Imagine receiving an urgent email from your bank that looks perfectly legitimate. It warns you of a suspicious transaction and prompts you to verify your identity. You hesitate but click, and suddenly, your credentials are compromised. This scenario, crafted by AI-powered fraud-as-a-service, is happening now.<\/p>\n
In this episode of the Security Matters podcast, host David Puner is joined by Blair Cohen, Founder and President of AuthenticID, to discuss the evolving identity threat landscape. They explore the rise of synthetic fraud, the role of biometric authentication and how AI-driven security is reshaping the fight against cybercrime. Blair shares insights on the challenges of detecting deepfakes, the advancements in biometric authentication and the impact of generative AI on security measures.<\/p>\n
Tune in to learn how security leaders can stay ahead in this rapidly changing environment and what organizations can do to prepare for the next generation of cyberthreats.<\/p>\n
Your credentials are compromised. Your data, exposed. But here’s the twist \u2014 this wasn’t crafted by a human. It was built by AI-powered fraud-as-a-service capable of generating perfect phishing campaigns, realistic deepfake voices, and even synthetic identities.<\/p>\n
This scenario isn’t some distant future. It’s happening now. And as cybercriminals refine their techniques, even seasoned experts struggle to separate real from fake.<\/p>\n
So \u2014 how do security leaders stay ahead?<\/p>\n
Today, we’re joined by Blair Cohen, founder and president of Authentic ID, to break down the evolving identity threat landscape, why synthetic fraud is skyrocketing, and how biometric authentication and AI-driven security are reshaping the fight against cybercrime.
\nLet’s dive in.<\/p>\n
David Puner: Blair Cohen, founder and president of Authentic ID \u2014 welcome to Security Matters. Thanks so much for coming onto the podcast.<\/p>\n
Blair Cohen: Thank you so much for having me here today, David. Glad to be here.<\/p>\n
David Puner: Really excited to have you. Really excited to talk to you today.
\nTo start things off \u2014 when did you first start thinking about identity, and how did you wind up founding Authentic ID? What inspired you to focus on identity verification and fraud prevention?<\/p>\n
Blair Cohen: It’s actually a pretty interesting story here. I’m a serial entrepreneur. This is my third or fourth company that I’ve created as an adult. The previous one was a background checking company \u2014 a background screening company.
\nWhen you do a background check, part of the process is performing identity verification. Historically, identity verifications were done by asserting your Social Security number. I\u2019d take your SSN, run it through one of the credit bureaus, and see if your name was associated with that SSN. If it was, then your identity was considered verified.<\/p>\n
David Puner: Mm-hmm.<\/p>\n
Blair Cohen: But in the early 2000s, I started seeing something strange. When we\u2019d run an SSN, not just one name would come back. Sometimes we\u2019d see 20, 30, even 50 different names associated with it \u2014 and it kept getting worse.
\nBy 2006, this was a pretty regular experience. That told me something was very wrong with the way we were proving identity. It just didn\u2019t make sense anymore. So many people had access to your Social \u2014 it wasn\u2019t a private identifier anymore.
\nThat was the impetus for creating Authentic ID. I realized in the mid-2000s that we needed a much better way to prove identity \u2014 one that couldn\u2019t be based on data. It can\u2019t be based on what you know \u2014 like your car\u2019s make and model or your pet\u2019s name. We needed something that was much harder for fraudsters to obtain.<\/p>\n
Blair Cohen: What\u2019s the gold standard for proving identity across the globe? Government-issued IDs. Anywhere in the world \u2014 if you need to open a bank account, you show a government-issued ID.
\nWhat else can\u2019t fraudsters really steal? Your face. People take pretty good care of their identity documents, and your face is uniquely yours.
\nSo instead of using data, we now use what you have \u2014 your government-issued ID \u2014 and what you are \u2014 your biometric identity. That\u2019s what led to creating Authentic ID.<\/p>\n
David Puner: You had mentioned at the beginning of that answer that you had founded a number of companies as an adult. What companies did you found as a pre-adult?<\/p>\n
Blair Cohen: Oh, just small businesses \u2014 snow shoveling and lawn care and things like that. Yeah, just small businesses.<\/p>\n
David Puner: Life skills.<\/p>\n
Blair Cohen: Life skills, yes.<\/p>\n
David Puner: Good ethic.
\nWhat do you see as the most critical identity security concerns facing organizations today, and how has the evolving threat landscape over the last year or so reshaped or solidified these threats?<\/p>\n
Blair Cohen: Gosh, to nail down just the single biggest problem that exists today would be hard. We’re moving very quickly to biometric authentication. And there are plenty of flaws out there. There are bad algorithms, exploitable vulnerabilities, and ways to inject images into workflows \u2014 all of which exist in many organizations‘ workflows today.
