Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.
Do you know who has access to what?
You’re listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let’s get started.
Welcome to the Identity at the Center podcast. I’m Jeff, and that’s Jim. We probably want to talk some identity, but before we get to that, any notes or things you want to bring up before we introduce our guest today?
Jeff, Jim, great to be on. Thank you for having me, and I hope everyone is staying well and healthy. I’ve been a fan of your podcasts, and I’ve been checking out a few of the episodes in the recent past.
Well, first off, I’ve been a product guy most of my life. I spent the majority of my career at TransUnion, the credit bureau, before joining Jumio. My move to the identity space was happenstance. One of my colleagues took up a different role in the organization. My boss, at the time — an amazing guy, Jeff Brown — asked me if I could step into the role and help out. I’ve always been ready for a new challenge, and I said, “Sure, why not?” and it started there with my taking on responsibility for one component of TransUnion’s identity solutions over a decade ago. I hit the ball out of the park, and Jeff and the organization started to entrust more responsibilities over time. I was leading the product organization for all of the fraud ID solutions in the US market. We made a bunch of acquisitions, including iovation, one of the leading devices providers in the marketplace. With that acquisition, I moved to iovation as the chief product officer. Over the two years that I was there, we made some great strides expanding the iovation suite, and integrating the high-value iovation capabilities into the broader TransUnion fraud ID product suite. Then, Jumio happened.
I loved my time at TransUnion. When the Jumio opportunity came up, it was a tough call. As I said earlier, I’m always excited for new challenges, so I decided to make the jump, and so glad that I made the call. It’s been an amazing time here. The culture, collaboration, customer focus runs in the company’s DNA. We’re all focused on solving one customer need, which is ensuring a high degree of trust that the individual has that you’re dealing with, and making sure that they are who they claim to be.
On a lighter note, a few years ago, my son, when he was in kindergarten, asked me what I do at work. I tried to explain it many different ways. I tried to explain how fraudsters operate and what my team does to stop them. He goes, “So, Dad, are you like one of those superheroes?” I said, “Sure,” and I have, of course, not tried to correct that image he has about me.
He’ll figure it out one of these days, right? Having teenage boys, I know that eventually, they become much cooler than you are, so I have two people who live with me who are much cooler than me.
Bala, in your role as chief product officer, what would you say you do there? What is a chief product officer? I’ve heard that role a million times, but I’m not really clear what it is.
Great question. There are a few things that I am responsible for. It starts with establishing a vision, driving focus in the organization, keeping it simple, execution of that vision and being the glue in the organization. To double-click on that, in terms of establishing a vision, my primary responsibility is to make sure that we have a very clear product vision, and a strategy and a road map that goes with it. It is about making sure that we are placing the right bets that will deliver the highest value to our customers.
This is not just about another feature that got rolled out, or ten features that got rolled out. If it does not have a meaningful impact on customers, we’ve just wasted our time. It’s about placing the right bets, making sure that that’s going to deliver impact and value for our customers. On the driving-focus piece, this requires ruthless prioritization. It comes with having to say no to more things than I’d like. Steve Jobs very famously said that it is saying no not just to initiatives that you don’t like but also to some initiatives that you’re passionate about, to be able to let go. That way, you can truly focus your time and your energy on a few that will make a massive impact. That, ultimately, is what will ensure customer successes and, therefore, our success as well. Getting that focus, getting that prioritization nailed down, is a key part of my responsibility.
I think that mind-set is really valuable for an identity and access management program — specifically, a program manager — because a lot of times, you do need that glue. I do think of a program manager as also a product owner and a product manager sometimes when it comes to prioritization. What are the features and functionalities that they’re hearing from their customers, whether it’s external or internal, whatever it may be, and being able to articulate that and translate that into a product or a service. That’s a valuable skill that a lot of folks don’t necessarily overlook, but sometimes they undervalue it — hearing about your experiences and having the passion for IAM, and, obviously, we all have a passion for IAM. We’re on an IAM podcast, obviously. This is very niche from a topic perspective, but we’re doing it anyway. I think that’s the kind of thing that helps.
I’m curious: As you’re talking with customers, partners, maybe even competitors or other folks, when you start talking about product development, where do you take your inspiration and your inputs from, and how do you coalesce that into that this is a feature or a functionality that, “Yes, we’re going to move forward with this,” or how do you say no to something that you know is a great idea but is just either not feasible right now, or, for other reasons, you can’t pursue it?
