Fraud Prevention Strategies by Andre F. of Incognia

Navigating the Future of Fraud Prevention in Digital Banking with Incognia’s Andre F.

Episode Overview

Episode Topic:

In this episode of PayPod, host Kevin Rosenquist sits down with Andre F., CEO and co-founder of Incognia, to explore the future of mobile identity solutions and digital security. The conversation dives deep into the concept of location intelligence, a cutting-edge method for enhancing user security without compromising on user experience. Andre explains how analyzing device behavior and location patterns can help distinguish legitimate users from fraudsters, offering a seamless yet secure experience for app users. This discussion also touches on the limitations of traditional security measures, like two-factor authentication (2FA), and highlights the potential of real-time user recognition to improve both safety and usability.

The episode further explores the challenges and opportunities in the evolving landscape of fintech and digital payments. Andre shares his insights on the need for innovation in security measures, especially as real-time payments become more prevalent. He also discusses the importance of transparency and user education in building trust in new technologies. Listeners will gain a comprehensive understanding of how companies can strike the delicate balance between robust security protocols and maintaining a smooth user experience in today’s fast-paced digital environment.

Lessons You’ll Learn

Listeners of this episode will learn about the innovative strategies employed by Incognia to enhance mobile security and reduce fraud. Andre F. explains the importance of location intelligence in the fintech sector, providing insights into how this technology can identify suspicious activities and prevent unauthorized access without creating friction for the user. You will discover why traditional methods like SMS-based two-factor authentication are increasingly viewed as inadequate and how modern solutions can provide superior protection.

Additionally, Andre shares valuable lessons for entrepreneurs in the tech space, discussing the critical importance of resilience and adaptability in business. He emphasizes that while technology and innovation are essential, understanding customer behavior and maintaining a transparent relationship are equally important for success. This episode is packed with actionable advice for both fintech professionals and aspiring entrepreneurs who want to stay ahead in a competitive market.

About Our Guest

Andre F. is the CEO and co-founder of Incognia, a leading provider of mobile identity solutions designed to enhance security and streamline user experience. With a background in computer science and extensive experience in the tech industry, Andre initially started as a tech enthusiast but found his niche in bridging the gap between technology and business. His expertise lies in translating complex business problems into tech solutions, making him a key figure in the fintech community. Andre’s innovative approach to leveraging location intelligence for fraud prevention has positioned Incognia at the forefront of mobile security technology.

Apart from his professional endeavors, Andre is also a mentor with Endeavor, a nonprofit organization that supports high-impact entrepreneurs. Having benefited from mentorship early in his career, he now dedicates time to guiding the next generation of tech entrepreneurs, emphasizing the importance of resilience, creativity, and strategic thinking in overcoming business challenges. His unique blend of technical know-how and business acumen makes him a compelling voice in discussions around digital security and entrepreneurship.

Topics Covered

This episode covers a range of topics centered around digital security, fraud prevention, and fintech innovation. Key topics include the limitations of traditional security measures, such as SMS-based two-factor authentication, and the advantages of using more advanced techniques like zero-factor authentication. Andre F. explains how location intelligence and device recognition can create a seamless, secure user experience, highlighting the critical role of these technologies in protecting sensitive information without adding unnecessary complexity for the user.

The discussion also touches on the broader implications of real-time payments and the need for financial institutions to adapt quickly to emerging security threats. Andre provides a comparative analysis of digital security practices between Brazil and the U.S., shedding light on why some regions are more advanced in adopting secure technologies. Other subjects include the importance of user education and transparency in building trust and the role of mentorship in fostering entrepreneurial growth within the tech industry.

Our Guest: John Tucker 

Andre F. is the CEO and co-founder of Incognia, a pioneering mobile identity solution provider specializing in fraud prevention and enhancing user experiences for digital platforms. With a robust background in computer science, Andre started his career as a tech enthusiast, delving into software development and cybersecurity. Over time, he transitioned into a more strategic role, leveraging his technical knowledge to solve complex business problems. His ability to bridge the gap between technology and business has been instrumental in developing innovative solutions that leverage location intelligence to distinguish legitimate users from potential fraudsters. Under his leadership, Incognia has become a key player in the fintech industry, known for its innovative approach to security and user experience optimization.

