Several articles here have delved into the history of John Bernard, the pseudonym used by a fake billionaire technology investor who tricked dozens of start-ups into giving him tens of millions of dollars. Bernard’s latest victim — a Norwegian startup hoping to build a fleet of environmentally friendly shipping vessels — is now embroiled in a lawsuit over a deal gone bad, in which Bernard falsely claimed to have secured $100 million from six other wealthy investors, including the founder of Uber and the artist Abel Makkonen Tesfaye, better known as The Weeknd.

John Bernard is a pseudonym used by John Clifton Davies, a convicted fraudster from the United Kingdom who is currently a fugitive from justice and residing in Ukraine. Davies’ Bernard persona has fleeced dozens of technology companies out of an estimated $30 million with the promise of lucrative investments.

For several years until reinventing himself again quite recently, Bernard pretended to be a billionaire Swiss investor who made his fortunes in the dot-com boom 20 years ago and who was seeking investment opportunities. Bernard generated a stream of victims by offering extraordinarily generous finder’s fees for investment brokers who helped him secure new clients. But those brokers would eventually get stiffed as well because Bernard’s company would never consummate a deal.

In case after case, Bernard would promise to invest millions in tech startups, and then insist that companies pay tens of thousands of dollars worth of due diligence fees up front. However, the due diligence company he insisted on using — another Swiss firm called Inside Knowledge — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

But Bernard would adopt a slightly different approach to stealing from Freidig Shipping Ltd., a Norwegian company formed in 2017 that was seeking the equivalent of USD $100 million investment to bring its green fleet of 30 new offshore service vessels to fruition.

Journalists Harald Vanvik and Harald Berglihn from the Norwegian Business Daily write that through investment advisors in London, Bernard was introduced to Nils-Odd Tønnevold, co-founder of Freidig Shipping and an investment advisor with 20 years of experience.

“Both Bernard and Inside Knowledge appeared to be professionals,” the reporters wrote in a story that’s behind a paywall. “Bernard appeared to be experienced. He knew a lot about start-ups and got into things quickly. Credible and reliable was the impression of him, said Tønnevold.”

“Bernard eventually took on the role of principal investor, claiming he had six other wealthy investors on the team, including artist Abel Makkonen Tesfaye, known as The Weeknd, Uber founder Garrett Camp and Norilsk Nickel owner Russian Vladimir Potanin,” the Norwegian journalists wrote. “These committed to contribute $99.25 million to Freidig.”

So in this case Bernard conveniently claimed he’d come up with almost all of the investment, which came $750,000 short of the goal. Another investor, a Belgian named Guy Devos, contributed the remaining $750,000.

But by the spring of 2020, it was clear that Devos and others involved in the shipping project had been tricked, and that all the money which had been paid to Bernard — an estimated NOK 15 million (~USD $1.67 million) — had been lost. By that time the two co-founders and their families had borrowed USD $1.5 million, and had transferred the funds to Inside Knowledge.

“Further investigations indicated that Bernard was in fact a convicted and wanted Briton based in the Ukrainian capital Kiev,” the Norwegian Business Daily reported. “Guy Devos has sued Nils-Odd Tønnevold with a claim of 750,000 dollars because he believes Tønnevold has a responsibility for the money being transferred to Bernard. Tønnevold rejects this.”

Bernard’s scam is genius because he never approaches investors directly; rather, investors are incentivized to put his portfolio in front of tech firms seeking financial backing. And because the best cons begin as an idea or possibility planted in the target’s mind.

What’s remarkable about Freidig Shipping’s fleecing is that we heard about it at all. In the first of this now five-part series, we heard from Jason Kane, an attorney who focuses on investment fraud. Kane said companies bilked by small-time investment schemes rarely pursue legal action, mainly because the legal fees involved can quickly surpass the losses. What’s more, most victims will likely be too ashamed to come forward.

