A psychologist, a criminologist and a biologist walk in to a cybersecurity firm reads at first like the setup of an extremely conceptual joke. It is not.
It is, however, actually how Israeli cybersecurity firm Forter is building a next generation platform to outthink an extremely adaptable pool of modern cybercriminals.
“We have a biologist that has been studying molecule shifts his whole life – he brings that knowledge of how things evolve naturally on their own,” Forter CEO and Founder Michael Reitblat told MPD CEO Karen Webster in a recent podcast interview. And while hiring a biologist may not seem like the most intuitive move to make for a cybersecurity firm – it is one of many unusual moves that helps the startup deliver on its essential value proposition.
“We create a fraud free environment for online retailer,” Reitblat told Webster.
The company does that by essentially putting its money right where its advanced data analytics platform is. Forter’s model is to enable real-time review of a merchant’s transactions in real-time and then gives them an up or down vote in a matter ofmilliseconds, using their analytics engine. If they get it wrong, and let a fraudulent transaction through, they absorb the cost of the fraud.
“If you’re claiming to go do something good, you have to stand behind it,” Reitblat explained to Webster.
He also noted that though chargebacks do happen – and actually should happen from time to time – they can stand behind their claim because far more often than not they do get it right.
“Generally we are very experienced in dealing with fraud or cybersecurity – this team has been working together for many, many years,” Reitblat said, further explaining that much of the Forter team actually went to high school together, served in the Israeli Army’s intelligence unit together and even went on to work together at Fraud Sciences. Fraud Sciences was the Israeli data security firm that PayPal acquired in 2008 to build its proprietary fraud management systems.
“We know our stuff, we know our fraudsters, we know how this world works and we know how to adapt very quickly. In this world if you don’t adapt quickly, you die,” Reitblat told Webster. And the solution isn’t building “perfect silver armor” or a “Chinese Wall to keep the Mongolians out,” because that is increasingly an ineffective solution for modern merchants. On the one hand, there is a risk of locking too many people out and, as a retailer, cutting oneself off from legitimate sales.
“Weak links will always be there, you have to find a way to block them quickly enough. That is why we offer chargeback protection is because we don’t want to get to zero chargebacks. Zero chargebacks means you are preventing more than you should, you aren’t learning.”
And learning is the name of the game in the security businesses, because that is what their counterparts in the cybercrime industry are doing – learning all of the time.
“It is quite amazing how quickly from the time a new product is released that [cybercriminals] find a way to exploit it. It can be a matter of hours,” Reitblat noted when describing his and his colleagues perusal of the dark Web. Because cybercrime has evolved – what used to be the domain of individual actors who had to build all their own tools, scout their own leads and do all of their own heavy lifting, has now developed into its own malignant and dynamic ecosystem.
“Now [the cybercriminals] are becoming more institutionalized or organized, but not in the ‘Godfather’ sense of the phrase, but in the online ecosystem sense,” Reitblat explained. “There are people who are only building cybercrime tools and selling them and that is literally all they do. There is now cybercrime as a service. You can have a botnet built for $2 an hour. This is why collectively, the cybercriminals have become so much better.”
That situation starts to look pretty grim – Webster described it as resembling a game of whack-a-mole with cybercriminals – one set of tools is developed to stop one set of cybercrime only to have another type pop up that we might not be as prepared to fight.
“Up until now, retailers were developing their own tools, collecting their own data and they weren’t as covered as they should be,” Reitblat explained. “What we’re saying is, ‘Look, we are the best in the world at attacking fraud. We don’t know anything about retail or marketing products, but we know fraudsters well. Let us to do that for you.’ The major task we really assign ourselves is to make the retailer not think about it.”
Because trying to secure the payments and having to make decisions about what payment to take and not take really shouldn’t be a retailer’s problem according to Reitblat, insofar it is not the problem they went into business to solve. Merchants want to sell their goods, he noted, and they want to make it as easy as possible for users to buy them.
“In the end, the buyer will choose what he wants to pay with based on what he wants to use and what he has, and we have seen that the retailer wants to make the buying process easy and frictionless for the buyer.”
And because merchants need their payment systems to be open, because ease of use is always going to be important, weak spots will persist.
“We understand how fraudsters act and we monitor what they are doing. And what they are here to do is find the weakest link everywhere.”
Like for example, the recent fraud issue that cropped up on Apple Pay. Though the accounts themselves are secure, Webster noted, criminals found the weak link – account provisioning – and used stolen card credentials to create fake Apple Pay accounts.
“Apple may come up with the best solution but some other weak link in the chain brings it down, in this case it was how cards get into the system,” Reitblat commented on the situation. “Apple is as much at fault as they are not. They built a really good system but didn’t button up authentication.”
Forter isn’t about building a good system once – but instead making it smarter with each transaction. They do that by leveraging machine learning.
“We actually improve our technical systems two or three times a day. Every mistake we make, whether we declined it when we shouldn’t have, or we approved it and it was no good – the system learns automatically.”
They also rely on human expertise – like the biologists, criminologists and psychologists.
“We rely on the fact that we understand how fraudsters behave instead of just relying on machine learning,” Reitblat noted. “We understand we can’t be impervious, something bad will happen constantly. What we learned in the last year is that everyone will be breached in the end. It’s just like knowing that there is a high probability of there being an earthquake in San Francisco – we don’t know when it will happen but we can prepare for it. As long as we change fast enough and think creatively enough in all directions instead of applying the same old tools to fixing the problems, we can stay a step ahead. We need to anticipate where everything goes and build our services to where that happens. Otherwise fraudsters will do that for us.”
There are no silver bullets, and there are no universal solutions, noted Reitblat. Even when it comes to the question of “acceptable fraud,” that Webster referenced toward the end of their conversation, Reitblat said that the solutions are highly subjective within some broadly defined bounds.
“An acceptable level of fraud is higher than zero, and unacceptable amount is when they are going to take your merchant account away. Other than this, it depends greatly on the type of merchant we are talking to and what they are trying to achieve. Higher margin merchants can be more tolerant to fraud,” Reitblat explained. “We enable merchants to find that economic optimum.”
The common metaphor for talking about cybercrime is a burglar trying to break into a house. While that image captures part of the problem – namely that locking one’s door will only push a motivated burglar to the window. However if Reitblat and Forter are right, it is also an analogy that is going out of date – this isn’t one burglar with a tool bag going after a target, this is someone unleashing hundreds of millions of weaponized termites (that he had created by a weaponized termite breeder paid in bitcoin) on your house and waiting to see which wall they get through first.
As the criminals are getting smarter, faster and more specialized, the tools are going to have to as well.
Retailers don’t want to be data scientists and remaining ever vigilant against the forces that are looking to defraud them or lift their data is unappealing. And, if firms like Forter can ignite, it also might become another relic of the past, as retailers seek to hand off the advanced functions to specialists with the advanced tools.
Forter’s advancedDecision as a Service™ anti-fraud solution will be on display later this week at Innovation Project 2015.