The Voice of Cyber®

KBKAST
Episode 259 Deep Dive: Dima Postnikov | Why Digital ID is Changing How We Think About Fraud Prevention and Defence
First Aired: May 31, 2024

In this episode, we sat down with Dima Postnikov (Head of Identity Strategy and Architecture – ConnectID) as we explore the challenges and potential of digital identity technologies in Australia. From fraud prevention to data privacy, Dima discusses the complexities and opportunities in the evolving landscape of digital identities, shedding light on the importance of trust, security, and consumer education.

Dima is an identity industry leader 20+ years of experience who is influential in the advancement of digital identity ecosystems globally.

Dima has a passion for digital identity, open banking and trust ecosystem design, having spent the last 10+ years focused on architecture, design and implementation of the technology platforms that underpin online systems of Commonwealth Bank of Australia (CBA), Westpac and Australian Securities Exchange (ASX).

Dima has significant technical experience in developing customer identity solutions in the areas of identity proofing, authentication, authorisation, application and API security, Digital identity, Open Banking.

As an active member of standard and industry organisations globally, Dima has been heavily involved with OpenID Foundation, IDPro, Trust Over IP, FIDO, Kantara and Open Wallet Foundation and ISO.

Help Us Improve

Please take two minutes to write a quick and honest review on your perception of KBKast, and what value it brings to you professionally. The button below will open a new tab, and allow you to add your thoughts to either (or both!) of the two podcast review aggregators, Apple Podcasts or Podchaser.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Dima Postnikov [00:00:00]:
Think the biggest message to all information technology and cybersecurity professionals is really look at the data you deal with. Why do you need certain data? Why do you need to store it? Try to minimize the data that you are storing within your systems. Try to share that and try to understand how much you can put trust in the data. So if we can minimize the data flowing around the economy, and I think all of us can do our path, it will be significant improvement in, everyone’s cybersecurity posture.

Karissa Breen [00:00:48]:
Joining me today is Dima Postnikov, head of identity strategy and architecture from Connect ID. And today, we’re discussing why digital ID is changing and how we can think about fraud prevention and defense. So, Dima, thanks for joining and welcome.

Dima Postnikov [00:01:06]:
Thanks for having me.

Karissa Breen [00:01:07]:
So, okay, let’s start perhaps maybe with your view of digital ID. So just so that everyone is listening, we’re on the same page, tell me everything. What’s in your mind? What comes up first?

Dima Postnikov [00:01:18]:
So, digital identity is a very large domain space. It’s an umbrella term for technology domain that deals with many things like identification, authentication, authorization. This does include multiple types of identities as well. Citizen identity, custom identity, organizational identity, employee identity, and even machine identity. These type of identity, they look the same and they look different at the same time. Where we focus most of our time is within reusable digital identity space, mainly within the sport within the citizen and consumer domain.

Karissa Breen [00:01:54]:
So you said they look the same, but are different. What do you what do you mean by that?

Dima Postnikov [00:01:57]:
There are different concerns that, need to be taken care of. For example, if you’re trying to employ a person, the organization typically owns that digital identity and can terminate it real time. With the citizen and consumer identity, it’s, much more owned by the citizen and consumer themselves. One of the examples. So the different approaches.

Karissa Breen [00:02:18]:
Sure. Thanks for clarifying that. Now I have an interesting question because, you know, if I read sort of content online or in the comments on social media, etcetera, people, and when I say people, I mean just, you know, the general population, seem a bit rattled by digital IDs. So where do you think this sort of stems from?

Dima Postnikov [00:02:35]:
A lot of concerns with digital identity come from misunderstanding and the fact that it’s it’s in relatively new technology. What’s important for me to I think it’s important for us as cybersecurity and identity professionals to educate people around us to, show the benefits of each store identity. But it’s also very important to understand where we come from. If you look at some examples how we with digital with identity related things or identity related processes right now, it’s very often, it’s a horrible, cumbersome, inconvenient process that has a lot of privacy issues. If you look side by side at 2 different processes where you’re trying to prove your identity with paper at the moment, and you’re trying to prove your identity using true digital identity ecosystem. The difference is amazing. And the difference will convince most of the people that it’s the right way to go. People will have more transparency, will have more control over where their data is being shared, why, and how.

