Using 20th-century security protocols for internet access will always leave the door wide open to fraudsters. What is needed is security designed for the internet, writes Zia Hayat
In 1995, when I was still at school, a bank heist caught my imagination. It wasn't stockings over the head, guns and getaway cars that did it; it was the fact that the villains never set foot inside the bank. The Russian gang instead hacked into Citibank's cash-management system over a number of months in 1994 and illegally transferred $10m to accounts around the world.
Since then, digital theft has become big business – with billions stolen every year – while catastrophic data breaches have knocked public confidence, prompted government action and wiped further billions off companies' share prices. It's the digital equivalent of ram-raiders attacking banks all day every day.
Some 10 years ago, the head of risk at HSBC told me that 96 per cent of the bank's market capitalization was intangible – goodwill, basically. Relying on passwords, PIN numbers and biometrics is the equivalent of leaving the door open to ram-raiders who will keep on raiding the bank all the time they can get away with it. What's that going to do to goodwill, and the bank's market cap, once the public understand?
As internet inventor Tim Berners-Lee has admitted, security was never an inherent aspect of his brainchild, but was bolted on subsequently. Back in 1995, even I could see that these 20th-century protocols were not fit for purpose. And so started my interest in internet security and cryptography – leading ultimately to the founding of Callsign in 2012.
I learnt my craft under the best; David Green, my tutor at Manchester University, was a student of Alan Turing, widely considered the father of artificial intelligence and theoretical computer science, as well as the creator of the Enigma machine used for breaking German ciphers during the Second World War. I then went on to Southampton University to study for my PhD in applied cryptography, where I met Berners-Lee, who was an honorary professor.
Work followed at Accenture and Lloyds Banking Group, always in security operations; even in 2011, security protocols designed for the internet were still a rarity – beyond the military. But by then, banks were increasingly investing in online channels, seeing them as a way to cut costs and improve customer services. As far as I was concerned, by remaining wedded to traditional authentication protocols, they were leaving themselves open to disaster.
Callsign approaches internet security in a new and fundamentally different way. Instead of increasing security by employing biometrics (which can be easily compromised) or passwords and PIN numbers (which add friction), we use three meta metrics: device, location and behavior. By correlating data from across all three metrics, we can pick out truly suspicious activity without adding friction and thereby maintain a good customer experience.
Callsign recognizes that people act inconsistently – they might type slower because they're drunk, feel ill or they may have broken their wrist; or perhaps they have travelled to a new place, borrowed a device or stayed up all night – all of which would trigger alerts under traditional security protocols.
When device, location and behavior are looked at together it is possible to build up a picture that cross-checks suspicious activity to see if there is a genuine explanation before raising an alert. For example, the device may be new, but the payment destination a family member. Traditional systems would raise an alert; Callsign does not.
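As an added illustration of the cross-checking idea above (example code written for this page, not Callsign's product or algorithm), here is a toy risk scorer that combines device, location and typing-behavior signals and then discounts the score when the payee is already known to the customer. The profile values, event values, weights and thresholds are all constructed assumptions.

```python
# Added toy example, not Callsign's code: correlate device, location and
# behaviour signals, then cross-check context before raising an alert.
from dataclasses import dataclass

@dataclass
class Profile:            # what has been learnt about one customer (constructed)
    known_devices: set
    usual_countries: set
    known_payees: set
    typing_ms_mean: float    # mean inter-keystroke interval, ms
    typing_ms_stddev: float

@dataclass
class Event:              # one login-plus-payment attempt
    device_id: str
    country: str
    payee: str
    typing_ms: float

def signal_scores(profile, ev):
    """Per-signal unfamiliarity in [0, 1]; 1.0 means fully unfamiliar."""
    device = 0.0 if ev.device_id in profile.known_devices else 1.0
    location = 0.0 if ev.country in profile.usual_countries else 1.0
    z = abs(ev.typing_ms - profile.typing_ms_mean) / profile.typing_ms_stddev
    behaviour = min(z / 4.0, 1.0)     # 4 sigma or more counts as fully odd
    return {"device": device, "location": location, "behaviour": behaviour}

def risk_score(profile, ev):
    """Weighted combination, discounted when context explains the oddity."""
    s = signal_scores(profile, ev)
    risk = 0.4 * s["device"] + 0.3 * s["location"] + 0.3 * s["behaviour"]
    # Cross-check: a new device or slow typing is weak evidence on its own
    # when the money is going to an established payee (the article's case).
    if ev.payee in profile.known_payees:
        risk *= 0.5
    return risk

def decide(profile, ev):
    risk = risk_score(profile, ev)
    if risk >= 0.6:
        return "block"
    if risk >= 0.3:
        return "step_up"    # ask for one more factor; no alert yet
    return "allow"

# Constructed sample profile; assumed values, not real customer data.
PROFILE = Profile({"phone-1"}, {"GB"}, {"sister"}, 150.0, 30.0)
if __name__ == "__main__":
    ev = Event("tablet-9", "GB", "sister", 150.0)   # new device, known payee
    print(decide(PROFILE, ev))   # allow: the new device is explained by the payee
```

A new device paying an unknown payee from an unusual country still blocks, while slow typing alone on a known device to a known payee is allowed, which is the inconsistency tolerance the article describes.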
This is Intelligence Driven Authentication. It uses machine learning and algorithms to build a customer profile while limiting what information can be exchanged online to prevent fraudsters from being able to steal a customer profile. It's artificial learning that not only looks at the user, but also at what the fraudsters are doing.
For example, fraudsters want my data. Callsign encrypts it to keep it safe and will know that whenever it is used it has not been simply cut and pasted. It's all part of our solution. It's designed for the internet and is internet-safe. Originally launched for mobile devices via an API, today Callsign can be used on laptops and personal computers so that an organization can be safe across all its devices and platforms.
This means an organization can detect and prevent the misuse of credentials and stop people from doing things they are not authorized to. So it's not only applicable to banks and their customers, but is also being used by media companies, government agencies and professional-services companies in the UK, Europe, the US and Asia.
In the past 12 months, we helped prevent 14 big data breaches at an investment bank. As a result, the bank protected confidential data and its reputation, and avoided substantial fines and negative publicity. The financial benefits are incalculable.
At last we have a security system that can stop the digital ram-raiders, protect data, money, value and reputation. It's a 21st-century solution to a 20th-century problem.
Zia Hayat is founder and CEO of Callsign