Beyond his role at Incognia, Andre F. has been actively involved in the entrepreneurial ecosystem as a mentor and advisor. He is affiliated with Endeavor, a global nonprofit that supports high-impact entrepreneurs. Having benefited from mentorship in his early career, Andre is committed to giving back by helping other entrepreneurs navigate the challenges of building and scaling a tech-driven business. He is passionate about fostering innovation and resilience in the startup community, emphasizing the importance of learning from failures and staying adaptable in a rapidly changing market. His mentorship focuses on guiding entrepreneurs through the complexities of fundraising, business development, and market strategy, offering insights drawn from his own experiences in the fintech space.

Andre’s journey from Brazil to the United States has also provided him with a unique perspective on the global fintech landscape. Moving to the U.S. four years ago, he was surprised by the technological gaps he observed, especially in digital security practices compared to those in Brazil. This realization fueled his mission to advocate for more secure and user-friendly authentication methods. He has been vocal about the shortcomings of traditional security measures, such as SMS-based two-factor authentication, and has championed the adoption of more advanced techniques like zero-factor authentication. Andre’s work at Incognia reflects his commitment to improving digital security standards worldwide, ensuring that businesses can protect their users while maintaining a seamless user experience.

Episode Transcript

Kevin Rosenquist: Hello, welcome to PayPod, where we bring you conversations with the trailblazers shaping the future of payments and fintech. My name is Kevin Rosenquist. Thanks for listening. With location intelligence, a company can analyze device behavior and location patterns to create a unique identity profile for users, thus distinguishing legitimate users from fraudsters without requiring additional inputs from the user. Pretty cool, huh? But how does it work? Today I’m chatting with Andre F., CEO and co-founder of Incognia, a mobile identity solution for apps that increases conversions and reduces fraud by enabling real time recognition of trusted users. He sheds light on the idea of location intelligence, the shortcomings of two factor authentication and mentoring young entrepreneurs. Joining me now, Andre F. So we all want and expect a high level of security and fraud protection on our phones, our computers, any device. But we also hate when it’s a hassle. We love to complain about when that stuff gets in our way from our whatever it is we’re trying to do at that particular moment. How do you manage that delicate balance between implementing stringent security measures to prevent fraud and maintaining a smooth, user friendly experience?

Andre F.: Yeah, well, this is interesting because I’d say one of the key questions here is which of the two do we want more. Right. Yeah. And one thing I saw, I think it was two years ago or so, was I was analyzing some of the opt in rates for the use of 2FA on some of the major like internet platforms. And what I found was quite interesting. Like the first one was Twitter now X, and I saw that the number of users that used some form of MFA on their platform was less than 2%, which was quite surprising.

Kevin Rosenquist: Wow, that is surprising.

Andre F.: Right. So if someone takes over your account on that platform, they can basically like start scanning people and posting whatever they want. So it’s not the type of account that you want to lose. The second was Gmail accounts, and we saw that less than 10% of the users have enabled MFA. I think it was like 2020 or something like that. So the conclusion I got to when I saw this was that, like, people are more worried about user experience than security, but there are many applications that they need to provide more security because it’s core to their business. Right. So if you’re a bank, if you’re an e-commerce company and you don’t offer security to your users, in the end of the day, you’re going to pay for. That’s right. Like users are going to call you. They’re going to sue you, and you’ll end up having to give their money back. So I’d say these type of companies are the ones that are most challenged because nothing’s going to happen if you lose your Twitter account. Right. Twitter is not going to pay you anything because of that. It’s just going to be.

Kevin Rosenquist: Elon’s not going to throw some money at us. Come on.

