Page 14 of PDF:

[The OLA] did not find evidence to substantiate Stillman’s allegation that there is $100 million in CCAP fraud annually. We did, on the other hand, find that the state’s CCAP fraud investigators generally agree with Stillman’s opinions about the level of CCAP fraud, as well as why it is so pervasive.

(Stillman is a line level investigator who gave a media statement which was explosive. Swanson, who authored in the internal memo, was his manager.)

I do mention that other officials only agreed to characterize as fraud fraud which had resulted in convictions. We now, years later, have nine figures just from the convictions (and guilty pleas). These officials pointedly refuse to put any number on fraud other than the number incident to convictions.

Moreover: you should be very clearly correct if you accuse someone of citing a document as making claims it does not say. That is a serious accusation. BAM's citation of this piece is "the state’s own investigators believed that, over the past several years, greater than fifty percent of all reimbursements to daycare centers were fraudulent." This is _absolutely true_ and _is in the report as claimed_.

Spent about 30 minutes consulting the report you mention, OP's post, and your reply, and there's clearly issues.

In the essay, you wrote that industrial-scale fraud is "beyond intellectually serious dispute," cited the OLA report, and presented the 50% figure as the finding that "staggers the imagination." (this should have been a tell)

When challenged, you retreat to: "My citation that investigators believed this is absolutely true."

Those are completely different claims. "An investigator believed X" is not "X is beyond intellectually serious dispute" — especially when the same report on the same pages says:

- The OLA itself: "We did not find evidence to substantiate the allegation" (p. 5)

- The DHS Inspector General: "I do not trust the allegation that 50 percent of CCAP money is being paid fraudulently" (p. 12)

- The investigators themselves had "varying levels of certainty — some thought it could be less, and some said they did not have enough experience to have an opinion" (p. 9)

- Swanson explicitly used "a view that does not require the kind of proof needed in a criminal or administrative proceeding" (p. 10), counting the entire payment to any center with poorly-supervised kids as "fraud"

That's not "beyond intellectually serious dispute." It is, literally, a documented dispute, inside the very report you cite as settling the matter.

And "nine figures from convictions"? That's Feeding Our Future, a federal food nutrition program. The OLA report is about CCAP, a state childcare program. Proven CCAP fraud remains at $5-6 million. You're retroactively validating a CCAP claim with convictions from a different program.

But look at what's happened across this exchange:

Essay: Industrial-scale CCAP fraud is "beyond intellectually serious dispute." The evidence: the OLA report shows investigators believed 50%+ of reimbursements were fraudulent.

When challenged that the OLA explicitly could not substantiate $100M and proven fraud was $5-6M: you retreat to "my citation that investigators believed this is absolutely true and is in the report as claimed."

When challenged that "investigators believed X" ≠ "X is beyond intellectually serious dispute" — especially when the same report documents the IG saying "I do not trust the allegation," DHS leadership calling $100M "not credible," investigators having "varying levels of certainty" with some having "not enough experience to have an opinion," and the OLA itself saying "we cannot offer a reliable estimate": you pivot to FoF operator overlap.

You still haven't addressed the actual critique. The overlap proves that some fraudsters work across programs. Not disputed, not surprising, and consistent with your essay's point about fraud lifecycles. What it doesn't do is retroactively substantiate Swanson's 50% CCAP figure. His methodology, spelled out in the very email the OLA appended, counted all payments to any center where children were poorly supervised as 100% fraudulent, a standard he himself distinguished from "the kind of proof needed in a criminal or administrative proceeding." FoF fraud was fabricating meal claims for meals never served. CCAP fraud is billing for children not present. Different programs, different billing mechanisms, different oversight bodies (MDE vs. DHS), different proven scales by orders of magnitude. That some of the same people ran both doesn't collapse the distinction.

"CCAP is also funded by federal block funding" seems designed to blur a line that matters. Many programs are federally funded. That doesn't make convictions in one program evidence of the fraud rate in another.

Here's what's frustrating: I think the essay's core argument is genuinely strong, and it doesn't need the overclaim. The OLA report is already damning on its own honest terms: proven fraud of $5-6M in a program with paper sign-in sheets prosecutors called "almost comical," no electronic attendance verification, 60-day billing windows, a certification statement removed from billing forms in 2013, and the investigators themselves saying centers "open faster than they can close the existing ones down." The report makes it clear fraud was likely substantially higher than proven convictions. That's already a devastating indictment of program oversight. Your argument about base rates, weak controls, and Shirley fishing in a troubled pond all follows from that, from the report as it actually reads.

