Can you please share with us some details regarding your professional background and what drew you to this idea of keeping the digital space safe?
When the iPhone was released in 2007 the world changed yet again. I immediately began investigating how to use built-in sensors like the accelerometer, GPS, magnetometer, proximity, and gyroscope to further investigate your motor control behaviour by how you touched, held, and interacted with your mobile device. This exposed many unique signatures like whether you were right or left-handed, the size and shape of your fingers, and your overall touch dexterity. This was a real breakthrough. Today, many large enterprises are using behavioural biometrics or what Gartner Research now calls ‘continuous authentication’ to detect the true user enrolled.
The main problem with biometrics such as facial, voice, and fingerprint is day one identity verification. How does the system know it’s you responding to an SMS message or touching, speaking, and taking a selfie picture using the mobile device?
This led me to co-found a company called Confirm, back in 2015. I wanted to solve the remote biometrics identity problem by using a mobile phone to take a picture of your passport or driver’s license, along with a selfie picture. Using AI, specifically machine learning and computer vision, we developed a way to biometrically match the selfie taken to the photograph on the ID. Also, we validated that the government-issued document was also physically real, unaltered, unexpired, jurisdictionally accurate, and contained the minimum amount of security features available based on the use case.
This new capability enabled industries, including banking, insurance, ecommerce, and healthcare, to provide a safe and effective experience for consumer digital onboarding, coupled with being able to bind this verified identity to a classic physical biometric for future identity reauthentication into a system.
Considering how sophisticated fraud has become nowadays, what are the main questions businesses should ask when it comes to platform security?
First of all, businesses should be creating internal red teams or hiring red teams to attack themselves and look for vulnerabilities across their ecosystem, partners, and suppliers. There are many big questions to be answered, too many for this article. That said, I would ponder: how can I get to be attacked at scale? Do I have a continuity plan for my platform? To what extent am I vulnerable to digital spoofing?
If we think of balancing security with UX – this never-ending quest – how can businesses fight fraud without affecting customer experience?
The delicate friction balance will always exist. My advice would be to break up identity use cases into smaller parts looking for opportunities to fast check and verify consumer identity. I would focus on workflows that both protect consumers, while also providing the best frictionless experience. An example would be the credit card industry. Instead of performing an exhaustive multi-modal MFA (multi-factor authentication) identity inspection for digital enrollment, simply verify the minimum amount needed to issue a lower credit amount. Alternatively, focusing on the development of intelligent authentication based on behaviour will enable attention on specific transaction types such as change passwords, add a payee, wire money, and other consumer options where a profile change or action creates an opportunity for fraud.
Often big techs such as Facebook or Google develop their own in-house fraud prevention solutions/platforms. How do you see this phenomenon impacting the fraud prevention industry? Is this an opportunity for competition or cooperation?
It is both competition and cooperation, but not a new phenomenon. Big companies with large budgets, world-class engineers, and unique perceived problems, both real and imagined, will partner with providers and use 3rd party software. Oftentimes they acquire the company if they cannot build it themselves, as they did with my own company back in 2018.
More and more companies are offering digital services enhanced via virtual personal assistants (VPA) – e.g. Amazon’s Alexa, Apple’s Siri, and Google’s Assistant. What is customers’ perception of security when it comes to these devices?
I can speak to my knowledge owning one of these devices or opinions coming from family, friends, and co-workers. Overall there is a worrying perception that all these brands are listening devices and violating consumer privacy, especially in the US, which doesn’t have the enacted General Data Protection Regulation (GDPR) laws on data protection and privacy as the European Union and the European Economic Area have. Because these devices capture and store conversations and buying patterns in the cloud, they are also susceptible to hackers who could exploit the privacy of what you said, how you said it (regional dialect), what you buy, when you do it (time/date/frequency), and who else in the household has buying privileges (spouse, partner, friend, child, visitor).
To conclude, what advice would you give to the so-called platform-businesses in order to boost their security?
Test against yourself! No one knows more about your architecture, micro-services, cloud, tools, and related software to run and maintain your platform. Reward your engineers to find and solve problems! Demonstrate to your customers and partners that you take customer data and privacy very seriously. Highlight your pen-testing compliance results, SOC1/2 audit, and the organisation’s overall internal controls, regulatory, and IT compliance.
About Ralph A. Rodriguez
Ralph is a former MIT Fellow & Scientist focused on applied identity intelligence at Facebook. Previously he was the Co-Founder and CTO of Confirm.io, which Facebook acquired in 2018. As the longest serving Fellow at MIT, he pioneered research on AI, cloud, mobile, neural science, and security at the MIT Media Lab and Harvard-MIT Health Sciences and Technology (HST) department. He holds a Sc.D. in information systems and is a graduate GPMD-MBA at IESE Business School, Barcelona, Spain. He is a US Army intelligence veteran of the Persian Gulf War in 1990 and holder of 21 US patents.
About Summit Partners
Founded in 1984, Summit Partners is a global alternative investment firm that is currently managing more than USD 19 billion in capital dedicated to growth equity, fixed income, and public equity opportunities. Summit invests across growth sectors of the economy and has invested in 500+ companies in technology, healthcare, consumer, financial and business services, and other growth industries. Summit maintains offices in North America and Europe and invests in companies around the world.