Unique Contributions

Unmasking digital fraud: How AI and biometrics are changing the game. Insights from LexisNexis Risk Solutions

RELX Season 4 Episode 4

Share episode

In this episode, YS Chi speaks with Kimberly Sutherland, vice president of fraud and identity at LexisNexis Risk Solutions. 

Banks and businesses need to constantly adapt to our need for fast and secure online transactions, while having to detect and stop online fraud. This is a complex task since scammers are increasingly sophisticated and operate as organized networks.  

What can businesses do to better protect their customers from fraud? How can biometrics play a role? What does 'risk appropriate friction' look like?  Who is most at risk? 

This episode is also available on YouTube: https://www.youtube.com/watch?v=xMCKyXVyn-E  

YS Chi:

The Unique Contributions podcast is brought to you by RELX. Find out more about us by visiting relx.com.

Kimberly Sutherland:

Trust is the backbone of enabling digital transactions that drive our country and global economies. We can't let that erode, but it is starting to erode.

YS Chi:

Hello and welcome to our podcast. These days, nobody robs banks. It's not particularly lucrative. It's also dangerous, and the custodial sentences are long. As our lives have become digitised, so has crime. In fact, online fraud is the 21st century's criminal growth sector. My guest today is Kim Sutherland, who leads our fraud and identity strategy within LexisNexis Risk Solutions. Her role is to think about digital identity and keeping online commerce safe. Kim, welcome.

Kimberly Sutherland:

Thank you so much.

YS Chi:

But before we get going on the subject, how about you tell us a little bit about yourself?

Kimberly Sutherland:

Absolutely. I live in Alpharetta Georgia, that's part of the Atlanta metropolitan area, and I have a wonderful family that's spread across the US and the Caribbean. I've been a part of the LexisNexis Risk Solutions family for a little over 18 years, and I joined the company because I wanted to work for a mission oriented organisation that aligned with my interest around using data and information to positively impact society. And they would also let me use my public policy background and my technology management, educational and professional experiences, and I found that with the company.

YS Chi:

Well, your background in even studies are interesting and you seem to have hit the jackpot with LNRS over these 18 years. I'm sure you've evolved tremendously within the group as technology has advanced so much during these years, hasn't it?

Kimberly Sutherland:

It really has. That's the exciting part about what we do. As consumers and society adopt more forms of technology, it opens the door for new innovations. It's a constant opportunity to try to make things better for the world.

YS Chi:

Indeed, and you are part of that. So let's jump into the subject. Our lives as consumers are now highly digitised. It seems that the more we transact online, the more opportunities for fraud attacks. As an industry, and you personally at LexisNexis Risk Solutions, what are the challenges facing the industry and the individuals in general?

Kimberly Sutherland:

So you're right about how digitised our lives have become, and that makes things much more efficient for our personal and work lives. We can open accounts and make purchases more conveniently for our lifestyles, regardless of the time of the day or the location. We can more easily share and update information about ourselves, and the businesses that we work with are really empowering us as consumers to do more self service transactions without the direct interaction of an agent or company representative. Processes that took days and weeks, now take minutes, and we can all transact virtually anywhere on the globe. The world has kind of become much smaller, but every one of those things that I mentioned are also major risks. It's opening up new attack vectors and the remote nature of most of our transactions, and the speed of those transactions. Even the fact that we can do them anywhere in the world, is actually creating much more availability of the data that we have about ourselves. I'll first mention that fraudsters are increasingly becoming more sophisticated, and they're more frequently operating in a more organised network, rather than acting solo. They're looking for scale and efficiency, just like legitimate businesses are.

YS Chi:

Right.

Kimberly Sutherland:

In fact, fraud has become an industry of its own. Now there's small organisations, large, that are driving these fraud attacks. This is like the first thing that we're paying a lot of attention to, because we assess over 100 billion real time transactions each year as we're trying to help improve the risk assessment and protect those transactions. We see an increase in human initiated attacks around the regions and almost every industry. Financial Services, e-commerce, government, and we're even seeing high velocity scripted attacks also increase. Fraud attacks in general are really a challenge.

