AI transcript
0:00:02 – Hello everyone,
0:00:04 welcome back to the A16Z podcast.
0:00:06 Today we’ve got a special episode
0:00:08 covering a timely piece of news
0:00:11 that quite frankly, I wish we were not reporting on.
0:00:12 In case you missed it,
0:00:14 this week there was a reported breach
0:00:17 of nearly three billion records,
0:00:19 but not just any records.
0:00:21 Headlines included, quote,
0:00:23 “Billions of social security numbers exposed.”
0:00:25 Or even, quote,
0:00:28 “Did hackers steal every social security number?”
0:00:30 Naturally, we wanted to bring in the experts
0:00:32 to break down what really happened here
0:00:34 and its expected impact.
0:00:37 So joining us today are Joel de la Garza
0:00:38 and Naftali Harris.
0:00:41 Joel is an operating partner in A16Z,
0:00:43 who was previously the Chief Security Officer at BOX.
0:00:45 And previous to that,
0:00:46 the Global Head of Threat Management
0:00:49 in Cyber Intelligence for Citigroup.
0:00:50 Naftali on the other hand,
0:00:52 is co-founder and CEO of Sentilink,
0:00:55 a company that helps block identity theft and fraud
0:00:57 for hundreds of financial institutions.
0:00:59 At a scale that might make you wince.
0:01:02 – We verify over a million people every day.
0:01:03 – Incredibly enough,
0:01:05 Naftali’s team was actually able to get their hands
0:01:06 on the breach data set.
0:01:08 And we’re actually in the room as we were recording.
0:01:10 So you’ll hear Naftali reference them,
0:01:13 as they were poking and prodding to validate the claims.
0:01:16 Listen in as we explore the who, the what, the when,
0:01:17 the where, the why,
0:01:20 but also how a breach like this happens
0:01:21 and what we can do about it.
0:01:24 – You watch these markets,
0:01:26 like this has been going on forever.
0:01:30 You can see the fraudsters talking about this on the forums.
0:01:32 – Social security numbers are the kind of things
0:01:33 that don’t change, right?
0:01:34 You get one when you’re born
0:01:36 and you’re stuck with it for a while.
0:01:38 – Yep, you’re in this breach.
0:01:39 You’re in the breach.
0:01:41 And probably all three of us are, frankly.
0:01:43 – As a reminder,
0:01:46 the content here is for informational purposes only.
0:01:47 Should not be taken as legal, business,
0:01:49 tax or investment advice,
0:01:51 or be used to evaluate any investment or security
0:01:53 and is not directed at any investors
0:01:56 or potential investors in any a16z fund.
0:01:58 Please note that a16z and its affiliates
0:01:59 may also maintain investments
0:02:02 in the companies discussed in this podcast.
0:02:03 For more details,
0:02:04 including a link to our investments,
0:02:07 please see a16z.com/disclosures.
0:02:16 – So Joel, Naftali, this was a pretty crazy week.
0:02:18 I got a Slack from one of our coworkers, Joel,
0:02:20 that was like, have you seen this social security hack?
0:02:22 And I had not at that point.
0:02:25 And that is a pretty, you know, frightening message.
0:02:27 So why don’t we just take a second
0:02:30 to recap what actually happened here?
0:02:33 What was this breach and what data was potentially at risk?
0:02:35 – Yeah, so just when you thought
0:02:36 there wasn’t any more information
0:02:37 to leak out into the world.
0:02:39 And then there’s always a surprise
0:02:41 that there’s still more data to come out.
0:02:44 And so this week we saw there was a third party company
0:02:46 that collects all this information
0:02:49 and uses it for things like validating your identity.
0:02:50 And so they have your name,
0:02:52 your social security number, your address.
0:02:54 They also have nicknames.
0:02:56 And it seems like they had it for all U.S. citizens
0:02:58 as well as all Canadian citizens.
0:03:00 So this is larger than just the U.S.
0:03:02 – So I’m not safe as a Canadian?
0:03:05 – Well, I can’t save you this time, unfortunately.
