The Emerging Threats of AI with Eli Farhood

[00:00:01] Get ready to discover some of the most actionable DevOps techniques and tooling, including performance and reliability for some of the world's smartest engineers. Hey, I'm Joe Colantonio, host of the DevOps Toolchain Podcast and my goal is to help you create DevOps toolchain awesomeness.

[00:00:19] Joe Colantonio Hey, it's Joe, and welcome to another episode of the Test Guild DevOps Toolchain. Today, we'll be talking to Eli all about the emerging threat of AI. There's a really interesting story that you're going to get a lot out of. If you don't know, Eli is a licensed trader and financial market analyst. He has co-managed portfolios for over two decades in multiple financial hubs. In his career, Eli gained a deep knowledge of cybercrime in money laundering, which I hope we'll get into. And after becoming an identity theft victim, he created catch to solve a problem affecting hundreds of millions of people. Really excited to talk to him about this. You don't want to miss it. Check it out.

[00:00:55] Are you ready to level up your DevOps game and crush those quality challenges? Whether you're dealing with flaky tests, scaling automation, or trying to integrate security into your pipelines, we got something just for you. Introducing the DevOps Quality Testing Playbook from TestGuild. It isn't just another PDF. It's your go to guide packed with actionable insights, best practices, and strategies to help you create a bulletproof DevOps toolchain. It's built specifically for engineers, testers, and DevOps teams who want to optimize their workflow and drive continuous quality throughout their pipelines. The best part? It's free and ready to download, so don't miss it. Head it over to Testguild.me/DevOpsbook and grab your copy today. Stay ahead of the game. Optimize your pipelines and let's crush those quality challenges together.

[00:01:45] Joe Colantonio Hey, Eli, welcome to the Guild.

[00:01:49] Eli Farhood Hi, Joe. Thank you for having me.

[00:01:51] Joe Colantonio Great to have you. Like I said, I think you have an interesting backstory. Before we get into a little bit of context, how did you become an identity theft victim and how did it lead you to creating your own company?

[00:02:01] Eli Farhood That's a great question. In 2015, actually, 2014, between 2014-2015, I had someone accessing my checking account by just providing my personal information to my bank. It was as simple as that. And they claim my identity there and they believed it. It was apparently through very remote communication, a phone, a combination of phone calls. And he didn't go through the crash risk there which, let's just put it this way. And he was able to transfer money from my checking account. Some banks allow that. Some banks don't. Depends on the banks risk appetite. And depending on the country as well, some countries have different regulatory requirements. But it was such an interesting experience and it was a struggle too, on a lot of fronts, mentally, most likely and financially. And also, you have to go to court and prove you're innocent. And it's kind of like you become tarnished. You know, your identity becomes tarnished. You become like a blacklisted person, no one else to do business with you because you're a risk. It's as simple as that. But when I was investigating with my bank, why this happened and how is it so easy today to just grab someone's information and steal their identities. And you realize that, well, there are a lot of data breaches happening every other week right now, and we call them technically the cyber security honeypots, right? And those provide records of sometimes hundreds of millions of people. I mean, just recently there's 3 billion Social Security number that was compromised. We heard about it in the news. What are these data breaches? We all covers that these data breaches are providing scavenged with our credentials and sensitive information. This is basically what's happening. And when they have that information, they can hack our accounts, they can claim our identities, they can hack our devices. And this is where the real risk lies. In America, we're very famous to make it easy to do business right in financial institutions. You just provide some of your information, a few clicks on the web and you create a credit account. But then it's easy. At the same time, there's a trade offs. You're at risk of getting compromised of someone using your information and not just to steal money. A lot of the cases, actually, and this is part of money laundering, a lot of frustrations, they don't care how much money you have. They don't care if you're a billionaire or if you're a millionaire, even if you're broke. All they care about is using your information to create fake accounts under your name. And those accounts can be used to funnel illicit activities. Basically, that's what they do for the most part. And in money laundering, everyone knows about this industry. This is basically how it happens. So then when they fall, you fall. They don't. Because they're using your name. And this is where the risk lies. And that's how it happened to me. And it was such a learning curve. Part of my work as a portfolio manager and a financial said, you're a licensed expert. My duty was to protect the financial data of my clients. I know the drill. I know like how to protect this information. But when it happened to me and you really have no say in that. Like, I didn't have a say of how someone grabbed my information. Maybe they got it from the dark web. I don't know how they got it. It's just that it tells you clearly that there's a problem. And the problem is 80% of fraud stems from stolen ID credentials. Just think about that number, 80% of fraud globally uses stolen id credentials. We have a big problem and we tried at catch to solve this problem.

