How 20th century check fraud is helping prevent 21st century data theft

How do you prove you are who you say you are? That might seem like an easy question to answer, but in a world where your most personal private information can be harvested from your credit agency or social networking account, that ease is a problem. Fraudsters and criminals can also prove they’re you, using surprisingly little information.

That’s the puzzle Ori Eisen is hoping to solve with the Trusona password-free authentication system. It offers middle-man validation services to companies all over the world, in hopes of improving the protection of everyone’s digital data. He’s using the expertise of 20th century fraudsters like Frank Abagnale, famously depicted in the movie Catch Me If You Can, to shore up our modern digital defenses against classic social engineering tactics.

Digital Trends: Frank Abagnale is probably known by most as the subject of the 2002 movie Catch Me If You Can based on his escapades in the ’60s with check fraud and impersonation. How did you two become involved together?

Ori Eisen: The short version is that while I was working for one of the largest credit card companies, I was asked, in addition to my internet responsibilities, to learn all about counterfeiting of cards, which I didn’t know anything about. There’s no book or university degree on that subject, so I asked, who can teach me? The name Frank Abagnale came up again and again, it’s just that he doesn’t take new students.

I begged him for months and months to meet me and help me because through me he could help curb crime because I would take his knowledge and go and beat the bad guys. Eventually he agreed to the meeting and we’ve been working together ever since.

Digital Trends: Although today Abagnale operates a consultancy firm, his expertise comes from a time when computers were incredibly rare and incomparable to the digitally-enhanced world we enjoy today. How is his input useful in the modern age?

The word “Trusona” is a fusion of True and Persona and in order to know who the true persona is, you have to go through a process called identity proofing. First let’s establish who you are as a person [because…] there is no authentication without identity proofing. How can I authenticate it is you if I don’t prove it is you to begin with?

Frank is really good at helping us think through in that moment when you conduct identity proofing, how to spot a fake document. How a bad guy would replace a picture of Frank with a picture of Steven Spielberg. How would you beat the certificate or how would you beat the black ink on the document or all the fine microprint. He really knows a lot about those documents because governments use them in that process.

In the journey of devising a way to find out who the true persona is, in many cases where we would have come up with a solution, he basically showed us how you could beat it very easily. So it was like playing chess until you come to the point where he could not beat what we were doing.

Digital Trends: What kind of systems did you develop that were protected against the kind of social engineering attacks that Frank Abagnale is so effective at implementing?

When Trusona debuted, we launched with a curve that says what are you trying to protect, and that is the level of service we provide. In all of them, there won’t be any kind of password.

Different service levels require different levels of reveal. Our basic level, called “Essential,” is only asking you to provide an email address that we send an email to verify you indeed have access to it. There’s no documents involved, no pictures, nothing like that. That can tie you to an account, for media streaming or similar. Because it’s good enough. It still uses our anti-replay technology, so that even if bad guys were listening in to it, they couldn’t reuse it.

Our next level is “Executive.” That level says, ‘ok you can still be in your house, but in addition to your email, I want you to scan remotely, either a passport or a driving license.’ It’s not Trusona telling you to do it, we’re only completing the request of our partners. So, you’re trying to do something with your bank or to do something with your healthcare, and on their behalf we do it. Trusona does not store any of this data, because we don’t want to become the next hot potato for a bad guy.

The third level is called “Elite” and it asks you for an email, and to scan your document remotely, and to show yourself up in person. We only ask you to do that once, to connect you to a very strong credential. It’s not that every time you need to take a selfie or video, because that’s the only level that an underwriter will insure. It’s not for mass market, it’s for unique situations, but that is the only way to know the true persona, which is what our business is all about.

Digital Trends: What about the growth in deepfakes and AI-driven video manipulation software that makes it possible to create lifelike video and images of people on the fly? Does that pose a threat to your “Elite” level?

