Sometimes it feels like every new technology we adopt comes with a new risk we didn’t see coming. From AI and data breaches to phishing scams and ransomware, it's clear we live in a time when cybersecurity isn’t just a tech issue, it’s a human issue.
In this episode, I talk with Jeff Reich, Executive Director of the Identity Defined Security Alliance. Jeff has been in the cybersecurity world since the early days, with decades of experience helping organizations protect what matters most. His passion for identity security and risk management runs deep, and he brings a thoughtful perspective on how the industry has changed and what we need to do to keep up.
We explore why identity is the real perimeter in today’s digital world, how businesses and individuals can be proactive rather than reactive, and what it really takes to build a security-first mindset. Jeff also shares why communication is just as important as tech when it comes to staying secure. Whether you're a cybersecurity professional or just someone trying to stay safe online, this conversation will leave you thinking differently about the role identity plays in your digital life.
“You can have the best technology in the world, but if your people aren't trained and engaged, you're still vulnerable.” - Jeff Reich
Show Notes:
- [00:54] Jeff Reich is the Executive Director of the Identity Defined Security Alliance, a nonprofit focused on raising the level of awareness of identity and identity security.
- [01:52] Jeff began studying physics and astrophysics in school. He even taught in a planetarium. He also went into law enforcement.
- [03:10] He went into security and was planning on working at EDS, but he ended up at ARCO. He then moved to Dell computers and a financial services company. He started the security program at Rackspace and was also a research director at the University of Texas, San Antonio.
- [03:49] He is now enjoying the nonprofit space.
- [04:43] Not becoming a victim of a scam comes down to situational awareness. If you're receiving something from someone you don't know, assume it's hostile.
- [06:33] Jeff tells the story about when he was working at a hosting company, and he noticed clusters of servers turning from green to red and then back to green.
- [07:42] It turned out scammers were taking over customers' websites. It ended up being ransomware.
- [16:03] Be very aware of fake invoices and spoofed emails and scam phone calls.
- [20:18] They recently held Identity Management Day 2025. They had a lot of presentations on what existential identity might mean to a certain individual or corporation.
- [21:57] People can protect themselves by using different email accounts.
- [24:34] Tips on protecting yourself when someone is impersonating you.
- [27:21] The future of identity should have big advances going forward that will involve AI.
- [31:40] Improved authenticator apps and DNA-based identity are in our futures.
- [36:22] Hackers are stealing credentials and logging into companies, not breaking in.
- [39:01] Our identity needs to be protected more than an account number.
- [40:01] Clean house and get separate accounts for important things like banking.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Jeff Reich – Identity Defined Security Alliance
- Identity Defined Security Alliance
- Jeff Reich – LinkedIn
Transcript:
Jeff, thank you so much for coming on the podcast today.
Well, Chris, thank you very much for having me. It’s great to be here.
I’m glad to have you here. Can you give myself and the audience a little bit of background about who you are and what you do?
My name’s Jeff Reich, and I am the Executive Director of the Identity Defined Security Alliance. We’re a nonprofit focused on raising the level of awareness of identity and identity security, and they are two different components, which I’m guessing we might talk about a bit today and how they intermingle.
The nonprofit’s been around for about six years. I’ve been here a little over two years. Prior to that, I did a number of things, but I’m guessing we’re going to get into it. This is what I do, and we just recently completed our annual Identity Management Day, which is a 21-hour event around the world.
Nice. We’ll talk a little bit more about what that is and what it’ll be like next year. What is your background with security and identity?
I took what I consider a very direct route to get here, and I haven’t found anyone that agrees with that assessment yet because I started in school with physics and astrophysics. I actually taught in a planetarium, and now you know someone that has.
Nice. I think I may actually know someone else who has. I know two.
It’s a rarity. There aren’t many people that would’ve done that. Then I made the logical leap into law enforcement.
Now, I had worked with campus police and campus security through school, so it wasn’t that much of a relief to get involved with the municipal department. Did some of that, and was convinced that the right thing to do for me with my degree and background was to go do something that didn’t involve catching bullets. I was effective enough at that, but they said, “You have your degree. Why are you doing this?”
So I went back to school—and this was in Massachusetts—with the intent of getting down somewhere between Texas and Arizona. I ended up in Texas and have been there ever since the 70s.
