05-31-2023 Cybersecurity – Zero Trust Network With John Mahoney Of Moby, LLC


In today’s digital age, with sophisticated cyber threats becoming increasingly prevalent, ensuring network security has become more critical than ever. One solution that has emerged as a beacon of hope is the concept of the ‘Zero Trust Network’. A radical shift from traditional network security measures, Zero Trust Network advocates for a ‘never trust, always verify’ approach, offering a more comprehensive way to combat cybersecurity threats. Zero Trust Network is a security model that eradicates the conventional binary notion of ‘trusted’ internal networks versus ‘untrusted’ external networks. This model operates under the principle that threats can occur anywhere, and thus, no user or system should be implicitly trusted. Instead, every request is thoroughly verified, authenticated, and validated before access is granted, regardless of whether it originates from within or outside the network. Explaining more about this is John Mahoney, CEO and Co-Founder of Moby, LLC.

---

Cybersecurity - Zero Trust Network With John Mahoney Of Moby, LLC

David Kittle called me and said, “You've got to meet and talk to John Mahoney. He'd make a great interview, especially when you consider what John does.” Our guest is John Mahoney, CEO and Cofounder of Moby, LLC. They deliver a number of innovative tech solutions, specifically in the cybersecurity space. We're going to talk about the liveness of verification. You've heard all the different ways, dual authentication, all the different ways you can authenticate getting into a website. We have a real risk going on out there. It's getting exponentially worse. How are we going to solve that? In our interview with John, you're going to get some new insights. Let's get started.

John, it’s good to have you joining us in our show.

Thanks for having us.

It’s good to have you here. Marc is my co-host with me as well. Marc, thanks for joining in on this interview.

I’m glad to be here. I’m glad to be here with you, John.

Thanks, Marc.

Let our audience get to know a little bit about you. Tell us a little bit about yourself, your background, and what has brought you to the place you're at.

I got the entrepreneur bug many years ago. That went into data validation and identity fraud prevention, mainly triggered by the issues of 9/11. I didn't know how I could help. I was gravely concerned about the issue. People are getting on airplanes with fake IDs. It motivated me and my team to go out and figure out solutions for industries. We tried to raise capital in various markets and had a profound impact on, of all things, the casino industry. We did extremely well with casinos. We installed software in about 90% of the casinos in Las Vegas and a lot of the global providers because they have a lot of strict guidelines and defense in reporting mechanisms they have to follow. We help them clean all that process up, track their players, and the amounts of money they are spending. We submit SARs records and all those wonderful things that they needed to do to keep their regulators on the back.
We worked there. That was one major impact. The other good impact we made with our digital onboarding and our identity verification space was in the pharmacy. We saw the Combat Meth Epidemic Act back in 2005, a major need for pharmacies to be able to manage the purchase and sale of pseudoephedrine products. There was a huge issue with people taking the products, jumping around between stores, buying up a lot of products, and then going home and cooking methamphetamine precursors. We invented a system. We launched it in London, Kentucky, with a drug task force. Cody identified they were smurfers. I followed him back to this house and popped him for his lab. That happened in one week. We had CBS ready to contract within three months. It's about 60,000 pharmacies using our platform. It's 200,000 milligrams of meth off the streets every week. That's my claim to fame there.

You're the reason I have to give them a birthday every time I get some decongestants.

We need to get more controls in place when it comes to Big Pharma and what's going on there. Let's shift over and talk about what's going on in the mortgage space. I love talking to innovators and those who are looking for solutions. You clearly have that. We seem to have and continue to have significant cybersecurity issues here in the industry. In spite of us before the significant effort to stop that, we hear about more and more security breaches. Whatever we're doing does not seem to work. Could you give us a state of the industry as it relates to cyber security and just how vulnerable we are?

The financial sector is the number one targeted cybersecurity attack more than any other sector in the world when it comes to security breaches.
That goes back to why robbers rob banks. That's where all the money is. It's weird that finance is looking for this, and they're doing it to get wealth. It makes sense. We're vulnerable. You think of industries out there.

