Ari Jacoby, Deduce: “after you finish reading this interview, over 70,000 consumer identities will have been stolen”
As people grow more dependent on technology, a shift driven by the rise in online shopping and entertainment during the pandemic, fraudsters have found ample opportunities to exploit users and companies.
Falling victim to cyberattacks such as fraud can have huge financial consequences and cause reputational damage for both enterprises and their users.
To combat the rise of fraud, organizations need to step up their cybersecurity game and implement advanced protection techniques, such as real-time data analysis.
For this reason, Cybernews invited Ari Jacoby, the Founder and CEO of Deduce, a company that specializes in cybersecurity, risk, and fraud technologies, to share his views on cybersecurity and fraud prevention methods. Jacoby believes that sooner or later, not switching to a real-time solution will inevitably lead to a data breach.
Can you tell us about the story behind Deduce? What has the journey been like?
The Deduce story began in the AdTech world, where we found ourselves battling bots and growing frustrated with legacy products that neither provided useful attack data nor made a concerted approach to security possible. So we decided to build our own, harnessing the network effects of data for good and the power of an Identity Graph.
Deduce has built the largest, independent identity network in the U.S. The constantly growing Deduce Identity Network is a coalition of over 150,000 websites and apps that track the online activity (logins, checkouts, account creation, password reset, etc.) for over 450M privacy-compliant U.S. identities. Collectively, the network generates over 1.4B daily activities to fuel the largest identity graph in cyber risk and fraud. We were recently named No. 1 in the Security category of Fast Company’s Most Innovative Companies Award for 2022.
Can you introduce us to your Collective Intelligence platform? What are its key features?
Today, the average consumer has online accounts with over 80 services, and weak, non-unique passwords are the most significant threat facing account takeover fraud today. Consumers expect a trusted, seamless, and passwordless identity management experience that safeguards them from genuine online fraud while eliminating frustrating user experiences during account creation and login. The problem is that the desire of the consumer is polar opposite to the position of the Chief Information Security Officer and their security team who want to challenge 100% of users to protect their identities and safeguard the data and reputation of the company they work for.
Many traditional ways to safeguard a user’s identity and authenticate their login experience have been compromised by previous large-scale identity breaches. Device fingerprinting compromises and synthetic identity fraud add to the challenges for security professionals in preventing identity fraud. This is where the unique identity intelligence generated by the Deduce Identity Network can be harnessed.
Built on top of the Deduce Identity Network, Deduce offers two solutions to combat Account Takeover (ATO) and account creation fraud:
- Identity Insights – Risk & Trust signal data to empower risk teams with a dev-ops friendly approach to managing identity/authentication risk.
  The data includes telemetry from real-time activity information packaged into risk signals (Impossible Travel, Device Downgrade, Unfamiliar Device, Previously Unseen Email, etc.), trust signals (Familiar Network, Familiar Device, Familiar City, Familiar Activity, etc.), or scores for simple ingestion into a risk engine.
  The Deduce Identity Insights solution is intended to be used as a high-fidelity approach to identifying suspicious activity while decreasing unnecessary friction.
  Deployed as an API, Insights is consumable in any risk engine, CIAM, IDV, or application stack. Deduce is typically consumed at registration, authentication, checkout, and risk moments, such as change of primary contact (email, phone).
- Customer Alerts – Deduce sends an Alert – typically a first-party branded email, asynchronously, on behalf of the Deduce customer – to their end-users on suspicious logins to enable a proactive stance against ATO. Customers are prompted to confirm or deny the activity. A negative selection will cause all active sessions to be terminated and proactively enable a user to reset their credentials.
You mention democratizing cybersecurity as one of your main goals. Would you like to share more about your vision?
By the time you finish reading this interview, over 70,000 consumer identities will have been stolen and used by bad actors for some of the most nefarious crimes, such as people trafficking, drug dealing, and arms smuggling. This has become a societal problem that is undermining our very social fabric. We must collectively put a stop to this before such activities completely undermine our social fabric. Account Takeover fraud has risen over 67% since the start of the COVID pandemic as consumers increasingly turn to online banking, shopping, food delivery, and entertainment. Companies who provide products and services to consumers are increasingly torn by the dichotomy of increased security at the cost of a frictionless user experience.
