Some people are willing to hand over their identities for cash, while organized fraudsters are lining up to buy them. What used to be a matter of stolen credit cards has turned into a global marketplace where personal details fuel large-scale fraud. Now with AI, automation, and deepfakes making impersonation easier than ever, it’s becoming much more difficult to protect identities.
To understand how we got here and what can be done, I spoke with Ofer Friedman, Chief Business Development Officer at AU10TIX. Ofer has spent more than 15 years in the identity verification and compliance world, working with companies like PayPal, Google, Uber, and Saxo Bank. He’s seen the evolution from basic ID checks to today’s sophisticated fraud-as-a-service platforms, where attackers can buy stolen data cheaply, sometimes for just a few dozen dollars, and use it to launch real-time, undetectable attacks.
Ofer explains why traditional approaches like uploading a photo of your ID are no longer enough, and why privacy, in practice, is already gone. He walks through the “minefield strategy” of fraud prevention, where businesses must layer multiple defenses like device, network, and behavioral indicators. We also talk about the rise of digital IDs, the coming challenge of quantum computing, and why regulators and service providers, not consumers, are now the ones who must shoulder the responsibility of protecting identities.
“Fraud-as-a-service is already here. You just pick who you want to be, upload an image, and the software runs the attack for you.” - Ofer Friedman Share on XShow Notes:
- [01:00] Ofer explains his role in forecasting fraud trends and designing solutions, drawing from years in identity verification and compliance.
- [03:32] The conversation turns to people selling their identities, with fraudsters buying because impersonation is easier than ever.
- [05:18] Ofer describes how sales happen in encrypted channels like Telegram or Discord, often targeting desperate individuals.
- [07:07] He calls these sellers “identity mules,” noting they only receive a few dozen dollars per transaction.
- [08:20] With billions of stolen data points in circulation, there’s more identity data than people, making personal data cheap and plentiful.
- [09:00] Regulations require minimal information, often just basic ID details and a selfie, which makes fraud easier to attempt.
- [11:00] Deepfakes and injection attacks undermine even live ID checks, giving rise to fraud-as-a-service platforms that automate attacks.
- [13:00] New age verification laws in the US and UK highlight the growing tension between privacy and regulation.
- [15:53] Ofer outlines the “minefield strategy,” where layered defenses (ID, device, network, behavior) are needed since no single tool is sufficient.
- [18:46] The discussion shifts to how fraud is global, not just American, and why digital IDs may offer better protection though not without flaws.
- [21:45] Fraud is evolving quickly with automation, enabling fraudsters to launch massive, randomized attacks.
- [29:03] Ofer explains the three lines of defense: live checks, collateral risk factors, and behavioral monitoring.
- [31:40] He stresses that privacy is effectively dead, as the balance between privacy and security always favors security.
- [34:47] Consumer education won’t stop fraud—technology and companies must take the lead in identity protection.
- [39:14] Identity verification and cybersecurity are merging into one process that scrutinizes users everywhere online.
- [45:34] The rise of agentic AI could reduce friction in transactions, but desensitization means people accept more scrutiny over time.
- [47:24] Ofer argues regulations need to evolve, calling for service providers to be rated and held to higher standards.
- [50:36] He reflects that we’re moving into a new era where deepfakes and impersonation will affect not just finances but media, politics, and trust itself.
- [52:05] Ofer closes with advice on evaluating identity verification vendors, emphasizing layered defenses and transparency.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- AU10TIX
- Ofer Friedman – LinkedIn
Transcript:
Ofer, thank you so much for coming on the podcast today.
Happy to.
Can you give myself and the audience a little bit of background about who you are and what you do?
I am, I think, 17 years in the business of technology for the purpose of automating identity verification in a company which actually introduced it to the market many years ago—something like 25 years ago—the technology that does exactly that in airport security and border control, which reflects on how we approach solutions.
I’m responsible for doing everything that no one else wants to do, like understanding where the market is going, understanding how decisions are made, and understanding how fraudsters are doing and why. Basically, trying to foresee in order to provide solutions that solves problems that have not been in existence before but also those going to be.
It’s your job to see beyond the horizon.
I’m an oracle, yes.
How did you get into the industry?
Previously, I’m coming originally from the advertising and marketing domains, and have been doing it quite a lot abroad in Europe. I started to see that happening. Obviously, the big bang in identity verification as a domain was when FinTech came to be, when it came to be digitally globally at a scale no one has ever seen.
