Forget I, Robot. This is iProov, and it will change the personal security forever
17 min read
19 February 2019
Whether it's done to steal money online or to travel under false documentation, criminals continue to pose as other people to get what they want. But Andrew Bud, founder and CEO of face and palm verification company, iProov is here to put a stop to all that and make the world a safer place in the process.
How do you protect people’s identities in an age of intelligent terrorism, cybercrime and smart fraud? That’s undoubtedly the question, or questions, that Andrew Bud asked himself before he founded iProov, a facial verification business back in 2011.
Since the year iProov was born, the issue of online authentication has only become more pressing at every level.
From dangerous individuals using fake documentation to pass borders, to everyday fraudulent activities including APP scams where criminals trick online banking customers into sending money to the wrong accounts, fraudsters and imposters cost money, and even potentially, people’s lives.
Clearly, sorting the problem of who is real and who is passing as someone else online is a tough and mighty intimidating task.
We meet an entrepreneur who is unafraid of the challenge of stopping them. We sit down with Andrew Bud, founder and CEO of iProov, a company that is shifting the way we verify people, which is something, he hopes, will create a safer world.
You were founding companies in the tech space back in 2000. That’s a millennium in techspeak, what are the issues tech and security companies face today that they didn’t face then?
The very architecture of the industry has fundamentally changed. Until perhaps ten years ago, the tech world was dominated by the twin axes of enterprise software vendors and telcos. Telcos, in particular, had enormous power as the gatekeepers to the connected world.
Since then, however, ubiquitous high-speed internet means there are no gatekeepers. This has been responsible for lowering the barriers to entry, as well as accelerating both innovation and competition.
“As a result, a lot of new players have emerged, including some very bad ones.”
A decade ago, hackers were mostly individuals sitting alone in their bedrooms. But that’s changed, and changed rapidly. Now we face buildings full of incredibly smart PhDs, financed by huge budgets.
Going back to pre-2011, tell us about why you founded iProov and what the inspiration was?
In 2008 I was the Executive Chairman of mBlox, the company I founded in 2000. At that point in time, it was the largest processor in the world of SMS mobile payments – more than £400m per year.
Our market share was high, fraud rates were low, and I had the privilege to serve on the board of the industry regulator.
Then, quite quickly, fraudsters began to exploit a weakness in the authenticated consent mechanism of the payment system, stealing from huge numbers of consumers through our network in the process.
“I found myself held to account by the press, including one memorable interview in which I was offered the choice of admitting to negligence or complicity!”
The regulator investigated and deemed our response “exemplary”, but it taught me a harsh lesson of the need for strong authentication that was simple enough to engage impatient mobile users.
When mobile apps and mobile internet exploded a couple of years later, the problem was evidently going to get worse, so it needed a solution. There wasn’t one, so I had to invent it.
Tell us about the work you undertook to upscale iProov from 2011 to today considering modern issues such as sophisticated hacker methods and global security threats?
The first challenge was to make the technology work. That needed a small team of outstandingly talented technologists, and it is our huge fortune to have a team that is entirely extraordinary.
“When recruiting great people, it helps to have a strong vision and a wonderful product; fortunately, a great team attracts great people.”
I was able to draw on colleagues from my mBlox journey, which was the previous tech company I started back in 2000. As well as through the relationships I’d built at UCL’s Computer Science Department, which I owe to the fifteen years I served as chair of its External Advisory Council.
“Quality, not quantity was all that mattered.”
Then, as InnovateUK funding helped us move through research into production, we began to need a larger cohort of engineers and developers. Again, we were incredibly fortunate to attract some young, tireless and brilliant staff.
Now that the market is ripe, we’re focussing on growing the marketing and commercial team, and once again we’ve won the lottery.
Can you break down for us just how iProov works and in what ways customers can make use of the technology?
iProov assures the genuine presence of online users, securing access to data, services and transactions. We use biometric verification to achieve this and our speciality is the detection of spoofs and replays.
“We are world leaders in detecting bogus biometrics. Fake copies of people, rather than lookalikes, are the real threat to biometric verification. Nowadays, detecting them is hard. We’ve invented a technology called the Flashmark, which uses the screen of the device to illuminate the user with a rapid sequence of colours.”
While that happens, we stream video of them to our servers, where we examine how that screen illumination is reflecting off their face (or palmprint). This tells us whether or not the user is real.
The sequence of colours is different each time, so it has to be correct or else we know we’re looking at a replayed recording. This is how we protect users against recordings stolen by phishing or social engineering, as well as from forgeries ranging from simple photos to deepfake synthetic videos.
This process is incredibly simple to use – you don’t have to do anything to iProov yourself except stay reasonably still. We want people aged 9 to 90 to be able to use iProov, without any challenges. We even stylise people’s faces when we display them in order to mitigate selfie anxiety!
