Real Time Fraud Detection

Hosted By Chris Parker

294

“Generative AI has completely changed the fraud landscape. What used to take days now takes minutes.” - Bala Kumar

Everywhere you turn, someone’s trying to fake something like an image, a voice, or even an entire identity. With AI tools now in almost anyone’s hands, it takes minutes, not days, to create a convincing fake. That’s changed the game for both sides. The fraudsters have new weapons, and the rest of us are scrambling to keep up. The real question now isn’t just how to stop scams, but how to know who or what to trust online.

My guest today, Bala Kumar, spends his days on the front lines of that battle. He’s the Chief Product and Technology Officer at Jumio, a company working to make digital identity verification faster, smarter, and safer. Bala has more than twenty years in the industry, including leadership roles at TransUnion, and he’s seen firsthand how the race between innovation and exploitation never really ends. It just keeps speeding up.

In our conversation, Bala shares how generative AI has supercharged the fraud world, what makes identity such a fragile link in digital trust, and why biometrics may finally offer a way forward. We also dig into the psychology behind online risk, how convenience often wins over caution, and what small habits can help people protect themselves in an age where deception looks more real than ever.

“No fraud system in the world is 100% perfect. The key is how quickly you detect, correct, and close the gaps.” - Bala Kumar

Show Notes:

  • [01:04] Bala Kumar has a background in product management and fraud prevention from TransUnion to Jumio.
  • [01:59] He describes how fraudsters constantly evolve, forcing companies to anticipate attacks instead of just reacting.
  • [03:56] The quality of manipulated images has skyrocketed, making real vs. fake nearly indistinguishable.
  • [05:17] Jumio’s systems catch most fake IDs, but Bala admits even advanced systems must keep auditing for missed fraud.
  • [07:16] Regular audits and rapid response cycles help Jumio identify attack spikes within 24–48 hours.
  • [09:40] Generative AI has dramatically increased the speed and volume of fraud attempts across industries.
  • [11:33] Jumio uses cross-transaction risk analysis to detect emerging fraud patterns and shut down attacks quickly.
  • [13:00] Fraudsters move from one platform to another, always searching for weaker defenses and faster wins.
  • [15:10] Bala explains how fraud prevention has expanded beyond banking into gaming, dating, and gig platforms.
  • [16:38] Consumers crave low friction, which ironically makes them more vulnerable to scams.
  • [17:20] Instant gratification culture pressures companies to reduce security steps, fueling greater risk.
  • [19:52] New AI-driven fraud tactics include injected camera feeds and highly realistic deepfakes.
  • [20:12] Old tricks like “send me a selfie with proof” no longer work—deepfakes can now mimic anything.
  • [22:22] Bala sees biometrics as the next major safeguard for digital identity and real-time verification.
  • [23:12] Facial recognition has become mainstream, paving the way for secure and low-friction identity checks.
  • [26:19] Jumio is already deploying biometric check-ins for events and hotel registrations with great success.
  • [27:30] Account recovery and payout systems now use liveness and device checks to confirm identity safely.
  • [30:09] Bala critiques outdated knowledge-based questions like “What’s your favorite food?” as unreliable security.
  • [31:12] Consumers lack visibility into which apps use strong verification or multi-factor authentication.
  • [33:56] He calls for an independent rating system to rank apps based on security and identity protection.
  • [37:53] Bala urges users to question why companies ask for personal data like SSNs or ZIP codes.
  • [39:29] Even a ZIP code and last name can expose personal records, highlighting the need for awareness.

“People share personal data far too freely. We should all stop and ask, ‘Why do you need this information?’” - Bala Kumar

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Transcript:

Bala, thank you so much for coming on the podcast today.

Great to be here, Chris. Thank you for having me.

You're welcome. Can you give myself and the audience a little bit of background about who you are and what you do?

Absolutely. My name is Bala Kumar. I'm the Chief Product and Technology Officer here at Jumio. I spent my entire career in product management, especially in the fraud prevention and identity space from my time at TransUnion, where I led the global fraud and identity product groups to now here at Jumio, where our focus is on reusable digital identities, biometrics, and fraud prevention at scale.

What drew me here is very simple. Identity sits at the center of trust online. If you can't trust who's on the other end of a transaction, whether you're trying to open a bank account or whether it's a dating app, et cetera, then everything else falls apart. Trust is fundamental and key to everything that we do online or in real life. We here at Jumio, that's what we are focused on. That's what excites me with what I do.