But "likely substantially higher than $5-6M, in a program with terrible controls" is a very different claim than "50%+ fraud, beyond intellectually serious dispute." Your essay presents the latter. The report supports the former. And the gap matters, because the essay is being read right now, today. in a context where the president is calling Somalis "garbage," prosecutors are throwing out $9 billion estimates in press conferences, and five states just had billions in child care funding frozen. Overstating what the evidence supports isn't a minor rhetorical choice in that environment. It's exactly the kind of epistemic failure the essay warns about when it talks about "irresponsible demagogues" filling the vacuum.

You keep wanting to make me "own" the CCAP's estimate. I will not reciprocally try to make you "own" $5 million, because I am charitable and because history has been unkind to the officials who made it.

I do ask you to own: "Minnesota HAS NOT suffered industrial-scale fraud across several social programs." Otherwise this is judging a high school debate competition, and I've had better.

But your essay doesn't just claim fraud exists: it presents the 50% figure as the evidence that "staggers the imagination" and makes the case "beyond intellectually serious dispute." That's not parenthetical color. The paragraph is load-bearing on that number.

You charitably won't make me own $5M. I never claimed it. I've said in every reply the real number is likely substantially higher. My point has been the same throughout: you presented a disputed estimate as settled, from a report that explicitly could not settle it - in which the IG rejected it, DHS leadership called it not credible, the OLA said it "cannot offer a reliable estimate.", and the source themself named their lack of a standard beyond a vibe.

The essay is 5,000 words on why epistemic standards matter in fraud investigation. The critique is the essay's own standard, applied to the essay. You should apologize for the high school debate comment.

It's an insightful point, but it seems consistent with those epistemic standards that it's unimportant whether the 50% figure is valid in retrospect. The observation of "industrial-scale fraud" is sufficient to act, it doesn't need a retrospectively validated 50% figure and he would like you to get all the way off his back about it.

I am not. I am repeatedly enthused about it. You are in fact, parroting positive things I am saying about it.

I am on Hacker News, responding to him responding to a critic on a particular point.

No notes on the fraudsters pardoned by this current admin of course.

But, on the other hand, I suppose intellectually serious dispute requires both sides to be intellectually serious. One good step in that direction would be to arrange one's citations such that they are supporting the claims you are citing them for.

I will also remark, as others have, that it's odd to make a big deal about this particular fraud when there's a lot more fraud happening a lot more obviously in a lot more of the nation. This is not to question Minnesota officials who are, rightly and appropriately, investigating suspected fraud in their zone of investigation; but it is worth questioning voices who have, apropos of nothing I can discern, made decisions about what's important to talk about and what isn't, and further made decisions to misrepresent allegations in alignment with people who very aggressively lie for evil reasons. As others have pointed out, the essay's core is seemingly cromulent, and it doesn't need you to do that.

You are welcome to your own opinion as to what could motivate a publication which routinely writes about fraud and finance to write about fraud and finance. Past issues you may enjoy include a year-long investigation into a single incident of fraud in NYC, a topological look at the fraud supply chain in credit cards, discussions of how the FTX fraud was uniquely enabled by their partner bank failing to properly configure their AML engine, and similar. </LLC voice>

How many people do you think would hit that bar in the industry? Hundreds? I have hundreds of letters with numbers attached to them to say nothing of how many people simply negotiate, get the comp bump, and do not feel the need to email me about it.

I'm not trying to say all that matters an outsized profile. I agree that if you have that rare intersection of: 1. acing the interview, 2. a strong background with well-known companies, and 3. (critically) are job-hunting during a hiring bull market, to the point where the company cannot pick-and-choose, and they feel they must hire you, then sure, negotiation will bear some fruit. OR, if you managed to get multiple offers. I think a lot of us have never seen either of those situations.

We're struggling to find the motive or intended outcome by the attacker(s).

The highest likelihood for me is that they're doing card/credential testing. They have either stolen or purchased a large number of stolen credentials. Those credentials are worth more individually if they are known to function. They can use any business on the Internet which sells anything and would tell someone "Sorry, can't sell you that because I couldn't charge your account/card/etc. Do you have another one?" to quickly winnow their set of credentials into a pile of ones which haven't been canceled yet and another pile. Another variation of this attack is their list is "literally just enumerate all the cards possible in a range and try to sift down to the cards that actually exist."

After sifting through to find the more valuable cards, they sell this onto another attacker at higher price of the mixed-working-and-not-working cards, or they pass it to their colleague who will attempt to hit the cards/creds for actual money.

Digital items are useful because people selling them have high margins and have lower defenses against fraud as a result. Cheap things, especially cheap things where they can pick their price, are useful because it is less likely to trigger the attention of the card holder or their bank. (This is one reason charities get abused very frequently, because they will often happily accept a $1 or lower donation, even one which is worth less than their lowest possible payment processing cost.) The bad guys don't want to be noticed because the real theft is in the future, by them or (more likely) by someone they sell this newly-more-valuable card information onto.

