July 18, 2010 06:40 PM UTC

Colorado Secretary of State responds to identity theft questions

  • 35 Comments
  • by: DavidThi808

Reply from Rich Coolidge (SoS Office):

David,

First of all, thanks for helping us get the word out on this new criminal activity. As soon as Buescher was alerted to this crime, he met with CBI and the Colorado Bar Association’s business advisory group. The most immediate safeguard was the email notification system. As you know, implementing user names and passwords for 800,000 businesses will take time and resources. We would need to designate an additional call center just to accommodate resetting these user names and passwords. Not to mention, we would somehow need to verify the person on the other end of the phone is authorized to have access to that password and user name. This is more of a long term option that we’ll continue to debate.

This is certainly the challenge to identity theft. Thieves previously were breaking into people’s mailboxes and stealing their mail. Instead of mandating locked mailboxes, educating people about the crime and reminding them to watch their credit reports helped to reduce the number of crimes.

Also, as a registered agent yourself, if someone tries to change your business’s information without authorization, the thief has committed a felony. The email notification will help us track down and prosecute the offender before financial damage is done. This isn’t a crime that can be committed overnight. This information needs to be picked up by credit agencies and other information is needed before a credit application can be completed successfully.

I’m happy to continue to answer any questions you might have related to this issue. Buescher and others are committed to continuing our outreach efforts to alert these business owners to the crime and explaining the immediate safeguard available. Again, thanks for helping us get the word out. Obviously in the future, I’m happy to respond before you publish your diary.

Rich

From the Secretary of State’s Office h/t to Jim Thomas

The criminals manipulate targeted business filing records at the Secretary of State’s office by changing a business’s information in order to imply that they have a legitimate stake in the company. These identity thieves use this maliciously altered information along with other records to apply for lines of credit from major retailers. Before the company’s actual owner or agent realizes what has happened, the business starts to receive calls from debt collectors and suffers damage to its credit report.

So I went to the SoS website, and went to change the registered agent for my company. I went through every step except the final submit and at no time did it request any login from me. As far as I can verify, any company can have its corporate info hijacked at any time by anyone on the web.

But not to worry, Bernie Buescher is on the job and has a solution:

Most businesses operating in Colorado must register their names and list a local physical address with the Secretary of State’s online business filing system. This on-line filing system also allows business owners to make changes or corrections to business information and access other functions, including an e-mail notification service. This e-mail notification service provides instant notification of any change to a business’s record. If an unauthorized change is made to a record, this instant e-mail notification will allow a business owner to take quick action to help stop the crime before any real damage is done and provide law enforcement time to act.

“The most effective and simple way for businesses to protect themselves is through these automated email notifications,” Buescher said. “There’s no limit to how many email addresses can be included for each business, so include your attorney, your accountant, your banker, whoever.”

Are you fucking kidding me? Your solution is to allow identity thieves to continue to impersonate companies – but to try and undo it fast enough that it won’t matter. I like Bernie a lot but this is totally brain-dead.

Look, if requiring a login to change company info is beyond the technical skills of the programming talent available to the SoS, then turn the server off. Leaving the door wide open would get any private company sued – and deservedly so.

Second, this is a job killer. If my company ends up having to pay $75,000.00 due to identity theft, we hire one less person this year. One more unemployed is no big deal (except to that one person), but if this happens to a thousand companies, that’s a thousand jobs.

Third, this reinforces the impression many businesses have that the state hates private business. Causing businesses to expend extra effort and helping criminals target them is not a pro-business attitude. (Trust me, it isn’t.)

ps – If you own a business, go here to sign up to be notified when the SoS office has assisted an identity thief to target your company.

Update: ThillyWabbit asked me to include the following from the press release:

“Our aim is to shut down all the avenues used as part of this elaborate scheme.”

If the SoS sincerely means that – they can turn off that functionality on their website today. That will take 5 minutes. (If reconfiguring the JSP pages is beyond the ability of your IT staff, call me – I’ll drive down and do it for you.)


Comments

35 thoughts on “Colorado Secretary of State responds to identity theft questions”

  1. .

    Having business experience doesn’t make a politician a genius, but it can help them understand the challenges that businesses face.  

    I have a neighbor who believes that all businesses are evil and out to cheat the common man.  He wants the government to regulate every aspect of business, including capping profits and taking away intellectual property if not properly exploited.  

