This is Identity at the Center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. I'm doing great. I'm so excited about today's episode. Every once in a while you get a founder who really takes technology and solves a real world problem. I mean, you and I have been doing identity strategy for a long time. And one of the things we always say, how do you know who's calling the help desk actually
is who they say they are, right. And like, how often do we get a good answer? Hardly ever. I think we'll talk about technology today that, you know, could turn that on its head. Yeah, exactly. And I think this is a question that typically comes up. I've asked it so many times in our, you know, client engagements, things like that, and there has never really been a
good answer. This is a sponsored episode that I am actually very happy about because, not that I'm not happy about the other ones, but this is one that solves a real world problem that I have seen come up multiple times. How do you know who someone is when they're calling the help desk? And so to that end, we do have a sponsored episode today. It is with Trusona. It is with the founder and CEO of Trusona, Ori Eisen.
So welcome back to the show, Ori, because this is actually your second time being with us. Thank you for having me again. I'm super honored and excited to be here. Yeah. So we're excited to have you here, trusona.com/IDAC. We're going to have some content there that we're going to kind of talk about through this. You were kind enough to give us a demo, So we might refer to that as we go through the conversation here and it's
recorded there. So we have kind of our own little IDAC spin on that into the demo world that people will be able to visit there. But I'm not going to ask you how you got into identity because we already asked you that question back in 2023, believe it or not. So about a year and a half, maybe almost two years ago, we were at the Authenticate conference and he came in and sat down with us.
So what I want to find out is what's been happening since 2023. Tell us a little about Trusona and then we're definitely going to get into ATO Protect here in a minute. What happened is after eight years of developing the no passwords solution, as you can see, even my shirt is still saying that, many customers asked a simple question. What happens when someone calls in and says I lost my hardware key, I lost my MFA, I don't have a device with the passwordless?
Let me in, hear me out. Even if you take every single employee in a company and you completely retrofit them with passwordless authentication, which I think is an amazing idea, the problem that still exists is when hackers call in and say I don't have that thing you want me to have. Now what? So by talking to customers, we realized at Trusona that the last hole, the last gaping hole in the whole passwordless strategy, is I don't have it. Help me.
And you can see that the call quickly turns to an identity verification effort as opposed to authentication, to be crisp about that. If MFA works perfectly, you don't need what we're about to talk about because people get in and out of systems all day long. But if you're on vacation and your phone falls in the ocean, you just go to, let's just say, the Apple Store and you get a new iPhone. You now need to get back to your
business. However, you don't have that thing that you need in order to get back in there. Why would they give you access? How would you prove to them that it is you, Jeff or Jim or one of our listeners here on the other end? And when you add to it what happened two years ago, which we have to insert into this conversation, is the word Gen AI. When we sat at Authenticate 2 years ago, I guess ChatGPT had just started and people kind of thought about it as a textual tool.
If you look at what Scattered Spider is doing as we speak here, as we're recording this episode, they simply are calling your IT help desk, claiming to be the CSO, even with your voice, or your CEO with their own voice that they have sampled. And good luck to the IT help desk agent to know, is this the CEO berating me to reset their password or not? That is what's new and different. Well, as someone who's been on that call where, you know, you've got people calling and it's like, OK, read it.
You're trying to authenticate callers, et cetera. I remember when you showed this to me, and this is something you've actually been working on for, I think, maybe a year and a half or something like that. But I was kind of like, oh, this is kind of cool. So tell me a little bit about what it is about ATO Protect. And when we say ATO, we're talking about account takeover. And so the goal here is to, yeah, know that it is Jim calling me and not someone pretending to be
Jim, et cetera. So my jaded CISO hat tells me I've got so many security tools out there. Cool, Ori, like, why do I need another tool in my stack? So tell me a little bit more about ATO Protect specifically and what do you think makes it different from other solutions that are, you know, kind of trying to do the same thing? Yeah, I love this and I love this conversation as a practitioner's talk, because you should ask me and everybody else who comes on the show, do I
really need another tool? I mean, we have a toolarama everywhere you go with so many beeps and bops and reports, it's actually becoming harder to know what's going on because of all the chaff, right, as opposed to the signal. To answer your question, I'll say this. Identity and authentication have been close friends, enemies, frenemies, cousins. They were never thought of as the same thing. Let me prove it to you.
