Who is faking location? Featured Image

Who is faking location?

Location spoofing poses a threat to apps that rely on location to service their users. Learn more about who spoofs location, why, and how to detect it.

 

 

 

 

Location spoofing is a pressing trust and safety concern for location-based applications. Andre Ferraz, CEO and Co-founder at Incognia, and Felipe Cerqueira, Global Head of Operations for Rappi, joined a webinar with ISMG to talk about how location spoofing works, who’s taking advantage of it, and how platforms can detect it.

Key TakeAways

  • Bad actors can use easily accessible location spoofing tools to fake their location for personal or financial gain
  • Location spoofing fraud can affect gig economy apps, online marketplaces, social media platforms, dating apps, and gaming
  • There is location technology that can detect various forms of location spoofing and block the responsible devices

How does location spoofing work? 

In the ISMG webinar, Ferraz explains that location spoofing first became popular with recreational users with the release of Pokemon Go in 2016. Certain rare types of Pokemon could only be found in certain geographic locations, such as Central Park in New York City.

Players would download a GPS spoofing app or put their phone into developer mode in order to spoof their location to specific places enabling them to collect rare Pokemon, sometimes selling them to other players in violation of game policies. 

While this usage of spoofing may not have the most dire consequences by itself, it  popularized location spoofing and drew the attention of bad actors looking for ways to make money quickly.

Andre shares, “This was the moment when location spoofing became popular…the fraudsters identified an opportunity and started using it to run scams for financial gains.” 

One of the most appealing aspects of location spoofing as a fraud or policy abuse tool is how accessible it is. iOS and Android OS both contain a feature called “developer mode,” which enables users to change their device’s location data.

The intention of this feature was to allow developers to test geo-restricted app functions from anywhere in the world. Unfortunately, this feature also became popular among bad actors because it doesn’t require a high level of technical expertise to leverage. For an even easier location spoofing solution, dozens of legitimate GPS spoofing apps are available through Google Play and the Apple App Store. 

How location spoofing is used to commit fraud 

In order to maximize profits, bad actors will rarely restrict themselves to just one type of fraud technique. Location spoofing has a variety of fraudulent use cases across different industries, including food delivery apps, gaming, social media, and others. 

For example, in the online gaming space, location spoofing can be used to facilitate player collusion on poker apps. Three players in the same location can spoof their locations to appear different before joining and manipulating an online poker game. The other two players, who aren’t colluding and don’t know that three players are working together, stand to lose their money unfairly. 

On the gig economy side, bad actors use location spoofing to get paid for work they never did. In food delivery and ride-hailing apps, swindlers use location spoofing to artificially inflate the distance traveled during a delivery or ride, or to make it appear like they are near a new job when they aren’t, leading to logistics complications and user experience issues. In extreme cases, drivers may use spoofing to get paid without even leaving their home. When scaled to a coordinated operation like a fraud farm, these scams can be incredibly lucrative. 

The importance of location spoofing detection 

Location spoofing schemes still fly under the radar despite evidence of volume.  As Ferraz explains, “On average, we see that about 1.9 million location events are spoofed [on delivery apps] per month…So there is volume there.”

Felipe Cerqueira adds, “It's easy to understand that performing identity checks is a big thing for us [at Rappi] and location spoofing is a big part of that. We have users faking their location on the platform, just like Andre said, for their own benefits. Therefore, one of our challenges is to be one step ahead of those users by mapping the latest identity falsification trends. And that's where Incognia comes in.” 

He further explains that Rappi has seen location spoofing used in a variety of ways, from unauthorized account sharing to fake order generation. These types of policy abuses and fraud could have serious impacts for a company if left unchecked. 

Luckily, spoof-resistant location technology does exist. As Ferraz describes in the webinar, Incognia uses a combination of location fingerprinting and device intelligence to deliver risk assessments and also determine whether a given user may be spoofing their location. From there, Incognia’s partners can decide whether they want to block those users and locations or challenge them to prove their identity. 

Location verification works by using a combination of signals like GPS, Bluetooth, and WiFi to create a unique fingerprint of frequented locations for each user that opts-in. The first step in the location verification process is to check the integrity of each device by checking the presence of GPS spoofing apps and scanning for app tampering tools and emulators as well as other techniques used for location spoofing. 

