Currently we have hard copy passports and driver's licenses, but as our digital identities evolve, we may find ourselves with a worldwide digital standardized way of proving who we are. Today’s guest is Philipp Pointner. Philipp leads Jumio’s digital identity strategy and the initiative to enable multiple digital identity providers in its ecosystem. Prior to Jumio, Philipp was responsible for paysafecard, Europe’s most popular prepaid solution for online purchases.
- [0:53] – Philipp shares his background and current role at Jumio.
- [2:12] – Our online identity has changed very quickly over the last decade.
- [3:47] – Over time, this evolution has made people a lot more comfortable with technology.
- [5:50] – The changes that Philipp thinks are coming may cause problems with some countries not accepting them.
- [7:30] – The digital identity will likely be more secure than physical copies of important documents like passports and driver’s licenses.
- [10:47] – Chris and Philipp discuss a recent experience in verifying the credibility of physical documents.
- [12:52] – With more sophisticated benefits to a digital identity comes more sophisticated attack attempts.
- [15:40] – Where does one turn if they are a victim of identity theft?
- [17:11] – Philipp believes that it should be the responsibility of an organization to ensure the end user is safe.
- [18:48] – Philipp shares the results of a survey that asked people if they were willing to take more steps to ensure that they were secure online, but the exception was social media.
- [22:02] – Education around scams is improving and increasing, but not about everything.
- [26:20] – The technology exists to keep people more secure, but it isn’t employed as often as is necessary.
- [27:47] – At the end of the day, the inconvenience is always put on the end user.
- [29:07] – Biometrics are strong and have a lot of well governed standards already in place.
- [31:40] – Research shows that the requirement to change passwords every 90 days is ineffective.
- [32:59] – Currently, there isn’t a one-stop shop where people can receive the education they need to better understand cybersecurity.
- [35:48] – Philipp and Chris talk about the recent issue with concert tickets being purchased by bots for scalping.
- [38:28] – The general public has become an easier target than in years past because of the increase in online activity.
- [40:09] – People vastly overestimate their ability to detect fake images and deep fakes.
- [41:42] – Philipp explains what it means to have a reusable digital identity.
- [43:30] – When digital identity is used to verify in the future, will users have the ability to revoke their provided information?
- [46:58] – Pursue education on this topic and then take action.
- [50:01] – Your data is definitely online and it's important to be aware of what is available for potential scammers to know.
Philipp, thank you so much for coming on the Easy Prey Podcast today.
Thanks for having me.
Can you give myself and the audience a little bit of background about who you are and what you do?
Absolutely. I work for Jumio. We're in the identity space. My role for the first nine years here was chief of product. Now I'm the chief of digital identity. That's trying to future-proof Jumio for the world of digital identity and the threats that are coming down the pipe. I've been here for more than 11 years.
Before that, I actually worked on a consumer product. We had to do KYC on consumers. I knew exactly how big that challenge is of identifying people and keeping the fraudsters out, making it convenient for good people. When I then had the opportunity to go solve that problem, I knew that that would be a nice challenge and a good field to work in.
Ever since, identity has been my lifeblood. It's such an interesting topic. It's the linchpin to accessing all the online services that really matter to people.
Online identity has fundamentally shifted very quickly in the last number of years in terms of how we identify ourselves, so to speak, has it not?
Absolutely. When we started this idea that we asked for a passport, a driver's license, or something for understanding who someone is, or even asking people to show their face, when we started with that in 2014, we got strange looks. We saw that conversion rates are impacted.
Now, everybody's showing their faces to the phone camera all the time. It has become such a convenient way to unlock services. You might use your fingerprint on the device or whatever it is. I think smartphone use has fundamentally paved the way for more security in many different areas.
People have gotten over that first layer of, hurdle of, “You want me to do what?”
Yeah, exactly. It was interesting. Fingerprints were always like, “Oh yeah, sure. Do whatever you want.” But face was always where people were a little bit more sensitive. While that has changed, I think people are aware.
