
  • The identity authentication leader has taken action to extend its SIM swap detection algorithms to protect even more consumers from a fast-growing fraud scheme that easily breaks 2FA, costing victims millions in lost dollars and personal data.
  • Payfone’s patented capability is the only technology of its kind that can overcome the well-documented vulnerabilities of current 2FA methods to end SIM swap fraud for good by giving companies the ability to differentiate between fraudulent SIM swaps and suspicious ones.
  • Payfone is now calling on all financial institutions, cryptocurrency platforms, social media networks, and other enterprises to bolster 2FA with more advanced algorithms to protect their customers against SIM swap and other forms of account takeover fraud.

 

NEW YORK (September 30, 2019) SIM swap attacks continue to make headlines, with Twitter CEO Jack Dorsey becoming one of the most famous victims to date when his mobile phone number was taken over last month. Similar scams are rapidly increasing in frequency, impacting high-profile CEOs, Hollywood celebrities, cryptocurrency communities, and everyday people, as criminals take advantage of security loopholes and the vulnerabilities of 2FA (two-factor authentication) to hijack social media accounts or steal money and cryptocurrency by taking over victims’ mobile phone numbers.

 

Payfone, the world’s leading digital identity authentication provider, today announced that it is taking a stand against SIM swap attacks with real-time SIM swap fraud detection technology that has the power to end these kinds of hacks for even more consumers. 

 

The technology leverages Payfone’s Trust Score™, a real-time measure of identity confidence, and telecom intelligence signals to thwart both SIM swap and device swap fraud in real time. The patented capability is the only technology of its kind that can inform banks, cryptocurrency platforms, social media platforms, and other service providers of suspicious activity related to SIM swaps in real time, allowing them to take action to prevent illegitimate withdrawals and transactions while also making it easy for legitimate customers to transact.  

 

“Businesses and consumers now rely on 2FA to secure our most essential digital services, services that are woven into the fabric of our daily lives,” said Rodger Desai, Chief Executive Officer, Payfone. “It’s critical that we extend our technology to take a stand to fight this national threat.”

 

To carry out SIM swap fraud, hackers take over a victim’s phone number and exploit weaknesses in 2FA in order to gain access to bank, cryptocurrency, or social media accounts. Without Payfone’s advanced algorithms, enterprises with SIM swap detection technology may have visibility into the fact that a SIM swap has occurred, but they are unable to see when the event took place, which is a major factor when it comes to differentiating fraud from a legitimate transaction. With Payfone’s real-time SIM swap detection algorithms, companies can now not only see that a SIM swap has taken place, but also the proximity of the event to a high-risk transaction (for example, a SIM swap that is immediately followed by a password reset). 
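The difference between knowing only that a swap occurred and knowing when it occurred can be shown with a small policy check. This is an added illustration, not Payfone's algorithm or Trust Score; the action names, the 24-hour and 7-day windows, and the sample events are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values; the press release gives no thresholds.
HIGH_RISK_ACTIONS = {"password_reset", "withdrawal", "add_payee"}
BLOCK_WINDOW = timedelta(hours=24)   # swap this recent: hold the action
STEP_UP_WINDOW = timedelta(days=7)   # swap this recent: extra verification


@dataclass(frozen=True)
class SimSignal:
    """Hypothetical telecom signal for one phone number."""
    swapped: bool
    swapped_at: Optional[datetime] = None  # None: only the yes/no flag is known


def decide(action: str, at: datetime, sig: SimSignal) -> str:
    """Return 'allow', 'step_up' or 'block' for one account action."""
    if action not in HIGH_RISK_ACTIONS or not sig.swapped:
        return "allow"
    if sig.swapped_at is None:
        # Without a timestamp a fresh takeover and a months-old upgrade
        # look identical, so every swapped number gets the same friction.
        return "step_up"
    # Clamp negative ages (clock skew between sources) to "just swapped".
    age = max(at - sig.swapped_at, timedelta(0))
    if age <= BLOCK_WINDOW:
        return "block"
    if age <= STEP_UP_WINDOW:
        return "step_up"
    return "allow"


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample events: (customer, action, action time, last swap or None)
EVENTS = [
    ("alice", "password_reset", _t("2019-09-29T10:12"), _t("2019-09-29T10:00")),
    ("bob", "withdrawal", _t("2019-09-29T15:00"), _t("2019-06-01T09:00")),
    ("carol", "add_payee", _t("2019-09-29T12:00"), _t("2019-09-25T12:00")),
    ("dave", "withdrawal", _t("2019-09-29T12:00"), None),
    ("erin", "balance_check", _t("2019-09-29T10:05"), _t("2019-09-29T10:00")),
]


def compare(events):
    """Map customer -> (decision with swap time, decision with flag only)."""
    out = {}
    for who, action, at, swap_at in events:
        swapped = swap_at is not None
        timed = decide(action, at, SimSignal(swapped, swap_at))
        flag_only = decide(action, at, SimSignal(swapped, None))
        out[who] = (timed, flag_only)
    return out


if __name__ == "__main__":
    for who, (timed, flag_only) in compare(EVENTS).items():
        print(f"{who:6} with timestamp: {timed:8} flag only: {flag_only}")
```

With the timestamp, the password reset twelve minutes after a swap is held while the customer who upgraded a device months earlier passes untouched; with the flag alone both receive the same step-up.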

 

In addition to preventing fraudsters from accessing victims’ accounts illegally, Payfone’s patented technology enables a more frictionless and pleasant experience for good customers. Since many SIM swaps are legitimate (in 2018, there were 90 million ports and 100 million device upgrades in the U.S.), enterprises do not want to slow down the experience for customers who may have legitimately ported their numbers or upgraded their devices. By analyzing the contextual behavior and time of a SIM swap, Payfone’s Trust Score can provide a faster and easier experience for good customers while identifying potential bad actors and subjecting them to further inspection.

 

Enterprises who are interested in protecting their customers against SIM swap fraud via Payfone’s service can visit payfone.com for more information.

 

About Payfone

Payfone’s award-winning Trust Platform™ and Trust Score™ bring trust to the digital economy by enabling businesses to instantly verify customers while thwarting fraud and cyberattacks in real-time; all within a privacy-first, zero-knowledge framework. Payfone serves 6 of the top 10 US financial institutions, and leading healthcare, insurance, technology and retail companies. Learn more at payfone.com and linkedin.com/company/payfone.

 

Press Contact:
Yuka Yoneda
yyoneda@payfone.com
212.614.6927

 

In Q1 2019, some mobile network operators (MNOs) decided to stop making certain data available for inquiry to third-party identity authentication providers. This decision created concern regarding a possible gap in identity verification coverage. But was it actually a blessing in disguise? Join Payfone CEO Rodger Desai at Fraud Force 2019 on September 19th as he breaks down what companies can do to approach the situation as an opportunity to address the challenges presented by MNO data, and to implement solutions that offer higher coverage, increased privacy, and reduced operational complexity. This session will include an actionable checklist of things that enterprises can get started with today to bolster their identity authentication plans for the future. See you in Portland!


Join Payfone’s Vice President of Legal – Privacy and Products, Renata Lowenbraun, Esq., CIPP/US, for two seminars on August 22 in New York to learn more about hot topics in privacy law (GDPR, CCPA, Nevada Senate Bill 220) and how to operationalize privacy by design and privacy by default principles. This Advanced Privacy Seminar Program, facilitated by the New Jersey Institute on Continuing Legal Education (NJ CLE), is open to all attorneys and non-attorney related professionals (e.g., CPAs).

This advanced program will cover the latest information and practical steps that attorneys can take when advising clients on privacy and data protection in private practice and as in-house counsel.

• Seminar 1: Privacy Law Hot Topics (9 a.m. to 11 a.m.)
This seminar will consist of hot topics in privacy today (GDPR, CCPA, Nevada Senate Bill 220) and also include updates on sector-specific privacy laws and regulations (including HIPAA, FERPA, COPPA) affecting operations for both technology and non-technology companies. Updates on GDPR will also include a deep dive into evaluating whether and how GDPR’s long-arm jurisdiction impacts your client’s business and operations. Our experts will also conduct a mini mock negotiation to demonstrate the possible contractual pitfalls and clauses that are and aren’t acceptable.

• Seminar 2: Operationalizing Privacy (11:30 a.m. to 1:30 p.m.)
This second seminar will focus on issues associated with operationalizing privacy by design and privacy by default principles. Speakers will discuss the considerations necessary to conduct gap analyses for both new and mature privacy programs at companies, and discuss legal review considerations and suggestions to help implement change. This section of the program will also discuss and show examples of the various components of a simulated privacy program of a company.

Moderator/Speaker:
  • Renata Lowenbraun, Esq., CIPP/US, Vice President of Legal – Privacy and Products, Payfone, Inc.

Speakers include:
  • Parry Aftab, Esq., Internet Privacy and Cybersecurity
  • Doug Boykin, CIPP/E, CIPM, Solutions Engineer, One Trust – Privacy, Security and Third-Party Risk
  • Melodee Henderson, Esq., Tech/Media Counsel, CIPP/US, CIPP/E, Former Corporate Counsel with VMware, Inc
  • Dr. Robert Spangler, Associate Executive Director for IT and Operations, New Jersey State Bar Association

NEW YORK
INGEN200219
Thurs., Aug. 22, 2019
9 a.m. to 1:30 p.m.
National Opera Center
(330 7th Ave. New York, 10001)

This program has been approved by the Board on Continuing Legal Education of the Supreme Court of New Jersey for 4.8 hours of total CLE credit.

Registration for this seminar has closed.

Did you KNOW…

In addition to battling fraud and delivering better user experiences, there is one area that is becoming mission-critical to every organization: privacy.

  • Results of an online survey conducted by IBM revealed that for 78% of US respondents, a company’s ability to keep their data private is extremely important; only 20% completely trust organizations they interact with to maintain the privacy of their data. Furthermore, 60% are more concerned about cybersecurity than a potential war.
  • Improper use or inadequate protection of consumers’ personally identifiable information (PII) is not only extremely damaging to the reputation of any business but can result in significant financial losses. The 2018 Cost of Data Breach Study published by IBM found that the average total cost of a data breach rose by 6.4% since 2017 to $3.86 million. The latest reported average cost is $148 per lost or stolen record. 
  • One of the most effective ways to eliminate the risk of re-identifying personal data in the event of a breach is to employ modern identity authentication solutions that use anonymous tokens and zero-knowledge architecture (a privacy protocol where only yes or no responses are passed as opposed to personal information.) 
  • The consumer benefit of zero-knowledge is that it minimizes the need to pass personal information in order to verify identity for security purposes. That means a more secure and convenient digital customer experience which is also more private, and meets the requirements of privacy based on consumer choice and controls in addition to thwarting fraud, ease-of-use, and compliance regulations. For Payfone, ‘Privacy above all else’ is a core value and differentiator that is included in our Bill of Trust.

Are your customer identities adequately protected using tokenization and zero-knowledge protocols? To learn more, contact us to speak with an identity tokenization expert today.

Also on the topic of privacy, we recently hosted a Cybersecurity After Hours event at the IAPP Global Privacy Summit in Washington, DC. See a recap of the event here.


At first glance, calling something “zero-knowledge” may not sound like a positive thing. Since knowledge is typically seen as something that’s good, it would make sense that having less of it would be undesirable. But there are certain situations where having less knowledge is better than having more. One of the most common scenarios is where privacy is involved, and that is where the technical term zero-knowledge (which refers to a method where the yes or no answer to a question can be shared without revealing the actual details of the answer) comes into play. But before we delve too deeply into that, let’s look at a basic example of how a zero-knowledge proof works:

If a bank would like to check if a customer’s phone is in the city where an unusual transaction is taking place, then the bank, with consumer consent, can ask if the phone is in that city*. The answer should be yes or no, and the actual city the consumer is in should not be returned. For example, if the transaction is taking place in Denver, and the consumer’s phone is in Atlanta, a zero-knowledge response would be that the phone is not in Denver. It would not be disclosed that the phone is actually in Atlanta.

If you think about why you would not want to disclose the actual location of the phone, it’s because that information may be used for nefarious purposes. In a non-zero-knowledge scenario, if a criminal wanted to know where a specific consumer was, they could learn the answer by asking whether the phone is in another location. With zero-knowledge, the answer that is returned is a simple yes or no and one cannot learn something new (such as a specific location) by asking a question.

*IMPORTANT NOTE: Although this example mentions location, Payfone does not use, and has never used, location data.

Another simple example of zero-knowledge identity authentication is one we are calling Maya and the Online Wine Shop. Maya wants to purchase wine online, but there is an age restriction of 21 years old or older. Maya wants to prove that she meets the age criteria without revealing her age. She prefers that a private, simple Yes/No response definitively prove that she is of legal age. This can happen if the online wine shop has zero-knowledge architecture, which can validate her age without giving away the ‘secret’ (i.e. that she is actually 45 years old).

 

Interesting, But Why Does This Matter?

 

These two examples give us a basic understanding of what a zero-knowledge proof is and how it can help maintain privacy. In essence, zero-knowledge is a method of one party proving to another party that they know a value without conveying any additional information. So how can this be applied to some of the real-world problems that are challenging society today?

 

One area where zero-knowledge architecture is especially applicable is the realm of digital identity. With people using their phones and other devices more and more to interact online, verifying digital identities is now crucial to allowing consumers to access online services in a secure manner. Until recently, our online identities were managed in a similar fashion to how our offline identities are—by leveraging a trove of personal information such as names, addresses, social security numbers, passwords, etc. There are three key problems with this model:

 

  • These “honeypots” of personal information are not secure. And as we saw in some infamous data breaches of late, they are a magnet for opportunistic fraudsters.
  • Because these honeypots are so easy to break into, the information held within is often easily available on the black market, rendering it useless as a means of securing online identities. For example: a hacker can simply buy your social security number, type it in and pretend to be you.
  • The information held in these honeypots is also oftentimes out-of-date. Consumers change their phone numbers, move, and make other changes to their lives, and the static information in these giant databases can’t keep up.

In addition to not being secure or effective, verifying identities against these troves of static, hackable, often outdated information is a pain in the neck for consumers. Think security questions like ‘What’s your mother’s maiden name?’ While you may remember that, you might not remember the answer you provided to the question ‘Who was your favorite teacher?’ These are annoying, time-consuming authentication practices for consumers and are easily hackable by fraudsters.

 

Most digital identity experts agree that our online identities cannot and should not continue to be managed using this “old” non-secure way of doing things. So what should the “new” way be?

 

Passive, Private & Minimalist

 

Passive identity authentication, which analyzes secure, dynamic signals instead of relying on static information, is being adopted by more and more forward-thinking Fortune 500 companies. True to its name, this type of technology often removes the need for the consumer to take any action, and instead uses signals from their mobile or other device to instantly complete the authentication. Removing the consumer from the process not only takes away opportunities for fraudsters, but also makes things easier and more frictionless for users.

 

But what about privacy? In the past, concerns have been raised about how passive authentication companies leverage dynamic signals. Oftentimes, these signals come from authoritative sources, known as Identity Verifiers, such as mobile network operators or banks. The main concern around this model is that the Identity Verifiers must often pass the signals outside of their systems to the company that is doing the passive authentication. This leads to a question of whether the signals are indeed secure and private, or whether they can be intercepted during that transfer.

 

The solution to this problem lies in the fact that the company that is asking for the results of the identity verification (a.k.a. the Relying Party) really only needs a ‘Yes’ or ‘No’ answer. Is this really my customer trying to interact with me, or someone else? Does this customer meet my criteria or not? They don’t need to know any personal information about the customer beyond what is minimally required, and because of privacy, they shouldn’t want to. This is a real-world scenario where less knowledge is desired: the perfect application for zero-knowledge.

 

So going back to the example with Maya who is purchasing wine online, with zero-knowledge architecture, a green ‘Yes’ signal, indicating that Maya is old enough to purchase wine, will be sent to the wine site. The only information the wine shop will know is that she is 21 or older; her real age will never be revealed.
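The Maya and the Online Wine Shop exchange can be sketched as a signed yes/no attestation between an Identity Verifier and a Relying Party. This is an added example, not Payfone's implementation, and it shows data minimisation in the sense this article uses "zero-knowledge" rather than a cryptographic zero-knowledge proof; the class and function names, the shared HMAC key, the opaque subject tokens and the sample dates of birth are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import json
from datetime import date

# Fixed predicates only: a caller free to choose any threshold could
# narrow down the exact age with repeated yes/no questions.
PREDICATES = {"age_over_18": 18, "age_over_21": 21}


def age_in_years(dob: date, today: date) -> int:
    """Whole years between dob and today (birthday not yet reached: minus 1)."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def sign(key: bytes, body: dict) -> str:
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class IdentityVerifier:
    """Holds the personal data; only ever emits a signed boolean."""

    def __init__(self, key: bytes):
        self._key = key
        self._dob = {}         # opaque subject token -> date of birth
        self._consent = set()  # (subject token, relying party) pairs

    def enroll(self, subject: str, dob: date, consented_party: str) -> None:
        self._dob[subject] = dob
        self._consent.add((subject, consented_party))

    def answer(self, party, subject, predicate, nonce, today) -> dict:
        if predicate not in PREDICATES:
            raise ValueError("unsupported predicate")
        if (subject, party) not in self._consent:
            raise PermissionError("no consumer consent for this relying party")
        result = age_in_years(self._dob[subject], today) >= PREDICATES[predicate]
        body = {"party": party, "subject": subject, "predicate": predicate,
                "nonce": nonce, "result": result}
        return {**body, "tag": sign(self._key, body)}


def relying_party_accepts(key, response, expected_nonce, predicate) -> bool:
    """True only for an untampered, fresh 'yes' to the question that was asked."""
    body = {k: v for k, v in response.items() if k != "tag"}
    authentic = hmac.compare_digest(response.get("tag", ""), sign(key, body))
    return (authentic and body.get("nonce") == expected_nonce
            and body.get("predicate") == predicate and body.get("result") is True)


def run_maya_example():
    """Constructed data: Maya is 45; a second subject is under 21."""
    key, today = secrets.token_bytes(32), date(2019, 3, 1)
    verifier = IdentityVerifier(key)
    verifier.enroll("tok-maya", date(1974, 1, 15), "wine-shop")
    verifier.enroll("tok-minor", date(2003, 6, 1), "wine-shop")

    nonce = secrets.token_hex(16)
    resp = verifier.answer("wine-shop", "tok-maya", "age_over_21", nonce, today)
    accepted = relying_party_accepts(key, resp, nonce, "age_over_21")

    nonce2 = secrets.token_hex(16)
    no = verifier.answer("wine-shop", "tok-minor", "age_over_21", nonce2, today)
    forged = {**no, "result": True}  # a 'No' edited into a 'Yes' in transit
    forged_accepted = relying_party_accepts(key, forged, nonce2, "age_over_21")
    return resp, accepted, forged_accepted
```

The response the wine shop receives carries the predicate and a boolean but neither the date of birth nor the age, and the fixed predicate list keeps a caller from inventing thresholds to home in on the underlying value.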

 

Payfone has been using a Zero-Knowledge framework for our clients (who are Relying Parties) since 2015. By employing zero-knowledge, we are able to answer our clients’ question of whether their customers are who they say they are with either a Y/N answer or a score, and without having to pass additional and unnecessary attributes that could compromise our clients’ commitment to consumer data privacy.

 

Earlier this month, we announced that we are now extending our Zero-Knowledge architecture to Identity Verifiers and Service Providers (the companies that provide the dynamic signals that we analyze to make identity decisions). Identity Verifiers (such as mobile network operators) who are serious about protecting their customers’ data privacy can adopt our Zero-Knowledge framework to continue doing their part to safeguard customers against fraud while minimizing the amount of information that needs to be passed outside of their walls to do so. This also mitigates the risk of data leakage.

 

What Are the Benefits for Consumers, Relying Parties and Identity Verifiers?

 

The consumer benefit of Zero-Knowledge is that it minimizes the need to pass personal information about a person in order to verify their identity for security purposes. That means a more secure and convenient digital customer experience that is also more private.

 

Relying Parties can benefit by getting the answers they need to protect their customers and companies against fraud, without opening themselves up to additional data breach risks or exposure.

 

Identity Verifiers can benefit by continuing to participate in thwarting fraud by allowing passive authentication companies to leverage their signals, without having to worry about exposing their customers to data privacy risks.

 

At Payfone, we believe that thwarting fraud does not need to come at the expense of convenience or data privacy. Our Zero-Knowledge architecture is helping Relying Parties (Brands) and Identity Verifiers to manifest this belief.

If you’re interested in learning what drives our innovation around consumer privacy, please visit our Bill of Trust, and watch our webinar about Zero-Knowledge and driving better, more secure customer experiences.

Companies benefit from expanded U.S. coverage and efficacy of digital identity verification without sacrificing consumer data privacy  

 

NEW YORK (March 1, 2019) Payfone, the world’s leading digital identity authentication network dedicated to bringing Trust to the digital world based on their consumer-first Bill of Trust, announces that it has expanded its digital identity verification coverage to 90% of U.S. adults for all active mobile, fixed and non-fixed VoIP and landlines.* Additionally, Payfone is extending its Zero-Knowledge architecture, a privacy safe haven first introduced in 2015, to now include Authoritative Identity Verification partners, such as mobile network operators and financial institutions.

 

These two milestones represent major developments in the identity authentication leader’s strategy to harmonize trust, privacy and consumer experience in the digital world, and extend these benefits across the United States. This expanded reach means that Payfone can extend its KYC/AML identity verification and fraud prevention solutions to even more people, which is critical as more and more consumers rely on mobile devices as their primary form of interacting with businesses and each other.

 

To learn more, click here to join Payfone on March 14 at 1pm ET for a webinar on how to put privacy first with Zero-Knowledge architecture.

 

“Over the past few years, Payfone’s commitment to fraud prevention has led us to focus on bringing these benefits to all individuals in the U.S., including the underbanked. Digital KYC and AML services need to be available to all, including those with pre-paid phones, those who are on family plans, and even those with small business and corporate phones,” said Rodger Desai, CEO and Co-Founder of Payfone. “As we continue the journey in 2019, we plan to expand our reach by adding coverage for lifeline phones, hybrid WiFi-Cellular plans, as well as eSIM.”  

 

In addition to expanding coverage, the sharing of Payfone’s Zero-Knowledge architecture raises the bar for consumer data privacy for the entire industry. Zero-Knowledge architecture enables a Relying Party to verify a claim, such as age, through Payfone without personal information being passed back, stored, or aggregated.

 

“We have been using Zero-Knowledge for our customers (Relying Parties) since 2015,” explained Desai. “Now we are extending our Zero-Knowledge architecture to Service Providers and Authoritative Identity Verification partners to accelerate the modernization of the industry’s ecosystem. Thwarting fraud does not need to come at the expense of data privacy.”

 

“The telecom industry and American public are currently plagued by robocalls, SS7 attacks, SIM swap scams and porting fraud,” said Michelle Wheeler, Payfone SVP of Industry Relations and CTIA board member. “Solutions like this, which allow consumers to participate in the digital economy without fear of getting scammed or worrying about their data privacy being compromised, are welcomed news for the industry.”

 

For more information, see the interview between Payfone CEO Rodger Desai and David Birch of Consult Hyperion about the impact of Zero-Knowledge on consumer data privacy. We also invite you to join us on March 14 at 1pm EST for a webinar on how to put privacy first with Zero-Knowledge architecture.

 

*Based on independent third-party data studies with Fortune 500 companies in the fields of Financial Services, Healthcare, Insurance and Retail.

 

About Payfone
Payfone’s mission is to bring Trust to the digital world and enable enterprises and their customers to enjoy experiences that are fast, frictionless and fraud-free. Payfone’s award-winning Trust Platform™ and Trust Score™ give enterprises the power to give their customers safer and better digital experiences by issuing real-time Trust Scores. Our zero-knowledge Trust Platform™ orchestrates the verification of identity claims with an ecosystem of authoritative partners within a privacy-first framework. Payfone provides digital authentication services for 6 of the top 10 financial institutions, and leading healthcare, insurance, technology and retail companies. Learn more at www.payfone.com and linkedin.com/company/payfone.  

 


 

Payfone’s CEO and Founder Rodger Desai recently sat down with David Birch, Director at electronic transactions consultancy Consult Hyperion, to answer the ‘tough’ questions about industry challenges and how Payfone’s ‘call to arms’ regarding Zero-Knowledge can really impact the digital world.

 

  1. Birch: Can the different interests of convenience, public safety, privacy, security, and capitalism really co-exist?

 

Desai: Yes, these interests can co-exist; in fact, in our view, they must. Security and the desire for convenience should not override privacy, but you can’t have privacy without security. And since laws and regulations lag technology, GDPR and CCPA may not capture the full scope of the privacy protections consumers require. It comes down to having a strong set of principles that guide how products are built and used. Payfone’s Bill of Trust is our set of principles that we use to guide our actions that go beyond what may be required by regulators today.

 

  2. Birch: So, you don’t advocate using personal data without consumer consent in the name of fighting fraud?

 

Desai: Our view is that even with compliance obligations such as KYC/AML, GLBA exceptions and the GDPR’s notion of Legitimate Interest, consumers expect to always be informed, have the collection of their personal information limited to only what is minimally required, and their consent collected.

 

  3. Birch: Please tell me that privacy isn’t dead.

 

Desai: No, that is a common thought every time technology advances. Privacy is a constant renegotiation of the boundaries between individuals and society. History has shown that if society overreaches, innovation and personal rights suffer.

 

  4. Birch: So this is the idea behind the Zero-Knowledge service that you can deliver to mobile operators, banks, insurance companies and other industries?

 

Desai: We think Zero-Knowledge is key to the way businesses will work with each other in digital. Gone are the days where the industry needs to aggregate personal data and somehow protect it. Our mission is to accelerate the digital economy to a world where privacy is not compromised, while protecting from fraud and cyber-threats. Service Providers such as mobile operators and financial institutions play a critical role in the ecosystem, and Zero-Knowledge can allow them to participate safely.

 

  5. Birch: Would this have helped with the recent report that U.S. bounty hunters were accessing the location of mobile phones?

 

Desai: Yes. While we have never used mobile operator location data at Payfone, there are important and legitimate cases where location can help protect consumers. If a bank would like to ask if a customer’s phone is in the city where an unusual transaction is taking place, then the bank, with consumer consent, can ask a Service Provider if the phone is in that city. The answer should be yes or no, and the actual city the consumer is in should not be returned or revealed. That’s Zero-Knowledge.

 

  6. Birch: Some mobile operators have decided to change the way they share data in response to the location issues. Will this affect you or the industry?

 

Desai: As we just announced today, due to the sophistication of our platform and our focus on redundancy and inclusion, we have many authoritative identity verification partners. We cover 90% of U.S. adults across mobile, VoIP and landline, even pre-paid, family plans, and businesses. Additionally, since we tap into core telecom infrastructure, the way the mobile operators themselves do, we are less reliant on mobile operators directly.

 

  7. Birch: Do the mobile operators have a role in Payfone’s next-gen stack?

 

Desai: Yes, especially with the need to thwart SS7 attacks, SIM swaps, robo calls and spoofed calls. These are among the top complaints the FCC receives from consumers. Mobile operators are adopting Zero-Knowledge protocols which will help prevent fraudulent activities, modernize their processes and protect their subscribers and customer data even further.

 

  8. Birch: This seems like an important step on your journey. Where is this journey taking you next?

 

Desai: We have been on a journey to accelerate the industry to a world that fulfills our Bill of Trust. Today the focus is on expanding our coverage and Zero-Knowledge. Later this year we will introduce new tools for consumers to take control of aspects of their mobile identity. It’s time to create additional tools that accelerate self-sovereignty.