S3 #20 The future of digital identity

Guest:
Bill Sytsma

Bill Sytsma is the senior vice president at Callsign overseeing business development, bringing more than 20 years of experience in the software and security industries to the role. Today, Bill works with some of the largest financial institutions in the world to combat fraud and educate businesses on the importance of proper authentication. Previously, he served as Chief Revenue Officer at Biocatch and Vice President of Americas Sales, Financial Services at ThreatMetrix.

Recently, Twitter confirmed a data breach that exposed contact details for 5.4M accounts, and Uber admitted covering up a massive 2016 data breach in a settlement with US prosecutors. As more of these types of breaches come to light, consumers’ trust in digital services continues to decrease – especially in the US, where trust is lowest in comparison to non-western markets. In this episode, Callsign’s SVP, Bill Sytsma, talks about security and the future of digital identity.

Keywords: digital identity, authentication, identity management, security, data breach
Season: 3
Episode number: 20
Duration: 28:49
Date Published: November 17, 2022

[00:00:00] KRISTINA PODNAR, host: We continue to rely on flawed digital identity methods, and our practices are negatively impacting customers' trust in online services or digital trust as we know it today.

[00:00:10] INTRO: Welcome to The Power of Digital Policy, a show that helps digital marketers, online communications directors, and others throughout the organization balance out risks and opportunities created by using digital channels. Here's your host, Kristina Podnar.

[00:00:26] KRISTINA: Thanks, everyone, for joining me for this episode of the Power of Digital Policy. Digital trust and consumer loyalty go hand in hand with our growing concern for marketers, digital operations teams, IT, and even the C-suite. It's a timely topic for us today because we all need to be thinking about and working towards information that keeps us secure and safe from a policy perspective, but most importantly, an action-oriented perspective. I am not the security wiz, but I've invited an industry veteran to shed light on what we need to do in terms of stopping activities, starting new ones, or maybe what are the things that are working and we shouldn't touch because they're working well, so continue doing them. In other words, what are our triggers for sound digital policies? With us today is Bill Sytsma, who works with some of the largest financial institutions in the world to combat fraud and educate businesses on the importance of proper authentication. He has over 20 years of experience in the industry. He's well-equipped to talk to us about breaches, consumer trust around the globe, and how to get security right in a world of emerging technologies. Bill, thanks so much for taking the time to share your insights with us today, and welcome.

[00:01:34] BILL SYTSMA, guest: Thanks, Kristina. Much appreciated.

[00:01:36] KRISTINA: Bill, we previously covered various security areas. We've talked a little bit about having insurance in place, if you will, for breaches, but I'm curious to hear your perspective on the financial sector, given that's your background and obviously an area that's so critical when it comes to security and breaches. What are you seeing when it comes to consumer trust and digital security in that sector?

[00:02:00] BILL: When it comes to digital trust, what we're seeing is that a lot of the end-user customers are a bit concerned about how is my information being utilized, how am I being protected. And then also who actually has access to that information in the back end. Because, as you brought up, were data breaches, how is my information stored? What type of information is being used, for those types of things? So from our perspective, from a Callsign perspective, what we're trying to do is work with our banks and in our communities to be able to leverage technology that allows you to authorize, for example, you, Kristina, but not capture your PII information. So we're looking at digital identity in regards to where your device is coming from, the device itself. How do you interact with that particular merchant or your bank? And by looking at that information, we're actually able to create a digital representation of you but not have to know your name. And so we actually go down to the individual level so that if someone were to take over, for example, your account, they had your username and password and tried to log into your account, for example, we would be able to look at different nuances to say, that's actually not Kristina trying to log into her account. And so with data breaches, what we've seen is organizations, whether it be organized crime or individuals who take that information, and what they'll do is they'll write scripted attacks against different sites, so it could be banking sites, merchant sites, it could be a number of different digital properties and the ability to be able to have that protection in place.
So if I guess you're using a password, in the past, I was actually able to get into your account and the problem with that is a lot of people use the same username and password for their mobile parking that they did for their bank, that they did for retail merchants, and if I got into one now, I had access to a lot of your other data and a lot of your other sites. So for us, that ability to be able to recognize that activity, we don't need to capture the actual username and password, but we can look at how you enter that information and how you typically put that in. And then also how you typically bank or go on particular sites, and we can use that information to actually protect the customers.

[00:04:37] KRISTINA: You mentioned understanding maybe where's my device or which device I'm even using, but what type of data are you collecting about me? What kind of information are we talking about beyond just which device or where that device is located?