This hit the company I used to run back in the day, also on Paypal, and was quite frustrating. I solved it by adding a few heuristics to catch and giving a user matching those heuristics the product for free, with the usual message they got in case of a successful sale. This quickly spoils your website for the purpose they're trying to use it for, and the professional engineering team employed to abuse you experiences thirty seconds of confusion and regret before moving to the next site on their list. Back in the day, the bad guys were extremely bad at causing their browser instance to even try to look like a normal user in terms of e.g. pattern of data access prior to attempting to buy a thing.

Hope some of that is useful. Best of luck and skill. You can eventually pierce through to Paypal's attention here and they may have options available contingent on you being under card/credential testing attack, or they might not. I was not successful in doing so back in the day prior to solving the problem for myself.

Would also recommend building monitoring so you know this is happening in the future before the disputes roll in. Note that those disputes might be from them or from the legitimate users depending on exactly what credentials they have stolen, and in the case they are from legitimate users, you may not have caught all of the fraudulent charges yet. (Mentioning because you said "all of the charges" were disputed.) If I were you I'd try to cast a wider net and pre-emptively refund or review things in the wider net, both because the right thing to do and also because you may be able to head off more disputes later as e.g. people get their monthly statements.

To fix it, I had to proxy that unreliable SaaS software to implement CAPTCHAs and stronger bot detection. It was essentially a MITM-style proxy but for protection. It was fun to implement

So presumably yes

I’d look into fingerprinting (https://github.com/fingerprintjs/fingerprintjs), block by ASN if it makes sense for your business (does OVH really need access to my SaaS?), use an active disposable email checker and possibly flag risky orders for manual payment capture if at all possible.

You'll need to find some way to fingerprint to classify users into risk buckets and then treat them differently based on the bucket: blackhole, high friction verification, and likely safe are three reasonable buckets.

Cloudflare has tools that can help identify bots, much of this can be offloaded onto them.

A direct quote:

> Initially, I was afraid that I wouldn’t be able to afford my taxes this year, but then my accountant told me I could write off losses due to theft. So from a financial standpoint, I’ll survive, as long as I don’t have another emergency — a real one — anytime soon.

I quote several more bits from the piece verbatim.

A much better signal is that when she reflects on how the stolen $50k could have been used, she imagines: "I could have paid for over a year’s worth of child care up front. I could have put it toward the master’s degree I’ve always wanted. I could have housed multiple families for months." Sure, just because she didn't say "I could have paid off my mortgage/student/car loans" doesn't mean she doesn't have those. But it's a far stretch to assert that her written viewpoint sounds like a typical middle-class/upper-middle-class American, nevermind definitively excludes her from being rich (or at least belonging to one of the hundreds of thousands of millionaire households in New York).

I had some doubts that the story, as presented, was true. I did what I hear journalists do, and went out and reported the story. Some people apparently believe this was an aggressive action, and some people believe that the original story was strictly true, and I can understand either of those beliefs separately but holding both at the same time seems tricky.

I did not believe that New York Magazine was complicit. I harbored the suspicion that they might be incompetent. This suspicion was exacerbated by unambiguous evidence of them being incompetent, in failing to detect that a 17 year old claiming to have made $72 million trading stocks, and then doubling down on that story because their fact-checker had passed it.

You have made, in this thread, several claims that I am wildly miscalibrated with respect to banking procedure. I do not believe I am. For example, I seem to be able to make confident predictions like "Oh, if the teller window is on the second floor, that narrows the selection of bank branches sufficiently to be probably uniquely identifying given any other piece of information" and be proven retrospectively right on those predictions.

If you would like to take issue with my other claims about banking procedure, pick the one that looks fishiest to you, and then propose odds.

C'mon, what scenario do you have in mind where New York magazine "materially disavows the article" [0] but the writer, Cowles, is not guilty of fabulism (presenting a creative writing exercise as non-fiction would count as that level of deception)?

> You have made, in this thread, several claims that I am wildly miscalibrated with respect to banking procedure.