Karissa Breen [00:03:37]:
So do you think when you said people don’t really understand it, is that the part that people don’t understand? Do you think that people feel a bit vulnerable that you’re saying that people do have more control? Walk me through how people have more control now with the digital identity, let’s say, historical identity.

Dima Postnikov [00:03:53]:
Well, it’s about transparency. Right now, if you walk into let’s say, you’re trying to check-in at the hotel. You need to present your paperwork. You probably produce your passport or get your driver’s license. A big photocopy of your driver’s license will be taken, and then you lost that data forever. It sits down in my whole perimeter secure location, in a physical location or in a digital secure store storage, but you don’t have any visibility where it is, how it’s used, and what’s happening with it. With the digital identity ecosystem that are being built right now, globally, you have more much more control and much more transparency. You’re able to see where you shared your data in the past.

Dima Postnikov [00:04:33]:
You’re able to see why you shared it and what specific elements of data have been shared apart from the general data mini organization. Because in digital identity ecosystems, you don’t have to share your document, at least not as much.

Karissa Breen [00:04:46]:
And do you think it’s going to now because, like you’re sort of saying, we’re traversing a digital ID. You can be able to tell where you’ve shared it, who, etcetera. What about for the, you know, the old school, you know, identity, if you look at it like that, for example. How’s that sort of gonna go? Are people going to know, like, where things being shared? Is it gonna be hard now to sort of, you know, get that back in terms of having the control, or what does that look like?

Dima Postnikov [00:05:10]:
It’s probably hard to take control over things that already happen outside of digital identity, ecosystems. But what we can do is we can reduce the going forward, we can reduce the reliance on the document, for example. So there have been massive data breaches in Australia where a lot of your document data has been shared. And to date, a lot of companies are relying on determining that you are who you say you are based on the document that you provide them. And if someone has your document, a lot of times they can impersonate you. So there is nothing we can do to deal with the documents that have been leaked and already out there. But what we can do is digital identity theft and so I aim to move the needle to reduce the reliance on those documents. So instead of relying on that document, you might be using bank rate authentication to authenticate that person, on the way into your system.

Karissa Breen [00:06:06]:
And so just going back to the everyday Australian or or people in general, is it because this is just new and foreign to them perhaps? So, obviously, there needs to be that adoption there towards digital IDs similar to the the Internet when that came out in the nineties, for example. Is it just gonna take a little bit of time? And then if so, like, how much time do you think this will take for before people feel a bit more comfortable with this new way of operating?

Dima Postnikov [00:06:29]:
Like with any new technologies, there are people that can could jump on it immediately, and there are people that will be sitting and waiting for a wider adoption. And majority of the people will be somewhere in the middle, in my view. The reality from a consumer perspective, where I see the major the biggest shift, will happen where a large or a number of large, reliant parties or the number of large organizations will start using digital identity in their processes, and people will see the difference. If I have to prove my identity and it’s actually quite interesting. Right now, when we work with some of our merchants, which we call the line party, we sometimes map out their existing journey, identity proofing journeys, and we map out the new journey using, for example, connect ID, reusable identity. It’s a massive difference in convenience, security, and privacy. And if customers have experience both, my assumption is that they will use a simpler and more secure option, which is reusable digital identity where it’s available. And they will be asking their merchants and the organizations that they work with whether reusable digital identity is available.

Dima Postnikov [00:07:40]:
Some of the basic concepts, not necessarily in in a high assurance way, have been familiar to consumer market for a long time. You log in to different sites using your login with Google, using your Google account, using your Facebook account. These are the low assurance examples of digital identity. But consumers are already used to that, and that gives them ability not to create an additional path with an additional account with different ecosystems and with different organizations. People already use it. What we think to provide here at Connect ID is to give a high assurance bank rate authentication option for usable digital ID.