Actually, I’m old enough to have seen the world where the way to identify who you are is to just give me physically an ID and stand in front of me. The situation where I don’t know even if I am talking to someone real right now—you look too good for your age—
Thank you. I appreciate that.
—so anything can happen. It’s an exciting ride because I suppose there are other domains that change that fast, but I’m feeling like living in history in the making.
The world of identity. When you contacted me, I was really surprised because we’re going to talk about people actually selling their identities. It would never have even occurred to me as an individual that I would want to sell my identity. Let’s talk about what in the world is happening and why it’s happening, and then we’ll go into what to do about it.
There are people selling because there are people buying, and there are people buying because right now, the ability to commit fraud, which requires impersonation, is so easy and the tools are making it so industrial, then why not? But the question is: Who wants to sell one’s identity? Because when you are selling it, you’re not an innocent bystander. You are getting money for giving your details to someone else. No normal person with the right mind would do that.
Who wants to sell one’s identity? Because when you are selling it, you’re not an innocent bystander. You are getting money for giving your details to someone else. No normal person with the right mind would do that. -Ofer Friedman Share on XBy definition, it’s a very specific use case. A little bit like another topic I was discussing in such interviews, like impersonating CEOs. It’s very juicy, but most CEOs are not facing impersonation at the level of stealing millions from banks.
Here too, let’s say a specific branch of professional organized crime. Obviously, most people do not do that. In order to happen, it has to happen in channels that many people are not present. It usually would be the encoded, encrypted channels, like the Telegrams or the Discords of the world where people feel relatively safe. For someone to actually wanting to sell it, they have to be feeling safe enough that if someone uses it, they’re not there, and perhaps desperate enough.
Having researched a little bit based on the same news, etc., the assumption is that those who are buying it are actually professionals in an organized manner, actually also advertising for it, and they’re taking advantage of people who usually have some kind of financial problem. I’ve seen quotes. I’ve never been there. I haven’t bought or sold an identity, but the analysis that I’m seeing is that it would be students, unemployed people.
There is even speculation about revenge, like you have revenge porn, revenge selling of PII—personally identifiable data—which is not necessarily even yours. If it works, then you continue, because the basic assumption must be that you are not detectable. In order to be not detectable, you’ll do it in places you assume, let’s say, out of the radar.
So many questions here. How much are the willing participants—let’s call them that; I was going to call them victims, but they’re probably willing participant victims—getting paid for their identity?
How much they’re being paid—usually, what I’ve seen was figures which are a couple of dozens of dollars. If it’s done on a regular basis or a recurrent basis, maybe more, maybe it doubles, but no one becomes a millionaire from just… Share on XFirst of all, I think that perhaps a good definition of them will be willing identity mules. They are mules. How much they’re being paid—usually, what I’ve seen was figures which are a couple of dozens of dollars. If it’s done on a regular basis or a recurrent basis, maybe more, maybe it doubles, but no one becomes a millionaire from just selling some personal data.
The reason is simple. I have checked using LLMs and all those engines in order to make it faster and perhaps encompass more information. How many bits of personal information are out there stolen? The answer I found, the estimation, is 10 billion. OK, question two. How many people are there on this planet? And the answer is about eight-and-a-half billion. There’s more data available than people, which means that someone is very popular and probably appears in multiple resources.
How many bits of personal information are out there stolen? The answer I found, the estimation, is 10 billion. -Ofer Friedman Share on XThe whole idea of selling identities for those obviously who don’t want to maybe expose themselves in the dark net, usually buy it. Or those who are not technologically savvy to simply steal it en masse from profiles.
Let’s say that the usage of personal data for the purpose of identifying people is one of the weakest ways of establishing who you are, and now more than ever because of generative AI and all the rest of the tools.
What information are they selling about themselves? Is it just a photocopy of their ID, their passport? How much information are these people giving up?
You don’t actually need that much. Regulations that dictate identity verification, usually for criminal purposes, are very thin. All I need to have is the basic data that exists on your ID. That data probably exists in your profile, probably exists in a thousand other places, but the usage of the ID and alongside it for a good couple of years with your selfie at least tries to make it live and to add additional indicators for the risk behind it.
Six, eight years ago, you could simply upload it. You have enough time, like a whole year, to design your own ID and decide what data is in it. Now it is much simpler to get and the problem now is not getting the data, by the way. It’s the magnitude or the ability en masse to implement that data into realistic attacks, and those attacks can be real time.