You're exactly right. The money's there, but there is a lack of controls and mechanisms in place. If you think about the mortgage process, it still boils down to a commission loan officer performing an identity verification of the borrower, and then everyone throughout the lending process trusts that one loan officer makes a photocopy of a borrower's ID.

We should point out here that you owned a partner in a mortgage company. It's not like you have an entrepreneur who does not understand the mortgage process. Talk a little bit about that.

We got into the business a while back. It was successful up to the 2008 meltdown, which affected a lot of people. From that point forward, it was synonymous with the proliferation of mobile devices and mobile phones. The whole industry and security measures started changing. It seemed to me that the mortgage never changed. Every time I go back to refinance a house or have some experience in the mortgage industry, I literally went through a title issue the other day and was sent some knowledge-based authentication questions, which was popular in the ‘80s. Nowadays, that is not the mechanism to identify people.

Explain when you say knowledge-based mechanisms or what that is for us.

Knowledge base authentication is simply someone giving you a series of questions and you have to answer them. For example, “Here are four addresses. Which one did you live in? You had a car in the ‘90s. What color was it?” Those types of questions that supposedly only the person answering should know. In reality, 294 million people were impacted by cyber security and personal data stolen. If you think about that, every year and a half, one of us has our identity stolen. That's the fact. It's out there. Your data is out there.
Any time you fill out a credit application, you're filling out sweepstakes to win something, your data is out there. It is being compromised. The mechanisms have to be put into play to prevent that, but they're just not happening in the mortgage business.

I have a question and a follow-up comment. I'd like to discuss with us what industries are impacted most by cyber attacks.

The top three are financial, health care, and government. The first one baffles me because you have a lot of money and people are protecting their money. I'm still just perplexed that the financial sector is number one. In healthcare, you can understand that because you have so many people participating and touching the environment. From employees to doctors, nurses to vendors, everyone's hitting that network. There's a big opportunity for breaches. Thirdly is government because we all know Biden's back. We don't know how that game works. They have a lot of great ideas and concepts, but they are not necessarily the best vendors providing the service.

The follow-up item I have is not as much a question as it is a statement. I would like you to respond to it. I know that when we talk about cybersecurity, we're talking about people trying to get into what you have in one place or another, but there are so many applications. When we talk, my mind goes wild thinking about things. I'm thinking about how great it would be if I walked into Wells Fargo, where I bank, and the counter. I did visual identification there rather than having to pull out IDs and all that stuff or doing that little four-digit password on the keypad, which is how many times we talked about how people can figure that out. I was thinking about pulling into a drive-in. They can't even see you in a drive-in and how nice it would be that you say you pull up and you hit your Wells Fargo app and do an image ID. It transmits internal to the driving one to tell her to do things like that.
Do you think we're going to see things like that in our lifetime? Do you think in the next 10 or 15 years, we're going to see some things like that, like clear at the airport where we depend on the visual ID?

It's moving there. Some industries are quickly adopting it. I'm hoping after this, the mortgage industry will start progressing in that direction a little more aggressively. You hit the nail on the head. About 90% of all data breaches are a result of someone giving up their credentials. What I mean by that is giving up a username and password. We all work on computers all day long. We are constantly being attacked. The term is called phishing attack. What happens is you receive something that looks like, “Microsoft is asking for my credentials because there's been some changes to our Windows application.” The consumer will put in their login credentials and they'll ask for some basic information. It could be a credit card and mobile number, but any of that information they provide gives the hackers keys to the kingdom. Businesses don't realize this. The business is one disgruntled employee away from having their network hacked. If you think about it, one phishing attempt to an upset employee can give keys to the kingdom away in a heartbeat. That's the troubled part.

