0:00

If digital identity is going to

0:02

be the future, it has to

0:04

work for everyone. I would love

0:06

to see us help them skip

0:08

physical identity documents all together. And

0:10

let's just go straight to digital

0:12

identity. Wouldn't that be the perfect

0:15

world though? I feel like consumers

0:17

have become so callous to data

0:19

breaches that they almost don't even

0:21

register anymore. No, I'm really scared.

0:23

I like how positive we've been

0:25

on this podcast episode today. Hello,

0:27

dear audience, and welcome back to

0:30

Series 3 of What the

0:32

Fraud. A podcast by Some

0:34

Sub, where Digital Fraudsters meet

0:36

their match. I'm Thomas Taraniak,

0:38

head of partnerships here at

0:40

Some Sub, the Global Verification

0:43

platform, helping to verify users,

0:45

businesses, and transactions as well.

0:47

Governments worldwide are racing to

0:49

roll out digital identity systems,

0:51

promising greater convenience, security and

0:54

efficiency, of course. From Estonia's

0:56

e-residency program to Singapore's same

0:58

pass, these initiatives are gaining

1:00

momentum. The UK is also launching

1:02

its own digital wallet to store

1:05

official documents this year in 2025,

1:07

but with new technology comes new

1:10

risks. Hackers recently exposed vulnerabilities in

1:12

Germany's digital ID system. affecting over

1:14

10 million users. And in India,

1:17

login credentials were leaked on the

1:19

Dark Web for just $8, as

1:21

per the Adhar database. And in

1:24

this episode today, we will sit

1:26

down with Daniel Flow, head of

1:28

digital identity at the London

1:30

Stock Exchange Group, and

1:32

Eddie Moxon Garcia, product

1:35

marketing lead at Samsung,

1:37

to hear what's being

1:39

developed in the new

1:41

digital ID sector. and

1:43

find out whether there

1:45

really can be a

1:47

reusable identity solution that

1:49

balances privacy, security and

1:51

accessibility as well. Daniel Eddie,

1:53

thank you so much for coming

1:56

on the show with us today.

1:58

I would love to get... straight

2:00

into it if you don't mind.

2:03

So Daniel, if I turn to

2:05

you first, I'd like to address

2:07

digital IDs. It is going absolutely

2:09

global right now and you're right

2:12

at the center of it at

2:14

the London Stock Exchange Group. So

2:16

how did you get into the

2:18

world of digital ID in the

2:21

first place and how has the

2:23

landscape evolved since you started? So

2:25

I got into digital ID, I

2:27

think the way most everybody gets

2:29

into most anything, through personal connections

2:32

and some friends. So I started

2:34

interacting with a startup called Global

2:36

Data Consortium back in the mid-20-10s,

2:38

worked with them on and off

2:41

as an advisor through that period,

2:43

and then came on as a

2:45

full-time employee sometime around 2020. And

2:47

the London Stock Exchange Group bought

2:50

us. in 2022. It has been

2:52

an interesting ride through the space.

2:54

I got involved because it's just

2:56

full of interesting problems. We've got

2:59

eight and a half billion people

3:01

globally. How do we enable them

3:03

all to participate in the digital

3:05

economy to transact? to prove who

3:08

they are, how do we keep

3:10

people safe online, how do we

3:12

protect people from fraud, and it

3:14

seems like there's just never an

3:17

end to the opportunities to learn,

3:19

grow, and hopefully stay ahead of

3:21

the fraudsters. I think the big

3:23

change for us is, you know,

3:26

10 years ago, there was a

3:28

lot of human intervention in identity

3:30

verification. There was a huge focus

3:32

on documents. And many times you

3:35

would see a lot of that

3:37

work really being performed behind the

3:39

scenes by human beings with eyes

3:41

on glass. And the technology for

3:44

fraud detection, the technology for liveness

3:46

has come so far, and the

3:48

adoption of digital IDs has come

3:50

so far. It's like being in

3:53

a whole new space than the

3:55

one I started in. Absolutely, Daniel.

3:57

I mean, that's a big mission.

3:59

I think one that we're all

4:02

a part of, the democratization of

4:04

access to, of course, digital services

4:06

globally for those underserved. But that

4:08

means sort of releasing those moats,

4:11

those barriers to entry for those

4:13

individuals. And of course, having people

4:15

on the back end actually go

4:17

through and do everything manually, an

4:20

over usage of ID documents, etc.

4:22

Can also, sort of kill progress.

4:24

So Eddie, Eddie, great to have

4:26

you on the podcast, finally. forward

4:29

question, what in your opinion are

4:31

the benefits of digital ID compared

4:33

to traditional methodologies? First I have

4:35

to agree with Daniel, but it's

4:38

a fascinating space, but it's just

4:40

riddled with problems every new day

4:42

we come up against new challenges.

4:44

So it does keep us interested,

4:47

I would say. I would say

4:49

the biggest difference and benefit is

4:51

that digital reusable identity aims to

4:53

remove repetitive onboarding steps. And this

4:56

is a major bottleneck for businesses

4:58

and users, so it's not just

5:00

something that... Only companies need to

5:03

worry about. Right now, if you

5:05

want to sign up for a

5:07

new service, open a new bank

5:09

account, access a crypto exchange, maybe

5:12

just join an online marketplace, you

5:14

have to go through a pretty

5:16

much identical process from scratch every

5:18

single time. And that is very

5:21

tedious for you, but it also

5:23

leads to drop-offs and rejections and

5:25

so on. So the premise of

5:28

reasonable identity is that you can

5:30

verify once and then reuse that

5:32

verification across multiple platforms. This does

5:34

mean faster on boarding and lower

5:37

drop-off race, which makes everybody happy.