[00:05:52] Joe Colantonio It's a great point about money laundering. I had someone that was running credit cards through a low price item I had on my website and just cycling through hundreds and hundreds of numbers until I shut it down. And some of them actually went through. I assume someone is just trying to see if it goes through. Once it goes through, they know they have a real credit card, I guess, and real identity that they then can use for money laundering, because a lot of people think, hey, I don't have millions of dollars so I don't have to worry. But obviously, like you said, that was a good point.

[00:06:18] Eli Farhood Yeah, exactly. And that's why and this is kind of like the two decade old problem. Now we're facing an emerging problem AI, AI is such amazing technology, fascinating, fabulous. Call it whatever you want is going to change the world. I've started learning about AI and coding in AI, and I'm also fascinated and I've seen what was going on today or what happened recently with that theft of $25 million at the Hong Kong based company. I've seen that coming. It was obvious that it's going to happen where someone used a Deepfake video, pretend to be the CFO and he was giving instructions basically to his assistant, Hey, wire $25 million. We don't want to lose that deal. And so there was this urgency. And the thing is, if you read it on CNN, it tells you that the assistant was doubtful about what's going on, but that urgency and he saw his CFO on live on camera during a Zoom call he never thought it would be a deep fake. But there. You doubt it and you do it because you don't buy it. But that person, you're speaking to them, they sound like your CFO, they look like a CFO, right? All say, walk like you talk, ...., right? Same thing with. Yeah, the emerging threat of AI is serious. And while it is a fascinating technology, fraudsters now have access to it and everyone have access to it. And I know that software players are using it. And also, you know, powerful hacking groups are using as well. And so it's going to provide them a lot of leverage here and we need to be ready.

[00:08:03] Joe Colantonio I didn't know about the deep fake hack. That is crazy. At this point, then how do you prevent it because when I read about hacking, it's always like usually it's not necessarily a developer that has a wormhole. It's usually like you said, someone calls that they're pretending to be someone. I don't even know how do you get around now with AI now doing deepfakes to prevent it.

[00:08:24] Eli Farhood Great question. So like I said, when we started attempting to solve the problem, we decided to eliminate credentials. That was our first goal because we wanted to leave hackers with nothing to steal about us. Okay. Any access codes, any passwords, any username. We wanted to eliminate that component because, to be honest, I mean, look at history, if you look back just 50 years ago, every now and then, there's a large data breach. Trillion dollar companies like Microsoft can't protect themselves, they can't protect their data, they can't protect good clients. Right? We've seen it last year. What do you do? Like if you cannot protect the information that is publicly available, what do you do? What's your solution? Well, the solution for us was to eliminate credentials and replace it with biometrics. But then that wouldn't help me as I fell victim. My problem was that someone stole my information and claimed my identity. And this is how the system runs pretty much all over the place. If you go to the UK, USA, Australia, Asia, part of Aisa, most part of Asia, they do use what we call in cyber security, PII, personal identifying information. And that information can be used to just represent who you are. We decided additionally, on top of eliminating passwords and multifactor authentication, which are really highly risky. We decided to also allow you to authorize who can use your information whenever you need. And so think about this right now, my information is compromised. Scammers want to use it. They go to the bank. They want to create a credit account, but then they can't create that account before I authorize and use it. But then how do you authorize it? This was the challenge that we were facing. How do you allow people to authorize who can use your information. Because today, information can be compromised, used by big tech, by whoever right? We want to bring back control to you, the individual. You have to take back control over your data and you have to decide who can use it, who cannot use it, where they can use it, for how long It is going to be used? For five minute, ten minute, one day, one week, whatever it is, whenever you need that information, we want it to allow you to authorize who can use it so that you can take back control of your data. Your sensitive data. These are yours. These are your credentials, so to speak. To the government, to agency, to financial institutions. And that's how we started, attempting to find a solution for what happened to me personally. And our solution was basically your hand. Just use your hand. It's your biometric. You won't lose it. No one can steal it, right? And with that, you can authorize on any smart device who can use your information. We're protecting you by protecting the use of your information or giving you back control over who you're allowed to use your information. And then we're eliminating passwords, which also are a great vehicle through those data breaches that hackers.

