Cyber Crime Junkies

Identity Crisis: Aaron Painter on Mobile ID Verification, Cryptography, and Reducing Cyber Risk

Cyber Crime Junkies. Host David Mauro. Season 4 Episode 62

Catch the Video episode: https://youtu.be/zMNsjSGT-yw

Aaron Painter, former global executive at Microsoft, discusses the rising risks of deepfakes, how deepfake videos increase security risks, and how mobile-based identity verification helps, as offered by Nametag, the new company he founded.

In this episode, David Mauro interviews Aaron about identity verification challenges. They discuss how to reduce risk from multi-factor authentication and explore mobile-based identity verification as well as how cryptography reduces cyber risk. This episode is a guide for how to reduce risk from multi-factor authentication. See what Aaron’s new company, Nametag, can do for your company’s security at https://getnametag.com/

 


 

🔐 The Importance of Verifying Live Human Faces Alongside IDs for MFA Resets 🔑

Ever wonder how secure your organization's multi-factor authentication (MFA) reset process is? Are you confident that your helpdesk can distinguish between legitimate requests and potential security threats? Curious about the best practices for verifying identity during MFA resets? Have you heard how mobile-based identity verification helps?

Verifying live human faces alongside government-issued IDs during MFA resets is essential. Here’s why:

1. Prevent Identity Theft 🚫: Ensuring the person requesting the reset is who they claim to be helps protect against identity theft and unauthorized access to sensitive information.

2. Strengthen Security 🔒: Combining live face verification with ID checks adds an extra layer of security, making it significantly harder for cybercriminals to breach accounts. Understanding how cryptography reduces cyber risk further enhances these security measures.

3. Address Identity Verification Challenges 🧩: Live verification helps tackle identity verification challenges that traditional methods may fail to overcome, providing a more reliable solution.

4. Enhance Employee Trust 🤝: Employees feel more secure knowing their organization takes stringent measures to protect their identities and access to company resources. This trust is crucial in the effort to reduce risk from multi-factor authentication.

5. Reduce Fraud ⚠️: Live verification reduces the risk of social engineering attacks and fraudulent requests, safeguarding the organization’s data and assets. New ways to overcome identity verification challenges are constantly emerging, further fortifying these defenses.

6. Ensure Compliance 📜: Many industries require strict verification processes to comply with regulations. This practice helps ensure your organization meets these standards.

7. Streamline Processes 📈: While it may seem cumbersome, this added step can streamline overall security procedures by catching potential issues early and preventing larger security breaches.

By implementing live human face verification alongside government-issued IDs during MFA resets, organizations can significantly bolster their security posture and protect their valuable assets. Let’s prioritize security and ensure a safer digital environment for all employees. 🌐🔐

 

Summary

 

Aaron Painter, former executive leader at Microsoft who brought us Office, joins us to address the rising risks of deepfakes, how deepfake videos increase security risks, and how mobile-based identity verification helps, as offered by Nametag, the new company he founded.

 

In this story we discuss identity verification challenges. We discuss how to reduce risk from multi-factor authentication and explore mobile-based identity verification as well as how cryptography reduces cyber risk. It’s a guide for how to reduce risk from multi-factor authentication. See what Aaron’s new company, Nametag, can do for your company’s security at https://getnametag.com/

 

 

Keywords

 

technology, identity verification, social engineering, cyber attacks, MFA lockouts, security, efficiency, mobile-based verification, deepfake attacks, identity verification, privacy, active listening, security solution, app clips, user experience

 


 

Takeaways

 

· The evolution of technology has played a significant role in enabling businesses to run more efficiently and create better experiences for employees and customers.

· Social engineering poses a significant security risk, and the traditional methods of identity verification are vulnerable to exploitation by threat actors.

· Nametag's innovative mobile-based identity verification process addresses MFA lockouts, enhances security, and improves the customer support experience.

· Deepfake prevention is a critical aspect of security, and Nametag's approach to identity verification mitigates the risk of injection attacks and deepfake exploitation. Deepfake attacks pose a significant threat to security, especially in the context of identity verification and video calls.

· Privacy-forward solutions and active listening can build trust and loyalty among employees and customers.

· The use of app clips and instant apps can enhance user experience and security features without the need for app downloads.

 

Titles

 

Innovative Solutions for MFA Lockouts

The Evolution of Technology and Business

Navigating Deepfake Attacks and Identity Verification

Seamless User Experience with App Clips and Instant Apps

 

Sound Bites

 

"I am so psyched for our conversation today."

"I love tech. I've always loved tech because it's an enabler for business."

"It's deeply motivating. I'll say that much."

"It was in a different industry, but we'll hold that aside."

"The thing to distract from the anecdote you shared is if you think about someone jumping on a video call and how easy it is to select a different camera or microphone."

"We are not just fighting deepfakes with AI, we get to fight deepfakes that are AI with AI, with biometrics and with cryptography."

 

Chapters

 

00:00 The Evolution of Technology and Business

08:27 Addressing the Challenges of Social Engineering

13:53 Innovative Solutions for MFA Lockouts

25:01 Building Trust and Loyalty through Privacy and Active Listening

32:35 Seamless User Experience with App Clips and Instant Apps

 

 

 

 

 

 

 

David Mauro (00:03.47)

How do you know who's calling? At work, when you receive a call, how do you know? With the rise of AI and deepfakes, it's undetectable by the human eye or the human ear. We've talked about cases already that have happened just this year where people have gotten on Zoom meetings, video live meetings or Teams meetings, video live meetings, and they've been fooled. They've been duped by the advanced technology and we don't know necessarily how to authenticate people when they say they are who they are.

Now, when we're in a situation where we work at a company or you lead a company or you own a company and you have a help desk or you have an outsourced help desk with a company, whatever the case may be, when your employees need to reset their multifactor authentication and they call, how is that person at that help desk actually able to tell that the person is who they are? I mean, we've seen it in a couple of breaches. Some of the larger ones this year, think of the MGM, Uber, there's a couple of different ones where they, the help desk, I mean, help is built into the name. Right? It's the help desk. They're there to help. They're trying to do their job. And some of the people do so much OSINT, so much research ahead of time that they socially engineer those on the help desk.

So how can we protect your organization? Well, today we're meeting with Aaron Painter and he's a former executive leader at Microsoft who brought the world Office 365. He was one of the leaders that rolled it out across the world in various countries. He joins us to address kind of the rising risks here of deep fakes, of how deep fake videos increase security risk and then how mobile-based identity verification helps. And we kind of talk about reducing all of the risks from multifactor authentication.

 

David Mauro (02:28.59)

And they've come up with a really, really innovative approach that works and verifies. It ties it right to a government-issued ID and then the live person's individual face at the time of the call, very quickly, very smoothly. It's something you're really going to find interesting. This is the story of Aaron Painter, how he's changing the world of multifactor authentication.