You can sign up for a Gmail account today without them really knowing if it's you or Jim. They just don't care to know. As long as you have a unique handle, you can stay anonymous. There's zero identity proofing or identity verification in those kinds of processes. Think about your Netflix account. If you paid with a credit card that was prepaid and was anonymous, they would also not
know who you are. However, when you call an IT help desk, or we'll talk about other use cases that a company could have. For example, you're interviewing somebody to come work for you. You want to make sure they are who they say they are. When a vendor calls your accounts payable and says we changed the bank account, so send us the next invoice to this new bank. Now it's not about authentication, it's about, wait, who is telling me to do this? Who is the true identity on the
other side? So the reason you might need another tool is if we'll focus on the IT helpdesk, even though you can see that there's other things around it. When someone calls and they cannot authenticate perfectly, you are turning the problem from, do you have the credentials I gave you to? I need to know who you are
before I do anything. Anything could be reset that password, reset your MFA, give you privileged access, or do anything that is seriously risky because I can't really tell who's calling me. We have in our industry all kinds of tools for account verification for our customers. For example, if you're a bank and you open credit card accounts or a DDA account, yeah, you scan documents and you do checks and liveness, you do all those things when you open a
consumer account. I doubt that you do the same things today with your employees, and I doubt that you do the same thing when an employee comes in without MFA. Yeah, it feels like I'm so interested to get your take on this, but it feels like when Jeff and I would ask this question 10 years ago in that workforce identity situation, it was something like, OK, how are you verifying people? And it'd be like, well, we asked them their badge number and then
who did they sit next to? Like, knowledge-based. So we say, OK, well, that's a big red X. That's not good. But then you see organizations that, well, we text them a special number, then ask them to read it off to us, or we e-mail that code to the e-mail address we have on file in their HR system. And so you say, OK, that's out of band. It couldn't be broken probably. But you know, you'd have to be a super hacker today. I'm not even so sure that that's
true. Like give us your perspective on that e-mail or SMS kind of scenario. Is that good enough? Well, let's do this. Anybody who listens to this podcast, I assume, reads the news from the security world. If you don't, just open your favorite search engine, put in these two words, Scattered Spider, together, to name off a cyber gang. Pick up any article and go read their MO, their modus operandi,
and the answer will be there. Let me tell you what they're doing and why the answer is absolutely not, Jim. Their favorite tactic is what's called SIM swap. And what that means is they would call your telephone company, and again, if there's no hackers in the audience, you can derive who my telephone company is by the first 6 digits of my phone. It's not a secret. You can tell if I'm with Verizon or AT&T, not a problem.
You would call my telephone company as a precursor to the attack and basically tell them that you are me and you got a new phone and you want to port the SIM, you want to SIM swap the phone. And what happens if they fall for this? And let me explain to you why they do all the time. All the text messages you're about to send me, Jim, will actually go to the bad guy, not to me anymore. Let's take it slow.
The first step is to snip out the real customer from the traffic so they're not even aware that the OTP, the one time passcode you just sent me, did not reach them. Now I'm going to take a step backward. This is not, you know, don't try this at home, kids. I'm not teaching you how to hack, but I just want you to know why this happens and why you have 0 control over it. If you're a CSO listening, you can't control AT&T's processes. You can't control Verizon.
They will do whatever their script says in the call center and unfortunately they might ask me things like my mother's maiden name and my last four of my social and my date of birth to prove to them that I am Ori, the telephone owner, before they SIM swap me. So good luck with that. This is step one in how Scattered Spider gets you to operate as if you are sending it to the real employee. But if you're not checking first, is this phone recently SIM swapped?
You're duped. You're none the wiser. You're now sending all the stuff directly to the bad guy. I'll pause here. No, that's exactly it. And to think that that is that uncommon, I mean, when you hear about these Scattered Spider attacks, that's the exact pattern that's used. And at least there's some really catastrophic data breaches and beyond data breaches where you get to the point where you can really have an operational
impact on a company. You know this, you know, given that kind of backdrop, because I'm not a true believer, this is not something that is some kind of far out, yeah, that's never going to happen to me kind of scenario. It very well could if you don't have the right protections. And look, I don't want to say company names, but some of the household-name breaches that you've heard of, they started very much in that way. Exactly.
I guess what I really want to ask you, Ori, is like how does your ATO Protect product prevent that? I mean, what can you guys do? Let me just go back a second to answer your question about e-mail. I just want to see what is the pre-step there. I already explained in the phone world, you do a SIM swap. In the e-mail world,
there's an easier path. If I imagine a bank that has 40,000 employees, I call one of them and say, hey, I'm calling you from the IT department at the bank, I need to install something so we can help you next time. Now how will the employee ever know if I'm really working at the bank or not? So unfortunately, some people take the lure, allow me to get complete access to their computer, and now I can get their emails.
So if you sent me the e-mail in the chain we talked about before, I'm now getting that as well. I just want you to know how it's done. Yes, am I foreshadowing what ATO Protect does? Yes. But I want you to understand the why, because we've spoken to enough CISOs and enough customers that told us all the different ways they were taken down. And we've done a thing that is a little bit to our detriment. So I want to be very upfront about that.