There's a heightened awareness now of, “Well, I want my biometrics protected. I want security and compliant use of my face, but just the comfort level.” The actual mechanical handling of putting the face inside the frame is something that people can just do in their sleep.
Yeah. It used to be you're chatting with people and you see their foreheads or their chins.
Even our parents can now get their faces in the center frame.
It is a demographic question. It's very interesting. That whole question about inclusion and making sure that everybody can use these technologies is an important one. It's about guiding the user, but it's also about bringing the right methods to the right people in order to achieve what you want to achieve with them in terms of authentication and security.
It brings new challenges with accessibility. If you have someone who's blind, they may have a camera. But if they don't have the tools to properly aim the camera at themselves for facial identification, that's a new challenge that we didn't have that we weren't thinking about 10 years ago.
Absolutely. I think the next level there is really going to be to have digital identities, where it's a reusable digital identity. You don't need to get your wallet, your driver's license, or your passport every time. But it might be a credential that lives on your phone that you can selectively share into different applications that you use.
I think it's coming. We've been talking about this for such a long time. It's a little bit like the payments industry when they wanted to introduce the NFC chip. It's like, yeah, it's such a great idea. It's going to be so much better when we're finally there. We see it really emerging now. I think in two, three years, we will live in a different world.
Do you foresee challenges of digital identity in terms of jurisdictions, governments, and this country will accept it, this country won't, this country wants to implement it this way, and this country will implement it in a way that's mutually exclusive to that country?
Absolutely. Interoperability is the big term that this industry is throwing around. You can't get through a conversation about digital identity without getting into interoperability. I think where there's a very good chance that standards are going to be adopted is with the mobile driver's license initiative, which is an ISO standard. There’s also things in motion with getting us to a digital passport, which is governed by the EATA, which governs the whole cross-border document use and compatibility with everything that is on airport equipment and all of that.
I think there's a good chance that that is going to give us a global standard as well. In terms of national eIDs, some of them try to lean towards the standard, but nobody has really done a purebred implementation. Everybody's cooking their own thing somehow. It's not looking as if it would be a global initiative.
In the EU, the EU digital identity wallet is going to harmonize a lot of this. At least within the EU, there should be comfortability. That's a big goal of the initiative. I think internationally, it's going to be the mobile driver's license and the digital passport.
Do you see this transition of going from physical documents to electronic documents is this ripe opportunity for scammers, that as we're not familiar with what the digital documents should be that there's just nastiness that will happen?
It's very interesting, because technically, on its face, the digital identity is going to be a lot more secure than your plastic identity when you use it online. There's a simple reason that most people don't think about, which is if you upload a photo of your passport today to a website for them to verify, they then have that copy of the passport.
What you have delivered is your identity information and the proof. You've sent the proof also along. With digital identity, you're passing the data, and so the other side has your identity information. But the proof stays with you, stays on the government server, or however the cryptographic security works.
Even though your data is now with the website provider, no one else can take it and open an account in your name, because the evidence is still with you. That makes a huge difference from the technical aspect of it.
In the US, often when I check into a hotel, they say, “Can you give me a copy of your passport, your driver's license?” They make a photocopy—a physical copy—and they put it in a folder this thick, and then the folder goes under the counter. And you don't know what happens to these images. There's certainly not a lot of security around that.
Online, there's always a chance that someone gets their hands on these databases of ID photos. But if it's only the data, it's bad enough if your first name, last name, date of birth, your residence address, all of that gets stolen, but it's probably out there anyways. But with digital identity, you can't do anything with it, because you can't prove that you are that person. The proof is missing.
That means the consequence is, because there are less attack vectors on the technical track, the attack vectors must shift towards attacking the individual and towards scamming and getting people to use their identity in a way that benefits the fraudster or get access to the identity itself. Hijack it, whatever. We definitely are going to see a rise in the different schemes and modes of operation that the fraudsters are deploying.