I’ve been around long enough, and I’ve made a bunch of those mistakes where you think, “Hey, I’ve got an idea — I think this is going to deliver value to our customers” and expend a bunch of cycles on it. Then, eventually, when you take it to market, you realize that you’re not getting the traction that you thought you would get.
For me, a big step in the right direction is moving away from those whiteboards and getting out and meeting with your customers, having the conversations with your customers, observing how they work, understanding their processes, understanding their workflows. When you do that, you start seeing what their pain points are. Some of these pain points are very obvious for customers and they’re like, “I wish somebody could help solve this problem,” and there are some others that they don’t realize, because it has just become second nature. They’ve been operating in that environment, and they just go on clicking through stuff. As you observed this year, there could be more efficiencies that we could bring about here.
Spending a lot of time with customers and understanding what the processes look like is very critical, and the most important feedback that any product manager can take back, and then get to the drawing board and start figuring out how to design the solution around it, take the design back to the customer and get the feedback. That continuous iteration is what is necessary for good product development and rollout. There’s another aspect of it as well, which is keeping it simple. I mentioned setting the vision and prioritizing. My next job is to also make molehills of mountains — simplification of complex topics. Folks oftentimes across organizations end up overthinking, overcomplicating and overextending what is required. We start looking at corner cases. My job is to build and mentor a product organization that can help drive the “Keep it simple” mantra.
I like that approach.
The other aspect, too, Jeff, and, as you said, is how you actually take this to market — execution of the vision. We really need to stop just talking and brainstorming ideas — let’s actually get it on the ground. As soon as that happens, you will start getting real-time feedback on whether the direction you’re headed in is the right direction, or if you need to pivot.
There are a couple of questions there. One is what ID proofing itself is. When somebody is out there trying to apply for a credit card or trying to get an insurance policy, if you’re in the branch, you can see the person, you can have a conversation with the person, you can check the identity documents and all this other fun stuff, and green-light them through the process. If they’re coming through a digital channel, you’re not seeing the individual. You’re missing that personal connection. It’s very critical in those channels (call centers, online channels, etc.) to be able to verify that the person who is applying for whatever service you’re providing is, indeed, the right person.
ID proofing is the process and the tools that enable you to be able to successfully do that. At Jumio, we provide ID-proofing capabilities, which is very much centered around government-issued IDs, or other forms of documentation that you carry. This could be a driver’s license. It could be a national ID. It could be a U.S. passport, or whichever passport of your nationality.
To answer the second part of your question on what is critical to help customers trust their end consumers — my friends, of course, know me as the fraud guy. I have to keep reminding them I am not the fraud guy. I’m the fraud-prevention guy. Anyway, recently, I had a friend ask me if there’s a way to find out if their information has been compromised. I told her, in these times, by default, you should assume your information has been compromised. There is even a Wikipedia page with a chronological list of breaches.
You can go online and find sites where you can purchase stolen identities. Some of these sites are beautifully designed. They offer an Amazon-like shopping cart checkout experience to purchase compromised data. You can go in and say you’re looking for a male, 35 years, with a master’s, two major credit cards, with a credit limit of $10,000, and boom! You will get results back. You can choose and add it to your cart, and a couple dollars later, you actually have those identities. It’s as simple as that. Fraudsters thrive on these.
In this breach environment, if you’re trying to do ID proofing, it is hard to tell if you’re dealing with a real individual or if you’re dealing with a fraudster using some of that compromised data. There are some controls you can put in place, like device resolutions. You can check to see velocity, how often does an individual repeatedly come back to a site, but these are Band-Aids to a massive problem. That’s where the document-centric approach comes into play — or the ID-centric approach.
Companies like us, Jumio, provide that ID-verification layer that can take a government-issued ID, extract information from it, verify that it meets the minimum fraud checks and then extend fraud checks that we run on it to make sure that an image is not superimposed, and to make sure that they’ve not messed around with the barcodes off the back of the driver’s license, and things like that.
Also, think about this: You cannot get on a plane without a government-issued ID. That’s what the TSA looks for before they let you through the line. There’s a significant level of trust in these IDs. Switching from the traditional checks and moving to an ID-centric or a document-centric view brings a much higher degree of confidence in these transactions. Now, couple that with a selfie that can be matched against the photo. You now have an excellent fraud deterrent in place. How often do you think a fraudster will be willing to take a selfie of themselves to establish an identity? It would be like saying, “Say ‘Cheese’ so the cops know what you look like.”