I was to start the security program at EDS, but they delayed it once they hired me, so I went to ARCO. If anyone’s on the West Coast, they know what the ARCO brand is. Everyone else is wondering what I’m talking about; it’s a petroleum company. Actually, the brand is now owned by Marathon, but it’s strictly West Coast. So I started the security program there, and was there for about 14 years.
As ARCO broke up, left to start a security program at Dell Computers. Went from there to starting a security program at a financial services company—if you haven’t picked up a theme on starting security programs yet. Then after that, started a security program at Rackspace, a few other hosting companies.
For a few years, I was a director of a research center at UTSA (University of Texas, San Antonio) focused on cloud security. I’ve been in the nonprofit space for about three years, and I like it if for no other reason, I’m not on call.
And anyone who’s been in it long enough or any technology long enough had to take 2:00 AM phone calls.
On that note real quickly, there was a point with one company I worked with where my wife could help diagnose firewall problems as well as I could—she knows nothing about technology—only because she heard so many conversations that had to be repeated at 2:00 AM.
I’m the same way with my wife’s job. I sometimes feel that if I needed to join her team, I could get up and run faster than anybody else.
One of the things I do want to ask you, and definitely because you’ve been involved in security for decades here, really want to de-stigmatize becoming a victim of either a scam, a fraud, or a cybersecurity incident. Do you have a story that you’d be willing to tell about that?
I have a bunch of stories that could fall into that. I’m going to intermingle a couple of different stories in with, “and here’s how you could stop that from happening to you.” It really boils down to situational awareness.
If anyone listening has spent time in the military, they know what that term means. Others do as well. But a lot of people don’t necessarily know what situational awareness means. It simply means you need to be aware of your situation—hence the name—and act accordingly.
If you’ve ever seen one of the Jason Bourne movies, you notice when he goes into a diner or a restaurant or anything else. The first thing he does is scan and look for every exit point. That’s actually situational awareness. Now, I may [inaudible] too, but I do the same thing. I’m not Jason Bourne. I’m not trying to draw any personalities. I look more like George Clooney anyway.
But starting with situational awareness, I have had, and I’m going to bet that within the past month, everyone watching this has received a text message that looks either interesting or sincere only to find out it wasn’t who they thought it was. And now, it’s actually come down to phone calls as well, unfortunately. If you’re receiving something from someone you don’t know, assume it’s hostile.
Let’s talk about a couple of situations. There was one where I worked at a hosting company—we don’t need to reveal the name—it wasn’t long, like within a couple of days of me starting, I noticed in the network operations center that there were clusters of servers just turning from green to red. And then after 10 minutes, back to green. And then there’d be another cluster.
I asked, because I was brand new, and I said, “Are you doing maintenance?” Because they were hosting over a million websites, so a lot of servers. I said, “Are you doing maintenance on these based on time zone, whatever?” And the answer was, “No, that happens all the time.”
Yes, your look is exactly pretty much the look I gave them. They said, “But the customers really don’t complain about it.” So thank you very much for that information. I think I know a lot more now than I did before I started here.
I went to the CFO. This is back when bandwidth was still a big cost issue for data centers and hosters. It’s not that it’s nothing now, but it was much bigger then. I said, “What’s the size of a discrepancy between what you’re paying for bandwidth and what you’re selling?” He said, “Funny you should mention that because I’m looking at this now and I can’t figure out where all this bandwidth is going.” I said, “I think I know where we can start looking.”
Now that started what ended up being a five-month event, a five-month incident, where they were not only stealing bandwidth but they were taking over customers’ websites. Even when we did a complete wipe and gold disc image reboot, within 10 minutes, they were back.
Ooh, that’s scary.
Yeah, which means the gold disc was compromised as well. Now we’re looking at a million websites. Are we going to be able to manage some maintenance on all of them and be able to protect it?
We decided then, at the time, perimeter security was still relatively new, that we had to just beef up our perimeter first and see if they could get through that. We eventually succeeded in doing that, but in the interim, what would happen is we would play cat and mouse. I know this isn’t an individual scam, but I want to get to those.
We would play cat and mouse where we’d protect one website and they’d attempt to get back in. I let the customer service area know that the person leading it, we’re going to be getting a phone call in the next day or two, probably, saying that they feel they control some of their websites, or it’s going to be something to this effect. “It’s not a scam. Forward it to me when you get it.”
