Back to Blog

FinovateSpring 2014: Behind the Scenes with WePay, Rippleshot and TextPower

Thumbnail image for FinovateSpring2014ButtonLogo.jpg

In today’s report, we’ll get to know three more companies that made their Finovate debuts at FinovateSpring 2014 in San Jose.

So far, our Behind the Scenes series has introduced CUneXus,, and Venovate in our first installment. Here, we’ll meet API-developer WePay, network security innovator, Rippleshot; and SMS-based omni-factor authenticator TextPower.

What they do
“We are an API company focused on platform businesses: crowd funding sites, donation platforms, marketplaces …” this is how John Canfield, WePay Vice President of Risk, describes the company. Unveiling their Veda Risk engine at FinovateSpring, WePay demonstrated how it has leveraged its basic expertise in payments to provide a flexible way to create new accounts and process payments.
WePay’s origins as a payments company give it a unique insight into the needs of the clients it serves as an API innovator. John says the opportunity to focus on user experience and turning Big Data into Big Analytics makes sense in a world in which the payments industry is increasingly commoditized. “So why not innovate on the risk side, on compliance?” he says.
  • Processes transactions for more than 250,000 merchants; 400 platform partners 
  • Recorded 51% quarter-over-quarter growth from Q4 2013 to Q1 2014
  • Averaging 35% monthly growth in crowdfunding-specific processing
  • Powers eight out of the top 15 crowdfunding platforms
The experience
Wepay provided the example of a merchant who uses another Finovate alum, invoiceASAP, to bill clients. The challenge is to make it as easy as possible for the client to pay – and as quick and seamless as possible for the merchant to get paid.
With a single click, this merchant can apply to have WePay serve as her payment processor, allowing the merchant to accept, for example, a credit card payment rather than waiting for a check in the mail.
In most instances, credit card processors require merchants to fill out extended, complicated forms as part of the on-boarding process. WePay asks nothing more than the same basic credit card information typically provided in any transaction: card number, name, expiration date, CVV. But the result is a single-click process and response, rather than a days-long ordeal.
WePay’s approach results in a 95% acceptance rate for merchants. And credit for this goes to the company’s proprietary risk engine, Veda.
Veda pulls data from a variety of places: social media, other partners, and third party data sources to gain much more information about the transaction faster and easier than other processors. Veda also collects data on the payer and the merchant, including social media data (Facebook, Google+, Twitter, etc.), and delivers scores on both the merchant’s “quality” and the merchant’s “identity.”
“This is a very important online credential,” John says, “just like a passport or a driver’s license is an important credential for the physical world.”
What can we look forward to from WePay in the months to come? Customization in the form of better tailoring the risk experience, the user experience, so as to be the “ideal risk partner for our customers” is one goal. The company also plans to continue innovating on the risk engine itself, especially by incorporating new relevant risk data with the goal of providing a solution that fits the crowdfunding or marketplace platform perfectly. “It’s not a generic package,” says John. “everyone has something different.”