Ferraz concludes the webinar with this key takeaway: “If you want to leverage location signals for identity and security purposes, you need to make sure that you have strong location spoofing detection capabilities.” 

This blog post is a commentary on the webinar and Mobile Identity Mavericks episode #2. Listen to the full episode on your favorite podcast player:

Apple Podcasts     Spotify Podcasts

 


 

This is an audio transcript of the Webinar: ‘Who is faking location? The bad actors using location spoofing to swindle geolocation-based apps’.

You can watch the full webinar here, or listen to the podcast on Apple and Spotify.

 

Andre Ferraz

Hi, everyone. I'm your host Andre Ferraz, co-founder and CEO at Incognia. Welcome to Trust and Safety Mavericks, a show focused on topics related to online trust and safety and riding the next big wave. Welcome. This episode was originally a webinar hosted and recorded by ISMG. Our host, Tony Morbin, helped conduct the session, and we invited Felipe Cerqueira, global head of operations at Rappi, one of the top food delivery players in Latin America. The topic of the conversation is location spoofing. In July 2022, Incognia had published an insights report on novel fraud schemes using location spoofing to target delivery apps. But why is location spoofing so important? Fraudsters spoof their location to take advantage of location-based services to swindle trusted users, food delivery companies, restaurants, gamers, and even people looking for a date. In addition, location spoofing is a way to hide fraud farms, which are large-scale fraud operations. Want to learn more about location spoofing and how to fight back against this particular type of scam? Listen to this Trust and Safety Mavericks episode.



Tony Morbin

Hello. My name is Tony Morbin, executive news editor of ISMG. I'm your moderator for today's webinar,  “Who is faking location?” How are fraudsters using location spoofing to attack location-based apps? So let's jump straight into the questions. Andre, can you tell us a little bit more about location spoofing? How exactly does it work? 

 

Andre Ferraz

Absolutely. Thank you, Tony. Location spoofing is being used by fraudsters in many cases simply because they want to hide their true location. They don't want to be found. There are new fraud schemes that have been using location spoofing as an entry point, and here I'm going to share a little bit more about these issues. During the conversation, we're going to talk about some real-world use cases. For example, one interesting case is from the online gaming space. Let's imagine a poker game. If you have a poker table with like five people, for example, and three out of these five are colluding to try to manipulate that game, they can play it in a way that the other two that are not participating on that scheme will lose their money.

 

How does location spoofing come into something like this? The three players that are trying to manipulate that game, they will be at the same location, and they would be using location spoofing techniques to show to the application that they are actually in different places, otherwise they would be blocked. That's an example of location spoofing being applied to fraudulent activity, in this case in the online gaming space. But this applies to other things as well.

 

Another topic that we're going to talk about here more specifically is delivery services and also ride-hailing—applications that rely on location for logistical purposes. And what happens here is that, for example, on the driver's side, there are incentives for these drivers to make longer rides. For example, a rider would use location spoofing to show to the system that they've made a very long ride, so they would make more money. But they actually didn't even leave the place they were—that's another possibility here.

 

Some of these drivers could use location spoofing to show that they are at a certain location, where prices tend to be higher, for example, near airports. They would accept the ride, they would never show up. But if they accept the ride and the user doesn't arrive to their car, they would still make some money. So they could be sitting at home using location spoofing to accept the number of rides. They would never take anyone anywhere, but they would still be making money. Then the other thing is around fraud farms. When there is systemic type of fraud, a more organized type of fraudulent activity, we see that many of these processes are using location spoofing techniques to make it harder to be found. The authorities, they usually get access to data from e-commerce companies and banking institutions. And once they analyze the data, they see the location information, they're not able to correlate that to a single place from which that fraudulent activity is happening.

 

In this case, by detecting location spoofing, we're able to identify the true location in which the fraudulent activity is happening, and then we can block that in a way that makes the life of the fraudster harder. 