Of course, that happened the next day. I had daily conversations with someone named David in an eastern European country. Big surprise, they claim to be a security management company. They said, “We’re aware of the problem that you have”—of course you are because you caused it—“and for a fee, we can take care of this.”
This was what would now be considered ransomware. I don’t want to call myself the father of ransomware, but I may have been involved with the first large-scale implementation of it. What happened is they were reaching out to a lot of our customers, and now I’m getting to how to identify scams as if they were representing us. Our customers assumed it was us reaching out to them. They were offensive at times.
So they started posting on a BBS—this is pre-Reddit—on how terrible we were because not only was the service bad and we were going down. Now we were essentially berating them. We were blind to this until a customer actually got a hold of us.
That’s where the key is. Use the channel that you know that works. Whenever you get a request—“Hey, blah-blah-blah, bank account or blah-blah-blah, money blah-blah-blah. You won a prize”—whatever it is, and whoever you think it’s from, stop from where you are and go find that organization. Whether it’s a bank or whatever it is, call that number or use that email address. Don’t reply to the one that came in. Don’t reply to the text that came in and validate. There’s rule number one: validate whatever you’re getting is valid. If not, it’s spam. You have to block it off as that.
I get those every day. I’m at the point now that unless I know you, you text me or call me, you can leave a voicemail and text is going to die. I’m going to reject it. I actually recommend everyone do the same, which may sound antisocial, but it is going to be, I think, in the long run, the only way people can get in front of this.
I had another case, a business email compromise. Spoiler alert: I gave away the ending of it. I was on a consulting gig, and the organization wanted me to come in and recommend a cybersecurity framework. Actually on the first call, I said, “There is something called the cybersecurity framework. You might want to just give that a try and then call me.” But they said, “No, no, no. We want you to come do a recommendation.” Fine. I’ll go in and recommend the cybersecurity framework. I’m fine if you want to pay me to do it.
I got there and the CIO, who didn’t know I was coming for some reason, the people that got me in said, “Oh, so you’re here for the incident?” I said, “Yes, I am.” Then I went to the contact, “So what is this incident?” “Well, who told you?” “Your boss.” “OK. We probably need to close the loop here.” He goes, “Well, I wasn’t going to really bring you in on that, but let’s talk about what it was.”
The quick to the close to the end on that, they found out one of their customers paid a $2 million invoice, but it didn’t go to them. The reason they found out is they sent the invoice to the customer who then immediately called and said, “I already paid this invoice. Why are you sending it to me again? In fact, I have confirmation. I have the transaction ID right here that it was accepted.”
They looked at it and without getting a lot of details, they really didn’t know what it all meant. They didn’t recognize that it was a SWIFT transaction, which means it left the country. Of course, it went to PRC. The CEO wanted to fire the entire IT team. When I asked him…
They didn’t do anything wrong. It wasn’t an IT issue.
Yes, but it took me a few days to convince him of that. What happened was it was a business email compromise where they created a domain that was one character different, that looked very similar. They got a hold of what their invoices looked like. The invoices were sent from individual accounts, so they just spoofed a ‘reply to’ as a different one for the email. They were able to send what looked like a legitimate email, but the difference was, “Please forward payment to,” and they put an account number in.
They were scammed, and they really didn’t even know it. When I had a discussion, he said, “What technology can I buy to prevent this?” I said, “None.” To your point, there’s nothing IT could have done technologically to prevent this from happening.
Here’s another case of being situationally aware. The recommendation I gave was, and I said, “You’re going to be disappointed in this. Contact each one of your customers and say, ‘Here is our payment information. Anytime you see any change from us on this, don’t pay it and call our number directly. Assume it’s a scam.’”
He said, “Well, what if someone pays it anyway?” “Well first of all, it’s on them, not you, because you’ve already told them not to do this.” Then he said, “So how do I get my $2 million back?” I said, “Gone. It was never yours, technically.” He said, “Well, what do I do with my customer?” I said, “Well that’s completely up to you. You can either eat the $2 million and keep the goodwill, or tell them it’s already been paid, thank you, and they’re never going to do business with you again. That’s completely up to you.”
