Shuman Ghosemajumder isn’t talking about the startup where he works, Shape Security, publicly yet. But he opened up to Business Insider to talk about how Shape is making the Web safe from bad guys who want into your bank account.
And in the meantime, Shape’s investors have Silicon Valley talking.
The company took $6 million in its first round of financing from Google chairman Eric Schmidt’s fund, Tomorrow Ventures; Google Ventures; Kleiner Perkins; and Baseline Ventures, a firm which backed Twitter and Instagram.
Angel investors from Facebook, Twitter and LinkedIn also invested.
Ghosemajumder joined Shape in March from Google, where he worked on detecting fraudulent clicks on ads. He’s the startup’s VP of strategy.
To understand why the Valley is so excited about Shape, you’ve got to understand a bit about Zeus, a piece of malware which attacks online bank accounts. Crooks recently used Zeus to steal $47 million from banking customers in Europe.
As of today, there’s no real way to detect and stop Zeus. It takes money from your bank account when you access your account through your mobile phone or PC.
- Zeus makes itself look like a bank or online store’s genuine site.
- Changing your password won’t stop it. It simply collects your new password.
- “Two-factor authentication,” where the bank sends you a text to validate your transaction, won’t stop it because Zeus can send you a fake text that looks like it came from the bank.
- Hackers can buy Zeus “crimeware kits” on black market websites for anywhere from $700 to $15,000, Microsoft says. These automate the process.
- Android and iPhone users are at risk.
Although we only have stats for how much money European banks have lost so far—$47 million—U.S. banks and e-commerce sites are also affected, according to the Zeus Tracker website.
Zeus is so scary to banks and other businesses that Microsoft moved against one of the Zeus botnets—networks of infected computers used to spread Zeus to other machines—last March. But there are hundreds of them still out there, Microsoft says.
Even a user who is very careful about security has no way of knowing that the site they are visiting isn’t their real bank, but a hacker’s site. That’s because Zeus doesn’t actually start to work until after you type in your bank’s Web address and enter your username and password. At that point, Zeus sends you to a fake Web page that looks like the real deal.
Shape aims to solve the problem by making it harder for Zeus to look like real websites.
“Instead of trying to detect the attack, we provide deflection,” explains Ghosemajumder. “We sit between the website and the users.”
Shape’s technology makes it very hard for the hacker to automate the attack.
It will then become too expensive for hackers to use Zeus. Instead of buying a kit and having access to a lot of hacked websites and a lot of infected smartphones and PCs, the hacker would have to individually compromise each website every time a user logged on.
Because Shape is still in stealth mode, Ghosemajumder wouldn’t give us more details than that. But that’s enough information to understand why security insiders are excited about these guys. They have 47 million reasons to be.