Aviva Zacks of Safety Detectives had the wonderful opportunity to sit down with Robert Prigge, CEO of Jumio, and ask him about his company’s KYX Platform.
Safety Detectives: How did you get started in cybersecurity and what do you love about it?
Robert Prigge: My interest in cybersecurity was sparked in college when I was studying electrical engineering at the University of Illinois. The technologies and science behind cybercrime have always fascinated me. This includes the advanced technologies used by cybercriminals such as social engineering, phishing, malware and spyware, ransomware, and even AI-fueled deepfakes.
One of my first big jobs was as CEO at Japan InfoTech, a security consulting company, but this was only a stepping stone into the world of cybersecurity. I subsequently led teams at Quest Software, Secure Computing, McAfee, Sterling Commerce, IBM, and Infrascale—companies that were all dedicated to developing technologies and science designed to outwit fraudsters, hackers, and criminals.
The job of making the internet a safer place has become infinitely more difficult for the modern enterprise. Cybercrime in 2020 looks very different than it did 20 years ago. Today, we’re witnessing more sophisticated attacks, the emergence of the dark web, and an abundance of advanced persistent threat actors, most of which were sponsored by nation-states. Cybercrime has morphed from a cottage industry into big business. Attackers developed new malicious programs and techniques, which increased both the cybercrime rate and the number of cyberattacks per day. Trillions of dollars have been lost.
Now that I’m at Jumio, the game is the same, it’s just that the bad guys are incredibly sophisticated. I genuinely enjoy being one of the good guys and helping to make the internet a safer place.
SD: Tell me about Jumio’s technology.
RP: As near-daily data breaches continue to expose personal information, fraudsters can easily access user accounts with stolen information, such as passwords, email addresses, and answers to security questions. Jumio’s technology replaces passwords and other traditional authentication methods by using biometric authentication (using a person’s unique human traits to verify identity) to prevent cybercriminals from accessing accounts, ensuring only the real user can log in.
Jumio’s mission is to make the internet a safer place by protecting the ecosystems of businesses through a unified, end-to-end identity verification and eKYC platform. The Jumio KYX Platform offers a range of identity proofing services to accurately establish, maintain, and reassert trust from account opening to ongoing transaction monitoring. Leveraging advanced technology including AI, biometrics, machine learning, liveness detection, and automation, Jumio helps organizations fight fraud, onboard good customers faster, and meet regulatory compliance including KYC, AML, and GDPR. Jumio has verified more than 250 million identities issued by over 200 countries and territories from real-time web and mobile transactions.
SD: What verticals use your services?
RP: Jumio’s solutions are used by leading companies in the financial services, sharing economy, healthcare, telcos, digital currency, retail, travel, and online gaming sectors.
SD: What is the worst cyberthreat out there today?
RP: As banks have increasingly gone digital, there has been a parallel proliferation of cyberattacks that attempt to damage, disrupt, or gain unauthorized access to the computer systems of banks and other financial institutions. So, while banks are looking for ways to streamline the onboarding process, they must ensure that they build in the necessary safeguards to protect their ecosystems, reputation, and account owners. New account fraud isn’t new, but it’s fast becoming one of the biggest problems in the digital banking era, costing the financial services industry billions each year. In fact, 48% of all fraud value stems from accounts that are less than a day old, according to RSA Security. Moreover, 57% of businesses report higher fraud losses associated with account opening and account takeover than other types of fraud.
Right on its heels is account takeover fraud. Traditional authentication methods including passwords and knowledge-based authentication can be easily bypassed with readily available information on the dark web exposed from previous breaches—over 8.5 billion records were exposed in 2019 alone. With 65% of individuals using the same password across one or more accounts, it’s easy for fraudsters to log in as the real user with the same password across multiple accounts including bank accounts, social media profiles, insurance portals, email accounts, and more. With traditional authentication methods, there’s no way for the online business to know if the person logging in is the account owner or a fraudster logging in with stolen credentials. Once logged in, fraudsters can change passwords to lock the real user out, steal benefits, send emails on behalf of the user, and even transfer funds. By relying on traditional authentication methods, businesses are putting their users at risk for fraud, account takeover, and identity theft. It’s time enterprises adopt stronger authentication methods to verify user identity.
SD: Where is cybersecurity headed in the next few years?
RP: Given security’s current climate, it’s hard to tell which trends will be expedited, which will remain the same, and which are no longer relevant. Two trends we definitely expect to see in the next few years include:
- Cybersecurity will increasingly move toward platform solutions vs. an amalgamation of point solutions. For example, if you’re a large bank in the United States, you may be using as many as 30-40 different solutions for fraud detection, transaction monitoring, and KYC/AML compliance. On the fraud side alone, organizations may use advanced identity verification solutions, alongside behavioral biometrics (e.g., solutions that look at the typing speed to complete online forms), device fingerprint solutions, geolocation services, address validation services, phone/email age information, and a variety of other solutions that provide fraud signals. These organizations end up building their own risk engine that consumes and prioritizes these signals into a risk score that determines not only whether or not to open an online account, but the type of account that gets provisioned. These same organizations will use different solutions for identity proofing and ongoing user authentication, potentially each using a different biometric to anchor the account. Here again, we see institutions using the same biometric (e.g., a user’s face map) for the upfront identity proofing when a new account is getting established and for ongoing (high-risk) authentication events.
- Passwords will become extinct much faster than predicted. As the COVID-19 pandemic pushed more of us to self-isolate, Zoom became the go-to teleconferencing platform. In fact, Zoom went from 10 million daily meetings in December to 300 million today. Unfortunately, this surge in popularity came with a price tag—a lack of data privacy. Now, there are over 500,000 stolen Zoom logins floating around the dark web for just .002 cents each. And this is just opening the door for account takeover attacks via credential stuffing—a type of cyberattack where automated bots use those stolen account credentials to gain unauthorized access to user accounts. And Zoom is not alone. We’ve also seen a rash of account takeover attempts aimed at users of Microsoft’s proprietary Remote Desktop Protocol, striking millions per week. With data collected and sold on the dark web containing usernames and passwords from past breaches, and internet users often recycling the same login credentials across multiple platforms, cybercriminals have all of the tools they need to impersonate a user’s identity online. This means that if your online account is only protected by a username and password, then you’re likely going to be an account takeover target. As a result, password-based authentication, multi-factor authentication, and knowledge-based authentication will be a thing of the past much sooner than previously anticipated, and businesses will look to more sophisticated and secure login options for current and prospective users.