Prove: Spike in Business Identity Theft Calls for Phone-Based Approach to Authentication
As the company that laid claim to the concept of “digital identity” more than 10 years ago, Prove Identity takes verification seriously, even when it’s not.
Case in point: As CEO Rodger Desai told Karen Webster in an interview, there’s a running joke inside Prove in which he keeps score of how many times a would-be scammer posing as Desai has texted employees that he’s in a jam and they need to purchase gift cards for him.
It’s a joke with a serious side, of course, because criminals are stepping up their brazen attempts to pose as corporate executives, owners, vendors and even employees. For businesses across all types of verticals, the problem is ever-present and boils down to the urgent challenge of trusting interactions in the digital economy, especially when you’re not directly in front of someone.
Even Desai, who helms the identity verification and authentication platform, has been targeted by bad actors who have taken artificial intelligence and twisted it in the service of identity fraud.
“Someone sent me a website where I put in a two-second clip of my voice … and it had me singing songs,” Desai said. “The technology’s becoming democratized quickly, and it’s pretty cheap.”
Deepfakes represent a growing threat to businesses, he said, adding that the phone needs to be the foundation of identity verification because it is often the device used to commit fraud. A spike in business identity fraud demands a new approach to authenticating the person sending invoices, phoning in and even texting.
“The digital front doors of most businesses are not very secure,” he said.
What Change Has Wrought
The lack of security has pushed business fraud to a level so lucrative that sending out false invoices brings in billions of dollars a year in Europe — proving to be a more lucrative trade than drugs and money laundering with higher margins to boot.
“These scams include people pretending to be your bank’s fraud department, the government, a relative in distress, a well-known business or a technical support expert,” the FTC said.
Major breaches such as a hack into Change Healthcare have provided huge swathes of transactional data. This then becomes fodder for fraudsters looking for “replayable” relationships that can give them grist for business impersonation schemes and fake invoices, and even employee details that can be appropriated to create synthetic identities, Desai said.
Part of the reason those scams have been so lucrative and successful, said Desai, lies with the fact that business transactions tend to be highly “repeatable” interactions. An unwitting employee at a firm that does business with, say, ABC Carpet several times a month may not have their suspicions roused when yet another invoice comes in (but with bank details subtly changed) or when they’re prompted by a phone message to send payment for a bit of fictitious business.
Before the ruse is detected, the scammers have had several payments redirected to their own accounts, and then disappear into the ether.
Signature Solutions
Desai said the solution, no matter if the contact with a company comes through a tweet, bot or invoice, is that “these things have to be signed — because by signing it, you can authenticate the vendor or counterparty and make sure it’s someone you trust.”
Automated authentication eliminates the time spent — upon getting an email from someone claiming to be your boss, for instance — calling the counterparty and finding out if the contact was indeed legitimate, he said.
To be specific, the signatures are cryptographic ones tied to mobile devices, he said. On platforms such as Prove’s, whose Identity Manager keeps a real-time registry of phone identity tokens tied to phone numbers, the onboarding process is similar to what would be seen across vendor management systems.
Using the ABC Carpet example again, the carpet firm’s representative, and the invoices sent, can be identified via the phone that was enrolled at the start of the relationship, Desai said.
As he told Webster, just as financial institutions onboard individuals who open bank accounts and make sure that one-time passwords can authenticate them, “vendor relationships have to be onboarded in the same fashion. There has to be something that you can reach out and ‘touch’ … that subsequently, you can ‘redo’ for authentication … so you have a lineage of trust.”
As he noted, “if you can enroll all of the phone numbers — and the phones — of the people you trust to interact with, you can authenticate them” automatically every time.
That level of automation builds a strong digital front door that Desai said “keeps the bad folks out while the good folks have an easy way to get in.”