What they do
Rippleshot specializes in detecting fraud and data breaches using a different focus: the merchant payment network itself. Many security solutions, says the company, are vertical and siloed. Rippleshot’s technology in contrast uses a Microsoft search engine-like technology to detect data breaches and examine patterns of behavior before merchants and credit card issuers are even aware a problem exists. While some anti-fraud measures focus on customers, their cards, their mobile devices, Rippleshot “profiles merchants.”
Add to this the fact that the technology is cloud-based, requiring no installation or exchange of personally identifiable information, and delivers the kind of analytics that, for example, help financial institutions re-issue cards smarter and faster to compromised accounts.
  • Detects breaches long before they become known to public
  • Monitors more than 16 million online and offline POS terminals and payment gateways
  • Cloud-based solution requires no installation within company’s IT environment and no PII (personally identifiable information) exchanged
The experience
Here is a standard scenario in the world according to Rippleshot: customers visit a compromised merchant. The fraudster who may be stealing mag stripe data at the point-of-sale, then sells the stolen card information, which will be used for fraudulent transactions far and wide.
Critically, compromised cards all will share a history of transacting with the compromised merchant. And when Rippleshot discovers a merchant with a broader than av
erage history of encountering compromised cards, there is a good chance that this merchant is the source of the breach or fraud.
Rippleshot’s technology combines Big Data, machine learning, and cutting-edge statistics to scan through hundreds of millions of card transactions to spot this kind of common history. With this method, Rippleshot says it is able to narrow down the source of the breach or fraud not just to the specific store, but the specific POS terminal, as well. Exactly when the breach occurred is also valuable security intel that Rippleshot’s analytics provides.
Above: Rippleshot dashboard
Another plus of Rippleshot’s approach to security is the way it helps card issuers deal with the challenge of reissuing cards when fraud occurs. The standard strategy is to create and distribute a sizable number of cards to compromised and noncompromised accounts alike in an attempt to almost smother the problem.
Breach Fraud_Spend_Map_bts
Above: Breach and fraud spend map
Rippleshot seeks to provide a smarter way of reissuing cards. Of the three main categories of cardholder – those with compromised cards and those with cards about to expire in any event – most issuers can handle internally with their own systems. Rippleshot shines in the third instance – those cards that have not yet been compromised but remain vulnerable. Here the company provides real-time, time of transaction, decline rules until issuers can provide a new card. These rules range from geography to store type to transaction type.
Above: Rippleshot Chain List
What’s next for Rippleshot? Currently able to provide merchants with card fraud alerts, the company is looking into ways to give merchants the ability to get alerts on data breaches, as well. The goal is to become increasingly proactive, something that rarely happens at the merchant level. 
“Our solution is a combination of ADT + insurance,” Rippleshot CEO Canh Tran and COO Lucas Ward say, pointing to a team made up of experts in the field of analytics, UI, and fraud detection. “Many of our guys have more than 10 years experience in fighting fraud.” And from their perspective fraud and data breaches will always be more a matter of if than when.

What they do
Could the path to superior online authentication be paved with something as simple as SMS?
Or perhaps more accurately, SMS-run backwards. The genius of TextPower’s solution lies in the way it has leveraged a fundamental understanding of how text messaging actually works on mobile devices into one of the most unique methods for ID verification in the market.
The trick, as explained below, is that the effectiveness of SMS as a authentication method depends entirely on which direction the authentication request is coming from. As CEO Scott Goldman explains, each mobile device has a built-in unique code, developed by the manufacturer. This code is used by telecommunications companies to make sure that a single mobile device is not being used for multiple accounts.
This same unique mobile device identifier, says Goldman, can tell an authenticating website or VPN whether the device seeking access is the correct one. Even if I as a fraudster have your correct credentials, if I don’t have your device also, then I don’t get access.
  • 2012 Tech America Orange County High-Tech Awards Finalist
  • Info Security Products Guide 2012 Global Excellence Awards winner
  • 2011 Government Security News Homeland Security Award winner
  • TextPower founded 2009; TextKey founded 2013
  • $525,000 in funding; 7 employees
The experience
The experience of using TextKey is in most respects similar to what users of other SMS or text-based authentication experience. By relying on behavior as common as sending a text message, TextPower believes their authentication solution is that much more likely to be adopted and readily embraced by the average person already accustomed to communicating by text messaging.
TextKey works like this: a person who has legitimate access to a TextKey-enabled website will enter their username and password. The website will then display a unique, one-time code. The person seeking access must text that code to a specific number, using the mobile device that had been pre-designated.
If the correct code is sent from the correct mobile device, then access is granted. If either is incorrect – an inaccurate code or a device that is not the designated device – then access is not granted.
At this point, other additional authentication protocols can be brought into play, ranging from challenge questions to intervention by a human agent.
Scott credits h
is company’s background as a text messaging company for the ability to see security differently. He and his team may have an inside track on understanding how the actual mechanics of text messaging work – and could be made to work. But they are also passionate about the point that it is not enough for security to be “easy” – it has to be no different from everyday activities. Scott says, “in the battle between security and convenience, convenience always wins.” 
To get a sense of TextPower’s future with TextKey, consider the potential implementations of the technology. With a pedigree of mission critical deployments including everything from utility companies to the criminal justice system (read: wearable probation monitoring technology), the company is confident it will be able to develop similar relationships with the smaller banks and credit unions that are looking for affordable security solutions.
“We can protect anything with an ID and a password,” says Scott, referring to TextKey as “Fortune 100-level security that can be set up in just a few hours. And as to the question of scale? Bring it. “We could receive millions of messages a day and it wouldn’t strain the system at all. Volume is no object.”

Be sure to say tuned for our next Behind the Scenes feature with more new Finovate alums from FinovateSpring!