If Your Phone Has IMEI 440015202000…

When I posted (two times) the fact that International Mobile Equipment Identity (IMEI) numbers are NOT a reliable way to ascertain the identity of a user, I was pooh-poohed.

Tell that to the people of Bangladesh.

In that country, the National Equipment Identity Register (NEIR) went live on January 1, and it uncovered some surprising findings.

Turns out that tens of millions of phones in Bangladesh share their IMEIs with other phones. A single example:

“According to data generated after NEIR went live on January 1, a single IMEI, 440015202000, was found to be linked to 1,949,088 devices nationwide.”

So will you now admit that an IMEI is not a reliable way to identify an individual phone?

Two Footballs, Two Biscuits, Two Presidents: A Cybersecurity Nightmare.

Last year I wrote about a biscuit and a football, but I wasn’t talking about the snack spread on game day.

I was talking about the tools the United States President uses (as Commander-in-Chief) for identity verification to launch a nuclear attack.

But sometimes you have to pass the football. If the President is temporarily or permanently incapacitated in an attack, the Vice President also has a football and a biscuit. Normally the Vice President’s biscuit isn’t activated, but when certain Constitutional criteria are met it becomes operative.

Other than this built-in redundancy, the system assumes one football, one biscuit, and one President.

If you’re a cybersecurity expert, you know this assumption is the assumption of a fool.

  • It is not impossible to have duplicate functional footballs and duplicate functional biscuits.
  • And it is not impossible to have duplicate functional Presidents, with identical face, voice, finger, and iris biometrics. Yes, it’s highly unlikely, but it’s not impossible. If the target is important enough, adversaries will spend the money.

And most of us will never know the answer to this question, but how do government cybersecurity experts prevent this?

Today’s Acronym is PADFAA. And It Has Nothing To Do With Liveness Detection or Airplanes.

TAA.

Too many acronyms.

And this one, PADFAA, sounds like a mashup of presentation attack detection and the Federal Aviation Administration.

It isn’t.

PADFAA stands for the “Protecting Americans’ Data from Foreign Adversaries Act of 2024.”

So while it doesn’t involve PAD or the FAA, it does involve PII (personally identifiable information) and the FTC (Federal Trade Commission).

“The Federal Trade Commission sent letters to 13 data brokers warning them of their responsibility to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA).

“PADFAA prohibits data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to any foreign adversary, which include North Korea, China, Russia, and Iran, or any entity controlled by those countries. The law defines personally identifiable sensitive data to include health, financial, genetic, biometric, geolocation, and sexual behavior information as well as account or device log-in credentials and government-issued identifiers such as Social Security, passport, or driver’s license numbers.”

Frankly, it’s not a good idea to sell PII to our friends either, but that’s another topic.

How Can Identity/Biometric Product Marketers Cut Through the Slop?

Slop is everywhere, and even I generate slop. (For experimental purposes only, of course.) But slop makes it hard for product marketers to share their messages with prospects.

Bredemarket has adopted two tactics to cut through the slop and ensure my clients’ messages reach those who need to hear them.

Tactic 1: Before I write, I ask

To bound the message I am about to create for an identity/biometric client (or any client), I ask a number of questions. These questions ensure that the message addresses the right people, their concerns, and their fears. I’ve shared seven of my questions elsewhere.

Seven Questions Your Content Creator Should Ask You.

When all the questions are answered, I have a clear roadmap to start writing.

Tactic 2: I act, not the bot

In writing, generative artificial intelligence’s proper place is as an outside advisor, not an author. I’ve shared my thoughts on this on LinkedIn.

I don’t feed the answers to Bredebot and have it churn out something. I pick the words myself.

Rewrite this. Don’t write it.

Now perhaps I might use generative AI to tweak a phrase or two, but I remain in complete control of the entire creative process.

The result?

I believe, and my clients also believe, that this careful approach to content results in pieces that are differentiated from the mass-churned content of others.

So my clients stand out and aren’t confused with their competitors.

After all, even though Bredebot fakes thirty years of experience in identity and biometrics, it doesn’t really have such experience. I do. That’s why I’m the biometric product marketing expert.

So if you want me, not a bot, to polish your biometric product marketing sentences “until they shine,” let’s talk about how we can move forward.

Bredemarket can write your biometric company’s product marketing content.

Identity/Biometric Marketing Leaders: In Case You Missed It

If you’re an identity/biometric marketing leader who requires content, proposal, and analysis expertise from a biometric product marketing expert, make sure you read the following:

It will be worth your while.

What is the Difference Between “Bredemarket Identity Firm Services” and “Bredemarket”?

I’m putting myself in the shoes of someone reading stuff on LinkedIn or Facebook.

  • At one point, the reader may encounter a reference to “Bredemarket.”
  • At another point, the reader may encounter a reference to “Bredemarket Identity Firm Services.”

Are “Bredemarket” and “Bredemarket Identity Firm Services” two separate entities?

No.

They overlap.

So if your specific interest is biometrics, or secure documents, or other identity factors, visit Bredemarket Identity Firm Services.

