“May spotlighted how even the most advanced enterprises are vulnerable when identity systems are fragmented, machine identities go unmanaged, and workflows rely too heavily on manual intervention—creating conditions ripe for risk. Enterprises need to get the message: identity is the perimeter of cybersecurity, and orchestration is the force multiplier. It’s time to learn how to effectively leverage it.”
Of course, there’s that interesting wrinkle of the identities of non-person entities, which may or may not be bound to human identities. Simeio, with its application onboarding solution, plays in the NPE space.
As for me, I need to start thinking about MY Bredemarket monthly LinkedIn newsletter (The Wildebeest Speaks) soon. June approaches. (Here’s the May edition if you missed it.)
“Anonybit…announced the first-ever live implementation of agentic commerce secured by decentralized biometrics, marking a significant milestone in the evolution of enterprise AI.
“Through a strategic partnership with SmartUp, a no-code platform for deploying enterprise AI agents, Anonybit is powering authenticated, identity-bound agents in real-world order, payment, and supply chain workflows….
“Anonybit’s identity token management system enables agents to operate on behalf of users with precise, auditable authorization across any workflow—online, in-person, or automated.”
So—if you want to—all your bot buddies can be linked to you, and you bear the responsibility for their actions. Are you ready?
When a person is born in the United States, they obtain identifiers such as a name and a Social Security Number.
When a non-person entity is “born,” it gets identifiers also. For automobiles, the two most common ones are a Vehicle Identification Number (VIN) and a license plate number. (There is also title, which I’ve discussed before, but that’s not really an identifier.)
In my country license plates and the associated vehicle registrations, like driver’s licenses, are issued at the state level. Montana, for example, has 2.3 million registered vehicles…which is odd, because the state only has 879,000 licensed drivers.
“All that wealthy car owners have to do is spend around $1,000 to open an LLC in Montana, then use the LLC to purchase a car with no sales tax — and said car is not subject to vehicle inspections or emissions testing.”
That explains things. The Montana LLCs need multiple cars for all their LLC-related travel between Billings, Bozeman, and Butte. That’s a ton of miles on the Montana highways.
Um…no.
“According to Bloomberg, former Montana revenue director Dan Bucks said there are likely more than 600,000 vehicles registered in Montana but operated in other states.”
Like California. Where people don’t want to pay the fees associated with vehicle registration here, so they say their vehicles are Montana vehicles. Only problem is, license plate readers on California freeways can identify the movements of a car with Montana plates. And if that “Montana” car is moving in California, expect a visit from the tax authority.
But it’s not just the money-hungry loony liberal Commies in California. Jalopnik reports that the money-hungry loony liberal Commies in…um…Utah are mad also.
“This is really an abuse of our tax system,” said Utah tax commissioner John Valentine. “They pay nothing to support our state, just a small fee to Montana for the opportunity to evade taxes in Utah.”
Because in the end it doesn’t matter if you’re blue or red. What matters is the green. And the geolocation.
Now that it’s showing up in search, I will announce what I’ve done. Although I shouldn’t have done it.
I created my own Meta AI character on Instagram.
I was nosing around in my Instagram settings and discovered I could create an AI bot. So I did. You may or may not be able to create your own: see https://help.instagram.com/1675196359893731 for instructions.
“His” name is N. P. E. Bredemarket. Regular Bredemarket blog readers know that NPE stands for non-person entity.
“[N]ew Okta Platform capabilities…help businesses secure AI agents and other non-human identities with the same level of visibility, control, governance, and automation as human ones. The Okta Platform will now bring a unified, end-to-end identity security fabric to organizations for managing and securing all types of identities across their ecosystem, from AI agents to API keys to employees.”
I think that “unified” will take the place of “trust” as the identity buzzword. Thankfully.
If you’re only selling biometrics, or maybe biometrics and ID cards, where will your customers go to get the rest of their systems? Or will you just be a commodity supplier to the companies that provide the REAL systems?
When I introduced emotions as the seventh question in Bredemarket’s seven questions, I was thinking about how a piece of content could invoke a variety of emotions in a human reader.
“Like anything else, I think in some cases robots with emotions will be really good. It’s good in the sense that emotions are one of the best human interfaces. If you want to interface with us humans, we respond to emotions, and so having an emotional component in robots is a very smart, powerful way to help us work with them.”
As you know, I’ve been spending more and more time concentrating on identity issues when a person is not present. This is what the attribute-based access control folks refer to as “non-person entities” (NPEs).
In the article, CyberArk’s Scott Carter makes the following points:
Today there are many more machine identities than human ones.
They may have a short shelf life. Unlike humans, who usually access your systems for months or years if not decades, machine identities may be “created and discarded dynamically in minutes.” (Incidentally, I just wrote a LinkedIn article that delves into this in more detail.)
These identities are being breached. “Half of the surveyed organizations experienced security breaches tied to compromised machine identities within the past year.”
What does this mean?
Well, for CyberArk, it means that it endorses technologies such as automating certificate lifecycle management. And by the strangest coincidence, CyberArk offers a solution…
But for us, it means that we don’t only need automation, but we also need governing processes to ensure that ALL the people and NPEs that are accessing our systems are properly managed, quickly commissioned, and quickly decommissioned.
(Image from Imagen 3. Yes, I’m falling into the habit of reusing images for multiple use cases. It’s easier that way.)
I’m admittedly fascinated by the parallels between people and non-person entities (NPEs), to the point where I asked at one point whether NPEs can use the factors of authentication. (All six. Long story.)
When I got to the “something you are” factor, which corresponds to biometrics in humans, here is what I wrote:
Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.
But I missed one thing in that discussion, so I wanted to revisit it.
Understanding IMEI Numbers
Now this doesn’t apply to ceramic plates or pocket calculators, but there are some NPEs that assert uniqueness.
Our smartphones, each of which has an International Mobile Equipment Identity (IMEI) number.
IMEI stands for International Mobile Equipment Identity. It’s a unique identifier for mobile devices, much like a fingerprint for your phone’s IMEI number.
Now some of you who are familiar with biometrics are saying, “Hold it right there.”
Can someone assert that there have NEVER been two people with the same fingerprint in all of human history?
But let’s stick to phones, Johnny.
Each IMEI number is a 15-digit code that’s assigned to every mobile phone during its production. This number helps in uniquely identifying a device regardless of the SIM card used.
This is an important point here. Even Americans understand that SIM cards are transient and can move from one phone to another, and therefore are not valid to uniquely identify phones.
What about IMEIs?
Are IMEIs unique?
I won’t go into the specifics of the 15-digit IMEI number format, which you can read about here. Suffice it to say that the format dictates that the number incorporate the make and model, a serial number, and a check digit.
Therefore smartphones with different makes and models cannot have the same IMEI number by definition.
And even within the make and model, by definition no two phones can have the same serial number.
Why not? Because everyone says so.
It’s even part of the law.
Changing an IMEI number is illegal in many countries due to the potential misuse, such as using a stolen phone. Tampering with the IMEI can lead to severe legal consequences, including fines and imprisonment. This regulation helps in maintaining the integrity of mobile device tracking and discourages the theft and illegal resale of devices.
IMEIs in India
To all of the evidence above about the uniqueness of IMEI numbers, I only have two words:
So what?
A dedicated person can create or modify multiple smartphones to have the exact same IMEI number if desired. Here’s a recent example:
The Indore Police Crime Branch has dismantled two major digital arrest fraud rackets operating in different parts of the country, seizing a massive database containing private details of 20,000 pensioners in Indore….
A dark room in the flat functioned as the nerve centre of the cyber fraud operation, which had been active since 2019. The group specialised in IMEI cloning and used thousands of SIM cards from select mobile networks.
IMEIs in Canada
“Oh, but that’s India,” you say. “That couldn’t happen in a First World country.”
A Calgary senior is warning others after he was scammed out of $1,000 after buying what he thought was a new iPhone 15 Pro Max.
“I didn’t have any doubt that it was real,” Boyd told Global News….
The seller even provided him with the “original” receipt showing the phone had been purchased down east back in October 2023. Boyd said he also checked the phone’s serial number and the International Mobile Equipment Identity (IMEI). All checked out fine.
Boyd said the first sign of a problem was when he tried to update the phone with his own information and it wouldn’t update. It was only after he took it to a representative at a local Apple retailer, that he realized he had been duped.
IMEIs in general
Even IMEICheck.net, which notes that the threat of stealing one’s phone information is overrated, admits that it is possible (albeit difficult) to clone an IMEI number.
In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning. Even if cloning is successful, hackers cannot access personal data such as apps, messages, photos, or passwords. Cloning usually only affects network-related functions, such as making calls or sending messages from the cloned device.
Again, NOTHING provides 100.00000% security. Not even an IMEI number.
What this means for IMEI uniqueness claims
So if you are claiming uniqueness of your smartphone’s IMEI, be aware that there are proven examples to the contrary.
Perhaps the shortcomings of IMEI uniqueness don’t matter in your case, and using IMEIs for individualization is “good enough.”
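To make the gap between "the IMEI checks out" and "the IMEI is unique" concrete, here is an added example (not from the original post or any vendor's code) that validates the 15-digit format and then looks for the same well-formed IMEI claimed by more than one enrolled device. It assumes the check digit is the Luhn checksum and the make/model code is the first 8 digits; the device IDs and IMEI values are constructed for illustration.

```python
from collections import defaultdict

def luhn_check_digit(body14: str) -> int:
    """Luhn check digit for the first 14 digits of an IMEI."""
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def parse_imei(raw: str):
    """Split into make/model code, serial, check digit; None if malformed."""
    imei = raw.replace("-", "").replace(" ", "")
    if len(imei) != 15 or not (imei.isascii() and imei.isdigit()):
        return None
    if luhn_check_digit(imei[:14]) != int(imei[14]):
        return None
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}

def audit(enrollments):
    """enrollments: (device_id, imei) pairs. Returns (malformed, shared)."""
    malformed, owners = [], defaultdict(set)
    for device_id, raw in enrollments:
        parsed = parse_imei(raw)
        if parsed is None:
            malformed.append(device_id)
        else:
            key = parsed["tac"] + parsed["serial"] + parsed["check"]
            owners[key].add(device_id)
    # A passing format check says nothing about uniqueness: report any
    # IMEI that more than one enrolled device is presenting.
    shared = {k: sorted(v) for k, v in owners.items() if len(v) > 1}
    return malformed, shared

# Constructed enrollment records (hypothetical device IDs and IMEIs).
SAMPLE = [
    ("dev-a", "001010000000016"),
    ("dev-b", "00-101000-000002-4"),
    ("dev-c", "001010000000016"),   # well-formed, but same IMEI as dev-a
    ("dev-d", "001010000000017"),   # wrong check digit
]

if __name__ == "__main__":
    bad, dup = audit(SAMPLE)
    print("malformed:", bad)
    print("shared IMEIs:", dup)
```

The duplicate on dev-a and dev-c passes every format check, which is why an inventory keyed on IMEI alone needs a second identifier before treating a record as one physical device.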
(Imagen 3 image. Oddly enough, Google Gemini was unable, or unwilling, to generate an image of three smartphones displaying the exact same 15-digit string of numbers, or even a 2-digit string. I guess Google thought I was a fraudster.)