
FraudKast
The LexisNexis Risk Solutions FraudKast exposes fraud and theft across all types of government benefit programs. We seek to interview leading experts, both from law enforcement and from among agency investigators, to understand and reveal nefarious methods used against federal and state programs.
Examples of government fraud that will be covered include DMV fraud, SNAP fraud, student loan fraud, Social Security fraud, state retirement fraud, housing fraud, Medicaid/Medicare fraud, and tax refund fraud.
All guest experts are on the front lines of detecting, preventing, and fighting these types of government fraud.
Investigating Cyber Threats, Identity Fraud, and Bad Actors Targeting DMVs
Guests:
- Gerald F. Lackey, PhD, Commissioner, Virginia Department of Motor Vehicles
- Beau Hurley, Chief Information Security Officer, Virginia Department of Motor Vehicles
- Joseph Hill, Chief of Law Enforcement, Virginia Department of Motor Vehicles
This episode covers challenges facing DMVs today, with a deep focus on intentional fraud. That includes fraud at the counter committed by those coming in, as well as the internal threats presented by employees who can sell licenses illegally. Speakers will also cover cyber fraud threats, since DMVs are moving services primarily online.
Dr. Lackey has more than 15 years of experience in collaborating with government agencies, customer groups, and Fortune 500 companies to develop winning strategies, optimize business processes, and deliver on strategic growth initiatives. He is currently guiding the Virginia Department of Motor Vehicles through a multi-year transformational journey to improve customer experience and reduce costs. In his previous role as VP of Business Optimization at GAF, the world's largest roofing manufacturer, Dr. Lackey led strategic growth projects and productivity efficiencies across the company. During his time at GAF, he built broad networks within the building materials manufacturing, distribution, and installation industry.
Prior to GAF, he had deep relationships with manufacturing companies and energy-related public sector agencies as an Associate Partner at McKinsey & Company. His business acumen and transformation skills shine through his ability to identify winning strategies and mobilize people to turn them into value for customers and citizens. Some of these include launching a new paper and packaging company post an acquisition of equals, making significant and sustainable cost reductions in an international packaging company, establishing a lean operation program for a North American oil company, and driving an organizational transformation at a multi-state public utility.
Dr. Lackey's experience driving agile product development teams, designing lean shared service organizations, and leading strategic growth initiatives has made him a force multiplier in several organizations. He leads with a clear vision, strong passion, and inquisitive approach that brings out the best in those around him. He is deeply experienced in designing, planning, and executing complex value creation work streams with the input and oversight of boards, C-suites, and external partners. Dr. Lackey received his Bachelor’s degree in Sociology and Spanish from Duke University and acquired his Ph.D. in Social Psychology from the University of North Carolina at Chapel Hill.
Narrator: Hello and welcome to the FraudKast brought to you by LexisNexis Risk Solutions, the series that shines a light on fraud and theft across numerous government benefit programs. FraudKast is hosted by Larry Benson, Director of Strategic Alliances for LexisNexis Risk Solutions Government Division, and the creator and principal author for the Fraud of the Day website. And now, here's Larry with today's guests.
Larry Benson: Welcome to the FraudKast. This is your host, Larry Benson. Today we're going to discuss how and why DMVs are transitioning to the web and the risks involved. They've been doing this for a long time, but now, there are transitions going on, different actors coming in, and modifications that need to be made to keep our systems secure. To do that, I've got 3 experts on the line with me.
One, Gerald Lackey, who's the Commissioner of the Virginia Division of Motor Vehicles. Beau Hurley, who's the Chief Information Security Officer, and Joe Hill, who is the Chief of Law Enforcement. Gentlemen, welcome.
Gerald Lackey, Beau Hurley, and Joe Hill: Thank you.
Larry Benson: So, let's start off by setting the stage. DMVs have a tough job. You guys do an awful lot of things.
You do licenses, you do permits, you do ID cards, you do vehicle registrations, revocations, suspensions, driver history, testing, all across millions of drivers, and in other cases and in certain states you have to deal with voting, etcetera. It is an enormous job and it's a really important job. So, what I want to do is I want to start looking at, where are we going with the web? Where are we going with security? How are DMVs dealing with this? Because more and more services are being requested by the constituents to go online for convenience, etc. But it opens the door for questionable characters coming in, so please jump in. Give me an idea of where we're going.
