Account Takeover: Why Your ATO Controls May Not Be Enough Anymore

Charles Goldberg: Hello and welcome to the Intellicheck podcast. This is a show where we delve into the news and issues around identity verification, identity fraud, and the tools needed to combat it. I'm Charles Goldberg, your host for this episode. Why your ATO controls may not be enough anymore. This is a follow on episode. The first one is Account Takeover. What the industry is getting wrong. However, if you haven't listened to that episode, no worries. You can still learn a lot from today's episode and listen to the previous episode later. So I'd like to welcome back my guest with all the answers, Bryan Lewis, the CEO of Intellicheck. Bryan Lewis: Happy to be back. Thank you, Charles. Charles Goldberg: Yeah, thank you, Bryan. I know your time is very valuable and appreciate you returning for this very interesting topic. And in our last ATO episode, we discussed the scale of the problem. Javelin Research said it was a $15 billion problem impacting 6 million people. This is just US stats and had an 18% growth rate year over year. We also established that the problem is now bigger in line than ever before. And TransUnion reported that digital ATO grew 37% year over year from 2024 to 2025. So what are the controls that companies are relying on today to stop fraud? Bryan Lewis: Well, yeah, and I think it probably makes sense to talk about why the fraud keeps going up, right? AI is making it a lot easier to have way more attempts in a digital world. So the tools that people have been relying on still to this day are a lot of it is knowledge based authentication. Answer a question about where did you live? What was your first car? You know, so much of that is now, you know, you can find it on the web. So the tools that people are using I think are somewhat antiquated. You know, I even, you know, I laugh when I go into a bank sometimes. And what they want to do is, you know, take that black light pen and shine it at my driver's license. I have stacks of fakes on my desk that we have from customers. Every one of them will have those black light things shining. So you've got to get smarter. The bad guys are really smart. They know what they're doing. They're using AI and that's why I think we're seeing this rise. They are defeating the tools that most are using. Charles Goldberg: Okay, so what should companies rely on before giving someone access to an account or like the ability to transfer large amounts of money between accounts, even though they've never seen those large money transfer between those two accounts before? But they're like, okay, you know, we'll transfer your HELOC loan over to this other account or even more so last episode we were talking about how once people reset passwords on social media accounts or email accounts, I mean, that's it, you got the keys to the kingdom. Because that's also where your second factor often is. So what is the right process? Bryan Lewis: I think there's like two ways you can go about this, right? First is one is very deterministic and the other is data driven. Right? Now, first, when I say deterministic, it would be, can you prove with near certainty is the document that somebody is presenting you to prove who they are, is it real? You know, and that's part of what we do, you know, at Intellicheck, right. We know what's in the barcode and all the hidden security features for, you know, right now in circulation there between Canada, the U.S. and all U.S. territories, about 250 different barcodes and they're all different. All these stacks of barcode of fakes I have on my desk, they all scan and they match the front doesn't mean it's real. And I think people confuse scanning with reality. But no, you need to know what are the hidden security features? And then there is also what can we do with data? You know, and I'd say about half the adult population in US and Canada goes through our system every year. So we, we know we see anomalies like this doesn't make sense. You know, Bryan has never done this before and how do you flag that? So, you know, I think it's a, you know, a little bit of both using data, but also using something that's very deterministic. Because if the first step in the process is like this piece of plastic is fake, why waste all the downstream money, right? Start just pressing that person now and I guarantee they walk away because they know they've been caught. Charles Goldberg: Yeah. And then once that fake ID goes through, so there's, it's usually synthetic IDs, so maybe some of it is the real customer name. But then very important parts of change, like the portraits change. So instead of being the picture of the 65 year old whose Social Security check, you're trying to go in and has the other person's picture or the address has changed because you're looking to get retail products shipped to a different address. So it's hard to catch and it's garbage in, garbage out. Right. Your whole detection system is being based on that synthetic information that you let through through. Bryan Lewis: And, and you have to be careful about a lot of it, because the data will often match. You know, we look at a lot of the fakes. You know, it's. It's simple enough. You can go to certain websites and find out, you know, is there a Bryan Lewis at this address when we look at the fakes? And yeah, it all matches. Right. And then, you know, United Healthcare, I was part of that hack. They had pictured that were hacked of driver's licenses. Right. So it means I can create a fake that will match everything on the driver's license. The document discriminator, the, you know, the DL ID number. All of those things are