It’s not very different from an individual scam. I’m not subject to this, but I actually read one this past week where there was an AI-generated voice, which is easy to do. It wasn’t the grandparent. It was, I think, a brother who said he had made a bad life decision, was in a jail cell, this was his only call, and this was what it’s going to take to pay the attorney to get him out. Not to the jail, not to the city, to the attorney.
Of course, they had an account set up that they said was “do we cheat them and how” or whatever the law firm was going to be.
“Do we cheat them and how,” yes.
And said, “Just transfer the money to this account.” Everyone’s subject to your next phone call. Maybe that, because you can spoof a phone number too. You give me your phone number, I can call as if I was your phone number. Once again, easy to do for people that want to do it.
So situational awareness is always what is the first thing you should do if you get that call? Call your brother. You say, “I don’t know what you’re talking about. I’m here at a bar.”
I haven’t been arrested yet.
I have a number of consultants that work for me, and I got an email from one of my contractors saying, “Hey, I’ve changed my bank account number. Please send future payments to the new bank account number.” I was like, “OK, well this one came in via email. It looks like the right email. Let me call her and confirm. “Hey, I got an email from you asking to change the bank account number that I pay you. Is that correct? Did you authorize that?” “Yes, that was me.” “OK, cool.”
Good. See, that’s the right thing. You’re situationally aware that here’s a challenge coming in that I can’t say I really know is true. Validate it in a way that you know. Now what we’re getting into, and I think if we shift to identity in particular, how do you know that that was the individual you were talking to? Have you ever met her?
No. I’ve never met her in person.
OK. How did you validate that it was her?
Oh, for the phone call?
Yes.
It was the assumption that it was very unlikely that both the email and the phone were compromised.
OK. Was her email indeed compromised?
No. Her email was not compromised. It was legitimate. Well, I guess in theory, it was a legitimate email from her saying, “Yes, I did change my bank account.”
Oh, of course yeah, because it was a good request. But you did all the right things, and even if it was a slight annoyance to her in the long run, she’s going to be happy you called.
Yes, and she’s very well aware of the content that I produce, and to some extent was expecting the phone call.
Yeah, because you did not want to turn to easy prey.
Yup.
OK. I’ll send you the bill for that.
I appreciate that, but I won’t trust that it actually came from you until we talk on the phone.
Exactly. Here’s my account number.
Is our concept of identity now what it has historically been, or have we always had a good semblance of what identity really is?
I think our identity is the same it’s always been. There are a couple of new components, certainly, and everything that happens with it happens faster. If you go back to the 50s or 60s, most people in the US had, at a minimum, a Social Security number.
There is your carbon-based entity that you have, and now you have a Social Security number, which is not to be used for identification, but always is. It is diminishing. It’s less than it used to be.
When I was in college, my college ID, the number that the college used and printed on your college ID card was the Social Security number.
And for a long time, the military printed your Social Security number on your equipment.
Oh, gee.
Yeah. It was out there. It was used for identity. There’s a portion of identity that may or may not relate to your carbon-based identity. Most people have a bank account. There’s a number. You may even have an account at a store that you trade in. If you go to school, you have some sort of identifier, even if you go back 60 years. Now going back 100 years, different. But even in that situation, your identity wasn’t as simple as everyone would like to think it was back then.
Now, we have some additional components, but we also have additional tools that we can use to manage those components. I mentioned that recently we had our Identity Management Day. The theme for Identity Management Day 2025 is existential identity, which should make you think, which is the reason we had that, and we had a lot of presentations on what existential identity might mean to a certain individual or corporation.
Your identity, even though it’s still based on the carbon-based unit that you look at in the mirror every day, it’s also your ID at work. It’s your ID you use for your personal email. It’s your Meta account, it’s your Google account that you have. Amazon, Temu, and everything else where you may be shopping, anything you do online, every single Hulu, every streaming, each one of those has an account.
Now they all may look the same, which I would recommend you not do when they say it must be your email address. There are times you should be able to say, “I don’t want to use my email address.” Or if you do, it’s easy to get multiple email addresses. For the record, I’m down to 12.
That’s it?
Yes. Oh, I had a lot more before, but it can be a challenge to manage. I have an email address that I use for financial transactions I never use for anything else. If it ever shows up on anything, I can call a financial institution and say, “Why did this information get out? Why am I getting this?” And then change it. But I’m probably more paranoid than most. I should be. That’s my job.
