Remote Caller Identity Verification
Join Robert MacDonald and special guest, Mike Engle, for IBA Friday. In this week’s episode, they discuss remote caller identity verification.
Video Transcript
Rob MacDonald:Hi, everybody. This is Rob MacDonald. Welcome to IBA Friday. I am without my cohort today. Sheetal is on vacation. She's enjoying her time, I believe, in Hawaii, so we're a little bit jealous. But to backfill Sheetal today, I brought along my best buddy, Mike. Mike, how are you doing?
Mike Engle:
I'm doing great. I'm doing great. It is Friday, and we have IBA, don't we?
Rob MacDonald:
We do, yeah. Just for everybody, to replace Sheetal today, I brought a beer. It's a coffee porter, so it'll keep me awake. It's brewed locally here in the village that I live in, so I'll be drinking that today as Mike goes through our discussion. Mike, I think many people probably know who you are, but if it's somebody's first time coming in to watch our IBA Friday, tell everybody a little bit about who you are and what you do here.
Mike Engle:
I'm one of the co-founders. We started this many moons ago with the goal of proving who people are and getting rid of passwords. In the one cosmos, the one universe, having one identity anywhere you go. We're working on that, and we're going to show a little bit of that today, applied to some pretty exciting use cases. My background is in information security. I've been doing it before it was called that, so a very long time back in the '90s, did it for some Wall Street banks. Then here I am, spreading the good news about identity now.
Rob MacDonald:
Yeah, that's cool. We are going to talk about an interesting use case today, and it's a hot topic, especially since the MGM and the Scattered Spider attack, help desks, and specifically account updates, whether that be a credential reset, lost phone, whatever that might be, seem to be an attack vector on the rise. The issue is that we can't tell when somebody calls the help desk that it's that person, right?
Mike Engle:
That is right, yeah. When you call somebody, this is how many, many phishing scams operate, you can't tell who it is it's calling. That becomes a real problem when you're calling the corporate help desk and saying, "I am Johnny Administrator. I need access to..." Or even just a regular user. Once you get past that VPN or whatever it is, there's a lot more possibilities that you have to go find your way around.
Rob MacDonald:
The way in which people are typically identified are through some sort of knowledge-based type questions. What department do you work for? Who's your boss? What's your last name? What's the phone number we got on record for whatever that might be? And those things are all easily found on your LinkedIn profile, on your Facebook profile, on your Instagram profile, Mike, on your TikTok profile. Those things are all discoverable, and that's really what the bad guys are using. They're calling in saying, "Hey, I'm Mike Engle. I did some research on Mike Engle." To that, calling and finding out what those knowledge-based questions are so then you can go do the homework. Calling in, "Oh, these are the questions they're asking. Okay, we'll go find the answers, then we'll call back. We'll get the answers and we'll be good." There's all kinds of ways around it. You and the team have come up with a pretty elegant way of figuring out how you can prove someone's identity when they call in. Why don't you tell us a little bit about what we've got cooking here?
Mike Engle:
Yeah, yeah. I'll tee it up here for 60 seconds, then I'll just show it. Picture worth a thousand words. We're really good at reaching out to somebody remotely and asking them to prove who they are. We can do that for new hires, for new bank accounts, in the spirit of KYC, do it for the federal government before you can log in and do your taxes or your health stuff, whatever. Prove who you are. Those are common use cases, especially in healthcare where you have really sensitive stuff and you have to prescribe controlled substances. That's our superpower. What we did is we packaged this up and had it applied to the help desk/remote caller environment. Just drop it in, help desk agent clicks and sends a message to the remote user, and they prove who they are. To your point, yeah, the KBA, the knowledge-based answers or whatever are very much... They're tired, they're being extorted by bad actors, and it's where hundreds of millions of dollars of ransomware payments have been paid out, in those types of compromises.
So let's fix it. Again, just jumping in here and showing a quick video of what this looks like. This is our remote caller verification slide, but this is real production stuff. The beauty of this is you drop it in and can literally start using it today, because the remote verification is decoupled. You don't have to go get an app and authenticate as a remote user. Let's let the tape roll here. You have a help desk agent on the left. That could be in the office, home, doesn't matter. They authenticate, typically using 1Kosmos password lists, as you're seeing here. Then they're reaching out to the remote user. They ask them for their phone number, and now that the remote user takes over. In seconds, they will scan the front, the back, fraud checks are done. Let's watch this here, show you how it works. But it happens this quick. They just did the front. They just did the back, and then we match it to the selfie. Next step is to make sure the driver's license photo matches the user's face.