[00:11:32] Eli Farhood Alright. I would think this is kind of like a mind shift of from the way people are used to doing things. How do people start incorporating this technology then? If I'm a developer listening to this and have an application of software? How hard is it to integrate into biometric data like you have or your technology in order to get it to work? Can they retrofit it? Does it have to be built from the beginning with this type of authentication in mind? How does that work?

[00:11:54] Joe Colantonio So if you look at most robust biometric systems, I'm sure a lot of people heard of some clear at the airport, right. Or they've probably heard of face ID on iPhones or they heard about Amazon wand at the Whole food store, right? Most of these robust technology, we call them robust. They have a problem. They do rely on a device. And unless that device is available, that can be it disappears. And so we also attempted to solve the problem from that perspective. We wanted to eliminate the hardware so that we can democratize access. When you can access your identity, using your head on any smart device, it's basically like a password. That's the beauty of passwords, right? Passwords work everywhere. You can change them if someone stole them, right? Steals them. Right. And they work on a laptop. On an iPad. And this one device, we wanted to replicate the convenience of passwords, remove the friction of passwords and give you a back control over who can use your information. That's basically the genesis of Couch. That's how we started building this. And I was really lucky that my co-founder is a veteran in cybersecurity. He has more than 20 years of experience in that field. He has one successful exit. So we have a proven team. We have addressed IBM, Raytheon, Symantec. And those veterans really are helping us shape up the product and come up with the value that businesses need, that consumers need, because we want to provide protection not just for consumers, for businesses. Think of like financial services, for example. They have on their infrastructure audits, customer information, employee information. If that information is compromised you as a business, your whole you're held liable, right? And someone can sue you. So think of all those risks as a business. You know, we can protect that as well. And but so again, to provide that protection, we had to eliminate the hardware elements from any biometric system. It just doesn't work. It's for us, it's a nonstarter. If you need a special hardware. Good luck. I don't have access to my account anywhere. And you still have to use passwords at some point. If I can't use it on any device, then you have to allow me to use passwords. And the moment I allow you to use passwords, then the risk is still there. We haven't really solved much. We needed to eliminate passwords, and in order to do that, we needed to provide you access on any device. That's why we thought of developing a technology that works without having to have any special device. It works on your iPad, on your laptop, on your phone, on your Android, on any small device that has a camera.

[00:14:36] Joe Colantonio All right. How does it work then? Rather than a log in screen, just place your hand here and then?

[00:14:40] Eli Farhood Yeah, basically, think of it like if a bank deploys our technologies to software only solution, all you have to do, as in the journey, would be starting their banking app, waving their hand and they have access to their phone. I mean, for their bank account, they don't need any password. They don't need Authentication code, they don't need all this hassle.

[00:15:02] Joe Colantonio All right. I know a lot of laws being passed like GDPR. You get fined a lot if someone has shown they're stealing your data, especially to work for health care. So do you see this as a way to actually make your GDPR compliance even stronger because you're like hey! I'm not storing anything. I'm storing, I don't know what you're strong. I storing a handprint. I don't know how that works. You're not storing any PII information, I guess.

