
#388 - Fraud Reduction Intelligence Platforms with John Tolbert

Dec 01, 2025 | 59 min | Ep. 388

Episode description

In this episode of The Identity at the Center Podcast, hosts Jim McDonald and Jeff Steadman catch up with John Tolbert, Director of Cybersecurity Research at KuppingerCole Analysts, to talk about the rapidly evolving world of Fraud Reduction Intelligence Platforms (FRIP).

They explore:

  • The six capabilities of modern fraud reduction systems
  • How AI and machine learning are both helping and hurting fraud prevention
  • Why shared signals and orchestration are critical for financial and e-commerce use cases
  • How identity verification, device intelligence, and behavioral biometrics work together
  • The role of usability and integration in FRI adoption

Plus, stick around for a fun discussion about concerts, classic rock, and which legendary bands they wish they’d seen live.

Listen now to learn how identity, fraud, and AI are colliding — and what’s next for fraud intelligence.


Connect with John: https://www.linkedin.com/in/john-tolbert/

Fraud Reduction Intelligence Platforms - Finance (KuppingerCole Report): https://www.kuppingercole.com/research/lc80841/fraud-reduction-intelligence-platforms-finance

Fraud Reduction Intelligence Platforms - eCommerce (KuppingerCole Report): https://www.kuppingercole.com/research/bc81030/fraud-reduction-intelligence-platforms-ecommerce


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at http://idacpodcast.com


Chapter Timestamps:

00:00 – Jim’s passwordless rant and setup woes

05:00 – Introducing guest John Tolbert

06:30 – Catching up: four years since John’s last appearance

07:30 – What is CIAM and how has it evolved?

09:30 – Understanding Fraud Reduction Intelligence Platforms (FRIP)

10:00 – The six core capabilities of FRI solutions

13:00 – Are most vendors point solutions or full platforms?

14:00 – How identity verification is improving

16:00 – SaaS and API-driven fraud detection models

18:00 – What kinds of fraud can (and can’t) FRI prevent?

21:00 – The growing problem of bots and automation

22:00 – Fraud trends in finance: scams, account takeovers, and synthetic identities

25:00 – Information sharing and the role of shared signals

28:00 – Collaboration vs. competition in fraud prevention

31:00 – Fraud in e-commerce: bots, loyalty points, and returns abuse

34:00 – Streaming and citizen fraud use cases

36:00 – Where do FRI capabilities fit within IAM platforms?

43:00 – The importance of orchestration and integration

44:30 – The role of AI and ML in fraud prevention

47:30 – Smart questions for evaluating FRI vendors

50:30 – Concert talk: Pink Floyd, Metallica, and the ones that got away

58:00 – Wrap-up and where to find John Tolbert’s reports


Keywords:

Fraud Reduction Intelligence, FRI Platforms, John Tolbert, KuppingerCole, Identity at the Center, IDAC, IAM, CIAM, Cybersecurity Research, Fraud Prevention, Machine Learning, Artificial Intelligence, Behavioral Biometrics, Device Intelligence, Identity Verification, Risk Orchestration, API Security, Financial Fraud, E-Commerce Fraud, Shared Signals, Jim McDonald, Jeff Steadman, IDAC Podcast

Transcript

Jim's passwordless rant and setup woes

This is Identity at the Center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Doing great. Well, mind if I start? To smile. Something's up. Yeah, go ahead. Rant away, man. This is your time. All right, my problem is with passwordless.

That truly isn't passwordless. There's a damn password behind the scenes and it's actually this to me, this is like exactly why NIST said don't make people change passwords every three or four months. Because when this stuff kind of pops up and you haven't been using your password, what are you going to do? You're going to pick the

simplest password. You're going to write it down and put it in like a notepad file somewhere so that on the off chance once every three months where it says, hey, you set up, I don't recognize this device. You know, we're going to play a safe put in your password. I don't remember my password. First off, it was like 852 characters long with all kinds of different special characters.

I don't remember. And then you go through the password reset and then every time you type in the password, for some reason it doesn't match the policy. Oh, sorry, that wasn't 862 characters long. Or maybe it looks like a word and our smart software picked up. We're going to prove it. Then after the three tries, I feel sorry. You must be some kind of scammer. Start over, call the help desk like it's actually, if you're going to set up a process like that, it's worse than actually

having passwords. Yeah. So Grant. So this rant brought to you by Jim's new iPad, which we're recording slightly out of order. So I think it's like the next episode or maybe it's the episode after that I remember where it's the one with Tobin S that we're going to have come out where we talk about AI. And Jim, you had started off that show saying you got the iPad in the mail and it was in a box. You haven't like unboxed it at that point yet.

And so now we're a day later and I'm guessing most of your problems are because of trying to set up your iPad, am I right? Yeah, well, OK, major props to Apple, because you set up the Apple and then it's like, OK, just hold your phone somewhere close to this new device and we're going to bring over everything you've ever had. My God, that's like such a beautiful experience. Now don't forget if you ever have to set up your Apple ID and forget your password.

I haven't done that in a long time, but my goodness is that a nightmare. It's passwords, Jeff. Passwords are hell. They are. I mean, nobody likes them. You know, this example you just gave is a perfect example of the pain that people go through whenever they get a new device. It's the same thing every time. You know, I have a Bitwarden password wallet that has like 1000 passwords in it. I don't even remember them anymore.

