Fraud prevention examples from along Incognia's journey [Podcast]

This blogpost contains a summary of what was discussed in the an episode of the Peak IDV podcast. You can listen to the whole episode below (reposted on the Trust & Safety Mavericks podcast) and subscribe to the Peak IDV podcast on the show's website.

Understanding Incognia's Mission

The host, Steve Craig of Peak IDV, introduces the topic and his guest, André Ferraz, co-founder and CEO of Incognia. Steve Craig also introduces himself as the host of the Peak IDV executive series video podcast, where he speaks with industry leaders and founders in the digital identity space.

The first part of the discussion revolves around Incognia's mission and the problems it aims to solve. 

André Ferraz,  provides an overview of Incognia. He explains that Incognia specializes in tamper-resistant location and device intelligence to combat fraud. André points out three key issues in the industry that Incognia seeks to address:

• Changes in operating systems and browsers impacting data collection;

• Fraudsters attempting to clean devices and generate new IDs;

• The inability to draw connections between multiple devices and accounts used by organized fraud rings.

André shares that Incognia's journey began with the aim of building a fraud prevention solution leveraging advanced location technology. However, when Incognia’s development started, the market wasn’t ready for such a solution. The founders initially monetized their location technology in ad tech. Still, they always had the intention of returning to the idea of a fraud prevention solution. The onset of the pandemic and the increased reliance on digital channels during that time made it clear that the market was finally ready for their product.

Brazil's Influence on Global Fraud Prevention

In this section of the webinar, Steve and André delve into André's personal journey as an entrepreneur based in Brazil and discuss the unique challenges and opportunities it presented. They explored how André's experiences in Brazil have influenced the development of Incognia as a global brand in the fraud prevention space. Here's a recap:

Steve acknowledges the intriguing model of global companies emerging in the fraud prevention space and expresses his interest in learning more about Incognia. He begins by exploring André's personal story, highlighting André's history of founding companies in Brazil and creating a global presence for Incognia.

André shares insights into the entrepreneurial ecosystem in Israel, drawing parallels to Brazil's potential in the field of fraud prevention. He points out that Israel's constant exposure to threats and conflicts has led to the emergence of world-class cybersecurity companies, which quickly expand globally. André believes that Brazil has similar potential in the fraud prevention domain, given its unique challenges, such as complex regulations, ineffective prosecution of online fraudsters, and a fast, nationwide adoption of real-time payments systems like Pix.

He explains that real-time payments in Brazil create additional incentives for fraudsters, making the country a prime target for organized crime in the digital space. André notes that Brazilian financial institutions have had to adopt advanced fraud prevention solutions to combat these threats, providing valuable insights that Incognia can share with customers in the United States and other regions.

Steve appreciates André's point about leapfrogging in technology adoption and highlights the importance of learning from different regions' experiences. He discusses how some countries have embraced new technologies and payment methods more rapidly than others, resulting in varied fraud landscapes.

André emphasizes the value of learning from Brazil's experience in combating fraud, particularly in real-time payment environments, and applying this knowledge to help customers upgrade their fraud defenses more effectively. He hints at the global impact Incognia has achieved by leveraging insights from Brazil's challenging fraud landscape.

Creative Fraud Schemes and Incognia's Solutions

In this section, André Ferraz discusses some of the innovative and creative fraud schemes that Incognia has encountered. He highlights two specific cases and how Incognia's solutions have helped address these challenges:

1. Food Delivery Scam

André describes a sophisticated fraud scheme that targeted a food delivery platform. Fraudsters infiltrated the accounts of drivers on the platform and engaged in a form of social engineering. They would pick up a customer's food order and then cancel the order through the app. The customer received a notification about the cancellation and a refund. However, when the driver arrived with the food, they claimed it was a bug and asked the customer to pay on a tampered point-of-sale (POS) device, with the actual charge being significantly higher than the order cost. André was impressed by the effectiveness of this social engineering attack, which successfully deceived many consumers. Incognia addressed this issue by identifying and preventing account sharing among drivers and improving user verification processes.

