Rodger Desai, CEO and Founder of Prove, on the key to success in ID verification and authentication


There is no faster moving space in finance right now than the anti-fraud space. With all the advances in Generative AI, the fraudsters are more difficult to catch than ever. But there is one place where fintechs and banks can focus that has real promise: authenticating the mobile phone.

My next guest on the Fintech One-on-One podcast is Rodger Desai, the CEO and Founder of Prove. They have developed sophisticated tools to verify identity through a mobile phone that can help banks and fintechs across a variety of touchpoints. We explain why the phone may hold the key (literally) to the future of ID verification and authentication.

In this podcast you will learn:

  • What led to the founding of Prove.
  • Why they decided to focus on financial services.
  • The different types of services Prove offers today.
  • ID verification best practices and why you need to add authentication.
  • Rodger’s thoughts on the ready availability of PII due to data breaches.
  • What data they are returning back to their clients around authentication.
  • How they work with transactions that happen on a desktop rather than a phone.
  • How we should be thinking about sophisticated fraud rings today.
  • How to combat Gen-AI deep fakes.
  • Why key management is the answer to how you authenticate.
  • The role of visual cues when it comes to verification.
  • What the popular attack vectors are for criminals.
  • Who is winning in the arms race between the criminals and the good guys.

Read a transcription of our conversation below.

FINTECH ONE-ON-ONE PODCAST NO. 501 – RODGER DESAI

Peter Renton: Welcome to the Fintech One-on-One podcast. This is Peter Renton, Co-Founder of Fintech Nexus and now the CEO of the fintech consulting company Renton & Co. I’ve been doing this show since 2013, which makes this the longest running one-on-one interview show in all of fintech. Thank you so much for joining me on this journey. Now let’s get on with the show.

Today on the show, I am delighted to welcome Rodger Desai. He is the CEO and Founder of Prove. Now Prove is a super interesting company. They are one of the world leaders in ID verification and authentication. I wanted to get Rodger on the show because this is such a fast-moving area. There’s so much happening, particularly when it comes to Generative AI. We cover a lot of territory on this episode. We discuss ID verification best practices, and embedded authentication. We talk about the bad guys and the implications of some of this Gen AI-powered fraud being used today. We talk about the different attack vectors criminals are using. We talk about digital trust and much more. It was a fascinating discussion. Hope you enjoy the show.

Welcome to the podcast, Rodger.

Rodger Desai: Thank you, Peter. Good to be here.

Peter Renton: Okay. My pleasure. So let’s kick it off by giving the listeners a little bit of background about yourself. I know you’ve been doing Prove for a long time, over a decade now, but tell us a little bit about your career to date, particularly before Prove.

Rodger Desai: Yeah. Thank you, Peter. Great to be here. I’ve always been very entrepreneurial. I had a company a long time ago that helped with micro lending. Back then, it was difficult to know what kinds of projects folks could take on with a micro loan in developing countries. And one of the winning solutions was to give people a cell phone so they could rent it out to other villagers. And these villages with no electricity and certainly no cell phone towers, somehow magically made it work. But I saw firsthand the societal impacts of giving people a phone. And ever since then, I’ve been looking at other ways to use a phone besides the way it keeps us connected to our friends and family. But as a tool that can keep us safe, that can connect us to the world, help us thrive in the digital economy.

Peter Renton: Right. What led to Prove, then? What was the idea that you specifically wanted to explore there?

Rodger Desai: Prove was originally called Payfone. One thing I noticed in the phone world is that it is quite more advanced than we give it credit for—definitely more advanced than the web itself.

Peter Renton: Right.

Rodger Desai: So think about going on a European vacation and the phone just works wherever you go. Despite, let’s say, you had AT&T or Verizon, those companies don’t exist outside of the US, your phone works, and it’s convenient, secure, and private, all at the same time, without trade-offs. So the original use case was to make it so that you could essentially use your air time to pay for things. Most of the world at the time, and even now, doesn’t have a credit or debit card. So even in Italy, where we launched, I think only 8% of Italians had a way to buy on iTunes. And so we made it so that you could just burn off exactly the amount of airtime in order to buy an iTunes, for example. The key insight there was that we knew whose airtime to burn without having to ask the person. And that’s because the SIM card is actually your proxy. So today, Prove does a lot of things around authentication. We can know it’s Peter without asking if it’s you or who you are. Of course, when you ask someone who they are, they could say they’re someone else. So one of the novel things we figured out in the early days was there’s things like SIM cards that act as a great proxy for someone’s identity.

