As part of the activities of its Rockaway Ventures Fund, the Rockaway Capital Group held an exceptional event during this year’s film festival in Karlovy Vary – the Creative Czechia conference. Its goal was to connect…
Software that runs in the background of a banking application to check whether someone is trying to steal your money – this is a product from Brno startup ThreatMark. We talked with Michal Tresner, its CEO, about expanding to America and what’s behind the scenes of modern on-line security.
The now profitable start-up was founded in 2015, and first came to prominence three years later, when CzechInvest and Forbes Magazine named it Start-up of the Year. That ThreatMark is growing is also confirmed by the fact that this year Deloitte included it on its list of the fifty fastest-growing tech companies in the Central and Eastern Europe region. Today, a team of 65 security and fraud detection experts guards the bank accounts of several dozen million people, and is now preparing for rapid expansion – both geographically and to entirely new markets.
Is the internet a safe place?
That’s a complicated question. It depends on what you’re doing on the internet. Most people don’t see it as safe – when, for example, you visit a physical bank branch to deposit a relatively large sum, it’s a routine operation and nobody feels threatened. But minimally the older generation is afraid of the on-line world.
Do you yourself have any experience with fraud?
Yes, you could say that. Many years back, I was operating one of my previous start-ups, a bitcoin currency exchange. And we were doing quite well – up until we found out that many of the transactions people were doing through us were basically money laundering. We were helping them convert Czech crowns or euros into bitcoins. We found this out when were were contacted by the police and we had to explain what transactions when where and how we were involved. The problem was that we weren’t performing sufficient verification of the identities of people who where exchanging money through us. This was also one of the things that led me to start ThreatMark.
ThreatMark’s mission is to make the on-line world a safe place through technologies. How are you achieving that goal?
In the broader sense, through how a user behaves in the on-line environment, we’re trying to recognize whether they are truly who they seem to be, and if they have a legitimate intent. This is of course a very broad concept. To be more specific – we monitor a user’s every action, especially when they access some on-line application, and based on how he moves his mouse, how he types on the keyboard, or how he holds a device, we can recognize his intent and identity. We check whether it’s him or some attacker impersonating him. We combine this with additional data like for example a specific type of transaction in on-line banking. Together, this creates a user’s unique behavioural imprint.
What types of fraud and attacks do you encounter most often?
Most often, we deal with attacks that lead to the attacker hijacking an account. This is usually the result of a cyber-attack, for example through the use of some malware or phishing, or social engineering, when someone gets you to give them your login information and takes over your account. We work with banks, so now I’m talking about fraudulent payments, but it can of course also be something different. For example, airline companies that use bonus programmes where you collect air miles – when someone comes and takes control of your account, they can simply transfer them elsewhere. But our biggest motivation is definitely protecting your finances.
Who is a typical ThreatMark client?
Banks – and we do several things for them. Fighting attacks on accounts and transfers is one thing. At the same time, banks lend money, for example, so they need to know whether they’re giving it to someone who intends to pay the loan back. We try to detect whether the bank should lend them the money in the first place. And then authentication is a big topic for us. Today two-factor authentication is being promoted everywhere, but we’re introducing a major revolution in the form of real-time behavioural profiling, where we can ensure that in more than 90 % of cases the bank doesn’t need to ask for authentication using a second factor. Hence all users need are their login name and password and fill them in “as usual”, resulting in a fundamental improvement to the user experience.
And as a client of a Czech bank, will I be able to tell in any way that my bank is using your system?
A normal client won’t be able to tell – there’s nothing to indicate that ThreatMark or any system of ours is interacting with the client. On the other hand, if sometimes your bank wants two-factor authentication and sometimes not, they’re most likely using our technology. Currently we’re protecting roughly 50 percent of the population in the Czech Republic. It’s quite likely that you’re using it.
What’s interesting is that our solution is protecting about 80 percent of mobile devices – phones, tablets and the like – in the Czech Republic, Austria, Hungary, and a few other countries. Uses don’t even know about it, because we’re part of their banking applications. When you compare this with the fact that the largest anti-virus companies such as ESET or Avast have mobile coverage of only three or four percent, we’re protecting many more people.
What’s the weakest link in the chain, in terms of security?
The user, of course. The problem is almost always between the keyboard and the monitor. But it’s also true that currently this mantra is being bandied about in the area of security with increasing frequency because the security of systems is constantly increasing, but users are adapting slowly and can always be fooled in some devious way.