How did you get into fraud initially at TransUnion? Was that something that you had studied in college, or you went to work for TransUnion and ultimately got, “Hey, come on into the fraud department. You've got an eye for this”?

I have to thank one of my colleagues who decided to take on a step-up role in the organization. When she took on that role, there was a vacuum. My boss at the time asked me if I'd be willing to step in and help out with that particular solution. There's been no looking back. I got them. This is an area that keeps you on your toes all the time because fraudsters are a fun batch. You’ve got to give them credit. They do a lot of hard work, they're extremely innovative, and they work together really well.

They're constantly posing challenges. As a product person, you're trying to figure out one reactively how do you defend yourself against their attacks, but also proactively how do you think ahead, how do you think like a fraudster, and how do you start building defenses in advance of them even trying those attacks. Once I got into the space, there's been no looking back. It's been a pretty fun journey.

Is there anything about it either personally or on the corporate side that keeps you up at night concerning what's going on with fraud these days?

All the time. Not just now, for the last decade and a half that I've been in the space. It's like watching Tom and Jerry, the cartoon series. You're constantly running around chasing or beating each other up. You build a tall wall and they find a taller ladder. That's why I said in this space, you're always on your toes.

Especially in the last year and a half, I would say the proliferation of GenAI tools has definitely on the fraudsters so much more. We use it extensively in our space, whether you're building products, whether you are designing systems, you’re scaling systems, et cetera. Guess what? Those tools are so easily available to fraudsters as well.

I've seen generations of manipulated images now. If you look at an image from even six, nine months ago that was digitally manipulated, the one that you see now is almost like looking at a four megapixel picture versus a 400 megapixel. The quality of those images has gotten so much better now. It's very hard to tell good from bad. That's where we are now. Imagine where we will be six, nine, 12 months from now. That definitely is something that's very concerning.

The good news is we saw this coming. We'd already been working to deter these attacks. In general, we are catching a majority of these types of attacks that come through the door, but I won't be surprised if these guys come back with something even more powerful. We'll wait and watch while we are continuing to cook up our own defenses on our end.

I was just thinking something funny when it comes to identity documents because you're talking about how image quality has, on anything pretty much in the last couple of years, gone through the roof. Nobody has a good looking driver's license picture. Nobody has a good looking passport photo. Maybe they weren't all analog at the time. I guess probably a lot of them were digital at the time, but because those systems were particularly low quality, is that actually one way to spot fakes? The quality is almost too good?

Not necessarily because fraudsters are quite good. They're not just creating these high-quality images. They're creating high-quality images so they can submit. Fraudsters, when they used to create those fake physical ID cards, they wouldn't just print it and then hand it off. They would print it, then scrape it, and make it look like it's been through wear and tear before they hand it to whoever's buying the fake ID to make it look legit. Fraudsters do the same. They try to put in some noise in the high-quality image. That in itself is not a giveaway, but there are enough digital footprints there for us to be able to spot these manipulated images.

It's the amateur guys that are doing the really high-quality work.

I always say this. When we stop fraud and we get excited, “Hey, look at all the fraud we caught.” My general guidance to the team: those are the amateurs. The ones that you're missing are the really sophisticated, smart guys. Let's see if we miss any of those. That's one of the things that we do here differently at Jumio. We have a team that we call the service quality team. We audit transactions after the fact to see if you've missed anything as well.

Every now and then, we will find a bunch of these that we have missed, because let's face this, no fraud system out there is a hundred percent perfect. There will be some amount of fraud that gets through the door. The important piece is, is that really small? And then what are you doing to course correct and start closing the gaps? Once in a while, we'll see some of the sophisticated fraud come through the door as well. Like I said, you have to give them credit. These guys are really putting a lot of thought into how they want to do this, and they're trying to figure out how to do it at scale.

I'll ask you a question. If you can't answer it, that's fine. You've talked about we've gone back and looked and gone, “Oh, wow, hey, something got through.” Has it ever led to a new technique or, “Oh, my gosh. There was significantly more that got through than we realized”? You have this one thing that's like, “This looks suspicious; let's dig into this. Yup, it's fraudulent.” You found that, but has it led to, “Oh, we figured out what happened here,” and then we look back at a larger list of transaction identities and see, “Oh, gosh. It has actually been going on for a while”?

