Synopsis: In this AI Leadership Insights video interview, Amanda Razani speaks with Philipp Pointner, chief of digital identity for Jumio, about chat phishing and how to recognize and protect oneself from AI fraud.
Amanda Razani: Hello, I’m Amanda Razani with Techstrong.ai and I’m excited to be here today with Philipp Pointner. He is the chief of digital identity at Jumio. How are you doing today?
Philipp Pointner: Wonderful. Thanks for having me on the show.
Amanda Razani: So can you tell me a little bit about Jumio and the services that you provide?
Philipp Pointner: Absolutely. We’re a leader in the identity verification space. We help our customers understand and trust their users. Most of it happens during onboarding, but also as part of ongoing monitoring. And so we do that mainly by inspecting government issued IDs and testing people’s faces on whether they are live and matching that ID. But we also launched our KYX platform, which helps you bring together a lot of different risk signals like an email risk, a phone risk, EKYC systems. So it’s really a one-stop shop for identity and KYC needs.
Amanda Razani: Okay. So you are a good person to speak within about a growing problem today, which is the advent of AI and the easy use of AI now, and with so many people using AI, we have to worry about fraudulent activity. And there’s a new term called chat phishing. Can you share exactly what that is?
Philipp Pointner: So one of the things we’re watching always is what are the techniques that the fraudsters are using? And obviously in our space we very carefully look for signs of manipulation on an ID, but in many cases we see an authentic ID because people were scammed into providing their identity documents to the fraudsters. And so often the attack angle is not, oh, I’m a fraudster. I’m going to create a fake ID. It’s, I’m going to try to get you to give me your ID so I can then go and open accounts in your name and do other malicious things. And so that’s the attack angle that we are talking about here. And previously when fraudsters were doing a scam like that, let’s say they got a hold of an email list of 50,000 email addresses, they would then craft their first attack email. They would send it out to all 50,000 mail accounts and then wait for a response.
And then depending on how people responded and what questions they had and the level of engagement, they had to decide what to follow up with and how to hold that conversation and drive it towards the point where the scam actually becomes effective and they’re asking for the identity documents. And so now that can be handled by a chatbot, so they don’t need to do that manually anymore. And so that means their entire activity is scaling up to infinite resources because these modern AI driven chatbots, if they are trained on that context, they can hold the conversation, they can respond to questions that people have, and they can do those next follow-up steps that are part of the scam. And that’s really a game changer because it’s now no longer human power that is required to drive these scams. It’s basically just computational power and that we have an abundance of.
Amanda Razani: That’s certainly concerning. So what can people do to sort of figure out if the chat is real or if it’s an AI chatbot?
Philipp Pointner: So one thing that’s interesting is that people still don’t seem to understand how important their social media accounts are when it comes to protecting their identity. We did a customer survey recently, an end user survey. And so we asked people, what are the different online activities that you do where you would be willing to invest more time and effort into account security? And obviously people are ranking things where they have assets on the line high, so banking and insurance and all of that stuff is high up in the rankings. And then some other websites at the bottom. But social media is the one that is the outlier because we think that people misjudge this because they have it in the lower third of the willingness to invest more. And that’s just not good.
If someone gets hold of your LinkedIn profile or hold of your Facebook or Instagram, it’s a real problem because what they’re going to do is they’re going to pose as you and not necessarily you are then going to be the victim, but all your friends and contacts are going to be victims, because it’s so different when you get an email from an anonymous email address, you’ve never interacted with the person, people have become good at spotting that and the guard goes up immediately like, that’s too good to be true. But if a friend comes to you maybe with an emergency situation, there’s some urgency in the messaging and you trust that communication channel, that’s where people fall into these traps. And so securing social media is actually very important to protect the community around you.
Amanda Razani: What are some other examples of AI fraud that is currently happening?
Philipp Pointner: So a few weeks ago now, our team for the very first time has managed to create a image generation pipeline that can create basically, so based on templates of different driver’s licenses and passports, an infinite supply of fake documents. And so where previously the fraudster would take maybe half an hour or an hour or even more to handcraft and maybe Photoshop or kind of create the actual plastic card and really be invested, at the click of a button, you can have now a file that has all the first names and last names and date of births and the photos that you want to have on these documents. And then at the click of a button, you can generate 10,000 fake documents that you can then go and try and open accounts with. And so that is a real game changer.
And I think in the consumer world, people are not necessarily aware of the gigantic wave of fraud that’s coming their way because of the emergence of these tools. And as you can imagine, I mean we invest a lot into trying to keep up and understand what the fraudster are doing, but most of the individual end users, they have no idea how these technologies are kind of changing the game they’re in when it comes to security and identity.