When I speak to some of the analysts in our field, without mentioning company names, they basically said you've created something that is a Franken solution in the sense that it is not focused in any specific domain or expertise. It is by taking five different domains and putting them together that we are not really a fit to any Magic Quadrant, if you want to think about it that way, because we're not like this
one thing. So I'll explain how we do what we do, but the key is that we did not start with like, what are we good at? And let's try to convince you to buy that, which is unfortunately how our world is. It is taking 2 steps back. It was about 18 months ago. Jim, listen to all the MOs, all the attack vectors that are happening after the MGM breach, and say if you were to sell the solution to the CISO, not a point of I can do this or that,
what would that look like? It forced us to be good at document scanning, telcos, DMVs, different data brokers, realizing that there was a man in the middle attack perpetrated a second ago. All these things together. Plus, did somebody call your employee without you even knowing, right? Have amalgamated into this ATO Protect because it really protects from ATOs in the different permutations they can take.
So I'll let you ask the next question, but the key is that Trusona started its journey by saying we need to go passwordless, and I still think the world should, and at the end of that journey realized, oh my God, if everybody had passwordless, but the bad guy just needs to say it. Well, I don't have the passwordless. Let me in. We are now solving that issue. But I want you to realize that it's not a single disciplined area to focus because Scattered Spider and the Com and BlackCat
are so well organized. I don't want to say sophisticated because deep, deep down, everybody who listens to this call can commit these crimes. It's not like you need to be a rocket scientist. You just need to have your moral compass set wrong, because they can come to you at all these different angles. We have to be good at all these different angles to protect. I'll pause here. So I think that idea of the man-in-the-middle attack is sort of how things kind of get started.
I don't want to get too far along here because I don't know if we have really talked about how this works. So I'm curious, Ori, if you could just take me step by step. If I'm a security analyst, a help desk person, whatever it is. And I might be responsible for taking a phone call. And we'll just pick on Jim here. So Jim calls me, but it's not really Jim, right? It's bizarro Jim, we'll call him. How does ATO Protect work? So I go to the website and
then what? Take me step by step because I think that'll help maybe make it a little bit clearer as to what we're going to get into next. Cool. I'll start by saying for those of you who will stick around until the end of this episode, there is a page that Jeff and Jim were very kind to record of me showing how this works. So if it interests you after you're done with your job, there is a video that you can go watch all this. I'll try to describe it
verbally. Let's call the actors by their name. Jeff, you would be the agent, like the IT help desk agent, and Jim will be the caller. And of course you can replace IT help desk with HR department, finance department, whoever gets the call. The way it works is this. There are two modalities. One of them, when there is a human taking the call, that is the most common thing we do. The other modality is when
there's self-service. You call an IVR or you go to a web page and you say I need to change my password. We can do exactly the same thing without a call. When I call or Jim calls you rather, Jeff, you will tell them first, please get your ID ready, literally just like if you were stopped by a policeman and say, OK, show me your driver license
and you know, insurance. We believe that in most countries that need to do this, you have access to your ID even though you might not carry it like in the United States, but you have access to it when you need to do something risky or if you're traveling, you should have your passport or something else. You've shown the border control, so you should have something like that. The second thing is you would tell the caller that none of
this data will be stored. Pretty important because we don't want to become part of the problem. And the third thing is you'll ask the caller how would you like to get this URL? That will help you with your mobile browser begin the journey. You can ask why. Why reduce it all to a URL? I'll go back to what I said 5 minutes ago.
If you're on a vacation somewhere in the world and your phone drowned in the ocean, what we can expect you to have is a new phone out-of-the-box with Wi-Fi connected to it. And if you can get an e-mail to it or a URL to it, you should be
able to do this. It is specifically designed to have the minimum viable technical know-how or ability, because if I require you to log into our network to do this, it's a catch-22. You don't have the very thing you need to get it, and that is what causes the issue to begin with. So you would ask me, do I want to get an SMS, an e-mail, or literally just like in a video
call like this? You can paste the link into chat, or if there is a video call you can show me a QR code that I will scan with any camera, and essentially bring the caller, Jim in this example, to a page that will allow him to self-service himself. Scan the document. What Trusona will do there is verify, for example, if you sent him a text, that the phone has not recently been SIM swapped. If you sent him a text, that he is really the owner of this number and not just lying to you about it.
When they scanned their document, we would go to numerous authoritative databases, such as in the United States. We can ping the DMVs to ask did you issue this document, as opposed to is the font looking good or is the template correct? I'll state the obvious. I'm sorry for everybody who might get hurt, but Gen AI deepfakes have robbed us as an industry of the ability to look at documents and say, oh,
this looks fishy now. When I used to be the head of Frisk in the large credit card company, I relied on this tool. But that was a world before ChatGPT and before Midjourney. Today I can mimic your voice, your video image, to that effect that unfortunately it is not simple for AI to detect it and definitely not for the human eye. That was Orion, just so you know, I'm starting to get the
hang of this. So all this to say, Jeff and Jim, when a call comes in, you ask the person to get ready to identify themselves and you simply share with them a URL. And from there on, the tool does what it does, including checking if the link has been forwarded. But I'll pause here. We'll get into that later on because that's another MO of the bad guy, which is man in the middle attacks. So when I log into this thing, I, I have two options, right?
