What Japan can do about its online fraud problem, according to this security expert

A photo of Atsuyoshi Shimazu

This article is part of Tech in Asia’s partnership with Disrupting Japan where we publish the revised transcripts from the show’s podcast interviews with Japanese entrepreneurs. This is heavily revised from the original transcripts. For the full interview, go here.

I’ve been involved professionally in IT in Japan—both in enterprises and startups—for more than 20 years. Corporate Japan has always had a strange relationship with computer security. On one hand, companies are very sensitive to security concerns, and they pay top dollar for hardware and software systems and evaluations. But on the other, day-to-day security practices are often neglected.

I sat down with Atsuyoshi Shimazu, founder and CEO of Caulis, which offers a distributed online fraud prevention service called Fraud Alert. Atsuyoshi explains Japan’s problem with online fraud, what businesses and consumers should do, and the current challenges to the country’s cybersecurity.

You founded Caulis in December 2015. But before that, you worked for a captcha company. Why did you leave?

I have two reasons. First, captcha only focuses on protection against bots but not human log-ins. Second, hackers can bypass a captcha, and we wanted to focus on detection, not authentication. We also wanted to spread the security command to the IoT industry.

How serious is Japan’s problem with online fraud?

It is a very serious situation in Japan. The government did a survey in June 2015 and found that one-third of publicly listed companies were suffering damages due to fraud.

Online banking in Japan has seen around US$120 million worth of damages due to credit card fraud, and it is increasing every year. It started in 2013 when web browsers like Firefox, Google Chrome, and Internet Explorer enabled a language translation function. It then became easy for so many hackers to identify a Japanese bank, an ecommerce site, credit card information, and so on. Before, the language barrier made it difficult for hackers.

Right now, damages from offline credit card fraud are bigger than online—maybe 60 percent. But I think online will overcome offline in 2020.

Japan’s economy is about 30 percent as big as the US’, but it only has about 1.5 percent of credit card fraud. Why?

Many Japanese use cash. Only about 20 percent to 30 percent of the population uses credit cards. The remaining 70 percent pays with cash.

Are Japanese companies particularly susceptible to ransomware attacks?

I think so. Some of the banks here have introduced many solutions for ransomware protection, but companies in other industries cannot afford to introduce so many solutions because of their budget.

There’s also a structure problem. There are very few Japanese companies that have a chief information officer, chief security officer, or the like. These positions are low in Japan, whereas in the US, the CEO, COO, and CSO are in the same job grade. Japanese companies definitely need more security solutions.

Japanese companies are very slow to upgrade their public servers, even for security patches. Is this changing?

Yes. In Japan, do you know that system integrators such as NTT and IBM have huge power over their clients? If the banks introduce IBM solutions, they cannot change solutions without IBM’s power.

Leading companies have recognized that this situation is very dangerous, so a lot of banks decided to turn to cloud and hosting services. This is a good move for their business and security.

What advice do you have for online businesses that require log-in authentication?

They should know the hacking rate. After founding my company, I’ve met so many CIOs and CSOs who didn’t know how many fraud attacks come to their websites. Maybe the idea is completely new to them, since a CIO or CSO is not a key person in a Japanese organization, like I said.

I also found that Japan’s CIOs are in their 50s or mid-50s. In the US, they are in their late 20s or early 30s, and the CSOs are very young and techie. In Japan, a CSO is like an accounting or financial head. Only about 54 percent of public companies here have a CSO; it’s 88 percent in the US.

What’s your advice for consumers on internet safety?

I have introduced this website called Have I Been Pwned to my friends. Users can input their email addresses there to check if their ID has been stolen.

Also, please have different IDs and passwords for each website. In Japan, 70 percent of internet users use the same ID and password for all the web services they access.

If I gave you a magic wand, what would you like to change in Japan?

I want all employees to have time to travel the world.

Many Japanese live only in Japan and have only Japanese friends. It’s a very closed world. I want younger people to have a more global perspective.

***

Security is not about proving to a computer that you are the human you say you are. It’s proving that you as a human or as a machine have the right to ask for the action you’re requesting, whether that’s viewing a web page or transferring money.

Atsuyoshi’s Fraud Alert system can allow different companies and individuals to share identifying information on bad actors. That won’t completely stop the bad guys, but it will make things a lot more expensive for them.

However, it requires cooperation to work on a global scale. It requires multinational companies across the globe to share information about when and how they’ve been hacked, and who’s doing it. So far, most companies have been very reluctant to do so because of legal liabilities and concerns that doing so would negatively affect their corporate image and, perhaps, their stock price.

Read more from this series here.