Andre F.: I don’t think so. I don’t think so. But the big will right. So these are the companies I’d say are the most challenged with this issue, which is how do you balance user experience and security. And there are multiple ways to address this. There’s new technology that enable these companies to do this, but to be honest, most of them have been moving very slowly. Another example now from the financial services industry is that I’m originally from Brazil. And I moved to the US about four years ago. And I had a very interesting experience because everyone was coming to this country. They come with the impression that, like, everything is extremely advanced and the technology is on another level. But when I try to open my first few bank accounts, I was impressed because most of the banks were still relying on SMS, so they were texting me like a six digit code to verify my identity. And it’s been probably ten years that I’ve seen this in Brazil, like most of the financial institutions were already using other forms of authentication that were more secure, more user friendly.

Andre F.: So when I saw that, I was like, okay, let’s do the following. Let’s do a research and try to identify what is the penetration of SMS based authentication in the financial services industry in Brazil and in the US. And that’s as compared to and it was quite impressive. We did this survey in 2021. And what we found was that less than 2% of the top 100 financial institutions in Brazil still used SMS for authentication purposes. And here, over 75% were still relying on SMS. And there are multiple problems with SMS. The first one is you can intercept SMS at scale. You can literally buy a it’s legal. It’s not a legal thing, but you can buy an antenna that basically scans all the SMS traffic and in the surroundings, and you can literally read everything that’s being texted from one device to the other. Some of these might be the six digit codes that you use to access your bank account. So you can do that. Well that’s terrifying.

Kevin Rosenquist: I don’t want people reading my texts. Andre. Like what? Yeah. What? That is.

Andre F.: Possible.

Kevin Rosenquist: Oh. Like that?

Andre F.: So. Yeah, that is possible. The other thing is, you can scam the telco operator to migrate the line to your SIM card. So you can literally, like, take over someone else’s phone number. And if you do that, you’re able to take over this person’s bank account. So, yeah, I was quite scared to see that still, 75% of the top financial institutions in the US relied on that. So clearly, they’re not moving as quickly as they should to not only upgrade their defenses, but also to improve the user experience. Because for me, honestly, this is the worst possible method of authentication because they need to go there, get the code, type it again, etc. It’s not a great experience from a security standpoint. It’s terrible. So yeah.

Kevin Rosenquist: I mean, I did that. I had that sound from a major financial institution. I’m not going to name names, but a major financial institution. And I had to log in and I was on a different I think, I think I was just on a different like Google profile. It sent me a code to my text. And I mean, it’s today. So like you’re so you’re saying that they were far behind when you got here four years ago and it’s not getting much better.

Andre F.: No, it’s not, but there’s one thing that I believe was the primary reason for the financial institutions in Brazil to move forward more quickly, which was real time payments. So currently in the Brazilian market, real time payments represent the vast majority of payments. It’s already bigger than cash and credit cards combined. And basically, this means that you can transfer money from one bank account to another instantly, with no limits. On one hand, this is great because it’s like it accelerates cars, it boosts the economy, etc. On the other hand, from a security standpoint, it’s quite scary, right? Because you can move money right away. There’s not going to be anyone to reveal that transaction.

Kevin Rosenquist: Yeah. There’s no intermediary making sure it’s legit. Yeah, yeah.

Andre F.: And there’s no way to revoke that transaction. You can’t say like, oh, that was a mistake. I want my money back. So from a fraud standpoint, that is quite scary. But the thing is, sometimes you only solve problems when they become very latent. Right. And this is what happened. This was launched in 2020. The banks were like they were really impacted by fraud. And they had to move very quickly to upgrade their defenses. And so, the financial institution there, they had to move away from, for example, SMS and they started adopting more secure technologies. And currently, the fraud rates are actually very low because they all had evolved in that direction. So I believe the same is going to happen here in the US once real time payments become more prevalent. And there are few initiatives that are going on like FedNow and RTP etc., that might send the financial services industry in that direction.

Kevin Rosenquist: Let me talk about location Intelligence. So that other aspect of what you guys do, you can analyze device behavior and location patterns and create a unique identity profile for users, thus distinguishing legitimate users from fraudsters without requiring additional inputs from the user. Did I explain that well? Yeah. Perfectly correctly. Could you elaborate on how device and location signals help in creating a unique user identity?