\nIn most cases, people are manually reviewing transaction or account-opening data \u2014 information that\u2019s been asserted. With GenAI and the quality of audio and visual signals now possible, humans simply can\u2019t detect this stuff.
\nYou need to deploy very sophisticated liveness detection and biometric matching algorithms to protect yourself from being defeated.<\/p>\n
David Puner: I should point out that we\u2019re, of course, talking about human identity here \u2014 a big piece of the puzzle \u2014 but we don\u2019t want to confuse it with machine identity.
\nYou mentioned generative AI. How has GenAI transformed authentication challenges and authentication itself?<\/p>\n
Blair Cohen: It\u2019s enabled the creation of sophisticated identity documents and entirely fake but realistic faces. You can generate a completely new person \u2014 someone who never existed \u2014 just by asking the AI to do it.
\nToday, you can synthesize a voice from as little as three seconds of audio.
\nSo GenAI has changed the game. Humans can no longer be relied upon to look at an image or listen to a voice and say whether it\u2019s authentic. That\u2019s over.
\nYou now need tools \u2014 sophisticated detection capabilities and algorithms. Manual review just doesn\u2019t cut it anymore.<\/p>\n
David Puner: Have you ever been fooled by a deepfake?<\/p>\n
Blair Cohen: Yeah. It’s sad to say \u2014 I\u2019m considered one of the world\u2019s experts at this, and I just took a test yesterday. They showed me 10 images of deepfake faces. I got five out of ten.<\/p>\n
David Puner: Wow.<\/p>\n
Blair Cohen: It\u2019s kind of what I expected. In a real-world environment, people are only given a short period of time to examine an image. And deciding whether that image is authentic, deepfake, synthetic, or something else is really hard.
\nLet\u2019s say you\u2019ve got 10 seconds. That\u2019s not enough time to catch the subtle GenAI-created details.
\nThe deformities in ears or eyes that we used to spot? Those are gone now. And the tools are accessible. You no longer have to be a tech expert with Photoshop skills. You just chat with the model, tell it what you want, and it does it \u2014 often better than a human \u2014 in seconds.<\/p>\n
David Puner: You mentioned \u201csynthetic.\u201d So, what is synthetic identity, and what are the authentication difficulties associated with it \u2014 beyond what we\u2019ve already discussed?<\/p>\n
Blair Cohen: Synthetics are a tremendous problem \u2014 and they\u2019re not new. Synthetic identities have been around for a long time.
\nIt\u2019s kind of hard to understand why they even exist, but it really has a lot to do with the Fair Credit Reporting Act \u2014 the FCRA. If someone submits a \u201cnew\u201d identity, the credit bureaus often create a brand-new file.
\nSo if you slightly modify your name \u2014 say, David L. Puner instead of David M. Puner \u2014 and change one digit in your Social Security number, the bureaus may create an entirely new persona.
\nThey\u2019ll stitch together pieces of your identity and someone else\u2019s, creating a whole new synthetic file.<\/p>\n
Blair Cohen: Generally, the synthetic won\u2019t get credit immediately. But the fraudster will build it up over time. They might start with a prepaid card, slowly build credit, and then \u2014 all at once \u2014 perform a \u201cbust out.\u201d
\nThat\u2019s when they apply for four or five credit cards, get approved, max them all out, and disappear.
\nAnd since the person never existed in the first place, there\u2019s no one to go after. That\u2019s the problem. It\u2019s a fake person \u2014 a synthetic \u2014 and they\u2019re gone.<\/p>\n
David Puner: Is this something that threat actors can do at scale? Or is it more of a one-off tactic?<\/p>\n
Blair Cohen: No \u2014 it\u2019s absolutely scalable. They can maintain and grow synthetic identities over time.
\nThere are websites out there \u2014 I won\u2019t name them here \u2014 where you can generate an entirely new identity with one click. Name, address, geolocation, email, phone \u2014 everything.
\nClick a button, get a new identity. Click again \u2014 another one.
\nSo yes, they can absolutely do it at scale, and they do.<\/p>\n
David Puner: Back to this big piece of the puzzle \u2014 what are the latest advancements in biometric authentication, and how do they impact security?<\/p>\n
Blair Cohen: From a biometric standpoint, all the top algorithms perform quite well today.
\nThere used to be criticism that biometrics didn\u2019t work equally across demographics \u2014 skin tone, gender, age \u2014 but that\u2019s no longer true.