Karissa Breen [00:08:20]:
Okay. So you just made a comment there around high assurance. Talk to me a little bit more about that. What does high assurance look like?

Dima Postnikov [00:08:26]:
Connected ID is an ecosystem that, brings trusted identity provider that people already have relationship with. For example, it could be a government. It could be a bank. And we started off with, largest Australian banks. Those banks have many other obligations in order to KYC their customer. So they need to implement certain processes to guarantee that you are who you say you are, and you’re entitled to do what you’re planning to do through this particular financial institution. So there are hundreds of people involved, in a large financial institution, trying to look at how how it’s best and the most secure way to more secure and convenient way to authenticate the customer.

Karissa Breen [00:09:06]:
I want to press on that a little bit more. But before we do do that, perhaps, now from my understanding, there has been more of an increase towards adoption for digital IDs. Now I know if we talk we we spoke before around the consumer more broadly. That’s a little bit different, but maybe it’s more towards, to your point, financial institutions that are adopting this. Talk to me more a little bit about that, why that’s the case. Are we gonna see more rapid adoption as we sort of traverse into 2025 and beyond? What are your thoughts then on that front?

Dima Postnikov [00:09:36]:
We are doing more and more things online in general, going forward as consumers. And looking at the use cases that, we have privilege to to exploring right now with Connect ID, They’re not limited to financial institutions at all. In fact, the majority of the conversation that we’re having right now, they are in travel space, employment space, rent and purchase, of the property. And the interesting point there is if you look at the processes that a consumer has to do right now, where are those the most paper intensive? And what what are the processes that you are supplying? I mean, a lot of your personal documentation right now. So these are the processes where they’re the biggest the biggest value of using proper digital identity. And this is where the concentration will probably happen. This is where the biggest benefit, and the consumers will see it. Like I said earlier, as as long as you have ability to be hearing the old way and the new way, I believe it will be a no brainer for a lot of consumers to adopt each side in.

Karissa Breen [00:10:38]:
Okay. So let’s talk more about the fraud side of things. You mentioned that before with financial institutions. I myself used to work in a big full bank here in Australia in cybersecurity, and I used to look at the numbers in terms of fraud, scams, etcetera, that was reported monthly by cybercriminals, etcetera, doing the wrong thing. Those numbers were pretty high. That was probably about a decade ago, and it’s probably a lot of since then. Maybe talk me through that a little bit more. How are we gonna see a reduction then on in on the fraud side of things? Just do you wanna use financial institutions as an example to run with that?

Dima Postnikov [00:11:11]:
Yeah. Sure. If you look at the scams, landscape or fraud and scams landscape in general, a couple days ago, a triple c published a report that asserted that Australians lose $500,000,000 a year on average due to scam and fraud. And if you look at the types of scams that have been quoted in that report, some of them are related directly to identity. So there’s identity fraud category, which is quite large, portion of the scams. But a lot of the other ones, whether it’s investment scam, employment scam, phishing, false billing, a lot of them are related to identity in one way or another. What I believe, what we can do is well, first of all, there’s no silver bullet. There’s no solution in the market that can help to solve the problem 100%.

Dima Postnikov [00:11:57]:
But there are certain things we can certainly improve. If you are dealing with a financial for example, you get a call from a financial institution to authorize a certain transaction, If we can establish the authentic chain of trust, where you know that the phone call that you got indeed came from your bank and the person that’s calling you is authorized to do what they’re asking you to do. If the bank has the 100% assurance that, you are who you say you are, and what you’re trying to do, you authorize to do. We’re improving significantly the whole landscape that will definitely reduce some of those scams. Because a lot of those scams, link to someone impersonating either someone impersonating you or someone impersonating a product or someone impersonating a company. So what digital identity ecosystem tend to work on is trying to create the authentic relationships, ultimately achieving the high level of trust. Once again, there is no silver bullet, and a lot of a lot of guests on your podcast, they provide a piece of a puzzle that helps organizations and consumers to solve some of those fraud and, I think, the challenges, but it’s just a piece of the puzzle. And we see ourselves connect.

