Outwitting Fraud with Real-Time Actionable Device Intelligence with Dan Pinto of Fingerprint
Want to know how identifying bad actors is crucial to preventing account takeover and payment fraud? In this episode of PayPod, host Jacob Hollabaugh sits down with Dan Pinto of Fingerprint to discuss how Fingerprint uses sophisticated techniques to generate identifier information from a user’s browser. Fingerprint empowers developers to stop online fraud at the source. Watch this episode for a fun and interesting dive into this latest development in payments and fintech.
Payments & Fintech Insights In This Episode
- Fingerprint’s focus is on maximizing the accuracy of the identifiers generated, which is unique among their competitors.
- Dropbox is a customer who was able to solve an account takeover problem and prevent free trial abuse using Fingerprint’s service.
- Fingerprint was able to identify bad actors even through common privacy measures like Tor and VPNs.
- Checkout, an early enterprise customer, uses Fingerprint’s service to cross-correlate payment streams and detect fraud before it happens.
- Fingerprint’s stable and accurate identifiers can be stored for long periods of time, allowing for identification of bad actors even months or years after initial activity.
- And SO much more!
Today’s Guest
Dan Pinto: Fingerprint
Fingerprint empowers developers to stop online fraud at the source. They work on turning radical new ideas in the fraud detection space into reality. Their products are developer-focused and their clients range from solo developers to publicly traded companies. Some of their customers include Coinbase, Booking.com, Target, and Yahoo just to name a few. They are a globally dispersed, 100% remote company with a strong open-source focus. Their flagship open source project is FingerprintJS (18K stars on GitHub). They’ve raised $44M and are backed by Craft Ventures (previously invested in Tesla, Facebook, Airbnb), Nexus VP (previously invested in Postman & Hasura), and Uncorrelated Ventures (previously invested in Redis, Rollbar & Gradle).
About PayPod
PayPod is the leading voice in the payments and fintech industry, covering payments, risk management and new technology. Host Jacob Hollabaugh interviews leaders who are shaping the payments and fintech world, as they discuss the latest developments in the payments and fintech industry.
Episode Transcript
Jacob: Welcome to PayPod, the Payments Industry podcast. Each week, we’ll bring you in-depth conversations with leaders who are shaping the payments and fintech world from payment processing to risk management and from new technology to entirely new payment types. If you want to know what’s happening in the world of fintech and payments, you’re in the right place. Hello, everyone. Welcome to PayPod. I’m your host, Jacob Hollabaugh. And today on the show we are talking about the intentions of those visiting your web page, your app, visiting you digitally in any way. We’re talking about fraud. We’re talking about how to outwit fraud with real time actionable device intelligence. Security is of the utmost concern in our ever more digital financial world. So we want to give it our focus for today’s episode. Joining me to discuss these topics is Dan Pinto, co-founder and CEO at Fingerprint, the device intelligence platform for high scale applications powered by the world’s most accurate visitor identifier. Dan, welcome to the show. Thank you so much for being here.
Dan: Yeah, thanks for having me.
Jacob: My pleasure. Let’s kick things off with just an overview of who Fingerprint is, what you all do. Can you tell me a bit about the services you offer?
Dan: Yeah, sure. I can give a quick summary. So what we do is offer a service that uniquely identifies devices and browsers, both on the web, via Safari, Chrome, Firefox, etcetera, and also in native mobile applications. So Android and iOS. And essentially most of our customers use the identifiers that we provide to try and prevent very sophisticated types of fraud that are happening to their services.
Jacob: Yep. And definitely, as I kind of said in the lead in there, this is a topic I was excited for because it’s a topic that comes up on every single episode now of this podcast and pretty much has for the history of this show and would have a few years back even further the more and more digital everything, especially the financial world, our focus here gets, the more and more this almost that sometimes feels like a cybersecurity podcast. If I’m being honest with you, of every person I talk to like, okay, but how do you keep it secure? How do you know anything? So with your services, obviously you can’t tell me like the full secret sauce. I know that you’re not going to explain exactly how you do everything, but are you able to give us a little insight into like, the types of data you are pulling to put together these visitor profiles?