[00:15:24] Eli Farhood That's a great, great question. So one of our clients is actually based in Europe. And yes, we're dealing with GDPR and we found a way around it. We're going to deploy our tech on their infrastructure. And so the business, because GDPR does not allow a third party to authenticate someone's business, right? And so the way around it was that we deploy our tech on their infrastructure, and this way the business client will authenticate their all clients using our tech on their infrastructure. We're not dealing with confidentiality. We don't get access to that information. We don't deal with any kind of customer data that the client has.

[00:16:05] Joe Colantonio Love it. Biometrics, like why is it more secure then than using, say, a password generator that creates like a crazy password for you automatically? Why is this, you think, a better solution than something like that?

[00:16:17] Eli Farhood Yeah, that's amazing because. Well, the thing is that you can steal anything today. You can use AI to recreate anything as well. And in the future, even though there are some technologies that can verify. That's AI. The digital sign in the app, which in the future, even as AI becomes more mature as a technology and more advanced. We know for a fact that we will not even be able to tell the difference between an AI footage and a real human footage shot with a camera sensor. And when that happens, it will be extremely hard to protect people unless you deploy certain technologies that can verify personhood or can verify that that biometric is a human biometric. And that's what we attempt to do both with catch, because in our technology, we have that engine that can verify whether this image is a human biometric or whether it is a deepfake biometric. We also use other biological mockers so we can detect pulse and other mockers that are part of our trade secret that can certify to the highest degree that this biometric belongs to you, the owner of that identity, and not someone else who has a photo of your hand, who could have a video of your hand or who could have compromised our servers. But just to tell you more technically about that, even after our servers are compromised, that wouldn't matter much because we don't have any raw biometrics. When you sign up to our servers, let me walk you through what technically happens. We take a picture of your hand, but that picture then is converted into a function. We have a mathematical function that represents Joe, for example, and we house that function on our servers at eight different locations, and we purge that biometric image that we took from your hand. And the reason why we're purging it because that's not good to us. We want to have all the tokenized items that represents your identity and they're going to be stored on several different locations so that we make it extremely hard for fraudsters to steal that constant which represent who you are. I hope I was able to do that.

[00:18:36] Joe Colantonio Yeah, absolutely. Because I was going to ask you, what's going to stop someone from stealing your biometric of your hands and creating a 3D? I know this is outrageous. A 3D model of it. And like really try to mimic as much as possible. It sounds like you have algorithms that I just learned about recently about deep fakes, that people can look at the blood flow in your eyes, some sort of algorithm that'll know if it's a fake. So it sounds like something similar to biometrics at the hand.

[00:18:58] Eli Farhood You could say that. And you can't stop anyone from seeing biometrics. Let's start there. Your biometric is available on LinkedIn, it's available on your Facebook, on your Instagram. We're taking pictures here and there. We could be at it.

[00:19:11] Joe Colantonio That's true. Right, Right.

[00:19:12] Eli Farhood Right. And if you're targeted, like we're going to take things to the highest level of security, if you're the targeted person and you happen to be at an event and someone just snapped the picture of you have a hidden camera somewhere in the chest there, someone can get your biometric one way or another, especially if it's facial recognition. We believe the hand is much more secure than the face because someone has his hand on his profile. And it's a voluntary biometric about like if you're walking down the street, cameras are capturing your face anyway. So we call that a passive biometric, but your hand is a voluntary biometric. It's not going to be captured even if you're walking down the street. That's why we believe the hand is much more powerful and more secure biometric than facial recognition, and also has a lot of other advantages. For example, it doesn't discriminate against people of color or races. Also, besides being a voluntary biometric, it is private. Think of that. Facial recognition, eyes recognition. All these are invasive technologies.

[00:20:15] Joe Colantonio I think it's a good point, especially with software developers, algorithms that have biases baked into them. You bring up a good point. This sounds like a way that maybe you can train, not have to worry so much about biases. So how true is that then? How accurate is that?

