Internet Security

Passbase is building a full stack identity engine with privacy baked in



Digital identity startup Passbase has bagged $600,000 in pre-seed funding led by a group of business angel investors from Alphabet, Stanford, Kleiner Perkins and EY, as well as seed fund investment from Chicago-based Upheaval Investments and Seedcamp.

The 2018-founded Silicon Valley-based startup — whose co-founder we chatted to briefly on camera at Disrupt Berlin — is building what it dubs an “identity engine” to simplify identity verification online.

Passbase offers a set of SDKs to developers to integrate into their service facial recognition, liveness detection, ID authenticity checks and ID information extraction, while also baking in privacy protections that allow individual users to control their own identity data.

A demo video of the verification product shows a user being asked to record a FaceID-style 3D selfie by tilting their face in front of a webcam and then scanning an ID document, also by holding it up to the camera.

On the developer front, the flagship claim is Passbase’s identity verification product can be deployed to a website or mobile app in less than three minutes, with just seven lines of code.

Co-founder Mathias Klenk tells TechCrunch the system architecture draws on ideas from public-private key encryption, blockchain and biometric authentication — and is capable of completing “zero-knowledge authentications.”

In practice, that means a website visitor or app user can prove who they are (or how old they are) without having to share their full identity document with the service.

Klenk, a Stanford alum, says the founding team pivoted to digital identity in the middle of last year after their earlier startup — a crypto exchange management app called Coinance — ran into regulatory difficulties right after they’d decided to go full-time on the project.

He says they got a call from Apple, in August 2018, informing them Coinance had been pulled from the AppStore. The issue was they needed to be able to comply with know your customer (KYC) requirements as regulators cracked down on the risk of cryptocurrency being used for money l


Facebook needs a white hat Cambridge Analytica

Rob Blackie, Contributor. Rob Blackie is a Digital Strategist based in London, England, who has contributed to The Guardian and The Independent newspapers. Mike Butcher, Contributor.


Facebook has had a terrible couple of years. Fake news. Cambridge Analytica. Charges of anti-Semitism. Russia hacking the 2016 election. Racist memes, murders and lynchings in India, Myanmar and Sri Lanka.

And Facebook is just the tech company with the longest list of scandals. There’s Google, YouTube and Twitter’s well-documented roles in radicalization to consider, not to mention growing global health crises caused by medical misinformation spread on all the major platforms.

Investors are rightly beginning to worry. If tech companies and their investors can’t foresee and stop these problems, it will likely lead to damaging regulation, costing them billions.

The rest of us are increasingly unhappy that internet giants refuse to take responsibility. The argument that the problem lies with third-party abuse of their tools is wearing thin, not just with the media and politicians, but increasingly with the public as well.

If the tech giants don’t want regulators to step in and police, they need to do much more to predict, and stop the abuse, before it even happens.

One hundred cardboard cutouts of Facebook founder and CEO Mark Zuckerberg stand outside the U.S. Capitol in Washington, DC, April 10, 2018. Advocacy group Avaaz is calling attention to what the group says are hundreds of millions of fake accounts still spreading disinformation on Facebook. (Photo: SAUL LOEB/AFP/Getty Images)

The common factor in social media scandals

The problems mentioned above weren’t caused by anybody breaking existing social network rules. Nor


We found a massive spam operation — and sunk its server



For ten days in March, millions were caught in the same massive spam campaign.

Each email looked like it came from someone the recipient knew: the spammer took stolen email addresses and passwords, quietly logged into their email account, scraped their recently sent emails and pushed out personalized emails to the recipient of that sent email with a link to a fake site pushing a weight loss pill or a bitcoin scam.

The emails were so convincing more than 100,000 people clicked through.

We know this because a security researcher found the server leaking the entire operation. The spammer had forgotten to set a password.

Security researcher Bob Diachenko found the leaking data and with help from TechCrunch analyzed the server. At the time of the discovery, the spammer’s rig was no longer running. It had done its job, and the spammer had likely moved onto another server — likely in an effort to avoid getting blacklisted by anti-spam providers. But the server was primed to start spamming again.

Given there were more than three million unique exposed credentials sitting on this spammer’s server — hosted on intelimost.com — we wanted to secure the data as soon as possible. With no contact information for the spammer — surprise, surprise — we asked the hosting provider, Awknet, to pull the server offline. Within a few hours of making contact, the provider nullrouted the server, forcing all its network traffic into a sinkhole.

TechCrunch provided a copy of the database to Troy Hunt. Anyone can now check breach notification site Have I Been Pwned to see if their email was misused.

But the dormant server — while it was still active — offered a rare opportunity to understand how a spam operation works.

The one thing we didn’t have was the spam email itself. We reached out to dozens of people to ask about the email they received. Two replied — but only one still had a copy of the email.

The email sent by the spammer. (Image: supplied)

“The same mail appeared on three occasions,” said one of the recipients in an email to TechCrunch. “The subject was related to an email I had sent previously


It’s time to publicly shame United Airlines’ so-called online security (2016)

Jon Evans, Contributor. Jon Evans is the CTO of the engineering consultancy HappyFunCorp; the award-winning author of six novels, one graphic novel, and a book of travel writing; and TechCrunch’s weekend columnist since 2010.