 

 

 

D. Mauro (00:02.062)

Welcome, everybody, to CYBER CRIME JUNKIES. I'm your host, David Mauro and in the studio today, I'm very honored to have a friend, Aaron Painter. He's the CEO and founder of NAMETAG which is an identity verification company that stops and reduces social engineering in situations that we're all familiar with. He's also author of the book Loyal, and there's links to the book in the show notes.

 

He's a global business and technology leader, having lived and worked in six countries across four continents. And that's from your bio. So that may have even changed in recent months. Aaron, welcome to the studio, sir. Glad you're here.

 

Aaron Painter (00:43.249)

It's a great honor to be here, David. I am a big fan of the podcast and, you know, catching up on some of the most recent episodes even, I just got more and more enthused on the theme you're starting to lay out around some of the risks that we're seeing, particularly as they go from call center to the way people log in to just general account protection. So I am so psyched for our conversation today.

 

D. Mauro (01:03.406)

Yeah, me too. Thanks so much. So before we get into, you know, Nametag and the main issue that it is really primed to be solving, because it's been involved, for listeners and viewers, this has been involved in so many of the true cybercrime stories that we've been talking about over the last several months. This really will be addressing that. But before we get into that, tell us kind of a little bit, just briefly, kind of what inspired you to get into technology in the first place? Did you grow up passionate about it? Share your experience. What triggered you?

 

Aaron Painter (01:43.505)

You know, I got obsessed early day. I was, I was never into sports as a kid. I was sort of always into business. I was just fascinated with like, how does a company work? Why does it work? What products do they sell? Are they selling the right products? I love that era and I, that way of thinking. And I grew up in this era. Fortunately, I often feel so grateful of technology change happening. And we have seen, I'm now becoming a little bit of a scholar on this and geeking out, but.

 

D. Mauro (01:53.614)

Yeah.

 

D. Mauro (02:04.974)

Yes.

 

Aaron Painter (02:09.393)

all throughout history, some of the best business opportunities, the best moments of business growth have been when new technology is introduced. Whether they're technology in the broadest sense, right? What do you think of that as the mill or industrial production or eventually the industrial revolution in multiple countries? This era of technology revolution that we've seen, particularly driven by the internet and then cloud, now AI, to me just makes businesses run better. It creates better experiences and it makes more efficient companies and better experiences for the employees that work there.

 

D. Mauro (02:22.094)

Correct. Yep.

 

Aaron Painter (02:38.321)

And so I love tech. I've always loved tech because it's an enabler for business. And that's kind of deeply what got me into tech in the first place and led me to Microsoft and then sort of a whole career from there.

 

D. Mauro (02:49.742)

Yeah, share with us briefly what I mean, we'll have your bio in the show notes, but share with us briefly about your run at Microsoft. You really headed up some major initiatives.

 

Aaron Painter (03:01.297)

You know, I love Microsoft and the company seems to have only gotten better since I've left. And part of that is just some of the amazing people that are there. What I started Microsoft in product and I worked early on in the days of Office, this concept and everyone talked about Word, PowerPoint and Excel. And we were trying to bring value to the concept of it being bundled, you know, with backend services. We used to be separate.

 

D. Mauro (03:20.718)

If they used to be separate, right, like they used to be separate little apps, essentially, or programs. Right.

 

Aaron Painter (03:25.297)

Then it became a desktop bundle, but then you start talking about the backend bundle, which was SharePoint, and basically how do you host it, Exchange makes Outlook better, et cetera. It was all sort of the predecessor to what we now think of as Office 365 or even Microsoft 365 of integrated sort of cloud services. But at the time, what was so neat is I had this opportunity that it was small, the org was small, there were so few people around, you know, and so you got to have this enormous kind of frankly outsized impact in a company. So it was actually very entrepreneurial, in my opinion, despite being a large company with, you know, share in a lot of different business lines in parts of the world. Although I then found the most extreme way to be even more entrepreneurial. And I got very, very involved in Microsoft's presence outside the US. You know, that meant serving as chief of staff first for Microsoft's head of international, it was about 60% of our revenue, about half the employee base. And then from there, I got much deeper into thinking,

 

D. Mauro (04:01.646)

Right. That's.

 

Aaron Painter (04:22.161)

When should Microsoft open up in new countries? When do we go into Sri Lanka or Bangladesh or Brunei or? It exactly exactly. It was so fun and entrepreneurial again inside a big established company and with such an opportunity really for outsized impact. I'd love the adventure of it. I love that concept back to business. How do you be successful in a new market? You know what can you learn from that market that you can then take to other markets in the world help them grow faster?

 

D. Mauro (04:27.054)

So yeah, so that was like starting a new business each time, right? Yeah, it's exciting.

 

Mm-hmm.

 

Aaron Painter (04:51.057)

And so this became really the theme of my career at Microsoft. And I did that all around the world and then very deep in Brazil for a couple of years and ran the Windows franchise there. And then ultimately in China, and I spent five and a half years in China, two in Hong Kong, three and a half in Beijing. And ultimately building out kind of from scratch, what it meant to have an enterprise or modern cloud enterprise business in mainland China, which was super interesting and complicated and yet fun and fast growth and entrepreneurial.

 

D. Mauro (04:51.118)

That's phenomenal.

 

Aaron Painter (05:19.225)

I loved it. I love the culture of Microsoft. I love its mission.

 

D. Mauro (05:21.134)

That's like five episodes. I could go so deep right there. That's like five episodes of discussion. What was it like? What was the culture like? How was business generated? That's a phenomenal experience. So six different countries, four different continents. So what were they? China, Brazil, or else?

 

Aaron Painter (05:26.769)

Hahaha

 

Aaron Painter (05:38.673)

Well, thank you.

 

Aaron Painter (05:47.313)

Yeah, I was in France for a while, four years, I was in...

 

D. Mauro (05:49.87)

Wow.

 

Aaron Painter (05:53.329)

I was in France for four years, I was in the UK for four, a combination of Microsoft and then actually after Microsoft, I went to run a business called Cloudreach that was owned by a private equity firm. And it was one of AWS's kind of first and largest partners in Europe. And we worked with large enterprises at the time on moving to the cloud. And then eventually that meant professional services, managed services, software associated with that. Again, really a neat chance to kind of go build something. But I, it was great and I love working with so many people and working closely.

 

D. Mauro (06:11.118)

Mmm.

 

Aaron Painter (06:22.129)

expanded from AWS to Microsoft to GCP. So we had sort of a multi-cloud approach just kind of before that became a thing. And I loved it. And when I was trying to figure out what to do next though, I had this really deep personal issue, which was the start of the pandemic. I had kind of just left my job. I had moved from London where Cloudreach was based to the US and I was like, okay, great. I'm going to go figure out what's next. I'm kind of looking around and then pandemic happened. Everyone, you know, sort of went into lockdown mode. Everything went digital.

 

D. Mauro (06:48.846)

Everything stopped. Yeah.