[00:20:30] Eli Farhood It is so true. The reason why there's a bias, not just because of the algorithm itself. There's a technical reason. When you happen to have a darker skin, a shade, AI struggled sometimes to figure out where's your eyes, where's your nose. And that struggle sometimes makes the eye on inefficient. If that makes sense. And sometimes it gives you a false negative or a false positive. It can be both. The hand on the other hand, the hand, no matter what skin color you have or race, or what kind of race you belong to. They all have a bright palm. And we did our lab tests on that. Like black people has bright palms. The hand has a lot of features, specially this color, always having a bright palm. Actually, to your point, if you happen to be a black person, your hand is much more accurate than a white person. If that makes sense because there's no contrast. You have the black lines on your hands. But then you have a white backdrop, which is perfect for identification. But just giving example that, yes, the hand has a lot of advantages from a discrimination perspective, from a privacy perspective, and also from a security perspective. A lot of the times and I'm not sure if you've seen it, but the demonstration of how they act face ID on iPhone if you ever watched that?

[00:21:59] Joe Colantonio No. No.

[00:22:00] Eli Farhood Okay. Yeah, it was hacked three months after the launch of the face ID of iPhone. And the way they hacked it is that they literally, like, used a 3D mask of that person. They 3D printed a mask of the space. They put sunglasses on his eyes to mimic real human eyes. And they unlocked the phone. It was that simple. The hand is a very like I would say, it's not a static. It's very highly that you can make gestures with that. How can 3D print that? It's very hard to 3D print a hand and make a gesture. And those lines, as you close your hand and open it, they change with every frame of that sequence while the face is more static. You remember back to the days when they were allowing you to use facial recognition with a mask. And they said, okay, I know who you are. That's because facial recognition, for the most part, focuses on this side of your face, the static part. And the more static it is, we say we think it's, the more risky. That's why the hand is very hard to recreate on 3D printer.

[00:23:07] Joe Colantonio This is a dumb question. Does your hand ever change? Like my mother in law could not get fingerprinted. I don't know why? There something with the fingertips, couldn't get a fingerprint off it. Is that possible with the hand as any use cases where the hand changes over time or is it usable?

[00:23:24] Eli Farhood Absolutely. It does change over time, not over the weeks, but definitely over the years. And that is not a problem because every time we are using catch, we're grabbing a picture of that pen, tokenizing it and retraining the engine by the device. As long as there are minor changes over time, that's not a problem. The problem lies if there's a sudden change. Let's say you had a wound on your hand. Maybe there's a large scar that just wasn't there when you signed up. Yes, that will be problematic. But then we give you the option to use both hands to identify who we are seeking use let hand, right hand. If this one is busy, you can use this one or other way around.

[00:24:04] Joe Colantonio All right, Eli, this sounds like a great solution. How can people learn more or sign up that they're interested in it? Do you have like a free trial? Like, have you gotten a lot of input already from the market that this is definitely something that people want to do to start using hand type of authentication within their software?

[00:24:20] Eli Farhood Yeah, absolutely. Thank you for bringing that up. So we have had interest from IBM as a potential partner and also we were chosen by Visa among the top 5 FinTech startups in the United States. We also worked with the FDIC on digital identity proofing for community banks. So we've had some interesting validation on that side. We also grabbed several LOIs, and now we're engaging with B2B customers. Like I said earlier, one of them is based in Europe. There are interests that use our concept and explore it and try to offer it to their end users. And now, we're actually trying to also gauge interest from the end users. We want to know if retail investors or the consumers are also interested in that concept. We wanted to regulate both sides of the market, the businesses, then the consumers, and that we launched our cross-funding campaign. And so I invite people to visit our website catchid.com. That's C-A-T-C-H-I-D.com where they can also learn more about catch, about its features, about provides and the protection it provides for identity. And there's also an invest button if they want to explore more our investment opportunity and join our journey. Because we think that this movement is just starting. Digital identities are here to stay and this is the future. The future is a lot of private businesses will need to identify where you are. And we want to be the leader in that space so that we help change the world, protect people from fraud and protect businesses as well. We know for a fact if you're able to streamline, if you're able to provide convenience as security on any device, that can change a lot of things in cyber security, especially when it comes to business dynamics, that makes a lot of business very efficient, more profitable. Any profitability on the business side will bring down the prices of their services. It will be more inclusive when you can democratize access. People can access their identities from any device. That's also very powerful. Underserved, underbanked, operate, or perhaps regions can gain access to banking services again. I mean, why do you think banks are charging so many high fees because they have a high cost as well. Those branch that they maintain are seeing them close to $8000 on average per year. If you're able like as a bank, I mean, let's look at Covid, post-COVID, things change a lot. People are more aggressive doing things online. People don't go to the branch anymore. I've heard it from many hackers. They told me, there are ghost towns right now and so most of their branches are profitable. If they cut down on that unprofitable element, they have now those branches. They can become more efficient, they can provide cheaper financial services, be more inclusive and at more expand their client base. There's a lot of dynamics that can go into play. And we're very excited. By the way, I didn't mention this in my discussion but we're very excited about Web3 because digital assets are so powerful and they will change the world. But their problem is that they're not secure. And this is also our next challenge at Catch. We want to use this technology we're building and add more to it to protect digital assets. This is such an amazing space that I'm really excited.

