Rick Song, Persona: “businesses should choose an identity infrastructure that’ll act as a data store for them”

The rising number of data breaches has shaken the trust between customers and companies. Now, people continuously question the security capabilities of businesses and are reluctant to share even the tiniest bits of information.

Many users opt for security tools like VPNs to change their location or otherwise hide their private information. However, these can be of little help for assisting businesses and individuals in protecting themselves against online fraud.

According to Rick Song, the Co-Founder and CEO at Persona, identity verification solutions effectively deter online fraud and can be used to rebuild trust between companies and customers.

Tell us about your story. How did Persona go from an idea to a business?

While working at Square as an engineering manager, I noticed a few fundamental problems in the identity verification space:

  1. Identity is complicated. Many legacy identity verification (IDV) services aren’t effective because they’re one-size-fits-all and don’t take into account the company’s unique customers or use cases. Meanwhile, Square was quickly evolving from a merchant payment processor to an entire platform that includes Caviar, Cash App, and more. It was clear we couldn’t take the same approach to identity for each product.
  2. Services are manual. Traditional IDV workflows are also clunky, time-consuming, and non-secure — and often involve contractors manually verifying other individuals’ extremely personal information.

The more I thought about these problems, the more excited I became by the possibility of solving them – not just for the fintech industry but for any business operating on the internet.

IDV is fascinating because it’s a progressive problem: as the internet and its use evolve, the need to properly identify everyone also grows. As such, there’s a real need for infrastructure that’ll allow companies to customize the way they collect and verify the information and make decisions about their customers.

After talking about this challenge for a while with my friend, Charles Yeh, we decided we should tackle it and founded Persona in 2018.

Can you tell us a little bit about what you do? What are the main issues you help solve?

Over the past ten years, the internet has evolved to the point where most transactions happen online. This means every business, regardless of its industry, is forced to be in the business of identity verification.

However, identity is difficult to prove online. Our digital identities rely on personal information like birth dates, addresses, and SSNs. Yet, if someone possesses any of this personal information, they can essentially become that person.

At Persona, our goal is to make it easy for businesses to know their customers. Businesses can build and manage the entire end-to-end identity process on our platform, whether they want to comply with regulations, mitigate fraud, or build trust and safety. Our identity infrastructure is:

  • Customizable. Every business has individual requirements for identity verification. So, we give companies the building blocks to create the perfect identity experience for their specific use cases and customers.
  • Easy to implement. Our solutions support low-code/no-code integrations that can be completed within one afternoon, so companies canfocus on business matters.
  • Automated. We take care of everything: from information collection to verification decisions. Additionally, we can connect disparate systems to pass data in and out and trigger actions like closing a customer support ticket.
  • Holistic. Manage the identity process throughout a customer’s lifecycle — not just during onboarding.
  • Secure. Our platform leverages bank-grade security and is designed to limit access to sensitive data – giving companies only what they need in terms of Personally Identifiable Information (PII) to protect them from liability.

How do you manage to implement strong identity verification without compromising the user experience?

It’s a tough challenge to create a seamless experience for an interaction that's heavy with friction. No one wants to submit personal information if they don’t have to.

One of the most important factors is to ensure that your identity verification flows look and sound like your brand, so users feel more comfortable with the process. It’s also essential to ensure that the process is as user-friendly as possible.

We designed Persona specifically for end-users since, at the end of the day, we want to help real people verify themselves online and improve the safety and security of every online transaction. As such, we make it easy to switch between devices, provide live guidance, and use auto-capture to make the process as easy as possible.

We also encourage businesses to find the best balance between risk management and conversion optimization – after all, not every user is a bad actor, and not every transaction is fraudulent. There are a couple of ways businesses can find this balance.

First, they can ingest other signals they may not actively have to collect from users, such as the user’s IP address or third-party reports, like watchlists. Secondly, they can dynamically adjust their level of friction based on the riskiness of the individual and interaction instead of having everyone go through the same flow.

For example, asking for someone’s name, date of birth, and SSN during signup but requiring them to upload a government ID and take a selfie if they want to make a major transaction.

What would you consider to be the most serious cyber threats that emerged as a result of the pandemic?

Right now, numerous consumer scams prey on Coronavirus-related fears. In my opinion, the most serious types are not the ones where scammers ask individuals to pay for vaccines or offer bogus tests. It's the ones that attempt to get people to reveal personal information, like their insurance information, SSN, and other PII that can be used for identity theft. It can take hours to years to recover from identity theft – not to mention the monetary cost.

Another thing companies should keep in mind is that as more transactions move online, it opens up a lot more surface areas for fraudsters to attack. Many businesses aren’t prepared to safeguard the increasing amount of PII they’re collecting because they rushed to shift everything online when the pandemic hit. As such, we recommend businesses choose an identity infrastructure that’ll act as a data store for them. This way, they can rest easy knowing their customers’ information is safe and they’re complying with relevant data privacy laws.