Andre F.: Yeah. Yeah. So I’d say the key insight behind this idea is that for every online interaction or transaction, we have to do this from a physical device and from a physical location. And so we thought that if we understood these two things really well, we would be able to very precisely determine what is risky and what is not. So, for example, let’s say someone is trying to open a bank account, right? So they downloaded a mobile app and they’re trying to open an account first. If we’ve seen this device trying to open other accounts in the past, that’s not normal behavior, right? Like, why are you trying to open three, four, five accounts at the same institution using different identities and using the same device? So that’d be the first thing we would check for. The second is, as part of the process, you have to share some information about you, right? So one of these data points would be for example like oh we need to scan your driver’s license. And one of the data points that we have on the driver’s license is the physical address of that individual. Right. So what we can do there is we can look at the location signals that we’re collecting from that device to determine the likelihood of that device living in that physical address. Right? So for example, we see that 85% of bank accounts that are open on mobile apps are open when the user is currently at home, which means that the real time location of that device is going to match that physical address perfectly.

Andre F.: Right. So the likelihood of that being a legitimate account is much higher if we see that. So this is the kind of thing that we look for when we’re trying to determine risk. But we are also able to use the same data to identify the bad behavior. Right. So for example, one of the things we see a lot is very high concentration of devices in the same place. What is that? Well that’s probably like organized crime right. Like a fraud ring that has access to multiple devices. And these people are finding vulnerabilities in the systems of different financial institutions or e-commerce merchants and things like that. And once they identify these vulnerabilities, they start exploiting them. So, for example, if there is a vulnerability related to creating accounts on a food delivery platform, for example, and for every new account, you get a 20% coupon to make your first purchase. Well, I can eat for free if I find that right. So I can start creating one account after the other. And in placing orders that are below $20 and I can eat for free for the rest of my life, right. So people do that. And this is the type of behavior that we identify. Well, we’ve seen multiple accounts being created from the same physical location before. So we’re not going to allow any new account to be created from this place. Same applies to devices, right? If we see the same device trying to do the same thing over and over, that’s not the type of behavior we expect from a good user.

Kevin Rosenquist: So given the apprehension and sometimes even fear that people have regarding being tracked, is location intelligence something that people are nervous about in your experience?

Andre F.: It depends. If they don’t know why this data is being collected, they’re certainly going to be apprehensive and they’re not going to want to share, right? So we. One interesting experiment we’ve run was with the same app. We had a group of users that would receive that like classic pop up, asking for the user to share location. And the pop up would not say anything. It was just like the app wants to collect your location for that first group. We saw that less than 20% of the users were willing to share that information. Then the second group, we sent the same pop up, but we explained why we wanted to collect that data. In this case, it was a. By the way, a food delivery app and the food delivery app said, we want to collect your location data to be able to verify your identity and protect your account. And then we saw 95% of the users saying yes, exactly, exactly. So when you’re transparent with your user and they understand how the app is going to use this data, they’re way more willing to share the information. So I think that’s the most important thing is like if you’re using it for a good purpose, tell your user, right. Obviously there are some apps that are collecting location data for other purposes. They’re not necessarily going to make people comfortable. So these apps are not good to share. But if the use case is like security and fraud prevention, like, most people are more worried about having their bank accounts and their credit card information stolen than having their location information be available to the app.

Kevin Rosenquist: If someone travels a lot, does that confuse things? Does that make it difficult for, you know, the location to be consistent enough to not kind of screw them up if they were trying to access their information or their accounts?

Andre F.: Yeah, that’s a great question. And I’m actually a great example of a user that travels a lot. So if it’s working for me, I’m confident that that’s working for other people. But basically the way it works is, given what we’re looking at, two things at the same time, it tends not to be a problem. Right. So we’re looking at the device and the location. So if you’re traveling it means that the location is changing but the device is still the same right. The device is coming with you where very rarely you will forget your phone before taking a plane. Yeah. Somewhere. Right. So the only scenario.

