A Peek at ThreatMetrix, and Why It’s Becoming Integral to a Lot of Other Startups

You may not know ThreatMetrix, but plenty of companies are already well-acquainted with what it does and how it can help them, from popular social networks and dating sites to retailers to financial services companies, including peHUB parent Thomson Reuters.

Here’s why: Los Gatos, Calif.-based ThreatMetrix stops online fraud by “fingerprinting” the devices used to commit it, and according to some — including the folks at PayPal and Gartner Group security analyst Avivah Litan — ThreatMetrix appears to be doing it better than its competitors.

The 36-person startup is just getting started, says 55-year-old CEO Reed Taussig, who joined the company from the data privacy company Vormetric and was the CEO and fifth employee of now publicly traded Callidus Software. We talked for a bit this morning.

I’ve been hearing from various corners about ThreatMetrix. Can you give us some idea of your funding situation, how fast you’re growing, and whether you’ll raise another round soon?

We’ve raised $12.1 million over two rounds, including from Technology Venture Partners in Sydney, Australia, CM Capital in Brisbane, and most recently, U.S. Venture Partners. I’ll probably raise money this year. We’d like to raise in the neighborhood of $7 million to $10 million, maybe in the fall. The business is doubling quarter over quarter and when you’re experiencing that kind of growth certain rivets that you thought were secure you find to be insecure.

Rather than look at transactional data, your software examines each device used in an online transaction for potential anomalies, is that right?

Well, the company was incorporated in the U.S. in July 2008, but it was founded initially as a device identification story in 2005, as part of a consulting project with the Australian government. It was trying to keep spammers and hackers off its more sensitive military and financial sites and it discovered that a lot of people were attacking from hidden proxies and botnets. So it started off that way, with the technology enabling us to tell [our customers] what a device is, where it is, what kind of transaction it’s executing, in what language the fonts on the computer are, and so forth. But we’ve since added machine-based learning and a rules engine that lets our customers blacklist or white-list devices based on their needs, and now it’s a really interesting product.

That is interesting. Who would approve a transaction from what you’ve determined to be a sketchy computer?

It’s really determined on a customer-by-customer basis. If I’m one of these casual gaming sites like PlaySpan or Loopt or another that we deal with, a gamer who is behind a hidden proxy may not be that important because gamers are all behind hidden proxies. In another situation, we’d flagged a transaction as negative for a dating site customer because the device used was connected to a botnet. But the site said, hey, this customer is valid, he always pays his monthly dues. It was sort of like, Al Capone needs to find love, too.

You mention Loopt. My impression is that ThreatMetrix is being used by a lot of the social networks out here to authenticate users. How does that work and are they your bread and butter?

In part. We focus on three applications: new account origination, account takeover, and what’s called [credit] Card Not Present transactions.

New account origination is used to determine whether or not Connie is Connie, including at social networks, which have all these products with synthetic identities [like social games], where fraudsters get into their systems and start ripping off their customers.

Think of it this way: When a user signs up for a social network or a dating site, it’s not like signing up for a new credit card or mortgage at a Wells Fargo, which can gather all kinds of personally identifiable information from that person — including a social security number — then use a service like Experian to verify that a user is who he says he is.

Because you aren’t going to give most social networks that kind of information, what we can do is tell that social network — with a high degree of confidence — that you may not be who you say you are because your stated place of residence doesn’t jibe with your IP address, or your email says that you’re in the U.S. but we can see that you’re actually in Vietnam, or your Linux computer is masquerading as a Windows computer. 

Is Facebook a customer?

It’s not, though we work with a number of other social networks, including MyYearBook.

And you’re collecting all this information through embedded HTML tags that you put on your customers’ Websites and that suck up data about our computers or phones while we’re on that particular site?

Yes, we start profiling the device when you log onto a customer’s Website. Our systems ask: what is it? Have we seen it before? If so, what’s the device’s reputation? If you’re buying something, when you start entering your bill-to/ship-to information on that page, we’re then scoring it so we can provide the customer with a confidence score.

Which ranges from what to what?

Negative 100 to positive 100. A negative 100 means that you’re a confirmed dirtbag. A positive 100 means that you’re an identified returning customer. In addition to the score, we provide reason codes — like this is behind a proxy, this is connected to a botnet — so our customer can then make their own decision about what to do.

How does it work in real time?

With a lot of fancy software. When you hit “enter” to purchase a product, we return our information about you to our customers in 500 milliseconds. So there’s a lot of code and a lot of servers and a lot of memory involved. We’re basically processing 200 million matches in a second or less, including based on your own computer’s attributes. Maybe you didn’t buy anything at our first customer’s site, but then you went to customer B and used your credit card. We didn’t extract that number, but that credit card hash is added to our record of your device. So if you go to a third merchant and you use that credit card successfully again, it will increase our confidence, even if you aren’t using the same IP address.

Sounds like you need to have sophisticated customers in order to process all of this data you’re sending.

Not always. We have unsophisticated customers who have no internal fraud management solution, in which case we provide information through a portal and on a daily basis through reports. It’s when you have an alternative payments site, or new account registration, or you’re selling digital goods, that you have to do everything on a real-time basis.

And how do you charge customers, via a monthly subscription?

No, it’s all prepaid transactions, sort of like prepaid phone minutes. We’ll sell you an initial block of transactions — 50,000 transactions for $3,500. If you like it and want to continue using the service, you can purchase more transactions, and the more you buy, the steeper the discount. It’s very useful for retailers that have seasonal jumps. Plus, from a customer’s viewpoint, I think it’s more fair than insisting that you have to sign up for a year. We’re a SaaS company; we want to earn our keep.

What’s your fastest growing market?

Fifty percent of our revenue right now is coming from retail customers. Our fastest-growing segment, 30 to 40 percent of our business, is what we’d call Web 2.0 companies: alternative payment sites, social networking, dating sites. That’s growing so fast because traditional means to stop fraud aren’t available to them. They don’t have enough information from their customers and it would be too expensive to verify them if they did. Our third market is financial services.

Speaking of which, I hear PayPal sends a lot of business your way. Is that true?

Yes, they’ve been very generous in referring their customers with high fraud rates to us. When their customers start experiencing a number of chargebacks PayPal will say to them: you can either sign up with someone like ThreatMetrix and reduce your chargebacks or we’re going to cut you off.

Have you been approached by eBay as a possible acquisition target?

We haven’t talked with them about being purchased and we’re not really for sale.

Are you profitable?

Not yet, though we think we will be toward the end of this year. We’re at about a $10 million run rate, after starting from zero in January of 2009. We ended last year with more than 100 new customers. We’ll have added around 300 more by the end of this year.

We’re also growing in terms of the quality of our customers. We’re crossing the chasm, as they say in Silicon Valley. We’re even talking with Thomson Reuters. I can assure you that in January ’09, there’s no way they would have called us up.
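The interview describes the product only in outline: a device is fingerprinted from its stable attributes, checked against a reputation store, scored from -100 to +100 with reason codes (proxy, botnet, OS or geography mismatch), and a hash of a successfully used card is attached to the device record so later use of the same card from the same device raises confidence even from a different IP. The toy below is an added illustration of that flow written for this page; it is not ThreatMetrix code, and the attribute names, the weights, the `CARD_HASH_KEY` and the sample events are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical per-deployment secret so only a keyed hash of the card number,
# never the PAN itself, is ever stored (constructed for this example).
CARD_HASH_KEY = b"example-card-hash-key-not-for-production"


@dataclass
class DeviceEvent:
    """What a page tag might report about one visit. Constructed schema."""
    claimed_os: str            # what the User-Agent string says
    observed_os: str           # what stack/JS probing suggests the OS really is
    ip_country: str            # from IP geolocation
    stated_country: str        # what the user typed at signup / billing
    behind_proxy: bool
    on_botnet: bool
    stable_attrs: Dict[str, str]  # attributes that survive IP changes (fonts, screen, tz ...)


def device_id(attrs: Dict[str, str]) -> str:
    """Fingerprint: canonical ordering so the same device always hashes the same."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()


def card_hash(pan: str) -> str:
    """Keyed hash of the card number; the raw number is not retained."""
    digits = pan.replace(" ", "").encode()
    return hmac.new(CARD_HASH_KEY, digits, hashlib.sha256).hexdigest()


@dataclass
class DeviceRecord:
    seen: int = 0
    good_cards: Dict[str, int] = field(default_factory=dict)  # card hash -> successful uses


class ReputationStore:
    def __init__(self) -> None:
        self.devices: Dict[str, DeviceRecord] = {}

    def score(self, ev: DeviceEvent, pan: Optional[str] = None) -> Tuple[int, List[str]]:
        """Return (score in [-100, 100], reason codes). Weights are arbitrary assumptions."""
        rec = self.devices.setdefault(device_id(ev.stable_attrs), DeviceRecord())
        score, reasons = 0, []
        if ev.on_botnet:                      # "confirmed dirtbag": clamps to -100 on its own
            score -= 100; reasons.append("BOTNET")
        if ev.behind_proxy:
            score -= 30; reasons.append("HIDDEN_PROXY")
        if ev.claimed_os != ev.observed_os:   # e.g. Linux masquerading as Windows
            score -= 40; reasons.append("OS_MISMATCH")
        if ev.ip_country != ev.stated_country:
            score -= 25; reasons.append("GEO_MISMATCH")
        if rec.seen > 0:
            score += 10; reasons.append("RETURNING_DEVICE")
        if pan is not None:
            uses = rec.good_cards.get(card_hash(pan), 0)
            if uses:                          # card already used successfully from this device
                score += min(30 * uses, 90); reasons.append(f"CARD_SEEN_OK:{uses}")
        rec.seen += 1
        return max(-100, min(100, score)), reasons

    def record_success(self, ev: DeviceEvent, pan: str) -> None:
        """Merchant reports the payment cleared: attach the card hash to the device."""
        rec = self.devices.setdefault(device_id(ev.stable_attrs), DeviceRecord())
        h = card_hash(pan)
        rec.good_cards[h] = rec.good_cards.get(h, 0) + 1


# Constructed sample events: the same laptop seen at three merchants from two IP ranges.
_ATTRS = {"fonts": "Arial,Calibri,Segoe UI", "screen": "1440x900", "tz": "-08:00", "lang": "en-US"}
VISIT_A = DeviceEvent("Windows", "Windows", "US", "US", False, False, _ATTRS)
VISIT_C = DeviceEvent("Windows", "Windows", "US", "US", False, False, dict(_ATTRS))
BOT_VISIT = DeviceEvent("Windows", "Linux", "VN", "US", True, True,
                        {"fonts": "DejaVu Sans", "screen": "1024x768", "tz": "+07:00", "lang": "vi"})


def demo() -> Tuple[Tuple[int, List[str]], Tuple[int, List[str]], Tuple[int, List[str]]]:
    store = ReputationStore()
    first = store.score(VISIT_A)                     # new, clean device: nothing to say yet
    store.record_success(VISIT_A, "4111 1111 1111 1111")  # paid at merchant B
    third = store.score(VISIT_C, "4111111111111111")  # same device, same card, merchant C
    bot = store.score(BOT_VISIT)                      # botnet + proxy + mismatches
    return first, third, bot


if __name__ == "__main__":
    for label, (s, r) in zip(("merchant A", "merchant C", "botnet device"), demo()):
        print(f"{label:14s} score={s:4d} reasons={r}")
```

The point the interview makes about customer-specific policy falls out of the reason codes rather than the score: a gaming site can ignore `HIDDEN_PROXY`, and a dating site can decide its paying member on a `BOTNET` device is still welcome, without either of them having to accept the other's threshold.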