Dan: Yeah, definitely. So what’s unique about our business is that the company was founded by two software engineers, so we built everything from the beginning to focus very deeply on technical implementations and pulling data that’s difficult to pull from browsers and mobile operating systems and processing that information. So in the open source version, it’s some of the more open techniques that we have. So things like what fonts are installed on your computer, the screen resolution, etcetera, etcetera. But then in the paid service we go even deeper with stuff that we’ve discovered by hiring a high number of engineers on our team that focus on doing research, right? So any time Safari makes a change, Chrome makes a change in the browser, they do a new release, they’re scouring the release notes or testing new things and trying to find other ways of getting information from the browser so that we can then process it and then turn it into an identifier, right? So there’s a lot of really interesting things. Like for example, we have one technique that’s pretty powerful called TLS fingerprinting. So it’s basically the way that an SSL connection happens. So if you’ve noticed, there’s an https for some websites that you go to. So the way that that handshake basically happens between the client and the server has some information that comes out of it. So we can process that in our servers and then combine it with all the other factors that we use. And that gives us a lot of information to further increase the accuracy of our identifier.
Jacob: Yeah, that’s fascinating and sounds like very busy lives for all those engineers trying to keep up with as many releases as there are across as many platforms and products and things we use. Is it just that dedication to how deep into it you get, how up to date you stay with it, that kind of sets you apart? Or is there something about your approach, or is it because of starting the company with the software engineers? What sets you apart or gives you that ability to go further than anyone else in the market has gone, as far as accuracy goes?
Dan: It’s basically a combination of things and, like, the culture of the company, right? So even now the company is over 100 people, but half of the company is engineers, right? So we’ve built it from the beginning in terms of what we value is doing this research, processing the information in smart ways and then providing that to other businesses. So no other startup is currently focusing on maximizing the accuracy of the identifiers in these environments. Usually what happens, and this is the case with most of our competitors, is they try to go towards, like, convenience and integrations with different services and stuff like that, try to maximize revenue. But we’ve always focused on: it’s available on the website, it’s self-service, it’s API driven, and the complexity is significantly lower to offer it as a result. So we can put all of our engineering resources into the research, the processing and the providing of the actual device identifiers that we generate.
Jacob: Yeah, love that and definitely a little bit more of a long term approach. I would say too, then of like focusing on let’s make this the best it can be versus the short term. What’s the path to profit that might not long term mean that we’re actually the best at what we do or the easiest to work with at what we do? Tell me a bit about I think you referenced a few of them earlier, but the types of companies you’re currently working with, kind of the scale of operations you’re at right now.
Dan: So if you go to our website, you can see some of the case studies that are public. We have some customers that we can’t talk about publicly, but the ones that we can talk about publicly that are interesting, probably one of the most interesting is Dropbox. There’s a case study on the website talking about how they’re using us, but essentially they had an account takeover problem. So people were trying to log in to other people’s Dropbox accounts using stolen passwords or different techniques. And too many of them were happening on a regular basis, even using the historical services that they used in the past to try and prevent that, other common account takeover prevention services. So then they did a POC with us and we essentially solved it for them, right? We caught significantly more account takeovers; I believe during the POC it was about 500 per day that we were able to catch that they weren’t able to catch before. And it’s a huge amount of economic value for them because people are trying to break into the Dropbox accounts to get access to something else, right? So some people store, like, their bank passwords and stuff on Dropbox or sensitive documents like Social Security cards and stuff like that.
Dan: So once you get into that, then you can do the next stage of identity fraud on other websites and actually get money and steal things from other people, right, the next stage of the fraud. And then additionally, because we’re open and we offer it via API, they also solved other different problems using the same exact service. For example, the second biggest problem that we helped them with was free trial abuse. So people making lots of new Dropbox accounts to basically take advantage of the storage, right? So people were storing, like, illegal content and things like that just by making a new Gmail account, creating a new account, uploading it, hosting it, posting it on some piracy website or something like that. And the techniques that people have available to them nowadays are very sophisticated. You can use a VPN to hide where you are, privacy aware browsers like Tor, etcetera, but we were able to identify those things even through changing our IP address, clearing cookies, incognito mode, Tor, all the common stuff that people use. And that signal was able to help them prevent and block all of those bad actors.
Jacob: Yeah, well, I can already say, we’re early in this conversation, but I can already say, and I know lots listening would have the same feeling whether we know it or not, we’re very thankful for folks like yourself because, yeah, it’s pretty wild, the sophistication level of some of these bad actors that are getting to and all of the new technologies that exist that help your side of things, prevention and everything like that, but also help their side of things in getting more sophisticated in how they’re going about it. And just to also back up to the numbers you shared there, the impact that has is monumental. I mean, 500 a day, saving them on different infiltration, is a huge number. But even if that was, like, five a day, any individual one of those could have a massive downstream value effect. That is pretty wild. So hats off to you. Let’s move to a couple specific products of yours, since we’re a payments focused podcast more often than not here at PayPod. So let’s talk payment fraud prevention and detection. Specifically, can you walk me through some of the ways adding Fingerprint helps protect my payments?