 

Aaron Painter (06:51.729)

digital only, and suddenly all these people in my life had their identity stolen. It was just like this one after another, friends, family members. And I said, all right, I'm going to be a good friend and be a good son. Like we're going to figure this out. Like, let's jump on the phone. Let's call these customer support lines and get things straightened out. And everyone who we call had the same, you know, rigmarole. It was, before I can help you, I need to ask you these very intense security questions. You know, what's your favorite color? What's your mother's maiden name? We all know what they're like.

 

D. Mauro (06:57.23)

Mm-hmm.

 

D. Mauro (07:20.271)

all of which is on social media, right? Or findable, right?

 

Aaron Painter (07:22.161)

Of course, and that's what happened. It's someone else found them. So to your point, then someone got on the phone before we did and answered those tough security questions and took over our accounts. And so it's sort of how, you know, how does this happen in the modern age? Okay. Yes. It's a horrible customer experience. You've covered that well in your show, right? By the way, no agent gets into this business because, you know, they want to interrogate people. Typically you go into support because you like helping people.

 

D. Mauro (07:33.006)

Right.

 

D. Mauro (07:46.368)

Right. Yeah, exactly.

 

Aaron Painter (07:47.825)

And the concept of being an interrogator, not how can I help you, but I need to make sure it's you before I do anything, is not pleasant for the agent.

 

D. Mauro (07:53.23)

Right, because otherwise it can hurt the real you, right? I mean, there's a reason behind it.

 

Aaron Painter (07:58.289)

That's right. So everyone sort of loses in the experience side, but gosh, everyone also loses from the security side. Because if you're really too intense and you ask too many questions, people are more mad at you, and maybe you protected the account, but maybe at the expense of having the account, right? Or that customer is so upset, they don't feel respected or understood or trusted. And regardless, it's very difficult to verify the identity of someone in those situations. And so we set out to say, is there a better way to do this? There must be a technology way to solve sort of this problem.

 

D. Mauro (08:04.014)

Mm-hmm.

 

D. Mauro (08:15.214)

Right. Yeah.

 

Aaron Painter (08:27.409)

And that's eventually what led to the creation of Nametag.

 

D. Mauro (08:30.158)

So it actually is like a natural evolution, which is kind of cool. Like in your life, it kind of from personal experience as well as professional acumen. That's fantastic. So, yeah. So let's paint the scenario of what happens if it's a bank or if it's a retailer or an organization, somebody is locked out of an account or somebody is

 

Aaron Painter (08:42.641)

It's deeply motivating. I'll say that much.

 

D. Mauro (09:00.11)

trying to reset their password, whatever it might be. When somebody calls a company's customer service desk, that's really where Nametag comes in.

 

Aaron Painter (09:10.865)

Yeah, we found that's one of the sort of the highest risk attack vectors. And actually, I...

 

D. Mauro (09:15.214)

It really is. It's been involved in so many of the breaches. Right.

 

Aaron Painter (09:19.569)

We know that now, collectively, we can sit back and talk about that. I hate to call them out, but the common one to point to is MGM. In the casinos, I'm actually very soon on my way headed to Vegas and looking to say that MGM property, almost feeling bad for them, but hoping they've recovered. But it made an impact when 60 Minutes does a story on a cyber attack, and it's that real to people. And that made it real because you couldn't check into your hotels. Their properties were offline. The strip was sort of dark, so to speak.

 

D. Mauro (09:22.99)

Yeah.

 

D. Mauro (09:26.958)

Right.

 

D. Mauro (09:32.59)

haha

 

D. Mauro (09:43.086)

Yeah. Right. Elevators weren't working, everything, right.

 

Aaron Painter (09:49.905)

It became real, but conceptually what happened, we'll skip all the details, but is a, you know, a bad actor was able to call the employee help desk and impersonate an MGM employee by a variety of processes. Some were smart, some weren't that smart. And eventually they took over that account and they use the access that they gained to go wreak havoc inside MGM. And so this concept, again, it's sort of sad they become branded this way, but most companies we talk to at the board level now are at the

 

D. Mauro (10:11.214)

Right.

 

Aaron Painter (10:18.097)

How are we responding to the MGM risk? We don't want to be the next MGM. And unfortunately, by the way, we're losing that battle as an industry. I mean, it's, in the months since I think that happened in late August in Q4 alone of last year, another 230 high profile companies were attacked by the exact same attack vector. And my gosh, this year has been even worse. And because it's been on the go.

 

D. Mauro (10:21.006)

Mm-hmm. Right.

 

D. Mauro (10:37.55)

Yeah.

 

Right. Well, and you have these groups that are so good. They're native English, if assuming it's an English speaking target, but they're native English speaking. They're very familiar. They do a lot of OSINT, a lot of research ahead of time, and they're able to answer all of the questions and speak just like they are the person.

 

Aaron Painter (11:02.289)

Right? It's social engineering, which, you know, has a fancy new name, so to speak, or relatively more modern name or terminology, but it's been around forever. It's called, you know, conning people.

 

D. Mauro (11:04.846)

Yeah.

 

D. Mauro (11:12.878)

Yeah, it's been rated as old as any as old as humans themselves. Right.

 

Aaron Painter (11:18.289)

That's right. We've always been able to, and partly it's because as humans, we have to trust another in order to have a society. And so we are inherently trusting species and we can be a little hesitant. We want to make sure we don't trust everyone, not right away, but we want to give people the benefit of the doubt. And this concept that you can trick someone into being another person is unfortunately just become too easy. And yet it's all the more relevant or critical if you're trying to protect an account, it is becoming the front lines for security.

 

And that's sort of this dangerous moment that we've entered as an industry.

 

D. Mauro (11:50.798)

So when they call, usually there are a series of questions that a help desk person who wants to help, right? It's baked right into the name that they work for, right? It's the help desk. They are there to help. And one of the things that they'll do is they'll go through their litany of protocols, right? Are they calling from the number? Are they using the email correctly? Are they, you know, what are the security questions that they have on file? And the problem is, is a lot of those can be obtained by threat actors, right? And so, right.

 

Aaron Painter (12:31.409)

That's exactly right. Those are the common angles. So you call the help desk today and a help desk rep will ask you a series of identifying questions. Typically they come from a customer file. If it's an employee context, this is very contentious, but occasionally bits of an HR file, which HR doesn't really want to give access to the IT help desk for, but sometimes those are used. Or sometimes maybe a third party database, like a credit reporting bureau type of thing. Where did you live? What street did you live on in X year?

 

D. Mauro (12:39.758)

Hmm?

 

Aaron Painter (12:58.769)

Those are usually the spectrum of questions that people will use when they're trying to identify you for support in the traditional sense today.

 

D. Mauro (12:59.086)

Right.