2. Social Media Chat Bot Attack

André discusses another attack involving social media and chat bots. Fraudsters created fake social media accounts resembling a bank's official page and used chatbots to interact with users. The chat bots would initiate conversations, gain the user's trust, and eventually ask if the user recognized a suspicious transaction. When users responded, a real person took over the conversation and convinced the user to share their one-time password (OTP) sent to their email, allowing the fraudsters to take over their bank accounts. André explains that this attack was scalable and used automation to target a large number of users simultaneously.

He emphasizes that Incognia had encountered and successfully addressed these types of attacks in Brazil before they surfaced in the United States. This early experience allowed Incognia to provide effective fraud prevention solutions to its American customers.

Future Initiatives and Endeavor Involvement

In this part of the webinar, André Ferraz discusses Incognia's future initiatives and his involvement with the organization Endeavor:

1. Future Initiatives

André highlights Incognia's plans for the future. One key focus is expanding into additional verticals beyond banking. While they initially started with banking customers, Incognia's flexible product has found applications in various industries, including marketplaces, gig economy platforms, food delivery, vacation rental, social media, gaming, and entertainment streaming. André mentions that Incognia is open to exploring new channels and types of devices, such as smart TVs. The goal is to adapt their product to meet the specific needs of each industry. Additionally, they are considering adding more signals and layers of data to enhance their fraud prevention capabilities.

2. Partnerships

André emphasizes that Incognia also collaborates with other companies in areas like document verification and selfie verification. While Incognia focuses on account security and does not plan to delve into these specific areas, they are open to partnering with existing players who specialize in these fields. This approach allows Incognia to maintain a privacy-centric stance and minimize the risk of sensitive user information being exposed through a data breach. 

3. Involvement with Endeavor

André discusses his involvement with Endeavor, an organization that fosters entrepreneurship and economic empowerment. He mentions that Endeavor has a global network of entrepreneurs and mentors. André himself serves as both a mentor and a mentee, benefiting from interactions with entrepreneurs and experienced mentors. He highlights the rewarding experience of being part of a community that helps entrepreneurs build their businesses and connect with mentors from around the world.

Podcast Transcript

Steve Craig: Welcome to the Peak IDV executive series video podcast, where I speak with executives, leaders, founders, and change makers in the digital identity space. I'm your host, Steve Craig, founder and Chief Enablement Officer at Peak IDV.

Andre Ferraz: Thank you. Pleasure to be here.

Steve Craig: Absolutely. Let's dive in. I've personally worked in mobile application and SDK development, and I must admit with what I know about Incognia, you've got one of the most interesting companies that's emerged in the past few years. Can you talk a little bit more about the problems that you're solving at Incognia?

Andre Ferraz: One of the key issues we find in the industry is that pretty much everything that has to do with fraud prevention has a device fingerprinting component to it. We identified that there were a few issues arising. The first one is that recently we saw a lot of changes to the operating systems and browsers in terms of limitations around data collection for privacy purposes, hurting solutions relying on device fingerprinting. The other two issues involve fraudsters trying to clean their devices, making it look like a new device, and the inability of existing solutions to find connections between multiple devices used by fraud rings.

Steve Craig: The shift from large device manufacturers and the lockdown on privacy created opportunities for fraudsters to exploit features meant for good consumers. Did your history in ad tech connect to the Incognia problem space?

Andre Ferraz: Actually, it was the other way around. Initially, we wanted to build the same product we're working on today, but the market wasn't ready for it a decade ago. We decided to monetize our location technology with ad tech. We always wanted to build a fraud prevention solution, and when the timing was right, we launched Incognia.

Steve Craig: It's as if the onset of the pandemic and the sudden shift to people not working in offices and the emergence of digital nomads, you saw these shifts. Fraud exploded during that time as everyone moved into the digital channel. Did you see that black swan event and go, "Hey, this is starting to ramp up. Maybe we can take that technology and apply it." Is that what was the compelling event?

Andre Ferraz: Yes, exactly. We started developing the product in March 2020. Once we saw lockdowns and everything, we thought, "Now it looks like the right moment for a product like this." So we began building it back then and launched it in September 2020. It was finally the right time.