Until now, the idea was we cannot call you into the office, so we’ll do it remote. We don’t want to have you upload the image because you can buy it, design it, do it yourself, whatever you want. We want these to be live. ID and face, sometimes also POA documents to go alongside it, but that’s not the usual case.
Now, when deepfake and injection came into play, even that starts to lose credibility. I’m actually playing with it. I have videos of myself where I changed my face into Putin’s—not into Putin; it was before the Ukraine thing—and injected myself into a conversation behind the camera, and all of it with freeware. I didn’t even pay anything for it.
Now, it’s even worse because now you can do all of that live, responding to someone asking you to do something. We are already seeing, let’s say, Fraud as a Service platform—I’m not sure if you’ve seen one—where basically if you are lazy, that’s the best way to do fraud.
You have a menu where it says, “I want to attack that particular company.” Then all you need to do is decide who you want to be, get whatever image, and that software will perform the attack for you, which means the live presentation of IDs, the face, and the liveness detection, all of it will comply with what that particular website wants.
Oh, that’s scary.
Are you not the one who wrote the article that’s saying privacy is dead?
I don’t know that I necessarily wrote the article to say privacy is dead, but I would agree with a theory that it’s pretty much impossible to have privacy.
It is dead. It doesn’t make sense. You read the news like me, and you can see what’s happening with, let’s say, age verification that just came into play. Even to watch porn or to go into a social, you can’t escape it eventually.
There is a law coming out; I don’t remember what state it is. I think it’s one of the southern states in the United States that either went into effect or is coming into effect the next couple of days, that any website that allows someone to create an account and interact with other users, if it’s not a video game, e-commerce, news, or sports—who’s lobbying—that you have to affirmatively know that the individual is over 13 years old.
Which is tricky.
So you have to collect, not just the user has to self attest, “Hey, I’m over 13,” but you as the entity have to confirm through approvable mechanism that they’re over 18 or that they have permission from their parent. If not, you can’t let the person create an account.
And if you watch what’s now happening in the UK, you understand exactly what is the counter movement against it. Everyone leaving the regulated ones and going to the unregulated ones, or making VPN providers rich.
But the fact of the matter is that eventually—by the way, for good reasons but always the road to hell—you don’t have privacy any way you look at it, but you are now going to be aware of more and more instances where it’s happening, and the impact of it will be the good, old psychological desensitization. You won’t mind it any longer.
I have yet to use a service that requires me to hold up my ID on camera.
Well, there are.
I know there are. I have yet to sign up for a service that requires anything like that yet. If we think data breaches are bad now, wait till you have data breaches when you have to provide even more authentication mechanisms.
People unknowingly will provide it, because if the identity document interface and conversation like this can be faked, you must have additional indicators.
Actually, the paradigm is switching from a couple of items you need to present to what I call the minefield strategy, which means you are going to sandwich into the process multiple indicators with the hope that yes, some of them may be compromised or may be detected or circumvented, but some of them will give you an indication.
Everyone in the business knows that you must have the idea in the face because that’s what law says. But there is a device, and there is a network, and there is a location. Eventually, you as a user will not be noticing all of it. It’ll be obviously happening behind the curtain, but basically everything you use will be held against you.
I think of so many mechanisms for if you are an Israeli bank, if a user is trying to access an Israeli bank account online from, I don’t know, South America. Well, that’s definitely going to be a red flag. “OK, we need extra verification here to make sure this person is the person who’s trying to get into the account.”
You don’t have to look like coming from South America in order to apply as a South American, but it’s happening all the time. By the way, it’s happening all over the place. You’d be surprised how sophisticated professional fraudsters are, even from places you wouldn’t expect it.
I’m not talking even about, let’s say, state- or government-led operations that also do that. It’s not just criminals, outlaws. So we are all compromised. Then wait a couple of years and IoTs will be out there a little bit more and more, and IoT is yours. If it’s yours, it identifies you. Not only will we know—not we; whoever wants to—we know where you are at any given point in time; when’s the last time you put your socks in the washing machine.
Hopefully, I’m not putting my socks in the dishwasher.
You can. The action will be similar.
It’s amazing. We’ve gone from rudimentary identity theft and whatnot, synthetic identities, now people selling real identities. Initially, it’s like—I’m in the US, so I’m going to view things from a US-centric point of view—why would anyone in the US want to sell their identity that’s going to make their life absolutely miserable? They’re never going to be able to X, Y, or Z.
