
You are about to read about institutions that cannot protect your data. So let me tell you about one I actually trust with mine.

I use Proton Mail. Not as a sponsor talking point. As my actual email. The one I send real things from. End-to-end encryption means nobody reads your messages except the person you sent them to. Not Proton. Not Google. Not the next data broker who leaves 270 million records on an unprotected server. Your inbox is not their inventory. That matters more this week than most.


The answers to every security question you've ever been asked are already for sale. The institutions still asking those questions know it. They ask anyway.

The System is Working Exactly As Designed, Part II: The Poisoned Well

GM, Welcome Back to the Dead Drop.

Last week we told you about a company called National Public Data. A background check outfit run out of Florida by a single operator. Net worth of a used 1998 Honda Civic. Sitting on 270 million Social Security numbers like a child sitting on a landmine, not understanding what was underneath him until the whole thing went up. We told you about $20.9 billion in estimated losses from four breaches, and how that number was a rounding error.

We ended with a promise. This week we go deeper. Into the poisoned verification pipeline, how breached data doesn't just enable theft but makes the systems built to stop theft fundamentally unreliable.

The picture is worse than I told you.

The Lock on Your Front Door is Made of Glass

Somewhere right now, a woman is calling her bank. She forgot her password. The system kicks her to a security check. Mother's maiden name. Street address in 2017. The lender who held her auto loan three years ago.

She gets the second question wrong. She lived at two addresses that year and picked the wrong one. The system locks her out of her own money.

Somewhere else, a man in a rented apartment in Dnipro, Ukraine is opening a credit card in her name. He bought her complete identity profile, Social Security number, every address since college, her mother's maiden name, the VIN of her last three vehicles, for eleven dollars on a Telegram channel. He gets every question right on the first attempt.

This is knowledge-based authentication. KBA. The backbone of identity verification in the United States for more than twenty years. Built on the premise that only you know the intimate details of your own life.

That premise died quietly, somewhere around 2017. Nobody held a funeral. The body is still propped up at the conference table.

In 2024, data compromises generated more than 1.7 billion victim notices in the United States. The population is 334 million. Every adult in this country has had their identity data breached multiple times, through multiple vectors, across multiple years. In 2025, another 2.6 billion compromised records surfaced globally. A single data dump in June contained 16 billion credentials sitting in one place like a public library for criminals.

SentiLink analyzed more than 236 million account applications in the first half of 2025 and confirmed what anyone paying attention already suspected: a well-prepared fraudster can answer KBA security questions more accurately than the legitimate account holder. You stumble. You forget which address the system has on file from nine years ago. The criminal does not hesitate. He has the answer sheet. Purchased in bulk. Indexed and searchable. He answers with the calm confidence of a student who stole the test the night before, except the school left the test on the sidewalk and charged a dollar to anyone who wanted to pick it up.

The TransUnion 2025 State of Omnichannel Fraud Report confirmed it from the other side of the table: 58% of business leaders across financial services reported an increase in criminals using stolen personal information to pass KBA challenges. Not exploiting a software bug. Not running a zero-day. Just answering the questions correctly, because they bought the answers for less than the cost of lunch.

In July 2025, NIST published Special Publication 800-63-4 and put it in writing: KBA does not constitute an acceptable secret for digital authentication. Done. Unacceptable.

Today, more than 80% of banking call centers still use security questions as their primary verification method.

The government published the obituary. The industry filed it in a drawer and went back to asking your mother's maiden name. Because upgrading costs money. Because KBA is woven into legacy systems like rot in old timber. Because it is convenient, which is the word institutions use when they mean cheap.

And the poisoning never stopped. The breaches were the earthquake. Infostealers are the aftershocks, and they have not stopped shaking. The 2025 Verizon DBIR documented the infostealer economy in detail: malware that vacuums up saved passwords, session cookies, and authentication tokens from compromised devices, packages them into "logs," and distributes them through tiered criminal marketplaces. 54% of organizations that ended up on ransomware extortion sites had their credentials circulating in infostealer logs before the attack. The credentials were already for sale. The ransomware was just the monetization event. And 46% of compromised devices with corporate logins were unmanaged, personal machines employees used to access work systems. The company never controlled the security. The infostealers were already there, waiting on the kitchen table.

The well is not just poisoned from old breaches. It is being poisoned right now, continuously, through a supply chain that never closes.

The New Lock on the Same Broken Door

Here is where the optimist raises a hand. Fine, KBA is dead, but we have modern digital identity verification now. Biometrics. Document scanning. Liveness detection. The upgrade fixes this.

It does not. And understanding why is the most important thing I will tell you today.

NIST 800-63-4 requires identity proofing at IAL2 for meaningful financial and government transactions. The modern provider scans your driver's license, matches your selfie, confirms you are a living human being and not a photograph held up to a camera. Real progress.

But then it has to verify that the biographical information on your license, or that you provide, matches a real identity in the real world. And to do that, it queries the same data brokers that have been breached beyond recognition.

LexisNexis. TransUnion. Experian. These are the "authoritative sources." These are the reference databases against which your identity is confirmed. And they are not clean repositories of verified truth. They are warehouses of accumulated data, much of it harvested from the same ecosystem that produced the breaches, stored in what I will politely call a poisoned state.

When a criminal builds a synthetic identity and that identity accumulates credit history, it does not exist only in the criminal's hands. It exists in Experian's files. In TransUnion's records. The synthetic person develops a data profile indistinguishable from a real one, because the systems that are supposed to be the source of truth have absorbed the lie and made it part of the record.

So the modern provider scans a fraudulent document, runs the biographical details against Experian, gets a match, and confirms the identity. The biometric passed. The liveness check passed. The document looked authentic. And the reference data confirmed it all, because the reference data itself is contaminated.

You cannot build a trustworthy verification system on top of an untrustworthy data foundation. You are just building a more expensive lock for a door with no frame.

The Ghosts Built from Your Bones

The poisoned well does not only let criminals impersonate you. It lets them build people who have never existed.

A criminal takes a real Social Security number, usually belonging to a child or an elderly person, someone who will not check their credit for years, and stitches it together with invented details. A new name. A fabricated birthday. Sumsub documented a 311% increase in synthetic identity document fraud between early 2024 and early 2025. 1 in 5 first-party frauds they detected involved a synthetic identity.

Think about what that means for the child. A three-year-old has her Social Security number stolen. A criminal pairs it with a fabricated adult identity. Over ten years, that synthetic person opens credit cards, takes out auto loans, builds credit history, maxes everything out, and disappears. The girl turns eighteen, applies for her first student loan, and discovers someone has already lived an entire financial life in her name. That life is in ruins. The ruins are hers to clean up.

There were families, not so long ago, who lost their land to forces they could not see or name. Banks and drought and policy written in distant rooms. This is the modern version. Except the land is your identity, the forces are algorithmic, and the dust storm is made of data.

Now add AI. Generative tools fabricate consistent personal details, synthetic social media profiles, and document scans that pass automated checks. What once took a skilled criminal months can now be accomplished by automation stacks producing hundreds of synthetic identities per day. The assembly line does not sleep. It scales with the same efficiency that Silicon Valley celebrates in every other context.

And then there are deepfakes. In our healthcare fraud series, we reported that criminals in an Illinois case used AI-generated audio to fabricate the voices of Medicare beneficiaries consenting to medical equipment. They submitted $703 million in fraudulent claims. Medicare paid $418 million before anyone noticed. Criminals manufactured human consent out of thin air, and the system paid out nearly half a billion dollars.

Apply that to banking. An AI agent calls customer service armed with breached data and a cloned voice. KBA questions answered instantly, with machine precision, in a voice built from recordings of the actual account holder. Every signal the system was designed to evaluate, knowledge, voice, confidence, synthetically reproduced.

Field Manual: What You Do Now

Freeze your credit. Today. Place a freeze with Equifax, Experian, and TransUnion. It is free. It prevents new accounts from being opened in your name. This is the single most effective defensive action available, and most people have not done it because nobody explained it in plain language. I just did.

Freeze the credit of everyone you love who is not watching their own. Your children. Your elderly parents. Synthetic fraud targets people who are not monitoring their files. A three-year-old cannot check her own credit report. You can freeze it for her.

Lie to your security questions. Every service that asks you to set security questions is asking you to create a lock whose key is already in criminal hands. Stop answering truthfully. Your mother's maiden name is "TurquoiseElephant7." The street you grew up on is "QuantumOrange." Use a password manager to store the answers. Criminals cannot Google what does not exist.

Interrogate your bank. Ask how they verify your identity when you call. If the answer is security questions, push for app-based authentication, callback verification, or voice biometrics. If they have nothing, consider whether an institution guarding your money with a system the federal government has declared unacceptable deserves to keep guarding it.
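A small generator for the kind of fabricated security answers the "Lie to your security questions" item recommends, added here as an example (not the newsletter's own tooling). The wordlists are constructed placeholders, and the entropy figures assume the answers are stored in a password manager rather than memorized.

```python
import math
import secrets
import string

# Constructed placeholder wordlists. In practice use a large list such as a
# diceware list; the entropy math below scales with whatever list you pass in.
ADJECTIVES = ["Turquoise", "Quantum", "Crimson", "Silent", "Copper", "Velvet", "Amber", "Frozen"]
NOUNS = ["Elephant", "Orange", "Harbor", "Falcon", "Lantern", "Meadow", "Granite", "Comet"]


def generate_answer(adjectives=ADJECTIVES, nouns=NOUNS, digits=1, rng=secrets):
    """Build a fake 'security answer' like TurquoiseElephant7 from a CSPRNG.

    rng only needs a .choice() method, so random.Random(seed) can be passed
    when a reproducible result is wanted for testing.
    """
    word = rng.choice(adjectives) + rng.choice(nouns)
    suffix = "".join(rng.choice(string.digits) for _ in range(digits))
    return word + suffix


def entropy_bits(adjectives=ADJECTIVES, nouns=NOUNS, digits=1):
    """Entropy of the generated answer space: log2(|adjectives| * |nouns| * 10**digits).

    With the 8x8 placeholder lists and one digit this is ~9.3 bits; two words
    from a 7776-word diceware list plus two digits would be ~32.5 bits.
    """
    return math.log2(len(adjectives) * len(nouns) * 10 ** digits)


def real_answer_entropy(candidates):
    """Entropy of a truthful answer drawn from a pool the attacker already has.

    If the breached profile names the mother's maiden name outright, the pool
    has one entry and the 'secret' carries 0 bits.
    """
    return math.log2(len(candidates))


def fill_questions(questions, **kwargs):
    """Map each security question to a fresh random answer.

    The returned dict is what you paste into the password manager's notes
    field for that account; nothing here is meant to be remembered.
    """
    return {question: generate_answer(**kwargs) for question in questions}
```

The point the numbers make: a truthful answer already sitting in a breached profile is worth 0 bits, while a generated one is worth the log2 of the pool you draw it from.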

The Fraudfather Bottom Line

The American identity verification system was built on shared secrets. Your mother's maiden name. Your first car. The street where you were a child, before the world became complicated in ways you did not yet understand.

Those secrets are not secrets anymore. They are inventory, warehoused on criminal servers, bought and sold in bulk. The system that was supposed to protect you by asking questions only you could answer now protects no one. The criminal answers them better than you do. And the modern systems built to replace KBA still verify your identity against databases that have been poisoned for a decade. The new lock sits on the same broken door.

Somewhere tonight, a woman who lived at two addresses in 2017 is locked out of her own bank account while a man in a rented apartment halfway around the world buys a car in her name.

The system is not broken. It was designed for a world where your secrets were still secret, where your data was still yours, where the institutions that collected it could be trusted to protect it.

That world is gone. It left quietly, and it is not coming back.

There is an old line, older than any of us: the first casualty of war is the truth.

Right now, as the conflict between Israel, the United States, and Iran reshapes the Middle East, real people are in real danger. Families displaced. Communities shattered. People grieving, afraid, and desperate for information they can trust. That desperation is sacred. It should be met with honesty and aid.

Instead, it is being met with email scams.

Bitdefender's Antispam Lab published findings this week identifying at least seven distinct fraud campaigns exploiting the crisis, every one of them following the same template that has been separating people from their money since the early days of the internet. The Nigerian Prince did not die. He just updated his passport.

The structure has not changed in twenty years. A stranger contacts you with an urgent, emotionally charged story involving money trapped in a dangerous place. They need your help to move it. They promise you a cut. All you have to do is respond, provide some personal information, and cover a small administrative fee. That fee is the product. You are the customer. The money does not exist.

One email claims to be from the lawyer of the eldest son of the late Supreme Leader of Iran, seeking help claiming secret funds deposited in Turkey before officials seize them. Another features a supposed Powerball winner offering $2.5 million to "randomly selected individuals" as humanitarian support. Because that is how lottery winners operate. They email strangers. A third poses as a government representative seeking help relocating $1.9 billion. Billion, with a B. Sent to your Gmail.

Bitdefender noted the execution is sloppy across all seven campaigns: grammar mistakes, conflicting details, timeline errors. The lab called it an "early testing phase," which is the polite way of saying the criminals are A/B testing your inbox to see which storyline gets the most replies before they build the polished version.

This is the part that should make you angry, not just cautious.

These scams do not operate in a vacuum. They poison the well for legitimate relief efforts. Every fraudulent charity email makes someone less likely to donate to a real one. Every fake "displaced family" narrative makes real displaced families less believable. The scammers are not just stealing money. They are stealing trust, the very resource people in crisis need most. The first casualty of war is the truth, and these people are looting the body.

Bitdefender tracked the identical pattern during Ukraine. Before that, COVID. Before that, Syria. The psychology never changes because human nature never changes. War creates fear. Fear creates urgency. Urgency overrides critical thinking. The sloppy versions circulating now will evolve. The grammar will clean up. Fake charity websites with professional design will appear. Social media ads will push donation links that look legitimate until you check the URL. The testing phase always gives way to the production run.

The Fraudfather Bottom Line

If you want to help people affected by this conflict, and you should, go directly to established humanitarian organizations. Type the URL yourself. Do not click a link from an email, a text, or a social media ad. The International Committee of the Red Cross, Doctors Without Borders, UNHCR. These organizations do not email strangers asking for Bitcoin.

The Nigerian Prince has survived every conflict, every pandemic, and every technological revolution of the last quarter century. He will survive this one too. The only variable is whether you let him into your wallet.

The first casualty of war is the truth. Do not let the second casualty be your bank account.

The Fraudfather combines a unique blend of experiences as a former Senior Special Agent, Supervisory Intelligence Operations Officer, and now a recovering Digital Identity & Cybersecurity Executive. He has dedicated his professional career to understanding and countering financial and digital threats.

This newsletter is for informational purposes only and promotes ethical and legal practices.