I don't know about the going on for a while because like I said, we very regularly audit all the transactions that are coming through the door. We almost do this on a daily basis. We don't really have scenarios where, “Hey, we missed something and it's been languishing for a period of time.” We typically catch it within 24-48 hours.

There have definitely been instances when we see some of these spikes in attacks. I've seen this for the last couple of decades now. Fraudsters will poke at every possible system, different customers. Once they get their foot in the door, there's an onslaught. They try to get in till the controls are locked down and then they're like, “Yeah, I'm done with this. I'm going to go try another customer who's not figured this out yet.” Once in a while we'll see a spike like that.

I will say there's definitely a lot of thanks that we have to give to fraudsters because they have definitely contributed to making our systems better. When we see those spikes, we go back and we investigate. Sometimes it results in newer techniques, newer models or enhancements to existing models that we roll out so we can start blocking these guys out. Absolutely, there have been instances where there's been increased innovation on our end because of some of the spikes that we've seen in these attack vectors.

Got you. Because of the new generative AI tools, one of the common things people talk about when it comes to AI, fraud, and scams is this ability to orders of magnitude more scams and frauds in a short period of time. Are you seeing that thing as well that when those spikes are happening, they are significantly bigger than they were five years ago, 10 years ago, two years ago?

You don't even have to go two years. I would say if you go back two quarters or three quarters, you'll definitely see it. I mentioned at the start, the increase in GenAI tools and therefore the attack vectors. I would say over the course of the last 12-18 months, we had started to see a trickle of these. We are expecting it and we had started to build the countermeasures for that.

I would say in the last three or six months, we have definitely seen an increase in the number of these types of attack vectors across our customer base. The good news is most of those have been countered because we saw it coming. We had the defenses in place. We are able to detect it, but we've definitely seen spikes in those types of attacks, especially with the injected camera attacks. They're basically taking over the camera, injecting a feed, and trying to send the images through to us, but we are able to detect those through a variety of techniques.

One of the important aspects that we bring is as a data controller, we have access to a ton of data that we can now leverage against these types of attacks. We have a solution that we call cross-transaction risks. We are able to look at attack vectors across transactions. When we see those patterns of attacks, we may have missed the first one, maybe the second one, but then we go, “Hold on a second, there is a pattern here.” Attack number three, four, five, and so on gets blocked right away.

We will see that couple initial ones trickle in, then we'll see a spike, and then the fraudsters realized that they're wasting the time and energy with us. We will see an abrupt drop, so it'll be like a cliff. They'll drop off and they'll go try to find an easier prey. That's definitely something that we have seen quite a bit in the last three to six months.

Are you starting to see quicker cycle times between those spikes? They try something, they get through a little bit, you block them, and then the time between the next incident, has it been consecutively just getting closer and closer?

They'll probably come back with something slightly different. We will see the same types of attacks across other customers as well. We already now have the defenses. After the one or two, doesn't matter which customer they're coming through. Now they're basically blocked. It's like we have a firewall up against these types of attacks.

We do see them attempting this across multiple customers over a period of time because the fraudsters are not necessarily all acting together. One fraud ring will try it and then they'll realize, “Yeah, this customer is no longer worth our time and energy. Let's go find somebody else.” That ring may go to another customer. They may not realize that customer is also protected by Jumio. The number of attacks will not be the same as previous. Previously, they may have hit us 500 times. Now after 15 or 20, they'll be like, “Oh, hold on. Not working. Let’s move on.”

Fraudsters are constantly looking for the path of least resistance. The moment they realize that somebody's got their walls up and the defenses up, they don't waste their time. They'll try and go find somebody else with the vulnerabilities.

Yeah. I assume that appears to be the case for most types of scams, not just financial systems, but always looking for the lowest hanging fruit. “What's the least amount of effort I can put into the scam to get the most payback?”

Absolutely, a hundred percent the case.

When it comes to it protects your transactions and whatnot and identity, has most of the growth from what you're seeing, is the industry starts with financial transactions and identity involving financial institutions? Is that where the technology starts, and then it starts to roll out into other industries?

That used to be the case many years ago. I'd say that changed quite dramatically, especially now with the Ubers of the world, the gaming apps that are out there, dating apps that are out there. There's a lot more variety of apps where you have that customer, end user interactions, and actually more frequent interactions than you would expect to see with financial institutions outside of payments, of course. We used to initially see this technology growth, the fraud defenses grow in financial services, and then others adopting these techniques. Now I'm actually seeing this happening across different types of industries, different service organizations.

