How can companies balance the user experience with security? In this episode, Simon is joined by Vincent Guillevic, Director of Product Management and Head of The Fraud Lab at Onfido. They discuss the focus of The Fraud Lab and why it is needed, diving into the current fraud landscape and the future of fraud prevention.
---------
“Everything that tends to make our life more secure tends to also have a higher friction. And everything that has more friction tends to make our life less secure. So you definitely want to find the right balance here.”
“The first mistake that I see is having teams that are too siloed, meaning that the onboarding team or the UX team working on the onboarding of their service or platform or product are too siloed from their fraud and risk team.”
“We always think about friction as something negative. There is also a positive aspect to friction.”
---------
(03:13) Vincent’s role
(04:44) What is the focus of The Fraud Lab?
(06:26) Kickstarting an ML model
(09:26) How does UX Design impact fraud detection?
(11:00) Common user-experience mistakes when preventing fraud
(13:11) ROI and pitching technology
(15:06) Balancing friction with security
(17:40) Staying ahead of changes in the industry
(20:41) How will the industry change in coming years?
---------
Vincent Guillevic on LinkedIn
Simon Horswell on LinkedIn
Onfido’s Identity Fraud Report
Simon: [00:00:00] Costing the global economy 5 trillion every year, fraud is big business. In the digital age, fraudsters are constantly evolving and exploiting new vulnerabilities. And staying ahead and protecting your business can feel like an insurmountable challenge. That's why we founded the Fraud Lab. To deconstruct attacks, mimic behaviors, and share insights with our partners.
In this podcast, I'll be talking with business leaders and policy makers about their experience, the fraud landscape, and what's coming next. I'm your host Simon Horswell. Welcome inside the Fraud Lab. On today's episode we welcome Vincent Guillevic. Vincent is a Director of Product at Onfido, and he has a rich background in product design and digital identity, which at Onfido is [00:01:00] focused on how businesses can integrate identity verification workflows into their onboarding while balancing user experience with security.
However, over the past three years Vincent's focus has shifted to instead examine the fraud landscape, fraudster behavior, and how to deconstruct and replicate their attack patterns to strengthen our defenses and share those insights with our partners, leading him to found the Fraud Lab. But first, a word from our sponsor.
Narrator: Inside the Fraud Lab is brought to you by Onfido. Onfido's real identity platform is trusted by thousands of businesses to stop fraud and know their customers. Their AI powered Identity Verification means businesses can securely and seamlessly onboard customers.
Simon: Hello and welcome to the show, I'm Simon Horswell. Vincent, [00:02:00] thank you for being with us here today.
Vincent: Thank you, Simon. Thank you for having me.
Simon: It's a pleasure. First of all, let's kick things off. Can you tell us a bit about yourself and your role and your relationship with fraud?
Vincent: My name is Vincent. I am the head of our fraud lab at Onfido.
I'm based in San Francisco. And to tell you a bit about myself and my journey at Onfido, I joined Onfido around seven years ago, started to lead our design function. And as part of that function, we were actually doing the design for most of our tools to actually check documents. And then we were also working on the capture experience of documents, one that users use to actually picture all their documents.
And so while we were working on that, we had requests coming from our research team that had some issues of not, not having enough fraud data to be able to evaluate their, their, um, models. And so my team and I had to sometimes spend a week to [00:03:00] recreate some fraud attacks using the same tools as the one we used to design.
And that was basically the beginning of us thinking of how we could cover that gap we had in fraud sampling and kind of the start of a fraud lab. And then Simon, someone in your team as well, had some background in design and was actually spending most of their time doing that as well. So then after we just, we grouped all forces and put that into the fraud lab.
Simon: Yes, I remember. We, uh, we basically trained him how to attack documents and, um, and we couldn't set him loose for a few years. It was very unfortunate. Um, but yeah, no, it was a really nice start. So you're the head of the fraud lab. You've explained to us how it's come about. So what would you say is the focus of the lab?