The thing is, what we're bringing to the environment is the liveness authentication. You hit the nail on the head there, Marc. Our focus is to eliminate usernames and passwords. You eliminate the data and the breach mechanism and just put a padlock on the door and they can't get through it. If you do that, and everything driven forward is liveness, then a trusted device to do a one-to-one match. What I mean by that is if you enroll in the system using your mobile device, you have to do your live discussion and your mobile device to access the system in the future. That eliminates hackers. They don't have your phone, they sure don't have your face, and they don't have a liveness of your face.
Combining those two together takes the security level to an exponential notation from what is out there.

You mentioned you get a lot of phishing attacks. I've tried to educate my wife. I said, “Read the email that's coming from. Most of these phishers are using crap emails, but every once in a while, they get creative on emails and it looks just like it's a bank.” It's a real challenge we have in the future. We know what phishing attacks are, but if you could cover that again, also how artificial intelligence is impacting this latest round of threats.

Phishing is the fraudulent practice of sending out emails or texts. The whole goal is to make it look like a reputable company in order to induce individuals to reveal personal information such as passwords, credit card information, birthdays, and any personal information given up to these individuals. To put it in perspective, every day, there are about 3.4 billion phishing emails sent out. In 2022, almost half of every email sent out was a phishing attack. Think about that. It's Barbarians at the gate. It feels like they're just mounting an insurmountable number of emails to overcome. It's one of those that is going to make it through. That's all it takes is just that one. The interesting part is that 94% of all cyber-attacks are triggered by an email situation or compromise. They're highly successful. Why would I keep doing it? There's another scary statistic out there. There are almost 1.4 million new phishing websites created per month.
You have some great numbers here. Do you have any idea what percentage of the phishing attacks go after seniors in this country?

I don't know, specifically. I don't even think they need to boil that demographic down. It's scary to think that they would target elderly people. You can't get much higher than 94% on success rate, but that would be a scary proposition, I imagine. With our data version of AI, it is a new bully on the block. The stuff they're coming up with and how fast they can do what they do. There was a report out that they can crack over half of the common passwords in less than a minute in over 70% and less than a day. Just by artificial intelligence that we're just now seeing out there in the news. That's going to be the next growth model or the next attack. Our technology is not even getting into the quantum computer that is already there. IBM created one of the first quantum computers, which accelerates this exponentially.

It's getting down to what you're saying, facial recognition, which is something we now all have on our phones. Is it foolproof?

Facial recognition is not foolproof, but liveness authentication is.

Explain the difference between liveness and facial recognition.

It's very good. We all use it. If you have an iPhone, you can look. It allows you to get into the system, but it's basic. It picks out a couple of points on your face and allows you in. It doesn't have to be very robust because 99.9% of the time, you're the person in there going at your phone. It's easy to recognize you. Liveness authentication is a series of events leading up to face liveness recognition or we call it liveness access. What happens is you build the case and a profile of the individual by onboarding them, by authenticating their phone, and their ID, and then capture a video in the perfect image of them, cross-matching it back to the other devices. For example, my face to the face on the government-issued ID.
The end result is to create a biometric template that is extremely secure and that's gone through some top-notch rigor to say, “The data matches. The phone matches.” You build all these checks and balances. At the end of the profile, it says, “I feel certain this is more.” We take that, decentralize it, break it up in a piece, and store it on a peer-to-peer network in different nodes. The whole focus now is not only we build this wonderful profile but we've broken into pieces where they can't put Humpty Dumpty back together again, but we do it on the matching side. As you come into any system, if you've onboarded, we are going to recognize two things. One is the device that you enrolled from and match it to that face preset true one-to-one comparison. It's probably the highest level of access security out there available.

What are some of the major exposure gaps companies fail to identify and deal with?

The major one is denying and sticking their head in the sand, thinking it's not going to happen to them. You can't do that. You’ve got to be ahead of this game because the fraudsters are relentless. They're not backing down. We talked to companies all the time. They get hit, and then they try to go out and get cyber insurance after that. They're paying ten times the premium. Cyber insurance alone is astronomical. They don't even know how to price it up. It's gotten so bad in the industry. I was speaking with an insurance carrier the other day. They've elevated their rates ten-fold in the last few years because they're just trying to stay ahead of the claims because they're getting destroyed.

