Andrew Nash, Confyrm: "New online attacks are perpetrated and discovered daily"

Thursday 6 November 2014 10:09 CET | Editor: Melisande Mual | Interview

Simple event notifications that describe how recently an account has been created would aid in the risk evaluation process

How can Confyrm’s products and services enable clients to protect their digital identities?

The way Confyrm does this technically is through propagation of operational identity system events. These identity events originate at authoritative sources including the business entities that manage accounts such as identity providers and service providers. Confyrm’s Early Warning System (CEWS) facilitates sharing events so that attacks that begin in one segment of the identity ecosystem can be detected before other dependent sources are exposed.

Just one real-life example of this is the “Password Reset” process, which is used in almost all online accounts including those at merchants, payment companies and other financial institutions. If a user clicks on the password-reset link at a website, an e-mail message containing a unique URL will be sent to the user – when this link is clicked you will be queried for a replacement password. If the e-mail account that is used as the communication channel has been subverted by a bad guy, the owner of the financial account is about to lose control of their finances. CEWS would allow a warning event to be generated at source, i.e. the e-mail account provider, that is then evaluated by the financial service provider when a password reset occurs.

Could you elaborate more on Confyrm’s two-year NSTIC pilot project that is aimed at pointing out ways to minimize loss when criminals create fake accounts or take over online accounts?

We are really excited about the work we are doing for the NSTIC programme. NSTIC has recognized the massive growth and importance of identity systems, and that distributed identity attacks increasingly expose individuals to loss and harm. CEWS enables notifications and queries that support the efforts of online services to determine if the online contact information is valid and in the hands of the rightful owner. In support of the NSTIC program guidelines, the identity of the real individual is not revealed during the event reporting process, allowing fraud detection information to be shared whilst eliminating the risk of sharing personally identifying information. This is how CEWS is fundamentally different from the fraud prevention systems out there today. One of the most common attack vectors in a fraudulent online transaction starts with the creation of a new e-mail account created with the express purpose of hiding previous fraudulent activity. Simple event notifications that describe how recently an account has been created would aid in the risk evaluation process for new account registrations or online checkouts.
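The password-reset check and the account-age check described in the two answers above, sketched from the receiving service's side. This is an added example, not Confyrm's code or the CEWS event format: the event names, the keyed-hash subject identifier, the thresholds and the `evaluate` function are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical key shared by event sources and receivers, so that events carry
# a keyed hash of the e-mail address and never the address itself.
SHARED_KEY = b"constructed-demo-key"

def subject_id(email: str) -> str:
    """Pseudonymous subject identifier (assumed scheme, not Confyrm's)."""
    normalized = email.strip().lower().encode()
    return hmac.new(SHARED_KEY, normalized, hashlib.sha256).hexdigest()

NOW = datetime(2014, 11, 6, 10, 0, tzinfo=timezone.utc)

# Constructed sample events, as an e-mail provider might publish them.
EVENTS = [
    {"subject": subject_id("alice@example.com"),
     "type": "account_compromised", "at": NOW - timedelta(hours=3)},
    {"subject": subject_id("mallory@example.com"),
     "type": "account_created", "at": NOW - timedelta(hours=1)},
    {"subject": subject_id("bob@example.com"),
     "type": "account_created", "at": NOW - timedelta(days=900)},
]

def evaluate(email, action, now=NOW, events=EVENTS,
             compromise_window=timedelta(days=7),
             min_account_age=timedelta(days=30)):
    """Return 'deny', 'step_up' or 'allow' for the requested action."""
    sid = subject_id(email)
    mine = [e for e in events if e["subject"] == sid]
    compromised = any(
        e["type"] == "account_compromised"
        and now - e["at"] <= compromise_window
        for e in mine
    )
    if compromised:
        # The e-mail channel itself is suspect, so a reset link must not
        # be sent to it; other actions need extra verification.
        return "deny" if action == "password_reset" else "step_up"
    recently_created = any(
        e["type"] == "account_created" and now - e["at"] < min_account_age
        for e in mine
    )
    if recently_created and action == "registration":
        # A freshly created mailbox raises the risk of a new registration.
        return "step_up"
    return "allow"
```
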

In your opinion, what would be the best approach to reduce the risk of online fraud?

Many approaches allow online fraud to be reduced. What CEWS adds to the available set of risk evaluation factors is a set of authoritative event assertions from online account managers. As fraud risk and security professionals we have all been aware for a considerable time that simply participating in an environment that supports sharing fraud indicators will dramatically decrease the impact of online fraud. CEWS creates a sharing infrastructure or community that protects the brands of commercial entities that share events, and in a unique way that is also respectful of the individual’s privacy.

The online environment is changing at a faster pace. What is the impact this constant development has on online security?

New online attacks are perpetrated and discovered daily. Addition of new and varied online service providers such as payment providers, merchants and identity providers creates additional sources of attack against the online ecosystem. CEWS provides an event notification system where new types of events and recognition of large-scale attacks can be deployed without requiring changes in the event notification infrastructure, allowing us all to be more responsive to the changing nature of online attacks and fraud.

What are some of your company’s plans for the future?

We are aiming at making a real difference to reduce online fraud, and make the internet a safer place for everyone engaged in it, but critically we aim to do this without abusing customer privacy and storing personal data.

About the author

Andrew was Director of Identity Services at Google and Senior Director of Identity Service at PayPal. Andrew has developed consumer identity vetting and verified information systems as CTO for Trulioo, and as CTO at Sonoa Systems and Reactivity he built XML and Web Services Gateways. As Director of Technologies at RSA Security, Andrew worked on a wide range of identity and security systems.

Andrew has been a board member at the OpenID Foundation, Open Identity eXchange and the Information Card Foundation.

About the company

Founded in 2012, Confyrm’s mission is to increase the safety of internet users and their online transactions by providing alerts when criminals create fake accounts or take over online accounts. Confyrm uses their groundbreaking “shared signals” model to mitigate the impact of account takeovers and fake accounts through early fraud detection and notification, with special emphasis on consumer privacy.

Confyrm’s solution, Confyrm Event Warning System (CEWS), enables individuals and organisations to experience improved trust and confidence in identities online.

Keywords: Andrew Nash, Confyrm, online attacks, digital identity, online security, risk evaluation
Countries: World