0:03:07 And so these hackers somehow came
0:03:09 about getting this information.
0:03:12 And then they tried to sell it on the dark web
0:03:13 and there weren’t any takers.
0:03:15 Nobody wanted to buy it because like I said,
0:03:17 I thought all this stuff was already public.
0:03:19 And so when they couldn’t sell it,
0:03:20 they just released it for free.
0:03:22 And so now there is this hundreds
0:03:25 of gigabyte file out there on the internet
0:03:27 that encapsulates data about all Americans
0:03:28 and most Canadians.
0:03:30 So there you go, that’s what happened.
0:03:32 – Oof, when I read the articles yesterday,
0:03:35 it seemed like this was alleged reporting.
0:03:38 People weren’t sure confidently per se
0:03:40 that this was billions of data points,
0:03:42 including social security numbers.
0:03:45 How sure are we that is the data that was hacked?
0:03:47 – Well, Steph, I can answer that quite confidently
0:03:49 because we actually have it.
0:03:51 So we found it ourselves on the dark web.
0:03:53 And so to fill in a little bit of the timeline here,
0:03:54 so National Public Data,
0:03:56 which is the company that had the breach,
0:03:58 they reported that the hack itself happened
0:04:00 in December of 2023.
0:04:02 And then it got released onto the dark web
0:04:05 on a place called breached forums
0:04:08 by some hacker named Fenis or Fenise.
0:04:09 If I mispronounced your name,
0:04:11 please don’t come after me.
0:04:14 But that person released it on August 6th
0:04:15 and we got a copy ourselves.
0:04:18 And so we looked through it and yeah, it’s as reported.
0:04:22 So there’s names, dates of birth, addresses.
0:04:24 The data, I would say is like relatively messy,
0:04:26 relative to some other data breaches that you sometimes see,
0:04:29 but no, we’re confident and it’s true
0:04:30 because we literally have it.
0:04:32 – Jeez, and so when you say it’s messy,
0:04:34 so like if there’s a name
0:04:35 and there’s a social security number,
0:04:37 are those linked and are those linked to email
0:04:39 or any other fields that might be in there?
0:04:40 – Yeah, I’ll give you an example
0:04:41 of the way in which it’s messy.
0:04:45 So for example, the first six records
0:04:47 all correspond to the same individual,
0:04:49 a woman from Alaska,
0:04:51 but they have different variants on her name,
0:04:53 including like nicknames and stuff like that.
0:04:56 I believe it’s across two different addresses that she had.
0:04:58 That’s one level of messiness.
0:04:59 One other way that the data is messy
0:05:03 is about 10% of the SSNs are obviously fake.
0:05:06 Like they begin with three zeros or four zeros.
0:05:09 So the data is not as clean as it could be,
0:05:11 which is obviously a good thing,
0:05:13 but there’s no question there’s a lot of bad stuff in there.
0:05:15 – You’ve obviously accessed the data set.
0:05:18 How long did it take you to actually get access to it?
0:05:21 – What’s that, sorry, how long did it take us guys?
0:05:23 Literally on August 6th.
0:05:25 My God, you guys fucking believe this team?
0:05:28 Unbelievable, incredibly proud of my team here.
0:05:30 We already got it like the day it was released.
0:05:31 – And maybe for the listeners,
0:05:32 give us a little insight.
0:05:34 When you get access to a data set like this,
0:05:36 what are you looking at, right?
0:05:38 ‘Cause I mean, obviously this is not your first rodeo.
0:05:40 – Yeah, when we first get a data set like this,
0:05:41 the first thing we’re trying to do
0:05:42 is just understand like what’s in it.
0:05:45 So we’ll take a look at the first couple of thousand rows
0:05:47 and just understand what fields are present
0:05:50 and where does it look like the data set actually came from,
0:05:53 how common are the different fields?
0:05:55 So for example, for this particular breach,
0:05:57 phone number is mostly missing.
0:06:00 It’s mostly like name, address, social,
0:06:02 date of birth is sometimes in there, sometimes not.