5:39

But I do think that there

5:41

is an argument to be made

5:44

about financial inclusivity. Our own research,

5:46

which came in the form of

5:48

an initiative called Green Flag, there's

5:50

a fantastic white paper out, I

5:53

encourage everyone to read it. shows

5:55

that there are 627 million people

5:57

across the world that are digitally

5:59

excluded and I can go into

6:02

the reasons a bit later on

6:04

but the point is that that

6:06

627 million people represent 1.75 trillion

6:09

US dollars of missed opportunity for

6:11

businesses. So making identity digital and

6:13

reusable but also universally recognized is

6:15

something that companies should care about

6:18

because it's not about just reducing

6:20

friction. For users it's about expanding

6:22

their market and revenue potential and

6:24

I would say that's a pretty

6:27

big benefit. Definitely, Eddie. And we're

6:29

talking about solving a massive problem

6:31

here. And it's like one step

6:34

at a time, as I'd always

6:36

think. This year, the UK government

6:38

is planning to introduce a new

6:40

digital wallet storing official documents, such

6:43

as driving licenses, which will be

6:45

completely digital. So countries like Germany

6:47

and Estonia have already implemented similar

6:49

systems with mixed results. Daniel, why

6:52

is there such a demand for

6:54

digital IDs right now? I think

6:56

there's always been... demand, especially as

6:59

if you look at the last

7:01

25 years, as we've moved from

7:03

having our digital selves. in our

7:05

digital participation, a complementary element of

7:08

our lives. It's really become how

7:10

we live our lives. You know,

7:12

I like to use this as

7:14

an example. I work from a

7:17

home office. I bank with a

7:19

financial institution that doesn't have a

7:21

physical branch anywhere near me. I

7:24

live in the United States and

7:26

I work for a company based

7:28

in London. So my digital self,

7:30

my my transacting online, the accounts

7:33

of... sign up for and the

7:35

things that I do, they're not

7:37

a complementary element of my life.

7:39

They are my life. And if

7:42

you go back to all the

7:44

protocols that the internet has, there's

7:46

no identity protocol. There never has

7:49

been. And what we have done

7:51

throughout the, you know, especially the

7:53

last 25 to 30 years, is

7:55

we've made it work with... physical

7:58

photographic IDs and user-controlled devices. And

8:00

that fundamentally is a useful and

8:02

purposeful work around. The photo ID

8:04

I always like to point out

8:07

was invented by the British in

8:09

1915 during the Great War because

8:11

they were concerned about German spies

8:14

entering the UK. If you go

8:16

back, you know, let's say 10

8:18

years, if you wanted to verify

8:20

yourself online, you were using a

8:23

100-year-old technology at core to establish

8:25

who you are and gain entry

8:27

into a system or a financial

8:29

institution. that you wanted to. So

8:32

I would argue that for as

8:34

long as people have been transacting

8:36

online, there's been the need for

8:39

a digital identity or a way

8:41

to assert and prove your identity

8:43

that is truly digital. I think

8:45

what we're seeing in the last

8:48

five years, particularly, is our governments.

8:50

Our regulators are catching up to

8:52

that demand and are starting to

8:54

recognize the digital world for what

8:57

it is and the need of

8:59

their constituents and consumers for what

9:01

they are. So not to be

9:04

overly picky, but I would argue

9:06

the demand's always been there. I

9:08

think we're just finally seeing some

9:10

of our older institutions catch up

9:13

to it and offer what people

9:15

have always wanted online. Absolutely. So

9:17

I do agree there as well.

9:19

Eddie, what do you think on

9:22

the matter may ask? I agree

9:24

also. I think the demand has

9:26

always been there, but the high

9:29

demand that we're seeing today is,

9:31

I would say, being driven by

9:33

this perfect storm of regulatory pressure,

9:35

security concerns, and consumer expectations. And

9:38

I think those expectations come from

9:40

the reality of people's lives. Already,

9:42

governments worldwide are recognizing the paper-based

9:44

identification. just doesn't cut it for

9:47

a digital first economy. And if

9:49

we take the UK's digital wallet

9:51

initiative, for example, and Daniel correct

9:54

me if I'm wrong, please keep

9:56

me honest, it's part of a

9:58

wider push towards self-sovereign identity, where

10:00

people can control and reuse their

10:03

digital credentials without needing to repeatedly

10:05

submit sensitive documents. At the same

10:07

time, I think that businesses are.

10:09

Under pressure to improve onboarding while

10:12

staying compliant, and regulators are tightening

10:14

KYC and AML rules, but users

10:16

still expect a seamless digital experience.

10:19

So I think that digital identity

10:21

is the only way to meet

10:23

both of these demands simultaneously. No

10:25

solution should... only focus on efficiency.

10:28

It has to be about security

10:30

and usability as well. There's a

10:32

great example about Germany when they

10:35

rolled out their digital ID system.

10:37

It exposed a bunch of security

10:39

gaps and I think it was

10:41

around 10 million users that were

10:44

affected ultimately. It does highlight why

10:46

we need this balance between security

10:48

and usability. So yes, the demand

10:50

is high, but I would say

10:53

that the real question is, can

10:55

we have these solutions and systems

10:57

designed in a way that is

11:00

truly secure, inclusive, and scalable? Absolutely,

11:02

it needs to be robust at

11:04

the end of the day. The

11:06

idea is to stop fraud at

11:09

us, right? And from our perspective

11:11

as well, we do know, Eddie,

11:13

of course, that the biggest type

11:15

of identity fraud that we've seen,

11:18

making up 50% of cases, is

11:20

indeed ID cards, as the most

11:22

exploited type of document, of course,

11:25

and they're being used in around

11:27

70% of identity document fraud. from

11:29

the other angle, Daniel, what sort

11:31

of benefits can digital ID offer

11:34

people when it comes to protecting

11:36

themselves online compared to, let's say,

11:38

the most, let's say, abused non-digital

11:40

IDs that have been the target

11:43

from Fordsters as well? Yeah, and

11:45

I think you touch on what

11:47

is a really important element in

11:50

this discussion, which is that we

11:52

shouldn't fall in the trap of

11:54

expecting a new technology. to be

11:56

perfect, we should expect it to

11:59

be better. And I see a

12:01

lot of arguments against Digital ID

12:03

pointing out places where there have

12:05

been breaches and there have been

12:08

failures and I don't think there's

12:10

any denying that there have been

12:12

and there will be. privacy security

12:15

issues with digital IDs. But the

12:17

question we need to ask ourselves

12:19

is, are we more private and

12:21

more secure under some of the

12:24

digital ID schemes than we are

12:26

under today's scheme, where if I

12:28

lose my wallet, I've lost my

12:30

identity card, and for about 15

12:33

bucks. I can get a pretty

12:35

convincing digital ID that has my

12:37

face and my signature on it

12:40

and a completely fictitious name and

12:42

address. 15 sounds like quite a

12:44

lot as well, Daniel. I've seen

12:46

them go for four or five

12:49

bucks. I want one of the

12:51

good ones. You're being scambered. I

12:53

think that's the thing that we

12:55

have to get to and you

12:58

guys have some great research on

13:00

how much fraud is undertaken with

13:02

counterfeit identity documents and synthetic IDs.

