Kevin Lee, Digital Trust and Safety Architect at Sift (sift.com), talks about his company and their mission.
As the Trust and Safety Architect at Sift Science, Lee is very involved in Sift’s core mission: securing trust and safety for the digital age. Lee is skilled in building high-performing teams and systems that combat suspicious and malicious behaviors. Before bringing his expertise to Sift, Lee was a manager at Facebook, Square, and Google in roles pertaining to risk and spam, as well as trust and safety.
Lee discusses how Sift started out in the payment fraud area, using machine learning and other technologies to outsmart fraudsters. Today, they are focused heavily on digital trust and safety issues. Lee explains the mechanics of their solutions, and he cites specific examples of client work, from Airbnb, Twitter, and others, helping to stop data breaches and fraud. He explains how ‘bad actors’ take over accounts and the kinds of malicious acts they try to implement.
Lee discusses some of the e-commerce sites that they offer protections for, and how attacks against them are designed. Continuing, Lee explains some of the signs they look for that could indicate fraud is happening. He talks about iPhone fraud attempts, and the telltale signs of fraud that they see in that platform/family versus Android. From account takeover to trolling and financial fraud, Lee explains some of the most current problems businesses are combatting. As he states, in account takeover scenarios, trust is often destroyed, which could result in the loss of customers and clients.
Wrapping up, Lee explains how easy it is to get started with Sift and the protections that companies can take advantage of right away. As digital disrupters, Sift is innovating daily, taking its position as a leader in the digital security space.
Kevin Lee: Great to be here today.
Richard Jacobs: Tell me about Sift. What’s the premise of the company?
Kevin Lee: So we were founded back in 2011 out of San Francisco through a Y Combinator company. And we started off in the payment fraud business. So essentially our objective was to stop fraudsters and criminals and bad actors out there that are online using stolen credit cards and different things like that to conduct fraud. And so our essential take on it was to use machine learning and other forms of technology to outsmart these fraudsters to protect the internet. So overall what we really want to do at the end of the day is create a space or make an internet that is safer and where people feel that they can trust it and be their authentic selves. And really that’s where we have since evolved from more of a payment fraud platform that’s using machine learning to really something that’s focused more around digital trust and safety, where fraud these days can happen from a whole bunch of different vectors. So that’s really about the company itself. And great to be here.
Richard Jacobs: So what’s the mechanics of the solution? Is it just like a plugin for e-commerce stores? Or does it go way beyond that? Like who are typical customers?
Kevin Lee: So typically we certainly serve plenty of e-commerce providers. So actually our first customer was Airbnb. So that’s a marketplace, if you’re not familiar with it, where people can post their homes or apartments or their rooms for rent. And so we service a lot of companies like that and also traditional e-commerce companies like a Wayfair or a Harry’s as well. And they’ll all use our tech to stop the card fraud. And these days, unfortunately, since data breaches are more common, things like account takeover or fake accounts. So you might have some people going online to, let’s say a company like Twitter they have to deal with trolling and fake accounts and fake news. So companies like Twitter will use us to protect their platform and their users against that type of bad activity.
Richard Jacobs: So how would you protect against what someone would consider being fake news?
Kevin Lee: So that’s actually very near and dear to my heart. So prior to joining Sift, I worked at Facebook actually and helped monitor against spam, scams, and malware. And so when we look at fake news and trolling, most often where it really gets bad is not necessarily one person creating one account doing bad things. What it really is is actors creating bulk accounts, whether they’re fake or doing massive account takeover where they will take over other people’s accounts and start spamming the ecosystem from that front. And so what we’ve created is the ability to look at different user behavior and we’re essentially able to understand the differences between natural and normal behavior versus inauthentic behavior. And so let’s take fake news as an example. Where it does get worse is if it becomes that scale, it starts spreading and kind of going viral. And oftentimes those are proliferated by fake accounts. And so if you’re able to stop those fake accounts from being created or the exposure of those fake accounts to your real authentic platform, then you’re able to curb some of that activity.
