PoisonSeed: Cross-Device Authentication Shouldn’t Allow Authentication on a Fraudster’s Device

(Important July 30 update here.)

(Imagen 4)

The FIDO Alliance is one of the chief proponents of the “death of passwords” movement, and is working on delivering secure authentication. But even the most secure authentication method is not 100% secure. Nothing is.

Authentication is a complex undertaking, and the ability to authenticate on a new device is a special challenge. But the FIDO Alliance has addressed this:

“Cross device authentication allows a user to sign in with their device using a QR code. 

“FIDO Cross-Device Authentication (CDA) allows a passkey from one device to be used to sign in on another device. For example, your phone can be linked to your laptop, allowing you to use a passkey from your phone to sign into a service on your laptop.

“CDA is powered by the FIDO Client-to-Authenticator Protocol (CTAP) using “hybrid” transport. CTAP is implemented by authenticators and client platforms, not Relying Parties.”

What could go wrong? Well, according to Expel, plenty:

“After entering their username and password on the phishing site, the user was presented with a QR code…. 

“What happened behind the scenes is the phishing site automatically sent the stolen username and password to the legitimate login portal of the organization, along with a request to utilize the cross-device sign-in feature of FIDO keys. The login portal then displayed a QR code….

“In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in. The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.

“This process—while seemingly complicated—effectively neutralizes any protections that a FIDO key grants, and gives the attackers access to the compromised user’s account, including access to any applications, sensitive documents, and tools such access provides.”

Presumably the FIDO Alliance will address this soon.

Mountain Avenue Rite Aid is Closing in Five Days

Update to my July 2 Bredemarket blog post.

As of July 21, the Rite Aid at 4th and Mountain in Ontario, California IS closing. In the next five days.

No Thrifty Ice Cream here.

And while the Thrifty Ice Cream counter at this store is empty, at least the Thrifty company survives.

No pharmacy pick up either.

More pictures below. Avoid if store closings depress you.

Aisles mostly bare, some store fixtures disassembled.
And they’re for sale.

Making Case Studies (and Other Content) Specific So Prospects Act

(Imagen 4)

Tech CMOs want to move their prospects to act and buy world-changing offerings (products or services) from their firms…and I want to move my tech CMO prospects to act and buy marketing and writing services from Bredemarket. So tech CMOs, I definitely feel your pain. But how can you move your prospects…and how can I move you?

Failure of a vague problem, solution, and results

In my recent post about converting an end customer interview into a case study, I discussed a “problem, solution, results” simple case study outline.

Justin Welsh just discussed the same thing, but with better words.

“I copy/pasted a spreadsheet of over 100 posts I’ve written that created real impact for my readers into ChatGPT, and I found a pattern:

“Specific struggle + specific transformation = lasting change

“Not some vague tension. Not a generic transformation. Specific moments where everything shifted.”

My specific solution

Of course the dozen case studies I ghostwrote for my client were implicitly specific. But it’s helpful to make that word “specific” explicit.

Imagen 4.
  • Because my client had a specific problem. The client needed its prospects to understand how its offering could solve nagging prospect problems. Riots. Car thefts. Robberies.
  • And my client had a specific solution. I can’t reveal the solution without giving the client away, but let’s just say the the solution simultaneously addressed the end customers’ dual needs of speed and accuracy, as well as other end customer concerns.
  • As for specific results, I confess I don’t know. In this case my client never got back to me and said, “John, case study 3 attracted a prospect that ended up buying an annual contract.” And my primary contact at the client subsequently moved to another firm. But the fact that the client stuck with me for a dozen case studies and some subsequent NIST FRTE analysis work indicates that I did something right.

You see what I did there. Well, as much as I could while preserving my ghostwriter status and my client’s anonymity.

What is your specific problem?

This section of the blog post is specifically addressed to tech CMOs and other marketers. The rest of you can skip this part and watch this entertaining video instead.

Imagen 4.

Now I know I’ve loaded this post with links to previous Bredemarket content that addresses the…um…specific topics in much more detail. Maybe you clicked on the links, or maybe you didn’t. I will find out.

But if you are ready to move forward, this is the one link you need to click. (“Now you tell me, John!”) It lets you set up a meeting with Bredemarket to discuss your specific needs.

It’s All About Me 1: Biometric Product Marketing Expert

Lately I’ve been so busy promoting my Bredemarket marketing and writing consultancy that I’ve neglected to promote me, John E. Bredehoft.

So my first “It’s All About Me” (IAAM, for those in the know) focuses on my self-declaration as the biometric product marketing expert.

Some of you may have seen a similar reel targeted to Bredemarket consulting clients (identity/biometric marketing leaders). Actually there are two Bredemarket reel versions because of a landing page change. The existence of three reels shows my dedication to repurposing.