Dan: Yeah, sure. So essentially the problem that we solve for all of our customers, payments or otherwise, is identifying bad actors. Right? So those bad actors, what they’re trying to do is they’re trying to create multiple identities for themselves using different tools like VPN, etcetera. And we help pierce through that and actually generate an identifier that helps them. So another customer that I can talk about, Checkout, they’re actually one of our earliest enterprise customers. Back when we were only a couple of people as a startup, so they signed up, like, back in 2020, very tech forward company. So they’re using us to cross-correlate all of the payment streams going through their browser based pages to try and identify these situations, right? So what you can do is you don’t have to wait until you actually have a chargeback or failed transaction or some negative outcome. You can actually look at the behavioral patterns using the fingerprint or device ID that we provide to detect unusual patterns and prevent the fraud before it happens. Right? So usually what happens with a fraudster is they don’t know which of the stolen credit cards are going to work well. So they test a bunch of things and you’re going to see an interesting pattern where a visitor ID that we provide to you has had 2 or 3 failed credit cards, and 2 or 3 failed credit cards is already a huge red flag.
Dan: And under historical systems, you wouldn’t notice that because they’d be all different IP addresses, different cookies and everything, right? But for us, we’re able to combine them and show you that they have the same visitor ID, and then when the fourth one comes in, you can prevent it from happening, because the fourth time somebody is putting in a credit card, probably it’s a stolen credit card and they’re just continuing to test it. So it’s significantly cut back the amount of card testing that happened on their system. And then similarly, you can do the traditional methods of, after the chargeback happens, storing the visitor ID for a long period of time, because we’re also very stable over long periods of time, to go back and prevent bad actors that are able to come back just because of decay of data in other systems, right? So in other systems they might use, like, a cookie and that’s expired by then, or the IP address is rotated, or any other technique they’re using, including older, less performant fingerprinting techniques, let’s say, or device identification techniques. But because ours is so highly accurate and so stable, even 90 days, 120 days, 180 days, a year later, we are still able to catch a really high percentage of that and it helps prevent that follow on fraud.
Jacob: That’s amazing. And you read my mind and mostly answered this, but I’ll kind of double back to it just to confirm then, because one of the main questions I kind of had with identifying potential fraud was: does a user have to commit some sort of fraud once before they then are able to be detected or be potentially blocked in the future? Or are there things, and it sounds like yes, you alluded to things you’re looking for, that can detect that first time user as they’re attempting their first ever bit of fraud?
Dan: They can definitely do it. So the thing about our business, again, because we focused on API driven, very open, very flexible, is that it’s actually on the customer to do that, though, right? Like, they’ll have to implement it in the right way to detect those streams before they happen. So we have some customers doing that, the more sophisticated ones. We also have some less sophisticated customers that are using it in the traditional ways, right? Just look at the chargebacks and use it over long periods of time. So it’s on us, though, to continue educating our customers and helping them understand how to use it and solve the fraud fully from even before it happens.
Jacob: Makes sense. Let’s pivot to a hot trending area that’s come up a lot on this podcast. Within the payments world that you’re also working in, your service is really a BNPL buy now, pay later, and it’s been kind of blown up in the last few years within the financial world, really taking off. What makes a tool like Fingerprint with its level of accuracy so important to a payment system like BNPL?
Dan: So the great thing about BNPL, and they’re actually great customers for us and we have a number of them as customers, is that as newer startups, their focus is not just on reducing fraud but also growing their customer base. They’re very sensitive to friction, right? So historical techniques like two factor authentication and stuff like that, they’re like a sledgehammer trying to stop someone from doing something. But with our techniques, it’s passive, it happens in the background. The fingerprinting process happens in milliseconds, so the customer doesn’t even know it’s happening. And we can solve two things there. It’s lower friction in terms of catching the fraud, but then they can also use the identifier in the future to try and reduce steps and increase the amount of revenue that they’re able to generate. So for buy now, pay later companies, it’s very important that they maximize transactions while trying to prevent fraud. And that’s where the sweet spot, it’s like the perfect sweet spot for us, right? Essentially because you can use the identifier for either of those use cases. So if you see the identifier came back and they didn’t buy something last time, you can show them the same product again, like a personalization use case, or if you’re just trying to prevent fraud, you can also use it for the fraud use case, and it’s the same identifier that plugs into their system and they just leverage it depending on what team is actually involved. And again, maybe I’m beating a dead horse here, but that’s part of the vision of the API driven approach. You just consume it, you can collect it into your systems and then you can use it in whatever way makes sense for your business as long as it’s compliant with GDPR and everything else.