Dima Postnikov [00:13:11]:
I do see the self as a piece of a part as a key piece of a puzzle to solve the identity related.

Karissa Breen [00:13:18]:
So, Dimi, you’ve probably seen online in in the news, etcetera, about let’s go with the I think there was a couple in Melbourne. They I don’t know, got a message from Big Four Bank and so and so and so. They ended up transferring their entire life savings. I think it was, you know, just shy of a 100 k. And then they sort of turned around and was like, it was the bank’s fault. Now look. I get it from a consumer perspective. They made a mistake, but then it’s like, well, hang on a second.

Karissa Breen [00:13:43]:
You will, as in you, the consumer, willingly transferred the money. Now it’s very different if, oh, I wake up one day and I’ve got a $100,000 sold in my account or something like that. But when you’ve willingly transferred it because they were tricked into thinking it was x bank, how does that sort of sit in your mind? Because, again, I I go in both worlds. I look at every side, obviously, because I’m a I’m a journalist. But working in a bank myself, I’m I’m I’m looking at it going, well, you guys didn’t actually do the appropriate steps. You just willingly transferred it. Now it shouldn’t really be on the bank to be like, okay. We’re just gonna refund you the money.

Karissa Breen [00:14:20]:
If it was the other way around and someone had, you know, siphoned off all that money, I get it. But when it’s willingly transferred, that’s where I think this space gets really interesting. What are your thoughts on that?

Dima Postnikov [00:14:30]:
Unfortunately, these stories are quite common. And part of the reason is that right now, that these consumers, they don’t have tools that will allow them to understand that it’s it’s a bank calling them or it’s a legitimate party. If someone impersonated an investment company and convince them to send their money, there’s very little we can do, but at the same time, there are no tools available. So right now, telecommunications industry is working on improving the process of how we identify organizations that call us. Even cybersecurity professionals confuse very often when they get a phone call from ATO or someone else. It could be legit, or it could be a fraudulent. Sometimes, there are obvious signs, and sometimes, there are not. Even the people that are aware of those claims can’t determine for sure.

Dima Postnikov [00:15:19]:
But the regular population, normal people, they don’t have the tools. And I know, like I said, telecommunications industry working on on some initiatives in this space. Organizational identity is, one of the future trends in digital identity that will definitely be strong over the next few years, and that’s also partially trying to solve the problem. When you are contacting someone or being contacted by someone, how do you determine that they are truly represent a certain organization, and how do you trust that that organization is the one that you meant to talk to? So that’s organizational identity. It’s not there yet. The job of identity professionals and cybersecurity professionals is to provide more and more of those tools to consumers.

Karissa Breen [00:16:02]:
And, look, you are right in terms of they don’t have the tools. I get that. I just think that, you know, banks are running these awareness campaigns, etcetera, to say, like, you know, we’re never gonna contact you or if you if we do contact you for for whatever reason, call us back on the actual number so that there is and I know that sounds really rudimentary and really basic, but that does help. But then I’ve spoken to people on this show, and they’re like, maybe we just don’t make good technology. Maybe we’re failing as technologists because, you know, perhaps consumers don’t need to be as aware as what we’re we’re putting the onus then on that. Where does your sort of mindset on that front? Because, again, all I do is really ask the questions and come from a place of neutrality. So I’m curious then to see what’s your thoughts if you sort of apply that to sort of the the digital identity space.

