František Nonnemann of GDPR.cz recently had the chance to sit down with Petr Dvořák, founder and CEO of Wultra, to discuss trends related to advanced tools for user authentication and the protection against cyberattacks on online payments.
Read through the original interview (in Czech).
Petr, this year marks 10 years since you founded Wultra. What encouraged you to do it? Did you see a gap in the market and wanted to fill it?
Petr Dvořák (Wultra): Has it really been 10 years? Time has flown by, even though we’re talking about more than a quarter of my life.
For me, my main motivation for starting a company was the desire to break free and start my own business. However, in the beginning, I didn't know exactly what the company would do. All I knew for sure was that I didn't want to stay in the banking industry anymore, since I had spent many years in this particular field and I felt that a change would benefit me. Unfortunately, it turned out that I don't understand anything as profoundly as banking technology. That's why I returned to the industry and built a product in the area I understand best: The secure authentication of banking clients.
And now, after 10 years, you’re still largely providing the same services that you entered the market with 10 years ago. Can you advise on how you’ve gotten things so right?
Petr Dvořák: I don't think there is a general guide on how to create great products and hit the market. We try to bring a new product to the world every year or two, after which we give it a three-year waiting period. Some products stick, while others don't. So, if I were to give advice to entrepreneurs who are at the start of their own journey, I’d encourage building resilience and the ability to pick yourself up after every failure, take a breath, and start again.
All this being said, we’ve been fortunate enough to see continued success with our primary product, which delivers authentication for financial applications. We are targeting a fairly well-defined multi-factor authentication market in the financial sector. In 2024, this amounts to approximately 6.5 billion EUR globally. We were lucky that we started out at the time that we did, since realistically, it won’t be possible to enter this market in two to three years’ time due to tightening regulations.
However, we didn't invent something completely revolutionary. What differentiates us is mainly the better, more modern packaging of a product for developers’ tools (SDK and API). I’m convinced that thanks to this, we’re on top today in terms of the quality of our solutions. Financial institutions see that our solutions offer faster implementation and development compared to those of our competitors — that's why we manage to grow.
Of course, we also offer a number of unique features in the product itself, such as proximity-based authentication and functions for preventing social engineering attacks, but these are distinctive properties of a well-defined product — in other words, the bells and whistles that provide users with relevant benefits and enhance the product’s marketability.
Wultra focuses on the protection of mobile applications and online communication channels of financial institutions. What are some of the trends on the attackers’ side? Advanced technical attacks, phishing, spoofing, abuse of leaked passwords, or more intensive use of AI?
Petr Dvořák: Fortunately, we still live in a time when most ongoing attacks are relatively unadvanced on a technical level.
Vishing attacks (voice phishing) have by far the highest yield. Using this method, a fraudster forces a user to either confirm fraudulent payments (a technique known as authorized push payment fraud) or to pair the account with the fraudster's phone, who then does whatever they want with the account (known as account takeover). Typically, these kinds of attacks take place under the pretext of a profitable investment or a fictitious security problem with the account.
Of course, some clients still come across simpler "online marketplace attacks" in which the attacker pretends to be interested in advertised goods and offers to arrange transport and send money to the user’s card, which extorts payment card information from the user. Several times a year, we also encounter mobile malware that activates after starting mobile banking and prompts the user to enter login data or even a card number.
Unfortunately, the future doesn’t look the brightest from a security perspective. The biggest practical threat will be AI, which will not only enable the automation of attack scenarios and simplify more trustworthy communication with the victim (which, in turn, results in a higher impact), but it will also undermine the foundations for biometric authentication. Voice biometrics have long been superseded by AI and facial biometrics are now under significant pressure.
What are some authentication-related trends on the side of financial institutions? Passwordless access or the resurgence of physical hardware authenticators? You recently wrote about hardware authentication tools on Wultra’s blog, and I was quite surprised — I had previously understood hardware authenticators to be an outdated means of identification and authentication.