going to perfectly match what is in a database already. But what they can't do is match what's in the barcode for that jurisdiction for that date of issuance and all those secret security features, right? Charles Goldberg: Yeah. And like you said, all that real driver's license data is out there. I was just reading an article that reported in June, a company in Buffalo, I won't call them out, but they lost driver's license number, Social Security, photos of driver's license for all 50 states. Like, they had some data from licenses from every state. And earlier this year, it was kind of a big article within the realm of just how much is on the dark web. And there was an auction that started at $10,000 for a collection of DMV licenses. And the marketing for it was over 90% of this stack of licenses they were selling, I think it was 54,000 licenses were not expired through 2026. Right. So, yeah, that data is out there, right? Yeah. Bryan Lewis: And you combine that, you combine that with everything else that's known about you. Right. Social Security, phone number, email, where you have credit, where you don't, where you have a mortgage, where you have a HELOC, you know, all those things, debt is available. And you combine, you know, organized crime, knowing who you are and able to replicate your identity, you know, with any one of these, you know, bajillions of fakes that are easy and cheap and really good, they know where to go to rip you off and make one heck of an ROI for them. Because honestly, it's about 60 bucks, 20 bucks to get all your information, about 40 bucks to get one of these fake licenses. That's going to fool almost everybody. Charles Goldberg: Okay. So I think in person, it's really easy to picture how to check for a license properly. You know, a human looking at the license that's not proper because the fake IDs are so good. Using most of the traditional ways of digitally looking at a license is not good because they use OCR optical character recognition and they're just essentially being faster than a human in looking at the license. They're looking at the template, is it laid out right, just like a human does. But AI knows all that too and it's creating these high quality license so it's passing those systems visual checks. Just like a human visual check. You need this secret information in the barcode like Intellicheck has. And you explained all that with the 250 formats that are active today and how Intellicheck is really looking at that security information to differentiate and AI doesn't know that. Right. And that's very secret information. Okay so we understand that in the physical world but how does a company add that into their digital experience since that's where ATO is exploding? Bryan Lewis: You know, basically your phone gets turned into the device that is going to be used to you know, authenticate you and the license. Now I will say, you know, we can do barcode, we can do OCR, we can do facial recognition. We allow our customers to decide how much friction they want to put into their customers process they choose right, you know, one through three steps. The vast majority of our customers do not go past just the barcode because they see each step you put into the process. You will have card abandonment. You know, unless you know, you know, we do have somebody, you know, some customers are doing, you know, subprime and all that and people want the money, they're going to do whatever you ask them to do. But you know, I don't know about you know, you or me, but you put too many hurdles in my point. I'm like I'm done, I'm not going to do it anymore. So the majority of our customers rely on just return the phone into a scanner scans a barcode, we parse the data, we give them everything they need to fill out whatever the downstream process is and we give them an indicator of whether it is a valid invalid or valid but expired and then they can make their decisions on their end. But then also if people do want we OCR front to back and again facial recognition if they want to make sure that you know, we prove that the plastic is real and I in fact are, you know, I'm holding it right. So it's, it's, it's me doing this, this process but it's really, you know, we definitely see card abandonment the more you put in place. So our customers are looking at, you know, the accuracy of what we do in first step is it worth losing the LTV of this amount of clients. And most say no. You know, so though they won't put in a ton of hurdles. Charles Goldberg: Yeah. You know, so I just had this experience myself. I won't call out which credit card, but it was airline credit card. And they had one of those promotions where you add a second person, they spend a little money on that second card, and, you know, you get a bunch of points. So, like, hey, what the heck? Signed my wife up for the credit card. I'm paying her bills anyway. I might as well get some extra points out of it. So she got her card, called to activate it. She accidentally put my last four Social Security numbers. She missed. You know, her. What they were asking for, not her. And it was very unforgiving when she blew it one time. That was it. Sounds like maybe good security. I called and said, hey, this is the situation. And. And they're like, okay, card is activated. Like, I was like, in my mind, really, like, I could have been anybody. Like, they didn't like, what should have they done? What would have been a much better process for that call center agent to prove I should have? Bryan Lewis: Charles, they should have authenticated you. And we're in a ton of call centers, and it's super simple. Person asks for your phone number, text sent to your