Gerald Lackey: Well, Larry, thank you again for having us on the Kast again. I'll chime in quickly and then I'll let my two experts here really speak to some of what they're facing on the crime front and prevention front. But I think what we used to do was correct. More customers want to self-service. They don't want to come into a DMV and stand in line. It's not novel or new, but the things that they're asking us to let them do online in terms of get a driver's license or register a vehicle are more sensitive than they were before. And so that raises with it a higher level of risk and while customer service is our passion, the issue is that we need to always take account of the minute you put a system out there, the minute you put something that's supposed to be useful to the average citizen, you have bad actors trying to exploit it and they tend to come in two forms for us. One is a lot of bad actors want access to our data, and that is not just domestic, but a lot of foreign governments trying to infiltrate DMV data. It's very sensitive data, gives you access to a lot of information that then can be used to identify you and/or pretend to be you online. The other way that we're seeing a lot of fraud happen is from the bad guys out there using online marketplaces and online technology to try to commit crimes that have been around forever, like vehicle theft. So, you know, I'll let my experts talk a little bit about what they've seen and how they're defending us. But both sides are deploying our important customer service and also security.
Beau Hurley: I can chime in on the cyber side of the House. So from a cyber side of the house, the more transactions that we have online, the larger the threat landscape, our attack surfaces. One of the things that we've seen recently here is the overseas activity has been increasing, especially during election years or other times where there's significant events happening. Again, election's a big one for us, but we also have, during hurricanes or other national disasters.
Joe Hill: So, it's important for us to collaborate with other departments of motor vehicles. Other areas that have information that is interesting to these fraudsters and with other law enforcement. So we're being trusted with securing this information. So the fraudsters are looking at us through a couple of different ways, one looking to get into our systems and get information that they're not entitled to and the other is to input information that they're not entitled to. As the Commissioner mentioned, stolen vehicles is a big concern here recently, so if someone steals a vehicle and they need to get a legitimate registration. So they may create an identity of a vehicle that does not exist and they try to get that into our system, so that it would appear that they have legitimate title and registration.
Larry Benson: So you're telling me, Joe, that they're going to create a VIN and they're going to try and put that into your system so they can drive around with that vehicle? And I'm assuming it's not just one VIN, it would probably be a whole stack of VINs.
Joe Hill: Yes, that's one of the things the fraudsters do is they do create VINs.
That's where the collaboration with AAMVA has some good tools for us, the National Motor Vehicle Title Information System. So we can compare across states. We get a VIN if someone comes in and we can see the history of that vehicle, where that should be. If they're coming in, if they've already created the title somewhere else and they're coming in with a title that is a different state than what that database tells us is on record. Then obviously that's a red flag. Investigate that.
Larry Benson: OK. Go ahead, Gerald.
Gerald Lackey: Well, I was going to add, one of the interesting things that chief is talking about. There is, this is not your average individual stealing a vehicle, right? When you're getting into the level of, they're trying to clone VINs and input them in the system, you're talking organized crime. You're talking well-funded, organized crime that has tentacles into drug trafficking, human trafficking, and other kinds of theft. So, we're up against sophisticated bad actors, not your novice on the street that we typically think about when we think about a stolen vehicle.
Larry Benson: Mm-hmm. Now are there services right now that you can't put online, but you think in the future will migrate in that direction?
Gerald Lackey: Beau, that would be a great one for you to take.
Beau Hurley: Yes, but again, with any new system we're bringing online, we've got to balance the risk on it. I'm not aware of anything that's in the hopper today that I have available. What we're actually looking at today is, because of our high stringent controls and the security controls we have here in the Commonwealth, probably some of the highest in the nation, we're looking at the amount of friction we're putting on some of these transactions and we're trying to find that right balance between, you know, what's a good security posture versus the right amount of friction that we put on something, for customer ease. We're looking at some of our transactions that we have today, that could potentially be separated into two separate transactions. One more of the low friction and then reserving that high friction for a higher level of authentication. So we've actually got a project right now, we’re reevaluating all of our present online transactions and rating them by risk and determining if there's some way for us to better serve the customers. Going back to something we talked about earlier was the evolving number of transactions, our presence. And the more transactions we put online, the larger the threat landscape is for us. One of the things, you know, that over the years has really changed. So when I first arrived at the DMV with the 30 to 40 transactions they had online, we hosted most of those ourselves. Well, because of our goal to provide as much service as possible online, we've engaged a lot of vendors and these vendors now are hosting some of our more sensitive applications. We have the same requirements for them as we do for ourselves, so that increased our threat landscape quite a bit. And it's not just us, it's also our partners, those that we deal with in other territories. Again, it could be another DMV in another state that's expanding their online presence, and it could have an impact, a negative impact on us.