    Wealth is created by business, and without that foundation there can be no taxes, no wages and no government programs.  Unless people are able to grow all of their own food and weave all their own clothes, and I guess design and fabricate their own BlackBerry, America needs its businesses.

    Just because very large businesses often leverage the power they accrue by buying politicians to act in their (the business’s) best interests, that doesn’t mean that business is inherently evil.  They are just exploiting pols who are easily corruptible.  

    Not an argument to blame business; an argument to change politicians every once in a while.

    .

  2. Nevertheless, the press release explicitly said that notification is just “step one” and that their “aim is to shut down all the avenues used as part of this elaborate scheme.”

    Your failure to mention that is dishonest.

    1. And the bank said that their aim is to eventually shut down that ability. Would you then say OK? Eventually is of no help to the businesses being robbed today.

      And the fact that the paper system is brain-dead is no excuse for duplicating that lack of verification online. That is doubling down on stupid.

      Bottom line is if any private business was taking this approach with people’s financial info, we would all be raising holy hell and Suthers would be suing them.

  3. Funny how you haven’t mentioned that once in your tirade but it’s noted in both of your links.

    Today, Colorado Secretary of State Bernie Buescher and Attorney General John Suthers joined area business leaders to warn Coloradans about the latest scam targeting the state’s businesses.

  4. NO evidence of anyone being defrauded or losing ten cents over this.

    Very simple solution.  Give your email address. If a scamster tries to do something nefarious then you get an email and you report the guy to the authorities.  Bottom line is that no one is going to do this when they realize they will be quickly caught and arrested.

    Come on this is a search for a solution to a problem that does not exist.

    1. In place already is a fail safe security measure. Register your e-mail and the second a scamster tries to do something you get an email.

      Much ado about a problem that does not exist.  

    2. This was also all over the news and they had numerous reporters questioning them about it. I doubt I’ll get any different answers from them.

      What’s interesting is if a Republican is pinged for anything, everyone here will immediately pile on. But pinging a Democrat you support – how dare someone write a flame-throwing diary!!!

      I support Bernie too. I’ve donated to his campaign. I’ll donate more if it looks close come November. But that doesn’t mean we should give him a pass on every issue.

      1. you’re mocking their joint effort, so presumably your comments would apply to both.  And I don’t think Ralphie is asking you to give anyone a pass as much as he is asking you to learn first, then deal out the “pinging.”

        1. There’s a security hole elsewhere in the state government and he’s stepped up to do what he can to address it. Maybe he should be exerting pressure on the SoS office to close the hole now, but the responsibility for the problem does not rest with him IMO.

  5. The Attorney General and the Secretary of State discovered a problem with how business records have been treated throughout Colorado history, notified the public about it, implemented an immediate short-term plan and said they planned on continuing to develop solutions long term.

    David had someone else send the press release, read about a problem that would never have occurred to him except that the Attorney General and the Secretary of State told him about it, decided he could do both their jobs better than they could without really doing any of the background work to discover why the Attorney General and Secretary of State took the approach they did, and then took to the internet to mock them for it.

    I don’t know any more than David does about the situation, but it seems to me that instantly establishing a login system without anyone having login credentials isn’t all that simple.  If you just ask people to establish credentials the next time they log in, identity thieves can do that too.  If you  require people to come down and prove their identity next time they want to file anything using genuine signatures and photo ids, you’ve now opened yourself up to complaints (perhaps from David) that you’ve added a “new layer of bureaucracy and red tape” on top of what used to be a simple process.

    None of this is the point of course.  The point is sarcastically criticizing without working to find all the facts, and in fact relying entirely upon information that the hard work of the Attorney General’s and Secretary of State’s offices provided to you, is simply being a malcontent.  Presuming future action is just a “throw away” without, you know, asking what future action is planned, is criticizing out of willful ignorance.  

    It may be that the Secretary of State and Attorney General are not responding to this problem that they are working to bring to the public’s attention in the proper manner.  But seeing as no one here seems to actually know enough to make that judgment, I’m going to go with the people actually working to solve problems over those who want to dish out criticism without doing the work to figure out how things might be improved.

      1. Go ahead and ask that question before saying anyone “helps identity thieves.”  I’d imagine one answer could be a Colorado business in Durango might just need to close a deal of some kind tomorrow and need to change their registered agent to do it, and had no plan to get someone over to Denver to get that done.  But as I say above, I don’t know.