I like that. It's actually good news to me that it's not just, “Hey, we're going to let the financial industry, they're going to cut their teeth and figure it out, and then we're going to adopt it 10 years later.”

I would actually say a lot of these companies, especially with the fintech boom, I'd say a lot of these organizations move a lot faster. Again, nothing against financial services organizations, but big banks are big banks. They have regulations, they have compliance teams. They have got fraud operations and risk folks that are monitoring these different solutions that are being offered. They are more of an ocean liner. It takes a lot of time to bring those controls in place and to roll out different solutions.

Fintechs, dating apps, or gaming apps and others are more startup-like organizations. Their existence at the end of the year depends on the funding that's going to come through. They have to move a lot faster. Therefore, I think they no longer are waiting for examples to be set by others. They look at, “Hey, what did they do?”

Also, financial services in general, because of the value of impact, they're OK with putting more friction in the path of end users, not so with fintechs and a lot of these ride-sharing organizations. They're trying to minimize friction as much as possible. The same techniques that financial services use may not even apply for a lot of these other industries.

Your ride share app company doesn't have the same restrictions as all the know-your-customer content of a bank. If I had to jump through all those hoops in order to get a ride, I probably wouldn't use their platform.

Exactly. Imagine trying to get a ride share, and then you're sitting there with your app going through 20 forms that you have to fill out. If you're just going to hail a cab, you're going to get in the cab, and you're going to get going.

The drivers, the people that are providing the service, I want them to jump through all the friction but not me.

Not us, exactly.

“I want other people to experience friction, but not me.” I think it's one of the societal challenges that we have that makes scamming possible or that aids the scammers. As consumers, we're looking for the least amount of friction possible, the scammers are going to use that to our detriment.

Without question. It's always about instant gratification, especially for the current generation. There is no way my kids would be willing to go in and fill in a username, password, et cetera. “Does it have face ID? Great, sign me up.” I would say the last 5-10 years is mostly driven by instant gratification. That puts more pressure on organizations like us that have to find the balance between the right level of friction and the right level of convenience for end users.

Got you. What are some of the new tactics that the fraudsters are using against victims these days?

Some of the traditional factors have not really changed, which is preying on the vulnerable, leaning on emotions, leaning on the tactic of urgency to try and drive reactions from end users. That phishing email that comes through that says, “Hey, your payment is overdue. Click here.” It's forcing an action. Some of those techniques, they've actually gotten a lot better sophisticated, but how those emails appear making them look more legit than they used to previously. You don't see all that blinking text, the banners, and other things that we have probably seen 15-20 years ago.

A lot of those still continue to improvise and make it look a lot more legit than before. Outside of that, I would say the GenAI tools are able to create much better images, whether it is ID images, whether it's the biometrics pictures for selfies and so on, whether it is about manipulating the background. They've gotten a lot more sophisticated with that. They are leaning on open source tooling for things like injected camera attacks. It's so easy to create a deepfake video now. In 30 minutes, you can have the environment set up, and then you are off to the races. Every minute or two, you're generating a very sophisticated deepfake.

This is not them waiting days on end or weeks on end to get that fake ID printed and use it for any fraudulent transaction. They're leaning a lot on these types of techniques, especially in the last 12-18 months. In the last three, six months, I've definitely seen a huge spike in these types of attacks coming through the door.

Yeah. There are two sets of advice. Have the person send you a photo of themselves holding something specific that was location-specific. That's not the thing that could be forged. Now all that could be like, “Yes, here's this fake AI identity, a picture of a person that we have all different angles from. Let's put them in front of the Eiffel Tower holding up a teddy bear, whatever.” It's like, “OK. Give me 15 minutes to run over to the Eiffel Tower and I'll send you that picture, or jump on a Zoom call and I'll see you moving and not glitching out so I know you're a real human being.” Unfortunately, those things are not good enough.

I think when it comes to identity for banks, me as a consumer, deal with the bank, there's checks and balances to make sure that they knew who I am and that I know who they are. When it comes to I'm going to jump on Zoom with somebody, I'm jumping on Zoom with you, I've never met you before, I don't know what you'll look like. How do you see identity starting to be incorporated into real time, real life, not necessarily, we're not in front of each other, but in consumer identity cases, where I want to know that you really are who you claim to be and you're not an AI-generated avatar?

