The mouse trap

Howard Edelstein Photo; Shlomi Yosef
Howard Edelstein Photo; Shlomi Yosef

Israeli company BioCatch helps international banks to prevent fraud and catch criminals by tracking keystrokes and mouse movements.

A few minutes before the beginning of the interview with Howard Edelstein, chairperson and CEO of Israeli company BioCatch, one of the pioneers in financial technology, it turns out that he is almost completely fluent in Hebrew. He immediately objects, saying that he has a hard time understanding things that he wrote in Hebrew himself two decades ago, but it is clear that he knows how to spell a lot more than "I love Israel." Edelstein is the son of Holocaust survivors from Poland who settled in the Bronx. His father engaged in commerce, not always successfully, and at age 14, young Howard went to work in a delicatessen. He learned Hebrew at Sunday school and completed a BSc in electrical engineering at New York University and an MSc in engineering at Stanford University.

"I have a hobby: for 20 years, I've been occasionally bringing delegations to Israel," he says, using the Hebrew word for delegations. "Deals come out of these visits, there's more patience, and especially more knowledge. Just 10 months ago, I was here with 25 senior executives, most of whom weren't Jewish and had never been here before. We saw companies, but we also learned about the history and became acquainted with the culture. When they left, their perspective was different. There's an expression that always repeats itself in these visits: 'It's complicated.' It really is complicated, very different from the US and the UK, which are surrounded by oceans and democratic neighbors."

This involvement is not confined to executive tours. Edelstein and his wife, Lisa, support the IVN fund, which invests in social business ventures in Israel and aids the Simon Wiesenthal center organize donation events. Educational activity also takes place in the framework of the Generations Against Genocide organization, of which Lisa was one of the founders. The organization's goal is to educate young people to become actively involved against harming helpless minorities. "I come from a family of Holocaust survivors, and the only thing they taught me in school was that intolerance must not be accepted," Edelstein explains when asked about his activism. "History teaches us that intolerance never has a good ending.

BioCatch, founded in 2011, has developed a product for verifying identities through behavioral biometrics. To put it in plain language, it identifies and documents hundreds of individual nuances of each person, such as how he moves the mouse, and holds the telephone or keyboard. These particulars are cross-checked with other suspicious behavioral data in order to detect break-ins to bank accounts, opening forged bank accounts, theft of tax refunds by impersonation of entitled parties, etc. Instead of relying on complicated passwords, questions like "What was your mother's maiden name?," and other difficult methods that are not always effective in order to prevent fraud, BioCatch tries to understand what really happens when somebody enters an account.

As of now, the company serves about 10 large financial clients, including Royal Bank of Scotland and American Express, serving 50 million customers. Last month, BioCatch announced a $30 million financing round, after having previously raised $12 million.

Science fiction-like technology

The recruitment of Edelstein to BioCatch, a company with only 65 employees, is no trivial matter, considering his status in the financial technology industry. At the beginning of his career, after getting his degree from Stanford, he joined a research group in Ford Motor Company that developed processors and voice identification. In the early 1980s, he worked at Israeli company Telrad Networks, where he developed a standard based on a touch screen for stock exchange trading. He then became senior VP marketing at Telerate, a Dow Jones index company; founded ESG under the auspices of Thomson Financial, the business division that developed technology for connecting investors to brokers; served as CEO of Radianz, which is now the online financial services division of BT; and is still chairperson of AcadiaSoft, a risk management venture in which 13 leading banks are participating, including Merrill Lynch, Goldman Sachs, Berkey's Bank, Deutsche Bank, and Credit Suisse. He was one of the first supporters of direct electronic processing of securities and one of the first to adopt the electronic method for approval of trading in the US.

What brings a man like this to the small Israeli company founded by CT and VP business development Avi Turgeman and the late Benny Rosenbaum, later joined by chief cyber officer Uri Rivner? "My involvement began as a friend of Avi in the US, and they slowly drew me in," he remembers. "It's addicting. First I came as a consultant, and then as an investor and member of the board. Three years ago, this technology seemed like science fiction; now it's science."

He uses an anecdote in order to highlight the point: "Willy Sutton was a well-known bank robber, who is now remembered more for what he said than for what he did. He was addicted to bank robbing and was in and out of jail. They asked him why he went on robbing banks, and he answered, 'Because that's where the money is, stupid.' That's that point. It's hard for a small company like us to get to the banks, but once we're inside, the feedback is amazing."

Edelstein has been chairperson of BioCatch since 2015 and was appointed CEO two months ago in order to enlarge the company's customer base and accelerate its growth, among other things through the recent financing round. Today, the company has 65 employees, mostly in its development center in Tel Aviv, with a few in Boston and London. This number, however, is projected to double over the coming year.