“These are cases where you might win but you’ll never collect any money,” Kane said. “This seems like an investment twist on those fairly simple scams we all can’t believe people fall for, but as scams go this one is pretty good. Do this a few times a year and you can make a decent living and no one is really going to come after you.”

It does appear that Bernard took advantage of a stunning lack of due diligence by the Freidig co-founders. In this May 2020 post on Twitter — well after their funds had already been transferred to Bernard — Nils-Odd Tønnevold can be seen asking Uber co-founder Garrett Camp if he indeed had agreed to invest in his company:

John Clifton Davies, a.k.a. John Bernard, Jonathan Bibi, John Cavendish, is a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail on suspicion of murdering his third wife on their honeymoon in India. The U.K. authorities later dropped the murder charges for lack of evidence. Davies currently resides with his fourth wife in or near Kyiv, Ukraine.

If you liked this story, check out my previous reporting on John Bernard/Davies:

Due Diligence That Money Can’t Buy

Who is Tech Investor John Bernard?

Promising Infusions of Cash, Fake Investor John Bernard Walked Away With $30 Million

Investment Scammer John Davies Reinvents Himself?

In December 2021, researchers discovered a new ransomware-as-a-service named ALPHV (a.k.a. “BlackCat“), considered to be the first professional cybercrime group to create and use a ransomware strain written in the Rust programming language. In this post, we’ll explore some of the clues left behind by a developer who was reputedly hired to code the ransomware variant.

According to an analysis released this week by Varonis, ALPHV is actively recruiting operators from several ransomware organizations — including REvil, BlackMatter and DarkSide — and is offering affiliates up to 90 percent of any ransom paid by a victim organization.

“The group’s leak site, active since early December 2021, has named over twenty victim organizations as of late January 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is likely greater,” Varonis’s Jason Hill wrote.

One concern about more malware shifting to Rust is that it is considered a much more secure programming language compared to C and C++, writes Catalin Cimpanu for The Record. The upshot? Security defenders are constantly looking for coding weaknesses in many ransomware strains, and if more start moving to Rust it could become more difficult to find those soft spots.

Researchers at Recorded Future say they believe the ALPHV/BlackCat author was previously involved with the infamous REvil ransomware cartel in some capacity. Earlier this month the Russian government announced that at the United States’ request it arrested 14 individuals in Russia thought to be REvil operators.

Still, REvil rolls on despite these actions, according to Paul Roberts at ReversingLabs. “The recent arrests have NOT led to a noticeable change in detections of REvil malicious files,” Roberts wrote. “In fact, detections of files and other software modules associated with the REvil ransomware increased modestly in the week following the arrests by Russia’s FSB intelligence service.”

Meanwhile, the U.S. State Department has a standing $10 million reward for information leading to the identification or location of any individuals holding key leadership positions in REvil.

WHO IS BINRS?

A confidential source recently had a private conversation with a support representative who fields questions and inquiries on several cybercrime forums on behalf of a large and popular ransomware affiliate program. The affiliate rep confirmed that a coder for ALPHV was known by the handle “Binrs” on multiple Russian-language forums.

On the cybercrime forum RAMP, the user Binrs says they are a Rust developer who’s been coding for 6 years. “My stack is Rust, nodejs, php, golang,” Binrs said in an introductory post, in which they claim to be fluent in English. Binrs then signs the post with their identification number for ToX, a peer-to-peer instant messaging service.

That same ToX ID was claimed by a user called “smiseo” on the Russian forum BHF, in which smiseo advertises “clipper” malware written in Rust that swaps in the attacker’s bitcoin address when the victim copies a cryptocurrency address to their computer’s temporary clipboard.

The nickname “YBCat” advertised that same ToX ID on Carder[.]uk, where this user claimed ownership over the Telegram account @CookieDays, and said they could be hired to do software and bot development “of any level of complexity.” YBCat mostly sold “installs,” offering paying customers to ability to load malware of their choice on thousands of hacked computers simultaneously.