It may not necessarily be someone in the US, or they’ve got pressure points, but if you look at how many billions of people are not active internet users or living in third-world countries, there are billions of people, billions of identities, associated with that that aren’t necessarily at risk to the same sort of things that if I’m a US citizen and I’m giving up my identity, there are different risks associated with that.
Actually, the US is trying to do something about it, which is the slow transition towards digital IDs, those you are putting in a wallet, and already states accepting it. The TSA allows you to fly with those, and presumably is going to make you safer. Because what you will transmit to whoever is not your identity, but specific details which, in order to release them, there has to be quite sophisticated encryption in place.
The assumption is that once you are digitally safe in that identity wallet, no one can pretend to be you. Unfortunately, by the time that exists, there are already indications that these can be circumvented. -Ofer Friedman Share on XThe assumption is that once you are digitally safe in that identity wallet, no one can pretend to be you. Unfortunately, by the time that exists, there are already indications that these can be circumvented.
If I were a fraudster, I may consider switching from trying to open an account with your details to simply be you when you already have an account, and call the bank or whatever I want to do. I can do that because your basic details I already have. I can use deepfake and I can use injection and I’m you.
Let’s say that we started the conversation discussing people selling IDs. More and more very quickly it’ll become a very marginal use case, because why do you need to do all of it? The information is out there anyway. It’s, let’s say, more important to focus on the tools that will allow you to do it as massively or in multiple times in a way you are not caught with sophisticated AI engines to do that. We already see them.
By the way, some work I’m doing on the next generation of frauds, maybe we’ll save it for next time, because it is happening in fast forward. I cannot recall, at least in my lifetime, technologies changing the world at that pace. We are talking about things that don’t happen years apart but weeks and months, and spreading.
And people are exploiting the technology as fast as it’s being developed.
Yes. It’s becoming faster on that level because it’s not about the deepfake, it’s not about the injection, it’s about the ability that exists today to automate it with randomization. It’s like you are shooting a gun one shot at a time, let’s say, previously. Now you can put it in automatic with a magazine of personal data, faces you want to use, and the list of targets. Press the right button and it’s all happening for you, because now you can introduce randomization into it.
And all of that makes it harder to detect and harder to notice.
Well, I think the whole idea of identity fraud, and especially identity fraud prevention and detection, will have to change as fast as those tools. Things we didn’t even hear about two-to-three years ago are now already on the table. It’s a fast forward arms race, and right now the best way to try to get around it is, as I said, the minefield. There’s no magical detection tool that will keep you safe for long. Doesn’t happen anymore.
There’s no magical detection tool that will keep you safe for long. Doesn’t happen anymore. -Ofer Friedman Share on XSelling identities probably makes sense to certain people or certain scenarios, but the big problem, the big rock is not there, because how many people actually want to sell identities and how much money are they going to get out of it? Not that much anyway.
This is a little bit of my ignorance. If it’s someone in the US selling their identity, it’s clear to me what the consequences for them might be. It’s difficulty opening future bank accounts because now there’s a history.
Assumedly, if someone is opening a bank account with a fake identity, they’re going to do bad things with that bank account, and that gets associated with the seller of the identity, or their credit gets destroyed, their ability to rent, buy things. All those things happen. But for someone who’s outside the United States or living in a third-world country, is there much negative consequence for them?
Try to think not like an American now, but—
And that’s where I’m asking for you to help me because I’m an American. I’m going to think from that perspective.
That’s OK. Look, in our world, or at least the domain we are seeing, yes, lots of them are American, but not necessarily. Global players in FinTech, crypto exchanges, managed transfer companies, etc., gaming, and all of these, the online domain is not American. The online domain is global. That’s why the stakes are higher. The opportunities are higher.
But if you now, let’s say, want to do some fraud at an American bank, for instance, would it make sense to buy the details of someone from far off in another place on the globe? Not really, because all of these are risk indicators. You would want to be looking like an American doing that.
By the way, there are enough people in the US who want to be looking like someone else in the US because of where they’re coming from. And right now, anyone who reads a little bit, you understand that beyond identity verification, there is the risk element that is part of a KYC process. You want to look as American as you can in order to do that.