Kevin Rosenquist: Crippling, wouldn’t it? That would be like this. Oh yeah, I couldn’t even function anymore in this day and age with that.

Andre F.: Exactly. Well, you would probably not. Not even be able to board the plane. That is.

Kevin Rosenquist: Yeah. You’re right.

Andre F.: You would have the QR code, right. But assuming that this happens. Right. You forgot your phone. You got on a plane, you arrive somewhere else, and only then you realize, oh, I forgot my phone. This would be a scenario in which we would be confused, right? Because we would see a whole new device in a completely different location trying to log into your account, we would say, well, this is probably somewhere else, someone else. But in these cases, the user can still like use other ways to authenticate themselves to that application. Worst case, you would need to call the contact center and say like, hey, I forgot my phone. I was on the West Coast. I’m on the East coast. It’s me.

Kevin Rosenquist: I swear it’s me. What exactly is the 2FA? Is that good? Like, is that something, for example, you know, like if I’m logging into something like my Google account from somewhere, I get the little thing on my phone, all I gotta do is hit, yes, it’s me and I’m able to get in, no problem. Same thing with, you know, sometimes with streaming apps and whatnot. Is that a good way of doing it? A good way of authenticating?

Andre F.: Yeah, it depends on the method. Right. So for example, SMS is something to avoid as much as possible if you have the ability to use something else. This other thing would always be better than SMS.

Kevin Rosenquist: Like the authenticator app and stuff like that.

Andre F.: Exactly. Authenticator apps are much better from a security standpoint. Email like even if instead of sending like the six digit code to your phone number, like if they send it to your email. It’s already much better from a security standpoint. So yeah, it really depends on the method. Like the most secure is usually the one that also creates most friction. So for example, hardware tokens like. That’s probably the most secure thing you could use. But then you need to be like. Carrying these like USB sticks around with you all the time. Right. So it’s not the most user friendly. But yeah.

Kevin Rosenquist: I didn’t even know what that was. So hardware token would be actually like a physical drive or device that you carry. That is your. Oh wow. Okay. Yeah, that’s probably not in the cards for a lot of people.

Andre F.: Exactly, exactly. So that’s probably the most secure. But that’s a lot of friction I’d say. Yeah. Authenticator apps are probably the best choice for the regular user because, yeah, it’s more secure than SMS. The user experience is very similar to any form of like 2FA, but ideally but this is not dependent on the user. Ideally, the app uses some form of what we call zero factor authentication, which is basically authenticating you behind the scenes. Right. So collecting some data signals from your device so that they can determine what is the likelihood of that being used. So for example location is one of those. Device recognition is another. Right. So like us we don’t change our phones very often. Right. I think the average here in the US is every two and a half years for example. Right. Which means that we’re going to be holding the same device for some time. So that is a great signal, right? If you’re always logging into your bank account, for example, from the same device, we don’t need to ask for that six digit code all the time because it’s still the same device. Right. And even if it’s a new device, one interesting thing we see with location is that about 95% of new devices are set up when you’re at home, which means that even if we don’t know that device yet, but we know the behavior of your old device, we’re able to see. Well, even though this is a new device, this user is at the place with the safest place for that person, right? Which would be their home. So we can verify that new device right away without the need for 2FA or any kind of friction.

Kevin Rosenquist: Okay. If somebody is doing a location tracking or whatever you call it is there is it all automated? Is there ever a time when a hand gets involved, or is it all happening behind the scenes?

Andre F.: There’s only one moment in which the hand gets involved, which is in this case, the user, which is to allow the user location or not. Right. So the first time we ask you, like, do you allow us to use location authenticating or to secure your account, etc.? Once the user says yes, there’s nothing else required from that individual. So from that moment onwards, we’re going to be collecting this data behind the scenes and verifying like okay, this, this is doing you etc. So I’d say the most important thing here, particularly when it comes to privacy, is that ideally all the platforms should do what we decided to do, which was we don’t collect any personal information, so we don’t have their names, their phone numbers, their email addresses like Social Security numbers, anything like that. The party who holds the personal information about that individual is our customer, in this case, the bank or the merchant. But we don’t have that data, right? So what we do is our customer creates a unique identifier for that user. So they’re probably going to encrypt your email address for example, or your phone number. They will send that encrypted information back to us.