 

D. Mauro (13:05.902)

Yeah, and I always feel one of two ways. One, they're grilling me and they should know that it's me, but based on where I'm calling from or how I'm accessing or whatever. But two, on the other side is I can't believe that's all they asked me. Like when I call, I'm not going to name names, but certain insurance company or a certain bank that I'm a customer to, I will call and literally a couple basic questions that anybody could know and all of a sudden I'm in. And that's really concerning to me. So I want it to be more secure without affecting the customer experience. So Nametag is really unique. So walk us through what it does. It's actually really cool.

 

Aaron Painter (13:53.169)

Thank you. We're really excited about it too. Let's complete your other options today. So you've got security questions, so to speak. Your next one might be, let's say you really want to elevate things. You might say, I'm going to send a text message to someone. Multi-factor, but even though flavors are multi-factor, sending a text message to someone, unfortunately is not terribly reliable because it relies on the telcos. The mobile telco is being really good at the same experience, which is, hi telco, I just got a new hardware. I upgraded my hardware. Can you move my phone number over?

 

D. Mauro (13:58.158)

okay. Yep.

 

Right. Multi-factor, right, correct.

 

Aaron Painter (14:22.289)

And they have to say, well, who is this? Do we know it's really you? And different telcos are trying different things, some of which is even you must go to the branch, probably people are giving $20 to the branch employees, 92 branch employees. We've just sort of pushed the problem on someone else. So SMS is one. Another people say, yeah, but you know, what about the authenticator app? That's much better, right? Because it's cryptographically secure and encrypted. And yeah, then there are methods. I watched a demo today of I can send a ping, the caller help desk can send a ping to the authenticator app you have. That's definitely progress. The challenge that all of these have is first, you don't know the human behind the device. So even if you've associated an account with a phone number or an authenticator app on that device, that's progress in that you know this device that we think has registered links to this account, but you don't actually know the human behind it. So if that phone number is taken over and switched to someone else's phone or the authenticator app or the device is in someone else's control, it...

 

D. Mauro (15:00.974)

Right.

 

Aaron Painter (15:20.881)

doesn't solve the problem. However, what's been most interesting, and this is kind of where we had our key learning, is that over half of support calls are often because people are locked out of their account. So they are calling because they are locked out of their authenticator app, right? Or for some reason, the message wasn't delivered via SMS, which again, is a much less secure way. So you've taken the best, I've got this authenticator app, and now I'm locked out. And so I have to call the help desk. They can't ping, they can't use that option. So the only thing left,

 

D. Mauro (15:32.686)

Mm-hmm.

 

D. Mauro (15:37.23)

Right.

 

D. Mauro (15:48.302)

Right.

 

Aaron Painter (15:50.129)

are security questions in a world prior to what Nametag presents. So that kind of just completes the status of where we are today.

 

D. Mauro (15:54.35)

Yep.

 

D. Mauro (15:57.838)

And then what Nametag does is it will actually do a picture. And this was involved. The recommendation for something like this was involved by a couple. It was discussed in a couple of large breaches that occurred earlier this year. And that was there are, you know, there's MFA fatigue that happens, right, where somebody will be trying to access an account. They've got some stolen credentials, but they're pinging MFA. So they'll just keep doing it until somebody just lets them in. Right. Or they're able to take over the device and capture the MFA. The problem is, is at that top level, at that administrative level, they still need to identify the person behind the device. And Nametag ties in the actual person, the government-issued ID, right. Along with it like a selfie in real time. Is that how it works?

 

Aaron Painter (16:58.961)

That's exactly right. So we kind of invented two core components in this. The first was this idea of identity verification, which chances are you have done. One of us has done before. And if you've opened a remote bank account, the IRS has some things they're working with the certain vendors, you know, maybe at the airport. It's the concept that you scan your ID and you take a selfie. The end user flow, ID.me is an example of that. Exactly right.

 

D. Mauro (17:19.406)

Yeah, it's like ID me. I think ID me through like with the with the IRS. Right. Yeah, exactly. Works very similar.

 

Aaron Painter (17:26.609)

You've used a similar flow. You've taken out your ID and you've taken a selfie, likely somewhere at this point in many developed countries for many scenarios. The challenge with 100% of the technology on the market is that that flow exists in a browser-based environment. It basically gets a web browser. You can do it on mobile, you can do it on desktop, but it's still a web browser. It was created as technology for regulatory compliance reasons. Check the box. We have a plausible ID on file. That is not the same as security.

 

D. Mauro (17:31.566)

Yep. Yep.

 

D. Mauro (17:41.934)

Mm-hmm.

 

D. Mauro (17:46.926)

Right.

 

D. Mauro (17:51.374)

Mm-hmm. Yeah.

 

D. Mauro (17:57.166)

Right.

 

Aaron Painter (17:57.265)

And so we reinvented that ID flow, the same concept, scan your ID and take a selfie, same end user experience, but instead of being a browser-based environment, we do it 100% exclusively on mobile phones. You can be on desktop and we pivot you to mobile. You can be on mobile and you're already on mobile, but we use mobile phones because within that massive mobile computer in your little pocket, there are incredible bits of functionality that we can tap into to take the same end user flow and make it significantly more secure.

 

as a process. It turns out so secure, and we can talk more about this, but that it is able to prevent against deep fakes being used in the verification flow. So we've...

 

D. Mauro (18:36.654)

Well, let's talk about that. Let's talk about that because we don't.

 

Aaron Painter (18:39.409)

Well, just to complete your picture, because you asked kind of how it works, if you don't mind. OK.

 

D. Mauro (18:43.502)

Yeah, walk us through how it is and then and then let's just assume, OK, I'm going through this, but I'm deep faking my my person. Yeah. So go ahead. Yeah.

 

Aaron Painter (18:50.705)

Yeah. Let's dive into the fix. So just to complete. So we invented a new way to do core identity verification for security, which itself was awesome. We're like, all right, where do you apply this? And that's where we got pulled into this use case of, yeah, a lot of these tickets, like over half of them are people at the support desk who are locked out, calling the support desk because they're locked out. So we created a solution that could reach into Okta, Duo, Microsoft, Entra, Active Directory, OneLogin, others.

 

and do the reset. So in a world where you might go to a login page previously and there was a forgot my password button, which is useless if you've added MFA, because you've locked out of MFA. And the only option when you were locked out of MFA was to call the help desk. There is now a world where you can say, I can't access my account. You click that button and it presents you with the option to use Nametag. We verify your ID, it takes an average of 23 seconds. And then the first time, and then from there we reach into...

 

D. Mauro (19:28.43)

Right.

 

Aaron Painter (19:49.201)

the ID verification by the identity provider, like an Okta, let's say, or a Duo, and we can press the reset button for the user. So it is a full self-service MFA reset functionality that is secure. So it changes the dynamic in the sense that one, it's definitely a better experience because you don't have to call the help desk. It's super more secure from what was happening before. And also it's a huge cost savings opportunity because of half of your support tickets, we're dealing with, you know, these locked out users. If the user can reset themselves,

 

D. Mauro (20:02.318)

That's it.