Steve Craig: Yeah. With all the food delivery and essential services, people weren't leaving their houses, so you really needed to rely on those frontline marketplaces to continue doing business.

Steve Craig: It's been out three years, so that was 2020. We're coming up on September 2023. Can you describe a little more how your product works today? What's the state of the art with integration experience and do end users interact with your technology?

Andre Ferraz: We started with the concept of device fingerprinting and added a location layer on top. Over the past 10 years, we developed a location technology that's more accurate than GPS, using signals like WiFi and Bluetooth. We combine this with device fingerprints to create a more stable fingerprint, detect device resets, and find connections between multiple devices used by fraud rings. Additionally, we use location to streamline the onboarding process, authentication, and prevent fraud across various industries.

Steve Craig: Do you require permission for accessing device GPS, and can your features work if users deny location access?

Andre Ferraz: For device fingerprinting, we don't need permission, and we capture the data we need. However, for location, we do require user opt-in. Users are willing to share this data when they understand it's used for fraud prevention.

Steve Craig: Looking at your case studies, where do you see the most value you're creating? Is it in onboarding, authentication, account recovery, or elsewhere?

Andre Ferraz: We create value across the board. Our flexible solution benefits onboarding, reducing manual refills and streamlining the process. We also help authenticate users, prevent account takeovers, and improve the authentication experience by eliminating passwords and OTPs. We address fraud use cases, such as payment fraud, coupon and refund abuse, across various industries, and have specific solutions for industry-specific challenges.

Steve Craig: Yeah, it was great. You mentioned something about multi-factor and one-time passwords. Anyone watching this series knows not to use SMS-based authentication; it's subject to fraud attacks. On your LinkedIn, you talk about being a pioneer around zero-factor authentication, where we're always adding factors like an authenticator code and password lists on the device. What does zero factor mean to you, and how has Incognia continued to pioneer this capability.

Andre Ferraz: The idea is that, by analyzing data, some signals and data elements can help determine if the user is who they say they are without asking for any credentials. Three important data points for this are the device, network, and location. The first data point is the device itself, ensuring the device fingerprinting is strong and resilient. The second is analyzing the network, checking if it's trustworthy or suspicious. The most important is location, as most logins occur from places the user frequents, making it likely they are the correct user. This way, we can authenticate the user without asking for a password or MFA.

Steve Craig: On the first point about seeing the device, does that imply your platform is almost consortium-powered, where every client you bring on expands the footprint of the devices you see, or is it only within each client's ecosystem?

Andre Ferraz: Yes, it's a consortium. Currently, we have about 200 million devices in our network, and it's expanding quickly.

Steve Craig: Powerful. You may have a first-time customer, but if they've been seen and flagged as good with a peer or a different type of business, that gives you a lot of intelligence right away.

Andre Ferraz: Yeah. Well, there are a lot of things going on. Overall, some of the attacks that I was most impressed about were two. One was in the food delivery space, where basically what was going on was they infiltrated a lot of accounts of drivers in a fully delivered platform. And basically what they did was they would go to the restaurant, pick up your order. And right after they picked up your order, they would cancel it. So you, as a consumer, would receive a notification on the app saying like, Hey, your order was canceled. Here's your money back, et cetera, et cetera.

But then the driver would show up at your home with the food and the receipt. And they would say, Oh, I'm sorry. There was a bug on the app. You got a refund. But the payment didn't go through. So I need you to pay here on this POS, and the POS was tampered with. When they typed like $50, it was actually like, in practice, $5,000. So you would swipe your credit card, and they just took $5,000 from you. I was really impressed because it was very hard for a consumer to tell what was going on because it was a very credible type of social engineering tech. Usually, social engineering techs are one in 10, one in 100. In this case, it was almost like 10 out of 10 that were falling for it.