I think people can help protect themselves now with all the new, different facets of identity by using that to their advantage, such as using an email account for financial transactions and never using it for shopping online. Never use it for browsing. Now what’s different? Because the question was what’s changed over the years.
Identity theft occurred in the 50s and 60s, and certainly in the 70s. Then it really started ramping up. My point was identity theft was occurring where someone can get a Social Security number. Driver’s licenses, another form of identity, were easy to duplicate back. In fact, my first driver’s license was a piece of paper without a picture.
Oh, wow.
I’m old, and I think I still have it. But even then, you get enough of those that could be duplicated by a fraudster, and they become you. Add credit card number information as time goes on. Even though there’s more of it, it really hasn’t changed, but it happens much faster now. People can do it in bulk.
That’s where your defenses need to be. Identity theft and protecting identity is not a new concept, but you need to be aware that the playing field has completely changed and everything is faster.
We talked a little bit about this before we started recording. What is the solution or the pathway where I’ve created an account with some set of identity credentials, someone else has them, now come in and claim to be me, and present different credentials? How do we determine whose credentials are legitimate?
Was I the fake person who set it up, or was I a real person who set it up? Was the person who’s calling in and trying to claim that they got locked out of the account and are submitting extra documents to get back in, if they’re submitting documents that the company didn’t already have on file—how do you then deal with the disparity in documents between two people claiming to be the individual?
My answer is going to depend on what environment it is. If it’s a bank, consider getting an attorney. If it’s an online browsing site, I would say that’s something you can probably manage yourself. There’s a different scale. There’s a spectrum there of what the problem is.
But if someone’s trying to impersonate you, your challenge should be to whoever is receiving it, because there are now two victims, by the way. There’s you and that organization that you’ve been dealing with. If the organization was concerned about security, they would’ve said, “Here’s your identity. Should anything ever break, this is our fail-safe to get in, whether it’s a passcode or a PIN or a predetermined phone number that they’re going to call.” There are a lot of different mechanisms to do that; it doesn't have to be expensive.
Assuming that wasn’t in place, I would then consider saying to the organization, “It’s time to play King Solomon now. You have to decide which one of us is real, determine what criteria you’re going to use, and then apply that across every customer you have.”
That’s why sometimes you need an attorney because sometimes the same words have a lot more oomph if “esquire” is at the end of the […] that says it. But I think it really boils down to putting the onus on the organization that’s willing to accept the bogus credentials.
The first thing you do is what I recommend is, say, “Freeze all activity. I don’t want to be able to do anything. Freeze my accounts, whatever money is in there. Freeze everything until we get this settled.” A good organization will do that. An organization that doesn’t do that deserves to lose you as a customer.
Using the Solomon scenario, most scammers are not going to go to the bank and say, “Yeah, freeze the account while we sort this out.” Just like the mom who’s like, “Let’s not chop up the baby,” the scammer will not be the one who’s going to offer that statement.
And the bear analogy comes in as well. Two friends are walking in the woods and all of a sudden there’s a bear. The same thing. Once the scammer realizes this is going to take more time and effort, they’ll drop it. Unless you’re really a high net worth, targeted individual, in which case you should hire someone like us to help protect your assets.
And don’t keep them all in one place.
Exactly.
We’ve talked a little bit about the past and the present of identity. Where do you see the future of identity going?
I see the future of identity making some big, big advances going forward, and it’s going to involve AI. There. I don’t think we mentioned it yet in the podcast. How far into it? That’s a record.
Yeah, like 27 minutes in, and we hadn’t used the magic phrase yet.
And the reason I think it’s going to involve AI is since it’s become relatively easy to impersonate someone using AI, we should turn that around and say, “Let’s use AI to have a relatively easy way of confirming identity.”
Some of those tools exist. Now, I’m not going to get into product names or anything else. Some tools exist now. The challenge is going to be to get enough receiving organizations, whether it’s an online shopping site or a bank, to be willing to say, “Yes, I’m going to make that investment and really get into AI.” Because a lot of organizations still think AI is new, but it’s getting dusty. I’m not saying it’s going to go away, but it’s not new anymore.
Isn’t that one of the challenges, getting traction on the methodology, in the sense of like VHS and Betamax, is that once everybody’s using the same technology, then it’s easier for everybody? But if I’ve got 15 different tokens that I have on my keychain, one for every different entity, as opposed to an authenticator app.