Companies like Adobe released the equivalent of Photoshop for live video. It can imitate voice and face […] To go beyond that, you would have to begin with in-person identity proofing, meaning I need to meet you in real life, and with your documents, to establish that it’s you. You cannot do it remotely. But not every use case requires that. It really depends what you’re trying to protect. If HBO wants to allow you to watch a movie, they don’t need that level of security. But if Goldman Sachs wants to move $50 million for Steven Spielberg, they might need that level of security.

Digital Trends: Did you ever have Frank Abagnale try to social engineer Trusona employees?

In order to become the world’s first authenticated company – nobody else has taken these steps, because it’s not simple — we have to first protect our own data from our own employees. What if you kidnapped one of them and told us ‘I’ll only release them if you give me access to the keys?’

Right from the get-go we spent a year in stealth mode and designed a system that even if you put a gun to my head I can’t help you. That includes our head of engineering and everyone else who built the system, because I explained to them, in order to protect the world from the bad guys, we can’t be the weakest link in the chain and they understand. That’s why we have to take very special people to sign up to this mission.

We also don’t store any hot potatoes. If you hacked us today, and we’ve done a lot of pen tests with different companies, all you get is a one-way hash of data. If I took your email, it’s a one-way hash. If I took anything about a transaction, it’s one-way hashed, so you can never revert it back to the data because we don’t know what the raw value is.

If we were hacked by a nation state, which I expect to happen any day now, they would find something that was useless. We announced our insurance on May 6, 2016 – two years ago. Ever since, 13 percent of our web hits are coming from Russia. And we don’t have a single customer there, we don’t have a single salesperson there. That’s a lot for people we aren’t doing business with!

The third is training. I can tell you that even our support guy, who takes support calls […] we train them to take calls from people like ‘Donald Trump.’ We are very adept at faking phone calls and making it look really legit, to make it seem like the president is calling you. We know how to do that because we are hackers. It’s the steps, the questions, not just saying yes to everything, that makes us as strong as we can be. Because we realize that the more pervasive we become, we are ourselves becoming a target.

Digital Trends: What about legitimate demands from government agencies? Is Trusona data protected from the real Donald Trump?

We have had many dealings with three letter agencies, but the design is such that I can’t do it, even if you wanted me to. I don’t know what the data is. You can subpoena me today, and tell me to give you all the data on [a client]. Ok I’ll get the subpoena and I’ll reply if you can tell me which ones of our records are theirs, then you can have it, but I don’t know.

Digital Trends: One of the most talked about digital systems in recent years has been blockchain technology. Today it’s used by governments and organizations to protect the veracity of data. Is it an effective tool for improving privacy and data protection too?

Blockchain technology is one of the most amazing inventions of our time, hard stop. However, many people make the link that if it’s mathematically correct they are immutable in real life and that’s where Frank Abagnale will just laugh at you.

If I make a fake document of Jon Martindale and I go to a bank and apply with it and they put it into a blockchain, by the time you will figure out that it wasn’t you and you’ll try to undo it, how will you expunge it from the blockchain? It’s the “GIGO” principle, garbage in garbage out.

Making a technology that’s mathematically perfect is wonderful. I actually think that everyone who buys a house should have it on a blockchain so you can never lose your house. There’s a lot of good applications for that, but to say that that will solve the core identity problem is a falsehood. The problem was never about how to store the data, it was: How do I know who is who in the zoo?

Digital Trends: With so many major hacks and data thefts taking place, it’s easy for people to feel powerless in protecting their data. Do you have any security recommendations for our readers that they can use to help protect themselves?

There is a very simple tip I’ll give them. Until we live in a world with no passwords, my only advice is change your passwords. It doesn’t cost you anything. Even if passwords were stolen yesterday, changing them is like changing the lock on your door. For the most important things in your life, your bank, your healthcare, put a calendar entry and every month, every quarter, at a minimum once a year, change your passwords. The fact that we are creatures of habit is working against us.