Which security measures are essential for every Internet user to implement?

There are many measures individuals can take to better protect themselves online. Some of the best strategies include the following:

  • Using a password manager to set strong, unique passwords for each account.
  • Enrolling in two-factor authentication whenever it’s offered.
  • Updating software regularly. Or, even better, allowing it to auto-update, which many modern browsers, OSes, and mobile platforms offer as a setting.
  • Staying up-to-date on current fraud techniques and ways to stay protected.

However, online security is incredibly complicated, and when companies collect and store PII during the identity verification process, individuals are dependent on these organizations to keep their data safe.

To cultivate customer confidence and ensure individuals feel comfortable sharing PII, businesses need to create comprehensive security frameworks that show individuals they’re taking steps to effectively protect sensitive data. Otherwise, individuals may search for an alternative solution that does take the appropriate security measures to safeguard their personal information.

Today, it doesn’t make sense for companies to build their own data stores — that’s probably neither their expertise nor something they want to throw resources toward. Instead, it’s safer and more efficient to adopt an identity infrastructure that handles data security for them, so they can focus on other things.

What are some of the lesser-known risks a company can be exposed to if proper ID verification methods are not in place?

Every company knows improperly implemented or no identity verification can make it easier for bad actors to commit fraud. However, other risks companies should consider include the following:

  • User drop-off. If your identity verification process is slow, asks for too much information, doesn’t look like your brand, doesn’t allow for easy device handoff, or doesn’t work in your users’ native languages, you risk users leaving and potentially turning to competitors. You also risk turning away good users if you can’t verify them.
  • Account takeovers. When data breaches occur, the information stolen often gets sold to fraudsters, who try the stolen credentials on other sites. Because many individuals reuse passwords, it’s an easy way for bad actors to take over accounts. This is why it’s so important to verify identities when users want to take a major action, such as withdrawing funds or changing a password. Just because they passed verification the first time doesn’t mean it’s them the next time they interact with your brand.
  • PII non-compliance and privacy leaks. Identity verification involves collecting sensitive information from users. As such, you need to ensure you comply with data privacy laws such as GDPR and CCPA/CRPA and prioritize the protection of data at each step of the process: collection, storage, usage, retention, and redaction. Otherwise, ineffective security processes may lead to data breaches and regulatory fines — and set the stage for identity theft.

Are there any industries that, in your opinion, fail to recognize the necessity for stronger authentication methods? Why do you think that is the case?

Social media and dating apps, where fraud, deception, and disinformation currently run rampant, are the two examples that come to mind. While Twitter and Facebook blue checkmarks have become somewhat synonymous with authentic accounts, the truth is a lot more can be done to protect users from fraud and bad actors online.

Since these businesses were created as a fun and easy way to connect with others, verifying user identities isn’t as big a priority for them as it is for other corporations, like fintech companies.

However, fraud on these platforms can lead to financial extortion and criminal activity. Recent years have proven that these types of platforms are extremely influential and can affect elections, make or break vaccine campaigns, and even move markets. As bad actors grow to be more sophisticated, it’s easier than ever for them to prey on services with weak defenses, like social media and dating apps.

Talking about the future, what achievements and challenges do you expect to see in the identity verification landscape in the upcoming years?

Artificial Intelligence (AI) is evolving quickly. For example, OpenAI recently released a neural network where you simply type in a phrase like Avocado Chair, and it generates an image. With this pace of evolution, it’ll be hard to keep up from a security perspective.

At Persona, we’ve detected a wide range of fraud attempts enabled by AI and other advanced technologies. For example, we’ve seen bad actors create deepfakes to mimic live selfies and use celebrity photos combined with public data to photoshop fake IDs.

Because of this, companies will need to take a holistic approach that looks at many different signals to both mitigate fraud and evaluate identities correctly – there is no silver bullet to identity verification.

In the upcoming years, there will also be more regulations around data privacy at a federal and state level, especially around data locality. Equifax’s data breach and Google’s GDPR lawsuit are just a few recent examples that show how the data privacy climate is changing. Securely handling and storing PII is a non-trivial challenge and one that has serious repercussions for organizations and their users. As such, more companies will move toward identity solutions that not only adapt to changing regulations but are also automatic, which provide a better user experience and are often better at safeguarding PII.

Finally, more companies will seek out tools that’ll help them understand their users throughout the customer lifecycle and orchestrate the process from end to end. There’s no reason for them to integrate with dozens of vendors when they can just use one.

Share with us, what’s next for Persona?

Our ultimate goal is to be the trusted identity layer of the internet. To accomplish this, we're building the first identity infrastructure that is focused entirely on facilitating trust between businesses and individuals. It will enable businesses to know who they're doing business with at all times and empower individuals to feel as comfortable verifying their identity as they are buying things online.

Our goal is to help businesses stay compliant, fight fraud, build trust and safety, and ultimately future-proof their business by ensuring our infrastructure is customizable, secure, and streamlined.