 

And finally, the last category here would be social and dating platforms. Location spoofing is being used usually to enable these people to create fake accounts and to access content from specific regions. For example, one of our customers is a social media company, and they have been struggling with this issue around misinformation and fake news and hate speech, et cetera. One of the ways they found to attack this problem was by leveraging location signals to identify that multiple accounts were being accessed and created from the same location. It was not a coincidence that so many phones and so many accounts were related to the same place. In that way, they can relate all of those accounts, and by linking all of those accounts, they're able to detect these bad actors, take down their accounts, and block them from creating new accounts in the future.

 

Same applies to dating. We've even seen some documentaries on Netflix talking about Tinder and the types of scams that were going on on platforms like that. The same concept could be applied here. Once you identify the bad actor, you leverage location signals to block that particular place so that that person is not able to access the service anymore, even if they buy new phones and do things like that. Getting more technical here, there are basically five ways in which fraudsters are spoofing their location, in which they're hiding their true location. The first one is related to IP-based geolocation. With the IP address of a user, you're able to locate them, usually down to the city level. It's not super precise. You can identify which city that person is, but you're not able to identify, for example, in which street or in which building that device is located. But still, fraudsters are able to spoof that type of information. For example, if a fraudster from a different country, let's say North Korea or Russia, is trying to attack a financial institution in the US, they could use a proxy or VPN to show an IP from the US. The banking institution would not flag that as suspicious, but they are actually somewhere else.

 

They're committing this fraud from a different location, a different country, a different jurisdiction. That's the first part here, which is the most basic type of location spoofing. But when we're talking about mobile applications, then these applications are able to get a lot more accurate information about location because they have access not only to the IP addresses, but also to the GPS information. The operating systems, both Android and iOS, they enable developers to access data from the GPS. There is an issue there which is, for these developers, the two platforms. They have decided to build a feature that enables developers to test their applications as if they were in different locations. Why was this created? Because there are many global apps that have different functionalities depending on the country. So, for example, if we look at a ride-hailing company like Uber or Lyft, they have different policies for different countries. In the US, for example, you can only pay with your credit card, but in countries like Brazil, you can pay with cash. You have to have different versions of the same application running for different locations. If I'm a developer working on that application, and I'm currently located in California, but I'm developing a feature for the Brazilian version of Uber, I need to have a way to test that feature that I just developed.

 

That's what was built by the operating system so that the developer can test their applications as if they were in different locations. That's a feature, but unfortunately, that feature is being exploited by bad actors to spoof their location information. The most popular form of location spoofing when it comes to GPS is the use of GPS spoofing apps. Anyone could go to the App Store or Google Play Store. If you search for fake GPS or GPS spoofing, for example, you're going to find a number of applications that enable you to spoof that information. It's a very accessible type of tool that anyone can use. You don't have to be a hacker in a basement with a hoodie. Anyone can do it. It's super accessible for fraudsters. That's why it's so popular. 

 

A side note here is that one of the apps that popularized the use of location spoofing applications was actually the gaming app from Pokemon called Pokemon Go. And the reason why it popularized this type of application was that in certain locations you could find specific types of Pokemon that were more valuable, like Central Park in New York, for example. People from all over the world would spoof their location to show that they were at Central Park. Then they would be able to capture those Pokemon. That was the moment in which location spoofing became popular and everybody started downloading these apps, and then the fraudsters identified an opportunity with that and started using it for malicious purposes.

 

GPS spoofing is the most popular form of spoofing for GPS data, but you also have emulators, instrumentation tools, and app tampering as other alternatives for fraudsters to spoof this type of information. Finally, just to build more data points here, talking more about delivery apps, on Incognia’s network, we have identified a number of users spoofing location information. On average, we see about 1.9 million location events that are being spoofed. And we have identified that in the same month, about 13,000 devices were generating location data with spoofed information. So there is volume there. Basically, we're talking about potentially 13,000 fraudsters or hackers that are finding ways to commit fraud in these delivery applications. This is a single industry in a specific region and we're able to see high volumes. Finally, just a quick explanation on how Incognia is able to detect location spoofing and identify the true location of the user.