Dear executives of United Airlines, I have some advice for you. 1: Fire whoever is in charge of your online security. 2: Burn down the building in which they worked; it may be tainted. 3: Salt the ground so nothing ever grows there again, to be safe. 4: Hire somebody competent who will not infuriate your users while simultaneously compromising their security.

I know I probably sound like a disgruntled passenger who just had an unpleasant airline experience. Not so! I am actually fond of United, have flown hundreds of thousands of miles with them, and have upper-tier status with them. But I’m also an engineer who writes about security.

It was bad enough when they replaced their free-form password security questions with drop-down selections — I am not making this up — for “Your favorite artist,” “Your favorite pizza topping,” etc


Privacy complaints received by tech giants’ favorite EU watchdog up more than 2x since GDPR



A report by the lead data watchdog for a large number of tech giants operating in Europe shows a significant increase in privacy complaints and data breach notifications since the region’s updated privacy framework came into force last May.

The Irish Data Protection Commission (DPC)’s annual report, published today, covers the period May 25, aka the day the EU’s General Data Protection Regulation (GDPR) came into force, to December 31 2018 and shows the DPC received more than double the amount of complaints post-GDPR vs the first portion of 2018 prior to the new regime coming in: With 2,864 and 1,249 complaints received respectively.

That makes a total of 4,113 complaints for full year 2018 (vs just 2,642 for 2017). Which is a year on year increase of 36 per cent.

But the increase pre- and post-GDPR is even greater — 56 per cent — suggesting the regulation is working as intended by building momentum and support for individuals to exercise their fundamental rights.

“The phenomenon that is the [GDPR] has demonstrated one thing above all else: people’s interest in and appetite for understanding and controlling use of their personal data is anything but a reflection of apathy and fatalism,” writes Helen Dixon, Ireland’s commissioner for data protection.

She adds that the rise in the number of complaints and queries to DPAs across the EU since May 25 demonstrates “a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data”.

While Europe has had online privacy rules since 1995, a weak regime of enforcement essentially allowed them to be ignored for decades — and Internet companies to grab and exploit web users’ data without full regard and respect for Europeans’ privacy rights.

But regulators hit the reset button last year. And Ireland’s data watchdog is an especially interesting agency to watch if you’re interested in assessing how GDPR is working, given how many tech giants have chosen to place their international data flows under the Irish DPC’s supervision.

More cross-border complaints

“The role places an important duty on the DPC to safeguard the data protection rights of hundreds of millions of individuals across the EU, a duty that the GDPR requires the DPC to fulfil in cooperation with other supervisory authorities,” the DPC writes in the report, discussing its role of supervisory authority for multiple tech multinationals and acknowledging both a “greatly expanded role under the GDPR” and a “significantly increased workload”.

A breakdown of GDPR vs Data Protection Act 1998 complaint types over the report period suggests complaints targeted at multinational entities have leapt up under the new DP regime.

For some complaint types the old rules resulted in just 2 per cent of complaints being targeted at multinationals vs close to a quarter (22 per cent) in the same categories under GDPR.

It’s the most marked difference between the old rules and the new — underlining the DPC’s expanded workload in acting as a hub (and often lead supervisory agency) for cross-border complaints under GDPR’s one-stop shop mechanism.

The category with the largest proportion of complaints under GDPR over the report period was access rights (30%) — with the DPC receiving a full 582 complaints related to people feeling they’re not getting their due data. Access rights was also the most complained-about category under the prior data rules over this period.

Other prominent complaint types continue to be unfair processing of data (285 GDPR complaints vs 178 under the DPA); disclosure (217 vs 138); and electronic direct marketing (111 vs 36).

EU policymakers’ intent with GDPR is to redress the imbalance of weakly enforced rights — including by creating new opportunities for enforcement via a regime of supersized fines. (GDPR allows for penalties as high as 4 per cent of annual turnover, and in January the French data watchdog slapped Google with a $57M GDPR penalty related to transparency and consent — albeit still far off that theoretical maximum.)

Importantly, the regulation also introduced a collective redress option which has been adopted by some EU Member States.

This allows for third party organizations such as consumer rights groups to lodge data protection complaints on individuals’ behalf. The provision has led to a number of strategic complaints being filed by organized experts since last May (including in the case of the aforementioned Google fine) — spinning up momentum for collective consumer action to counter rights erosion. Again that’s important in a complex area that remains difficult for consumers to navigate without expert help.

For upheld complaints the GDPR ‘nuclear option’ is not fines though; it’s the ability for data protection agencies to order data controllers to stop processing data.

That remains the most significant tool in the regulatory toolbox. And depending on the outcome of various ongoing strategic GDPR complaints it could prove hugely significant in reshaping what data experts believe are systematic privacy incursions by adtech platform giants.

And while well-resourced tech giants may be able to factor in even very meaty financial penalties, as just a cost of doing a very lucrative business, data-focused business models could be far more precarious if processors can suddenly be slapped with an order to limit or even cease processing data. (As indeed Facebook’s business just has in German