Peter Renton: Okay. Why did you decide to focus on financial services? What was the thinking there?

Rodger Desai: After talking to lots of customers, we said, “Well, this is great. Then you can make it so that you can convert the roaming system into a payment system”, which is phenomenal, but that’s a limited part of the market, just digital goods. When we spoke to banks, they said, “Listen, though, the challenging part is not the underwriting part; we’re banks, and we’re good at underwriting. We just can’t figure out who anyone is online without asking them a lot of questions that quite annoy them.” And so they love the fact that we could passively identify folks with their consent, of course, by a very, very frictionless measure. And that could apply to anything. It could apply not just to buying something, but logging into an account, you know, like high-risk transactions, account opening, pretty much the entire digital journey, not just the ability to buy digital goods.

Peter Renton: Okay. Interesting. So then what does Prove actually provide today? Just talk about the different types of services that you’re offering.

Rodger Desai: So the first thing we looked at is what kind of asset can we build that can help enable these amazing experiences, making things that are easy to use, but yet more secure at the same time, which typically those things are trade-offs. You can have things that are convenient, but not secure and vice versa. So we created a platform to drive our many solutions. We created something called an identity token. And what that is, is your identity tied to something we can authenticate, like a SIM key, a pass key, things like that. So for example, if you wanted to open up a bank account as a consumer, what if you could just type in your phone number, you know, get a text with a link, click on the link, which authenticates your SIM card, and that is your entire application. So it’s convenient because it’s just a few pieces of data. It’s more secure because the only way I can pretend to be Peter Renton is if I have his phone in my hand during the transaction. With Prove we can make it so you can apply for things with just your phone and a phone number because behind the scenes we know who owns and operates nearly every phone.

Peter Renton: But that doesn’t happen very much. Most of the time, from what I can gather, you might do that authentication, but there are also other things, particularly if you’re applying for a loan or something with a high ticket value, that there are other parts to the process, right?

Rodger Desai: Yeah. I kind of simplified it. You know, yes. It’s almost like if you think, let’s say you went to Sicily for vacation and you made phone calls there, you know, a lot more is happening behind the scenes besides authenticating your phone. They have to know how to bill you in that currency. You know, they’re underwriting you effectively in real-time. So we do all the same things. So, for example, when you click on that link that was sent to you, we authenticate that SIM card, we have a bind between that SIM and let’s say your national ID. And because we have now your national ID, we can then fetch things about you with your permission. I can fetch your name, your address, your date of birth, things like your income, your credit score. We can fetch those things from partners we have because we don’t store that kind of information with a simple consent and authentication from the consumer. So, in other words, we can get all the data required for incredibly complex tasks like underwriting by making it as simple as clicking on a link. That’s because of the authentication behind the scenes and our ability to fetch things with your consent.

Peter Renton: Okay. So, let’s just take a step back for a second and talk about ID verification best practices. Beyond just the Prove product, if there’s banks and fintech companies listening, what are some of the best practices that you would recommend for someone who wants to up their game when it comes to ID verification?

Rodger Desai: I think the original assumptions we’ve had just don’t work anymore. I think it was thought when things like CIP in the US were developed after 9/11, it was thought that, well, in order to open a bank account, you need to know the person’s name, address, social security number, date of birth, and those things need to go together in authoritative databases. I think, at the time, it was considered impossible or really expensive to be able to get someone else’s personal information. For example, how would I know where Peter lives and his birthday? That’s hard to determine. Because of all the breaches that have taken place, it’s very, very readily available and very cheap. And so I can go to a bank and say I’m Peter, put in that information. The bank will then see if that data goes together. And it will because I got it from a breach. And then effectively I pose as Peter at that point. So, the part that’s missing that we’ve been advocating to regulators, to banks, and the community in general is adding authentication. So it’s one thing to verify information that you’re provided by the consumer, but how do you authenticate that there’s some kind of cryptographic key that’s present that you can authenticate? For example, if you know that this is Peter’s phone that’s behind the transaction, that is a higher bar than just knowing things about Peter. And so the combination of verifying that data, but also saying, Peter’s phone was present and authenticated right as he was applying. Now, of course, someone can steal your phone and apply on your behalf. Then we have other measures looking at behavioral biometrics of how you use your phone. But it’s a higher bar than just knowing things about Peter. So, I think adding authentication, even though it’s not often required by regulators, certainly not part of the CIP practice, but it just adds that additional bar that makes it difficult and more expensive to fraudsters to get above.