So I was really impressed by this one. It was also challenging because the payment was happening outside of the platform. So the short delivery company didn't have any visibility on what was going on. It has become a massive problem for that company. Fortunately, we were able to partner and enable them to reduce that. Basically, we did it by using our identifiers to prevent the drivers from sharing their accounts with someone else because we would see someone else accessing this account on another occasion, it might not be the same person from a different device, etc. So that was one.

The other was preventing new fake accounts from being created. So we used our solution to verify the user address and link that to the ID process, etc. And also identify if multiple accounts were being created either from the same device or from the same location with multiple devices. With that, we were able to stop that problem. But if we didn't do that, probably this would have much bigger consequences for that company. So that was one. And the second was an interesting attack, also a social engineering attack in which was the first time I saw chat bots being used at scale.

Basically, the attack was if you followed it, it was on a bank, if you followed that bank's page on social media, another page would follow you back. That page was very similar to the original, with some differences in the characters and the image, but it was controlled by a fraudster, and that account was managed by a bot, which would start interacting with you, asking for basic things like, "Oh, can you give us feedback on our service? How do you like our content," etc.

At some point, that bot would then send you a message like, "Do you recognize this transaction? We found it suspicious." And that immediately puts the consumer in a place of vulnerability. "Oh my God, someone is trying to do something wrong here with my credit card," and then immediately the user would react, "No, it wasn't me," etc. And then at that point, the bot was out, and then a real person would play in. So yeah, and another impressive and very creative attack that we've seen.

And after seeing that, it goes back to my previous point. We saw this more than two years ago in Brazil. And recently we started seeing this in the U.S., like six, nine months ago. So when we saw this here with FinTech, we were like, "Okay, we already solved that problem for someone else. That's fine.”

Steve Craig: These scenarios you mentioned multi-accounting or account sharing, renting accounts. I've seen forums where people are not eligible to work in the country, but they want to rent an account so they can make some money, and it seems benign, but then fraudsters see that. I know I can rent this account and I can do this scam that you just described. And then what a lot of people don't realize, I think, in the mainstream is just how powerful these ChatGPT-like services are getting where a fraudster, a criminal ring, maybe it's a rogue nation state putting these things together, that can now communicate with tens of thousands of people at once.

And then it just takes out that one hook. And then here comes the live fraud agent to close the deal. And it's pretty scary because there's not a lot to deflect against those attacks. It's exciting that Incognia has technology to be able to do that. As the industry evolves and as Incognia grows, what are some of the key initiatives that you see for your platform that you can share in a public forum? In the next year what are you solving for?

Andre Ferraz: We continue to expand into additional verticals. We started with banking. Now we have customers across industries, like marketplaces, gig economy, platforms, food delivery, vacation rental, but also customers in the social media space and gaming space and entertainment, streaming, et cetera.

We're seeing that the product is very flexible and we continue to explore new verticals. So, that's one thing. Obviously for each of these verticals, you need to adapt your product in some way to their specific needs. So for example, in the streaming space, we're being asked to start building a solution for smart TVs.

And that's something we haven't thought about in the past, but we're going to start building this. So I see the product evolving in two different vectors. One is on new channels, right? Our solution started as mobile only, it was only for like native mobile applications. We expanded to the web. So now we have a solution that works for websites as well. Now we're building this smart TV product and we're seeing, for example, cars that are being unlocked using a mobile app. So that might be another step. Growing into new channels, new types of devices is one big area for us. The other is around new signals, right?

We started with location only, then we expanded to location plus device fingerprint. Then we started adding some capabilities around analyzing the user's behavior, like transaction behavior and board depth. Adding more signals, adding more layers of data is also going to be an important part of how our product evolves.

I think an important part is also determining what are the things that you're not going to do. We don't plan to get into anything related to document verification or biometrics or things like that. I see us being more of a behind the scenes type of solution that doesn’t interfere with the user experience or doesn't have any user interface, but we coexist and partner and integrate with these other solutions, for example. Those are the three key areas that I see our products evolving toward.

Steve Craig: I definitely see the smart TV play. All my TVs are smart TVs and I've got the Fire Stick to plug in there. This Internet of Things vision is coming together, like the refrigerators and the ovens and the cars, everything's all connected.