I just automatically, my workflow is just OK, create a pass phrase, get it into Bitwarden and then I'm never going to remember it. And then just use that going forward. So I don't know any of my passwords except for the one to get into Bitwarden. That's it. Yeah, well, I mean I definitely can't lose that way because I lose that I obscured. Then you have access to nothing. It's like you don't exist. Death in the Digital Estate has just caught up with you.

You know, and that's probably something we should talk to that group about because, yeah, what happens if all your credentials are stored in something like that? Can you set up like a legacy contact somewhere? It's like, I think like Facebook does something like that where your digital credentials can pass on to your next of kin or maybe just start putting that into your will is, you know, I bequeath my Bitwarden wallet and all associated

information to my wife. Good luck. Yeah, yeah, No, I also got a, I got a thumb drive, you know, basically a password key. And I, you know, before I used to think that was such a great idea, you attached it to your keys. But the only thing I know that I have with me almost at all times except when I'm sleeping is my phone. I don't always have my keys on me, I don't always have my leather wallet on me, but I

always have my phone. So I continue to think that the phone is the best form factor for me and probably for most people. It's ubiquitous. I think, you know, the phone is obviously there. You've got watch, right? That could be another option,

still kind of pricey or a ring. There are a variety of things I would love to see, you know, more of like a, I don't know if it would be Apple, but a smart ring that actually has, you know, some of those biometric authentication capabilities rather than just measuring my heartbeat. And you know, my terrible sleep was last night because I was so excited to talk with our guest today about fraud.

Introducing guest John Tolbert

Well, then we should get into that. What do you think? Yeah, why don't we do it? Because if you've read the title of the show, which you probably did, it's we're going to talk about fraud reduction and the intelligence platforms going with it. So I want to welcome back to the show John Tolbert. He's the director of cybersecurity research at KuppingerCole Analysts. So welcome back to the show, John. Thanks, nice to be back.

Good to talk to you guys again. So we were prepping the other day and I was absolutely, and I don't use this word lightly, flabbergasted that it's been 4 years since we've had you on. We actually had you back on almost back-to-back, which kind of these days is kind of unheard of. It's November and December of 2021. We talked about customer or consumer identity and access management. We talked about fraud reduction.

And here we are 4 short years later talking to you again around, again, fraud reduction intelligence platforms. We did see each other in Berlin earlier this year at the KuppingerCole conference. That was kind of cool. So maybe that's why it felt like it was more recent. But man, we can't have another four years go by without a dose of John Tolbert on this show. I'm just going to say that right now. Sounds good to me, so why don't we catch up a little bit

here? It's been 4 years. What's new? We already did your origin story, so I'll encourage people to kind of go back, but maybe you can kind of fill in this timeline gap in the Identity at the Center cinematic universe of 2021 to now. What have you been up to?

Catching up: four years since John's last appearance

Well. As the life of the analyst dictates, we do a lot of research, talk to a lot of customers, vendors and look at what's new out there in the field, try to figure out what trends are worth reporting on, and just to try to educate our readers. So I've covered a number of different subjects. Of course, I have been doing CIAM for going on 10 years now, fraud reduction for at least six or seven I think. Then I also have covered XDR, NDR, attack surface management, a bunch of different cybersecurity reports, as well as now we're keeping our eyes on things like NHIs and agentic AI and topics that are emerging.

And, you know, everybody wants to know how can you secure these things? John, you just dropped alphabet soup on us, OK. And by the way, that is OK because that's the industry we're in is you got an acronym for everything. But we do have some listeners who are newer to the space.

What is CIAM and how has it evolved?

So you mentioned CIAM, let's start there. What is that and what makes that special? Well, you know, I had been for the majority of the last 10 years sort of calling it customer slash consumer and also it can encompass citizen identity and access management. But you know I'm working on that report actually today, the CIAM report, and I'm going to go back and call this one consumer because I'm really going to focus on B2C, business to consumer, interactions.

I'm doing a follow up report to that early next year around B2B CIAM, which is about business to business. Because you know, I think over the last couple of years both the requirements that we see businesses leveraging on vendors have changed and now the vendors are trying to meet all those requirements. And I think that's good, but they're diverging quite a bit, as you can imagine, because the use cases are different. Yeah, I'm glad you.

I'm really glad you started there because, and I'm glad you pointed out the citizen angle because I was going to say what is CIAM, customer identity and access management, but that citizen angle is interesting as well. I think what's different is compare and contrast that to kind of workforce identity and you know, fraud within the

workforce for sure. But when I think of like fraud related to identity and access management, it's usually that external use cases, folks who are, you know, outside of the organization are trying to commit fraud through external facing application, customer or citizen facing applications. And there's this space now within my identity called fraud reduction intelligence platforms.

Understanding Fraud Reduction Intelligence Platforms (FRIP)

And that's interesting because I kind of feel like the only reason they put the word intelligence in there is because they needed a vowel. You correct me if I'm wrong, right, but fraud reduction platform would have been good enough, but that wouldn't have made a, you know, a word. So correct me if I'm wrong, but just kind of walk us through like, what is the space all about? What is FRIP? So I usually define it as a set of capabilities.

The six core capabilities of FRI solutions

There are six major kinds of capabilities that you need in a fraud reduction Intel platform. First off would be identity verification, which is something that we all know and love. Then device intelligence, you know, knowing about the device that let's say a request or a login attempt is originating from. And there's a ton of information that's available on devices that usually gets pulled through SDKs, software development kits, or JavaScript.