Yeah. That's an interesting question. It really depends on what the app is and what the financial impact or risk impact is going to be with the deepfake showing up here. If this is a Zoom call where we are trying to figure out a financial transaction, we have to make sure that we have the right people dialing into the call. If this is a, “Hey, let's you and I have a chat about what's going on in the fraud industry,” we don't necessarily need the same degree of control. It really depends on the context, and it depends on the risk exposure of doing something.

The podcast itself, there could be a risk impact in terms of branding and others if you have a fraudster getting in the door. It's a combination of these different factors that need to go into that thought process of how you want to design a system for fraud detection.

Depending on that impact, that can define what types of controls you put in place. It could be like, I can't just get on Zoom. I have to log into Zoom, or can I log into Zoom with credentials that I've stolen, or did I just create an account just now? That's where the question comes on. OK, how much more risk layers do we need to start putting in here?

In my opinion, the easiest solution is biometrics checks. I say that because even four or five years ago, I would've hesitated before I said that. Now, people are so used to unlocking their phones with their faces. It's no longer, “Wait, what are you doing with my face? How do I have to hold the camera? How do I have to hold the phone, and how do I have to look at it?” That's gone. It's become second nature now. If I take my phone out now, of course I can go put in my PIN, but facial biometrics is in default. Given that folks have now adopted this, have accepted this, and feel comfortable doing this, I don't see why this cannot be a layer of protection because it's a strong protection that you can use within apps.

I'll give you a great example. We just did an offsite in India. We had 150 Jumio people show up to the event. We believe in drinking our own champagne. We spoke with the hotel guys and said, “Hey, when everyone comes in, they're going to have to furnish an ID,” which is what all hotels do. I said, “We had an ID company, what if we have everybody already pre-registered with their IDs, and we will have their biometrics and selfies taken, so when they show up at the hotel, all they have to do is take a selfie on your app, then you know that's them, and you have the ID card that you could use?” They're very curious like, “Oh, sure, let's give it a try.”

We went through the process. It was an amazing success story. When our folks showed up at the hotel, all they had to do was take a selfie, and it immediately triggered a message to them. They said, “Yup, thumbs up. We know this is a legit person.” Verified, validated, and they got them in.

The point I'm making is even areas where you don't necessarily need to put too much friction, this biometrics layer is something that can work very effectively. It gives you the confidence that you need that you're interacting with the right person. For this call, for example, if you wanted to make sure, “Hey, is this a legit person joining or not?” Zoom could have just layered in a biometrics layer when I was logging in. Right now, my camera's on and it can do a quick check to see, “Yep, this is the right individual.” If not, boot me out. If I'm valid, great. You have confidence that you're interacting with a live, breathing human being.

Now I'm doing product ideation. You've got all these two-factor authenticator apps. Can you imagine one that now, it doesn't just say, “Hey, here's the six-digit code that you need to enter in on the website,” but that it's actually aliveness or there's more identity verification to it, so, “Hey, this is just a plugin that would work the same way that any 2FA plugin would work that, well, now when I get on my dating app, I've got to hold up my phone and check in.” Or, “Hey, Zoom has this plugin. OK, yup, I'm dealing with Bala. Oh, hey, I'm sending an email; maybe there's an email plugin for it as well.” Do you see a product like that coming to market?

Absolutely. No question about it. That's something that we are actually working on with some of these folks.

That's neat.

The point I'm making again is, three-to-four years ago, even as a product guy would've hesitated, it's a great idea on paper, but how do you translate it to reality? That's now in the past. It's because folks have gotten used to it. I don't believe there is a generational challenge either, whether this is a teenager, a kid in school, or if it's my parents. They're all used to facial biometrics now because they all unlock their phones using their face. I say all, but majority of them. I think that hurdle, that friction layer is now gone. There's no reason why this cannot be a very strong verification or authentication layer.

Yeah. I would love to see something like that in account recovery, such that when you call into some institution, “Hey, I lost my password. Can you reset my password, can you reset my telephone number, and I can't provide the 2FA.” OK, there should already be a layer of suspicion. “OK. For you to prove that we really should be resetting the account, we needed you to jump through these incredible hurdles.”

There was an entity that I worked with that someone generated a fake passport of me and provided that to them. Because they had nothing to validate it against, they took it at face value and went, “OK, yeah, we'll reset the account.” Luckily I happened to get notified the account was reset. I was able to call into the company and un-reset it, so to speak, before the fraudster had any chance to do anything. Unless I had previously provided a copy of my passport to them, they have got nothing to compare it against.