YS Chi:

These, as you say, are becoming more organisational attacks, meaning that it's not an individual who's just doing it as a fun thing on the side, but these are truly organised crime.

Kimberly Sutherland:

Yeah, they're learning from each other. They're sharing information. They've created their own marketplaces. This is something now that is a real challenge for businesses, but over the years, businesses have done a really good job, in general, of adopting solutions and platforms to detect and prevent successful fraud attacks. They're using more things like predictive modeling to try to thwart some of these bad actors. It's a constant battle, however, and fraud attack methods are, they're not stagnant. They're always looking, fraudsters are looking for the weakest spots.

YS Chi:

Right, the weakest link. As much as we have advanced technology, I bet they have access to the same stuff, because they're sophisticated too.

Kimberly Sutherland:

They are using all types of technology, absolutely. But unfortunately, the weakest spot, that weakest link, is often the human in the process.

YS Chi:

Yes.

Kimberly Sutherland:

So, that's an employee or a consumer. That second major trend that we see is, around social engineering or manipulating to trick people into giving away sensitive information or security vulnerabilities. It doesn't always require a lot of technology, because a lot of it's... like the psychological aspects of it and that's on the rise as well.

YS Chi:

How do you address that? Particularly the social engineering aspect of it. Your team's got tremendous talent for technology and predicting business patterns and stuff like that. But what about the social engineering side?

Kimberly Sutherland:

Yeah, so I think we've all become more familiar with, unfortunately, I guess, with 'phishing' for information via emails or'smishing' with text messages.

YS Chi:

Right.

Kimberly Sutherland:

Or even'vishing' now, with over the phone and voicemail. All of these 'ishes' I guess we can say. Consumers are barraged with scam activity, and they aren't able to always identify that that's occurring. With the rise of AI, it's going to become even more challenging as we're starting to see more AI driven fraud attacks. We're seeing now there's reports of a 20x increase in deep fake attacks being reported in North America and a little bit lower globally. But those are the kind of things that we're paying attention to. That fraudsters are deploying, and that businesses have to use technology to help in detecting and preventing.

YS Chi:

Right. We're going jump to AI a little bit later, because it's a big iceberg of its own. But can you give us an example of some social engineering things that really explain the rise of these frauds, because consumers are doing something or are not doing something.

Kimberly Sutherland:

You know, one of the things I think is really disheartening is that a lot of the scam activity or social engineering attacks are letting individuals know that their account has been compromised. People are receiving text messages or emails from what looks like a legitimate business that they work with, letting them know that their account has been compromised and to reset a password. Passwords still exist today. Individuals tend to want to hold on to them dearly, and that is a very common attack vector now to make you think that something's wrong with your account, so that you do go access the account and the fraudster can go along the path with you.

YS Chi:

Do you think that there will come a day when passwords are not necessary, but there will be other forms of identification that is more secure?

Kimberly Sutherland:

So consumers tend to do things that are convenient and comfortable and familiar.

YS Chi:

I can speak for that.

Kimberly Sutherland:

Me too, right? So when it comes to those scenarios, I think that passwords will always at least be a backup. I think the key for businesses is going to be how can they identify that a device or that an account, an individual, the things that are interacting with them at that moment, are safe so they don't rely as heavily on the password itself.

YS Chi:

Gotcha. So, much of the work you do centers around the importance of a trusted online identity, and as more and more of our time is spent online on a mobile at the same time, consumers are increasingly careful with sharing the personal information. How do we address this problem of trust? But also at the same time, we need to address the need for online safety. It's a trade off, isn't it?

Kimberly Sutherland:

It really is. Trust is the backbone of enabling digital transactions that drive our country and global economies. So we can't let that erode, but it is starting to erode. It's eroding at the government level. It's eroding at business levels. You and I as everyday consumers, we're getting more and more worried if we're doing things safely. We've been given this power to do things on our own remotely, but we have to be able to have trust that we're working with the right business and with the right individuals when we're sending payments. Finding that right balance is mandatory. It's our ability to have the right forms of authentication. Like I said earlier, consumers usually lean towards convenience and familiarity. They want security, but security sounds complicated and sounds confusing to a lot of people, and so at LexisNexis Risk Solutions, we spend a lot of time trying to understand consumer behaviour and try to offer a wide range of choices to businesses and consumers, because, again, trust is key. Without trust, why would you want to send a payment or open an account? I'm a strong believer in consumer education, but I have a stronger belief in passive forms of risk signals to businesses so that they don't have to just rely on you and I catching a fraudulent activity.

