There’s no denying it: cybercriminals are good at what they do. That doesn’t mean that businesses and can’t go toe-to-toe with fraudsters in fighting back, though. On a recent podcast, John Dancu, CEO of IDology, shared with MPD CEO Karen Webster how his observations of the ever-evolving business of cybercrime (and it is a business) can influence tactics for keeping consumers — and the companies who need their business — safe.
KW: You operate in the identity and age verification space — that’s the foundation of the products and services you provide, and has been since your inception in 2003.
Help us understand specifically what problems you solve and for whom.
JD: We provide identity verification, but our fraud platform is really one of the differentiators that we’ve brought forward over the last five years or so.
We solve a very horizontal problem of validating that someone is who they say they are in a consumer-not-present transaction — on the Web, in a call center, et cetera — and we do that across multiple industries. Clearly, we’re significant players in financial services, alternative financial, health care, retail commerce and so forth.
That problem we’re solving has really evolved over the last couple of years relative to the issues of data breaches and the creation of what we call a “perfect identity” — which addresses the reality that fraudsters have access to basic elements of customer data.
KW: There are lots of providers that claim to be able to authenticate a user in a consumer-not-present environment. What are the technologies or tactics you use that actually make what you provide different?
JD: Let’s start with the culture of IDology. We’re a very innovative company in the marketplace. Our customers view us as a company that’s helped them understand and solve their problems. We provide very high service levels by understanding our customers’ issues and also by being domain experts in certain areas. This may sound a little corny, but we really love our customers — we want to make sure that we serve them.
We do all that with a really dynamite solution in the marketplace. Our product is in essence focused on what we believe is the real issue with our customers today: trying to validate legitimate customers — whether that be account origination or step-up authentication — with nominal friction.
With all the fraud that’s happening in the market today, our customers are really concerned with making sure that they’re able to authenticate their customers in a friction-free way and drive customer acquisition and drive revenue. We achieve that with our product in multiple ways.
I want to return to the topic of “perfect identity,” which is a driving issue. Today, if all you’re doing is taking customer data and matching, for example, a person’s name to a street address or Social Security number, that’s no longer sufficient. Fraudsters have that information: they know people’s names, addresses, Social, and so on.
In order to provide a friction-free environment in customer authentication, not only do you need to validate the data of a particular individual, you also need to figure out if it’s the actual customer that is requesting or conducting the transaction. We’ve built a fraud platform that gives us really strong tools to enable that. The tools that we use, broadly speaking, relate to certain identity attributes, but they also look at activity that’s happening around the transaction, the device on which the transaction is occurring, and location attributes related to it. When you combine all that, you have the ability to validate customers under the covers in a friction-free way, and escalate — when you see potential fraud — to higher levels of verification.
What we do is very different from what other people are doing in the market.
KW: Who are your customers? Are you selling to issuers, or to the acquiring side of the business? Who exactly takes what you have and incorporates it into their environment?
JD: We’re selling to all the entities you mentioned. We’re a B2B player, and any place where our customer needs to authenticate their customer — the end user customer — that’s where our solutions are being utilized.
KW: You’ve been around, as I mentioned, since 2003, when there wasn’t a whole lot going on in the consumer-not-present environment. There is now quite a bit of activity in that arena, obviously, because of the proliferation of mobile devices.
How has your business had to adapt in order to keep pace with the changing consumer-not-present environment?
JD: Our business is evolving all the time. One of the things that we do is frequently talk with our customers about the issues that they’re seeing, so we can be innovative and put features and functions in our product that address how things have changed.
Creating a “perfect identity” in light of data breaches has been a prevalent issue over the last three to four years, and I don’t think it’s going to get any easier — it’s going to get more difficult, in fact. Fraudsters are very creative and they continue to utilize new tools; we need to develop new tools of our own that put roadblocks in front of them, stopping them from being able to open accounts and conduct commerce.
KW: Fraudsters, as you alluded to, are very adaptable and flexible; they monitor the roadblocks we’re trying to put in front of them and always seem to find the weakest link. How can a “perfect identity” possibly be achieved in the face of that?
