Due to extreme data breaches, hundreds of millions of identities are sold on the black market

Could you briefly give our readers some background information about Protectoria?

Protectoria is a security software company, founded by me, providing R&D done by scientists and partners within the academic community and the Innovation Computing Centre in Norway. We have made huge progress in security on mobile devices, building the software, aiming at the new compliance obligations, where regulatory bodies come into play. Currently, PSD2, the eIDAS regulation, the Network and Information Security Directive, and the E-Privacy Directive are trying to expunge any weaknesses that the market currently has. All of these regulations are entering market, restructuring, reshaping, in the period between 2016-2019. I saw this coming many years ago, and that has shaped our strategy of aiming at this market scenario. We have prepared over many years for this change in the market. My background is from IT and banking in the Nordics, and then security since 1995. I incorporated two companies in 1999, they were acquired by IBM in 2003. I left IBM for a few years and started Protectoria to work on this.

Mobile commerce and the usage of mobile banking applications have exploded over the last five years. The user experience is definitively improving but how is the situation regarding fraud and manipulation of transactions?

Many businesses, whether these are Silicon Valley start-ups from of big European financial services are at the stage of acquiring as many users as possible with cool and convenient mobile payment applications. They are primarily focused on getting a huge customer bases. Pretty much ignoring the fact that a mobile phone is like a PC with a windows NT from 98, not patched without firewall and without anti-virus. However, people are processing their payments with it today and according to Bloomberg the cost of mobile payment fraud has a price tag of 6 billion USD for merchants and card issuers a year in the US, only!

What kind of solutions/technologies are commonly used to fight fraud and secure applications?

Obviously, the front-line security is a very weak point, so one must stack up lots of back-end measures, reactive mechanisms, that analyse, detect, and correlate suspicious behaviour. And this is failing; it isn’t the answer to the threat level that is now becoming more and more advanced and systemic. Due to extreme data breaches, hundreds of millions of identities are acquired and sold on the black market. This is the launch pad for mobile fraud; you know the phone numbers, so you can tailor a mass attack, simply by sending all of them a message that one doesn’t even have to open for it to take over your phone. That is the environment of attack capabilities these days. And the longer this drags on, the more current financial institutions fall behind on hackers and fraudsters. 

These reactive mechanisms in the industry today have fallen behind on hackers. And every day they fall behind further in the race of defending mobile phones and the transactions running through them. And this race is about to be lost. There are dark figures in the statistics, and the risk mitigation in the market works for incentive the payment providers to push the risk over to the third parties, like consumers and merchants, who are the real losers in todays market.

Could you explain how the technology of the Protectoria Secure Mobile Platform, what makes it different.

We handle this problem in the front end. This can be described in an analogy. Current mobile payment apps can be imagined like bricks; they are stable entities, and the same software is replicated in all instances. So, when an attacker penetrates the defence, he typically goes for the reverse-engineering attack, or the overlay attack. This attack consists of finding out how the defence mechanism works, and then tailoring the running code to get around this. After having done this, the attacker can intercept transaction requests between the server and the device, and change them. This is the most common type of attack, but continuously being executed with more and more sophistication over the years

What we do to prevent this, is to convert this ‘brick’, a stable entity, into a far more dynamic entity, like a Rubik’s Cube.

This makes it virtually impossible to launch an attack, because the attacker can only analyse one moment of the running code, which becomes immediately obsolete, as the running code changes dynamically and in unpredictable ways. With this technology, the cost, the complexity, and the effort to crack the transaction security increases exponentially for hackers the more devices they attack.

There is always a big risk entering a market with so many big players. How did you convince your investors to take the risk investing in this new technology?

If you look at the current market mechanism, you will find that the problems that have arisen are not replaced by solutions, but merely held at bay. This causes an aggregation of problems, which creates a lot of ROI-limitations for commercial players in the market. On an aggregated level this is becoming a bigger and bigger burden for even nations. At some point, the regulatory bodies cannot allow this aggregation to exist any further, as the risk becomes too great and systemic. Our investors are people who believe that this problem must be solved, and see that the advantages of doing something different and unique than all the other security companies. On top of this, the value proposition becomes bigger and bigger as these problems keep stacking up. And even though it is a pretty high-risk investment, many people are starting to see that we are opening the doors to a new and payment willing market. These markets are typically the European market under PSD2 security compliance and many of emerging markets with the mobile-only approach across whole nations, that cannot any longer allow cyber-criminals to undermine the critical infrastructures.

Security problems cannot any longer just be pushed, they must be resolved and Protectoria is the only company worldwide that has passed a third-party security evaluation as required under PSD2. As far as we can see, all other security software solutions for mobile payment transactions have failed to meet this compliance level.

About Trond Lemberg

Trond has 30 years of experience in banking (Nordea), banking technology and information security technology, including being the project manager of the first VISA SET certified trust centre (Evry) of Norway. He is currently CEO at Protectoria and also the inventor of 5 patent pending security mechanisms of Protectoria.

About Protectoria

Protectoria is a digital security company from Oslo, Norway. Protectoria is strategically aiming at the high-end software security market derived from the compliant security market of EU/EEA. Our focus lies on Internet communication. Being able to protect your identity and trust othersis the cornerstone of our online lives.