In our endeavor to find “Most Influential Business Leaders in Cyber Security, 2022”, we crossed our paths with Ari Jacoby, the Founder and CEO of Deduce. We got into conversation with Ari to learn more about how he and his team at Deduce are protecting businesses and their consumers from identity fraud threats while simultaneously creating more secure, frictionless experiences.
Below are the highlights of the interview:
How do ATO attacks work?
Account takeover (ATO) attacks take place when fraudsters gain access to a victim’s account and leverage that access in order to steal funds, information, rewards/perks, make purchases, or leverage application functionality for other forms of intended gain.
It is an unfortunate condition that a plethora of static identity data has already been breached due to massive historical attacks, and the availability of such data on the dark web continues to flourish. This static identity data extends beyond credentials, often linking static credentials with digital fingerprints.
These readily available attributes enable an adversary to extend techniques beyond credential validation attacks, leveraging fracture points such as account recovery processes or access to an individual’s email account to successfully complete their attacks.
As more complete data attributes about an individual become available and linked over time, this results in decreased complexity and cost required to successfully execute ATO and makes this form of fraud more attractive to bad actors.
Modern techniques by attackers undermine the intended goals of friction. If identity and authentication controls predominantly rely on static data to prevent ATO, an organization is at a longer-term disadvantage.
How does the Deduce solution address this ATO risk?
Deduce has created the Deduce Identity Network, a consortium of over 150,000+ participating websites and apps with the objective of sourcing the maximum amount of real-time activity data for a given user as they traverse the internet. Its intent is to specifically rival the visibility and scale only previously seen at internet giants and to commercialize an offering for risk teams.
With over 450M unique identity profiles and collectively generating in excess of 1.4B daily interactions, Deduce sees the majority of the U.S. population transact in real-time, several times a week — based on four principal threat vectors: device, network, geography, and activity.
Built on top of the Deduce Identity Network, Deduce offers two solutions to combat ATO fraud:
- Identity Insights — Risk & Trust signal data to empower risk teams with a dev-ops friendly approach to managing identity/authentication risk.
The data includes telemetry from real-time activity information packaged into risk signals (Impossible Travel, Device Downgrade, Unfamiliar Device, Previously Unseen Email, etc.), trust signals (Familiar Network, Familiar Device, Familiar City, Familiar Activity, etc.), or scores for simple ingestion into a risk engine.
The Deduce Identity Insights solution is intended to be used as a high fidelity approach to identifying suspicious activity while decreasing unnecessary friction.
Deployed as an API, Insights is consumable in any risk engine, CIAM, or application stack. Deduce is typically consumed at registration, authentication, checkout, and risk moments such as change of primary contact (email, phone).
- Customer Alerts — Deduce sends an Alert — typically a first-party branded email, asynchronously, on behalf of the Deduce customer — to their end-users on suspicious logins to enable a proactive stance against ATO. Customers are prompted to confirm or deny the activity. A negative selection will cause all active sessions to be terminated and proactively enable a user to reset their credentials.
How does your team keep track of aggregate historical data to support your solution?
Deduce’s system is designed to correlate event-level telemetry data, augmentative data sources, and first-party feedback data, to create hundreds of data features on a data-driven platform. We derive these insights by deploying code directly to user touchpoints across the web while aggregating information in a secure, encrypted, and privacy-compliant environment.
Historical features used in our model provide predictive analytics on user behavior based on access patterns — devices users leverage, geographies they sign in from, networks they frequent, security preferences (privacy-conscious individuals typically leveraging VPN, for instance), and activity across the web. This visibility facilitates dynamic, real-time responses to human behavior while stopping fraudsters and bad actors in their tracks.
For instance:
- If a user is seen successfully authenticating at dozens of websites from a new city in the last day, it can be inferred that the user is traveling. Deduce’s system reference against successful ATO (from its first-party Alerts and from network behavior) before providing this insight to the enterprise.
- If a given IP that has been shown (and confirmed by third-party sources) to be a benign residential IP node suddenly sees a spike in high-authentication failure rate paired with many new attempted usernames, it can be inferred that there is malicious activity (typically indicative of compromised node).
Deduce recognizes that risk data is continuously evolving and maintains a rich solution that provides user metadata, trust and risk signals, and scoring, providing never-seen-before data and explainability to security/fraud forensics teams.
Powering a long list of use cases, Deduce’s customers use this technology to solve an array of cybersecurity problems, such as: verifying that the user behind the screen is really who they claim to be, optimizing user experiences by removing authentication friction, or stopping fraudsters at authentication.
Tell us more about how intelligence is used to power your processing algorithms?
Deduce’s greatest strength is the ability to correlate device, network and geographical information against a particular account to build predictive telemetry about the expected behavior of an individual. Using a combination of statistical, unsupervised, and supervised machine learning models, this allows us to understand the specific characteristics of specific actors and imposters over hundreds of data features in the digital world.
For example:
- Statistical data features establish baseline behaviors across the dimensions of activity, network, geography, and device, in the context of individual activity. This creates a basic understanding of a particular user’s behavior.
- Unsupervised machine learning models observe user activity in real-time, continuously determining trust and risk factors to facilitate immediate cybersecurity responses to quickly evolving threats.
- Supervised machine learning models augment Deduce’s understanding of particular fraud profiles, blending fraud feedback data with observances across the network, to surface specific threat actors.
Using a fully horizontally and vertically scalable deployment model, Deduce is able to process billions of transactions daily while maintaining blazing-fast response times across its cloud infrastructure.
Do you have any predictions about emerging cyber threats to business infrastructure?
Identity fraud doubled from 2019 to 2020, with the number of data breaches reaching an all-time high in 2021 – and those numbers are just going to get worse in 2022 as more people browse, transact, and share information online than ever before.
As fraudsters have become increasingly sophisticated and strategic, outdated approaches and implementations requiring months of planning and implementation no longer work – increasingly, the most effective anti-fraud tools are those that support agile deployment in hours and that can be adapted quickly to address the constantly changing threat landscape.
It is imperative that we all band together to form a collective defense against online adversaries, and leverage systems designed with knowledge-share in mind to defeat attackers as they evolve. Deduce believes that real-time, dynamically networked data, with the largest possible activity consortium, will provide more robust, longer-lived defenses against bad actors.