And that can be everything from like the device type. Maybe it has a specific device fingerprint, you know, IP address, location information, device posture check, you know, can you tell whether or not it has, let's say, an anti malware program on it or is it exhibiting signs of a malware infection? So all this intelligence can be evaluated by a FRIP. Then we have compromised

credential intelligence. This is using information sources from the dark and deep web about whether or not a credential has been breached and made available out there. Or maybe if you're using shared signals, you might be aware of an attempt to use a compromised credential, you know, in the recent past and then maybe that presents on your website. We'd like to raise the risk flag on that.

Then we have user behavioral analysis and that can get, you know, pretty in depth depending on the platform you're looking at. You can look at transaction amounts, transaction history, locations where transactions may have originated. Is this sort of in line with other types of transactions a person who's made in the past? So there's a lot of information that potentially could be evaluated by a fraud reduction Intel platform just on the user

behavioral analysis part. Then there's behavioral biometrics, which is, you know, how you interact with your devices could be typing cadence, or how you use a mouse on a desktop or laptop, and then how you hold and interact with your phone, touch screen pressure, and then bot detection and bot management. And behavioral biometrics generally inform bot detection, but there are also other methods for trying to figure out whether or not a session is being

initiated and controlled by a bot.

Are most vendors point solutions or full platforms?

You know, so I kind of feel like you talked about like the six different areas and they're all kind of related, but all kind of different. And I kind of feel like sometimes we have to, the analysts like yourself have to create a space and include all these things because if you don't, you'd have too many spaces. So you create one space and, but most vendors like, correct me if I'm wrong here, they maybe tackle one or two of these things, but then they'll tackle the whole space. Or am I wrong? Well, there's kind of a wide range of solutions here. There are point solutions, let's say behavioral biometrics is good with there are several companies that specialize in that and they do a really, really good job at that.

They may license their technology or OEM it into other platforms. Then we see that can be pretty common as well. But yeah, there are quite a number of different solutions out there. This time around, I think we had close to 25 that do multiple of these categories of intelligence gathering and processing.

How identity verification is improving

You mentioned the identity verification, which we all know and love is what you said. And I kind of smirked when you said that because actually I do feel like the space is getting better. When I say the word better, I'm thinking from a usability perspective. I've had some instances in the past where I went to use identity verification and couldn't be verified. And I'm like, what the heck, I'm me. Like I'm not committing a fraud. Why is this saying you can't, you can't? Now I don't run into that as much.

And I don't know if the technology has improved or they've, you know, widened the lane in terms of kind of letting more iffy connections go or what it is. What's your perspective on that? Is the space getting better? Is the tech getting better? I think it is getting a lot better. It's certainly more accepted.

I think we've seen it, you know, it really started probably mostly in like the government to citizen interactions or in finance, you know, because you want a strong or higher level of identity assurance. And then of course, the pandemic came along and made it hard for people to maybe go do some of these things in person. So that's when we really started to see these remote onboarding apps proliferate. And I do believe they've gotten quite a bit better.

I mean, many of them incorporate liveness detection, passive liveness detection. Sometimes you might be asked to, you know, look in a certain direction or blink your eyes or something like that to, to prove that you're a real person and you're not holding up a photo. But I think overall usability has gotten better, too, because they've probably applied better usability engineering studies to getting the flow just right. Yeah, we all occasionally do these things.

I did one recently and kind of encountered a hiccup in the process too, but fortunately it was able to be resolved pretty quickly. So yeah, I do think usability has improved, security has improved, but at the same time, this has become a major attack vector too. So this is another major source of fraud.

SaaS and API-driven fraud detection models

You use the term capabilities that OK, FRIP is 6 capabilities. I'm wondering about how these capabilities get delivered. So do they tend to be products or say like a software as a service solution where you have to do the technical implementation support or is it like a fully outsourced service?

So I'm thinking like an ADP versus a Workday. I'd say by and large it's a SaaS. It's API driven. So let's say I'm running a bank and I want to contract with a FRIP service provider. Mostly what I need to do is code that into their APIs. You have to of course pass a certain amount of requisite information to them to get a judgement or a risk score back, but it's generally API driven. So it's API driven.

So you know, the thing I always think of from a fraud perspective is that the old use case like, oh, somebody wants to transfer $50,000 and there's some kind of API on the back end that's saying, oh, that triggers some kind of rule and that rule now requires you to do something more. So I'm kind of thinking of like that RSA type of scenario. And to me that's always kind of what fraud is.

But it sounds like we're talking about the bigger picture of fraud, which is preventing bots and things like that.

What kinds of fraud can (and can't) FRI prevent?

So I guess when you look at the space, what kinds of fraud are we talking about preventing? And what is like outside of the scope of what this FRIP solution or solution set can provide a defense against? What kind of fraud can it help with and what kind of fraud can't it help with? I think a lot of the solution providers in the space are trying to address most every angle of it, you know, and from the technological perspective, there can be many different

angles to come from. I mean, just thinking back to identity verification, we see, you know, a huge increase in the numbers of things like face swapping attacks and use of like fake video, injecting video streams into video

identification processes. So I mean, that's like a whole different kind of technology that you have to put into place as opposed to if you're in the finance world and you need to do checking against sanctions lists and you know, for anti money laundering regulatory compliance there. There's just very disparate sets of technology that go into this. But yes, there are several major platforms that are trying to address financial use cases, e-commerce use cases.