[00:04:49] BILL: Sure. While the device is foundational, for us, if I can capture the information, location, and different things of the device, and then I combine that with behavior, now, what I can do is I can say that we know that this is Kristina coming in, logging in. This is her typical behavior as she logs in. So is that she's not under duress, for example? So in the case of, for example, elder fraud, where people are being coerced into sending money out, right? Leveraging, for example, like a Zelle network. We can actually look to see the different patterns and, based on our models, say, this is how she's typically banking; she's gonna make a wire transfer. This is not outta the norm. And just by different patterns, by different hesitations, things like that, that type of behavior, we can say, Okay, allow this transaction to go. In the case where we see pauses, we see other nuances that are not typical of the way that you're doing your online banking; for example, we could actually interject in the session as well and ask certain questions. And this is stuff that we're developing with the banks themselves. Social scams, social engineering, that's really where our technology really shines. So it's a combination of, as I mentioned, a device, and its location, but it's also that behavioral component as well as how you typically interact with a particular site.

[00:06:16] KRISTINA: Bill, why not just biometrics? Why not continue to use my thumbprint, or why not just use my facial features? It seems like if it's good enough for Apple and my iPhone, it should be good enough for my bank because that's how I sign onto everything these days, right?

[00:06:31] BILL: Yeah, and that's actually a good level of authentication, but the problem that you have with APP fraud, right? Authorized push payment, is that it's you, right? It's your device; it's your location. It's actually you authorizing that payment to go out. But the question becomes, who's behind that? Who's actually walking you through sending that payment out? So, for example, in real-world experience, I had one of our family members, they got a phone call; it was actually from a local government up in Massachusetts, and they said that they had someone that was in jail they didn't wanna prosecute for certain reasons and that if they could just wire money, but, just for the fees and the attorney fees and everything else, they would just allow this to go away. In that case, they almost got to the point of actually sending that money out. In a lot of cases, people have sent money out, right? They've sent money to the IRS, they've sent money to the police, to a number of different things. So even with face recognition or putting in your user, your password or your thumb, you've authorized it and in fact, you've authorized that payment to go out. Then the question sits. I fraudulently sent that out. Who's liable? And that's really what's happening right now is there's just a lot of questions about where does that liability sit. And I think that's the concern right now with the banks is where does this actually sit? Who is liable for that payment that went out ‘cuz you authorized it? So those are the challenges that they're dealing with today.

[00:08:10] KRISTINA: It's a very innovative and interesting way to address the issue, especially from a financial fraud perspective. I think I read last week that one in 15 people are becoming victims of identity fraud, and it's like them giving away their information one on one. It's not like some cryptic crazy; I got hacked. It's like, no, somebody called me up, and I gave them the information because they sounded legit. So it's sort of interesting to me that level of scamming is happening, and with the technology being as rampant as it is, and we're all talking about, okay, we're almost to the metaverse, we're getting into VR, how does that start to work from a security perspective? Because a lot of the things you're talking about, to me, I'm maybe going to the darkest place I can think of, which is what happens when there's a digital twin that looks, sounds, and smells exactly like me in the metaverse. Bill, help me out with that one.

[00:09:02] BILL: I think that's, that's the key, right? If someone harvests your information and tries to use it, and even, you're seeing now deep fakes in regards to your face or your voice, whatever it might be. The thing that can't be mimicked is your behavior, so how you hold a phone, how hard do you press down? Do you swipe? Those types of little nuances are very much individual. And so that's where the idea of understanding in kind of a holistic approach of the device, location, and behavior is critical because I can harvest all your information and I come in through a different device, I can flag that as a different device, I can see that it's a different location. In fact, what's probably happening is that if I harvest this information, I'm probably using a number, it could be, you know, a hundred people's information and trying to log into those different accounts and test it in a variety of areas. So, in that case, from a device perspective and location perspective, we can solve that. The biggest issue that we're trying to solve for today is, again, if I have, it's your device, and you're the one authorizing. Being able to look at that behavior. So I think all those aspects need to take place. And then how do I authenticate you right in that process, and making sure that when I'm authenticating you, I'm doing the right level of authentication, so that if I know, it's you, I know it's your behavior, maybe this payment you're making is a little bit outside your normal. So maybe I'm just doing a simple swipe, for example. Or maybe it's a pin. We're trying to remove as much friction from the process as possible as well because while it's important to fight fraud, you have to remember that the majority of transactions are actually good transactions. So from a positive perspective, if I know it's you, I don't need to interject; I don't need to put any type of friction in place. I can allow you to move. 
Make your payment, right, make an account update, buy that particular product and move on with your day ‘cause the last thing you wanna do is create such a negative customer experience that you abandon the process.