0:06:05 For example, we looked at the Evolve data breach
0:06:07 from about a month or two ago
0:06:11 and that one had information on ACH transactions
0:06:14 and balances across different fintechs and stuff like that.
0:06:16 And so, you know, that led us down
0:06:17 a different sort of path of inquiry.
0:06:19 – And just for folks listening
0:06:21 who aren’t spending time on the dark web,
0:06:24 how easy is it really to access the data set?
0:06:25 – It’s relatively straightforward
0:06:26 if you know where to look
0:06:29 and like we’re also by far not the only people doing this.
0:06:30 I mean, I think as of this morning
0:06:34 we’d seen 26,000 views on breach forums for the thread.
0:06:37 So like the fraudster community is looking at this
0:06:38 and we’ve seen this there,
0:06:40 we’ve seen it on Telegram, we’ve seen it on LeakBase.
0:06:42 It’s just, it’s all over the place.
0:06:44 And so if you know where to look, it’s not that hard.
0:06:46 Obviously, folks like the three of us
0:06:47 don’t do this every day,
0:06:49 but for fraudsters or for infosec professionals,
0:06:50 you can find it.
0:06:51 – That’s not reassuring,
0:06:53 but I mean, it’s the answer I expected.
0:06:56 – I would say that this is probably one of the big wins
0:06:58 for sensible regulation around breach disclosures.
0:07:01 Like I think having worked in this space
0:07:04 since before there were breach disclosure requirements,
0:07:05 these things were always happening
0:07:07 and no one talked about them
0:07:08 and consumers were just oblivious.
0:07:10 And I think that knowledge is power
0:07:12 and making consumers aware of what’s happened
0:07:13 with their data is super important.
0:07:15 And this is one of those cases
0:07:17 where I think forcing disclosure around breaches
0:07:19 makes the world a safer place
0:07:21 and makes people respond to them
0:07:24 and handle them in a correct way.
0:07:26 – We’re gonna get to how this happens
0:07:28 and obviously its impact,
0:07:30 but maybe we could just get a sense for scale.
0:07:33 I mean, when I heard this, it felt bigger,
0:07:36 but I’m a layman, I hear about breaches all the time.
0:07:38 And so how would you actually characterize
0:07:41 maybe like the magnitude or importance
0:07:43 of this particular breach?
0:07:45 – In terms of magnitude,
0:07:48 so it’s 277 gigabytes of data uncompressed,
0:07:50 which is a lot.
0:07:51 That’s across two different files,
0:07:54 which totals 2.7 billion rows.
0:07:56 Now, some of the reporting you’ve seen in the media is like,
0:07:59 oh, this is on three billion people
0:08:00 who had their identities stolen,
0:08:02 which is fortunately not the case.
0:08:04 As I mentioned, there’s a lot of duplicates there,
0:08:06 but they’re 2.7 billion records.
0:08:08 It’s literally a CSV file.
0:08:10 And so each row is some different piece of information
0:08:12 about an individual.
0:08:15 Now, we haven’t gone through the full file,
0:08:16 but based on sampling,
0:08:21 we think about approximately a third of the records are unique.
0:08:23 And so if you run the math on that,
0:08:25 it’s high hundreds of millions of people.
0:08:26 But again, we’re not completely sure
0:08:27 because we haven’t seen the whole thing.
0:08:30 So I’d say hundreds of millions of individuals confidently
0:08:32 and 2.7 billion records.
0:08:35 – Hey, it’s Steph.
0:08:38 You might know that before my time at A16Z,
0:08:40 I used to work at a company called The Hustle.
0:08:42 And then we were acquired by HubSpot,
0:08:44 where I helped build their podcast network.
0:08:46 While I’m not there anymore,
0:08:48 I’m still a big fan of HubSpot podcasts,
0:08:51 especially My First Million.
0:08:55 In fact, I’ve listened to pretty much all 600 of their episodes.
0:08:56 My First Million is perfect for those of you
0:08:59 who are always trying to stay ahead of the curve,
0:09:00 or in some cases,
0:09:01 take matters into your own hands
0:09:04 by building the future yourself.
