An IMEI Number Is NOT Unique to Each Mobile Phone

(Imagen 3)

Have you ever used the phrase “sort of unique”? Something is either unique or it isn’t. And International Mobile Equipment Identity (IMEI) numbers fail the uniqueness test.

Claims that International Mobile Equipment Identity (IMEI) numbers are unique

Here’s what a few companies say about the IMEI number on each mobile phone. Emphasis mine.

  • Thales: “The IMEI (International Mobile Equipment Identity) number is a unique 15-digit serial number for identifying a device; every mobile phone in the world has one.”
  • Verizon: “An IMEI stands for International Mobile Equipment Identity. Think of it as your phone’s fingerprint — it’s a 15-digit number unique to each device.”
  • Blue Goat Cyber: “In today’s interconnected world, where our smartphones have become an indispensable part of our lives, it is essential to understand the concept of IMEI – the International Mobile Equipment Identity. This unique identifier plays a crucial role in various aspects of our mobile devices, from security to tracking and repairs.”

These and other descriptions of the IMEI prominently use the word “unique.” Not “sort of unique,” but “unique.”

Which means that, for non-person entities just as for persons, a SINGLE reliable instance of two mobile phones carrying the same IMEI number is enough to make the claim of uniqueness fall apart completely.

Examples of non-uniqueness of IMEI numbers on mobile phones

People who claim IMEI uniqueness obviously didn’t read my Bredemarket blog post of April 1, in which I WASN’T fooling.

  • I talked about an incident in India in which a cyber fraud operation “specialised in IMEI cloning.”
  • And an incident in Canada in which someone was scammed out of C$1,000, even though the phone had a valid IMEI.

IMEICheck.net even tells you (at a high level) how to clone an IMEI. It’s not easy, but it’s not impossible.

“In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.

“The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning.”

So don’t claim an IMEI is unique when there is evidence to the contrary. As I said in my April post:

“NOTHING provides 100.00000% security. Not even an IMEI number.”
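As an added illustration (an editor’s example, not code from this post or from any vendor quoted above): the 15th digit of an IMEI is a Luhn mod-10 check digit, so a device registry can tell a malformed IMEI from a well-formed one, but a well-formed IMEI says nothing about whether a second device reports the same number. The script below validates format and then reports duplicates across a registry; the device IDs and IMEIs in `SAMPLE_REGISTRY` are constructed for the example.

```python
from collections import defaultdict


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: starting from the rightmost digit, double every
    second digit, subtract 9 from any result above 9, and require the sum
    to be a multiple of 10."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(body14: str) -> str:
    """Return the 15th digit that makes a 14-digit IMEI body Luhn-valid."""
    if len(body14) != 14 or not body14.isdigit():
        raise ValueError("IMEI body must be 14 digits")
    for d in "0123456789":
        if luhn_valid(body14 + d):
            return d
    raise AssertionError("exactly one digit always satisfies Luhn")


def imei_well_formed(imei: str) -> bool:
    """Format check only: 15 digits with a correct Luhn check digit."""
    return len(imei) == 15 and luhn_valid(imei)


# Constructed device registry: (device_id, IMEI). dev-A and dev-B report the
# same well-formed IMEI; dev-D has a wrong check digit.
SAMPLE_REGISTRY = [
    ("dev-A", "352099001761481"),
    ("dev-B", "352099001761481"),
    ("dev-C", "860123456789014"),
    ("dev-D", "352099001761480"),
]


def find_duplicate_imeis(records):
    """Map each IMEI that appears on more than one device to those devices."""
    by_imei = defaultdict(list)
    for device_id, imei in records:
        by_imei[imei].append(device_id)
    return {imei: ids for imei, ids in by_imei.items() if len(ids) > 1}


def audit_registry(records):
    """Return malformed entries and duplicated IMEIs separately: passing the
    format check is not evidence of uniqueness."""
    malformed = [dev for dev, imei in records if not imei_well_formed(imei)]
    return {"malformed": malformed, "duplicates": find_duplicate_imeis(records)}


if __name__ == "__main__":
    print(audit_registry(SAMPLE_REGISTRY))
```

Run against the constructed registry, the audit flags dev-D as malformed and reports dev-A and dev-B as sharing one perfectly well-formed IMEI, which is exactly the situation the Canadian scam above describes: the check digit was fine, and the number still wasn’t unique.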

What does this mean for your identity product?

If you offer an identity product, educate your prospects and avoid unsupportable claims. While a few prospects may be swayed by “100%” claims, the smarter ones will appreciate more supportable statements, such as “Our facial recognition algorithm demonstrated a 0.0022 false non-match rate in the mugshot:mugshot NIST FRTE 1:1 laboratory testing.”

When you are truthful in educating your prospects, they will (apologies in advance for using this overused word) trust you and become more inclined to buy from you.

If you need help in creating content (blog posts, case studies, white papers, proposals, and many more), work with Bredemarket to create the customer-focused content you need. Book a free meeting with me.

Is “Autonomous SOC” Real?

On the long-standing debate on the mix between automation and manual operations, here’s what the Cyber Security Hub says:

100+ AI security startups claim they can replace Tier 1 and Tier 2 SOC analysts with 24/7 LLMs. They promise AI can triage, detect, and respond—no humans needed.

But here’s the reality:

  • AI tools hallucinate and miss context
  • Custom attacks slip by without human insight
  • Escalations stall when no one’s validating alerts…

…This isn’t about rejecting AI. It’s about using it wisely—and never cutting people out of the loop.

More here: https://www.linkedin.com/pulse/ai-cant-run-your-soc-heres-guide-proves-the-cyber-security-hub-awa9e

Is the Cyber Security Hub correct? 

Are there truly over 100 firms who promise a completely automated cybersecurity solution?

More importantly, can 100% “autonomous SOC” be circumvented by a determined opponent?

A Jewelry-related Third-Party Breach: What Could Go Wrong?

Check this article from cyberdaily.au regarding a reported third-party breach. This one is from Danish jewelry brand Pandora.

“The company said that impacted data includes names, birthdates and email addresses, but that financial information, government identifiers and passwords were not accessed by the threat actors.”

So who was the third party? BleepingComputer has that part of the story:

“While Pandora has not shared the name of the third-party platform, BleepingComputer has learned that the data was stolen from the company’s Salesforce database.”

Not that it’s necessarily Salesforce’s fault. Access could have been granted by a Pandora employee as part of a social engineering attack.

All Salesforce users should read “Protect Your Salesforce Environment from Social Engineering Threats.”

It’s not just a technical issue, but also a business process issue.

Or a user education issue.

Bredemarket can help firms educate their users. Talk to me.

PoisonSeed and FIDO Update

Update to my July 21 post “PoisonSeed: Cross-Device Authentication Shouldn’t Allow Authentication on a Fraudster’s Device.” FIDO’s cross-device authentication is NOT inherently insecure.

From Chris Burt at Biometric Update:

“A reported passkey vulnerability has been walked back, and FIDO is recommended as the fix to the vulnerability of “phishable” MFA wreaking havoc on corporate networks around the world.

“The PoisonSeed attack reported by security company Expel earlier this month does not give access to protected assets, if the FIDO Cross-Device Authentication flow is properly implemented.”

Proper implementation and configuration is essential.

PoisonSeed: Cross-Device Authentication Shouldn’t Allow Authentication on a Fraudster’s Device

(Important July 30 update here.)

(Imagen 4)

The FIDO Alliance is one of the chief proponents of the “death of passwords” movement, and is working on delivering secure authentication. But even the most secure authentication method is not 100% secure. Nothing is.

Authentication is a complex undertaking, and the ability to authenticate on a new device is a special challenge. But the FIDO Alliance has addressed this:

“Cross device authentication allows a user to sign in with their device using a QR code. 

“FIDO Cross-Device Authentication (CDA) allows a passkey from one device to be used to sign in on another device. For example, your phone can be linked to your laptop, allowing you to use a passkey from your phone to sign into a service on your laptop.

“CDA is powered by the FIDO Client-to-Authenticator Protocol (CTAP) using “hybrid” transport. CTAP is implemented by authenticators and client platforms, not Relying Parties.”

What could go wrong? Well, according to Expel, plenty:

“After entering their username and password on the phishing site, the user was presented with a QR code…. 

“What happened behind the scenes is the phishing site automatically sent the stolen username and password to the legitimate login portal of the organization, along with a request to utilize the cross-device sign-in feature of FIDO keys. The login portal then displayed a QR code….

“In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in. The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.

“This process—while seemingly complicated—effectively neutralizes any protections that a FIDO key grants, and gives the attackers access to the compromised user’s account, including access to any applications, sensitive documents, and tools such access provides.”

Presumably the FIDO Alliance will address this soon.
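To make the difference between the flow Expel describes above and the “properly implemented” flow in the July 30 update concrete, here is an added, deliberately simplified model (an editor’s example, not code from the FIDO Alliance, Expel, or this blog). It assumes, as an abstraction of CTAP hybrid transport, that the QR code carries a per-session secret and that the client which rendered the QR must also be heard over a short-range radio advertisement tied to that secret before the phone proceeds; the session names, the `heard_adverts` list and the HMAC construction are the editor’s stand-ins, not the specification’s wire format.

```python
import hashlib
import hmac
import secrets


def make_qr(session_id: str) -> dict:
    """The client that starts cross-device sign-in renders a QR carrying the
    session id and a fresh secret. Anyone who sees the QR image, including a
    phishing page that relays it, learns both values."""
    return {"session_id": session_id, "qr_secret": secrets.token_bytes(16)}


def proximity_advert(qr: dict) -> bytes:
    """Short-range advertisement the QR-rendering client broadcasts, bound to
    the QR secret (HMAC is the editor's stand-in for the real construction).
    The authenticator only ever hears devices physically near it."""
    return hmac.new(qr["qr_secret"], qr["session_id"].encode(), hashlib.sha256).digest()


def authenticator_accepts(qr: dict, heard_adverts: list, require_proximity: bool) -> bool:
    """Phone-side decision after scanning the QR code."""
    if not require_proximity:
        # QR alone is enough: a relayed QR is indistinguishable from a local one.
        return True
    expected = proximity_advert(qr)
    return any(hmac.compare_digest(expected, heard) for heard in heard_adverts)


def legitimate_flow(require_proximity: bool = True) -> bool:
    """User's laptop renders the QR; the user's phone is next to it."""
    laptop_qr = make_qr("sess-laptop")
    heard = [proximity_advert(laptop_qr)]
    return authenticator_accepts(laptop_qr, heard, require_proximity)


def relayed_flow(require_proximity: bool = True) -> bool:
    """The flow Expel describes: a machine elsewhere starts cross-device
    sign-in with the real portal and relays the QR image to the user through
    the phishing page. The user's phone hears no advertisement from that
    machine because it is not nearby."""
    remote_qr = make_qr("sess-remote")
    heard = []
    return authenticator_accepts(remote_qr, heard, require_proximity)


if __name__ == "__main__":
    print("legitimate, proximity enforced:", legitimate_flow(True))
    print("relayed QR, proximity enforced:", relayed_flow(True))
    print("relayed QR, proximity skipped: ", relayed_flow(False))
```

With the proximity step skipped, the relayed QR is accepted, which is the outcome in Expel’s write-up; with it enforced, the same relay fails because the phone never hears the machine that actually rendered the code. That is the sense in which the update’s “properly implemented” matters: the QR code is not the whole control.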

Tracking 2025 Changes to U.S. Border Security Policy

Among the available downloads for the Institute for Defense and Government Advancement’s (IDGA’s) upcoming Border Technology Summit is one entitled “Tracking 2025 Changes to U.S. Border Security Policy.”

“In conjunction with a new administration in the White House, operations on U.S. borders have shifted drastically in 2025. Figures from Customs & Border Patrol (CBP) show apprehensions at U.S. borders are higher than they were at this time a year ago, and a recent travel ban has restricted entrance into the U.S. for citizens from 12 countries.

“In its first six months, the Trump administration has moved quickly to mitigate what the White House is calling an “invasion” taking place on the southern border. On Inauguration Day, January 20th, the new administration moved quickly to sign a handful of new policies directed towards American borders. This report will highlight how executive orders, CBP mission areas, and DoD actions on the southern border have established a new normal for American border security. The first section will look at the instructions explicitly laid out in the executive orders signed by President Trump.

“If you are interested in learning more about the future of border security, register for IDGA’s Border Technology Summit taking place September 23-24 in San Diego, California. The two-day summit provides a forum to explore the latest advancements in border security technology. This year, we are focusing on engaging our audience with high-level discussions surrounding advancements in biometrics, non-intrusive inspection, smart walls, current and future operations of border security, and much more.”

This download and others are available via this page: https://www.idga.org/events-border-tech-summit/downloads

About ISO 27001

I’ve previously discussed SOC 2 and its governance in the Bredemarket blog, and I encountered SOC 2 again in a Wednesday webinar from Drata and Armanino, “Ask an Auditor: SOC 2 & ISO 27001 Tips, Tricks, and Pitfalls to Avoid.”

From Drata.

Armanino is the auditor, while Drata is an automation platform that assists companies in measuring conformance to SOC 2, ISO/IEC 27001, and other standards.

The webinar was in the form of an Ask Me Anything session, so naturally a comparison of SOC 2 and ISO/IEC 27001 came up.

As I previously mentioned, the SOC suite was developed by the Association of International Certified Professional Accountants. ISO standards are published by the International Organization for Standardization.

And ISO/IEC 27001 provides an actual certification, unlike SOC 2, which is an attestation (or iBeta PAD testing, which indicates conformance).

So what is ISO/IEC 27001?

Let’s ask ISO:

“ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.

“The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system….

“ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.”

For additional information, see Drata’s page.

TPRM: When the Board Gets Involved

As promised, I am going to continue to write about third-party risk management (TPRM).

And as the abstract for a September 9 Gartner roundtable points out, TPRM isn’t just the concern of the Chief Information Security Officer (CISO) any more…

“Third-party networks are expanding, with startups and business model innovators increasingly joining them. The increasing high risk in these networks is prompting boards and senior leaders to enhance and better focus their oversight of TPRM programs.”

Yes…the Board. (Of Directors.)

Now the CISO is sweating bullets.

Wanna Know a “Why” Secret About Bredemarket’s TPRM Content?

(The picture is only from Imagen 3. I’ve been using it since January, as you will see.)

Here’s a “why” question: why does Bredemarket write the things it writes about?

Several reasons:

  • To promote Bredemarket’s services so that you meet with me and buy them.
  • To educate about Bredemarket’s target industries of identity/biometrics, technology, and Inland Empire business.
  • To dive into specific topics that interest me, such as deepfakes, HiveLLM, identity assurance levels, IMEI uniqueness, and Leonardo Garcia Venegas (the guy with the REAL ID that was real).
  • Because I feel like it.

And then there are really specific reasons such as this one.

In late January I first wrote about third-party risk management (TPRM) and have continued to do so since.

Why?

TPRM firm 1

Because at that time, a TPRM firm had a need for content marketing and product marketing services, and Bredemarket started consulting for the firm.

I was very busy for 2 1/2 months, and the firm was happy with my work. And I got to dive into TPRM issues in great detail:

  • The incredibly large number of third parties that a vendor deals with…possibly numbering into the hundreds. If hundreds of third parties have YOUR data, and just ONE of those third parties is breached, bad things can happen.
  • The delicate balance between automated and manual work. News flash: if you look at my prior employers, you will see that I’ve dealt with this issue for over 30 years.
  • Organizational process maturity. News flash: I used to work for Motorola.
  • All the NIST standards related to TPRM, including NIST’s discussion of FARM (Frame, Assess, Respond, and Monitor). News flash: I’ve known NIST standards for many years.
  • Other relevant standards such as SOC 2. News flash: identity verification firms deal with SOC 2 also.
  • Fourth-party, fifth-party, and other risks. News flash: anyone that was around when AIDS emerged already knows about nth-party risk.

But for internal reasons that I can’t disclose (NDA, you know), the firm had to end my contract.

Never mind, I thought. I had amassed an incredible 75 days of TPRM experience—or about the same time that it takes for a BAD TPRM vendor to complete an assessment. 

But how could I use this?

TPRM firm 2

Why not put my vast experience to use with another TPRM firm? (Honoring the first firm’s NDA, of course.)

So I applied for a product marketing position with another TPRM firm, highlighting my TPRM consulting experience.

The company decided to move forward with other candidates.

The firm had another product marketing opening, so I applied again.

The company decided to move forward with other candidates.

Even if this company had a third position, I couldn’t apply for it because of its “maximum 2 applications in 60 days” rule.

TPRM firm 3

Luckily for me, another TPRM firm had a product marketing opening. TPRM is active; the identity/biometrics industry isn’t hiring this many product marketers.

  • So I applied on Monday, June 2 and received an email confirmation:
  • And received a detailed email on Tuesday, June 3 outlining the firm’s hiring process.
  • And received a third email on Wednesday, June 4:

“Thank you for your application for the Senior Product Marketing Manager position at REDACTED. We really appreciate your interest in joining our company and we want to thank you for the time and energy you invested in your application to us.

“We received a large number of applications, and after carefully reviewing all of them, unfortunately, we have to inform you that this time we won’t be able to invite you to the next round of our hiring process.

“Due to the high number of applications, we are unfortunately not able to provide individual feedback to your application at this early stage of the process.

“Again, we really appreciated your application and we would welcome you to apply to REDACTED in the future. Be sure to keep up to date with future roles at REDACTED by following us on LinkedIn and our other social channels. 

“We wish you all the best in your job search.”

Unfortunately, I apparently did not have “impressive credentials.” Oh well.

TPRM firm 4?

What now?

If nothing else, I will continue to write about TPRM and the issues I listed above.

Well, if any TPRM firm wants to contract with Bredemarket, schedule a meeting: https://bredemarket.com/cpa/

And if any TPRM firm wants to use my technology experience and hire me as a full-time product marketer, contact my personal LinkedIn account: https://www.linkedin.com/in/jbredehoft

I’m motivated to help your firm succeed, and make your competitors regret passing on me.

Sadly, despite my delusions of grandeur and expositor syndrome (to be addressed in a future Bredemarket blog post), I don’t think any TPRM CMOs are quaking in their boots and fearfully crying, “We missed out on Bredehoft, and now he’s going to work for the enemy and crush us!”

But I could be wrong.