Richard Jacobs: So do they generate accounts for use later or they take over existing accounts from other people and then poses them then postings?
Kevin Lee: So from a fraud standpoint, it’s usually the path of least resistance. So right now there’s a mix, but if you can get away with creating hundreds or thousands of fake accounts and then posting bad or spammy content, you’re going to do that as a fraudster. It’s the easiest path. The good news is most companies have started adopting more advanced technology to stop that basic kind of scripting behavior. But the ROI from a fraud perspective is still high enough where the fraudsters have upped their game, where they’re now either taking over accounts or doing more sophisticated types of attacks to circumvent those things. And so that’s really where ATO starts to kick in. And where unfortunately from a damage-control perspective, if you’re a Facebook or Twitter, for example, you can shut down those accounts, but hey, they’re still a real user at the end of the day. So you have to do some remediation cleanup and then return that account, hopefully in the same condition that it was prior to that exposure.
Richard Jacobs: How do you tell if an account has been compromised?
Kevin Lee: Oh, sure. So there’s a lot of different signals to look at. So one way I try to couch it is if, for example, you have an iPhone or Android phone and you’re using let’s say the Instagram app or let’s say Expedia or some other travel-related app, it’s pretty astonishing how much information you as a user are passively giving to that app. So let’s take Uber for example. You can use it for rides and order food, et cetera. The way that you interact on that app is actually pretty much tailored to you and you don’t necessarily share your app or your phone with too many other people. And because of that, you were able to establish some sort of pattern in terms of how you buy, how you consume, how you just use that app. And if there is an account takeover scenario, the behavior will certainly change. So let’s say for Uber Eats, you order it once a week and the average order value is $50. If there is an account takeover, let’s say suddenly you moved from, I’m based in San Francisco and you move from SF to Los Angeles or New York, and the average order value goes from $50 to $300. All those are really kind of telltale signs that something might be amiss or something’s different here. And so you as a merchant or as a merchant of record may want to take a deeper look at what’s going on there.
Richard Jacobs: What about looking at the language that the user likes the keyword cloud and see if that changes dramatically?
Kevin Lee: Oh yeah.
Richard Jacobs: Location or other things.
Kevin Lee: Sure. Certainly, you want to look at things like IP device fingerprinting. For example, my time zone on my phone is set to Pacific Standard Time. English is the default language. Suddenly, even if I’m logging in from New York, maybe I have a New York time zone, maybe I have a Russian time zone, maybe my language settings for some reason have switched from English to Russian. But everything else looks normal. Those are all kinds of good indications that something might be awry or amiss here. So let’s take an example with DoorDash where a user, if I’m using the app as a legitimate user, I’m coming from San Francisco, I’m coming from an Android phone. Then if suddenly my location changes to New York and my time zone changes to Russia or the default language on my phone, let’s say it’s an Android phone, it moves to an iPhone and the presets are to the Russian language. All those things are telltale signs that something might be amiss or awry. But there is a ton of passive data that users readily give up in order to use that app or go through that website. And all those things can be essentially mined for particular security purposes and monitored for fraud.
Richard Jacobs: Any really interesting or revealing type parameters that you can talk about what you found?
Kevin Lee: So some interesting ones might be, so let’s say you have an iPhone here. And so the level of fraud or abuse of activity that comes from iPhone 11 is significantly less than what comes from iPhone sevens or sixes. And the reason for that is you don’t need the latest and greatest technology or an iPhone to perpetuate bad activity. And the iPhone six will get you there. And so if you are the fraudster, as you’re running your business, you have an ROI, you have overhead costs and things like that. You don’t want to be spending $1,000 on the newest piece of equipment when you can buy something that’s refurbished off the rack. And so that’s one telltale sign. Another one might be if you suddenly, sure, if there’s another one where if you switched from one operating system to another. So if you move from an iOS device to an Android device or vice versa, that can be a sign that something’s wrong. And another one, another positive signal that something might be going on is if you, let’s say you’re staying within the same family, but instead of going to let’s say an iPhone 10 operating system, you move back to an iPhone or a previous version, whether it’s a browser, as a Chrome browser or if it’s just an operating system within a particular family of devices. And so those are things that to a normal user you may not think about. But from a fraud standpoint, definitely come to mind.
