Corporate Japan is about to go through a major transition in its approach to computer security. In the past, Japan-only payment systems and the Japanese language itself provided a barrier that kept international fraud and attacks at a very low level.
All that is changing now. With payment systems becoming increasingly global, and free, instant translation available to anyone with a browser, fraud is on the rise in Japan.
Today we sit down with Atsuyoshi Shimazu of Caulis, and he’s going to both explain the new threats and explain exactly what he plans to do about them. He’ll also explain why Japan’s current approach to the internet of things means that things might get worse before they get better.
It’s a great conversation, and I think you’ll enjoy it.
- Why 50 million accounts are at risk in Japan
- Why some Japanese companies avoid taking security measures
- Toyota’s vision of connected cars in the gig economy
- What security looks like in an IoT world
- Why online fraud is about to skyrocket in Japan
- Japan’s susceptibility to ransomware attacks
- Why hacking insurance might be the future of security
- Why Japanese CSOs and CIOs are so bad at their jobs
Links from the Founder
Welcome to Disrupting Japan, straight talk from Japan’s most successful entrepreneurs.
I’m Tim Romero, and thanks for joining me.
Today, we’re going to talk about fraud. Online fraud, hackers, scams, identity theft in Japan, and what exactly we can do about it. Now, I’ve been involved professionally in IT in Japan for more than 20 years, and that includes both enterprise scale big IT and startup scale little IT.
Corporate Japan has always had a strange relationship with computer security. On one hand, companies are very sensitive to security concerns and they’ll pay top dollar for security hardware and software systems and evaluations. But on the other hand, day-to-day security practices are often neglected. Operating systems remain unpatched, firewalls are set up and then never touched again, and backup systems are rarely tested.
Right now, however, Japan is going through a bit of a security transition, both in its understanding of fraud and in how susceptible its systems are to fraud and hacking, and today’s guest will walk you through some of these important changes. Today, we sit down with Atsuyoshi Shimazu, founder and CEO of Caulis.
Now, Caulis offers a distributed online fraud prevention service called Fraud Alert, and it’s solid technology that has a special appeal in the Japanese market. Now, Atsuyoshi also explains how the internet of things is going to force all of us to radically change the way we think about online security and security in general. He also explains why the instances of, and losses due to, online fraud are set to skyrocket in Japan over the next two years.
But you know, Atsuyoshi tells that story much better than I can. So let’s hear from our sponsor and get right to the interview.
Tim: So I’m sitting here with Atsuyoshi Shimazu of Caulis, the makers of Fraud Alert, which is an online security and fraud prevention tool. I’m sure you can explain it much better than I can. Thanks for sitting down with me. Can you tell me a bit about what Fraud Alert does and what Caulis is?
Atsuyoshi: Fraud Alert protects corporate websites from fraud attacks such as brute-force attacks. First, we protect the log-in page, and also conversion pages such as money transfer pages.
Tim: You’re preventing unauthorized access to web pages and monitoring the behavior on those pages as well?
Atsuyoshi: Yes. Also, we protect smartphone apps. We check how the words are typed and the behavior.
Tim: So like behavioral profiling?
Tim: Okay. So how does it work exactly? Do the systems make an API call to your systems? Is there code level integration?
Tim: How does the system work?
Tim: What type of things qualify as unusual user behavior?
Atsuyoshi: Now, I’m using a MacBook and Google Chrome in the Otemachi area. So this is an unusual behavior. But if the hackers use the same ID and password but they use Windows 10 and Internet Explorer outside, this user’s behavior is not normal.
Tim: Okay. Right. So someone is coming in from a new location or if the same IP address tries to log in with a bunch of different user names, that’ll look suspicious?
Tim: Does Fraud Alert provide authentication and authorization services as well or is it simply —
Atsuyoshi: Focusing on detection.
Tim: Detection. Tell me about your customers. In previous interviews and on your website, you talk about 50 million accounts being protected but who are your actual customers? Are they ISPs or banks or small e-commerce sites?
Atsuyoshi: Now, we are focusing on banking and credit card coverage, and also telecom carriers.
Tim: I want to dive into more detail about security in Japan. But before we do that, let’s talk about you for a minute. You founded Caulis in December 2015. So it’s been a really crazy two years, I’m sure.
Tim: And before that, you were working with Okada-san.
Tim: At the captcha company, Capy.
Atsuyoshi: Yes, that’s right.
Tim: Capy is also in security. They do this kind of advanced captcha technology.
Tim: What made you decide to leave Capy and start your own company?
Atsuyoshi: I have two reasons. Captcha is only focused on protecting against bots, but human log-ins it cannot protect against. This is the first reason.
Tim: Actually, is captcha still effective? Because it seems like at least the text-based captcha, I think AIs are better than humans at it. At least they’re better than me.
Atsuyoshi: Second reason: captcha itself. Old hackers using a user account see a captcha, but the hacker will solve the captcha. Some hackers show that this is the way to hack and bypass a captcha. Captcha is only additional authentication, but many authentications will be hacked, so we want to focus on detection, not authentication. And also, many electronics and automobiles will be connected to the internet. So connected devices will have a password and ID, but captcha is only on a web browser. So we want to spread our security to the IoT industry.
Tim: That’s a good point. It’s dangerous to have a startup that’s really too focused on a specific technology.
Tim: All right. That makes sense.
Atsuyoshi: At the beginning of this month, NHK broadcast the collaboration between Toyota and startups.
Tim: How is Toyota going to use your products? What are they going to use them for?
Atsuyoshi: Toyota is now using the sharing economy business model. Drivers can ride in so many automobiles. So ID and password, identification, is very important.
Tim: Let’s look into this a little more. What will Toyota be doing in the sharing economy? Are they talking about having individual cars that different people can use, sort of like a car sharing program?
Atsuyoshi: Both, yes. They want to transition the business model to a human-centric automotive car ride provider.
Tim: So when we move from the traditional web and mobile internet, which is primarily username-password-based, and we’re all used to typing those in —
Atsuyoshi: Yes, right.
Tim: When we move to IOT, when we move to something like an automobile, you’re not using username and password anymore.
Atsuyoshi: But they have so many apps. The apps need you to input the ID and password. After inputting the Toyota ID and password, the app shows users the right way to their destination, or tells them they have driven so many kilometers so they should go for a car check.
Tim: Okay. You’ll be providing fraud detection for their web applications and mobile applications?
Atsuyoshi: Yes. This is the future strategy of Toyota. Car-centric is the 20th century business model; in this century, they will transition to being a human-centric car provider.
Tim: So it’s a relationship not just with the driver but with everyone in the family that might be driving the car or different people in the company who are driving the company car. Interesting.
Tim: That is going to be a big change for them.
Tim: It certainly makes sense that fraud detection is going to become more and more important as we move towards internet of things and more integrated services across a lot of different devices.
Tim: Let’s talk a bit about the problem of fraud in Japan.
Atsuyoshi: This is a very serious situation in Japan. The Japanese government did a survey in June of 2015: 1/3 of IPO companies have had damage from fraud.
Tim: Yes. I’ve seen that number. So 1/3 of all public companies have said they’ve suffered damage from fraud but that’s a really broad statement. Does that mean internet fraud or credit card fraud? Does that include things like employees stealing from them?
Atsuyoshi: Online banking damage was 3 billion yen in 2015. There has been 0.3 billion in charge-back damage. Charge back means someone steals the credit card information and uses it for unauthorized purchases.
Tim: That is about $120 million?
Tim: So there’s $120 million of credit card fraud in Japan every year.
Atsuyoshi: But the damage is increasing every year. Before 2013, there was no damage in Japan because many browsers didn’t have a translation function. At the end of 2012 and the beginning of 2013, Firefox, Google Chrome and Internet Explorer got the ‘language translation’ function, so many hackers said, “Oh, this is a Japanese bank. This is e-commerce. This is a credit card.” So many hackers attacked Japan.
Tim: Before, the Japanese language just made it more difficult.
Atsuyoshi: There’s a language barrier.
Tim: Yes, there was a language barrier. Now the security barrier.
Tim: Of that credit card fraud, what percent of it is online fraud versus offline?
Atsuyoshi: Maybe offline is bigger.
Tim: Okay. So most of it is offline?
Atsuyoshi: Yes. Such as using stolen credit cards, it’s maybe 60%. But online damage is increasing year by year. In 2020, online damage will overtake offline damage, I think.
Tim: That’s a real problem and it’s something that anyone doing business in Japan needs to worry about. But when we’re looking about Japan, we’re talking about $120 million in credit card fraud a year. But in the US, that level is about $8.5 billion a year. It’s interesting. Japan is an economy that’s about 30% as big as the US but it only has about 1.5% of the credit card fraud.
Atsuyoshi: Many Japanese use cash. Credit card usage is maybe 20-30%. The other 70% is paid with cash.
Tim: Even taking that into account, even if there were three times more credit card transactions, you would still only be looking at 4.5-5% of the level of fraud in the US.
Atsuyoshi: Maybe the language barrier still protects Japan.
Tim: But like you say, that language barrier, it’s really false security.
Atsuyoshi: Yes. But still, credit card companies and some e-commerce should require additional authentication from users.
Tim: Right now, is most of the credit card fraud in Japan coming from outside Japan?
Atsuyoshi: I think so. For example, one of the big e-commerce services introduced name recognition authentication. If the website recognizes that a user is malicious after they push the purchase button, it asks, “Please put your name in kana,” and the fraud stopped.
Tim: Okay. Wow. So just making them input something in kana.
Tim: Well, yes, if you don’t speak Japanese but again, that’s not really real security because you could go to half a dozen different translation websites and get it to do that. So that will only slow the hackers down for a month or two, I think.
Atsuyoshi: Yes. It’s a temporary authentication, I think.
Tim: Right, right. Before, you mentioned that it wasn’t just credit cards but things like point systems and airline miles are a really big target for fraud these days.
Atsuyoshi: Yes, right. Because mileage can be changed into Bitcoin or electronic money. So a hacker thinks mileage is one type of money. In Japan, with too much authentication, users will be lost. For example, big airline companies have so many young people and older men; older men cannot figure out how to put the short mail numbers into the website, so they dropped out and changed airline company. This is a tradeoff, security and usability.
Tim: Yes. I mean almost every software system you’ll ever write, that’s the tradeoff, security and usability.
Tim: So how do you handle that? Let’s say for example, someone logs into one of your customer sites and you detect that they’re engaging in suspicious behavior, say they go directly from log-in and directly to the exchange points page instead of my account or something like that, what happens then? What does the user see?
Atsuyoshi: They are asked to use additional authentication, or we say, “Now we have a log-in attempt, is it yours?” and send an email for confirmation of the log-in.
Tim: Okay. So maybe before the transaction is finalized, they need to confirm by email or enter some other identifying information.
Tim: I see. Okay. Earlier this year, there was a couple of ransomware attacks, both in the US and in Europe. Did those affect Japan?
Atsuyoshi: Yes. From February to May, there were so many attacks. Some clients wanted to introduce authorization during Golden Week, but they had another ransomware attack, so they said please stop, because the damage was so huge.
Tim: Now, I know ransomware attacks aren’t something you can prevent. That’s just basic system level security that the clients need to do. But do you think Japanese companies are particularly susceptible to ransomware attacks?
Atsuyoshi: I think so. Some banks introduced many solutions for ransomware protection, but other industries cannot afford to introduce so many solutions because of their budgets. There are very few companies that have a CIO (Chief Information Officer), Chief Security Officer, or Chief Information Security Officer. The position of CIO and CSO is a little bit lower in Japan.
Tim: Yes. In Japan, a CIO, even a CTO is usually two or three levels below the CEO. They’re pretty far down there.
Atsuyoshi: Yes. So it’s a Japanese structural problem. In the United States, the CEO, COO and CSO are the same grade, but in Japan, the CIO is a much lower level. So they need more security solutions.
Tim: I’ve noticed that. One of the things that has struck me as strange in Japan for the last 20 years plus I’ve been working in technology here, Japanese companies are very, very slow to upgrade their public servers, even for security patches. Is that changing? Are people becoming more aware of the importance of security here?
Atsuyoshi: Yes. In Japan, do you know that system integrators such as NTT and IBM have huge power over clients? If a bank introduces IBM solutions, it cannot change the solutions without IBM’s power.
Tim: Right, right. In Japan, the systems integrators have huge power over their clients.
Atsuyoshi: Yes. The leading companies recognize that this situation is very dangerous, and so many banks decided to introduce cloud and hosted servers. It’s very good for their business and also their security.
Tim: So you think the move to cloud is going to result in a significant increase in security.
Tim: That makes sense. I think it will because it takes the responsibility for upgrades and server downtime off of the client and makes it this automatic process.
Atsuyoshi: So some bankers said that if they want to introduce this type of new technology, their system was made by a system integrator, so introducing the new technology costs two to three years. System requirements, settings, six months is —
Tim: Right, right. Where any startup could do it in a month.
Atsuyoshi: Yes. So they decided to transition to the cloud. After introducing cloud, which is very popular in Japan, traditional Japanese companies can follow technological improvements.
Tim: Absolutely. And the move to the cloud has been great for companies like you as well.
Atsuyoshi: Yes. Two to three years is very long to introduce new technologies.
Tim: I think the big transition to cloud computing happened after the 2011 earthquake, when suddenly all of these companies couldn’t run their own data centers. But over the last three or four years, the move into the cloud really seems to have accelerated. A few months ago in a different interview, you mentioned that you’re talking with some insurance companies about offering basically hacking insurance.
Tim: How would that work? That sounds really interesting.
Atsuyoshi: Okay. The main purpose of the transition from security to insurance: this is the enterprise domain, and this is small business. In Japan, small business companies don’t have an IT department, so they want to buy our solution not as security but as insurance.
Tim: From an insurance point of view.
Tim: What is the asset that’s being insured? How do companies determine the value or the damage from a hack? It just seems like a very difficult thing.
Atsuyoshi: A good point. Now, we are in discussions with so many insurance companies. But first, we gathered so much client data. This is the total log-ins. We can see each industry’s hacker attack rate. We provide data to the insurance companies. The insurance company will calculate. So we provide how many hackers will attack banking or credit card or e-commerce. We gather the data and send it to the insurance company. The insurance company will make the insurance and we resell it to our clients.
Tim: To the clients?
Atsuyoshi: Yes. This business model.
Tim: When do you think you’ll be able to do that?
Atsuyoshi: Next month we will put out a press release with an insurance company in Japan.
Tim: Wow. Okay. So September, probably by the time this episode airs, you’ll be offering hacker insurance.
Tim: Interesting. Insurance is easy to sell in Japan.
Atsuyoshi: Yes, right.
Tim: Japan is kind of over-insured by world standards. That’s a really interesting business model.
Atsuyoshi: Yes. We already have discussions with five to six insurance companies in Japan. They have no data on how many hackers there will be in Japan. We have this type of data.
Tim: Do you have plans for international expansion?
Atsuyoshi: Yes. And we are in discussions with Indonesian banks and Malaysian banks. Indonesia, Malaysia, Singapore: all the governments are introducing fintech investment through venture capital. Southeast Asia is a very good market for fintech.
Tim: Some industries, it makes sense that it’s very local and it’s hard to go global, services are like that. But security seems like it almost has to be global. There’s an advantage to being global because most of the hacking and the threats are coming from overseas.
Atsuyoshi: Yes. We have maybe seven to nine competitors all over the world, but all competitors are focusing on the side of Facebook or Google, the giants. So Southeast Asia is a little bit of a blue ocean. We have another stakeholder, ISI Dentsu; they have so many branches in Southeast Asia. They offer our solution to many Southeast Asian telecom, banking or credit card companies.
Tim: Fraud detection startups around the world, not even startups, the IBMs and the fraud detection companies around the world, the technology and approach is pretty much the same. The real difference is in the sales function and the pricing.
Atsuyoshi: Our pricing is maybe 120 or 130 cheaper now, because now we got investment or debt finance from banks, and we sell at a very low, or the cheapest, price. After selling, we can gather data.
Tim: Right, right.
Atsuyoshi: But IBM, selling is very high price.
Tim: Well, the advantage of being a startup is you do get to come in from the bottom of the market, the lower price and eventually push out the IBMs, the threat matrixes.
Tim: Let’s talk about Japan in general. We were talking before that credit card fraud and online fraud from inside Japan is still relatively rare. Most of the attacks are coming from outside Japan. Do you think this is changing? Do you think the fraud rate inside Japan is increasing or is it staying the same?
Atsuyoshi: A little bit increasing, I think. Because many dark websites are selling data: “This is a Japanese ID and password list.” Some Japanese will buy these lists and they put in the ID and password to get individual information and financial assets.
Tim: So just because hacking is becoming so much easier than it used to be, more people are doing it?
Atsuyoshi: Yes. Traditional hackers see the weakness of the system, research it and produce malware or ransomware. It was very hard.
Tim: Right. Hacking used to be hard. It took some serious technical skills.
Atsuyoshi: Yes. But now the fraud is just: you purchase an ID and password, put in the ID and password, no technical hacking.
Tim: Yes. You’re right. Every year, it becomes easier and easier so we should expect more and more people to be doing it.
Atsuyoshi: Yes. There are so many lists of how to hack Google, how to hack Apple. They can download the source of the hacking tools.
Tim: Right. Let me ask you, other than using Fraud Alert, what advice do you have for people who are running e-commerce sites and blogs or anything with a log-in? What advice do you have for them about —
Atsuyoshi: First, they should see the rate of hacker attacks. After founding this company, I met so many CIOs and CSOs, maybe 20 to 30, but they don’t know how many fraud attacks come to their own website. No one knows.
Tim: So they’re not even paying attention to it?
Tim: Do they know how to monitor it or is it all just new to them?
Atsuyoshi: Maybe new to them, because in Japan, the CIO or CSO is not a key person. Maybe the head of administration is promoted to the CIO, CSO department.
Tim: The sad thing is that in most large Japanese companies, the equivalent of the CIO or the CTO is the one that is used to managing the systems integrators. He’s used to working with outsourcing companies. So a lot of times, they’re not really a technical person. All of the technical knowledge is in their system integrator, not in their company.
Atsuyoshi: Yes. Last month, I checked how old each country’s CIOs are. In Japan, it’s almost the end of their 50s, or at least mid-50s. But in the United States, maybe the end of their 20s or beginning of their 30s, and CSOs are very young people.
Tim: CIO, I’d imagine, will be a little older.
Atsuyoshi: Yes. The CSO is very young and techy, but in Japan, the CSO is just accounting; the financial head is the CSO.
Tim: Do most public companies have a chief security officer, a CSO?
Atsuyoshi: In Japan, 54%. That 54% is just the last back-office position, or they’re hired as a CSO from outside the company.
Tim: Is the number much higher in America?
Atsuyoshi: 88%, I think.
Tim: 88% of public companies have a chief security officer?
Atsuyoshi: I have the data, so I will send the report.
Tim: Okay. That is quite a difference, then. Do you have any advice for general internet users and consumers about how to stay safe on the internet?
Atsuyoshi: Yes. Do you know Have I Been Pwned?
Tim: Have I Been Pwned? Yes, I do. That’s a great one. We’ll put a link up on this site.
Atsuyoshi: I already introduced this website to Japanese CSOs and my friends. First, a general user puts their own email address into this website and checks; after this, they can see if their ID was stolen.
Tim: Have I Been Pwned is a great site for checking if your identity has been sold and/or your account has been hacked. We’ll put a link up on the page so the users can go and check it out because that’s important information.
Atsuyoshi: Yes. Also, please use a separate ID and password for each website. In Japan, 70% of Japanese use the same ID and password for all web services.
Tim: Yes. Get a password manager. There are many good ones out there, pick one.
Tim: Well, listen, before we wrap up, I want to ask you what I call my magic wand question. That is, if I gave you a magic wand and I said you could change one thing about Japan, anything at all, the education system, the way people think about risk, the way people think about failure, anything at all, to make it better for startups in Japan, what would you change?
Atsuyoshi: I want to make all employees have time to travel all over the world. Masa, head of business planning, has lived in England, Malaysia, China and Singapore. He has so many various friends and various experiences, so he has a big perspective even though he’s just 27.
Tim: Would you say the best way to do that would be, for example, companies be more willing to send employees to international conferences or do you think after university, students should spend one year living somewhere else?
Atsuyoshi: Yes. Many Japanese just live only in Japan and just have Japanese friends. It’s a very closed world. I want younger people to have a more global perspective. Masa went to England; England has talented people from all over the world. Outside of Japan, younger people are so experienced, such talented people, but in Japan it’s the same type of Japanese, and so – I don’t know how to —
Tim: It’s interesting. A number of my guests before had said it’s important for Japanese to go overseas to improve their creativity but it sounds like you’re talking about something a little bit different. Is it that overseas is more competitive than in Japan and that it forces people into this competitive nature and to be the best in the world?
Tim: So it’s the same way, for example, that you were saying Japanese websites could get away with being sloppy with security because the Japanese language protected them, where English language sites have to be the most secure in the world because everyone’s attacking them.
Atsuyoshi: I think so.
Tim: So it’s that kind of dynamic, you have to compete harder?
Atsuyoshi: Compete harder. We have the advantage of the blacklist APIs. We will connect to the global Facebooks, Apples; all players should release the data to each other.
Tim: So the different organizations should share the blacklist and share security information. That’s happening now, right?
Atsuyoshi: Now, no.
Atsuyoshi: No. Every CSO has trouble with how to share the hacker list. In the previous century, security was more concrete and not shared.
Tim: Sure. It was physical.
Atsuyoshi: Yes. We want to make more companies into risk-sharing companies.
Tim: I think a lot of companies are talking about the importance of that. I think it’s going to be critically important because the hackers are all sharing information. The good guys have to share information or they’re going to lose.
Atsuyoshi: Good point. Hacking will keep improving, but the malware: if this malware attacks Mizuho Bank and Mizuho Bank shares it with the other banks, this malware won’t be effective.
Tim: So do you think we’re going to get to a point where the security companies are going to start sharing these information soon?
Tim: Not soon?
Atsuyoshi: Not soon.
Tim: That’s too bad.
Atsuyoshi: But in the IoT decade, each device will be connected to the internet, so IoT itself will make the situation change, I think. Because in IoT, automotive is dangerous for drivers.
Tim: It will force the industry to start taking security seriously.
Tim: Well, that will be a good thing. Well, listen, Atsuyoshi, I want to thank you so much for sitting down with me today.
Atsuyoshi: Yes. Thank you very much.
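The interview describes two detection signals without showing any code: a log-in whose device, browser and location differ from what that account has used before, and a single source IP trying many different user names. The following is an added illustration of that approach, written for this page; it is not Fraud Alert or any Caulis code, and the log-in events, user names, IP addresses and the three-name threshold are all constructed for the example. A flagged log-in gets the step-up response the interview mentions (confirm by email or extra authentication) rather than a silent block.

```python
"""Toy log-in anomaly scorer (added example, not the product's code).

Two signals from the interview:
  1. per-account baseline: OS / browser / location seen on earlier successful
     log-ins; a log-in using values never seen for that account is suspicious
  2. one source IP attempting many distinct user names (brute-force /
     credential-stuffing pattern)
"""
from collections import Counter, defaultdict

ATTRS = ("os", "browser", "geo")

# Constructed history of successful log-ins (not real data); this is the baseline.
HISTORY = [
    {"user": "alice", "ip": "203.0.113.10", "os": "macOS", "browser": "Chrome", "geo": "Otemachi", "ok": True},
    {"user": "alice", "ip": "203.0.113.10", "os": "macOS", "browser": "Chrome", "geo": "Otemachi", "ok": True},
    {"user": "alice", "ip": "203.0.113.11", "os": "macOS", "browser": "Chrome", "geo": "Otemachi", "ok": True},
    {"user": "bob",   "ip": "203.0.113.20", "os": "Windows 10", "browser": "Edge", "geo": "Shinjuku", "ok": True},
    {"user": "bob",   "ip": "203.0.113.20", "os": "Windows 10", "browser": "Edge", "geo": "Shinjuku", "ok": True},
]

# Constructed batch of new log-in attempts to evaluate against the baseline.
NEW_EVENTS = [
    # alice from her usual setup: nothing unusual
    {"user": "alice", "ip": "203.0.113.10", "os": "macOS", "browser": "Chrome", "geo": "Otemachi", "ok": True},
    # valid alice credentials, but a different OS, browser and location
    {"user": "alice", "ip": "198.51.100.7", "os": "Windows 10", "browser": "IE", "geo": "Overseas", "ok": True},
    # one IP cycling through several user names
    {"user": "bob",   "ip": "198.51.100.9", "os": "Windows 10", "browser": "Edge", "geo": "Shinjuku", "ok": True},
    {"user": "carol", "ip": "198.51.100.9", "os": "Windows 10", "browser": "Edge", "geo": "Shinjuku", "ok": False},
    {"user": "dave",  "ip": "198.51.100.9", "os": "Windows 10", "browser": "Edge", "geo": "Shinjuku", "ok": False},
]


def build_profiles(history):
    """Per-user counts of each attribute value, built from successful log-ins only."""
    profiles = defaultdict(lambda: {a: Counter() for a in ATTRS})
    for e in history:
        if e["ok"]:
            for a in ATTRS:
                profiles[e["user"]][a][e[a]] += 1
    return profiles


def score_login(profile, event):
    """Attributes of this log-in the account has never used before (empty = normal)."""
    if profile is None:
        return ["no baseline"]          # brand-new account name: nothing to compare against
    return [a for a in ATTRS if event[a] not in profile[a]]


def noisy_ips(events, threshold=3):
    """Source IPs that attempted at least `threshold` distinct user names."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= threshold}


def evaluate(history, new_events, ip_threshold=3):
    """Return one alert per suspicious log-in; the action is step-up verification."""
    profiles = build_profiles(history)
    spray = noisy_ips(new_events, ip_threshold)
    alerts = []
    for e in new_events:
        reasons = score_login(profiles.get(e["user"]), e)
        if e["ip"] in spray:
            reasons.append(f"ip tried {spray[e['ip']]} user names")
        if reasons:
            alerts.append({"user": e["user"], "ip": e["ip"], "reasons": reasons,
                           "action": "step-up: confirm by email / extra authentication"})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(HISTORY, NEW_EVENTS):
        print(alert)
```

The baseline is deliberately built only from successful log-ins, so failed attempts by an attacker cannot teach the profile a new "normal" device; in a real deployment the attribute set would also include things like the app version or typing cadence the interview alludes to, and the threshold for the per-IP signal would be tuned per site.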
And we’re back.
Don’t talk to me about biometrics. Biometrics are terrible security. You can’t keep them secret. You can’t change them. Biometric systems tend to be hacked within months of their commercial release. That’s really the point, I suppose. Security is not about proving to a computer that you are the human you say you are. It’s proving that you as a human or as a machine have the right to ask for the action you’re requesting, whether that’s viewing a webpage or transferring money.
Not only do computers look more like humans to other computers than real humans do, but more and more, we humans are going to be relying on our intelligent agents and computer code to act on our behalf.
Atsuyoshi’s Fraud Alert system is an excellent tool and an important part of the future security solution: different companies and individuals sharing identifying information on bad actors. Now, that won’t completely stop the bad guys, but it will make things a lot more expensive for them.
To really make this work on a global scale, however, requires cooperation. It requires multinational companies all over the globe to share information about when and how they’ve been hacked, and who’s doing it. So far, most companies have been very reluctant to do so because of legal liabilities and concerns that it would negatively affect their corporate image, and perhaps their stock price, if news got out that their systems had been hacked.
Perhaps third-party companies like Caulis will be able to bridge that gap by providing the information without directly identifying the target. That would make things a lot harder on the hacker and that’s always a good thing.
If you’ve got thoughts on hacking, cracking, and computer security in general, other than the fact that I’ve been using hackers in an overly broad sense, then Atsuyoshi and I would love to hear from you. So come by disruptingjapan.com/show101 and let us know what you think. When you come by the site, you’ll see all the links and resources that Atsuyoshi talked about in the resources section of the post.
But most of all, thanks for listening and thank you for letting people interested in Japanese startups know about the show.
I’m Tim Romero, and thanks for listening to Disrupting Japan.