There is also an active user named Binrs on the Russian crime forum wwh-club[.]co who says they’re a Rust coder who can be reached at the @CookieDays Telegram account.

On the Russian forum Lolzteam, a member with the username “DuckerMan” uses the @CookieDays Telegram account in his signature. In one thread, DuckerMan promotes an affiliate program called CookieDays that lets people make money by getting others to install cryptomining programs that are infected with malware. In another thread, DuckerMan is selling a different clipboard hijacking program called Chloe Clipper.

According to threat intelligence firm Flashpoint, the Telegram user DuckerMan employed another alias — Sergey Duck. These accounts were most active in the Telegram channels “Bank Accounts Selling,” “Malware developers community,” and “Raidforums,” a popular English-language cybercrime forum.

I AM DUCKERMAN

The GitHub account for a Sergey DuckerMan lists dozens of code repositories this user has posted online over the years. The majority of these projects were written in Rust, and the rest in PHP, Golang and Nodejs — the same coding languages specified by Binrs on RAMP. The Sergey DuckerMan GitHub account also says it is associated with the “DuckerMan” account on Telegram.

Sergey DuckerMan has left many accolades for other programmers on GitHub — 460 to be exact. In June 2020, for example, DuckerMan gave a star to a proof-of-concept ransomware strain written in Rust.

Sergey DuckerMan’s Github profile says their social media account at Vkontakte (Russian version of Facebook/Meta) is vk.com/duckermanit. That profile is restricted to friends-only, but states that it belongs to a Sergey Pechnikov from Shuya, Russia.

A look at the Duckermanit VKontakte profile in Archive.org shows that until recently it bore a different name: Sergey Kryakov. The current profile image on the Pechnikov account shows a young man standing closely next to a young woman.

KrebsOnSecurity reached out to Pechnikov in transliterated Russian via the instant message feature built into VKontakte.

“I’ve heard about ALPHV,” Pechnikov replied in English. “It sounds really cool and I’m glad that Rust becomes more and more popular, even in malware sphere. But I don’t have any connections with ransomware at all.”

I began explaining the clues that led to his VK account, and how a key cybercriminal actor in the ransomware space had confirmed that Binrs was a core developer for the ALPHV ransomware.

“Binrs isn’t even a programmer,” Pechnikov interjected. “He/she can’t be a DuckerMan. I am DuckerMan.”

BK: Right. Well, according to Flashpoint, the Telegram user DuckerMan also used the alias Sergey Duck.

Sergey: Yep, that’s me.

BK: So you can see already how I arrived at your profile?

Sergey: Yep, you’re a really good investigator.

BK: I noticed this profile used to have a different name attached to it. A ‘Sergey Kryakov.’

Sergey: It was my old surname. But I hated it so much I changed it.

BK: What did you mean Binrs isn’t even a programmer?

Sergey: I haven’t found any [of] his accounts on sites like GitHub/stack overflow. I’m not sure, does binrs sell Rust Clipper?

BK: So you know his work! I take it that despite all of this, you maintain you are not involved in coding malware?

Sergey: Well, no, but I have some “connections” with these guys. Speaking about Binrs, I’ve been researching his personality since October too.

BK: Interesting. What made you want to research his personality? Also, please help me understand what you mean by “connections.”

Sergey: I think he is actually a group of some people. I’ve written him on telegram from different accounts, and his way of speaking is different. Maybe some of them somehow tied with ALPHV. But on forums (I’ve checked only XSS and Exploit) his ways of speaking are the same.

BK: …..

Sergey: I don’t know how to explain this. By the way, binrs now is really silent, I think he’s lying low. Well, this is all I know.

No doubt he is. I enjoyed speaking with Sergey, but I also had difficulty believing most of what he said. Also, I was bothered that Sergey hadn’t exactly disputed the logic behind the clues that led to his VK account. In fact, he’d stated several times that he was impressed with the investigation.

In many previous Breadcrumbs stories, it is common at this point for the interviewee to claim they were being set up or framed. But Sergey never even floated the idea.