0:09:07 Hosted by my friends, Sam Parr and Shaan Puri,
0:09:09 who have each built and sold eight-figure businesses
0:09:10 to Amazon and HubSpot,
0:09:12 the show explores business ideas
0:09:14 that you can start tomorrow.
0:09:16 Plus, Sam and Sean jam alongside guests
0:09:19 like Mr. Beast, Rob Dyrdek, Tim Ferriss,
0:09:22 and every so often, you’ll even find me there.
0:09:24 From gas station pizza and egg carton businesses
0:09:27 doing millions all the way up to several guests,
0:09:29 making their first billion.
0:09:30 Go check out My First Million
0:09:32 wherever you get your podcasts.
0:09:34 (upbeat music)
0:09:42 – Joel, you’ve been working in security for so long.
0:09:43 How would you characterize,
0:09:45 maybe not only the sheer number of records,
0:09:47 but maybe the quality of the information,
0:09:49 the particular kind of information?
0:09:52 – I’m unfortunately probably a little desensitized.
0:09:54 I’m only partially being snarky.
0:09:56 Like I do think a lot of this information
0:09:57 is already leaked out there.
0:09:59 Like we’ve had multiple breaches
0:10:01 of credit reporting agencies.
0:10:03 And you have to remember that social security numbers
0:10:05 are the kind of things that don’t change, right?
0:10:06 You get one when you’re born
0:10:08 and you’re stuck with it for a while.
0:10:11 And so not through any central repository,
0:10:14 but just the breaches over the last 20 years,
0:10:15 a lot of this information’s already leaked.
0:10:18 And so I don’t know how unique it is.
0:10:20 What might be interesting is that it gives you
0:10:23 sort of maybe a central repository
0:10:25 where you can QA the information you already have,
0:10:26 or maybe there’s some information in there
0:10:28 that hasn’t already leaked.
0:10:30 And so that’s probably gonna make a little bit
0:10:32 of a difference for folks.
0:10:32 – I agree.
0:10:34 The bureaus have all had leaks at different points.
0:10:36 And I think the Equifax breach
0:10:38 from what five or seven years ago
0:10:40 had something like 80% of Americans in it
0:10:41 or something like this.
0:10:44 But one of the things that I’m sort of thinking about here,
0:10:46 and actually you can see the fraudsters
0:10:48 talking about this on the forums,
0:10:50 is they’re sort of using this as a backbone
0:10:52 to other breaches.
0:10:55 Another thing too is frankly fraudsters today,
0:10:59 folks who commit identity theft are not limited by PII.
0:11:00 Like PII is already out there.
0:11:02 It’s relatively easy to get an identity
0:11:04 that you can use as a base to steal.
0:11:07 But the place where breaches really get bad
0:11:09 is when you connect the sort of core PII information,
0:11:12 so name, date of birth, SSN, address,
0:11:14 when you connect that to other things.
0:11:16 So if you connect that to a driver’s license
0:11:21 or a bank account or a VIN or email addresses,
0:11:22 like that’s when you can actually start to do something
0:11:25 interesting from a fraudsters perspective
0:11:26 with the information.
0:11:29 And this data that has gotten breached here,
0:11:31 we think could be used as sort of a backbone
0:11:34 to connect to all other sorts of information that’s been breached.
0:11:35 As I mentioned, in breached forums,
0:11:38 the forums are the fraudsters who are talking about this.
0:11:40 – Yeah, and it’s funny when you actually read through
0:11:42 some of these chatter with the attackers, right?
0:11:44 Because they have a lot of the same problems
0:11:46 that legitimate businesses have,
0:11:47 specifically like marketing companies, right?
0:11:49 Which is like, how do we make sure
0:11:50 that we have the right Joel,
0:11:52 and how do we know that we’ve got his right car,
0:11:54 and do we have his right identification?
0:11:57 ‘Cause a lot of times these guys are trying to defeat things
0:12:00 or they’re using personal information about you
0:12:01 for authentication, right?
0:12:03 They ask you what school you went to
0:12:04 when you were five and stuff like that.