Yeah, it's interesting. I'm going to be intentionally vague here, because this is being broadcast. There was a particular vendor that I was working with. I got an email from them saying that something had changed on my account. I know I was not logged in and had not changed anything, so I immediately accessed the account, reset all the security settings, and contacted their fraud department.
Someone had basically contacted them saying, “Hey, I'm Chris. I got locked out of my account. Let me send you a copy of my passport.” They had a fake passport. They provided all this fake documentation, of their proof of documentation of being me, in order to take over access to this particular account. I was like, “This is definitely a challenge, because the person who is looking at the paper documents or the scan of a document, they have no way of validating whether it was a real document and had nothing to compare it with to see, is it really Chris?”
That's something we're seeing every day: the evolution of the sophistication level of fraudulent documents. We used to have different categorizations, where you had just kiddies trying to hide their age or something, and it was low effort. They would put, even sometimes a sticker, or a piece of paper with a new date of birth, or something, like, obvious. Even those low criminal energy attempts are now looking quite sophisticated. The really dumb, stupid frauds that you can easily identify have pretty much gone away.
One of the things that really scares me is that just two weeks ago, our engineers have now proven that with AI image generation pipeline and the right templates, you can create real-looking, but fake ID documents, en masse. You have your file where you have all the names, all the dates, and everything you want printed on the document, and then you hit the button and you generate tens of thousands of fake documents.
Before, the fraudsters had to do a lot of that manually. They had to go into Photoshop. They had to really put work in, and it would take them maybe half an hour or an hour to create a well done, high sophistication-level fraud document. You cannot just create them.
It's the scale that is scary, because now they're not attempting to get through with one, two, or five, or 10 documents. They might send you thousands and try to open thousands of accounts in the hope that one of these might eventually succeed. And the effort for them is quite minimal. I think the evolution is just the scale of these attacks that we're going to see.
That reminds me of the transition of how 419 or the Nigerian prince scam was escalated. It used to be that one of the original routes was either postal mail. They had to pay to put a stamp on an envelope and throw it in the mail. Then it escalated to fax machines, and they still had to pay for the phone call, pay for the fax machine, it takes time to send faxes, and then faxes were automated. The huge parallel was when they went to email, they could send out millions of emails at effectively zero cost. This is now suddenly the same thing with identity.
Yeah. That analogy works. I think to your point, it goes even further now, because now you have these chatbots that are intelligent in holding a conversation. Imagine the scammer saying that I sent out 50,000 emails, and he got a 1% response rate. Now he has to react to those responses and see what are people saying, what questions do they have, how do I take that next step?
They may have had templates. I'm sure they had some templates, but they had to figure out which reaction is appropriate and how do we get this week's theme to the next step? You can now connect the chatbot and it can perfectly do that. It can stay in context, it can hit the right tone.
This is scary, because I don't think that the consumers are yet aware of how quickly generative AI is changing that landscape. I think nobody yet has really hit the alarm and said, “The internet is changing. Be careful, protect yourself, and how to protect yourself.”
The other thing that I always think is missing is guidance and help when you've already become a victim of identity theft. Where do you turn to? How do you know what to do next? What do you do with all your other accounts?
Which attack vectors do you have to be aware of? How do you behave? Do you check your bank account now on a daily basis, or is it enough to check it on a weekly basis? Simple question that all victims ask themselves, and there is no good guidance out there.
Yeah. I think from the legislative side, the banks have an obligation on what they have to do. But from their perspective, when fraudulent transactions have happened, the credit agencies have things that they have to do. But you as the consumer still have to know, “Well, who do I talk to? What do I tell them? What's the process?” There's not this one-stop shop for helping you to unravel identity stuff.
Absolutely. I think it's a little bit unfair also to shift all that burden towards the end user. It's very easy. You read in the newspaper, some guy was scammed into sending $50,000, or euros, or whatever. You're like, that's silly behavior. But at the end of the day, I think it's on the institutions, on the businesses that offer their services online to make sure they're safe, to make sure that they're safe in a way, where even if the end user cooperates with the fraudster because you could do, he still can do damage.