Andre F.: And this is how we understand that we’re talking about the same person, but we don’t know if this is John or Andre. We don’t know if it’s a man or a woman. All we know is that this is the device linked to this unique identifier that is randomized. And by doing that, we’re protecting both our customer and our user in an important way. Because the reality when it comes to security is that the only data that is really secure is the data that you don’t have, because it’s a matter of time for every platform to be breached and eventually for this data to be exposed. Right. So if we don’t have the names of our users, for example, and eventually a data breach occurs, it will be very hard for people to tie these location signals back to a person, right? Same applies to our customer. If something happens on their side and there is a data breach on their side, like, okay, the personal information of their users is gonna leak. But they didn’t receive any location data because we are storing that part, right. So we’re basically creating this wall between like the location data and the personal data.

Kevin Rosenquist: Well that’s good. I mean, that should help people, people’s, you know, hesitancy to accept something like this as long as they know it, like you talked about before, it’s just being transparent and it’s about educating and all that. And I think that, you know, I mean, it’s understandable. We get asked all the time if we want to share our data. The funny thing is, and we’ve talked about on this podcast before with other guests, is it’s like, I mean, how quickly do people just hit agree? Agree. Agree. Agree. Agree. Agree. Agree. When they’ve got something on their phone or their computer, they just want to get to whatever they’re looking for. And it’s like. Like we pick and choose what we’re going to be, what we’re going to be freaked out by. Like, someone might hear what you do and be like, oh, I don’t want anybody tracking me. But yet they’re doing some shady card game that they got. They got and they’re, you know, they’re like, oh yeah, I’ll, I’ll buy some more, some more tokens so that I can, I can play, you know, spades or whatever. So it’s funny that sort of a catch 22 with people that their comfortability level just just varies by person.

Andre F.: Yeah. Yeah. I remember a story of a, I think it was a flashlight app that later on was, was revealed that the app was, was, was basically stealing data from their users, and they were asking for every type of information that was completely unrelated to flashlight. They weren’t asking for location. They were asking for it. Yeah. Access to your microphone, like, why do you need access to my microphone to improve the flashlight experience? Yeah. Right. Yeah. But yeah, later on they were caught. They were selling like data, hundreds of millions of users because it was a free app. A lot of people downloaded it and it was launched even before the operating systems offer their own flashlight apps. So a lot of people have downloaded this. Yeah.

Kevin Rosenquist: What a great tool. Yeah.

Andre F.: A lot of weird things can happen in apps that seem like they’re not would not be a threat.

Kevin Rosenquist: So this is the third company you founded.

Andre F.: Yeah. We could consider the third is still kind of the same company but it went through different iterations.

Kevin Rosenquist: Are you a tech guy or are you a business guy who has good tech people around him?

Andre F.: It’s interesting. I started as a tech guy. So yeah, my background is in computer science, started very, very early. But yeah, eventually I realized that I was better at translating business problems to the tech people. So today I consider myself more of a product guy. Actually, I kind of sit in between tech and in business trying to facilitate the conversation because, yeah, sometimes the engineers have a hard time understanding the business people and vice versa.

Kevin Rosenquist: Yeah, that’s for sure. I saw you’re a mentor with Endeavor as well, a nonprofit that helps high impact entrepreneurs dream bigger and scale faster. How did you get involved with them?

Andre F.: Yeah, actually, initially I got involved as one of the entrepreneurs receiving help and mentorship from others that were more experienced. Really, really great institution. Like they’ve been very helpful in like during the toughest times in our journey and yeah. Now, now it’s great to be able to give back and help other entrepreneurs. So yeah, that’s essentially how it works. Like most of the people who are like helping the newer entrepreneurs, like they started just just like me. And after gaining some experience, they started helping the others, so it’s been a great experience.