Or a couple options, I could say. So I can send it SMS, I can send an e-mail, I can send a link. What are the IDs that work? Because I see options here for driver's license and for passport. So I think that covers most government documents. And then what you're doing behind the scenes, as I understand, is you're querying DMVs in the United States or other, you know, I guess registries of that sort of data around the world. What are the limitations when it comes to driver's license and
passport? Like where? What doesn't work? Yes. So if after this podcast you will take our challenge, which again we will unveil at the end, go and try that at trusona.com or trusona.com/IDAC, we will invite you to play with the demo. The demo has the following options. A driver license in the US and Canada, a passport from any country in the world.
So that covers every country. And then a few documents from India, that is what we give people to play with for free because those are the most common. In the UK, driver license, we have that. We have 2500 additional documents from many different countries. So Philippines, China, Costa Rica. We just don't put it in the default demo because then the combo box will just be, you know, endless. We have customers who are using up to 20 countries at the same
time. The question is, Jeff, not where we can scan a document, that we can do in any country because passports by design are in any country. The question is, where can you verify that this is legit? So I'll go slow. Let's take the United States, which is the best country to do this in. It is still not perfect. Why? For all kinds of reasons, states like California and New York have decided not to allow vendors like Trusona to ping
them and verify identities. They allow the Social Security Administration to do it. So the data is there, but they don't allow it for commercial use. So in the United States, we can verify literally with the authoritative data sources about 80% of the population. Pretty good. What do we do for the other 20? So if you do come to us with a driver license from California, we triangulate it differently. We still scan the document because it's hard to mimic the PDF417.
And for the uninitiated it is the 2D barcode on the back of your driver license that has a machine readable payload. And instead of asking the California DMV, hey did you issue this? Is this real? We would ask you for your mobile number and then ask the telephone company. Is this identity of Jim Stedman with this date of birth and address matching whoever owns this phone? So we're replacing the authoritative source with the next best thing.
In India or the UK, we replace the DMV with LexisNexis, with one of our data providers. And of course, we can add more. In India, you can go to some government databases. In Costa Rica you can query the voter ID database. There are different configurations. The key is that you will not be
blind. Meaning what? When Jim calls you today, before you have ATO Protect, he can just social engineer you and tell you I am who I say I am because you have no semblance of control as to is he telling me the truth. But when you start scanning documents and you have the triangulation, and then we have the device information telling us what time zone this device is configured in, and I can ask Jim to click on a button we added that gives his GPS location with permission.
All these pixels create a picture of is it likely to be Jim at his house begging me to get him in, or it's somebody all over the world who's just trying to masquerade who they really are. So I see as an admin or whoever logged into this, I see a bunch of these pieces of information. The goal here is to give me enough pieces of information to say, do I think this is really Ori or Jim calling versus maybe someone else? And so as I have these combinations of pieces of data, right?
So I'm looking at the screen right now and it's, you know, the IP address, the country, the IP region, you know, the browser. But in addition to that, I see literally a map that shows me where things are coming from. And then I see, you know, different parts of the data that you've checked from either DMV or LexisNexis or even the MNO, the mobile network operator, right, MNO.
So all of this combined kind of gives me a picture to say, oh, OK, I have pretty reasonable assurance based on this that I have the right person on the phone, that I'm transacting in a relatively secure way. The man in the middle, if I was outside of that. So let's say I, you know, did something and I've got two people on the phone. We're going to try and trick Ori out of his money. You know, I call Ori up and I say, hey, I'm the help desk.
And then maybe Jim's got something else on the line and I'm just like, give me the code, right? That I'm going to send you, 'cause this is the common way they do it, is they say I'm going to send you a code and then you read the code. And then despite every single SMS and vendor out there saying we will never ask for your code, what do people do? They read the code to the person that's going to, you know, take their money. So when I read that code in now, it's coming in from a different
IP source, right? Or a different geolocation. And so I see this on the map, and this is something again, trusona.com/IDAC, go watch the demo there, that I see that information and now I can start to raise some reasonable doubt around whether this is legitimate or not. Is that a fair way to put this? It's absolutely a fair way. I'll give you two more anecdotes. One is iPhones use what's called Private Relay. It's a type of a VPN.