13:05

That needs to be our initial

13:07

point of comparison when we talk

13:09

about safety security privacy of digital

13:11

IDs, not a sort of fictitious

13:14

perfect world where everything is secure,

13:16

seamless, frictionless, and confidential. Wouldn't that

13:18

be the perfect world though? I

13:20

mean that's what we're sort of

13:23

always going for. So from the

13:25

fraud prevention perspective, do you think

13:27

a digital first approach will reduce

13:30

risks or introduce new ones? And

13:32

what would those risks be if

13:34

that was the case? I mean,

13:36

I think yes is the answer

13:39

to that question. It will both

13:41

reduce risks and introduce them. So

13:43

we'll have new and interesting risks.

13:45

I do think that we should

13:48

really limit our scope to those

13:50

that are doing it well. that

13:52

require active user input on a

13:55

known user-controlled device that cuts out

13:57

a lot of that. I have

13:59

a colleague that is based in

14:01

Sweden, and one of the examples

14:04

he uses is that he can

14:06

easily pull up his tax ID,

14:08

his name and his address, and

14:10

his date of birth. And it's

14:13

public information in Sweden. It's quite

14:15

easy to find, but the way

14:17

they've structured bank ID. And the

14:20

way they've structured a lot of

14:22

security around it, it doesn't matter.

14:24

No one can impersonate him and

14:26

interact with any of his accounts

14:29

because ultimately they have to be

14:31

able to utilize his bank ID

14:33

via a device that he controls.

14:35

So in a lot of ways,

14:38

I think that well executed digital

14:40

ID schemes take the teeth out

14:42

of those data leaks because they

14:45

make that data less useful, not

14:47

more. Definitely the case. Are you

14:49

on the same page as well?

14:51

Definitely. I think, I mean, your

14:54

question was around, are there new

14:56

risks in addition to the old

14:58

ones and 100% I think, it's

15:01

also not that black and white,

15:03

right? I do believe that a

15:05

digital first approach is essential for

15:07

fighting fraud, especially at scale, but

15:10

it has to be intelligent and

15:12

adaptive. Automation, AI and behavioral analysis

15:14

of... already massively improved fraud detection.

15:16

The biggest advantage is that it

15:19

removes reliance on human judgment and

15:21

outdated manual processes. With analog systems,

15:23

the risk was I think more

15:26

apparent because we had to rely

15:28

on how we'll train the person

15:30

was to spot a fake document,

15:32

for example, or how accurate the

15:35

physical scanning equipment was. And these

15:37

mentors were prone to human error

15:39

and efficiencies. The risk now with

15:41

the new technology, I think, comes

15:44

from having for other compensating somehow.

15:46

If you have a really strict

15:48

fraud prevention system, it can exclude

15:51

legitimate users. A really good example

15:53

of this is biometric verification. It's

15:55

a great finding tool, but it's

15:57

not foolproof. Our research again shows

16:00

I think it was around 96

16:02

million people who phase verification challenges

16:04

because they've had changes in their

16:06

physical appearance, because they've aged or

16:09

they've had medical condition, they've had

16:11

hair loss, even gender transitions and

16:13

so on. So a rigid system

16:16

may misclassify people as fraud risks

16:18

and lock them out unfairly. And

16:20

that's something that should be thought

16:22

of when you're trying to implement

16:25

these solutions. And I think another

16:27

big one is country-based restrictions. So

16:29

many companies automatically block users from

16:31

high-risk regions. And there is a

16:34

large subset of the population who

16:36

are affected by a blanket ban

16:38

that doesn't account for... individual legitimacy.

16:41

So in order to sort of

16:43

mitigate this you should be using

16:45

AI powered risk scoring that it

16:47

says is behavior dynamically rather than

16:50

denying access outright. So there isn't

16:52

a silver bullet to say there's

16:54

no risk. Everyone here is legitimate.

16:56

They have all the good intentions.

16:59

There should be a combination of

17:01

all these different tools that we

17:03

have at our disposal today. And

17:06

as Daniel said, it's no solution

17:08

is perfect. We have to keep

17:10

iterating and seeing what works. And

17:12

the nature of the solution. in

17:15

my opinion, should be very much

17:17

dynamic and able to adapt and

17:19

have a different approach for different

17:21

users. Yeah, well said. Yeah, absolutely.

17:24

I mean, iterations, essential innovation is

17:26

painful. So there is going to

17:28

be friction at the start as

17:31

well. But we've talked about why

17:33

governments now, of course, are very

17:35

excited about this. I'm excited about

17:37

it. Financial institutions are as well.

17:40

Specifically in Europe, of course, and

17:42

the new forms of the digital

17:44

ID are going to, well, of

17:46

course, have changes. But what I'd

17:49

love to touch on from both

17:51

of your perspectives, and Eddie, you

17:53

did this quite nicely as well,

17:56

is... What about the public? I

17:58

mean, the FIs are happy, the

18:00

governments are happy, and we're moving

18:02

forward, but is the public... embracing

18:05

this shift, let's say. Is there

18:07

skepticism that we're saying about security

18:09

and privacy? Daniel, would you want

18:11

to take this first? Sure, and

18:14

so many ID schemes, there's so

18:16

many countries that it's really hard

18:18

to give a blanket answer. I

18:21

think you are seeing a few

18:23

things that are really driving that

18:25

user adoption and user trust. So

18:27

there are a few interesting reports

18:30

out there. The Bill and Melinda

18:32

Gates Foundation and the Tata Foundation

18:34

are heavily involved in this. And

18:36

PWC has some interesting reports out.