[00:27:46] Joe Colantonio You mean like leveraging blockchain to make it more traceable?

[00:27:49] Eli Farhood Right. Absolutely. Because actually we do use blockchain to track and record the parties involved time, location, and the purpose of the transaction so that it can go back in time and review what went wrong. If there's anything wrong in the transaction.

[00:28:05] Joe Colantonio You're dealing with banking, probably health care, a lot of regulated environments. How could someone trust this type of technology, I assume have you been to like audits? You have to prove yourself to any type of government bodies to say, hey, this is a legitimate technology before a bank or a financial institution can incorporate it into their software.

[00:28:25] Eli Farhood Yeah, absolutely. You have to have it's like sending organic bananas, right? I give that example, all of that. You got to get this certificate that's open. Same thing here. You have to be compliant, get all the certifications needed in order to work with banks. And that's why we know for a fact right now large banks are not our clients because we're not there yet, but we're conducting penetration testing in-house. We're going to conduct penetration testing with a third party, get those certifications, all the compliances needed before we start offering this to big banks for sure.

[00:28:56] Joe Colantonio Okay, Eli, before we go, what's the best way to find or contact you?

[00:28:58] Eli Farhood You can find me all LinkedIn, Eli Farhood. I respond number friend list. But get to our website catchid.com that's C-A-T-C-H-I-D.com and you can learn more about Catch over there and you know I have my contacts as well there you can contact me directly. I'd love to connect and I look forward to-I'm very identity so person to me let's put it this way because I fell victim to fraud and twice, Joe not just once, twice. Last year, 2023. It was another experience. It's very personal for me. There's no plan B for me. I need to solve this problem and protect people, protect myself, protect businesses, and we can do it. And this is why we're working on this so hard then so that we can achieve our mission and vision.

[00:29:48] For links of everything of value we covered in this DevOps Toolchain Show. Head on over to Testguild.com/p168. So that's it for this episode of the DevOps Toolchain Show. I'm Joe, my mission is to help you succeed in creating end--to-end full stack DevOps toolchain awesomeness. As always, test everything and keep the good. Cheers!

[00:30:11] Hey, thank you for tuning in. It's incredible to connect with close to 400,000 followers across all our platforms and over 40,000 email subscribers who are at the forefront of automation, testing, and DevOps. If you haven't yet, join our vibrant community at TestGuild.com where you become part of our elite circle driving innovation, software testing, and automation. And if you're a tool provider or have a service looking to empower our guild with solutions that elevate skills and tackle real world challenges, we're excited to collaborate. Visit TestGuild.info to explore how we can create transformative experiences together. Let's push the boundaries of what we can achieve.

[00:30:55] Oh, the Test Guild Automation Testing podcast. Oh, the Test Guild Automation Testing podcast. With lutes and lyres, the bards began their song. A tune of knowledge, a melody of code. Through the air it spread, like wildfire through the land. Guiding testers, showing them the secrets to behold.