YS Chi:

Do you find that our business clients and business partners are aware of their responsibilities to educate their clients and their business partners, so that this becomes a team effort?

Kimberly Sutherland:

Yeah, this is something that has really changed over the last five to 10 years. I know that if I look at my my emails from my bank or a retailer, they're trying to make sure that we're not falling susceptible to scam activity. Every time you go to a website, or even when you submit a higher risk transaction, you might receive a pop up. I think that the whole idea of educating the user is something that businesses are doing for both their consumers and their employees.

YS Chi:

Yeah, I know that there are more and more demand on my personal time for example, Kim, to do trainings online. Do you think that there's enough of that toward our clients, or is that not a popular thing to do, or is just not expected?

Kimberly Sutherland:

I think at the business level, so business to business. I see that happening a lot more than business to consumer. The fear I think businesses have when you try to impose, education requirements... I can't have continuing education or things like that with the consumer, necessarily, but that extra burden that might feel like is being placed on the consumer, might open the door for a consumer to leave and go to another business. I think there's a little bit of fear of pushing additional requirements. But at the same time, I think that businesses have done a really good job of trying to entice or incentivise consumers with more control if they show that they have more understanding of the risks that are involved.

YS Chi:

Right, and this is the whole concept of consumer experience friction, right?

Kimberly Sutherland:

Yeah, friction used to be a bad word.

YS Chi:

Oh, is that right?

Kimberly Sutherland:

Yeah. They used to think that, we don't want to cause any friction. So there's the whole concept of'friction free', was such a big deal a few years ago. Now people understand that there's risk appropriate friction. If you were able to transfer large sums of money without there ever feeling like there was any friction in the process, you might feel like it's not a safe. I think that now people expect to have authentication, to maybe have things slow down just a little when it seems more risky.

YS Chi:

Hey, I wouldn't do it unless there were frictions.

Kimberly Sutherland:

Right? Can you imagine like going in to your 401K or to your savings account, and just withdrawing a large sum of money, and you never had to submit a password or do anything. You probably would wonder if that's safe.

YS Chi:

Yeah, I would feel compromised. How do these education evolve? Does it start from our own experiences of being duped? Or do you have a group of companies that work together to learn from each other the way that the fraudsters are organising among themselves to learn from each other?

Kimberly Sutherland:

I think shared learning is definitely occurring. We're seeing an increased demand of the desire for businesses to build consortiums where they have shared intelligence. They can let each other know about fraudulent activity. That information is something that we're seeing actively happening, and that kind of helps balance, again, the desire for us to educate the consumer and on the back end, create a safe environment for the consumers to interact and transact.

YS Chi:

I'm going to come back to that point to talk about if there are particularly vulnerable communities out there. But before we do that, everyone is vulnerable to this new discussion point, AI. Everybody talks about AI, and this is going to be both good and bad. I can tell. How will AI impact fraud detection solutions going forward, or even today?

Kimberly Sutherland:

Yeah, so AI is actually really exciting from the standpoint of all the things that you can do when you can leverage massive amounts of information and make decisions more quickly. And AI is not new. We have been using artificial intelligence for 10 plus years, building analytic models for our customers and trying to help give those insights that customers need to have. What now people are spending a lot of time on is generative AI. That is something that we're starting to see impact from a fraud standpoint, because we're seeing manipulation of things like images. Not just data itself, but images. We've all heard about like deep fake technology.

YS Chi:

Oh my gosh, passport photos, driver's license photos, someone's voice.