That's why I did two different reports on it, as I see that they've kind of, you know, grown apart in both the types of fraud that are being perpetrated against these different organizations and the technical capabilities required to deter it. So that is the distinction. Then it's like the identity and access types of fraud, that's what gets prevented. Whereas like some of those deep finance use cases, those kind of frauds need to be identified within the applications. Is that right?

Well, I think there's several different layers for it too. I mean, identity verification you can do as they come in through the digital front door. But yeah, I think there are real time transaction level checks that need to go on in certain circumstances. And you know, another interesting thing is that this is kind of a union of just what we think of pure identity and access management and cybersecurity because you do have the bot angle too.

You know, bots are used. I think you know slightly more than 50% of the traffic on the Internet is some kind of bot or another. But you know, you can't just say, OK, I don't want any bots to hit my site because a lot of the legitimate business on the web is being handled by bots. So you've got to be able to figure out are these good bots or bad bots or somewhere in between? And then what do you want to do with that? Once you know that, how do you want to handle that?

Do you want to challenge them so that we all see these CAPTCHAs and get aggravated with those or do you want to throttle them? Do you want to redirect them or block them? There's lots of different choices you can have on how to handle bots once you determine that's what it is.

The growing problem of bots and automation

But yeah, I mean, you can kind of see that there's this wide variety of different kinds of techniques that span identity and cybersecurity that are used by fraudsters. And you kind of talked about there like the majority of traffic these days on the Internet is not human, right. It's APIs and bots. And you know, I was going to say we've got a great system to catch bots, right?

Just pick all the pictures of a bus or a sidewalk and you know, grainy little 9 box that it's like, I don't know, is that a bot? I don't know. Let's talk about the reports that you wrote back in July here. So you had two, one was on finance and one was on e-commerce. Let's start with the finance one. What are some of the trends or challenges that you saw that are sort of shaping the way that this FRIP space is evolving and maybe some of the way they're being used?

Fraud trends in finance: scams, account takeovers, and synthetic identities

Well, you know, especially in the finance world, scams make the headlines and they're very problematic. I mean, just talking with people, occasionally I tell them what I might be working on. Everybody's got a story about a relative or a friend or somebody that they know that's been scammed out of a lot of money online. So I think on the finance side now, depending on the jurisdictions in which you live and operate, you know, some areas are putting much more responsibility on financial institutions for trying to help their customers stop these

scams from happening. So that too takes some pretty complex technology in order to be able to detect that and then present options to the potential victim about whether or not they want to actually authorize a transaction. So scams, of course, are big news and a big problem. But you still see lots of ATO, account takeover, attacks and you know, they're just trying to get your account so they can get

money or something worth money. Now there's new account fraud, various forms of new account fraud, where again, it could be like a presentation time attack where you try to use, let's say the fraudsters picture to get access to a legitimate bank account or some other account. There's synthetic fraud where you try to take realistic looking but not quite real information and assemble an account so you can open an

account somewhere. So yeah, banks, financial institutions are dealing with lots of different kinds of fraud, all of which, you know, can result in big losses for not only the banks and FIs, but their customers as well. Yeah, and it seems like at least here in the US, I think at this point, everybody's Social Security number has been stolen or been part of a breach. So, you know, that used to be sort of like the unique identifier you could trust.

But you know, we're moving away from that thankfully. But it's things like that, right? It's hey, the data is out there. So now it is incumbent on really everybody to be vigilant. But at least here in the US, it seems like there are some stronger laws or maybe some stronger in industry viewpoints or say, OK, we need to kind of

band together to fight this. Do you see at least in the financial space, do you see like a shared signals type approach where it's like, hey, if one bank or financial institution sort of detects an issue, are they sharing information or is it because they're all using maybe a consolidated source that they're all kind of benefiting from that like it? I guess my short question is, are these financial institutions working together to prevent fraud or are they going it alone?

Information sharing and the role of shared signals

Well, they're not really going alone. I think ultimately this shared signal framework thing is a great idea and it's going to get more traction. But one of the features of some of the leading fraud reduction Intel platform vendors is that they aggregate information amongst their customer base and then share that, you know, to help prevent attacks throughout their customer base. And yeah, there are quite a few that are heavily invested in the financial industry. So they are on a more limited scale sharing some of this information about fraudsters amongst themselves through their

FRIP service provider. But I think, yeah, eventually where we need to get to is a more open framework where we can share signals. But I think we're not there yet. Maybe I'm just thinking too much of like, you know, mob movies in Vegas where, you know, the person comes in to scam the casino and then all of a sudden all the casinos are aware of, you know, Jim coming in counting cards. Sorry, Jim, to pick on you.

But like, you know, that sort of like, hey, we've got a known vector, right, a threat here. Let's make sure that these institutions are all sort of on the same page. Of course, there are other information sharing arrangements out there and I think they've probably been somewhat successful, but there's still always room for improvement.

I think kind of that scenario that you just talked about, you know, especially if it's a smaller company, I don't imagine that they have that big of a picture of like what the fraudulent accounts are. If they can get information from Google, Facebook, Microsoft, the big identity providers in the world, that would be a game changer. And I would love to see the industry as a whole stop looking at security and fraud as a competitive advantage.

Like, oh, we're the biggest, we have the most logins, so we have the most visibility and start looking at it as like for a common good being able to, you know, I see Jeff laughing like, like for the good, like. Common. Good. Like I'm speaking a different language or something. I mean, you can't make money off that, so come on, like. I'm a capitalist by the way, so I'm not trying to say that, but like, you know, we have hospitals and we have. I mean, that's like a

real world example.