Peter Renton: Right. So, do you think then when you look at the landscape today and you hear new breaches happen pretty regularly, the average consumer should assume right now that all of their PII is out there, right? And so what’s the purpose of a centralized database? They seem like they’re a 20th-century concept that should be done away with.

Rodger Desai: We are definitely going through a transition where consumers are inundated with breach alerts, and letters in the mail, and every other story in the news about their identity and data being available. Lots of sites will show you if your data has been breached. I checked mine, and I couldn’t believe how much of my data was out there; seeing it firsthand is quite alarming. So we’re in this transition phase of going from the old way to new ways. And it really just is part of the banking system and trust and silence in the financial system to modernize how we do things. Thankfully, a lot of US banks, a lot of US merchants, the US phone companies treat this very seriously and are taking those steps. Increasingly, it’s not enough just to know Peter’s information. You have to have some kind of hardware element like a SIM key that has to be present during the transaction. It’s a bit like EMV. For a long time, there was resistance on putting chips in credit cards and debit cards. But of course, prior to that, if I was your waiter and I got your card to pay for lunch, I just had to write down your numbers and buy things with your money. Well, now I have to have your EMV chip. Well, that’s a lot harder to do. So I think in the same way with the advent of AI and how that’ll just increase the types of attacks, the cost of the attacks, this acceleration that will erode trust in the digital economy. And the counter to that is going to be adding the notion of EMV-like techniques to online transactions. I don’t think it’ll be limited to payments. I think it’ll be for any transaction with risk, it could be going on a date. You know, how do you know this person is really who they claim to be? It could be buying a lawnmower from someone. You know, I think these worlds are converging. So fraud and risk mitigation is converging with trust and safety. 
And I think we’re going to have to introduce things like EMV, that kind of concept to online transactions, because it’s going to be really hard to tell the good versus the questionable.

Peter Renton: I want to talk about something I saw your company mention a little while back, and it’s the idea of embedded authentication. We have embedded finance, which is a big part of the ecosystem today. So maybe you can talk about what embedded authentication is, and maybe you can talk about how it can accelerate digital payments.

Rodger Desai: Kind of the same topic I just spoke of. I think we take for granted how amazing our phones are, but you could hop on a plane and go to Vietnam right now and buy yourself lunch. And the transaction will go through because the circle of trust around the Visa MasterCard system, again, EMV will likely be present. So they know that while Peter has never gone to Vietnam, we can trust that he’s there because his chip was there. In that same vein, when you call people from around the world, it’s pretty convenient. And yet, you check your phone bill, which most of us don’t do, and you’ll never find something on your bill that you didn’t do. Every call or text is something that you did because your SIM card is present, just like an EMV chip. So I think what embedded means is exactly that. There are ways in which you can authenticate a key that acts as your proxy behind the scenes, just like when you make a phone call. And so we’re leveraging that technology, is what we do. So, for example, if you’re logging into your bank on your phone, behind the scenes, Prove can say, “Hey, this is the phone. This is Peter’s phone. This is Peter’s SIM card that’s logging in.” Despite the username, password, or if it’s a passkey, whatever kind of authentication factors they have, we can give a pass authentication behind the scenes, saying this is the right piece of hardware that’s coming into the bank. And we can keep track of things like that as you change your phone and your phone number. People often change their phone number for surprising reasons, sometimes from high debt, but we can keep track of those changes to maintain the accuracy of who’s authenticating into a bank or merchant.

Peter Renton: Okay. So what are you returning back to your clients that are using Prove to authenticate? Also, does this happen in real time while someone’s filling out an application or making a payment? Or do you send them a score? Let them know we’re 99% certain this is Peter? What are you outputting back to your clients?