18:39

But it seems like you start

18:41

to see a tipping point of

18:43

user adoption when a couple of

18:46

things are present. So one is

18:48

that sort of table stakes level

18:50

safety and security. It really comes

18:52

down to does the average citizen

18:55

consumer trust the government with their

18:57

data and believe that it is

18:59

going to be held and maintained

19:01

safely. The second thing that you

19:04

see is a number of services

19:06

available that access the digital ID.

19:08

And we tend to see tipping

19:11

points around 100. services. So if

19:13

you look at a country like

19:15

Estonia, right, there's hundreds and hundreds

19:17

of services that will accept the

19:20

the EID. It's very commonly used.

19:22

Same thing in the Nordics, the

19:24

same thing in Singapore and India.

19:26

Where you tend to run into

19:29

trouble is when you see some

19:31

in some countries where There's a

19:33

fairly small number of services that

19:36

are available to a consumer on

19:38

that digital ID. And you find

19:40

that they'll maybe sign up once

19:42

and then not use it again.

19:45

So we see that. I like

19:47

to use Hong Kong. Their digital

19:49

ID as an example there, where

19:52

there's really only a few things

19:54

you can do with it. Everybody

19:56

signed up for it and then

19:58

stopped using it. And then I

20:01

think the third thing and what

20:03

really seems to move consumer adoption

20:05

forward is frankly, forced usage from

20:07

government services. Your government services or

20:10

your bank require you to use

20:12

that digital ID to access services.

20:14

We see massive spikes in adoption.

20:17

So one of the examples there

20:19

is a service like It's Me

20:21

in Belgium, where for a lot

20:23

of residents in Belgium to access

20:26

government services, they're required to use

20:28

that to use that see massive

20:30

adoption essentially because it's been forced.

20:32

What about you Eddie? What do

20:35

you see? It's such

20:37

an interesting point about forced adoption,

20:39

because I do think there's definitely

20:41

a divide in public perception. On

20:43

one hand, people want faster, easier

20:46

access to services, you know, banking,

20:48

government benefits, whatever it may be.

20:50

But trust is a big challenge.

20:52

Many people worry about data privacy,

20:55

surveillance, and security breaches. And as

20:57

we saw with the example from

20:59

Germany, they have good reason to

21:01

do so. So I think that

21:04

the key here would be... transparency

21:06

and user control. Yes, there is

21:08

enthusiasm, but I think the real

21:10

test is how well these systems

21:12

address the security concerns and ensure

21:15

inclusion so that we are not

21:17

leaving the legitimate users out. But

21:19

ultimately, if people don't feel that

21:21

they can benefit from a digital

21:24

identity scheme, or if a certain

21:26

group is being locked out, I

21:28

don't think it'll gain the mass

21:30

adoption that governments and businesses are

21:33

hoping for. Well, and I think

21:35

you can look at, I like

21:37

to look at Adhar in India

21:39

as a great example of an

21:41

EID that rolled out to a

21:44

massive, right, billion-plus person population. When

21:46

ad hoc was rolled out, I

21:48

think the World Economic Forum said

21:50

like 25% of Indians were living

21:53

in extreme poverty. So you've right,

21:55

you've got a massive population, you've

21:57

got a geographically dispersed. population and

21:59

you've got a high degree of

22:02

impoverished people in that population and

22:04

yet they have been incredibly successful

22:06

at achieving adoption. widespread usage. There

22:08

have been some data security issues,

22:11

but I think on the whole,

22:13

when you look at the Indian

22:15

economy, when you look at the

22:17

declining poverty rates, the increased participation

22:19

in the digital economy, from the

22:22

Indian citizens. I think you see

22:24

that it can be done and

22:26

it can be done well. Absolutely.

22:28

Eddie, correct me if I'm wrong

22:31

there. I think Daniel touched on

22:33

a very good point, but it's

22:35

97% of the adult population between

22:37

16 and 65, right, in India,

22:40

have access to that ad hoc

22:42

scheme, which is amazing. Of course,

22:44

the country has been known for

22:46

very large, very good adopted censuses

22:48

of the population as well, and

22:51

that's super important to understand the

22:53

population and also provide them with

22:55

access to those digital. services which

22:57

they might not already have, but

23:00

you also touched on the security

23:02

sort of side. I mean the

23:04

security debate around digital IDs is

23:06

massive. We touched upon it briefly

23:09

now, but whilst these government schemes

23:11

of course offer or promise, let's

23:13

say convenience, storing sensitive IDs within

23:15

a single digital wallet, I mean

23:17

it creates a clear sort of

23:20

target for hackers, even if there

23:22

are limitations around how they can

23:24

actually gain access to those, there's

23:26

obviously the attraction for them. So

23:29

experts... across the world worry that

23:31

linking passports, drivers license and all

23:33

of these digital services with their

23:35

credentials into one system creates a

23:38

centralized point of failure. So I

23:40

would ask both of you actually,

23:42

how can digital ID systems be

23:44

secured without introducing one single attack

23:46

vector? I mean, what measures other

23:49

than what we've talked about today

23:51

have been put in place? First

23:53

of all, it's a very valid

23:55

concern and point to raise. I

23:58

think anyone would be terrified if

24:00

they knew their whole life was

24:02

contained. in one single place, right?

24:04

So it is about reducing reliance

24:07

on a single point of failure,

24:09

and there is a lot of

24:11

conversation around different topics. I think

24:13

the main one would be decentralization

24:15

and a push for self-sovereign identity.

24:18

So giving users the control of

24:20

their data and so on, I

24:22

think a more practical measure, though,

24:24

is this adaptive risk-based authentication. As

24:27

I said before, instead of treating

24:29

everyone the same and evaluating in

24:31

the same way, there's different prevention

24:33

systems that will analyze behavior, device

24:36

intelligence, location patterns, and so on,

24:38

just looking for anomalies. So if

24:40

a login attempt looks unusual, additional

24:42

verification is triggered. And so I

24:45

think this is a very practical

24:47

way to ensure security. Another one

24:49

is decoupled verification. many systems allow

24:51

for a separate authentication away from

24:53

storage. So when you do biometric

24:56

verification, that can be done locally

24:58

on your device on your mobile

25:00

phone without storing that raw biometric

25:02

data in a central database somewhere

25:05

else. So this alone reduces hacking

25:07

risks and increases users control. It

25:09

also increases that sense of security

25:11

and so on. So those two

25:14

are... former practical in my opinion

25:16

than decentralization because inherently it does

25:18

feel like you're putting all your

25:20

eggs in one basket. Yeah, and

25:22

I mean, absolutely spot-on response. I

25:25

think the only counter I'll offer

25:27

is, I feel like consumers have

25:29

become so callous. two data breaches

25:31

that they almost don't even register

25:34

anymore. Like, you know, how many

25:36

times has T-Mobile's database been breached?