 

The main thing we do is we create what we call fingerprints. So instead of relying on the OS-level location information, we capture data from other sensors like WiFi, Bluetooth, even a GPS, and we combine all of those things, creating the equivalent of a fingerprint for each location. For example, in this place there's a unique set of WiFi signals and Bluetooth signals that don't exist anywhere else. We create a fingerprint based on that. If we identify a mismatch between the WiFi and Bluetooth data and the GPS signal, we know that there is GPS spoofing going on. Other things we do are the device integrity checks, which are basically analyzing if there are misconfigurations on that device, or if there are apps that are used for this type of malicious purposes. If we identify this type of misconfiguration or suspicious apps, we would flag that device as suspicious as well. We would potentially block it where we would not use the data that is coming from that device. 

 

Then finally we have the concept that we call watchlist, which are devices, locations, networks that we flagged as suspicious once we identified that there was fraudulent activity related to it. If the fraudster comes back to us, we would re-identify them even if they're using different devices, because the location will be the same. We would identify that location as a fraud farm, which is very prevalent because most of the fraudsters are professionals. They do that for a living, they do that recurrently. And once we identify the place in which they operate, we force them to move out. We make the operation more expensive, more complex, and they usually go away to try to defraud other institutions.

 

That's all I had for today. Happy to dive into the questions. Thank you. 

 

Tony Morbin

Certainly. And that's really fascinating because I must admit there were some applications that I hadn't thought of. And of course, there's more applications using location, you can have even more use cases. In fact, I just thought of one, which is here in Europe, we have Pay TV, which you can often get free to air from another territory if you spoof your location. Can you also tell us a little bit more about what you found from your new insights report on location spoofing fraud?



Andre Ferraz

Yeah, absolutely. The first thing is that there is a lot of volume. It's incredible how many people are leveraging these techniques for different purposes. Some of them are using it to access content that they shouldn't have access to, like the example you just gave. In the entertainment and media industry, that's a big problem. In industries like food delivery, for example, there are these abuses related to incentives. Overall, every fraudster is trying to hide their true location. 

 

That’s why the volumes are so high. They don't want to be found. If you identify location spoofing, you are a few steps away from actually catching that fraudster. And that's the most important piece, because once we identify the bad actor, we need to make sure that we're able to block them over time so they don't come back, because that's the issue. There's always going to be fraud. You will never be able to bring fraud to zero. But if we're able to block repeat fraud, repeat bad actors, you're able to have a much safer environment for your customers. 

 

Tony Morbin

And Felipe, Andre suggested there that Rappi has had a challenge with location spoofing. Can you tell us a bit about that?

 

Felipe Cerqueira

Yes, of course. As you mentioned during my presentation, Rappi has a number of users. It's easy to understand that identity check is the big thing for us and location spoofing is a big part of it. We have users faking their location in the platform, just like Andre said, for their own benefits. One of our challenges is being one step ahead of those users and mapping the latest identity falsification trends. And that's where Incognia comes in. Not only are they helping us keep the pace of new trends, of new spoofing trends, but most importantly, through their services, we are better able to identify fraudulent access. In terms of examples, we have a big range of scenarios, from simple fake GPS to elaborate device fingerprint hacking. 

 

Andre mentioned the Pokemon Go example and as a matter of fact, we have actually learned from their experience and we have made some changes based on lessons learned from Pokemon Go, which is, as Andre mentioned, when it became popular. One of the most simple examples that we have is users checking in at a certain location when they're not actually there. They do it so they can, for instance, close an order and move to the next one as fast as possible. In a more elaborate example, on top of that previous one, it's when they do it with multiple accounts being accessed in the same device so they can optimize their performance on their platform. In an even more elaborate example, they do it by hacking the device fingerprint features that we currently have, so it gets even harder to track. 

 

An interesting variation of this sort of fraud is when couriers, partners and users, collude, creating a fake order to speed up their earnings. If they can spoof their location, they're able to do it faster and close more orders in a shorter period of time. A different kind of example, which is actually where Incognia is helping us more, is users that lend their accounts to other people, which impacts very negatively on the safety of the whole environment. They basically emulate their location in their default locations, let's say when they normally log in. They do it to avoid the security check features that we have, and then it's easier to just lend an account to someone else.

 

Tony Morbin

Yes, I can see how you could be using that, basically spoofing your behavioral analytics. Andre, what sort of other examples have you got regarding the impact of location spoofing in other industries for companies and trusted users?