JD: Fraudsters will seek the easiest spot to penetrate and take hold of an identity in order to drive revenue for their business. What we do to combat that is put in place a multilayered process, creating barriers that compel a fraudster to not continue to probe for the data of a customer, to move elsewhere. We actually see that — where we’ll stop criminals and they’ll go to other customers who maybe don’t have as stringent of protections in place.
One of the keys in stopping fraud is collaboration. All of our customers are within the IDology network, and we share information related to fraud within it. We can actually see fraud move from Company A to Company B to Company C, all within a matter of minutes. Companies are of course highly competitive when it comes to customer acquisition, but when it comes to fraud and risk, they are willing to collaborate and they understand what an important metric it is for stopping fraud.
IDology serves as a hub for that collaboration among all of our customers, and it’s been very impactful.
KW: Collaboration and sharing of data is a pretty hot topic in the news today, with lots of people for it and others not so much. Where do the lines stop and start in terms of collaboration on the hub that you describe? What things are the companies comfortable sharing and what still remain proprietary to the individual customers?
JD: Without going into too much detail, I will say that we don’t really share data in the broad sense. We have a mechanism that gives people the ability to see what’s happening at other places.
We’re the conduit for all that data; we hold it. Company A is not sharing data with Company B; what all the companies are doing is seeing the impact of repeated transactions that are happening across the network. We’re extraordinarily concerned with consumer data and protecting it, making sure that it’s not misused, and our system has lots of controls relative to that process.
The end result of the collaboration that we facilitate is that it works; it stops the fraud. Protecting consumer identities is an obligation of ours, as well as of the companies that are our customers — and they think so, too. One way to achieve that is to make sure that identities aren’t misused, and our ability to stop transactions is obviously central to that.
KW: You must have observed so much about the cybercriminal in your work. You’ve mentioned a few of its characteristics, such as exploiting the weakest link, and that cybercrime truly is a business. I’m curious to know more of your observations about that business as you’ve watched it evolve over the years.
JD: It’s profitable; it’s organized; it’s a career for these people. We often wish they’d put their time and energy into more productive uses, because some of the things that we see are incredibly smart and creative. Cybercriminals are long-term planners; they’ll do things in the present that basically prepare themselves to commit fraud at future dates.
That said, I think that we have good tools in place that can ferret out that activity. What we tell our customers is that there isn’t one tool that stops cybercriminals; they need multiple layers and multiple tools to do so.
One of the things that we think is important in stopping fraud is to stop it up front. The process of validating individuals needs to be done before business is conducted with them; that protects the real consumer identities and it stops the misuse of them at the start, rather than leaving it to be dealt with down the line.
Multilayered protection is still essential, however. With it, not only is a customer protecting itself and its consumer data at the point of acquisition, but also in transaction processing and reviews. You need to have the tools to catch fraud in place at all of those points.
I want to emphasize that what makes us different — although we do get excited talking about fraud and the tools that we have to combat it — is our focus on the legitimate customer getting through the process in an easy, friction-free way. Our process takes place under the covers and allows for transactions to be approved very quickly. Friction is only created in response to indicators of potential fraud, at which point the authentication process is stepped up.
KW: You mentioned that your business is always evolving because the environment in which you operate is always evolving. I loved your characterization of cybercriminals as “long-term planners.”
What are your long-term plans for IDology? Can you give us any clues about what’s on your road map?
JD: We have lots that we’re working on. That’s kind of the fun part; we’re a really robust and innovative product company that’s guided by customer feedback. You’re going to see lots of neat things from us.
You’ll see us continuing to evaluate fraud trends and making sure that we’re giving our customers tools to deal with those. Our system is on-demand and dynamic; as fraud changes and evolves, it’s pretty simple to go into our system, see what’s happening and change rules in order to adapt accordingly. We’ll continue to build on that functionality to give dynamic escalation and dynamic decision-making capabilities to our customers.
We’re also focused on mobile in a very significant way. In terms of fraud prevention, mobile has differing controls — a lack of controls, really — compared to what can be done on a desktop or laptop in today’s marketplace. Fraudsters are pretty skilled at utilizing some of those differing factors to commit theft. We’re building a mobile solution that will allow a customer to establish a persistent mobile identity that’s connected to carrier data, relative device data, and the like.
That will be coming forward in the next couple of months, and it’s something that we’re really excited about.
To download the full version of the podcast, click here.