With financial services, retail, and various other sectors increasingly focused on digital security, one of the most notable solutions providers of the past year is Madrid-based buguroo. The company raised a stunning $11 million in Series A funding in November, and is seeing growing activity across its multiple offices in Europe, North America, and South America.
That excitement is owed to buguroo’s unique approach to cybersecurity. While its platform certainly features buzzy technology like behavioral biometrics and other Artificial Intelligence-driven systems, in its fight against fraud it relies more on key principles than on any particular technological mechanism. As founder and CEO Pablo de la Riva explained in a recent interview with Mobile ID World Digital Content VP Susan Stover, “what we do is we guarantee that the user is who they claim to be and we guarantee that the user is not being manipulated. If you can do both, then there is no fraud.”
It’s a fairly simple mantra, but buguroo’s technology is highly complex, as de la Riva goes on to detail. He also discusses buguroo’s humble beginnings as a consultancy and the reason for its shift to software provision; the importance of the bugFraud platform’s frictionless approach; changing perceptions of AI technology on the part of customers; and more, including buguroo’s expansion plans.
Read the full interview between Mobile ID World’s Susan Stover and buguroo CEO Pablo de la Riva:
Susan Stover, VP of Digital Content, Mobile ID World: It is a pleasure to speak with you today, Pablo. How about we start with some background on your company? Can you tell us how buguroo got its start?
Pablo de la Riva, Founder and CEO, buguroo: We started a long time ago, in 2010, offering services in cybersecurity, ethical hacking and anti-fraud. In 2015, we decided to modify the business, only specializing in online fraud and as a software vendor instead of a consultancy. The reason we decided to place our focus on being a software vendor was because after several years working in computer science trying to help companies defend themselves against online fraud, we discovered that there weren’t any solutions that actually resolved the problems of fraud. There were only different companies that were targeting the different techniques that fraudsters were using to steal money from banks. When you tried to offer a solution for a big multinational bank where each branch was being targeted with a different technique, there was no universal solution.
Unfortunately, we found that once one type of technology was chosen to defend against, the fraudsters discovered that their technique wasn’t working. They would then just change their technique. They could do this because fraud is not like a firewall or any other solution in cybersecurity where you have a clear set of rules. If you program something, the language is always going to be the same, but fraud is oriented in adapting to the decision of the users and doesn’t follow specific rules like in a firewall such as PCP or PIP.
So, we started again with a completely different approach and a new focus, based on a guarantee that the companies would be safe regardless of the techniques the fraudster will try to use to target them. That is the reason why we started the company.
Susan Stover, VP of Digital Content, Mobile ID World: You have also gotten a lot of notoriety in terms of awards for cybersecurity so you have certainly hit the ground running.
In terms of financial services, it does seem to be the prime candidate for bugFraud. What is the value proposition for buguroo’s technology in the financial space?
Pablo de la Riva, Founder and CEO, buguroo: Our value proposition is that we disrupt the way in which financial institutions are protected by putting the focus on the procedures to prevent fraud instead of focusing on the techniques that the bad guys are currently using to commit fraud.
So, what we do is we guarantee that the user is who they claim to be and we guarantee that the user is not being manipulated. If you can do both, then there is no fraud. But if you cannot guarantee either of those, then probably fraud will transpire. That is the difference between our approach and that of our competitors.
Our service protects users against any kind of threat, and not just manipulation threats, but also impersonation threats.
Susan Stover, VP of Digital Content, Mobile ID World: What would you say are the main fraud threats facing modern financial institutions? And how does buguroo’s technology protect against them?
Pablo de la Riva, Founder and CEO, buguroo: There are different kinds of threats that we protect against presently. We can consider account takeover as one of these. There is also phishing, vishing, and all its variables. And then there’s Remote Access Trojans, Remote access tools, but also Trojan Bankers, which is where they modify the behavior of the user or what the user is viewing in their browsers or their apps. We cover all these kinds of cases.
We protect users from these attacks by creating unique profiles for them. We create these dynamic profiles by gathering information about the user and their environment using six different engines, each of which has an ‘opinion’ on whether the user is behaving as expected. We then compile these results to generate a risk score in real time using Deep Learning to predict whether the session is fraudulent or not.