 

D. Mauro (20:06.19)

Yeah.

 

D. Mauro (20:13.07)

Right.

 

Aaron Painter (20:18.417)

It's just an automation and efficiency strategy. And so that's what we're seeing companies roll out kind of at an incredible pace at the moment, but both for their employees and then increasingly for customer accounts. If it's a customer account that is worth protecting, meaning they've added MFA to it, chances are you have a surge in MFA lockouts and support tickets. And so we're able to come in and surround your existing MFA solution and close this key loophole.

 

D. Mauro (20:21.198)

Sure.

 

D. Mauro (20:42.83)

That's fantastic. So the process when I'm an employee and I'm calling the help desk because I'm locked out is the help desk will send a message to my phone, right? Not an SMS message. They will send a ping to my phone. It'll populate the Nametag app, even if I don't have the app installed, right? And something comes across, I click on it.

 

then it asks me to put in my government issued ID and then take a selfie and it compares the two.

 

Aaron Painter (21:16.017)

That's generally exactly right. And neat things, you don't have to pre-enroll. You don't actually have to have the same phone. So IT isn't doing any reliance on, are you accessible at this phone number? We're delivering a link. They can scan on the website. They can get it delivered to them a variety of ways. That's in the customer support, the agent assisted flow. In the self-service flow as an employee today in many cool companies, you go to a microsite. You might go to nametag.mycompany.com and they say, hey, are you locked out?

 

D. Mauro (21:42.414)

Right.

 

Aaron Painter (21:44.977)

great, type in your email address and it says great email address and then it asks you to verify with Nametag. You scan a QR code, you go through the verification flow on your mobile and then when you're done, it says great, you've been verified. Now let's go reset whatever it might be, your Okta, your Duo, your Entra. And so the user doesn't even have to contact the help desk to do it.

 

D. Mauro (22:02.766)

So it completely goes around it. That's fantastic. That's really good.

 

Aaron Painter (22:06.961)

It's a big kind of overdue innovation. And yeah, there's so many cool pieces in it. I mean, it feels slick. It feels mobile. It feels native in a mobile environment. We're using some really cool technology from Apple and Android such that it is a mobile app registered with Apple and Android, but it doesn't require the end user to go to the app store to get it. It's sort of delivered over the air as an experience. So it feels like it just pops up when you need it, goes away when you don't. It's super slick.

 

D. Mauro (22:10.414)

So.

 

D. Mauro (22:16.11)

Yeah.

 

D. Mauro (22:33.166)

Yeah. So what are some of the let's think let's play devil's advocate. The objections or challenges or concerns. Well the skeptics say injection attacks. What about injection attacks at a station. How do we address those.

 

Aaron Painter (22:50.257)

Great question. And I think you're starting to go into this topic very nicely around deepfakes. So it's important for people to understand that we hear a lot about deepfakes and hear a lot about deepfake detectors, which is typically AI technology trying to detect, is this AI that I'm speaking with, engaging with, is someone holding up a photo of someone that was artificially generated? Deepfake detectors are typically AI versus AI. I think of that as an arms race, meaning someone's always gonna be slightly ahead, someone's gonna be slightly behind.

 

D. Mauro (23:01.006)

Mm-hmm.

 

D. Mauro (23:09.454)

Right.

 

D. Mauro (23:16.11)

Mm-hmm.

 

Aaron Painter (23:18.833)

And it's going to be that way for a long time. Increasingly, the bad actors are slightly ahead of the good actors in this world. When you move from deepfake detection to deepfake prevention, it's important to think about how deepfakes are often used. And there are two key ways they're typically deployed. One is around, exactly as you said, an injection attack. Now, an injection attack is the best analogy I can give is if you think about, conceptually, the attacker in Hong Kong recently. And if you saw this, it's made a lot of noise.

 

D. Mauro (23:23.726)

Yeah, they always are. They always are. Yeah.

 

D. Mauro (23:46.35)

Mm-hmm, absolutely.

 

Aaron Painter (23:48.241)

where it was, we've recently, we thought it was a financial services firm. It's kind of gone public. It was in a different industry, but we'll hold that aside.

 

D. Mauro (23:53.87)

Correct. It was an email that was sent, almost a business email compromise, to do certain secret transactions. We've talked about it on our show. And then they said no. And then they said, well, jump on either a Teams meeting or a Zoom meeting. And there was about seven other people there, but they were all deep faked. And then they went and did a series of transactions, seven or eight of them, totaling the equivalent of $25 million US. Pretty impressive.

 

Aaron Painter (24:12.209)

You got it.

 

Aaron Painter (24:20.433)

You're spot on.

 

D. Mauro (24:23.438)

feat. Yeah. Yeah.

 

Aaron Painter (24:23.473)

So incredibly so, and it scared a lot of people because by the way, the advice from most of the technology companies, the leading ones, the Brick at the moment, around what should you do if your user is locked out of MFA is what they call visual verification, which means hop on a video call with that user. And now here's an example of someone hopping on a video call and the people on the call weren't the real people. So it caused doubt into the whole system and that is frankly the infrastructure of how we protect accounts today. So what's important?

 

D. Mauro (24:39.406)

Right.

 

D. Mauro (24:44.014)

Right.

 

D. Mauro (24:50.446)

Right. That's exactly right. Which is why I'm asking you, which is why I like how do we protect against that? But this does, which is why I'm fascinated by this.

 

Aaron Painter (24:52.625)

What's important to extract from your -

 

Aaron Painter (25:01.841)

I love your energy on it. It's awesome. It's very energizing to me. Thank you. The way, the thing to extract from the anecdote you shared is if you think about someone jumping on a video call and how easy it is to select a different camera or microphone, those platforms were designed to make that easy. You might want a different camera or microphone to make it a better call. Awesome. But that also means you could select what is considered to be a deep fake emulator, basically a piece of software that is projecting the deep fake.

 

D. Mauro (25:17.006)

Mm-hmm.

 

D. Mauro (25:21.998)

Mm-hmm.

 

Aaron Painter (25:29.905)

And so in that context, it was probably super easy. I mean, a little trickery involved, obviously, but technically very easy to put that deep fake emulator into the call. So now fast forward to a world where we're doing identity verification flow. If the flow is browser-based, as all the flows are for regulatory compliance, you also can inject. It's not quite as easy as select your camera, but essentially you are injecting a feed that can be whatever you want it to be, whatever a software tells it to be.

 

D. Mauro (25:39.726)

Mm-hmm.

 

D. Mauro (25:47.15)

Right.

 

D. Mauro (25:56.878)

Right.

 

Aaron Painter (25:58.385)

And that is how injection attacks work. The other key way that they work, the other key thing to think about is a presentation attack. And a presentation attack is when you present fake information to the camera. So think of that as I'm going to wear a mask, you know, Mission Impossible style, a three-dimensional mask, or I'm going to print a fake copy of this driver's license or passport, and I'm going to hold it up to a camera. That's a presentation attack where you present falsified information.

