When I posted (two times) the fact that International Mobile Equipment Identity (IMEI) numbers are NOT a reliable way to ascertain the identity of a user, I was pooh-poohed.
Last year I wrote about a biscuit and a football, but I wasn’t talking about the snack spread on game day.
I was talking about the tools the United States President uses (as Commander-in-Chief) for identity verification to launch a nuclear attack.
But sometimes you have to pass the football. If the President is temporarily or permanently incapacitated in an attack, the Vice President also has a football and a biscuit. Normally the Vice President’s biscuit isn’t activated, but when certain Constitutional criteria are met it becomes operative.
Other than this built-in redundancy, the system assumes one football, one biscuit, and one President.
If you’re a cybersecurity expert, you know this assumption is the assumption of a fool.
It is not impossible to have duplicate functional footballs and duplicate functional biscuits.
And it is not impossible to have duplicate functional Presidents, with identical face, voice, finger, and iris biometrics. Yes, it’s highly unlikely, but it’s not impossible. If the target is important enough, adversaries will spend the money.
Most of us will never know the answer, but how do government cybersecurity experts prevent this?
While Bredemarket only conducts business in the United States (with one exception), my clients have no such constraints.
Who are my client’s prospects?
Because of my extensive business-to-government (B2G) experience, I often work with clients that sell products and services to government agencies throughout the world. Well, except to North Korea and a few other places.
And as those clients (or their marketing and writing consultants) identify their public sector prospects, terminology becomes an issue.
And they have to answer questions such as “which government agency or agencies in Country Y potentially use biometric authentication for passengers approaching a gate in an airline terminal?”
Hint: chances are it’s NOT called the “department of transportation.”
Ministry
Add one factor that is foreign (literally) to this United States product marketing consultant.
Many of these countries have MINISTRIES.
No, not religious ministers or preachers.
Billy Graham. Photo by Warren K. Leffler, United States Library of Congress Prints and Photographs Division, digital ID ppmsc.03261. Public domain. https://commons.wikimedia.org/w/index.php?curid=905632
When I say “Minister” here I refer to government officials, often drawn from the country’s legislature, each of whom manages a portfolio of agencies.
Sisa
Let’s take one ministry as an example: Sisäministeriö. Oops, Finland’s Ministry of the Interior. This one ministry is currently headed by Mari Rantanen of the Finns Party (part of a four-party coalition ruling Finland).
“Minister Rantanen is also responsible for matters related to integration covered by the Labour Migration and Integration Unit of the Ministry of Economic Affairs and Employment.”
Back to Interior. One huge clarification for U.S. people: other countries’ ministries of the interior bear no relation to the U.S. Department of the Interior, which concerns itself with parks and Native Americans and stuff. Minister Rantanen’s sphere of responsibility is quite different:
“Under the Government Rules of Procedure, the Ministry of the Interior is responsible for:
public order and security, police administration and the private security sector
general preconditions for migration and regulation of migration, with the exception of labour migration, as well as international protection and return migration
Finnish citizenship
rescue services
emergency response centre operations
border security and maritime search and rescue services
national capabilities for civilian crisis management
joint preparedness of regional authorities for incidents and emergencies.”
These responsibilities result in this organization…whoops, organisation.
Border Guard Department, which is the national headquarters for the Border Guard
Administration and Development Department
The units reporting directly to the Permanent Secretary are the International Affairs Unit and Communications Unit.
Directly under the Permanent Secretary are also guidance of Civilian Intelligence and the Finnish Security and Intelligence Service, Internal Audit and Advisory Staff to the Permanent Secretary
So, who’s gonna buy your biometric product or service in each of the 200 or so countries in which you may conduct business?
If your security software enforces a “no bots” policy, you’re only hurting yourself.
Bad bots
Yes, there are some bots you want to keep out.
“Scrapers” that obtain your proprietary data without your consent.
“Ad clickers” from your competitors that drain your budgets.
And, of course, non-human identities that fraudulently crack legitimate human and non-human accounts (ATO, or account takeover).
Good bots
But there are some bots you want to welcome with open arms.
Such as the indexers, either web crawlers or AI search assistants, that ensure your company and its products are known to search engines and large language models. If you nobot these agents, your prospects may never hear about you.
Buybots
And what about the buybots—those AI agents designed to make legitimate purchases?
Perhaps a human wants to buy a Beanie Baby, Bitcoin, or airline ticket, but only if the price dips below a certain point. It is physically impossible for a human to monitor prices 24 hours a day, 7 days a week, so the human empowers an AI agent to make the purchase.
Do you want to keep legitimate buyers from buying just because they’re non-human identities?
(Maybe…but that’s another topic. If you’re interested, see what Vish Nandlall said in November about Amazon blocking Perplexity agents.)
Nobots
According to click fraud fighter Anura in October 2025, 51% of web traffic is non-human bots, and 37% of the total traffic is “bad bots.” Obviously you want to deny the 37%, but you want to allow the 14% “good bots.”
Nobot policies hurt. If your verification, authentication, and authorization solutions are unable to allow good bots, your business will suffer.
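The difference between a nobot policy and an allow-list policy, as an added example (not code from the original post): the requests and the DNS table below are constructed, and the crawler suffixes are illustrative. The check that matters is that a User-Agent string is trivially forged, so a bad bot can call itself Googlebot; the allow-list therefore verifies a claimed crawler by reverse DNS followed by a forward lookup that must return the same IP, the method Google itself documents, before letting it through.

```python
"""Allow-list bot policy versus a blanket "nobot" rule.

Added example; not code from the original post. The requests and the
DNS table are constructed, and the crawler suffixes are illustrative.
"""
import re
from typing import Callable, Optional

# Constructed sample requests: (client IP, User-Agent). Not from a real log.
REQUESTS = [
    ("66.249.66.1", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    ("203.0.113.9", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    ("198.51.100.7", "python-requests/2.31.0"),
    ("192.0.2.44", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"),
]

# Constructed stand-in for DNS. In production, reverse-resolve with
# socket.gethostbyaddr(ip) and then forward-resolve the returned hostname with
# socket.gethostbyname(host); both lookups must agree.
PTR_TABLE = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.9": "static-9.example-hosting.net",  # spoofs the Googlebot UA
}
A_TABLE = {host: ip for ip, host in PTR_TABLE.items()}

# Crawlers we want indexing us, keyed on a UA token, with the DNS suffixes
# their operator publishes for verification.
VERIFIED_CRAWLERS = {"Googlebot": (".googlebot.com", ".google.com")}

# Crude "is this a bot?" signal; a blanket nobot rule stops here.
BOT_UA = re.compile(r"bot|crawl|spider|python-requests|curl", re.IGNORECASE)


def is_bot(user_agent: str) -> bool:
    return bool(BOT_UA.search(user_agent))


def crawler_verified(ip: str, user_agent: str,
                     ptr: Callable[[str], Optional[str]] = PTR_TABLE.get,
                     fwd: Callable[[str], Optional[str]] = A_TABLE.get) -> bool:
    """A UA string is free to forge; the reverse-then-forward DNS match is not."""
    for token, suffixes in VERIFIED_CRAWLERS.items():
        if token in user_agent:
            host = ptr(ip)
            return host is not None and host.endswith(suffixes) and fwd(host) == ip
    return False


def nobot_policy(ip: str, user_agent: str) -> str:
    """Blocks every bot, good or bad, including the real indexer."""
    return "deny" if is_bot(user_agent) else "allow"


def allowlist_policy(ip: str, user_agent: str) -> str:
    """Lets humans and verified good bots through; denies unverified bots."""
    if not is_bot(user_agent):
        return "allow"
    if crawler_verified(ip, user_agent):
        return "allow"
    return "deny"


def evaluate(policy: Callable[[str, str], str]) -> dict:
    """Run a policy over the sample traffic, keyed by client IP."""
    return {ip: policy(ip, ua) for ip, ua in REQUESTS}


if __name__ == "__main__":
    for name, policy in (("nobot", nobot_policy), ("allowlist", allowlist_policy)):
        print(name, evaluate(policy))
```

Run it and the nobot policy denies the genuine crawler along with the scraper, while the allow-list policy admits the genuine crawler, still denies the scraper, and denies the host that merely claims to be Googlebot. Extending the allow-list to purchasing agents needs some equivalent verifiable identity; a UA token alone is never enough.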
Francesco Fabbrocino of Dunmor presented at today’s SoCal Tech Forum at FoundrSpace in Rancho Cucamonga, California. His topic? Technology in FinTech/Fraud Detection. I covered his entire presentation in a running LinkedIn post, but I’d like to focus on one portion here—and my caveat to one of his five rules of fraud detection. (Four-letter word warning.)
The five rules
In the style of Fight Club, Fabbrocino listed his five rules of fraud detection:
1. Nearly all fraud is based on impersonation.
2. Never expose your fraud prevention techniques.
3. Preventing fraud usually increases friction.
4. Fraud prevention is a business strategy.
5. Whatever you do, fraudsters will adapt to it.
All good points. But I want to dig into rule 2, which is valid…to a point.
Rule 2
If the fraudster presents three different identity verification or authentication factors, and one of them fails, there’s no need to tell the fraudster which one failed. Bad password? Don’t volunteer that information.
In fact, under certain circumstances you may not have to reveal the failure at all. If you are certain this is a fraud attempt, let the fraudster believe that the transaction (such as a wire transfer) was successful. The fraudster will learn the truth soon enough: if not in this fraud attempt, perhaps in the next one.
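The two behaviours just described, as an added example in Python (not code from the original post or from Fabbrocino's talk): a leaky verifier that stops at the first failing factor and names it, beside a uniform verifier that evaluates every factor, keeps the per-factor detail internal, and returns one generic message. The account record, salt and factor values are constructed, and the `confirmed_fraud` flag stands in for a separate risk decision that is not modelled here.

```python
"""Uniform failure responses across verification factors.

Added example; not code from the original post or from Fabbrocino's talk.
The account record, salt and factor values are constructed.
"""
import hashlib
import hmac

_SALT = b"constructed-salt-not-for-production"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed sample account (a real system reads this from its user store).
ACCOUNT = {
    "password_hash": _hash_pw("correct horse"),
    "otp": "492817",
    "device_id": "dev-7f3a",
}


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison so the mismatch position does not leak via timing.
    return hmac.compare_digest(a.encode(), b.encode())


def verify_leaky(password: str, otp: str, device_id: str) -> str:
    """Anti-pattern: stops at the first failing factor and names it."""
    if not hmac.compare_digest(_hash_pw(password), ACCOUNT["password_hash"]):
        return "Incorrect password"
    if not _eq(otp, ACCOUNT["otp"]):
        return "Incorrect one-time code"
    if not _eq(device_id, ACCOUNT["device_id"]):
        return "Unrecognised device"
    return "OK"


def verify_uniform(password: str, otp: str, device_id: str) -> tuple:
    """Evaluate every factor (no early exit); keep per-factor detail internal."""
    detail = {
        "password": hmac.compare_digest(_hash_pw(password), ACCOUNT["password_hash"]),
        "otp": _eq(otp, ACCOUNT["otp"]),
        "device": _eq(device_id, ACCOUNT["device_id"]),
    }
    return all(detail.values()), detail


GENERIC_FAILURE = "We could not verify this request."
SUBMITTED = "Transfer submitted."


def respond(password: str, otp: str, device_id: str,
            confirmed_fraud: bool = False) -> dict:
    """Separate what the caller sees from what the system does.

    confirmed_fraud is a hypothetical input from a separate risk decision.
    When set, the caller receives the normal confirmation while the transfer
    is held, as the post suggests for attempts you are certain are fraud.
    """
    ok, detail = verify_uniform(password, otp, device_id)
    if ok:
        return {"user_message": SUBMITTED, "action": "execute", "internal": detail}
    if confirmed_fraud:
        return {"user_message": SUBMITTED, "action": "hold_for_review", "internal": detail}
    return {"user_message": GENERIC_FAILURE, "action": "deny", "internal": detail}


if __name__ == "__main__":
    print(verify_leaky("correct horse", "000000", "dev-7f3a"))
    print(respond("correct horse", "000000", "dev-7f3a"))
    print(respond("wrong", "492817", "dev-7f3a", confirmed_fraud=True))
```

With the wrong one-time code the leaky verifier hands the fraudster a confirmation that the password was right; the uniform verifier returns the same message whichever factor failed, and the held transaction looks, to the caller, identical to an executed one. Evaluating all factors rather than returning early also keeps response time from revealing which check tripped. The deceptive-success path should be gated on a high-confidence decision, since a legitimate customer whose transfer is silently held will only learn about it later.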
But “never” is a strong word, and there are some times when you MUST expose your fraud prevention techniques. Let me provide an example.
Biometric time cards
One common type of fraud is time card fraud, in which an employee claims to start work at 8:00, even though he didn’t show up for work until 8:15. How do you fool the time clock? By buddy punching, where your friend inserts your time card into the time clock precisely at 8, even though you’re not present.
Enter biometric time clocks, in which a worker must use their finger, palm, face, iris, or voice to punch in and out. It’s very hard for your buddy to have your biometric, so this decreases time clock fraud significantly.
But suppose you fail to inform the employees of the purpose for collecting their biometrics, and fail to obtain their explicit consent to collect biometrics for this purpose.
In a case like this, or in a jurisdiction governed by some other privacy law, you HAVE to “expose” that you are using an individual’s biometrics as a fraud prevention technique.
But if there’s no law to the contrary, obfuscate at will.
Communicating your anti-fraud solution
Now there are a number of companies that fight the many types of fraud that Fabbrocino mentioned. But these companies need to ensure that their prospects and clients understand the benefits of their anti-fraud solutions.
That’s where Bredemarket can help.
As a product marketing consultant, I help identity, biometric, and technology firms market their products to their end clients.
And I can help your firm also.
Read about Bredemarket’s content for tech marketers and book a free meeting with me to discuss your needs.
Is it only smartphone game app users who are inundated with an unrelenting barrage of Kalshi ads?
If nothing else, the barrage inspired me to research Designated Contract Markets (DCMs). A DCM is a status granted and regulated by the Commodity Futures Trading Commission (CFTC), a federal agency. As such, Kalshi argues that it is exempt from state gaming regulations because it’s not hosting gambling. It’s hosting futures trading.
But Kalshi and similar apps such as Polymarket are opposed by DraftKings, FanDuel, and other sports betting apps. They make no pretense of “trading futures,” but comply with state-level gambling regulations, and use geolocation to prohibit mobile sports betting in states such as California where it is illegal.
And both are opposed by Native American casinos governed by the Indian Gaming Regulatory Act (IGRA) of 1988, which allows sovereign tribal nations to host traditional Indian games.
And they are opposed by other card houses, racetracks, bingo games, and state sponsored lotteries.
And all are opposed by the traditional Las Vegas casinos…except when they themselves host mobile apps and strike licensing deals with Native American casinos.
But the mobile app variants not only deal with geolocation, but also digital identity verification and age verification.
And employment verification or non-verification to ensure that football players aren’t betting on football games.
Plus authentication to open the app and ensure Little Jimmy doesn’t open it.
There are all sorts of gaming identity stories…and Bredemarket can help identity/biometric marketers tell them.
Some of us authenticate ourselves to unlock our smartphones. Others authenticate to access confidential corporate information. A few authenticate to wield the power to annihilate the world.
The football and the biscuit
In the United States, the President (Commander-in-Chief) has a “biscuit.”
“The nuclear biscuit is a card with authentication codes that acts as the President’s personal key to unlocking America’s nuclear arsenal.
“The biscuit acts a lot like a two-factor authentication device or app. Its codes are updated regularly, and it works in connection with the nuclear football to verify the President’s identity. Without the biscuit, the President can’t order a nuclear strike, even if they have the football itself.”
“Something you have is quite an obvious one, you needed to have the actual Biscuit and the codes within.
“Something you know is when you opened the Biscuit. It had many codes printed on the cards and all were false apart from one. The President would have been told the position of the real code when he first took office. He would also be told each time the Biscuit was changed.
“For something you are, the phone line the President would need to contact has no number. It can only be contacted via a secure military phone. This phone would be handed to the President by one of his security team who would obviously not hand this phone to anyone but the President.”
Now you can argue that the phone line is not a TRUE something you are factor. A devious security team member could hand the phone to someone who SOUNDS like the President.
And there’s another complication.
Passing the football
Let’s say that a President is away from Washington. Say, at a school in Florida.
And all of a sudden attacks are launched in multiple U.S. cities.
What if an attack were launched in Florida, incapacitating the President, either temporarily or permanently?
In such an attack, the country and the world cannot afford to wait for hours for the football to be flown to wherever Richard Cheney is.
“Believing that the vice president should be a partner in national security policymaking, President Jimmy Carter assigned a football to Vice President Walter Mondale and this became the practice for future U.S. administrations.”
Outside the U.S., Russia has a similar system called the “Cheget,” and other nuclear countries presumably have similar procedures to authenticate the person or persons authorized to launch nuclear weapons.
Your football and biscuit
If you are an identity vendor or customer, you may have your own authentication and authorization procedures. While a breach of your procedures won’t result in the annihilation of civilization, it could create its own damage.
Do you need help describing the security of your identity solution?