First we perform a device assessment, not just to identify that the user is logging on from their usual device, but to assess whether any new device fits the user’s normal pattern of behavior. We protect millions of users and, as you can imagine, we see logins from new devices on a regular basis. Banks need to be precise in terms of identifying whether the device – or any change in the device – is customary for the user. This is one of the simpler kinds of analyses we undertake.
We also take into account the networks a user would normally connect with. In my case, for example, I usually connect in Spain with three different networks: my cellular, my household, and my office. And if I connect outside of my country I typically travel to the United States, London, or Latin America, and in those regions I usually use a secure VPN. So, if I then connected from Russia, Romania or China, for example, that is something that’s not expected for my profile.
This works in combination with the device I am using; if I connect with an iPhone X from Russia, that is not completely out of the ordinary, as that is the model of my cell phone. Also, if I connect with an iPhone 11 from China it may not be so strange because it is predictable that I would use such a device. But if I were to connect from China with an 8 year old Blackberry it would be unusual and worth investigating.
The third value we look at is called accounting protection and that refers to whether the information that is being represented in the app or in the browser is exactly what it should be. Because Trojan Bankers, for example, will modify what the user is viewing. They might alter the amount of money that is in their bank account, then ask the user to recover that data by giving the fraudster the second factor authentication. That technology is more complex and more advanced because it makes a comparison between the structure of the information that is being represented and the actual structure of the information that should be presented.
The fourth one correlates all of the channels that are connected and that means the browser, apps and servers.
The fifth value which is very much in fashion in cybersecurity is bio-behavior. With bio-behavior we create a biometric profile for each user and that has two main advantages against classic biometry. The first advantage is that it works phonemically. For example, it doesn’t work like fingerprint recognition to get authenticated. Instead, it incorporates biometric gestures such as how you move your fingers, how you use the keyboard, how you swipe the touchscreen, how you press the touchscreen, how you use the mobile phone with accelerometer and magnetometer and sensor impressions and so on. We create a dynamic profile, which means that if your session in the bank lasts five minutes, during the entire five minutes you are being challenged. So, if somebody gets access remotely to your device in minute two, when you are already logged in, we can detect it as well. Or, even if somebody has stolen your device physically, we can detect this too. This is all because behavioral biometrics works dynamically.
The second advantage of bio-behavior is that you don’t need to depend on any sort of specific hardware. For example, high-quality mobiles have fingerprint recognition and they have facial recognition, but that kind of device is not available to 100 percent of the users of online banks. But with behavioral biometrics you can create profiles even with just the way someone uses a mouse and a keyboard, and that is enough. With modern devices, with facial recognition, for example, you need luminosity sensors to work with the camera even in low luminosity situations, and deep analysis to identify if it is a real face in 3D or if it is a picture. But with our behavioral biometrics none of that is needed and you don’t need to install anything into the device. The user is automatically profiled without them even knowing it. This means we can profile 100 percent of users without impacting the user experience.
The sixth one is straight intelligence and that last sensor determines if the network the user is using is private or not. So, we can detect if there are open VPNs, anonymous proxies, networking collated with botnets or a Tor network. We identify this and then it is taken into account in the overall risk score that we offer with our deep learning system.
Susan Stover, VP of Digital Content, Mobile ID World: buguroo’s technology offers a frictionless customer experience. Biometrics and UX design is a really hot topic in our industry right now and it was actually the topic of the panel that I moderated at Money20/20 this year and it sparked a lively discussion. What is the end user experience of bugFraud and why is it important to strive for a frictionless end user experience?
Pablo de la Riva, Founder and CEO, buguroo: That is an advantage that our technology has; it is frictionless and it doesn’t impact the experience that the user has. We make all the calculations for creating the user profiles remotely. That means that the size of our SDK is 70kb and the JavaScript that we use to protect the web environments is also minimal; it is only a couple of lines. The user doesn’t experience anything differently; their laptop will not get slower, there will be no lag with the bank application or the mobile app. There are a lot of variables that we need to take into account to create a profile, but all the calculations with which we are creating those deep learning profiles are being created and trained continuously in the cloud environment.
So, all the computations, all the necessities, all the capabilities that are needed to train those systems are outside of the user experience. At the same time the decisions are made so quickly that before the money is withdrawn, we can alert the bank that we know that session is going to be fraudulent when they try to move the money.