0:12:07 And so the more of this demographic information
0:12:09 these folks can build up and the more accurate
0:12:11 they can make it, the easier it is to subvert
0:12:13 a lot of the security controls in place
0:12:15 and for them to commit fraud.
0:12:17 – Right, and as more of these breaches happen
0:12:20 and more data is released,
0:12:22 I mean, how much risk is there for me?
0:12:25 Like let’s just say as the average American,
0:12:28 should I be really concerned with this new breach
0:12:31 or like how would you measure that?
0:12:32 – I mean, I think the risk is always there.
0:12:33 It’s ever present.
0:12:36 I think that you should probably have a lock or freeze
0:12:37 on your credit, right?
0:12:38 That’s sort of step one.
0:12:41 I think if you do that, you mitigate some of the problems
0:12:42 from these sorts of things.
0:12:44 I think the bigger issue is gonna be,
0:12:47 at least as you look forward and you think about
0:12:50 how thieves and scammers are gonna use this stuff,
0:12:53 you know, you can start to use this demographic information
0:12:54 pretty convincingly.
0:12:57 If you could clone someone’s voice using Gen AI
0:12:59 or you could take this in a new direction
0:13:01 in which you get a lot more attributes about a person
0:13:03 that let you build a much more believable profile
0:13:06 that then let you replicate the presence,
0:13:09 their kind of identity and a lot more difficult
0:13:10 to verify world.
0:13:13 And what we’ve heard from folks is that this kind of fraud,
0:13:16 this sort of next level social engineering
0:13:18 is a thing that’s been happening more and more.
0:13:20 – I can give the advice I typically give to my family
0:13:23 at Thanksgiving last week, the same question which is,
0:13:26 look, at the end of the day, there’s not too much
0:13:28 that people can do to prevent fraudsters
0:13:30 from stealing their identities.
0:13:32 If you’re in this breach, you’re in the breach
0:13:34 and probably all three of us are, frankly.
0:13:37 But the things that you can do are pretty basic
0:13:40 and strong personal security things.
0:13:43 Like for instance, turn on two factor authentication
0:13:45 for all of the important services that you have.
0:13:47 Probably the ones that are not important as well.
0:13:48 Use a password manager.
0:13:51 So don’t have a bunch of repeated passwords everywhere.
0:13:53 And maybe use your best judgment.
0:13:55 If something seems like it’s too good to be true,
0:13:57 it probably actually is.
0:13:58 Joel’s a good point of freezing your credit.
0:13:59 That’s a great idea.
0:14:02 It’s also a good idea to just check your accounts
0:14:03 on a regular basis to see if there’s anything
0:14:05 that you don’t expect.
0:14:07 – Yeah, and we actually have a helpful blog post
0:14:10 that we wrote years ago called 16 Things to Protect
0:14:12 Yourself Online that still is applicable today
0:14:14 even after this data breach.
0:14:15 – Yeah, Joel, I think you’ve probably gotten
0:14:18 way more use out of that than any of us would hope, huh?
0:14:20 I wish I could say that things had changed radically
0:14:22 but it’s still the same problems.
0:14:24 – How does something like this actually happen, right?
0:14:27 We know all of these companies have various versions
0:14:29 of our data, some more than others,
0:14:30 some more important than others.
0:14:33 Is it a lack of good infrastructure
0:14:35 or is this just the kind of thing that’s bound to happen
0:14:38 when you put data all in one central place?
0:14:39 – If I was a gambling man,
0:14:41 I’d bet that they had some kind of configuration issue
0:14:45 on a data store, that they had a cloud database
0:14:47 that probably had a guessable password
0:14:49 or wasn’t using two-factor authentication
0:14:51 and someone stole the credentials, right?
0:14:52 If you look at the Snowflake breach,
0:14:56 which impacted, I think, 137 different companies,
0:14:58 that was all because there wasn’t
0:15:00 two-factor authentication enabled
0:15:02 and people were able to guess or steal those passwords
0:15:03 and usernames.
0:15:04 And so, to be quite honest,
0:15:08 these breaches are usually lowest common denominator, right?