\nWith facial recognition, the top 20 algorithms now perform equally well across all demographics.<\/p>\n
Blair Cohen: The bigger challenge today is spoofing. Accuracy isn\u2019t the issue \u2014 stopping spoofing is.
\nThere\u2019s plenty of video of me out there. It wouldn\u2019t be hard for someone to grab a video, still image, or even create a mask of my face.
\nIf they pair that with a fake ID and attempt to authenticate, the match might succeed.<\/p>\n
Blair Cohen: That\u2019s where liveness detection becomes critical. We need to detect whether we\u2019re being spoofed \u2014 whether it\u2019s a real person in front of the camera, not a static image or pre-recorded video.
\nWe use \u201cpresentation attack detection\u201d for that.
\nLevel 1 and Level 2 certifications exist, and Level 2 is robust enough to stop most spoof attempts.<\/p>\n
Blair Cohen: But fraudsters are smart. They\u2019ve figured out that we rely on device sensors \u2014 like the ones in your phone or computer \u2014 to catch those presentation attacks.
\nSo now, they bypass the camera altogether by installing virtual cameras. These virtual cameras feed synthetic images directly into the system, bypassing the sensor data we rely on.<\/p>\n
Blair Cohen: When they inject these signals through a virtual camera, we don\u2019t receive the same cues that a real camera would give us. It circumvents the presentation attack detection altogether \u2014 and that\u2019s hard to defend against.
\nIt\u2019s a growing problem.<\/p>\n
Blair Cohen: Everyone\u2019s moving toward frictionless experiences. No one wants to download capture software. They want it to work via a web browser.
\nBut the problem is \u2014 on the web, anyone can open developer tools and see exactly what\u2019s happening. That makes it easier for fraudsters to inject fake content at the right moment and bypass security entirely.
\nSo ironically, in the pursuit of frictionless experiences, we\u2019ve opened up some serious vulnerabilities.<\/p>\n
David Puner: A lot to consider, obviously \u2014 and that\u2019s why we need the help of GenAI.
\nSo how is GenAI \u2014 or AI in general \u2014 being used to enhance authentication processes and improve security?<\/p>\n
Blair Cohen: AI is great at spotting anomalies that humans would miss. Think about a large enterprise \u2014 they might have thousands, even hundreds of thousands of transactions happening at once.
\nIt\u2019s impossible for a person \u2014 or even a team \u2014 to sift through all that data in real time.<\/p>\n
Blair Cohen: But AI can.
\nIt works quickly and accurately, and when something unusual happens \u2014 like an anomaly in a transaction pattern \u2014 it can raise a flag instantly.
\nSo in that sense, AI is extremely valuable in protecting against fraud and authentication attacks.<\/p>\n
David Puner: Security practitioners are using AI \u2014 but threat actors are, too.
\nIf we\u2019re looking at this as an AI vs. AI kind of scenario, how is AI enhancing cybersecurity measures while also enabling attackers?<\/p>\n
Blair Cohen: It\u2019s a double-edged sword.
\nThe challenge for us \u2014 the \u201cgood guys\u201d \u2014 is that our hands are tied in ways the attackers\u2019 hands aren\u2019t.
\nWe\u2019ve got to follow strict privacy and compliance rules. We can\u2019t share certain data or collaborate freely between organizations.<\/p>\n
Blair Cohen: But attackers can.
\nThey\u2019re not bound by any regulations. When one discovers an exploit, they can instantly share it across the entire fraud community and launch coordinated attacks at scale.
\nWe don\u2019t have that kind of latitude. So, they often stay one step ahead.<\/p>\n
David Puner: So then \u2014 how do the good guys stay a step ahead of the bad guys?<\/p>\n
Blair Cohen: I\u2019m not sure that we do, David.
\nLike I said, our hands are tied. We can\u2019t collaborate the same way. We can\u2019t share exploits and threat data across enterprises the way bad actors can.
\nUntil that changes \u2014 until our hands become untied \u2014 I think they\u2019ll always be a step ahead.<\/p>\n
David Puner: So that\u2019s where it comes down to defense and best practices.<\/p>\n
Blair Cohen: Correct.<\/p>\n
David Puner: Looking across various sectors \u2014 like finance, government, and telecom \u2014 how do authentication challenges differ from one sector to the next?<\/p>\n
Blair Cohen: It doesn\u2019t just vary by sector \u2014 it varies by use case within each sector. But let\u2019s take a high-level look.<\/p>\n
Blair Cohen: In government, the goal is to serve all citizens \u2014 including those with accessibility issues. So they tend to offer more flexibility in their authentication workflows.