And even though Jim called you and says, hey, I'm at my house, his phone will tell you he's not at his house. So for cases like that, even though the IP, you know, a la carte, would not reveal the truth, you can ask Jim to click on this extra button with permission to say, hey, tell me where your phone really is. And then if that is within 100 feet of where the driver license home address is, let me tell you, Jeff, he is at his house, because you can't be
elsewhere doing this. The second is the man in the middle works when people get the payload, let's just say from the bank and they cannot respond to it because they're not the real customer. Now, they put the bank on hold. Let me give you the most common. I use that in the demo. The most common excuses we hear on calls. My baby is crying. I, I, I, I'll be back. My dog is barking like always play something else. And the latest one is Amazon is knocking at my door.
I'll be right back. But all these are just excuses to put the call on mute so the bank or the IT help desk doesn't hear that you are now puppeteering someone else. And you basically call the victim and say hi, I'm calling you from the bank. We think there's fraud in your account. I'm going to forward you this link that you got. It's just that you can't act on it. Could you please load it in your
browser and scan your ID? Because then I will know it's you and Wilkin and the people are freaking out. The bank is calling them. Sounds really serious. You don't even know you're being puppeteered. So what our tool does based on knowing how the bad guys operate is it takes a fingerprint every time the link is loaded.
And then you, even though you're on mute because the person gave you an excuse, you see on the map all these different households and devices pop up. You say, OK, I know one thing for sure. I'm not talking to Jim McDonald on his own. He is not in five different locations. There is quantum stuff happening in entanglement, but this ain't it.
Not yet anyway. And so this is the part that kind of really sold it for me as I looked at it was, OK, I'm looking and this is not a, you know, very hard thing to do for me as an admin. I see it as very easy. It's showing me literally a map. And when we tested this out the other day, you know, we had your information and you were kind enough to kind of go through it with us. And that's where that demo is,
is we see your information. And then we had, OK, well, Jim, go ahead and click, you know, the link again. And all of a sudden across the world, right, the map zooms out and says, OK, well, wait a second. Why did we start in Arizona and then end up in South Dakota? Well, that's a flag right there. And so I think this kind of brings home a little bit some of that man in the middle, because we thought of ways. OK, well, and, Ori, you were very gracious, like try and break it.
Like, OK, well, let me think of ways to do it. Now, I'm not a professional penetration tester. So that's where we'll talk about maybe later. People can kind of, you know, help with that. But the first thing I thought it was, OK, well, what happens if I intercept the man in the middle type of thing, right? E-mail, text, whatever may be another one was OK, well, the whole liveness check, right? There's been, well, I can just hold my picture to my camera, right?
And it will do that. Well, if you blink, that must be enough liveness. OK, well, that's not, you know, good enough. And so now we're saying, OK, you're scanning the document. You're saying, OK, you're checking it against known sources of good information. You're combining pieces of information from multiple sources. So if I were to tamper with one, the odds of being able to do both become less and less.
Now they're never 0, right? And without being suspected as SIM swapping, yes, let me reverse it and tell you, here's how you can beat it. Like, let me give all the listeners the recipe just so you understand what your task is. And then you'll see how monumental it is. You'll hear at the end of this podcast that we're going to give you a challenge, hack the box. And it's a very simple ask. You need to log into our tool, play with it.
And if the tool will say that it is me, meaning you can scan a document that would pass all the checks with the DMV to say, yeah, yeah, this is Ori's real driver license, and you will not trip a we just SIM swapped his phone, and my telephone company will say that this, if it all matches and there is no SIM swap and no man in the middle, you have beaten it. OK. And we can talk about how to claim your prize. What you can't do easily, Jeff and Jim, is plant records in official databases.
You can clone my ID. You can do that if you know what to do because my record is there. You have to be able to do it in a way that is not caught. This is really the hurdle. The next level is exactly what you said, is how do I do it without SIM swapping or man in the middle, which really are trying to puppeteer somebody with social engineering to do it for me. And the last leg of the stool is this. There is 5% of the listeners who at this point are thinking a
thought. So let me just tell you what they're thinking. Wait a second. I know how to break this. Didn't you say that you need to send the link and then I will see that multiple people. Yeah, I'm. I'm revealing to you a method. But here's what I'm not going to reveal. Just so you know, we thought about it. And you will only learn about this if you're a customer in our training. What happens if the bad guy doesn't click the link and only send it to you?
I just say the words. So you know, we thought about it. So you did not find the gaping hole? Not yet. But that we only train customers because we do want to stay in business. Or you can just tell Jeff and I, that way we can go ahead and steal your idea. And I mean, I think this is genius because I think the industry's answer for identity verification is the document verification, the liveness testing. And I mean, that's built into your product, but it's more than
that, right? Just stay in the geolocation angle as well. So there's two forms of assurance that go into kind of this risk modelling. Yeah, we, we think about it as 5 disparate sets of signals. Some of them come from the device itself, Jim. So your browser can tell me what language it's configured in. And if it says Russian, you can tell me all day long that you live not there, right? So that's one set of signals. The second is, as you said, from the scan of the document itself.