        If you’d written a diary with the title “Secretary of State Warns of Identity Theft Scheme, but Questions Remain,” that would be one thing.  I don’t think anything is wrong with asking questions, but there is no value whatsoever in dropping f-bombs and using inflammatory titles to criticize without actually doing any work to figure out what the answer to your “very simple” question happens to be.

        1. I would agree with you. And that is what I have done in those cases. But this has been out there and they have been questioned by the news media.

          What bothers me is they didn’t turn it off as soon as they discovered this problem. That’s rule #1 for IT security issues.

          1. of shutting the system down?  Can it be done without interfering with the operations of business in Colorado?  

            I’d actually accept the criticism more if you had discovered the problem yourself and asked them why it was done that way.  Here, you didn’t, you just heard some information about the response to a problem, had some questions, didn’t wait to hear the answers because somebody else got to ask different questions, and took to blasting the Secretary of State in the most cynical of terms (helps identity thieves).  

  6. .

    David highlights some governmental stupidity that puts every Colorado business at risk, and criticizes a Democratic politician in the process.  

    CoPols response: lambaste David for being mean to the Democratic Pol.

    .

    1. If the system is stupid, it was stupid when Secretary of State Buescher received it from (Republican) Secretary of State Coffman.  If the response is stupid, it’s stupid when vouched for by (Republican) Attorney General Suthers.

      And again, if “every Colorado business [is] at risk,” they’ve been at risk for years.  These are the people working to fix it, and they’re being blasted for trying to fix the problem.  They could have sat on their hands and neither you nor David would have had much to say about it today.  Perhaps they could be doing better, but until anyone else has a comprehensive alternative based on all the actual facts, I hesitate to lambaste the solution on the table.

      Umm…I mean…Democrats good…everyone else bad.

      1. .

        SOS response: but that would be hard to do.  

        This problem arose probably under a Republican SOS.  Industry standards for IT security weren’t so robust back then.  

        After Congress passed FISMA in ? 2003 ?, I remember the Feds rolling out some new FIPS standards in ? 2005 ?  

        As we learn more about the threats, we ratchet up defenses.  SOS knows this threat, and has taken a laughable approach to security.  Counting on businesses to sign up for and then respond to the email alerts is pretty darn close to sitting on their hands, far as I can tell.  David calls them on it.  Good for David.  

        I guess my bottom line is, while I applaud the SOS for figuring out, after some number of complaints, that there is a systemic problem with their internal operations, I’m unhappy that they don’t immediately shut down this vulnerability while they work on a long-term fix.  I know a lot of business owners myself who are not computer- or internet-savvy.

        .  

        .

        1. What effect on business would a shut down have?  Would that effect outweigh the risk?  And if you see the response above, no one is saying “that would be hard.”  That’s David paraphrasing an answer to a different question.  If you feel like you know enough to judge, fine, fire away.  I just haven’t seen evidence of it.

          1. They don’t discuss the trade-offs of turning off their online store vs the identity theft – they turn the system off until they correct the problem.

            About once a year one of my credit cards is immediately cancelled and I get an email saying a new one is on the way because of a security breach they have had. They don’t ask if it’s ok to cancel the old card, they do it.

            This is one of the fundamental rules of security, you disable holes immediately. The only time you delay is if the hole is not known outside of the responsible party and the person reporting it. Then you can take a couple of days.

            But if it’s known – you close the vulnerability immediately.

            1. but in a private company, all you lose is the ability for someone to do business with you.  When you shut down a mandatory business registration system at the state level, it seems like the effect could be broader, including the ability of unrelated businesses to do business with each other, although, as I’ve said I don’t know.

              I’ll quit now, I’ve said my piece.  Personally, I think the attitude and the approach is uncalled for, but this being America and all, it’s always ultimately up to you to choose your attitude and approach when it comes to speaking out.

    1. First off, that’s rough that your EX uses this to cause problems.

      Second, has the SoS been aware of this since 2003? If so, then… Well words fail me on how to describe leaving this hole open that long.

  7. From Rich’s reply above (bold added):

    As you know, implementing user names and passwords for 800,000 businesses will take time and resources. … This is more of a long term option that we’ll continue to debate.

    I read that as they may decide to leave it as is, and are not presently working on adding a login requirement.  

    1. In addition to the annual report to the SOS, nonprofit organizations have to annually update their charitable solicitations registration through the SOS’s Web site. Usernames and passwords are required for this process. I also don’t understand why it is so difficult to add those functions to other areas of the SOS’s Web site.