Dima Postnikov [00:16:46]:
So there’s things that we can do in the technology space. If it involves system interactions, we can definitely resolve it. I agree it’s very hard to solve problems related to human psychology by using technology. How many stories have we heard about those organizations, like financial institutions, telling their customers that they’re more likely being scammed right now when they’re trying to do something, and customers have overridden and continued with their transaction. Ultimately, that’s their free will, and there is not much that can be done there. But at least if we can identify the obvious scenarios and give them tools, give them warnings where it’s possible. I know large financial institutions in Australia work on that as well. If we improve detection and warning system by 5%, it will save a lot of money, consumer.

Karissa Breen [00:17:34]:
Even by 5%. What what is that? Do you have any sort of numbers? Or

Dima Postnikov [00:17:37]:
All I’m trying to articulate here is that even a small improvement in each area will generate significant benefits across the industry. For example, if you look at, you know, the whole data breach problem, if you reduce amount of data you store, the less less chance you’re gonna be breached or less data will be impacted. If you reduce the amount of data you share own share to other organizations, once again, privacy will be improved control will be improved if the consumer is aware of it. And third parties will store less of your data as a result of digital identity. Overall, we’re improving each party’s interactions, each party’s system by 5 to 10%, small number, not an exact number. Overall, there’ll be a massive benefit to the industry and increasing trust, especially if we are starting to reduce the reliance on this data. So a lot of the data that’s being leaked is public right now. If we rely away from them data to identify you, this is where we’ll be the the biggest impact is.

Karissa Breen [00:18:37]:
So just on the privacy front, I interviewed a privacy professional probably about 2 weeks ago. And what he was sort of saying was, yes to your point, how we’re collecting it. I think they are trying to bring in more regulation around that, especially, for example, we spoke about retailers, number 1. So the collection of that, but then the second part is, like, sharing of that information, parties, etcetera. But is that gonna be hard now to sort of claw that back? Do you think, like, the genies that are out of the bottle? Because, like, who who potentially would know after after so many years with all this information, who has it been shared with? Because a lot of these terms and conditions are written in a way where it’s like they’re still stipulating what they’re gonna do with it without being super clear. And unless you’re a lawyer, which I am not, it’s very hard to decipher what these very small fine print t’s and c’s mean, which kind of means, hey. We’re just gonna share all your information with all these third parties as as we please. But then when you’re sort of backed up against the wall, what are you gonna do? You either have to sign it to to use the the system or, you know, procure whatever you what it’d be doing.

Karissa Breen [00:19:34]:
So sometimes you have no option. What are your thoughts then on that? How are we gonna claw some of this stuff back?

Dima Postnikov [00:19:40]:
We can’t claw a lot of this stuff back. The regulations can definitely help the industries and organizations in Australia to do the right thing with the better with the data that they previously collected. The best practices, industry best practices, and tools, and processes can definitely help with remediating part of it. But as I as I consume my personal opinion, a lot of this data is already gone, and we have to accept it. But what we can do is to make sure that it doesn’t really matter if someone knows my driver’s license number. It shouldn’t really matter for, shouldn’t be used for identity proofing purposes by anyone. If no one can impersonate me with their driver’s license number, it doesn’t matter if someone knows it. It’s probably not great, And in the future, it should not happen.

Dima Postnikov [00:20:30]:
But if it had happened, we should be removing the reliance of it.

Karissa Breen [00:20:34]:
And you’re saying we are getting to that point when we’re removing the reliance on it. And would you say you just mentioned before, we have to accept it. Do you think people are accepting it? Because and I asked that question because of all those major, you know, data breaches that have happened in the last 2 or so years, I don’t know whether people are becoming a little bit more desensitized. Like, oh, another breach. Like, who cares? My stuff’s already out there anyway. I’m hearing a little bit of that from everyday people who are not in cybersecurity. Are you afraid that people will become desensitized perhaps to their identity or not really?

