Graeme Speak, the CEO and Founder of BankVault.com, discusses the evolution of their technology and business focus, as well as how it addresses security threats in ways that other solutions don’t and can’t. He also shares his top five security threats and predictions for the future of online security.
Please tell me a little bit about yourself and your background.
I studied physics, chemistry and computer science then founded my first company almost straight out of university. Central Data Systems pioneered Application Service Providers (ASPs) which is what the industry now calls “cloud computing.” In 2005, I spun off the IP (Intellectual Property) into a separate company to narrow our focus. We launched GoPC.net as a new concept technology and were first to market delivering Linux desktops with open source applications via the Internet. It emulated a Microsoft desktop/server network with zero license costs. I moved to Silicon Valley and scaled it to 16,000 users. In 2013, the burden of continual upgrades was going to be the death of us so we did something revolutionary – redesigning the system so it would build completely new virtual machines from scratch on every login. It meant there were no more upgrades, no maintenance, no technical support, and no rollout of new systems. It was future-proof and in theory should reduce ongoing IT costs in any enterprise by 90%. Seeing the potential, we started developing ways to compress the build time reducing 20 minutes down to 4 minutes and today it rests at 2 seconds. It was a new type of cloud platform technology that we called “Rainmaker” and we filed our first patent application. It also got recognized by Rackspace’s CTO, was profiled by Robert Scoble for his video series in Silicon Valley, and Stanford University was looking at a pilot project for 15,000 staff members. Rainmaker is now the secret ingredient that makes BankVault’s cyber products so unique. It came out of left field as a pivot applying the same technology to solve a different problem. The irony was that the first device was sitting on a desk under our noses for 2 years but we could not see any use for it. BankVault ensures that the endpoint device someone is using is secure, anonymous and untraceable from hackers.
By using a technique now called remote isolation, it can be used to conduct secure online transactions such as banking or used to thwart the myriad of new cyber-attacks.
Before discussing the specifics of your product, I would like to understand its positioning. Why are you selling a security product specifically for banking, instead of a general-purpose security product?
Our starting point was to keep a very tight focus on one excruciating pain point – to stop bank account hacking. Once we nailed that, we started to broaden our offering to address other endpoint issues. We then segmented the technology into two different products:
- BankVault is a business grade product that prevents bank account takeovers. It has potential applications from Blockchain to Homeland Security.
- SafeWindow is a consumer/small business product and includes an “invisible keyboard.”
We have found that it is best to hook customers on a single clear issue and then once they understand how it secures something as important as a banking transaction they can see other applications for it.
99.99% of cyber-attacks by volume target the user’s endpoint: PC/Macs and smartphones. No party can ever guarantee the integrity of all possible combinations of software modules, applications, browsers, plug-ins and live internet connections on a device. By contrast, BankVault/SafeWindow sidesteps every attack vector we know of and can guarantee the integrity of the entire technology stack.
What exactly does the BankVault product do?
BankVault bypasses any malware or endpoint hack on the local device. It provides a secure isolated environment from which to conduct online transactions or communications. It does this by creating invisible endpoints that sidestep malware laid down by hackers and provides immunity from malware/ransomware by isolating the execution to a remote machine. Customers use it to secure online banking, share portfolio trading or inspecting potentially hazardous websites, emails or shared online folders. 99% of the technology is cloud based and delivered as a software-service. The user’s remote virtual machine is locked to a specific physical device ensuring their session cannot be hijacked. It effectively delivers a secure endpoint via the cloud, which bypasses all known attack vectors, even BIOS (Basic Input/Output System) firmware hacks. It also has interesting broader applications. For example, a Blockchain user loses everything if a hacker steals their personal key. BankVault has a patented method of combining a hardware wallet and secure endpoint into one system to provide secure transactions and keep the personal key safe. To give a simple analogy of BankVault, it is equivalent to buying a brand new computer for every transaction and then discarding it after use. It is a factory-reset where the system architecture upgrades each login to the latest supported version of every software component. BankVault is invisible to hackers and addresses the issues:
- Key-loggers
- Spyware
- Man-in-the-Browser
- Man-in-the-Middle
- Ransomware, Viruses and Trojans
- BIOS/Firmware hacks
- WebGL Shader processes hiding in the GPU
- It disrupts some elements of social engineering
- It secures passwords, credit card numbers, and other critical data from endpoint hackers.
- It is safe to use with public Wi-Fi networks
- It supports documents such as Word, Excel, PowerPoint, PDF, image files.
- It can safely download, transfer, and print files
How does it do that?