The good news is we actually have a lot of customers that are already using us, using Jumio in that particular use case for account recovery or even payments. Let's say it's a gaming company, some display splits, and now it's payout time before the payout happens. They basically use us to do that quick authentication, face check, and then they go, “Yup.” It's biometrics check, it's the liveness check, it's a check on the device that is being used in the transaction to see if this association's there and then they have that confidence. All of this is as least friction as possible. It's like, hold up your phone, your camera, take a selfie, and you're done. Behind the scenes, we are running all the different models to make sure we had that confidence, and then we gave them the green light.

Yeah. There's some things in life where if I'm doing an account recovery, I'm good with there being a certain amount of friction. I want there to be friction because I don't want it to be easy for scammers to do. If I won a million dollars at the casino, I'm OK with a little bit of friction to get my million dollars. That's something I'm willing to do. If you want to do all of this so that I could order a milk tea at the local boba place, that's probably going too far.

Absolutely. I'd say when you bring in biometrics or liveness check, that's as least friction as you can expect. Even with 2FA, now you have to go get a code, punch in a code, et cetera. Here, you just hold the camera and you're done. The worst is KBA, knowledge-based authentication. It will ask you, “Hey, tell us about your friend from high school or middle school.” I'm like, “What was the answer I plugged in five years ago when I set up the account?” It is funny and sad at the same time that company still uses that as a 2FA solution.

Yeah, what's your favorite food? I'm like, that changes every six months because I run across something new that I love. Let's say I opened this account at this time. “OK. I was really into this. Maybe it was spaghetti. No, OK. That's not it.”

And did you spell it right then, or did you spell it right now?

And was it case-sensitive?

Yes.

From a consumer perspective, what can consumers do to move this technology forward and like, OK, if I have a choice of banks that I want to bank with, how do I know who has good liveness check? If I'm going to use a dating app, how do I know which ones have these tools built into them? What are the questions that I need to be asking?

There are a bunch of questions you could ask. The question is who's answering them. I download a bunch of apps. There's no information available unless you actually go through the process. Even if you go through the process and they may be using some of these checks, how good are these checks? How is it tailored? How is it configured? There's no easy way to know that.

As an end consumer, it's not like there are certified apps at certain degrees of confidence that say, “This app is five stars and this one is four stars based on the types of controls they have in place.” Unfortunately that does not exist. If you're looking for that type of confidence, you're basically looking at review comments and others that you can see in the App Store. Outside of that, there is no inventory of apps that are graded for consumers to try and figure out.

That said, when you go through the onboarding process, if it asks you, “Hey, would you like to use your face biometrics, would you like to use your voice,” that starts giving you an idea of the types of controls that they have in place. They ask you to use a multi-factor authentication app that gives you confidence. When you see somebody saying, “Hey, here's three questions and plug in an answer,” that's when you know I exit, run. You have to go through the process for you to figure out. For the general population out there, this is not something that they are constantly thinking about. All they're interested in at that moment, “Let me create the account and be done.” That's definitely a challenge.

Is that something that consumers really need to start thinking about? “What is this app? What is this company doing to verify my identity? If they don't do verifications at some level that I've decided is acceptable for this amount of risk, that's when I should just, let me just stop the process and turn away?”

In an ideal world, yes. In the real world, I don't think that's practical. I was in India a couple of weeks ago. I was helping my dad with his phone. I was like, “What is this app and what is this app?” He's like, “Oh, somebody told me it's a good one. I downloaded it.” He's not even thinking when he is going through the process.

In the real world, folks are generally not processing. They're not thinking. They download an app, it asks you for permissions, you're not even thinking. All you want is to get the app working, so you granted all the permissions possible in the world. Unfortunately, I don't think consumers are aware enough at this point, but I do think there's an opportunity for an independent entity to start building that catalog of safe apps.

Of course when you download an app from the Apple Store, the Google Store, et cetera, you get the verified app feedback. Your question about how good is the security controls, et cetera, that part of it is missing. There may be an opportunity for someone to actually provide that information and that ranking like the Michelin four star, Michelin restaurant. There may be an opportunity there for someone to build that catalog.

By the time this episode airs, that product will already be on the market and have a few billion dollars in venture capital.

There you go. The question is, who's launching that? Is it a fraudster or a real person?