 

Andre Ferraz 

Perfect. When we talk about fraud, all of these different schemes could be reduced to two main issues, which are one, the ability to create fake accounts or multiple accounts and two, the ability to access multiple accounts. 

In almost every industry, when it comes to things like digital commerce and digital banking, etc., they have to deal with this type of problem. Location spoofing comes in because it makes it more scalable. For example, if I'm trying to create multiple accounts on a banking platform —because the purpose here is to launder money with these fake accounts—what would I do? Well, I would have access to multiple IDs. Some of these could be fake IDs, some of these could be stolen IDs. There were multiple data breaches recently, so this data is out there for sale. When I start the application process at a bank to create my account, one of the data points that this bank wants to check is that this person is located in this country. That's the most basic thing they want to verify. If someone is trying to open a bank account in a bank that is based in the US, this person should be here. The fraudster could be anywhere else in the world, and if they were using location spoofing, the bank would recognize them as if they were in the US, so they would probably have an easier process for opening their account. That's one of the ways in which a fraudster could leverage location spoofing to open multiple accounts. They could be in different locations. They could be doing that. Some banks are a little bit more sophisticated, so they check not only if you are in that country, but they would actually validate your address information. For example, when you scan your driver's license, your home address is right there. Some banks try to match that to the GPS location of that phone to see if you are actually near or at that address. 

 

If the fraudster is using GPS spoofing tools, they could spoof the location information to show as if they were at that address, so the bank would allow them to open that account. Making sure that the location data that you're analyzing is trustworthy, it's legitimate, that’s really important, so you're able to identify these accounts and tell the difference between a legitimate account and fraudulent activity.

 

That's for account opening, that applies to banking, but it applies in the same way to food delivery. When you're onboarding a driver or courier to your platform, you want to make sure that you can trust that person. You want to ask for some information so you can validate them. For example, one good thing would be to understand the user's phone number, their name, but also their address. That's another way to verify that if you don't have protections for location spoofing, they could open bank accounts. That's the first piece, creating fake accounts.

 

The second part is related to accessing multiple accounts. There's a lot of social engineering going out there. There are many fraudsters that are able to convince end users to share their credentials, like passwords and one-time passcodes, for example. Once they have access to that data, they're able to take over your account. This applies to banking, food delivery, online commerce, gaming. Every digital application that stores some kind of value is a target for this. For example, the courier apps, these people have a balance there that they can transfer to a bank account. So if I take over an account of a courier, I could change the banking information and I could withdraw the money that's on that balance to my account instead of the account of the owner of that app. For us access to multiple accounts, you can use location to identify what we call device farms, right, or fraud farms. But if you don't have protections for location spoofing, it's not going to work.

 

You have to be able to identify the true location. You see from this single house, for example, or from this single location, we're seeing 10, 20, 30, 50 logins a day. That's not normal activity. We should be expecting much less. If we identify this very high activity in terms of accounts being accessed—and it could be from a single device, it could be from hundreds of devices—but the location would be the thing you would be able to block. Having access to spoofing-resistant location information would enable you to stop these bad actors from doing this. Essentially, that's a proxy for identifying good and bad behavior, so that you can stop the creation of multiple fake accounts of systematic account opening in the same way you can stop the fraudsters from accessing accounts that they don't own. 

 

[intermission music playing]

 

Tony Morbin

As well as enterprises, banks, sounds like a great tool for law enforcement. Might even provide evidence for their [criminal investigations]. How exactly does Incognia detect fraudsters spoofing location? 

 

Andre Ferraz

 

Perfect. So the first part is, as I said, the device integrity check. We want to make sure that we can trust the device. For example, if we detect that that's not a real device, it's actually an emulator, that's something we would block. If that device has some misconfiguration or some privileged access, for example, like root, in that way we would identify that device is risky—not necessarily as a bad actor, but there is a higher risk that that person could spoof location. Besides analyzing the device's configuration, the other thing we do is to analyze the applications that are present on that device. If we identify that there is a GPS spoofing application there, that's a very strong indicator that that person could be spoofing location. Same applies to identifying app tampering tools. There are applications that enable you to create multiple instances of the same app. You can clone the app, so you can access multiple accounts at the same time from that same device. Identifying these app tampering tools and also instrumentation tools is very critical because these applications give a lot of power to the user, so they can tamper with the source code of the application, and once you're able to do that, you can do pretty much everything. 