[00:11:19] KRISTINA: How does that work, Bill, for individuals, from a consumer perspective, who maybe aren't in the digital sphere? I'm thinking about my 82-year-old father, who, unfortunately, doesn't have a footprint in the digital space. Where are you going to learn his behavior to actually start to drive the opportunity to recognize whether it's him or not? So, is there a population that just can't onboard to this level of security or this level of authentication? Are they going to be left behind? What's the deal for those individuals?

[00:11:50] BILL: Yeah, I think that's really the challenge, especially as you see like banks, for example, closing down branches and things like that. And I think through the pandemic, you saw a number of people that probably wouldn't have gone electronic, wouldn't have gone digital, were forced to go digital. The problem that you have with forcing people that are not comfortable with technology going into the digital environment is they're not going to be as tech-savvy, right? So what happens is when you land up having to register yourself for your bank, and then all of a sudden you get an email that says, Oh, you have to update your security profile, and it's a phishing exercise, right? That's really the challenge. And so that's really where the onus lies on the banks and these merchants to make sure that they have the right technologies in place. Now, because this is the digital world, in the case of someone that's not going to ever log into their online account, we're only going to go to the branch. You're right; then we're not going to have that digital representation. And then, because of that, the chances of them being scammed and using a Zelle or things like that are pretty minimal. So in that case, I think that they're okay. It's those that were, again, forced into the digital world that really didn't want to be in the digital world, that area of vulnerability. And I think by having technology in place that protects them, that makes sure even if they fall for giving out their credentials to someone, that if those credentials are attempted to be used, the banks have the ability to stop that and block that. And the other thing is, for that, the right liability has been set, right? So if my account gets compromised, the banks are going to, have been, have already used to setting up that type of a policy, right? My credit card gets stolen, for example. Those processes have been in place.
And again, I think that's where, uh, in this new universe of authorized push payment, that's where it's still being kind of figured out, if you will, right where that liability sits.

[00:14:08] KRISTINA: And how does it get impacted by geographical location? You mentioned that we have some of the policies worked out from a bank, authorized retailer perspective. But when we expand the scope and talk about this outside of the United States, west to east, north to south. There are a lot of differences there in terms of how people bank, how they behave, and what digital they're involved in. So how does that work for different financial institutions around the globe?

[00:14:30] BILL: Well, I think that for in certain countries there, they're actually more advanced than we are in certain areas of mobile, so in a lot of cases, they're mobile only. So in the States, you're seeing, it's very heavy on the web browser. So you're using your laptops, you've got your iPads, you've got your phones, and a lot of other countries, it's just mobile only, so those apps are basically dedicated to those platforms. So in the States, you've got a broader perspective, Canada as well. The ability to protect in multiple channels is also critical, as being able to tie that together. So if I've got one device associated with one account, for example, that's easier than if I've gotta tie your iPad with your Mac, with your iPhone, or how do I tie all that together? So having a technology like ours is able to pull all that together, whether it's a one-to-one relationship or maybe a one-to-many, per account is critical, right? And again, that's that underlying infrastructure that it's able to tie that together.

[00:15:36] KRISTINA: Wow, this sounds like such a great opportunity, and I'm thinking about maybe some of the new security ways that financial institutions are interacting with us. For example, I recently had to authenticate my voice several times. I don't know if voice authentication includes part of what you're talking about or not, but at some level, you're still tying a broad set of data about me. And at some point, you have to tie it to my account or to something that still identifies me fundamentally. So what happens when a breach happens to that data? Like how are we ensuring that this isn't just the next level of cat and mouse and we're staying one step ahead? The bad guys are going to get two steps ahead soon.