You nailed it, Jim. That’s essentially what it is. Especially in these COVID-19 times, a lot of businesses have shifted to these online channels. They don’t have a choice. It becomes even more critical for them to have good fraud deterrents in place. Things like the ID scans, the selfie checks, etc., go a long way in allowing them to establish good confidence and trust that they are interacting with the right individuals.
I know another major use case for that is KYC, or know your customer. I’ve seen that a lot. I was in the banking environment prior to getting into consulting. A lot of the focus of KYC, if I remember correctly, was around preventing money laundering — having that assurance at such a level that people weren’t setting up accounts just so they could launder money through a bank. Maybe you could educate us a little bit more on know your customer, and what the major use case is that you see surrounding that, and how they tie back to identity-proofing.
KYC, or know your customer, actually spans across multiple use cases. It starts with account creation — the first time you’re trying to establish an account for yourself — but it doesn’t stop there. The journey continues into account management as you’re trying to make changes to your existing profile. You require it as consumers are transacting with your enterprise as well. The key piece, as I mentioned earlier — enterprises are increasingly vulnerable to fraudulent attacks. There’s so much compromised information out there. It’s very hard for them to keep up. To better protect them, KYC standards, or guidelines, have been implemented to guard against fraud, like you said, money laundering, drug and terrorist financing, etc.
There are some very basic and foundational steps required. Establishing the identity of the consumer that you’re working with, what the nature of their activities are, where they are getting their funds from, how much they are transferring around — is that a typical behavioral pattern, or are we seeing some anomaly patterns, fraudulent patterns or risk patterns here? Those are the things that KYC and AML solutions, essentially, are able to surface.
A good KYC process is critical for compliance, but also from a risk-management standpoint. The requirements of KYC AML programs, though, can be very overwhelming for enterprises. As they’re getting more and more stringent, it takes significant allocation of resources to meet the regulatory requirements. Even if you have it in place, the continuous monitoring, tracking, etc., can be quite burdensome on enterprises. Ultimately, though, it will help enterprises be less prone to fraudulent attacks and, more importantly, reduce fraud losses. Note I said, “reduce fraud losses,” because it is not realistic to expect to stop it altogether.
I cringe when I hear “eliminate” and these superlatives that basically say, “It will never happen again if you do this one thing.” I think it’s really about mitigation, remediation, managing risk and those sorts of things. From a KYC or even from an identity-proofing standpoint, are there any best practices that organizations should be following so they know what the right situations are to leverage capabilities in this space? If I’m not doing this today, how do I get into this? What are the best practices that I should be looking for as I get into this space?
That’s a great question. If you’re just getting in the space, you want to make sure you’re working with someone who’s got a ton of experience in understanding the types of attack vectors that fraudsters are going to be using. It is critical for you to implement a solution that is not just looking at one or two risk signals. You have to have a layered risk mitigation solution in place. It’s not just about the document that you’re using, or the ID that you’re using. What device are you using to capture the document? What is the name and address information that’s on the document? Are there any criminal records tied to this individual? Whatever the address, it serves as a real address.
Fraudsters are a sophisticated lot. They know how to manipulate information. It’s a cat-and-mouse game. It’s like Tom and Jerry. We’re constantly trying to stay ahead of them. You build a wall; they find a taller ladder. If you want to keep up with this, you want to make sure that you’re using a solution that provides you with multiple layers, a solution that can quickly allow you to configure, calibrate and tune the offering and be responsive to unexpected attacks, because, as soon as you put the controls in place, the fraudsters are going to say, “Well, these guys are using a lot of good controls, so I’m going to go attack someone else who doesn’t have those controls,” or they may go, “This is still a good place for me to continue my attacks,” because maybe they’re still making some good money off it, and so they’ll intensify their attacks. It’s critical that you have a solution that can be enhanced and extended rapidly in response to these types of attacks.
Ultimately, there’s another important aspect to think about: As you start putting these types of controls in place, you are impacting good consumers as well. The more layers of defense you put in, the more friction you start introducing to the good people. An analogy that I like to use is, what type of experience do you want to provide your good customers? I used to travel. I haven’t traveled in the last 18 months. I don’t know if either of you have, but I used to travel quite extensively. I loved my TSA PreCheck experience. I got my TSA PreCheck thing, and then, after that, I was just breezing through the security lines.
