There’s a push towards a less-cash, digital economy. While that’s great for making transactions faster, security remains a big concern. Fraudsters are coming in through malware and SIM swaps, exploiting loopholes in the systems to siphon off everything from money to vital information for individuals, governments and countries. New York-based Boloro Global claims it has the tech to tackle the problem.
Karl Peter Kilb III, CEO, Boloro Global, says, “Everybody is trying to figure out how to move to a digital economy, but the word that has to be at the center of this effort is ‘security’. If you do not have a secure authentication platform, a digital economy doesn’t work.” Boloro’s solution creates a parallel channel which bypasses the Internet and the Operating System, allowing users to complete transactions ‘securely’. In an interview, Kilb discusses the technology and more. Edited excerpts:
When it comes to digital transactions security is a big concern. How do you make users confident that they can participate in the digital economy while minimising or eliminating risks?
Think about what we have already been doing for decades at the bank ATM. Only you have your physical bank card and only you have memorised the PIN. Even if you have dropped your bank card on the street, nobody will know your PIN (Personal Identification Number).
In our case, only you have your physical phone and even if somebody had your phone or a hacker got into your Gmail or malware got into your Operating System, the message that is sent to validate your transaction with Boloro’s system doesn’t touch the Internet or your Operating System. Boloro’s authentication is on top of the phone, using network-initiated USSD or the push-USSD channel, which is a secure signalling channel that every operator on the planet has.
We work closely with operators. We are already live with BSNL (Bharat Sanchar Nigam Limited) in India. We are working with operators in other parts of the world, like in Africa.
Boloro’s authentication solution is like another lock. Even if all else fails – hacker got in, malware, biometric is around on the street – you have a safety guard – that last layer of security – your physical phone and your memorised PIN. We allow the licensee to host and control the entire platform. If the government wants to host the solution, we give the government the APIs, we work with them, they host it on their own servers, behind their own firewalls. With Boloro, we give you the solution – you host it, you control it and you brand it.
BSNL is your first customer in India?
BSNL was the first operator in India providing us with connectivity to service customers. We host the platform with Amazon Web Services in India. Boloro can be used to service any customer on BSNL and customers of banks or government who are using a BSNL phone. We are trying to get other operators on board.
You can create your own PIN with an alpha-numeric code. Nobody has access to the channel except the mobile network operator. All the ways in which the fraudster tries to commit fraud come back to the Operating System and the Internet, and we avoid that. A government, bank or any other institution that installs Boloro has real time view into what is happening, providing transparency that protects customers.
Who are the founders and investors of Boloro?
Boloro started in 2009. It took a number of years to build the technology and then to create a pan-global patent portfolio and to perfect the technology. We licenced the authentication solution on a white-label basis for local hosting to anyone who wants it.
Boloro is a private US company. We did have private funding rounds, but at this point we are generating enough revenue where we are cash-flow positive as of this quarter. We are not actively seeking funding, but if somebody came along with a strategic investment, we would be willing to listen to them.
As we are accelerating into the digital era, security risks are also multiplying. Does Boloro address those risks?
To truly secure something you need point to point security. In Boloro’s case, you are using the secure signalling layer of the mobile phone, and that’s point to point connectivity. Fraud by hacking and malware is via the Internet on the Operating System (OS). Boloro avoids those. If you have to travel on the Internet and the OS because that’s where the transactions occur, you should have another road for authentication away from this and the one thing that we all leave the house with is our physical mobile phone.
In a digital world, if you have your physical phone and you memorise your PIN, you are good to go. We can have a lot of use cases here. For example, people have asked us to help with ATM systems in places where there are ATM skimming problems, wherein, at the ATM window, you can enter the PIN in your phone instead of in the machine.
What are the things you look at while designing solutions?
There are two fundamental questions: “Who are you?” That’s everything about you – your face, your fingers, your voice – your personal biometric data. But, to us, you don’t need to use that very personal data for every transaction, the real question we ask is – “Is that really you?”
So, when you set up your account, we know you exist, we know what you look like, we may have your fingerprint and all of those things, but a fraudster can also have those things or a fraudster can get access to your phone through malware or something else and they can become you. So, how do we make sure that it really is you? Through your physical phone and your memorized PIN and layering on top of it all, your data is hosted in your own country and it could be immediately rolled out because all you need is mobile network operator involvement.
You are splitting the activity to two devices instead of one…
It’s two channels on one device – the phone.
So be it the ATM, phone or the laptop, desktop…
It could be multiple devices, for instance, if you are sitting at your laptop and doing online banking but on a separate non-online channel on a separate device, you will get your authentication. It could be multiple channels and multiple devices.
But if I am using it on the app on my phone itself and the PIN is also in my phone…
The PIN does not touch the operating system, the layer is on top of it, it only touches the firmware of the phone, so even if it’s one device, it is two channels on one device and they never intercept.
AI, Machine Learning, IoT are increasingly being used by companies. Fraudsters are also using them.
Fraudsters are getting very good at using all those things, so what’s happening is the fraudsters are becoming sophisticated enough to decrypt supposedly encrypted data by running enough potential logins and passwords to figure it out.
You may be constantly coming up with bigger and better locks, but if it is the same kind of lock, over the Internet and Operating System, the fraudster already has the key to it and they are getting in through those doors no matter how many bits the encryption is.