Identity Verification in the Digital Age
Posted April 19, 2018
In this episode Frank is joined by Kathryn Petralia, Co-founder of Kabbage. They explore the vulnerabilities of old forms of identity verification, and the importance of developing a new paradigm.
Frank: Welcome everybody to another edition of Digital Identity 360. We’re delighted to have Kathryn Petralia from Kabbage today, she’s the co-founder there, joining us. Welcome Kathryn.
Kathryn: Thanks. Thanks for having me.
Frank: You know Kathryn it’s interesting. We’ve been talking back and forth in prep for the webcast about some of the things we’re seeing as it relates to digital identities and credentialing and so forth. And it struck me this morning coming in to the office, the incessant number of almost daily breaches that we’re seeing and I wanted to touch base with you, what’s the impact you’re seeing in your business generally and maybe the digital commerce world at large as a result of these breaches?
Kathryn: We get asked that question a lot because we have a lot of customer data. We’re a little bit unique in that we don’t have credentials for our customers, our customers give us access to the data they use for their business, it could be checking accounts, it could be their accounting data for processing information shipping, social. And we don’t actually get their credentials, we are participating in this data sharing environment where these APIs and OAuths get access to data. But still we do have sensitive information of our customers and so we take all the usual precautions-
Kathryn: To protect that whether it’s digital security, or access control, encryption, all the things that we’re expected to do. But I think it does make customers a little bit weary and it raises a lot of questions and we spend a lot of time on it.
Frank: Yeah, especially in light of something like the Capitol Hill hearings this week and what’s happening with data in general and I’m sure you guys are going through maybe a GDPR exercise, we are as it relates-
Kathryn: Oh yeah.
Frank: Yeah, so you can imagine, it reminds me of Y2K all over again with all of the stuff we’re going through to get ready. You know it’s interesting what we see, you know we do this cybersecurity report every quarter and we see the impact of these breaches manifesting themselves in identity spoofing. Device spoofing, identity spoofing where the bad guys are trying to open accounts on services like Kabbage. I mean Kabbage performs a great service, you know, capital into the marketplace for business folks. Do you see any of that impact where those credentials eventually try to wind their way into your organization? And obviously somewhat self-servingly, how does ThreatMetrix help you with that?
Kathryn: We see a little bit of effort I think to get into our systems from external forces. And I’m going to say something I don’t really mean. On the one hand you’re sort of like, “Oh man, somebody cares about us,” but on the other hand it’s really terrifying because you don’t want to be at the tip of that spear, so to speak. We are grateful for ThreatMetrix because we really keep a lot of folks out who never really have a chance to try because of all of the data that you guys have and your commitment to help us with that.
Frank: Yeah for sure you know one of the interesting things that we see that’s a mantra around here that the old forms of authentication and identity don’t travel well in the digital world. You and I spoke briefly about social security numbers and some of those real world analog kind of identifiers. Why don’t you speak a little bit to your view on where the future of those identity components are headed.
Kathryn: I’m glad you asked, I have some thoughts on that matter. I think the thing that was frustrating about the Equifax data breach for me was, obviously nobody wants their information out there. The problem with that particular breach was that the information could be used to obtain credit as someone else. And that is because of the social security number. That particular identifier was never intended to be used to verify that information, but now it’s critical for healthcare, for education for other services. And so there needs to be a different way. If giant densely populated countries like Indonesia and India can tackle this identity issue then I think we can do it too and we just need another way to be sure that somebody is who they say they are, and those nine digits just aren’t cutting it.
Frank: Yeah, it’s interesting. There’s two problems I think that we see across our customer base. Number one, the amount of time and effort necessary to test those credentials, I mean the latency’s crazy so you can’t spend six, seven eight, nine minutes reaching out to some of the data source to see if they’re real. Number two, you may not know they’re compromised for months and months and months because someone spoofed the identity and used it. So, we agree with you and really, this is our focus on trying to use digital identities to replace some of those traditional authenticators. To your point, some of the developing countries in the underbanked world, these people are for example topping up their mobile phone every day, they have a good credit history based on activity, but they have no identifiers and that activity and behavior is proving to be just as good an identifier as it relates to credentialing as something like a social might be.
Kathryn: We totally agree. I mean every one of our identities is available for sale for a quarter somewhere online.
Kathryn: I mean it almost doesn’t matter at this point, trying to protect those numbers because you know that they’re there. I think finding other ways to verify identity is really important and it’s not just important for Kabbage, because we want to make sure that we don’t make a loan to somebody who’s not going to pay us back. It’s important to us as a country because we want to verify if the people we don’t want have access to capital and access to financial products, like terrorists and money launderers, those folks are able to get around a lot of these rules because of the way we use social security numbers, so we’re actually thwarting our very own best efforts to protect our country.
Frank: Yeah. Isn’t that interesting. It’s funny you mentioned that, so the government thinks of macro threats, attacks on infrastructure, attacks on the electrical system, the water system. We’re seeing it, ThreatMetrix as your partner and you obviously as an important customer at the micro level where as you said, the way to fund these things is to spoof the identity, spoof the device bring it to an account and use that. It strikes me certainly in the banking world online and fintech in general, that the stakes are much higher because you know, you rip off an ecommerce company, it’s bad, a digital camera walks out of the building but talk a little bit if you don’t mind Kathryn about the impact across fintech in general because I think the imperative to deploy capital so quickly makes it a very lucrative target.
Kathryn: I totally agree and I think people are just now becoming aware of it. I think the advantage that we have in small business lending is that you have to actually demonstrate that you are a business. So, unlike synthetic identity fraud where you can pick up someone’s identity and once you have a good credit score that’s all it takes. You have to have an identity that matches the identity of the business owner and matches the identity of the checking account and matches the identity of the accounting platform or whatever the service that you’re using. So it’s happened where people have actually and it’s sort of like, if you’re familiar with the idea of a bust out?
Kathryn: Where somebody comes in and takes over a business and then buys a bunch of stuff then runs away, so that’s happened a couple times in our industry and we’ve seen it across lenders.
Kathryn: But it’s hard to do because you really have to be able to get access to all of those accounts for that business and that’s challenging.
Frank: Yeah in your world you’re right synthesizing an identity for a business loan is much more difficult than for maybe a personal loan for sure. Well Kathryn we’re delighted at the opportunity to chat today, is there any closing thoughts you want to leave us with about Kabbage, or the industry in general?
Kathryn: I think that we’re all really excited about the opportunity to participate in some sort of new paradigm for verifying identity. We’d be happy to participate in building it if the government wanted to let us.
Frank: That’s true.
Kathryn: Tell us where to start and where to sign and we’re there so hopefully this is just the beginning of a much deeper dialogue.
Frank: Awesome, well there you heard it folks. Kathryn thank you so much, we’re delighted to be your partner and congratulations on the continued success in the business.
Kathryn: Thanks so much for having me.
Frank: Alright, thank you.