Friday, July 31, 2020

I was approved for a $100K HELOC loan using the Colorado Digital ID™

Are you using your Colorado Digital ID™ for purchases and services requiring identification within our state? It’s a convenient, legal form of identification that’s with you all the time on your smartphone! As the myColorado project manager, I might be a little biased, but when I’m out and about, I take every opportunity possible to see which Colorado businesses are accepting the Digital ID. Below are just a few examples I discovered! 

Colorado Digital ID Use Case


My husband and I were sitting on the patio of a German restaurant here in beautiful Colorado enjoying a couple of pilsners when we heard a small commotion across from us. The server was asking a young man to provide his ID to serve him alcohol. He was seated at the table with what appeared to be his older brother and their parents, and they were telling the server that he was over 21 years old. After several minutes of back and forth, the frustrated young man stood up, grabbed his phone, and stomped off to his car in search of his wallet and physical driver license. I wanted to sprint over and let him know all about the Colorado Digital ID that’s stored in the myColorado™ mobile app Wallet. It’s simple to set up and use, and it’s an official form of identification backed by Executive Order B 2019 013, signed by Governor Polis on October 30, 2019.


I had an experience similar to my friend at the German restaurant - I had left my wallet at home, but the Digital ID came to my rescue. Our washing machine had given up after 15 years and the dryer was holding on by a thread. My husband and I headed to a major hardware store in the area in search of replacements. After we chose what we wanted, the store clerk offered us a 12-month interest-free option for current customers. My husband had never set up an account with them, so they had to use my profile to take advantage of the offer. Often, I don’t bring my wallet when shopping with my husband, and this was the case on that day. Therefore, I showed my Digital ID to help the store clerk find my account and he didn’t flinch! The clerk diligently verified the information on my Digital ID with his computer records and within minutes I was approved to purchase a brand new washer and dryer. 


Next, loaded with confidence, I decided to put a bank to the test. My husband and I had applied for a $100,000 home equity line of credit, or HELOC. When the time came to close on the loan, we were directed to a conference room at the bank to sign documents and present our IDs. While this time I had my physical ID tucked away in my purse, I was not going to pull it out unless absolutely necessary. (Note: The Executive Order states that merchants may accept the Digital ID, but are not required to at this time.) The bank official asked us for our IDs to take a photocopy of them. I showed my Colorado Digital ID on my iPhone. A bit puzzled, the banker called a notary public into the conference room to validate our identity and proceed with loan execution. I realized that by presenting a Digital ID, no hard copies of my physical ID would be taken. Therefore, this was a more secure process to protect my identity since a hard copy of my physical ID would not end up in a folder in the bank's files.


A digital form of identity is here to stay, grow, and evolve. In the last couple of years, I have noticed that friends and family members are increasingly leaving their wallets behind and carrying only their smartphones since many financial transactions can be conducted digitally without a physical debit or credit card. The same goes for providing proof of age, address, and identity here in Colorado! When ordering a drink at a local bar or restaurant, making big purchases, or applying for a loan, you can rely on the Digital ID.

Download myColorado and set up your Colorado Digital ID today! For more information, visit


How to set up your Colorado Digital ID:

  • Download the myColorado app on your smartphone from the Apple App Store or Google Play store
  • Scan the PDF 417 barcode on the back of your physical driver license or state ID card
  • Create an account and get authenticated to access your Digital ID
  • Start showing your Digital ID as proof of identity, age, and residency within Colorado

Note: Because the Digital ID is new and is not accepted everywhere yet, be sure to carry your physical driver license or state ID card wherever you go.

Today’s blog comes from Olga Klinger, Project Manager with OIT’s Customer Office.

Friday, July 24, 2020

The Great Toilet Paper Cyber Hack of 2020: Part 2 - Lessons Learned

Stop! Before proceeding, check out Part 1 of the Great Toilet Paper Cyber Hack of 2020 - posted on July 10, 2020.

Lessons Learned

When I reached out to Hal several weeks later to ask all the questions that kept nagging me about this activity, I learned that Hal had taken several actions to ensure this would never happen again. Hal and I agreed that we should share those as lessons learned.

1) Shop From Known Merchants

As mentioned in Part 1, it’s always best to be suspicious of unsolicited advertisements on social media sites, in emails, and anywhere else you encounter them. No doubt, many of these sites are legitimate with legitimate products to sell; however, as Hal experienced, many of these are created for malicious purposes. Some of these purposes might include:
  • obtaining your credit card, your password, or other personal information;
  • enticing you to donate to a fake charitable cause;
  • or downloading malware onto your system.

In Hal’s case, he got a double dose - the site he accessed sold him a fraudulent product and downloaded malware onto his system.

Another point - pay attention to where the items are coming from and where the business is located. Unless you specifically desire a foreign-made product, it’s probably safer to buy from U.S. suppliers.

2) Use Two-Factor Authentication

Use two-factor authentication on all accounts where it is offered, such as social media, bank, shopping, and - most importantly - email accounts. This will help prevent access to your accounts should your credentials be stolen. Additionally, never reuse your passwords across multiple accounts. If the account credentials for one site are obtained, you don’t want them to be used to compromise other accounts.

3) Don’t Store Account Credentials in Your Browser

This one is challenging, I know, but refrain from allowing your browser to store your account credentials. It may seem a convenience but as Hal experienced, if an attacker gains access to your computer, it’s relatively easy to extract and decrypt those credentials out of your browser. Even a rookie can do it! Use a password manager to safeguard your passwords, and ensure you authenticate to that tool using two-factor authentication.

4) Lock Your Computer

Additionally, Hal mentioned that he now locks his computer when he isn’t using it, and for good measure, he never leaves his browser windows open and logged in to his accounts.

5) Backup Your Files

Reloading his computer didn’t concern Hal at all because he had a regular backup schedule and was confident he wouldn't lose any important pictures, documents, or other data. I know many people who back up their data to a cloud service, and many others who use a USB-connected drive. Either of these will work as long as you appropriately safeguard access to your backups. This means two-factor authenticated access to your cloud provider, or ensuring that you disconnect the USB drive and store it somewhere safe. Do not keep it connected to your computer or in your laptop bag once you are done with the backup!

A Happy Ending

Hal assured me that his reloaded computer is working better than ever and that he’s confident this will not happen to him again. Additionally, his cabinets are now stocked full of Charmin Ultra Soft Mega rolls - the authentic product! He committed to never allow his supply to get low enough during a global crisis to be tempted to order from any previously unheard-of Chinese site! Oh, and subsequently, we learned that Charmin makes their product right here in the U.S.A., so there is no need to send away to China to get this essential product!

Today's blog comes from State of Colorado Chief Information Security Officer Debbi Blyth.

Friday, July 10, 2020

The Great Toilet Paper Cyber Hack of 2020: Part 1

A friend of mine told me this story about how his computer was hacked in his search for toilet paper. This occurred in late March 2020 - when toilet paper was non-existent in stores across the nation. My friend “Hal” (not his real name) told me that he found some Charmin Ultra Soft toilet paper available for purchase online. He did some price comparison and found it to be a fair price - not gouging and not cheap, but reasonably priced. There was nothing unusual to indicate that it might not be authentic, so he ordered it. He was expecting a package of 60 Mega rolls, which should last a while.

Within a day his credit card company informed him that he had attempted to make a purchase from a company in China - it was the toilet paper purchase! Hal authorized it, figuring that is probably where Charmin is made or that it might simply be the only company or warehouse where Charmin was still in existence. And realizing at that point that the Charmin was coming from China, Hal prepared to wait for his toilet paper. Note: Being the good friend that I was, at this point, I brought him a package of toilet paper!

A couple of weeks later, Hal was out shopping - probably for toilet paper - and kept receiving unrequested second-factor access codes from his bank and retirement account providers. That was a clear tip-off that someone was attempting to access those accounts. He came home to discover some very unusual activity had occurred on his computer while he was out. He noticed that several browser sessions were open using a browser that he didn’t typically use, and that these browser windows were logged into a few of his accounts! He immediately took the computer to his local computer center to have it reloaded; they confirmed that malware was present on the system.

Over the next several weeks, Hal worked with his credit card company, Amazon, and PayPal to have fraudulent charges reversed, and with his bank and retirement account providers to change account information and reset credentials. Additionally, he changed all the passwords saved in his browser and implemented two-factor authentication on all of his accounts. The total charges to be reversed were in excess of $1,000 and this consumed almost two full weeks of Hal’s time! Fortunately, the world had recently gone into quarantine-lockdown, so Hal didn’t have a lot of other things to do.

Adding to the time, delay, and frustration was the fact that most merchant and bank employees had become remote and were not immediately reachable by phone. Almost all of these inquiries and transactions had to be done by email, with return calls by phone, adding hours and days of delay.

Sometime during account cleanup, the long-awaited toilet paper arrived! It came in a box about the size of a shoebox. 60 Mega rolls of toilet paper fit in a box the size of a shoebox!!! So much for lasting a while! So Hal taped the package back together and sent it back to whence it came!

Hal realized that his computer hack and the fraudulent “Charmin” toilet paper from China were related, and he’s confident that when he visited the site to order the toilet paper - or when he returned to check the status of his order - he also received malware. What is interesting is that a few weeks had elapsed between when Hal ordered the toilet paper and when the attacker became noticeably active on Hal’s computer.

Digging A Bit Deeper

When I asked Hal how he came upon this site from which he ordered the toilet paper he said that he saw an advertisement on social media. Ah-ha! One lesson learned: never click on advertisements you see on social media sites. Always shop from known and reputable sources. A typical indicator of fraud is that the item is priced significantly lower than its alternatives. In other words, if the price seems too good to be true, be wary. In this case, that particular warning flag was not present.

But this issue nagged at me for several weeks as I thought about how the attacker used a completely separate browser on Hal’s computer, a browser that Hal does not use, to access Hal’s accounts. So I reached back out to Hal and asked a few more questions…

Of course, all my questions would have been easily answered if we could have obtained a forensic examination of Hal’s computer. But Hal had already dropped it off at the computer center and his computer had been reloaded before he told me about the issue.

I determined two potential scenarios in which access to Hal’s accounts may have occurred... 

Scenario #1: Keylogger

The attacker may have installed keylogger software on Hal’s computer and simply captured passwords when he logged in to his accounts. This could certainly explain why there were a few weeks of dormancy before the attacker became active - he had to wait for Hal to log in to collect account credentials.

But Hal told me that he typically saves his password in his browser, and uses those saved credentials when accessing his accounts so he doesn’t have to remember the password. So while a keylogger may have been installed, it wasn’t likely the source of the password collection.

Scenario #2: Browser Password Extraction

A scenario started to form in my mind that somehow Hal’s passwords were extracted from the browser he typically uses. I could see this in a physical scenario in which I might be logged in to my computer with my preferred browser open, and then walk away without locking my computer. Someone (officemate or housemate) could potentially get on my machine, navigate to Amazon, and log in as me since the credentials would be automatically populated by my browser (assuming I had them saved). However, they would have to use the browser that I typically use. This scenario would not work if they attempted to access Amazon using a completely different browser. Was the attacker just showing off?

Another thought. If my officemate or housemate wanted to know what my Amazon account password was, they could access the security setting on my browser and “see” my password! But as I chatted with Hal about this, he reminded me that the attacker would have to know my master password in order to see the passwords saved for each account.

All of the components of the scenario I described above are related to a person attempting to access the computer physically, in person. Similarly, in the virtual world, the attacker would have to remotely access the system, pose as Hal, and either use the currently running browser or launch a new instance of Hal’s favorite browser. This would have likely worked with the remote access the attacker had, but Hal saw no evidence of the attacker having used the browser he left open. And if the attacker did take over the running browser, why would he go to the trouble of using a completely separate browser to log in to Hal’s accounts? It would be a silly and unnecessary step!

It occurred to me that this attacker was a one-trick pony. He had a tool that he liked to use to extract the passwords out of the most common types of browsers, including the one that Hal typically uses. And like Hal, this attacker had a preferred browser too, and it was a browser that Hal doesn’t use. In fact, that browser application didn’t even exist on Hal’s computer before the attack, so the attacker actually installed it!

When Hal visited the toilet paper advertising site, unbeknownst to him, he downloaded malware, which was executed using Hal’s privileges. This malware was likely a remote access program, and since it was running with Hal’s permissions, it looked to the system as if it was Hal. This attacker then loaded his own toolkit onto Hal’s computer. The toolkit consisted of a piece of software designed to retrieve and decrypt passwords from specific types of browsers, and it also included the browser application that the attacker likes to use.

The attacker’s software allowed him to issue a command, posing as Hal, to run a process extracting all the valuable information out of Hal’s browser, including his browsing history, bookmarks, and web browsing cookies. Most damaging, this software also retrieved all of the encrypted account data out of the browser, and decrypted it into a plaintext file. This file, now accessible to the attacker, contained a list of all of the sites (URLs) for which Hal had stored access credentials in his browser, including his username and password for each!

A Rookie!

I’m convinced that this attacker was a rookie, not a professional hacker. Here are a couple of reasons why...

Obvious Actions

The attacker used the browser he loaded on Hal’s system to attempt to get into Hal’s accounts. This activity could have been observed at any time by Hal! A professional hacker would have retrieved the file containing the decrypted account credentials and moved it to another system. Professional hackers often automate many of these actions so they can retrieve as many account credentials from as many people as possible, in the shortest time. And whether or not they use the data themselves, it often ends up for sale on illegal sites.

Didn’t Hide His Tracks

Most likely Hal caught the attack in action, which is why he saw the browser, and why the malware was observed by the computer center. A professional attacker typically erases all tracks of his existence to lessen the risk of detection and give him more time to make money or purchases using the stolen data.

Daytime Activity

Had the attacker waited until typical North American “sleeping” hours, Hal might not have caught the activity for a while and the attacker would have had more time to access more accounts. 

Triggering Fraud Detection Systems

The attacker kept attempting to get into Hal’s bank and retirement accounts, even though the authentication process kept prompting for the two-factor authentication code. This alerted the account providers that the accounts were being attacked, and they took immediate action to safeguard the account. This also tipped off Hal that someone was attempting to access his accounts.
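An added example, not part of the original post: one way an account provider could flag the pattern described above, where the password step keeps succeeding but the two-factor code is never entered. The log format, event names, account names, threshold, and time window are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format): "<timestamp> <account> <event>"
SAMPLE_EVENTS = """\
2020-04-14T13:02:12 acct-hal mfa_code_sent
2020-04-14T13:04:41 acct-hal mfa_code_sent
2020-04-14T13:07:06 acct-hal mfa_code_sent
2020-04-14T13:09:31 acct-dana mfa_code_sent
2020-04-14T13:09:55 acct-dana mfa_ok
this line is malformed and is skipped
2020-04-14T18:30:01 acct-hal mfa_code_sent
2020-04-14T18:30:20 acct-hal mfa_ok
"""


def find_unanswered_mfa_bursts(log_text, threshold=3,
                               window=timedelta(minutes=15)):
    """Return (account, timestamp, count) for each burst of second-factor
    codes that were sent but never completed.

    A code is only sent after the password step succeeds, so several
    unanswered codes in a short window suggest the password is known to
    someone who does not hold the second factor.
    """
    pending = defaultdict(deque)   # account -> times of unanswered codes
    alerted = set()                # accounts already flagged for this burst
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue               # skip malformed lines
        ts_raw, account, event = parts
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue
        if event == "mfa_ok":
            # The legitimate owner finished the login: reset the state.
            pending[account].clear()
            alerted.discard(account)
        elif event == "mfa_code_sent":
            queue = pending[account]
            queue.append(ts)
            # Drop codes that fell out of the sliding window.
            while queue and ts - queue[0] > window:
                queue.popleft()
            if len(queue) >= threshold and account not in alerted:
                alerted.add(account)
                alerts.append((account, ts_raw, len(queue)))
    return alerts


if __name__ == "__main__":
    for account, when, count in find_unanswered_mfa_bursts(SAMPLE_EVENTS):
        print(f"{when} {account}: {count} unanswered codes, lock and notify")
```
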

Stay tuned for "Lessons Learned" in Part 2, coming next week.....

Today's blog comes from State of Colorado Chief Information Security Officer Debbi Blyth.

Thursday, July 2, 2020

Have a happy & responsible 4th of July!

The beginning of the state’s new fiscal year also coincides with the 4th of July holiday. With the COVID-19 pandemic still upon us, the State of Colorado wants you to have a fun but responsible holiday weekend. Whether you are enjoying Colorado’s great, vast outdoors or celebrating with a classic cookout, the state has provided some additional steps to keep one another and our communities safe. 
  • Make it safer - if you choose to participate in in-person activities, keep it small, keep your distance from others, wash your hands frequently, and wear a mask. Don’t be afraid to change your plans if you feel uncomfortable about the risk.
  • Know before you go - check fire bans and local COVID-19-related rules at your destination. If you plan to play in the great outdoors be prepared with appropriate supplies.
  • Prevent fires - It’s fire season, and this year we need to be even more careful due to added threats due to COVID-19. We want to prevent situations where people have to evacuate their homes, firefighters have to deploy to camps, and smoke worsens summer air quality (and the impacts on people already at risk for breathing difficulty). This year, skip the fireworks and campfires.

Together we can slow the spread of the virus and help preserve the vast, great, outdoors where we all love to play.

How to spend the holiday weekend responsibly outdoors -

  • Remember to play it safe and be respectful outside. While using this opportunity to spend time outdoors, please do so safely and responsibly. Our first responders and search and rescue teams are all facing these challenges along with us. Please avoid high-risk or remote activities, as accidents stemming from these types of activities may require extensive resources. Colorado Search and Rescue teams are prepared and ready to respond but could become overloaded if the number of calls increases and the number of available responders decreases.
  • Visit the Care for Colorado website where you will find a fun, one-minute animated video called Steps to Care for Coloradans and the Are you Colo-Ready? Responsible Travel Edition brochure designed especially for those using Colorado's trails.

How to reduce your risk this holiday -

  • The safest thing, for everyone, is to minimize your exposure to others. Activities like camping with people from your household using your equipment are lower risk than activities that involve more interpersonal interaction.
  • We do know there are risks associated with travel. Think through your travel plans. Make sure your plans are comfortable for you and your family. We want people to make summer plans in the great outdoors.
  • If you do travel, make sure that you understand and follow the rules at your destination.
  • Your mask is your passport to the Colorado you love. Make sure that you take it with you and wear it. Follow social distancing guidelines and wash your hands frequently.
  • Those looking to explore the outdoors should check out COTREX to see what trails, trailheads and activities are permissible on state and federal public lands, and what isn’t crowded.

How families can safely have holiday cookouts and gatherings -

  • Summer gatherings this holiday should look different compared to a typical summer. It’s important to keep your distance and keep gatherings small. We’re asking you to continue to have fewer interactions with fewer people and do so in a safe way by wearing a face covering, remaining 6 ft away from others, and washing your hands frequently. Additionally, being in an outdoor environment is ideal - we have the benefit of climate and sunshine to modify/decrease transmission.

Please be sure to spread the word to your coworkers, friends, and family.

Today's blog comes from OIT Chief Information Officer and Executive Director, Dr. Theresa M. Szczurek