Reed Taussig, ThreatMetrix: "The entire payments industry has really understood the severity of the problem"

Reed Taussig has more than 30 years of experience in the computer hardware and software field. Prior to joining ThreatMetrix, Mr. Taussig was president and CEO of Vormetric, a leader in the data privacy and protection industry. Under Mr. Taussig’s direction, Vormetric established itself as a leading provider of encryption solutions for the Payment Card Industry Data Security Standards (PCI DSS). Mr. Taussig also served as president and CEO of Callidus Software, the leading provider of enterprise incentive compensation management application systems.

ThreatMetrix is the fastest-growing provider of integrated cybercrime prevention solutions, processing over 500 million login, payment and wire transfers monthly. ThreatMetrix TrustDefende Cybercrime Protection Platform helps companies prevent unauthorized access to web and mobile applications, protect sensitive data, and secure transactions against account takeover, payment fraud, identity spoofing and malware.

Could you please elaborate on how ThreatMetrix balances security and data privacy?

Reed Taussig: ThreatMetrix collects personally identifiable information which is private key encrypted, meaning that our providers of information can see it, but ThreatMetrix can’t. Therefore, our 25,000 customers around the world who provide us with info send it to us as crypted, as it cannot be human readable, even by our technology.

In order to ensure a balance for this conflicting situation between security and data privacy, we have created an anonymous global network based on the principle that “I don’t need to know your name to know who you are.

Regardless of the transactions performed, each company has different levels of risk. The level of risk is different, depending on the operation and the company involved, as it is easier to commit fraud when signing in for a dating website rather than opening a bank account.

We turn the information in a private key encrypted data to compare it across the internet, so we can know that someone’s email address is being used on 5 different devices in 3 different continents and 4 different time zones. There’s no need for an email address to tell that an identity has been compromised.

To sum up, ThreatMetrix has built a real-time federated network of 25,000 customers. It is contact-sensitive, applying the rules and risk levels required by the degree of risk that each customer ought to have in order to protect a transaction.

What can consumers do to protect sensitive data and what should they do if their account details are exposed?

Reed Taussig: Firstly, there is the device, then the user credentials and last, phishing attacks. An internet connected device (computer, mobile) used without a firewall or any other security measure, will be compromised within 2 or 3 minutes. Therefore, people need to realize that device protection with firewalls and mini anti-virus scans is vital.

Still, it is not enough. . Passwords are a big problem. People talk about having very complex passwords which become impossible to remember. Therefore, customers put them on a document on their computer which becomes compromised and then fraudsters gain access to all the passwords. A better solution for this would be to divide the websites you do business with into groups. For instance, for simple website where risk is not that high, like Facebook, consumers could use the same credentials to avoid having too many usernames and passwords. On the other hand, for sensitive websites, like bank accounts, you should have complex passwords that are not easily readable and you should not repeat them.

Via phishing attacks fraudsters acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by sending an email asking for personal data on behalf of a trustworthy entity and they are becoming extremely sophisticated.

All financial institutions and companies engaged in internet commerce recognize that fraud is a major issue and it leads to customer reputational damage. This is far more important for companies and financial institutions than the actual losses due to fraud. If your account gets hacked, besides changing your password, changing your bank account number is vital.

Merchants face a lot of challenges when it comes to m-commerce conversion, customer centricity and security. What is the impact of this mobile/omni-channel commerce on risk management?

Reed Taussig: In 2013, 30% of ThreatMetrix commerce transactions came from mobile, up from 15% in 2012 and this year, the percentage is expected to reach 50%.

On the one hand, mobile is a new device, so technology can be built to protect that device. On the other hand, mobile devices are a simple extension of laptops, so we have had this problem before. The difference is that a mobile device provides hypermobility to consumers, which creates a new risk factor in determining fraud when it comes to location.

One is using mobile devices as web browsers to complete a transaction like doing on a laptop - this accounts for about 50-60% of all transactions. For high risk transactions like bank account transactions, the safer approach would be to use a vendor supplied app which has protective measure that can detect the real geo-location. If the phone has been geo-broken (stolen and used to make transactions), there is a high chance that the transactions are fraudulent.

Android phones are most susceptible to fraud. Statistics show that 90% of malware is directed to Android mobile devices because they have an opened system which presents a lot of opportunities for fraudsters. There is a real problem when it comes to mobile devices and it is very important to be careful what kind of information you store on such devices.

What would be the greatest fraud-related challenges for merchants?

Reed Taussig: Banks and merchants, as well as the entire payments industry, have really understood the severity of the problem when it comes to fraud. In 2013, there was USD 1.2 billion invested into new security start-ups which are focused on internet fraud, malware, botnets. Lately, I have seen a very increased willingness from retailers and financial services companies to spend more money to protect themselves. The retail industry, particularly in the US, was the first industry to adopt the authentication technology that ThreatMetrix sells.