The third is from the data verifiers. So even if you fake the document pretty good visually, the verifier will say, well, I don't have this document in my records because it's a synthetic identity. The third will be all the man in the middle detection to know, did you forward something else? And the 5th, I know we didn't talk about it much, but it's what we said before.
How would you know if somebody's calling your employee and tell them, hey, I'm calling you from ITI need you to do something. So that is again another module in the Ato Protect suite that companies can advertise either to their customers or to their employees on an intranet and say, if ever you get a call from us, this is how you would know it's really coming from the company as opposed to believing somebody who's done social
engineering. I'll talk us through that because that's actually something that was on my mind. I had my bank, I know we're talking about the workforce example, but I had my bank call me the other day and they kind of wanted to jump right into the details of them. I. I believe it was them because I was just interacting with them, right?
But the scenario was they called me, so it could have been anybody calling me. Imagine if someone calls you Ori and says, you know, I'm calling from the help desk and you're like, OK, that that is my company's help desk now. And they start asking you for information. I mean, how can you how how as the person who received that call use your product to verify that you know this legit? Yep. I'll, I'll take a second to give some kudos to our we call them the ninjas at Trusonas.
Those are the engineers that sit with me and the product management team and say, listen, the problem is thus how do you solve it? I'll be honest with you. I've been in this industry for 24 years. I did not think there's a solution to this. I honestly did not. Actually, I didn't even spend time figuring this out because it seems so well, how could you? Thank God we thought of something. It's now patent pending, so I can talk about it freely.
If you'll have time to see the demo, we're demonstrating it there. But it works like this, Jim, if you went to the trusona.com website right now and scrolled all the way to the bottom of it, on the right hand side, there's a link called Agent Verify. And we would recommend companies that have consumers and employees have a similar link on their homepage so everybody knows it's there, both the bad guys and the good guys. And the law or the rule would be
simple. If you get a phone call that claims to be from the company, whether you're working here or you're a customer, go there, click it and ask the person on the phone for a simple thing: give me your Agent Verify code. If truly they are calling you from the company, our tool will give them a six-digit code that is a one-time thing. And then they can see, I am talking to Jeff. And after that, this code will not work again.
And it's the first time that we can give a simple instruction, without any technical know-how or buying something, for the consumer to do that. You have a tool to fight this. And unfortunately this is the only thing we know of. Everybody else who buys this and understands how it works knows that my employee can forget to do it. I will tell you that as well. My mom may not remember to go do it. I get that.
But at least now you have a way to prove to somebody that you're calling them, especially if you have a personal banker that wants to help you with a wire and they are calling to help you, but at the same time they need to identify themselves. If IT wants to call you and help you while you're stuck, you want to get that help, but you also want to make sure that it is
really them calling you. So this will be the way to prove to both sides that you're talking to the right person, with this feature that is included in the umbrella of ATO Protect. Oh, that's really great, actually. Ori, quick question: you brought up that topic and I did have a follow-up there, but when you were talking earlier about the geolocation, I wanted to get this question in. So if somebody, say the hacker, the man in the middle, is using VPN software, do you
accommodate for that? Yeah, I mean, Ori, what I think is cool was, coming into this session, you said throw away the script, go ahead and try to stump me. This is my attempt, you know. Now I could be calling you from Russia using a VPN, voice over IP. How does your software stop that? Great. So you can't stop somebody from using a VPN, but we do help you uncover it and solve it two ways.
One of them, we have a list of VPNs. Either they're the beautiful ones from Apple, there's an IP range that you can say, OK, you're using iCloud Relay, and that's just a toggle. If it's one of your employees and you really wanted to know where they are, you just tell them, hey, can I give you instructions on how to turn it off momentarily, because I want to make sure. And no employee should argue about that, because they really want to make sure the company's safe.
The other one is a VPN like NordVPN, where you can come from any country in the world. But hear me out, Jim. If you wanted to get privileged access and you called in and said, hey, I'm working from our whatever office, or from my home, once you scan your driver's license, it has your home address. So if I now ask you to click on a reveal-your-GPS-location and that is like 20 miles from that address, there's a problem.
Our tool can show you those, the driver's license address and the GPS, within 100 feet of each other, and you have every reason to think that the person is there. I'll give you one more thing that we do. And again, not revealing any methods that will help the bad guys. Some companies are so large that they have five different IT help desks in different countries.
So what do you do then? We allow them to associate the C-blocks of those different areas so that you can tell, hey, this person who's asking for help is coming from an internal IP address of the company, which again would lower the guard, not completely, but give you reason to think that you're not talking to somebody who's just talking to you out of the blue. And lastly, if somebody at the company does use a VPN because they want to stream some stuff, hey, we all do it, it's fine.
You can simply tell them, for this call I'm asking you to turn it off. And if they give you any resistance, that is immediate reason for you to pause and say, OK, I need to use more security on this call versus less. Because if somebody really works here and they don't want to masquerade as somebody else, there's no reason for them to not listen to your asks so that you can give them service.