Kimberly Sutherland:

I always thought it was going to be people like celebrities, like, Tom Cruise or someone like that. But it's actually just average individuals now, where they're modifying exactly what you said, a passport, a driver's license, and being able to make those changes in such a good way it's hard to detect. So it takes AI to fight AI, and that's what we've seen to be extremely effective. Businesses on their own, using traditional technologies that don't leverage AI, are going to have to really think about how they can incorporate that to improve fraud detection in their businesses, because we need to have it happening in real time, or near real time for effective fraud prevention. And it needs to be something that can be deployed across as many different contact channels that consumers have. And it needs to be a solution that can be used globally.

YS Chi:

I think that as consumers, perhaps not business to business, we are always behind the speed of the businesses that adopt these new technology opportunities. So, how do we as consumers learn to detect these fraudulent activities in timely fashion, so that it's not way after it's too late?

Kimberly Sutherland:

I think consumers probably won't be able to do a great job of detecting fraud.

YS Chi:

Then we have to do that as business, for on behalf of.

Kimberly Sutherland:

That's right. It shouldn't be on the hands of consumers. Something as simple as a few years ago, if you received an email that had misspellings in it or just improper grammar, that was a real telltale that this was probably a fraudster, active. Now with AI, those things are gone.

YS Chi:

Yeah, especially foreign sourced fraudulent attempts. You could tell by poor English, right?

Kimberly Sutherland:

Yeah, those days are long gone. Any smart fraudster, and most fraudsters are pretty smart. They are using AI technologies to help to scrub their emails before they send them. They have the best language now, the best English, the best whatever language. In fact, things like fraud and call centers in some countries where they had limited speakers of that particular language, they never had to worry about a fraud and a call center, because not many people knew Japanese. That is not happening now.

YS Chi:

Yeah, exactly.

Kimberly Sutherland:

Now, with any type of additional AI technology, anybody can speak Japanese.

YS Chi:

And with native accent.

Kimberly Sutherland:

Yes, yes, exactly. I think that we should not put that in the hands of consumers, and that businesses can educate and make people aware, so that way, if something does seem a little odd, they can report that. I think that opening the communication channels between consumers and businesses to know that they do have a role in reporting when something is not right, is a good thing. But businesses, I think, should take the onus of trying to safeguard the information that they're storing and limiting the access to account.

YS Chi:

And that's why LexisNexis Risk solution has so much value to our customers, who are businesses trying to protect their clients, their customers. This is great. I have another question related to AI. One of the things that we hear a lot about, a mean of protection, is the use of biometrics. Nowadays, I hardly go through regular checkpoints at the airports, for example. It's all done through eyes or fingerprints and whatnot. Just how important and how reliable is this use of biometrics?

Kimberly Sutherland:

I think the safe storage and transmission of biometric information is going to revolutionise so much of what we do. Like you said, we see that today in aviation and other transportation modes. We use biometrics on device when we're unlocking our phones, and this is going to be one of the unique aspects of interacting with humans, is to be able to leverage a biometric print in a safe manner. If I can compare your face with liveness detection, against your driver's license or passport photo. That's a starting point. But there's going to be things where now we can use that same biometric to do repeat authentications in the future, without having to re-share your driver's license or government issued ID again. I think that biometrics are definitely something that people have become much more comfortable. I think it was around 2014 when the word of the year was selfie, and I knew then that the average consumer was going to become much more comfortable with using their face to unlock things. We're going to see more uses of biometrics over time.

YS Chi:

I have to ask you a question that has always concerned me. People put their pictures online. People like me get photographed all the time, and it's in newspapers or other electronic news media. Can those be stolen to steal the biometrics of an individual?

Kimberly Sutherland:

They can be stolen, and that is one of the challenges of being high profile like yourself. If you have a lot of images out there, one of the concerns is, could that be used to go through an attack method to use that for authentication. Good authentication systems should not be able to just leverage a photo. But businesses have to use things like liveness detection to make sure that they're not using that static photo, and they are going to have to start using AI capabilities to detect if AI has been used in that capture. I think that we're going to see things like the streaming of videos and other aspects to be able to really tell if it is a safe image to leverage in the process.

YS Chi:

Phew, I thought I had to stop being public.

Kimberly Sutherland:

No, no, no. Keep taking your photos, but do be careful about about what you share online.

YS Chi:

No, I'm very careful. I do not post anything on my own. The key word here is safe keeping of those biometrics information.