Collaboration vs. competition in fraud prevention

But what I'm saying is like even people in the identity industry, like 2 identity leaders from competitors, like 2 banks that compete with each other. I've seen it in the real world where they talk shop, they talk about what they're doing because you getting hacked doesn't like make my bank like more attractive. It actually just makes the whole industry suffer. So I just kind of feel like organizations should stop like taking this data and thinking like, oh, we're going to use that for our competitive advantage. I don't like that. That's my two cents. That's my rant, rant #2. Well, you know, thinking about banks, I know a lot of people in the banking industry talk about the reliance on still mainframe technology, COBOL written programs and trying to figure out how to plug this kind of information in I think is challenging because each company is different how they built

their systems. They may use home grown code, they may use, you know, core banking applications made by vendors from years ago. So how do you integrate the signals that you may be getting in an ideal world such that it can be of use at runtime? Well, it becomes a major rewrite of the way that authentication or risk calculation works with an organization, right? It's at that point you kind of have to treat those as data sources, not as the system that

is performing the risk check. So you end up in this, you know, catch 22. It's like, OK, you know, do I, you know, do I have this mainframe sitting in my basement and I don't have anyone who can maintain it or I'm going to lose those people who can maintain it sooner, whether it's because they age out of the workforce, they die somewhere else, right? There's a bunch of reasons like they're going to, you have to start planning for that shift

over. And so it's like, OK, when do we bite the bullet and say, guess what, guys trying to modernize the way that we approach authentication and as part of the authentication, that means risk. So how do we do things like identity verification?

How do we take all the different signals within our own environment and from our external signals coming in to really modernize the way that, you know, we do this login so that, you know, Jim doesn't have to have a nightmare scenario logging in right to his new device, right? Or me if I forget my Bitwarden password and all of a sudden I'm another person going through the unhappy path of I've got to call someone and then that's where attacks also go

after, right? Most attacks are you're getting socially engineered, you're getting phished. Your help desk would already be, guess what, they need risk signals as well. So things like identity verification to reduce fraud. So I don't want to lose sight of the fact here that like this fraud reduction we talked finance, but there's a lot of like entry points for this, right? It's not just like a signal

behind the scenes. It's is this really John I'm talking to or is this AI version of John right that's trying to scam me. That is also I think part of this equation. And I don't know if that's necessarily it definitely is finance, but maybe it's also part of the e-commerce world where, you know, maybe it's more consumer focused. And I know there was a second

report that was written on that. And so my very long winded question is, OK, so we went from one end on the finance and now we're talking about sort of like the end user experience of fraud and e-commerce companies or at least companies that have an

Fraud in e-commerce: bots, loyalty points, and returns abuse

e-commerce component, also need to address that. So why write a second report? What's different about e-commerce that's like, OK, we need to focus on specifically this versus finance in general? Well, again, I think the use cases are quite different. You know, where banks, financial institutions are really concerned about, or having to do, AML compliance, know your customer, do that name watch list screening, and they generally have higher levels of requirements for identity assurance.

So there's a lot of emphasis that gets put on that. On the e-commerce side, you know, there's a whole different set of attacks that they face, and just think about how we interact with online shopping services ourselves. They can be concerned about many, many different kinds of bot-driven attacks. You know, think about ticket scalping bots, bots that go out and, you know, try to download all the information that's available on a website.

There can be other cases where you've got bots that are out there generating comments, generating fake reviews that might affect the whole e-commerce experience. And then they have policy abuse. They have to worry about things like we've probably all encountered, you know, do you want to log in or do you want to check out as a guest? So guest checkout policy abuse, returns, chargebacks, loyalty programs.

You know, frequent flyer miles is a good example, because so much money is sort of tied up in loyalty programs of all sorts of different kinds. So, you know, trying to gain access to somebody's account so you can drain those loyalty points and use them elsewhere. These are things that are a little bit different than what banks have to face.

So that's why I thought it would be better to break this into two, where I could in the first report put a little bit more focus on the name watch list screening and identity verification versus, you know, looking for more thorough bot detection and more granular bot management capabilities for the e-commerce report. Yeah, I can't find any holes in the argument. Like, those seem to be the top two focuses for most fraud, but I can think of two others.

So one is the other C in CIAM, the citizen, you know, especially for state actors to go in and commit fraud, but I'm sure there's other use cases as well. And then the other one that I thought of, which I thought is a growing one, is streaming services or any kind of subscription services where people want to share their

Streaming and citizen fraud use cases

account with other people. So I guess, you know, that's just kind of like me thinking through it. Have you given thought to additional reports to write, or do you think there's just not enough meat on the bone? I think those are two really good use cases. Yeah, definitely two different areas of focus. The citizen angle, yeah. I mean, harkening back to the pandemic, that happened a lot, you know, when the Paycheck Protection Program was going on and a lot of state unemployment

agencies were hit. I'm sure if they'd had some fraud reduction technology in place, it probably would have saved taxpayers a lot of money. Many of these kinds of use cases can be addressed by, well, in the case of, like, unemployment insurance, if you were using better identity verification. So a lot of the same vendors that appear in both reports probably would be able to help cases for, like, G2C, government-to-citizen interaction, and then the streaming services too.

That's... I do try to address that a bit on the e-commerce side. That's a very good and interesting point you make there about people who do try to share accounts and then the streaming services who don't want you to do that, with good reason. Yeah. And so I was, you know, asking about, you know, whether or not it was worthy of a paper.