phone, scan your license, boom, we know it's Charles. Okay, we're going to go do it, because that is part of it. Again, the amount of information known about all of us makes it easy to impersonate you, particularly nowadays with what AI can do. Even with your voice. You see the amount of people who are fooled by AI, you know, voice, you know, creation. It's scary. Charles Goldberg: Yeah. I've been seeing a lot of articles very recently about those, you know, spam calls, whatever you want to call them when someone calls. And then if you actually do pick up, you don't hear any response. And they're just. It's AI making these phone calls to record your voice and record voices. So if it decides to use you, it doesn't take a lot of words anymore for AI to very accurately pick up someone's accent, tone and voice and reflection speed. Bryan Lewis: All of that. Correct. Yeah. It's not hard. And, you know, so many people put stuff out, you know, even what we're doing here today. Right. This will get published. AI is going to figure out how you and I talk. People put things on social media. AI can figure it out from that. And that's how it is so easy to replicate who you are. Charles Goldberg: Oh, maybe next webinar, you and I could just be AI avatars and we could go out for breakfast while AI is making this next podcast. Bryan Lewis: Might be better than us. Charles Goldberg: So we'll see. Nah. All right, so let's switch gears a little and talk about the in person experience. You just talked about digital. So what are the controls today? You know, why are they failing? Like, what can we, we do about that? Bryan Lewis: I think so many controls are, you know, really relying on the human being to look at it. And you know, you know, I travel with, I've got a couple of fake licenses from the state I live in and I pull them out of my wallet and I show people the real one and the fake ones and say, pick, tell me which one's real. No, you know, people maybe get it right 30% of the time. And then you look at it and if you're going to be comparing how that license looks to, you know, maybe a template, a portfolio of templates that you have that that requires rather expensive hardware. One of the reasons I believe that our customers like what we do for them. No new hardware, the thing that rings up merchandise in the store. So if you're doing, you know, a new, new credit card opening or an account lookup, you know, the same scanning gun that reads merchandise will read the barcode and we can tell you good, bad or good, but expired. Charles Goldberg: Same thing. Bryan Lewis: You know, you go into a bank, the device that can read and deposit a check, that's all we need. So it's always just slight configuration changes. And I think that's one of the reasons, you know, and I do like, you know, to toot our own horn here. We make it simple, easy and very inexpensive for people to cut their fraud losses and, and more importantly, protect people. Right. Because the thing that I found out about, you know, through talking to our customers, most of the bad guys never get prosecuted. Because, for example, if I go in to a bank and you know, pull money out of your HELOC, you know, Charles Goldberg: It's the bank, I'm going to make Bryan Lewis: you whole. It's the bank. I am not the victim of crime. The only person who can now report the crime is the person whose HELOC got stolen. Really that majority of the time they won't do it because they've already been made whole. Charles Goldberg: Right. Bryan Lewis: So these guys, the bad guys, know they're sort of in the wild, wild west where, okay, no worries. I got my money and I'm not going to get prosecuted. Charles Goldberg: That's interesting. You think when the promise is a six billion dollar problem. Yeah, I guess that's an online and in person. But still, it's talking a lot of money that, yeah, they would be more aggressive in trying to prosecute because it's usually a few bad apples. Right, that are stealing a lot of money. Bryan Lewis: Yeah, well, it's all organized crime, there's no doubt about that. You know, and a lot of the digital stuff is coming from overseas in person, certainly organized crime here in the US and Canada, you know, but they're looking at the risk reward, right? The reward's really big, and the risk of being prosecuted is relatively low. Charles Goldberg: Yeah. Well, you know what, it does sound like it's pretty easy to catch a fake ID if you have the right solutions. You know, a modern way of looking at even something as simple as the barcode. There's a lot of security and secret information in there for a reason. And if you could leverage that, it really makes all the difference. And, you know, companies that do want to protect their customers and reduce fraud, that's an opportunity for them to look at that. But, yeah. So I think we're running out of time again, and I think this conversation between everything that could go wrong is going to leave our listeners with as many nightmares as a Wes Craven movie. But we can make a movie. Look out for the Invasion of the Identity Snatchers. But the good thing is Intellicheck gets to be the hero in that episode. So that's all the time we have today. My guest on the Intellicheck podcast has been Intellicheck CEO Bryan Lewis, and we've been discussing why your ATO controls may not be enough anymore. So be sure to check out the show notes and description. If you didn't see the first episode, you'll find that very interesting as well. So you can find that in the same place you found this episode. So that's all for this week, and thank you for listening and stay safe. Thank you again, Bryan. Bryan Lewis: Thanks, Charles. Appreciate it.