And that’s the best thing about our solution – it’s perhaps the only one that can save people’s money even after they’ve fallen victim to fraud. An attacker who has fooled a user and gotten his login information from him has to use it eventually. We can recognize when an illegitimate user is logging in, for example because he’s writing on the keyboard or holding the mouse differently. That’s amazing, because no other security technology can fight social engineering, and ours can.
So if I understand correctly, you evaluate a huge number of parameters. How does the back-end intelligence work?
It depends on a number of factors. User behaviour can for example be described by how they write on the keyboard, move the mouse, what transactions they usually do or what devices they typically use, from which geo-locations, at what times, and so on. There are hundreds of these parameters.
But in order for the system to be able to detect that a user is logging in through their mobile phone, or that someone is using a device that we identified as an attacker in the past, we need to do something called device fingerprinting – so we for example monitor installed applications, configuration, connected WiFi and Bluetooth networks, or the wallpaper you have on your phone screen. And we’re capable of using all this to create an anonymized fingerprint.
And then you tell the bank that this entails low risk, this high risk, and it’s then up to the bank to block a potential impostor?
Yes, that’s right. We determine whether they’re an authenticated user, whether an attack is occurring, and whether it’s a typical payment. We give the bank all this information within a few milliseconds, and it’s up to them to decide what to do next.
How can your system continue to evolve? Is there some technology that’s you’re looking at going forward?
Behavioural biometry is a very broad, but young field. It’s only been in the past five years that we’ve managed to refine the technology so that’s it’s usable. Right now we’re merely talking about how to recognize a user when they go to the bank, but there’s an entire number of potential uses. For example, we’re working on a new use case where we look at how unknown users fill out a loan application or an e-shop registration form, for example, and estimate their intent from their behaviour. And this can be applied throughout the internet – wherever there’s some sort of on-line onboarding. That’s the direction we’re taking now. Covid, which shut people up at home, is a perfect accelerating force for us, because everyone has to register with all systems on-line. This will be a major thing in the future.
That sounds like an opportunity for a start-up to grow quickly…
That’s probably very true. The banking world is very set in its ways and everything takes a terribly long time. And while our banking business is doing extremely well, we nevertheless need to scale up the entire company to be able to work with banks around the world. So we’re looking at possible acceleration in new areas. It won’t happen overnight, but it won’t take years either.
And why did you start with banks?
That’s a good question. (laughter) At the very beginning we thought up a technology for detecting cyber-attacks, which were specific for the banking sector, however. But we soon realized that it’s really a cat and mouse game, where you’re trying to describe some past fraudulent behaviour. During ThreatMark’s first year, we’d already realized that we had to turn the tables, and so we’re trying to describe legitimate user behaviour. This is much more stable going forward and moves us toward something much, much larger.
I’d like to return to the subject of Covid. What occurred over the past year and how did it affect your business?
Covid had both a negative and positive impact on us. Some banks got scared and postponed parts of some projects and cancelled others completely. On the other hand, a number of other customers realized they needed to better protect their users. When you look at how many people moved on-line, including in the area of banking services, how many people started shopping on Košík and ordering on-line… These are major drivers for us, because wherever you go in the on-line world, you need to have your data protected.
Every year, our revenues grow by roughly 70 to 100 percent, and this year won’t by any different. Covid didn’t have a direct impact on banks because banking is a horribly slow machine. But it is true that as far as cyber-attack detection goes, in 2020 we recorded a 400-percent increase in phishing attacks. Attackers tried to take advantage of people’s fears and under the guise of obtaining some additional information to do with Covid, vaccination, and similar topics, did more damage than anyone expected. But for us it’s an opportunity, as it highlights the importance of good security.
You say you want to be number one in threat detection. How far are you from that goal?
In the Czech Republic, we’re definitely the most frequently-used solution for banks. Nevertheless, globally this area is so large and so much money is involved that we’re of course definitely not the only ones. There’s a lot of competition and it’s growing ever day. But I think that an important benchmark for us was when we were included in the reports of large analysis organizations like Gartner, Forrester, Aite, KuppingerCole and so on.
What’s in store for you in the near future?
The plan is to grow as quickly as possible. We have a big step ahead of us: we want to go to the USA and open a truly functional branch there. At the moment we’re discussing how best to do it so that it’s not a naive plan. And perhaps one day we’ll move our headquarters there.
How important is Rockaway for you as a partner?
Right from the start I’ve seen Rockaway as a bearer of knowledge. If I couldn’t talk about the benefit that’s most evident – investments at the beginning and throughout our relationship – then the main thing is advice on how to do business. And that’s something that’s always useful.