But I assume there are enough people who (a) don’t understand the risks, (b) assume what are the chances of anything happening? Because even if there is fraud, it’s not that you just open an account and in two hours you are robbing the bank. You are usually starting to mature it so no one sees the repercussions that quickly. It can even take years, I don’t know. It depends on what’s happening.
There must be some enough feeling of immunity for you. I can assume that a lot of people will say, “OK, if now the FBI is knocking on my door, I can say I have no idea it happened. They were not using my phone. The location is not my house. Someone stole my ID.”
Now, companies making money in the US are insuring you against it. You may sell your ID and open an insurance. At least you’ll make some extra money out of it. But there must be denial in the process.
What red flags businesses that need to utilize identity should be starting to think towards? Clearly, “Hey, send me a photocopy of your driver’s license or your passport” isn’t a sufficient mechanism to prove identity going forward.
We’re talking now not about identity verification but about risk. It goes beyond the actual identity, what I look like, or what my name is. We talked about the minefield strategy that is required right now, and at least two things are being done.
Regulations mandate that the process is done live and liveness is being checked. For someone to pull that through, they must find it that way with, let’s say, the defects and all digest to do it in a convincing way, which already deletes from the playing field images who don’t have the knowledge, don’t have the tools, don’t want to take the risk, etc. But there are enough other people who want to do that.
Now, let’s assume you have done that and you know how to run a live session with either a fake ID or a deep fake ID or whatever in whatever phase. Then comes the second line of defense, which is the collateral risk elements. I think I mentioned the device, the location, the network, so things you are not being asked to furnish but can pretty easily be obtained along the process and used as a whole array of risk indicators.
Then comes the third line of defense, which is largely behavioral. Behavioral means that if I’m a fraudster and I just paid you whatever for your identity details, even your face photo, I am not an amateur. I’m buying and selling identities. I would try probably not to use it once. I want to make the most out of the assets I just invested in.
That means that everything which is monitoring, and there is, let’s say, a branch in fraud prevention, which is the monitoring element of it, which enables, especially in the US—it’s quite prevalent—to see what actions have you been doing along the time with different companies, and to try to see patterns that make it suspicious.
As you noticed, by the way, we slowly started gliding from identity verification, knowing who you are, in the direction of cyber. It’s not what I look like or what my name is. It’s much more than that. This is required in order to make the process as safe as possible, but this is exactly the cause why your privacy is dead, because there will always be that fight between privacy and security or safety or whatever. Privacy will lose.
We’re not all going to disappear from existence. If we want to exist, you can’t be entirely private.
But look at the bright side of it. Deepfake, injection, and all those tools are available to anyone. You can be three different Chris Parkers, or whatever you want to look like or be because you can. You just need to be sophisticated enough.
We understand we are not talking about every man’s fakery or forgery or whatever. This requires skills and tools. But the downside of it is that, as I said, the automation thereof is accelerating in places unseen before.
There’s definitely progress being made on the business side for companies that are looking for identity verification, authentication and whatnot. Is there anything out there that is aiding consumers?
To me, I look at this and I say you’re talking about looking at how an identity is being utilized. That means more entities have to share what’s happening about me in order for them to detect whether it’s really me or somebody pretending to be me, which means there’s more risk to me as the individual. As the consumer, the more either intentional or unintentional sharing and verification of my identity happens.
You invited from me one of my favorite quotes. Actually, it exists as a wallpaper on the Internet. It’s a quote from Agent Smith from Matrix, and I actually have it. He says, “Never let a man do a machine’s work.” You see those action figures?
Yeah.
I’m looking for Agent Smith. He was so right. I’m seeing those advice about how to avoid someone stealing your identity or how not to respond to whatever solicitations. Really, do you expect to do that? Do you think it’s working? Does it make sense?
It’s like expecting you, for instance, to stop viruses from attacking your computer. I’ll take the antivirus you have and leave you with the mission of doing that. We do understand that it’s not a human being’s job any longer, especially as this fraud is challenging your senses.
My expectation would be not to educate people on what to do because they will be able to do less and less and less, but to enforce more and more protections on those who are supposed to give those people access, services, etc.… Share on XMy expectation would be not to educate people on what to do because they will be able to do less and less and less, but to enforce more and more protections on those who are supposed to give those people access, services, etc. It’s sophisticated technology. Who’s buying an antivirus? Usually expect your access provider to do it for you because they are updated. They have the best ones.
Same here. It is virtually futile to have people educated on how to detect deep fraud because someone would have six figures—I still have five—or I don’t know, missing ears or whatever, because you don’t see that anymore. Your sense of the expectation to have people do something about it is not realistic.
