How do you prove you are who you say you are? That might seem like an easy question to answer, but in a world where your most personal of private information can be harvested from your credit agency or social networking account, that ease is a problem. Fraudsters and criminals can also prove they’re you, using surprisingly little information.
That’s the puzzle Ori Eisen is hoping to solve with the Trusona password-free authentication system. It offers middle-man validation services to companies all over the world, in hopes of improving the protection of everyone’s digital data. He’s using the expertise of 20th century fraudsters like Frank Abagnale, famously depicted in the movie Catch Me If You Can, to shore up our modern digital defenses against classic social engineering tactics.
Digital Trends: Frank Abagnale is probably known by most as the subject of the 2002 movie Catch Me If You Can based on his escapades in the ’60s with check fraud and impersonation. How did you two become involved together?
Ori Eisen: The short version is that while I was working for one of the largest credit card companies, I was asked in addition to my internet responsibilities, to learn about all about counterfeiting of cards, which I didn’t know anything about. There’s no book or university degree on that subject, so I asked, who can teach me? The name Frank Abagnale came up again and again, it’s just that he doesn’t take new students.
— Ori Eisen (@orieisen) December 7, 2017
I begged him for months and months to meet me and help me because through me he could help curb crime because I would take his knowledge and go and beat the bad guys. Eventually he agreed to the meeting and we’ve been working together ever since.
Although today Abagnale operates a consultancy firm, his expertise comes from a time when computers were incredibly rare and incomparable to the digitally-enhanced world we enjoy today. How is his input useful in the modern age?
The word “Trusona” is a fusion of True and Persona and in order to know who the true persona is, you have to go through a process called identity proofing. First let’s establish who you are as a person [because…] there is no authentication without identity proofing. How can I authenticate it is you if I don’t prove it is you to begin with?
“There is no authentication without identity proofing.”
Frank is really good at helping us think through in that moment when you conduct identity proofing, how to spot a fake document. How a bad guy would replace a picture of Frank with a picture of Steven Spielberg. How would you beat the certificate or how would you beat the black ink on the document or all the fine microprint. He really knows a lot about those documents because governments use them in that process.
In the journey of devising a way to find out who the true persona is, in many cases where we would have come up with a solution, he basically showed us how you could beat it very easily. So it was like playing chess until you come to the point where he could not beat what we were doing.
What kind of systems did you develop that were protected against the kind of social engineering attacks that Frank Abagnale is so effective at implementing?
When Trusona debuted, we launched with a curve that says what are you trying to protect, and that is the level of service we provide. In all of them, there won’t be any kind of password.
Different service levels require different levels of reveal. Our basic level, called “Essential,” is only asking you to provide an email address that we send an email to verify you indeed have access to it. There’s no documents involved, no pictures, nothing like that. That can tie you to an account, for media streaming or similar. Because it’s good enough. It still uses our anti-replay technology, so that even if bad guys were listening in to it, they couldn’t reuse it.
Our next level is “Executive.” That level says, ‘ok you can still be in your house, but in addition to your email, I want you to scan remotely, either a passport or a driving license.’ It’s not Trusona telling you to do it, we’re only completing the request of our partners. So, you’re trying to do something with your bank or to do something with your healthcare, and on their behalf we do it. Trusona does not store any of this data, because we don’t want to become the next hot potato for a bad guy.
The third level is called “Elite” and it asks you for an email, and to scan your document remotely, and to show yourself up in person. We only ask you to do that once, to connect you to a very strong credential. It’s not that every time you need to take a selfie or video, because that’s the only level that an underwriter will insure. It’s not for mass market, it’s for unique situations, but that is the only way to know the true persona, which is what our business is all about.
What about the growth in deepfakes and AI-driven video manipulation software that makes it possible to create lifelike video and images of people on the fly? Does that pose a threat to your “Elite” level?
Companies like Adobe released the equivalent for Photoshop for live video. It can imitate voice and face […] To go beyond that, you would have to begin with in-person identity proofing, meaning I need to meet you in real life, and with your documents, to establish that it’s you. You can not do it remotely. But not every use case requires that. It really depends what you’re trying to protect. If HBO wants to allow you to watch a movie, they don’t need that level of security. But if Goldman Sachs wants to move $50 million for Steven Spielberg, they might need that level of security.
Did you ever have Frank Abagnale try to social engineer Trusona employees?
In order to become the world’s first authenticated company – nobody else has taken these steps, because it’s not simple — we have to first protect our own data from our own employees. What if you kidnapped one of them and told us ‘I’ll only release them if you give me access to the keys?’
Right from the get go we spent a year in stealth mode and designed a system that even if you put a gun to my head I can’t help you. That includes our head of engineering and everyone else who built the system, because I explained to them, in order to protect the world from the bad guys, we can’t be the weakest link in the chain and they understand. That’s why we have to take very special people to sign up to this mission.
“[We] designed a system where even if you put a gun to my head, I can’t help you”
We also don’t store any hot potatoes. If you hacked us today, and we’ve done a lot of pen tests with different companies, all you get is one way hash of data. If I took your email, it’s one way hash. If I took anything about a transaction, it’s one way hashed, so you can never revert it back to the data because we don’t know what the raw value is.
If we were hacked by a nation state, which I expect to happen any day now, they would find something that was useless. We announced our insurance on May 6 2016 – two years ago. Ever since, 13 percent of our web hits are coming from Russia. And we don’t have a single customer there, we don’t have a single sales person there. That’s a lot for people we aren’t doing business with!
The third is training. I can tell you that even at our support guy, who takes support calls […] we train them to take calls from people like ‘Donald Trump.’ We are very adept at faking phone calls and making it look really legit, to make it seem like the president is calling you. We know how to do that because we are hackers. It’s the steps, the questions, not just saying yes to everything, that makes us as strong as we can be. Because we realize that the more pervasive we become, we are ourselves becoming a target.
What about legitimate demands from government agencies? Is Trusona data protected from the real Donald Trump?
We have had many dealings with three letter agencies, but the design is such that I can’t do it, even if you wanted me to. I don’t know what the data is. You can subpoena me today, and tell me to give you all the data on [a client]. Ok I’ll get the subpoena and I’ll reply if you can tell me which ones of our records are theirs, then you can have it, but I don’t know.
One of the most talked about digital systems in recent years has been blockchain technology. Today it’s used by governments and organizations to protect the veracity of data. Is it an effective tool for improving privacy and data protection too?
Blockchain technology is one of the most amazing inventions of our time, hard stop. However, many people make the link that if it’s mathematically correct they are immutable in real life and that’s where Frank Abagnale will just laugh at you.
If I make a fake document of Jon Martindale and I go to a bank and apply with it and they put into a blockchain, by the time you will figure out that it wasn’t you and you’ll try to undo it, how will you expunge it from the blockchain? It’s the “GIGO” principle, garbage in garbage out.
Making a technology that’s mathematically perfect, is wonderful. I actually think that everyone who buys a house should have it on a blockchain so you can never lose your house. There’s a lot of good applications for that, but to say that that will solve the core identity problem is a falsehood. The problem was never about how to store the data, it was: How do I know who is who in the zoo?
With so many major hacks and data thefts taking place, it’s easy for people to feel powerless in protecting their data. Do you have any security recommendations for our readers that they can use to help protect themselves?
There is a very simple tip I’ll give them. Until we live in a world with no passwords, my only advice is change your passwords. It doesn’t cost you anything. Even if passwords were stolen yesterday, changing them is like changing the lock on your door. For the most important things in your life, your bank your healthcare, put a calendar entry and every month, every quarter, at a minimum once a year, change your passwords. The fact that we are creatures of habit is working against us.