Vincent: So I could probably divide the focus of the fraud lab in three different topics. The main one is how we deploy countermeasures faster. And that's very critical in our industry. Um, fraudsters, um, have all sorts of [00:04:00] skill sets that actually become smarter and smarter. And we are, we are in the cat and mouse game, right?
So it's really very important for us that we react very quickly when we notice a new attack vector. So that's the first one. The second one would be, oh, it covers a gap we have in fraud sampling. Even if we are processing millions of identities every year, the fraud cases are very different. Um, it's not always on the same documents, not always on the same, uh, geo. There is a lot of evolution of fraud attack as well. There is, um, a lot of types to that and we sometimes don't have enough, uh, samples to be able to either train or evaluate our AI system. And so the job of the fraud is actually to recreate, to replicate these at scale. And what I mean by scale is being able to generate 10,000 of these attacks so we have enough data to be, to train and to evaluate our models.
And then the last one is about being proactive. We have a group of fraud experts who are ex [00:05:00] agents from governments. And so again, they are here to monitor what is happening with our customers to make sure that they, they can highlight any new attack, uh, any, any fraud ring as well. And then from there, we are also able to start thinking about what would be the new attack and behave as a red team as part of Onfido to challenge our system.
Simon: Okay. So it sounds like part of the need there is pentesting and part of it is generating more synthetic fraud to kind of bridge this gap because ML models need a really large amount of data or, uh, to get better results, you need a more significant amount of data. So exactly what's the kind of minimum we're talking about there?
Vincent: To kickstart a model, we have something we could actually use in production and start to evaluate in production. We need around 300 samples of fraud and that just to [00:06:00] kickstart them to reach a good level of maturity. We did some improvement on how all models can train faster with less sampling. So we, it's probably around between 3000 to 5000 samples.
Simon: Oh, that's quite a lot of samples. And how quickly are you able to do that?
Vincent: So, it depends on the attack vector we talk about, but we have a platform that we developed over, I mean, since 2018, really. But that platform is able to generate around 10,000 samples a day. So we are, we are able to generate quite a lot, but then after it depends when we are thinking about deepfake, these are requiring a much more, much more processing.
Deepfakes are requiring much more processing and so it will basically be way less for generating these samples.
Simon: So you mentioned deepfakes, that kind of leads on nicely to how things are changing. So in your experience with what you're seeing, how do you feel things in [00:07:00] fraud are changing?
Vincent: I'm a bit anxious, I have to say.
I think fraud is evolving pretty fast. I'm always very surprised how all the fraudsters get more and more organized, the type of knowledge they get access. Due to our job, we spend a bit of time on website and forum where fraudsters can actually share their knowledge between them. It's actually very organized.
The cost of attacking someone's identity is becoming lower and lower and then the technology is evolving pretty fast.
Simon: So what attack methods are keeping you up at night then?
Vincent: I think the impersonation, that's something that we are seeing more often. Someone trying to get a picture of your face or trying to store your document and then either trying to replicate your face or either trying to inject their face into your genuine document.
And you see a lot of toolkits that start to be available. And that again, that's getting a bit out of hand. So we need, we really need to focus on that, uh, and prevent that, [00:08:00] especially deep fake.
Simon: Cool. Now I know you have an amazing background in UX design. How does that change your approach to fraud detection?
Vincent: Yeah, I think, um, it's pretty unusual for a designer, I think, to shift into working on AI and fraud. I think I ended up there because of my experience at Onfido and then the type of problem that I saw with our customers as well. Usually when you are a healthy business, you focus on increasing your user base, you know, making sure that your onboarding is very smooth, making sure that your passwords are very high.
When it comes to security, there's a lot of things to think about, right? Everything that tends to make our lives more secure tend to also have a higher friction and everything that had more friction tend to make our lives less secure. So you definitely want to find the right balance here. And every business is different.
That's also what makes a job great is, is, um, every business have a [00:09:00] different service. They have a different way to onboard users. They have different, um, a fraud cost, level of fraud risk as well that they accept. And so you need to fine tune that engine, um, to make sure that you find the right balance for them.