Kimberly Sutherland:

Absolutely.

YS Chi:

That is the key. I mean, if that is compromised, then we're in big trouble.

Kimberly Sutherland:

Also leveraging that source of truth too. When you have a point of reference that you're comparing a photo against, was that an accurate image? Was the ID document itself, an authentic document that you were comparing the photo against? Being able just to have that accurate source of truth is going to be really, more and more critical for safe use of biometrics.

YS Chi:

Right. I could go on about AI forever, but since we're running out of time, I have maybe one other question.

Kimberly Sutherland:

Okay.

YS Chi:

You're also a board member of 'Women in Identity.' Can you talk a little bit about this and explain how this ties into overall Risk Solutions?

Kimberly Sutherland:

This one's really interesting and really dear to me. I am a board member of 'Women in Identity', and the organisation was created to really drive that identity solutions should be created by all people, for all people. The idea is that if you have a broad set of individuals that are developing technology, they're going to also think and drive innovation from a much more holistic standpoint. And the goal is for us to create solutions that can be used by all individuals in society. Right now, one of the big initiatives that Women in Identity is focused on, is their ID code of conduct. What they want to be able to do is have a set of guidelines that businesses can leverage to ensure that they're serving the broadest set of individuals, and we can assess ourselves on how well, we're doing it. This is just really important. Goes right at the heart of financial inclusion and the areas of inclusivity that our company strives to support.

YS Chi:

Right.

Kimberly Sutherland:

We're very proud to be a sponsor of the organisation.

YS Chi:

That's great. I was going to ask you this question about who are the most vulnerable people today, at least in America, let's say, for these fraud attempts. Would you say women are in particular, or in any other category of people?

Kimberly Sutherland:

When we've looked at demographics, we've actually seen two big groups that are more susceptible to fraud. That is older adults, male or female. Often because they have less familiarity with evolving forms of technology.

YS Chi:

Yes.

Kimberly Sutherland:

And also young adults. Young adults are also very high attack targets because they use it so often, and they sometimes have become desensitised. But when it comes to the dollar amount, most young people don't have as much money as those who've amassed it over their lifetime. They're low targets from a dollar standpoint, but high targets in terms of volume.

YS Chi:

Right, and you would say that's probably true around the world?

Kimberly Sutherland:

Around the world, you start to get some different impacts, because often individuals, based off of their gender or their economic status, may have limited access to identity tools, to identity solutions, and so even their ability to assert their identity may be limited overall. We actually see differences in that by country by region. This again, the idea of trying to ensure that the identity solutions that are being asked for by a business and being supported by companies, like ours, really need to have as wide a net to serve the broadest set of society.

YS Chi:

Yeah, I can definitely see that. At the same time, we need to be careful when these tools are made available to them, accessible to them. That they are well trained, alerted about the danger of someone coming after. They may be small amount of money, but Kim, imagine if that's the only cheque they have to live off of for the next two weeks.

Kimberly Sutherland:

Absolutely.

YS Chi:

It doesn't matter whether it's $100 or $1,000 it's the most important dollars to them.

Kimberly Sutherland:

That's right. And, the part of our business that focuses even more on that is our government division. Because these are, again, you're talking about everyday things. Access to food, access to housing. Being able to safely open accounts to be able to apply for these types of benefits, is something that around the world government agencies really strive to try to improve.

YS Chi:

Well, Kim, thank you so much for joining us today and for sharing all these insights. I can tell you're definitely excited about what you do, and that if I talk to you in a few years, you will still be even more excited.

Kimberly Sutherland:

It is an extremely exciting area, but very important to our society, to our economies. I really appreciate the time to talk a little bit about fraud and identity, how it impacts you and I as consumers. And how in the business world, we have an obligation to really try to improve our processes as fraud continues to evolve.

YS Chi:

Well, thank you again. Fraud is everywhere, particularly digital fraud now that is easier to commit. It is faster and we need to be really vigilant, and I'm proud to be working with a company like LexisNexis Risk Solutions that are constantly addressing these vulnerability for everybody. Thank you for listening, and we'll be with you on another episode.