It is one area that has a brilliant future. Right now, we are focusing mainly on banks because banks know that there is a problem with fraud; they have teams that are prepared and they already have budgets to tackle the problem. But in the future, this technology could go much further, being used to identify criminal activity such as assassins, or even terrorism. This is because we can create good quality profiles of the criminals even with just the information on how they move the mouse or how they use the keyboard.
Susan Stover, VP of Digital Content, Mobile ID World: I think there are so many use cases that would be applicable to this kind of technology so it is really exciting to see how buguroo is investigating that.
The idea of frictionless behavior-based identity centric security technology once kind of felt like science fiction, but how are your discussions with customers changing as everyone with a mobile device is becoming more familiar with AI, biometrics, and deep learning concepts?
Pablo de la Riva, Founder and CEO, buguroo: Years ago, as you mentioned, it was like science fiction and everyone thought it wasn’t possible. We have a demo environment everybody can try and they are so impressed when they see the differences between humans using the same device in the same environment using the same passwords and doing the same activities in theory, and that the system discovers pretty easily if it is the real user or a fraudster.
So, once they try the technology and once they witness the proof of its competency, they see that there is definitely something new in the market and that it is really possible today to work with artificial intelligence models that are so precise that we can be sure about whether the user is the owner of the account or if it is a third party.
Susan Stover, VP of Digital Content, Mobile ID World: Seeing is believing! FindBiometrics has been working in the industry for 20 years and we are seeing the time for critical education is really important to explain how this is working and how it affects people’s lives.
Pablo de la Riva, Founder and CEO, buguroo: In the beginning, I was explaining the reasons why we’re unique and the most basic example is to do with when you move the mouse. Our movements are different to a machine’s because a machine, when moving from point A to point B, will move in a perfectly straight line between the two. No human can do that because we are imperfect and we make imperfect decisions during our use of machines that employ sensors to interpret our movements. The movement of each human is predicated by their bodies. When you make a movement, you are going to make a curve and that curve is defined – at least – by the radius of your arm. That is something that can’t be modified. Also, there is a big difference between each person with regards to the strength of their hands, how they move the mouse faster or slower, how they stop the mouse and so on.
When I started to explain this, people didn’t believe me. But then when they understand the concepts and they see it in action, the combination of both makes it believable.
Susan Stover, VP of Digital Content, Mobile ID World: In 2019 it seems you have had a very good year, what can we expect next from buguroo?
Pablo de la Riva, Founder and CEO, buguroo: In the short term, we are going to expand our activities to different regions. We focused on Latin America initially because of proximity and language. It was easier to promote our products there because there is no language barrier. Now we know that we are ready to target elsewhere because we have good references from there and Europe.
We are starting to expand into Europe, and we have one employee who started in London a quarter ago, and another who will be starting in January. We are also starting to have some activity in the US, and that is something we think we will accelerate over the next year and I will probably move out there.
From our perspective, what we are launching is what makes us unique and we still want to invest a lot of resources to improve our technology. We don’t want to simply identify that there has been a fraudulent transaction, because what we want to achieve is identifying the people behind those transactions. Let’s say 1,000 fraudulent transactions are identified in a month. Behind those 1,000 transactions there might be twelve people and we want to be able to say: these are the twelve fraudsters. Otherwise, if we continue improving our techniques and making it more difficult for the fraudster but we don’t actually identify the fraudster, we will only ever be at most as fast as the fraudsters. They are evolving their techniques and each time they evolve it will get harder to learn which techniques they are using and they will still be out there. And each time they will be more motivated, as their business is profitable.
So, in our opinion, the next evolution in this space is to be able to identify commonalities between the fraudulent transactions and to pair them with similar movements in other accounts that were created, let’s say, a few months before, but have since been dormant. These inactive accounts were likely created by fraudsters in order to understand how the banks work. Ideally, we would like to use this information to identify the people who create these accounts and then get access through third parties to attack and steal money. In anticipation of this evolution of the market, we have already incorporated this capability to identify fraudsters into our solution. This is the service we call Fraudster Hunter.
Susan Stover, VP of Digital Content, Mobile ID World: That seems like such a critical step and where our industry definitely needs to be going. We are really looking forward to profiling buguroo and seeing what is next. Thanks so much for joining me today.