Richard Jacobs: They can’t take over trolling, that kind of thing. In terms of just straight-up fraud, you know, financial fraud, are there any new things in that arena?
Kevin Lee: I think the newest things there, unfortunately, what companies are talking to me most about is around account takeover via social engineering. And so now that, as I said earlier, companies by and large have upped the stakes or upped the game in the sense of, okay, all these fake accounts that are being created, we’re going to be pretty good at spotting them now. And as a result, fraudsters have increased their level of sophistication where they’re going after other people’s real accounts. And so that’s creating a whole new shift in the sense of how do you deal with not only still spam and scams and other bad activity, but now you also have to deal with a real user. And oftentimes these are VIPs or your most valuable users. Companies pay a lot of money to acquire customers and if you’re losing a real customer, it can be extraordinarily damaging. Something I tell companies when I consult with them is if there is an account takeover scenario you may be able to recover that account and give that account back to that person. But what is really damaged there is the level of trust that the customer has in the company. And so something that actually a coach of mine used to tell me when I was younger: trust is earned in drops and lost in buckets. And so if that trust is compromised, it takes a long, long time to recover from that. And I’ve seen that time and time again at companies where, whether it’s a Facebook or other tech companies, once those accounts are compromised, even if you do return those accounts to the rightful cardholders or the users, oftentimes they take their business elsewhere. And if you, for example, calculate the lifetime value of a customer, if that’s something your business does, suddenly we’re talking it’s a lot more than just a $5 cup of coffee that was stolen. Like I have no idea how much my lifetime value at Starbucks is. But if my Starbucks account was taken over, Starbucks can give me back my account, but there’s a good chance I might take my business elsewhere. And so they’d be losing out not just on the $5 cup of coffee or whatever was charged, but all of my future transactions as well.
Richard Jacobs: Is there a way for hackers to scan from the outside and looking at your account mix, whether in terms of like activity, number of logins, amount held in an account? If it’s a freelancer account, I mean, things like that. Are there ways for them to see from the outside, which the juiciest ones are to take over?
Kevin Lee: Oh, most definitely. So something that my team does on a regular basis is essentially searches on the dark web, on different marketplaces. And we look at how much credentials for different companies cost. So for an Amazon account, for example, you can see how many points are in that account. If there was a card on file and you have the access to the username and password, you can see previous transaction history, shipping address and all those types of things. And unfortunately, they all have a price. And if someone has a lot of data on a particular account or there’s a high value in terms of airline miles, hotel points, gift cards, whatever’s on that particular account, they can sell for quite a bit of money.
Richard Jacobs: Hmm. Any idea how these hackers figured this out from the outside?
Kevin Lee: Unfortunately, it comes with data breaches. So there are two ways this can happen, really. One is if a user’s account gets some sort of malware or their laptop or their phone gets compromised. And so hackers are getting information through that vehicle. On the other side, you can be the most secure buyer out there where every site you visit, you have a new password, a new username. You don’t duplicate anything and you can be really, really good about that stuff. But if the company that you are trusting with your credentials is compromised, you’re toast, at least for that particular business. And unfortunately, when it comes to password hygiene, most people don’t have a new password or username for every single website they go to or what they’re doing business on. Usually, the username is their email address. Passwords, there’s really not too much variation there as well, where I think it’s over 65, 66% of people use the same password over and over again. And that goes for their work passwords or their personal passwords. And so once something is compromised, if they’re not really diligent about it, then that password and those credentials can be used across multiple sites across the web.