"The digital identity has been broken; it can't be trusted," says Rivner. "All of the information of the credit rating agencies has been broken into. The number of personal information items that have been broken into in recent years is nine billion. The information about more than half of the population of the US is in the wrong hands: where they live, bank accounts particulars, every possible thing. Passwords and bank accounts particulars are the easy part. The quantity of US Social Security numbers (the US equivalent of an identity card number) in the hands of criminals is in the hundreds of millions, and the number of fraud cases based on this information is doubling every year."

According to Rivner, obtaining forged credit cards is the simplest and most common fraud. Once a card is approved on the basis of forged particulars, an average of $3,000 can be withdrawn with it, and the fraudulent owner can vanish. There are two main channels for opening fraudulent bank accounts: moving money from another account that a hacker has already broken into, withdrawing it, and disappearing is one. The other is opening many forged accounts in order to launder large sums of money. "Today, if you want to open a forged bank account," Edelstein says, "it will cost you a dollar to purchase a person's particulars: credit particulars, driving license number, recent hotel reservations, and the name of his or her dog. No use has yet been made of half of the nine billion personal information items stolen. It takes criminals time to get command of the quantities of information that have been stolen from Equifax, for example, but it will become faster.

"The identity of people opening accounts is currently the biggest fraud problem, because financial institutions don't know for what they will be used. It could be for money laundering or buying nuclear weapons from North Korea. When someone opens an account in your name and deposits money in it, the banks is not disturbed, and you in effect become an unwitting collaborator with criminals, like the people smuggling drugs across the border without being aware of it."

And then the crook rolled with the mouse

Rivner then proceeds to use an iPad to illustrate how BioCatch wants to deal with this problem. He asks me to move the iPad in each direction, and to pull it several times along an imaginary line on the screen. Then he displays graphs documenting the movements I made in comparison with other people performing exactly the same actions, and the differences are clear. For example, in drawing a line between two points, which it turns out moved easily without my being aware of it, I made corrections towards the end that differed from those made by others. The appearance of the line also differs from one person to another - something straight and sometimes wavering slightly, and the force of the pressure on the screen is also different.

Rivner" "What we're doing is understanding your normal behavior and the way you think when you use various devices in order to enter various accounts. In opening an account, when we have no history to rely on, we look at the behavior typical of the bad people, for example, if there are halts when they are feeding in ID or Social Security numbers because the information isn't in their long-term memories. Another sign is keyboard shortcuts that criminals use and other people don't. "For example, only 1.3% of people know the shift plus tab shortcut that puts you back on a form to correct an error in one of the fields. This is something that many swindlers use; it is an indication to be on the alert." "There are hundreds of such example," Edelstein adds.

"Globes": So you have a database with behavioral information about 50 million customers of the banks you serve. What about a behavioral database of criminals?

Rivner: "We don't talk about it, but you get the idea. There are actually two questions here: whether this is a legitimate user of an account, and whether the behavior is negative or positive. The user may not be malicious, even if he or she is unknown to us, for example, a partner in an account entering it for the first time. The combination of the answers to the two questions therefore yields very accurate results."

At this point, Rivner gives two examples of fraud prevented by the company. "We had a case with a UK bank. Someone gets a telephone call from a cable company telling her that she has been late in paying a £60 bill, and she pays it. Five minutes later, she gets what purports to be a call from the bank telling her that it was a fraud, and because the swindlers got her credit card number, the 'bank' will give her a new account to which she will transfer all of her money. They tell her, 'Since you can't do it all at once, divide it up into several transfers. In a 45-minute telephone call, they persuaded her to transfer her money. Ostensibly, since the person who made the transfers is a real person authorized to use the account, it seems all right. Because the call was so long, however, and she got bored during it, she spent quite a few minutes drawing circles on the screen with the mouse. That was the stage at which we halted her transactions in the account. People don't enter their accounts in order to play."

You would expect the fact that all the money was being sent to a different destination to arouse suspicion.

"It's true that the bank would probably have halted the transfer of all of the money at some point, but many people transfer large sums of money. There are transfers of millions of dollars, and even tens of millions of dollars, at commercial banks in a single transaction. We once saw a transfer that came from an authorized device in the usual location of something like $2 million. It all seemed proper, but our system noticed that while the usual user scrolls the page using the roll bar, the party making this transaction scrolled the page using the mouse scroll wheel. The transaction was halted.

Published by Globes [online], Israel business news - www.globes-online.com - on April 29, 2018

© Copyright of Globes Publisher Itonut (1983) Ltd. 2018

Howard Edelstein Photo; Shlomi Yosef
Howard Edelstein Photo; Shlomi Yosef
Twitter Facebook Linkedin RSS Newsletters גלובס Israel Business Conference 2018