Getting Smart About SPIT

Right up front I’m going to confess to a bias.

I’ve been following security startup Bharosa for a couple of years. The three-year-old company makes its home in my hometown, Santa Clara, CA. It used to have its office right next door to the community newspaper, The Santa Clara Weekly, where I do my non-technology writing.

The guys at Bharosa are nice guys — the name means “trust” in Hindi. They spent a lot of time showing me how their software worked and explaining it in terms that make sense to the most tech-averse person. To test it they invited the technology-skeptical publisher of the Weekly to try it out. And they always give me a heads up on news.

Like I said, I’m a fan.

So when I read recently that small businesses have big reservations about the security of VoIP, and that SPIT (Spam over Internet telephony) is one of the Internet’s most-searched terms at the moment, I called Jon Fisher, Bharosa’s CEO, to chat about it.

Bharosa has gained a significant following by protecting online transactions with Web-based software that uses images to scramble and encode information entered through a website.

Because the software runs on the server, not the site visitor’s PC, online businesses can ensure transaction security without relying on software or equipment on the customer’s end. In most cases the end user is unaware of it.

Because the information is scrambled differently every time and only the server has the key to deciphering it, fraudsters are blocked in their attempts to collect sensitive account information. The beauty of the Bharosa approach is that even if fraudsters intercept the transaction with keylogging spyware, the data they collect is unusable.

“The way to systematically protect against scammers,” Fisher says, “is with an additional piece of information required to authorize the transaction — information that doesn’t exist in discernable form to be used for fraud.”

Now Bharosa is turning its attention to security for transactions that originate on a phone.

“In the last five years, with malware, phishing, pharming, the Internet became completely vulnerable,” Fisher says. “All attacks that can happen to passwords can be transferred to other markets.”

Just as mail servers can be turned into spam zombies, servers running a phone system can be turned into SPIT zombies. And the potential target is huge.

“There are more than a billion cell phones in use,” Fisher continues. “The more people are doing business over the phone, the greater the security risk.”

In other words, convergence is not always a good thing. The brave new world of mobile applications opens up a whole new constellation of opportunities for fraudsters. And Bharosa aims to be out in front of the bad guys here as well.

The company has carried over its encryption model to the phone. Instead of using images, the software uses pre-recorded sounds to authorize transactions.

Why not voice recognition? Factors as varied as poor sound quality and having a cold can interfere with the transaction, Fisher explains. Plus, there are logistical problems.

To use voice authentication, each user has to be recorded. If you have a million customers, all of them have to record their voices before they can do a transaction.

With Bharosa’s method, organizations can simply pre-package tones and distribute them to customers instantly. It doesn’t matter if you have ten users or ten million.

It’s all part of Bharosa’s creative approach.

“We want to solve problems in innovative ways,” Fisher says. “We want to be a nimble company that attracts the best customers.”

So far Bharosa seems to be succeeding. The company’s software is getting thumbs up from some heavy hitters including the U.S. Air Force, UCSF Medical Center and Wells Fargo bank. The company recently signed partnership agreements with Oracle and Microsoft. Fisher estimates that about 20 million people worldwide are currently using Bharosa’s security software.

“The fraudsters are getting more sophisticated every day,” he notes, “so it’s critical that security solutions are more flexible and adaptive in order to always be a few steps ahead of the threats.”