Aviva Zacks
Safety Detective’s Aviva Zacks had the opportunity to sit down with Uri Rivner, BioCatch’s co-founder and CCO, to ask him about why his company focuses on securing the data of the financial sector, what “vishing” is, and where he believes the cybersecurity industry is headed.
Safety Detective: Can you tell me a little bit about how you got into cybersecurity?
Uri Rivner: In 2011 I was working for a security company called RSA when, in one of the most famous cyberattacks in history, our network was hacked by a foreign army. You can imagine that it made us start looking more seriously into new technologies that could defend companies and end users from advanced attacks like malware, remote access attacks, and social engineering attacks. Shortly thereafter, in 2012, BioCatch—a behavioral biometrics start-up—asked me to join as a co-founder. Today, I’m the Chief Cyber Officer at BioCatch.
SD: Why does your company focus its security services on the financial sector?
UR: Simply because the banks and the credit card companies are typically the first to adopt new types of security controls. Digital end users of a bank or credit card company need to be able to function in a frictionless manner without interruption. But at the same time, banks and end users are being attacked constantly because that’s where the money is. In order to defend against those attacks, the industry really needs a defense mechanism that is not intrusive, that does not interrupt the user. Because, at the end of the day, strange as it may seem, most end users today place a higher priority on a smooth online experience than they do on eliminating the risk of fraud.
SD: What other industries use your company’s technology?
UR: Beyond the banking sector, many industries are now looking at behavioral biometrics: healthcare companies, insurance companies, government agencies—essentially wherever there are digital end users working on a mobile app or online, or when a user creates an online account. An interesting thing about behavioral biometrics is that it can analyze user interaction and try to understand whether what it is seeing matches this specific user’s regular online behavior patterns.
Account opening is now mostly done digitally across many verticals and many application types. So, whenever a user opens a new account, specifically when some sort of identity check is required, that’s where behavioral biometrics is seeing high demand these days.
SD: What are the current cyber threats that companies should be looking for?
UR: Digital end users are under constant attack. It could be as simple as phishing, trying to trick users into providing their credentials. It could be trojans, where your PC or mobile device is infected with some sort of malware. It could be something called remote access, which is typically when hackers convince users to install some sort of software that will allow the criminals to have direct control and access from afar.
Mobile devices are specifically threatened by attacks like rogue applications. About a week or two before the official release of Pokémon GO, there were all sorts of rogue applications that masqueraded as Pokémon GO, and people downloaded them. It was essentially a way to record all of your information and give the criminals access to your phone. The same happened with Fortnite when the well-anticipated release to iOS and Android came about. A couple of weeks before that, all sorts of rogue applications were already appearing in the online stores. This is a new type of attack that people are less familiar with.
There are also social engineering attacks that happen everywhere across many verticals and applications. The whole idea is to trick the user into believing that whoever they’re talking to is not a criminal. This hacker will give a task to the user, which is either to log into their online banking or maybe to install something onto their device.
SD: What can you tell me about “vishing?”
UR: Vishing is part of a broader scam known as APP (authorized push payment) fraud because you actually authorize the payment yourself. It’s a scam and it goes like this: Someone gets a phone call from her mobile provider, asking her to provide her debit card number because she’s late on her payment. She provides a debit card and makes the payment, and five minutes later she gets a phone call from the bank asking about the payment. She tells the caller that she made the payment to her mobile provider. The bank tells her that was a scam, it was actually someone pretending to be her mobile provider, so the bank stopped the payment. But now they will have to switch her to a new bank account. And that she should log in again online and move all her money to this new account.
You’re probably thinking that there’s no way someone would actually fall for that, but she did. She logged into her online banking, and—while still on the phone with the “bank”—received a “new bank account number” and started to transfer money to that destination account. If you think about it, it’s a very stressful situation. Her money is at risk and she needs to move all of her money to a new bank account. Obviously, the second call is also made by a criminal. It’s not her real bank calling. And because all of it made sense, she was actually moving her money.
From the bank’s perspective, it was very difficult to detect because it was coming from the regular device; it was the real user doing it. It wasn’t a criminal or some sort of malware or remote access or something of that nature, which is why it’s called “authorized push payment” fraud.
SD: Where does BioCatch come in?
UR: Behavioral biometrics tracks irregular user behavior: the way you type information, the way you move the mouse, the way you hold your mobile device, etc. It builds a profile of your regular interaction, your regular behavior. So, if something else is happening within your account or someone else is on your accounting system, we know that’s not the normal behavior of the user.
In that specific banking fraud scenario that I described, it was done by the real user, so all the alarm bells were supposed to be silent because she was the real person doing the actual money transfer. However, using behavioral biometrics helps us notice that the user’s behavior changed because she was under stress. In vishing examples like this one, we typically see the user hesitating more, using functions they are not familiar with, and displaying other anomalies from their normal behavior.
These are some of the ways to know that the user is undergoing something out of the ordinary, and this is how banks are looking into addressing this specific type of attack.
SD: How do you see cybersecurity evolving in the next five years?
UR: There are a lot of changes that will happen in the next few years in our field of cybersecurity, which is specific to cybercrime and to protecting the digital end users. The race is to find a technology that is invisible to the user but can still effectively verify the real user.
We also have to remember that attackers are quite dynamic and adaptive, and they are always coming up with new ways to hack into our private accounts. If you stop them in one area, they will develop other methods, which is why many of the industry players are investing in these new technologies, simply because they think about the future.
The second thing I would say is that opening an account is becoming the weakest point. We figure out the difference between an ordinary person and a criminal when they try to open an account. We use next-generation technologies like behavioral biometrics to find those differences and stop the hackers.