But none of the three versions is meaningful to cybersecurity firms, or third-party risk management (TPRM) firms, or content management system (CMS) firms, or healthcare firms (the non-identification biometric).

Hence Part Two.

Biometric product marketing expert.

U.S. Department of Homeland Security Organization…For Now, Anyway

Both identity/biometric industry professionals and the general public have an intense interest in the U.S. Department of Homeland Security (DHS). This isn’t a new interest, but has persisted since the Department was created.

But it’s important to remember that DHS has a bunch of different components, ranging from U.S. Immigration and Customs Enforcement (ICE) to the Federal Emergency Management Agency (FEMA) to the U.S. Coast Guard.

And you don’t want to get them confused. You really don’t.

If you go the the DHS website and visit the Organizational Chart page, you can download a PDF of the organizational chart. As of November 8, 2023. (We’ll return to that.) As a help, here’s an image showing the organizational chart.

DHS organizational chart as of November 8, 2023.

The chart is mostly filled with a myriad of offices that don’t interest most people. I don’t think political activists really care about the Office of Public Affairs.

The sexy stuff can be found in the 8 boxes at the bottom of the organizational chart. These include:

  • U.S. Immigration and Customs Enforcement (ICE).
  • U.S. Customs and Border Protection (CBP).
  • U.S. Citizenship and Immigration Services (USCIS).
  • Federal Emergency Management Agency (FEMA).
  • U.S. Secret Service.
  • Cybersecurity and Infrastructure Security Agency (CISA).
  • Transportation Security Administration (TSA).
  • U.S. Coast Guard.

Remember remember remember that these are separate agencies, and each one has its own mission that is separate from the missions of the other agencies. So don’t try to complain to the Coast Guard about what ICE does or doesn’t do; the Coast Guard doesn’t care. In fact it’s highly likely that the people in the Coast Guard think that the people in ICE are a bunch of bozos. And vice versa. Even for the agencies that supposedly work together, such as ICE, CBP, USCIS, and TSA.

During my years with IDEMIA and its corporate predecessors, and during my time as a consultant at Bredemarket, I have dealt with many of these agencies and helped them achieve their missions.

But there’s one part of DHS that is of prime concern to me…and you can’t see it on the org chart, right above the Chief Financial Officer and Chief Information Officer.

What about OBIM?

As a biometric product marketing expert, I obviously have an intense interest in the Office of Biometric Identity Management, or OBIM. This office self-identifies as follows:

The Office of Biometric Identity Management (OBIM) leads the U. S. Department of Homeland Security (DHS) in the advancement of identity for a safer world and improved quality of life through the development and refinement of solutions to improve how identities are verified and managed. In this role, OBIM delivers biometric compare, store, share, and analyze services to DHS and mission partners. The need for biometrics continues to grow among DHS Components; interagency stakeholders (e.g., the Departments of State, Justice, and Defense); state, local, tribal and territorial entities; the Intelligence Community; and international mission partners. Biometric and identity services support critical national security priorities, including counterterrorism and immigration. OBIM is focused on delivering capabilities, services, and expertise that provide identity assurance for decision making. OBIM’s overall goals and priorities include continuing to design and deliver biometric and identity services, strengthening collaboration and coordination of with all DHS partners, and pursuing advancements in biometric technology and identity solutions to enable DHS operational missions.

So both because of its role within DHS and its role with other federal, state, local, and international government agencies, OBIM is key to biometric use. If you’ve heard of IDENT, OBIM is involved in that. If you’ve heard of HART, OBIM is involved in that.

The reason that OBIM is not on the displayed org chart is because it’s a component of another entity, the Management Directorate. It’s on the left side of the org chart,

And by the way, OBIM may go away

As I mentioned earlier in this post, the displayed org chart is dated November 8, 2023. Since that day we have transitioned to a new President who is keenly interested in the work of DHS, and who may alter the displayed organizational chart.

One potential change is already public knowledge. Biometric Update:

“As the U.S. federal government expands its use of biometric technologies to manage everything from border security to federal benefits, an internal debate over the future of the Department of Homeland Security’s (DHS) Office of Biometric Identity Management (OBIM) has emerged as a flashpoint. Conversations inside the Trump administration, believed to be led by influential White House adviser Stephen Miller, have fueled concerns about the potential consolidation of OBIM under the direct control of U.S. Customs and Border Protection (CBP).”

As you can imagine, the consequences could be dramatic.

“‘There is a good chance that OBIM will be forced into CBP, which will mean that the 40-plus stakeholders that OBIM currently has could well be treated secondarily to the CBP-centric border mission,’ one source told Biometric Update on condition of anonymity, adding, ‘That would not be a great outcome.'”

