The CEO of ZooZ admits that he wasn't thinking of the prominent Zeus malware, which targets bank accounts, when he named his payments company. But he was absolutely thinking of security.
ZooZ provides technology that allows other companies to add a seamless and secure payment screen to apps that run on smartphones and other Web-connected devices. Users do not have to retype a credit card number or PayPal credential on that device for any future ZooZ purchases.
But it works only from that device. Every new device that users wish to use requires a fresh enrollment.
"We're using a patent-pending technology that uniquely recognizes each and every device that you try to pay from," says Oren Levy, CEO and co-founder of ZooZ, in an interview. "That allows us to reduce fraud and also reduce the risk of chargeback."
The payment data is stored in the cloud and tokenized in a way that makes the data worthless unless it is reunited with the user's hardware.
"You need the device," Levy says. If hackers were to break into ZooZ's system and steal its tokenized data, "they have only pieces of data that mean nothing," he says.
ZooZ also requires a PIN code for each transaction. "Even if someone steals your phone, they will have no way to pay with it unless they know your PIN," and they are locked out from the account after three failed PIN entries, Levy says.
For extra security, ZooZ can also remotely erase a device's authorization if a consumer requests it.
The process of enrolling fresh from each device is an added step compared to what many other digital payment methods require.
As for the name, ZooZ has nothing to do with the anti-bank malware. The company is named after an ancient form of currency and the Hebrew word for "move," conveying the idea of mobile money.
With desktop computers, banks and other companies have used device identification for years as an added layer of security.
"We need a corollary in the mobile phone, and here they are," says Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner.
ZooZ's approach to security is strong, Litan says, but she suggests one possible opening for attackers: "Zeus can get in the way of ZooZ," she says.
The Zeus malware functions by launching a man-in-the-browser attack, which allows hackers to piggyback on properly authenticated sessions. If the user's device is compromised with similar malware, it may no longer be a reliable form of authentication, Litan says.
"Man-in-the-mobile would look like it's coming from the legitimate device," she says.
Such attacks are dangerous because they are so hard to detect, Levy says. "There is no known 100% protection for such attacks," he said in a follow-up email, but they are harder to execute from mobile devices and ZooZ has several protections in place to guard against them.
ZooZ verifies each transaction between servers belonging to itself and the merchant, so if a user's browser is compromised it would not be able to interfere with that part of the process. ZooZ also has rules that detect signs of potential fraud, such as whether a single device is being used to make payments from multiple card accounts, he says.