Same thing with all of our services, actually.
Larry Benson: So what percentage of transactions would you guess that you actually service online versus at the brick and mortar facilities? Is it 10%? Is it 50%? I'm just kind of curious as to how much has transitioned on. If you could just ballpark a number because I know it won't be perfect.
Gerald Lackey: Beau, you may have a number. What I’ll tell you, the most common online transactions are either your address change, your reissuing of an existing license, or the most common one is your registration renewal for your vehicle. Those tend to be our most common transactions. A lot of other stuff, people still come into the service center for. Beau, was that, would you characterize it differently?
Beau Hurley: I agree with that. And again, I don't have the numbers in front of me right now.
I can tell you it's been increasing year over year as we do this. And especially during the pandemic, we had a huge balloon at that time period where we're forcing people to do everything online. Even post pandemic, things have reverted back to in person some transactions, but some have remained predominantly online, and again the ones Gerald cited, those were it.
Gerald Lackey: I do think it's about 45%. Now don't hold me to that, but I think it's around 45% if you just did transaction to transaction and a lot of that is, you know, large volume. It's the registration renewals that make up a big chunk of that.
Larry Benson: Makes sense. I would think anything like that would all be done online or virtually all be done online. Now, do you have kiosks deployed?
Gerald Lackey: No, we do not. Those were tried out a couple decades ago. They didn't seem to be very successful. We've talked about it before, but again a lot of the kiosks, that self service could be done, the same things that you would let somebody do at a kiosk, you could likely have them do online. Yeah, it’s like the extra set of security, like a Real ID for example, can't be processed in a kiosk. You have to physically hand a human being documentation.
Larry Benson: Yeah, that's the Real ID requirement. Question is, do you ever foresee that going online where there is no need for a brick and mortar anymore?
Gerald Lackey: I do. But to me, that's going to tie into something else that you see only a handful of DMVs, including Virginia, are doing right now, which is mobile ID. Giving you the ability to create a digital image of yourself and that also then allows us, there are companies that are coming up, that allow us to use that same technology like you unlock your iPhone or your Android with facial recognition. Bounce that against your digital image and confirm that it's you. That level of security. It's still rather new and I think as that becomes more ubiquitous, I would expect that people would allow folks to do those transactions online, because now you know who you're actually interacting with. That's the biggest danger right now is we don't really know who's on the other end of that computer.
Larry Benson: Sure. Now Joe, from a law enforcement side, as we move towards mobile driver’s licenses, do you see a challenge where some states don't accept them, some states do? And now all of a sudden as a Virginia driver goes out to Oklahoma and gets pulled over, he's got a digital license. Do you foresee a challenge there?
Joe Hill: I do foresee some challenges there. Law enforcement has been slow to adopt these, recognizing the mobile driver's license just because some of the challenges that come with it, and handling the person's phone and the privacy concerns, those sorts of things. So really for this to be ubiquitous, as the Commissioner mentioned, I think we would need to come up with some kind of standard and for law enforcement to all get on the same page and recognizing those mobile driver’s licenses from the different states.
Larry Benson: So as we move towards mobile driver’s licenses and new technologies, what do you foresee is the risk? Because it always seems as though as we transition from one level of technology to the next, the fraudsters are right there behind us, on our heels with, “Hey, I'll do this to get around this solution” and it opens the door for additional challenges.
Joe Hill: There will be some additional challenges. As with anything, any information on an electronic device, obviously you have to be concerned about the security of that information on that device. The encryption of the information, whether it's at rest or in transit, are a couple of the concerns that we have. But it's nothing new to us. Even with the physical driver's license there are risks with that. We’ve historically seen people get driver's licenses in their brother's name or in their sister's name, those sorts of things. It's just a different set of risks. Well, actually mitigates some of the risks as well. One of the problems with the physical card and showing identification to some entities. That has a lot of information, of personal identifiable information, that you might not want to share with some people.
So that's one of the positives about the mobile driver's license or mobile ID, is that you can limit the information you show depending upon who you're trying to share that information with.
Larry Benson: Makes sense. So where are we going with this technology? What's the next step?
Mobile driver’s licenses obviously is one. Putting more services online. Checks and balances have to go in place. What are the next things that we can anticipate?
