If your security software enforces a “no bots” policy, you’re only hurting yourself.
Bad bots
Yes, there are some bots you want to keep out.
“Scrapers” that obtain your proprietary data without your consent.
“Ad clickers” from your competitors that drain your budgets.
And, of course, non-human identities that fraudulently crack legitimate human and non-human accounts (ATO, or account takeover).
Good bots
But there are some bots you want to welcome with open arms.
Such as the indexers, either web crawlers or AI search assistants, that ensure your company and its products are known to search engines and large language models. If you nobot these agents, your prospects may never hear about you.
Buybots
And what about the buybots—those AI agents designed to make legitimate purchases?
Perhaps a human wants to buy a Beanie Baby, Bitcoin, or airline ticket, but only if the price dips below a certain point. It is physically impossible for a human to monitor prices 24 hours a day, 7 days a week, so the human empowers an AI agent to make the purchase.
Do you want to keep legitimate buyers from buying just because they’re non-human identities?
(Maybe…but that’s another topic. If you’re interested, see what Vish Nandlall said in November about Amazon blocking Perplexity agents.)
Nobots
According to click fraud fighter Anura in October 2025, 51% of web traffic is non-human bots, and 37% of the total traffic is “bad bots.” Obviously you want to deny the 37%, but you want to allow the 14% “good bots.”
Nobot policies hurt. If your verification, authentication, and authorization solutions are unable to allow good bots, your business will suffer.
Francesco Fabbrocino of Dunmor presented at today’s SoCal Tech Forum at FoundrSpace in Rancho Cucamonga, California. His topic? Technology in FinTech/Fraud Detection. I covered his entire presentation in a running LinkedIn post, but I’d like to focus on one portion here—and my caveat to one of his five rules of fraud detection. (Four-letter word warning.)
The five rules
In the style of Fight Club, Fabbrocino listed his five rules of fraud detection:
1. Nearly all fraud is based on impersonation.
2. Never expose your fraud prevention techniques.
3. Preventing fraud usually increases friction.
4. Fraud prevention is a business strategy.
5. Whatever you do, fraudsters will adapt to it.
All good points. But I want to dig into rule 2, which is valid…to a point.
Rule 2
If the fraudster presents three different identity verification or authentication factors, and one of them fails, there’s no need to tell the fraudster which one failed. Bad password? Don’t volunteer that information.
In fact, under certain circumstances you may not have to reveal the failure at all. If you are certain this is a fraud attempt, let the fraudster believe that the transaction (such as a wire transfer) was successful. The fraudster will learn the truth soon enough: if not in this fraud attempt, perhaps in the next one.
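One way to apply rule 2 in code, as an added example that is not from Fabbrocino's presentation or from this post: every factor is checked, the caller always receives the same failure message, and the factor that actually failed is recorded only in an internal audit trail. The `verify` function, the three factor names, and the sample user "alice" are assumptions made for illustration.

```python
import hashlib
import hmac

# The only failure response a caller ever sees, whichever factor failed.
GENERIC_FAILURE = {"ok": False, "message": "Verification failed."}

# Internal audit trail; its contents are never returned to the caller.
AUDIT_TRAIL = []

_SALT = b"constructed-salt"  # constructed sample value


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed sample enrollment data (hypothetical user and factors).
ENROLLED = {
    "alice": {
        "password": _hash_password("correct horse"),
        "otp": "492817",
        "device": "device-7f3a",
    }
}

# Dummy record so an unknown user runs the same comparisons as a known one
# and cannot be told apart by a faster or differently worded response.
_DUMMY = {"password": _hash_password("dummy"), "otp": "000000", "device": "none"}


def verify(user: str, password: str, otp: str, device: str) -> dict:
    record = ENROLLED.get(user)
    known = record is not None
    record = record if known else _DUMMY

    # Evaluate every factor with constant-time comparisons and no early
    # return, so the response does not depend on which check failed first.
    results = {
        "password": hmac.compare_digest(_hash_password(password), record["password"]),
        "otp": hmac.compare_digest(otp.encode(), record["otp"].encode()),
        "device": hmac.compare_digest(device.encode(), record["device"].encode()),
    }
    failed = sorted(name for name, ok in results.items() if not ok)
    if not known:
        failed = ["unknown_user"]

    # The detail stays inside: the fraud team sees it, the caller does not.
    AUDIT_TRAIL.append({"user": user, "failed": failed})

    if failed:
        return dict(GENERIC_FAILURE)
    return {"ok": True, "message": "Verified."}
```
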
But “never” is a strong word, and there are some times when you MUST expose your fraud prevention techniques. Let me provide an example.
Biometric time cards
One common type of fraud is time card fraud, in which an employee claims to start work at 8:00, even though he didn’t show up for work until 8:15. How do you fool the time clock? By buddy punching, where your friend inserts your time card into the time clock precisely at 8, even though you’re not present.
Enter biometric time clocks, in which a worker must use their finger, palm, face, iris, or voice to punch in and out. It’s very hard for your buddy to have your biometric, so this decreases time clock fraud significantly.
And you fail to inform the employees of the purpose for collecting biometrics, and obtain the employees’ explicit consent to collect biometrics for this purpose.
In a case like this, or a case in a jurisdiction governed by some other privacy law, you HAVE to “expose” that you are using an individual’s biometrics as a fraud prevention technique.
But if there’s no law to the contrary, obfuscate at will.
Communicating your anti-fraud solution
Now there are a number of companies that fight the many types of fraud that Fabbrocino mentioned. But these companies need to ensure that their prospects and clients understand the benefits of their anti-fraud solutions.
That’s where Bredemarket can help.
As a product marketing consultant, I help identity, biometric, and technology firms market their products to their end clients.
And I can help your firm also.
Read about Bredemarket’s content for tech marketers and book a free meeting with me to discuss your needs.
Is it only smartphone game app users who are inundated with an unrelenting barrage of Kalshi ads?
If nothing else, the barrage inspired me to research Designated Contract Markets (DCMs). A DCM is a status granted and regulated by the Commodity Futures Trading Commission (CFTC), a federal agency. As such, Kalshi argues that it is exempt from state gaming regulations because it’s not hosting gambling. It’s hosting futures trading.
But Kalshi and similar apps such as Polymarket are opposed by DraftKings, FanDuel, and other sports betting apps. They make no pretense of “trading futures,” but comply with state-level gambling regulations, and use geolocation to prohibit mobile sports betting in states such as California where it is illegal.
And both are opposed by Native American casinos governed by the Indian Gaming Regulatory Act (IGRA) of 1988, which allows sovereign tribal nations to host traditional Indian games.
And they are opposed by other card houses, racetracks, bingo games, and state sponsored lotteries.
And all are opposed by the traditional Las Vegas casinos…except when they themselves host mobile apps and strike licensing deals with Native American casinos.
But the mobile app variants not only deal with geolocation, but also digital identity verification and age verification.
And employment verification or non-verification to ensure that football players aren’t betting on football games.
Plus authentication to open the app and ensure Little Jimmy doesn’t open it.
There are all sorts of gaming identity stories…and Bredemarket can help identity/biometric marketers tell them.
In late 2019 and early 2020 I was working on a project promoting biometric entry at sports facilities and concert venues…until a teeny little worldwide pandemic shut down all the sport and concert venues.
Some of you may remember that a pivotal day during that period was March 11, 2020. Among many many other things, this was the day on which basketball fans awaited the start of a game.
“8 p.m. [ET; 7 p.m. local time]: In Oklahoma City, it was just another game day for Nerlens Noel and his Thunder teammates, who were warming up to play the visiting Utah Jazz.”
The day soon became abnormal after a meeting between NBA officials and the two coaches. Unbeknownst to the crowd, the officials and coaches were discussing a medical diagnosis of Rudy Gobert. (That’s another story.)
“8:31 p.m. [ET]: Teams were sent back to their locker rooms but the crowd at Chesapeake Energy Arena weren’t informed of the cancellation immediately. Instead, recording artist Frankie J, the intended halftime entertainment, put on his show, while officials decided how to break the news.”
Eight minutes later, the crowd was instructed to leave the arena.
Twenty minutes after that, the NBA suspended all games.
A little over a month later, on April 19, millions of people were huddled in their homes, glued to the opening episode of a TV series called The Last Dance…the only basketball any of us were going to get for a while. And of course, these games were on decades-long tape delay, and we already knew the outcome. (The Chicago Bulls won.)
And that was our basketball…until the suspended season resumed on July 30 under very bizarre circumstances.
Anyway, all of that was a very long time ago.
Games and concerts have been back in business since 2021, and identity verification and authentication of venue visitors with biometrics and other factors is becoming more popular every year.
I generated this picture in Imagen 4 after reading an AI art prompt suggestion from Danie Wylie. (I have mentioned her before in the Bredemarket blog…twice.)
The AI exercise raises a question.
What if you are in the middle of an identity verification or authentication process, and only THEN discover that a fraudster is impersonating you at that very moment?
And I confess that if I were Joel R. McConvey, I would have been unable to resist the overpowering temptation to dip my pen in the inkwell and write the following sentence:
“But as age checks become law in more and more places, the industry will have to weigh how far it can push – or pull out.”
But McConvey’s article does not just cover the Supreme Court’s decision on Texas HB 1181’s age verification requirement for porn websites—and Justice Clarence Thomas’ statement in the majority opinion that the act “triggers, and survives, review under intermediate scrutiny because it only incidentally burdens the protected speech of adults.”
What about social media?
The Biometric Update article also notes that a separate case regarding age assurance for social media use is still winding its way through the courts. The article quotes U.S. District Judge Amy Totenberg’s ruling on Georgia SB 351:
“[T]he act curbs the speech rights of Georgia’s youth while imposing an immense, potentially intrusive burden on all Georgians who wish to engage in the most central computerized public fora of the twenty-first century. This cannot comport with the free flow of information the First Amendment protects.”
One important distinction: while opposition to pornography is primarily (albeit not exclusively) from the right of the U.S. political spectrum, opposition to social media is more broad-based. So social media restrictions are less of a party issue.
But returning to law rather than politics, one can objectively (or most likely subjectively) debate the Constitutional merits of naked people having sex vs. AI fakes of reunions of the living members of Led Zeppelin, the latter of which seem to be the trend on Facebook these days.
Minority Report
But streaking back to Texas, what of the minority opinion of the three Supreme Court Justices who dissented in the 6-3 opinion? According to The Texas Tribune, Justice Elena Kagan spoke for Justices Sonia Sotomayor and Ketanji Brown Jackson:
“But what if Texas could do better — what if Texas could achieve its interest without so interfering with adults’ constitutionally protected rights in viewing the speech HB 1181 covers? The State should be foreclosed from restricting adults’ access to protected speech if that is not in fact necessary.”
If you assume age verification (which uses a government backed ID) rather than age estimation (which does not), the question of whether identity verification (even without document retention) is “restricting” is a muddy one.
Of course all these issues have little to do with the technology itself, reminding us that technology is only a small part of any solution.
Because I have talked about differentiation ad nauseam, I’m always looking for ways to see how identity/biometric and technology vendors have differentiated themselves. Yes, almost all of them overuse the word “trust,” but there is still some differentiation out there.
And I found a source that measured differentiation (or “unique positioning”) in various market segments. Using this source, I chose to concentrate on vendors who concentrate on identity verification (or “identity proofing & verification,” but close enough).
Before you read this, I want to caution you that this is NOT a thorough evaluation of The Prism Project deepfake and synthetic identity report. After some preliminaries, it focuses on one small portion of the report, concentrating on ONLY one “beam” (IDV) and ONLY one evaluation factor (differentiation).
Four facts about the report
First, the report is comprehensive. It’s not merely a list of ranked vendors, but also provides a, um, deep dive into deepfakes and synthetic identity. Even if you don’t care about the industry players, I encourage you to (a) download the report, and (b) read the 8 page section entitled “Crash Course: The Identity Arms Race.”
The crash course starts by describing digital identity and the role that biometrics plays in digital identity. It explains how banks, government agencies, and others perform identity verification; we’ll return to this later.
Then it moves on to the bad people who try to use “counterfeit identity elements” in place of “authentic identity elements.” The report discusses spoofs, presentation attacks, countermeasures such as multi-factor authentication, and…
Well, just download the report and read it yourself. If you want to understand deepfakes and synthetic identities, the “Crash Course” section will educate you quickly and thoroughly, as will the remainder of the report.
Synthetic Identity Fraud Attacks. Copyright 2025 The Prism Project.
Second, the report is comprehensive. Yeah, I just said that, but it’s also comprehensive in the number of organizations that it covers.
In a previous life I led a team that conducted competitive analysis on over 80 identity organizations.
I then subsequently encountered others who estimated that there are over 100 organizations.
This report evaluates over 200 organizations. In part this is because it includes evaluations of “relying parties” that are part of the ecosystem. (Examples include Mastercard, PayPal, and the Royal Bank of Canada who obviously don’t want to do business with deepfakes or synthetic identities.) Still, the report is amazing in its organizational coverage.
Third, the report is comprehensive. In a non-lunatic way, the report categorizes each organization into one or more “beams”:
The aforementioned relying parties
Core identity technology
Identity platforms
Integrators & solution providers
Passwordless authentication
Environmental risk signals
Infrastructure, community, culture
And last but first (for purposes of this post), identity proofing and verification.
Fourth, the report is comprehensive. Yes I’m repetitive, but each of the 200+ organizations is evaluated on a 0-6 scale based upon seven factors. In listed order, they are:
Growth & Resources
Market Presence
Proof Points
Unique Positioning, defined as “Unique Value Proposition (UVP) along with differentiable technology and market innovation generally and within market sector.”
Business Model & Strategy
Biometrics and Document Authentication
Deepfakes & Synthetic Identity Leadership
In essence, the wealth of data makes this report look like a NIST report: there are so many individual “slices” of the prism that every one of the 200+ organizations can make a claim about how it was recognized by The Prism Project. And you’ve probably already seen some organizations make such claims, just like they do whenever a new NIST report comes out.
So let’s look at the tiny slice of the prism that is my, um, focus for this post.
Unique positioning in the IDV slice of the Prism
So, here’s the moment all of you have been waiting for. Which organizations are in the Biometric Digital Identity Deepfake and Synthetic Identity Prism?
Deepfake and Synthetic Identity Prism. Copyright 2025 The Prism Project.
Yeah, the text is small. Told you there were a lot of organizations.
For my purposes I’m going to concentrate on the “identity proofing and verification” beam in the lower left corner. But I’m going to dig deeper.
In the illustration above, organizations are nearer or farther from the center based upon their AVERAGE score for all 7 factors I listed previously. But because I want to concentrate on differentiation, I’m only going to look at the identity proofing and verification organizations with high scores (between 5 and the maximum of 6) for the “unique positioning” factor.
I’ll admit my methodology is somewhat arbitrary.
There’s probably no great, um, difference between an organization with a score of 4.9 and one with a score of 5. But you can safely state that an organization with a “unique positioning” score of 2 isn’t as differentiated as one with a score of 5.
And this may not matter. For example, iBeta (in the infrastructure – culture – community beam) has a unique positioning score of 2, because a lot of organizations do what iBeta does. But at the same time iBeta has a biometric commitment of 4.5. They don’t evaluate refrigerators.
So, here’s my list of identity proofing and verification organizations who scored between 5 and 6 for the unique positioning factor:
ID.me
iiDENTIFii
Socure
Using the report as my source, these three identity verification companies have offerings that differentiate themselves from others in the pack.
Although I’m sure the other identity verification vendors can be, um, trusted.
There is a lot of discussion about identity verification for people working in certain jobs: police officers, teachers, financial professionals, and the like.
With one exception.
One job that isn’t frequently discussed in the identity verification world is that of a sex worker. Primarily because sex workers usually don’t undergo identity verification for employment, but identity checks for criminal proceedings.
Applicants are fingerprinted and are also required to submit a recent photo.
Applicants must provide their birth name and all subsequent “names or aliases used.”
Three years of residence addresses and employment information.
The applicant’s criminal record “except minor traffic violations.”
“A waiver of release of medical information,” since the nature of the work involves the possibility of transmission of communicable diseases. And you thought being a nuclear power plant worker was dangerous!
Presumably the fingerprints are searched against law enforcement databases, just like the fingerprints of school teachers and the other newer professions.
Why?
“The chief of police shall investigate, through all available means, the accuracy of all information supplied by the prostitute on the registration form.”
Included in the investigation:
Controlled substance criminal convictions.
Felony convictions.
Embezzlement, theft, or shoplifting convictions.
Age verification; you have to be 21.
As you can see, the identity verification requirements for sex workers are adapted to meet the needs of that particular position.
But…it takes two to tango.
Brothel clients need to be at least 18 years old.
But I don’t know if Nevada requires client age verification, or if age estimation is acceptable.
I’ve noticed that my LinkedIn posts on jobseeking perform much better than my LinkedIn posts on the technical intricacies of multifactor identity verification.
But maybe I can achieve both mass appeal and niche engagement.
Private Equity Talent Hunt and Emma Emily
A year ago I reposted something on LinkedIn about a firm called Private Equity Talent Hunt (among other names). As Shelly Jones originally explained, their business model is to approach a jobseeker about an opportunity, ask for a copy of the jobseeker’s resume, and then spring the bad news that the resume is not “ATS friendly” but can be fixed…for a fee.
The repost has garnered over 20,000 impressions and over 200 comments—high numbers for me.
It looks like a lot of people are encountering Jennifer Cona, Elizabeth Vardaman, Sarah Williams, Jessica Raymond, Emily Newman, Emma Emily (really), and who knows how many other recruiters…
…who say they work at Private Equity Talent Hunt, Private Equity Recruiting Firm, Private Equity Talent Seek, and who knows how many other firms.
If only there were a way to know if you’re communicating with a real person, at a real business.
KYC and KYB let companies make sure they’re dealing with real people, and that the business is legitimate and not a front for another company—or for a drug cartel or terrorist organization.
So if a company is approached by Emma Emily at Private Equity Talent Hunt, what do they need to do?
The first step is to determine whether Emma Emily is a real person and not a synthetic identity. You can use a captured facial image, analyzed by liveness detection, coupled with a valid government ID, and possibly supported by home ownership information, utility bills, and other documentation.
If there is no Emma Emily, you can stop there.
But if Emma Emily is a real person, you can check her credentials. Where is she employed today? Where was she employed before? What are her post secondary degrees? What does her LinkedIn profile say? If her previous job was as a jewelry designer and her Oxford degree was in nuclear engineering, Emma Emily sounds risky.
And you can also check the business itself, such as Private Equity Talent Hunt. Check their website, business license, LinkedIn profile, and everything else about the firm.
But I’m not a business!
OK, I admit there’s an issue here.
There are over 100 businesses that provide identity verification services, and many of them provide KYC and KYB.
To other businesses.
Very few people purchase KYC and KYB per se for personal use.
So you have to improvise.
Ask Emma Emily some tough questions.
Ask her about the track record of her employer.
And if Emma Emily claims to be a recruiter for a well-known company like Amazon, ask for her corporate email address.