But another angle is just kind of like, it seems to me like there's some form of those six capabilities that almost every industry that is on the Internet needs. And I'm kind of wondering also, you know, when you're going through these capabilities, it seems to me there's, like, I'll use the term poor man's version of a lot of those built into IdPs, for example, or, you know, other CIAM technologies where

Where do FRI capabilities fit within IAM platforms?

it's like, you know, is that really the decision that organizations need to make? Like, oh yeah, I'm buying this system to do my authentication. Is that good enough, or am I good enough just to use their layer of fraud protection? Are you kind of looking at that when you're considering the e-commerce, or is it just looking at, like, what are the add-ons that you can get on top of your IdP?

Mostly looking at what are the add-ons, because, yeah, let's say you're an e-commerce vendor, you're going to be accepting logins from lots of different IdPs. And it's not just the login information or what the IdP knows about the person who registered their account with that IdP, maybe many years ago, but what else do you know about that account right now? You know, going back to the streaming thing there, that's where device intelligence comes into play.

So what do you know about the device? Are they watching on their phone? Are they watching on a smart TV or set-top box? All those things have device IDs and that can be part of the overall risk equation. Same thing with how you present to an e-commerce site. Sure, you might log in with your regular e-mail address. You've made an account there, but are you authenticating that yourself, or are you relying on the IdP to do the authentication?

And what other information do you want to collect about that user at that particular transaction time that may not be available to the IdP? Yeah. I'm kind of wondering also, you know, when it comes to these kinds of investments, it always comes down to dollars and cents, right? And so maybe if you don't have the money or you can't make the business justification, buying an add-on isn't something that you even consider. But if you have enough money to add on, I think the answer I'm

going to get is, it depends. But John Tolbert, here's the million-dollar question: like, where do you put your money? What's the order of importance? Where do you get the biggest bang for your buck in terms of risk reduction and the different types of FRIP capabilities? Wow. I guess that's why you've got to know your own business. You know, understanding the threats that you've already faced and where you think they're going to be coming from.

I think across both finance and e-commerce and any others, four of the six are pretty commonplace and you're going to need, you know, some combination of those pretty much at all times. And I guess I would say device intelligence is really, really important, user behavioral analysis. I mean, because if you just do one without the others, then you're still leaving an awful lot of attack surface at that point.

So knowing about compromised credential usage, if somebody's had their credentials leaked out on the dark web, that's certainly important. You'd certainly want to increase your risk score because of that. If you're in a place where you really need higher identity assurance levels, then identity verification is going to be more important. So I don't think I could give

like a one-size-fits-all answer. It really depends on what business you're in and understanding the threats that you've faced before and how to most effectively reduce those. I think that's a great answer, John, because everybody is going to say it depends. The consulting answer, right? Where are you? Where do you need the most help?

Because not everybody is on a playing field where it's like everybody's starting at zero. You might already have some capabilities in place and you have to kind of start from wherever. That's no different whether we're talking fraud or we're talking an IGA deployment or a privileged access deployment or

authentication just at large. So I'm curious, when we talk about these capabilities, you talk about, like, identity proofing and verification, credential intelligence, device intelligence, behavior analytics, right, bot detection, right, kind of all these different things. Where do those capabilities tend to fit? Jimmy, you kind of alluded to the authentication platform of the IdP, but talk to me a little bit about, like, where do you see

these coming in? Because I don't think it's just one product that does all this, right? It's a mesh of things that need to kind of provide the full solution set to have an effective fraud reduction intelligence platform. Again, I think it sort of depends on what you've already got. I mean, if we go back to the bank situation, a lot of banks have already written their own fraud detection routines and they're running that alongside their other banking

application. So maybe they just want to get better identity verification. In that case, you might just look for discrete identity verification services, or if you're looking to sort of totally upgrade all of your fraud prevention capabilities, then, yeah, you might want to look for a platform that has some of all of it. And then many of these can be augmented. You know, it's more of an ecosystem kind of thing.

So you will find that even in this FRIP space, there are partnering arrangements amongst the vendors. In some cases, like I was talking about with behavioral biometrics, some of the other platforms will OEM in the behavioral biometrics piece and use that, or they may have, you know, contracts with other service providers so that they're bringing in, say, device intelligence feeds or IP reputation information from third-party sources.

So it really is an ecosystem, and which one do you want to be your front end if you're trying to augment your own fraud detection capabilities? It's again very specific to the organization that needs it.

So for this to work effectively, there's got to be some sort of, like, automation or integration, and I'm thinking of, you know, larger platforms that tend to be within, you know, a large organization that might need this type of solution, something like an identity governance solution. So I'm thinking of, like, a SailPoint or a Saviynt, or maybe a privileged access management solution like a CyberArk or Delinea or BeyondTrust, right? Those are just kind of leaders

sort of in those spaces. Is that where, you know, the

The importance of orchestration and integration

information sharing between your fraud platform is saying, hey, not only don't authenticate, but kick over this thing into your IGA platform or your PAM platform to do some sort of thing? Like, there's got to be orchestration that takes place behind the scenes, right? Like, what does that orchestration layer look like and where does it come in? Like, what is the driver for that? Is it the risk platform, or is it just a signal and somebody has to do something about that

signal? I'm glad you used the O word. It's a very hot topic everywhere in identity, orchestration. Many of the platforms that I looked at do have really good orchestration capabilities, and I think that's key to making it adaptable to what, you know, many organizations already have. So you probably already are using, let's say, for example, an IP reputation or a device reputation service and you just want to sort of plumb that into

your flow. You do need a good orchestration engine and a good, you know, graphical workflow designer, ideally, to help you figure out how to do that just right. That is something that I think is pretty much absolutely required, the ability to orchestrate amongst existing

services that you might use. And then also, you know, a year from now, two years from now, after you do this implementation, you might find you want to swap out and use a different point solution for an intelligence source.