25:38

I've frankly lost count and not

25:40

to pick on them specifically, but

25:43

you know, as you look at

25:45

your digital footprint as a consumer,

25:47

one of the things that I

25:49

always try to explain to people

25:51

is every service you work with.

25:54

is maintaining some version of your

25:56

digital identity behind the scenes that

25:58

you have no control over. So

26:00

Amazon has one set of information

26:03

on me that they maintain in

26:05

a place I don't know with

26:07

security I can't control and have

26:09

absolutely no say over what they

26:12

do with the data. And kind

26:14

of so on and so forth

26:16

across all the services that I

26:18

use. I know I mean to

26:20

diminish the risks and I think

26:23

we have to put things in

26:25

place to minimize them and we

26:27

can do a lot better than

26:29

we are today, but I do

26:32

think we have to come back

26:34

to, it's not like it's secure

26:36

right now, it's not like everyone

26:38

that's listening to this podcast hasn't

26:41

been the victim of a data

26:43

leak or a data breach, probably

26:45

in the last few months. Absolutely

26:47

not. So we talked about this

26:49

a lot on our podcast, right?

26:52

It's a little bit of broken

26:54

records in my own minds in

26:56

my own minds, but. AI, it's

26:58

been used by fraudsters on a

27:01

day-to-day basis, not only for, of

27:03

course, deep fakes, but as Daniel

27:05

has mentioned earlier, for document creation

27:07

and the fraudulent documents which can

27:10

actually bypass systems and of course

27:12

return a very good, let's say,

27:14

ROI for the actual fraudster themselves.

27:16

So as for businesses, what can

27:18

they do to adjust their systems

27:21

to digital IDs whilst protecting themselves

27:23

from possible attacks using AI deep

27:25

fakes or otherwise? Eddie? I think

27:27

my advice is very simple, the

27:30

execution might be a little bit

27:32

more complex, but let's try. I

27:34

would encourage businesses to take a

27:36

very proactive approach when it comes

27:39

to fighting AI fraud, because the

27:41

fraudsters are evolving just as fast

27:43

as the technology. AI-driven attacks, especially

27:45

deep fakes and synthetic identities, have

27:48

become so sophisticated. And as Daniel

27:50

mentioned earlier, most fraud attempts a

27:52

while ago were just based on

27:54

installing documents. Now we have AI-generated

27:56

faces, voice cloning. entire fake persona,

27:59

slipping through the cracks of weak

28:01

verification systems. So in terms of

28:03

what can be done practically, I

28:05

would say, number one, and this

28:08

is something we love to say

28:10

at some service, by AI with

28:12

AI, enlist the power of machine

28:14

learning for fraud detection. Deep Fake

28:17

detection models can analyze subtle facial

28:19

distortions, you know, on natural blinking

28:21

patterns, inconsistencies in skin texture, things

28:23

that the human eye just might

28:25

miss, right? And then behavioral AI

28:28

can become a tool for evaluating

28:30

user interactions like keystrokes, device data

28:32

also might help determine whether an

28:34

identity is real or fake. The

28:37

second point would be a multi-layered

28:39

approach to identity proofing, not relying

28:41

on a single authentication factor. So

28:43

layer. Biometric liveness detection on top

28:46

of device intelligence, on top of

28:48

behavioral analytics, do as much of

28:50

it as you can in a

28:52

mix and match a way depending

28:54

on the use case, depending on

28:57

the user and so on. And

28:59

then the last one would be

29:01

adaptive risk-based authentication, as I've mentioned

29:03

before. trying to look for these

29:06

patterns and only surface additional checks

29:08

when it's absolutely necessary. And I

29:10

think if a company does all

29:12

of this, they're not just improving

29:15

security, it's reducing unnecessary friction for

29:17

those legitimate users. Absolutely. And of

29:19

course on the business side as

29:21

well, I mean, there's a lot

29:23

of security risks, one challenges as

29:26

well in making digital IDs truly

29:28

fraud resistant, of course. I mean,

29:30

Daniel, from your perspective as well,

29:32

are there... key security features being

29:35

prioritized right now for businesses or

29:37

otherwise, would you recommend that businesses

29:39

focus on similar elements as Eddie

29:41

has pointed out? Yeah, I mean,

29:44

I think everything Eddie said is

29:46

excellent. It's a really good answer.

29:48

I would just add in, I

29:50

think that the more that you

29:52

as a business can widen the

29:55

aperture when you're looking at an

29:57

individual. The harder and harder it

29:59

is for someone to have really

30:01

any kind of attack, much less

30:04

a presented content AI attack. And

30:06

I may be overpaying. Apparently I'm

30:08

overpaying for my fake IDs. We'll

30:10

talk about it after the podcast.

30:13

But I can make up an

30:15

identity and an address and a

30:17

date of birth and I can

30:19

have an identity document. for a

30:21

fairly small amount of money. Now,

30:24

if I were to try to

30:26

create a credit record for that

30:28

identity, that's a whole lot harder

30:30

and takes a whole lot more

30:33

time. So the more that organizations

30:35

are able to broaden out and

30:37

not only just look at the

30:39

presented content, but also look to

30:42

verify it with independent authoritative sources,

30:44

that's one of the big ways

30:46

that we see. organizations handle that

30:48

challenge of generated content. And I

30:51

think the second way that we

30:53

see that is really relying heavily

30:55

on things that involve active user

30:57

participation and consent. So, you know,

30:59

I love seeing pass. I love

31:02

the way that they require active

31:04

engagement from the user on a

31:06

known device. much easier for you

31:08

to create a video of me

31:11

that might get past somebody else's

31:13

biometric or liveness scans. It's entirely

31:15

another for someone to control a

31:17

known device that's in my possession

31:20

and give consent on it. Definitely

31:22

is super important as well Daniel's

31:24

just to have a multi-layered approach

31:26

to everything you do around making

31:28

sure the person is who they

31:31

say they are and by all

31:33

means that can stop of course

31:35

the the nefarious actors who are

31:37

trying to bypass systems but with

31:40

the development and also that sort

31:42

of exponential growth of social engineering

31:44

as well people often handing over

31:46

the reins to these. as well,

31:49

which is something that we need

31:51

to bear in mind, right? I

31:53

mean, at some sub, developing the

31:55

some sub ID involved extensive planning

31:57

and also refinements ensure the robust

32:00

security of the network as well.