There are ways to protect people from giving away their valuables, whether it's use of biometric authentication, or whether it's stepping up to security to even ask again for a document or something. There are ways to get to a level of security, where even if the end user is tricked, it might not be that easy to get to the assets.
Online is where it happens at a high scalability. We've now seen cases where fraudsters set up a pop-up shop in the center of a shopping mall. They had people scan their IDs and scan their faces in order to participate in a raffle or something. People are like, “Oh, great. Yeah, I can win a car, a phone, or whatever.” They're just giving away whatever.
Those are the rare cases. The main attack vector is still contacting people online, emails, text messages, social media. That's where it happens. Social media is another great example.
We did a survey recently where we asked people if they're willing to invest more effort into their account security for the different things they do online. It was very interesting, because it showed us that people are very smart about this in a way. They had everything where there are assets and things you need to protect, they ranked high. The things where it made this last, they ranked at the bottom. The exception was social media.
Social media, in my opinion, should have ranked much higher, but it ranked very low. People don't think about social media accounts as an asset that needs to be protected. I can tell you, we've seen this case. If someone gets ahold of your LinkedIn account, it's a nightmare. That, I think, hasn't really landed yet. Social media is the gateway to other areas in your life, because you then can social engineer yourself into more information and more access.
As the scammer, if you've taken over someone's social media account, you now have access to everybody they know, not as a scammer, but as a trusted ally, a trusted friend. If my friend says, “Hey, Chris. I'm tight this month. Can you give me $20?” I'm a lot more inclined to help out a friend versus some random person texting me saying, “Hey, can you give me $20?” “I don't know who you are. Why would I give you $20?”
I did have this happen recently where I was connected on a social media platform with a former coworker. He and I have had no communication in the last 10 years. I see his posts on this platform, but we've never had a conversation. He immediately starts up a conversation. “Hey, how's it going?” I was just like, “OK, this is weird. We've never communicated on this social media platform.”
Immediately, I was like, “OK, this is probably a scam. Let me see where this goes.” Within a couple of messages, it was like, “Hey, I've got a problem with my electric bill. I haven't gotten paid yet by my employer,” which he references based on the information on the social media account. “They've got a problem. Hey, can you help me cover my electric bill or something like that?” I immediately knew, “OK, there's the scam.” I'm messaging his relatives saying, “Hey, this guy's accounts have been compromised.” Messaged his wife.
You've invested years into educating consumers about this stuff. You look at this with a completely different eye.
The point is that trust that normally people would have for their friend approaching them on a compromised social media account is, “Hey, it's my friend. Why would I not listen to them?”
You've done this for many years now, the consumer education side. Would you agree that the consumers are, as a general population, getting smarter about online security? Or is it getting worse? What's your take?
I think people are getting smarter about some things. I think that the well-documented, blatant scams—the Nigerian prince says, “Hey, you've won $10 million.” People are pretty comfortable with that, but I'm getting people contacting me every day where someone that they've met on a dating site, they've had this casual interaction with on a dating site, has duped them into a fake crypto investment scam. That's what I've seen happening on social media.
It's not like, “Hey, I'm taking the money from you, or you're sending the money to me.” It's this third-party platform that's done it to them. I think that shift away from, “Hey, you're stealing from me versus this platform is broken,” that's what I've seen. They're still holding onto this relationship with the scammer thinking that it's the platform that is scamming them, not the person that they're actually talking to.
There's been a little bit of a shift that way, but I think in some areas, people have gotten a lot smarter. I still run across people who use the same password for everything. “Oh, my account got compromised. Let me change every account now to have that same new password.” I'm like, “No, no. Don't do that.”