Amanda Razani: So how can businesses better give awareness to their customers? Is this affecting businesses as well?
Philipp Pointner: I think it should. And the reason is I think it’s very easy to say, oh, yeah, yet to know the stupid end user that fell for a scam or whatever. But I think there’s a responsibility for businesses and service providers to secure the assets and access in a way that even if the end user falls into such a trap, they’re not able to overcome the security mechanisms, the fraudsters are not able to overcome the security mechanisms. And there’s a couple components to this.
So one is it’s a very good practice to send a push notification or whatever channel to the end user when a serious action is happening in an account. And so we see this all the time. Good practice is that if the password is changed, you get a notification to your email. If there’s a high value transaction in your account, you get an email. If you do a credit card transaction, you see an email. That kind of practice certainly helps because even though it’s too late at that point in time, you can react immediately. You can say, wait a second, I wasn’t doing anything today. Why am I getting this notification? So notification is a big pillar of protection.
And then when it comes to protecting logins, we always recommend strong biometric solutions. So that is just such, especially with a good liveness detection, it’s such a problem for the fraudsters because they only have their own face available and they usually don’t have access to the live person that they are scamming. And so they will try to use photographs or screens or whatever to fool the liveness, but it’s not that easy. So good liveness systems can detect these presentation attack and then prevent the login or prevent the takeover of the account.
Amanda Razani: So with those biometric systems, I know the first thing I think of is with our phones, we now have a way to open up our phones with our face features, are biometric systems going to become more widespread to regular individuals as far as say, laptops and other software programs, do you think?
Philipp Pointner: Yeah, I mean that’s another thing that came out of our survey is that the end users are so comfortable meanwhile with using their face as a part of a login mechanism or their finger for that matter. And this is where the smartphones really have kind of paved the way for all other applications. When we started asking consumers for a face in 2014, almost 10 years ago, it was a big deal. And when we turned it on for customers and we did AB testing, we could see that there was a drop in conversion rate. People were dropping off because they were like, “You’re asking me to do what now?”
And so nowadays, this just isn’t a problem anymore. People are used to showing their face. They do understand that their biometrics are part of security measures on the internet. And so that’s no longer a problem. And that’s a big step forward because at the end, you can design whatever systems you want in terms of security, if the end user doesn’t buy into using it and has fears or concerns, that’s just bad user experience. That’s going to kill it. And so having the user on board is a big part.
Amanda Razani: Thinking toward the future, and maybe this is a ways down the road, but we’re already seeing things like deep fakes and we know AI can sound like someone, look like someone. So moving forward, how do we keep from getting simply AI deceptive phone calls? I mean, where we really think we’re talking to a person, AI deceptive FaceTime calls. I mean, how far is this going to go and how can we stop it now or protect ourselves?
Philipp Pointner: I think there are two answers, right? One is I think everybody needs to have their guard up really and be aware of what these technologies can do. And be very careful, especially when something comes to you with a sense of emergency and urgency. You have to ask yourself whether that truly can be true. And so I know my sister had a case the other day where a friend called her or texted her and said, “Oh, I have this or that problem,” but they just talked on the phone half an hour earlier and she’s like, “Well, what the heck?” That doesn’t compute. And so sometimes you’re just lucky and the context. But if you don’t, it’s easy to fall for these traps. And I think awareness is extremely important.
The second part that I always criticize when it comes to options for the consumer is even after the fact, even after you have discovered that you have been scammed and somebody now is using your identity, there is no good summary or information or organization or website that you can turn to and learn what to do next. So what are you supposed to do once you realize you’re a victim of an identity scam? And so I think that’s where collectively as an industry, we can do better in providing tools to people and make them aware of how to get help and information.
And then on the technology side, I think the big technological promise is once we reach that era of digital identities, where ideally a lot of the digital identity usage is going to be passively embedded into everything we do online, including all the communication channels, and so if I chat with you, then my chat software and your chat software should exchange the digital identities in the background and make sure that, okay, this message is indeed coming from that identity that is tied to you. So that would be the dream scenario for the future, is that we can all establish these secure communication channels everywhere, ideally, so that our devices, smartly and in the background and without inconveniencing us, take care of that identity problem.
Amanda Razani: Absolutely. So what is one key takeaway, if you had to say one last key takeaway for our audience today that you want them to remember?
Philipp Pointner: I would say probably use two-factor authentication wherever you can to protect your accounts is probably still the number one where I see it offered on many sites and people are just like, nah, what is the worst that can happen? And so I think that would be my number one recommendation.
Amanda Razani: Okay. And that’s a pretty fairly simple thing to set up. So thank you so much for coming on our show today and sharing your insights.