The question is, what type of experience do you want to provide your end consumers? Do you want to give them the TSA PreCheck-like experience, where you’re very quickly able to identify the good people and give them that VIP treatment, or do you want to put them through the more challenging lanes, where you have to take your jacket off, take your laptop out of your bag, take your shoes off? It really comes down to finding the balance in how much the controls are helping you catch the bad actors, and how much of that is proving to be a friction for your good consumers. You need a system, or you need a solution, that can adjust the dials appropriately so you’re not negatively impacting your good consumers while you try and stop the bad actors.
Hey, Bala, I’m wondering what your experience is with the customers you’ve worked with. Do they typically do the identity verification up front, and never require the person to go back and do it again, or is there a refresh process for the identity verification? Is that usually something that needs to be done? Are you tracking expiration dates on the identity that they use — in other words, the expiration of the driver’s license — or is it more like a business process?
To some degree, it’s a business process, but it varies by customers. It varies by verticals. It also varies with how the consumer is interacting with your sites. If a consumer is regularly coming in the door, you start establishing a pattern of behavior associated with that individual. The first time you’ve established them, you want to make sure you’re putting all the stringent checks: You’ve got the ID, you scanned the ID, you established the association with the devices, their addresses, etc. But once they’ve established themselves, you don’t want to keep putting them through the same friction unless you see some different behavior from them.
If they get a new device, you may want to introduce a little bit of friction to confirm, verify and validate that it is still the same individual. Other than that, I would say just let them run through. As long as they get the credentials in, their login, you’ve got your basic controls in place, whether it’s two-factor authentication, etc., but once they’re in, let them navigate through. If they try to change their address on their profile, if they try to change the phone number on the profile, those are instances where you want to step up your authentication, because oftentimes, fraudsters, if they’re able to get in either through social engineering or other means, they’ll try to change the address on file. Five minutes later, they’ll call into the call center and request a new credit card. Where do you think that credit card is going to go? It’s important for you to figure out when step-up authentication is required, and employ those methods and tools in those instances.
We do provide what we call authentication service. When you’re onboarded using your ID, there’s a selfie that goes along with it as well. So, when you get to a point where you’re trying to make some of these major changes, like changing your address or your phone number, do a quick selfie. Folks are very much used to taking selfies these days, so it’s not seen as too much friction. Take a quick selfie and, like, “Yes, it’s still the same individual — check,” and then you go on to the next step in the process.
It’s all about finding the right use cases and employing these tools as required. It also depends on the customers. If they’re frequent, regular customers, you don’t want to be harassing them. But if someone has not been interacting with your site for three weeks or two months, when they come back in, you want to make sure there’s a little friction to confirm that they are who they say they are.
I feel like that is what I was thinking. It’s a technology issue. The best camera most people have in their life is probably their phone, and it’s probably been that way for most people for the last five, six, seven and maybe even ten years, depending on what your camera situation is at home. I feel that is certainly the case. I’m looking right now at the video that we’re sharing internally here. I see you guys both on 720p and, probably a MacBook, because MacBooks really don’t have very good cameras. As much as I love Macs and that kind of stuff, it isn’t a high-quality thing. I’m curious, Bala: What is your perspective, because I think Jim asked a very interesting question on how technology has improved the ability to do more accurate identity-proofing scenarios?
Well, I wish there were high-resolution cameras everywhere, but that’s not the case, as you rightly pointed out. It becomes necessary for companies like us to try and figure out how we can do the best with what we have. You’re absolutely right, Jim. When you think about a few years ago, taking a picture with your webcam was not very useful — a lot of blur, poor picture quality — but we’ve made a ton of investments in this space now, because we have seen quite a few of these samples come through, and we have adapted on our end to make the best with what we can get.
Our success rates with the webcam’s pictures now, I would say, run very close to what we see happening through mobile devices as well. It has definitely gotten much better now, but there is definitely a technology challenge. In some regions, we do see where they have lower bandwidth than what we have here in the U.S. We do see, because with the bandwidth challenges, it takes a bit of time for them to go through the process and the image getting uploaded, etc. We continuously keep monitoring. We keep checking the data. We check to see where we have some of these drop-offs, and then we start employing the right corrections to make sure we can address those. Ultimately, it’s important for us to reduce the abandonment rate, as much as possible, of good customers. It’s critical. It’s always about that end-consumer experience, and we need to make all the investments we can to reduce that abandonment rate so they can have quick, easy passage while our customers’ enterprises have a high degree of confidence in those individuals.