Security is always a barrier. It's a challenge of what people are willing to tolerate for the experience they want to have. People are much more willing to do two-factor authentication to access their bank account once a week versus I've got to do two-factor authentication to access my social media accounts several times a day. Those incremental verification requests start to become burdensome, even though they realize the value of them, that the inconvenience of them outweighs the perceived value of them.
Yeah. That's a great example where I think that the business can do more. Maybe there is a way to deploy passive behavioral biometrics or something like that. You're just checking if the way the person pulls the phone out of the pocket can already tell you whether this is the user. That technology exists, but it's not deployed as widely as we would want in the security field.
Yeah. I think Apple has done a fairly good job with the iPhone in terms of you now can allow apps to do facial recognition instead of two-factor authentication on things. That becomes more like, “I'm willing to hold my phone in front of my face for an extra second.”
And you're looking at it anyway.
There's no inconvenience to me, but there's been that biometric authentication factor. I agree, I think financial institutions, to me, haven't quite figured this one out yet. As a good example, a number of years ago, I got contacted by a bank legitimately. “Hey, there's been a fraudulent transaction on the account; we stopped it. We're going to cancel your card. All your scheduled transactions will go through, but we're going to send you a new card, because the card has been compromised.”
They were able to figure out from a single transaction that something was fraudulent, but they still seem to let an awful lot of wire transfers go through and things like that. It's like, “OK, there's a certain amount of machine-learning, which caught that, but you don't seem to be applying it towards things that require a little bit more human intervention on a regular basis.”
I did have a transaction with a bank where I opened up an account and had to do an international wire. I got a phone call from the fraud department at the bank who interrogated me enough to be annoying, but I was really happy at the same time. “Who are you sending money to? Why are you sending it to them? Are you sure this isn't a scam?” I super appreciate that, but from consumers that I've talked to, that's few and far between.
They set up a wire transfer on their bank account. The money goes. There's no contact from the bank saying, “Hey, you've never done this before. You only have $6000 in your account, and you're sending $5000 to someone that you just created the transfer for? That seems out of character for a consumer. We should intervene here.” But I don't know how it applies to other things.
I can't say that I've ever had the bank stop a transaction. No, I can't remember a case. To your point, at the end of the day, the inconvenience, though, still lands on the consumer. It's the method. If they say, “Could you confirm for me by giving me certain data points?” All right, if it's something that I really have in my head.
Where it becomes tricky is, “We want to know the third transaction from the previous monthly statement. What is the amount?” It's like, “OK, let me go find it. I don't know if I even have it anymore.” I think it's the method that makes the difference.
Yeah. I haven't seen one of those in a long time. I remember one time, it was like, “What was the last amount of your credit card payment that you made?” I don't know. How would I know?
I had to check the other day online to verify a transaction. It gave me a list of, I think, 15 transactions or so with amounts, targets, and everything. It was like, “Do you recognize any of these?” I'm like, “That's none of these. What is this? None of these.” I saw that at the very bottom, if you scroll down, there is the “none of the above” option. That was actually the right button to click. It was the none of the above.
That's awful. That's such a horrible experience.
Right. Biometrics are so strong, so convenient, and are governed by a really strong standard. If you look at what FIDO has done for the industry in terms of really getting the best practices out there—communicating it, making sure it works in all cases, where it is the face-to-face transaction, is it an online transaction, is it mixed reality—now there are standards for everything. This is well-governed, it's well-understood, the technology is there, it's right on your phone. There's really no reason to bother the end user anymore with these knowledge-based authentication challenges.
I think that that would make a big difference for users. It's something that the user can get behind. Like I said, in our survey, clearly people were saying, “I'm willing to do something for security in my bank account, in my stockbroker account,” whatever. But I don't think that message has landed yet necessarily with those businesses. They could do more with less inconvenience.