And it is really a balance. You need to place friction at the right time, and you need to place the security feature at this, at this moment. So I think the fact that I have a design background helped me navigate that a bit more easily because I can clearly see how I can deal with that friction.
Simon: Yeah, well, I think you've, you're in a very kind of sweet spot.
So as an examiner, as a fraud expert, you kind of focus far more on shutting things down and trying to prevent things, but maybe aren't quite as focused on the friction side of it. It's seen as a necessary evil. Having that insight as a UX designer really means that you're able to sort of balance it. So it's quite an interesting perspective.
What are the common mistakes you see in you, in the user experience when [00:10:00] companies are trying to prevent fraud?
Vincent: Yeah, very good question. It really depends between regulated and unregulated business. But if I try to summarize, the first mistake that I see is having teams that are too siloed, meaning that the onboarding team or the UX team working on the onboarding of their service or platform or product are too siloed from actually their fraud and risk team.
Um, and you see that basically they don't talk to each other and that happens. It's one of the biggest mistakes because, as I said, it's kind of a balance that you have to, to find. At Onfido, it's something we, we understood pretty quickly and that's why we started, we blended everyone into, um, multiple teams to, to make sure that we have, um, a few lens to look at these problems with a different expertise and, and, and favor.
I think something you said is, yeah, as a fraud expert, definitely you want to be very aggressive on your defense line against fraud. [00:11:00] Again, it depends. There is some company will require them. There is some that don't. And then at the end of the day, everything is very fluid. So you need to be able to change these rules as you receive attack from fraudsters, other fraudsters try to challenge your system.
So it's moving parts, so you just need to be equipped and have the right gear in place to make it very smooth. And being able to deal with that level of friction, being able to deal with that line of defense and adjust it on the fly to make sure that, yeah, you are always at the optimum of what your service could be.
Simon: Well, I mean, I, I think you've kind of touched upon quite an interesting point there as well. I mean everything you said is interesting, but um, not always. It's, it's, well, when we're striking that balance quite often you can see that it's, it's all about getting customers onboarded, so friction, you know, is the enemy you try and eliminate it.
Yeah. And that can often mean But when you're looking at the balance sheet, fraud can become, or fraud detection can become quite an easy target because [00:12:00] it can be seen as an obstacle to onboarding customers. So, what's your approach to the return of investment and then arguing for having the right technology?
Vincent: Yeah, I think, yeah, that's a very, very good point. You can see that a lot of people tend to focus on the pass rates because they can see behind that pass rate, the number of users they can onboard, and therefore the revenue behind that. But again, I think the ROI calculation requires a good understanding of your story behind numbers.
As an example, if you focus on pass rate, you might want to decrease drop off. The drop off might be the, might be the result of you having the right line of defense, and the drop off might be the result of fraudsters who actually don't even attempt to fraud your system. And that's a good thing. You would be pretty happy knowing how many fraudsters actually drop off your onboarding.
The last thing you want to do as well is have a weaker defense or where actually fraudsters onboard, [00:13:00] and that creates, basically, um, some sort of fake revenue, because as soon as that falls, you're going to drop, or you're going to put the right measure in place, or being forced to do so, because sometimes that's what happens, or escapes.
Then you will have it on your revenue numbers, and on top of it, probably a fine or something. So
Simon: Well, it's a hidden loss when you're just looking at the, the amount of revenue you're bringing in. It's kind of hidden until the point where it reveals itself.
Vincent: Yeah, exactly. Okay. So it's, it's more like you need to do that math on the long term approach as well, on how you build and scale a solid business rather than trying to onboard everyone very, very quickly.
Simon: And I suppose it's, it's probably quite important as well. I mean, I'm sure this is part of the whole design, UX design process, but you're actually analyzing at what stage people drop off.
And it isn't just a case of once you, you, you do it initially when you build it, but you're monitoring that the entire time. And then you know where your particular obstacles are or where you're actually filtering people as opposed to, you know, blocking them. You're, you're filtering the [00:14:00] right people out.
