Identity/biometrics/technology marketing and writing services
I just posted the latest edition of my LinkedIn newsletter, “The Wildebeest Speaks.” It examines the history of deepfakes / likenesses, including the Émile Cohl animated cartoon Fantasmagorie, my own deepfake / likeness creations, and the deepfake / likeness of Sam Altman committing a burglary, authorized by Altman himself. Unfortunately, some deepfakes are NOT authorized, and that’s a problem.
Read my article here: https://www.linkedin.com/pulse/what-truth-bredemarket-jetmc/
(Part of the biometric product marketing expert series)
A recent PYMNTS article entitled “AI Voices Are Now Indistinguishable From Humans, Experts Say” includes the following about voice deepfakes:
“A new PLoS One study found that artificial intelligence has reached a point where cloned voices are indistinguishable from genuine ones. In the experiment, participants were asked to tellhuman voices from AI-generated ones across 80 samples. Cloned voices were mistaken for real in 58% of cases, while human voices were correctly identified only 62% of the time.”
Since you already read the title of this post, you know that I’m concentrating on the word “participants.”
The PLoS One experiment used PEOPLE to try to distinguish real voices from deepfake ones.
And people aren’t all that accurate. Never have been.
Before you decide that people can’t detect fake voices…
…why not have an ALGORITHM give it a try?
But to be fair, that wasn’t the goal of the PLoS One study, which specifically focused on human perception.
“Recently, an intriguing effect was reported in AI-generated faces, where such face images were perceived as more human than images of real humans – a “hyperrealism effect.” Here, we tested whether a “hyperrealism effect” also exists for AI-generated voices.”
For the record, the researchers did NOT discover a hyperrealism effect in AI-generated voices.
But if future deepfake voices sound realer than real, then we will REALLY need the algorithms to spot the fakes.
And if your company has a voice deepfake detection solution, I could have talked about it right now in this post.
Or on your website.
Or on your social media.
Where your prospects can see it…and purchase it.
And money in your pocket is realer than real.
Let’s talk. https://bredemarket.com/mark/
I was up bright and early to attend a Liminal Demo Day, and the second presenter was Proof. Lauren Furey and Kurt Ernst presented, with Lauren assuming the role of the agent verifying Kurt’s identity.
The mechanism to verify the identity was a video session. In this case, Agent Lauren used three methods:
One important note: Agent Lauren had complete control over whether to verify Kurt’s identity or not. She was not a mere “human in the loop.” Even if Kurt passed all the checks, Lauren could fail the identity check if she suspected something was wrong (such as a potential fraudster prompting Kurt what to do).
If you’ve been following my recent posts on identity assurance level, you know what happened next. Yes, I asked THE question:
“Another question for Proof: does you solution meet the requirements for supervised remote identity proofing (IAL3)?”
Lauren responded in the affirmative.
It’s important to note that Proof’s face authentication solution incorporates liveness detection, so there is reasonable assurance that the person’s fake is not a spoof or a synthetic identity.
So I guess I’m right, and that we’re seeing more and more IAL3 implementations, even if they don’t have the super-duper Kantara Initiative certification that NextgenID has.
I hate to use the overused t word (trust), but in this case it’s justified.
“Scammers are aware that people are more likely to open and read a text message rather than an email The open rates for text messages are more than 90% while the open rates for emails is less than 30%. In addition, many email providers have filters that are able to identify and filter out phishing emails while the filtering capabilities on text messages is much less. Additionally, people tend to trust text messages more than emails. Text message also may prompt a quick response before the targeted victim can critically consider the legitimacy of the text message.”
From Scamicide, https://scamicide.com/2025/09/18/scam-of-the-day-september-19-2025-treasury-refund-text-smishing-scam/
What I can’t figure out is WHY text messages have such a high level of t[REDACTED]. Does SMS feel more personal?
(Picture designed by Freepik.)
I’ve previously discussed the difference between Identity Assurance Level 2 (IAL2) and Identity Assurance Level 3 (IAL3). The key differentiator is that IAL3 requires either (1) in-person identity proofing or (2) remote supervised identity proofing.
Who can provide remote supervised identity proofing?
“NextgenID Trusted Services Solution provides Supervised Remote Identity Proofing identity stations to collect, review, validate, proof, and package IAL-3 identity evidence and enrollment data for CSPs operating at IAL-3.”
And there are others who can provide the equivalent of IAL3, as we will see later.
How do you supervise a remote identity proofing session?
