This Security Startup Says Your Convenience Doesn't Factor

trusona-token-021916-620.jpg

Editor at Large

It would be hard to find two people more qualified to start a security company than Frank Abagnale and Ori Eisen.

Abagnale, the onetime con artist and check forger portrayed by Leonardo DiCaprio in the movie "Catch Me If You Can," has been working with the FBI for the past 40 years to investigate fraudsters and scam artists.

Eisen was the worldwide director of antifraud efforts at American Express. In 2004 he founded his own security company, 41st Parameter, at the suggestion of Abagnale, who served on its board of advisers. The company made fraud and cybercrime detection software; Eisen sold it to Experian for $324 million in 2013.

"He could have retired and said 'I'm done,' but he had one more idea he wanted to do, so he asked me to advise him on this project," Abagnale said.

That project is a security startup launching Monday called Trusona (the name is an amalgam of "true" and "persona"). It has created a heavy-duty authentication scheme designed to check, beyond a shadow of a doubt, that a person is who she says she is. The service is being marketed to banks, large companies and government agencies for use by their customers or employees.

"41st Parameter provided 99% fraud detection, because the main tenet was not to disturb customers — everything was passive," Eisen said. "It works really well, but it doesn't solve for the last mile."

By "last mile," he means authenticating the user's identity every time they log in — on the online banking site, on the mobile banking app or in the call center.

"I'm not OK with 99% of nuclear power plants being protected. Tweets out of CNN can't be 99% true — one false tweet from an AP account and weird things can happen," Eisen said. "Just before we retire, we wanted to fix that last thing."

Trusona is also announcing on Monday a Series A funding round of $8 million, led by Kleiner, Perkins, Caufield & Byers. Ted Schlein, a partner at the Silicon Valley venture capital firm, is joining Trusona's board.

Whereas 41st Parameter does all its work in the background, Trusona requires effort on the user's part. It's meant for private banking clients, corporate customers and VIPs, in situations where security needs to come before convenience.

At the heart of the service is a hardware token that Eisen refers to as "the baby" (the official name is TruToken). It's a small magnetic stripe card reader that can be plugged into a smartphone and used to scan an identification card or credit card and capture not only the information on the magnetic stripe, but also the patterns of the barium ferrite particles in the composition of the stripe. (No two are alike, according to Eisen, so the device can identify fake cards.)

This piece of hardware has been tested for the past six years inside ATMs in Chile, where it was used to prevent EMV chip-card fraud. To create the token, the technology was taken out of the ATM and put on an ASIC chip.

To sign up for the service, a prospective user needs to photograph or scan her passport or driver's license. Then she needs to go to the post office or have a postal delivery person come to her home to verify that piece of identification before receiving the token. (Trusona says it has a partnership with the U.S. Postal Service to do this.) Alternatively, a corporate customer could have someone in accounting or human resources play the role of "true notary," and check employees' IDs. Or a bank could have its private bankers serve this function.

"The first step is not technology. We need to meet you if you want to become a Trusona customer," Eisen said.

There are steps built in to ensure that even in the case of a rogue mail carrier, the integrity of the account opening remains intact. For one thing, Trusona binds the serial number on the back of the token before giving it to the post office; without the correct serial number, the user cannot access the account. Registration for the service can only be completed on the phone used to start it. If another user tries to plug it into a different phone, it won't work. (Should the user get a new phone, she would need to cancel the service and get a new token.)

"The process to get the device and set up is a bit cumbersome, but again, it is a highly secure process," said Shirley Inscoe, an analyst at Aite Group. She could envision banks replacing their hard tokens with Trusona, "particularly for clients who tend to move very large sums of money."

When the user receives her token at home, she has to take a picture of the back of her driver's license and send it to Trusona, which checks the GPS of her location against a Lexis/Nexis database to verify that the address matches the one on the license. (If the user moves, she'll have to start over. And if she doesn't have a driver's license, she can't use the service.) To open the Trunosa app, the user needs a six-digit PIN.

So the power of this approach is the multiple physical and virtual checks and balances.

"You can't say 'Hi, I'm Steven Spielberg and I live in New York,' " Eisen said. "If we go to the Lexis/Nexis check, your driver license will not match. You can't sit in a cybercafe in Russia and do this. Our journey does not begin with us believing you are who you say you are. We physically check it."

The concept of the hardware token has taken some wear and tear in recent years. In 2011, RSA suffered a serious data breach that compromised its tokens. Some industry observers have complained that tokens are hard to keep track of. They're one more object that can get lost, stolen or damaged. But Eisen points out that the National Institute of Standards and Technology's fourth and toughest level of security guidelines call for a physical token.

The overall hope is to truly defeat Internet fraud. The way things stand, "risk is an afterthought," Eisen said. "Banks need to compete, but not at the price of society suffering."

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.

For reprint and licensing requests for this article, click here.
Bank technology Authentication Data security
MORE FROM AMERICAN BANKER