I’ve known people that have more token generators on their key chain than they actually do keys. Then magically, “OK, we got authenticator apps and it all goes down to just the phone and that’s a different security risk.”
Yes, it is. It’s an advantage and a risk, but I see nothing wrong other than the logistics of it with having multiple keys, because the key to the situation isn’t how do we get down to one because now you’re concentrating your risk. That may not be such a great idea […] means I have multiple ones. But rather find a way to consolidate or aggregate how you can use that to validate in one way, and have the different tokens generated out to the different organizations that need it.
If there is going to be an app that really makes it, that really blows up identity in the next five years, it’s going to be an aggregator that says, “I can take every single key you have. Let’s plug it in, register it, there’s a confirmation of identity and everything happens before. Now, every time you’re going to go to this site, instead of having to have your key, I can generate the same for you.”
RSA actually was the first to premier this. They were one of the first tokens, and the way it works is every 60 seconds the six digits change. Then they said, “We don’t need to have hardware,” which was a great high-margin device for them, but they went to software tokens, and eliminated the need for hardware. Or you could keep the hardware, but always use the software tokens.
The app that can do that for, whether it’s using OAuth or I can duplicate every YubiKey, whatever it’s going to be, I think that’s going to be a killer app in the identity space in five years. That’s going to make that easier, I think.
You have authenticator apps as well, and it’s going to be a neutral one that’s going to work there. Nothing against Microsoft or Google, but it’s going to have to be an authenticator app that says, “I’m an authenticator app. I don’t sell anything else.”
Because if you don’t trust Google, why would you trust their authenticator app in a sense? But beyond that, an independent organization doesn’t have alliances and whatnot.
Exactly. Microsoft and Google actually do a fine job with their authenticator apps, but this one I’m talking about was going to have to be not associated with one, as much as they would love to do it, and they’re going to come up with a version of it, and that’s good.
The second thing I think that’s going to come up is—and go ahead and laugh at this; it’s going to take 10 years before this happens—I think we’re going to have DNA-based identity.
Ten years ago I probably would’ve laughed at you, but I’m not laughing now.
I’m not up to the chip in the head yet. I’m not going to predict when that’s going to happen, but here’s something else everyone listening to this can consider. If you use 23andMe, your DNA information is about to be sold. I’m not saying it’s evil, and I’m not saying it’s wrong, but it is going to happen. You have to consider the ramifications of who’s going to buy that and what are they going to do with it because you can’t change your DNA.
You’re going to have to get back to CRISPR. You’re going to need that in a CRISPR app and then you’re going to have to go back in time, so you need a time machine and a CRISPR app. Do that, and you’re in good shape. But beyond that, you can’t change your DNA.
With that information being sold, you have to consider, is that a risk you’re willing to take or do you want to confirm that it’s deleted off the app before it’s sold? Once again, nothing against 23andMe, but this is a fact and they won’t admit it. They’re saying, “Trust us. We’re going to go to a worthwhile/good source.” We’ll see.
And that’s the risk with that type of stuff. No one was thinking about that when they wanted to find out their ancestry.
Exactly, because it was a good concept, good way for them to make money. Everyone’s intentions were noble with it, but it didn’t work out that way yet. It may still be good, but I believe there’s going to be a way to have a DNA registry, and I think that’s going to be used.
I can put my index finger on a fingerprint reader, and that could be obviously modified and replaced with a DNA reader, and it doesn’t take long to match. You don’t have to do a full analysis. You’re not going to find out people’s ancestors. You just want to say, “Does this match what I have on record?”
I wonder if it’s too easy to get somebody’s DNA.
Well, it all boils down to ones and zeros when you’re done with it. Technically, you should be able to do this. You can duplicate someone’s fingerprint because it all boils down to the minutiae. But the question is, can you duplicate it in a way that can be read in 3D, and that’s what readers can do right now.
The same with your face. Facial recognition, the reason you have to look left and right and up and down when you do a facial recognition initialization is they don’t want to be able to just take a picture. They want to say, “Turn your head. Is this contour the same? Are your ears the same size when you turn different ways?”
And that’s the thing. When you’re doing the facial, it’s not just a camera. There is three dimensional information there that it’s looking at. You’re not just holding up a piece of paper that looks like someone. There actually needs to be three dimensions of that person.