I asked Sergey what might explain all these connections if he wasn’t somehow involved in coding malicious software. His answer, our final exchange, was again equivocal.

“Well, all I have is code on my github,” he replied. “So it can be used [by] anyone, but I don’t think my projects suit for malwares.”

What’s worse than finding out that identity thieves took out a 546 percent interest payday loan in your name? How about a 900 percent interest loan? Or how about not learning of the fraudulent loan until it gets handed off to collection agents? One reader’s nightmare experience spotlights what can happen when ID thieves and hackers start targeting online payday lenders.

The reader who shared this story (and copious documentation to go with it) asked to have his real name omitted to avoid encouraging further attacks against his identity. So we’ll just call him “Jim.” Last May, someone applied for some type of loan in Jim’s name. The request was likely sent to an online portal that takes the borrower’s loan application details and shares them with multiple prospective lenders, because Jim said over the next few days he received dozens of emails and calls from lenders wanting to approve him for a loan.

Many of these lenders were eager to give Jim money because they were charging exorbitant 500-900 percent interest rates for their loans. But Jim has long had a security freeze on his credit file with the three major consumer credit reporting bureaus, and none of the lenders seemed willing to proceed without at least a peek at his credit history.

Among the companies that checked to see if Jim still wanted that loan he never applied for last May was Mountain Summit Financial (MSF), a lending institution owned by a Native American tribe in California called the Habematelol Pomo of Upper Lake.

Jim told MSF and others who called or emailed that identity thieves had applied for the funds using his name and information; that he would never take out a payday loan; and would they please remove his information from their database? Jim says MSF assured him it would, and the loan was never issued.

Jim spent months sorting out that mess with MSF and other potential lenders, but after a while the inquiries died down. Then on Nov. 27 — Thanksgiving Day weekend — Jim got a series of rapid-fire emails from MSF saying they’ve received his loan application, that they’d approved it, and that the funds requested were now available at the bank account specified in his MSF profile.

Curiously, the fraudsters had taken out a loan in Jim’s name with MSF using his real email address — the same email address the fraudsters had used to impersonate him to MSF back in May 2021. Although he didn’t technically have an account with MSF, their authentication system is based on email addresses, so Jim requested that a password reset link be sent to his email address. That worked, and once inside the account Jim could see more about the loan details:

Take a look at that 546.56 percent interest rate and finance charges listed in this $1,000 loan. If you pay this loan off in a year at the suggested bi-weekly payment amounts, you will have paid $3,903.57 for that $1,000.

Jim contacted MSF as soon as they opened the following week and found out the money had already been dispersed to a Bank of America account Jim didn’t recognize. MSF had Jim fill out an affidavit claiming the loan was the result of identity theft, which necessitated filing a report with the local police and a number of other steps. Jim said numerous calls to Bank of America’s fraud team went nowhere because they refused to discuss an account that was not in his name.

Jim said MSF ultimately agreed that the loan wasn’t legitimate, but they couldn’t or wouldn’t tell him how his information got pushed through to a loan — even though MSF was never able to pull his credit file.

Then in mid-January, Jim heard from MSF via snail mail that they’d discovered a data breach.

“We believe the outsider may have had an opportunity to access the accounts of certain customers, including your account, at which point they would be able to view personal information pertaining to that customer and potentially obtain an unauthorized loan using the customer’s credentials,” MSF said.

MSF said the personal information involved in this incident may have included name, date of birth, government-issued identification numbers (e.g., SSN or DLN), bank account number and routing number, home address, email address, phone number and other general loan information.

Nevermind that his information was only in MSF’s system because of an earlier attempt by ID thieves: The intruders were able to update his existing (never-deleted) record with new banking information and then push the application through MSF’s systems.

“MSF was the target of a suspected third-party attack,” the company said, noting that it was working with the FBI, the California Sheriff’s Office, and the Tribal Commission for Lake County, Calif.  “Ultimately, MSF confirmed that these trends were part of an attack that originated outside of the company.”