How do companies mitigate their exposure? If you were to write a consulting plan, how would you tell them to mitigate your exposure these days?

Think about what companies need to do. Internally, they need to look at what they have nowadays, “What can we do to improve this?” You see a lot of them say, “We store our data and hosted environment.
AWS and Azure are taking care of.” That can be further from the truth. Seventy percent of companies that have their data hosted in a cloud service get hacked in the first year because everyone's under this illusion that one of the hosted environments is protecting their data and they call it a shared responsibility model. What that means is you share your data, and then you are responsible for your security. AWS, if you put it in perspective, build the house and they let you put your furniture in the house. You, as a business owner, are responsible for putting in windows, doors, all the locks on, and surveillance. All that is the responsibility of the business, not of the hosted platform. That's one big illusion that companies look strongly.

The second one is multi-factor authentication. You see a lot of it out there. We do multi-factor, but we do it in a multi-dimensional approach. We're fans of it. Unfortunately, the fraudsters and hackers are already well past multi-factor authentication. What they do is they build these phishing kits and look like legitimate services used to steal credentials. They forward the MFA request to the user. They'll post out a bank. Look at the bank logo and they'll make it look like it's your bank, then they'll steal the credentials, then forward and back to have people enter more information. Once they get control of that data, what they do is return a session cookie that can be used to access legitimate services as the user. Once they get that cookie and play, they can go in as the user, access the systems, and take over the accounts. It's referred to as an account takeover.
You hear a lot in the mortgage business, “Business email compromise.” I'm thinking about how vulnerable we are, but I wanted to instill this down to practical mortgage day-to-day operations. We all are working with an LOS. More people are working in addition to the LOS, which is a core system. Most would agree. You have these purchase point-of-sale terminals where we start interacting right away. We also have our CRMs and some of the tools that are out there. We have a Total Expert and SimpleNexus as one of our sponsors. There are any number of the larger LOSs out there. How should people start thinking about their tech stack as it relates to mortgage lending, and how do you intersect with that?

We push and put our stake on the ground. We believe that liveness authentication and decentralized biometrics are the key moving forward. That’s not just for the borrower but for the provider as well. You have it secured on both ends of the spectrum. Think about this. It's easy to do. It's a one-time onboarding. A borrower would want to get a mortgage. The mortgage lender in this scenario would send out a link or they can scan a QR code. They go through a simple boarding process.
All we do is type in the mobile number. They take a picture of their government-issued ID, front and back, and they take a liveness scan of their face. We do all of our analytics on the back end, create this profile, and decentralize it. Now, everything is moving forward to the entire loan process. Everybody can go back to that borrower anytime in real time to say, “I want to authenticate that person.” Think about this. They are on board and submit their data. We normalize the data and auto-populate the LOS with that pristine data from their driver's license and other sources. The loan officer has a color image front and back and a digital version of the government-issued ID, which is another win for them. They're checking all the boxes when it comes to their anti-money laundering and their Bank Secrecy Act compliance. We do the watch list checks. We do all that for them. Everyone down the line feels extremely confident that they have a single source of truth to validate that borrower.

When he gets down the line, let’s say, he goes into a secure wire situation or instructions need to be set out. All the settlements should have to do now is send them a link. The borrower hits the link on their mobile device, takes a selfie, and sends it back. We know that device. We know that the phone belongs to that borrower. We know that face matches that device. In seconds, we're returning results to the agents saying, “That is the right person. Go ahead and send them the wire instructions.” Now they have a secure end-to-end environment where they can safely move the information where you have a borrower that's now not wiring money to phony offshore accounts. They're wiring it to the actual secure agent that they were working with from the beginning.

A lot of people get complacent in this because they go, “It's the title insurance problem if they do this.
It's the consumers' problem.” We need to wake up and realize that every one of our companies, even us personally, has a responsibility in this process. To what extent, if we fail, how is a loan officer or employee liable in those situations? Are they personally or is there a totally come under the bread level of the company?