I am very confident that you know far more about banking policy and conventions than I do. So when you assert that the facts of NYMag do not seem reconcilable with the reality of American banking, I'm happy to take your word for it. Now that you've essentially retracted that doubt, a doubt so strong that you were willing to spend thousands of dollars to investigate it over a year, I'm very confused about your priors. Was Cowles being richer than you had thought possible your only flawed assumption? Like if she had only written "btw I'm from a rich family and I live in an owner-occupied home in Brooklyn", that alone would have been enough to resolve the many issues you raise about the unlikeliness of a $50k cash withdrawal? What's the threshold of wealth in which that $50k transfer is given cursory approval? Is the $50k easy because she's a one-percenter? Would it be easy if she is/were merely in the top 5% or 10% of household wealth

One of my main frustrations about your writeup is that it sets up these questions and then fails to answer them, as if the fact of Cowles' unspecified wealth is alone the self-evident answer? Speaking as a layperson, I assume that being a 30-something living in New York who had $80,000 in savings and checkings alone -- which she explicitly states in her article -- would be enough to qualify for a no-hold-up same day $50k withdrawal from a New York bank. Is that not the case?

> I had some doubts that the story, as presented, was true. I did what I hear journalists do, and went out and reported the story

And genuine kudos to you, the world would be a better place if "trust, but verify" were our default modes of operation. I guess what bugs me is that your article opens with a detailed examination of how NYMag fumbled that 2014 profile of a teenage millionaire, but you end your own investigation after being apparently satisfied with a fact-check that seems almost as facile as the one purportedly done for their retracted 2014 profile.

Presume a universe in which Cowles did indeed publish a fabrication; it would require an extreme motivation for her to risk torching her career and in such a highly public and scrutinized fashion. Such a motivated person could easily put in the work to make sure that the bank they allude to vaguely fits the description they choose to publish (tbh, we should ask ourselves why would an ostensible fabricator would even choose to publish that "upstairs" detail, when they can easily formulate a description that vaguely applies to a dozen New York banks?). The fact that it's in a police report is, as you say, not a big deal given the light consequences of a false police report (and not a big deal, especially compared to the consequences of career suicide).

> This would be a very different piece if that police report, or any other documentation at a trusted institution, named e.g. 266 Broadway instead.

Why exactly would it be different? What if she had named 266 Broadway to the police, and omitted literally just a single word from her published article ("upstairs"); how would that change the thrust of your dogged investigation, which seems so premised on your knowledge and assumptions of the banking system? So many words and so much effort (again, kudos to putting in the infuriating work needed to get the NYPD to respond) are devoted to this one detail that one can't help but think it was a significant factor in quelling your doubt. Ironically, it reminds me of the strategy that Cowles' alleged scammers used: provide her with seemingly hard-to-know real world information (her SSN, her physical address, that her "2-year-old son was playing in [her] living room") to lull her into believing something much more significant (that the scammer is a CIA agent about to arrest her husband).

You aren't scamming us of course (hey it's not your fault for us choosing to read your article). But asserting that this second-story bank detail is worth attention, implying that a fabulising Cowles wouldn't have put that much thought into her lie, feels like a disservice to the rigorous investigation that your article promises. And without an equally significant number of words dedicated to how you may or may not have had miscalibrated assumptions wrt banking procedure, this is why your article feels incredibly frustrating.

[0] https://manifold.markets/patio11/will-new-york-magazine-walk...

I'm no banking expert, but I'm pretty sure no-hold same day withdrawals of that size need much more than that. I wouldn't be surprised if her family has contracted with Bank of America for private banking and family office services, which is usually economical around the $10M assets under management mark (wikipedia says 50M[1] but I've seen lower numbers cited in FatFIRE). In which case the savings and checking figure is essentially nominal, as the wealth is there, but tied up for estate planning (read: tax minimization) purposes; if someone needs money, family offices can set up credit lines. I imagine in that scenario they're basically paying themselves interest.

In any case I doubt any bank is willing to publicly state what the thresholds are in a way anyone could cite, for fear of scammers using that info against them or their clients.

[1]: https://en.wikipedia.org/wiki/Family_office

The reason why I think the threshold may be much lower than what Patrick insinuates it to be, is because similar big cash scams have been reported by people seemingly much poorer than the NYMag columnist:

https://www.wate.com/news/top-stories/knoxville-woman-loses-...

> What happened next is tragic for Colleen as she went to her bank. “I told him how much I had in there and he told me to withdraw everything but the $700. I told the lady I need to withdraw $19,000. I said I needed it cash.” Colleen said.

$19,000 is of course less than $50k, but it's still well above the $10k anti-laundering reporting threshold, and it involves a victim in Knoxville for whom that $19k represented her "life savings", yet it seems the bank didn't stop her from a same-day total withdrawal.

(note: this Knoxville incident happened in Dec. 2024, so it's of course possible the victim is perpetrating a copycat fabrication after reading the NYMag article)

After reading the article, sure, I can see that that's what was implied, but I can only say that it wasn't clear enough for me. I still enjoyed it for what it is, but I think I could have enjoyed it more if primed differently.