Richard Jacobs: Yeah, that’s really bad. Maybe what you are supposed to do. Everyone’s dealt with vendors that make you change your password all the time. It says one capital, one lower case, one number, one symbol and like, come on. Yeah.
Kevin Lee: At a minimum of 13 characters, you forgot. So yeah, it’s a huge friction point right now. And unfortunately, the way that I see it or the way that Sift sees it is we live in a kind of almost a world where credentials have already been compromised. And so to that end, what can you do from a behavioral standpoint to spot this activity? One of the really powerful things about Sift is we are a more collaborative environment where really what we see every day, like every day fraudsters are collaborating with each other to exploit all of our platforms out there. There needs to be a way for businesses to also collaborate to fight back. And that’s really what Sift has created. We’ve created a data infrastructure where companies can share anonymously their information. So if one company is being attacked, then every other company within that global network will know that and be able to take action accordingly. And so that’s given us some sort of leverage to fight back and also the AI and the machine learning that comes with our suite.
Richard Jacobs: What side of the business can take advantage of this? Do you need to have a certain number of employees or revenue?
Kevin Lee: No, it’s actually relatively easy to sign up in terms of integration. We work with some of the largest companies in the world that are publicly traded out there. We also work with plenty of small and medium-sized businesses. And the reason why is because fraud is quite broad. It doesn’t care if you’re a small business or an enterprise. It will go after you and try and take advantage of you if it’s within their ROI or if it’s within their interest. Sift actually launched a survey not too long ago where if you, for example, are a fraudster and you conduct ATO activity, 92% of the time you are doing other types of fraud, which is to say some sort of payment-related fraud or content like spam or scams related fraud. And these fraudsters are incredibly kind of clever and willing to attack multiple businesses. And so we need companies like Sift to come together to pool this data to fight back.
Richard Jacobs: Yeah, that makes sense. Any upcoming schemes you’ve seen that are particularly terrifying or interesting or to watch out for?
Kevin Lee: The most terrifying ones? I think it comes down to people. In some cases the problem and in many ways the solution where we can build the best defense as possible from a machine or artificial intelligence standpoint. And fraudsters know that. And now what they’re trying to do oftentimes is call into different call centers to acquire a user’s information or let’s say a fraudster is going after the consumer. So they may send phishing emails or other things that look very, very legitimate to get those users to log into their account. Or what looks to be their account is actually just a phishing site or a site that looks like their Wells Fargo account or their Chase account. But in fact, it’s actually the fraudsters’ kind of a site that’s used to collect the username and password so they can go onto the real site. So it’s incredibly difficult from that perspective, but it’s absolutely a fight that I think we can win as long as we continue to collaborate and are willing to take the right kind of technological advancements.
Richard Jacobs: Well, very good. So one can go to sift.com or what’s the best way for them to follow up?
Kevin Lee: The best way to follow up is sift.com to learn more about our products, whether you have pain with these problem content abuse, account takeover, fake accounts, really, we’ve built a system that can address multiple vectors of abuse. And do so in such a way that not only stops that abuse, but one thing I think many, many people lose sight of is the fact that 99 plus percent of the people going to your website want to be on your website, want to engage in the right way, get from A to B as quickly as possible, and then move on. And there is a relation, is really trying to do a disproportionate amount of damage. And so we still need to protect from that type of bad activity. But with the right tools in place, what you can do is apply friction not only not to the entire population, but dynamically to the right people at the right time. And in this case, it’s those fraudsters where you want to give them the most friction-full experience as possible. But for the 99 plus percent out there, what can you do to provide that one-click functionality? Not everybody. Not every company can be like an Amazon and have those resources. Sift was created to really level the playing field there and enable more of these businesses to create those types of experiences.
Richard Jacobs: Well, very good. Kevin, thank you so much for coming on the call.
Kevin Lee: Thank you so much.