Rodger Desai: It’s a great point, Peter. We definitely are coming from a probabilistic world. Most transactions in the current way are adjudicated based on the likelihood of you doing them. So if you do Starbucks every morning on your app and Costco for the weekends, those transactions always go through. But then you buy $1,000 of Ethereum on MoonPay, then the bank is like, wow, he never does that, decline. And so if you go from a probabilistic model to a deterministic one and you say, “Well, Peter’s not known to do this transaction, but his phone was present. His SIM card was present.” And by the way, it’s not just the SIM key. It’s also things like pass keys. And we have a new key in collaboration with a tier one bank coming out called AirKey. These are all keys in the way that EMV chips are like keys. The ability to authenticate gives you a deterministic answer. Now, if I can say for sure that this is Peter’s phone and that’s behind the transaction, of course, again, maybe you’re not in possession of your phone. So you do have some other probabilistic measures like, it’s definitely his key behind the transaction, but it looks like we’re not confident that he’s holding his key at this moment in time. So you have to do a bit of both of what’s traditionally called risk-based authentication that’s probabilistic, but combining that with deterministic measures in the way that EMV works. So behind the scenes, we can say, “There’s enough evidence here that we’re confident that this is Peter’s phone.” And then we say, “Well, we have enough evidence that he’s not holding it during the transaction.” Our role at Prove is to help form the identity policy in such a way that our clients can form their authorization policy. So for example, we’re confident that is Peter’s phone, but we’re not confident he is holding it. Well, maybe that’s okay to check the balance at the bank, but certainly not okay to do a $50,000 wire.
So ultimately what we want to do is be the best, most accurate platform to tell you if it’s Peter or not. But ultimately it impacts our decisions, our scores, our bits of evidence depending upon what the client wants, all help to shape their authorization policy.

Peter Renton: So we’ve been talking a lot about the mobile phone. What about the transactions happening on desktop computers? Through a browser, the phone may or may not be present; I imagine there’s a different approach you must take there, right?

Rodger Desai: Also, great question. I think people are sometimes surprised to know that we operate in every channel, even voice calls. Ultimately, the simple answer is as long as you can make the phone part of the transaction. So again, I can type in my phone number in a laptop browser and then click on the link on this phone and then authenticate the key that that phone has. You’ll also see increasingly that the phone and the laptop know each other. Like when you’re using services like Apple or Google, you’ll see the interplay between devices that are on common WiFi networks. You can cut something on your phone and paste in your laptop now with iOS. So I think you’ll increasingly see there’s more and more things to work with between the different devices in our homes and in our lives. But it is the simple answer, just getting the phone involved in the transaction, enough to bring trust to other devices.

Peter Renton: Gotcha. Okay. I want to switch gears and talk about the bad guys. You know, they’re much more sophisticated now than they used to be. I mean, they have access to all the latest tools and they’re not encumbered by KYC or other regulatory requirements. They really can attack with a lot more freedom than the good guys can. So what are the implications of generative AI and how that’s being used in fraud? How should we think about sophisticated fraud rings today?

Rodger Desai: All the attacks toward the US government for the last few years were due to Covid funds. That was the best place to get the most money, whether it was the nation-states or fraud rings. Now that Covid funds have dried up, it’s all back to attacking the banks, the merchants and traditional folks. And of course, these folks never rest. They have more and more sophisticated ways to attack. One thing we’ve noticed is, in the past, five or six years ago, you didn’t necessarily need a phone number to create an account. Increasingly, you have to have one. So then the attackers would just use what are called Voice Over IP lines. They appear to be real phones with SIM cards, but they’re just virtual phone numbers that happen to be able to transact with an SMS, like respond to an OTP. But you could detect those. There’s easy ways for folks like Prove and others to say, “This phone number is not an actual mobile phone. It’s a virtual phone or a burner phone,” something you can detect. And then you just tell the user, “Hey, can you put in your real phone number?” Because maybe they use Google Voice as part of their daily lives, but yet legitimate. Well, now what we’re seeing, now that they’re coming back to attack banks and merchants, is that they’re using eSIMs. So it isn’t too hard for an attacker to download 10,000 eSIMs from an MVNO in Europe. These are real SIM cards, and you won’t be able to catch them by seeing what kind of line type these phone numbers are. Said another way, increasingly the attackers are making it look like a legitimate consumer. And they may even tenure these phone numbers. So they’re real mobile numbers, they tenure them. Another telltale sign is that half the 12-year-olds in the US, UK, and many countries have a phone. So if you try to open a bank account and your phone number is 10 days old, while it can happen, it’s highly unusual. It should be three to six years of tenure before you open the trade line. 
Now what folks are doing is creating real mobile numbers through eSIMs, putting bots behind them and tenuring them. And so you have to just constantly keep ahead of these types of attacks. Now we have clever ways of detecting even those. We can detect at the most basic level if a phone number, SIM card, if it’s likely being operated by a human or if it’s likely operated by a bot. And that’s the first step. Let’s just make sure you’re connected with a human before you even get to the KYC CIP stage. And ultimately it’s just about making it more and more expensive for the attackers to do their attacks.