You have to wonder whether the anonymous source was from an international agency, worried that CBP wouldn’t care about its homeland security needs.

Or maybe a tribal agency with the same concern.

Or maybe the FBI, who could fear that CBP wouldn’t care about law enforcement.

Or maybe ICE, who could worry that CBP would prioritize tarrifs and border protection over immigration enforcement. Because border protection and immigration enforcement are two separate tasks, which is why there are two separate agencies in the first place.

In summary, don’t just talk about a monolithic DHS. Know the players. And which players may strike out in the future.

When Social Platforms Convert Users Into Identity Verification Salespeople

(Imagen 4)

(Author’s preface: I was originally going to schedule this post for the middle of next week. But by the time I wrote it, the end of the post referenced a current event of astronomical proportions. Since said current event may be forgotten by the middle of next week, I am publishing it now.)

As a proponent of identity verification and a biometric product marketing expert I should like this…but I don’t.

I got the message and the message is clear

You get a message on a platform from someone you don’t know. The message may look something like this:

“John ,

“I hope this message finds you well. I came across your profile and was truly impressed by your background. While I’m not a recruiter, I’m assisting in connecting talented professionals with a startup that is working on a unique initiative.

“Given your experience, I believe you could be a fantastic fit for their senior consultant role. If you’re open to exploring this opportunity, I’d be happy to share more details and introduce you to the team directly. Please let me know if you’re interested!”

Let’s count the red flags in this message, which is one I actually received on May 30 from someone named David Joseph:

  • The author was truly impressed by my background, but didn’t cite any specifics about my background that impressed them. This exact same message could be sent to a biometric product marketing expert, a nuclear physicist, or a store cashier.
  • The author is not a recruiter, but a connector who will presumably pass me on to someone else. Why doesn’t the “someone else” contact me directly?
  • The whole unidentified startup working on a unique initiative story. Yes, some companies operate as stealth firms before revealing their corporate identity. Amway. Prinerica. Countless MLMs with bad reputations. Trust me, these initiatives are not unique.
  • That senior consultant title. Not junior consultant. Senior consultant. To make that envelope stuffing role even more prestigious.

I got the note and the note is even clearer

But I wasn’t really concerned with the message. I get these messages all the time.

So what concerned me?

The note attached to the message by the platform that hosted the message.

“Don’t know David? Ask David to verify their profile information before responding for added security.”

The platform, if you haven’t already guessed, is LinkedIn, the message a LinkedIn InMail.

Let’s follow the trail.

  • LinkedIn let “David” use the platform without verifying his identity or verifying that Randstad is truly his employer as his profile states.
  • LinkedIn sold “David” a bunch of InMail credits so that he could privately share this unique opportunity.
  • Now LinkedIn wants me to do its dirty work and say, “Hey David, why don’t you verify your profile?”

Now the one thing in LinkedIn’s favor is that LinkedIn—unlike Meta—lets its users verify their profiles for free. Meta charges you for this.

But again, why should I do LinkedIn’s dirty work?

Why doesn’t LinkedIn prevent users from sending InMails unless their profiles are verified?

The answer: LinkedIn makes a ton of money selling InMails to people without verified profiles. And thus makes money off questionable businesspeople and outright scammers.

Instead of locking down the platform and preventing scammers from joining the platform in the first place.

It’s like LinkedIn openly embraces scammers.

And everyone knows it.

Imagen 4.

Can I Hire Myself?

In addition to client work, Bredemarket performs a ton of self-promotion.

For example, over the last three months I have published at least one Bredemarket blog post each day.

I charge clients $500 for the average blog post.

Bredemarket 400 Short Writing Service (June 2022)Download

What if I charged MYSELF $500 per blog post?

But ignore that part. What if I made $500 for every self-promotional blog post I wrote?

I’d be sitting pretty.

Wombats Don’t Have Fingerprints, But Koalas Do

(Part of the biometric product marketing expert series)

If you follow the Bredemarket blog, you know that it is populated by iguanas, wildebeests, and wombats.

None of which have fingerprints, which are restricted to primates…mostly.

It turns out that the wombat’s close relative, the koala, DOES have fingerprints.

Why?

Convergent evolution, which happens when unrelated animals (in this case primates and koalas) evolve identically in response to similar evolutionary pressures.

“Koalas are famously picky eaters who seek out eucalyptus leaves of a specific age. And…koalas may also need to grasp in similar ways to humans….

“The friction and sensitivity fingerprints afford may help them simultaneously hang onto trees and do the delicate work of picking particular leaves and discarding others—but hopefully not near a crime scene.”