 

Being able to detect these suspicious patterns is the first layer of defense. The second layer is mostly around analyzing network information. We want to identify if the user is logging in from an IP address that was flagged as suspicious in the past. If we see that again, we would probably block that user or at least flag them as suspicious. We also use the WiFi information. If those users connected to a WiFi router that was used by fraudsters in the past, that's probably a fraud farm. Finally, we also use the WiFi scanning and Bluetooth scanning to fingerprint the location and to identify the true location of that device. When we compare that location information to the GPS data, if there is a mismatch, we identify that there is location spoofing.

 

It's a mix of analyzing network information, analyzing sensor data, and analyzing the configuration of the device and even the applications that are installed on that device. It's a cat and mouse game. Fraudsters are always changing their techniques, so you have to be ahead because they move quickly.

 

Tony Morbin 

Felipe, do you want to add to that?

 

Felipe Cerqueira

I wanted to ask you about this cat and mouse situation. One of the cool things that Incognia is doing for us is that you're helping us to keep pace of the trends, and how do you do that? How do you make sure you are one step ahead of everyone, of the fraudsters? 

 

Andre Ferraz 

Perfect. That's super challenging. It requires a lot of research. Another thing that helps a lot is that we are working in many different industries. We have customers in the banking space, we have social media companies, we have gaming companies, we have food delivery, e-commerce and we also act in different geographies. We have operations in the US and Latin America, Europe, Southeast Asia. What's interesting is that we are watching different things in different locations and in different industries, so usually, we see the transition. As an example, about two years ago we started seeing a trend in Latin America of fraudsters using bots on social media to social engineer users to give away their credentials. The way it happened was if you followed the social media page of a bank, a bot would follow you back and their name would be very similar to the bank. [The username] would be a typo or something like that, so the user wouldn't even notice. The logo was the same so the user would think that that was the bank starting the interaction, and the initial conversation seemed legit. The bot would ask you for feedback, “How's it going? How do you like our application? Please provide feedback. Please rate us on the app store.”  The user wouldn't find that suspicious. 

 

But at some point, the bot would send you transaction information asking if you made that transaction because they flagged it as suspicious. That immediately puts the user in a state of mind of vulnerability because they would be concerned, like “Someone is trying to steal from me.” Then the bot would start asking questions, “Okay, if this wasn't you, this was probably fraud. We need to check your account. We will need to log into your account to analyze more information. So I need you to share some information with us.” Then the bot starts asking for information that will eventually give the fraudster the ability to take over that user's account. It's a pretty sophisticated type of attack. It started in Latin America two years ago, and recently we started seeing the same type of attack happening in the US with fraudsters trying to take over the user's account so they could send money using Zelle, which is an instant payments platform that is present in the US.

 

We saw that transition, and now that we're being asked by US banks for this, we already know how to solve that problem. The opposite has happened recently in which we saw certain activity from fraudsters spoofing location in US institutions, in which they were using that to validate their address information while applying for a bank account. Then we started seeing that happening in emerging markets a couple of months later. Being present in so many different industries and so many different geographies enables us to identify these issues earlier and then apply the learnings to all of our customers. 



Felipe Cerqueira

I understand that you're foreseeing some trends coming from one place to another, right? When Incognia sees new fraud types coming in, how do you work on that? How do you approach your customers? How do you approach your teams to tackle it?

 

Andre Ferraz

Perfect. That happens in two ways. The first one is we're very close to our customers. One thing we decided to do was to focus on very large accounts—companies that handle millions of customers—because then we can have a closer relationship with them. With every customer, we have recurring meetings to understand how the product is performing, and if there are new types of fraudulent activity happening. Once we learn something new and we implement that to our platform, then we update the product for all of our customers. We go back to them and say, “Here's an update. You need to update the integration for this version if you want to protect your application from this type of attack. This is how it works, etc.” There's a lot of collaboration between our teams and our customers that enables us to learn more quickly and apply these learnings to everyone. Scale is super important here. Being able to be present in multiple industries and multiple geographies is really what enables us to move quickly in regards to that and this close relationship that we develop with customers is key.

