On-line fraud is a full-time global business for the criminals involved, and a massive issue for retailers and merchants. In the US alone, in 2010 card not present fraud via the internet was reckoned to account for half the $105bn of total fraud during the course of the year, and globally cybercrime is estimated at $1.4 trillion.
As the way we make purchases and payments becomes increasingly internet-based, it calls for new security models. ValidSoft is ideally placed to meet the evolving security challenges facing retailers and the financial services organisations they work with, today and in the future. ValidSoft is the only security company in the world that provides protection not only for all electronic and phone-based banking channels but also for card-based channels, both card-present and card-not-present. An emerging global leader, ValidSoft is now part of Elephant Talk, the Amsterdam-based telecoms company. Patrick Carroll, ValidSoft’s founder and CEO, spoke to The Grocery Trader.
GT – Pat, let’s start by talking about the background to ValidSoft. When did you start the company? What were you doing before that?
I formed ValidSoft in October 2003. I spent most of my earlier working life in technology for the investment banking sector.
GT – What was the inspiration for your security solutions?
In 2003 ValidSoft was one of the first companies in the world to recognise that transaction and payment systems and telecoms would inevitably converge, hence our development and launch of telecoms-based security products. Back then we bet that the mobile phone would become the product of choice for use in this area, on the basis that there was nothing you could do on your computer that you couldn’t do on your mobile in a much more “on the go” fashion. When Elephant Talk acquired us, we were able to join forces with a fully licensed mobile operator. This strategic alliance enables us to deploy our telecommunication-based security products on a single platform. I know of no other vendor who can deliver such solutions in such seamless fashion.
GT – How do you work together with John Petersen, your Global Head of Business Development?
John looks after our partner relations and is a specialist in the financial services sector in the UK and worldwide. He and I generally collaborate in most aspects of the business and are very focused on R&D, looking at innovation and securing patents for our solutions. Our other focus is on getting the message across to retailers and financial organisations that, instead of security being a burden they have to bear, the seamless solutions we offer are an enabler for them to get closer to their customers and transact with them, making imaginative use of the different communications technology options which are opening up.
GT – When were you taken over by Elephant Talk? Who are Elephant Talk?
We were bought by Elephant Talk in March 2010. Elephant Talk (ET) is an Amsterdam-based telecoms company that fulfils our requirements for telecoms services to deliver our market leading solutions. ET is a leading provider of the software mobile virtual networks and network operators need, which complements our ability to deliver the security to underpin mobile transactions and secure and manage the cloud.
GT – What difference does it make being owned by Elephant Talk?
It’s totally transformed our business and has opened doors for us to speak to the big players! Elephant Talk buying ValidSoft turns us into a telecoms company and brings significant benefits. Elephant Talk gives us a true carrier-grade platform to process up to 400,000 transactions a second, and extremely fast access to the signalling layer, the “Out-of-Band” part of the cellphone network through which the one-time-password is generated.
GT – How do you see yourselves in the marketplace?
As convergence towards the Smartphone increases, the need for payment security is paramount. ValidSoft and ET are both innovators, leveraging each other’s core capabilities and strengths, and are global leaders in managing and securing the mobile cloud.
GT – Does ValidSoft have a mission statement?
Our mission is to make all transaction channels secure using leading edge communications, recognising that mobile payments will in a short time be the centre of the universe in the e-commerce space.
GT – Before we move on to Card not Present, can you talk us briefly through your products for ATM and point-of-sale fraud?
We have developed VALid-POS® for card present fraud. This solution can determine, in real time, that a physical transaction involving a payment card is occurring in proximity to that cardholder’s mobile phone. It can do this in less than 400 milliseconds (0.4 seconds). In simple terms it does this by using the other ‘Out-of-Band’ channels on the mobile. If the card and phone aren’t in proximity, there’s a good chance the transaction is fraudulent. VALid-POS® is an evolution of our VALid® multifactor authentication and transaction verification platform that provides protection for multiple banking channels and which financial services organisations and European governments have adopted.
GT – Can you talk us through how your technology works?
Our technology addresses two fraud prevention issues: one linked to card present transactions and one linked to online transactions (i.e. card not present). Overall, our approach is based on multi-layered security using an out-of-band channel that will securely authenticate a user and verify a transaction.
For card present transactions, our solution is based on our Proximity Correlation Logic solution. Hence if your card is being used at an ATM and you need to authenticate your identity, we can correlate the positions of you and your card through your mobile.
With remote, online transactions, authentication and verification are more complex. Typically, two-factor authentication involves a PIN number and a token for on-line authorisation. With some solutions, when you log on, you use a card reader to generate a number, or you are sent an SMS with a unique number (or one time password) to key in.
The problem is that PIN numbers can be obtained fraudulently, and SIM cards can be cloned and SMSs forwarded elsewhere. VALid® uses multi-factor authentication to reduce the risk of fraud. It does this by employing a cardholder’s mobile phone or landline to provide a one-time password for a given transaction.
Security can be further strengthened by the use of ValidSoft’s proprietary voice biometric technology, again by mobile phone, to establish another layer of authentication. All these are our patented platforms and our intellectual property. We are the only company with the ability to offer an independent solution blending all these.
GT – Our readers will probably be thinking by this stage that there are all kinds of online authentication solutions already, and wondering what’s so new about ValidSoft?
The available payment authentication technology is good, and it’s getting stronger and more reliable, but it doesn’t address the most important area – transaction verification. Unfortunately there are ‘man in the middle’ and ‘man in the browser’ attacks, which can be devastating. If it goes wrong, you’re in trouble: the fraudster’s got your funds and there’s nothing you can do about it.
We authenticate and verify at the same time through automated dial back to the card issuer. It’s as simple as a phone call, and in the phone call you can include all the attributes needed. We call this Transaction Integration Verification. The only answer is VALid® and our Out of Band technology, which is one of the most secure solutions and protects the customer against the most sophisticated attacks.
GT – What are ‘Man in the middle’ and ‘Man in the browser’ attacks?
‘Man in the Browser’ (MITB) attacks involve a Trojan – the number one type of on-line security threat – infecting the computer and pre-programming it to listen to keystrokes, and on banking sites they can totally corrupt transactions. The way to check that a transaction is authentic is to receive a reply, but even this can be compromised, as tokens and certificates are vulnerable to MITB attacks. ‘Man in the middle’ (MITM) was an earlier version of MITB in which the fraudster literally gets between you and the bank. If you’ve been redirected for payment on a web site, MITM can cut you off after you’ve received your payment authentication, and render your authentication redundant.
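To make the distinction in the last two answers concrete, here is an added illustration (not from the interview or ValidSoft’s products) of why a one-time password on its own does not verify a transaction, while reading the received payee and amount back to the customer over a separate channel does. The shared secret, counter, payee names and amounts are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret; a real issuer would hold one per customer.
DEMO_SECRET = b"constructed-demo-secret"


def in_band_otp(secret: bytes, counter: int) -> str:
    """HMAC-based one-time code. Note what it does NOT cover: the payee and
    amount. A browser-resident Trojan can therefore reuse it for a changed payment."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify_in_band(secret: bytes, counter: int, submitted: str) -> bool:
    return hmac.compare_digest(in_band_otp(secret, counter), submitted)


def out_of_band_readback(received: dict) -> dict:
    """What the issuer reads back to the customer over the separate channel
    (the automated call-back in the interview): the attributes it actually
    received, not the ones the browser displayed."""
    return {"payee": received["payee"], "amount": received["amount"]}


def customer_confirms(intended: dict, readback: dict) -> bool:
    """The customer approves only if the read-back matches what they meant to pay."""
    return all(intended[k] == readback[k] for k in ("payee", "amount"))


def authorise(secret: bytes, counter: int, otp: str, intended: dict, received: dict) -> str:
    if not verify_in_band(secret, counter, otp):
        return "declined: bad one-time password"
    if not customer_confirms(intended, out_of_band_readback(received)):
        return "declined: out-of-band verification failed"
    return "approved"


# Constructed sample: what the customer keyed in versus what reached the bank.
INTENDED = {"payee": "ACME Grocers", "amount": "49.50"}
CLEAN = dict(INTENDED)                                   # browser untouched
ALTERED = {"payee": "PAYEE-PLACEHOLDER", "amount": "4950.00"}  # MITB changed it; screen still shows INTENDED


def demo() -> dict:
    otp = in_band_otp(DEMO_SECRET, 1)  # the code the customer keys in
    return {
        "otp_accepts_altered": verify_in_band(DEMO_SECRET, 1, otp),  # True: OTP is blind to the change
        "clean": authorise(DEMO_SECRET, 1, otp, INTENDED, CLEAN),
        "altered": authorise(DEMO_SECRET, 1, otp, INTENDED, ALTERED),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```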
GT – What industry recognition have you had to date for your solutions?
We’ve had recognition from the financial services sector, the banks that issue plastic cards and the organisations that approve card payments for cash withdrawals and POS transactions.
GT – You have recently received the European Privacy seal. What is that, and does it relate to Card-not-present transactions?
We are the only security company with the European Privacy Seal – in fact we have two! The first is for VALid-POS®, and the second is for VALid®, which covers authentication and verification of remote transactions of various kinds. For example, we are involved in a major project with a European government involving VALid® for welfare recipients. People use our four-factor authentication solution to give assurance of their identity to their government before receiving their benefits.
GT – What are the existing security problems faced by online retailers?
If retailers want to let people buy on their site, it must be available 24x7x365. Online retailers run a borderless network with no idea of the people, devices or infections that they are in contact with, and are trying to carry out transactions under attack from fraudsters. Generically, on-line retailers won’t pay the cost of giving customers a token; you need to apply security on a per transaction basis, which is where the telecoms aspect becomes crucial. We can provide effective security, and we believe we will become the natural leader in this space. As we move into NFC (near field communications) and contactless payments, achieving more security will become essential in the context of delivering a better user experience.
GT – Does the consumer know your service is operating?
The consumer isn’t aware that our products are being used, so we can detect SIM swaps and so on in a manner that is invisible to end users.
GT – Aren’t online transactions already reasonably secure, due to online payment systems such as Secured by Visa?
They are, but there’s a very basic level of security against today’s sophisticated attackers, which means you can’t rely on just one form of security. With our model you get tremendous complexity. Online retailers want to be able to offer consumers as much self service as possible: the problem is the retailer doesn’t trust the internet and its users, hence there’s less service for the consumer and the potential for transactions to be corrupted. People need to be protected: it’s a massive issue, with the global cost of cybercrime running at $1.4 trillion in 2010.
GT – How do your Card not Present solutions fit into the scenario of online payments such as Secured by Visa? Do you have relationships with Visa Europe and the other associations?
We signed a partnership agreement with Visa Europe at the back end of last year, which allows Visa Europe to integrate VALid® and VALid-POS® into their services, so we are now effectively ‘VALid-inside’. From our perspective, it’s important we get recognition, but for the card associations and others, publicising how they are handling security is a challenge – they don’t want the market to know what they are doing!
GT – How does VALid® interface with retailers’ payment systems?
Most payment processors have risk engines, of which there are some six different ones worldwide. The payment process either interfaces with the risk engine (Real Time), or comes in afterwards (Near Real Time). When the bank “sees” a transaction is fraudulent but in fact it’s not, it’s called a “false positive”. The authorisation process takes 500 milliseconds and we can do our part in 400 milliseconds, so VALid® sits “inside” the authorisation process. Unfortunately, when the banks’ systems flag a fraud, they get it wrong nine times out of ten, and each of these rejections is a negative that costs the bank money, from £7.50 to £15 a time, to remedy the false positive. The big risk for the merchant and the banks is cards that are stolen. Given the risk of entering card details on line, it’s very easy to get information to generate fraudulent transactions.
GT – Can you tell us about the companies you have helped to date? Do you produce case studies?
We’re talking to every major institution in the UK, but as you’ll appreciate many of them would be very reticent when it comes to producing a case study about it! However, I can tell you that a UK building society already has our services installed and operational.
GT – How do you charge the retailer for your service? Is there a fixed cost per transaction, or a fixed percentage of the sale?
Most online organisations are moving to a pay per click model. As we evolve towards the cloud, it’s moving in that direction, which is terrific for us. Our platforms either work on a pay per transaction fee, or are related to the volume of transactions.
GT – Besides interviews like this, how are you going about getting the message across to retailers about the difference that your solutions can make to their operations?
We’re working at several levels: the most important one is working through government agencies, such as UK Payments. We attend and speak at conferences and seminars, which generate a lot of interest, and follow them up with workshops. What we do can seem complex at first, but when we explain what’s underneath the bonnet and the penny drops, it’s really very simple.
We also offer security solutions for loyalty programmes and NFCs. Our solutions can be tailored to any form of online activity.
GT – What packages do you offer to web-based retailers? What do they receive?
It depends: either our technology is outsourced and resides in the cloud, or people have it within their premises. Everything is secured. We have major data centres in Amsterdam and Brussels, and provide fully encrypted links into the client’s site.
GT – How do you evaluate the package retailers need to have?
In our workshops with customers we look at their areas of concern, be they achieving better online service or allowing greater user flexibility and self-service. From there we do a trial with the client. We have a rigorous programme and can do a trial in two to four weeks, then report back. At the end of the process we have a full understanding of what the retailer needs.
GT – How long does it take to ‘spec’ and then to install one of your systems?
Using the UK building society as an example, the trial was divided into three phases. It started with an internal roll-out that was then opened up to a number of customers. The final, full-blown roll-out took place in June this year.
GT – Who owns the project at the client end?
We work at different levels, and sponsors vary. In on-line banking it could be the Head of Banking or the CIO, someone who recognises and owns the issues, as well as the customer experience.
GT – How do you make sure all the people in the organisation are fully conversant with the problems you’re addressing?
We educate clients and produce collateral as a consequence. Hence at our seminars we make the sessions as practical as possible and explain the complexity underneath to ensure we get across the need for our solutions and how they address the problems.
GT – Online retailing’s been here for a long time. Haven’t all the major retailers’ sites already got something like this in place? Why switch to VALid®?
When online retailing started, the industry in general had a simple understanding of fraud. We’ve had two economic cycles since then that have affected retailers’ investment in security, but the fraudsters haven’t been constrained. The companies took two-factor control as standard, but the fraudsters moved on, which is why we developed VALid® with its four factors.
A number of retailers are using certain types of SMS and email, but SMS is not secure and fraudsters can carry out SIM swaps and so redirect texts. To illustrate the danger, a major token provider was infiltrated, but with a dynamic solution this would not have happened.
We need to take security to the next level. We need a dynamic and layered approach that we can change on the fly. As new threats emerge we can upgrade and update VALid® immediately, with no impact on the solution, and no hardware change.
GT – Do you advise online retailers about their general security, as in making sure call centres are clean, with no numbers written down etc?
Yes, we do. During the workshop stage we reach a good understanding of people’s thinking about security. We’ve got all the tools, but we need to educate organisations about the need to use them and how to do it.
GT – Where do you see VALid’s card-not-present fraud prevention going from here?
We see VALid® becoming the benchmark remote security solution. The route to market is through the major consolidators, so we are working through the larger organisations, who are all involved in promoting awareness that online fraud is a major topic of concern. We’re in touch with the top 600 organisations around the world. We will be getting our references up and running in due course, and highlighting them to show how adoption of this technology is developing.
The predictions are that if nothing happens to combat it, online fraud will increase between three and fivefold in the next three to five years. With 78% of online transactions across Europe being between five and 15 Euros, things will become even worse as we move from ecommerce using PC-based devices into the Smartphone environment and people get used to paying for things by ‘tap and go’ through NFC technology. We have the proven solutions in place to provide all the protection necessary, and we’re here to talk to the people that need to be protected.
Tel: 020 3170 8125