In terms of who uses your technology currently, is it sector specific?
At present, our customers are in sectors that require very high levels of security like government and banking. Not only do we serve the UK Home Office and the US Department of Homeland Security, but our technology is also integrated into retail banking apps, such as that of ING Netherlands which is installed on millions of mobile devices.
Banks in many countries use us, but we are now finding applications in a much wider range of uses. In future, we will be in every sector of the online ecosystem.
Do you think that facial verification technology is the only surefire way to prevent security breaches like false impersonation?
Face verification is very good indeed. Thanks to modern AI techniques, it is very reliable both at providing the right individuals with access and keeping impersonators out. It also has the great advantage of being superbly easy to use. I just look at my device and it looks back at me – what could be simpler?!
Every single personal device with a front-facing camera can be used, so it eliminates any device or platform dependence.
“A person’s face is what links them to their government-issued photo ID, so it’s special in that way too. But we have also developed a palm print verification method, which is just as easy and secure. All a user needs to do is hover their hand over their phone for a couple of seconds.”
It’s a matter of personal or cultural choice which method an individual prefers to use. The important thing is to assure that, whichever biometric you use, the individual is indeed genuinely present. That’s the only surefire way to prevent large scale security breaches. No biometric will ever be truly secret, so the focus must be on preventing the successful use of any kind of copy. That’s what we’re really good at.
Will this form of security render the likes of ID cards and passports obsolete?
In future, the information shown today on your paper or plastic credential will be stored in the cloud. Instead of presenting your document, you will authenticate to assert that online information to whoever legitimately asks for it.
Genuinely present biometrics are really the only way to authenticate that assertion, which mustn’t be weak, shareable or repudiable. Of course, documents won’t disappear overnight, but their vulnerability to forgery and the difficulty in checking for forgeries, especially in self-service contexts, is going to limit their future.
In that case, do you think your technology could become a forerunner in the identity and travel space?
How difficult would it be to persuade governmental authorities and international bodies that this technology should become the norm? We are very optimistic that we could.
Already the US DHS has chosen us as the first-ever non-US recipient of one of their SVIP contracts and we are currently working towards deployment of our technology to help travellers cross US borders.
We are in live production with the UK Home Office on a large visa and immigration programme and we are in advanced discussions on several identity and travel applications worldwide. So, I think it is highly likely that the authorities will accept and indeed demand spoof-resilient face verification as part of their plans to get better control over who enters and leaves a country, whilst reducing the friction of travel.
What are the biggest logistical challenges iProov is set to face in 2019 and why?
Data sovereignty is a growing issue for many cloud services. Increasingly, governments are insisting that data about their citizens must only be stored in their territory. In a world of nearly 200 countries, that is a significant logistical challenge, but one we are meeting.
“We have lots of new goals in place for this, and next year. But I prefer to brag about things after we’ve accomplished them, not before.”
We intend to be able to build an iProov service hub in a local data centre in under an hour. Our aim is then to be managing a worldwide network of such hubs. We also have to analyse each authentication in real time, to detect any clues to new forms of cyber-attack and responding to any new attack accordingly.
– That’s a challenge we understand – mBlox was processing 6 billion transactions a year – and one we must meet in order to stay adaptable to the endless new threats that will appear.
Tell us about the single toughest moment you’ve experienced in the iProov journey and how you got over it?
Early in our journey, we were using face verification technology from one of the world’s top vendors. After months of hard work, we had finally reached evaluation by a global bank.
“A senior executive put his daughter in front of the camera and she passed as him. We were thunderstruck; it instantly killed our prospects with that bank.”
It was clear we needed a step change in performance. Then, iProov’s Research Director put forward an audacious plan to build our own face recogniser using a revolutionary new technology.
However, with help from InnovateUK funding, we carried out that plan and were one of the first companies in the world to launch a commercial face verification service based on deep learning. It worked spectacularly well and removed the final barrier to our success.
People often say that entrepreneurs need a certain kind of mindset to “make it.” When it comes to tech and security, what does this type of mindset look like to you? Is there one?
In Douglas Adam’s “Hitchhikers’ Guide to the Galaxy”, the most essential accessory is a towel. His Ravenous Bugblatter Beast of Traal is so stupid it thinks that if you can’t see it, it can’t see you. So, if you meet one, you throw the towel over your head. Every entrepreneur needs that towel. If you transfix on all the risks that could get you, you’d never even start!
“However, in cybersecurity, denial is also toxic, because your very task is the mitigation of risk.”
I intend never again to be offered the choice between reckless negligence and complicity; so, the mindset must balance a certain relentless optimism with painstaking creativity in imagining the worst while building the best!
– Trust is vital – you can’t do that effectively with a self-centred, transactional approach. It’s a long, team game.