[00:16:16] BILL: Yeah. And that's where it has to be that layered approach, right? So to that point where it's voice, it's face, it's fingerprint, from an authentication perspective. That next level could be a pin, a swipe from an authentication. And then it's also just kind of going back to validate that it's the same device that typically is associated with that account. Because even if I am able to harvest that information and try to leverage it, I don't have your device or maybe what I've done, I've used what's called a remote access Trojan, and I've actually gone through your device to your account. Again, looking at the different anomalies to be able to detect them is critical, right? And so having that holistic approach is really what's needed in order to stay ahead of the frauds, of the fraudsters, because to your point, they're getting more and more creative. There are other technologies that can fake the browsers that you're using that can do a replay of your browsers. So again, ensuring you've got a layered approach to security is important. Not only for the individual making sure that they've got the latest code installed on their devices, but from a banking perspective or from a merchant perspective, making sure that they've got a multilayer approach as well when it comes to securing their customers, not only their internal data, so the customer data that they're retaining, but also the interaction as well. And I think eventually what you're gonna see is how do I then tie that all together, right? The banking information with E-com, right? With the different merchants, with the government? How do I start to tie that together? And I think you're gonna start to see some of that have to take place, ‘cause at some point you'll see that the government is gonna say, What is this digital identity about? How do I regulate that to make sure that there's an advantage to be able to leverage that for the purpose of securing their customer?
I don't think we're there yet. I think we're gonna be building to that. But again, as you know, more and more this is going digital and so to be able to protect against the fraudsters is just key.

[00:18:24] KRISTINA: So what does the landscape look like? How many financial institutions have already bought onto this way of authentication? Where are we? Is this the norm?

[00:18:34] BILL: From an authentication perspective, all the banks have the username and password. That's the standard today. The level of authentication you're seeing, for example, OTP being utilized today, but OTP was really never meant as a security protocol, right? And so now the question is, do we need, is that next step going away from password? Because at the end of the day, a lot of your information, as we know, is compromised; it's out in the wild already. So it's a matter of how that information is being used against you. So the ability to actually start to move away from passwords, I think, is gonna be that next tier. I think people are not yet ready to get to that point, but I think eventually you'll see that where people are more and more comfortable with just being able to log in. I mean, you see that kind of today with your face, you hold up your phone, it's actually authenticating you, even though there's a user password behind it. And so eventually, I think you'll start to see that more and more of this is gonna go passwordless.

[00:19:35] KRISTINA: Oh, I'm looking forward to that day. Passwords are the bane of my existence, Bill. I'm like, if I could change one thing, it would be able to retire my Lastpass account!

[00:19:43] BILL: There you go!

[00:19:44] KRISTINA: I'm curious too, just to think about, we're talking a lot about the financial sector; you brought up a good point about the government probably going to go in that direction. It seems to me that this is so critical that we should all just take a big gulp of air and leap forward and do it right away and agree that 2023 is the year that we're going to be all in this new realm of security. What are some of the obstacles to that? Why can't we all just make that big leap forward and be secure starting as soon as possible?

[00:20:11] BILL: Well, I think the challenge you have in the States, for example, is privacy laws, so you have strict laws in California, you have it in Illinois, but there's really not a universal platform or privacy laws. So I think that's probably gonna be the first place that we start that says, Okay, if we're gonna pull this data together, what does this data actually look like? How is this data used? How is it authentic? How do we authentic? So I think that's probably, for us, is some of the bigger challenges. GDPR, for example, in Europe and UK for example. I think that's a process that they've encompassed for the country. We need to adopt something similar to that, right? Versus going state by state. So I think that's probably gonna be the first area, but I do see technology conversions taking place as well. And again, I think the question becomes does this technology drive it or do we actually get ahead of it and create policies? So I think that's the challenge that we have right now.

[00:21:15] KRISTINA: Are you seeing a direct correlation between consumer trust in organizations that are able to use that type of authentication? Because to me it seems like maybe it's a little bit creepy that you know so much about me, but I do like my iPhone being able to unlock everything that I like to connect to. I don't like to remember passwords. And so, yeah, it's creepy that Apple knows my facial features and eyes, et cetera. That's like a trade-off I'm willing to maybe make in exchange for the comfort, convenience, ease, the not having to pay the $35 parking tickets. And so, it's, it's a balance there, but how do you see consumers adapting to that? Are they excited? Are they uncertain? Do we need to have an onboarding mechanism for them to explain this?

[00:21:57] BILL: Well, I think there is, in a lot of cases, onboarding policies; the question becomes, do people look at it? It's kind of like your user agreements. How many people just kind of scroll to the bottom just to hit accept and move on? And I think that's the bit of a challenge is that it's interesting because people are on social media, are willing to share everything and anything, and then when it comes to the privacy of their accounts and things like that, there's almost a negative connotation to that, right? And so the question is, how do we bolster that? How do we get that digital representation and make that more of a positive experience, right? And so I think that's kind of the things that we're. Those are some of the challenges I think that is taking place now because a lot of this is used to be able to, again, authenticate you, to be able to allow you to go do what you need to do from a banking perspective, e-commerce or whatever it might be. And so I think having that balance is critical.