Dima Postnikov [00:21:01]:
People definitely accept that the day data has gone. At the same time, people are scared because they know that someone can impersonate. And I think the the the big fear right now that’s sort of growing where people are realized that someone can impersonate them. And people are trying to be careful, trying to monitor. But a a lot of times, you wouldn’t even know right now if someone opens a bank account using your papers, your documents somewhere else, you don’t get notified. So there is also a fear at the same time. And this is why I think it’s important to focus on removing the reliance on those documents, whether the breaches will happen or not, whether the data will be cleaned up or not. And it it doesn’t really matter if people change their driver’s licenses and passports to make their old numbers invalid.

Dima Postnikov [00:21:46]:
Once again, we’re coming back to the point where digital identity ecosystem is more manual in direction of removing reliance on the document and the document data. You still have to do it with some of the institutions. Larger institutions have the right processes to deal with it, and that this is not the only thing that they’re relying on. But at the moment, the reality of the status quo in the industry is that we force the small companies to look at identity documents and try to determine where those identity documents are legit or not and rely on document data and use use additional services. For every company has every no matter how small or big they are, became a company that sort of specializes in identity proofing. And in general, in cybersecurity space, we know that it’s best to delegate this type of responsibility to professionals. And if we can isolate an island of crap that you proof yourself 3, 4 times to government, to big financial institution or small financial institution, but you do it once or twice. And then you can reuse your digital identity based on what you’ve done before with the rest of the industry.

Dima Postnikov [00:22:53]:
The rest of the industry doesn’t have to prove you a gain. They can still do some level of proofing, but they don’t have to go to the same level. And not everyone has to do everything themselves. Because that’s what it is right now. Everyone starts every organization that you deal with right now, they start from scratch, and they have to do everything themselves. And a lot of them are not equipped, which is why I’m a little bit worried about the small and medium sized companies that don’t have enough resources, don’t have enough skills to deal with it properly. And this is where ConnectID partially provides a solution because ConnectID is an network where that enables you to share your existing group identity with a smaller financial financial smaller organization.

Karissa Breen [00:23:33]:
So, Dima, with your experience, in your role at the moment, if you were to zoom out, what do you think is the, you know, the biggest problem in the in the identity space today that you see as of, like, we’re talking through this conversation?

Dima Postnikov [00:23:46]:
Biggest problem in the identity space is probably adoption time or speed to market. You’ve highlighted in our conversation just now, you’ve highlighted a lot of a lot of different problems. We’re just starting on our journey. And we’re starting on our journey. It takes time to get there. We have a lot of problems, like I mentioned before. We we have a lot of problems we have to solve in organizational identity. It will take time for the industry to get there.

Dima Postnikov [00:24:14]:
We need the solution now and it takes time to develop those solutions.

Karissa Breen [00:24:18]:
And going back to your point before around the reduction of 5%, do you think sometimes when people can see, hey. 5%, I’m saving 5%, that sort of buzz people on a little bit more to make faster decisions. Because at the end of the day, you’re a CFO. You’re not gonna want your organization losing money, like, 5% for a large company. You know, that that’s that’s still a significant amount of money. Do you think sometimes that’s what encourages companies to move and adopt a little bit more because if they’ve got a solution or there’s there’s a better way of doing something, which means they’re not losing as much money, therefore, they’re more willing to adopt faster. Would you say that’s the case?

Dima Postnikov [00:24:56]:
Positively. I I think I I had the other day, I was thinking about it. And I feel that digital identity is one of those areas where the problem doesn’t become a massive problem for organization. It is a big problem, but it’s not a massive problem. It’s kind of spreading between different parties. So it’s inconvenient for the customer. It’s probably not private. It’s inconvenient and not very privacy preserving, right, in the current processes.

Dima Postnikov [00:25:22]:
It’s inconvenient for the merchant or potentially the staff member that’s dealing with that particular customer. It’s inconvenient to them. But the problem is spread out between different participants. It’s not concentrated in one place to be visible enough a lot of times. And that’s potentially why it’s not clear for organizations that they have a massive problem and they have to deal with it now. If you look at overall landscape, how much each customer service if you if you if you make it a difficult process right now for a customer and don’t use, any of the modern tools, it might take an hour for a customer. Customer might complain, but customer, a lot of times, don’t have a doesn’t have a choice. If they try and to consume service a certain product, they will go through that process.