Okay. Exactly. So what, what's a key strategy or philosophy from, from your point of view that has enhanced your fraud prevention efforts?
Vincent: I would try to divide two into kind of two groups, right? There is a frictionless approach, right? Or you improve the user experience, improve the onboarding aspect, improve key rate, pass rate.
And there is the security aspect of it. Further is definitely the signal. You want very strong signals available globally as much as you can, especially if you operate in many geos. You want to standardize your onboarding. And then you want really, really strong signals, meaning that they could be active or passive.
Passive signal means that the, that the user, um, doesn't do anything. Um, everything is on the background. Active signal means that users have to either answer a question, take a picture of their document, or take a picture of their biometrics, face and others. Um, so you really need to understand like what is the most efficient one, right?
Meaning that it costs what it costs, but [00:15:00] it's also, there is a high efficiency into how you catch fraud and how you build that layering of defense with these different signals and how you optimize that cost for security. And then that would give you kind of the level of friction you will, you will need first to protect yourself.
And then you need to implement that into your user journey. And so you need to look at where it makes more sense to. Now SVs, something I haven't talked about before, we always think about friction as something negative. There is also a positive aspect to friction. If I design something that prevents you to delete some emails in your, um, in your browser, you would be happy if you misclick on something.
The same thing here, as soon as a user understands that it's also for their protection, they're going to be much more keen into actually going through that experience, and they will not really see it as a friction, but as the necessary for their security. It will be a reassuring feature for them. And so you need to understand that and how you place [00:16:00] that into your journey.
Simon: Since I joined Onfido, I learned about these studies that had shown that people, even if you can complete the transaction, the security transaction, in a couple of nanoseconds, people feel more reassured by the process that has a little swirly time delay thing. So you artificially introduce the delay so that people feel that there is necessary friction.
So yeah, I see your point. It's um, it's quite a good one. So how do you stay ahead of the curve and then stay informed of the movements in the industry?
Vincent: So when we talk about fraud, it's mainly around what the tech is bringing as well. We talk a lot about AI, AI generation, actually the GAN model struggle to put text over features.
So there is already that first challenge between to sort before you can actually do a fully rendered document. Could definitely work on a face, again, like face to record a video. So these models will have to evolve again a bit more to be [00:17:00] able to challenge us, um, deeply. But you can use this model on specific area of the document, right?
If I want to change a name on a genuine document, this model could definitely help me. I don't have to do it manually with Photoshop. I can just use that, um, that generative model to do that for me. And that's something we are doing at Onfido, something we are experimenting with, but then after something that is coming, it's probably, it will probably be here in the next three years.
It's quantum. Quantum is a new way to process, so it's a new CPU. This will completely change all security protocol and the cryptography of it. Where I'm worried is usually fraudsters get their hands on the new tech pretty quickly. When the government take a bit more time. And that delay is going to create some issues.
And so where I go to learn about this, uh, I just go on, on basically the tech websites, but also on the forum. That's where it's a bit tricky to actually do that. It's not easily [00:18:00] accessible information. The way we usually class the level of information we collect as part of the Fraud Lab is you have white information. White information is something you can get on any browser.
It's reference online, very accessible. You can find it in a few minutes. You have gray information. That means it's already something that is less available. You need to find the right document or you need to subscribe to some service. And then you have black information. Black information meaning like, this is kind of secret.
You need to be part of a specific group to get access to that information. So it took us probably a good six to eight months to get to the level of black information that was necessary for us, like how they were generating the fraud template or document, um, what type of tool they were using to create deepfake, what type or, uh, toolkit they were, uh, doing as well.
Trying to understand, you know, what fraudster, what, what, what group of fraudster or group of er were, were actually doing. And so I would probably segment the information between these three levels. White [00:19:00] information you subscribe to any blog, anything you could find, the gray information that will require you to probably pay something or be part of a group, but if you is part of, of a few group with Interpol, the FCA, so you will, you will definitely get to that knowledge as well with this group of experts. And then the black information, that means you already go to the other side of the fence where you are trying to learn what fraudsters are doing. And that's, that's basically an area where it's social hacking and very, very different.