Petr Dvořák: Hardware authenticators are my speculation for future development. Today, mobile-first authentication — logins via mobile keys and confirmation via push notifications — has come to be considered mainstream.
I’ll provide some foundational context to explain my reasoning. In the classic interpretation of multi-factor authentication, three different factors can be used: What you have, what you know (passwords), and what you are (biometrics). Although there are various derived factors (such as one’s location, social context, and so on), the three that I’ve mentioned are the primary elements for user authentication.
Unfortunately, passwords have long been a problem for users. Not only do users often struggle with proper password hygiene (choosing a long, random password unique to the specific service/platform), but users can also unknowingly hand over their passwords to bad actors (phishing sites). Thanks to our experience, we’ve come to the conclusion that users can be manipulated to supply any password or piece of sensitive information that they have knowledge of.
This is why many companies have pinned their hopes on the "passwordless" concept. However, if this login method is to be multi-factor, we can use just the two remaining factors: Possession and biometrics. This, too, poses a long-term problem, because even biometric authentication has its limits.
We can’t choose how unique we are as humans — the basis for biometric authentication is a natural biological product, which we then measure and examine for similarity. If we were to compare people to tomatoes, they grow on a vine and they all look the same, but if we measure them, we can tell them apart to some extent. Each tomato then grows and becomes what it is. In the same way, the entropy of a fingerprint cannot be increased, just as the characteristics of one’s face or voice can’t be changed. And yet, it’s the biometrics of the face and voice that artificial intelligence is already messing with. There are ways to make biometric authentication more durable and secure, but the question is how long it will last. The problem isn’t in the measurement, but instead, in the measured material. If we extrapolate the present and look into the future, I can imagine that it will be possible to create a perfect digital clone of you with enough precision to copy your characteristics and properties — not unlike cloning a tomato.
Therefore, it’s my belief that in multi-factor authentication, the possession factor will be dominant in the medium term, whose data entropy and "form factor" we can change. The means of authentication will thus be based on the combination of the possession factor as the primary factor and accurate biometrics to complement it. As a result, banking operations will be able to be carried out by you (or by your clone after they’ve stolen the possession factor).
Among your clients are a number of banks operating in the Czech Republic. How has the perception of cyber-security among Czech financial institutions changed over the past 10 years?
Petr Dvořák: Banks have always taken security seriously. I think the change in recent years has mainly taken place in the context of financial institutions’ perception of mobile banking as the primary channel for financial management. During this transformation, banks have stopped developing most security solutions in-house (because it simply isn’t possible in terms of capacity) and have started to buy products for individual needs in a structured manner, such as authentication, runtime protection, anti-fraud, and so on.
At the same time, the perception of security is being shaped by legislation. For example, PSD2 legislation introduced a requirement for Strong Customer Authentication (SCA) and the monitoring of fraudulent transactions, thereby raising the bar for bank security.
Do you see any major differences in these changes compared to other markets in which you operate, whether in Central Europe, Africa, or North America?
Petr Dvořák: The trends that we follow here in the Czech Republic are, to a large extent, happening all over the world. Of course, different markets’ overall perception of security may slightly differ.
The market that remains the most starkly different is the United States. Due to the allocation of financial resources towards insurance ("if something happens, we'll cover it somehow") and a smaller emphasis on consumer protection, American banks still haven’t embraced SCA requirements.
Some markets also adapt more quickly in the area of regulation, and this is usually in response to localized threats. For example, in Romania or Kuwait, the local regulator issued recommendations to protect clients against the effects of remote desktop applications (such as AnyDesk and TeamViewer), which fraudsters often use to wrongfully take control of a client's device. In Vietnam, on the other hand, legislation is soon coming into effect ordering banks to use authentication via biometrics (i.e. facial biometrics) for transactions over a certain limit.
For us, these kinds of region-specific trends give our team a great opportunity to create messaging and advice that’s relevant to banks in the specific market.
What surprised you the most when entering the African and North American markets? Was it necessary to significantly adapt your products due to different user behavior, communication methods of local financial institutions, significantly different threats, or specific regulation?
