From the Birth of Online Banking, Digital Security Continues to Evolve

As the internet becomes more and more central to our everyday interactions with the world, the ways in which we store and share our sensitive personal information have not always progressed at the necessary speed. In this episode of Mastering Innovation on SiriusXM Channel 132, Business Radio Powered by The Wharton School, Louie Gasparini, Founder and CEO of Covault, discusses how his company is working to close digital security gaps through biometrics on our phone, cloud-based storage, and multi-step verification.

For our homes, we can install our own sophisticated locks and security systems, but on the internet, we have to trust that companies are taking adequate measures to protect our digital identities. These profiles are becoming increasingly detailed and may contain our SSN, date of birth, credit card numbers, and other sensitive information. As well-publicized security breaches in recent years have illustrated, such information is then vulnerable to the whims of a few skilled programmers. Gasparini, who was at helm of introducing secure online banking at Wells Fargo, has developed a few security-based startups and is now the CEO of a new digital security company, Covault. He explains the measures that his new company is trying to take to bring digital security up to speed.

An excerpt of the interview is transcribed below. Listen to more episodes here.

Transcript

Louie Gasparini
Louie Gasparini (Founder and CEO, Covault)

Harbir Singh: Tell us a bit about your journey. You’ve created several different companies that are always ahead of the trend with secure ways of protecting our digital identities.

Gasparini: Yes, on the cutting edge, some might say the bleeding edge. Back in my Wells Fargo days, it was great. That was just getting started, and Wells was very aggressive with technology. We were the first bank to offer online banking, and I was in charge of developing that effort and continuing to grow Wells Fargo’s online banking. Then we started seeing phishing: how do you know it’s the real site? So we came up with the idea of changing the login sequence? Instead of username and password, we started just asking for your username. Is this a Harbir that we’ve seen on a machine before? If it is, we show you an image that only you and the bank know, that’s how you know it’s not a phishing site. We also interrogate your device, make sure it looks like a device we’ve seen you on before, do a bit of fraud analytics, and then, if we’re all comfortable, we show you that image. Then you’re comfortable with putting in your password. That worked out really well.

[PassMark Security] was then bought by RSA, and I stayed with RSA for a couple of years as CTO. I’ve always been involved in security, authentication, and finance. I started another company, which became Personal Capital, as you mentioned, and they’re doing really well. I then joined BBVA as an Entrepreneur in Residence. At the time, blockchain was big. It’s still big. There was a need for an identity on, for, and to the blockchain. Plus, with fintech, there is more of a need for identity for online services. At some point, we are all going to have really true digital identities. How many times do you have to onboard at some place and type in your name, your address, your phone number? If it’s a high-assurance service, you have to type in your SSN, your date of birth, and all these sensitive pieces of information. How do you know what you’re even typing it into? Can malware and keystroke loggers steal that? Is it safe? Is it being stored correctly? There has to be a better way, and that is what Covault is all about: what is the best way we can do digital identity, control it ourselves, and make sure it’s secure when we share it with others?

Singh: This is stored in the cloud? You have a whole different concept completely in that sense.

“What is the best way we can do digital identity, control it ourselves, and make sure it’s secure when we share it with others?” – Louie Gasparini

Gasparini: Correct. We store the data in the cloud, but you, and only you, have the keys. We cannot see it; we’re blind to it. We have the best authenticators in the world nowadays. Your last segment talked about Apple and iPhone? Look what has gone on there. You’ve got this fantastic personal device that we can generate keys on, cryptographic keys, and store them in the Secure Enclave, which is a trusted hardware device where we can store keys in an iPhone. On Android, it’s called the Trusted Element. We generate and store keys there. We do all of our cryptographic functions on the phone and therefore, Covault never has visibility into the keys. We store the data in the cloud, and to get to the data, you need to prove you’re you to begin with to double check.

Singh: It’s a wonderful idea. What I find interesting is that the area of passwords and so on is constantly evolving. Rather than becoming simpler, it’s becoming more complicated. That’s number one. The second thing is it’s important to mention that internet security has become so significant that even in non-financial company boards, one of the key issues is internet security. It’s literally across industries. Why do you think that is? Why is it that with all the innovation, we are not able to assure protection against theft on the internet? What I mean by that is, in a developed society, you’re not sort of holding on to your suitcases at home because someone is going to come in and steal it, but in the internet world, we have this problem that there’s a lot of activity that is difficult to stay ahead of. Can you speak to that a little bit? Most people think it’s just about finance and passwords, but it’s about everything.

Gasparini: I’m going to give an interesting comparison. You know why God was able to create the world in seven days?

Singh: Tell me. That’s clearly a broad question.

Gasparini: He was able to create the world in seven days because he didn’t have an installed base.

Singh: That’s right, he didn’t have to upgrade the browser.

Gasparini: Exactly. The internet has grown over time, right? When I was at Wells Fargo and we started the first internet banking system in 1996, we had a lot of concerns internally about security. At the time all you could do was see your balances and see your account information, and we crossed out your SSN, your account numbers, so you couldn’t see anything. If somebody stole access to your stuff, who cared? There was nothing about you there to see. You couldn’t do anything; you couldn’t move money. In the beginning it was easy; username and password were enough. “Username, password” is convenient, and the whole internet has grown off of username, password. It’s become a problem, but in the beginning that was the easy way to start. It was very simple: you just needed a username and password and you went. The security, from the financial services point of view, started off pretty simply. Then people wanted more. In the United States and globally, it’s always been a balance of security and convenience.

Singh: As you add more features, they’re not necessarily completely ironclad, so the issue of security is a factor that might limit what you can offer?

“If we were able to design everything from scratch right now, it’d be a lot different.” – Louie Gasparini

Gasparini: Convenience has always won out. Even in the credit card world today, there’s fraud, but that’s the cost of doing business. It’s calculated into the CIS now. It’s become a legacy problem. That’s why I compare it to creating the world in seven days, because if we were able to design everything from scratch right now, it’d be a lot different. We’d do it a lot better and more easily, hopefully. The problem is you’ve got an install base. We’re already doing it this way, and getting people to change is a challenge. But with the mobile phones that we have nowadays, I should be able to authenticate who I am very easily.

About Our Guest

Louie Gasparini is an entrepreneur-in-residence at BBVA, working on identity related efforts for the financial services company. He has been with BBVA since 2015. Gasparini’s experience in identity spans many years, beginning with the start of the internet. In 1996, while with Wells Fargo, he oversaw the first online banking experience offered by a major bank as Senior Vice President of Internet Distribution Systems. Gasparini then started PassMark Security, a company aimed at user and site authentication. In 2006, Passmark was acquired by RSA, where Gasparini remained as Chief Technology Officer. He then formed a second startup called SafePage, which merged with SafeBank to form Personal Capital, a company disrupting the investment world with on-line tools, personal investment advisers and investment offerings. Gasparini attended the University of San Francisco.

Mastering Innovation is live on Thursdays at 4:00 p.m. ET. Listen to more episodes here.