I think they need to be more consistent about even what they're currently doing. I don't think it's particularly great. I've had a number of financial institutions, where my favorite past password manager spits out a 32-character password with all the appropriate bells, whistles, and underscores. And the bank says, “Well, you can't use those characters, or that password is too long.” I'm like, “You're forcing me to choose less security.” That seems odd, like, “Oh, no, no. You can only use a password that's 12 characters max.”
Yeah. And here's the set of special characters you may use—only these and not the others.
Yeah. You're intentionally taking something that was secure and whittled it down to be less secure for some really obscure reason.
Yeah. My bet is it's because of the legacy systems that sit way, way, way behind everything. You're right. That's just not good practice. Also, what I found extremely interesting was this recommendation and research from NIST in the US where they basically said, “You shouldn't have your users change your password every 90 days. It actually makes security worse, because it drives bad behavior on the user side.” They will use simpler passwords, easy to remember, easier to change. They will reuse passwords across sites. All of that behavior is driven by that 90-day change policy. That I found very interesting. This was two years ago that that came out. That was quite interesting.
I understand the reasoning for that was the fear that, well, the password has been compromised. If we give them a 90-day window to change their password, we know their account can't be compromised for more than 90 days. After 90 days, the account is no longer compromised. Just do two-factor authentication and you've eliminated 99% of that without the hassle.
Absolutely. Let's say I'm right and there is a huge wave of new fraud methods that have scaled up. Basically, old MOs but just scaled up to a much larger level. Aside from your own website, where can people learn something? How do people get more sophisticated as a general population?
I think that's one of the challenges. I don't think there is a one-stop shop of, “Where can I go to learn about all the latest stuff?” I've had a couple of recent discussions where that's probably not even the right way to educate people, because then they're looking for, oh, it's the Nigerian prince. As soon as it's the Canadian businessman, they're looking at the wrong warning signs. They're looking at the scenario rather than critically thinking, “Is someone trying to trigger my emotions? Is someone pressuring me with urgency? Is someone using authority?”
We're not teaching people critical thinking, we're teaching people, “Here's just this big, long list of red flags.” As soon as that list is 50,000 things, you can't keep track of your red flags anymore. I think there's more of a need to educate people on knowing when people are trying to take advantage of you by the psychological mechanisms that they use versus if you get this email and it comes in at 2:00 AM. It’s probably not from someone who lives in your time zone.
Those warning signs that we, maybe historically 10 years ago, would tell people, I don't know that they're necessarily valid anymore, or they're too overwhelming. I wish I could say, “Here's this one-stop shop that will help you with everything,” but there isn't.
Australia has a great Scamwatch website. If you want to learn about scams, probably one of the best things is scamwatch.au. But again, it's talking to specifics of scams, not methodologies and the general warning signs—what are the techniques. They're just talking about the specifics of the scam. If someone comes up to me and says, “I have a Taylor Swift ticket or something like that….” Hey, if I'm a Taylor Swift fan, then I'm now more likely to fall for that as a scam, because they know I'm a Swifty.
Yeah. Did you hear that story, that they think most of the concert tickets got actually bought by bots instead of real users?
You had told me about the green one. But prior to that, I don't know that I hadn't necessarily heard that. But it wouldn't surprise me. It's not like buying a ticket is a really complicated process. Are we talking about scam ticket purchases or purchases done for the purpose of scalping the tickets?
Scalping it? Yeah, I think that's what it is. The way we heard about it—the main protection mechanism is a CAPTCHA. AI technologies are laughing about this. I think 96% or so, the CAPTCHA can be passed by attorneys already.
That's better than me.
That's what I said. I have trouble sometimes. It's insane how this technology has evolved. The AI can see, it can hear, it can generate text, it can generate images. The one that I'm actually very, very about and still waiting to hear about cases is speech synthesis. When you then get a phone call from a voice that sounds like your own mom or something like that, that's going to change the landscape yet again for the scammers.