If your interests are more general (such as product marketing), visit Bredemarket.

Three Reasons Why You Should Let Your Competitors Market Your Identity/Biometric Product

Identity/biometric marketing leaders have a lot on their hands, and the last thing they need is more work. Even if you outsource your product marketing, you must manage the resources.

Rather than do this yourself, why not let your competitors do it?

If your competitors market your identity/biometric product…

  • One: You save money. Why spend hundreds or thousands of dollars on go-to-market or sales enablement materials? Let your competitors incur those costs.
  • Two: You save time. The best product marketing initiatives occur in a joint process between the marketing leader and the product marketing consultant. But this requires commitment on your part: in initial project definition, draft review, and final publication.
  • Three: You save trouble. If your product marketing content has an effective call to action, there is the danger that a prospect may act on it, creating more work for your sales organization.

You can save money, time, and trouble by your silence. Let your competitors bear the burden of defining your product to your prospects. They will be more than happy to do so.

In fact, you should strongly encourage your competitors to contact Bredemarket about their identity/biometric product marketing needs. Bredemarket will make your competitors spend money and stay busy during and after content creation.

Whatever you do, do NOT contract with Bredemarket yourself. Bredemarket has worked with clients on both a strategic and tactical basis to bring identity/biometric products to market, launch long-term campaigns, and bring visibility to client products and services.

Bredemarket can write your biometric company’s product marketing content.

My Favorite Knowledge-Based Authentication (KBA) Failure

If the identity you’re protecting is important, knowledge-based authentication (KBA) isn’t sufficient to protect it. There’s an example of a KBA failure that I originally discussed in 2024 in a “The Wildebeest Speaks” article, but since I’m citing it again on LinkedIn I might as well mention it here.

Consider the following four criteria:

  • The person is a famous musician.
  • The person uses a particular first and last name.
  • The person is of a particular nationality.
  • The person plays a particular musical instrument.

That’s not enough to identify an individual.

Just ask the famous musician Mick Jones, the English guitarist.

Here he is (on the left) playing guitar for the song “Urgent.” (Or, more accurately, miming to a previous recording. The recording included Junior Walker and Thomas Dolby, but the video did not.)

And here is Jones again, playing guitar and singing “Should I Stay Or Should I Go.”

“Wait a minute, John!” you’re saying. “Those are two different bands and two different people!”

Right.

And for those who thought all the members of Foreigner were American:

“By 1974 we found in Spooky [Tooth] that we were getting a better reception in the States than back home in Britain, so made a collective decision to relocate to New York….

“[After Gary Wright quit Spooky Tooth] I [Mick Jones the English guitarist] was left high and dry in New York, and without a clue as to what my next move was going to be. I seriously considered returning to England and starting over a whole new career, such as going to medical school or becoming a dentist. The second option was the most attractive to me, because it took less time to qualify and paid good money.”

But dentistry’s loss was music’s gain, as Jones assembled two other British people and three Americans into a band called Foreigner.

And considering that the other Mick Jones was kicked out of the Clash, we can figure out how THAT band got its name.

Anyway, “Mick Jones the English guitarist” remains my favorite example of a knowledge-based authentication failure.

Because you need multiple ways to verify and authenticate identities. I should know.

Biometric product marketing expert.

And So the Scam Begins

I’ve previously noted that one possible sign of a scammer is when they don’t initiate a LinkedIn connection to you, but instead want you to initiate a LinkedIn connection to them. When a scammer is scamming, they can’t blow through a few thousand connection requests every day, so it’s better if the victims initiate the connection request themselves.

I immediately thought of this when I received an email from a Gmail account to one of my odd accounts entitled “Thinking of connecting.”

Um…why not just do it?

Here’s the text with the scammer’s alleged name changed:

“I saw your profile on LinkedIn and wanted to say hello. I’m Melania.

“I’ve always been interested in learning about different professional paths. This is just a friendly intro for the start of the week—no expectations on my end.”

Obviously I didn’t respond. Because I have no idea who the Gmail account holder REALLY is.

A day later, I received a second message that included the following:

“Things are actually pretty smooth and manageable on my end as the Operations Manager at Estée Lauder, so I’ve had some extra time to catch up with my network. I’d love to hear how your side of the world is treating you whenever you have a moment.”

Again, I didn’t respond. I didn’t even ask for “Melania’s” Estée Lauder email address (again, the emails are from a Gmail account).

Then we got to day three. Remember how Melania said she had viewed my LinkedIn profile? This was the next question she asked:

“Is it snowing where you are?”

Obviously she hadn’t read anything, and I was getting bored, so I blocked her from all email addresses.

Did I Forget to Mention That I Don’t Live in New York City?

For a moment I’m going to veer away from finger, face, iris, voice, and DNA and veer toward geolocation.

I don’t live in New York City.

Technically I don’t live in the Mojave Desert either.

But Ontario, California is closer, both in geography and in climate, to the High Desert than to the Eastern Seaboard.

I guess California knows how to party by walking around with self promotion signs.

Biometric product marketing expert.

And if my biometric product marketing expertise can help your firm, let’s talk.