0:15:09 They don’t have to pick the lock
0:15:10 if you leave the window open
0:15:13 and you’d be surprised how many people leave windows open
0:15:16 and that tends to be how these things happen.
0:15:18 I mean, on that note, I’m a little bit surprised
0:15:22 by maybe how unsurprised you are by this breach.
0:15:25 And so, where are we in that arc?
0:15:26 Is this just really something
0:15:29 that we expect to just continue to happen?
0:15:32 And if you frame things the way you have
0:15:36 as the hackers basically become more effective
0:15:37 as more of these happen
0:15:40 and they can piece together different blocks,
0:15:41 where does that put us?
0:15:43 How does the industry need to shift, if at all?
0:15:46 Or should we just expect a rolling cadence of this?
0:15:48 – If you go back decades,
0:15:51 people could be secure by this data
0:15:53 actually not being out there as much.
0:15:57 SSNs were secret and your possession of one
0:15:59 meant that it was probably you.
0:16:01 I like to joke, had some.
0:16:04 Social security numbers are both your username
0:16:06 and your password and at this point, they’re also public.
0:16:09 So it’s kind of the worst possible thing you could have.
0:16:11 But so many different data breaches
0:16:13 have completely broken that paradigm.
0:16:14 And as I mentioned, frankly,
0:16:17 there’s so much data out there that PII being secret
0:16:19 is no longer a control at all, frankly,
0:16:22 to prevent identity theft or other kinds of fraud.
0:16:24 No, frankly, the reason why there’s not more
0:16:27 identity theft or other fraud out there
0:16:30 is because institutions that guard against identity theft,
0:16:33 so banks or governments or anyone that needs
0:16:36 to verify the identities of consumers,
0:16:39 like those institutions have controls for them.
0:16:41 And Sentilink is one of those controls.
0:16:43 And so actually the reason there’s not more fraud out there
0:16:46 is because of the controls that institutions take,
0:16:48 not because there’s not data breaches.
0:16:49 – Yeah, and I think like I said,
0:16:50 not to be overly cynical,
0:16:54 but we’ve had data and databases for a really long time.
0:16:57 And it’s relatively recently that there’s been
0:16:59 a requirement to disclose data breaches, right?
0:17:01 California passed the CCPA.
0:17:03 Actually, the breach disclosure law in California
0:17:05 passed I think in 2005,
0:17:07 but it wasn’t nationally implemented for quite some time.
0:17:10 And even then there’s still a patchwork of regulations
0:17:12 and it’s the SEC that’s actually driving
0:17:14 a lot of the breach disclosure requirements.
0:17:16 Currently they require you, I believe,
0:17:19 to disclose within 48 hours after material security breach,
0:17:21 which is only a year old, right?
0:17:24 So these breaches have been happening for years and years
0:17:25 and people just never talked about them.
0:17:28 And so when you work in the security industry,
0:17:30 especially if you work on the cyber intelligence
0:17:33 or the financial fraud side and you watch these markets,
0:17:35 like this has been going on forever.
0:17:37 And it’s only now that companies are being forced
0:17:40 to disclose it and that consumers are becoming aware.
0:17:43 And so I think that’s really the thing that’s changed.
0:17:46 And like all of these different kinds of situations,
0:17:48 this is very much a cat and mouse game, right?
0:17:50 It’s the attackers and the defenders
0:17:51 and you go back and forth.
0:17:52 And to be quite honest,
0:17:54 the defenders have gotten really good.
0:17:56 We have some really excellent technology out there.
0:17:58 Sentilink’s a great example of that
0:18:00 where a lot of this stuff can be nipped in the bud.
0:18:02 Even if the information is out there,
0:18:03 you can limit the harm that it causes.
0:18:06 – Joel, you know, we verify over a million people every day.
0:18:07 There’s literally a million people a day
0:18:09 that we hope to prove who they are.
0:18:10 – That’s amazing.
0:18:11 – Yeah, we’re really proud of it.
0:18:13 – The bottom line of a lot of this stuff is that,
0:18:14 like I said, it’s easy to be cynical.
