“What are you going to do when your best customer is ChatGPT?” says Alisdair Faulkner, CEO of the anti-fraud startup Darwinium, towards the end of our Zoom interview. “And your biggest threat is from [human] fraud farms sitting in a Southeast Asian country?”
That is the world he envisions us rapidly hurtling toward. One where the bots might be extensions of legitimate and even high earning human customers and the humans displaying “normal” behavior are actually highly organized fraudsters.
Adversarial AI is knocking on the door
It’s not the only scenario that keeps the former co-founder and chief product officer of ThreatMetrix up at night. “The world, including banks, merchants, and others, is wholly unprepared for adversarial AI,” says Faulkner. According to him, we are very close from being unable to distinguish between a video chat with a live human subject and a conversation with a synthetic twin. “That means we have to reinvent everything that we know about digital risk, cyber protection, and digital security for prevention and abuse,” says Faulkner.
The key problem is that adversarial AI can evolve very, very fast to find the holes in fraud prevention systems, even ones using machine learning. It gains generations of human years’ of experience in experimentation in an instant compared with a human fraudster who has to plug away slowly with individual credit card numbers until they find a vulnerability.
What is the solution in this world, where bots can represent legitimate customers as well as crooks, and patterns of human behavior can indicate fraud or just your grandmother? It requires determining not just the basic identity of the user, but also their intent.
The key: content delivery networks
One of Faulkner insights realized while working on a networking technology company years before Darwinium is that if you are in an organization’s network and able to see all the packets of information traversing the network, you have the best opportunity to see all the relevant security or fraud data compared to basing your view on an API call made in a specific point in time that has only a limited keyhole view into the user and their interaction with the network. The problem is magnified if you have multiple different APIs and pieces of infrastructure. Essentially, you are left with the parable of the blind men and the elephant. With each API providing you with a little bit of information regarding the user at different points of time, with nothing showing you the whole picture and telling you that the animal you are examining is an elephant.
“It’s a little bit like at the airport,” explains Faulkner using a different metaphor. “The equivalent of most fraud prevention systems in most large organizations today, is like the security check at the airport that verifies your identity when you check in. After you get through security it then lets you walk onto the plane without verifying you are who you say you are.”
“They’re single siloed points in time without taking a holistic view,” he says.
The key is being able to follow the user journey throughout and using it to understand their intent. Darwinium’s solution can do this by running code on the edge of the perimeter, which in this case is the content delivery network through which all web traffic passes through to get to the client company’s network. It does this instead of routing traffic to a third party, which would entail additional security risks, privacy risks and latency issues.
Where fraud prevention blends into cybersecurity
And if all this sounds more like cybersecurity than fraud prevention to you, that may be because Darwinium is one of a number of companies in recent years that is starting to blur the lines between the two categories. Darwinium itself is trying to promote a new category called “digital security.” It is a niche of the overall security landscape that deals specifically with consumers – the people who have no control over the security infrastructure and are most vulnerable to abuse by criminal actors.
Both cybersecurity and fraud are concerned with the question: Are you who you say you are? Fraud prevention, in particular, began with the question: Does this identity exist? The next question to be asked was If this identity exists, are you that person? According to Faulkner, these questions served the good guys in the ecosystem well between 2000 and 2020. However, 2023 is a new day. Now it is question not of who a person is but what is their intent?
That is because with malware, insider threats, account takeovers, scams and a myriad other different types of threats, it’s not just a bad guy trying to steal somethings. Sometimes it’s bad things happening to good people (like account takeover or scams) and sometimes its good people going bad (like first-party fraud).
Darwinium, according to Faulkner, does not replace most existing anti-fraud solutions, rather it is another layer built atop existing solutions to help coordinate and make use of the information other solutions provide. This addresses merchants need for an overarching holistic fraud solution.
Darwinium’s hierarchy of risk evolution
“Like Maslow’s hierarchy of needs, I call it Darwinium’s hierarchy of risk evolution,” says Faulkner.
The first layer provides visibility to connect all the dots about what is going on in the user session. The next layer is data enrichment that utilizes proprietary risk signals, what Darwinium calls digital signatures that turn behavior into identities, and which can then be fed into merchant’s existing risk detection or cybersecurity systems. The third layer is orchestration and optimizes the use of third party anti-fraud solutions. It enables A/B testing to optimize the user’s risk score based on a holistic view of the customer throughout their user journey. The fourth and final layer is automated remediation. The last layer enables things like the termination of a user session based on unusual behavioral characteristics, which can be used to prevent account takeovers.
“What we have been passionate about since day one is how do you protect those who could at least protect themselves, which in this context is actually your customers,” says Faulkner.
He elaborates that it is the end-user who is being targeted, whether that means they’re the ones who are being impersonated, whose machines are being infected, who are being scammed, or whose accounts are being taken over. They are the ones being left defenseless.
And that is the difference between cybersecurity and the digital security category that Darwinium is trying to promote.
“[In cybersecurity there] are employee endpoints that you can lock down and the employer network that you can lock down. But after all, it doesn’t matter how high a wall you build you or how big a moat, you still need a drawbridge to do business with the outside world,” says Faulkner. “And Darwinium is that drawbridge.”