Simon: Okay. Well, I mean, you did allude to the future quantum computing.
So that then poses the question, how do you see things changing in the next year, in the next five years? What do you think is going to be the landscape? What's going to happen?
Vincent: The evolution of fraud for next year, I would see probably more impersonation, coercion. Uh, we can, we can definitely see that as well, um, with our customers.
Because it's becoming easy for fraudsters to [00:20:00] impersonate someone with different medium. I think, I don't know if you agree with me, Simon, because you've been looking into that as well, but I think we do, we see less synthetic identities as before, where that was a big trend two years ago.
Simon: Yeah, it's difficult to know precisely, but I think a lot of the stuff that we've seen of late, there's probably been genuine documents with altered biometrics or as, as you mentioned, the fact that we're now seeing fraudsters using more traditional scams or kind of scams that have just been reworked to coerce people or fool people into committing, um, to basically giving over their genuine documents and their genuine biometrics.
So yeah. So I'd go along with that, but what about in the next five years?
Vincent: Yeah. Five years is a very good question. You would probably see the generative AI taking more and more of a play there. We already know that some fraudsters are working to retrain some models, so they are [00:21:00] fishing for getting more data because they need that data to be able to train these models to commit their fraud.
So data breaches, we probably, we'd probably see even more of that, even more attack. Anyone withholding that data would be at risk, I think, in the next five years. As I said, the AI is going to be the thing here, probably in a shorter time.
Simon: Well, I think the emergence now that we're, we're seeing it more and more often, it's definitely become more popular to talk about it.
But as you well know, AI is a tool and it just means a lot of tasks can be done at scale and be done quicker. And we're seeing that across fraud in general. So with the stuff we're doing at Onfido, but also with scams as well. And this then lends itself to, okay, so leveraging AI to commit phishing, uh, attacks at scale, which then gives you the ins so that you can get the data, which then gives you the data to help you then create these, uh, these attacks in identity as well.
Vincent: Exactly. [00:22:00] I can see that in the next five years become a big thing for us. On the defense aspect, you will see more EIDs coming in play. Now EIDs, if well built, could be very effective to reduce that. But let's not forget that a document will be probably in operation for around 10 years. Most of the documents like driving license, passport.
And so the fraudsters EIDs. They are able to attack, we were able to, we found some forum where they're actually selling some passport cheap. Um, so again, like, um, they will find a way, um, to get through that. So we will have to find a way to defend against that as well.
Simon: I'd also say that as, as the EIDs come out, I think at this stage, they're all quite new.
There are some projects here, some projects there. So it hasn't kind of fully established as to its format. And I think what you'll also see is the fraudsters will take to that as well. It might [00:23:00] take longer to figure it out, but it's, you know, I always think fraud is like water. It's always going to find a way.
It's just how big of a hole it creates, um, how big of a hole it finds. Great. So finally, any other advice?
Vincent: Engage with the fraud lab. Engage with the fraud lab, definitely. We, we, um, we've met a lot of our clients over the year. I think, and again, to, to, to advise them on fraud, but also on, on UX. We try to bring these two aspects on how we can help you fine tune your, um, your service and your fraud.
And, um, all we advise you through that as well. And so yeah, there is, there is plenty of theories that Onfido can give on that. So yeah, feel free to discuss with us and engage with us.
Simon: Thanks Vincent. Thank you for joining us on this journey inside the Fraud Lab. If you'd like more insights into attack patterns and trends as we see them at Onfido, head to onfido.com [00:24:00] or click the link in the show notes to access our annual identity fraud report. It's full of proprietary research into how fraudsters are attacking identity verification and how the world of prevention is changing. It's full of insights. For example, financial services has seen a 23 percent increase in fraud versus last year, and 46 percent of document fraud targets national ID cards.
If you'd like to know more, get your free copy by clicking the link in the show notes. Goodbye for now, and I hope you join us again next time.