Dima Postnikov [00:26:04]:
They will complain, but they will forget about it as soon as they can. So it’s not necessarily visible to the organization how much of the problem it is for the customer, especially if customer doesn’t have a significant choice to go and walk away to another provider. When it becomes competitive advantage, the onboarding the onboarding processes, then privacy when privacy, will become a differentiator, I think that will change our industries forever.

Karissa Breen [00:26:31]:
Yes. And what are your thoughts then on privacy being a differentiator?

Dima Postnikov [00:26:35]:
I do believe that, companies that think about privacy as a differentiator, definitely position much better in the future. The privacy becomes embedded in their processes, and consumers will trust them much more than organizations that don’t care about the privacy.

Karissa Breen [00:26:51]:
Look. That’s a good point. The only other way per perhaps which was interesting to look at it that all these companies out there and I worked in large corporates. They’re all gonna say, we care. We care. But either their actions don’t represent that or there’s data breaches that happen. Now I know no one’s perfect. I get that.

Karissa Breen [00:27:07]:
However, more so, how genuine are they being? Is it virtue signaling? Like, oh, we care about your privacy. It’s very easy to have some marketing person stick that sort of cord up on their site somewhere, and then when a a privacy breach happens, they’re like, oh, well, we really care about it. It’s on our site. How can people be more genuine about it? Because, again, for me, it’s followed up with actions, not just words.

Dima Postnikov [00:27:28]:
Yeah. A lot of time, privacy can stand related items that’s sort of hidden in the Ts and Cs somewhere. And we know that consumers don’t read Ts and Cs, and not many organizations are able to present those T and Cs in a way that consumer can understand in the flow when they’re trying to make a certain transaction. Therefore, I do believe that it’s a it’s a long process for each organization to establish their trust. And if they can make it clear and visible to the customer what’s happening at any point in time, capture their consent, and consent has to be specific. And it should be a true choice for a customer to consent for certain type of transaction. Then it builds up trap.

Karissa Breen [00:28:10]:
So I wanna switch gears now and talk maybe a little bit more about, like, identity theft. So your view is that this will decrease. I’m really curious to hear your thoughts. Like, how will we see a reduction in this with the adoption towards digital identities?

Dima Postnikov [00:28:23]:
So identity theft is related to the crime is that where another entity or another person can impersonate you. At the moment, it’s possible to do it because we rely on the document. A lot of times, a lot of organization rely on you presenting the right documents to them. And sometimes it’s not even physical documents presenting themselves. It’s just the document’s metadata and document the card number, for example, for driver’s license. And the driver’s license with a proper name and a date of birth might prove to some organization that you are who you say you are. And that’s definitely not enough. We have to change that.

Dima Postnikov [00:28:59]:
And this is where the government potentially can help as well by clarifying what each organization needs to do in order to propagate anything. Because all document check all document check does at the moment is validates that this person doesn’t exist in a real world. It’s not a synthetic identity. It doesn’t It doesn’t prove that the person that’s presenting those documents or presenting this data to the organization is the same person. This is where it’s important to differentiate identity proofing that identity exists somewhere with differentiate from authentication. And this is where Connect ID potentially helped because we also coupled those together. So when an organization received an identity information from an identity provider within Connected Ecosystem, they get 2 things. They verify they get verified data from a trusted institution about the customer, but they also utilize they’re also able to utilize bank.

Dima Postnikov [00:29:56]:
If it’s a bank, as a financial as a as an identity provider, they’re also able to utilize authentication. So the person authenticates using the whole set of tools, the bank can implement to authenticate a person, and Reliant Party is able to use that. So they get additional assurance. So I think we forget a lot of plans. Identity theft is possible because we forget about authentication. We’re not checking who’s presenting those documents to you.