Peter Renton: That’s really interesting. Then what about deep fakes? I remember one of your executives talked on a webinar we did earlier this year, and it was really interesting to me because he talked about deep fakes not really being a big issue which I was very surprised about. He talked about securing the mobile channel, which is kind of, I guess, what you’ve been saying. So maybe you can just give a little bit more color there, because oftentimes you’ve got to do a selfie or to turn different ways and they can have AI deep fakes doing some of that. Are they a real powerful tool that we should be worried about when it comes to fraud?

Rodger Desai: Yeah, great question, Peter. You know, I think the way to look at it is, I don’t think we’re going to be able to stop the progress of AI and its ability to do what AI does. One could argue that this Zoom call is a deep fake because it’s not really me speaking and it’s not really you talking back. It’s just a bunch of ones and zeros, right?

Peter Renton: Right.

Rodger Desai: I think that if you’re on the side of being able to delineate something real versus not real, I think that it’s going to get more and more expensive and more and more difficult to do as time goes on. To us, the telltale sign is, as you said, securing the channel. So, for example, if all of a sudden, our banker at Chase gets an email from our CFO saying, “Please wire this money for this conference.” And then he calls our CFO and says, “Hey, did you send me this email?” Which is what normally happens. You know, like again, that could be a deep fake that answers back, “Yeah, I sent you that email. Please send it along.” Ultimately, you have to look at the keys behind the transaction. So for example, when the banker was calling our CFO, was there a SIM swap on that phone number or that SIM card? Are you really calling that key? So from the standpoint of, like the way EMV works, how do you know that you can authenticate or not authenticate the key behind the person you’re interacting with? So it always goes back down to that. There has to be some manipulation of the keys in order for the deep fake to work. And so we’re less focused on the thing, in this case, the deep fake, and more focused on the thing that authenticates the thing. So whether it’s a deep fake, a payment, a Tinder date, or hailing a ride. It’s all about the keys that are behind the transaction authenticating them. And it’s still a very hard problem to solve. There’s lots of ways to manipulate SIM cards and pass keys and the keys I speak of, but that’s what we’re developing expertise in at Prove. We call that future key management. So, as people move away from one-time passcodes, from KBA, from usernames and passwords, ultimately, it’s key management. It’s managing the keys that are our representatives in our digital world that we can authenticate.
So key management is the answer to how you authenticate things, regardless of what the thing itself is, whether it’s a deep fake or anything else.

Peter Renton: Right. So when you’re interacting online, I’m curious, every time you do a transaction, every time you log in, there are often one-time passcodes that have to get entered in and sent to your phone. Are there things that, when you’re interacting online, you go, this is bad. I don’t want to interact with this website. Are there some basic telltale signs that they’re fake?