And the dimensions need to be consistent. You can’t just put a mask on. Although there have been cases where a mask can fool some facial identity, because you’re not doing a good enough job of really analyzing all the different angles that occur.
I remember working in a data center in the 80s that was dealing with classified information, and there was voice recognition in there. It didn’t work real well. You go in, you have a phrase, you have to say it, and it usually takes three attempts before you can get in. With one exception. There was someone I worked with who had a profound stutter, never failed.
Interesting. You would think that would be the person that would be more complicated to work with.
Oh, yeah. I’m not sure what happens in the brain with a stutter or not, but he always got in on the first try.
Good for them.
The rest of us were thinking too much about it.
Very interesting. What do you see as the future of adversarial against identity? You’re trying to steal identity.
Big time and you won’t know about it until the after effects, because there’s no longer an attack on you. They don’t have to. In fact, here’s something I’ll say for corporations. Hackers are no longer breaking into companies. They’re logging in. They’re stealing credentials and logging in.
That’s what’s going to happen to most people who have compromises, and they won’t know what happened until they see the effect of whatever the perpetrator did. And it may be a while before they do it, so if you see something happen today, don’t assume, “Oh, where did I go yesterday?” It probably wasn’t yesterday that it happened.
I think you’re going to see more of those attempts, but I think if people keep their situational awareness and they know, “What should I be confirming and what should I not trust,” which is more and more, I think you’re going to be able to keep yourself in a better situation. And don’t worry about outrunning the bear.
Just got to be faster than you.
Well, let the other guy that isn’t doing this become the victim, not that I’m assuming someone should. I’m not endorsing having someone be a victim, but don’t let it be you.
It’s the premise of the podcast. Don’t make yourself an easy target. If there are things that you could do to make yourself more difficult, in many cases, they’ll just go on to somebody else.
Exactly. I saved you some money. I didn’t use that. I didn’t say the name a second time, but that’s exactly it. It ties back to how you prevent yourself from becoming a victim or becoming easy prey. Validate what it is you need to be doing. And is it true? Assume it isn’t.
Then at some point, if you call twice and they say, “Hey, it’s true. It’s still us. Here’s how you could tell.” Good. You’ve made progress with them. You’re annoying them less now because they took good steps. So a lot of what you need to do is influence the organization you deal with.
Make decisions. Work with companies that are embracing new technology for identity protection and security.
Absolutely, and help convince the others that they should get there too.
The reason why I’m not working with your organization anymore is because you don’t provide XYZ.
I actually left the doctor’s office because of it. I could tell that they weren’t protecting my data. I said, “I would like all my records, please. Or you can shred them. That’s your option, and I’m leaving.”
And did they do it?
They gave me the records. Of course they still had copies. I get that. But I wasn’t just trying to make a point, even though I think I did make a point. That’s my information, and I can’t change my health history. There’s something else I can’t change. That needs to be tech prepared more than my account number. Fine, I don’t care if my account number is compromised. Give me a new one. But you can’t give me a new diagnosis, or I like to think you’re not going to.
So as we wrap up here, any parting practical advice for consumers?
I think I’ll sum up with, without question, situational awareness. If you have an account somewhere that you’re not using, make sure it can be deleted and get it deleted. I said I’m down to 12 email accounts. Clean up your act wherever you can. Simple housekeeping.
These are the recommendations I’m going to leave with. Be aware of where you are and consider coming up with different classifications, even if it’s two or three that said, “Here’s the accounts I use for stuff that’s really important or expensive to me, here’s the things I use for everyday life, and here’s the things I use when I browse something and I don’t care what happens.” Those are my three categories. Consider that three accounts.
Those are three good categories to have. Jeff, if people want to find you online, where can they connect with you?
I’m available through contact at Identity Defined Security Alliance, or idsalliance.org. My email is [email protected]. You can also find me on LinkedIn with my name. I speak at different conferences.
We invite people to consider looking into membership at IDSA. This is not necessarily a sales pitch. We have different levels and we can talk about what that might or might not be. Most of what we do is given away for free, so please take a look at our website and see what you want to harvest for free.
I love it. Jeff, thank you so much for coming on the podcast today.
Chris, it was a pleasure being here. Thank you for inviting me.