Launch HN: Berbix (YC S18) – Instant ID checks to fight fraud and stay compliant
We’re Steve and Eric, the founders of Berbix (https://www.berbix.com). We make it easy to instantly verify photo IDs. Our goal is to empower platforms to accurately identify their users while being responsible stewards of sensitive information.
Today, we’re launching our self-service ID checks (https://www.berbix.com/pricing) to organizations of any size that need to answer the question: Are you who you say you are?
We’re taking a privacy-first approach to identity verification. Your government-issued photo ID is one of the most sensitive pieces of information you own, and sharing it with a company online can be scary. We’ve invested significant effort to try to do this the right way from a security perspective, ensuring all images that ever leave our system are aggressively watermarked, and enforcing short retention policies to automatically purge data. We aren’t—nor do we ever intend to be—in the business of selling personal data.
Unless you’re a credit card processor, everyone knows that you’d be crazy to collect credit card numbers directly without using a system like Stripe because of PCI compliance. But there’s no equivalent standard for identity documents. It’s still the wild west when it comes to best practices around this extremely sensitive data. Companies inevitably will need to collect this data, whether to comply with regulations to verify age, confirm the identity of a GDPR or CCPA request, or deter fraud on a marketplace. It may come across as self serving, but we’d rather have a privacy-oriented company collect that data on their behalf.
We were the product and engineering leaders of the Trust & Safety team at Airbnb for several years where we were tasked with stopping all bad things from happening on Airbnb—both online and offline. This was a challenging problem as it included your typical online fraud like chargebacks, account takeovers, and wire scams in addition to much more novel offline risks like property damage and personal safety issues.
We learned to distinguish between “premeditated” bad actors who come to a platform with the intent to cause harm and “opportunistic” bad actors who would swipe a $20 bill on a nightstand, as an example. Some techniques work well against one group, but not the other. One effective means to fight both is to check a government-issued photo ID. Premeditated bad actors will often leave to find another platform with fewer protections, and opportunistic bad actors will think twice before doing something malicious in the moment when they know their ID has been checked.
Historically, checking IDs online has been hard. It required a 5-figure contract with a legacy ID verification provider, would take minutes or more, and the quality of the data returned left a lot to be desired. We knew there had to be a better way, and so we started Berbix. Our product returns a result in 2 seconds or less and leverages the machine- and human-readable components of a photo ID to maximize accuracy.
We’ve designed Berbix in a way that we, as developers, would want to use it (https://docs.berbix.com), with backend API libraries that make an integration simple and intuitive. We offer client-side SDKs for a number of platforms including React, iOS, Android and more (https://github.com/berbix). We make integration simple enough to be completed in a matter of minutes, while also providing flexibility to offer custom configurations if desired. Using our API, you can request the information you need to verify your users, while isolating your servers from ever handling the sensitive user-submitted ID images directly.
We’d love feedback from the HN community. Looking forward to hearing your thoughts!
56 comments
[ 1106 ms ] story [ 1862 ms ] threadDo users typically redirect to Berbix, or is there a hidden API integration?
Couple questions
- Is the verification completely automated?
- Sound's really expensive at $1 per check, why?
Drop me a line at (my first name) @berbix.com and I’ll shoot over a demo link so you can try it!
The unfortunate reality is that very often, businesses do not do enough due diligence before responding to data requests. [1] Berbix makes such diligence easier and more secure, such that more companies should be able to adopt better processes around data access requests.
[1] "GDPArrrrr: Using Privacy Laws to Steal Identities" https://i.blackhat.com/USA-19/Thursday/us-19-Pavur-GDPArrrrr...
We believe that going forward, fintech startups are going to have to have to have increasingly robust KYC programs, which will include an ID checks. Berbix is an effective tool to collect and check IDs instantly as part of a robust KYC program. To that end, we’re currently serving multiple customers in the fintech space with such programs.
Maybe it is not the case in the US? Interesting.
Is your market research limited to the US?
Or are you focusing on USA customers only? GDPR and all that.
Do you verify consistency of components on a license through access to a DMV database (e.g. name matches address matches license number) or is this closer to a surface-level check of subtle visual indicators present on a license? Watermarks, holograms, etc.
Curious if the core asset here is a well-trained CV model, or if there's a data/partnership moat as well.