0:18:16 It’s easy to get worked up about this stuff
0:18:17 or whatever the case may be.
0:18:20 But in reality, things have actually gotten a lot better.
0:18:22 And if you freeze your credit,
0:18:25 if you follow the security best practices,
0:18:27 if you use things like a YubiKey,
0:18:28 you know, a hardware security key,
0:18:33 you can exist online relatively safely, right?
0:18:34 Probably more safe than you are walking
0:18:37 through a city street at risk of being robbed, right?
0:18:38 We’ve come a long way.
0:18:40 We just, you get these headlines
0:18:41 and the media hypes this stuff up
0:18:43 and people think it’s the end of the world.
0:18:45 But in reality, like things are a lot better.
0:18:47 They’re a lot better than people would report them to be.
0:18:48 – The other really cool thing
0:18:50 about the way the world has evolved is that
0:18:53 with the startup ecosystem and the ability for,
0:18:55 you know, expert founders to build technology
0:18:58 to address these things, like we’ve actually shifted
0:19:00 a lot of the economics on some of these things
0:19:03 where you can build a successful company
0:19:07 fighting this stuff and end up financially way better
0:19:09 than if you were doing this stuff, right?
0:19:10 And I think if you look at all these different
0:19:13 kinds of situations and you look at any kind of crime,
0:19:16 to be quite honest, it’s just about where the incentives lie.
0:19:18 And if you shift the incentives in a meaningful way,
0:19:20 you can actually really start to crack down
0:19:22 on a lot of this stuff.
0:19:22 – That’s a great point.
0:19:24 And Naftali, that’s what your company does, right?
0:19:27 How many cases of identity fraud are you blocking per day?
0:19:29 – We stop over 20,000 a day.
0:19:32 – And who is paying for that?
0:19:35 Is it the end customer who’s paying you to monitor
0:19:36 or how does that work?
0:19:37 – No, it’s the institution.
0:19:42 So we serve over 300 banks, lenders, financial institutions,
0:19:45 telcos, governments throughout the United States
0:19:48 to help them figure out if their customers or users
0:19:50 are who they say they are.
0:19:52 So for example, before someone opens a credit card,
0:19:54 that financial institution will ask us,
0:19:55 “Hey, is this a real person?
0:19:57 Are they, is that identity stolen?”
0:19:59 And we’ll be able to answer that for them in real time.
0:20:01 – On the note of some of the new technologies
0:20:04 coming online, they do open up a new vector
0:20:08 both, to your point Joel, for attacking and defending.
0:20:12 Curious if you see any gaps in terms of places
0:20:15 that builders should be addressing on this new frontier,
0:20:19 as again, like the attack vector has also opened up.
0:20:20 – Everyone’s talking about generative AI
0:20:22 and sort of the ability to do deep fakes
0:20:24 and that sort of thing.
0:20:25 And there’s a lot of activity there.
0:20:27 We actually have an investment in a company called Pindrop,
0:20:29 which is really good at spotting audio deep fakes.
0:20:31 And they sell a lot of products as you can imagine
0:20:32 to financial service companies,
0:20:35 ’cause that’s typically where you see the threat.
0:20:36 But it all rolls downstream.
0:20:39 And so it’s not just JPMorgan Chase and Citibank
0:20:42 that are getting hit by these generative AI fakes.
0:20:45 It’s actually becoming grandmas and grandpas and parents.
0:20:46 They’re getting the fake phone calls
0:20:48 from grandchildren and children,
0:20:50 that they’re being held and you need to wire the money
0:20:53 and stuff to that effect, the virtual kidnappings, right?
0:20:55 Like these are things that trickle down.
0:20:58 And so enterprises are doing a good job
0:20:59 of protecting themselves from some of this
0:21:01 and what we need is for some of that technology
0:21:03 to start to filter down
0:21:05 into protecting consumers at large.
0:21:08 – Obviously we’ve been using the same PII for ages, right?
0:21:11 Like you guys mentioned social security.
