Identity Protection is the New Security Concern

What if hackers didn’t need to know a lot about technology and leverage system vulnerabilities to get where they wanted to go? It’s a reality we’re starting to see. Criminals don’t need to break in if they can get your credentials and just log in. Identity is becoming a weapon in cybercrime. And that means identity protection is more crucial than ever.

See Identity is the New Security Perimeter with Jeff Reich for a complete transcript of the Easy Prey podcast episode.

Jeff Reich is the Executive Director of the Identity Defined Security Alliance (IDSA), a nonprofit focused on two different components of identity protection – identity security and raising awareness about the importance of it. Before that, he did a variety of things. He got his degree in physics and astrophysics and taught at a planetarium for a while before moving to law enforcement. He was good at it, but his fellow officers kept asking why he was there if he had a degree. Eventually, he became convinced that doing something that didn’t involve getting shot at was a good idea. He went back to school, and eventually ended up in Texas, where he’s been for the past five decades.

His career included starting security programs at ARCO (a petroleum company now owned by Marathon), Dell, a financial services company, and several hosting companies. For a few years, he was the director of a cloud security-focused research center at the University of Texas San Antonio. He’s been with the IDSA for about three years, and appreciates no longer having to be on call. There was a point with one job that his non-techie wife could diagnose firewall problems as well as he could because she’d overheard so many 2 a.m. conversations.

Incidents and Identity Protection

Jeff has a lot of stories about scams, frauds, and security incidents. And a lot of them come down to situational awareness. Situational awareness is just what it sounds like – being aware of the truth of a situation and acting accordingly. If you’ve ever seen a Jason Bourne movie, whenever he goes into a new place the first thing he looks for is exit points. That’s situational awareness. Jeff isn’t Jason Bourne, so the things he needs to be aware of are a little different, but the concept is similar.

In the past month, you’ve probably gotten a text that seems interesting, sincere, or just vague, and it turned out to be a scam. It happens with phone calls, too. Being aware that this is a scam tactic can help you avoid a potentially terrible situation.

If you’re receiving something from someone you don’t know, assume it’s hostile. – Jeff Reich

Strange Signals from the Servers

Not long after starting one role at a hosting company, Jeff noticed clusters of servers in the network center would go to red status, be red for about ten minutes, then turn back to green, then another cluster would do the same thing. He asked the network technicians if they were doing maintenance. They said it happened to the servers all the time, but the customers didn’t really complain.

Jeff went to the CFO and asked about the size discrepancy between the bandwidth the company was paying for and the bandwidth they were selling. The CFO said he was just thinking about that and couldn’t figure out where all their bandwidth was going. It ended up being a five-month incident where the hackers were not only stealing bandwidth, but taking over customer websites. Even a complete wipe and gold disc image reboot didn’t help, which meant their gold disc backup was compromised too. At the time, perimeter security was relatively new, and Jeff decided to beef up the perimeter first to see if they could get through. It became a cat-and-mouse game of protecting sites and trying to keep them out.

Jeff later found out that the hackers were reaching out to customers and pretending to be from the hosting company. That’s how they got in. Sometimes they were mean and berated the customers if they wouldn’t comply, and customers got upset about the terrible customer service. But Jeff and the team at the company had no idea about any of this until one customer contacted them. That’s one key to avoiding these threats. Always use a channel you know works. Wherever you think a contact is from, don’t reply – validate it using known contact information. Validate every message you get.

A Fraudulent Invoice Incident

In another situation, Jeff was doing some consulting. The company wanted him to recommend a cybersecurity framework. When he arrived, there had been a miscommunication, and the CIO didn’t know he was coming. So when he walked in, the CIO asked if he was there about the incident. Jeff hadn’t heard about the incident, but asked his contact at the company. Since the CIO had already said something, he explained. One of the company’s customers paid a $2 million invoice, but the money didn’t go to the company. They found out when they sent the invoice to the customer, and the customer called and said they already paid.

The CEO wanted to fire the entire IT team about it. But what had happened was business email compromise. The criminal had created a domain with one character that looked similar, figured out what the company’s invoices looked like, and was able to send a legit-looking email with fraudulent payment instructions. The CEO wanted tech to prevent this, but there isn’t any. Jeff recommended sending all customers the company’s payment info, with a notice that any time they see something different, it’s a scam, they shouldn’t pay and should call the company. If someone pays anyway, that’s on them.
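As an added illustration (not from the episode or from IDSA), the party receiving such an email can compare the sender's domain against the vendor domains it already has on file and flag near-misses before anyone acts on new payment instructions. The domains, the confusables table and the function names are assumptions made for this example.

```python
# Added example: flag sender domains that are near-misses of a vendor domain on file.
# Every domain and address here is constructed for illustration.
from email.utils import parseaddr

TRUSTED = ("examplesupply.com",)  # assumption: vendor domains taken from records on file
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))


def sender_domain(from_header):
    """Take the domain from the address itself, ignoring the display name."""
    return parseaddr(from_header)[1].rpartition("@")[2]


def to_unicode(domain):
    """Lowercase, drop a trailing dot, and decode punycode (xn--) labels if present."""
    domain = domain.strip().lower().rstrip(".")
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA: compare as-is


def skeleton(domain):
    """Collapse common visual substitutions so 'examp1e' and 'example' compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, swap of adjacent characters."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(sender, trusted, max_distance=1):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    cand = to_unicode(sender)
    for good in trusted:
        if cand == good:
            return "trusted", good
    for good in trusted:
        if skeleton(cand) == skeleton(good) or edit_distance(cand, good) <= max_distance:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    for header in (
        "Accounts Receivable <billing@examplesupply.com>",
        "Accounts Receivable <billing@examp1esupply.com>",
        "Accounts Receivable <billing@exarnplesupply.com>",
        "Accounts Receivable <billing@exmaplesupply.com>",
    ):
        print(header, "->", classify(sender_domain(header), TRUSTED))
```

A "lookalike" verdict is a reason to call the vendor on the number already on file, not a replacement for that call.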

Spoofing is easy – even spoofing someone’s voice on the phone, with AI. If you get a call from your brother that he’s in jail and needs bail money, the first thing you should do is call your brother. If you get an email from a company advising of new information for paying invoices, call the company. Verify and validate in a way you know, every time.

How Identity and Identity Protection Has Changed

The concept of identity is pretty much the same now as it has always been, with a few new components. The biggest change is that everything happens much faster and identity protection has to account for that. If you go back to the 1950s, most people had a social security number. So you have your carbon-based physical identity and this number, which is not supposed to be used for identification but often is. For a long time, the military printed your social security number on your equipment.

A portion of your identity may or may not be related to your carbon-based self. Most people have a bank account, which is a number. You may have an account at a store. If you went to school, you got some sort of identifier. Going back a hundred years, it looks a little different, but it’s not as simple as everyone likes to think. Now we have more components, and also additional tools to manage those components.

IDSA recently had their Identity Management Day, and the theme for 2025 was “existential identity.” Your identity may be based on the carbon-based identity you see in the mirror, but you also have an identity at work, through your personal email, your Meta account, your Google account, any shopping accounts, any streaming accounts – anything you do online ends up as part of your identity. Jeff has twelve email addresses to separate parts of his identity. One, for example, he uses only for financial transactions. You can keep some parts of your identity separate for better protection.

So what’s changed over the years? Identity theft occurred in the 1950s and even earlier, but started ramping up in the 1980s. Driver’s licenses and other forms of ID were easier to duplicate back then. And these licenses and numbers are part of your identity. These days, there are more components to your identity, but fundamentally not much has changed. It’s just much faster now and criminals can do identity crimes in bulk.

Identity theft and protecting identity is not a new concept, but … the playing field has completely changed and everything is faster. – Jeff Reich

Identity Protection and Compromise

If you’re in a situation where someone is using your identity and claiming to be you, how you want to respond and protect your identity depends on the situation. If they’re claiming to be you to your bank or to the IRS, it might be worth considering an attorney. But if it’s a browsing website, you can probably manage it yourself. It’s a spectrum.

When someone tries to impersonate you, there are two victims – you and the organization they’re impersonating you to. If the organization was concerned about security, they should have given you a process with a failsafe. There are a lot of different failsafe methods, from a PIN to a pre-determined phone number to call. And many aren’t expensive. If there’s not that failsafe, consider telling the organization that it’s time to play King Solomon – determine criteria, decide which of you is real, and apply that to every customer. That’s why you sometimes need an attorney. The words have more force when said by someone with “Esquire” at the end of their name.

In the end, you have to put the onus on the organization that was willing to accept the bogus credentials. The first thing you should do is freeze all activity. You don’t want the account to be able to do anything until the matter is settled. A good organization will do that. One that doesn’t deserves to lose you as a customer. Additionally, most scammers aren’t going to ask the bank to freeze accounts until it’s resolved. Once a scammer realizes it’s going to take time and effort, they’re probably going to give up and move on. Unless, of course, you’re a high-net-worth person – in which case you should hire someone specifically to protect your assets.

The Future of Identity

Identity protection is making huge advances. Future identity protection is going to use AI. It’s relatively easy to impersonate someone using AI, so we should be able to use it as a relatively easy way of confirming identity. Some tools already exist. The challenge is getting enough big organizations to make the investment. Jeff has known people who have more token generators on their keychains than actual keys. Going to apps changes the security profile. There are advantages and risks to both. Going down to just one way to get tokens concentrates the risk.

If there’s going to be an identity protection app that blows up in the next five years, it’s going to be an aggregator. It will be something that takes every key you have, registers it, and confirms your identity. Rather than consolidating everything, it just aggregates it. The app that can duplicate every YubiKey or other options is going to be big in the identity space in the next five years.

A neutral authenticator app would also be a big hit in the next five years. Microsoft and Google both have good ones, but if you don’t trust Google, why would you trust their app? An independent organization with no big tech alliances or association with a big company would probably see some popularity.

DNA-Based Identity

This advancement is probably at least a decade out, but Jeff thinks it’s possible we’ll see DNA-based identity in the future. The DNA info from 23andMe is about to be sold. Whether or not that’s wrong, consider the ramifications of who’s going to buy it and what they’re going to do with it. Without a scenario involving CRISPR and a time machine, you can’t change your DNA. With that information being sold, do you want to take that risk or do you want to delete your data off the app before it’s sold? Nobody was thinking about this risk when they wanted to find out their ancestry, but we need to consider it.

This data could go into a DNA registry that could be used for identification and identity protection. We already put our fingers on readers for fingerprint ID. It could easily be modified for a DNA reader and it wouldn’t need to do a full analysis, just a quick match. We have the technical capability. A better question is can we duplicate it in a way that we can read in three dimensions. That’s how face ID works now, too. The reason you have to look different directions when you do the initialization is because it doesn’t just want to take a photo, it wants a three-dimensional image.

The Future of Identity Threats

A big change to identity protection and threats is time. You may not know an attack happened until long after because they’re no longer attacking you directly. They don’t have to. Hackers aren’t breaking in anymore. They’re stealing credentials and logging in. That’s what’s going to happen to most companies that have compromises. You won’t know what happened until you see the effects, and that may be a while.

Hackers are no longer breaking into companies. They’re logging in. – Jeff Reich

We’re going to see a lot more of these attempts. For identity protection, people need situational awareness. Know what you should be confirming and what not to trust. You don’t need to be tough enough to defeat the hacker, you need to be just tough enough that they decide you’re too much work and they should look for an easier target.

Validate everything. Assume any contact you get is fraudulent until proven otherwise. Clean up wherever you can by deleting accounts and data you don’t use. Consider dividing the things you do into different classifications of security and acting appropriately. Do what you can to not work with organizations that don’t protect your data. Jeff once left a doctor’s office because of this. Jeff would argue that things like health data need to be protected more than your accounts. You can get a new account with a different number if you need to. You can’t change your medical history or your DNA.

Reach Jeff Reich through the Identity Defined Security Alliance at www.idsalliance.org. You can also email him at [email protected] or find him on LinkedIn. There are also a lot of free resources on the IDSA website, and you can also consider membership at different levels in IDSA.

About Your Host

Chris Parker

Chris Parker is the founder of WhatIsMyIPAddress.com, a tech-friendly website attracting a remarkable 6,000,000 visitors a month. In 2000, Chris created WhatIsMyIPAddress.com as a solution to finding his employer’s office IP address. Today, WhatIsMyIPAddress.com is among the top 3,000 websites in the U.S.
