Thursday, January 22, 2015

Security for Startups: A 10-Step Affordable Plan to Survival in Cyberspace

This post originally appeared in TechCrunch.

In the past two years, cyberspace has clearly changed in ways that threaten every online business, big or small. Startups now use the cloud infrastructure that mature companies do, and quickly aggregate large, juicy caches of private user data and payment credentials. As malware infestations scale to scour the “long tail” of targets, they don’t discriminate between the Fortune 50 and the TechCrunch 50.
In fact, some increasingly common attacks — like DDoS extortion — specifically target smaller, more vulnerable businesses, whose loose cowboy cultures, shallow security expertise, fragile infrastructure and fresh capital make for easy pickings.
Jeremy Grant at NIST reports “a relatively sharp increase in hackers and adversaries targeting small businesses.” According to a recent survey, 20 percent of small businesses in Canada reported cyber losses last year. Who knows how many more fell victim and just don’t know it?
“Startups are incredibly vulnerable to cyber attacks in their first 18 months. If a business thinks that it’s too small to matter to cybercriminals, then it’s fooling itself with a false sense of security.” – Brian Burch, Symantec (CNN)

For many attacks—API disruption, marketplace fraud, IP theft—the smaller the target, the greater the damage. Startups often lose a year or more when targeted by identity thieves, nation-states, hacktivists, competitors, disgruntled employees, IP thieves, fraudsters or Bitcoin miners. Evernote, Meetup, Feedly, Vimeo, BaseCamp, Shutterstock, MailChimp and Bit.ly all fell victim to extortion rackets, and Code Spaces shut down altogether. “When our API collapsed under a DDoS attack, we experienced more customer churn in that one day than we had in the entire two years since our launch,” recalled one CEO.
Stubhub, Uber, and Tinder struggle to battle fraud in their marketplaces. Uber employees themselves were caught defrauding competitor Gett. Evernote, Bit.ly, Formspring, Dropbox, Cupid Media, Zendesk, Snapchat, Clinkle, MeetMe, LastPass (a password security company!) and many others have had to tell users they lost their passwords or payment credentials to hackers. Cyber thieves stole $5 million worth of Bitcoins from Bitstamp, and destroyed Mt. Gox and Flexcoin. Hackers exposed the content and identities of Yik Yak accounts. The CEOs of HB Gary, Snapchat and many other startups have been vilified following the theft and publication of embarrassing emails. Google routinely blacklists websites for weeks due to malware. Appstudio, SendGrid, HB Gary and others have been defaced or even permanently shut down by anti-Western hacktivists for political reasons. For OnlyHonest.com, the damage appears to have been fatal.
And even if your startup beats the odds and survives its infancy without a serious incident, playing catch-up later will cost many times more in time, money, reputation and distraction as you change architectures, re-write code, move infrastructure, re-image laptops, migrate email, and replace billing systems.
But until your startup can afford a CISO, how do you protect your mission, IP, brand, assets, employees, and capital from cyber threats? For startups with limited resources and intense focus, what’s the right measured response to these threats?
To help our portfolio companies answer these questions, I surveyed Silicon Valley startups to understand their regrets and successes in mitigating cyber losses. I interviewed technical founders, Engineering VPs, CTOs and CISOs to hear what measures they wish they’d taken sooner, or in some cases, later. I also tapped security gurus like Dan Farmer (author, inventor of SATAN), Barrett Lyon (anti-DDoS warrior, hero of Fatal System Error), and Richard Clarke (author, top cyber intelligence officer in the White House and State Department).
I learned that adopting strong security practices is much easier to do when a company is young, while it still enjoys a small attack surface and a manageable number of devices to track. I was encouraged to hear that some basic, affordable practices – both technical and cultural – can mitigate the greatest risks to startups, positioning them well to develop a strong cyber posture as they grow.
So I now advise founders to download and consider these recommendations from Day One, and review the team’s progress quarterly. A secure organization starts at the top with the CEO, but demands a team effort. Whether you’re in a leadership position in finance, engineering or operations, or simply in a position to influence those who are, following this 10-step plan could potentially save your venture.

Cyber security will remain unsolved for as long as people compete for resources on a planet with digital assets. We face this challenge together, so as you read, please think about what may be missing, and share your feedback. As a VC, I share the entrepreneur’s goal – to minimize the distraction of cyber threats so each startup can focus on its mission. Keep in mind that if you want your venture to make a dent in the world, you can’t let hackers make a dent in you.

Monday, January 05, 2015

The Failure of Cyber Security and the Startups Who Will Save Us

2014 will be remembered as the year the cyber dam broke, breached by sophisticated hackers who submerged international corporations and government agencies in a flood of hurt. Apple, Yahoo, PF Changs, AT&T, Google, Walmart, Dairy Queen, UPS, eBay, Neiman Marcus, the US Department of Energy and the IRS all reported major losses of private data relating to customers, patients, taxpayers and employees. Boeing, US Transportation Command, the US Army Corps of Engineers, and US Investigations Services (which runs the FBI’s security clearance checks) reported serious breaches of national security. Prior to last year, devastating economic losses had accrued only to direct targets of cyberwarfare, such as RSA and Saudi Aramco, but in 2014, at least five companies with no military ties -- JP Morgan, Target, Sony, Kmart, and Home Depot -- incurred losses exceeding $100M from forensic expenses, investments in remediation, fines, legal fees, re-organizations, and class-action lawsuits, not to mention damaged brands.

The press has already reported on where things went wrong at each company, promoting a false sense of security based on the delusion that remediating this vulnerability or that one would have prevented the damage. This kind of forensic review works for aviation disasters, where we have mature, well understood systems and we can fix the problems we find in an airplane. But information networks are constantly changing, and adversaries constantly invent new exploits. If one doesn’t work, they simply use another, and therein lies the folly of forensics.

Only when you step back and look at 2014 more broadly can you see a pattern that points toward a systemic failure of the security infrastructure underlying corporate networks, described below. So until we see a seismic shift in how vendors and enterprises think about security, hackers will only accelerate their pace of “ownership” of corporate and government data assets.

The Sprawl of Cyberwarfare

The breaches of 2014 demonstrate how cyberwarfare has fueled the rampant spread of cyber crime.

For the past decade, the world’s three superpowers, as well as the UK, North Korea and Israel, quietly developed offensive capabilities for the purposes of espionage and military action. Destructive attacks by geopolitical adversaries have clearly been reported on private and public sector targets in the US, Iran, South Korea, North Korea, Israel, Saudi Arabia and elsewhere. While Snowden exposed the extent of cyber espionage by the US, no one doubts that other nations prowl cyberspace to a similar or greater extent.

The technical distinction of these national cyber agencies is that they developed the means to target specific data assets or systems around the world, and to work their way through complex networks, over months or years, to achieve their missions. Only a state could commit the necessary combination of resources for such a targeted attack: the technical talent to create zero-day exploits and stealthy implants; labs that duplicate the target environment (e.g. the Siemens controllers that drive the centrifuges of a nuclear enrichment facility); the field agents to conduct on-site ops (e.g. monitoring wireless communications, finding USB ports, or gaining employment); and years of patience. As a result of these investments in “military grade” cyber attacks, the best of these teams can boast a mission success rate close to 100%.

But cyber weapons are even harder to contain than conventional ones. Cyberwar victories have inspired terrorists, hacktivists and criminals to follow suit, recruiting cyber veterans and investing in the military grade approach. (Plus, some nations have started targeting companies directly.) No longer content to publish malware and wait for whatever data pop up, criminals now identify the crown jewels of businesses and target them with what we call Advanced Persistent Threats (APTs). You want credit cards? Get 56 million of them from Home Depot. You want to compromise people with the most sensitive secrets? Go straight to the FBI’s archive of security clearances. You want the design of a new aircraft? Get it from Boeing. You need data for committing online bank theft? Get it for 76 million households at JP Morgan Chase.

That’s why cyberspace exploded in 2014.

This is Not the Common Cold

But why are the crown jewels so exposed? Haven’t these companies all spent millions of dollars every year on firewalls, anti-virus software, and other security products? Don’t their IT departments have security engineers and analysts to detect and deflect these attacks?

The problem is that up until this year, corporate networks were instrumented to defend against generic malware attacks that cause minimal damage to each victim. Generic malware might redirect your search page, crash your hard drive, or install a bot to send spam or mine bitcoin. It’s not looking for your crown jewels because it doesn’t know who you are. It may worm its way to neighboring machines, but only in a singular, rudimentary way that jumps at most one or two hops. It’s automated and scalable – stealing pennies from all instead of fortunes from a few. If it compromises a few machines here and there, no big deal.

But with Advanced Persistent Threats, a human hacker directs the activity, carefully spreading the implant, so even the first point of infection can lead to devastation. These attacks are more like Ebola than the common cold, so what we today call state-of-the-art security is only slightly more effective than taking Airborne (and that’s a low bar). As long as corporate networks are porous to any infection at all, hackers can launch stealth campaigns jumping from host to host as they map the network, steal passwords, spread their agents, and exfiltrate data. Doubling down on malware filters will help, but it can never be 100% effective. All it takes is one zero-day exploit, or a single imprudent click on a malicious email, tweet or search result, for the campaign to begin. Or the attacker can simply buy a point of entry from the multitudes of hackers who already have bots running on the Internet.

Too Big Data

The dependence on malware filters is only half the problem. Ask any Chief Information Officer about his or her security infrastructure and you will hear all about the Security Operations Center in which analysts pore over alerts and log files (maybe even 24/7) identifying anomalies that may indicate security incidents. These analysts are tasked with investigating the incidents and rooting out any unauthorized activity inside the network. So even if someone can trespass the network, analysts will stop them. And indeed, thousands of security products today participate in the ecosystem by finding anomalies and generating alerts for the Security Information and Event Management (SIEM) system. Every week a new startup pops up, touting an innovative way to plow through log files, network stats, and other Big Data to identify anomalies.

But sometimes anomalies are just anomalies, and that’s why a human analyst has to investigate each alert before taking any pre-emptive action, such as locking a user out of the network or re-imaging a host. And with so many products producing so many anomalies, they are overwhelmed with too much data. They typically see a thousand incidents every day, with enough time to investigate twenty. (You can try to find more qualified analysts but only with diminishing returns, as each one sees less of the overall picture.)

That’s why, for example, when a FireEye system at Target spotted the malware used to exfiltrate 40 million credit cards, it generated an alert for the Security Operations Center in Minneapolis, and nothing happened. Similarly, a forensic review at Neiman Marcus revealed more than 60 days of uninvestigated alerts that pointed to exfiltrating malware. Sony knew they were under attack for two years leading up to their catastrophic breach, and still they couldn’t find the needles in the haystack.

And yet, the drumbeat goes on, as security vendors old and new continue to tout their abilities to find anomalies. They pile more and more alerts into the SIEM, guaranteeing that most will drop on the floor. No wonder APTs are so successful.

A Three Step Program

"Know Thy Self, Know Thy Enemy" - Sun Tzu, The Art of War

We need to adapt to this new reality, and the cyber security industry needs to enable it. Simply put, businesses need to focus their time and capital on stopping the most devastating attacks.

The first step here is to figure out what those attacks look like. What are your crown jewels? What are the worst case scenarios? Do you have patient data, credit cards, stealth fighter designs, a billion dollars in the bank, damning emails, or a critical server that, if crippled by a Distributed Denial of Service attack, would cause your customers to instantly drop you? As you prioritize the threats, identify your adversaries. Is it a foreign competitor, Anonymous, disgruntled employees, or North Korea? Every business is different, and each has a different boogeyman. The good news is that even though most CEOs have never thought about it, this first step is easy and nearly free. (Cyber experts like Good Harbor or the BVP-funded K2 Intelligence can facilitate the process.)

Second, businesses need real-time threat intelligence that relates to their unique threatscapes. Almost every security technology depends upon a blacklist that identifies malicious IP addresses, device fingerprints, host names, domains, executables or email addresses, but naturally they come with generic, one-size-fits-all data. Dozens of startups now sell specialized threat intel, such as BVP-funded Internet Identity, which allows clusters of similar companies to pool their cyber intelligence, or BVP-funded iSight Partners, whose global field force of over 100 analysts track and profile cyber adversaries and how to spot them in your network. What better way for your analysts to investigate the most important incidents, than to prioritize the ones associated with your most formidable adversaries?

"This is a global problem. We don't have a malware problem. We have an adversary problem. There are people being paid to try to get inside our systems 24/7"
- Tony Cole, FireEye VP on CNN

And finally, security analysts need fewer alerts, not more. Instead of finding more anomalies, startups would better spend their time finding ways to eliminate alerts that don’t matter, and highlighting the ones that do. They would provide the analysts with better tools for connecting the alerts into incidents and campaigns, tapping into the skills of experienced “military grade” hackers to profile the attack patterns.
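The two ideas above, prioritizing by adversary and connecting alerts into campaigns, are easy to state and easy to get wrong in a SIEM rule. The block below is an added example, not code from the original post or from any vendor named in it: it takes a constructed stream of ten alerts, joins any alerts that share a host or remote address into one campaign (union-find), and scores each campaign by the number of hosts it spans, the number of distinct kill-chain stages it shows, and whether any of its indicators are attributed to a named adversary in a threat-intel feed. All hostnames, IP addresses, adversary names and stage labels are constructed for the example.

```python
"""Alert triage: join related alerts into campaigns and rank them.

Added example, not from the original post or any vendor named in it. Alerts,
indicators, adversary names and kill-chain stage labels are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    ts: int            # minutes since midnight (constructed)
    entities: tuple    # hosts and/or remote IPs the alert ties together
    stage: str         # kill-chain stage assigned by the detecting product
    detail: str


@dataclass
class Campaign:
    alerts: list = field(default_factory=list)
    hosts: set = field(default_factory=set)
    indicators: set = field(default_factory=set)
    stages: set = field(default_factory=set)
    adversaries: set = field(default_factory=set)
    score: int = 0


# Constructed threat-intel feed: indicator -> adversary it is attributed to.
THREAT_INTEL = {
    "203.0.113.7": "APT-Example",
    "203.0.113.9": "APT-Example",
    "198.51.100.42": "Carder-Crew",
}

# Constructed alert stream: one multi-hop intrusion, one commodity infection
# and a few isolated policy alerts, in the order a SIEM would receive them.
ALERTS = [
    Alert(540, ("wks-017", "203.0.113.7"), "delivery", "macro document spawned powershell"),
    Alert(552, ("wks-017",), "credential-access", "lsass memory read"),
    Alert(575, ("wks-017", "srv-files"), "lateral", "remote service created over SMB"),
    Alert(600, ("srv-files", "srv-db"), "lateral", "remote service created over SMB"),
    Alert(610, ("wks-044", "192.0.2.88"), "delivery", "adware bundle downloaded"),
    Alert(612, ("wks-044",), "execution", "browser search page hijacked"),
    Alert(660, ("srv-db", "203.0.113.9"), "exfiltration", "2 GB sent to external host"),
    Alert(700, ("wks-102",), "policy", "USB mass storage inserted"),
    Alert(701, ("wks-103",), "policy", "USB mass storage inserted"),
    Alert(720, ("srv-mail", "198.51.100.42"), "delivery", "connection to known carder infrastructure"),
]


def is_indicator(entity):
    """IP-shaped entities are treated as external indicators, the rest as hosts."""
    try:
        ipaddress.ip_address(entity)
        return True
    except ValueError:
        return False


class DisjointSet:
    """Union-find over entities; two alerts sharing an entity land in one set."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def triage(alerts, threat_intel):
    """Group alerts into campaigns and return them best-first.

    Score = hosts touched x distinct stages seen, plus 10 per named adversary
    whose indicators appear, so a slow multi-hop intrusion with an attributed
    C2 address outranks a pile of one-off alerts."""
    ds = DisjointSet()
    for a in alerts:
        for e in a.entities[1:]:
            ds.union(a.entities[0], e)
    groups = defaultdict(Campaign)
    for a in alerts:
        c = groups[ds.find(a.entities[0])]
        c.alerts.append(a)
        c.stages.add(a.stage)
        for e in a.entities:
            (c.indicators if is_indicator(e) else c.hosts).add(e)
            if e in threat_intel:
                c.adversaries.add(threat_intel[e])
    for c in groups.values():
        c.score = len(c.hosts) * len(c.stages) + 10 * len(c.adversaries)
    return sorted(groups.values(),
                  key=lambda c: (-c.score, min(a.ts for a in c.alerts)))


if __name__ == "__main__":
    for c in triage(ALERTS, THREAT_INTEL):
        print(f"score={c.score:3d} hosts={sorted(c.hosts)} stages={sorted(c.stages)} "
              f"adversaries={sorted(c.adversaries)} alerts={len(c.alerts)}")
```

Ten alerts collapse to five campaigns, and the one that spans three hosts, four stages and an attributed address sorts to the top with a score of 22; the single alert to known carder infrastructure comes second only because of the adversary match. The weighting is a starting point, not a standard: the point is that the analyst's queue is ordered by campaign and adversary, not by whichever product fired most recently.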

Outlook

The challenge of securing data today is obviously complex, with many other pressing opportunities for improvement such as cloud security, mobile security, application security and encryption. But as cyberwar spreads to the commercial Internet, re-orienting enterprise security to focus on Advanced Persistent Threats should be the single most important initiative for businesses and vendors alike. Of course, inertia is powerful, and it may take boards of directors, CISOs, product managers, entrepreneurs, and venture capitalists another tumultuous year in cyberspace to get the message.

Friday, November 14, 2014

Disrupting the Market for Souls

Last night at dinner with a group of officers from Facebook, LinkedIn and Twitter, Oxford Professor and legendary evolutionary biologist Richard Dawkins asked me to explain why I signed up to be a Trustee of the Richard Dawkins Foundation for Reason and Science. Later I was asked to share those comments, so here they are:

From inside Silicon Valley, it may seem somehow unnecessary or obsolete to promote science. But it’s easy to forget how fortunate and enlightened we are here. The scientific method is ingrained in everything we do. Instead of A/B testing your apps to improve your conversion funnel, would you ever rely instead on prayer, ritual and miracles?

But in the world at large, and even our country, most people still do not value the proven theories of scientists, either because they themselves do not understand science, or because there is too much social and emotional pressure upon them to value faith over evidence-based beliefs.

Still, so what? Why invest my limited time and capital in a startup foundation that promotes science and secularism?

As I would for any startup investment opportunity, I naturally start my assessment by looking at the incumbents in the vibrant market for people’s souls, to see how vulnerable they are to disruption. And as I deconstruct the businesses of religion, here’s what I see:
  • The largest possible market -- 7 billion customers!
  • Awesome value proposition – immortality – that addresses the most basic human desire.
  • A recurring revenue business model.
  • A Net Promoter Score higher than Apple's, where their customers go door to door on their behalf and build schools to sell their product.
  • An impressively large and distributed field sales organization staffed by product evangelists (literally) who work for low wages.
  • Enormous government subsidies in the form of 100% tax relief, and similar government subsidies for all their customers!
  • Enormously high switching costs – customers who churn can lose their jobs, friends, even family, and in some countries their head.
The only drawback is product quality. Not only is immortality difficult to deliver, but the entire industry agrees that only one of the thousands of products on the market actually works. The good news is that customers pay prior to shipment, and there is no mechanism for rating product satisfaction.

That's a business I would want to own!

The downsides are simply economic externalities – costs that are mostly borne by others. Some are obvious, like Jihad and the oppression of gays and women. But the most dangerous externality of all is more subtle, and that’s the marginalization of science.

Broun: "Lies straight from the pit of Hell"
To keep their customers, religions convince them that faith trumps evidence, and in so doing, they undercut whatever shot we have as a species to fight disease, poverty and global warming. Medical doctors in the US are turning to prayer as treatment. 17 Americans die every day for lack of a kidney because most of us want to keep our corpses intact in order to enter Heaven. And when every other American believes that the Earth is 6,000 years old, we elect representatives who (at least pretend to) think that way -- like a President who outlawed federal funding to research new stem cell lines. Congressman Broun, a member of the House Space, Science and Technology Committee, called the Big Bang Theory and evolution “lies straight from the pit of Hell”. Representative John Shimkus rejected carbon emission regulations because God promised Noah in Genesis 8:21 that there won’t be a flood, so it's heresy to worry about rising sea levels. “Man will not destroy this Earth. God’s word is infallible, unchanging, perfect.” Senator Inhofe, the next Chairman of the Senate's environmental oversight committee, agrees with Shimkus on God's protection, and denies that Man is changing the climate.

Religions do this because science is the most formidable competitor they face. Science delivers a high quality product that works. Science has already doubled our life expectancy, and immortality is on the product road map.

The problem with science is that unlike religion, it has a terrible business model – it’s open source and free, with no premium paywall. That means science can’t afford a sales force, marketing materials, and lobbyists. Science competes against extremely well funded incumbents.

And yet, as a VC, I’ve divested myself from religion, and I’m investing my time and capital into science, and here’s why:
  1. The product is critical to our survival as a species.  That’s a strong value proposition.
  2. The internet accelerates the spread of information, providing a favorable macro trend.
  3. I look for what every VC is looking for, and that’s traction. Every survey shows a secular trend among young people today away from religion. Science can capitalize on this opening in the market.
But to pull this off, science needs:
market research, such as studies showing that atheists can be just as ethical and philanthropic as others;
marketing materials, such as science curricula for schools;
sales people, such as biologists in the Bible Belt who can be mobilized to explain to school boards why Creationism isn't science;
and customer support services that make people feel okay about expressing their honest beliefs to friends, family and co-workers (such as the Openly Secular campaign below).



The Richard Dawkins Foundation for Reason and Science is taking on these functions on behalf of science. Our balance sheet is way smaller than the competitors but if we can raise more capital, we will disrupt this industry. Join us, and you will get the best return on investment you’ve ever seen.

Monday, June 09, 2014

Dinosaurs in Space!

PCs and smartphones have pushed mainframes to the brink of extinction on Earth, and yet mainframes still thrive in space.

Most every satellite in orbit is a floating dinosaur - a bloated, one-off, expensive, often militarized, monolithic relic of the mainframe era. The opportunity for entrepreneurs today is to launch modern computer networks into space, disrupting our aging infrastructure with an Internet of microsats. 

So why has it taken so long for modern computing to reach space? Gravity. It’s hard to launch things. Governments have the money and patience to do it, as do large cable and telecom corporations. These players are slow to innovate, and large satellites have met their basic needs around science, defense, and communications, albeit at very high costs.

That’s changing:  several IT trends have come together to herald the extinction of these orbiting pterodactyls:
  • Moore’s law has reached the point where a single rocket launch can be amortized across dozens of tiny satellites, and the replacement cost is so low that we needn’t burden our missions with triple redundancies and a decade of testing
  • Global computing clouds make it easy to deploy ground stations; and
  • Advances in Big Data enable us to process the torrential flows of information we get from distributed networks

These trends have reduced the cost of a single aerospace mission from a billion dollars down to a hundred million just as the early-stage VC community amassed enough capital to undertake projects of this scope. And now that a handful of venture-backed startups like SpaceX and Skybox are demonstrating success, the number of aerospace business plans circulating through Sand Hill Road has climbed faster than a Falcon 9.

With each successful startup, progress accelerates and synergies emerge. As SpaceX makes launches cheaper, it opens the frontier to more entrepreneurs. Pioneers like Skybox and Planet Labs have to build end-to-end solutions for their markets, including everything from satellite buses to big data search algorithms; but there will soon evolve an ecosystem of vendors who specialize in launch mechanisms, cubesats, sensors, inter-sat communications, analytics, and software applications.

So who are the customers for a space-based Internet? At first, aerospace startups will disrupt two large markets:

  • Scientific exploration of space. In the past, costly scientific missions such as Apollo ($355 million in 1966), ISS ($3 billion/year), Hubble ($10 billion), and Cassini ($3.3 billion) were designed and built by government agencies. Expect startups to disrupt this market with innovations in rocketry, robotics, optics, cloud computing, space suits, renewable energy, and more.

  • Communications. Government defense agencies spend considerable sums on communications to serve their space-based weapon systems and intelligence bureaus. Media and cable companies also commission satellites to serve their consumers. Microsat networks of radios will supply these customers more cheaply and reliably.

While spatial avionics improve with Moore’s Law, certainly some payloads, like telescopes and robots, cannot be miniaturized beyond the constraints of physics. But even these missions will benefit from the cheap, rapid testing available on a nanosatellite. Just as programmers today can build entire software companies using a free AWS account and the open source LAMP stack, space-faring entrepreneurs can now explore myriads of new business models by launching $1,000 cubesats out of ISS.


In addition to disrupting existing markets, microsat networks in space will enable a new and important capability:  Planetary Awareness. When we surround our planet with sensors across the frequency spectrum, we will have access to data that opens up new markets. Today, we have sensors across our landmasses, but adding sensors in space, the ocean, and the atmosphere will illuminate both natural phenomena and human logistics. 

Planetary Awareness will enable many capabilities of high social value:

  • Aviation and maritime safety: The need for tracking and communicating with aircraft and ships is in the public eye today following the loss of flight MH370.

  • Nature surveillance: Predict and monitor weather, global warming, natural disasters, and the risk of meteor damage (as pioneered by the B612 Foundation).

  • Global journalism: Expose protests, genocides, and other state-censored events.

Planetary Awareness will also open new markets of high economic value, which are much more likely to drive the success of aerospace startups:

  • Finding natural resources: Minerals and fuel sources abound upon the ocean floor (as discovered by Liquid Robotics’ fleet of WaveGliders) and near-Earth asteroids (as Planetary Resources promises to find using cheap microsats).

  • Financial services: Tracking human activity and commerce (e.g. the proverbial counting of cars in parking lots) yields valuable data to merchants, logistics providers and investors.

  • Military and geopolitical intelligence: Governments already purchase imagery for this use, but visibility will greatly expand from more frequent flyovers, video, radio surveillance, and automated analytics.

Geospatial imaging attracts many startups because it is already a robust and underserved market, but the opportunity to enable planetary awareness is much broader.  Dan Berkenstock didn’t start Skybox Imaging just to sell images and video: he had a more profound vision for the impact that startups can have on the aerospace industry.  His mission attracted co-founders from Stanford and NASA, his CEO Tom Ingersoll from Universal Space, aerospace legends like Joe Rothenberg who led the Hubble repair as well as other star engineers and investors. And now Skybox is proving that they, along with SpaceX and other nimble startups, will displace dinosaurs in space with data services driven by constellations of smart microsats. 

Wednesday, April 23, 2014

The Admins in BVP's Companies Are No Longer "Unsung" Heroes

With sincere appreciation for the thankless job executed day in and out by the admins at BVP and our portfolio companies, I spent today with a barbershop quartet making our way from San Jose to San Francisco serenading these heroes of Silicon Valley. The final stop, captured below, was at Smule to recognize office manager Erika San Miguel.

Wednesday, April 09, 2014

Jukebox Saturday Night! (and Saturday afternoon)

If you like a cappella singing, come hear Voices in Harmony along with Stanford's Mendicants and other groups who will join us this Saturday in Santa Clara at 2PM and 7:30pm.  It's shaping up to be a great show.  Tickets



Monday, March 31, 2014

How to Land a Job at a Hot Startup

Congrats to Zhen, who joins Smule today, after submitting the resume below. Zhen used Smule's Sing! app to compile his resume from 7 original tracks of vocals, violin and guitar.

Wednesday, February 26, 2014

Cyber Soothsaying: Where There's a Way, There's a Will

This week, the RSA Conference draws its annual pilgrimage of data security professionals seeking insights on market and technology trends. As a seed-stage security investor, it has been my job to predict the future of cybersecurity, so now’s a good time to share two important rules that have served me well:


(i) Follow the Money: what’s the most lucrative opportunity emerging for hackers today? Identify the hacker’s next big opportunity, and you know who will need to respond! This rule, for example, steered me toward spam in 2002 (Postini), online banking theft in 2004 (Cyota), geopolitical warfare in 2009 (Endgame) and DDoS attacks in 2013 (Defense.Net).

(ii) Where There’s A Way There’s A Will. Physicists know that if a natural phenomenon can exist, then most likely it does. The cyber corollary is that vulnerabilities in the wild WILL be exploited – it’s only a matter of time. Poisoning the DNS, using the cloud to factor large numbers, and streaming smartphone microphones were all considered theoretical attacks, until they weren’t. Whenever we dismiss vulnerabilities as too difficult to exploit, hackers eventually humble us with their ingenuity.


Just this week we saw two important examples of this rule in action. The first is Apple’s confirmation of a glaring deficiency in their implementation of SSL that means we’ve been kidding ourselves about how secure the Mac and iPhone really are. The software engineers at Apple are mortal, and just as prone to the inevitable security lapses that plague any complex system.

The second example is a blog post by RSA about new malware on Android phones that coordinates with web-based attacks to hijack banking sessions. I have been expecting this “innovation” since 2005, when I predicted that banks, plagued by the security shortcomings of passwords and biometrics, would adopt and embrace out-of-band authentication for any risky transaction:

That's why solutions in the future will move away from 2-factor authentication and toward 2-channel authentication. Since your bank knows your phone numbers, a bank computer can simply call you when it needs to confirm your identity, and authorize the specific transaction ("This is Wells Fargo--please enter the code on your screen to authorize the transfer of $50,000 from your account to the account of the Boys and Girls Club of Belfast"). This is a very inexpensive and fast solution to deploy, and requires much less customer training. Not to mention that it's secure (at least for many years, until hackers can easily identify and commandeer affiliated phone lines).

This prediction turned out well: 2-channel authentication has since become standard procedure for banks, application developers and consumers, thanks largely to three investments I made back then:

1.      If you’re a bank…
Cyota (acq. by RSA) is the market leader in assessing your transactions for risk so they can be escalated for authentication;

2.      If you’re a developer…
Twilio is the market leader in enabling apps to launch phone calls or SMS messages for out-of-band authentication (this may be Twilio’s single largest use case); and

3.      If you’re an individual…
Lifelock leads the Identity Theft market, by contacting you through multiple channels when they spot a risky transaction involving your Personally Identifiable Information.

However, as I parenthetically noted in 2005, it’s theoretically possible to “commandeer affiliated phone lines” in order to defeat 2-channel authentication. This seemed like a pretty far-fetched idea 8 years ago, but sure enough where there’s a way there’s a will, and bank accounts are where the money is! So I wasn’t too surprised to hear from RSA that hackers now intercept your SMS messages and phone calls in order to defeat the banks’ security mechanism.
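The 2005 description above is precise enough to model, and modelling it shows exactly why the scheme beats browser malware and why it falls to phone malware. The block below is an added example, not code from the original post and not Cyota's, Twilio's or any bank's implementation. It simulates both channels in-process: the web session gets a one-time code on screen, the "call" is the spoken prompt the bank would read out (returned as a string rather than placed through a telephony API), and the customer keys the code in only if the spoken amount and recipient match what they intended. The three scenarios at the end are an honest transfer, a man-in-the-browser rewrite of the recipient, and the commandeered-phone case the RSA post describes. Account names, amounts and the mule account are constructed.

```python
"""2-channel transaction authorization, modelled end to end.

Added example, not from the original post or any vendor's code. The phone
channel is simulated by returning the spoken prompt as a string; names and
amounts are constructed.
"""
import hmac
import secrets


class Bank:
    """Server side of both channels. Channel 1 is the web session; channel 2
    is an automated phone call to the number the bank already has on file."""

    def __init__(self):
        self.pending = {}   # txn_id -> (transaction, one-time code)
        self.ledger = []    # executed transactions

    def request_transfer(self, account, amount, dest):
        """Channel 1: the web session submits a transfer and receives the
        transaction id plus the one-time code that is shown on screen."""
        txn = {"account": account, "amount": amount, "dest": dest}
        txn_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"      # 6-digit one-time code
        self.pending[txn_id] = (txn, code)
        return txn_id, code

    def call_customer(self, txn_id):
        """Channel 2: what the automated call says. It reads back the details
        the bank actually holds, not whatever the browser rendered."""
        txn, _ = self.pending[txn_id]
        return (f"This is your bank. Please enter the code on your screen to "
                f"authorize the transfer of ${txn['amount']:,} from "
                f"{txn['account']} to {txn['dest']}.")

    def keypad_entry(self, txn_id, digits):
        """Channel 2: digits keyed into the phone. The code is single-use
        (popped on first attempt) and compared in constant time."""
        txn, code = self.pending.pop(txn_id)
        if not hmac.compare_digest(code, digits):
            return False
        self.ledger.append(txn)
        return True


class Customer:
    """Keys in the on-screen code only if the spoken details match intent."""

    def __init__(self, account, amount, dest):
        self.intended = {"account": account, "amount": amount, "dest": dest}

    def answer_call(self, spoken, code_on_screen):
        expected = (f"${self.intended['amount']:,} from "
                    f"{self.intended['account']} to {self.intended['dest']}")
        return code_on_screen if expected in spoken else None


def honest_transfer(bank):
    """Both channels reach the real customer; the transfer goes through."""
    cust = Customer("alice", 50_000, "Boys and Girls Club of Belfast")
    txn_id, code = bank.request_transfer(**cust.intended)
    digits = cust.answer_call(bank.call_customer(txn_id), code)
    return digits is not None and bank.keypad_entry(txn_id, digits)


def browser_malware_transfer(bank):
    """Man-in-the-browser: the request the bank receives names a mule account
    while the page still shows Alice her intended recipient. The call reads
    out the mule, so Alice never keys in the code."""
    cust = Customer("alice", 50_000, "Boys and Girls Club of Belfast")
    tampered = dict(cust.intended, dest="mule-account-7781")  # constructed
    txn_id, code = bank.request_transfer(**tampered)
    digits = cust.answer_call(bank.call_customer(txn_id), code)
    return digits is not None and bank.keypad_entry(txn_id, digits)


def commandeered_phone_transfer(bank):
    """Phone malware diverts the call to the attacker, who already scraped the
    on-screen code via the browser implant. Both channels now end at the
    attacker and the bank has no way to tell."""
    tampered = {"account": "alice", "amount": 50_000, "dest": "mule-account-7781"}
    txn_id, code = bank.request_transfer(**tampered)   # sent by the implant
    bank.call_customer(txn_id)                          # answered by the attacker
    return bank.keypad_entry(txn_id, code)              # harvested code keyed in


if __name__ == "__main__":
    bank = Bank()
    print("honest:", honest_transfer(bank))
    print("browser malware only:", browser_malware_transfer(bank))
    print("browser + phone malware:", commandeered_phone_transfer(bank))
    print("ledger:", [t["dest"] for t in bank.ledger])
```

The defence holds exactly as long as the second channel is independent of the first: the bank never trusts the browser's rendering of the transaction, only its own record, read back over a channel the browser malware cannot reach. Once malware on the phone can answer or forward the call, the two channels share an attacker, and the model degrades to the single-channel case the scheme was meant to replace.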

It is natural that hackers focused on this attack vector because so few IT people understand the perils of mobile malware. Enterprises are busy deploying MDM and app-wrapping products, but they ignore the rampant spread of malware that renders those solutions useless. If I root your phone and ship home screenshots every minute that you run SalesForce, what good are the MDM and MAM products? (Lucky for Airwatch, they sold out before customers caught on to this.)

This is why we at BVP funded Wandera – the only company specifically building a cloud-based smartphone security service, which filters out mobile malware during both download and execution, as well as providing URL filtering, data leak prevention, and enterprise cloud app visibility.

At the time we invested, many people warned us that mobile malware is simply not a big concern. But see Rules 1 and 2 above! Smartphones house our most precious secrets, and there are so many easy ways into them. I’m predicting that enterprises and governments will quickly understand this, and scramble to secure their employees’ phones just as they do their (larger) computers.


If you want to join me in predicting the future of cyberspace, look for the money chasing hackers, and pay more heed this week at RSA to the warnings of security gurus, since no vulnerability is too hard to exploit. Where there’s a way, there’s a will.