I’m curious, Bala: As technology has matured, one of the things I am deeply fascinated about — and if you’ve listened to prior episodes — is deepfakes and how this is affecting the identity space. How are Jumio, and other organizations in this space of identity-proofing, looking at deepfakes, whether it’s video or even still pictures? How do you stay ahead of that rapidly iterating space?
Great question. We run into this more often than we’d like. We do have instances where fraudsters are trying to make their way through. We have partnered with great companies. We recently announced a partnership with iProov, which provides an excellent liveness-detection capability. With that technology that they bring to bear, with the assets that we have, together, we have a really good way of identifying still images. We have a really good way of identifying deepfakes.
I would be lying if I said we catch all of them. We’ve done a pretty decent job, and I’ve seen so many instances where we see the aftermath of a transaction, and you’re like, “Why did this get rejected?” As you dig in, you think, “Well, it’s not really a selfie — they’re trying to upload an image,” or there have been instances where I’ve seen someone try to take a selfie with a mask on, and then, of course, the deepfakes. I would say the technology is getting better over time in identifying these types of instances and weeding them out of the system. It’s not 100% foolproof, but it’s definitely much better than what it was even three to six months ago.
Yes. I feel it’s definitely an arms race — it’s getting better, faster and easier to create them. But at the same time, you’ve got companies that are getting better, faster and more accurate in being able to detect them, which is interesting.
I know you’ve been really generous with your time, so we’re going to start to wrap things up here. Jumio is a very interesting name. What does it mean?
We’ve been around for quite a bit. Jumio stands for “Just use my ID online.”
I love a clever name, and that’s definitely one of the ones that is certainly ranking top of mind off the top of my head here. That’s a great name.
We’re going to close it out for this week. Before we do, I want to pass it around one more time to Bala and to Jim. What are some final words of wisdom, or advice, that you can give people who are listening here, whether it’s on identity-proofing or maybe something else identity related, or whatever you think is important for folks to hear. Bala, why don’t you go first?
Sure thing. Think customers first — your end consumers. Make sure that you’re giving them the best experience they can get. Make sure that you’re reducing as much friction as you can, because each and every one of us goes through this process at one point in time or the other. I tell my kids all the time, “Do unto others as you would have them do unto you.” So, it’s very critical that we build solutions not just because it’s technically great, but because it also provides a good level of positive experience for the good consumers while effectively stopping the bad actors. That’s my two cents at the end of this podcast. Thank you so much for having me on the call. It’s been a great conversation today.
Yes. Thanks so much for joining us. Let’s pass it over to Jim. What about you? Any final thoughts to this week?
I’m going to harken back to our news announcement at the beginning of the show about the conference coming up. I’m, obviously, excited for conferences coming back, but I would encourage folks that there are these calls for speakers, and opportunities to get it out there and share your knowledge. Look, Jeff and I are just regular folks, and we get on and we do this. I mean, I consider this public speaking. We do this every week, we share our knowledge, and we bring guests on who share their knowledge. You have knowledge, too. I think it would be great if you can get out there and share. If you have a fear of public speaking, that’s very understandable, but, you know, sometimes you just have to take on those fears. Everybody deals with that at some level. What I found is, if you rehearse your presentation a million times, that million and first time that you go to deliver it, it’s going to sound good. You’re going to feel confident in what you have to say. My recommendation is, even if that Authenticate Conference isn’t the right one, think about getting out there, telling your story and take on public speaking.
Thank you so much, Bala, for joining us. We appreciate it. Jim, as always, thanks for your time. You can connect with Bala on LinkedIn. You can learn more about Jumio at Jumio.com, and we’ll have links to both of those endeavors in the show notes, as well as a link for AuthenticateCon later this year. You can always visit us at the web at Identityatthecenter.com. You can follow us on Twitter @IDACPodcast. If you like what you heard, please share it with your friends or enemies — I don’t care who you share it with, as long as you share it.
Other folks in the identity space, we continue to grow, and that helps us to get great guests, and we’re trying to put out the best informational safe place for identity that we can think of that is free of distraction from the sales and marketing BS that we’re all hit from on a daily basis. We’re trying to keep it safe. The more we can share with folks that idea, hopefully, they’ll listen. With that, thanks to everyone for listening, and we’ll talk with everyone in the next one.
Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe, and visit us on the web at Identityatthecenter.com.