develop solutions long term.
David had someone else send the press release, read about a problem that would never have occurred to him except that the Attorney General and the Secretary of State told him about it, decided he could do both their jobs better than they could without really doing any of the background work to discover why the Attorney General and Secretary of State took the approach they did, and then took to the internet to mock them for it.
I don’t know any more than David does about the situation, but it seems to me that instantly establishing a login system without anyone having login credentials isn’t all that simple. If you just ask people to establish credentials the next time they log in, identity thieves can do that too. If you require people to come down and prove their identity next time they want to file anything using genuine signatures and photo IDs, you’ve now opened yourself up to complaints (perhaps from David) that you’ve added a “new layer of bureaucracy and red tape” on top of what used to be a simple process.
None of this is the point of course. The point is sarcastically criticizing without working to find all the facts, and in fact relying entirely upon information that the hard work of the Attorney General’s and Secretary of State’s offices provided to you, is simply being a malcontent. Presuming future action is just a “throw away” without, you know, asking what future action is planned, is criticizing out of willful ignorance.
It may be that the Secretary of State and Attorney General are not responding to this problem that they are working to bring to the public’s attention in the proper manner. But seeing as no one here seems to actually know enough to make that judgment, I’m going to go with the people actually working to solve problems over those who want to dish out criticism without doing the work to figure out how things might be improved.
Why didn’t they turn this functionality off until they get it fixed?
But that wasn’t good enough for you.
If I get an answer I will of course post it here. But on the news last night it basically came down to “that was too difficult.”
and didn’t wait for an answer.
This lacks it. It should be demoted to a regular diary like all the rest of the half-cocked blowhards.
Go ahead and ask that question before saying anyone “helps identity thieves.” I’d imagine one answer could be a Colorado business in Durango might just need to close a deal of some kind tomorrow and need to change their registered agent to do it, and had no plan to get someone over to Denver to get that done. But as I say above, I don’t know.
If you’d written a diary with the title “Secretary of State Warns of Identity Theft Scheme, but Questions Remain,” that would be one thing. I don’t think anything is wrong with asking questions, but there is no value whatsoever in dropping f-bombs and using inflammatory titles to criticize without actually doing any work to figure out what the answer to your “very simple” question happens to be.
I would agree with you. And that is what I have done in those cases. But this has been out there and they have been questioned by the news media.
What bothers me is they didn’t turn it off as soon as they discovered this problem. That’s rule #1 for IT security issues.
of shutting the system down? Can it be done without interfering with the operations of business in Colorado?
I’d actually accept the criticism more if you had discovered the problem yourself and asked them why it was done that way. Here, you didn’t, you just heard some of information about the response to a problem, had some questions, didn’t wait to hear the answers because somebody else got to ask different questions, and took to blasting the Secretary of State in the most cynical of terms (helps identity thieves).
David highlights some governmental stupidity that puts every Colorado business at risk, and criticizes a Democratic politician in the process.
CoPols response: lambaste David for being mean to the Democratic Pol.
If the system is stupid, it was stupid when Secretary of State Buescher received it from (Republican) Secretary of State Coffman. If the response is stupid, it’s stupid when vouched for by (Republican) Attorney General Suthers.
And again, if “every Colorado business [is] at risk,” they’ve been at risk for years. These are the people working to fix it, and they’re being blasted for trying to fix the problem. They could have sat on their hands and neither you nor David would have had much to say about it today. Perhaps they could be doing better, but until anyone else has a comprehensive alternative based on all the actual facts, I hesitate to lambaste the solution on the table.
Umm…I mean…Democrats good…everyone else bad.
SOS response: but that would be hard to do.
This problem arose probably under a Republican SOS. Industry standards for IT security weren’t so robust back then.
After Congress passed FISMA in ? 2003 ?, I remember the Feds rolling out some new FIPS standards in ? 2005 ?
As we learn more about the threats, we ratchet up defenses. SOS knows this threat, and has taken a laughable approach to security. Counting on businesses to sign up for and then respond to the email alerts is pretty darn close to sitting on their hands, far as I can tell. David calls them on it. Good for David.
I guess my bottom line is, while I applaud the SOS for figuring out, after some number of complaints, that there is a systemic problem with their internal operations, I’m unhappy that they don’t immediately shut down this vulnerability while they work on a long-term fix. I know a lot of business owners myself who are not computer- or internet-savvy.
What effect on business would a shut down have? Would that effect outweigh the risk? And if you see the response above, no one is saying “that would be hard.” That’s David paraphrasing an answer to a different question. If you feel like you know enough to judge, fine, fire away. I just haven’t seen evidence of it.
They don’t discuss the trade-offs of turning off their online store vs the identity theft – they turn the system off until they correct the problem.
About once a year one of my credit cards is immediately cancelled and I get an email saying a new one is on the way because of a security breach they have had. They don’t ask if it’s ok to cancel the old card, they do it.
This is one of the fundamental rules of security, you disable holes immediately. The only time you delay is if the hole is not known outside of the responsible party and the person reporting it. Then you can take a couple of days.
But if it’s known – you close the vulnerability immediately.
but in a private company, all you lose is the ability for someone to do business with you. When you shut down a mandatory business registration system at the state level, it seems like the effect could be broader, including the ability of unrelated businesses to do business with each other, although, as I’ve said I don’t know.
I’ll quit now, I’ve said my piece. Personally, I think the attitude and the approach is uncalled for, but this being America and all, it’s always ultimately up to you to choose your attitude and approach when it comes to speaking out.
all the time. This has been a problem since at least 2003…
First off, that’s rough that your EX uses this to cause problems.
Second, has the SoS been aware of this since 2003? If so, then… Well words fail me on how to describe leaving this hole open that long.
From Rich’s reply above (bold added):
I read that as they may decide to leave it as is, and are not presently working on adding a login requirement.
In addition to the annual report to the SOS, nonprofit organizations have to annually update their charitable solicitations registration through the SOS’s Web site. Usernames and passwords are required for this process. I also don’t understand why it is so difficult to add those functions to other areas of the SOS’s Web site.