How do you assert the identity and ownership of a device, especially when that device might get AI in it and it's your AI-powered fridge that's ordering eggs for you? Like someone could hack that and suddenly you have fraud scenarios. It's really crazy where the world is going.

When you mentioned that you don't have a plan to really go down the IDV, the document stack, and other things, would you say your model includes both direct implementations and then you do partnerships with companies that sort of sit in their stack?

Andre Ferraz: Yeah, we do have partnerships with a couple of companies in the document verification and selfie space, for example.Given that's an area that we have decided not to get into, that's an area we are happy to partner with existing players. And the reason why we're not doing that is, if you think about the data that we capture, we capture quite sensitive information about consumers. We're talking about location data and device information, et cetera, so, this is more of a long-term strategy.

Given my background in security, the thing I believe in is that a data breach is a matter of time. It doesn't matter how good you are in security. It doesn't matter how good your technology is. At some point, someone will be able to find a crack, and get into it. As we've seen, all of the credit reporting agencies, for example, had data breaches, many of the payment companies, banks, telecoms.

They have capable people, they have very good teams. But at some point you'll be a target. And so what we decided to do was given, we have this data and it's sensitive, we don't want to know who's the person behind that device. We don't know or want to know their name, their phone number, their email address, anything like that, in case there is a breach and we have our data out there.

We don't want to be responsible for revealing the locations of these individuals, right? If we separate that and the only party that knows who that person is our customer, the app that is using us, but we don't know, we don't have that data, I think we create a much safer environment for consumers and for our customers. So that's why we're not getting into IDV.

Steve Craig: Yeah, it's a very smart way to do it, keeping that firewall and also making sure it's not just safe, but you're being very privacy-centric for the consumers. Well, Audre, we're almost at time. And if you've seen this podcast or those that are watching now, I like to go a little bit deeper than just the profile to learn about passion projects and what drives you.

I saw that you're involved with an organization called Endeavor, where you provide mentorship around entrepreneurship, and it has economic empowerment aspects to it. Can you share more about that and like the other things that you work on besides Incognia? Yeah, sure.

Andre Ferraz: Endeavor is a fantastic organization with a global network of entrepreneurs and mentors. I'm involved as both a mentor and a mentee. It's rewarding to connect experienced mentors with entrepreneurs in regions that lack VC activity, fostering learning and growth. Besides Incognia, I'm interested in conversations about evolving fraud attacks and how account security can mitigate them. Feel free to reach out if you're willing to share and discuss these topics.

Steve Craig: Yeah, that cycle is, you learn things, so you can share it. But then as your business scales and grows, like you run into new challenges and then you have that network. So that's a great organization to be involved in. Well, we're at time. Thank you so much for being on the podcast. For the audience that's watching or listening, what types of conversations would you like to have? Or would you like them to reach out to Incognia directly? What are you looking for from a market standpoint?

Andre Ferraz: Well, on my end, I'd say that the most interesting conversations are, for me, when I learn about a new attack. I'm always super curious to know what's going on with companies in different spaces. Because what's interesting is that when you analyze the attacks, usually pretty much everything boils down to account security. If you can ensure that all of the accounts in your platform are legit, like people aren't able to create fake accounts, or take over existing accounts from legitimate customers, you can get rid of most fraud-related problems. So, I'm always curious to learn about the attacks and the specific consequences of each attack in each industry and try to connect it to these underlying issues related to account security. So, I'd say that's certainly the topic I'm most interested in, and if anyone in any industry is willing to share and chat more about it, I'll be happy to.

Steve Craig: Excellent. Excellent. I'll include some contact details in this episode, like your LinkedIn profile. I highly recommend anyone who's watching and listening, follow Andrei on LinkedIn. He posts really good content about these fraud attacks and what's happening in the market. Again, Andre, thank you so much for being here.

Andre Ferraz: Thank you. I really enjoyed this conversation. I think we could spend another hour just talking about fraud attacks. It's really fascinating, but thank you for the time. All right. Thank you. It's a pleasure to be here.