If not, very curious how you solve for false negatives in your KYC. That itself is a meaty problem domain. I remember when Coinbase was scaling, tons of folks were complaining about being unable to access funds because they were told that they weren't providing proper identifying information, even when they were, in fact, were.
I love this, for the same reason I love Stripe (and before them authorize.net et al): I don't want every vendor I use that has KYC requirements to implement their own controls on the screenshots/scans/videos/whatever of government IDs, because then there will be a huge amount of variation and some of them will inevitably get it very very wrong.
Putting it all under one roof (or a few roofs) allows those few companies to get storing and handling this toxic data really right, extract a reasonable amount of revenue, and everybody wins (Berbix wins because money, their customers win because they don't have to pay the opportunity cost or real cost of developing this in house, and end users win because of better/safer handling of ID information).
Also not sure why this makes handling ID information “safer.” The vendor using this service still has access to all the images (ID and selfie) and data returned to them from this API that they can store a copy of on their own servers forever. This is not like your Stripe analogy where you only get the token and not the actual card number.
1. "images that leave our system..."
Why do they at all??
--
2. You're a startup. Meaning: 90%+ chance you die. What procedures have you put in place to make sure that ALL the data is destroyed in case your company changes hands, so that it cannot be used by somebody whose ideas and privacy are different than yours, simply by buying you (or your carcass after you are bankrupt)?
--
3. What use is watermarking in case of a giant data breach? The fact that we know that YOU lost our data doesn't help us any. What are your plans for data storage such that a breach in your systems does not allow easy exfiltration?
On the point of why images leave our system at all, we provide a way to show our work to our customers — they won’t trust our results if they can’t see that they’re accurate. When they access information on our dashboard, if we render the images, they’ve left our systems. To be clear, we’re not syndicating this information to any third parties, just showing this information directly to our customer (who is the owner and controller of this data).
As for what procedures we put in place, we enforce short retention periods for the data we store in our systems for precisely the reason you are worried about. At the expiration of that period, the data is permanently deleted. Furthermore, in the event of a change of control, the contracts we’ve put in place with our existing customers govern how the information can be used. This is super important to us as we personally take privacy extremely seriously.
The aggressive watermarking is important for several reasons. First, in the worst case scenario, we can trace how a breach happened and when. Second, it is watermarked in such a way that the images become much less functional than they would be otherwise — the intent is to ensure that the images cannot be used to verify an identity on any other service. We take security very seriously — we’ve already secured SOC 2 certification and continue to invest heavily in security using industry best practices.
For example, shutterstock logo sure doesn’t stop people from using those. Plus there are open source tools to reverse such watermarking.
I get (in retrospect, after research) that you're asking for a real-time face pose change for better identity verification, but do you realize how dystopian it feels when someone is fighting with an opaque bureaucracy and the process demands that they smile about it?
You should try expressing a rationale up-front so it's not so Orwellian.
I know you already get this, but for posterity, the idea here is to make sure the person submitting their ID is actually in front of the computer (and can react to a prompt). Attempting to use a still photo is a common way a bad actor may try to circumvent these protections. Obviously correctly identifying someone in the case you described is extremely important given the sensitivity of some of these data access requests.
Orwellian isn’t exactly the vibe we’re looking for, though, so we can do better here.
I do get the aim, but it took me a while --- I'd wondered if it was simply data collection for more classifier training or something, which felt like a dodgy extra ask along with a verification service (even if it's the same strategy as recaptcha).
I hope I'm wrong somewhere.
If I'm not, I don't think I want to do business with you, or to ever have my ID checked by you if it means you'll get to keep my data- then ask me for an up-to-date picture to improve your collection when I object to that.
They say the photo will be removed - I believe them. GPDR, California laws, good will, storage is expansive, etc.
What I won't trust anyone with, is what they will do with the data created from this photo that is not the photo itself.
I hope Berbix has a plan here for the fact that when sketchy companies use their service, it will make them look sketchy by association.
With respect to Sift, we see them as good stewards given their narrow focus of preventing fraud as opposed to data brokers that sell your data to ad networks, hedge funds, etc.
Sift has taken a privacy-conscious approach to responding to data access requests by ensuring the individual is in fact who they say they are. We’re proud to help them prevent fraudulent access to sensitive personal information.