I think it's such a fascinating approach to this: you're collecting all these signals, you know, from all these different areas and kind of combining them. You know, Jim and I have been consulting now together for 10 years, him much longer in his advanced age. But this is a question that, you know, has constantly come up: how do you validate people calling the help desk?
And, you know, for the last eight years or so, really the last 10 years, there hasn't been an answer. I remember being on these calls before as a help desk agent doing password resets, and this is a very interesting solution. So I would definitely encourage people, go check it out: trusona.com/IDAC. There's a whole demo there. And you know, most of our listeners are listeners, right? They're not seeing things happening and stuff like
that. So we're trying to describe it as we go along, but it is a very, very cool solution. I want to kind of take us into the future here a little bit with the little bit of time that you've got left. What do you think is the next battleground when it comes to this type of thing? Right? It's really identity verification. It's how do I make sure this is really Ori and not, you know, the Google Veo 2 or the Meta, what do they call it?
Emu model, right? Whatever AI thing that I can create that would say, oh yeah, that sure looks and sounds like Ori, let me go ahead and do it for him and take care of his account for him. What do you see as next? So, Jeff and Jim, I told you that I brought my special effects here just in case the opportunity would arise. So you just asked the question that merits this. So I'm going to have a
contrarian view. It's not fun news, but I will share it with your audience, what I think comes next. So unfortunately, it will begin with this sound. I'm happy that I'm at the end of my security career. That's the beginning of the answer. I have a son who's 22 years old, just finished computer science and forensic accounting. He's just getting into this world, and I tell him, I don't know how your generation will handle what comes next. And next is not 20 years.
Next is two years, five years. Here's what I think would happen next. Video gen AI will become so good that for most people it will be indistinguishable from live video. That includes sound, which is very important for this topic today. Without mentioning company names, I can tell you I've listened to recordings of CEOs of companies, because they were interviewed on TV, being voice modulated. And now you can have this voice say anything you want, berating the IT help desk to reset the
password. That will only get better with time, not worse. So you won't be able to trust your ears, you won't be able to trust your eyes, you won't be able to trust images that I show you, because who knows? So it will again rob us as an industry of all those senses, if you want to think about it, that we had for so, so long. And the next thing, again, that could come, I hope it won't, is any breach of the authoritative data sources. So if you told me today all the
DMVs' data has been spilled out, we are now going to be in a period of time of just not knowing, blind leading the blind, until it would be so bad that governments will say, OK, now we need the self-sovereign identity and all the things that we're talking about in the futuristic world. I believe we're not there, for a simple reason.
We did not experience enough pain as a society to say, enough with this, we're doing it. Heck, 50 states in the United States cannot agree on what's secure between them. So what do you want the world to do? Right? I think we still have more time. We can still do some work, but AI will be the breaking weapon of the bad guys if they use it well, including writing emails and persuading people with, you know, agents that know how to do that. Man, they will have the
upper hand. It's just the nature of the beast. I don't like saying it. I know people don't like hearing it. But as a defender, as a practitioner, I'm happy that I'm towards the end of my career, because I have no idea what comes next and how we will solve it. Because things that we held near and dear as sacred will not be with us as the gold standard anymore. Well, that's a very positive way
to end the conversation. But I think this is the realistic way, right? This has always been a cat-and-mouse game, attacker versus defender, and trying to figure out how can we stop one or the other. And it happens on both sides. So as hard as we are trying to defend, the other side, just as much, is trying to poke holes
into that. And there will be new creative ways to do it. AI is just the latest version of it. I mean, we did an entire episode that was all AI, like for us, on April 1st. And, you know, it was fine. It sounded OK. And that's me as an amateur spending a little bit of time, you know, training models on my voice and Jim's voice and me telling Jim, no, you've got to do it more demonstrably, right? If I have motivation, the tools are absolutely there.
The accessibility to be able to do gen AI to create video, audio, images is so good right now. And it's absolutely scary, because what does this lead back to? It's social engineering again. The unhappy path, as we've called it for a long time, is what people are going to take advantage of. It's usually the way that people get breached or popped or whatever word you want to use to say that bad things have happened. And these are just tools that people are going to use to do that.
And so another arrow in that quiver might be something like this: how do you stop account takeovers as well? Take a look at something like Trusona's ATO Protect. So I'm a big fan of it. I remember when you called me, or I think you shot me a LinkedIn message like a year and a half ago, it was like, oh, this is kind of cool, like what is this thing? And to see it evolve over the last, like I said, year and a half and see the value of it has
been really interesting. So, like, tip of the cap to you, sir. Thank you, I appreciate it. But as I asked you and Jim, I want today to be all about trying to break this, because I feel for everybody who listens to this podcast on the defender side. I would not want to be doing this job today, because we don't get paid enough for doing it. But I do have a positive end note, if you don't mind, and I'll use my slide whistle in the fun way just to say this.
