
Passwords, watch out!

Six months ago we graduated from Y Combinator, which was by far the most fun and intense passage of our startup lives. After Demo Day we decided to dedicate the coming six months to full-on focus. We spent that radio silence onboarding and learning from customers, finishing a 1.0 release, and building out our team in San Francisco. Today, we are proud to announce our $2 million seed round led by First Round Capital.

We are truly excited about joining the First Round Capital family, a seed fund that has bred security and anti-fraud startups such as Sift Science, Caspida, and Area1, all of which are great inspirations to us. Other major participants in the round include F-Prime Capital Partners and FundersClub, as well as individuals who are working with us to build the easiest-to-use security product out there: Othman Laraki (founder of Color Genomics and former VP Product at Twitter) and Ludwig Petterson (first designer at Stripe), among others.

Protection against account takeover is a huge and growing challenge for both consumers and businesses. Since our launch in March, we have detected and mitigated more than 250,000 hacked accounts across 15 million users. We knew this was a big problem, but we were stunned by the scale of malicious traffic. We now clearly see the after-effects of the billions of stolen credentials from hacks at Yahoo, LinkedIn, Sony and the likes.

Given the increased value of online user data, the sophistication of attackers is rapidly outpacing defensive tooling. Only a few years ago, account takeover was a relatively naive process, and passwords sufficiently secured most applications. Today, account takeover is far more automated and widespread. By leveraging lists of stolen login credentials, fraudsters use digital armies known as botnets to direct millions of login attempts in parallel, targeting sites of any size.

Most companies do not have world class security experts on the team. To protect their customers, companies often resort to quick-and-dirty solutions like complex password policies, multi-factor authentication, and security questions. These all require your users to participate in order to provide the necessary security.

The real solution is to install account takeover protection. Since the problem of account takeover has been around for ages, there are many vendors out there. Unfortunately, they look and function like they were built during the stone age. Their low accuracy puts an enormous burden on your support and risk teams, who have to go through daily lists of potential account takeovers. Sure, these solutions are sufficient to catch known attacks, but they rely heavily on the assumption that scripted bots don’t act like humans. Modern hacking tools quickly invalidate that assumption.

We’ve seen how Stripe revolutionized online payments, and we think it’s time to do the same thing for account security. We are building the easiest solution for protecting your customers. Developers simply drop a line of code into any website or mobile app, and Castle will look for suspicious login patterns without bothering the legitimate user or the support and risk teams, and it requires no rules or manual training.

Our machine learning model learns the unique behavior of each user to identify which accounts are likely to be compromised. Most importantly, we have optimized our algorithms to minimize false positives and to let users self-identify and verify their account activity in an unobtrusive way. We will start catching attackers the second you deploy us!
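To make the two ideas in this post concrete, the botnet-driven credential stuffing described earlier (one source spraying stolen credentials across many accounts, mostly failing) and the per-user behavioral baseline described just above, here is an added illustration. It is not Castle's code and assumes nothing about Castle's API or models; the login events, IP addresses, device labels and thresholds are all constructed for the example.

```python
"""Added example (not Castle's code): two complementary account-takeover
signals computed over a constructed login log.

1. Source-level credential stuffing: one client IP attempting many distinct
   usernames inside a short window with a very low success rate.
2. Per-account baseline deviation: a successful login from a (country,
   device) pair the account has never used before.

Every event below is constructed sample data; thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    ip: str
    country: str
    device: str
    success: bool


# Constructed sample log: a few days of normal history for two accounts,
# then a 41-second burst from a single IP cycling through 40 usernames.
BASE = datetime(2016, 9, 1, 12, 0, 0)
EVENTS = [
    LoginEvent(BASE - timedelta(days=3), "alice", "203.0.113.10", "US", "iphone-safari", True),
    LoginEvent(BASE - timedelta(days=2), "alice", "203.0.113.10", "US", "iphone-safari", True),
    LoginEvent(BASE - timedelta(days=1), "bob", "198.51.100.7", "SE", "macbook-chrome", True),
    *[LoginEvent(BASE + timedelta(seconds=i), f"user{i}", "192.0.2.99", "NL", "curl", False)
      for i in range(40)],
    # One credential from the stolen list happens to work: alice reuses passwords.
    LoginEvent(BASE + timedelta(seconds=40), "alice", "192.0.2.99", "NL", "curl", True),
]


def credential_stuffing_sources(events, window=timedelta(minutes=5),
                                min_users=20, max_success_rate=0.2):
    """Flag IPs that, within any sliding time window, try at least `min_users`
    distinct usernames with a success rate at or below `max_success_rate`.
    Returns {ip: (distinct_users, attempts, successes)} for the largest
    qualifying window per IP."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so all events fit inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            successes = sum(1 for e in win if e.success)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                if ip not in flagged or len(win) > flagged[ip][1]:
                    flagged[ip] = (len(users), len(win), successes)
    return flagged


def account_anomalies(events, history_cutoff):
    """Build a per-user baseline of (country, device) pairs from successful
    logins before `history_cutoff`, then return successful logins at or after
    the cutoff that do not match the user's baseline. Accounts with no
    history are skipped: there is nothing to compare a first login against."""
    baseline = defaultdict(set)
    for e in events:
        if e.success and e.ts < history_cutoff:
            baseline[e.user].add((e.country, e.device))
    anomalies = []
    for e in sorted(events, key=lambda e: e.ts):
        known = baseline.get(e.user)
        if e.success and e.ts >= history_cutoff and known and (e.country, e.device) not in known:
            anomalies.append(e)
    return anomalies


def review_queue(events, history_cutoff):
    """Combine both signals: anomalous successful logins originating from a
    flagged stuffing source are the ones a risk team should look at first."""
    sources = credential_stuffing_sources(events)
    return [(e.user, e.ip, "new device/country from stuffing source")
            for e in account_anomalies(events, history_cutoff) if e.ip in sources]


if __name__ == "__main__":
    print(credential_stuffing_sources(EVENTS))
    print(review_queue(EVENTS, BASE))
```

The sliding window is what separates a botnet spray from a busy shared NAT: the same IP serving thousands of legitimate users would show a normal success rate, not a near-zero one, and the per-account baseline is what catches the one stolen credential that does work without bothering every user on the flagged source.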

More than half of online consumers still use the same passwords across all of their websites and accounts, not because they’re stupid, but because it’s convenient. Security needs to be convenient or people won’t use it.

The only viable long-term solution is to replace passwords, and that is what we have set out to do. This is the first step on our journey.