32:02

And there's a few other things

32:04

that we could touch upon here,

32:06

but Eddie, I'd like to sort

32:09

of pose a question to you

32:11

as well. Would you be able

32:13

to sort of break down exactly

32:15

how that works from our side?

32:18

I have to preface by saying

32:20

that there's an army of people

32:22

behind sums of ID because we

32:24

all deeply care about security privacy

32:26

and user consent and finding that

32:29

balance between making users feel at

32:31

ease but also providing businesses with

32:33

the right verification data and information

32:35

that they need to conduct their

32:38

actual business. So with that in

32:40

mind, sums of ID was very

32:42

much designed. to provide a seamless

32:44

and secure and reusable identity form

32:47

while maintaining high compliance standards. And

32:49

that compliance point is so important.

32:51

and I'll talk about it in

32:53

a second, but instead of having

32:55

users upload documents and input data

32:58

every time they sign up for

33:00

a new service, some sub-id allows

33:02

them to reuse that stored document

33:04

and data across multiple platforms. So

33:07

it's very simple. And then once

33:09

that some sub-id account is created,

33:11

it can then be used across

33:13

different platforms. And the power is

33:16

very much... within the user, they

33:18

can select what data to share,

33:20

and if at all, they're very

33:22

much within their right to not

33:24

give consent, and that's completely okay,

33:27

but we made sure that that

33:29

was a part of the process.

33:31

That user consent is so important.

33:33

At the same time, in order

33:36

to meet that compliance element, I

33:38

mentioned, we really wanted to take

33:40

care of the fact that sometimes

33:42

different companies have... different regulations, different

33:45

guidelines, they have to abide by

33:47

a different KYC or AML framework.

33:49

And so what happens is if

33:51

I've created a sums of ID

33:54

account and I have my story

33:56

documents, my date, and so on.

33:58

And then I go to reuse

34:00

it with another company, and that

34:02

company requires my ID document to

34:05

be valid for at least six

34:07

months, instead of the three that

34:09

I have left on my ID

34:11

card, we will prompt for a

34:14

re-upload of the document. So compliance

34:16

is never really compromised at any

34:18

point. And what's really interesting is

34:20

that across the entire flow and

34:23

process, all of these... steps and

34:25

checks that we have. So for

34:27

the ID check, for the liveness

34:29

check, the fraud prevention is really

34:31

baked in because we don't do

34:34

liveness check without checking for deep

34:36

fakes or a synthetic identity. We

34:38

don't do an ID document check

34:40

without doing an OCR extraction and

34:43

checking against databases. So it's really

34:45

as robust and as a comprehensive

34:47

a solution as we could come

34:49

up with. So

34:54

we've noticed here at some

34:56

sub that one in three

34:58

users have already verified their

35:00

identity with one of our

35:02

clients before So why go

35:05

through the same KYC process

35:07

again and again? That's exactly

35:09

why we've just launched some

35:11

sub ID our new digital

35:13

reusable solution that allows users

35:16

to create a secure reusable

35:18

identity profile, speeding up verification

35:20

across platforms whilst reducing friction

35:22

as well. So, here's how

35:24

it works. One, the user

35:27

logs into some sub-ID ID,

35:29

verifies their email, and selects

35:31

a stored document. Secondly, they

35:33

pass their liveness check, and

35:36

finally, thirdly, once verified, their

35:38

data can be securely shared

35:40

with no more manual document

35:42

up. So, for businesses, this

35:44

means 50% faster verification, 30%

35:47

higher pass rates, GDPR compliance,

35:49

and over 1 million sum

35:51

sub ID users. So, to

35:53

learn more, check out the

35:55

link in the description or

35:58

visit sum sub.com. Daniel,

36:02

you've spoken about Sing Pass, the

36:05

Estonian of course Bank ID, and

36:07

now in the UK, of course,

36:09

well, Helsinki are based, the UK

36:11

government's digital ID program will roll

36:13

out later this summer in 2025,

36:15

which is super exciting, right? I

36:18

mean, what else are we expecting

36:20

Daniel in the coming years and

36:22

months? Are there other projects that

36:24

you're keen to keep an eye

36:26

out on rather than outside of

36:28

the UK as well? Well, I

36:31

mean, I think you've got the

36:33

EU Digital Wallet Initiative, which currently

36:35

requires all member nations to have

36:37

at least one digital identity that

36:39

could be presented in a mobile

36:41

wallet for all residents, citizens, and

36:44

subjects of the EU by January

36:46

1st, 26. So that obviously is

36:48

going to be huge. There are

36:50

some countries where... they're already there

36:52

and it's not really going to

36:54

be a big lift. There's some

36:57

other countries where they've got a

36:59

lot of work to do in

37:01

the, you know, what, nine months

37:03

remaining before that deadline. I also

37:05

think that there are some really

37:07

interesting IDs in like Southeast Asia

37:10

that aren't commercially available. So, you

37:12

know, for example, there's several in

37:14

Indonesia, the Philippines, where... Commercialization is

37:16

limited or not available at all

37:18

and citizens really only use them

37:20

for government services. But given the

37:23

difficulty in verifying identity in some

37:25

of those regions, we're working heavily

37:27

with those identity ministries to broaden

37:29

the scope of those digital IDs

37:31

and make them more easily accessible

37:33

for commercial vendors. They should make

37:36

a huge difference in minimizing fraud

37:38

and improving that user experience in

37:40

Southeast Asia. Daniel, that's a super

37:42

interesting point actually. Much of our

37:44

life is online now, as is

37:46

everyone's right? I mean, internationally as

37:49

well, especially when it comes to

37:51

financial transactions and being included financially.