 

D. Mauro (26:00.782)

Yep.

 

D. Mauro (26:13.006)

Mm-hmm.

 

D. Mauro (26:22.542)

Right.

 

Aaron Painter (26:25.809)

And that's another way deepfakes are commonly deployed, but usually different, right? So many deepfakes we think of today are digital manipulations. So keeping them in digital form, injection attack is the primary way that they're successful at that. Okay. So to your question, by routing users to a mobile device, we get incredible advantages. We are not just fighting deepfakes with AI, we get to fight deepfakes that are AI with AI, with biometrics and with cryptography.

 

D. Mauro (26:53.87)

Right.

 

Aaron Painter (26:53.873)

And turns out in the world of security, cryptography is still one of our best tools because those mobile environments are, I think of it as a, you know, in Apple's world, we call them secure enclaves. They are, they are basically fortified little encrypted shells, which are very difficult to inject into. And so by using a native mobile app, even the way that we deliver them, we're able to take advantage of that secure encrypted shell that exists on the phone, which makes it very difficult to inject.

 

D. Mauro (27:04.526)

Mm-hmm.

 

Aaron Painter (27:22.673)

You'd have to essentially break the cryptography encryption on the device to be able to inject a false feed. So we know now that our app is there, our app in quotes, is there. It is speaking to the camera that's capturing it from the device and that we know that it is essentially our feed that's giving us that data. So, but inherently just architecturally in the structure of how we built this, we've been able to prevent injection attacks from taking hold because it's not a detection game. It's literally just hard to use them and deploy them.

 

D. Mauro (27:26.51)

Right.

 

Aaron Painter (27:51.569)

because we're doing it on the mobile phone.

 

D. Mauro (27:52.046)

Right. Exactly. So how do you let me ask you this from a layman's perspective. How do you assess that the government issued ID that's being shown right is is accurate.

 

Aaron Painter (28:12.465)

Yes, great question. So prior to the world of deep fakes, one of the things you would think about is I would make a PDF. The easiest way to make a fake document, right, was actually you can almost go to GPT today, not exactly, but here's my photo, make me a California driver's license, save as PDF, upload it on some other tool. Literally, most KYC tools have an upload button. You can upload what you saved. And so it was still an injection attack. It wasn't a deep fake injection attack, but essentially you're actually just uploading a falsified digital image.

 

D. Mauro (28:22.446)

Hmm.

 

Right.

 

Right.

 

D. Mauro (28:33.998)

Mm-hmm.

 

D. Mauro (28:38.318)

Right.

 

D. Mauro (28:41.678)

Right.

 

Aaron Painter (28:41.873)

So again, structurally, we've prevented those. So then you get into, okay, was it physically manipulated? And one of the really interesting was a much smaller percentage. And by the way, as a threat actor, your cost structure starts to grow dramatically. Because now you need to have very high end printers and capable of printing in the three dimensional document with the right holograms with all these sorts of things. But then we get to evaluate those using all the advanced features of the mobile device.

 

D. Mauro (28:47.822)

Mm-hmm.

 

D. Mauro (29:00.238)

Yeah.

 

Aaron Painter (29:09.073)

So suddenly we're not just looking at it on the blurry webcam, we're able to look at it with high res, dimensional imagery, the 3D depth map camera and how it was used. We're able to use the onboard ML processing on the device as it's analyzing it in real time and capturing non-blurry frames. There's a whole bunch of toys basically that we get to use in a mobile environment. The old thread there. That's right. So it's just using frankly, these modern toy.

 

D. Mauro (29:09.422)

Right.

 

D. Mauro (29:29.902)

that are built right into the mobile phone, that all these different levels. That's great. That's fantastic.

 

Aaron Painter (29:38.865)

You know, you're, I think I heard on one of your earlier podcast example of it, you walk into the branch and they recognize you and you feel respected and it's kind of quick. Why is that so hard when you're calling the bank? And it's a similar thing. You're, you're showing your ID, you know, you're being trusted at that point. And someone's looking at it and comparing it. We're taking that human experience, but we're able to do it now in a really high fidelity remote way. And that means you can carry the same thing that we want to be able to achieve in person, trust the government, trust the government set of issued IDs.

 

D. Mauro (29:49.486)

Right.

 

Aaron Painter (30:08.465)

which does not solve the entire global population of un-ID'd, that is a separate and important topic. But in our high value scenarios and many of the developed environments where we operate and where we might work as employees, it solves a lot and we really can open up new channels.

 

D. Mauro (30:12.974)

Yeah, that's a separate issue. Right. Correct. Right.

 

D. Mauro (30:24.654)

Yeah, it really does. Yeah, that's fantastic. That's great. So I understand how you came up with it and and the inspiration of it. How did you without anything proprietary being disclosed? But how do you how do you get this developed? Like, did you work with your team people from that you've known from the industry? I mean, that is a that's a pretty big thing to have developed so quickly. It's really good.

 

Aaron Painter (30:53.457)

I could not be more grateful to work with some really, really brilliant technologists, particularly our CTO, Ross is just incredible and grew up in this space professionally. And so, experience in national security and defending against foreign adversaries helped train him really well to eventually go work in the private sector where he was very well equipped to help companies deal with the types of attacks that previously governments might've seen.

 

And so it's a mindset against adversaries as much as then, you know, Ross and eventually the incredible team we've hired across ML and mobile expertise and just back-ended frankly, even design, because you want the experience to convey trust for an end user as they're going through it. And then, you know, the other often unspoken member of our team often is legal. We get a lot of, you know, I just finished spending my whole holiday day with different legal teams because...

 

D. Mauro (31:20.366)

That's fantastic.

 

D. Mauro (31:31.854)

Hmm.

 

D. Mauro (31:40.526)

All right.

 

Aaron Painter (31:45.809)

We constantly want to stay afresh on what's happening around the world. What are the latest developments on privacy and data law? And we don't want to just be complying. We want to be wildly progressive in them and how we allow an end user to have control over their data and control over the privacy and where the information lives and who owns it and that it's opt-in and consent-based and being very forward thinking there. So privacy and legal scoping often works hand in hand with security and design to think about how do we consistently improve the experience.

 

D. Mauro (31:55.406)

That's great.

 

D. Mauro (32:15.15)

Great. And that leads me to this question then, because the privacy friends will ask, well, what data, like, is my personal data then stored somewhere? Is it stored on a computer somewhere, a server? Is it, is it sold later? Like, how, how are you guys addressing that? Meaning now I'm giving a, I'm giving my driver's license, my photo, my, my home address, all of this information to this

 

Aaron Painter (32:35.345)

Yeah, this is the, I.

 

D. Mauro (32:45.422)

company that I work for this this help desk person so like how do I know that that's gonna stay safe basically to to kind of dumb it down for for me.