“The camera(s) a CSP [Credential Service Provider] employs to monitor the actions taken by a remote applicant during the identity proofing session should be positioned in such a way that the upper body, hands, and face of the applicant are visible at all times.”
But that doesn’t matter with me now. What matters to me is WHEN we need remote identity proofing sessions.
Mitek Systems’ Adam Bacia provides one use case:
“IAL3 is reserved for high-risk environments such as sensitive government services.”
So that’s one use case.
But there is another.
Governments aren’t the only entities that need to definitively know identities in critically important situations.
What about banks and other financial institutions, which are required by law to know their customers?
Now it’s one thing when one of my Bredemarket clients used to pay me by paper check. Rather than go to the bank and deposit it in person at a teller window (in person) or at an ATM (remote supervised), I would deposit the check with my smartphone app (remote unsupervised).
Now the bank assumed a level of risk by doing this, especially since the deposited check would not be in the bank’s physical possession after the deposit was completed.
But guess what? The risk was acceptable for my transactions. I’m disclosing Bredemarket company secrets, but that client never wrote me a million dollar check. Actually, none of my clients has ever written me a million dollar check. (Perhaps I should raise my rates. It’s been a while. If I charge an hourly rate of $100,000, I will get those million dollar checks!)
So how do financial institutions implement the two types of IAL3?
Regarding IAL3 and banks, in-person transactions are supported in certain cases, even with the banks’ moves to close branches.
“If you need to initiate a funds transfer payment, an authorized signer for your account may also initiate funds (wire) transfers at any Chase branch.”
Note the use of the word “may.” However, if you don’t want to go to a branch to make a wire transfer, you have to set up an alternate method in advance.
What about remote supervised transactions at financial institutions, where you are not physically present, but someone at the bank remotely sees you and everything you do? Every breath you take? And every move you make? Etcetera.
It turns out that the identity verification providers support video sessions between businesses (such as banks) and their customers. For example, Incode’s Developer Hub includes several references to a video conference capability.
To my knowledge, Incode has not publicly stated whether any of its financial identity customers are employing this video conference capability, but it’s certainly possible. And when done correctly, this can support the IAL3 specifications.
For high-risk transactions such as ones with high value and ones with particular countries, IAL3 protects both the financial institutions and their customers. It lessens the fraud risk and the possible harm to both parties.
Some customers may see IAL3 as an unnecessary bureaucratic hurdle…but they would feel differently if THEY were the ones getting ripped off.
This is why both financial institutions and identity verification vendors need to explain the benefits of IAL3 procedures for riskier transactions. And do it in such a way that the end customers DEMAND IAL3.
To create the content to influence customer perception, you need to answer the critically important questions, including why, how, and benefits. (There are others.)
And if your firm needs help creating that content, Underdog is here.
I mean Bredemarket is here.
Visit https://bredemarket.com/mark/ and schedule a time to talk to me—for free. I won’t remotely verify your identity during our videoconference, but I will help you plan the content your firm needs.
A supposed recruiter on LinkedIn with 2 names (Adriana, and Linda) and only 2 connections (whoops, now 3) tried to scam a friend of mine.
But my friend smelled a rat.
Another employment scammer.
Know your recruiter!
(Hiring rat picture from Imagen 4)
(CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=245337.)
The names and identification numbers have been changed to protect my PII.
Early this morning, I received an email from my bank, Wildebeest Bank.
Your Wildebeest Bank debit card transaction was declined.
A transaction on your debit card ending in 1234 was declined.
So I went to my Wildebeest Bank app to see what company tried to charge to my card, and how much they tried to charge. But I found nothing.
Then I realized that my debit card does NOT end in 1234, but in 5678. I’ve had that debit card since…well, since May 2024, when “enron*publications us” fraudulently charged $8.28 to my card that DID end in 1234.
Wildebeest Bank cancelled that card immediately and issued a new one.
And no one tried to use that old card until today.
And Wildebeest Bank just laughed at the attempt, not even bothering to inform me of the details.
We’re all familiar with the morphing of faces from subject 1 to subject 2, in which there is an intermediate subject 1.5 that combines the features of both of them. But did you know that this simple trick can form the basis for fraudulent activity?
Back in the 20th century, morphing was primarily used for entertainment purposes. Nothing that would make you cry, even though there were shades of gray in the black or white representations of the morphed people.
But Godley, Creme, and Jackson weren’t trying to commit fraud. As I’ve previously noted, a morphed picture can be used for fraudulent activity. Let me illustrate this with a visual example. Take a look at the guy below.