In the way that there are companies providing identity infrastructure for businesses, do you foresee companies rising to provide identity protection services? I’m not talking about the traditional credit monitoring or things like that, but ways to use technology to protect your identity.
We are talking about the usage of technology, but let’s do this. We’re now focusing—
But most of these are focused for companies that are selling services to other companies. They’re not selling services to individuals. Hopefully, if I’m a company that provides identity verification services, I am selling my service to a business, and the business is getting the benefit of that, and maybe by side effect the consumer’s getting benefit from it. But if the consumer’s not the customer, are they really aligning with my interests?
I recommend it very strongly to expand the vision beyond buying and selling stuff because the real danger is not in buying and selling stuff. It’s in social media. It’s not the commercial transactions that are under danger right now. Already on YouTube, many times you have to identify yourself. It is becoming an immersive situation. As I said, it is done for a good reason.
By the way, I would expect the issue of impersonation to extend beyond the individual identity into the whole content you’re looking at. Regulations are already happening. The process, however, is becoming more and more immersive.
Right now, we talked primarily or zoomed in on the piece of the puzzle that’s called identity verification with, let’s say, the angle of someone wanting to open an account. But in the market, this is part of a bigger puzzle, which is sometimes called IAM or CIAM, identity and access management.
There is someone at the gate when you open the account. There is someone at the gate when you try to access it next time. There is somebody looking at what you want to do, what you want to access, what you are allowed to access, etc. Our entire interactions using internet and mobile, which is the same thing, is going and will more go into ongoing scrutiny. Big brother, big time.
That’s so hopeful.
And that’s merging domains that, until now, are still seen as different. Identity verification and access management. Cyber and identity verification. Actually, all of them are destined to be married into one process which follows you everywhere you go and anything you do.
Interesting. Do you see a timeline on—I was going to say when these things play out, but they’re already playing out. Are there any milestones that you see that this has to happen by this particular date? Where are there tipping points is what I’m trying to ask.
I saw two tipping points in terms of, let’s say, changing the way fraud is happening. One of them is, we’ll take a couple of years, but it’s when encrypted digital IDs, self-sovereign, will become prevalent enough. Right now, it is happening, but without any uniform standards, interoperability is an issue. Even acceptance is still happening. Not in all markets it’ll happen, but when it’s there it’ll be more difficult to steal your identity. Not really, but at least the way it’s done now. That’s one thing.
Then there is another milestone being talked about, but I think it’s yet to happen, which is obviously the world of quantum. If we are now talking about the encrypted credentials, which are very strong by the way, I’ve seen some estimations that breaking the normal encryption of today will take a couple of thousands of years. I’m not sure it’s that much, but let’s say it takes.
Obviously, with quantum computing, it’s a couple of minutes. Your encryption, even your ability that things that are now happening are not still yet, not still the standard, even they aren’t the threat. That will give birth to new ways of protecting against those types of anti-encryptions.
You probably heard about the first ones, but right now my main concern, which is less discussed in the media or online, is the tipping point of fully automated fraud machines. It is happening, it is still rare to see it. As I said, give them a target, give all the details you want, and it’ll do it for you.
This is what bothers me, because until now most of the market is made of amateurs trying to open one account, trying to be another person here or there, and the professionals. But now what’s happening is that professionals have tools that enables them to multiple their attacks to levels unseen.
I think the biggest attack we caught last year, not this year, was about 20,000 attempts made by the same entity with almost infinite combinations so that nothing repeats itself any longer. -Ofer Friedman Share on XI think the biggest attack we caught last year, not this year, was about 20,000 attempts made by the same entity with almost infinite combinations so that nothing repeats itself any longer. Obviously, the spread is global. You cannot attack the same company or the same country. You can’t afford it.
Now, the level of ability to automate it, that’s the problem because it’s much easier. It’s much easier to commit huge magnitude, global-level fraud with the same effort it took you previously to do one.
Now, the level of ability to automate it, that’s the problem because it’s much easier. It’s much easier to commit huge magnitude, global-level fraud with the same effort it took you previously to do one. -Ofer Friedman Share on XYou’re in this space more than I am. So much of marketing—you’ll understand this concept—is about reducing friction, making transactions easier, making processes easier. We’re talking shopping here, but how easy can we make it to get the consumer to buy our product?
