Can you imagine using your smartphone’s location, Bluetooth and other signals to validate access to a certain application and prove that you, in fact, are you? The method may not sound new, but some are finding new ways — including pioneering technology — to do it.
This seems to be the case for Incognia: a privacy-by-design company focused on anti-fraud technologies that promises to offer an extra (and innovative) security solution for companies and, at the same time, reduce friction for their users. And all this combined with the protection of individual data.
Seeking to understand more about the company, as well as the operation and peculiarities of the technology, TecMasters talked to Lucas Queiroz, co-founder and Chief Security Officer (CSO) at Incognia. Check out the main points of this chat below.
Before talking about this technology based mainly on the location of mobile devices, it is necessary to go back in time to understand a little more about the trajectory of Incognia. More specifically, eight years back.
That is when In Loco Media, the company that later became Incognia, emerged. In 2014, the company already used its own technology capable of identifying the geographic position of smartphones. At the time, the application provided offers to people who passed in front of an establishment — yes, notifications were consented to by the user.
The beginning was even promising — with annual growth of 100% between 2014 and 2019 — but In Loco certainly did not count on a global pandemic that would impact the entire world in 2020. it in other areas and survive in the market.
With that, In Loco Media was restructured to Incognia in March 2020. And the “pivot” was big. The headquarters in Recife became California (USA). The focus on marketing was redirected to anti-fraud systems. And the technology, of course, has been optimized.
“We already had a structure focused on the anti-fraud sector, we already had a certain product and we rebuilt the company on top of all that. But today we are another company, you can’t compare. There was a general change, especially in the application of location technology”, highlighted Queiroz.
The change worked. Incognia grew 10 times faster than In Loco Media in just its first year of existence. And today, the company is already starting to attract the attention of companies and investors around the world.
As for location-based technology
Given the brief summary of the company and its trajectory in the market, it is time to understand what Incognia has to offer to the market.
Anyone who accesses banking apps, digital wallets or any other platform that requires a certain level of security is certainly already used to some mobile protection measures such as facial or fingerprint biometrics, passwords (PINs) or confirmation of personal data, right?
The actions are understandable, since attempts at digital fraud totaled BRL 5.8 billion in 2021, according to a ClearSale survey. But for the user, these frictions can be cause for discontent. Prove that you are you at all times? As tiring as receiving daily telemarketing calls.
“Apps that need more security can have a frictionless onboarding process. You’re a legitimate user and you’re using the app correctly, so you shouldn’t be charged every time with a photo of your face. This friction hinders the user”, pointed out the executive.
Incognia’s idea is precisely to reduce this friction, but without compromising on user safety. How? Through signals collected from the mobile device such as location, Bluetooth, Wi-Fi, GPS, among others, which create a kind of profile based on location behavior. It sounds complicated, but it’s not.
Imagine an individual residing in the South Zone of São Paulo who has a work routine and activities close to home. Incognia’s technology will then collect all these signals to draw a private “map” of this user, which will be considered in their activities via mobile devices.
If access to a particular app happens within the natural radius of the individual’s routine, the login process occurs normally. But if any activity is detected from a location outside the user’s behavioral pattern, other security measures may be required to validate access.
With this, the technology eliminates all bureaucratic processes when making a bank transaction or logging into a certain application. All based on the profile built from the user’s location behavior — which, by the way, is constantly updated by adding new routes taken by the person.
This Incognia technology is packaged as an SDK (software development kit) that companies integrate into their applications. The result, according to Queiroz, is a “much more fluid experience, without friction and with great safety”.
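The trusted-location check described in this section, as an added Python example; this is not Incognia's SDK or algorithm, and the grid size, visit threshold, radius, function names and sample coordinates are assumptions constructed for illustration.

```python
import math
from collections import Counter

# All constants are assumptions for illustration, not vendor values.
CELL_DEG = 0.005        # grid size in degrees, roughly 500 m
MIN_VISITS = 3          # sightings needed before a cell counts as trusted
MAX_KM = 2.0            # "natural radius" allowed around a trusted cell

def cell(lat, lon):
    """Snap a fix to a coarse grid cell so the profile keeps no raw coordinates."""
    return (round(lat / CELL_DEG), round(lon / CELL_DEG))

def cell_center(c):
    return (c[0] * CELL_DEG, c[1] * CELL_DEG)

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def build_profile(history):
    """Return the set of cells seen at least MIN_VISITS times."""
    counts = Counter(cell(lat, lon) for lat, lon in history)
    return {c for c, n in counts.items() if n >= MIN_VISITS}

def assess_login(profile, fix):
    """Return 'allow', 'step_up', or 'no_location' for a login attempt."""
    if fix is None:                  # location permission not granted
        return "no_location"         # caller must rely on other device signals
    if not profile:                  # new device: no behaviour learned yet
        return "step_up"
    nearest = min(haversine_km(fix, cell_center(c)) for c in profile)
    return "allow" if nearest <= MAX_KM else "step_up"

# Constructed sample history: home and work in the South Zone of São Paulo,
# plus one place visited only once.
HOME, WORK, ONE_OFF = (-23.6200, -46.6600), (-23.6000, -46.6700), (-23.5500, -46.6300)
HISTORY = [HOME, (-23.6201, -46.6601), (-23.6199, -46.6602),
           WORK, (-23.6001, -46.6699), (-23.5999, -46.6701), ONE_OFF]
PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    for name, fix in [("near home", (-23.621, -46.661)), ("one-off place", ONE_OFF),
                      ("Rio de Janeiro", (-22.9068, -43.1729)), ("no permission", None)]:
        print(f"{name:15s} -> {assess_login(PROFILE, fix)}")
```

A place seen only once does not become trusted, so a login from there still triggers the extra validation step.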
Doubts and more doubts
Although the Incognia SDK is already a reality for millions of users, the mechanism is still something unknown and certainly different for most people. Added to the fact that it is a unique technology, it is natural that several doubts arise.
Does this mapping, in fact, guarantee extra protection?
One of the main questions is whether this location-based mapping is enough to guarantee user protection, given that cybercriminals are increasingly improving their techniques for scams and fraud. The answer is “yes,” according to the Incognia co-founder.
Proof of this is a survey carried out with more than 100 million devices “equipped” with Incognia’s technology. The research came up with some interesting information:
- 90% of legitimate user logins occur from trusted locations;
- 95% of non-fraudulent sensitive transactions occur from trusted locations;
- 88% of legitimate e-commerce purchases occur from trusted locations;
- 85% of legitimate users open digital bank accounts from their home address;
- 93% of billing addresses used for legitimate e-commerce purchases are home addresses.
Linking this data to user activity is enough to trace a pattern of sessions made from points considered safe (trusted locations). In addition, this more accurate location facilitates registration processes that require validation through proof of residence, for example.
For those who doubt the effectiveness, it is worth checking the public case with the fintech Will Bank. After adopting the technology, the institution observed an 80% drop in account theft cases and zero cases of account theft with active location — don’t worry, we’ll talk about that later.
What threats does the technology mitigate?
Although account takeover — accounts compromised after the actor has obtained the victim’s credentials — is the main threat to be tackled, the SDK is also used to filter fake accounts, in addition to detecting rooted devices and emulators, for example.
Is it better than other validations?
“But why use these device signals instead of a PIN or fingerprint biometrics?” some may be asking. For Queiroz, the advantage lies precisely in the fact that the mechanism makes it difficult for a fraudster to replicate the “steps” of a victim.
“Behavior is a difficult metric to replicate. How can a fraudster copy your behavior and try to impersonate you? It is very difficult. Facial biometrics has several cases of people using third-party images. If it’s just IP data, the user can use a VPN and people can use fake GPS apps. The fact that you use location and create user behavior through a more assertive technology, which also uses Wi-Fi, Bluetooth and cellular networks, makes the practice of forging data to gain access to the account much more difficult,” said Lucas Queiroz.
But what about the privacy issue?
The main question, however, is how the company manages to collect all this data and still ensure the privacy of user information. More protection, but in return, more signal collection? Is it worth it? The fear is completely understandable.
But first of all, it is necessary to understand some important points. The first is that Incognia does not collect any personally identifiable information (PII), according to the company’s co-founder.
“We do not collect name, CPF, RG, identity or anything like that. We actually collect signals, anonymous user data. The idea is: there is a device and that device belongs to an account linked to a code. We will map the device, but we don’t know who the people are. This gives an interesting protection”, explained Queiroz.
Also according to the executive, this code linked to the device (called an ID) is used only to analyze the risk assessments of a particular device. In addition, Incognia applies pseudo-anonymization, encryption and hashing techniques to protect IDs.
Although the company points out that, under the General Personal Data Protection Law (LGPD), data collection for fraud prevention does not require the user’s explicit consent, it stresses that users are not obliged to provide their location data and that they must grant permission for it.
The good news is that the technology can also function well without this precious data. In this case, the company will use other data from the device (whether the device is an emulator or has been jailbroken, for example), which will be used to build risk assessments.
Future of Incognia
Currently with more than 100 million users at its base, Incognia now has a goal for 2022: to grow. And this expansion will take place both in Brazil and abroad. In practice, this should be seen with the capture of new customers and new partnerships.
“We have several clients here in Brazil. We just haven’t closed deals yet to make the cases public. The idea is to expand here and in other regions. We are based in the USA, which already serves the world at large. But we are also closing with clients in Europe and Asia”, revealed the executive.
For now, Incognia’s location technology should remain something new and perhaps even distant for many people. But if everything goes according to the company’s plans, the SDK will certainly become part of the routine of mobile users – whether they are from here or from abroad.