[00:22:59] KRISTINA: And how does this also impact the youngest of the young? When my son was five, we introduced him to the concept of saving money, being able to save it, donate it, and spend it at some point for a toy, et cetera. It was so exciting, and so, yeah, you know, I was helping him out, but it was his account. It has his name and social security at the bank, and as he's gotten older, I thought about how we tie into a credit card. But we're also talking about children under the age of 13. We're talking about the fact that we had the Children's Online Privacy Protection Act. You can't collect their information. How do we start to educate the youth and bring them into the same kind of authentication schema? Because they are coming up the pike behind us here. How are we going to get them into the ecosystem of security?

[00:23:42] BILL: I think from a lot of their perspectives, they look at it as the bank or whatever application I'm using is to protect me; they're already coming in with the assumption of it's there, right? The technology's in place, so if something happens, these organizations are gonna protect my data or protect me, or, you know, the liability sits with those organizations. But I think what we should be doing at a younger age is kind of talking with students about this digital age, what it means to be in the digital age, whether it be social media, because of the idea of social engineering and all the different things that are taking place, but also what rights do they have versus, when you're giving out your data, for example, your information, what privacy protections are in place? I think they already think it's there, so there has to be an educational process. But again, I think this is also where universal privacy regulations and laws, however you wanna define it, are critical as well. ‘Cuz right now it is a bit of the wild, wild west on, okay, what do I do with this? I have this individual data, right? So whether you're using social media or whatever it might be, how are those being used, and how do we make sure that we are protecting the youngest and the elder as well, on both sides, to make sure that there are levels of protection in place?

[00:25:07] KRISTINA: So the universe of listeners out there who are kind of going like, Bill, this sounds so great. I'm sitting in an organization that does none of this, or I don't know if we're doing any of it. We probably do have flaws in digital identity methods. There's an opportunity. What do you want them to step away with or do or ask next? What should they be thinking about, or what can they do within their enterprise to take security and authentication to the next level?

[00:25:34] BILL: So from that perspective, I think it takes an audit of what they're currently doing. Understand the processes that they actually have in place versus what they think they have in place. Because there's actually sometimes a pretty big gap in that. And I think once that's done, then it's really, okay, what do I need to do to make sure that I'm filling in those gaps? I think from an organizational perspective, I think we all have a responsibility to protect our customers' data. And I think that's beyond just reputational risk; that's just, I think, just good corporate business. A lot of organizations, they wanna do that, to the question of do they have the proper pieces, the people, because sometimes it's just about having the right people in place to be able to implement some of these things. And so I think, and especially with today's technology, it's becoming easier and easier to implement that type of technology. And I think sometimes it just seems like it's a big onerous process, but in fact, if you follow a step-by-step process, you can actually get there, and in the end, what you're doing is, again, you're driving a lot of the friction outta your environment. So it's a benefit to the customer, but you're also removing a lot of the fraud out of that space as well. So again, the ability to balance that friction versus fraud is also important.

[00:27:04] KRISTINA: Those are two great points! Thinking about it, beyond fraud, beyond security protection and data breaches, really to taking out the friction with the consumer experience, making sure that it's easy, fast, and natural, I think is what you're talking about here. So that sounds good to me. This is great. Thanks so much, Bill, for coming by, talking to us, and really helping us think through the security aspects and the consumer digital trust in a more knowledgeable way. I'm sure that people will have a lot of questions around, gosh, how do I start to balance out those conversations, doing some of the audits? Where's a good place to go and get more information for everybody who wants to either learn more or they want to get started and ask the right questions within their enterprise?

[00:27:43] BILL: They can start by going to our website callsign.com, and there's a lot of information there. There are some videos and things like that. And beyond that, feel free to reach out to me, Bill Sytsma, at callsign.com. So, looking forward to having a continued discussion.

[00:28:02] KRISTINA: Thanks so much, Bill. Appreciate it, and we'll definitely take you up on that offer. So, look forward to an email or two, and one's going to come from me for sure. So, thanks to everybody else for listening. Be well and continue to do good policy work, and we'll talk to you next time on the Power of Digital Policy.

[00:28:17] OUTRO: Thank you for joining the Power of Digital Policy; to sign up for our newsletter, get access to policy checklists, detailed information on policies, and other helpful resources, head over to the power of digital policy.com. If you get a moment, please leave a review on iTunes to help your digital colleagues find out about the podcast.