Gerald Lackey: I don't have a crystal ball, but I would say if you look over the next, I think it'll take 10 to 15 years, but the word I have is seamless interoperability. What does that mean? That means when I move from Maryland to Virginia, I don't have to visit the Virginia DMV. My mobile ID translates right into a Virginia ID because it goes through a trusted third party, what we call the Digital Trust Service at AAMVA. I would imagine that I'd be able to transfer my vehicles the same way. They're in a digital database in Maryland. Once I've verified who I am, and I've verified the vehicle has a valid VIN, and I've got the history of its title, I just transfer that from being in Maryland to being in Virginia. So I imagine this to be able to move across states a lot easier than we do today, because it's still very paper and in-person based. But I think that degree of interoperability will require many of the states to be on the system, and historically every new system that's been rolled out by our national group called AAMVA has taken 10 to 15 years to get full adoption. Some of that's funding, some of that's politics. But I do see us getting to that point. And then after that you have international interoperability and those conversations are already taking place. Virginia is in conversations with other countries at the moment to offer interoperable driver's licenses. It's not about mobile driver's licenses yet, but that would be a logical next step at that point.
Larry Benson: Mm-hmm. Have you had discussions with Puerto Rico? Because we all know that Puerto Rican birth certificates, and fraud coming through there by people that have gone in, take an identity, gotten a birth certificate of some innocent citizen of Puerto Rico, and then shown up in the states claiming that they’re that individual, that has been a problem for the last 50 years and we still haven't addressed it. Have you guys been able to crack that code, so to say?
Gerald Lackey: Well, I can't comment on any ongoing conversations, but what I would say is that the issue of birth certificates, broadly, in the United States, is difficult. You don't have 50 different ones.
You have 50 times 10. You have hundreds of different, and I know, you all know that very well, and that issue alone, you have one individual who's had 12 months or less of training at the front line that is supposed to determine whether or not the piece of paper they're holding in their hand from Missouri in 1972 is valid or not. And it's almost impossible for that individual without the support of additional technology to even be able to do that.
Larry Benson: Yep, I agree. Big, big problem. Been going on for an awfully long time. Other technologies that you see coming down the road that impact your agency?
Gerald Lackey: Beau, what do you think?
Beau Hurley: For me, autonomous vehicles. You know, when that comes around, talking about these autonomous vehicles and how we actually register vehicles today, how we license vehicles today, is going to change.
Gerald Lackey: Great point.
Larry Benson: It's interesting, Gerald, when you mentioned that through AAMVA, a license could transfer from state to state. Some people would look at that and go, wait a minute, that's like a national ID card.
Gerald Lackey: But I would say the issuing authority is still the state that you live in, right? And so, a national ID card, that's the federal government that would be responsible for your data as opposed to where we have it now, is, it's a state responsibility. So it should move seamlessly as if it were something that was national, but I think each state would still have its own data privacy laws and protections and policies regarding that. So I see it from a customer perspective as being useful, but not pushing us all the way to a federal ID.
Larry Benson: Yeah. Well, like you said, 10 to 15 years for adoption, like we're seeing with things like state to state, etc. It takes a while to get everybody on board. Not an easy task. What other things do we need to cover here to help educate our brethren across the country?
Beau Hurley: One of the new ones for me is AI. Again, we've been using AI or things related to AI like machine learning for years now to be able to look at our firewalls, analyze those, stop the bad guys based on patterns. But now AI is also being used by the nefarious actors now to generate scripts to be able to get access to it. It no longer takes someone who's been to college to learn C# or another language to be able to write the scripts necessary to break in. Now they can just ask their AI, hey, how do I get around this? What do I do with this vulnerability? So now instead of having several skilled hackers out there that maybe target me today, I've now got 1,000 people that are equipped with AI who are banging away at me.
Larry Benson: Wow, it all of a sudden changes the dynamic, by orders of magnitude.
Beau Hurley: And the other big one too is supply chain management. I mentioned earlier, all the services that we're putting online, we're relying upon vendor relationships. We've got partners helping us with these services. While we do everything we can to be able to make sure that they're following the same stringent security controls that we have, and we do the typical reporting oversight, SOC reports, all that stuff. There's also that possibility of someone inserting something within that supply chain, and then that supply chain, you know, leads to a compromise that's somewhere that could be 3, 4, 5 levels down from us, but it has a huge impact on our operations.
Larry Benson: Well, that's what I believe happened in Louisiana and Oregon, where they both got hacked and they lost all the licenses. Talk about devastating.
Beau Hurley: Exactly. And that was with a third-party product for them too. Absolutely right.
Larry Benson: What's that, Gerald?