It's a checkbox at the end of the day. There's a liability. There's no blowback on it. They're responsible for reasoning loans. You're going to have some people do it right and some people that could possibly do it wrong.

I get to the point where we, as companies, have got to take this seriously. We got into the training on this. We have to make sure we have the latest tools to do this. How are you helping companies do this? Do you have a product? Let's talk about what your company specifically does, and I'm talking about Moby.

Acquiring to what's going on here in the mortgage business, our focus is real simple. We would eliminate exposure gaps and data exposure. At the end of the day, we want to make sure that you're dealing with the right person at the right place at the right time. It's a very simple approach. Anybody would want to make sure that they have the right borrower, even all the way down to the closing table.

I had a discussion with a title agent. I said, “What do you do to authenticate that borrower when they walk in the door to sign the documents where they're doing it online?” They're like, “The loan officers did that. We trust them,” I said, “What happens if there's a fraction here and he hits you for a $400,000 loan? Are you on the hook for that?” His response is, “I could be.” I said, “Does that trouble you?
Doesn't it bother you that you are dependent on some unknown person making sure that's the right guy walking in your office?” What we do is take them through the rigor. It's a very simple boarding process, less than a minute for the way to get on. They do it one time, and that's it. Anytime from origination to secure wire to remote online notary to the closing table, even post-closing review, any of those professionals and providers have the ability to send out a link to the individual to their mobile number on file in the LOS, hit a button, hit another applet and sends out a notice says, “I need you to authenticate yourself.” The person hits it and does the liveness access. We call it liveness access for the selfie. It's done virtually real time and everyone just feels secure. There's no customer friction.

That's what I get pushed back mostly on. I find that banks and mortgage companies are so worried about customer pushback and friction. In reality, this is a better customer service approach because you think about it, if you have a mortgage officer who says, “I'm sending you a link. I need you to do X, Y, and Z to prove your identity,” as a consumer, you're going to be like, “I like this bank. They're protecting my money, social, information, and reputation.” Banks have looked at it backward for years. It wasn't too long ago when you were putting a thumbprint on a little pad and putting your fingerprint on the back of a check when you were depositing a check over $4,000. It's mind-boggling. The archaic approach is still in the industry nowadays, but the industry needs to take a big leap forward.

We already have a cost problem in our industry. Our costs to bridging a loan are going up exponentially. That doesn't even factor in, “Should there be a loss?” as a result of a cyber security attack. When it comes to implementing the type of technology that Moby offers, how long does it take and what does the cost to do?

Implementation is pretty straightforward.
We can stand alone or integrate into LOS, CRM, or even a title agent's platform. That's full APS stock or SaaS architecture. It's easy to use. We're device independent. Anybody with a browser, it could be a Mac, PC, or a mobile device. It does not matter, but when getting implemented and launching the service, there's no capital investment or hardware needed. I could set up a major banking system within 1 week or 2. It's literally knowing what their addresses are in their facilities, assigning site-specific QR codes to those facilities, and then bringing up some training. It's everyone's off to the races. It's very fast.

As far as costs, it is successively reasonable. The average transaction that we allow in this scenario is for a borrower to originate to run through the multiple use cases and have all that data readily available at the end. The normal transaction is less than $10. It's a transactional model. It's transactional based on that specific use. You have a user and a borrower says, “I'm using it.” There could be multiple transactions going back and forth, where they're authenticating the guy repeatedly. It doesn't matter. They have unlimited authentication.

Is it by the borrower or by transaction refinance? If they refinance after they've done their first mortgage, they get a purchase mortgage. They refinance another $10, or once you have a relationship with that consumer, it's $10, one and done.

The subscription is $10 and lasts for one year. If they have origination and they refinance and let's say, one year, there are no additional costs. Outside of a year, which most indicate. Most of the time it happens outside of a year, then there's going to be a cost for that again.

$10, for the amount of money that it saves, the risk that it takes out seems reasonable.