The days of being corporately insular in combating fraud must be put behind us. Most companies will never have enough data and identity intelligence to tackle the ever-increasing threat from the bad actors. Take a simple use case that we can all sympathize with. You are on vacation overseas and want to check that your salary has been deposited into your bank account. So you open your mobile banking app and the risk signal for “Unfamiliar Location” triggers an MFA. You respond with yes – it’s you at this location. Now you log in to your mobile credit card app to see what exchange rate you were getting for last night’s dinner, and again, you are challenged because of your location. And so on for every app that uses location data as a risk signal. If all companies were sharing data or subscribed to the Deduce Identity Network this MFA affirmation you provided would be recorded and applied to your identity so that the next mobile app does not ask for such authentication again. Reinforcing security and providing less customer friction – Deduce is a winning combination in everyone’s book.
In your opinion, has the pandemic altered the way threat actors operate?
With the surge in people ordering things online, entertaining themselves from home, and downloading various apps, fraudsters have more opportunities to acquire and utilize login details. There has been a 67% increase in consumer identity fraud since the global pandemic started as more consumers turned to online shopping, banking, and food delivery services. This has been a boon for bad actors.
Another issue is the fact that with pandemic lockdowns and travel restrictions, many people resorted to online shopping and gift-giving. The double whammy risk issue for online merchants: Card Not Present (it’s an online transaction) and Ship to Bill address mismatch, one of the most common scenarios for fraud where a stolen credit card is used to buy goods. False declines (sometimes called false positives) are one of the biggest issues plaguing eCommerce merchants. Roughly 10% of all eCommerce dollars get rejected. It could be even worse for merchants operating in more susceptible verticals like high-end fashion or travel. Businesses in those industries can experience payment decline rates of 20% or even 30%. This brings the total cost of false declines to $443 billion every year. Ironically, that’s substantially higher than the actual cost of credit card fraud. This false positive rejection is another area where merchants can tap into the behavioral analysis and trust signals generated by Deduce Identity Insights.
What details make companies more vulnerable to fraud and other identity-based cyberthreats?
Companies employing a static, traditional fraud prevention approach are prime targets for account takeover (ATO) and new account creation fraud, among other cyberattacks expected to cost $10 trillion globally by 2025.
Fraudsters are smarter and faster than ever. Real-time data analysis is the only plausible way for businesses to protect their finances and reputations. Out with static or historic data (email, phone number, SSN); in with dynamic, up-to-the-minute data (user activity, IP address, device). Not switching to a real-time solution will inevitably lead to a breach sooner rather than later – and it only gets worse from there.
What would you consider the biggest security threats nowadays that companies should be on the lookout for?
Identity fraud doubled from 2019 to 2020, with the number of data breaches reaching an all-time high in 2021 – and those numbers are just going to get worse in 2022 as more people browse, interact, and share information online than ever before.
As fraudsters have become increasingly sophisticated and strategic, outdated approaches and implementations requiring months of planning no longer work – increasingly, the most effective anti-fraud tools are those that support agile deployment in hours and that can be adapted quickly to address the constantly changing threat landscape.
It is imperative that we all band together to form a collective defense against online adversaries, and leverage systems designed with knowledge-share in mind to defeat attackers as they evolve. Deduce believes that real-time, dynamically networked data, with the largest possible activity consortium, will provide more robust, longer-lived defenses against bad actors.
Talking about individual users, what security solutions do you think everyone should implement?
The biggest failure from the consumer side comes from the inadequate use of passwords. The vast majority of consumers use one or two passwords for all of their online activities, which makes the job of the bad actors easier. We must educate consumers about security until passwordless security becomes the standard. In the meantime, we’re working to provide companies with the tools and data to provide a frontline defense against identity fraud while laying the foundation for a Trusted User Experience and a passwordless future.
What does the future hold for Deduce?
We’re looking to amplify our platform to incorporate additional signals on the risk and trust side. We will also add more partners into our identity graph, a database that stores critical identifiers including email, phone, and cookies that correlate with individual customers.
Simplifying access to the wealth of identity intelligence is another key aim of the business. We have adopted a partner-forward strategy to enable this. Seamless integration into both identity verification and consumer identity access management platforms allows customers to easily take advantage of Deduce Insights without long, drawn-out development cycles involving cross-company implementation teams.