There it is. That was about 40 seconds. The user did a full, highly-verified, selfie-matched verification. Help desk agent really just gets a yes or no. There's very simple run books involved here, where they don't have to make any serious decisions. They can take that heavy lifting of trying to prove who it is off the table. It's really that simple. We support documents from about 200 countries, thousands of document types. You could use passports or state identity cards, national cards. It's just a really flexible, easy to use process. And when you want to integrate it very tightly, you drop it into ServiceNow and put it into your flow. Then you can go tap into the HR database and get the phone numbers. Really, sky's the limit on this.
Rob MacDonald:
That's amazing. Now we know with confidence, a high level of assurance, that the user is who they claim to be, that's on the other end of that phone. We've just scanned a whole bunch of PII data there. Where does that go? Does the help desk agent get access to that? It's a leading question because I already know the answer to that, but people on the call probably would be interested to know, "Where does all that information go that we just captured from that driver's license?"
Mike Engle:
There's a lot of rich data. All these things are very sensitive and all of them need to be verified. We have very flexible data retention policies. For example, you can make sure that data is discarded instantly. This is all the stuff that we have access to before. You can see there's really nothing here once it's discarded. All you would have is passed with 92% accuracy, and maybe your threshold is 87%. And you can dial those knobs however you want.
Also, you can set up policies based on the role of the operator. The help desk agent just needs to see this simple yes/no, but maybe you do want fraud or risk teams to see more data. You can apply role-based policies on this stuff. But again, if you want to never have this data as a company, just give me the green check mark, that's really the ultimate in privacy. 1Kosmos would not have access to it, you wouldn't have access to. It keeps things really simple, and far better than answering some questions about your mother's shoe size or your employment history.
Rob MacDonald:
Yeah, absolutely. There's nothing to socially engineer getting to that point. It's scan the driver's license, yes or no. Does it match? Whatever. One of the things we do, Mike, as well, here at 1Kosmos, is that we can go and check against issuing databases like AAMVA, in this case where we did the driver's license. Is that available? Can you plug that in for this type of workflow?
Mike Engle:
You can, yeah. This is an example of some of the journeys and data sources that you can augment this type or really any type of authentication process with. We can verify that they have that SIM in their hand, something called SIM Binding. We could verify the driver's license against the DMV aggregator, called AAMVA. We could go check with credit bureaus to make sure they live at that address. There's some really neat things we can do along this journey. These are all modular. They're microservices. You could do one, all, and really depends on the risk of what operation you're trying to do and how far you want to go.
Rob MacDonald:
Yeah, that's super cool. The fact, like you said, it's a standalone application. You can just drop this into an existing workflow. It's not going to impact run books or call books, whoever you want to refer to them, within these help desks. It fits in and doesn't impact existing infrastructures in any way and supports the net result that they wanted to get out of asking those knowledge-based questions anyway, prove who that user is. A much more elegant and faster way, in some cases. It was 40 seconds, I think it said, start to finish?
Mike Engle:
Yeah, it's much faster. When you start having to ask user secrets and things like that, it takes a long time. Then you probably won't end up trusting that, and you'll have to do other things anyway. It's easier, faster, better. I call it checks all those boxes.
Rob MacDonald:
Checks all those boxes. Like you said, if you want to plug it into existing information, you can do that, as well. Which again, could just go that much further into verifying that user. Now, we talked about it from a workforce standpoint, Mike. I'm assuming if we look at it from a consumer standpoint, calling into my bank, similar experience? Exact same experience?
Mike Engle:
It can be, yeah, absolutely. Customers will appreciate it because they don't feel safe when you ask them unsafe things to do. When I get that 2FA for something that's a text message on my phone for something that's really important, I'm like, "Oh, this feels bad. This feels like it could be taken advantage of." Imagine you give your customers this high secure process that's trusted, very clear privacy policies, then they'll feel better about it. They'll have a great experience. It opens up a whole new world of authentication as well that we'll touch on sometime, as well.
Rob MacDonald:
Yeah, for sure. I was talking to my spouse the other day. She was like, "I didn't know that I shouldn't hand out that code that I get from the bank." I was like, "What?" She's like, "Yeah, yeah. I didn't know that you weren't supposed to hand that out." I'm like, "Yeah, yeah, no, don't ever hand that out. If anybody asks for that, you tell them no. Unless you're actually sitting at the bank in front of the teller and then they ask." Those are all the little things where people start to get into trouble.
Mike, I appreciate you coming by and showing this to us today. It's super cool technology and capabilities that we offer, and we have a lot of customers that are looking at deploying this stuff right now because it meets a real need that all organizations that have helped us face right now.
Mike Engle:
Sure. Yeah. No, it's a right time, right place. The threat actors know what they're doing, so do we.
Rob MacDonald:
It's all about staying one step ahead of the bad guys. All right, Mike, listen, I appreciate you coming by, like I said. Everybody, thanks for coming by to watch another IBA Friday. We appreciate you watching us, and we'll talk to you again in a couple of weeks. Thanks.
Mike Engle:
Likewise. Thank you.