Jacob: Certainly. And I do want to eventually come back to the philosophy around the open source that you do have and the API focus. But before we do one other thing then on BNPL, because your service definitely is one that. So to give you some background, some of the people we’ve had on this show that are actively working in BNPL companies will ask and we’ll hear a little bit of trepidation or from others in the payments world, some trepidation of this is this amazing service, this amazing product, but the level of fraud that has come with it that kind of naturally came with it is maybe so high that it actually threatens the existence of the industry. And where I would look at that and say that makes sense to me, but it’s more of it means that companies like yourself that can do it at a high enough level to mitigate that risk and lower that threat is the needle BNPL needs to thread. Do you have any insight on where current fraud levels are within this world? And if they are high enough that they do threaten the industry’s existence?
Dan: Yeah, I don’t have enough knowledge in that to be able to say, like, if it’s going to threaten them. I actually think that the interest rate increases are a bigger threat for buy now, pay later than fraud, just from what I’ve read about it. But as far as I’ve seen from the customers that we’ve helped out with, right, we’ve been able to cut a significant amount of it and significantly improve their profit margins, which are very important for these businesses because they’re all leveraged to the hilt, basically, in terms of trying to maximize what they’re lending and how quickly and all those things associated with it. So from our perspective, if anyone is close to that borderline point on fraud, they should definitely be talking to us so we can help them go much more in the black.
Jacob: Yeah, certainly. Let’s pivot, or not really pivot, because we’re talking about it more or less at all points here, but to privacy and security very specifically. And as I mentioned at the beginning of this podcast, at times it feels more like a cyber security podcast than it does like a payments or anything podcast. And I’m about to use a couple terms that may definitely be a little less familiar to our audience here. But in the last year you achieved SOC 2 Type II compliance, which is kind of a big standard to hit within the cybersecurity world. So can you talk to me a little about the path to getting to that level of compliance and what that meant for your business moving forward to be able to reach that standard?
Dan: Yeah, for sure. So everything that we did with our start up is that we waited until we needed to have something to actually build something, right? So we wait till the customers ask for something and then we build it, right? So that was the case with this compliance as well. So once we started talking to bigger customers, they requested these compliances to make sure that they can cover their bases and make sure that we’re a large enough business, safe enough, following best practices. So it was actually in 2020 when we got our first request for that. We were able to delay signing the contract, or we signed the contract with a delay in when we needed to be compliant, because they knew it would take some time to get compliant. And then we just kicked off the process, got compliant, got the Type I and then got the Type II, and now it’s actually opened a lot of doors, especially with bigger customers. So we’re working on even further compliances, right? SOC 2 was the first one. Then we just got ISO, and then in the future, likely we’re going to get FedRAMP or some of the other more sophisticated ones depending on when we actually have interest from those types of customers. So essentially, from our perspective, we already were following best practices, but this type of compliance helps us prove that we’re following best practices to our customers and prospects and build confidence on their side, and then speeds up the sales cycles as well.
Jacob: Yeah, certainly gives them the confidence, that kind of stamp of “you actually are doing these things,” or “this is the body we all look to, to say, yes, you are doing this,” or “we checked and they are doing this,” so you’ve got to have it. And I love the approach of doing things, and I think it’s probably why you found such success so quickly, of “we wait till the customer asks for it.” It is a fantastic approach to make sure you’re always doing things that are actually needed, that are actually going to be value add to those folks. The flip side of security is privacy concerns. Those always go hand in hand depending which side of the coin you’re looking at. And there may be some users, I imagine, who, you know, who mean well, no intent to fraud, anything like that, and potentially don’t like that they’re able to be identified so easily in so many ways that you do. How does the company look at and handle privacy, and have you or the industry at large really ever gotten any major pushback over consumers hearing how accurately you can identify all of us and being like, “Hey, we don’t like that. Most of us aren’t trying to do anything bad. We don’t like that.” So how do you kind of handle that balance of privacy?