0:21:13 I mean, it’s also crazy to me that they send you
0:21:17 that on a piece of paper, but in any case,
0:21:20 is there some world where we have similar
0:21:23 to password managers like forcing you
0:21:25 to update your password every so often
0:21:29 or other forms of like biological identification,
0:21:32 should we be rethinking the idea
0:21:34 that we use name, email, address, phone, et cetera,
0:21:36 or am I thinking about this incorrectly?
0:21:40 And even those have just like the same kind of vectors.
0:21:41 – I would say like, yes, for sure,
0:21:43 we should be thinking about this differently.
0:21:44 Is it ever gonna happen?
0:21:45 Unfortunately, no.
0:21:46 But, you know, frankly,
0:21:50 public cryptography solves like quite a bit of this.
0:21:51 And I’m not talking about like crypto blockchains
0:21:52 or anything like that.
0:21:55 I mean, simply every citizen having a public private key pair
0:21:58 and having the government or some trusted entity
0:22:00 go and cryptographically sign those,
0:22:02 would solve a bunch of identity verification issues.
0:22:04 Is that gonna happen in the United States?
0:22:04 Absolutely not.
0:22:06 But, you know, would that be an elegant solution
0:22:07 that would solve a lot of problems?
0:22:08 It would.
0:22:10 – There has been a dream for a really long time
0:22:13 among the number of diehard old cryptography people
0:22:15 that one day the US government
0:22:17 would get into proving identity.
0:22:19 And there has been a NIST working group,
0:22:22 the National Institute of Standards and Technology,
0:22:25 has been trying to set standards for proofing for decades.
0:22:26 There was a hope that maybe one day
0:22:29 the post office would become the place where you could go
0:22:31 prove your digital identity and get a token
0:22:33 or some kind of key.
0:22:35 I think we’re still as far away from it today
0:22:36 as we were 10 years ago.
0:22:39 But, I hold my hope for that one day.
0:22:41 One day, I mean, California’s rolling out
0:22:43 digital driver’s licenses, right?
0:22:46 I got a digital license plate for my car.
0:22:48 Like, we might get there.
0:22:50 It might happen in my lifetime, I’m hoping.
0:22:53 I think, to Naftali’s point, like the technology exists.
0:22:54 We know how to stop this.
0:22:57 We just need someone with the political will and desire
0:23:00 to make this a thing and maybe go after the real problems
0:23:02 that everyday American consumers face.
0:23:03 So one day we’ll get there.
0:23:04 I’m optimistic.
0:23:05 Hopefully in my life.
0:23:07 – Just a few more breaches along the way.
0:23:11 All right, if you’ve made it this far,
0:23:12 thank you so much for listening.
0:23:15 And if you’d like us covering these timely topics,
0:23:19 be sure to let us know at ratethispodcast.com/a16z
0:23:23 or you can email us at podpitches@a16z.com.
0:23:25 We’ll see you on the flip side.
0:23:27 (upbeat music)
In this episode, we cover the recent data breach of nearly 3B records, including a significant number of social security numbers. Joining us to discuss are security experts Joel de la Garza and Naftali Harris. Incredibly enough, Naftali and his team were able to get their hands on the breached dataset and were able to validate the nature of the claims. Listen in as we explore the who, what, when, where, why… but also how a breach of this magnitude happens and what we can do about it.
Resources:
- Read 16 Steps to Securing Your Data (and Life)
- Find Naftali on Twitter: https://x.com/naftaliharris
- Check out Sentilink: https://www.sentilink.com/
Stay Updated:
- Let us know what you think: https://ratethispodcast.com/a16z
- Find a16z on Twitter: https://twitter.com/a16z
- Find a16z on LinkedIn: https://www.linkedin.com/company/a16z
- Subscribe on your favorite podcast app: https://a16z.simplecast.com/
- Follow our host: https://twitter.com/stephsmithio
Please note that the content here is for informational purposes only; should NOT be taken as legal, business, tax, or investment advice or be used to evaluate any investment or security; and is not directed at any investors or potential investors in any a16z fund. a16z and its affiliates may maintain investments in the companies discussed. For more details please see a16z.com/disclosures.