The role of AI and ML in fraud prevention

John, it wouldn't be an episode of Identity at the Center if we didn't bring up AI. So, I mean, obviously AI is touching everything, and it's touching it so fast, and it's changing the game where, you know, new vendors spin up solutions and they can do things that the vendors that are the incumbents and have been doing this for a dozen years can't do. Where do you see the impact when

it comes to FRIP? I mean, are you seeing it already with, like, vendors starting to use AI to multiply what they can do? Yes. I mean, I guess it depends on what we mean by AI. I mean, ML has been around for a long time. It's sort of the silent hero in the background that's been helping us in multiple areas of cybersecurity for, you know, more than a decade. And that's very true in the fraud reduction space.

You think about the numbers of transactions that are going through, you know, any customer-facing organization and then all the different data points that they have to analyze around, like, identity analytics. ML is a big help right there, just because there's such a large volume of data. You need something to be able to look for anomalies, look for normal traffic, classify it, and then, you know, alert the human fraud analysts to go take a look at it.

So ML's been around for a while and it's doing a great job. I think when it comes to GenAI, I see some implementation of GenAI, like in the fraud analysts' interfaces. I think that can be very helpful. But I'll say the same thing about that as I did for, you know, cybersecurity solutions that are starting to embed GenAI, and that's, I'm curious about who's doing the quality assurance on the output there. Because, yes, you can take in a

big amount of data. You can have it create a narrative to feed to a junior analyst to get them to be able to take a, you know, a particular action. I think it would be nice to understand what the level of quality is on the output of that. Some are also working toward allowing business people to write policies in, you know, what we would call natural language and then turn that into a machine-executable language. I think that's ongoing in some areas too.

But I think the biggest area, of course, where AI has had an impact on fraud is helping the fraudsters themselves, unfortunately. Yeah, that is the unfortunate punchline to every one of these discussions. You know, I always want to make sure that we're coming away with

Smart questions for evaluating FRI vendors

actionable tips for the identity practitioner. So in this case, I'm thinking the identity practitioner that is evaluating some of these FRIP platforms. And I think with as much whiz-bang stuff as there is here, it's easy to kind of, like, get lost in some of the glitz and glam. But what I'd want you to help with would be, like, what are some things that people need to make sure they're asking when they get a demo of a solution?

How do they ask smart questions that are going to get to, yeah, these guys can really, you know, nail my use case or not? That's a good question. I can just think of the questions that I'd like to ask the vendors themselves, and I really want to understand what part of the solution are they contributing themselves and where are they depending on others, you know. And this is bigger than, let's say, a use-of-open-source-code kind of question.

But if your solution is depending on, let's say, a third party for behavioral biometrics or some third-party service that collates dark web intelligence, then I think having that information transparently presented is very useful for somebody that's looking to buy a platform, buy access to a platform. Do they have SDKs is another one. You know, many organizations are trending toward, you know, going completely API-driven, but there are lots of different SDK environments.

And maybe if you're in an organization that's already built, let's say, a big, you know, web presence and you've got mobile apps that you're really proud of and you're happy with the SDK environments, make sure that whatever you're looking for supports all of that. And then trying to get information about false positives is always very useful. Trying to get objective information about false positive rates and what techniques do

they use to help mitigate that. And in a few very rare cases, there are a couple of these vendors out there in the fraud reduction space that offer things like warranties or chargeback guarantees. So if that's important to your organization, I'd say ask about that, because it can save you

money in the long run. I don't want to get into the financial implications of a chargeback, but, you know, hopefully it's not something where it's like, OK, it's a nickel per check, we will refund you that nickel that said that this transaction of $5,000,000 was, you know, a low enough risk that you could ignore it. I'm going to assume that there is some better contract structure around that. Most likely, yeah. Well, John, it's been a great conversation.

Concert talk: Pink Floyd, Metallica, and the ones that got away

I want to wrap things up with a little bit of music talk here. So we were talking yesterday as we were kind of getting prepped up for this and you mentioned you've been to a couple of concerts recently. And one of the things that I want to find out from each of you is, what is a musical act, band, you know, performance artist, whatever you want to

call it, right, that you have not seen yet in person, but you would absolutely, you know, go out of your way, like it's your Mount Rushmore of this is the person that I want to see, or band or group or whatever. Like, what do you most want to see? Well, what I would have liked to have seen would be Pink Floyd. I've seen Brit Floyd a number of times and Aussie Floyd a number of times and they do a great job. But I think it would have been nice to see the real Pink

Floyd at least once. So why Pink Floyd? Is it The Dark Side of the Moon? Or is it you just celebrate their entire catalog and you just want to be part of it? Oh, I think I like it all. Yeah, I like it all, from the early days through the Gilmour-only era.

You know, in general, I'm a fan of progressive rock and everything that came afterwards, so I've gotten to see most of the progressive rock bands that I like, but not the real Pink Floyd. But not a grunge fan, as I established yesterday, and being from Seattle. Yeah, not so much. So I'm a big, like, Alice in Chains fan and, you know, Nirvana, Pearl Jam, like that kind of stuff. But I've got... there's so many different things that go with this one.