37:53

I mean, on your side, Eddie,

37:55

how important is getting an international

37:57

agreement when it comes to regulation?

37:59

Are you optimistic of that right

38:02

now? Of course, we have the

38:04

EU coming into play, but beyond

38:06

that, of course, people wanting to

38:08

remit money cross-border and across the

38:10

West East, etc. How important is

38:12

that? How important it is. I

38:15

think going back to Daniel's introduction

38:17

and his depiction of his life,

38:19

living somewhere, working for a company

38:21

based in a different country, doing

38:23

business with another bank, it's crucial

38:25

because this is the way that

38:28

we live now. Interoperability amongst all

38:30

these companies is what's going to

38:32

ensure that I as a user,

38:34

as a citizen, as a normal

38:36

person, adopt this type of solution.

38:38

Because if I move from the

38:41

US to Spain... and then I

38:43

go to Southeast Asia or whatever,

38:45

I want to be able to

38:47

open a bank account seamlessly and

38:49

with very little pain and that

38:51

is not the case right now.

38:54

And this is a very real

38:56

problem and it's linked to all

38:58

sorts of like... immigration debate and

39:00

being able to prove your identity

39:02

when you don't have documents in

39:04

a new country, for example. It's

39:07

very tricky, so I think it's

39:09

incredibly important. I don't know how

39:11

optimistic I am that the nations

39:13

of the world will agree, but

39:15

hopefully, hopefully, the technology is advancing

39:17

really fast. as we said before,

39:20

so I think maybe that will

39:22

give a push for governments and

39:24

institutions to at least pay a

39:26

little bit more attention and then

39:28

just sort of realize these benefits

39:30

that we've been talking about for

39:33

the past hour because it's not

39:35

just about the user and making

39:37

their life easier. There is a

39:39

financial economic advantage to businesses that

39:41

will adopt these technologies. Definitely the

39:43

case. I like how positive we've

39:46

been on this podcast episode today.

39:48

As me again after the podcast.

39:50

Indeed, we'll have the same conversation.

39:52

But of course when we're looking

39:54

at the benefits, it's very clear

39:56

for people like us day to

39:59

day and for business. businesses, of

40:01

course, that we work in or

40:03

that we buy a purchase or

40:05

utilize the services from how important

40:07

a digital identity and also a

40:09

global digital identity or cross multi-border

40:12

or at least interoperable in how

40:14

important it must be. I mean,

40:16

at the end of the day,

40:18

it's going to save businesses a

40:20

lot of time and of time

40:22

and headache as well, but are

40:25

there any other benefits that we

40:27

could talk about and share with

40:29

our audience today? I would argue

40:31

that I think that the biggest

40:33

benefit Eddie touched on this earlier

40:35

is, you know, I think that

40:38

the estimates range from what 600

40:40

million to 800 million people in

40:42

the world don't have an identity

40:44

at all. They can't participate in

40:46

the digital economy, they can't transact

40:48

online, they can't vote, they can't

40:51

bank, and I think that's a

40:53

humanitarian crisis. So I spent a

40:55

lot of time in Africa about

40:57

15 years ago, and one of

40:59

the things that was really interesting

41:01

back then. was that most of

41:04

Africa skipped landlines, and they just

41:06

went straight to mobile phones. So

41:08

everyone had a mobile phone, everyone

41:10

had access to mobile internet, and

41:12

very few people had landlines. They

41:14

just never ran the cables. And

41:17

I think that there's an opportunity

41:19

for us in some of these

41:21

more impoverished or low-income countries. to

41:23

take a similar initiative with identity.

41:25

I would love to see us

41:27

help them skip physical identity documents

41:30

altogether. And let's just go straight

41:32

to digital identity. Let's go straight

41:34

to mobile internet access for people.

41:36

And let's take that number from

41:38

six to eight hundred million down

41:40

to zero in our lifetimes. I

41:43

couldn't agree more. Likewise, I don't

41:45

have anything more optimistic to say

41:47

than that. And I think, like

41:49

for normal people, like reusable or

41:51

digital identity is not something that

41:53

you... think about until you come

41:56

across a problem, until you cannot

41:58

open a bank account. or whatever

42:00

it may be. So for businesses,

42:02

it's just a win-win. You're ensuring

42:04

your users are having a great

42:06

on-boarding experience, you're improving your prevention

42:09

tactics without adding unnecessary barriers for

42:11

the users. I really don't see

42:13

a downside in the adoption of

42:15

this. Absolutely. Not so much the

42:17

adoption, just maybe some of the

42:19

friction that of course we'll see,

42:22

and the adoption of new methods

42:24

or methodologies from fraudster's perspective of

42:26

trying to target these spots. well.

42:28

We're coming towards the end of

42:30

our podcast today. Eddie, Daniel, it's

42:32

been great, but we'd love to

42:35

get to know you more on

42:37

a deeper level as well, a

42:39

more personal level. So would you

42:41

both join me for five quickfire

42:43

questions? No, I'm really scared. Well,

42:45

these are quickfire, so I'm going

42:48

to ask both of you, and

42:50

if you can give me a

42:52

quick answer, we'll move from question

42:54

to question. Are you ready? Sure.

42:56

So when choosing a digital wallet,

42:58

do you go for more features

43:01

or better security? Better security? Better

43:03

security. What's one thing about fraud

43:05

that still surprises you even after

43:07

all of your experience? The social

43:09

engineering element. How many people, regardless

43:11

of the barriers put in place,

43:14

voluntarily give control of their accounts

43:16

to bad actors? It does happen,

43:18

doesn't it? Eddie, are you on

43:20

the same page? What else is

43:22

there? The level of sophistication, I

43:24

like to talk about digital literacy,

43:27

also being a barrier to adopting

43:29

this type of technology, and I

43:31

consider myself a somewhat digital, digitally

43:33

literate person, yet sometimes I come

43:35

across an email or a message

43:37

in my own banking platform where

43:40

I go, hold on a minute,

43:42

I have to double take, I

43:44

have to go, hold on a

43:46

minute, is this genuine? So it's

43:48

so sophisticated that I'm being fooled

43:50

and I'm not... that far behind

43:52

in terms of understanding the differences

43:55

between a scam that my mother

43:57

would be targeted with versus the

43:59

ones that we're targeted with. But

44:01

yeah, that level of sophistication is

44:03

definitely surprising, not in a great

44:05

way. Super scary, and I think

44:08

that feeds into what Daniel was

44:10

saying about the manipulative side of

44:12

social engineering as well, but that

44:14

takes us well into our next

44:16

question. Have you ever actually been

44:18

a victim of fraud yourself? Yes.