\nFor example, a government agency might allow you to upload an image of your ID or a selfie. That\u2019s not a best practice \u2014 but it\u2019s done to be inclusive.<\/p>\n
Blair Cohen: In contrast, financial services are far stricter. They won\u2019t let you upload an image \u2014 they make you go through a camera-based, real-time workflow.
\nThey\u2019re all about minimizing risk and ensuring that strong defenses are in place up front.<\/p>\n
Blair Cohen: Telecom is different again. Their focus is speed and volume \u2014 they want to get as many people through the flow and issue as many phones as possible.
\nSo the priorities \u2014 and the vulnerabilities \u2014 vary widely by sector.<\/p>\n
Blair Cohen: And even within sectors, the use case matters.
\nYou\u2019re going to treat a customer walking into a physical store differently than one interacting with you online.
\nIn person, there\u2019s some assurance that you\u2019re dealing with a real human \u2014 the employee can see you. But digitally? You want to see the face, the voice, the identity document.
\nYou need more signals to trust what\u2019s coming through the screen.<\/p>\n
David Puner: Sort of like when you\u2019re buying a microphone to be on a podcast \u2014 a two and a half hour retail experience.<\/p>\n
Blair Cohen: It was awful. They couldn\u2019t get their computers working once I got there.<\/p>\n
David Puner: Well, we thank you again for enduring the real-life retail experience for the sake of Security Matters. Now, when it comes to regulatory compliance and data privacy, what are the major compliance issues that you\u2019re helping customers navigate?<\/p>\n
Blair Cohen: There are so many new regulations out there, David. It\u2019s kind of hard to say where to start \u2014 but I\u2019ll give you one example.<\/p>\n
Blair Cohen: In California, you\u2019ve got CCPA \u2014 the California Consumer Privacy Act. And under that, a California citizen has the right to be forgotten.
\nSo, for example, if you\u2019re an AT&T customer, you can call them up and say, \u201cI want you to delete all the data you have on me.\u201d
\nAnd AT&T legally has to comply.<\/p>\n
Blair Cohen: But how do they know who\u2019s calling?
\nHow do they verify that it\u2019s really you making that request \u2014 and not someone trying to delete someone else\u2019s data?<\/p>\n
Blair Cohen: That\u2019s where our technology comes in.
\nWe allow people to image their government-issued ID and capture a selfie. We then authenticate both \u2014 making sure the document is real and that the person matches the ID.
\nThat way, AT&T knows it\u2019s the real Blair Cohen making the request \u2014 and not a fraudster.<\/p>\n
David Puner: Thanks for those examples \u2014 really interesting. So then, what promising biometric authentication innovations might we see emerge in the next few years?<\/p>\n
Blair Cohen: Oh goodness \u2014 I think we\u2019re going to see the liveness detection problem finally solved.<\/p>\n
Blair Cohen: Right now, spoofing attacks \u2014 like holding up a photo or video of someone else\u2019s face \u2014 are largely solved with Level 2 presentation attack detection.
\nBut injection attacks \u2014 where someone bypasses the camera entirely \u2014 that\u2019s still a big challenge.<\/p>\n
Blair Cohen: I think we\u2019re going to have to move toward more rigorous capture processes.
\nWe may even need to stop using browsers altogether and make people download apps again \u2014 which causes friction \u2014 but it might be necessary.
\nBecause in browser-based flows, attackers can open dev tools and inject fake content pretty easily.<\/p>\n
Blair Cohen: As spoofing continues \u2014 and fraudsters keep finding ways around biometric and liveness detection \u2014 we\u2019re going to see a combination of biometric modalities.
\nToday, using just your face might be enough. But going forward, I think we\u2019ll start to see a pairing of face and voice authentication.<\/p>\n
Blair Cohen: You\u2019ll be asked to say a random, dynamic phrase.
\nThen, the system will use lip-reading to confirm your mouth movements match the phrase, while also checking that the voiceprint matches what\u2019s on file \u2014 and that the face matches the one stored.
\nThis combo \u2014 random phrase, face match, and voice match \u2014 will be very hard for fraudsters to defeat.<\/p>\n
David Puner: And \u201cliveness detection\u201d \u2014 that\u2019s just what it sounds like? Making sure someone\u2019s actually real and not spoofing?<\/p>\n
Blair Cohen: Exactly. You nailed it 100%.<\/p>\n
David Puner: As we move toward the end of the conversation here, we always like to ask: what can organizations do about all of this?