Let me think about this for a second. Jim, what about you? Like, who is the band or artist or whoever that you would love to see in person that you have not yet? Well, I feel like I have to comment on Pink Floyd, because Pink Floyd, like, Dark Side of the Moon is such an epic album, and I listened to it the other day. It's like, if you get into a long drive in your car, just tell Siri, play Dark Side of the Moon album. And it is just like 45 minutes of insanity.

And I didn't have a chance to go see them in probably the early 90s or late 80s. But at that time, it was like $300 a ticket. And it was already, like, insane. And, you know, they were known for putting on a huge show with, like, laser lights and everything, all the stuff they used to do at concerts that was, like, so cool. And you look back at it now versus what they have at concerts today, and it's like a joke. It looks like you're watching your grandparents' TV or something.

So, OK, so Part 2 of what I wanted to say. So there were two bands that I really wanted to see that I'll never get to see now. And I should have just pulled the trigger when I had the opportunity. Grateful Dead with Jerry Garcia. So I wanted to see them actually the summer that he passed away. And I didn't, like, have tickets or anything, but it's like '94-ish, '95. And then Nirvana, right before Kurt Cobain passed away, he actually did Lollapalooza number one. I went to Lollapalooza number two, or not?

What's the Lollapalooza? I think so, yeah. Lollapalooza. Anyway, I didn't get to see Nirvana, or... I've gone to a lot of concerts, a lot of concerts, hundreds of concerts. So I've got two that now. This is Part 3. This is the direct answer to your question. So one that probably everybody can understand would be Metallica. I missed, like, going to a real-deal Metallica concert, but I would

still go to see them. I'd still pay the 300 bucks to go see them live, even though I know it wouldn't be prime Metallica. And then a current act, which I very well could easily get to, is Post Malone. But it's, like, one of those things, like, that's why I didn't go to see Nirvana. It was like, I'll definitely get to see them. I'll just wait till next summer. Next summer might never come, so. Just watch on YouTube. Well, that's... I've got that for life, man.

I can see Jerry Garcia on the YouTube all the time, all day long. So this was a chance to make John jealous, because you saw Pink Floyd live. I've seen Metallica twice, at least twice, live. So now I can make you jealous. And they put on a great show. I saw them in the early 2000s, late 90s. I think it was the Load/Reload album tour that they were on. So it was great. Saw them at the Rosemont Horizon in Chicago. Now it's called, like, Allstate

Arena or something like that. And I saw them at Lollapalooza when they did that, I think it was like '97. So I've seen them live a couple of times. A band that I have not seen that I would love to see, but it's probably too late, and I would like to have seen them maybe a decade ago, is Megadeth. I'm a huge Dave Mustaine fan and I think the guy's just a brilliant guitarist, and I would love to see prime Dave Mustaine out there, just wailing, baby. That's what I want to see and hear.

And now I'm going to listen to Megadeth after I'm done, while you work on editing this, the show. That was... you know, another one that I could have gone to see in the 80s was the Rolling Stones, like, already way past their prime. The funny thing was, I mean, they were touring as of, like, within the past decade. I think it's like just a few years.

Definitely you missed. You can watch the AI version of it. You know, there's the holograms that people are doing now for some of these shows. Like, you know, it's an interesting world we're living in now from a technology standpoint, where we have recordings, right, audio now, we've got Beta recordings. And now we're serving this next generation of, like, yeah, what's stopping somebody from making a virtual version of any of these acts and doing something brand new with it?

I think that's part of the battle, right, that a lot of, like, artists are having right now, is how is their name, likeness and content going to be used in the future after, you know, they've moved on. Have we ever asked? And maybe we'll just do it real quick. What's the first concert you went to? First concert for me was the Offspring, 1994, the Smash album, at the Aragon Ballroom, downtown Chicago. What about you, Jim?

Harry Chapin. My parents took me when I was a little kid. OK, well, that explains a lot, yeah. What do you think, John? What's your first concert? First concert was Yes, and I went up to see them about 30 times altogether over the years. So, definitely a Yes man, yeah. Definitely. Yeah, I'll never forget that first concert. It's such a great, I don't know, memory, I think, for everybody, right, no matter who you go to see. Maybe, I don't know, Jim, I don't

know about you. Maybe. I don't know if you're a fan. It was a great, great experience and I'm like, what's that smell? Never mind, Jim, never mind. Don't worry about that, little Jimmy. All right, let's go ahead and wrap it up for this week.

Wrap-up and where to find John Tolbert's reports

John, thank you so much for coming back. Looking forward to seeing you in Berlin in 2026, hopefully, at the European Identity and Cloud Conference. Right now, Jim and I are planning to be there. Hopefully you'll come back sooner than in four years.

Maybe as you put out some new research and things like that, you'll come back and kind of update us so we can, you know, tease people to go out and get the report and kind of, you know, see what's in that big brain of yours that you're willing to share with the Internet at large.

I'll have links in the show notes for people to connect with you on LinkedIn. I'll have links to both reports, the e-commerce and the finance version of the Fraud Reduction Intelligence Platforms report from KuppingerCole. And then for Jim and I, connect with us on LinkedIn, like and subscribe to all that stuff. For us, that helps us grow the channel, get great guests like John and others to join us and spread the gospel of IAM and Identity at the Center.

So with that, we'll go ahead and leave it for this week. Thanks, everyone, for watching and/or listening, and we'll talk with y'all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.