Karissa Breen [00:30:23]:
And would you say this problem has just sort of crept up on us as an industry over the years? And therefore, we’re trying to fix the problem we’re dealing with now is is a lot greater than what it used to be, like, back in the day. So do you think perhaps now people are working even harder to fix this problem? Because this problem’s, you know, gets out of control. It’s it’s not an easy one to fix immediately, but, also, the scalability of this problem is significant. So do you think people are aware of the the risks that are attached to this, or do you think that people are still, you know, figuring it out?

Dima Postnikov [00:30:56]:
Yeah. The recent breaches definitely, made everyone aware of the problem. And I think both organizations, we see it definitely now, managed and reliant party community that we’re talking to as a part of Connect. ID rollout. They definitely are aware of it, and they definitely are looking for better solutions. It did creep up in a way, and a lot of it was, sort of the final straw was some of those large data breaches when the large dataset became available, and the large dataset of document data became available. The problem existed always because the people relied on documents only, but the this document data was hard to get. And now suddenly, it’s not.

Dima Postnikov [00:31:35]:
So this is why we’re unrealized. Well, we got to the point where we cannot rely on those documents ever again.

Karissa Breen [00:31:41]:
So, Dima, in terms of people listening to this interview, what can people sort of take away, and what would you sort of encourage people to start thinking about? Maybe not implementing is, again, not an easy thing to do. But what would you what would you sort of advise, especially, you know, moving forward now with with your knowledge and your experience?

Dima Postnikov [00:32:00]:
I think the biggest message to all information technology and cybersecurity professionals is really look at the data you deal with. Like, why do you need certain data? Why do you need to store it? Try to minimize the data that you are storing within your system. Try to share that, and try to understand how much you can put trust in the data. So if we can minimize the data flowing around the economy, I think all of us can do our part, it will be significant improvement in, everyone’s cybersecurity posture.

Karissa Breen [00:32:34]:
So just a quick question on minimizing the data flowing around in people’s organization. Like, 10 years ago, I remember everyone sort of saying, we’ve gotta get as much as we can so we can analyze people. And now we’re saying now we’re saying the opposite. So what what’s happened? That wasn’t even that long. 8, 10 years ago, I remember, you know, looking at Cloudera and friends like this. Like, everyone’s saying, let’s get as much information on people as possible. Do you think that we didn’t really think it through in terms of the risks?

Dima Postnikov [00:33:01]:
Absolutely. And and the requirements came from different sites. And I’ve also observed that in for the large banks as well, where on one side, cybersecurity professionals and identity professionals are trying to minimize the data and trying to lower down the data as much as possible. On the other side, marketing professionals and, to a certain extent, even product professionals tend to try to absorb as much data as possible, either for fraud decisioning or for personalization. But these are the things that still have to be reconciled by the banks, but this is where you have to look at it as a whole. You can’t look at it in isolation, either in the marketing space or in a cybersecurity space. You have to make decision as a company what’s your post chain in regards to the data. Of course, you need to enable the better experience.

Dima Postnikov [00:33:48]:
Of course, you need to protect the data. And this is where I see digital identity probably being a little bit different from pure cyber security. Is where I see the main two goals. One is to protect the customer, the data, the assets. But on the other side, it’s also to enable. To enable journeys, customer journeys that are not previously possible or customer or employee journeys that are not previously possible. We need to look at both together, not separately.

Karissa Breen [00:34:16]:
So, Dima, do you have any sort of final thoughts or any closing comments you’d like to leave our audience with today?

Dima Postnikov [00:34:22]:
Everyone should look critically what their teams are doing in regards to the data, in regards to the identity proofing. We need to utilize industry best practices. We need to understand what other jurisdictions are doing because the world is evolving. The way we were the conversation we were having 5 years ago, they’ve changed. So we are talking a lot more right now about reusable git show identity, and now it’s available.

Share This