Does this guy look familiar to you? Some of you may think he kinda sorta looks like one person, while others may think he kinda sorta looks like a different person.
The truth is, the person above does not exist. This is actually a face morph of two different people.
Now imagine a scenario in which a security camera is patrolling the entrance to the Bush ranch in Crawford, Texas. But instead of having Bush’s facial image in the database, someone has tampered with the database and inserted the “Obushama” image instead…and that image is similar enough to Barack Obama to allow Obama to fraudulently enter Bush’s ranch.
Or alternative, the “Obushama” image is used to create a new synthetic identity, unconnected to either of the two.
But what if you could detect that a particular facial image is not a true image of a person, but some type of morph attempt? NIST has a report on this:
“To address this issue, the National Institute of Standards and Technology (NIST) has released guidelines that can help organizations deploy and use modern detection methods designed to catch morph attacks before they succeed.”
The report, “NIST Interagency Report NISTIR 8584, Face Analysis Technology Evaluation (FATE) MORPH Part 4B: Considerations for Implementing Morph Detection in Operations,” is available in PDF form at https://doi.org/10.6028/NIST.IR.8584.
And a personal aside to anyone who worked for Safran in the early 2010s: we’re talking about MORPH detection, not MORPHO detection. I kept on mistyping the name as I wrote this.
Know your business, today’s edition.
I knew I was asking for trouble when I answered a simple question of whether I used Quickbooks.
Sure enough, I subsequently received a call from the Quickbooks Support Department.
After wasting his time for a few minutes, I asked for his Intuit email address.
He didn’t have one. Just a Quickbooks Support email address.
So I just blocked a number from the 207 area code. Which is in Maine, the hotbed of Intuit activity.
Perhaps instead of his Intuit email address, I should have asked him to consent to a biometric scan that matches against Intuit employee records.
(Imagen 4)
In the latest Know Your Business brouhaha, the Treasury Inspector General for Tax Administration (TIGTA) has questioned some potential gaps in the assignment of an Employer Identification Number, or EIN.
It seems that some so-called “businesses” are using an EIN as a facade for illegal activity…and insufficient identity assurance is preventing the fraudsters from being caught.
What is an EIN? In the same way that U.S. citizens have Social Security Numbers, U.S. businesses have Employer Identification Numbers. It’s not a rigorous process to get an EIN; heck, Bredemarket has one.
But maybe it needs to be a little more rigorous, according to TIGTA.
“EINs are targeted and used by unscrupulous individuals to commit fraud. In July 2021, we reported that there were hundreds of potentially fraudulent claims for employer tax credits….Further, in April 2024, our Office of Investigations announced that it helped prevent $3.5 billion from potentially being paid to fraudsters. Our special agents identified a scheme where individuals obtained an EIN for the sole purpose of filing business tax returns to improperly claim pandemic-related tax credits.”
Yes, that’s $3.5 billion with a B. That’s a lot of fraud.
Perhaps the pandemic has come and gone, but the temptation to file fraudulent business tax returns with an improperly-obtained EIN continues.
So how does the Internal Revenue Service (IRS) gatekeep the assignment of EINs?
By specifying an Identity Assurance Level (IAL) before assigning an EIN.
Specifically, Identity Assurance Level 1.
“In December 2024, the IRS completed the annual reassessment of the Mod IEIN system. The IRS rated the identity proofing and authentication requirements at Level 1 (the same level as the initial assessment in January 2020).”
If you’ve read the Bredemarket blog or other biometric publications, you know that IAL1 is, if I may use a technical term, a “nothingburger.” The National Institute of Standards and Technology (NIST) says this about IAL1:
“There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a CSP asserts to an RP). Self-asserted attributes are neither validated nor verified.”
If that isn’t a shady way to identity a business, I don’t know what is.
These days it’s probably unreasonable to require every business to use Identity Assurance Level 3 (discussed in the Bredemarket post “Identity Assurance Level 3 (IAL3): When Identity Assurance Level 2 (IAL2) Isn’t Good Enough“) to obtain an EIN. As a reminder, IAL3 requires either in-person or supervised proof of identity.
But I agree with TIGTA’s assertion that Identity Assurance Level 2, with actual evidence of the real-world identity, should be the minimum.
And if your identity/biometric firm offers a product that conforms to IAL2 or IAL3, and you need assistance creating product marketing content, talk to Bredemarket.
Bredemarket