Dan: Yeah, no, it’s a tricky question. So first, from my side, I’m very pro privacy. Like, I’m using ad blockers and all kinds of things on my device. I’m using a VPN right now while we’re talking. So I strongly believe it’s an important thing to be able to have that. But at the same time, some minority of people are abusing those services to do bad things. So we need some method in order to fight back versus that. And I think the solution actually came with recent legislation, right? So GDPR and CCPA are both very effective in terms of defining, not from a technological perspective, but from, like, a legal perspective, what is okay to do with identifiers and cookies and all these different things and what is not okay to do. And so we just lean heavily into that. So, like, one of the most important taglines we have on our home page is that we’re fully compliant with GDPR and CCPA. So we make sure that we’re following that law very closely to try and be as private as we can in how we’re processing the data and everything, right, and make sure that our customers are also compliant, because it’s actually more on the customer to make sure that how they use the identifier is compliant with those laws. So for example, under GDPR, it’s one of the most strict laws. So you have to get consent in order to do, like, a marketing type use case. With our identifier, you don’t need to get consent to do anti-fraud because it’s for anti-fraud, right? You’re protecting your website, you’re protecting your other users. So it fits very cleanly. It works very well and is actually future proof. So regardless of how the technology changes, it’s still a good framework for how we should operate and how other businesses should operate.
Jacob: Yeah, and always great to hear that we’ve come up with some laws that actually make sense and work, and I like hearing that, kind of, with all the change that’s happened in the last decade plus in the digital revolution, that it is kind of just we’re going to go a little too far and then come back and find what really works. And that meeting, that line of let’s clearly differentiate between “we’re actually trying to protect you against fraud. We can do that. There’s no consent here,” but then not taking that same data and going on the other side and saying, “now we can use that to sell to you, to market to you,” or whatever, without your consent, and feel more like manipulation or privacy infringement or anything like that. So that’s pretty cool. The final question I want to get you out of here on is, I think you’ve referenced it a few times through this conversation, but in the past year you’ve expanded your available SDKs and open source libraries to 18. You’ve passed 18,000 stars on GitHub and have this open source model where a lot of your product is available for free use or to integrate in whatever way someone sees fit. And then you’ve got your paid subscriptions that are more internal. What’s the benefit to Fingerprint in being part of an open source community and sharing your tech in these ways instead of being that totally closed off type of business, keeping it all to yourself?
Dan: Yeah, it’s a great question. So essentially the answer is that we wouldn’t be where we are today without open source. So the company itself didn’t start as a company, but started as a hobby project by the other co-founder, Valentin. And he came up with an idea based on reading about fingerprinting online, built the leading browser fingerprinting open source library, put it out there, thousands of stars. So we know that we came from that. So we want to make sure that any future product releases and anything that we do from the research stage is first available via open source, and that gives us more information about what to do next. So if we do it in the traditional methods of let’s build a service and let’s try to get money associated with it, it’s a great approach, but the feedback loop is much slower versus let’s put this thing in open source and let’s see what people do with it, right? Let’s see what feedback we get, and we get a lot of really interesting feedback from customers. Or in this case there wouldn’t be a customer, but, like, users of the open source library. And then that informs us and then we can figure out, okay, now it’s time to build a service around this, right? So for example, our Android and iOS service started as just an open source library that we put out there, and then we saw how people were using it, what aspects they used, and then we integrated it into the main product after that initial feedback loop. So for us it’s both paying homage to how we started, but also a really great feedback loop to get information from potential customers in the future.
Jacob: Love that, and it’s definitely across a lot of different industries. That’s kind of a big debate, in a philosophical way, a company can go of going to an open source versus closed source model, and I tend to, in a lot of instances, and this one certainly, like hearing the type of approach that you’re using. I think it works well and it speaks to a lot of the success that you’ve had. So, Dan, this has been an absolute blast. For those listening who may want to follow you, learn more about Fingerprint, keep up with what you and the company have going on, where would be the best place for them to go to do so?
Dan: Yeah, I think the best method is just go to fingerprint.com and we’re fully open. You can create an account and test it out and see the full value of what we can provide.
Jacob: Wonderful. We’ll link to that and more in the show notes below. Dan, thank you so much for your time and knowledge today. It’s been a real pleasure.
Dan: Yeah, thanks a lot for having me.
Jacob: If you enjoyed this episode and want to hear more, head on over to soarpay.com/podcast to subscribe on your podcast listening platform of choice. That’s s o a r p a y.com/podcast.