I've heard of a number of very specific cases where that is already happening, where with a fairly limited set of audio, they can create a very convincing synthesized voice. If you're on TikTok, if you're on YouTube, and you've got more than a couple of minutes of audio of you talking, that's pretty much enough for them to come up with something that, under the right situation, works. If you think that I'm upset, I'm in duress, I've hurt myself, I'm scared, now the way I communicate is different from how I communicate when I'm calm.
Anyone who's listening to me, “Well, it sounds like Chris, but I'm going to ignore the fact that it doesn't quite sound like him, because he's going through something traumatic, scary, or whatever.” It's, “Hey, mom, this is my daughter.” These were the examples. It was daughters who were supposedly off at college that had been picked up by the police or kidnapped, and they were using it to scam the parents. That's just downright evil.
I agree with you. I think, generally, I suspect that the general population has become an easier target, maybe for scams also, because the world has become more stressful, scary, and difficult for people to navigate as a whole in the last few years. I think there's just more. These scams fall on really good soil for them to grow and prosper.
I think it's also, a little bit in a sense, there's more opportunity now. If you're looking 10 years ago, people weren't online as much. The people that we interacted with online were people that we had met in real life. They're family members, friends, people that we used to go to school with, people that we worked with. At the moment, we might not be sitting across the table from them, but at some point in the past we did.
Now there’s people that I do work with, that I've worked with them for several years. I've never met them in person. I've only ever seen them on Zoom. Once you have no basis for who this person really is, I think there's a bigger opportunity to be scammed by someone who's online, because it used to be, well, if someone's online, our defenses are really high. Now, because of Covid and years of Zoom, this is just normal. You could be a generative AI face on somebody else and I wouldn't have any reason to suspect that you're a generated face.
Yeah, it's interesting. This is also an area that we tested. People vastly overestimate their ability to detect the fake image, a fake face, or a fake view. It's insane how much confidence there is that, yeah, of course, I can detect the deep fake. No, you can't.
I also love technology. I think it's wonderful what this technology can do. But at the same time, it can be abused, of course. To get to a more hopeful state of the conversation maybe, I think this is where my big hope lies in a reusable online or digital identity, where very easily and conveniently, you can prove to the other side who you are, sometimes maybe in a passive way where that just gets exchanged.
You have a relationship with a person that you interact with on social media, and you have made that connection of identity. It just gets checked whether that key still checks out or something. And really secure the communication channels in that way a little bit, but also make it easier for people to identify themselves. With businesses, they interact with other people they interact with.
I'm not saying pull out your driver's license or passport every time you talk to someone online. It has to get this promise of reusable identity. You get a verified identity once, and then you can reuse it in a very, very convenient way. I think this is where the solutions we see today in the market partially still fall short.
We've done a joint demo the other day with a customer. They basically said, “Well, I'm better off just using my driver's license if that is the user flow.” I do understand that sentiment. It's currently still a little bit cumbersome for the end users, but I'm very positive that digital identity is going to change that whole security aspect of the internet as a whole.
I agree. I see two. There are two things that I see as concerns of digital identities, and I think I've heard this one discussed. (1) Do I have the ability to revoke it? Since I've provided it to this company to prove who I am, I want to now revoke that relationship and say, “If I interact with you again in the future, I have to re-identify.” As opposed to saying, “I've identified once, assume that I'm identified, but I wouldn't be able to retract it, and you can't do anything with me anymore.”
Then there's (2) the fear of fraud on the front end. If I pay somebody to ask the digital identity verification center to set up a fake identity, it is now a much more trusted fake identity.
It's a Gordon key to the kingdom.
Instead of Chris Parker, it's John Parker, and I now have two identities. John has all the authentication. Now, because we trust this digital authentication so well, other warning signs might be overlooked, because he has a valid identity. It's always there. There's always a human element somewhere in the process that can be exploited.
Definitely. I think that's why we think about digital identity as an evolutionary step and an add-on, not a full-on replacement. The tools that are there today that help you identify risk, you do check for behavior. Like you said, you're wiring all your money to the Caymans. Is that what you usually do every week, or is that new? That kind of stuff is not going away. That's still going to be relevant and important.
