I believe SHAKEN/STIR was mandated only for calls originating from within the US; however, most of these fraud calls are originating over VoIP (or SIP) from outside the US.
Coinbase is a publicly listed company, with all its assets & liabilities shared in quarterly investor updates. They store all customers' assets 1:1 (i.e., it does not re-hypothecate any customer assets).
Enron was also public, so was Lehman Brothers. The idea that public companies can't game their numbers or commit fraud is provably false. Why anyone would have large sums of crypto (5 or 6 figures+) on an exchange is beyond me.
1. When we started to specialize in a vertical and created the narrative and the product for that vertical. This is esp. true in domains with many legacy players.
2. For some reason or the other, we have always had delays in announcing our fundraising rounds: both Seed and Series A announcements were delayed by 3-6 months. The moment we announced, we got a step magnitude more inbound customers. Lesson here is to not be a perfectionist and be willing to share the company/product publicly earlier, so you can incorporate customer feedback early.
PS: If it helps provide context for (1) above, our domain is fraud prevention; and we focused on payment fraud for Fintechs/Crypto instead of going after generalized fraud prevention across all categories like ecommerce.
Handling ACH fraud is tricky. There is no decent dispute resolution mechanism in ACH compared to what Visa/MC offer for cards. So FinTechs and their backing bank are on the hook for customer reversals for up to 60 days. In the new FinTech revolution, this is one of the most misunderstood things. Many FinTech entrepreneurs think they can put up a nice UI and offer great interest rates only to get hit by huge fraud losses as soon as they launch. I run a fraud prevention startup for FinTechs - sardine.ai - and I hear of a new FinTech hit by fraud every week.
We are a stealth startup founded by former PayPal and Coinbase engineers. We have a device intelligence product that can detect accesses from proxies/VPNs without using any IP list. We can also detect the True OS that someone is using - useful to detect emulators and script kiddies. Happy to chat if of interest: info AT sardine.ai
Account recovery is a completely underserved problem today and many companies don't have a well-thought-through solution. Many rely on Knowledge-Based Authentication questions that can be found easily by an attacker who has access to your email. To solve for cases where someone has lost all factors (forgot password, lost access to email, lost phone number), we need a brand new way of thinking about solutions. Hit me up if anyone's interested in brainstorming on the same!