 

Aaron Painter (32:52.305)

It's, it's an, it's a bear. That's okay. It's a, it's a very important dynamic and there are a lot of flavors to it and pieces to consider one. It's you. We've, we've, we've really tried to implement things that are very privacy forward. So the, I'll say an end user is in control of their data. It's not opt out. If you don't want to share it, it is explicit opt in. So you were choosing to share it for a given moment with a given company for a given period of time. And you, by the way, can go back and revoke.

 

There's a self-service take it back option and a self-service sort of delete my data option. Super cool. We call it though also a feature we call privacy masking that works two ways. It works for the end user, meaning, you know, best analogies physical world, you go into a bar and maybe they're in the U.S. have to be 21 and there's maybe a bouncer at the door. That bouncer needs to know that person entering is over 21. They do not need to know your home address. They don't even need to know your name.

 

D. Mauro (33:25.198)

That's great. Yeah, that's really good, right?

 

D. Mauro (33:42.158)

Mm-hmm.

 

D. Mauro (33:46.222)

Right. Correct.

 

Aaron Painter (33:50.001)

But it's creepy, we call it oversharing. You're probably giving more than is necessary for that transaction. So we allow the end user to choose, they give specific consent for what information they're sharing with the company. And then we give the company the ability to limit what information they collect and what information they themselves see. So in some cases, they might only need to know.

 

D. Mauro (33:55.214)

Mm-hmm.

 

D. Mauro (34:08.878)

Right, because a lot of companies don't want to hold on to that information, right? Because, yeah, because there's... Right, exactly.

 

Aaron Painter (34:12.817)

That's exactly right. Or they don't want to give it to help desk rep if they do even.

 

So those have been really core tenets in our design philosophy around this. But another one that's been sort of nuanced is I tend to believe identity is a real time question. It's a lot like credit cards. Like you're given a credit card from a bank and then it's not the, now I have all this credit. No, you have a piece of plastic that means you can go swipe it when you want to spend. And at that moment, somebody goes through the network and says, is this person's account valid? Do they have sufficient credit?

 

D. Mauro (34:19.918)

Good.

 

D. Mauro (34:30.702)

Mm-hmm.

 

Aaron Painter (34:47.921)

Do we authorize the transaction? So to me, the concept that you have been issued a document once is not proof that you are still that person. And by the way, you were the person on the phone. You were that person at that moment. You need to re-verify the person. You need real-time context around the identity of that person. Have we seen suspicious behavior? Have factors changed? Has someone else recently tried to impersonate you such that this needs extra caution and care? And so this concept of re-verification has been really core in how we built, at least our solution,

 

D. Mauro (34:49.806)

Right.

 

Aaron Painter (35:18.065)

Because we wanted not just to make it easy for you to come back, hey, I've used this one. I've used Nametag once before. I've created my Nametag. I used it once with one company, maybe as an employee. I've used it with another where I'm a customer. But we wanted to make it express for you to re-verify yourself. So let's say if you're on the same device, you might not need to scan your ID again. You could just take a selfie. One of our patents is linking that back to the earlier selfie into the government issued ID. Awesome. But also, what happens then if I'm...

 

You have a new device and sometimes there's no trust. Okay, well, we have a solution for that too. Another one of our patents addresses how we solve that so that you can kind of recover your Nametag in order to do, let's say, account recovery. But this concept of reusability was so core for the end user experience and for security, but what we underestimated was also to prevent bad actors. Because when we see a fraudster come through and we see a lot of attempted fraudsters,

 

D. Mauro (35:51.214)

Right.

 

Aaron Painter (36:13.841)

When we see them, it allows us also to create a network where we know bad actors exist and to make it more difficult for them to prove to be someone else in one of their interactions. And so this concept of fraud value would be underestimated at the beginning.

 

D. Mauro (36:13.87)

Mm-hmm.

 

D. Mauro (36:25.326)

So.

 

Yeah, so that leads me to a question. You catch somebody through this process. I have a forged ID or I'm not the person. I'm trying to use a deepfake or something happens and you catch it. What do you guys do with that information?

 

Aaron Painter (36:49.585)

There are a lot of interesting things we do behind the scenes in learning and in maybe making it more difficult for that bad actor. So we won't go into the details on those, but in a practical sense, what we also do is we go back and tell the company.

 

D. Mauro (36:53.134)

Hmm.

 

D. Mauro (37:02.03)

That means what you're doing is good. So I'm just letting you know. That means that means you're doing the right thing with it. So that's good.

 

Aaron Painter (37:09.905)

Thank you. But what we do do is we go back and tell the company. And so if we can, we say, hey, because oftentimes we might not have full context. Hey, this bad actor, we have a clear bad actor who was trying to take over this account. You're going to have context on, wow, that they were after that asset or that email account or that. That's very helpful to us. Or maybe we've seen this bad actor before and they've been trying and things like that. And so we a lot of our we we do that today as kind of a voluntary service.

 

And it's actually very exciting to see how valuable it's been to the companies when we're able to share back with them some details around.

 

D. Mauro (37:42.03)

I could see. Yeah, absolutely. That's really good. So we will have a link to getnametag.com in the show notes. Definitely go check this out. This is really, really interesting. And it's addressing one of the top social engineering threat vectors that we've been talking about in so many of our episodes. Question, how did you guys create it?

 

so that they don't even have to download the app. Like I know that there's a lot of security features and offerings out there. Clearly, a lot of them have to do with apps. We have to download the app, create an account. Some people don't even want to do that. So how did you guys do that so that it just comes through? Because I saw that in a demo and it was really exciting to see.

 

Aaron Painter (38:35.473)

Thanks. It's actually not a special sauce in a way. We've surrounded that with a bunch of special sauce, but that's actually this really neat function. In Apple, it's called an app clip, and on Android, it's called an instant app. And they are apps that are delivered basically wireless over the air. When they started, they had very small size requirements. And so they had to be very tiny apps. The platforms have expanded those in recent months to make some of them a little bit bigger. But what's particularly neat about it is we're

 

D. Mauro (38:45.838)

That's right. Yeah.

 

D. Mauro (38:55.31)

Mm-hmm.

 

Aaron Painter (39:04.817)

So most of the times you would see one of these is, you know, Toast. If you've ever used a payment restaurant, check out, pay your bill, see the menu platform. Toast uses an app clip. It's a great example. You scan it, this thing pops up, you get an app functionality, it goes away. Pay the parking meters. I've seen a bunch of parking lots do them for parking meter. Great. For us, the reason why it works is because we also are able to use so many of the native features in the device. So we don't need to beam down a lot of code.

 

D. Mauro (39:09.198)

Mm-hmm.

 

Yep. Yep. Okay. That's right, it does. Yeah, I've used it and you're right. Okay. Yep. Yep.

 

Aaron Painter (39:33.905)

to then basically trigger all these advanced features on your phone. And that's why for us, it's a gorgeous illustration. As the mobile company saw them, they've been like, wow, this was exactly what we envisioned when we created this. It's essentially a small app that then takes advantage of all of the local processing and hardware abilities in the device. That's right.