We’re going to talk about the objections in advance so we can overcome those objections. We’re going to accept 16,000 different types of payment. You don’t even need to create an account; it can be a guest account. All these things are designed to facilitate the smoothest, fastest transaction as possible.
In the interim, are we going to see intentional friction points with these systems? It’s like, “OK, great. We can open account, but before you do anything, you have to go somewhere in person and do something.”
Are you a robot? First of all, I’m sure you are aware of agentic AI. That’s the whole idea. It is reducing potentially friction. It’ll buy your tickets at the right place, at the right price, etc. This is already there.
But I think that the friction is a bit overrated for the same reason I quoted earlier, which is the desensitization. If you think you can get away with it, it’ll be an issue. And that’s exactly what’s happening now with age verification in the UK. People think—by the way, they’re right—they can get away with it, so they go to VPNs and do all that jazz. But if there’s no place to run, that’s how you do your business. That’s when desensitization is kicking in.
Just like now, I’m giving my credit card details to companies I’ve never been in. I don’t even know where they are and I don’t feel bothered by it. That’s the thing. That’s why the most important players here are regulators and governments, and not the individuals who are supposed to be told to be careful when you cross the road, be careful when you open your computer, be careful when you are pressing X, Y, and Z. It doesn’t work.
So is regulation the way forward then for the consumer?
Different regulations than what I see now. Regulations, I’ve actually read quite a lot of them. Interesting reading materials written in a very legal language that sometimes I have to read three times in order to understand. But they always tell you what to do, but not how you should do it.
You are supposed to check an ID. You are supposed to check if it is fake, but is there only one way to do that check? Everyone is doing the same thing, so just buy the cheapest. Or are there better systems than others?
I would want regulators to regulate service providers like technologies like ours. Why do you have a star system for hotels and not for identity verification solutions? -Ofer Friedman Share on XI would want regulators to regulate service providers like technologies like ours. Why do you have a star system for hotels and not for identity verification solutions? The assumption is that what AU10TIX does is probably the same like everyone else.
When we talk to each and every new client, we have to demystify—although today it’s not that difficult—the gap between promises and reality, and then show them what’s under the hood, because on face value, everyone is looking to be doing the same thing. What I’m saying is that so many things are regulated in terms of the service you’re getting. Why not this as well?
That sounds very, very, yeah. It’s going to have to be in order for there to be success.
But regulations are happening slowly, and much of it, good or bad, are influenced by politics.
Like I mentioned earlier, who has the best lobbyist?
Yes, and politics in terms of governments taking initiative, which appeals to the people. For instance, the issue of fake news and all of […], you would expect regulations to address that effectively or ineffectively, it doesn’t matter. Or the age verification thing, which is about protecting minors from exposure to whatever. Someone has to vote for it at some point in time, so it has to be important enough at some point in time, and it has to make sense to regulate those who are writing the rules, those writing the laws.
There is always prioritization, and when prioritization comes into play, it is inevitable to have some political consideration in it. But eventually the damages of all those deepfakes and impersonations affecting not your bank account but the media, what you know, think, and what you’ll be voting for, that will make it way more important.
Much more. It’s not a simple issue.
I think that you know we are basically living the end of one era in history, let’s say the post–World War II vision and utopia of the world and entering another one.
And we don’t know what the next one looks like yet, so it’s hard to plan for it.
It doesn’t look good.
On that depressing note, as we wrap up here, if people want to learn more about what you do, where can they find you and where can they learn more about what’s being done in the identity space?
First of all, I think that my mission here is not to say anything. My mission here is to educate people because it is that complicated. I would be very happy if people read as much as possible about it.
I’m writing articles, I’m being interviewed, etc. That’s OK. You can do it with other people as well. But one of the things to learn is how to pick and choose the right vendor.
Let’s carry on that for a minute or two. When someone’s looking for an identity verification vendor, what are the key things they should be looking for?
We talked about the minefield, which means there are things you must have and there are things you want to have. That’s one thing. We are talking about the basics of ID and document and face, and then things that will beef it up into a much stronger thing, like we talked about the device, we talked about the network, etc. But I do notice that we’ve been talking for quite a lot of time. How about leaving something for the next meal?
I like it. These conversations are always so interesting to me. We’ll definitely have another meal. Thank you so much for coming on the podcast today.
Happy to. You actually did make it quite interesting and challenging, and you noticed we started from people selling identities and ended up with Agent Smith.