I think that when digital identity happens at a large scale and really sees adoption, there's going to be way more use cases in places where we're going to use it as users. That's why this frictionless use for the end user is a must. Today, if you are a question and answer forum where people can post questions and others can give answers, they would love to know everybody's identity. Not in the sense of understanding what it is, but just to make sure that if there's hate speech and if there are legal implications, they know how to get to somebody in the real world and have some accountability for what you say online.
It's currently cost prohibitive for them. They just cannot because that's not scalable for them. With a digital identity that virtually costs nothing to transmit, all these use cases are going to open up in addition where we don't even think about it, using identity today. That's going to make it very widespread. You're going to use it multiple times a day.
Today, when I ask people, “Do you use your identity online?” it's either no, once a year, or twice a year. “OK, I use my driver's license here to rent the car, and I use my passport here to do an online check-in.” OK, but that's going to change with the advancements in digital identity. It's going to be everywhere and all the time.
I think you're still going to have someone who's going to be able to get a fake ID, but we have then and again shifted that cost to someone who can't create millions and millions and millions of fake digital identities. That becomes cost prohibitive until the next evolution.
It's an eternal arms race.
This has been a great conversation, and we've waxed philosophical about these things. What can consumers do now? Should I be an early adopter? When my bank comes out with new authentication measures, should we be telling our banks and government agencies, “Hey, I want this. What are you planning on doing about it?” How can consumers advocate for this, or what steps should they be taking or looking for?
I think number one is self education and really trying to stay on top of what's happening. Second one definitely is, oh, my God, if two-factor authentication is offered as optional, just do it. That's the main takeaway. Where possible, use secure biometrics to secure your accounts.
As you said, where applicable. I mean, not everybody's going to phone their bank, but maybe if you go in and you have a conversation with your rep, maybe you can ask them about, “Hey, how can I improve my security? What are you guys doing to keep my account safe?” I think getting that conversation going is important as well.
When you send copies of documents, for example, make sure that they are transmitted in a secure way that you understand where you upload it, that it's not the wrong site where you are uploading your documents to. Also make use of the rights to just have companies delete your data again. At least here in the EU where I live, that's a right that every consumer has. If you don't feel like you're using the service anymore, or you don't have a relationship, make sure that your data is gone.
That data minimization concept, that is there for businesses. Security practice also goes for the end user, just make sure you're careful who you share it with and then get it deleted if you feel they don't need it anymore.
Definitely in the US, we don't have the EU level of right to be forgotten, so to speak yet. We'll get there. It's a little bit spotty in the US. I think California probably has the most strict right to be forgotten. But I like that. I want that in more of this position if I'm trying to actively remove my information that's out there that I don't want out there.
I don't want it in places. I don't want the junk mail. I don't want the junk email. I don't want to be marketed to as much. I don't want data brokers having my data. I don't think I can make it all go away, but I'm definitely trying to like, “Well, what can I actively do to minimize what I share, how I share, and retract what I can?”
At the same time, just be aware that probably your data is out there. You have to behave in a way where when you are trying to be vigilant, and you're trying to spot scammers, just be aware that they have a lot of knowledge out there, and they can use it to trick you into believing that they are authentic.
If you're a Swifty fan, and someone says they have Taylor Swift tickets for you, be cautious.
That sounds dangerous.
Philipp, if people want to find you online, where can they find you?
I'm on LinkedIn. I'm happy to connect on LinkedIn with people. As part of the Jumio universe, of course, we're always happy to chat with people that want to up their identity game.
If people want to see what Jumio is doing, how can they find Jumio?
Jumio.com is the public website, and most of the information is going to be there.
That's too easy.
We make it easy. We make identity easy.
Is that the corporate slogan?
It's not, but maybe it should be.
Can I get naming rights to it? Philipp, thank you so much for coming on the podcast today.
It was a pleasure. Thank you so much.