I believe that some of us will try to fight AI with AI. I already see startups trying to do that. I personally don't believe that that will be the solution, because of the cat-and-mouse issue. 25 years ago, when you bought Norton Antivirus, you were defended from what it knew about, but not from the next thing, right? So unfortunately, it is a way to give you some cover from what's known. But in this world of AI deepfakes, you just don't know what's coming tomorrow.
So I just don't know that overall that's the strategy. A way to finish this episode is to think about what we described today and what this tool does as a sort of a Turing test. Hear me out. If we try to fight AI with AI, we're now just fighting CPU with CPU and capacity with capacity. And unfortunately, the bad guys have more money than most
companies to do this. What we're trying to do with this tool is to take you out of your comfort zone, Mr. AI, and have you hold the phone in the air and scan something. In real life, no AI model can do that. No AI model can generate the record for me in the phone company. No AI model can do a lot of things that we're testing for, because it simply doesn't know. It knows how to do a lot of things, but we're forcing it to do things that a human can do easily.
So here's the positive sound. But AI will fail miserably. So I don't want people listening to this thinking, oh my God, we're doomed, AI will take over the world. That is not what I'm saying. I'm saying if you put in front of AI the things that it knows how to defend from, just with more training, that is not a great strategy.
Force it to do the thing it cannot, and now you have a leg to stand on. OK, well, you've been teasing us the whole conversation, and so let's talk about how do we break this? And so you're issuing a challenge to whoever is listening. Tell us more about this hack-the-box. What is it? How is it going to work? And I guess just give the details on it. So we will go to the website of trusona.com/IDAC, Identity at the Center. There you will read a little bit
about this demo. You can see a video of it. If you don't want to go do it yourself to hack the box, I'm offering the following thing. Go to our demo and send us a screenshot of the entire screen; it would also have a GUID of the transaction you're on, because we need to find it in our systems to see that you did not manufacture one. How's that for thinking like a hacker, where the DMV and the phone company and all those things do not suspect that it's
not my document? And again, I have one. I'm not going to hold it too close to the camera. I'm not going to do that, but I have one. I've done this demo, as you'll see there, but the net-net of it is: if you can generate a screenshot from our tool that we can verify was a real transaction on our end and it will say, yeah, this is Ori Eisen, and it was not me, you get the prize. Now Jeff, Jeff and Jim, you can help me pick what the prize will be. I don't want it to be like a
gift card or something. It should be something cool. So by the time this episode will post, we'll decide what the prize is. I think it's such a cool thing, and, you know, being able and open to say, hey, let's figure out better ways to poke a hole in this, is great. And I guess be prepared, because I think, you know, hopefully people will check this out and really want to try to figure out how it gets. I will, let me say it again.
I'm not afraid. Most vendors are afraid to be. It's OK. If you ever listened to Keren Elazari's TED talk, that hackers are the immune system of the Internet, I believe in that. So if you're listening to this podcast, I'm not afraid. I want you to show me where the holes are, because I'd rather fix them, if there are any, and protect the world than not allow you to test it. I mean, that is not security. There's no security in obscurity. Sorry. I'm asking you to help us see how it can be broken.
And if you can't break it, at least be like Jeff and Jim; they were very honorable and said, hey, we couldn't break it easily, let us at least share it with more people, because if this can help companies to not be broken into, so be it. I think the other cool thing is, well, first of all, famous last words, "I'm not afraid," so I'm not that courageous, so I
will not say that myself. But the other thing I think people should know is if they go to trusona.com and they click on the Try Now, you actually get, what, six of these? I think three per month. Per month? Yep. And so people can actually try this, try that in an environment, see how it works on their own IDs. You can just see what it would do for you. Literally, it's like a gray box
as opposed to a black box. You can see what would happen, but to break it, you need to be me, with a real transaction. Then we can chat about the prize. So far, just so you know, no one has been successful trying to do this. OK, the challenge has been tossed out there, the gauntlet has been thrown down, whatever analogy you want to use. Ori, I'm a big fan of what you've built here, very impressed, and excited to see how it
goes out there. Definitely encourage people to visit trusona.com/idac, and we'll have links in our show notes for people to find that easily, as well as a LinkedIn link for you as well, for people to reach out and maybe send those screenshots or whatever it may be to say, hey, I got you. But hopefully not. So with that, we'll go ahead and leave it for this week. Ori, thank you so much for your
time. Really appreciate you being a supporter of the podcast, and encourage people to visit the website, visit us on the web, idacpodcast.com, do all those fun, cool things, like and subscribe, share those with people. And yeah, we appreciate it. So we'll go ahead and leave it there for this week. Thanks everyone for watching and/or listening, and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show.
Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.