 

D. Mauro (39:37.134)

That's great.

 

D. Mauro (39:49.294)

all the other security and features and benefits built in. Yeah, that's great. And this is fantastic. OK, before I let you go, though, share with us a little bit about your book. So you wrote this book, Loyal, in 2017, and it's about building a culture and active listening and how loyal employees will make loyal customers. Walk us through kind of.

 

What caused you to write the book and what's the premises?

 

Aaron Painter (40:21.329)

It's a great question and related to what we do today in many ways. When I was living in China, I had so many big companies. I was nervous at first. I didn't speak Chinese and I was nervous to go out and kind of just meet with these big Chinese companies. And I quickly found they actually really wanted to meet with me. And part of it was because I had worked in so many other parts of the world. And so they said, we're going to, maybe he'll teach us something. Right. And so they were kind of covering me like, teach me what you know. And, you know, unlimited value there, but I, I,

 

D. Mauro (40:24.878)

Hmm?

 

D. Mauro (40:35.63)

Yeah.

 

D. Mauro (40:44.11)

Mm-hmm.

 

Aaron Painter (40:49.841)

I was also really eager to learn from them because at this time a lot of these companies were growing wildly fast and really being successful in China. And I didn't speak Chinese. And so some of them spoke a little bit of English. So I would go into these meetings and same thing happened to me in Brazil and other places. And the only tool I really had was to actively listen. It was this, I'm trying to understand the intent of what they're getting at. And maybe a translator was helping a bit, but I was really trying. I would pick up occasionally some Chinese words that, I understand this and that. And

 

what ended up happening was that people felt respected because they knew I was actively trying to listen, even if I didn't understand all the words. And by feeling respected, they felt like they could trust me and therefore they could trust my employer and we could form a business relationship. And so that act of actively listening really helped create those needs. Then separately, by the way, some of the time I was being asked, hey, how, you know, the market's so competitive, my employees are all leaving, I hire them and they train them and they go away, what should I do?

 

D. Mauro (41:25.998)

Mm-hmm. Mm-hmm.

 

Aaron Painter (41:48.497)

And it was actually looking at successful examples of companies. And for me, one of the most formative was Warby Parker in the U.S. You know, the eyeglass company, you know, is retail and online. And, you know, Warby, their internal culture is so orchestrated around listening. You know, in your first week on the job, you go to your team meeting and you express vulnerability and share with the broader group. And then people begin to trust you. And the managers are so eager to listen to the employees and listen to the feedback.

 

D. Mauro (41:54.99)

Mm hmm. Yep. Of course. Yep.

 

Aaron Painter (42:16.657)

that when the employees then get on the phone and they're talking to customers, they are hunting for feedback. They are really good listeners because they know the customer will feel better, but they know that if they pick up something, their management's gonna care and they're gonna run back and back. Listen to what I heard from a customer. And that's when it came to me that there's this virtuous cycle of creating a culture where employees feel heard and how they carry that to customers. In our business,

 

D. Mauro (42:21.902)

Right.

 

D. Mauro (42:28.654)

Mm-hmm.

 

D. Mauro (42:32.27)

That's really good.

 

D. Mauro (42:40.238)

Well, it's exactly what Yeah, I mean, that's, that's along the lines of what Chris Voss talks about in Never Split the Difference. Even in hostage negotiations, when you're when you're in intense situations, and you're talking to people that you clear that clearly are doing bad deeds, right and about to harm someone when you're able to even like what Chris Voss mentioned was even psychopaths want to be heard. And oftentimes, what he found was,

 

being able to let them be heard without agreeing. You're not necessarily agreeing with them, but you're it's what he calls tactical empathy. Right. You're able to listen to them, let them be heard. The trust builds, the rapport builds. You provide a safe exit for them to be apprehended by law enforcement. So it's really interesting. It it's so important for culture. Right. Because people don't, you know, people don't.

 

function and respond well to dictatorial mandates from top down, right? If they're heard and then leaders above them respond, even if the answer is no, but the fact that they were heard makes everybody feel good. Like, at least I understand why they said no, they heard me out, everything was better. It's a really interesting concept.

 

Aaron Painter (44:03.729)

Thanks, it's spot on. And not only is it good for people, but it turns out it's been good for business because, you know, so many of our innovations and what we do and our product, and, you know, I shared the story of how we went from this core ID verification technology to be able to do account resets and protection. It's because we listened. It's because we had people in the market eventually became our customers who came and said, Hey, I think I need this. And we could have dismissed it and said, no, no, we do something else. But it's because we listened and said, Hey, tell us more. What does that mean? How would it help you? And we still as best as we can.

 

D. Mauro (44:08.526)

Yeah.

 

D. Mauro (44:19.662)

Right.

 

Aaron Painter (44:32.721)

always chances to be better. As best as we can, are we trying to listen and stay a step ahead based on what we're hearing from our customers? And it's allowed us to just really build kind of spot on for what turns out the market needs right now.

 

D. Mauro (44:45.582)

Well, that is fantastic. Aaron Painter, everybody. That was a really, really enlightening, really excellent discussion. We'll have links to everything in the show notes. What's on your horizon? What do you have planned for the for the upcoming weeks and months?

 

Aaron Painter (45:04.369)

You know, I work a lot, which I love, even though it's summer, but we're just, we're in this surge at the moment where, you know, we're almost like nothing I've ever experienced in business. We have the right product at the right time. And so we are all working extra hard to make sure we're meeting our customer commitments and kind of able to welcome as many new customers as we can. It's kind of going through hyper growth. You know, my, my background is in scale. And so I'm ready for that. A lot of my colleagues are ready for that.

 

D. Mauro (45:11.054)

Mm-hmm.

 

D. Mauro (45:28.558)

Yep.

 

Aaron Painter (45:33.361)

but it's super fun and it definitely keeps us all kind of very busy at the moment.

 

D. Mauro (45:34.798)

Yeah.

 

Yeah, it's it's it's that Carpe Diem, seize the moment feeling. So I wish you nothing but the best. I look forward to watching the the the rise of it. And I will tell you, you know, our podcast doesn't talk about particular products or anything like that. That's just not what we're about. We're very agnostic. You've come up with something, though, that solves the issue we keep talking about. And you keep.

 

like responding in such a positive way. I wish you guys nothing but the best. This is really, really exciting to see. So after a little while, when I'm sure it's going to evolve even more, you'll throw another half dozen patents under your belt and please come back to us after a little while. All right.

 

Aaron Painter (46:13.425)

Super kind of you, dude.

 

Aaron Painter (46:24.465)

Super grateful for that. I'm gonna keep listening along the way. I know many of the listeners are enjoying these shows. I certainly am. So thank you again for having me.

 

D. Mauro (46:30.318)

Thank you so much. That's so kind. Awesome. Thank you everybody. Appreciate it.

 

 