\nHow can they prepare for the next generation of cyber threats and authentication risks?<\/p>\n
Blair Cohen: Humans are your biggest vulnerability.
\nIn digital channels, most enterprises already have plenty of tools deployed \u2014 tools that can detect anomalies, tools that can detect AI-generated content, and so on.
\nBut when it comes to humans? We\u2019re the weak point.<\/p>\n
Blair Cohen: If you walk into a brick-and-mortar store with a fake ID created using fraud-as-a-service, it\u2019ll look perfect. And most of the time, the human checking it won\u2019t know the difference.
\nSame thing online \u2014 if someone is manually reviewing documents or faces, they have almost no ability to tell real from fake anymore.<\/p>\n
Blair Cohen: So it\u2019s time.We\u2019ve got to get rid of all human processes when it comes to identity verification.
\nWe need to deploy tools \u2014 automated systems that can analyze, detect anomalies, and flag GenAI content in real time.<\/p>\n
David Puner: It probably goes without asking, but you mentioned fraud as a service. Fraud as a service is presumably thriving these days?<\/p>\n
Blair Cohen: It has gone crazy.
\nI first discovered this about a year and a half ago. Back then, you could pay a set amount \u2014 say $200 a month \u2014 and generate an unlimited number of attacks.
\nBut the quality of those attacks was low. You\u2019d see grammar mistakes, logo issues, bad formatting \u2014 things like that.<\/p>\n
Blair Cohen: But now? It\u2019s completely different.
\nToday\u2019s phishing campaigns are flawless \u2014 perfect grammar, perfect branding, even multilingual translations that are spot-on.
\nEverything looks legitimate.<\/p>\n
Blair Cohen: And the price has gone up. That same fraud-as-a-service platform that used to cost $200 now goes for $2,000 a month.
\nBut the attacks are high-quality and unlimited.
\nIt\u2019s like the \u201cplatinum tier\u201d of cybercrime.<\/p>\n
David Puner: Unlimited attacks \u2014 that\u2019s the platinum tier.<\/p>\n
Blair Cohen: Yep.<\/p>\n
David Puner: Unbelievable. Although, very believable \u2014 especially considering everything we talk about on this program.<\/p>\n
David Puner: So now more than ever, it goes back to zero trust \u2014 never trust, always verify.
\nHow do you practice that in your day-to-day life \u2014 professionally or personally?<\/p>\n
Blair Cohen: Just like you said: I never trust, and I always verify \u2014 no matter how convincing something may look.<\/p>\n
Blair Cohen: At AuthenticID, we house very sensitive data from some of the world\u2019s largest enterprises and governments.
\nSo we take security extremely seriously.<\/p>\n
Blair Cohen: We go through continuous security training from a company called KnowBe4.
\nEvery single week, everyone at the company completes a new certification or training module.
\nWe stay on top of the latest exploits and always stay vigilant.<\/p>\n
David Puner: Does it ever surprise you \u2014 among your clients or day-to-day contacts \u2014 how inconsistent cyber hygiene can be?<\/p>\n
Blair Cohen: I think people know what they should do \u2014 but implementing it across a massive enterprise is really tough.<\/p>\n
Blair Cohen: I\u2019d love to see a world where we get rid of usernames and passwords entirely.
\nTo me, all authentication should be biometric \u2014 that\u2019s the safest path.
\nBut when you\u2019ve got 70,000 employees, switching them all over to a new system? That\u2019s not easy.<\/p>\n
Blair Cohen: Still, if everyone moved to biometric authentication, the world would be a much safer place.<\/p>\n
David Puner: Blair Cohen, founder and president of AuthenticID \u2014 thank you so much for coming onto the podcast.
\nReally appreciate it. It\u2019s been great speaking with you.<\/p>\n
Blair Cohen: It\u2019s been my pleasure, and I appreciate your time today. Thank you very much, David.<\/p>\n
David Puner: Alright \u2014 there you have it. Thanks for listening to Security Matters.
\nIf you like this episode, please follow us wherever you do your podcast thing so you can catch new episodes as they drop.
\nAnd if you feel so inclined, leave us a review \u2014 we\u2019d appreciate it, and so will the algorithmic winds.<\/p>\n
David Puner: Got questions or comments?
\nAre you a cybersecurity professional with an idea for an episode? Drop us a line at: SecurityMattersPodcast@cyberark.com.<\/p>\n
David Puner: We hope to see you next time.<\/p><\/div>\n","protected":false},"featured_media":213810,"template":"","class_list":["post-206297","podcast","type-podcast","status-publish","has-post-thumbnail","hentry"],"acf":[],"yoast_head":"\n