44:21

So, well, fraud, I've certainly had

44:23

credit card numbers stolen and abused.

44:25

Yes, yeah. But I will say

44:27

for Eddie, I almost clicked on

44:29

a link, so there's a big

44:31

scam in the states right now

44:34

around tolls, like highway tolls. And

44:36

I had just gotten back from

44:38

a road trip where we drove

44:40

through some states and I got

44:42

a notice that I had unpaid

44:44

tolls. And I mean... My thumb

44:47

was hovering over the link and

44:49

I'm like, how did they get

44:51

my phone number? So yeah, I

44:53

think to Eddie's point, it's probably

44:55

not an if, it's a win.

44:57

I think the most recent digital

45:00

one is, and I think it's

45:02

quite common in Spain, actually, whenever

45:04

you are waiting for a parcel

45:06

to be delivered, you will get

45:08

from the local post office, you'll

45:10

get a tax message that says,

45:13

you need to pay. five cents

45:15

in order for us to unlock

45:17

this thing because whatever but it

45:19

looks legitimate and in the when

45:21

you're waiting for something and you're

45:23

excited to receive it you're not

45:26

really thinking straight and you're like

45:28

okay I just need to get

45:30

my package I'll pay for whatever

45:32

this is and then you go

45:34

on to a website that doesn't

45:36

look incredibly authentic and then you

45:39

realize but I think that's the

45:41

last thing that I almost fell

45:43

for. Okay, well there's always next

45:45

time, so stay safe, Daniel. And

45:47

of course Eddie, I also have

45:49

a question on the back, which

45:52

I think this flows quite nicely

45:54

into. What's one habit now that

45:56

you've been a victim of fraud

45:58

that you rely on? to stay

46:00

safe online. I don't encourage anyone

46:02

to do this. But when I

46:05

get the iPhone message saying your

46:07

password has been compromised or whatever,

46:09

ever since that sort of happening,

46:11

I now every three months do

46:13

a full sweep and I change

46:15

all my passwords and make sure

46:18

everything is as unhackable as possible.

46:20

And I've also consolidated my email

46:22

addresses because I used to have

46:24

about 17 different email addresses. One

46:26

was for serious business. The other

46:28

one for, you know. utilities and

46:31

whatever. Now I only have to.

46:33

My personal one that I don't

46:35

get about very often and then

46:37

the daily use one. So I'm

46:39

also trying to just reduce my

46:41

exposure that I'm willingly just giving

46:43

away email addresses for people to

46:45

contact me and so on. Interesting.

46:47

Perhaps a critical single point of

46:49

failure then as well. I would

46:52

say for my side not to

46:54

end us on a you know

46:56

we've been so optimistic here. But

46:58

I think just a constant paranoia

47:00

and cynicism has served me well.

47:02

That if you believe everyone's out

47:05

to get you, it is certainly

47:07

helpful in avoiding becoming a fraud

47:09

victim. Oh, absolutely. Absolutely. I think

47:11

I'm on the same mindset as

47:14

well. And if we're looking towards

47:16

the end of the quick fire

47:18

questions as well. I'd like to

47:20

ask you both a very interesting

47:23

one. You might be quite pensive

47:25

about it. But if you could

47:27

have any other career other than

47:29

the one you currently have, what

47:32

would it be? I would be

47:34

a photographer. It's the easiest answer

47:36

I can give you. There's no

47:38

risk of being scanned. You're out

47:41

there in nature taking photos and

47:43

that's it. That's what I would

47:45

do. Yeah, I mean, I think, you know,

47:47

no one at five years old

47:49

says... I want to work in

47:51

digital identity product and prevent online

47:54

scams. So I think it's probably

47:56

safe to say that all of

47:58

us in this field had a

48:00

dream of something else at some

48:02

point. But I think I'm with

48:05

Eddie. It would be something outside

48:07

and something in the arts that

48:09

I would want to do. I'm

48:11

not quite sure what. I might need

48:14

to think about that. I think that

48:16

brings us to the end of our

48:18

show today. So I would like to

48:20

thank both of our guests. Eddie, Daniel,

48:22

you've been amazing. We've touched on so

48:24

many important topics today and we've been

48:27

wholly optimistic throughout, which is fantastic. So

48:29

hope the audience has enjoyed and of

48:31

course taken some great pointers back. But

48:33

is there anything you'd like to say

48:35

before we go? Thank you for having

48:37

me. And I'm glad to be working

48:40

alongside and with such smart people

48:42

to keep everyone safe and

48:44

fraud free. Wonderful. Light was.

48:46

Thank you for having me,

48:48

Tom. Thank

48:52

you for joining us on this

48:54

episode of What the Fraud? On

48:56

the next episode, fraud is no

48:58

longer just about crime. It has

49:00

become a global business with software

49:02

at its heart. We will take

49:04

a look at the rise of

49:07

fraud as a service with a

49:09

very special guest, a hacker turned

49:11

security consultant. So calling all listeners,

49:13

we need your support. So please

49:15

hit that follow button on your

49:17

favorite podcast platform. And of course,

49:19

if this episode has left... you

49:21

feeling empowered, drop us a review.

49:23

It helps other individuals and businesses

49:26

out there trying to dodge the

49:28

digital tricksters. So let's cut the

49:30

small talk and get down to

49:32

business. Follow, comment, review. you know

49:34

the drill. And of course if

49:36

you want to hear more about

49:38

what we do here at sum

49:40

sub and how your business can

49:42

actually benefit from our verification services,

49:44

definitely check out our website at

49:47

www. sum sub.com and subscribe to

49:49

our socials. What the fraud is

49:51

a listen production. The producer is

49:53

Adrian Bradley, the executive producer is

49:55

Nick Minter and the producer from

49:58

sum sub sub is Mila. Baravina.

50:00

Stay safe and see you on

50:02

the next one.