Entersekt never would have been established in 2007, were it not for the audacious claims by a B.Comm student and the activities of an unknown bank fraudster, which stirred up the emotions of four electronic engineering students: Christiaan Brand, Dewald Nolte, Altus van Tonder and Niel Müller.
The Stellenbosch-based software house is a fast-growing African player, which wants to establish itself in the States, the United Kingdom and beyond. Most of the major South African banking groups have already signed up Entersekt, which has been certified by Visa, MasterCard and American Express to integrate with their 3-D secure payments system. It has become an ally of the domestic banking industry in dealing with online fraudsters.
Bank corruption is one of the principal cyber-crimes in the world. According to the South African Banking Risk Information Centre, the South African banking industry incurred losses of R263.3 million ($29.6 million) in 2009/2010 for card fraud. These fraudulent activities increased by 53% in 2010/2011 to R403.1 million ($45.4 million).
According to Schalk Nolte, chief executive of Entersekt, independent statistics from IT Web show that web phishing in South Africa amounted to R320 million ($36 million) in 2011. In the second half of 2012, bank fraudsters used online banking to harvest around R100 million ($11.3 million) illegally. The country has registered 3% of the world’s phishing activities, while 46% occur in the States and 19% in the United Kingdom.
Dewald Nolte remembers how, during a challenging week filled with tests, a self-assured B.Comm student confronted him and a group of engineers, while they strolled to the Langenhoven Student Centre for a meal.
“Here I am, relaxing, and you poor guys are working so hard but I’m still going to make a fortune, much more than you engineers,” he said.
Nolte, Brand, van Tonder and Müller, who all possessed an entrepreneurial spirit, became more committed to pursuing a successful business career after the encounter. The group met weekly to brainstorm the inception of the right business. Their ‘aha’ moment came through default, not design. Brand’s mother became victim of an online banking fraudster and lost R20,000 ($2,250). Brand couldn’t believe how this was possible in an age of one-time password (OTP) access logins and online security systems.
The four students worked around the clock for over a year in a virtual garage to mastermind Entersekt.
Their enormous investment of time and money to invest seed capital for the establishment of Entersekt, conjures images of Bill Gates, the Beatles and the 10,000-hour rule mentioned by Malcolm Gladwell in Outliers. He claims that 10,000 hours are needed to secure greatness and mastery; Mozart, The Beatles and Gates are some examples. The Beatles performed in Hamburg, Germany over 1,200 times between 1960 to 1964, amassing more than 10,000 hours of playing time. Gates spent 10,000 hours programing on a high-school computer in 1968, aged 13.
The four students amassed their 10,000 hours by developing a prototype, which was conceptualized into a company in 2008. Its revolutionary technology was registered at a patent-office in the same year.
The pioneers needed the intervention of two more leaders to propel the idea from their virtual garage to the commercial marketplace.
Earlier in his career, Schalk Nolte was one of 33 expatriates sent to Nigeria by Vodacom to manage a possible new venture. The deal was eventually scuttled because of shareholder concerns. Twenty eight of the expatriates remained in Nigeria to form a new management company to run V-mobile Nigeria. With Nolte at the helm of network expansion, they grew their clients from 300,000 to a couple of million, while the numbers at the base station increased from 300 to 2,500.
Nolte was approached to join Entersekt, after it had been patented but was not yet commercially formed. He realized that banks wouldn’t do business with a virtual garage start-up.
“We had to establish a presence and an address and the technopark in the technological hub [of Stellenbosch] was appealing,” he says.
Through Schalk Nolte’s acquaintance with Ramzi Mansour of Carita Investments in Nigeria, he set up a meeting in Centurion between Mansour and Dewald Nolte.
“He decided to invest in us not only because of the idea of our business but because of the people. He said he could see the passion in our eyes,” says Dewald Nolte.
Securing the finances was a considerable challenge for the students, who lacked collateral, especially in 2008 when the global recession was in full swing.
“We had to pull through tough times, pay ourselves nothing and invest everything into the seed capital of the company to succeed. In hindsight, it proved to be the right way of doing it,” says Schalk Nolte.
In internet banking a two-factor authentication system is used based on something you know, your username and password, and something you have, a cellphone. Unfortunately, such an authentication system, which relies on browser communication, can be defeated.
In the real world, people are sent a phishing e-mail; if they click on the link, they will get routed to a fake banking website, which fools them into entering their username and password. This fake site, in real time, runs a script and enters the credentials into the real bank account. When the real bank receives the credentials it sends an OTP or asks the user to generate this OTP on the token. When you enter your OTP, it is intercepted by the man in the middle, who now has access to your username, password and OTP.
The beauty of Entersekt’s system, however, is that it uses industry-standard electronic certificates to create a secure out-of-band communication channel, based on mutual authentication between a bank and its customers’ mobile devices, according to Nolte. These certificates are deployed using a light-weight application that is available for hundreds of cellphone models on the iOs, Blackberry, Android Windows Phone and Java platforms. An electronic transaction initiated through any channel (online banking, card-not-present and via the ATM) is sent to the bank customer’s mobile device for confirmation before the transaction takes place.
In the OTP system it goes via the internet, where the fraudsters have access, while this system is beyond the reach of fraudsters as customers respond to real-time requests for transactions by selecting ‘accept’ or ‘reject’. The bank retains control over the process of registering users and all communication is encrypted end-to-end and cannot be intercepted by any other party, says Nolte.
The result is true out-of-brand, two-factor authentication that counters phishing and other kinds of fraud. This system has cut online banking fraud for Entersekt’s clients to zero and annually re-issues certificates per client.
“We have found that our contracts become a net saving for the banks and not a cost increase.
When Entersekt sold their technology to Nedbank, the crime moved to other banks.
“It’s like a burglary in your street. If you increase your security and use more burglar-bars, the criminals might target your next-door neighbors,” he added.
Although the company has established a local footprint—with eight of their 10 clients based in South Africa—it has received international recognition and the demand for its services is growing. Entersekt has patented their technology in the States, United Kingdom, China and India and is aggressively pursuing markets in Nigeria and Kenya.
“We were nominated at the world’s biggest security conference in San Francisco in 2011 as one of the top 10w most innovative companies globally. We are 18 to 24 months ahead of our competitors in terms of technology,” says Nolte.
Protection to safeguard their assets is one thing; expansion to ensure a bigger global presence is a different proposition all together.
“We have a staff presence and a small office in London and we are about to open an office in Atlanta in the States… We have to be where the new ideas, the standards and the concepts are created,” he adds.