The consumer facing experience on this is not the best. Here I am filing a request to a third party processor for data that I never personally sent them. And in order to handle that, I have to send even more sensitive information to yet another third party processor. See the irony here?
Sift’s email said the ID data would be retained for no more than 14 days, while Berbix’ privacy policy says the retention period is the shorter of “until no longer needed” or for 3 years from my last interaction with your customer.
Who’s right here, and if your customer quotes end users a retention period that’s shorter than 3 years, how do you hold them to that?
Regarding your question on data deletion; we abide by the retention policies chosen by our customers, which are typically much shorter than 3 years. For Sift specifically, the retention policy is indeed 14 days, after which point we automatically delete all the personally identifiable information we've collected on Sift's behalf. We'll be taking in your feedback, however, as this could be made clearer in both our privacy policy and our product.
I stumbled on Indian government's effort to address this problem via https://digilocker.gov.in/ I think they basically store photos of you, your govt IDs (driving license, social security etc), your records (educational, financial) and digitally verify it with the issuer of those records (in most cases, other govt agencies), plus, also link it with your mobile phone number and/or personal email (for MFA). Is it fair to say berbix is doing the same but addressing a global market? Or, is berbix a complementary product, that is, you'd simply build on top of a service like digilocker as requester and/or issuer of verifiable documents [0]?
With that in mind, do you also plan to expand verifiability to other forms of documents, too, other than IDs?
Congratulations on the launch.
[0] https://partners.digitallocker.gov.in/
idology
jumio
identity mind
onfido...
So, let's take a look at your terms.[1]
However, we cannot guarantee that unauthorized third parties will never be able to defeat our security measures or use your personal information for improper purposes. You should always use caution before sharing your sensitive personal information online.
we each agree to resolve any claim, dispute, or controversy (excluding any claims for injunctive or other equitable relief as provided below) arising out of or in connection with or relating to these Website Terms of Use, or the breach or alleged breach thereof, by binding arbitration by JAMS, Inc.
Not only mandatory arbitration, but arbitration with JAMS, which has problems.[2] Not the American Arbitration Association consumer rules. The AAA will often send small claims to Small Claims Court, which is cheaper, and has real judges.
These Website Terms of Use, and any rights and licenses granted hereunder, may not be transferred or assigned by you, but may be assigned by Berbix without restriction.
So if you exit by being acquired by Google or Facebook or Tencent, they get all the data.
There's nothing in the terms which places any legal responsibilities on Berbix beyond minimal compliance with the law. The terms are no better than the average web site, and worse than many.
So, "privacy last".
[1] https://terms.berbix.com/terms/website [2] https://www.sfgate.com/news/article/PRIVATE-JUSTICE-Can-publ...
Our “privacy-first” claims are namely three-fold:
1. We limit the data returned to our customers and enforce a maximum data retention period after which data is permanently deleted. We encourage customers to reduce the amount of data they need and the number of days it must be stored.
2. We built our own image watermarking service to protect the sensitive images we process and store. This helps ensure that the images cannot be used to verify an identity on any other service.
3. We completed our SOC 2 Type 1 examination in March 2019. This is an intensive security audit performed by an accredited third party. We perform these annually.
And thanks for the feedback regarding JAMS specifically. We are in the process of revising our terms that were first drafted early this year before our public launch.
We really do appreciate this feedback, which we will take into account as we continue to iterate on both our Terms of Service and Privacy Policy to best-reflect our business practices. As part of this effort, we are making a commitment to always publish a record of all changes to our terms.
Why is there no demo on your site?
If you want to give it a try yourself, you can sign up and try our "test mode" for free!
[1] https://www.youtube.com/watch?v=cX4lQlCWXq0
[2] https://www.youtube.com/watch?v=O3nV0AXbsL8
$100 / month is NOT "Pay-as-you-go" pricing.
Pay-as-you-go doesn’t necessarily mean usage-based pricing.
We need to compare the face on the user's ID card against other user-provided photos to see if they are the same person. Will the 'images.front.face_image' watermark interfere with face analysis?
Twilio's Lookup API can return extra data from various databases. Have you considered doing something similar with Berbix Verify? We would be interested in sex-offender registration status, violent crime conviction status, and home geographic area. Various demographic info could also be useful: education level, employment status, income/asset level, etc.
Can this be used for age verification for adult sites?