That becomes the challenge. “Hey, the local mob is running the identity app and using all those identity tricks to commit fraud on other people.”

If people want to learn more about what's going on in the identity space and keep up with what's changing, where can they go for that?

Plenty of sources online without question. ChatGPT is a great source as well. If you're looking for companies in the identity space there, there are a lot of worthy folks out there. In Jumio, we do a pretty impressive job. We process millions of transactions every single day. The jumio.com website is a great place, great resource, that talks about how we think about fraud and how we are fighting fraud. We also have a lot of worthy competitors out there who do a pretty good job fighting fraudsters as well.

There's a ton of resources out there for someone who's interested and wants to learn about this. The most important thing, though, is it's not so much about these organizations and what they do. It is about what do they need to do to protect themselves. How guarded do they need to be when they're filling out an application form? Stop and ask, “Is this information really necessary?”

Without naming names, an organization that I was working with had to fill out a form and it had the Social Security number item. I was like, “Why do you need my SSN?” It is only when I asked a question, they said, “It's optional. You don't have to fill it out.” Of course I did not fill it out, but I guarantee that a lot of people didn't even ask the question and they filled it out. Six months later, that organization had a breach, and one of the pieces of information that was compromised was SSNs. Luckily, I've asked a question and I had not put that information, not so lucky for a lot of other people.

Having that awareness to stop and ask, “Is this information necessary? Is this necessary for this organization? Is somebody pulling up my credit score and therefore they need my SSN versus are they just asking it to have it in their records?” That's the awareness that people need to start building in their own heads when they're filling out information or when they're providing their personal information to an organization, to a stranger.

It is a hard shift to make. We're so geared towards someone puts a form in front of us and we just fill out everything. As a good example, my wife and I were at a free flu shot thing this past weekend. We get in line and we had done the paperwork online. A guy comes up with the line next to us and says, “Oh, fill this out.” It's like, “What do you need my address for? You're giving me a shot, why do you need my address?” They're like, “Well, it's a state-run program, and the state wants to verify.” It's like, “OK.”

He wasn't a jerk about it, but it was like, “So why do you need this information?” As society, we need to start asking more questions. It's nice to hear people out in public starting, “Why do you need my zip code in order for me to buy something at the cash register? You don't need that information.”

Yes. They need it so they know where the footprints are coming from, but at what cost?

Correct.

I always decline. They're like, “Hey, sir, can I have your email? Can I have your phone?” “Nope.”

“Nope, you don't need it.”

Here's my money, give me the goods, and I'm done.

I did have one of those. They asked for the zip code. I understand when you're doing a face-to-face transaction, there's a certain amount of research of, “We want to know, can we open up a new store based on where consumers are coming from?” It makes perfect sense to me as to why the organization was asking it. When I said, “Look, I'd rather not give you my zip code,” the person's like, “Oh, but the system requires me to enter a zip code for me to sell you something.” I'm like, “They make you type in the zip code?” I'm like, “What's the zip code here?” He's like, “No, let's use that one.”

Yeah. When I run into that situation, I always give them a made-up zip code. They never get my personal zip code. Again, we are talking about awareness. You just need to take the last name and the zip code to triangulate on an individual. It's so easy to do. This public sources of information is breached information, et cetera, so it's very easy with just the last name and the zip code to be able to get a ton of information.

Worst case, you have three or four individuals that show up, especially if it's a common last name. Again, you have narrowed down the scope. Now you've got three or four individuals' last name, zip code, and a bunch of addresses, date of births, and other pieces of information. Folks engaged only zip code, but it's so powerful when you take just the simple last name, the zip code, and try to look up information.

Yup. Bala, thank you so much for coming on the podcast today. If people want to be able to connect with you, where can they find you online?

LinkedIn. LinkedIn is a great place. I'm on Twitter as well or X.com, as they call it now. LinkedIn is a great place because they can message me as well. If anyone's got any questions, if they want to learn more about this, I'm more than happy to help answer questions.

Awesome. Thank you so much. I really appreciate your time today.

Anytime, Chris. Thank you for having me on. I appreciate it.

About Your Host

Chris Parker

Chris Parker is the founder of WhatIsMyIPAddress.com, a tech-friendly website attracting a remarkable 13,000,000 visitors a month. In 2000, Chris created WhatIsMyIPAddress.com as a solution to finding his employer’s office IP address. Today, WhatIsMyIPAddress.com is among the top 3,000 websites in the U.S. 
