By Pablo de la Riva, CEO and Founder, buguroo
Interview ahead of the 2nd Annual Fraud and Financial Crime Europe Summit, taking place 2-3 April in London
Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I founded my first company when I was 21 years old – a security consulting firm – and buguroo is my first software start-up experience. I have been working in the anti-fraud sector for almost 15 years, first as a cyber-security analyst, then as a team leader, later as CTO with almost 200 people reporting to me and now as CEO.
I'm passionate about my work. When I was little, I wanted to study architecture. It's something I love: the design of houses, buildings, skyscrapers… I always believed that your work has to be something you enjoy, and I would say I discovered architecture very early. However, when I was given my first computer when I was 12 years old, in the midst of the internet boom, I got hacked and suddenly all my previous plans were blown away.
An intruder gained control of my system and began talking to me. I didn't know who it was and they didn't know who I was. However, they had control of the device that my family had made such an effort to buy. I didn't know how it could have happened, or where the intruder was. I asked myself, 'How is this possible? A stranger taking control of another stranger's system…' I was fascinated. I thought it was so exciting that right then and there I saw clearly that architecture would have to wait.
In buguroo we manufacture software that combats online fraud. It helps applications – web and mobile device – ensure that users are who they say they are and that they are not being manipulated. Ensuring those two things is what lets you be sure there is no fraud, as fraud always entails an alteration in one of these two points. For this purpose we use techniques such as deep learning, behavioural biometrics and data analytics, which are a very positive trend and have a great future, and not only in the online fraud field.
What, for you, are the benefits of attending a conference like the Fraud and Financial Crime Europe Summit and what can attendees expect to learn from your session?
I believe this is a very exciting time, with the banks undergoing a complete digital transformation and with important threats for them in the future that will mean they have to invest a lot of money in very innovative solutions to prevail over the new trends, such as Fintech, cryptocurrencies or the major technologies that are positioning themselves to offer banking services. This will open up a lot of new alternatives, whether from the standpoint of usability and experiences for users, or opportunities for cybercriminals. This is why we are so highly motivated to do research and develop new solutions, to keep one step ahead of new trends.
The online fraud landscape is wide enough to need solutions which give a full view of the user risk. Most of the solutions just cover some fraud scenarios, exposing a gap that fraudsters can exploit to commit fraud or forcing the customers to hire more than one solution. buguroo is the only provider that combines both online fraud principles: the user is who he or she claims to be and is not being manipulated, which allows buguroo to detect everything from common Phishing, Unknown Malware and Account Takeover attacks up to the latest methods, with neither false-positives nor false-negatives.
Without giving too much away, how can understanding the origin of online fraud assist in prevention, and how can deep learning be leveraged?
However strange it may seem to laypeople, we can draw parallels between malware and works of art, which have their own style and author's signature. In the same way as we refer to art forms, such as pop art, impressionism, cubism, surrealism, etc., some distinctive styles can also be recognized in the malware produced by hacker schools in different geographical areas. These schools have developed their own way of launching attacks, mainly in the wake of the broad spectrum of security measures that have gradually been implemented in the same geographical areas they hack. Getting to know who they are enables us to predict how they will evolve and what we can expect from them. Targets, attacks and techniques change… but fraudsters just move. Being able to use the digital fingerprint to identify fraudsters moving laterally between companies will be our next step, helping our customers to prevent the attack and to research who, how, where, when… were involved in the fraud.
At buguroo, we believe that the only way to face the threats and risks of now and the future is by implementing a holistic protection approach, which protects users over the course of their sessions and serves to assess their behaviour thanks to all the information they supply.
What are some best practices or advances in the industry to identify legitimate users vs. fraudsters?
Knowing your customer is important not just for commercial purposes, but also for security ones. buguroo creates a unique digital profile with a holistic view of each user: where he or she is logging in from (network, devices, geolocation, etc.), whether he or she has any malware manipulating his or her user experience (webinjects, session hijacking, Man-in-the-browser, RAT-in-the-browser), and how he or she usually types, clicks, touches, etc. (so you can find out if someone is impersonating the legitimate user). Knowing each user uniquely will allow our customers to offer useful adaptive authentication and transaction monitoring solutions. Much more than just clustering bad and good… bugFraud will give the option to catch the one.
buguroo's approach allows us to be able to identify fraudsters even when they change their targets. Finally, a cybercriminal is a human with a specific way to type, move the mouse, touch the screen, etc., so it does not matter which company he/she is targeting. buguroo's digital profile would help our customers to have pre-emptive detection.
How can behavioral biometrics assist in prevention and detection of cyber crime?
bugFraud is able to create a unique AI model for each single user to identify whenever a user is being impersonated by a fraudster, taking into account how each user specifically interacts with our customers' website or mobile app, profiling the devices and networks used (geolocation, reputation, anonymization, etc.), behavioural biometrics (mouse, keyboard, touchpad, screen, etc.) and much more to identify if the fraud could happen. From buguroo's perspective, there are no good or bad behaviours; there are legitimate users and users trying to impersonate the first ones. That's why you need to be able to know each user individually, and learn from his behavioural… By applying Deep Learning and Behavioural Biometrics during the whole user session we collect and correlate more parameters than any other tool to create the richest profile with the maximum precision.
It is important to emphasize that the solution does not use any sensitive data that would make it possible for buguroo to identify the bank's customers, in order to be compliant with existing regulations and for the protection of personal information.
How do you see the impact of Fraud and Financial Crime evolving over the next 6-12 months?
I think the biggest challenge right now is fighting against the diverse range of online fraud types. Depending on the bank, on how it challenges users, its own operatives, and even depending on the attacker's knowledge of a particular bank, the methods used are different. So, covering this diversity, in addition to understanding that each customer is different and has its own particularities. Also the new international banking regulations, focused on real time and new services operated by third parties, open new opportunities for cybercriminals to explore new attack vectors that didn't exist before. Moreover, the digital banking transformation and the ease of online account creation without the requirement of attending a banking office could trigger employees to consider internal fraud, scared of employee cuts, as well as facilitating cybercriminal work due to a lower exposure.
The fraud landscape is ever changing; traditional rules-based solutions will not be enough anymore. You need to detect proactively whenever a risk is happening in your users even when you have never seen this attack before. How to address it? Don't always be following the fraudster; anticipate him by fighting his purposes. New attack… same goal: impersonate the user or manipulate him.
The weakest link is the end-user, but… how do you protect someone you do not control? Moreover, old strategies where you impact the user experience or force users to install software on the client side are not an option. The challenge is to protect your users in a transparent way. Frictionless, agentless… and secure.