MSF has not responded to questions about the aforementioned third party or parties that may be involved. But it is possible that other tribal lenders could have been affected: Jim said that not long after the phony MSF payday loan was pushed through, he received at least three inquiries in rapid succession from other lenders who were all of a sudden interested in offering him a loan.

In a statement sent to KrebsOnSecurity, MSF said it was “the victim of a malicious attack that originated outside of the company, by unknown perpetrators.”

“As soon as the issue was uncovered, the company initiated cybersecurity incident response measures to protect and secure its information; and notified law enforcement and regulators,” MSF wrote. “Additionally, the company has notified individuals whose personal identifiable information may have been impacted by this crime and is actively working with law enforcement in its investigation. As this is an ongoing criminal investigation, we can make no additional comment at this time.”

According to the Native American Financial Services Association (NAFSA), a trade group in Washington, D.C. representing tribal lenders, the short-term installment loan products offered by NAFSA members are not payday loans but rather “installment loans” — which are amortized, have a definite loan term, and require payments that go toward not just interest, but that also pay down the loan principal.

NAFSA did not respond to multiple requests for comment.

Nearly all U.S. states have usury laws that limit the amount of interest a company can charge on a loan, but those limits traditionally haven’t applied to tribal lenders.

Leslie Bailey is a staff attorney at Public Justice, a nonprofit legal advocacy organization in Oakland, Calif. Bailey says an increasing number of online payday lenders have sought affiliations with Native American tribes in an effort to take advantage of the tribes’ special legal status as sovereign nations.

“The reason is clear: Genuine tribal businesses are entitled to ‘tribal immunity,’ meaning they can’t be sued,” Bailey wrote in a blog post. “If a payday lender can shield itself with tribal immunity, it can keep making loans with illegally-high interest rates without being held accountable for breaking state usury laws.”

Bailey said in one common type of arrangement, the lender provides the necessary capital, expertise, staff, technology, and corporate structure to run the lending business and keeps most of the profits. In exchange for a small percent of the revenue (usually 1-2%), the tribe agrees to help draw up paperwork designating the tribe as the owner and operator of the lending business.

“Then, if the lender is sued in court by a state agency or a group of cheated borrowers, the lender relies on this paperwork to claim it is entitled to immunity as if it were itself a tribe,” Bailey wrote. “This type of arrangement — sometimes called ‘rent-a-tribe’ — worked well for lenders for a while, because many courts took the corporate documents at face value rather than peering behind the curtain at who’s really getting the money and how the business is actually run. But if recent events are any indication, legal landscape is shifting towards increased accountability and transparency.”

In 2017, the Consumer Financial Protection Bureau sued four tribal online payday lenders in federal court — including Mountain Summit Financial — for allegedly deceiving consumers and collecting debt that was not legally owed in many states. All four companies are owned by the Habematolel Pomo of Upper Lake.

The CFPB later dropped that inquiry. But a class action lawsuit (PDF) against those same four lenders is proceeding in Virginia, where a group of plaintiffs have alleged the defendants violated the Racketeer Influenced and Corrupt Organizations Act (RICO) and Virginia usury laws by charging interest rates between 544 and 920 percent.

According to Buckley LLP, a financial services law firm based in Washington, D.C., a district court dismissed the RICO claims but denied the defense’s motion to compel arbitration and dismiss the case, ruling that the arbitration provision was unenforceable as a prospective waiver of the borrowers’ federal rights and that the defendants could not claim tribal sovereign immunity. The district court also “held the loan agreements’ choice of tribal law unenforceable as a violation of Virginia’s strong public policy against unregulated lending of usurious loans.”

Buckley notes that on Nov. 16, 2021, the U.S. Court of Appeals for the Fourth Circuit upheld the district court ruling, concluding that the arbitration clauses in the loan agreements “impermissibly force borrowers to waive their federal substantive rights under federal consumer protection laws, and contained an unenforceable tribal choice-of-law provision because Virginia law caps general interest rates at 12 percent.”