The system uses 3-Factor Authentication to identify a user logging in from a specific device. Once authenticated, a pristine new machine is built at a random Internet address and paired to the local physical device within 2 seconds. The thin client architecture displays a computer desktop over an encrypted connection. The desktop includes applications for browsing and opening PDFs, Word, Excel, PowerPoint and Image files. When the user is finished, the entire environment evaporates without trace. On the next login, a completely new machine is built from scratch with no history. BankVault delivers the entire technology stack to a remote user and can therefore ensure the integrity of the total system.
You now also offer a lower cost software-only solution – correct?
The original BankVault product uses a physical USB device. It takes over the laptop entirely and whilst it is a bullet-proof architecture, it is not convenient for everyone. In fact, we normally bundle it with a dedicated laptop for businesses so it becomes the banking device.
The new product we have just launched, called SafeWindow, is a pure software service for use by consumers and small business. A software app on the PC/Mac launches a remote machine that appears on screen as a safe window and provides almost all the same benefits as BankVault. This is much easier to use and is available at a much lower cost. Savvy users will understand right away that they are still using their local keyboard and local operating system and are therefore still susceptible to a local key-logger attack. To address that issue, we created two solutions:
The first was a virtual keyboard delivered as an image from the SafeWindow virtual machine. Clicking the mouse in the remote machine bypasses characters being intercepted by a local key-logger. However, software that takes a screen snapshot on every mouse click can easily reveal the position of the mouse and thus each character of a password. The real innovation is the “Invisible keyboard,” which was the subject of our 4th patent application. This runs from a separate device such as a mobile phone/tablet and bypasses the local PC/Mac completely. It goes deeper because the keyboard in the mobile is just an A secret handshake exchanged with the remote machine establishes an encrypted connection so that only the remote machine that it is paired with can now interpret a user’s actions on the phone. No character ever exists in the mobile and there is no feedback mechanism other than a vibration so it is invisible to the operating system. When a user enters characters into a password field, they appear as asterisks on the local PC/Mac. The user can connect multiple devices in parallel to further scramble input so the complete sequence is never entered through one device.
What are the main differences/tradeoffs between the BankVault Business product and the SafeWindow / Safekeyboard product?
SafeWindow is convenient and simple to download and use. The invisible keyboard is available on both Android/iPhone and takes just one click to connect. BankVault is a premium business solution where it controls the entire environment including the local device. The virtual keyboard thwarts BIOS/firmware hacks and so this is a solution a bank or insurance underwriter can build a guarantee around, mitigating risk and differentiating their products to win new business. For example, a bank might offer a sub-24 hour reimbursement if hacked, knowing of course that it is unlikely that the customer’s account was hacked using BankVault. We are currently exploring the application of BankVault as a combined Blockchain hardware wallet and secure endpoint, to protect the Blockchain private key during use.
Why is using a VPN (Virtual Private Network) not good enough?
VPN security is a myth and it is naïve for anyone to think that it will protect him or her from hackers. People are still downloading email attachments, browsing the web, and running system updates. We blindly trust third parties and all the evidence shows that this is where ransomware, key-loggers etc. come from. Today, just opening a website executes code that can introduce a man-in-the-browser infection. You will never know and a VPN cannot stop any of these attacks.
Does your software provide other types of malware or attack protection?
Ransomware is headline news because it dramatically takes down businesses’ IT networks. However, Symantec reported 2.5x more financial malware in circulation than ransomware. This is far more insidious and can go completely undetected. The most sophisticated threats today are non-malware or file-less attacks, which use system browsers and automated updates to infect systems. Gartner says browser-based attacks are now the primary attack vector on users. They also list “remote browsing” in the top cyber technologies for 2017 and predict 50% of enterprise adoption by 2021. BankVault and SafeWindow provide browser and desktop isolation. The industry is no longer able to prevent attacks, but BankVault/SafeWindow isolates the user in a safe environment for secure transactions. Potential threats are contained in a disposable machine.
How do you define your market? Who is your specific target audience within that market?
BankVault targets SMBs. SafeWindow targets professionals/consumers. Our path to market is ideally through institutional channel partners. We initially launched BankVault to protect businesses managing trust bank accounts: real estate agents, property escrow agents, insurance brokers and lawyers. We now support a wide array of small and medium size business customers. Preventing bank account takeovers is a critical risk factor for all businesses. Banks may reimburse costs, but the delay is what cripples cash flow and destroys a business. SafeWindow is for consumers and professionals. It is a simpler product with a lower cost.
How would you describe your current typical customer? What is the percentage breakdown in revenues between the business version and SmartWindow?