Petr Dvořák: In these markets, we haven’t seen the need for radically different products, nor have we found it necessary to adapt to local legislation. In particular, I’d like to emphasize that European legislation gives us a good basis to work from because the legislative “brands" that it has introduced, like PSD2 or GDPR, are known worldwide. (For example, people in Brazil use terms like "Brazilian PSD2" or "Brazilian GDPR.”)
The biggest challenge in some of the markets we focus on has actually been the language barrier, since proficiency in English isn’t always a given, even when working with top bank managers.
When it comes to cyber-security investments in the EU, what role do new NIS2-type regulations currently play? Similarly, how is DORA affecting the financial sector? For most of your clients, do these regulations serve as a confirmation that they’re on the right track, a motivator to pay more attention and prioritize cyber-security, or a realization of what’s coming?
Petr Dvořák: I confess that I haven’t noticed a particularly strong reaction from our banking clients in regards to regulations like NIS2 or DORA. Banks are aware of these changes, and they’re dealing with them — just as we're doing the same. I think we’ve all accepted the fact that these regulations will come and that we need to take steps to prepare for them.
If I were to translate things into the terminology of a business presentation: DORA and NIS2 serve as a supplementary argument to instill confidence in stakeholders, embodying the sentiment of "Of course, we are DORA-ready." However, the initiation of most business discussions isn’t primarily driven by the regulation itself.
In general, the current banking regulations aim at a more conscious approach by organizations and an improved structuring of internal documentation. As a result, the benefit for banks’ end customers is that they can be sure that the organization that manages their money won’t miss something due to a lack of process.
DORA affects not only your clients, but also you as a provider of IT services in the financial sector. How is Wultra preparing for the new regulation? Have you found anything to be surprising as an experienced supplier of security tools for the financial market?
Petr Dvořák: We carefully monitor the regulation of the financial sector, which is why neither the introduction of DORA nor its contents came as a surprise to us. From our legal office, we knew about the legislation from the first outlines. We’re now in the process of implementing DORA compliance. Thanks to the care and diligence of our operations department, I’m confident that we’ll manage everything smoothly. We remain the most concerned about the impact that this change can potentially have on contracts with our customers (for example, it may be necessary for us to re-contract some of our longtime clients as a formality).
What advice do you have for an IT company that has delivered less to the financial market, has less experience, and is feeling intimidated about regulations like DORA? Where should they begin? Can ISO certification in the field of information security, which Wultra has, help?
Petr Dvořák: I think ISO 27001 is something that should be mandatory hygiene for every IT company.
For compliance with regulations such as DORA or NIS2, preparation through ISO 27001 is absolutely essential and represents the necessary minimum. IT companies are often worried that ISO 27001 will have a negative impact on them in terms of work efficiency, but this often stems from a misunderstanding of how this standard (and similar standards) work.
To summarize things for professionals who are considering ISO 27001 but are hesitant to implement it, the standard is basically a collection of headings that describe topics that need to be addressed in one’s company. These topics need to be filled with content according to how the company works. It’s worth noting that the implementation of ISO 27001 will look different in a family business with five employees compared to a bank. Therefore, it’s not useful to evaluate the speed of a bank’s processes and make a judgment about ISO 27001’s impact solely based on the bank’s implementation of ISO 27001.
We mentioned earlier that Wultra turns 10 this year. I'll avoid HR clichés and won’t ask where you see yourself or your company in the next 10 years. Instead, I’m curious about your view of the digital security and resilience of finance and payments. How will we pay in 10 years’ time, and what tools and methods will we use to protect our money?
Petr Dvořák: When it comes to anything tech-related, 10 years is nearly an eternity. That being said, if the trends of artificial intelligence and automation through robotics come together, we’ll be focusing more closely on the nature of society, the functioning of economies, and the concept of money itself instead of how we make payments.
In principle, I can imagine almost everything that we see in today’s sci-fi movies becoming a reality. And whatever comes, Wultra will be there.
.webp)