Jim said he learned of the Thanksgiving weekend MSF loan only because the hackers apparently figured it was easier to push through loans using existing MSF customer account information than it was to alter anything in the records other than the bank account for receiving the funds.

But had the hackers changed the email address, Jim might have first found out about the loan when the collection agencies came calling. And by then, his exorbitant loan would be in default and racking up some wicked late charges.

Jim says he’s still hopping mad at MSF, and these days he’s just waiting for the other shoe to drop.

“They issued this loan in my name without verification and without even checking my credit at all, even though they were already on notice that they shouldn’t have been dealing with me from the May incident,” Jim said. “I still feel like I’m going to get that call at some point from a collection agency asking why I haven’t been making payments on some installment loan I never asked for.”

Up for the “Most Meta Cybercrime Offering” award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites.

Criminals ripping off other crooks is a constant theme in the cybercrime underworld; Accountz Club’s slogan  — “the best autoshop for your favorite shops’ accounts” — just normalizes this activity by making logins stolen from users of various cybercrime shops for sale at a fraction of their account balances.

The site says it sells “cracked” accounts, or those that used passwords which could be easily guessed or enumerated by automated tools. All of the credentials being sold by Accountz provide access to services that in turn sell access to stolen information or hijacked property, as in the case of “bot shops” that resell access to infected computers.

One example is Genesis Market, where customers can search for stolen credentials and authentication cookies from a broad range of popular online destinations. Genesis even offers a custom-made web browser where you can load authentication cookies from botted PCs and waltz right into the account without having to enter a username or password or mess with multi-factor authentication.

Accountz is currently selling four different Genesis logins for about 40-50 percent of their unspent balances. Genesis mostly gets its inventory of botted computers and stolen logins from resellers who specialize in deploying infostealer malware via email and booby-trapped websites. Likewise, it appears Accountz also derives much of its stock from a handful of resellers, who presumably are the same ones doing the cybercrime service account cracking.

In essence, Accountz customers are paying for illicit access to cybercrime services that sell access to compromised resources that can be abused for cybercrime. That’s seriously meta.

Accountz says its inventory is low right now but that it expects to offer a great deal more stock in the coming days. I don’t doubt that’s true, and it’s somewhat remarkable that services like this aren’t more common: From reporting my “Breadcrumbs” series on prominent cybercrime actors, it’s clear that a great many cybercriminals will use the same username and password across multiple services online.

What’s more, relatively few cybercrime shops online offer their users any sort of multi-factor authentication. That’s probably because so few customers supply their real contact information when they sign up. As a result, it is often far easier for customers to simply create a new account than it is to regain control over a hacked one, or to change a forgotten password. On top of that, most shops have only rudimentary tools for blocking automated login attempts and password cracking activity.

It will be interesting to see whether any of the cybercrime shops most heavily represented in the logins for sale at Accountz start to push back. After all, draining customer account balances and locking out users is likely to increase customer support costs for these shops, lower customer satisfaction, and perhaps even damage their reputations on the crime forums where they peddle their wares.

Oh, the horror.

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.

McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.

These days, ID.me is perhaps better known as the online identity verification service that many states now use to help staunch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.

Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.

When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.

Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with Id.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re using to apply for the ID.me account).

Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.

After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.

The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can “push” a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.

When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.

Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.

If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.

After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.

My application got stuck interminably at the “Confirming Your Phone” stage, which is somewhere near the middle of the entire verification process.

An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.

For example, completing the process requires submitting at least two secondary identification documents, such as as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.

After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”

I appreciate that ID.me’s system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers.

That said, I started this “Meet an agent” process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.

Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.

When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.

I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.

The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.

The IRS canceled its “taxpayer identity” contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.

Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.

Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.

“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”

ID.me’s privacy policy states that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”

Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.

When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.

Over the years, I’ve tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should “Plant Your Flag” conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc).

Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).

If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.