 

Felipe Cerqueira

Thanks for replying.

 

[intermission music playing]

 

Tony Morbin

We're talking about preventing spoofing to protect the end users and to protect the organizations. But what about when you get a legitimate end user who is the subject of investigation? It turns out that they are legitimate, but their given location is PII. So, does Incognia know where the users are? Are you invading their privacy?

 

Andre Ferraz

Perfect. That's a very important question. With Incognia, even the name of the company stands for anonymity, right? It comes from the Latin word incognito, which means a person in disguise. What we're building here is a digital identity that is a proxy for you to access online services while protecting your personal information, your real-world identity. We're able to build this digital identity based on device information, so that includes all of the device fingerprinting techniques that we apply, but also the location fingerprinting techniques that we use. But we don't need to really know who's that person, so we don't have access to their name, we don't have access to their email address, their phone number—anything that can help someone reach out to that person in the real world is not ingested by our platform. Even the location data itself is anonymized. Because what we really need is to analyze the location data relative to the user's legitimate behavior. We don't even need to know where you are in the world. What we need to know is if you are at a location that you go frequently, and if you are at a location that you go frequently, the likelihood that this is you is very high.

 

We're able to let these users experience a frictionless authentication process, so they don't need to type passwords, they don't need to scan their faces, they don't need to go through many hoops to verify their identity. But if we identify a mismatch or that the user is at a location that was used by a fraudster in the past, for example, we would flag them as suspicious, and we would challenge them to prove their real identity. If it's a good user, they're going to pass that challenge. If it's a bad actor, they will be blocked. Being able to do that without really knowing who that person is is critical to us, because matching personal data that can identify you with location information could be dangerous. That's why we have this clear separation between device-related information and personal data. The personal data doesn't come into our servers. We only analyze the device-related information.

 

Felipe Cerqueira

A big thing about fraud is ensuring that we use our features or fraudulent features, generating the least friction possible to legitimate users. And this is one of the things that Incognia is helping us with, and I know it's helping the market as well. It's having more valid information before making the decision to actually generate a very big feature like a selfie liveness and stuff like that. We can read Incognia’s information before doing so and then we can have a more seamless, smooth experience for our customers and users.

 

Andre Ferraz

Yes, the topic of friction, that is very critical because today the standard behavior from these applications is to challenge everybody. Even if you're logging into your account from the same device that you always use, from the same location that you're usually at, when you use that service, they will always ask you for the password.  Sometimes you forget that password. Sometimes you don't have access to your wallets where you store this type of information, for example. That friction could lead to the user saying, “Well, I'm not doing this now, I'll do it later,” and they end up not buying your service. That's bad for the business.

 

Friction makes users go away. Especially now when we start seeing more and more applications implementing password list authentication, offering a better user experience, we're starting to see users transitioning. They want to move away from more bureaucratic institutions that ask a lot of questions to institutions that offer a more frictionless experience. Being able to ensure that you can trust that user by analyzing those signals is critical because you also don't want to bring security down. You want to maintain security or improve it while you enhance the user experience.

 

Tony Morbin

Andre, if you want to just give us any key takeaway that you want the audience to get out of today's webinar.

 

Andre Ferraz

I would say that the key takeaway here is that—especially if your company or service is present on mobile applications—location is a signal that can help you do a lot. That can help you deliver a frictionless experience. That can help you enhance security. Prevent fraud. But only if you make sure that you are protected from location spoofing, because the fraudsters already know how to do it. It's really accessible. If you want to leverage location signals for security purposes, you need to make sure that you have strong location spoofing detection capabilities. Otherwise, instead of enhancing your security controls, instead of improving the user experience, you could be actually opening a security vulnerability on your application. It’s important to be aware of that because it's a very strong and valuable signal, but it has to be carefully implemented so it doesn't create more problems than you have today.

 

I hope you enjoyed this episode of Trust and Safety Mavericks. Subscribe to our show to be notified about every new episode and follow Incognia and me, Andre Ferraz, on LinkedIn and Twitter.