Gerald Lackey: I was going to say, one of the other things that concerns me is there's a lot of pressure, especially from private industry, to move quickly into a lot of this online digital space. E-Titling is one of those efforts where they, you know, from a dealership perspective, they want to make it seamless and online and easy. But the flip side that we find ourselves constantly sort of discussing or debating with them is how fast is too fast? How fast is going to expose you to risk that, while you as an individual entity may not be concerned about, we as public servants have to be concerned about because the average citizen is being put at risk at that, in that, situation. So it's a constant tug of war right now, I think, between some of the momentum that's out there with this technology, especially in the hands of private sector. And the public sector, who certainly don't want to stand in its way, but we do need to shape that future so that it's a safe and secure one, not just a convenient service one.
Larry Benson: That's kind of like what Beau was alluding to, you can introduce a level of friction, but if you go too far with it then you've got the public complaining it's too difficult to use even though you're using it to actually protect them. And it's a difficult balance to figure out.
Joe Hill: Yeah, anytime you're considering security issues, that balance is very important because you can lock down things to the point of people not being able to use them, so you have to be conscious of that.
Larry Benson: Absolutely. What you guys do is a tough job and this adds just another level to it. It's a balancing act all the way around, and of course you've got the usual actors that come into a brick and mortar and they're using somebody else's identity. The other challenge being you've got internal risks and you run into that from time to time, and every state's got them.
Gerald Lackey: The human factor, I think Beau would tell you that a lot of the human factor in fraud is huge. I mean, you can turn one individual who has access to our sensitive systems, for whatever reason, blackmail, opportunity, whatever. That person can introduce harmful malware to our system, which then infiltrates it. And we have to constantly be on the lookout for that. Or they can just be processing things, you know, illegally. And we're constantly looking at transaction data to pick up patterns and things like that. So it's not always a foreign actor sitting across the ocean, it’s sometimes somebody sitting downstairs.
Larry Benson: Yeah, exactly. The challenge is it has gotten so easy because everybody's got this little thing called a cell phone and all they have to do is bring up a screen, snap a picture of it and either text it or e-mail it out of the office.
Beau Hurley: And to the point, again, it's not just, you know, when you talk about insider threats, for me, it's not just our internal DMV employees or contractors we have embedded here in the building, but it's also those that are our partners. We partner with other state agencies. We partner with other entities, companies, that we share a lot of data. It's hard for me to be able to provide the right oversight on how an external entity is managing my data and access to it. From our side, we develop patterns. We look at the user behavior patterns of that company or that individual, but again, if someone is slowly increasing their usage of our data, to me it looks like a good trend. On the other end, again, I don't have that visibility, but maybe they're doing something fraudulent on that side.
Larry Benson: Sure. And you're assuming that those partners are good partners. Yeah, you have to keep an eye on them, but you've only got so many resources to work with.
Beau Hurley: Yeah, and to that end, we've taken some initiatives. We do seed our data that we share with other entities. So we do have fictitious records that are out there and I do have tools and monitor for those. So we do our best with what we can for determining, you know, indicators of compromise.
But it's a huge job and it keeps growing.
Larry Benson: Well as you add partners, which you will probably have to do over time because the technology's changing, you're just adding more challenges. Anything else?
Joe Hill: I want to say something about the collaboration. Again, I think that's an important piece of combating fraud is the collaboration not only with the industry partners and businesses, but I think AAMVA has really done a lot to help motor vehicle administrations share information, and talk about fraud, and examine those sorts of risks that we have. We have a monthly call with our law enforcement and others in AAMVA and we discuss fraud in different states, so some of us may have ideas to help mitigate those things for other agencies. We also may get ahead of things that we had not considered that we learn through that monthly call.
Larry Benson: Yeah, they've done a great job of putting together fraud task forces, different technologies, everything from SSOLV to State-to-State. The stuff that you were mentioning before, Joe, about being able to monitor for VINs etcetera. They've been critical to the whole country to make this all work together. All right, gentlemen, I'd like to thank you for your time. Gerald, Beau, and Joe, your expertise is very valuable, and we certainly appreciate it, and I hope to speak with you in the near future. You guys have a great day. Thank you.
Gerald Lackey, Beau Hurley, and Joe Hill: Thank you, Larry.
Larry Benson: All right. Take care guys.
Narrator: Thank you for listening to this episode of the FraudKast. If you're interested in learning more, head over to our website at FraudKast.com for more episodes, transcripts and social media links. And remember that's FraudKast with a “K”, not a “C”. And to stay current on what's occurring in the world of fraud, be sure to check out Fraudoftheday.com.