We find that you have a satisfied customer who understands if you think about dynamics and you have 85% of consumers now are looking for a better customer experience more than price.
There's a report that says that 86% of consumers are willing to pay more money for a better customer experience. That's been part of the issue. The mortgage industry is moving there. It probably needs to move a lot quicker because all the digital that's coming into play is starting to change the industry because, at the end of the day, no one enjoys paperwork. Everyone has Harper. I went to the doctor and it's the same form every time I go in, but that's part of it. It's well overdue. What we're trying to do with the industry is going to protect it and it's an easy user case. It's the same process for every step. Once there's an onboard, anybody can follow just a simple hidden applet, send a text, and the bar’s authenticated within seconds. You can't ask for an easier or lighter version.

I have two things I'd like you to pan on here real quick. The first is, in anticipation of this interview, I did a little count. I have 82 passwords. I might be all 5 or 10, either way, but I got 82. Because of this constant thing where you’ve got to be changing your password periodically in some companies, those deals where I have to reset 78 passwords a month, which I see your technology could completely eliminate that issue and I guess I’m wrong. The second thing was my cardiologist shared something with me, and I haven't followed up with him to talk about it. When I go back in, I will, and he said what's happening right now in the medical field. His medical costs have gotten so expensive. There's so much fraud in that now. Close people are stealing an ID, making up a phony ID, and going to a brand new doctor representing.
They've phished the insurance number off the bar because they did something stupid when they asked to validate your account or something and going into your doctor and getting surgical procedures done off the phony ID and all that stuff. I never thought that would be a problem, but it's apparently becoming a bigger problem. Did you hear that?

You're a genius. To your first point, I looked at myself. The average person has about 100 email usernames and passwords. I keep a spreadsheet of mine, just to give you an example. I have tabs underneath of a base on different things. I completely agree that eventually, liveness authentication is going to replace username and password. You think of the rigor and the friction that you go through because I'm a big fan of two-factor authentication, where you type in your mobile number and you get a code, but do it every time, it wears you out. Every time you log into something and it's asking for more information, that's a bad customer experience. Our focus is saying, “Let's clean it up.” I'll use your scenario with the hospital because what you're describing is the number one Joint Commission target. Their goal with the Joint Commission and healthcare is to eliminate patient misidentification, not necessarily for theft. It's literally for hospital change or lose on average $17 million a year in denied claims due to patient misidentification. Don't even factor in how many patients go in there and they pull up the wrong file on them.

From one who went into the emergency room for the first time in my life at 55, I gave him a Social Security number and some of their individual had been using my Social Security number at the hospital for a number of years. I had to prove to them that it was my Social Security number before they would treat me. It's mine.

What you're describing is we have a local hospital here, the biggest chain in the Louisville area. They have been breached. They have a cybersecurity breach going on.
Their entire network is down. I was over there for an appointment. They were using paper forms that had to eventually be re-entered and reissued back into the EMR. It's crazy to think that these organizations are still reliant on usernames and passwords for access to get into these systems, specifically in the financial and healthcare markets because their 1 and 2 out there are being attacked.

How can people get a hold of you if they want to learn more about Moby and your services?

Look at our website at GotMoby.com or just give me a call. My direct mobile number is (502) 664-6069. Call me anytime. If anyone has any questions, I'll be happy to spend time with them and do any type of service education to help them understand that this is a very serious issue. It's not necessarily the financial amount of front. It's the long-term losses. They're showing a 15% decline in business. Once they get breached over 3 years, there is still a 15% loss, and haven't regained back to their old business position. It's got a long-term threat and ramifications. People need to get ahead of this before it’s a fraud issue because it's not a matter of if, it’s when. You can think it's going to happen, but you're going to get breached.

It's important. Thank you so much, John, for being here with us. Thank you, Marc, for joining me in the interview. It’s good to have you all reading this. Take this seriously. You read a lot about cybersecurity. Check out what John and his company, Moby, are doing. It’s GotMoby.com. Thank you so much for being here.

I appreciate it. It’s my pleasure.

Marc, thank you so much.

It's been great.