Rodger Desai: Yeah, I wish there were an easy way, especially with folks like our parents who are even more susceptible to all sorts of scams. It’s really hard, which is why I think people go to a place like Amazon where they may even be paying more, but they trust the brand. They trust the channel. They trust their interactions there. Again, I think that it’s, you know, obviously helpful when the bank covers your loss. I don’t think there is an easy way to tell. I see more and more examples of people that even brands that they trust are, you know, some people are posing as those brands, especially in social media. You can create a channel on TikTok and say you’re Bank of America. Now what you’re going to start seeing, something that Prove is really trying to pioneer, is visual cues. So, for example, you’ll see the early versions of this, like whether something’s verified on X or platforms like that. And sometimes it starts with celebrities and VIPs. I think we’ll move into the world that you’re going to have to look for visual cues that is the counterparty, whether it’s a merchant, a person, a Tinder date or whatever it may be, have they been verified? And I think that’s the world we’re going to move into. I think there’s going to be a need to balance anonymity with accountability. So for example, if I want to buy someone’s used lawnmower on a marketplace and he’s called LawnmowerGuy5000. Look, I can respect that he doesn’t want to share his real name, but imagine a visual cue that gives me the confidence that if this person does do something that breaks the law or breaks the terms of service, you can kind of break the glass and see who they really are. I think we’re going to have to move into an environment where if you’re sending someone money through a P2P scheme or whatever it is, again, I think that you’re going to start seeing visual cues to give you trust in the transaction. 
It’s something at Prove we’re really excited about, some of the announcements we’ll make on visual cues that consumers, well, marketplaces, can use to give folks confidence to do the transaction itself.

Peter Renton: That’s super interesting. So when you’re looking across banking and fintech, what are the popular attack vectors today for criminals? Is it primarily during onboarding, or is there something else that is popular?

Rodger Desai: It’s really all of the above. It comes down to more and more sophisticated ways to pose as someone else. It could be an account takeover. It could be an onboarding event. I may have a slight preference to account takeover because there’s more things available. So for example, if I pretend to be Peter to open an account, I may have a small line, maybe it’s a thousand dollars at first. If I can take over Peter’s account, you may have a $10,000 line. So I think that, you know, and I’m just speaking anecdotally more and more kind of examples where people pose as others for existing accounts. It could be something as simple as like, “Hey, I’m Peter, I changed my number.” You know, we’re seeing 10 million phone numbers get permanently disconnected in the US every month. Now some of that is the phone number on your Apple watch that you didn’t know you even had before you deactivated it. But it could be a big percentage of that are people that are hiding, maybe from debt. And then those phone numbers get recycled. The 12-year-olds get their first phone. All that noise means it’s not unusual for you to call a bank, a merchant and say, “It’s Peter. I’ve changed my number. My ex was harassing me,” whatever it may be. But it’s not you. It’s someone posing as you. And I think that’s why it goes back to key management. How do you make sure that if you’re authenticating against SIM cards, pass keys, all sorts of keys, how do you manage changes to those as people change their phone numbers legitimately, as people get new phones every couple of years, as you may have more than one phone in your household. Like I have a work phone and a personal phone. Sometimes I use my wife’s phone. Ultimately that’s where the investment in managing keys and how they tie out to identities and act as our proxies. I think that’s vital for the road ahead. But yeah, so in all of the above, maybe a slight preference toward account takeover.

Peter Renton: Interesting. Okay. So last question then, when you’re looking at the anti-fraud, verification, authentication landscape, and then you look at the fraudsters, who’s winning, I guess, is what I really want to know. Right now, do you feel like the fraudsters have the upper hand? Is the technology such that what you’ve talked about in this interview that we’re really catching the majority of the fraud? What are your thoughts there?

Rodger Desai: You know, we obviously don’t know all things that are happening that get caught before that happens or just haven’t been announced. I think the scale of the breaches is just getting larger and larger, like numbing how large they are. And there are probably many that have taken place that we’re not even aware of. And so I have to think that in an environment where there’s two wars going on and you need plenty of money to fund wars, they’ll find a way. And I think I’ve definitely put it out there that the fraudsters, the attackers, the money launderers are winning. The places that you should see the sanctions working as an international community don’t seem to be working as well as they should be, which means the money is getting there. And so from that alone, I think they’re winning.

Peter Renton: It means that companies like you are needed more than ever. I always say to everyone in this space, it changes so fast. You know, it’s so important. We’re going to need companies like yours in a thousand years’ time, right? When we’ll still see fraudsters, trying to do battle and people trying to stop them. So anyway, Rodger, I really appreciate you coming on the show today. I learned a lot. It was a fascinating conversation. Thanks a lot.

Rodger Desai: Thank you, Peter.

Peter Renton: Well, I hope you enjoyed the show. Thank you so much for listening. Please go ahead and give the show a review on the podcast platform of your choice and go tell your friends and colleagues about it. Anyway, on that note, I will sign off. I very much appreciate your listening and I’ll catch you next time. Bye.