George Kanuck, vice president for sales and marketing at Trustonic, tells IBS Journal how the firm is one of the biggest security ventures you may never have heard of.

Tell us about your company – how was it founded?

From around 2010, increasingly valuable services began to ‘go mobile’ and, as everyone knows, fraud follows money. Using software to protect software from software attacks can only get you so far; just look at anti-virus. To combat this, device makers and service providers recognised the need for hardware security in smartphones. The leading chip architect, Arm Limited, had a technology that was of interest to banks, governments, Hollywood studios and a variety of others whose services were vulnerable to cyberattacks. These organisations thought the technology was great, but that it needed to be both accessible and in a critical mass of devices.

So, Trustonic was formed – we’re a joint venture between Arm and digital security specialists Gemalto – and, since then, we have been working to embed our security technology in as many devices as possible to enable banks and other service providers to better protect their services, data and customers. It’s gaining significant momentum, as we’ve been integrated by 17 of the top 20 Android device manufacturers, meaning that we’re in well over a billion devices worldwide.

What is your business model?

For the financial services world, we work in a few ways:

  1. The technology we embed into devices is called a Trusted Execution Environment (TEE). This offers an isolated operating system within the device to store and remotely manage sensitive data, like banking and payments apps, making them immune to all software threats.
  2. We enable the device itself to be identified and trusted, by injecting a Root of Trust. This is important for secure banking and financial services as it’s essential to authenticate both the device and the user.
  3. Our technology also opens up other device functionality to the financial services community. For example, with the TEE you can ensure both the security of biometric user authentication and that the information displayed on screen or entered by the user cannot be intercepted by fraudsters.

Service providers work with us on a license basis to provide a simpler, safer and richer customer experience. They can use our simple APIs and software development kit as part of their app development and, when their app lands on a TEE device, it is protected by government-level hardware security. If no TEE is available, they benefit from our leading software protection, which is the same if not better than what most banks are currently using.

What sets you apart from the competition?

There are essentially two other ways of delivering secure mobile payments and banking. Protecting data using secure elements (SEs), or moving the functionality to the cloud. Secure elements offer high-security, but limited processing power, and have complex business models. Cloud-based payments are more user-friendly, but significantly less secure. TEE brings the best of both worlds and can even be combined with the other technologies.

What’s more, we’re the only provider of an open TEE. This means that, while there are other TEEs out there, service providers can’t utilise them to secure their apps – they can only be used by the handset manufacturers. This makes us unique in offering simple and accessible hardware security to the market, something we see as essential for maintaining consumer trust and leading the fight against fraud.

What was your smartest move?

I’d say the relentless pursuit of simplicity, as the security industry tends to overcomplicate everything. We recognise the potential of the TEE, as there are very few technologies that can enhance security and augment and simplify the user experience. But, it needs to be simple to integrate with, and we have worked hard to take the pain away for the service providers that we work with.

For example, banks don’t want to think about different security solutions for the thousands of different smartphones that are in circulation. With us, you can develop once and benefit from the best security available on each device. Simple!

And we’re seeing the results, as some of the most innovative mobile financial services in the world use us as their foundation. We’re protecting AliPay, Samsung Pay and WeChat Pay, not to mention a range of Bitcoin implementations.

Where did things get tough?

We’re a relatively small business playing with the big boys. To get our technology into devices and recognized by the market, we needed to balance the needs of international chip and handset makers, internet giants, big consumer brands, each with their own agendas and requirements. It has therefore taken time, patience and more than a little chin stroking to get to where we are today. And now that we are approaching critical mass across devices, the challenge is to help a broad range of service providers to recognise the benefits that they can gain with just a few tweaks to their services.

While it has been tough at times, we can see the market changing as users embrace services that have been enhanced. Real adoption is happening, especially in financial services – we recently announced that KB Kookmin Bank, which has 30 million customers, is using Trustonic to secure its peer-to-peer (P2P) payment and messaging app, Liiv TalkTalk.

Where do you want to be in five years’ time?

Very short-term, say in one year, we want to be protecting hundreds of millions of users who are enjoying richer, simpler and safer services. In five years’ time, we want to see better security across all connected devices, period. Connected device manufacturers need to take responsibility for the integrity and security of their products.

More devices are being connected and, until recently, hackers and fraudsters didn’t care. But now they do. Smartphones are currently the biggest target, but as we see connected cars, appliances and infrastructure able to access your personal and financial details, the threat will grow. Security needs to be foundational, not an afterthought. This is why we are seeing so much interest in the TEE.

In essence, we want to remove security as a consideration for both service providers and consumers. With effective security at the heart of everything, people can select the services that give them the best experience, without fear that corners have been cut.

by IBS Intelligence