Our business is evolving rapidly so the horizon keeps changing. Our original focus was to validate that SMBs would actually buy our product. The first year of business was spent acquiring support from business associations and selling BankVault to their members. That worked well and we have now changed gears looking for banks and an insurance underwriter to undertake a pilot project. This year we launched SafeWindow and we now target the much larger professional/consumer market. We expect the big volume of customers to come from professional/consumers but we are also preparing to release an enterprise version of BankVault in the next few months, so we are now exploring government opportunities in the USA and Australia.
You sell both directly from your web site and through resellers?
BankVault is sold directly unless there is a local channel partner in the country. In Australia, it is available through IT service providers listed on the website. SafeWindow is available directly from the BankVault.com website. We have just signed our first institutional channel partner, a global identity management and credit reporting agency. They will promote and sell SafeWindow to their customer base and test a broader proposition beyond just safe banking. Our go-to-market strategy is to sell via trusted institutional partners. Having now signed our first institutional partner, we are looking to hasten discussions to select a pilot in banking, insurance, cloud accounting, and government.
How do you see your tools as different than and/or better than existing security products?
BankVault’s approach is unique, since it came to the problem from the opposite direction of the rest of the industry. We know it is impossible for anyone to harden or guarantee every user’s PC/Mac and smartphone with so many different combinations of software packages. However, BankVault is based on a very simple principle - build a pristine endpoint each time for temporary use. It is obvious how it works and so people understand it. In 2016 Gartner highlighted an emerging use of “remote browsing” by enterprises. The products we have examined require users to “trust” a man-in-the-middle third party in what should be a simple point-to-point connection. Those enterprise products have weakened their security model in exchange for high performance. BankVault/SafeWindow allows the user to run a secure point-to-point connection with a remote website without forcing a third-party man-in-the-middle to break trust.
What do you see as the top threats to banking and other applications containing critical and confidential information?
My shortlist of the most critical threats are:
How do you see computer security in general, and banking security in particular, progressing in the next five years?
The cyber problem today costs the global economy $500 Billion and is growing exponentially to $2 Trillion by 2019. This is focused on 1st world countries where 95% of businesses and 70% of the economy is in SMEs. From the banks’ point of view, the problem is always the customer’s PC/Mac or smartphone. Europe and Australia are implementing instant payment processing between banks, which removes any opportunity to claw back a transaction from a cyber heist. We are talking with local banks about bundling BankVault or SafeWindow for customers. It allows the bank to deliver a temporary secure endpoint to conduct a banking transaction securely by using but completely sidestepping everything on the user’s existing device. Artificial Intelligence (AI) and quantum computing are the big unknowns. AI is now used to detect fraud and hacking attempts, but I can see this also being used to automate rapid comprehensive cyber-attacks.
What are your future plans for BankVault?
I know our technology is sound and we have now validated that it has a real place in the cyber landscape. For us, it is now a question of how we can quickly communicate with the market. We realized that the only way to get scale quickly is to partner with institutions and leverage their brand and customer base. BankVault is my passion and life’s work. The team is dedicated to ensuring our technology is accessible to help people and businesses around the world protect themselves. We are currently raising another round of investment to support further expansion through institutional partners.
How many employees do you have today? Where are they located?
We are a technology innovation team and intend to remain small and foster growth through appointing institutional channel partners. The team comprises 15 people split between Perth and Sydney, Australia, and a corporate development team in San Francisco, USA.
You have been involved in the Australian startup community for many years. How would you describe it?
I travel a lot and so really do notice the changes over time. In 2010, when I first returned from Silicon Valley to Australia, it felt embryonic. However, it has matured exponentially since then. Today, 40% of the Australian tech ecosystem is based in Sydney and is fueled by big success stories such as Atlassian. However, there have been some huge successes out of Perth and the one I’ll highlight is Canva, which was created by a couple of friends 4 years ago and last valued at $400m. Many success cases demonstrate that Australia is a crucible of real talent that is bursting to break out. I am really excited to be part of that. On a personal level, I love helping and contributing to others whether that is to inspire or to guide. I saw in myself, that often just an ounce of encouragement is all it took to change my world to Technicolor. That is often all that an entrepreneur requires - then get out of the way to watch what they create next. I have also found the reward for a success is that it supercharges me as well.
How many hours a day do you normally work? What do you like to do when you are not working?
I might look like a workaholic but I am not. It is not work. It is my life. When I have a clear vision and know that I am right, that is enough to push me out beyond my comfort zone. To answer your question, I would say that I am on point 18 hours a day. When I am not in the office, I am kite surfing and I love downwind runs along the beach line riding waves. It terrifies me. I am scared of the cold, the waves, the wind and the sharks. However, that is where living happens – beyond the edge of comfort, where you are constantly creating.